[Pkg-swan-devel] [strongswan] 01/07: New upstream version 5.5.2

Yves-Alexis Perez corsac at moszumanska.debian.org
Fri May 19 09:55:10 UTC 2017


This is an automated email from the git hooks/post-receive script.

corsac pushed a commit to branch master
in repository strongswan.

commit 05ddd767992d68bb38c7f16ece142e8c2e9ae016
Author: Yves-Alexis Perez <corsac at corsac.net>
Date:   Sat Apr 1 16:26:44 2017 +0200

    New upstream version 5.5.2
---
 Android.common.mk                                  |    2 +-
 Makefile.am                                        |    2 +-
 Makefile.in                                        |    4 +-
 NEWS                                               |   45 +-
 conf/Makefile.am                                   |    5 +-
 conf/Makefile.in                                   |    7 +-
 conf/options/aikpub2.conf                          |    7 -
 conf/options/aikpub2.opt                           |    2 -
 conf/options/charon.conf                           |    9 +
 conf/options/charon.opt                            |   20 +
 conf/plugins/addrblock.conf                        |   11 +
 conf/plugins/addrblock.opt                         |    8 +
 conf/plugins/bypass-lan.conf                       |   17 +
 conf/plugins/bypass-lan.opt                        |    8 +
 conf/plugins/kernel-netlink.conf                   |    6 +
 conf/plugins/kernel-netlink.opt                    |   17 +
 conf/plugins/pkcs11.conf                           |   16 +-
 conf/plugins/pkcs11.opt                            |   10 +-
 conf/plugins/revocation.conf                       |   14 +
 conf/plugins/revocation.opt                        |    7 +
 conf/plugins/tpm.conf                              |   11 +
 conf/plugins/tpm.opt                               |    2 +
 conf/strongswan.conf.5.main                        |   86 +-
 configure                                          |  775 +++---
 configure.ac                                       |   91 +-
 init/Makefile.in                                   |    2 +-
 init/systemd-swanctl/Makefile.in                   |    2 +-
 init/systemd-swanctl/strongswan-swanctl.service.in |    3 +-
 init/systemd/Makefile.in                           |    2 +-
 init/systemd/strongswan.service.in                 |    3 +-
 man/Makefile.in                                    |    2 +-
 man/ipsec.conf.5.in                                |   10 +-
 scripts/Makefile.in                                |    2 +-
 scripts/dh_speed.c                                 |   17 +-
 src/Makefile.am                                    |    4 -
 src/Makefile.in                                    |    7 +-
 src/_copyright/Makefile.in                         |    2 +-
 src/_updown/Makefile.in                            |    2 +-
 src/aikgen/Makefile.in                             |    2 +-
 src/aikpub2/Makefile.am                            |   15 -
 src/aikpub2/Makefile.in                            |  762 ------
 src/aikpub2/aikpub2.c                              |  305 ---
 src/charon-cmd/Makefile.in                         |    2 +-
 src/charon-cmd/charon-cmd.c                        |   11 +-
 src/charon-nm/Makefile.in                          |    2 +-
 src/charon-nm/charon-nm.c                          |    2 +-
 src/charon-svc/Makefile.in                         |    2 +-
 src/charon-svc/charon-svc.c                        |    3 +-
 src/charon-systemd/Makefile.in                     |    2 +-
 src/charon-systemd/charon-systemd.c                |   18 +-
 src/charon-tkm/Makefile.in                         |    2 +-
 src/charon-tkm/src/charon-tkm.c                    |    2 +-
 src/charon-tkm/src/tkm/tkm_keymat.c                |    3 +-
 src/charon-tkm/tests/tests.c                       |    2 +-
 src/charon/Makefile.in                             |    2 +-
 src/charon/charon.c                                |   17 +-
 src/checksum/Makefile.am                           |    4 +
 src/checksum/Makefile.in                           |   55 +-
 src/checksum/checksum_builder.c                    |    3 +
 src/conftest/Makefile.in                           |    2 +-
 src/conftest/hooks/pretend_auth.c                  |    3 +-
 src/conftest/hooks/rebuild_auth.c                  |    2 +-
 src/dumm/Makefile.in                               |    2 +-
 src/include/Makefile.in                            |    2 +-
 src/ipsec/Makefile.in                              |    2 +-
 src/ipsec/_ipsec.8                                 |    2 +-
 src/ipsec/_ipsec.in                                |   32 +-
 src/libcharon/Android.mk                           |    2 +
 src/libcharon/Makefile.am                          |    9 +
 src/libcharon/Makefile.in                          |  324 +--
 src/libcharon/bus/bus.c                            |   10 +-
 src/libcharon/config/child_cfg.c                   |   35 +-
 src/libcharon/config/ike_cfg.c                     |   37 +-
 src/libcharon/config/ike_cfg.h                     |   13 +-
 src/libcharon/config/peer_cfg.c                    |   13 +-
 src/libcharon/config/peer_cfg.h                    |   16 +-
 src/libcharon/config/proposal.c                    |   24 +-
 src/libcharon/config/proposal.h                    |    9 +-
 src/libcharon/control/controller.c                 |    1 -
 src/libcharon/daemon.c                             |   52 +-
 src/libcharon/daemon.h                             |   28 +-
 src/libcharon/kernel/kernel_interface.c            |   11 +
 src/libcharon/kernel/kernel_interface.h            |   17 +
 src/libcharon/kernel/kernel_net.h                  |   11 +
 src/libcharon/plugins/addrblock/Makefile.in        |    2 +-
 src/libcharon/plugins/addrblock/addrblock_narrow.c |   72 +-
 .../plugins/addrblock/addrblock_validator.c        |   14 +-
 src/libcharon/plugins/android_dns/Makefile.in      |    2 +-
 src/libcharon/plugins/android_log/Makefile.in      |    2 +-
 src/libcharon/plugins/attr/Makefile.in             |    2 +-
 src/libcharon/plugins/attr_sql/Makefile.in         |    2 +-
 src/libcharon/plugins/bypass_lan/Makefile.am       |   18 +
 src/libcharon/plugins/bypass_lan/Makefile.in       |  795 ++++++
 .../plugins/bypass_lan/bypass_lan_listener.c       |  295 +++
 .../plugins/bypass_lan/bypass_lan_listener.h       |   54 +
 .../plugins/bypass_lan/bypass_lan_plugin.c         |  109 +
 .../plugins/bypass_lan/bypass_lan_plugin.h         |   42 +
 src/libcharon/plugins/certexpire/Makefile.in       |    2 +-
 src/libcharon/plugins/connmark/Makefile.in         |    2 +-
 src/libcharon/plugins/connmark/connmark_plugin.c   |    6 +
 src/libcharon/plugins/coupling/Makefile.in         |    2 +-
 src/libcharon/plugins/dhcp/Makefile.in             |    2 +-
 src/libcharon/plugins/dnscert/Makefile.in          |    2 +-
 src/libcharon/plugins/duplicheck/Makefile.in       |    2 +-
 src/libcharon/plugins/eap_aka/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_aka_3gpp2/Makefile.in    |    2 +-
 src/libcharon/plugins/eap_dynamic/Makefile.in      |    2 +-
 src/libcharon/plugins/eap_dynamic/eap_dynamic.c    |   12 +
 src/libcharon/plugins/eap_gtc/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_identity/Makefile.in     |    2 +-
 src/libcharon/plugins/eap_md5/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_mschapv2/Makefile.in     |    2 +-
 src/libcharon/plugins/eap_peap/Makefile.in         |    2 +-
 src/libcharon/plugins/eap_radius/Makefile.in       |    2 +-
 src/libcharon/plugins/eap_sim/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_sim_file/Makefile.in     |    2 +-
 src/libcharon/plugins/eap_sim_pcsc/Makefile.in     |    2 +-
 .../plugins/eap_simaka_pseudonym/Makefile.in       |    2 +-
 .../plugins/eap_simaka_reauth/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_simaka_sql/Makefile.in   |    2 +-
 src/libcharon/plugins/eap_tls/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_tnc/Makefile.in          |    2 +-
 src/libcharon/plugins/eap_ttls/Makefile.in         |    2 +-
 src/libcharon/plugins/error_notify/Makefile.in     |    2 +-
 src/libcharon/plugins/ext_auth/Makefile.in         |    2 +-
 src/libcharon/plugins/farp/Makefile.in             |    2 +-
 src/libcharon/plugins/farp/farp_spoofer.c          |    2 +-
 src/libcharon/plugins/forecast/Makefile.in         |    2 +-
 src/libcharon/plugins/forecast/forecast_listener.c |    2 +-
 src/libcharon/plugins/ha/Makefile.in               |    2 +-
 src/libcharon/plugins/ha/ha_attribute.c            |    8 +-
 src/libcharon/plugins/ha/ha_ike.c                  |   15 +
 src/libcharon/plugins/ipseckey/Makefile.in         |    2 +-
 src/libcharon/plugins/kernel_iph/Makefile.in       |    2 +-
 src/libcharon/plugins/kernel_libipsec/Makefile.in  |    2 +-
 src/libcharon/plugins/kernel_netlink/Makefile.in   |    2 +-
 .../plugins/kernel_netlink/kernel_netlink_ipsec.c  |   56 +-
 .../plugins/kernel_netlink/kernel_netlink_net.c    |  269 +-
 .../plugins/kernel_netlink/kernel_netlink_shared.c |   64 +-
 src/libcharon/plugins/kernel_pfkey/Makefile.in     |    2 +-
 .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c      |   45 +-
 src/libcharon/plugins/kernel_pfroute/Makefile.in   |    2 +-
 .../plugins/kernel_pfroute/kernel_pfroute_net.c    |  197 +-
 src/libcharon/plugins/kernel_wfp/Makefile.in       |    2 +-
 .../plugins/kernel_wfp/kernel_wfp_ipsec.c          |    4 +
 src/libcharon/plugins/led/Makefile.in              |    2 +-
 src/libcharon/plugins/load_tester/Makefile.in      |    2 +-
 src/libcharon/plugins/lookip/Makefile.in           |    2 +-
 src/libcharon/plugins/medcli/Makefile.in           |    2 +-
 src/libcharon/plugins/medcli/medcli_config.c       |   81 +-
 src/libcharon/plugins/medsrv/Makefile.in           |    2 +-
 src/libcharon/plugins/osx_attr/Makefile.in         |    2 +-
 src/libcharon/plugins/p_cscf/Makefile.in           |    2 +-
 src/libcharon/plugins/radattr/Makefile.in          |    2 +-
 src/libcharon/plugins/resolve/Makefile.in          |    2 +-
 src/libcharon/plugins/smp/Makefile.in              |    2 +-
 src/libcharon/plugins/socket_default/Makefile.in   |    2 +-
 src/libcharon/plugins/socket_dynamic/Makefile.in   |    2 +-
 src/libcharon/plugins/socket_win/Makefile.in       |    2 +-
 src/libcharon/plugins/sql/Makefile.in              |    2 +-
 src/libcharon/plugins/sql/sql_config.c             |   10 +-
 src/libcharon/plugins/stroke/Makefile.in           |    2 +-
 src/libcharon/plugins/stroke/stroke_config.c       |  124 +-
 src/libcharon/plugins/stroke/stroke_control.c      |   20 +-
 src/libcharon/plugins/stroke/stroke_cred.c         |   10 +-
 src/libcharon/plugins/stroke/stroke_list.c         |    2 +-
 src/libcharon/plugins/stroke/stroke_plugin.c       |    2 +
 src/libcharon/plugins/systime_fix/Makefile.in      |    2 +-
 src/libcharon/plugins/tnc_ifmap/Makefile.in        |    2 +-
 src/libcharon/plugins/tnc_pdp/Makefile.in          |    2 +-
 src/libcharon/plugins/uci/Makefile.in              |    2 +-
 src/libcharon/plugins/unity/Makefile.in            |    2 +-
 src/libcharon/plugins/unity/unity_handler.c        |    5 +-
 src/libcharon/plugins/updown/Makefile.in           |    2 +-
 src/libcharon/plugins/vici/Makefile.in             |    2 +-
 src/libcharon/plugins/vici/README.md               |  109 +-
 src/libcharon/plugins/vici/perl/Makefile.in        |    2 +-
 src/libcharon/plugins/vici/python/Makefile.in      |    2 +-
 src/libcharon/plugins/vici/python/vici/protocol.py |   13 +-
 src/libcharon/plugins/vici/python/vici/session.py  |    6 +-
 src/libcharon/plugins/vici/ruby/Makefile.in        |    2 +-
 src/libcharon/plugins/vici/ruby/lib/vici.rb        |    4 +-
 src/libcharon/plugins/vici/vici_attribute.c        |   12 +-
 src/libcharon/plugins/vici/vici_authority.c        |  107 +-
 src/libcharon/plugins/vici/vici_config.c           |  326 ++-
 src/libcharon/plugins/vici/vici_config.h           |    2 +-
 src/libcharon/plugins/vici/vici_control.c          |  141 +-
 src/libcharon/plugins/vici/vici_cred.c             |  210 +-
 src/libcharon/plugins/vici/vici_dispatcher.c       |    6 +-
 src/libcharon/plugins/vici/vici_logger.c           |    7 +
 src/libcharon/plugins/vici/vici_query.c            |   96 +-
 src/libcharon/plugins/whitelist/Makefile.in        |    2 +-
 src/libcharon/plugins/xauth_eap/Makefile.in        |    2 +-
 src/libcharon/plugins/xauth_generic/Makefile.in    |    2 +-
 src/libcharon/plugins/xauth_noauth/Makefile.in     |    2 +-
 src/libcharon/plugins/xauth_pam/Makefile.in        |    2 +-
 src/libcharon/processing/jobs/delete_ike_sa_job.c  |    3 +-
 .../processing/jobs/initiate_mediation_job.c       |   21 +-
 src/libcharon/processing/jobs/start_action_job.c   |    4 +-
 src/libcharon/sa/child_sa.c                        |   19 +-
 src/libcharon/sa/ike_sa.c                          |   45 +-
 src/libcharon/sa/ike_sa.h                          |   18 +-
 src/libcharon/sa/ike_sa_manager.c                  |    4 -
 .../sa/ikev1/authenticators/psk_v1_authenticator.c |    4 +-
 .../ikev1/authenticators/pubkey_v1_authenticator.c |    4 +-
 src/libcharon/sa/ikev1/iv_manager.c                |  355 +++
 src/libcharon/sa/ikev1/iv_manager.h                |  120 +
 src/libcharon/sa/ikev1/keymat_v1.c                 |  259 +-
 src/libcharon/sa/ikev1/keymat_v1.h                 |   33 +-
 src/libcharon/sa/ikev1/phase1.c                    |   70 +-
 src/libcharon/sa/ikev1/task_manager_v1.c           |   29 +-
 src/libcharon/sa/ikev1/tasks/quick_mode.c          |   21 +-
 .../sa/ikev2/authenticators/pubkey_authenticator.c |   39 +-
 src/libcharon/sa/ikev2/keymat_v2.c                 |    6 +-
 src/libcharon/sa/ikev2/keymat_v2.h                 |    6 +-
 src/libcharon/sa/ikev2/task_manager_v2.c           |   94 +-
 src/libcharon/sa/ikev2/tasks/ike_auth.c            |   10 +-
 src/libcharon/sa/ikev2/tasks/ike_init.c            |   32 +
 src/libcharon/sa/ikev2/tasks/ike_mid_sync.c        |  264 ++
 src/libcharon/sa/ikev2/tasks/ike_mid_sync.h        |   74 +
 src/libcharon/sa/shunt_manager.c                   |   90 +-
 src/libcharon/sa/shunt_manager.h                   |   13 +-
 src/libcharon/sa/task.c                            |    1 +
 src/libcharon/sa/task.h                            |    2 +
 src/libcharon/sa/task_manager.h                    |   10 +-
 src/libcharon/tests/Makefile.am                    |    1 +
 src/libcharon/tests/Makefile.in                    |   21 +-
 src/libcharon/tests/exchange_tests.h               |    1 +
 src/libcharon/tests/libcharon_tests.c              |    2 +-
 src/libcharon/tests/suites/test_ike_mid_sync.c     |  535 ++++
 src/libcharon/tests/suites/test_proposal.c         |   26 +-
 src/libcharon/tests/utils/exchange_test_helper.c   |    2 +-
 src/libfast/Makefile.in                            |    2 +-
 src/libimcv/Makefile.in                            |    2 +-
 src/libimcv/plugins/imc_attestation/Makefile.in    |    2 +-
 src/libimcv/plugins/imc_hcd/Makefile.in            |    2 +-
 src/libimcv/plugins/imc_os/Makefile.in             |    2 +-
 src/libimcv/plugins/imc_scanner/Makefile.in        |    2 +-
 src/libimcv/plugins/imc_swid/Makefile.in           |    2 +-
 src/libimcv/plugins/imc_test/Makefile.in           |    2 +-
 src/libimcv/plugins/imv_attestation/Makefile.in    |    2 +-
 src/libimcv/plugins/imv_hcd/Makefile.in            |    2 +-
 src/libimcv/plugins/imv_os/Makefile.in             |    2 +-
 src/libimcv/plugins/imv_scanner/Makefile.in        |    2 +-
 src/libimcv/plugins/imv_swid/Makefile.in           |    2 +-
 src/libimcv/plugins/imv_test/Makefile.in           |    2 +-
 src/libipsec/Makefile.am                           |    4 +
 src/libipsec/Makefile.in                           |   13 +-
 src/libipsec/esp_context.c                         |   19 +-
 src/libipsec/esp_packet.c                          |    2 +
 src/libipsec/ip_packet.c                           |   29 +
 src/libipsec/ipsec_policy.c                        |   22 +-
 src/libipsec/ipsec_processor.c                     |   12 +-
 src/libipsec/ipsec_sa_mgr.c                        |   21 +-
 src/libipsec/tests/Makefile.in                     |    2 +-
 src/libpttls/Makefile.in                           |    2 +-
 src/libradius/Makefile.in                          |    2 +-
 src/libsimaka/Makefile.in                          |    2 +-
 src/libstrongswan/Android.mk                       |    5 +
 src/libstrongswan/Makefile.am                      |    7 +
 src/libstrongswan/Makefile.in                      |  230 +-
 src/libstrongswan/asn1/asn1.c                      |    4 +-
 src/libstrongswan/asn1/oid.c                       |  215 +-
 src/libstrongswan/asn1/oid.h                       |  146 +-
 src/libstrongswan/asn1/oid.txt                     |    3 +
 src/libstrongswan/collections/linked_list.h        |    2 +-
 src/libstrongswan/credentials/auth_cfg.c           |   48 +-
 src/libstrongswan/credentials/builder.c            |    5 +-
 src/libstrongswan/credentials/builder.h            |    7 +-
 src/libstrongswan/credentials/cred_encoding.h      |    4 +
 src/libstrongswan/credentials/keys/public_key.c    |   36 +-
 src/libstrongswan/credentials/keys/public_key.h    |   21 +-
 src/libstrongswan/credentials/sets/cert_cache.c    |   41 +-
 src/libstrongswan/credentials/sets/mem_cred.c      |  113 +-
 src/libstrongswan/credentials/sets/mem_cred.h      |   40 +-
 src/libstrongswan/crypto/diffie_hellman.c          |   14 +-
 src/libstrongswan/crypto/diffie_hellman.h          |    3 +
 src/libstrongswan/crypto/hashers/hasher.c          |   40 +-
 src/libstrongswan/crypto/hashers/hasher.h          |    8 +-
 .../crypto/proposal/proposal_keywords_static.c     |  213 +-
 .../crypto/proposal/proposal_keywords_static.txt   |    2 +
 src/libstrongswan/math/libnttfft/Makefile.in       |    2 +-
 src/libstrongswan/math/libnttfft/tests/Makefile.in |    2 +-
 .../math/libnttfft/tests/suites/test_ntt_fft.c     |   10 +
 src/libstrongswan/networking/host.c                |    2 +-
 src/libstrongswan/plugins/acert/Makefile.in        |    2 +-
 src/libstrongswan/plugins/aes/Makefile.in          |    2 +-
 src/libstrongswan/plugins/aesni/Makefile.in        |    2 +-
 src/libstrongswan/plugins/af_alg/Makefile.in       |    2 +-
 src/libstrongswan/plugins/agent/Makefile.in        |    2 +-
 src/libstrongswan/plugins/bliss/Makefile.in        |    2 +-
 src/libstrongswan/plugins/bliss/tests/Makefile.in  |    2 +-
 .../bliss/tests/suites/test_bliss_sampler.c        |    4 +-
 src/libstrongswan/plugins/blowfish/Makefile.in     |    2 +-
 src/libstrongswan/plugins/ccm/Makefile.in          |    2 +-
 src/libstrongswan/plugins/chapoly/Makefile.in      |    2 +-
 src/libstrongswan/plugins/cmac/Makefile.in         |    2 +-
 src/libstrongswan/plugins/constraints/Makefile.in  |    2 +-
 src/libstrongswan/plugins/ctr/Makefile.in          |    2 +-
 src/libstrongswan/plugins/curl/Makefile.in         |    2 +-
 src/libstrongswan/plugins/curve25519/Makefile.am   |   23 +
 src/libstrongswan/plugins/curve25519/Makefile.in   |  822 ++++++
 .../plugins/curve25519/curve25519_dh.c             |  174 ++
 .../plugins/curve25519/curve25519_dh.h             |   47 +
 .../plugins/curve25519/curve25519_drv.c            |   41 +
 .../plugins/curve25519/curve25519_drv.h            |   66 +
 .../plugins/curve25519/curve25519_drv_portable.c   |  613 +++++
 .../plugins/curve25519/curve25519_drv_portable.h   |   31 +
 .../curve25519/curve25519_identity_hasher.c        |   25 +
 .../curve25519/curve25519_identity_hasher.h        |   47 +
 .../plugins/curve25519/curve25519_plugin.c         |  101 +
 .../plugins/curve25519/curve25519_plugin.h         |   42 +
 .../plugins/curve25519/curve25519_private_key.c    |  346 +++
 .../plugins/curve25519/curve25519_private_key.h    |   60 +
 .../plugins/curve25519/curve25519_public_key.c     |  331 +++
 .../plugins/curve25519/curve25519_public_key.h     |   74 +
 src/libstrongswan/plugins/curve25519/ref10/base.h  | 2121 +++++++++++++++
 src/libstrongswan/plugins/curve25519/ref10/base2.h |   73 +
 src/libstrongswan/plugins/curve25519/ref10/ref10.c | 2731 ++++++++++++++++++++
 src/libstrongswan/plugins/curve25519/ref10/ref10.h |   93 +
 src/libstrongswan/plugins/des/Makefile.in          |    2 +-
 src/libstrongswan/plugins/dnskey/Makefile.in       |    2 +-
 src/libstrongswan/plugins/files/Makefile.in        |    2 +-
 src/libstrongswan/plugins/fips_prf/Makefile.in     |    2 +-
 src/libstrongswan/plugins/gcm/Makefile.in          |    2 +-
 src/libstrongswan/plugins/gcrypt/Makefile.in       |    2 +-
 src/libstrongswan/plugins/gmp/Makefile.in          |    2 +-
 src/libstrongswan/plugins/hmac/Makefile.in         |    2 +-
 src/libstrongswan/plugins/keychain/Makefile.in     |    2 +-
 src/libstrongswan/plugins/ldap/Makefile.in         |    2 +-
 src/libstrongswan/plugins/md4/Makefile.in          |    2 +-
 src/libstrongswan/plugins/md5/Makefile.in          |    2 +-
 src/libstrongswan/plugins/mgf1/Makefile.in         |    2 +-
 src/libstrongswan/plugins/mysql/Makefile.in        |    2 +-
 src/libstrongswan/plugins/newhope/Makefile.in      |    2 +-
 .../plugins/newhope/tests/Makefile.in              |    2 +-
 src/libstrongswan/plugins/nonce/Makefile.in        |    2 +-
 src/libstrongswan/plugins/ntru/Makefile.in         |    2 +-
 src/libstrongswan/plugins/openssl/Makefile.in      |    2 +-
 .../plugins/openssl/openssl_ec_diffie_hellman.c    |    5 +-
 src/libstrongswan/plugins/padlock/Makefile.in      |    2 +-
 src/libstrongswan/plugins/pem/Makefile.in          |    2 +-
 src/libstrongswan/plugins/pem/pem_encoder.c        |   21 +-
 src/libstrongswan/plugins/pem/pem_plugin.c         |    7 +
 src/libstrongswan/plugins/pgp/Makefile.in          |    2 +-
 src/libstrongswan/plugins/pkcs1/Makefile.in        |    2 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_builder.c    |    9 +-
 src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c     |    3 +
 src/libstrongswan/plugins/pkcs11/Makefile.in       |    2 +-
 src/libstrongswan/plugins/pkcs12/Makefile.in       |    2 +-
 src/libstrongswan/plugins/pkcs7/Makefile.in        |    2 +-
 src/libstrongswan/plugins/pkcs8/Makefile.in        |    2 +-
 src/libstrongswan/plugins/pkcs8/pkcs8_builder.c    |   15 +-
 src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c     |    2 +
 src/libstrongswan/plugins/plugin_loader.c          |    4 +-
 src/libstrongswan/plugins/pubkey/Makefile.in       |    2 +-
 src/libstrongswan/plugins/random/Makefile.in       |    2 +-
 src/libstrongswan/plugins/rc2/Makefile.in          |    2 +-
 src/libstrongswan/plugins/rdrand/Makefile.in       |    2 +-
 src/libstrongswan/plugins/revocation/Makefile.in   |    2 +-
 .../plugins/revocation/revocation_validator.c      |  114 +-
 src/libstrongswan/plugins/sha1/Makefile.in         |    2 +-
 src/libstrongswan/plugins/sha2/Makefile.in         |    2 +-
 src/libstrongswan/plugins/sha3/Makefile.in         |    2 +-
 src/libstrongswan/plugins/soup/Makefile.in         |    2 +-
 src/libstrongswan/plugins/sqlite/Makefile.in       |    2 +-
 src/libstrongswan/plugins/sshkey/Makefile.in       |    2 +-
 src/libstrongswan/plugins/test_vectors/Makefile.am |    1 +
 src/libstrongswan/plugins/test_vectors/Makefile.in |    9 +-
 .../plugins/test_vectors/test_vectors.h            |    1 +
 .../plugins/test_vectors/test_vectors/curve25519.c |   34 +
 src/libstrongswan/plugins/unbound/Makefile.in      |    2 +-
 src/libstrongswan/plugins/winhttp/Makefile.in      |    2 +-
 src/libstrongswan/plugins/x509/Makefile.in         |    2 +-
 src/libstrongswan/plugins/x509/x509_cert.c         |  136 +-
 src/libstrongswan/plugins/xcbc/Makefile.in         |    2 +-
 src/libstrongswan/selectors/traffic_selector.c     |   35 +-
 src/libstrongswan/selectors/traffic_selector.h     |   64 +-
 src/libstrongswan/settings/settings.c              |    7 +-
 src/libstrongswan/settings/settings_types.c        |    2 +-
 src/libstrongswan/tests/Makefile.am                |    3 +-
 src/libstrongswan/tests/Makefile.in                |   25 +-
 src/libstrongswan/tests/suites/test_chunk.c        |   21 +-
 src/libstrongswan/tests/suites/test_crypter.c      |    3 +-
 src/libstrongswan/tests/suites/test_ed25519.c      |  527 ++++
 src/libstrongswan/tests/suites/test_hasher.c       |   78 +-
 src/libstrongswan/tests/suites/test_host.c         |   10 +-
 .../tests/suites/test_traffic_selector.c           |   12 +-
 src/libstrongswan/tests/test_suite.h               |    2 +
 src/libstrongswan/tests/tests.h                    |    2 +
 src/libstrongswan/utils/chunk.c                    |    8 +-
 src/libstrongswan/utils/compat/windows.h           |    7 +
 src/libtls/Makefile.in                             |    2 +-
 src/libtls/tests/Makefile.in                       |    2 +-
 src/libtls/tests/suites/test_socket.c              |  134 +-
 src/libtls/tls_fragmentation.c                     |    2 +-
 src/libtnccs/Makefile.in                           |    2 +-
 src/libtnccs/plugins/tnc_imc/Makefile.in           |    2 +-
 src/libtnccs/plugins/tnc_imv/Makefile.in           |    2 +-
 src/libtnccs/plugins/tnc_tnccs/Makefile.in         |    2 +-
 src/libtnccs/plugins/tnccs_11/Makefile.in          |    2 +-
 src/libtnccs/plugins/tnccs_20/Makefile.in          |    2 +-
 src/libtnccs/plugins/tnccs_dynamic/Makefile.in     |    2 +-
 src/libtncif/Makefile.in                           |    2 +-
 src/libtpmtss/Makefile.am                          |   27 +-
 src/libtpmtss/Makefile.in                          |  204 +-
 src/libtpmtss/plugins/tpm/Makefile.am              |   21 +
 src/libtpmtss/plugins/tpm/Makefile.in              |  799 ++++++
 src/libtpmtss/plugins/tpm/tpm_plugin.c             |   96 +
 src/libtpmtss/plugins/tpm/tpm_plugin.h             |   42 +
 src/libtpmtss/plugins/tpm/tpm_private_key.c        |  239 ++
 src/libtpmtss/plugins/tpm/tpm_private_key.h        |   49 +
 src/libtpmtss/plugins/tpm/tpm_rng.c                |   94 +
 src/libtpmtss/plugins/tpm/tpm_rng.h                |   47 +
 src/libtpmtss/tpm_tss.h                            |   24 +
 src/libtpmtss/tpm_tss_trousers.c                   |   17 +-
 src/libtpmtss/tpm_tss_tss2.c                       |  225 +-
 src/manager/Makefile.in                            |    2 +-
 src/medsrv/Makefile.in                             |    2 +-
 src/pki/Makefile.in                                |    2 +-
 src/pki/commands/acert.c                           |    4 +-
 src/pki/commands/gen.c                             |   11 +-
 src/pki/commands/issue.c                           |   28 +-
 src/pki/commands/keyid.c                           |   20 +-
 src/pki/commands/print.c                           |   10 +-
 src/pki/commands/pub.c                             |    4 +-
 src/pki/commands/req.c                             |   21 +-
 src/pki/commands/self.c                            |   29 +-
 src/pki/commands/signcrl.c                         |    5 +-
 src/pki/man/Makefile.in                            |    2 +-
 src/pki/man/pki---acert.1.in                       |    3 +-
 src/pki/man/pki---gen.1.in                         |    5 +-
 src/pki/man/pki---issue.1.in                       |   20 +-
 src/pki/man/pki---keyid.1.in                       |   10 +-
 src/pki/man/pki---print.1.in                       |    6 +-
 src/pki/man/pki---pub.1.in                         |    4 +
 src/pki/man/pki---req.1.in                         |   10 +-
 src/pki/man/pki---self.1.in                        |   18 +-
 src/pki/man/pki---signcrl.1.in                     |    3 +-
 src/pki/pki.c                                      |   22 +
 src/pki/pki.h                                      |    9 +
 src/pool/Makefile.in                               |    2 +-
 src/pt-tls-client/Makefile.in                      |    2 +-
 src/scepclient/Makefile.in                         |    2 +-
 src/starter/Makefile.in                            |    2 +-
 src/starter/confread.c                             |    2 +-
 src/starter/tests/Makefile.in                      |    2 +-
 src/stroke/Makefile.in                             |    2 +-
 src/swanctl/Makefile.am                            |    1 +
 src/swanctl/Makefile.in                            |   12 +-
 src/swanctl/command.h                              |    2 +-
 src/swanctl/commands/initiate.c                    |   12 +-
 src/swanctl/commands/install.c                     |   15 +-
 src/swanctl/commands/list_pools.c                  |   14 +-
 src/swanctl/commands/list_sas.c                    |   23 +-
 src/swanctl/commands/load_authorities.c            |    8 +-
 src/swanctl/commands/load_conns.c                  |   67 +-
 src/swanctl/commands/load_creds.c                  |  377 ++-
 src/swanctl/commands/rekey.c                       |  125 +
 src/swanctl/swanctl.8.in                           |    3 +
 src/swanctl/swanctl.conf                           |  123 +-
 src/swanctl/swanctl.conf.5.head.in                 |    3 +-
 src/swanctl/swanctl.conf.5.main                    |  253 +-
 src/swanctl/swanctl.opt                            |  223 +-
 testing/Makefile.in                                |    2 +-
 testing/config/kernel/config-4.10                  | 2524 ++++++++++++++++++
 testing/config/kernel/config-4.9                   | 2502 ++++++++++++++++++
 testing/do-tests                                   |   57 -
 testing/hosts/default/usr/local/bin/init_tnc       |   15 +
 .../etc/openssl/ed25519/newcerts/carolCert.pem     |   13 +
 .../etc/openssl/ed25519/newcerts/daveCert.pem      |   13 +
 .../etc/openssl/ed25519/newcerts/moonCert.pem      |   13 +
 .../etc/openssl/ed25519/newcerts/sunCert.pem       |   13 +
 .../etc/openssl/ed25519/newkeys/carolKey.pem       |    3 +
 .../etc/openssl/ed25519/newkeys/daveKey.pem        |    3 +
 .../etc/openssl/ed25519/newkeys/moonKey.pem        |    3 +
 .../etc/openssl/ed25519/newkeys/sunKey.pem         |    3 +
 .../etc/openssl/ed25519/strongswan_ed25519.crl     |  Bin 0 -> 252 bytes
 .../etc/openssl/ed25519/strongswan_ed25519Cert.pem |   11 +
 .../etc/openssl/ed25519/strongswan_ed25519Key.pem  |    3 +
 testing/hosts/winnetou/etc/openssl/generate-crl    |    3 +
 testing/hosts/winnetou/etc/openssl/index.txt       |    3 +-
 testing/hosts/winnetou/etc/openssl/index.txt.old   |    3 +-
 testing/hosts/winnetou/etc/openssl/newcerts/38.pem |   26 +
 testing/hosts/winnetou/etc/openssl/serial          |    2 +-
 testing/hosts/winnetou/etc/openssl/serial.old      |    2 +-
 testing/hosts/winnetou/etc/strongswan.conf         |    2 +-
 testing/scripts/build-guestkernel                  |    2 +-
 testing/scripts/load-testconfig                    |  119 +-
 testing/scripts/recipes/015_strongTNC.mk           |    2 +-
 testing/testing.conf                               |    6 +-
 .../active-passive/hosts/alice/etc/strongswan.conf |    3 +-
 .../active-passive/hosts/carol/etc/strongswan.conf |    2 +-
 .../active-passive/hosts/dave/etc/strongswan.conf  |    2 +-
 .../active-passive/hosts/moon/etc/strongswan.conf  |    3 +-
 .../ha/both-active/hosts/alice/etc/strongswan.conf |    3 +-
 .../ha/both-active/hosts/carol/etc/strongswan.conf |    2 +-
 .../ha/both-active/hosts/dave/etc/strongswan.conf  |    2 +-
 .../ha/both-active/hosts/moon/etc/strongswan.conf  |    3 +-
 .../ike/rw-cert/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ike/rw-cert/hosts/dave/etc/strongswan.conf     |    2 +-
 .../ike/rw-cert/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw_v1-net_v2/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw_v1-net_v2/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf |    2 +-
 .../alg-3des-md5/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-3des-md5/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |    3 +-
 .../alg-blowfish/hosts/dave/etc/strongswan.conf    |    3 +-
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 testing/tests/ikev1/alg-sha256/description.txt     |    2 +-
 testing/tests/ikev1/alg-sha256/evaltest.dat        |    8 +-
 .../ikev1/alg-sha256/hosts/carol/etc/ipsec.conf    |    4 +-
 .../alg-sha256/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ikev1/alg-sha256/hosts/moon/etc/ipsec.conf     |    4 +-
 .../alg-sha256/hosts/moon/etc/strongswan.conf      |    2 +-
 testing/tests/ikev1/alg-sha384/description.txt     |    2 +-
 testing/tests/ikev1/alg-sha384/evaltest.dat        |    8 +-
 .../ikev1/alg-sha384/hosts/carol/etc/ipsec.conf    |    4 +-
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ikev1/alg-sha384/hosts/moon/etc/ipsec.conf     |    4 +-
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ikev1/compress/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev1/compress/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../config-payload/hosts/carol/etc/strongswan.conf |    2 +-
 .../config-payload/hosts/dave/etc/strongswan.conf  |    2 +-
 .../config-payload/hosts/moon/etc/strongswan.conf  |    2 +-
 .../double-nat-net/hosts/alice/etc/strongswan.conf |    2 +-
 .../double-nat-net/hosts/bob/etc/strongswan.conf   |    2 +-
 .../double-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev1/double-nat/hosts/bob/etc/strongswan.conf |    2 +-
 .../dpd-clear/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev1/dpd-clear/hosts/moon/etc/strongswan.conf |    2 +-
 .../dpd-restart/hosts/carol/etc/strongswan.conf    |    2 +-
 .../dpd-restart/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../tests/ikev1/esp-alg-aes-ccm/description.txt    |    4 +-
 .../esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf     |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf      |    4 +-
 .../esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf |    2 +-
 .../tests/ikev1/esp-alg-aes-ctr/description.txt    |    2 +-
 .../esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf     |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf      |    4 +-
 .../esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf |    2 +-
 .../tests/ikev1/esp-alg-aes-gcm/description.txt    |    4 +-
 .../esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf     |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf      |    4 +-
 .../esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf |    2 +-
 .../tests/ikev1/esp-alg-aes-gmac/description.txt   |    2 +-
 .../esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf    |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf     |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf     |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 testing/tests/ikev1/esp-alg-null/evaltest.dat      |    8 +-
 .../ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf  |    4 +-
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf   |    4 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |    2 +-
 .../host2host-ah/hosts/moon/etc/strongswan.conf    |    2 +-
 .../host2host-ah/hosts/sun/etc/strongswan.conf     |    2 +-
 .../host2host-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../host2host-cert/hosts/sun/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ikev1/ip-pool/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev1/ip-pool/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev1/ip-pool/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../multi-level-ca/hosts/carol/etc/strongswan.conf |    2 +-
 .../multi-level-ca/hosts/dave/etc/strongswan.conf  |    2 +-
 .../multi-level-ca/hosts/moon/etc/strongswan.conf  |    2 +-
 .../ikev1/nat-rw/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ikev1/nat-rw/hosts/sun/etc/strongswan.conf     |    2 +-
 .../ikev1/nat-rw/hosts/venus/etc/strongswan.conf   |    2 +-
 .../nat-virtual-ip/hosts/moon/etc/strongswan.conf  |    2 +-
 .../nat-virtual-ip/hosts/sun/etc/strongswan.conf   |    2 +-
 testing/tests/ikev1/net2net-ah/description.txt     |    6 +-
 testing/tests/ikev1/net2net-ah/evaltest.dat        |    8 +-
 .../ikev1/net2net-ah/hosts/moon/etc/ipsec.conf     |    4 +-
 .../net2net-ah/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ikev1/net2net-ah/hosts/sun/etc/ipsec.conf      |    4 +-
 .../ikev1/net2net-ah/hosts/sun/etc/strongswan.conf |    2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    4 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    4 +-
 testing/tests/ikev1/net2net-esn/description.txt    |    4 +-
 testing/tests/ikev1/net2net-esn/evaltest.dat       |   10 +-
 .../ikev1/net2net-esn/hosts/moon/etc/ipsec.conf    |    4 +-
 .../net2net-esn/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ikev1/net2net-esn/hosts/sun/etc/ipsec.conf     |    4 +-
 .../net2net-esn/hosts/sun/etc/strongswan.conf      |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/sun/etc/strongswan.conf                  |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../net2net-psk-fail/hosts/sun/etc/strongswan.conf |    2 +-
 .../net2net-psk/hosts/moon/etc/strongswan.conf     |    4 +-
 .../net2net-psk/hosts/sun/etc/strongswan.conf      |    4 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../rw-cert-unity/hosts/carol/etc/strongswan.conf  |    4 +-
 .../rw-cert-unity/hosts/moon/etc/strongswan.conf   |    4 +-
 .../ikev1/rw-cert/hosts/carol/etc/strongswan.conf  |    3 +-
 .../ikev1/rw-cert/hosts/dave/etc/strongswan.conf   |    3 +-
 .../ikev1/rw-cert/hosts/moon/etc/strongswan.conf   |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-psk-ipv4/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf     |    2 +-
 .../virtual-ip/hosts/carol/etc/strongswan.conf     |    2 +-
 .../virtual-ip/hosts/dave/etc/strongswan.conf      |    2 +-
 .../virtual-ip/hosts/moon/etc/strongswan.conf      |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../xauth-psk/hosts/carol/etc/strongswan.conf      |    4 +-
 .../ikev1/xauth-psk/hosts/dave/etc/strongswan.conf |    4 +-
 .../ikev1/xauth-psk/hosts/moon/etc/strongswan.conf |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../xauth-rsa/hosts/carol/etc/strongswan.conf      |    4 +-
 .../ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf |    4 +-
 .../ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf |    4 +-
 .../acert-cached/hosts/carol/etc/strongswan.conf   |    2 +-
 .../acert-cached/hosts/dave/etc/strongswan.conf    |    2 +-
 .../acert-cached/hosts/moon/etc/strongswan.conf    |    2 +-
 .../acert-fallback/hosts/carol/etc/strongswan.conf |    2 +-
 .../acert-fallback/hosts/moon/etc/strongswan.conf  |    2 +-
 .../acert-inline/hosts/carol/etc/strongswan.conf   |    2 +-
 .../acert-inline/hosts/dave/etc/strongswan.conf    |    2 +-
 .../acert-inline/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../alg-3des-md5/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-3des-md5/hosts/moon/etc/strongswan.conf    |    2 +-
 testing/tests/ikev2/alg-aes-ccm/description.txt    |    4 +-
 .../ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf   |    4 +-
 .../alg-aes-ccm/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf    |    4 +-
 .../alg-aes-ccm/hosts/moon/etc/strongswan.conf     |    2 +-
 testing/tests/ikev2/alg-aes-ctr/description.txt    |    4 +-
 .../ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf   |    4 +-
 .../alg-aes-ctr/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf    |    4 +-
 .../alg-aes-ctr/hosts/moon/etc/strongswan.conf     |    2 +-
 testing/tests/ikev2/alg-aes-gcm/description.txt    |    4 +-
 .../ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf   |    4 +-
 .../alg-aes-gcm/hosts/carol/etc/strongswan.conf    |    2 +-
 .../ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf    |    4 +-
 .../alg-aes-gcm/hosts/moon/etc/strongswan.conf     |    2 +-
 testing/tests/ikev2/alg-aes-xcbc/description.txt   |    2 +-
 testing/tests/ikev2/alg-aes-xcbc/evaltest.dat      |    4 +-
 .../ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf  |    4 +-
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf   |    4 +-
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-blowfish/hosts/carol/etc/strongswan.conf   |    3 +-
 .../alg-blowfish/hosts/dave/etc/strongswan.conf    |    3 +-
 .../alg-blowfish/hosts/moon/etc/strongswan.conf    |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 testing/tests/ikev2/alg-sha256-96/description.txt  |    2 +-
 testing/tests/ikev2/alg-sha256-96/evaltest.dat     |    4 +-
 .../ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf |    4 +-
 .../alg-sha256-96/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf  |    4 +-
 .../alg-sha256-96/hosts/moon/etc/strongswan.conf   |    2 +-
 testing/tests/ikev2/alg-sha256/description.txt     |    2 +-
 testing/tests/ikev2/alg-sha256/evaltest.dat        |    4 +-
 .../ikev2/alg-sha256/hosts/carol/etc/ipsec.conf    |    4 +-
 .../alg-sha256/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ikev2/alg-sha256/hosts/moon/etc/ipsec.conf     |    4 +-
 .../alg-sha256/hosts/moon/etc/strongswan.conf      |    2 +-
 testing/tests/ikev2/alg-sha384/description.txt     |    2 +-
 testing/tests/ikev2/alg-sha384/evaltest.dat        |    4 +-
 .../ikev2/alg-sha384/hosts/carol/etc/ipsec.conf    |    4 +-
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ikev2/alg-sha384/hosts/moon/etc/ipsec.conf     |    4 +-
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |    2 +-
 .../any-interface/hosts/alice/etc/strongswan.conf  |    2 +-
 .../any-interface/hosts/bob/etc/strongswan.conf    |    2 +-
 .../any-interface/hosts/moon/etc/strongswan.conf   |    2 +-
 .../any-interface/hosts/sun/etc/strongswan.conf    |    2 +-
 .../compress-nat/hosts/alice/etc/strongswan.conf   |    2 +-
 .../compress-nat/hosts/bob/etc/strongswan.conf     |    2 +-
 .../compress-nat/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev2/compress/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/compress/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../config-payload/hosts/carol/etc/strongswan.conf |    2 +-
 .../config-payload/hosts/dave/etc/strongswan.conf  |    2 +-
 .../config-payload/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../crl-from-cache/hosts/carol/etc/strongswan.conf |    2 +-
 .../crl-from-cache/hosts/moon/etc/strongswan.conf  |    2 +-
 .../ikev2/crl-ldap/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/crl-ldap/hosts/moon/etc/strongswan.conf  |    2 +-
 .../crl-revoked/hosts/carol/etc/strongswan.conf    |    2 +-
 .../crl-revoked/hosts/moon/etc/strongswan.conf     |    2 +-
 .../crl-to-cache/hosts/carol/etc/strongswan.conf   |    2 +-
 .../crl-to-cache/hosts/moon/etc/strongswan.conf    |    2 +-
 .../dhcp-dynamic/hosts/carol/etc/strongswan.conf   |    2 +-
 .../dhcp-dynamic/hosts/dave/etc/strongswan.conf    |    2 +-
 .../dhcp-dynamic/hosts/moon/etc/strongswan.conf    |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../dhcp-static-mac/hosts/dave/etc/strongswan.conf |    2 +-
 .../dhcp-static-mac/hosts/moon/etc/strongswan.conf |    3 +-
 .../double-nat-net/hosts/alice/etc/strongswan.conf |    2 +-
 .../double-nat-net/hosts/bob/etc/strongswan.conf   |    2 +-
 .../double-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/double-nat/hosts/bob/etc/strongswan.conf |    2 +-
 .../dpd-clear/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/dpd-clear/hosts/moon/etc/strongswan.conf |    2 +-
 .../ikev2/dpd-hold/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/dpd-hold/hosts/moon/etc/strongswan.conf  |    2 +-
 .../dpd-restart/hosts/carol/etc/strongswan.conf    |    2 +-
 .../dpd-restart/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    4 +-
 .../tests/ikev2/esp-alg-aes-gmac/description.txt   |    2 +-
 .../esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf    |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf     |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-md5-128/hosts/moon/etc/strongswan.conf |    2 +-
 testing/tests/ikev2/esp-alg-null/evaltest.dat      |    8 +-
 .../ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf  |    4 +-
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf   |    4 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |    2 +-
 .../esp-alg-sha1-160/hosts/carol/etc/ipsec.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../esp-alg-sha1-160/hosts/moon/etc/ipsec.conf     |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ikev2/farp/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ikev2/farp/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ikev2/farp/hosts/moon/etc/strongswan.conf      |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../force-udp-encaps/hosts/sun/etc/strongswan.conf |    2 +-
 .../ikev2/forecast/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/forecast/hosts/dave/etc/strongswan.conf  |    2 +-
 .../ikev2/forecast/hosts/moon/etc/strongswan.conf  |    3 +-
 .../host2host-ah/hosts/moon/etc/strongswan.conf    |    2 +-
 .../host2host-ah/hosts/sun/etc/strongswan.conf     |    2 +-
 .../host2host-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../host2host-cert/hosts/sun/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    5 +
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    5 +
 .../hosts/alice/etc/strongswan.conf                |    5 +
 .../hosts/sun/etc/strongswan.conf                  |    5 +
 .../hosts/venus/etc/strongswan.conf                |    5 +
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |    2 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ip-pool-wish/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ip-pool-wish/hosts/dave/etc/strongswan.conf    |    2 +-
 .../ip-pool-wish/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ikev2/ip-pool/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/ip-pool/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev2/ip-pool/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../ip-two-pools-db/hosts/dave/etc/strongswan.conf |    2 +-
 .../ip-two-pools-db/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ip-two-pools/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ip-two-pools/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ip-two-pools/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ikev2/lookip/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ikev2/lookip/hosts/dave/etc/strongswan.conf    |    2 +-
 .../ikev2/lookip/hosts/moon/etc/strongswan.conf    |    2 +-
 .../mobike-nat/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/mobike-nat/hosts/sun/etc/strongswan.conf |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../ikev2/mobike/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ikev2/mobike/hosts/sun/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../multi-level-ca/hosts/carol/etc/strongswan.conf |    2 +-
 .../multi-level-ca/hosts/dave/etc/strongswan.conf  |    2 +-
 .../multi-level-ca/hosts/moon/etc/strongswan.conf  |    2 +-
 .../nat-rw-mark/hosts/alice/etc/strongswan.conf    |    2 +-
 .../nat-rw-mark/hosts/sun/etc/strongswan.conf      |    2 +-
 .../nat-rw-mark/hosts/venus/etc/strongswan.conf    |    2 +-
 .../nat-rw-psk/hosts/alice/etc/strongswan.conf     |    2 +-
 .../ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf |    2 +-
 .../nat-rw-psk/hosts/venus/etc/strongswan.conf     |    2 +-
 .../ikev2/nat-rw/hosts/alice/etc/strongswan.conf   |    2 +-
 .../ikev2/nat-rw/hosts/sun/etc/strongswan.conf     |    2 +-
 .../ikev2/nat-rw/hosts/venus/etc/strongswan.conf   |    2 +-
 .../nat-virtual-ip/hosts/moon/etc/strongswan.conf  |    2 +-
 .../nat-virtual-ip/hosts/sun/etc/strongswan.conf   |    2 +-
 testing/tests/ikev2/net2net-ah/description.txt     |    6 +-
 testing/tests/ikev2/net2net-ah/evaltest.dat        |    8 +-
 .../ikev2/net2net-ah/hosts/moon/etc/ipsec.conf     |    4 +-
 .../net2net-ah/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ikev2/net2net-ah/hosts/sun/etc/ipsec.conf      |    4 +-
 .../ikev2/net2net-ah/hosts/sun/etc/strongswan.conf |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    2 +-
 .../net2net-dnscert/hosts/moon/etc/strongswan.conf |    2 +-
 .../net2net-dnscert/hosts/sun/etc/strongswan.conf  |    2 +-
 .../net2net-dnssec/hosts/moon/etc/strongswan.conf  |    2 +-
 .../net2net-dnssec/hosts/sun/etc/strongswan.conf   |    2 +-
 .../tests/ikev2/net2net-ed25519/description.txt    |    6 +
 testing/tests/ikev2/net2net-ed25519/evaltest.dat   |    9 +
 .../net2net-ed25519/hosts/moon/etc/ipsec.conf      |   24 +
 .../moon/etc/ipsec.d/cacerts/strongswanCert.pem    |   11 +
 .../hosts/moon/etc/ipsec.d/certs/moonCert.pem      |   13 +
 .../hosts/moon/etc/ipsec.d/private/moonKey.pem     |    3 +
 .../net2net-ed25519/hosts/moon/etc/ipsec.secrets   |    3 +
 .../net2net-ed25519/hosts/moon/etc/strongswan.conf |    6 +
 .../ikev2/net2net-ed25519/hosts/sun/etc/ipsec.conf |   24 +
 .../sun/etc/ipsec.d/cacerts/strongswanCert.pem     |   11 +
 .../hosts/sun/etc/ipsec.d/certs/sunCert.pem        |   13 +
 .../hosts/sun/etc/ipsec.d/private/sunKey.pem       |    3 +
 .../net2net-ed25519/hosts/sun/etc/ipsec.secrets    |    8 +
 .../net2net-ed25519/hosts/sun/etc/strongswan.conf  |    6 +
 testing/tests/ikev2/net2net-ed25519/posttest.dat   |    5 +
 testing/tests/ikev2/net2net-ed25519/pretest.dat    |    7 +
 testing/tests/ikev2/net2net-ed25519/test.conf      |   21 +
 testing/tests/ikev2/net2net-esn/description.txt    |    4 +-
 testing/tests/ikev2/net2net-esn/evaltest.dat       |    8 +-
 .../ikev2/net2net-esn/hosts/moon/etc/ipsec.conf    |    4 +-
 .../net2net-esn/hosts/moon/etc/strongswan.conf     |    2 +-
 .../ikev2/net2net-esn/hosts/sun/etc/ipsec.conf     |    4 +-
 .../net2net-esn/hosts/sun/etc/strongswan.conf      |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/sun/etc/strongswan.conf                  |    3 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../net2net-pgp-v3/hosts/moon/etc/strongswan.conf  |    2 +-
 .../net2net-pgp-v3/hosts/sun/etc/strongswan.conf   |    2 +-
 .../net2net-pgp-v4/hosts/moon/etc/strongswan.conf  |    2 +-
 .../net2net-pgp-v4/hosts/sun/etc/strongswan.conf   |    2 +-
 .../net2net-pkcs12/hosts/moon/etc/strongswan.conf  |    2 +-
 .../net2net-pkcs12/hosts/sun/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../net2net-psk-dscp/hosts/sun/etc/strongswan.conf |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../net2net-psk-fail/hosts/sun/etc/strongswan.conf |    2 +-
 .../net2net-psk/hosts/moon/etc/strongswan.conf     |    2 +-
 .../net2net-psk/hosts/sun/etc/strongswan.conf      |    2 +-
 .../net2net-pubkey/hosts/moon/etc/strongswan.conf  |    2 +-
 .../net2net-pubkey/hosts/sun/etc/strongswan.conf   |    2 +-
 .../net2net-rfc3779/hosts/moon/etc/strongswan.conf |    2 +-
 .../net2net-rfc3779/hosts/sun/etc/strongswan.conf  |    2 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |    2 +-
 .../net2net-rsa/hosts/moon/etc/strongswan.conf     |    2 +-
 .../net2net-rsa/hosts/sun/etc/strongswan.conf      |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../net2net-start/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-start/hosts/sun/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../ocsp-local-cert/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ocsp-revoked/hosts/carol/etc/strongswan.conf   |    2 +-
 .../ocsp-revoked/hosts/moon/etc/strongswan.conf    |    2 +-
 .../ocsp-root-cert/hosts/carol/etc/strongswan.conf |    2 +-
 .../ocsp-root-cert/hosts/moon/etc/strongswan.conf  |    2 +-
 .../carol/etc/ipsec.d/certs/carolCert-ocsp.pem     |  103 +-
 .../carol/etc/ipsec.d/private/carolKey-ocsp.pem    |   50 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../carol/etc/ipsec.d/certs/carolCert-ocsp.pem     |  103 +-
 .../carol/etc/ipsec.d/private/carolKey-ocsp.pem    |   50 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../protoport-route/hosts/moon/etc/strongswan.conf |    2 +-
 .../reauth-early/hosts/carol/etc/strongswan.conf   |    2 +-
 .../reauth-early/hosts/moon/etc/strongswan.conf    |    2 +-
 .../reauth-late/hosts/carol/etc/strongswan.conf    |    2 +-
 .../reauth-late/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../reauth-mbb/hosts/carol/etc/strongswan.conf     |    2 +-
 .../reauth-mbb/hosts/moon/etc/strongswan.conf      |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../redirect-active/hosts/dave/etc/strongswan.conf |    2 +-
 .../redirect-active/hosts/moon/etc/strongswan.conf |    2 +-
 testing/tests/ikev2/rw-cert/evaltest.dat           |    1 -
 .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../rw-dnssec/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf |    2 +-
 .../ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../rw-eap-dynamic/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-dynamic/hosts/dave/etc/strongswan.conf  |    2 +-
 .../rw-eap-dynamic/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-eap-peap-md5/hosts/dave/etc/strongswan.conf |    2 +-
 .../rw-eap-peap-md5/hosts/moon/etc/strongswan.conf |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../tests/ikev2/rw-eap-sim-only-radius/pretest.dat |    3 +
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf |    2 +-
 .../rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    3 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    3 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../rw-hash-and-url/hosts/dave/etc/strongswan.conf |    2 +-
 .../rw-hash-and-url/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-mark-in-out/hosts/alice/etc/strongswan.conf |    2 +-
 .../rw-mark-in-out/hosts/sun/etc/strongswan.conf   |    2 +-
 .../rw-mark-in-out/hosts/venus/etc/strongswan.conf |    2 +-
 .../ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf  |    2 +-
 .../ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf  |    2 +-
 .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-psk-ipv4/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-psk-no-idr/hosts/carol/etc/strongswan.conf  |    2 +-
 .../rw-psk-no-idr/hosts/dave/etc/strongswan.conf   |    2 +-
 .../rw-psk-no-idr/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-sig-auth/hosts/carol/etc/strongswan.conf    |    2 +-
 .../rw-sig-auth/hosts/dave/etc/strongswan.conf     |    2 +-
 .../rw-sig-auth/hosts/moon/etc/strongswan.conf     |    2 +-
 .../rw-whitelist/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw-whitelist/hosts/dave/etc/strongswan.conf    |    2 +-
 .../rw-whitelist/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ikev2/trap-any/hosts/carol/etc/strongswan.conf |    2 +-
 .../ikev2/trap-any/hosts/dave/etc/strongswan.conf  |    2 +-
 .../ikev2/trap-any/hosts/moon/etc/strongswan.conf  |    2 +-
 .../ikev2/trap-any/hosts/sun/etc/strongswan.conf   |    2 +-
 .../two-certs/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/two-certs/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../virtual-ip/hosts/carol/etc/strongswan.conf     |    2 +-
 .../virtual-ip/hosts/dave/etc/strongswan.conf      |    2 +-
 .../virtual-ip/hosts/moon/etc/strongswan.conf      |    2 +-
 .../wildcards/hosts/carol/etc/strongswan.conf      |    2 +-
 .../ikev2/wildcards/hosts/dave/etc/strongswan.conf |    2 +-
 .../ikev2/wildcards/hosts/moon/etc/strongswan.conf |    2 +-
 .../host2host-ikev1/hosts/moon/etc/strongswan.conf |    2 +-
 .../host2host-ikev1/hosts/sun/etc/strongswan.conf  |    2 +-
 .../host2host-ikev2/hosts/moon/etc/strongswan.conf |    2 +-
 .../host2host-ikev2/hosts/sun/etc/strongswan.conf  |    2 +-
 .../net2net-ikev1/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-ikev1/hosts/sun/etc/strongswan.conf    |    2 +-
 .../net2net-ikev2/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-ikev2/hosts/sun/etc/strongswan.conf    |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf   |    2 +-
 .../ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf  |    2 +-
 .../ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf   |    2 +-
 .../ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../rw-psk-ikev1/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw-psk-ikev1/hosts/dave/etc/strongswan.conf    |    2 +-
 .../rw-psk-ikev1/hosts/moon/etc/strongswan.conf    |    2 +-
 .../rw-psk-ikev2/hosts/carol/etc/strongswan.conf   |    2 +-
 .../rw-psk-ikev2/hosts/dave/etc/strongswan.conf    |    2 +-
 .../rw-psk-ikev2/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../transport-ikev1/hosts/moon/etc/strongswan.conf |    2 +-
 .../transport-ikev1/hosts/sun/etc/strongswan.conf  |    2 +-
 .../transport-ikev2/hosts/moon/etc/strongswan.conf |    2 +-
 .../transport-ikev2/hosts/sun/etc/strongswan.conf  |    2 +-
 .../host2host-cert/hosts/moon/etc/strongswan.conf  |    3 +-
 .../host2host-cert/hosts/sun/etc/strongswan.conf   |    3 +-
 testing/tests/libipsec/net2net-3des/evaltest.dat   |    4 +-
 .../net2net-3des/hosts/moon/etc/ipsec.conf         |    4 +-
 .../net2net-3des/hosts/moon/etc/strongswan.conf    |    2 +-
 .../libipsec/net2net-3des/hosts/sun/etc/ipsec.conf |    4 +-
 .../net2net-3des/hosts/sun/etc/strongswan.conf     |    2 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    2 +-
 .../net2net-null/hosts/moon/etc/strongswan.conf    |    2 +-
 .../net2net-null/hosts/sun/etc/strongswan.conf     |    2 +-
 .../rw-suite-b/hosts/carol/etc/strongswan.conf     |    2 +-
 .../rw-suite-b/hosts/dave/etc/strongswan.conf      |    2 +-
 .../rw-suite-b/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ecdsa-certs/hosts/carol/etc/ipsec.conf         |    2 +
 .../ecdsa-certs/hosts/dave/etc/ipsec.conf          |    2 +
 .../ecdsa-certs/hosts/moon/etc/ipsec.conf          |    2 +
 .../critical-extension/hosts/moon/etc/ipsec.conf   |    2 +
 .../critical-extension/hosts/sun/etc/ipsec.conf    |    2 +
 .../ecdsa-certs/hosts/carol/etc/ipsec.conf         |    2 +
 .../ecdsa-certs/hosts/dave/etc/ipsec.conf          |    2 +
 .../ecdsa-certs/hosts/moon/etc/ipsec.conf          |    2 +
 .../ecdsa-pkcs8/hosts/carol/etc/ipsec.conf         |    2 +
 .../ecdsa-pkcs8/hosts/dave/etc/ipsec.conf          |    2 +
 .../ecdsa-pkcs8/hosts/moon/etc/ipsec.conf          |    2 +
 .../net2net-pgp-v3/hosts/moon/etc/ipsec.conf       |    5 +-
 .../net2net-pgp-v3/hosts/sun/etc/ipsec.conf        |    3 +
 .../net2net-pkcs12/hosts/moon/etc/ipsec.conf       |    2 +
 .../net2net-pkcs12/hosts/sun/etc/ipsec.conf        |    4 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../medsrv-psk/hosts/alice/etc/strongswan.conf     |    2 +-
 .../medsrv-psk/hosts/bob/etc/strongswan.conf       |    2 +-
 .../medsrv-psk/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf   |    2 +-
 .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf    |    2 +-
 .../alg-sha384/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha384/hosts/moon/etc/strongswan.conf      |    2 +-
 .../alg-sha512/hosts/carol/etc/strongswan.conf     |    2 +-
 .../alg-sha512/hosts/moon/etc/strongswan.conf      |    2 +-
 .../pfkey/compress/hosts/carol/etc/strongswan.conf |    2 +-
 .../pfkey/compress/hosts/moon/etc/strongswan.conf  |    2 +-
 .../esp-alg-null/hosts/carol/etc/strongswan.conf   |    2 +-
 .../esp-alg-null/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../pfkey/nat-rw/hosts/alice/etc/strongswan.conf   |    2 +-
 .../pfkey/nat-rw/hosts/sun/etc/strongswan.conf     |    2 +-
 .../pfkey/nat-rw/hosts/venus/etc/strongswan.conf   |    2 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |    2 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |    2 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../protoport-route/hosts/moon/etc/strongswan.conf |    2 +-
 .../pfkey/rw-cert/hosts/carol/etc/strongswan.conf  |    2 +-
 .../pfkey/rw-cert/hosts/dave/etc/strongswan.conf   |    2 +-
 .../pfkey/rw-cert/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 testing/tests/swanctl/config-payload/evaltest.dat  |    8 +-
 .../config-payload/hosts/carol/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../config-payload/hosts/dave/etc/strongswan.conf  |    2 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../config-payload/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/moon/etc/swanctl/swanctl_base.conf       |    4 +-
 testing/tests/swanctl/dhcp-dynamic/evaltest.dat    |    8 +-
 .../dhcp-dynamic/hosts/carol/etc/strongswan.conf   |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../dhcp-dynamic/hosts/dave/etc/strongswan.conf    |    2 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../dhcp-dynamic/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 testing/tests/swanctl/ip-pool-db/evaltest.dat      |    8 +-
 .../ip-pool-db/hosts/carol/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../ip-pool-db/hosts/dave/etc/strongswan.conf      |    2 +-
 .../ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf |    4 +-
 .../ip-pool-db/hosts/moon/etc/strongswan.conf      |    2 +-
 .../ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf |    4 +-
 testing/tests/swanctl/ip-pool/evaltest.dat         |    8 +-
 .../ip-pool/hosts/carol/etc/strongswan.conf        |    2 +-
 .../ip-pool/hosts/carol/etc/swanctl/swanctl.conf   |    4 +-
 .../swanctl/ip-pool/hosts/dave/etc/strongswan.conf |    2 +-
 .../ip-pool/hosts/dave/etc/swanctl/swanctl.conf    |    4 +-
 .../swanctl/ip-pool/hosts/moon/etc/strongswan.conf |    2 +-
 .../ip-pool/hosts/moon/etc/swanctl/swanctl.conf    |    4 +-
 testing/tests/swanctl/manual-prio/evaltest.dat     |    8 +-
 .../manual-prio/hosts/carol/etc/strongswan.conf    |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../manual-prio/hosts/dave/etc/strongswan.conf     |    2 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../manual-prio/hosts/moon/etc/strongswan.conf     |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat  |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 testing/tests/swanctl/net2net-cert/evaltest.dat    |    4 +-
 .../net2net-cert/hosts/moon/etc/strongswan.conf    |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../net2net-cert/hosts/sun/etc/strongswan.conf     |    2 +-
 .../hosts/sun/etc/swanctl/swanctl.conf             |    4 +-
 .../tests/swanctl/net2net-ed25519/description.txt  |    6 +
 testing/tests/swanctl/net2net-ed25519/evaltest.dat |    7 +
 .../net2net-ed25519/hosts/moon/etc/strongswan.conf |   22 +
 .../hosts/moon/etc/swanctl/pkcs8/moonKey.pem       |    3 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   33 +
 .../hosts/moon/etc/swanctl/x509/moonCert.pem       |   13 +
 .../moon/etc/swanctl/x509ca/strongswanCert.pem     |   11 +
 .../net2net-ed25519/hosts/sun/etc/strongswan.conf  |   22 +
 .../hosts/sun/etc/swanctl/pkcs8/sunKey.pem         |    3 +
 .../hosts/sun/etc/swanctl/swanctl.conf             |   33 +
 .../hosts/sun/etc/swanctl/x509/sunCert.pem         |   13 +
 .../sun/etc/swanctl/x509ca/strongswanCert.pem      |   11 +
 testing/tests/swanctl/net2net-ed25519/posttest.dat |    7 +
 testing/tests/swanctl/net2net-ed25519/pretest.dat  |    9 +
 testing/tests/swanctl/net2net-ed25519/test.conf    |   25 +
 testing/tests/swanctl/net2net-gw/evaltest.dat      |    4 +-
 .../net2net-gw/hosts/carol/etc/strongswan.conf     |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../net2net-gw/hosts/moon/etc/strongswan.conf      |    2 +-
 .../net2net-gw/hosts/moon/etc/swanctl/swanctl.conf |    4 +-
 .../net2net-gw/hosts/sun/etc/strongswan.conf       |    2 +-
 .../net2net-gw/hosts/sun/etc/swanctl/swanctl.conf  |    4 +-
 .../tests/swanctl/net2net-multicast/evaltest.dat   |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/sun/etc/swanctl/swanctl.conf             |    4 +-
 testing/tests/swanctl/net2net-route/evaltest.dat   |    4 +-
 .../net2net-route/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../net2net-route/hosts/sun/etc/strongswan.conf    |    2 +-
 .../hosts/sun/etc/swanctl/swanctl.conf             |    4 +-
 .../swanctl/net2net-sha3-rsa-cert/evaltest.dat     |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/sun/etc/swanctl/swanctl.conf             |    4 +-
 testing/tests/swanctl/net2net-start/evaltest.dat   |    4 +-
 .../net2net-start/hosts/moon/etc/strongswan.conf   |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../net2net-start/hosts/sun/etc/strongswan.conf    |    2 +-
 .../hosts/sun/etc/swanctl/swanctl.conf             |    4 +-
 .../tests/swanctl/ocsp-disabled/description.txt    |   10 +
 testing/tests/swanctl/ocsp-disabled/evaltest.dat   |    8 +
 .../ocsp-disabled/hosts/carol/etc/strongswan.conf  |   16 +
 .../hosts/carol/etc/swanctl/rsa/carolKey.pem       |   27 +
 .../hosts/carol/etc/swanctl/swanctl.conf           |   35 +
 .../hosts/carol/etc/swanctl/x509/carolCert.pem     |   26 +
 .../ocsp-disabled/hosts/moon/etc/strongswan.conf   |   15 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   25 +
 testing/tests/swanctl/ocsp-disabled/posttest.dat   |    3 +
 testing/tests/swanctl/ocsp-disabled/pretest.dat    |    5 +
 testing/tests/swanctl/ocsp-disabled/test.conf      |   25 +
 .../tests/swanctl/ocsp-signer-cert/description.txt |   10 +
 .../tests/swanctl/ocsp-signer-cert/evaltest.dat    |   11 +
 .../hosts/carol/etc/strongswan.conf                |   11 +
 .../hosts/carol/etc/swanctl/rsa/carolKey.pem       |   27 +
 .../hosts/carol/etc/swanctl/swanctl.conf           |   35 +
 .../hosts/carol/etc/swanctl/x509/carolCert.pem     |   26 +
 .../hosts/moon/etc/strongswan.conf                 |   10 +
 .../hosts/moon/etc/swanctl/swanctl.conf            |   25 +
 .../tests/swanctl/ocsp-signer-cert/posttest.dat    |    3 +
 testing/tests/swanctl/ocsp-signer-cert/pretest.dat |    5 +
 testing/tests/swanctl/ocsp-signer-cert/test.conf   |   25 +
 testing/tests/swanctl/protoport-dual/evaltest.dat  |    4 +-
 .../protoport-dual/hosts/carol/etc/strongswan.conf |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    6 +-
 .../protoport-dual/hosts/moon/etc/strongswan.conf  |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    6 +-
 testing/tests/swanctl/protoport-range/evaltest.dat |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    8 +-
 .../protoport-range/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    8 +-
 testing/tests/swanctl/rw-cert/evaltest.dat         |    8 +-
 .../rw-cert/hosts/carol/etc/strongswan.conf        |    2 +-
 .../rw-cert/hosts/carol/etc/swanctl/swanctl.conf   |    4 +-
 .../swanctl/rw-cert/hosts/dave/etc/strongswan.conf |    2 +-
 .../rw-cert/hosts/dave/etc/swanctl/swanctl.conf    |    4 +-
 .../swanctl/rw-cert/hosts/moon/etc/strongswan.conf |    2 +-
 .../rw-cert/hosts/moon/etc/swanctl/swanctl.conf    |    4 +-
 testing/tests/swanctl/rw-dnssec/evaltest.dat       |    8 +-
 .../rw-dnssec/hosts/carol/etc/strongswan.conf      |    2 +-
 .../rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf |    4 +-
 .../rw-dnssec/hosts/dave/etc/strongswan.conf       |    2 +-
 .../rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf  |    4 +-
 .../rw-dnssec/hosts/moon/etc/strongswan.conf       |    2 +-
 .../rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf  |    4 +-
 .../tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat |    8 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 testing/tests/swanctl/rw-hash-and-url/evaltest.dat |    8 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../rw-hash-and-url/hosts/dave/etc/strongswan.conf |    2 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../rw-hash-and-url/hosts/moon/etc/strongswan.conf |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../swanctl/rw-multi-ciphers-ikev1/evaltest.dat    |    4 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../hosts/dave/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    6 +-
 .../hosts/carol/etc/strongswan.conf                |    2 +-
 .../hosts/dave/etc/strongswan.conf                 |    4 +-
 .../hosts/moon/etc/strongswan.conf                 |    2 +-
 testing/tests/swanctl/rw-psk-fqdn/evaltest.dat     |    8 +-
 .../rw-psk-fqdn/hosts/carol/etc/strongswan.conf    |    4 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../rw-psk-fqdn/hosts/dave/etc/strongswan.conf     |    4 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../rw-psk-fqdn/hosts/moon/etc/strongswan.conf     |    4 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 testing/tests/swanctl/rw-psk-ikev1/evaltest.dat    |    8 +-
 .../rw-psk-ikev1/hosts/carol/etc/strongswan.conf   |    4 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../rw-psk-ikev1/hosts/dave/etc/strongswan.conf    |    4 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../rw-psk-ikev1/hosts/moon/etc/strongswan.conf    |    4 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    8 +-
 testing/tests/swanctl/rw-psk-ipv4/evaltest.dat     |    8 +-
 .../rw-psk-ipv4/hosts/carol/etc/strongswan.conf    |    4 +-
 .../hosts/carol/etc/swanctl/swanctl.conf           |    4 +-
 .../rw-psk-ipv4/hosts/dave/etc/strongswan.conf     |    4 +-
 .../hosts/dave/etc/swanctl/swanctl.conf            |    4 +-
 .../rw-psk-ipv4/hosts/moon/etc/strongswan.conf     |    4 +-
 .../hosts/moon/etc/swanctl/swanctl.conf            |    4 +-
 .../swanctl/shunt-policies-nat-rw/evaltest.dat     |    8 +-
 .../hosts/alice/etc/strongswan.conf                |    2 +-
 .../hosts/alice/etc/swanctl/swanctl.conf           |    4 +-
 .../hosts/sun/etc/strongswan.conf                  |    2 +-
 .../hosts/sun/etc/swanctl/swanctl.conf             |    4 +-
 .../hosts/venus/etc/strongswan.conf                |    2 +-
 .../hosts/venus/etc/swanctl/swanctl.conf           |    4 +-
 .../hosts/alice/etc/strongTNC/settings.ini         |    2 +-
 testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat     |    2 +-
 .../hosts/alice/etc/strongTNC/settings.ini         |    2 +-
 testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat  |    2 +-
 1427 files changed, 26630 insertions(+), 5087 deletions(-)

diff --git a/Android.common.mk b/Android.common.mk
index 3447d5b..56e5fd8 100644
--- a/Android.common.mk
+++ b/Android.common.mk
@@ -26,5 +26,5 @@ add_plugin_subdirs = $(if $(call plugin_enabled,$(1)), \
               )
 
 # strongSwan version, replaced by top Makefile
-strongswan_VERSION := "5.5.1"
+strongswan_VERSION := "5.5.2"
 
diff --git a/Makefile.am b/Makefile.am
index 64b858d..a02c576 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -54,7 +54,7 @@ cov-report:
 		@mkdir $(top_builddir)/coverage
 		lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) \
 			 --rc lcov_branch_coverage=1
-		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' \
+		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' '*/suites/*' '/usr*' \
 			 -o $(top_builddir)/coverage/coverage.cleaned.info \
 			 --rc lcov_branch_coverage=1
 		genhtml --num-spaces 4 --legend --branch-coverage --ignore-errors source \
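Review bot: The new `'/usr*'` pattern on the `lcov -r` line is an unanchored prefix glob, so it removes every record whose path begins with `/usr`, not only system headers. If the source or build tree itself lives under `/usr` (for example `/usr/src/...` or `/usr/local/src/...`), the project's own files would be stripped and the cleaned report would silently come out empty or nearly so. Assuming the intent is to drop system headers, a narrower pattern such as `'/usr/include/*'` would be safer. The same line is repeated in the generated Makefile.in hunk, and the cov-report recipe starts and continues outside this hunk.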
diff --git a/Makefile.in b/Makefile.in
index c85aa44..521c253 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -388,7 +388,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -423,6 +422,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -1031,7 +1031,7 @@ cov-reset-common:
 @COVERAGE_TRUE@		@mkdir $(top_builddir)/coverage
 @COVERAGE_TRUE@		lcov -c -o $(top_builddir)/coverage/coverage.info -d $(top_builddir) \
 @COVERAGE_TRUE@			 --rc lcov_branch_coverage=1
- at COVERAGE_TRUE@		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' \
+ at COVERAGE_TRUE@		lcov -r $(top_builddir)/coverage/coverage.info '*/tests/*' '*/suites/*' '/usr*' \
 @COVERAGE_TRUE@			 -o $(top_builddir)/coverage/coverage.cleaned.info \
 @COVERAGE_TRUE@			 --rc lcov_branch_coverage=1
 @COVERAGE_TRUE@		genhtml --num-spaces 4 --legend --branch-coverage --ignore-errors source \
diff --git a/NEWS b/NEWS
index 3a7aba8..aed5ee1d 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,44 @@
+strongswan-5.5.2
+----------------
+
+- Support of Diffie-Hellman group 31 using Curve25519 for IKE as defined
+  by RFC 8031.
+
+- Support of Ed25519 digital signature algorithm for IKEv2 as defined by
+  draft-ietf-ipsecme-eddsa. Ed25519-based public key pairs, X.509 certificates
+  and CRLs can be generated and printed by the pki tool.
+
+- The new "tpm" libtpmtss plugin allows to use persistent private RSA and ECDSA
+  keys bound to a TPM 2.0 for both IKE and TLS authentication. Using the
+  TPM 2.0 object handle as keyid parameter, the pki --pub tool can extract
+  the public key from the TPM thereby replacing the aikpub2 tool. In a similar
+  fashion pki --req can generate a PKCS#10 certificate request signed with
+  the TPM private key.
+
+- The pki tool gained support for generating certificates with the RFC 3779
+  addrblock extension. The charon addrblock plugin now dynamically narrows
+  traffic selectors based on the certificate addrblocks instead of rejecting
+  non-matching selectors completely. This allows generic connections, where
+  the allowed selectors are defined by the used certificates only.
+
+- In-place update of cached base and delta CRLs does not leave dozens
+  of stale copies in cache memory.
+
+- Several new features for the VICI interface and the swanctl utility: Querying
+  specific pools, enumerating and unloading keys and shared secrets, loading
+  keys and certificates from PKCS#11 tokens, the ability to initiate, install
+  and uninstall connections and policies by their exact name (if multiple child
+  sections in different connections share the same name), a command to initiate
+  the rekeying of IKE and IPsec SAs, support for settings previously only
+  supported by the old config files (plain pubkeys, dscp, certificate policies,
+  IPv6 Transport Proxy Mode, NT Hash secrets, mediation extension).
+
+  Important:  Due to issues with VICI bindings that map sub-sections to
+  dictionaries the CHILD_SA sections returned via list-sas now have a unique
+  name, the original name of a CHILD_SA is returned in the "name" key of its
+  section.
+
+
 strongswan-5.5.1
 ----------------
 
@@ -1356,7 +1397,7 @@ strongswan-4.3.5
   correctly if the system time changes (e.g. when using NTP).
 
 - In addition to time based rekeying, charon supports IPsec SA lifetimes based
-  on processed volume or number of packets. They new ipsec.conf paramaters
+  on processed volume or number of packets. They new ipsec.conf parameters
   'lifetime' (an alias to 'keylife'), 'lifebytes' and 'lifepackets' handle
   SA timeouts, while the parameters 'margintime' (an alias to rekeymargin),
   'marginbytes' and 'marginpackets' trigger the rekeying before a SA expires.
@@ -1584,7 +1625,7 @@ strongswan-4.2.10
   counterparts with better lookup times.
 
 - Better parallelization to run charon on multiple cores. Due to improved
-  ressource locking and other optimizations the daemon can take full
+  resource locking and other optimizations the daemon can take full
   advantage of 16 or even more cores.
 
 - The load-tester plugin can use a NULL Diffie-Hellman group and simulate
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 4588b09..eb5c9c2 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -9,7 +9,6 @@ pluginstemplatedir = $(templatesdir)/plugins
 
 options = \
 	options/aikgen.opt \
-	options/aikpub2.opt \
 	options/attest.opt \
 	options/charon.opt \
 	options/charon-logging.opt \
@@ -28,10 +27,12 @@ options = \
 	options/tnc.opt
 
 plugins = \
+	plugins/addrblock.opt \
 	plugins/android_log.opt \
 	plugins/attr.opt \
 	plugins/attr-sql.opt \
 	plugins/bliss.opt \
+	plugins/bypass-lan.opt \
 	plugins/certexpire.opt \
 	plugins/coupling.opt \
 	plugins/dhcp.opt \
@@ -80,6 +81,7 @@ plugins = \
 	plugins/radattr.opt \
 	plugins/random.opt \
 	plugins/resolve.opt \
+	plugins/revocation.opt \
 	plugins/socket-default.opt \
 	plugins/sql.opt \
 	plugins/stroke.opt \
@@ -90,6 +92,7 @@ plugins = \
 	plugins/tnc-pdp.opt \
 	plugins/tnccs-11.opt \
 	plugins/tnccs-20.opt \
+	plugins/tpm.opt \
 	plugins/unbound.opt \
 	plugins/updown.opt \
 	plugins/vici.opt \
diff --git a/conf/Makefile.in b/conf/Makefile.in
index e6d66a2..70e1b01 100644
--- a/conf/Makefile.in
+++ b/conf/Makefile.in
@@ -312,7 +312,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -347,6 +346,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -407,7 +407,6 @@ optionstemplatedir = $(templatesdir)/strongswan.d
 pluginstemplatedir = $(templatesdir)/plugins
 options = \
 	options/aikgen.opt \
-	options/aikpub2.opt \
 	options/attest.opt \
 	options/charon.opt \
 	options/charon-logging.opt \
@@ -426,10 +425,12 @@ options = \
 	options/tnc.opt
 
 plugins = \
+	plugins/addrblock.opt \
 	plugins/android_log.opt \
 	plugins/attr.opt \
 	plugins/attr-sql.opt \
 	plugins/bliss.opt \
+	plugins/bypass-lan.opt \
 	plugins/certexpire.opt \
 	plugins/coupling.opt \
 	plugins/dhcp.opt \
@@ -478,6 +479,7 @@ plugins = \
 	plugins/radattr.opt \
 	plugins/random.opt \
 	plugins/resolve.opt \
+	plugins/revocation.opt \
 	plugins/socket-default.opt \
 	plugins/sql.opt \
 	plugins/stroke.opt \
@@ -488,6 +490,7 @@ plugins = \
 	plugins/tnc-pdp.opt \
 	plugins/tnccs-11.opt \
 	plugins/tnccs-20.opt \
+	plugins/tpm.opt \
 	plugins/unbound.opt \
 	plugins/updown.opt \
 	plugins/vici.opt \
diff --git a/conf/options/aikpub2.conf b/conf/options/aikpub2.conf
deleted file mode 100644
index fd48f2c..0000000
--- a/conf/options/aikpub2.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-aikpub2 {
-
-    # Plugins to load in aikpub2 tool.
-    # load =
-
-}
-
diff --git a/conf/options/aikpub2.opt b/conf/options/aikpub2.opt
deleted file mode 100644
index 6a755d2..0000000
--- a/conf/options/aikpub2.opt
+++ /dev/null
@@ -1,2 +0,0 @@
-aikpub2.load =
-	Plugins to load in aikpub2 tool.
diff --git a/conf/options/charon.conf b/conf/options/charon.conf
index f72041e..1b5d52d 100644
--- a/conf/options/charon.conf
+++ b/conf/options/charon.conf
@@ -164,6 +164,9 @@ charon {
     # will be allocated.
     # port_nat_t = 4500
 
+    # Wether to prefer updating SAs to the path with the best route.
+    # prefer_best_path = no
+
     # Prefer locally configured proposals for IKE/IPsec over supplied ones as
     # responder (disabling this can avoid keying retries due to
     # INVALID_KE_PAYLOAD notifies).
@@ -236,6 +239,12 @@ charon {
     # Whether to enable constraints against IKEv2 signature schemes.
     # signature_authentication_constraints = yes
 
+    # The upper limit for SPIs requested from the kernel for IPsec SAs.
+    # spi_max = 0xcfffffff
+
+    # The lower limit for SPIs requested from the kernel for IPsec SAs.
+    # spi_min = 0xc0000000
+
     # Number of worker threads in charon.
     # threads = 16
 
diff --git a/conf/options/charon.opt b/conf/options/charon.opt
index 6e0b37c..4c4311e 100644
--- a/conf/options/charon.opt
+++ b/conf/options/charon.opt
@@ -260,6 +260,16 @@ charon.port_nat_t = 4500
 	allocated.  Has to be different from **charon.port**, otherwise a random
 	port will be allocated.
 
+charon.prefer_best_path = no
+	Wether to prefer updating SAs to the path with the best route.
+
+	By default, charon keeps SAs on the routing path with addresses it
+	previously used if that path is still usable. By setting this option to
+	yes, it tries more aggressively to update SAs with MOBIKE on routing
+	priority changes using the cheapest path. This adds more noise, but allows
+	to dynamically adapt SAs to routing priority changes. This option has no
+	effect if MOBIKE is not supported or disabled.
+
 charon.prefer_configured_proposals = yes
 	Prefer locally configured proposals for	IKE/IPsec over supplied ones as
 	responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
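Review bot: The summary line of `charon.prefer_best_path` misspells "Whether" as "Wether"; it should read `Whether to prefer updating SAs to the path with the best route.` The same misspelling appears in the conf/options/charon.conf hunk, which looks to be generated from this file, so fixing it here should cover both. The long description also moves from "best route" in the summary to "cheapest path" without saying the two mean the same thing. "allows to dynamically adapt SAs" would read better as "allows SAs to adapt dynamically".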
@@ -340,6 +350,16 @@ charon.signature_authentication_constraints = yes
 	certificate chain, are also used as constraints against the signature scheme
 	used by peers during IKEv2.
 
+charon.spi_min = 0xc0000000
+	The lower limit for SPIs requested from the kernel for IPsec SAs.
+
+	The lower limit for SPIs requested from the kernel for IPsec SAs. Should not
+	be set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved
+	by IANA.
+
+charon.spi_max = 0xcfffffff
+	The upper limit for SPIs requested from the kernel for IPsec SAs.
+
 charon.start-scripts {}
 	Section containing a list of scripts (name = path) that are executed when
 	the daemon is started.
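Review bot: `charon.spi_max` is added with only its one-line summary, and neither option says how the two limits must relate or what the daemon does when `spi_max` is below `spi_min`. I would add a long description to `spi_max` along the lines of `Has to be greater than or equal to **charon.spi_min**.`, worded to match whatever the code actually enforces, which is not visible in this hunk. The `spi_min` long description repeats its summary sentence verbatim before the IANA note, so the first sentence can be dropped. The reserved range 1-255 is stated only as "Should not"; if the daemon rejects or clamps such values, the text should say so.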
diff --git a/conf/plugins/addrblock.conf b/conf/plugins/addrblock.conf
new file mode 100644
index 0000000..2749613
--- /dev/null
+++ b/conf/plugins/addrblock.conf
@@ -0,0 +1,11 @@
+addrblock {
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+    # Whether to strictly require addrblock extension in subject certificates.
+    # strict = yes
+
+}
+
diff --git a/conf/plugins/addrblock.opt b/conf/plugins/addrblock.opt
new file mode 100644
index 0000000..e35e4c5
--- /dev/null
+++ b/conf/plugins/addrblock.opt
@@ -0,0 +1,8 @@
+charon.plugins.addrblock.strict = yes
+	Whether to strictly require addrblock extension in subject certificates.
+
+	If set to yes, a subject certificate without an addrblock extension is
+	rejected if the issuer certificate has such an addrblock extension. If set
+	to no, subject certificates issued without the addrblock extension are
+	accepted without any traffic selector checks and no policy is enforced
+	by the plugin.
diff --git a/conf/plugins/bypass-lan.conf b/conf/plugins/bypass-lan.conf
new file mode 100644
index 0000000..ad496db
--- /dev/null
+++ b/conf/plugins/bypass-lan.conf
@@ -0,0 +1,17 @@
+bypass-lan {
+
+    # A comma-separated list of network interfaces for which connected subnets
+    # should be ignored, if interfaces_use is specified this option has no
+    # effect.
+    # interfaces_ignore =
+
+    # A comma-separated list of network interfaces for which connected subnets
+    # should be considered. All other interfaces are ignored.
+    # interfaces_use =
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+}
+
diff --git a/conf/plugins/bypass-lan.opt b/conf/plugins/bypass-lan.opt
new file mode 100644
index 0000000..8c72fac
--- /dev/null
+++ b/conf/plugins/bypass-lan.opt
@@ -0,0 +1,8 @@
+charon.plugins.bypass-lan.interfaces_ignore
+	A comma-separated list of network interfaces for which connected subnets
+	should be ignored, if **interfaces_use** is specified this option has no
+	effect.
+
+charon.plugins.bypass-lan.interfaces_use
+	A comma-separated list of network interfaces for which connected subnets
+	should be considered. All other interfaces are ignored.
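Review bot: Both descriptions say subnets are "ignored" or "considered" without saying for what. According to the configure help text in this commit, the plugin installs bypass policies for local subnets, so these lists decide which connected networks are exempted from IPsec processing. An operator reading only these entries cannot tell that. I would open the first entry with something like `A comma-separated list of network interfaces for which connected subnets should not get a bypass policy.` and word the second one correspondingly. The first entry also joins two sentences with a comma; `... should be ignored. If **interfaces_use** is specified, this option has no effect.` reads more clearly.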
diff --git a/conf/plugins/kernel-netlink.conf b/conf/plugins/kernel-netlink.conf
index 47f7d58..22d94ee 100644
--- a/conf/plugins/kernel-netlink.conf
+++ b/conf/plugins/kernel-netlink.conf
@@ -3,6 +3,9 @@ kernel-netlink {
     # Buffer size for received Netlink messages.
     # buflen = <min(PAGE_SIZE, 8192)>
 
+    # Force maximum Netlink receive buffer on Netlink socket.
+    # force_receive_buffer_size = no
+
     # Firewall mark to set on the routing rule that directs traffic to our
     # routing table.
     # fwmark =
@@ -32,6 +35,9 @@ kernel-netlink {
     # Whether to use port or socket based IKE XFRM bypass policies.
     # port_bypass = no
 
+    # Maximum Netlink socket receive buffer in bytes.
+    # receive_buffer_size = 0
+
     # Number of Netlink message retransmissions to send on timeout.
     # retries = 0
 
diff --git a/conf/plugins/kernel-netlink.opt b/conf/plugins/kernel-netlink.opt
index 77ba6ea..1136af1 100644
--- a/conf/plugins/kernel-netlink.opt
+++ b/conf/plugins/kernel-netlink.opt
@@ -1,6 +1,14 @@
 charon.plugins.kernel-netlink.buflen = <min(PAGE_SIZE, 8192)>
 	Buffer size for received Netlink messages.
 
+charon.plugins.kernel-netlink.force_receive_buffer_size = no
+	Force maximum Netlink receive buffer on Netlink socket.
+
+	If the maximum Netlink socket receive buffer in bytes set by
+	_receive_buffer_size_ exceeds the system-wide maximum from
+	/proc/sys/net/core/rmem_max, this option can be used to override the limit.
+	Enabling this option requires special priviliges (CAP_NET_ADMIN).
+
 charon.plugins.kernel-netlink.fwmark =
 	Firewall mark to set on the routing rule that directs traffic to our routing
 	table.
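Review bot: In the `force_receive_buffer_size` description, "priviliges" should be "privileges", i.e. `Enabling this option requires special privileges (CAP_NET_ADMIN).`; the same misspelling is carried into the strongswan.conf.5.main hunk. The cross-reference is written `_receive_buffer_size_`, while bypass-lan.opt in this commit uses `**interfaces_use**`, so one markup style should be chosen. In the second hunk of this file, the `receive_buffer_size` long description repeats its summary sentence. It has a stray tab in `_force_receive_buffer_size_	is enabled`. It also does not say what the default `0` means, presumably "leave the kernel default from rmem_default untouched", which should be stated explicitly.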
@@ -39,6 +47,15 @@ charon.plugins.kernel-netlink.port_bypass = no
 	port based policies use global XFRM bypass policies for the used IKE UDP
 	ports.
 
+charon.plugins.kernel-netlink.receive_buffer_size = 0
+	Maximum Netlink socket receive buffer in bytes.
+
+	Maximum Netlink socket receive buffer in bytes. This value controls how many
+	bytes of Netlink messages can be received on a Netlink socket. The default
+	value is set by /proc/sys/net/core/rmem_default. The specified value cannot
+	exceed the system-wide maximum from /proc/sys/net/core/rmem_max, unless
+	_force_receive_buffer_size_	is enabled.
+
 charon.plugins.kernel-netlink.roam_events = yes
 	Whether to trigger roam events when interfaces, addresses or routes change.
 
diff --git a/conf/plugins/pkcs11.conf b/conf/plugins/pkcs11.conf
index 35248c2..c786a9a 100644
--- a/conf/plugins/pkcs11.conf
+++ b/conf/plugins/pkcs11.conf
@@ -4,9 +4,6 @@ pkcs11 {
     # priority of this plugin.
     load = yes
 
-    # Whether to load certificates from tokens.
-    # load_certs = yes
-
     # Reload certificates from all tokens if charon receives a SIGHUP.
     # reload_certs = no
 
@@ -31,6 +28,19 @@ pkcs11 {
     # List of available PKCS#11 modules.
     modules {
 
+        <name> {
+
+            # Whether to automatically load certificates from tokens.
+            # load_certs = yes
+
+            # Whether OS locking should be enabled for this module.
+            # os_locking = no
+
+            # Full path to the shared object file of this PKCS#11 module.
+            # path =
+
+        }
+
     }
 
 }
diff --git a/conf/plugins/pkcs11.opt b/conf/plugins/pkcs11.opt
index f5a2028..8f328f0 100644
--- a/conf/plugins/pkcs11.opt
+++ b/conf/plugins/pkcs11.opt
@@ -1,8 +1,14 @@
 charon.plugins.pkcs11.modules {}
 	List of available PKCS#11 modules.
 
-charon.plugins.pkcs11.load_certs = yes
-	Whether to load certificates from tokens.
+charon.plugins.pkcs11.modules.<name>.path =
+	Full path to the shared object file of this PKCS#11 module.
+
+charon.plugins.pkcs11.modules.<name>.os_locking = no
+	Whether OS locking should be enabled for this module.
+
+charon.plugins.pkcs11.modules.<name>.load_certs = yes
+	Whether to automatically load certificates from tokens.
 
 charon.plugins.pkcs11.reload_certs = no
 	Reload certificates from all tokens if charon receives a SIGHUP.
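Review bot: The new `modules.<name>.path` entry names a shared object that the plugin presumably loads into the daemon process, but the description gives no guidance on protecting that file. I would add a long description such as `The library is loaded by the daemon, so the file and its parent directories should be writable only by root.` Separately, the plugin-level `charon.plugins.pkcs11.load_certs` entry is removed here in favour of the per-module key. If the daemon no longer reads the old key (not visible in this hunk), an existing `load_certs = no` would silently stop having any effect. That deserves a line in NEWS or in the new description.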
diff --git a/conf/plugins/revocation.conf b/conf/plugins/revocation.conf
new file mode 100644
index 0000000..ca24a64
--- /dev/null
+++ b/conf/plugins/revocation.conf
@@ -0,0 +1,14 @@
+revocation {
+
+    # Whether CRL validation should be enabled.
+    # enable_crl = yes
+
+    # Whether OCSP validation should be enabled.
+    # enable_ocsp = yes
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+}
+
diff --git a/conf/plugins/revocation.opt b/conf/plugins/revocation.opt
new file mode 100644
index 0000000..5d2b8c0
--- /dev/null
+++ b/conf/plugins/revocation.opt
@@ -0,0 +1,7 @@
+charon.plugins.revocation.enable_ocsp = yes
+	Whether OCSP validation should be enabled.
+
+charon.plugins.revocation.enable_crl = yes
+	Whether CRL validation should be enabled.
+
+
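Review bot: Neither `enable_ocsp` nor `enable_crl` has a long description, so the consequence of turning one off is left to the reader. With either set to `no`, revocations published only through that mechanism would presumably go unnoticed. With both set to `no`, the plugin would appear to perform no revocation checking while still being loaded. I would add a sentence to each, for example `If disabled, certificates are not checked against CRLs; revocation then relies on OCSP only.`, adjusted to the plugin's actual fallback behaviour, which this hunk does not show. The file also ends with two blank lines where one would do.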
diff --git a/conf/plugins/tpm.conf b/conf/plugins/tpm.conf
new file mode 100644
index 0000000..222bb7b
--- /dev/null
+++ b/conf/plugins/tpm.conf
@@ -0,0 +1,11 @@
+tpm {
+
+    # Whether to load the plugin. Can also be an integer to increase the
+    # priority of this plugin.
+    load = yes
+
+    # Whether the TPM should be used as RNG.
+    # use_rng = no
+
+}
+
diff --git a/conf/plugins/tpm.opt b/conf/plugins/tpm.opt
new file mode 100644
index 0000000..cd666dd
--- /dev/null
+++ b/conf/plugins/tpm.opt
@@ -0,0 +1,2 @@
+charon.plugins.tpm.use_rng = no
+	Whether the TPM should be used as RNG.
diff --git a/conf/strongswan.conf.5.main b/conf/strongswan.conf.5.main
index c0ecbb7..72ab3a7 100644
--- a/conf/strongswan.conf.5.main
+++ b/conf/strongswan.conf.5.main
@@ -3,10 +3,6 @@
 Plugins to load in ipsec aikgen tool.
 
 .TP
-.BR aikpub2.load " []"
-Plugins to load in aikpub2 tool.
-
-.TP
 .BR attest.database " []"
 File measurement information database URI. If it contains a password, make sure
 to adjust the permissions of the config file accordingly.
@@ -402,6 +398,13 @@ WINS servers assigned to peer via configuration payload (CP).
 WINS servers assigned to peer via configuration payload (CP).
 
 .TP
+.BR charon.plugins.addrblock.strict " [yes]"
+If set to yes, a subject certificate without an addrblock extension is rejected
+if the issuer certificate has such an addrblock extension. If set to no, subject
+certificates issued without the addrblock extension are accepted without any
+traffic selector checks and no policy is enforced by the plugin.
+
+.TP
 .BR charon.plugins.android_log.loglevel " [1]"
 Loglevel for logging to Android specific logger.
 
@@ -442,6 +445,18 @@ Enable logging of SQL IP pool leases.
 Use the enhanced BLISS\-B key generation and signature algorithm.
 
 .TP
+.BR charon.plugins.bypass-lan.interfaces_ignore " []"
+A comma\-separated list of network interfaces for which connected subnets should
+be ignored, if
+.RB "" "interfaces_use" ""
+is specified this option has no effect.
+
+.TP
+.BR charon.plugins.bypass-lan.interfaces_use " []"
+A comma\-separated list of network interfaces for which connected subnets should
+be considered. All other interfaces are ignored.
+
+.TP
 .BR charon.plugins.certexpire.csv.cron " []"
 Cron style string specifying CSV export times.
 
@@ -922,6 +937,14 @@ to circumvent that problem.
 Buffer size for received Netlink messages.
 
 .TP
+.BR charon.plugins.kernel-netlink.force_receive_buffer_size " [no]"
+If the maximum Netlink socket receive buffer in bytes set by
+.RI "" "receive_buffer_size" ""
+exceeds the system\-wide maximum from
+/proc/sys/net/core/rmem_max, this option can be used to override the limit.
+Enabling this option requires special priviliges (CAP_NET_ADMIN).
+
+.TP
 .BR charon.plugins.kernel-netlink.fwmark " []"
 Firewall mark to set on the routing rule that directs traffic to our routing
 table. The format is [!]mark[/mask], where the optional exclamation mark inverts
@@ -962,6 +985,15 @@ based policies are directly tied to the IKE UDP sockets, port based policies use
 global XFRM bypass policies for the used IKE UDP ports.
 
 .TP
+.BR charon.plugins.kernel-netlink.receive_buffer_size " [0]"
+Maximum Netlink socket receive buffer in bytes. This value controls how many
+bytes of Netlink messages can be received on a Netlink socket. The default value
+is set by /proc/sys/net/core/rmem_default. The specified value cannot exceed the
+system\-wide maximum from /proc/sys/net/core/rmem_max, unless
+.RI "" "force_receive_buffer_size" ""
+is enabled.
+
+.TP
 .BR charon.plugins.kernel-netlink.retries " [0]"
 Number of Netlink message retransmissions to send on timeout.
 
@@ -1264,15 +1296,23 @@ server addresses.  Requests will be sent for addresses of the same families for
 which internal IPs are requested.
 
 .TP
-.BR charon.plugins.pkcs11.load_certs " [yes]"
-Whether to load certificates from tokens.
-
-.TP
 .B charon.plugins.pkcs11.modules
 .br
 List of available PKCS#11 modules.
 
 .TP
+.BR charon.plugins.pkcs11.modules.<name>.load_certs " [yes]"
+Whether to automatically load certificates from tokens.
+
+.TP
+.BR charon.plugins.pkcs11.modules.<name>.os_locking " [no]"
+Whether OS locking should be enabled for this module.
+
+.TP
+.BR charon.plugins.pkcs11.modules.<name>.path " []"
+Full path to the shared object file of this PKCS#11 module.
+
+.TP
 .BR charon.plugins.pkcs11.reload_certs " [no]"
 Reload certificates from all tokens if charon receives a SIGHUP.
 
@@ -1338,6 +1378,14 @@ should have a high priority according to the order defined in
 
 
 .TP
+.BR charon.plugins.revocation.enable_crl " [yes]"
+Whether CRL validation should be enabled.
+
+.TP
+.BR charon.plugins.revocation.enable_ocsp " [yes]"
+Whether OCSP validation should be enabled.
+
+.TP
 .BR charon.plugins.socket-default.fwmark " []"
 Firewall mark to set on outbound packets.
 
@@ -1523,6 +1571,10 @@ Send an unsupported PB\-TNC message type with the NOSKIP flag set.
 Send a PB\-TNC batch with a modified PB\-TNC version.
 
 .TP
+.BR charon.plugins.tpm.use_rng " [no]"
+Whether the TPM should be used as RNG.
+
+.TP
 .BR charon.plugins.unbound.dlv_anchors " []"
 File to read trusted keys for DLV (DNSSEC Lookaside Validation) from. It uses
 the same format as
@@ -1588,6 +1640,15 @@ otherwise a random port
 will be allocated.
 
 .TP
+.BR charon.prefer_best_path " [no]"
+By default, charon keeps SAs on the routing path with addresses it previously
+used if that path is still usable. By setting this option to yes, it tries more
+aggressively to update SAs with MOBIKE on routing priority changes using the
+cheapest path. This adds more noise, but allows to dynamically adapt SAs to
+routing priority changes. This option has no effect if MOBIKE is not supported
+or disabled.
+
+.TP
 .BR charon.prefer_configured_proposals " [yes]"
 Prefer locally configured proposals for IKE/IPsec over supplied ones as
 responder (disabling this can avoid keying retries due to INVALID_KE_PAYLOAD
@@ -1695,6 +1756,15 @@ are also used as constraints against the signature scheme used by peers during
 IKEv2.
 
 .TP
+.BR charon.spi_max " [0xcfffffff]"
+The upper limit for SPIs requested from the kernel for IPsec SAs.
+
+.TP
+.BR charon.spi_min " [0xc0000000]"
+The lower limit for SPIs requested from the kernel for IPsec SAs. Should not be
+set lower than 0x00000100 (256), as SPIs between 1 and 255 are reserved by IANA.
+
+.TP
 .B charon.start-scripts
 .br
 Section containing a list of scripts (name = path) that are executed when the
diff --git a/configure b/configure
index 52a1971..bdf0dfe 100755
--- a/configure
+++ b/configure
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for strongSwan 5.5.1.
+# Generated by GNU Autoconf 2.69 for strongSwan 5.5.2.
 #
 #
 # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -587,8 +587,8 @@ MAKEFLAGS=
 # Identity of this package.
 PACKAGE_NAME='strongSwan'
 PACKAGE_TARNAME='strongswan'
-PACKAGE_VERSION='5.5.1'
-PACKAGE_STRING='strongSwan 5.5.1'
+PACKAGE_VERSION='5.5.2'
+PACKAGE_STRING='strongSwan 5.5.2'
 PACKAGE_BUGREPORT=''
 PACKAGE_URL=''
 
@@ -649,8 +649,6 @@ USE_SVC_FALSE
 USE_SVC_TRUE
 USE_SWANCTL_FALSE
 USE_SWANCTL_TRUE
-USE_AIKPUB2_FALSE
-USE_AIKPUB2_TRUE
 USE_AIKGEN_FALSE
 USE_AIKGEN_TRUE
 USE_CMD_FALSE
@@ -755,6 +753,8 @@ USE_FORECAST_FALSE
 USE_FORECAST_TRUE
 USE_CONNMARK_FALSE
 USE_CONNMARK_TRUE
+USE_BYPASS_LAN_FALSE
+USE_BYPASS_LAN_TRUE
 USE_SOCKET_WIN_FALSE
 USE_SOCKET_WIN_TRUE
 USE_SOCKET_DYNAMIC_FALSE
@@ -927,6 +927,8 @@ USE_CTR_FALSE
 USE_CTR_TRUE
 USE_CHAPOLY_FALSE
 USE_CHAPOLY_TRUE
+USE_TPM_FALSE
+USE_TPM_TRUE
 USE_PKCS11_FALSE
 USE_PKCS11_TRUE
 USE_KEYCHAIN_FALSE
@@ -983,6 +985,8 @@ USE_AESNI_FALSE
 USE_AESNI_TRUE
 USE_RDRAND_FALSE
 USE_RDRAND_TRUE
+USE_CURVE25519_FALSE
+USE_CURVE25519_TRUE
 USE_GMP_FALSE
 USE_GMP_TRUE
 USE_FIPS_PRF_FALSE
@@ -1023,7 +1027,7 @@ USE_TEST_VECTORS_FALSE
 USE_TEST_VECTORS_TRUE
 t_plugins
 s_plugins
-h_plugins
+p_plugins
 c_plugins
 aikgen_plugins
 cmd_plugins
@@ -1306,6 +1310,7 @@ enable_fips_prf
 enable_gcm
 enable_gcrypt
 enable_gmp
+enable_curve25519
 enable_hmac
 enable_md4
 enable_md5
@@ -1369,6 +1374,7 @@ enable_ext_auth
 enable_ipseckey
 enable_keychain
 enable_pkcs11
+enable_tpm
 enable_revocation
 enable_whitelist
 enable_xauth_generic
@@ -1417,6 +1423,7 @@ enable_tnccs_11
 enable_tnccs_20
 enable_tnccs_dynamic
 enable_android_log
+enable_bypass_lan
 enable_certexpire
 enable_connmark
 enable_forecast
@@ -1432,7 +1439,6 @@ enable_systime_fix
 enable_test_vectors
 enable_updown
 enable_aikgen
-enable_aikpub2
 enable_charon
 enable_cmd
 enable_conftest
@@ -2072,7 +2078,7 @@ if test "$ac_init_help" = "long"; then
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures strongSwan 5.5.1 to adapt to many kinds of systems.
+\`configure' configures strongSwan 5.5.2 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -2143,7 +2149,7 @@ fi
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of strongSwan 5.5.1:";;
+     short | recursive ) echo "Configuration of strongSwan 5.5.2:";;
    esac
   cat <<\_ACEOF
 
@@ -2167,6 +2173,7 @@ Optional Features:
   --enable-gcrypt         enables the libgcrypt plugin.
   --disable-gmp           disable GNU MP (libgmp) based crypto implementation
                           plugin.
+  --disable-curve25519    disable Curve25519 Diffie-Hellman plugin.
   --disable-hmac          disable HMAC crypto implementation plugin.
   --enable-md4            enable MD4 software implementation plugin.
   --disable-md5           disable MD5 software implementation plugin.
@@ -2246,6 +2253,7 @@ Optional Features:
   --enable-ipseckey       enable IPSECKEY authentication plugin.
   --enable-keychain       enables OS X Keychain Services credential set.
   --enable-pkcs11         enables the PKCS11 token support plugin.
+  --enable-tpm            enables the TPM plugin.
   --disable-revocation    disable X509 CRL/OCSP revocation check plugin.
   --enable-whitelist      enable peer identity whitelisting plugin.
   --disable-xauth-generic disable generic XAuth backend.
@@ -2306,6 +2314,8 @@ Optional Features:
   --enable-tnccs-20       enable TNCCS 2.0 protocol module.
   --enable-tnccs-dynamic  enable dynamic TNCCS protocol discovery module.
   --enable-android-log    enable Android specific logger plugin.
+  --enable-bypass-lan     enable plugin to install bypass policies for local
+                          subnets.
   --enable-certexpire     enable CSV export of expiration dates of used
                           certificates.
   --enable-connmark       enable connmark plugin using conntrack based marks
@@ -2330,7 +2340,6 @@ Optional Features:
   --enable-test-vectors   enable plugin providing crypto test vectors.
   --disable-updown        disable updown firewall script plugin.
   --enable-aikgen         enable AIK generator for TPM 1.2.
-  --enable-aikpub2        enable AIK extractor for TPM 2.0.
   --disable-charon        disable the IKEv1/IKEv2 keying daemon charon.
   --enable-cmd            enable the command line IKE client charon-cmd.
   --enable-conftest       enforce Suite B conformance test framework.
@@ -2604,7 +2613,7 @@ fi
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-strongSwan configure 5.5.1
+strongSwan configure 5.5.2
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -3126,7 +3135,7 @@ cat >config.log <<_ACEOF
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by strongSwan $as_me 5.5.1, which was
+It was created by strongSwan $as_me 5.5.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -3989,7 +3998,7 @@ fi
 
 # Define the identity of the package.
  PACKAGE='strongswan'
- VERSION='5.5.1'
+ VERSION='5.5.2'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -5040,6 +5049,22 @@ fi
 
 	enabled_by_default=${enabled_by_default}" gmp"
 
+# Check whether --enable-curve25519 was given.
+if test "${enable_curve25519+set}" = set; then :
+  enableval=$enable_curve25519; curve25519_given=true
+		if test x$enableval = xyes; then
+			curve25519=true
+		 else
+			curve25519=false
+		fi
+else
+  curve25519=true
+		curve25519_given=false
+
+fi
+
+	enabled_by_default=${enabled_by_default}" curve25519"
+
 # Check whether --enable-hmac was given.
 if test "${enable_hmac+set}" = set; then :
   enableval=$enable_hmac; hmac_given=true
@@ -6052,6 +6077,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" pkcs11"
 
+# Check whether --enable-tpm was given.
+if test "${enable_tpm+set}" = set; then :
+  enableval=$enable_tpm; tpm_given=true
+		if test x$enableval = xyes; then
+			tpm=true
+		 else
+			tpm=false
+		fi
+else
+  tpm=false
+		tpm_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" tpm"
+
 # Check whether --enable-revocation was given.
 if test "${enable_revocation+set}" = set; then :
   enableval=$enable_revocation; revocation_given=true
@@ -6825,6 +6866,22 @@ fi
 
 	disabled_by_default=${disabled_by_default}" android_log"
 
+# Check whether --enable-bypass-lan was given.
+if test "${enable_bypass_lan+set}" = set; then :
+  enableval=$enable_bypass_lan; bypass_lan_given=true
+		if test x$enableval = xyes; then
+			bypass_lan=true
+		 else
+			bypass_lan=false
+		fi
+else
+  bypass_lan=false
+		bypass_lan_given=false
+
+fi
+
+	disabled_by_default=${disabled_by_default}" bypass_lan"
+
 # Check whether --enable-certexpire was given.
 if test "${enable_certexpire+set}" = set; then :
   enableval=$enable_certexpire; certexpire_given=true
@@ -7066,22 +7123,6 @@ fi
 
 	disabled_by_default=${disabled_by_default}" aikgen"
 
-# Check whether --enable-aikpub2 was given.
-if test "${enable_aikpub2+set}" = set; then :
-  enableval=$enable_aikpub2; aikpub2_given=true
-		if test x$enableval = xyes; then
-			aikpub2=true
-		 else
-			aikpub2=false
-		fi
-else
-  aikpub2=false
-		aikpub2_given=false
-
-fi
-
-	disabled_by_default=${disabled_by_default}" aikpub2"
-
 # Check whether --enable-charon was given.
 if test "${enable_charon+set}" = set; then :
   enableval=$enable_charon; charon_given=true
@@ -18008,10 +18049,6 @@ if test x$aikgen = xtrue; then
 	tss_trousers=true
 fi
 
-if test x$aikpub2 = xtrue; then
-	tss_tss2=true
-fi
-
 if test x$ntru = xtrue -o x$bliss = xtrue; then
 	mgf1=true
 fi
@@ -19659,9 +19696,9 @@ fi
 
 
 if test x$printf_hooks = xvstr; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lvstr" >&5
-$as_echo_n "checking for main in -lvstr... " >&6; }
-if ${ac_cv_lib_vstr_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for vstr_init in -lvstr" >&5
+$as_echo_n "checking for vstr_init in -lvstr... " >&6; }
+if ${ac_cv_lib_vstr_vstr_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -19669,27 +19706,33 @@ LIBS="-lvstr  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char vstr_init ();
 int
 main ()
 {
-return main ();
+return vstr_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_vstr_main=yes
+  ac_cv_lib_vstr_vstr_init=yes
 else
-  ac_cv_lib_vstr_main=no
+  ac_cv_lib_vstr_vstr_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_vstr_main" >&5
-$as_echo "$ac_cv_lib_vstr_main" >&6; }
-if test "x$ac_cv_lib_vstr_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_vstr_vstr_init" >&5
+$as_echo "$ac_cv_lib_vstr_vstr_init" >&6; }
+if test "x$ac_cv_lib_vstr_vstr_init" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "Vstr string library not found" "$LINENO" 5
@@ -19708,9 +19751,9 @@ fi
 
 if test x$gmp = xtrue; then
 	saved_LIBS=$LIBS
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lgmp" >&5
-$as_echo_n "checking for main in -lgmp... " >&6; }
-if ${ac_cv_lib_gmp_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for __gmpz_init in -lgmp" >&5
+$as_echo_n "checking for __gmpz_init in -lgmp... " >&6; }
+if ${ac_cv_lib_gmp___gmpz_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -19718,27 +19761,33 @@ LIBS="-lgmp  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char __gmpz_init ();
 int
 main ()
 {
-return main ();
+return __gmpz_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_gmp_main=yes
+  ac_cv_lib_gmp___gmpz_init=yes
 else
-  ac_cv_lib_gmp_main=no
+  ac_cv_lib_gmp___gmpz_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp_main" >&5
-$as_echo "$ac_cv_lib_gmp_main" >&6; }
-if test "x$ac_cv_lib_gmp_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gmp___gmpz_init" >&5
+$as_echo "$ac_cv_lib_gmp___gmpz_init" >&6; }
+if test "x$ac_cv_lib_gmp___gmpz_init" = xyes; then :
   cat >>confdefs.h <<_ACEOF
 #define HAVE_LIBGMP 1
 _ACEOF
@@ -19808,9 +19857,9 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test x$ldap = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lldap" >&5
-$as_echo_n "checking for main in -lldap... " >&6; }
-if ${ac_cv_lib_ldap_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap_init in -lldap" >&5
+$as_echo_n "checking for ldap_init in -lldap... " >&6; }
+if ${ac_cv_lib_ldap_ldap_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -19818,35 +19867,41 @@ LIBS="-lldap  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ldap_init ();
 int
 main ()
 {
-return main ();
+return ldap_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_ldap_main=yes
+  ac_cv_lib_ldap_ldap_init=yes
 else
-  ac_cv_lib_ldap_main=no
+  ac_cv_lib_ldap_ldap_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_main" >&5
-$as_echo "$ac_cv_lib_ldap_main" >&6; }
-if test "x$ac_cv_lib_ldap_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_ldap_init" >&5
+$as_echo "$ac_cv_lib_ldap_ldap_init" >&6; }
+if test "x$ac_cv_lib_ldap_ldap_init" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "LDAP library ldap not found" "$LINENO" 5
 fi
 
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -llber" >&5
-$as_echo_n "checking for main in -llber... " >&6; }
-if ${ac_cv_lib_lber_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ber_free in -llber" >&5
+$as_echo_n "checking for ber_free in -llber... " >&6; }
+if ${ac_cv_lib_lber_ber_free+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -19854,27 +19909,33 @@ LIBS="-llber  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ber_free ();
 int
 main ()
 {
-return main ();
+return ber_free ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_lber_main=yes
+  ac_cv_lib_lber_ber_free=yes
 else
-  ac_cv_lib_lber_main=no
+  ac_cv_lib_lber_ber_free=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lber_main" >&5
-$as_echo "$ac_cv_lib_lber_main" >&6; }
-if test "x$ac_cv_lib_lber_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lber_ber_free" >&5
+$as_echo "$ac_cv_lib_lber_ber_free" >&6; }
+if test "x$ac_cv_lib_lber_ber_free" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "LDAP library lber not found" "$LINENO" 5
@@ -19891,9 +19952,9 @@ fi
 fi
 
 if test x$curl = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcurl" >&5
-$as_echo_n "checking for main in -lcurl... " >&6; }
-if ${ac_cv_lib_curl_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for curl_global_init in -lcurl" >&5
+$as_echo_n "checking for curl_global_init in -lcurl... " >&6; }
+if ${ac_cv_lib_curl_curl_global_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -19901,27 +19962,33 @@ LIBS="-lcurl  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char curl_global_init ();
 int
 main ()
 {
-return main ();
+return curl_global_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_curl_main=yes
+  ac_cv_lib_curl_curl_global_init=yes
 else
-  ac_cv_lib_curl_main=no
+  ac_cv_lib_curl_curl_global_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_curl_main" >&5
-$as_echo "$ac_cv_lib_curl_main" >&6; }
-if test "x$ac_cv_lib_curl_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_curl_curl_global_init" >&5
+$as_echo "$ac_cv_lib_curl_curl_global_init" >&6; }
+if test "x$ac_cv_lib_curl_curl_global_init" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "CURL library curl not found" "$LINENO" 5
@@ -19938,9 +20005,9 @@ fi
 fi
 
 if test x$unbound = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lldns" >&5
-$as_echo_n "checking for main in -lldns... " >&6; }
-if ${ac_cv_lib_ldns_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldns_rr_get_type in -lldns" >&5
+$as_echo_n "checking for ldns_rr_get_type in -lldns... " >&6; }
+if ${ac_cv_lib_ldns_ldns_rr_get_type+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -19948,27 +20015,33 @@ LIBS="-lldns  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ldns_rr_get_type ();
 int
 main ()
 {
-return main ();
+return ldns_rr_get_type ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_ldns_main=yes
+  ac_cv_lib_ldns_ldns_rr_get_type=yes
 else
-  ac_cv_lib_ldns_main=no
+  ac_cv_lib_ldns_ldns_rr_get_type=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldns_main" >&5
-$as_echo "$ac_cv_lib_ldns_main" >&6; }
-if test "x$ac_cv_lib_ldns_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldns_ldns_rr_get_type" >&5
+$as_echo "$ac_cv_lib_ldns_ldns_rr_get_type" >&6; }
+if test "x$ac_cv_lib_ldns_ldns_rr_get_type" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "UNBOUND library ldns not found" "$LINENO" 5
@@ -19982,9 +20055,9 @@ else
 fi
 
 
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lunbound" >&5
-$as_echo_n "checking for main in -lunbound... " >&6; }
-if ${ac_cv_lib_unbound_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ub_ctx_create in -lunbound" >&5
+$as_echo_n "checking for ub_ctx_create in -lunbound... " >&6; }
+if ${ac_cv_lib_unbound_ub_ctx_create+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -19992,27 +20065,33 @@ LIBS="-lunbound  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char ub_ctx_create ();
 int
 main ()
 {
-return main ();
+return ub_ctx_create ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_unbound_main=yes
+  ac_cv_lib_unbound_ub_ctx_create=yes
 else
-  ac_cv_lib_unbound_main=no
+  ac_cv_lib_unbound_ub_ctx_create=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unbound_main" >&5
-$as_echo "$ac_cv_lib_unbound_main" >&6; }
-if test "x$ac_cv_lib_unbound_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unbound_ub_ctx_create" >&5
+$as_echo "$ac_cv_lib_unbound_ub_ctx_create" >&6; }
+if test "x$ac_cv_lib_unbound_ub_ctx_create" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "UNBOUND library libunbound not found" "$LINENO" 5
@@ -20677,9 +20756,9 @@ fi
 fi
 
 if test x$tss_trousers = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -ltspi" >&5
-$as_echo_n "checking for main in -ltspi... " >&6; }
-if ${ac_cv_lib_tspi_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for Tspi_Context_Create in -ltspi" >&5
+$as_echo_n "checking for Tspi_Context_Create in -ltspi... " >&6; }
+if ${ac_cv_lib_tspi_Tspi_Context_Create+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -20687,27 +20766,33 @@ LIBS="-ltspi  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char Tspi_Context_Create ();
 int
 main ()
 {
-return main ();
+return Tspi_Context_Create ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_tspi_main=yes
+  ac_cv_lib_tspi_Tspi_Context_Create=yes
 else
-  ac_cv_lib_tspi_main=no
+  ac_cv_lib_tspi_Tspi_Context_Create=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tspi_main" >&5
-$as_echo "$ac_cv_lib_tspi_main" >&6; }
-if test "x$ac_cv_lib_tspi_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tspi_Tspi_Context_Create" >&5
+$as_echo "$ac_cv_lib_tspi_Tspi_Context_Create" >&6; }
+if test "x$ac_cv_lib_tspi_Tspi_Context_Create" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "TrouSerS library libtspi not found" "$LINENO" 5
@@ -21289,87 +21374,73 @@ done
 fi
 
 if test x$fast = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lneo_cgi" >&5
-$as_echo_n "checking for main in -lneo_cgi... " >&6; }
-if ${ac_cv_lib_neo_cgi_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for hdf_init in -lneo_utl" >&5
+$as_echo_n "checking for hdf_init in -lneo_utl... " >&6; }
+if ${ac_cv_lib_neo_utl_hdf_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
-LIBS="-lneo_cgi  $LIBS"
+LIBS="-lneo_utl  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char hdf_init ();
 int
 main ()
 {
-return main ();
+return hdf_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_neo_cgi_main=yes
+  ac_cv_lib_neo_utl_hdf_init=yes
 else
-  ac_cv_lib_neo_cgi_main=no
+  ac_cv_lib_neo_utl_hdf_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_neo_cgi_main" >&5
-$as_echo "$ac_cv_lib_neo_cgi_main" >&6; }
-if test "x$ac_cv_lib_neo_cgi_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_neo_utl_hdf_init" >&5
+$as_echo "$ac_cv_lib_neo_utl_hdf_init" >&6; }
+if test "x$ac_cv_lib_neo_utl_hdf_init" = xyes; then :
   LIBS="$LIBS"
 else
-  as_fn_error $? "ClearSilver library neo_cgi not found!" "$LINENO" 5
+  as_fn_error $? "ClearSilver library neo_utl not found!" "$LINENO" 5
 fi
 
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lneo_utl" >&5
-$as_echo_n "checking for main in -lneo_utl... " >&6; }
-if ${ac_cv_lib_neo_utl_main+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_check_lib_save_LIBS=$LIBS
-LIBS="-lneo_utl  $LIBS"
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for -lneo_cgi and dependencies" >&5
+$as_echo_n "checking for -lneo_cgi and dependencies... " >&6; }
+	saved_CFLAGS=$CFLAGS
+	saved_LIBS=$LIBS
+	LIBS="-lneo_cgi -lneo_cs -lneo_utl"
+	CFLAGS="-I/usr/include/ClearSilver"
+	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-
-
+#include <cgi/cgi.h>
 int
 main ()
 {
-return main ();
+NEOERR *err = cgi_display(NULL, NULL);
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_neo_utl_main=yes
-else
-  ac_cv_lib_neo_utl_main=no
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-LIBS=$ac_check_lib_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_neo_utl_main" >&5
-$as_echo "$ac_cv_lib_neo_utl_main" >&6; }
-if test "x$ac_cv_lib_neo_utl_main" = xyes; then :
-  LIBS="$LIBS"
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
 else
-  as_fn_error $? "ClearSilver library neo_utl not found!" "$LINENO" 5
-fi
-
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking ClearSilver requires zlib" >&5
-$as_echo_n "checking ClearSilver requires zlib... " >&6; }
-	saved_CFLAGS=$CFLAGS
-	saved_LIBS=$LIBS
-	LIBS="-lneo_cgi -lneo_cs -lneo_utl"
-	CFLAGS="-I/usr/include/ClearSilver"
-	cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+  LIBS="$LIBS -lz";
+		 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
-#include <ClearSilver.h>
+#include <cgi/cgi.h>
 int
 main ()
 {
@@ -21379,24 +21450,26 @@ NEOERR *err = cgi_display(NULL, NULL);
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
-$as_echo "no" >&6; }; clearsilver_LIBS="$LIBS"
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes, zlib required" >&5
+$as_echo "yes, zlib required" >&6; }
 else
-  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }; clearsilver_LIBS="$LIBS -lz"
+  as_fn_error $? "not found" "$LINENO" 5
+
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
 
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
+	clearsilver_LIBS="$LIBS"
 
 	LIBS=$saved_LIBS
 	CFLAGS=$saved_CFLAGS
-# autoconf does not like CamelCase!? How to fix this?
-#	AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
 
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lfcgi" >&5
-$as_echo_n "checking for main in -lfcgi... " >&6; }
-if ${ac_cv_lib_fcgi_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for FCGX_Init in -lfcgi" >&5
+$as_echo_n "checking for FCGX_Init in -lfcgi... " >&6; }
+if ${ac_cv_lib_fcgi_FCGX_Init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -21404,27 +21477,33 @@ LIBS="-lfcgi  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char FCGX_Init ();
 int
 main ()
 {
-return main ();
+return FCGX_Init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_fcgi_main=yes
+  ac_cv_lib_fcgi_FCGX_Init=yes
 else
-  ac_cv_lib_fcgi_main=no
+  ac_cv_lib_fcgi_FCGX_Init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_fcgi_main" >&5
-$as_echo "$ac_cv_lib_fcgi_main" >&6; }
-if test "x$ac_cv_lib_fcgi_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_fcgi_FCGX_Init" >&5
+$as_echo "$ac_cv_lib_fcgi_FCGX_Init" >&6; }
+if test "x$ac_cv_lib_fcgi_FCGX_Init" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "FastCGI library fcgi not found!" "$LINENO" 5
@@ -21450,9 +21529,9 @@ else
 fi
 
 
-		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lmysql" >&5
-$as_echo_n "checking for main in -lmysql... " >&6; }
-if ${ac_cv_lib_mysql_main+:} false; then :
+		{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for mysql_database_init in -lmysql" >&5
+$as_echo_n "checking for mysql_database_init in -lmysql... " >&6; }
+if ${ac_cv_lib_mysql_mysql_database_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -21460,27 +21539,33 @@ LIBS="-lmysql  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char mysql_database_init ();
 int
 main ()
 {
-return main ();
+return mysql_database_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_mysql_main=yes
+  ac_cv_lib_mysql_mysql_database_init=yes
 else
-  ac_cv_lib_mysql_main=no
+  ac_cv_lib_mysql_mysql_database_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mysql_main" >&5
-$as_echo "$ac_cv_lib_mysql_main" >&6; }
-if test "x$ac_cv_lib_mysql_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_mysql_mysql_database_init" >&5
+$as_echo "$ac_cv_lib_mysql_mysql_database_init" >&6; }
+if test "x$ac_cv_lib_mysql_mysql_database_init" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "MySQL library not found!" "$LINENO" 5
@@ -21541,9 +21626,9 @@ fi
 fi
 
 if test x$sqlite = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lsqlite3" >&5
-$as_echo_n "checking for main in -lsqlite3... " >&6; }
-if ${ac_cv_lib_sqlite3_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sqlite3_open in -lsqlite3" >&5
+$as_echo_n "checking for sqlite3_open in -lsqlite3... " >&6; }
+if ${ac_cv_lib_sqlite3_sqlite3_open+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -21551,27 +21636,33 @@ LIBS="-lsqlite3  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char sqlite3_open ();
 int
 main ()
 {
-return main ();
+return sqlite3_open ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_sqlite3_main=yes
+  ac_cv_lib_sqlite3_sqlite3_open=yes
 else
-  ac_cv_lib_sqlite3_main=no
+  ac_cv_lib_sqlite3_sqlite3_open=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_sqlite3_main" >&5
-$as_echo "$ac_cv_lib_sqlite3_main" >&6; }
-if test "x$ac_cv_lib_sqlite3_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_sqlite3_sqlite3_open" >&5
+$as_echo "$ac_cv_lib_sqlite3_sqlite3_open" >&6; }
+if test "x$ac_cv_lib_sqlite3_sqlite3_open" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "SQLite library sqlite3 not found" "$LINENO" 5
@@ -21638,9 +21729,9 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test x$openssl = xtrue; then
-	as_ac_Lib=`$as_echo "ac_cv_lib_$openssl_lib''_main" | $as_tr_sh`
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -l$openssl_lib" >&5
-$as_echo_n "checking for main in -l$openssl_lib... " >&6; }
+	as_ac_Lib=`$as_echo "ac_cv_lib_$openssl_lib''_EVP_CIPHER_CTX_new" | $as_tr_sh`
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -l$openssl_lib" >&5
+$as_echo_n "checking for EVP_CIPHER_CTX_new in -l$openssl_lib... " >&6; }
 if eval \${$as_ac_Lib+:} false; then :
   $as_echo_n "(cached) " >&6
 else
@@ -21649,11 +21740,17 @@ LIBS="-l$openssl_lib $DLLIB $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char EVP_CIPHER_CTX_new ();
 int
 main ()
 {
-return main ();
+return EVP_CIPHER_CTX_new ();
   ;
   return 0;
 }
@@ -21687,9 +21784,9 @@ fi
 fi
 
 if test x$gcrypt = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lgcrypt" >&5
-$as_echo_n "checking for main in -lgcrypt... " >&6; }
-if ${ac_cv_lib_gcrypt_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gcry_control in -lgcrypt" >&5
+$as_echo_n "checking for gcry_control in -lgcrypt... " >&6; }
+if ${ac_cv_lib_gcrypt_gcry_control+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -21697,27 +21794,33 @@ LIBS="-lgcrypt -lgpg-error $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char gcry_control ();
 int
 main ()
 {
-return main ();
+return gcry_control ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_gcrypt_main=yes
+  ac_cv_lib_gcrypt_gcry_control=yes
 else
-  ac_cv_lib_gcrypt_main=no
+  ac_cv_lib_gcrypt_gcry_control=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gcrypt_main" >&5
-$as_echo "$ac_cv_lib_gcrypt_main" >&6; }
-if test "x$ac_cv_lib_gcrypt_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gcrypt_gcry_control" >&5
+$as_echo "$ac_cv_lib_gcrypt_gcry_control" >&6; }
+if test "x$ac_cv_lib_gcrypt_gcry_control" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "gcrypt library not found" "$LINENO" 5
@@ -21759,9 +21862,9 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test x$uci = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -luci" >&5
-$as_echo_n "checking for main in -luci... " >&6; }
-if ${ac_cv_lib_uci_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for uci_alloc_context in -luci" >&5
+$as_echo_n "checking for uci_alloc_context in -luci... " >&6; }
+if ${ac_cv_lib_uci_uci_alloc_context+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -21769,27 +21872,33 @@ LIBS="-luci  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char uci_alloc_context ();
 int
 main ()
 {
-return main ();
+return uci_alloc_context ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_uci_main=yes
+  ac_cv_lib_uci_uci_alloc_context=yes
 else
-  ac_cv_lib_uci_main=no
+  ac_cv_lib_uci_uci_alloc_context=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_uci_main" >&5
-$as_echo "$ac_cv_lib_uci_main" >&6; }
-if test "x$ac_cv_lib_uci_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_uci_uci_alloc_context" >&5
+$as_echo "$ac_cv_lib_uci_uci_alloc_context" >&6; }
+if test "x$ac_cv_lib_uci_uci_alloc_context" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "UCI library libuci not found" "$LINENO" 5
@@ -21806,9 +21915,9 @@ fi
 fi
 
 if test x$android_dns = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcutils" >&5
-$as_echo_n "checking for main in -lcutils... " >&6; }
-if ${ac_cv_lib_cutils_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for property_get in -lcutils" >&5
+$as_echo_n "checking for property_get in -lcutils... " >&6; }
+if ${ac_cv_lib_cutils_property_get+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -21816,27 +21925,33 @@ LIBS="-lcutils  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char property_get ();
 int
 main ()
 {
-return main ();
+return property_get ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_cutils_main=yes
+  ac_cv_lib_cutils_property_get=yes
 else
-  ac_cv_lib_cutils_main=no
+  ac_cv_lib_cutils_property_get=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cutils_main" >&5
-$as_echo "$ac_cv_lib_cutils_main" >&6; }
-if test "x$ac_cv_lib_cutils_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cutils_property_get" >&5
+$as_echo "$ac_cv_lib_cutils_property_get" >&6; }
+if test "x$ac_cv_lib_cutils_property_get" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "Android library libcutils not found" "$LINENO" 5
@@ -22149,9 +22264,9 @@ fi
 fi
 
 if test x$xauth_pam = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lpam" >&5
-$as_echo_n "checking for main in -lpam... " >&6; }
-if ${ac_cv_lib_pam_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pam_start in -lpam" >&5
+$as_echo_n "checking for pam_start in -lpam... " >&6; }
+if ${ac_cv_lib_pam_pam_start+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -22159,27 +22274,33 @@ LIBS="-lpam  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char pam_start ();
 int
 main ()
 {
-return main ();
+return pam_start ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_pam_main=yes
+  ac_cv_lib_pam_pam_start=yes
 else
-  ac_cv_lib_pam_main=no
+  ac_cv_lib_pam_pam_start=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_main" >&5
-$as_echo "$ac_cv_lib_pam_main" >&6; }
-if test "x$ac_cv_lib_pam_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_pam_pam_start" >&5
+$as_echo "$ac_cv_lib_pam_pam_start" >&6; }
+if test "x$ac_cv_lib_pam_pam_start" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "PAM library not found" "$LINENO" 5
@@ -22321,9 +22442,9 @@ $as_echo "#define CAPABILITIES_NATIVE /**/" >>confdefs.h
 fi
 
 if test x$capabilities = xlibcap; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lcap" >&5
-$as_echo_n "checking for main in -lcap... " >&6; }
-if ${ac_cv_lib_cap_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for cap_init in -lcap" >&5
+$as_echo_n "checking for cap_init in -lcap... " >&6; }
+if ${ac_cv_lib_cap_cap_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -22331,27 +22452,33 @@ LIBS="-lcap  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char cap_init ();
 int
 main ()
 {
-return main ();
+return cap_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_cap_main=yes
+  ac_cv_lib_cap_cap_init=yes
 else
-  ac_cv_lib_cap_main=no
+  ac_cv_lib_cap_cap_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cap_main" >&5
-$as_echo "$ac_cv_lib_cap_main" >&6; }
-if test "x$ac_cv_lib_cap_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cap_cap_init" >&5
+$as_echo "$ac_cv_lib_cap_cap_init" >&6; }
+if test "x$ac_cv_lib_cap_cap_init" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "libcap library not found" "$LINENO" 5
@@ -22424,9 +22551,9 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 if test x$bfd_backtraces = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lbfd" >&5
-$as_echo_n "checking for main in -lbfd... " >&6; }
-if ${ac_cv_lib_bfd_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for bfd_init in -lbfd" >&5
+$as_echo_n "checking for bfd_init in -lbfd... " >&6; }
+if ${ac_cv_lib_bfd_bfd_init+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -22434,27 +22561,33 @@ LIBS="-lbfd  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char bfd_init ();
 int
 main ()
 {
-return main ();
+return bfd_init ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_bfd_main=yes
+  ac_cv_lib_bfd_bfd_init=yes
 else
-  ac_cv_lib_bfd_main=no
+  ac_cv_lib_bfd_bfd_init=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_bfd_main" >&5
-$as_echo "$ac_cv_lib_bfd_main" >&6; }
-if test "x$ac_cv_lib_bfd_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_bfd_bfd_init" >&5
+$as_echo "$ac_cv_lib_bfd_bfd_init" >&6; }
+if test "x$ac_cv_lib_bfd_bfd_init" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "binutils libbfd not found!" "$LINENO" 5
@@ -22475,9 +22608,9 @@ fi
 fi
 
 if test x$unwind_backtraces = xtrue; then
-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lunwind" >&5
-$as_echo_n "checking for main in -lunwind... " >&6; }
-if ${ac_cv_lib_unwind_main+:} false; then :
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for unw_backtrace in -lunwind" >&5
+$as_echo_n "checking for unw_backtrace in -lunwind... " >&6; }
+if ${ac_cv_lib_unwind_unw_backtrace+:} false; then :
   $as_echo_n "(cached) " >&6
 else
   ac_check_lib_save_LIBS=$LIBS
@@ -22485,27 +22618,33 @@ LIBS="-lunwind  $LIBS"
 cat confdefs.h - <<_ACEOF >conftest.$ac_ext
 /* end confdefs.h.  */
 
-
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char unw_backtrace ();
 int
 main ()
 {
-return main ();
+return unw_backtrace ();
   ;
   return 0;
 }
 _ACEOF
 if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_lib_unwind_main=yes
+  ac_cv_lib_unwind_unw_backtrace=yes
 else
-  ac_cv_lib_unwind_main=no
+  ac_cv_lib_unwind_unw_backtrace=no
 fi
 rm -f core conftest.err conftest.$ac_objext \
     conftest$ac_exeext conftest.$ac_ext
 LIBS=$ac_check_lib_save_LIBS
 fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unwind_main" >&5
-$as_echo "$ac_cv_lib_unwind_main" >&6; }
-if test "x$ac_cv_lib_unwind_main" = xyes; then :
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_unwind_unw_backtrace" >&5
+$as_echo "$ac_cv_lib_unwind_unw_backtrace" >&6; }
+if test "x$ac_cv_lib_unwind_unw_backtrace" = xyes; then :
   LIBS="$LIBS"
 else
   as_fn_error $? "libunwind not found!" "$LINENO" 5
@@ -22888,10 +23027,11 @@ cmd_plugins=
 aikgen_plugins=
 
 # location specific lists for checksumming,
-# for src/libcharon, src/libstrongswan and src/libtnccs
+# for src/libcharon, src/libstrongswan, src/libtnccs and src/libtpmtss
 c_plugins=
 s_plugins=
 t_plugins=
+p_plugins=
 
 if test x$test_vectors = xtrue; then
 		s_plugins=${s_plugins}" test-vectors"
@@ -22927,6 +23067,15 @@ if test x$pkcs11 = xtrue; then
 
 	fi
 
+if test x$tpm = xtrue; then
+		p_plugins=${p_plugins}" tpm"
+		charon_plugins=${charon_plugins}" tpm"
+		pki_plugins=${pki_plugins}" tpm"
+		nm_plugins=${nm_plugins}" tpm"
+		cmd_plugins=${cmd_plugins}" tpm"
+
+	fi
+
 if test x$aesni = xtrue; then
 		s_plugins=${s_plugins}" aesni"
 		charon_plugins=${charon_plugins}" aesni"
@@ -23319,6 +23468,15 @@ if test x$gmp = xtrue; then
 
 	fi
 
+if test x$curve25519 = xtrue; then
+		s_plugins=${s_plugins}" curve25519"
+		charon_plugins=${charon_plugins}" curve25519"
+		scripts_plugins=${scripts_plugins}" curve25519"
+		nm_plugins=${nm_plugins}" curve25519"
+		cmd_plugins=${cmd_plugins}" curve25519"
+
+	fi
+
 if test x$agent = xtrue; then
 		s_plugins=${s_plugins}" agent"
 		charon_plugins=${charon_plugins}" agent"
@@ -23576,6 +23734,14 @@ if test x$socket_win = xtrue; then
 
 	fi
 
+if test x$bypass_lan = xtrue; then
+		c_plugins=${c_plugins}" bypass-lan"
+		charon_plugins=${charon_plugins}" bypass-lan"
+		nm_plugins=${nm_plugins}" bypass-lan"
+		cmd_plugins=${cmd_plugins}" bypass-lan"
+
+	fi
+
 if test x$connmark = xtrue; then
 		c_plugins=${c_plugins}" connmark"
 		charon_plugins=${charon_plugins}" connmark"
@@ -24124,6 +24290,14 @@ else
   USE_GMP_FALSE=
 fi
 
+ if test x$curve25519 = xtrue; then
+  USE_CURVE25519_TRUE=
+  USE_CURVE25519_FALSE='#'
+else
+  USE_CURVE25519_TRUE='#'
+  USE_CURVE25519_FALSE=
+fi
+
  if test x$rdrand = xtrue; then
   USE_RDRAND_TRUE=
   USE_RDRAND_FALSE='#'
@@ -24348,6 +24522,14 @@ else
   USE_PKCS11_FALSE=
 fi
 
+ if test x$tpm = xtrue; then
+  USE_TPM_TRUE=
+  USE_TPM_FALSE='#'
+else
+  USE_TPM_TRUE='#'
+  USE_TPM_FALSE=
+fi
+
  if test x$chapoly = xtrue; then
   USE_CHAPOLY_TRUE=
   USE_CHAPOLY_FALSE='#'
@@ -25039,6 +25221,14 @@ else
   USE_SOCKET_WIN_FALSE=
 fi
 
+ if test x$bypass_lan = xtrue; then
+  USE_BYPASS_LAN_TRUE=
+  USE_BYPASS_LAN_FALSE='#'
+else
+  USE_BYPASS_LAN_TRUE='#'
+  USE_BYPASS_LAN_FALSE=
+fi
+
  if test x$connmark = xtrue; then
   USE_CONNMARK_TRUE=
   USE_CONNMARK_FALSE='#'
@@ -25250,7 +25440,7 @@ else
   USE_CONFTEST_FALSE=
 fi
 
- if test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$aikpub2 = xtrue -o x$svc = xtrue -o x$systemd = xtrue; then
+ if test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue; then
   USE_LIBSTRONGSWAN_TRUE=
   USE_LIBSTRONGSWAN_FALSE='#'
 else
@@ -25306,7 +25496,7 @@ else
   USE_LIBPTTLS_FALSE=
 fi
 
- if test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$aikgen = xtrue -o x$aikpub2 = xtrue -o x$imcv = xtrue; then
+ if test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm -o x$aikgen = xtrue -o x$imcv = xtrue; then
   USE_LIBTPMTSS_TRUE=
   USE_LIBTPMTSS_FALSE='#'
 else
@@ -25458,14 +25648,6 @@ else
   USE_AIKGEN_FALSE=
 fi
 
- if test x$aikpub2 = xtrue; then
-  USE_AIKPUB2_TRUE=
-  USE_AIKPUB2_FALSE='#'
-else
-  USE_AIKPUB2_TRUE='#'
-  USE_AIKPUB2_FALSE=
-fi
-
  if test x$swanctl = xtrue; then
   USE_SWANCTL_TRUE=
   USE_SWANCTL_FALSE='#'
@@ -25575,9 +25757,6 @@ strongswan_options=
 if test -z "$USE_AIKGEN_TRUE"; then :
   strongswan_options=${strongswan_options}" aikgen"
 fi
-if test -z "$USE_AIKPUB2_TRUE"; then :
-  strongswan_options=${strongswan_options}" aikpub2"
-fi
 if test -z "$USE_ATTR_SQL_TRUE"; then :
   strongswan_options=${strongswan_options}" pool"
 fi
@@ -25621,7 +25800,7 @@ fi
 #  build Makefiles
 # =================
 
-ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/math/libnttfft/Makefile src/libstrongswan/math/libnttfft/tests/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/ [...]
+ac_config_files="$ac_config_files Makefile conf/Makefile man/Makefile init/Makefile init/systemd/Makefile init/systemd-swanctl/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/math/libnttfft/Makefile src/libstrongswan/math/libnttfft/tests/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/cmac/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/rc2/Makefile src/ [...]
 
 
 # =================
@@ -25869,6 +26048,10 @@ if test -z "${USE_GMP_TRUE}" && test -z "${USE_GMP_FALSE}"; then
   as_fn_error $? "conditional \"USE_GMP\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_CURVE25519_TRUE}" && test -z "${USE_CURVE25519_FALSE}"; then
+  as_fn_error $? "conditional \"USE_CURVE25519\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_RDRAND_TRUE}" && test -z "${USE_RDRAND_FALSE}"; then
   as_fn_error $? "conditional \"USE_RDRAND\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -25981,6 +26164,10 @@ if test -z "${USE_PKCS11_TRUE}" && test -z "${USE_PKCS11_FALSE}"; then
   as_fn_error $? "conditional \"USE_PKCS11\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_TPM_TRUE}" && test -z "${USE_TPM_FALSE}"; then
+  as_fn_error $? "conditional \"USE_TPM\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_CHAPOLY_TRUE}" && test -z "${USE_CHAPOLY_FALSE}"; then
   as_fn_error $? "conditional \"USE_CHAPOLY\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -26325,6 +26512,10 @@ if test -z "${USE_SOCKET_WIN_TRUE}" && test -z "${USE_SOCKET_WIN_FALSE}"; then
   as_fn_error $? "conditional \"USE_SOCKET_WIN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
+if test -z "${USE_BYPASS_LAN_TRUE}" && test -z "${USE_BYPASS_LAN_FALSE}"; then
+  as_fn_error $? "conditional \"USE_BYPASS_LAN\" was never defined.
+Usually this means the macro was only invoked conditionally." "$LINENO" 5
+fi
 if test -z "${USE_CONNMARK_TRUE}" && test -z "${USE_CONNMARK_FALSE}"; then
   as_fn_error $? "conditional \"USE_CONNMARK\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -26533,10 +26724,6 @@ if test -z "${USE_AIKGEN_TRUE}" && test -z "${USE_AIKGEN_FALSE}"; then
   as_fn_error $? "conditional \"USE_AIKGEN\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
 fi
-if test -z "${USE_AIKPUB2_TRUE}" && test -z "${USE_AIKPUB2_FALSE}"; then
-  as_fn_error $? "conditional \"USE_AIKPUB2\" was never defined.
-Usually this means the macro was only invoked conditionally." "$LINENO" 5
-fi
 if test -z "${USE_SWANCTL_TRUE}" && test -z "${USE_SWANCTL_FALSE}"; then
   as_fn_error $? "conditional \"USE_SWANCTL\" was never defined.
 Usually this means the macro was only invoked conditionally." "$LINENO" 5
@@ -26966,7 +27153,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by strongSwan $as_me 5.5.1, which was
+This file was extended by strongSwan $as_me 5.5.2, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -27032,7 +27219,7 @@ _ACEOF
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-strongSwan config.status 5.5.1
+strongSwan config.status 5.5.2
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
@@ -27471,6 +27658,7 @@ do
     "src/libstrongswan/plugins/mgf1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/mgf1/Makefile" ;;
     "src/libstrongswan/plugins/fips_prf/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/fips_prf/Makefile" ;;
     "src/libstrongswan/plugins/gmp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gmp/Makefile" ;;
+    "src/libstrongswan/plugins/curve25519/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curve25519/Makefile" ;;
     "src/libstrongswan/plugins/rdrand/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/rdrand/Makefile" ;;
     "src/libstrongswan/plugins/aesni/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/aesni/Makefile" ;;
     "src/libstrongswan/plugins/random/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/random/Makefile" ;;
@@ -27578,6 +27766,7 @@ do
     "src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;;
     "src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;;
     "src/libcharon/plugins/socket_win/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_win/Makefile" ;;
+    "src/libcharon/plugins/bypass_lan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/bypass_lan/Makefile" ;;
     "src/libcharon/plugins/connmark/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/connmark/Makefile" ;;
     "src/libcharon/plugins/forecast/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/forecast/Makefile" ;;
     "src/libcharon/plugins/farp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/farp/Makefile" ;;
@@ -27624,6 +27813,7 @@ do
     "src/libcharon/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/attr_sql/Makefile" ;;
     "src/libcharon/tests/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/tests/Makefile" ;;
     "src/libtpmtss/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtpmtss/Makefile" ;;
+    "src/libtpmtss/plugins/tpm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libtpmtss/plugins/tpm/Makefile" ;;
     "src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;;
     "src/ipsec/Makefile") CONFIG_FILES="$CONFIG_FILES src/ipsec/Makefile" ;;
     "src/starter/Makefile") CONFIG_FILES="$CONFIG_FILES src/starter/Makefile" ;;
@@ -27632,7 +27822,6 @@ do
     "src/_copyright/Makefile") CONFIG_FILES="$CONFIG_FILES src/_copyright/Makefile" ;;
     "src/scepclient/Makefile") CONFIG_FILES="$CONFIG_FILES src/scepclient/Makefile" ;;
     "src/aikgen/Makefile") CONFIG_FILES="$CONFIG_FILES src/aikgen/Makefile" ;;
-    "src/aikpub2/Makefile") CONFIG_FILES="$CONFIG_FILES src/aikpub2/Makefile" ;;
     "src/pki/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/Makefile" ;;
     "src/pki/man/Makefile") CONFIG_FILES="$CONFIG_FILES src/pki/man/Makefile" ;;
     "src/pool/Makefile") CONFIG_FILES="$CONFIG_FILES src/pool/Makefile" ;;
@@ -28956,5 +29145,7 @@ $as_echo "libstrongswan:$s_plugins" >&6; }
 $as_echo "libcharon:    $c_plugins" >&6; }
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: libtnccs:     $t_plugins" >&5
 $as_echo "libtnccs:     $t_plugins" >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: libtpmtss:    $p_plugins" >&5
+$as_echo "libtpmtss:    $p_plugins" >&6; }
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: " >&5
 $as_echo "" >&6; }
diff --git a/configure.ac b/configure.ac
index 622c79a..29988d3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -19,7 +19,7 @@
 #  initialize & set some vars
 # ============================
 
-AC_INIT([strongSwan],[5.5.1])
+AC_INIT([strongSwan],[5.5.2])
 AM_INIT_AUTOMAKE(m4_esyscmd([
 	echo tar-ustar
 	echo subdir-objects
@@ -133,6 +133,7 @@ ARG_DISBL_SET([fips-prf],       [disable FIPS PRF software implementation plugin
 ARG_ENABL_SET([gcm],            [enables the GCM AEAD wrapper crypto plugin.])
 ARG_ENABL_SET([gcrypt],         [enables the libgcrypt plugin.])
 ARG_DISBL_SET([gmp],            [disable GNU MP (libgmp) based crypto implementation plugin.])
+ARG_DISBL_SET([curve25519],     [disable Curve25519 Diffie-Hellman plugin.])
 ARG_DISBL_SET([hmac],           [disable HMAC crypto implementation plugin.])
 ARG_ENABL_SET([md4],            [enable MD4 software implementation plugin.])
 ARG_DISBL_SET([md5],            [disable MD5 software implementation plugin.])
@@ -200,6 +201,7 @@ ARG_ENABL_SET([ext-auth],       [enable plugin calling an external authorization
 ARG_ENABL_SET([ipseckey],       [enable IPSECKEY authentication plugin.])
 ARG_ENABL_SET([keychain],       [enables OS X Keychain Services credential set.])
 ARG_ENABL_SET([pkcs11],         [enables the PKCS11 token support plugin.])
+ARG_ENABL_SET([tpm],            [enables the TPM plugin.])
 ARG_DISBL_SET([revocation],     [disable X509 CRL/OCSP revocation check plugin.])
 ARG_ENABL_SET([whitelist],      [enable peer identity whitelisting plugin.])
 ARG_DISBL_SET([xauth-generic],  [disable generic XAuth backend.])
@@ -253,6 +255,7 @@ ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
 ARG_ENABL_SET([tnccs-dynamic],  [enable dynamic TNCCS protocol discovery module.])
 # misc plugins
 ARG_ENABL_SET([android-log],    [enable Android specific logger plugin.])
+ARG_ENABL_SET([bypass-lan],     [enable plugin to install bypass policies for local subnets.])
 ARG_ENABL_SET([certexpire],     [enable CSV export of expiration dates of used certificates.])
 ARG_ENABL_SET([connmark],       [enable connmark plugin using conntrack based marks to select return path SA.])
 ARG_ENABL_SET([forecast],       [enable forecast plugin forwarding broadcast/multicast messages.])
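Review bot: The help string added for `bypass-lan` does not say what a bypass policy does to traffic, so a packager can enable it without realising that packets to locally attached subnets are then exempted from the IPsec policies. I would say so in the option text, for example `[enable plugin to install bypass policies for local subnets (traffic to them is not tunnelled).]`. The `ADD_PLUGIN([bypass-lan], [c charon nm cmd])` line further down adds the plugin to the charon, nm and cmd plugin lists whenever it is built. The build flag therefore appears to switch the behaviour on for those components by default, which is worth stating in NEWS or the plugin's option description.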
@@ -269,7 +272,6 @@ ARG_ENABL_SET([test-vectors],   [enable plugin providing crypto test vectors.])
 ARG_DISBL_SET([updown],         [disable updown firewall script plugin.])
 # programs/components
 ARG_ENABL_SET([aikgen],         [enable AIK generator for TPM 1.2.])
-ARG_ENABL_SET([aikpub2],        [enable AIK extractor for TPM 2.0.])
 ARG_DISBL_SET([charon],         [disable the IKEv1/IKEv2 keying daemon charon.])
 ARG_ENABL_SET([cmd],            [enable the command line IKE client charon-cmd.])
 ARG_ENABL_SET([conftest],       [enforce Suite B conformance test framework.])
@@ -462,10 +464,6 @@ if test x$aikgen = xtrue; then
 	tss_trousers=true
 fi
 
-if test x$aikpub2 = xtrue; then
-	tss_tss2=true
-fi
-
 if test x$ntru = xtrue -o x$bliss = xtrue; then
 	mgf1=true
 fi
@@ -898,7 +896,7 @@ AC_COMPILE_IFELSE(
 AM_CONDITIONAL(USE_X86X64, [test "x$x86x64" = xtrue])
 
 if test x$printf_hooks = xvstr; then
-	AC_CHECK_LIB([vstr],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[])
+	AC_CHECK_LIB([vstr],[vstr_init],[LIBS="$LIBS"],[AC_MSG_ERROR([Vstr string library not found])],[])
 	AC_DEFINE([USE_VSTR], [], [use Vstr string library for printf hooks])
 fi
 
@@ -908,7 +906,7 @@ fi
 
 if test x$gmp = xtrue; then
 	saved_LIBS=$LIBS
-	AC_CHECK_LIB([gmp],[main],[],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])],[])
+	AC_CHECK_LIB([gmp],[__gmpz_init],[],[AC_MSG_ERROR([GNU Multi Precision library gmp not found])],[])
 	AC_MSG_CHECKING([mpz_powm_sec])
 	if test x$mpz_powm_sec = xyes; then
 		AC_COMPILE_IFELSE(
@@ -937,20 +935,20 @@ if test x$gmp = xtrue; then
 fi
 
 if test x$ldap = xtrue; then
-	AC_CHECK_LIB([ldap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library ldap not found])],[])
-	AC_CHECK_LIB([lber],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library lber not found])],[])
+	AC_CHECK_LIB([ldap],[ldap_init],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library ldap not found])],[])
+	AC_CHECK_LIB([lber],[ber_free],[LIBS="$LIBS"],[AC_MSG_ERROR([LDAP library lber not found])],[])
 	AC_CHECK_HEADER([ldap.h],,[AC_MSG_ERROR([LDAP header ldap.h not found!])])
 fi
 
 if test x$curl = xtrue; then
-	AC_CHECK_LIB([curl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([CURL library curl not found])],[])
+	AC_CHECK_LIB([curl],[curl_global_init],[LIBS="$LIBS"],[AC_MSG_ERROR([CURL library curl not found])],[])
 	AC_CHECK_HEADER([curl/curl.h],,[AC_MSG_ERROR([CURL header curl/curl.h not found!])])
 fi
 
 if test x$unbound = xtrue; then
-	AC_CHECK_LIB([ldns],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library ldns not found])],[])
+	AC_CHECK_LIB([ldns],[ldns_rr_get_type],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library ldns not found])],[])
 	AC_CHECK_HEADER([ldns/ldns.h],,[AC_MSG_ERROR([UNBOUND header ldns/ldns.h not found!])])
-	AC_CHECK_LIB([unbound],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library libunbound not found])],[])
+	AC_CHECK_LIB([unbound],[ub_ctx_create],[LIBS="$LIBS"],[AC_MSG_ERROR([UNBOUND library libunbound not found])],[])
 	AC_CHECK_HEADER([unbound.h],,[AC_MSG_ERROR([UNBOUND header unbound.h not found!])])
 fi
 
@@ -987,7 +985,7 @@ if test x$systemd = xtrue; then
 fi
 
 if test x$tss_trousers = xtrue; then
-	AC_CHECK_LIB([tspi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])],[])
+	AC_CHECK_LIB([tspi],[Tspi_Context_Create],[LIBS="$LIBS"],[AC_MSG_ERROR([TrouSerS library libtspi not found])],[])
 	AC_CHECK_HEADER([trousers/tss.h],,[AC_MSG_ERROR([TrouSerS header trousers/tss.h not found!])])
 	AC_DEFINE([TSS_TROUSERS], [], [use TrouSerS library libtspi])
 fi
@@ -1046,34 +1044,39 @@ if test x$dumm = xtrue; then
 fi
 
 if test x$fast = xtrue; then
-	AC_CHECK_LIB([neo_cgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_cgi not found!])],[])
-	AC_CHECK_LIB([neo_utl],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_utl not found!])],[])
-	AC_MSG_CHECKING([ClearSilver requires zlib])
+	AC_CHECK_LIB([neo_utl],[hdf_init],[LIBS="$LIBS"],[AC_MSG_ERROR([ClearSilver library neo_utl not found!])],[])
+	AC_MSG_CHECKING([for -lneo_cgi and dependencies])
 	saved_CFLAGS=$CFLAGS
 	saved_LIBS=$LIBS
 	LIBS="-lneo_cgi -lneo_cs -lneo_utl"
 	CFLAGS="-I/usr/include/ClearSilver"
 	AC_LINK_IFELSE(
 		[AC_LANG_PROGRAM(
-			[[#include <ClearSilver.h>]],
+			[[#include <cgi/cgi.h>]],
 			[[NEOERR *err = cgi_display(NULL, NULL);]])],
-		[AC_MSG_RESULT([no]); clearsilver_LIBS="$LIBS"],
-		[AC_MSG_RESULT([yes]); clearsilver_LIBS="$LIBS -lz"]
+		[AC_MSG_RESULT([yes])],
+		[LIBS="$LIBS -lz";
+		 AC_LINK_IFELSE(
+			[AC_LANG_PROGRAM(
+				[[#include <cgi/cgi.h>]],
+				[[NEOERR *err = cgi_display(NULL, NULL);]])],
+			[AC_MSG_RESULT([yes, zlib required])],
+			[AC_MSG_ERROR([not found])]
+		 )]
 	)
+	clearsilver_LIBS="$LIBS"
 	AC_SUBST(clearsilver_LIBS)
 	LIBS=$saved_LIBS
 	CFLAGS=$saved_CFLAGS
-# autoconf does not like CamelCase!? How to fix this?
-#	AC_CHECK_HEADER([ClearSilver/ClearSilver.h],,[AC_MSG_ERROR([ClearSilver header file ClearSilver/ClearSilver.h not found!])])
 
-	AC_CHECK_LIB([fcgi],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])],[])
+	AC_CHECK_LIB([fcgi],[FCGX_Init],[LIBS="$LIBS"],[AC_MSG_ERROR([FastCGI library fcgi not found!])],[])
 	AC_CHECK_HEADER([fcgiapp.h],,[AC_MSG_ERROR([FastCGI header file fcgiapp.h not found!])])
 fi
 
 if test x$mysql = xtrue; then
 	if test "x$windows" = xtrue; then
 		AC_CHECK_HEADER([mysql.h],,[AC_MSG_ERROR([MySQL header file mysql.h not found!])])
-		AC_CHECK_LIB([mysql],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([MySQL library not found!])],[])
+		AC_CHECK_LIB([mysql],[mysql_database_init],[LIBS="$LIBS"],[AC_MSG_ERROR([MySQL library not found!])],[])
 		AC_SUBST(MYSQLLIB, -lmysql)
 	else
 		AC_PATH_PROG([MYSQLCONFIG], [mysql_config], [], [$PATH:/bin:/usr/bin:/usr/local/bin])
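Review bot: The fallback branch of the new ClearSilver probe ends in `AC_MSG_ERROR([not found])`, which prints only "configure: error: not found" and does not name what is missing, unlike every other check in this file. Something like `AC_MSG_ERROR([ClearSilver library neo_cgi not found!])` keeps the wording the removed `AC_CHECK_LIB` line had. The `AC_LANG_PROGRAM` body is also repeated verbatim for the `-lz` retry; defining it once with `m4_define` and expanding it in both `AC_LINK_IFELSE` calls would keep the two probes from drifting apart.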
@@ -1086,7 +1089,7 @@ if test x$mysql = xtrue; then
 fi
 
 if test x$sqlite = xtrue; then
-	AC_CHECK_LIB([sqlite3],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([SQLite library sqlite3 not found])],[])
+	AC_CHECK_LIB([sqlite3],[sqlite3_open],[LIBS="$LIBS"],[AC_MSG_ERROR([SQLite library sqlite3 not found])],[])
 	AC_CHECK_HEADER([sqlite3.h],,[AC_MSG_ERROR([SQLite header sqlite3.h not found!])])
 	AC_MSG_CHECKING([sqlite3_prepare_v2])
 	AC_COMPILE_IFELSE(
@@ -1111,13 +1114,13 @@ if test x$sqlite = xtrue; then
 fi
 
 if test x$openssl = xtrue; then
-	AC_CHECK_LIB([$openssl_lib],[main],[LIBS="$LIBS"],
+	AC_CHECK_LIB([$openssl_lib],[EVP_CIPHER_CTX_new],[LIBS="$LIBS"],
 				 [AC_MSG_ERROR([OpenSSL lib$openssl_lib not found])],[$DLLIB])
 	AC_CHECK_HEADER([openssl/evp.h],,[AC_MSG_ERROR([OpenSSL header openssl/evp.h not found!])])
 fi
 
 if test x$gcrypt = xtrue; then
-	AC_CHECK_LIB([gcrypt],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
+	AC_CHECK_LIB([gcrypt],[gcry_control],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error])
 	AC_CHECK_HEADER([gcrypt.h],,[AC_MSG_ERROR([gcrypt header gcrypt.h not found!])])
 	AC_MSG_CHECKING([gcrypt CAMELLIA cipher])
 	AC_COMPILE_IFELSE(
@@ -1131,12 +1134,12 @@ if test x$gcrypt = xtrue; then
 fi
 
 if test x$uci = xtrue; then
-	AC_CHECK_LIB([uci],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])],[])
+	AC_CHECK_LIB([uci],[uci_alloc_context],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])],[])
 	AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])])
 fi
 
 if test x$android_dns = xtrue; then
-	AC_CHECK_LIB([cutils],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])],[])
+	AC_CHECK_LIB([cutils],[property_get],[LIBS="$LIBS"],[AC_MSG_ERROR([Android library libcutils not found])],[])
 	AC_CHECK_HEADER([cutils/properties.h],,[AC_MSG_ERROR([Android header cutils/properties.h not found!])])
 	# we have to force the use of libdl here because the autodetection
 	# above does not work correctly when cross-compiling for android.
@@ -1160,7 +1163,7 @@ if test x$nm = xtrue; then
 fi
 
 if test x$xauth_pam = xtrue; then
-	AC_CHECK_LIB([pam],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])],[])
+	AC_CHECK_LIB([pam],[pam_start],[LIBS="$LIBS"],[AC_MSG_ERROR([PAM library not found])],[])
 	AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])])
 fi
 
@@ -1180,7 +1183,7 @@ if test x$capabilities = xnative; then
 fi
 
 if test x$capabilities = xlibcap; then
-	AC_CHECK_LIB([cap],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])],[])
+	AC_CHECK_LIB([cap],[cap_init],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])],[])
 	AC_CHECK_HEADER([sys/capability.h],
 		[AC_DEFINE([HAVE_SYS_CAPABILITY_H], [], [have sys/capability.h])],
 		[AC_MSG_ERROR([libcap header sys/capability.h not found!])])
@@ -1211,7 +1214,7 @@ if test x$integrity_test = xtrue; then
 fi
 
 if test x$bfd_backtraces = xtrue; then
-	AC_CHECK_LIB([bfd],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([binutils libbfd not found!])],[])
+	AC_CHECK_LIB([bfd],[bfd_init],[LIBS="$LIBS"],[AC_MSG_ERROR([binutils libbfd not found!])],[])
 	AC_CHECK_HEADER([bfd.h],[AC_DEFINE([HAVE_BFD_H],,[have binutils bfd.h])],
 		[AC_MSG_ERROR([binutils bfd.h header not found!])])
 	BFDLIB="-lbfd"
@@ -1219,7 +1222,7 @@ if test x$bfd_backtraces = xtrue; then
 fi
 
 if test x$unwind_backtraces = xtrue; then
-	AC_CHECK_LIB([unwind],[main],[LIBS="$LIBS"],[AC_MSG_ERROR([libunwind not found!])],[])
+	AC_CHECK_LIB([unwind],[unw_backtrace],[LIBS="$LIBS"],[AC_MSG_ERROR([libunwind not found!])],[])
 	AC_CHECK_HEADER([libunwind.h],[AC_DEFINE([HAVE_LIBUNWIND_H],,[have libunwind.h])],
 		[AC_MSG_ERROR([libunwind.h header not found!])])
 	UNWINDLIB="-lunwind"
@@ -1313,15 +1316,17 @@ cmd_plugins=
 aikgen_plugins=
 
 # location specific lists for checksumming,
-# for src/libcharon, src/libstrongswan and src/libtnccs
+# for src/libcharon, src/libstrongswan, src/libtnccs and src/libtpmtss
 c_plugins=
 s_plugins=
 t_plugins=
+p_plugins=
 
 ADD_PLUGIN([test-vectors],         [s charon scepclient pki])
 ADD_PLUGIN([unbound],              [s charon scripts])
 ADD_PLUGIN([ldap],                 [s charon scepclient scripts nm cmd])
 ADD_PLUGIN([pkcs11],               [s charon pki nm cmd])
+ADD_PLUGIN([tpm],                  [p charon pki nm cmd])
 ADD_PLUGIN([aesni],                [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([aes],                  [s charon scepclient pki scripts nm cmd])
 ADD_PLUGIN([des],                  [s charon scepclient pki scripts nm cmd])
@@ -1357,6 +1362,7 @@ ADD_PLUGIN([gcrypt],               [s charon scepclient pki scripts manager meds
 ADD_PLUGIN([af-alg],               [s charon scepclient pki scripts medsrv attest nm cmd aikgen])
 ADD_PLUGIN([fips-prf],             [s charon nm cmd])
 ADD_PLUGIN([gmp],                  [s charon scepclient pki scripts manager medsrv attest nm cmd aikgen])
+ADD_PLUGIN([curve25519],           [s charon scripts nm cmd])
 ADD_PLUGIN([agent],                [s charon nm cmd])
 ADD_PLUGIN([keychain],             [s charon cmd])
 ADD_PLUGIN([chapoly],              [s charon scripts nm cmd])
@@ -1388,6 +1394,7 @@ ADD_PLUGIN([resolve],              [c charon cmd])
 ADD_PLUGIN([socket-default],       [c charon nm cmd])
 ADD_PLUGIN([socket-dynamic],       [c charon cmd])
 ADD_PLUGIN([socket-win],           [c charon])
+ADD_PLUGIN([bypass-lan],           [c charon nm cmd])
 ADD_PLUGIN([connmark],             [c charon])
 ADD_PLUGIN([forecast],             [c charon])
 ADD_PLUGIN([farp],                 [c charon])
@@ -1462,7 +1469,7 @@ AC_SUBST(cmd_plugins)
 AC_SUBST(aikgen_plugins)
 
 AC_SUBST(c_plugins)
-AC_SUBST(h_plugins)
+AC_SUBST(p_plugins)
 AC_SUBST(s_plugins)
 AC_SUBST(t_plugins)
 
@@ -1491,6 +1498,7 @@ AM_CONDITIONAL(USE_SHA3, test x$sha3 = xtrue)
 AM_CONDITIONAL(USE_MGF1, test x$mgf1 = xtrue)
 AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue)
 AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue)
+AM_CONDITIONAL(USE_CURVE25519, test x$curve25519 = xtrue)
 AM_CONDITIONAL(USE_RDRAND, test x$rdrand = xtrue)
 AM_CONDITIONAL(USE_AESNI, test x$aesni = xtrue)
 AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue)
@@ -1519,6 +1527,7 @@ AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue)
 AM_CONDITIONAL(USE_AGENT, test x$agent = xtrue)
 AM_CONDITIONAL(USE_KEYCHAIN, test x$keychain = xtrue)
 AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue)
+AM_CONDITIONAL(USE_TPM, test x$tpm = xtrue)
 AM_CONDITIONAL(USE_CHAPOLY, test x$chapoly = xtrue)
 AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue)
 AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue)
@@ -1608,6 +1617,7 @@ AM_CONDITIONAL(USE_IMV_HCD, test x$imv_hcd = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
 AM_CONDITIONAL(USE_SOCKET_WIN, test x$socket_win = xtrue)
+AM_CONDITIONAL(USE_BYPASS_LAN, test x$bypass_lan = xtrue)
 AM_CONDITIONAL(USE_CONNMARK, test x$connmark = xtrue)
 AM_CONDITIONAL(USE_FORECAST, test x$forecast = xtrue)
 AM_CONDITIONAL(USE_FARP, test x$farp = xtrue)
@@ -1637,14 +1647,14 @@ AM_CONDITIONAL(USE_PKI, test x$pki = xtrue)
 AM_CONDITIONAL(USE_SCEPCLIENT, test x$scepclient = xtrue)
 AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
 AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
-AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$aikpub2 = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
+AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
 AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
 AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
 AM_CONDITIONAL(USE_LIBNTTFFT, test x$bliss = xtrue -o x$newhope = xtrue)
 AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
 AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
 AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
-AM_CONDITIONAL(USE_LIBTPMTSS, test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$aikgen = xtrue -o x$aikpub2 = xtrue -o x$imcv = xtrue)
+AM_CONDITIONAL(USE_LIBTPMTSS, test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm -o x$aikgen = xtrue -o x$imcv = xtrue)
 AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
 AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue)
 AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
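Review bot: The new `USE_LIBTPMTSS` condition tests `x$tpm` without a comparison, so that operand is a bare non-empty string (`x`, `xtrue` or `xfalse`) and `test` treats it as true. Because the terms are joined with `-o`, the whole conditional is then true in practice and libtpmtss is built regardless of `tss_trousers`, `tss_tss2`, `tpm`, `aikgen` or `imcv`. The term should read `-o x$tpm = xtrue`, matching its neighbours. The generated `configure` in this same commit carries the identical expression in its `USE_LIBTPMTSS_TRUE` block and needs regenerating after the fix. Building a TPM support library that nobody asked for adds unneeded code to the installed package, so this is worth correcting rather than leaving as harmless.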
@@ -1663,7 +1673,6 @@ AM_CONDITIONAL(USE_DBGHELP, test x$dbghelp_backtraces = xtrue)
 AM_CONDITIONAL(USE_TKM, test x$tkm = xtrue)
 AM_CONDITIONAL(USE_CMD, test x$cmd = xtrue)
 AM_CONDITIONAL(USE_AIKGEN, test x$aikgen = xtrue)
-AM_CONDITIONAL(USE_AIKPUB2, test x$aikpub2 = xtrue)
 AM_CONDITIONAL(USE_SWANCTL, test x$swanctl = xtrue)
 AM_CONDITIONAL(USE_SVC, test x$svc = xtrue)
 AM_CONDITIONAL(USE_SYSTEMD, test x$systemd = xtrue)
@@ -1703,7 +1712,6 @@ fi
 strongswan_options=
 
 AM_COND_IF([USE_AIKGEN], [strongswan_options=${strongswan_options}" aikgen"])
-AM_COND_IF([USE_AIKPUB2], [strongswan_options=${strongswan_options}" aikpub2"])
 AM_COND_IF([USE_ATTR_SQL], [strongswan_options=${strongswan_options}" pool"])
 AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging"])
 AM_COND_IF([USE_FILE_CONFIG], [strongswan_options=${strongswan_options}" starter"])
@@ -1748,6 +1756,7 @@ AC_CONFIG_FILES([
 	src/libstrongswan/plugins/mgf1/Makefile
 	src/libstrongswan/plugins/fips_prf/Makefile
 	src/libstrongswan/plugins/gmp/Makefile
+	src/libstrongswan/plugins/curve25519/Makefile
 	src/libstrongswan/plugins/rdrand/Makefile
 	src/libstrongswan/plugins/aesni/Makefile
 	src/libstrongswan/plugins/random/Makefile
@@ -1855,6 +1864,7 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/socket_default/Makefile
 	src/libcharon/plugins/socket_dynamic/Makefile
 	src/libcharon/plugins/socket_win/Makefile
+	src/libcharon/plugins/bypass_lan/Makefile
 	src/libcharon/plugins/connmark/Makefile
 	src/libcharon/plugins/forecast/Makefile
 	src/libcharon/plugins/farp/Makefile
@@ -1901,6 +1911,7 @@ AC_CONFIG_FILES([
 	src/libcharon/plugins/attr_sql/Makefile
 	src/libcharon/tests/Makefile
 	src/libtpmtss/Makefile
+	src/libtpmtss/plugins/tpm/Makefile
 	src/stroke/Makefile
 	src/ipsec/Makefile
 	src/starter/Makefile
@@ -1909,7 +1920,6 @@ AC_CONFIG_FILES([
 	src/_copyright/Makefile
 	src/scepclient/Makefile
 	src/aikgen/Makefile
-	src/aikpub2/Makefile
 	src/pki/Makefile
 	src/pki/man/Makefile
 	src/pool/Makefile
@@ -1968,4 +1978,5 @@ AC_MSG_RESULT([-----------------------------------------------------])
 AC_MSG_RESULT([libstrongswan:$s_plugins])
 AC_MSG_RESULT([libcharon:    $c_plugins])
 AC_MSG_RESULT([libtnccs:     $t_plugins])
+AC_MSG_RESULT([libtpmtss:    $p_plugins])
 AC_MSG_RESULT([])
diff --git a/init/Makefile.in b/init/Makefile.in
index 9ae5e47..e1600d0 100644
--- a/init/Makefile.in
+++ b/init/Makefile.in
@@ -336,7 +336,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -371,6 +370,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/init/systemd-swanctl/Makefile.in b/init/systemd-swanctl/Makefile.in
index 190eb8f..adb2809 100644
--- a/init/systemd-swanctl/Makefile.in
+++ b/init/systemd-swanctl/Makefile.in
@@ -304,7 +304,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -339,6 +338,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/init/systemd-swanctl/strongswan-swanctl.service.in b/init/systemd-swanctl/strongswan-swanctl.service.in
index 944101f..e53c0c6 100644
--- a/init/systemd-swanctl/strongswan-swanctl.service.in
+++ b/init/systemd-swanctl/strongswan-swanctl.service.in
@@ -1,12 +1,13 @@
 [Unit]
 Description=strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
-After=network.target
+After=network-online.target
 
 [Service]
 Type=notify
 ExecStart=@SBINDIR@/charon-systemd
 ExecStartPost=@SBINDIR@/swanctl --load-all --noprompt
 ExecReload=@SBINDIR@/swanctl --reload
+Restart=on-abnormal
 
 [Install]
 WantedBy=multi-user.target
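Review bot: `After=network-online.target` only orders the unit and does not pull that target into the boot transaction, so on a system where nothing else wants `network-online.target` the new ordering has no effect. The daemon can then still start before the network is configured. The systemd documentation pairs the two settings, so I would add `Wants=network-online.target` to the `[Unit]` section next to the changed `After=` line. The same applies to the `After=syslog.target network-online.target` change in `init/systemd/strongswan.service.in` later in this commit.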
diff --git a/init/systemd/Makefile.in b/init/systemd/Makefile.in
index 325a4e3..593727d 100644
--- a/init/systemd/Makefile.in
+++ b/init/systemd/Makefile.in
@@ -304,7 +304,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -339,6 +338,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/init/systemd/strongswan.service.in b/init/systemd/strongswan.service.in
index 49c1cd0..474284a 100644
--- a/init/systemd/strongswan.service.in
+++ b/init/systemd/strongswan.service.in
@@ -1,10 +1,11 @@
 [Unit]
 Description=strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
-After=syslog.target network.target
+After=syslog.target network-online.target
 
 [Service]
 ExecStart=@SBINDIR@/@IPSEC_SCRIPT@ start --nofork
 StandardOutput=syslog
+Restart=on-abnormal
 
 [Install]
 WantedBy=multi-user.target
diff --git a/man/Makefile.in b/man/Makefile.in
index 4d04d25..61f825c 100644
--- a/man/Makefile.in
+++ b/man/Makefile.in
@@ -310,7 +310,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -345,6 +344,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index 6f80709..5d1c639 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -554,6 +554,11 @@ If
 .B %any
 is used for the remote endpoint it literally means any IP address.
 
+If an
+.B FQDN
+is assigned it is resolved every time a configuration lookup is done. If DNS
+resolution times out, the lookup is delayed for that time.
+
 To limit the connection to a  specific range of hosts, a range (
 .BR 10.1.0.0-10.2.255.255
 ) or a subnet (
@@ -908,7 +913,9 @@ the greatest common subnet. In IKEv1, this may lead to problems with other
 implementations, make sure to configure identical subnets in such
 configurations. IKEv2 supports multiple subnets separated by commas. IKEv1 only
 interprets the first subnet of such a definition, unless the Cisco Unity
-extension plugin is enabled.
+extension plugin is enabled. This is due to a limitation of the IKEv1 protocol,
+which only allows a single pair of subnets per CHILD_SA. So to tunnel several
+subnets a conn entry has to be defined and brought up for each pair of subnets.
 
 The optional part after each subnet enclosed in square brackets specifies a
 protocol/port to restrict the selector for that subnet.
@@ -1053,6 +1060,7 @@ and
 .B pull
 (the default).
 Push mode is currently not supported with IKEv2.
+The setting must be the same on both sides.
 .TP
 .BR reauth " = " yes " | no"
 whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1,
diff --git a/scripts/Makefile.in b/scripts/Makefile.in
index 606efcf..6b8319c 100644
--- a/scripts/Makefile.in
+++ b/scripts/Makefile.in
@@ -418,7 +418,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -453,6 +452,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/scripts/dh_speed.c b/scripts/dh_speed.c
index 0643ea9..c2cac02 100644
--- a/scripts/dh_speed.c
+++ b/scripts/dh_speed.c
@@ -46,6 +46,7 @@ struct {
 	{"ecp521",			ECP_521_BIT},
 	{"ecp192",			ECP_192_BIT},
 	{"ecp224",			ECP_224_BIT},
+	{"curve25519",		CURVE_25519},
 };
 
 static void start_timing(struct timespec *start)
@@ -65,7 +66,7 @@ static double end_timing(struct timespec *start)
 static void run_test(diffie_hellman_group_t group, int rounds)
 {
 	diffie_hellman_t *l[rounds], *r;
-	chunk_t chunk;
+	chunk_t chunk, chunks[rounds], lsecrets[rounds], rsecrets[rounds];
 	struct timespec timing;
 	int round;
 
@@ -77,21 +78,21 @@ static void run_test(diffie_hellman_group_t group, int rounds)
 		return;
 	}
 
-	printf("%N:\t",
-			diffie_hellman_group_names, group);
+	printf("%N:\t", diffie_hellman_group_names, group);
 
 	start_timing(&timing);
 	for (round = 0; round < rounds; round++)
 	{
 		l[round] = lib->crypto->create_dh(lib->crypto, group);
+		assert(l[round]->get_my_public_value(l[round], &chunks[round]));
 	}
 	printf("A = g^a/s: %8.1f", rounds / end_timing(&timing));
 
 	for (round = 0; round < rounds; round++)
 	{
-		assert(l[round]->get_my_public_value(l[round], &chunk));
-		assert(r->set_other_public_value(r, chunk));
-		chunk_free(&chunk);
+		assert(r->set_other_public_value(r, chunks[round]));
+		assert(r->get_shared_secret(r, &rsecrets[round]));
+		chunk_free(&chunks[round]);
 	}
 
 	assert(r->get_my_public_value(r, &chunk));
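Review bot: The added calls in both loops of this hunk do their work inside `assert()`, so a build with `NDEBUG` compiles them out. In that case `chunks[round]` is never filled, yet it is still handed to `chunk_free()`, and the timed loop no longer measures the public-value computation. Hoist the call out of the assertion, e.g. `if (!l[round]->get_my_public_value(l[round], &chunks[round])) { fprintf(stderr, "get_my_public_value failed\n"); exit(1); }`, and do the same for `set_other_public_value` and `get_shared_secret` here and in the following hunk. The context lines show the pattern predates this commit, but the new lines add array state that depends on it. `run_test` begins and ends outside this hunk.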
@@ -99,12 +100,16 @@ static void run_test(diffie_hellman_group_t group, int rounds)
 	for (round = 0; round < rounds; round++)
 	{
 		assert(l[round]->set_other_public_value(l[round], chunk));
+		assert(l[round]->get_shared_secret(l[round], &lsecrets[round]));
 	}
 	printf(" | S = B^a/s: %8.1f\n", rounds / end_timing(&timing));
 	chunk_free(&chunk);
 
 	for (round = 0; round < rounds; round++)
 	{
+		assert(chunk_equals(rsecrets[round], lsecrets[round]));
+		free(lsecrets[round].ptr);
+		free(rsecrets[round].ptr);
 		l[round]->destroy(l[round]);
 	}
 	r->destroy(r);
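Review bot: The derived shared secrets are released with plain `free(lsecrets[round].ptr)` and `free(rsecrets[round].ptr)` in the last loop, while the rest of the function uses the chunk helpers. For key material, libstrongswan's clearing helper fits better: `chunk_clear(&lsecrets[round]); chunk_clear(&rsecrets[round]);` wipes the bytes before freeing. These are throwaway benchmark secrets, so the exposure is small, but the helper keeps the script consistent with how DH secrets are handled in the library and avoids copy-pasting the unwiped pattern. `run_test` starts outside this hunk.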
diff --git a/src/Makefile.am b/src/Makefile.am
index 938335e..df171b2 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -135,7 +135,3 @@ endif
 if USE_AIKGEN
   SUBDIRS += aikgen
 endif
-
-if USE_AIKPUB2
-  SUBDIRS += aikpub2
-endif
diff --git a/src/Makefile.in b/src/Makefile.in
index 16b1d28..b102370 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -121,7 +121,6 @@ host_triplet = @host@
 @USE_LIBPTTLS_TRUE at am__append_32 = pt-tls-client
 @USE_INTEGRITY_TEST_TRUE at am__append_33 = checksum
 @USE_AIKGEN_TRUE at am__append_34 = aikgen
- at USE_AIKPUB2_TRUE@am__append_35 = aikpub2
 subdir = src
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -200,7 +199,7 @@ DIST_SUBDIRS = . include libstrongswan libipsec libsimaka libtls \
 	libcharon starter ipsec _copyright charon charon-systemd \
 	charon-nm stroke _updown scepclient pki swanctl conftest dumm \
 	libfast manager medsrv pool charon-tkm charon-cmd charon-svc \
-	pt-tls-client checksum aikgen aikpub2
+	pt-tls-client checksum aikgen
 am__DIST_COMMON = $(srcdir)/Makefile.in
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 am__relativize = \
@@ -374,7 +373,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -409,6 +407,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -469,7 +468,7 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \
 	$(am__append_25) $(am__append_26) $(am__append_27) \
 	$(am__append_28) $(am__append_29) $(am__append_30) \
 	$(am__append_31) $(am__append_32) $(am__append_33) \
-	$(am__append_34) $(am__append_35)
+	$(am__append_34)
 all: all-recursive
 
 .SUFFIXES:
diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in
index ce9ce1f..aa94c55 100644
--- a/src/_copyright/Makefile.in
+++ b/src/_copyright/Makefile.in
@@ -326,7 +326,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -361,6 +360,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in
index 37a57af..46b81cb 100644
--- a/src/_updown/Makefile.in
+++ b/src/_updown/Makefile.in
@@ -304,7 +304,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -339,6 +338,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/aikgen/Makefile.in b/src/aikgen/Makefile.in
index 149e739..6b19041 100644
--- a/src/aikgen/Makefile.in
+++ b/src/aikgen/Makefile.in
@@ -327,7 +327,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -362,6 +361,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/aikpub2/Makefile.am b/src/aikpub2/Makefile.am
deleted file mode 100644
index a9ab138..0000000
--- a/src/aikpub2/Makefile.am
+++ /dev/null
@@ -1,15 +0,0 @@
-bin_PROGRAMS = aikpub2
-
-aikpub2_SOURCES = aikpub2.c
-
-aikpub2_LDADD = \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libtpmtss/libtpmtss.la
-
-aikpub2.o :	$(top_builddir)/config.status
-
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libtpmtss \
-	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
-	-DPLUGINS=\""${aikgen_plugins}\""
diff --git a/src/aikpub2/Makefile.in b/src/aikpub2/Makefile.in
deleted file mode 100644
index 62be867..0000000
--- a/src/aikpub2/Makefile.in
+++ /dev/null
@@ -1,762 +0,0 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
- at SET_MAKE@
-
-VPATH = @srcdir@
-am__is_gnu_make = { \
-  if test -z '$(MAKELEVEL)'; then \
-    false; \
-  elif test -n '$(MAKE_HOST)'; then \
-    true; \
-  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
-    true; \
-  else \
-    false; \
-  fi; \
-}
-am__make_running_with_option = \
-  case $${target_option-} in \
-      ?) ;; \
-      *) echo "am__make_running_with_option: internal error: invalid" \
-              "target option '$${target_option-}' specified" >&2; \
-         exit 1;; \
-  esac; \
-  has_opt=no; \
-  sane_makeflags=$$MAKEFLAGS; \
-  if $(am__is_gnu_make); then \
-    sane_makeflags=$$MFLAGS; \
-  else \
-    case $$MAKEFLAGS in \
-      *\\[\ \	]*) \
-        bs=\\; \
-        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
-          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
-    esac; \
-  fi; \
-  skip_next=no; \
-  strip_trailopt () \
-  { \
-    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
-  }; \
-  for flg in $$sane_makeflags; do \
-    test $$skip_next = yes && { skip_next=no; continue; }; \
-    case $$flg in \
-      *=*|--*) continue;; \
-        -*I) strip_trailopt 'I'; skip_next=yes;; \
-      -*I?*) strip_trailopt 'I';; \
-        -*O) strip_trailopt 'O'; skip_next=yes;; \
-      -*O?*) strip_trailopt 'O';; \
-        -*l) strip_trailopt 'l'; skip_next=yes;; \
-      -*l?*) strip_trailopt 'l';; \
-      -[dEDm]) skip_next=yes;; \
-      -[JT]) skip_next=yes;; \
-    esac; \
-    case $$flg in \
-      *$$target_option*) has_opt=yes; break;; \
-    esac; \
-  done; \
-  test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-bin_PROGRAMS = aikpub2$(EXEEXT)
-subdir = src/aikpub2
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
-	$(top_srcdir)/m4/config/ltoptions.m4 \
-	$(top_srcdir)/m4/config/ltsugar.m4 \
-	$(top_srcdir)/m4/config/ltversion.m4 \
-	$(top_srcdir)/m4/config/lt~obsolete.m4 \
-	$(top_srcdir)/m4/macros/split-package-version.m4 \
-	$(top_srcdir)/m4/macros/with.m4 \
-	$(top_srcdir)/m4/macros/enable-disable.m4 \
-	$(top_srcdir)/m4/macros/add-plugin.m4 \
-	$(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
-	$(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
-mkinstalldirs = $(install_sh) -d
-CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__installdirs = "$(DESTDIR)$(bindir)"
-PROGRAMS = $(bin_PROGRAMS)
-am_aikpub2_OBJECTS = aikpub2.$(OBJEXT)
-aikpub2_OBJECTS = $(am_aikpub2_OBJECTS)
-aikpub2_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libtpmtss/libtpmtss.la
-AM_V_lt = $(am__v_lt_ at AM_V@)
-am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
-am__v_lt_0 = --silent
-am__v_lt_1 = 
-AM_V_P = $(am__v_P_ at AM_V@)
-am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_ at AM_V@)
-am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
-am__v_GEN_0 = @echo "  GEN     " $@;
-am__v_GEN_1 = 
-AM_V_at = $(am__v_at_ at AM_V@)
-am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 = 
-DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
-	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
-	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
-	$(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_ at AM_V@)
-am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
-am__v_CC_0 = @echo "  CC      " $@;
-am__v_CC_1 = 
-CCLD = $(CC)
-LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
-	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
-	$(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo "  CCLD    " $@;
-am__v_CCLD_1 = 
-SOURCES = $(aikpub2_SOURCES)
-DIST_SOURCES = $(aikpub2_SOURCES)
-am__can_run_installinfo = \
-  case $$AM_UPDATE_INFO_DIR in \
-    n|no|NO) false;; \
-    *) (install-info --version) >/dev/null 2>&1;; \
-  esac
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-# Read a list of newline-separated strings from the standard input,
-# and print each of them once, without duplicates.  Input order is
-# *not* preserved.
-am__uniquify_input = $(AWK) '\
-  BEGIN { nonempty = 0; } \
-  { items[$$0] = 1; nonempty = 1; } \
-  END { if (nonempty) { for (i in items) print i; }; } \
-'
-# Make sure the list of sources is unique.  This is necessary because,
-# e.g., the same source file might be shared among _SOURCES variables
-# for different programs/libraries.
-am__define_uniq_tagged_files = \
-  list='$(am__tagged_files)'; \
-  unique=`for i in $$list; do \
-    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
-  done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
-am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AR = @AR@
-ATOMICLIB = @ATOMICLIB@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BFDLIB = @BFDLIB@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
-COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DLLTOOL = @DLLTOOL@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-EASY_INSTALL = @EASY_INSTALL@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GEM = @GEM@
-GENHTML = @GENHTML@
-GPERF = @GPERF@
-GPRBUILD = @GPRBUILD@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LCOV = @LCOV@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
-MAKEINFO = @MAKEINFO@
-MANIFEST_TOOL = @MANIFEST_TOOL@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OPENSSL_LIB = @OPENSSL_LIB@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
-PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
-PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
-PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
-PTHREADLIB = @PTHREADLIB@
-PYTHON = @PYTHON@
-PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
-PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
-PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@
-PYTHON_PLATFORM = @PYTHON_PLATFORM@
-PYTHON_PREFIX = @PYTHON_PREFIX@
-PYTHON_VERSION = @PYTHON_VERSION@
-PY_TEST = @PY_TEST@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYGEMDIR = @RUBYGEMDIR@
-RUBYINCLUDE = @RUBYINCLUDE@
-RUBYLIB = @RUBYLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-UNWINDLIB = @UNWINDLIB@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_AR = @ac_ct_AR@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-aikgen_plugins = @aikgen_plugins@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-charon_natt_port = @charon_natt_port@
-charon_plugins = @charon_plugins@
-charon_udp_port = @charon_udp_port@
-clearsilver_LIBS = @clearsilver_LIBS@
-cmd_plugins = @cmd_plugins@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dev_headers = @dev_headers@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-fips_mode = @fips_mode@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsec_script = @ipsec_script@
-ipsec_script_upper = @ipsec_script_upper@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-json_CFLAGS = @json_CFLAGS@
-json_LIBS = @json_LIBS@
-libdir = @libdir@
-libexecdir = @libexecdir@
-libiptc_CFLAGS = @libiptc_CFLAGS@
-libiptc_LIBS = @libiptc_LIBS@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-nm_plugins = @nm_plugins@
-oldincludedir = @oldincludedir@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pkgpyexecdir = @pkgpyexecdir@
-pkgpythondir = @pkgpythondir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-pyexecdir = @pyexecdir@
-pythondir = @pythondir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-runstatedir = @runstatedir@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-strongswan_options = @strongswan_options@
-swanctldir = @swanctldir@
-sysconfdir = @sysconfdir@
-systemd_CFLAGS = @systemd_CFLAGS@
-systemd_LIBS = @systemd_LIBS@
-systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
-systemd_daemon_LIBS = @systemd_daemon_LIBS@
-systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
-systemd_journal_LIBS = @systemd_journal_LIBS@
-systemdsystemunitdir = @systemdsystemunitdir@
-t_plugins = @t_plugins@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-tss2_CFLAGS = @tss2_CFLAGS@
-tss2_LIBS = @tss2_LIBS@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-aikpub2_SOURCES = aikpub2.c
-aikpub2_LDADD = \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(top_builddir)/src/libtpmtss/libtpmtss.la
-
-AM_CPPFLAGS = \
-	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libtpmtss \
-	-DIPSEC_CONFDIR=\"${sysconfdir}\" \
-	-DPLUGINS=\""${aikgen_plugins}\""
-
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
-	@for dep in $?; do \
-	  case '$(am__configure_deps)' in \
-	    *$$dep*) \
-	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
-	        && { if test -f $@; then exit 0; else break; fi; }; \
-	      exit 1;; \
-	  esac; \
-	done; \
-	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/aikpub2/Makefile'; \
-	$(am__cd) $(top_srcdir) && \
-	  $(AUTOMAKE) --gnu src/aikpub2/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
-	@case '$?' in \
-	  *config.status*) \
-	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
-	  *) \
-	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
-	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
-	esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure:  $(am__configure_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
-	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-install-binPROGRAMS: $(bin_PROGRAMS)
-	@$(NORMAL_INSTALL)
-	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
-	if test -n "$$list"; then \
-	  echo " $(MKDIR_P) '$(DESTDIR)$(bindir)'"; \
-	  $(MKDIR_P) "$(DESTDIR)$(bindir)" || exit 1; \
-	fi; \
-	for p in $$list; do echo "$$p $$p"; done | \
-	sed 's/$(EXEEXT)$$//' | \
-	while read p p1; do if test -f $$p \
-	 || test -f $$p1 \
-	  ; then echo "$$p"; echo "$$p"; else :; fi; \
-	done | \
-	sed -e 'p;s,.*/,,;n;h' \
-	    -e 's|.*|.|' \
-	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
-	sed 'N;N;N;s,\n, ,g' | \
-	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
-	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
-	    if ($$2 == $$4) files[d] = files[d] " " $$1; \
-	    else { print "f", $$3 "/" $$4, $$1; } } \
-	  END { for (d in files) print "f", d, files[d] }' | \
-	while read type dir files; do \
-	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
-	    test -z "$$files" || { \
-	    echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \
-	    $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \
-	    } \
-	; done
-
-uninstall-binPROGRAMS:
-	@$(NORMAL_UNINSTALL)
-	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \
-	files=`for p in $$list; do echo "$$p"; done | \
-	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
-	      -e 's/$$/$(EXEEXT)/' \
-	`; \
-	test -n "$$list" || exit 0; \
-	echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \
-	cd "$(DESTDIR)$(bindir)" && rm -f $$files
-
-clean-binPROGRAMS:
-	@list='$(bin_PROGRAMS)'; test -n "$$list" || exit 0; \
-	echo " rm -f" $$list; \
-	rm -f $$list || exit $$?; \
-	test -n "$(EXEEXT)" || exit 0; \
-	list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
-	echo " rm -f" $$list; \
-	rm -f $$list
-
-aikpub2$(EXEEXT): $(aikpub2_OBJECTS) $(aikpub2_DEPENDENCIES) $(EXTRA_aikpub2_DEPENDENCIES) 
-	@rm -f aikpub2$(EXEEXT)
-	$(AM_V_CCLD)$(LINK) $(aikpub2_OBJECTS) $(aikpub2_LDADD) $(LIBS)
-
-mostlyclean-compile:
-	-rm -f *.$(OBJEXT)
-
-distclean-compile:
-	-rm -f *.tab.c
-
- at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/aikpub2.Po at am__quote@
-
-.c.o:
- at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
- at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
- at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ $<
-
-.c.obj:
- at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
- at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
- at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-.c.lo:
- at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
- at am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
- at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
- at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
-	-rm -f *.lo
-
-clean-libtool:
-	-rm -rf .libs _libs
-
-ID: $(am__tagged_files)
-	$(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-am
-TAGS: tags
-
-tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	set x; \
-	here=`pwd`; \
-	$(am__define_uniq_tagged_files); \
-	shift; \
-	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
-	  test -n "$$unique" || unique=$$empty_fix; \
-	  if test $$# -gt 0; then \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      "$$@" $$unique; \
-	  else \
-	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
-	      $$unique; \
-	  fi; \
-	fi
-ctags: ctags-am
-
-CTAGS: ctags
-ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
-	$(am__define_uniq_tagged_files); \
-	test -z "$(CTAGS_ARGS)$$unique" \
-	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
-	     $$unique
-
-GTAGS:
-	here=`$(am__cd) $(top_builddir) && pwd` \
-	  && $(am__cd) $(top_srcdir) \
-	  && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-am
-
-cscopelist-am: $(am__tagged_files)
-	list='$(am__tagged_files)'; \
-	case "$(srcdir)" in \
-	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
-	  *) sdir=$(subdir)/$(srcdir) ;; \
-	esac; \
-	for i in $$list; do \
-	  if test -f "$$i"; then \
-	    echo "$(subdir)/$$i"; \
-	  else \
-	    echo "$$sdir/$$i"; \
-	  fi; \
-	done >> $(top_builddir)/cscope.files
-
-distclean-tags:
-	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
-	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
-	list='$(DISTFILES)'; \
-	  dist_files=`for file in $$list; do echo $$file; done | \
-	  sed -e "s|^$$srcdirstrip/||;t" \
-	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
-	case $$dist_files in \
-	  */*) $(MKDIR_P) `echo "$$dist_files" | \
-			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
-			   sort -u` ;; \
-	esac; \
-	for file in $$dist_files; do \
-	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
-	  if test -d $$d/$$file; then \
-	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
-	    if test -d "$(distdir)/$$file"; then \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
-	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
-	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
-	    fi; \
-	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
-	  else \
-	    test -f "$(distdir)/$$file" \
-	    || cp -p $$d/$$file "$(distdir)/$$file" \
-	    || exit 1; \
-	  fi; \
-	done
-check-am: all-am
-check: check-am
-all-am: Makefile $(PROGRAMS)
-installdirs:
-	for dir in "$(DESTDIR)$(bindir)"; do \
-	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
-	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
-	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
-	if test -z '$(STRIP)'; then \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	      install; \
-	else \
-	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
-	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
-	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
-	fi
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
-	@echo "This command is intended for maintainers to use"
-	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-binPROGRAMS clean-generic clean-libtool mostlyclean-am
-
-distclean: distclean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
-	distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am:
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am: install-binPROGRAMS
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
-	-rm -rf ./$(DEPDIR)
-	-rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
-	mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-binPROGRAMS
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean \
-	clean-binPROGRAMS clean-generic clean-libtool cscopelist-am \
-	ctags ctags-am distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-binPROGRAMS \
-	install-data install-data-am install-dvi install-dvi-am \
-	install-exec install-exec-am install-html install-html-am \
-	install-info install-info-am install-man install-pdf \
-	install-pdf-am install-ps install-ps-am install-strip \
-	installcheck installcheck-am installdirs maintainer-clean \
-	maintainer-clean-generic mostlyclean mostlyclean-compile \
-	mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
-	tags tags-am uninstall uninstall-am uninstall-binPROGRAMS
-
-.PRECIOUS: Makefile
-
-
-aikpub2.o :	$(top_builddir)/config.status
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/aikpub2/aikpub2.c b/src/aikpub2/aikpub2.c
deleted file mode 100644
index fea58ed..0000000
--- a/src/aikpub2/aikpub2.c
+++ /dev/null
@@ -1,305 +0,0 @@
-/*
- * Copyright (C) 2016 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * for more details.
- */
-
-#include "tpm_tss.h"
-
-#include <library.h>
-#include <utils/debug.h>
-#include <utils/optionsfrom.h>
-
-#include <syslog.h>
-#include <getopt.h>
-#include <errno.h>
-
-/* default directory where AIK keys are stored */
-#define AIK_DIR							IPSEC_CONFDIR "/pts/"
-
-/* default name of AIK public key blob */
-#define DEFAULT_FILENAME_AIKPUBKEY		AIK_DIR "aikPub.der"
-
-/* logging */
-static bool log_to_stderr = TRUE;
-static bool log_to_syslog = TRUE;
-static level_t default_loglevel = 1;
-
-/* options read by optionsfrom */
-options_t *options;
-
-chunk_t aik_pubkey;
-chunk_t aik_keyid;
-
-/**
- * logging function for aikpub2
- */
-static void aikpub2_dbg(debug_t group, level_t level, char *fmt, ...)
-{
-	char buffer[8192];
-	char *current = buffer, *next;
-	va_list args;
-
-	if (level <= default_loglevel)
-	{
-		if (log_to_stderr)
-		{
-			va_start(args, fmt);
-			vfprintf(stderr, fmt, args);
-			va_end(args);
-			fprintf(stderr, "\n");
-		}
-		if (log_to_syslog)
-		{
-			/* write in memory buffer first */
-			va_start(args, fmt);
-			vsnprintf(buffer, sizeof(buffer), fmt, args);
-			va_end(args);
-
-			/* do a syslog with every line */
-			while (current)
-			{
-				next = strchr(current, '\n');
-				if (next)
-				{
-					*(next++) = '\0';
-				}
-				syslog(LOG_INFO, "%s\n", current);
-				current = next;
-			}
-		}
-	}
-}
-
-/**
- * Initialize logging to stderr/syslog
- */
-static void init_log(const char *program)
-{
-	dbg = aikpub2_dbg;
-
-	if (log_to_stderr)
-	{
-		setbuf(stderr, NULL);
-	}
-	if (log_to_syslog)
-	{
-		openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
-	}
-}
-
-/**
- * @brief exit aikgen
- *
- * @param status 0 = OK, -1 = general discomfort
- */
-static void exit_aikpub2(err_t message, ...)
-{
-	int status = 0;
-
-	free(aik_pubkey.ptr);
-	free(aik_keyid.ptr);
-	options->destroy(options);
-
-	/* print any error message to stderr */
-	if (message != NULL && *message != '\0')
-	{
-		va_list args;
-		char m[8192];
-
-		va_start(args, message);
-		vsnprintf(m, sizeof(m), message, args);
-		va_end(args);
-
-		fprintf(stderr, "aikpub2 error: %s\n", m);
-		status = -1;
-	}
-	library_deinit();
-	exit(status);
-}
-
-/**
- * @brief prints the usage of the program to the stderr output
- *
- * If message is set, program is exited with 1 (error)
- * @param message message in case of an error
- */
-static void usage(const char *message)
-{
-	fprintf(stderr,
-		"Usage: aikpub2  --handle <handle> --out <filename>\n"
-		"               [--force] [--quiet] [--debug <level>]\n"
-		"       aikpub2  --help\n"
-		"\n"
-		"Options:\n"
-		" --handle (-H)     TSS 2.0 AIK object handle\n"
-		" --out (-o)        AIK public key in PKCS #1 format\n"
-		" --force (-f)      force to overwrite existing files\n"
-		" --help (-h)       show usage and exit\n"
-		"\n"
-		"Debugging output:\n"
-		" --debug (-l)      changes the log level (-1..4, default: 1)\n"
-		" --quiet (-q)      do not write log output to stderr\n"
-		);
-	exit_aikpub2(message);
-}
-
-
-/**
- * @brief main of aikpub2 which extracts an Attestation Identity Key (AIK)
- *
- * @param argc number of arguments
- * @param argv pointer to the argument values
- */
-int main(int argc, char *argv[])
-{
-	/* external values */
-	extern char * optarg;
-	extern int optind;
-
-	char *aik_out_filename = DEFAULT_FILENAME_AIKPUBKEY;
-	uint32_t aik_handle = 0;
-	bool force = FALSE;
-	hasher_t *hasher;
-	tpm_tss_t *tpm;
-
-	atexit(library_deinit);
-	if (!library_init(NULL, "aikpub2"))
-	{
-		exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
-	}
-	if (lib->integrity &&
-		!lib->integrity->check_file(lib->integrity, "aikpub2", argv[0]))
-	{
-		fprintf(stderr, "integrity check of aikpub2 failed\n");
-		exit(SS_RC_DAEMON_INTEGRITY);
-	}
-
-	/* initialize global variables */
-	options = options_create();
-
-	for (;;)
-	{
-		static const struct option long_opts[] = {
-			/* name, has_arg, flag, val */
-			{ "help", no_argument, NULL, 'h' },
-			{ "optionsfrom", required_argument, NULL, '+' },
-			{ "handle", required_argument, NULL, 'H' },
-			{ "in", required_argument, NULL, 'i' },
-			{ "out", required_argument, NULL, 'o' },
-			{ "force", no_argument, NULL, 'f' },
-			{ "quiet", no_argument, NULL, 'q' },
-			{ "debug", required_argument, NULL, 'l' },
-			{ 0,0,0,0 }
-		};
-
-		/* parse next option */
-		int c = getopt_long(argc, argv, "h+:H:i:o:fql:", long_opts, NULL);
-
-		switch (c)
-		{
-			case EOF:       /* end of flags */
-				break;
-
-			case 'h':       /* --help */
-				usage(NULL);
-
-			case '+':       /* --optionsfrom <filename> */
-				if (!options->from(options, optarg, &argc, &argv, optind))
-				{
-					exit_aikpub2("optionsfrom failed");
-				}
-				continue;
-
-			case 'H':       /* --handle <handle> */
-				aik_handle = strtoll(optarg, NULL, 16);
-				continue;
-
-			case 'o':       /* --out <filename> */
-				aik_out_filename = optarg;
-				continue;
-
-			case 'f':       /* --force */
-				force = TRUE;
-				continue;
-
-			case 'q':       /* --quiet */
-				log_to_stderr = FALSE;
-				continue;
-
-			case 'l':		/* --debug <level> */
-				default_loglevel = atoi(optarg);
-				continue;
-
-			default:
-				usage("unknown option");
-		}
-		/* break from loop */
-		break;
-	}
-
-	init_log("aikpub2");
-
-	if (!lib->plugins->load(lib->plugins,
-			lib->settings->get_str(lib->settings, "aikpub2.load", PLUGINS)))
-	{
-		exit_aikpub2("plugin loading failed");
-	}
-	if (!aik_handle)
-	{
-		usage("--handle option is required");
-	}
-
-	/* try to find a TPM 2.0 */
-	tpm = tpm_tss_probe(TPM_VERSION_2_0);
-	if (!tpm)
-	{
-		exit_aikpub2("no TPM 2.0 found");	
-	}
-
-	/* get AIK public key from TPM */
-	aik_pubkey = tpm->get_public(tpm, aik_handle);
-	tpm->destroy(tpm);
-
-	/* exit if AIK public key retrieval failed */
-	if (aik_pubkey.len == 0)
-	{
-		exit_aikpub2("retrieval of AIK public key failed");
-	}
-
-	/* store AIK subjectPublicKeyInfo to file */
-	if (!chunk_write(aik_pubkey, aik_out_filename, 0022, force))
-	{
-		exit_aikpub2("could not write AIK public key file '%s': %s",
-					  aik_out_filename, strerror(errno));
-	}
-	DBG1(DBG_LIB, "AIK public key written to '%s' (%u bytes)",
-				   aik_out_filename, aik_pubkey.len);
-
-	/* AIK keyid derived from subjectPublicKeyInfo encoding */
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (!hasher)
-	{
-		exit_aikpub2("SHA1 hash algorithm not supported");
-	}
-	if (!hasher->allocate_hash(hasher, aik_pubkey, &aik_keyid))
-	{
-		hasher->destroy(hasher);
-		exit_aikpub2("computing SHA1 fingerprint failed");
-	}
-	hasher->destroy(hasher);
-
-	DBG1(DBG_LIB, "AIK keyid: %#B", &aik_keyid);
-
-	exit_aikpub2(NULL);
-	return -1; /* should never be reached */
-}
diff --git a/src/charon-cmd/Makefile.in b/src/charon-cmd/Makefile.in
index fb43e4e..3a5f028 100644
--- a/src/charon-cmd/Makefile.in
+++ b/src/charon-cmd/Makefile.in
@@ -364,7 +364,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -399,6 +398,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-cmd/charon-cmd.c b/src/charon-cmd/charon-cmd.c
index f350198..7934964 100644
--- a/src/charon-cmd/charon-cmd.c
+++ b/src/charon-cmd/charon-cmd.c
@@ -40,11 +40,6 @@
 static level_t default_loglevel = LEVEL_CTRL;
 
 /**
- * Loglevel configuration
- */
-static level_t levels[DBG_MAX];
-
-/**
  * Connection to initiate
  */
 static cmd_connection_t *conn;
@@ -129,7 +124,7 @@ static int run()
 					 "configuration");
 				if (lib->settings->load_files(lib->settings, lib->conf, FALSE))
 				{
-					charon->load_loggers(charon, levels, TRUE);
+					charon->load_loggers(charon);
 					lib->plugins->reload(lib->plugins, NULL);
 				}
 				else
@@ -311,6 +306,7 @@ int main(int argc, char *argv[])
 {
 	struct sigaction action;
 	struct utsname utsname;
+	level_t levels[DBG_MAX];
 	int group;
 
 	/* handle simple arguments */
@@ -338,7 +334,8 @@ int main(int argc, char *argv[])
 	{
 		levels[group] = default_loglevel;
 	}
-	charon->load_loggers(charon, levels, TRUE);
+	charon->set_default_loggers(charon, levels, TRUE);
+	charon->load_loggers(charon);
 
 	if (!lookup_uid_gid())
 	{
diff --git a/src/charon-nm/Makefile.in b/src/charon-nm/Makefile.in
index 7f05b35..90cdb8c 100644
--- a/src/charon-nm/Makefile.in
+++ b/src/charon-nm/Makefile.in
@@ -363,7 +363,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -398,6 +397,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-nm/charon-nm.c b/src/charon-nm/charon-nm.c
index cbbed7a..ca12db8 100644
--- a/src/charon-nm/charon-nm.c
+++ b/src/charon-nm/charon-nm.c
@@ -192,7 +192,7 @@ int main(int argc, char *argv[])
 	lib->settings->set_int(lib->settings, "charon-nm.syslog.daemon.default",
 		lib->settings->get_int(lib->settings,
 							   "charon-nm.syslog.daemon.default", 1));
-	charon->load_loggers(charon, NULL, FALSE);
+	charon->load_loggers(charon);
 
 	/* use random ports to avoid conflicts with regular charon */
 	lib->settings->set_int(lib->settings, "charon-nm.port", 0);
diff --git a/src/charon-svc/Makefile.in b/src/charon-svc/Makefile.in
index e9cb266..7dd0fb6 100644
--- a/src/charon-svc/Makefile.in
+++ b/src/charon-svc/Makefile.in
@@ -327,7 +327,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -362,6 +361,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-svc/charon-svc.c b/src/charon-svc/charon-svc.c
index 823b366..7201fae 100644
--- a/src/charon-svc/charon-svc.c
+++ b/src/charon-svc/charon-svc.c
@@ -220,7 +220,8 @@ static void init_and_run(DWORD dwArgc, LPTSTR *lpszArgv, int (*wait)())
 			update_status(SERVICE_START_PENDING);
 			if (libcharon_init())
 			{
-				charon->load_loggers(charon, levels, TRUE);
+				charon->set_default_loggers(charon, levels, TRUE);
+				charon->load_loggers(charon);
 				print_version();
 				update_status(SERVICE_START_PENDING);
 				if (charon->initialize(charon, PLUGINS))
diff --git a/src/charon-systemd/Makefile.in b/src/charon-systemd/Makefile.in
index c1aa833..1959818 100644
--- a/src/charon-systemd/Makefile.in
+++ b/src/charon-systemd/Makefile.in
@@ -331,7 +331,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -366,6 +365,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-systemd/charon-systemd.c b/src/charon-systemd/charon-systemd.c
index 5c7bbd7..60e509f 100644
--- a/src/charon-systemd/charon-systemd.c
+++ b/src/charon-systemd/charon-systemd.c
@@ -241,6 +241,7 @@ static int run()
 	sigset_t set;
 
 	sigemptyset(&set);
+	sigaddset(&set, SIGHUP);
 	sigaddset(&set, SIGTERM);
 	sigprocmask(SIG_BLOCK, &set, NULL);
 
@@ -262,6 +263,21 @@ static int run()
 		}
 		switch (sig)
 		{
+			case SIGHUP:
+			{
+				DBG1(DBG_DMN, "signal of type SIGHUP received. Reloading "
+					 "configuration");
+				if (lib->settings->load_files(lib->settings, lib->conf, FALSE))
+				{
+					charon->load_loggers(charon);
+					lib->plugins->reload(lib->plugins, NULL);
+				}
+				else
+				{
+					DBG1(DBG_DMN, "reloading config failed, keeping old");
+				}
+				break;
+			}
 			case SIGTERM:
 			{
 				DBG1(DBG_DMN, "SIGTERM received, shutting down");
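Review bot: The new `case SIGHUP:` block in run() repeats line for line the reload sequence that charon.c and charon-cmd.c already carry (visible as context in their hunks of this commit), so the three daemons can drift apart in how a failed reload is handled. Consider moving the `load_files` / `load_loggers` / `plugins->reload` sequence into one shared libcharon helper that each signal loop calls. Until that exists, a comment above the case such as `/* keep in sync with the SIGHUP handling in charon.c and charon-cmd.c */` would help. run() starts and ends outside this hunk.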
@@ -374,7 +390,7 @@ int main(int argc, char *argv[])
 		sd_notifyf(0, "STATUS=unknown uid/gid");
 		return SS_RC_INITIALIZATION_FAILED;
 	}
-	charon->load_loggers(charon, NULL, FALSE);
+	charon->load_loggers(charon);
 
 	lib->plugins->add_static_features(lib->plugins, lib->ns, features,
 							countof(features), TRUE, journal_reload, &journal);
diff --git a/src/charon-tkm/Makefile.in b/src/charon-tkm/Makefile.in
index 30a3ac8..538335b 100644
--- a/src/charon-tkm/Makefile.in
+++ b/src/charon-tkm/Makefile.in
@@ -274,7 +274,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -309,6 +308,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon-tkm/src/charon-tkm.c b/src/charon-tkm/src/charon-tkm.c
index 4a6d2ae..a4d4d0c 100644
--- a/src/charon-tkm/src/charon-tkm.c
+++ b/src/charon-tkm/src/charon-tkm.c
@@ -275,7 +275,7 @@ int main(int argc, char *argv[])
 	lib->settings->set_int(lib->settings, "%s.syslog.daemon.default",
 			lib->settings->get_int(lib->settings, "%s.syslog.daemon.default", 1,
 								   dmn_name), dmn_name);
-	charon->load_loggers(charon, NULL, FALSE);
+	charon->load_loggers(charon);
 
 	DBG1(DBG_DMN, "Starting charon with TKM backend (strongSwan "VERSION")");
 
diff --git a/src/charon-tkm/src/tkm/tkm_keymat.c b/src/charon-tkm/src/tkm/tkm_keymat.c
index a7cce0f..a247604 100644
--- a/src/charon-tkm/src/tkm/tkm_keymat.c
+++ b/src/charon-tkm/src/tkm/tkm_keymat.c
@@ -378,7 +378,8 @@ METHOD(keymat_t, get_aead, aead_t*,
 
 METHOD(keymat_v2_t, get_auth_octets, bool,
 	private_tkm_keymat_t *this, bool verify, chunk_t ike_sa_init,
-	chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
+	chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets,
+	array_t *schemes)
 {
 	sign_info_t *sign;
 
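Review bot: The new `array_t *schemes` parameter of get_auth_octets has no comment saying whether the TKM keymat evaluates it. The body lies outside this hunk, so it cannot be confirmed here, but the conftest callers in this commit pass `NULL`. If the argument is intentionally ignored, say so at the signature so that callers do not assume signature scheme constraints are applied on this path, e.g. `/* schemes is not evaluated by the TKM keymat */`.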
diff --git a/src/charon-tkm/tests/tests.c b/src/charon-tkm/tests/tests.c
index e3cd2d9..3d57599 100644
--- a/src/charon-tkm/tests/tests.c
+++ b/src/charon-tkm/tests/tests.c
@@ -52,7 +52,7 @@ static bool test_runner_init(bool init)
 		libcharon_init();
 		lib->settings->set_int(lib->settings,
 							   "test-runner.filelog.stdout.default", 0);
-		charon->load_loggers(charon, NULL, FALSE);
+		charon->load_loggers(charon);
 
 		/* Register TKM specific plugins */
 		static plugin_feature_t features[] = {
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index d07ea5c..8cf782f 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -330,7 +330,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -365,6 +364,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 116ce7e..520cb3c 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -59,16 +59,6 @@
 static FILE *pidfile = NULL;
 
 /**
- * Log levels as defined via command line arguments
- */
-static level_t levels[DBG_MAX];
-
-/**
- * Whether to only use syslog when logging
- */
-static bool use_syslog = FALSE;
-
-/**
  * hook in library for debugging messages
  */
 extern void (*dbg) (debug_t group, level_t level, char *fmt, ...);
@@ -126,7 +116,7 @@ static void run()
 					 "configuration");
 				if (lib->settings->load_files(lib->settings, lib->conf, FALSE))
 				{
-					charon->load_loggers(charon, levels, !use_syslog);
+					charon->load_loggers(charon);
 					lib->plugins->reload(lib->plugins, NULL);
 				}
 				else
@@ -289,6 +279,8 @@ int main(int argc, char *argv[])
 	struct sigaction action;
 	int group, status = SS_RC_INITIALIZATION_FAILED;
 	struct utsname utsname;
+	level_t levels[DBG_MAX];
+	bool use_syslog = FALSE;
 
 	/* logging for library during initialization, as we have no bus yet */
 	dbg = dbg_stderr;
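Review bot: `levels` in main() was a zero-initialised static and is now an automatic array, so every element has to be assigned before the later hunk passes it to `set_default_loggers(charon, levels, !use_syslog)`. The fill loop is not visible in the charon.c hunks (the equivalent loop in charon-cmd.c is visible as context), so this should be confirmed. The SIGHUP path now calls `load_loggers(charon)` without the array, so `set_default_loggers` presumably copies it rather than keeping the pointer; that is not shown here either. Once confirmed, a comment on the declaration would record both, e.g. `level_t levels[DBG_MAX]; /* fully assigned below; copied by set_default_loggers() */`. main() continues outside this hunk.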
@@ -382,7 +374,8 @@ int main(int argc, char *argv[])
 		goto deinit;
 	}
 
-	charon->load_loggers(charon, levels, !use_syslog);
+	charon->set_default_loggers(charon, levels, !use_syslog);
+	charon->load_loggers(charon);
 
 	if (uname(&utsname) != 0)
 	{
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index 8821090..5db5b79 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -61,6 +61,10 @@ endif
 if USE_LIBTPMTSS
   deps += $(top_builddir)/src/libtpmtss/libtpmtss.la
   libs += $(DESTDIR)$(ipseclibdir)/libtpmtss.so
+if !MONOLITHIC
+  AM_CPPFLAGS += -DP_PLUGINS=\""${p_plugins}\""
+endif
+
 endif
 
 if USE_LIBTNCCS
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 7644e1b..5e7a4ca 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -102,24 +102,25 @@ EXTRA_PROGRAMS = checksum_builder$(EXEEXT)
 @USE_LIBPTTLS_TRUE at am__append_11 = $(DESTDIR)$(ipseclibdir)/libpttls.so
 @USE_LIBTPMTSS_TRUE at am__append_12 = $(top_builddir)/src/libtpmtss/libtpmtss.la
 @USE_LIBTPMTSS_TRUE at am__append_13 = $(DESTDIR)$(ipseclibdir)/libtpmtss.so
- at USE_LIBTNCCS_TRUE@am__append_14 = $(top_builddir)/src/libtnccs/libtnccs.la
- at USE_LIBTNCCS_TRUE@am__append_15 = $(DESTDIR)$(ipseclibdir)/libtnccs.so
- at MONOLITHIC_FALSE@@USE_LIBTNCCS_TRUE at am__append_16 = -DT_PLUGINS=\""${t_plugins}\""
- at USE_SIMAKA_TRUE@am__append_17 = $(top_builddir)/src/libsimaka/libsimaka.la
- at USE_SIMAKA_TRUE@am__append_18 = $(DESTDIR)$(ipseclibdir)/libsimaka.so
- at USE_IMCV_TRUE@am__append_19 = $(top_builddir)/src/libimcv/libimcv.la
- at USE_IMCV_TRUE@am__append_20 = $(DESTDIR)$(ipseclibdir)/libimcv.so
- at USE_CHARON_TRUE@am__append_21 = $(top_builddir)/src/libcharon/libcharon.la
- at USE_CHARON_TRUE@am__append_22 = $(DESTDIR)$(ipseclibdir)/libcharon.so
- at USE_CHARON_TRUE@am__append_23 = $(DESTDIR)$(ipsecdir)/charon
- at MONOLITHIC_FALSE@@USE_CHARON_TRUE at am__append_24 = -DC_PLUGINS=\""${c_plugins}\""
- at USE_CMD_TRUE@am__append_25 = $(DESTDIR)$(sbindir)/charon-cmd
- at USE_SYSTEMD_TRUE@am__append_26 = $(DESTDIR)$(sbindir)/charon-systemd
- at USE_SCEPCLIENT_TRUE@am__append_27 = $(DESTDIR)$(ipsecdir)/scepclient
- at USE_PKI_TRUE@am__append_28 = $(DESTDIR)$(bindir)/pki
- at USE_SWANCTL_TRUE@am__append_29 = $(DESTDIR)$(sbindir)/swanctl
- at USE_ATTR_SQL_TRUE@am__append_30 = $(DESTDIR)$(ipsecdir)/pool
- at USE_IMV_ATTESTATION_TRUE@am__append_31 = $(DESTDIR)$(ipsecdir)/attest
+ at MONOLITHIC_FALSE@@USE_LIBTPMTSS_TRUE at am__append_14 = -DP_PLUGINS=\""${p_plugins}\""
+ at USE_LIBTNCCS_TRUE@am__append_15 = $(top_builddir)/src/libtnccs/libtnccs.la
+ at USE_LIBTNCCS_TRUE@am__append_16 = $(DESTDIR)$(ipseclibdir)/libtnccs.so
+ at MONOLITHIC_FALSE@@USE_LIBTNCCS_TRUE at am__append_17 = -DT_PLUGINS=\""${t_plugins}\""
+ at USE_SIMAKA_TRUE@am__append_18 = $(top_builddir)/src/libsimaka/libsimaka.la
+ at USE_SIMAKA_TRUE@am__append_19 = $(DESTDIR)$(ipseclibdir)/libsimaka.so
+ at USE_IMCV_TRUE@am__append_20 = $(top_builddir)/src/libimcv/libimcv.la
+ at USE_IMCV_TRUE@am__append_21 = $(DESTDIR)$(ipseclibdir)/libimcv.so
+ at USE_CHARON_TRUE@am__append_22 = $(top_builddir)/src/libcharon/libcharon.la
+ at USE_CHARON_TRUE@am__append_23 = $(DESTDIR)$(ipseclibdir)/libcharon.so
+ at USE_CHARON_TRUE@am__append_24 = $(DESTDIR)$(ipsecdir)/charon
+ at MONOLITHIC_FALSE@@USE_CHARON_TRUE at am__append_25 = -DC_PLUGINS=\""${c_plugins}\""
+ at USE_CMD_TRUE@am__append_26 = $(DESTDIR)$(sbindir)/charon-cmd
+ at USE_SYSTEMD_TRUE@am__append_27 = $(DESTDIR)$(sbindir)/charon-systemd
+ at USE_SCEPCLIENT_TRUE@am__append_28 = $(DESTDIR)$(ipsecdir)/scepclient
+ at USE_PKI_TRUE@am__append_29 = $(DESTDIR)$(bindir)/pki
+ at USE_SWANCTL_TRUE@am__append_30 = $(DESTDIR)$(sbindir)/swanctl
+ at USE_ATTR_SQL_TRUE@am__append_31 = $(DESTDIR)$(ipsecdir)/pool
+ at USE_IMV_ATTESTATION_TRUE@am__append_32 = $(DESTDIR)$(ipsecdir)/attest
 subdir = src/checksum
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -398,7 +399,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -433,6 +433,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -499,7 +500,7 @@ CLEANFILES = checksum.c $(EXTRA_PROGRAMS)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libcharon \
 	-DPLUGINDIR=\"${DESTDIR}${plugindir}\" $(am__append_1) \
-	$(am__append_16) $(am__append_24)
+	$(am__append_14) $(am__append_17) $(am__append_25)
 AM_CFLAGS = \
 	$(PLUGIN_CFLAGS)
 
@@ -510,15 +511,15 @@ AM_CFLAGS = \
 deps = $(top_builddir)/src/libstrongswan/libstrongswan.la \
 	$(am__append_2) $(am__append_4) $(am__append_6) \
 	$(am__append_8) $(am__append_10) $(am__append_12) \
-	$(am__append_14) $(am__append_17) $(am__append_19) \
-	$(am__append_21)
+	$(am__append_15) $(am__append_18) $(am__append_20) \
+	$(am__append_22)
 libs = $(DESTDIR)$(ipseclibdir)/libstrongswan.so $(am__append_3) \
 	$(am__append_5) $(am__append_7) $(am__append_9) \
-	$(am__append_11) $(am__append_13) $(am__append_15) \
-	$(am__append_18) $(am__append_20) $(am__append_22)
-exes = $(am__append_23) $(am__append_25) $(am__append_26) \
-	$(am__append_27) $(am__append_28) $(am__append_29) \
-	$(am__append_30) $(am__append_31)
+	$(am__append_11) $(am__append_13) $(am__append_16) \
+	$(am__append_19) $(am__append_21) $(am__append_23)
+exes = $(am__append_24) $(am__append_26) $(am__append_27) \
+	$(am__append_28) $(am__append_29) $(am__append_30) \
+	$(am__append_31) $(am__append_32)
 all: all-am
 
 .SUFFIXES:
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index e8998d5..a360146 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -157,6 +157,9 @@ int main(int argc, char* argv[])
 #ifdef S_PLUGINS
 	build_plugin_checksums(S_PLUGINS);
 #endif
+#ifdef P_PLUGINS
+	build_plugin_checksums(P_PLUGINS);
+#endif
 #ifdef T_PLUGINS
 	build_plugin_checksums(T_PLUGINS);
 #endif
diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in
index 9c55b50..14b8351 100644
--- a/src/conftest/Makefile.in
+++ b/src/conftest/Makefile.in
@@ -344,7 +344,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -379,6 +378,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c
index 54957b0..d80196e 100644
--- a/src/conftest/hooks/pretend_auth.c
+++ b/src/conftest/hooks/pretend_auth.c
@@ -238,7 +238,8 @@ static bool build_auth(private_pretend_auth_t *this,
 	}
 	keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
 	if (!keymat->get_auth_octets(keymat, TRUE, this->ike_init,
-								 this->nonce, this->id, this->reserved, &octets))
+								 this->nonce, this->id, this->reserved,
+								 &octets, NULL))
 	{
 		private->destroy(private);
 		return FALSE;
diff --git a/src/conftest/hooks/rebuild_auth.c b/src/conftest/hooks/rebuild_auth.c
index 42a9cb4..b2df278 100644
--- a/src/conftest/hooks/rebuild_auth.c
+++ b/src/conftest/hooks/rebuild_auth.c
@@ -137,7 +137,7 @@ static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa,
 	}
 	keymat = (keymat_v2_t*)ike_sa->get_keymat(ike_sa);
 	if (!keymat->get_auth_octets(keymat, FALSE, this->ike_init,
-								 this->nonce, id, reserved, &octets))
+								 this->nonce, id, reserved, &octets, NULL))
 	{
 		private->destroy(private);
 		id->destroy(id);
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 38681f4..dc1e3dc 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -365,7 +365,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -400,6 +399,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 4fa90fd..068cae1 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -274,7 +274,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -309,6 +308,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 7512472..faf7c76 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
@@ -307,7 +307,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -342,6 +341,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/ipsec/_ipsec.8 b/src/ipsec/_ipsec.8
index 388a492..1ae6375 100644
--- a/src/ipsec/_ipsec.8
+++ b/src/ipsec/_ipsec.8
@@ -1,4 +1,4 @@
-.TH IPSEC 8 "2013-10-29" "5.5.1dr3" "strongSwan"
+.TH IPSEC 8 "2013-10-29" "5.5.2dr4" "strongSwan"
 .
 .SH NAME
 .
diff --git a/src/ipsec/_ipsec.in b/src/ipsec/_ipsec.in
index a002614..ea399b8 100644
--- a/src/ipsec/_ipsec.in
+++ b/src/ipsec/_ipsec.in
@@ -44,6 +44,8 @@ export IPSEC_DIR IPSEC_BINDIR IPSEC_SBINDIR IPSEC_CONFDIR IPSEC_PIDDIR IPSEC_SCR
 
 IPSEC_DISTRO="Institute for Internet Technologies and Applications\nUniversity of Applied Sciences Rapperswil, Switzerland"
 
+command_dir="$IPSEC_DIR"
+
 case "$1" in
 '')
 	echo "$IPSEC_SCRIPT command [arguments]"
@@ -94,10 +96,6 @@ case "$1" in
 	echo "$IPSEC_PIDDIR"
 	exit 0
 	;;
-copyright|--copyright)
-	set _copyright
-	# and fall through, invoking "ipsec _copyright"
-	;;
 down)
 	shift
 	if [ "$#" -ne 1 ]
@@ -307,13 +305,19 @@ update)
 		exit 7
 	fi
 	;;
-pki)
-	shift
-	exec $IPSEC_BINDIR/pki "$@"
+aikgen|pki)
+	# programs in BINDIR may be called directly, these two are listed for legacy reasons
+	command_dir="$IPSEC_BINDIR"
+	# fall through
 	;;
-aikgen)
-	shift
-	exec $IPSEC_BINDIR/aikgen "$@"
+attest|conftest|dumm|irdumm|pacman|pool|pt-tls-client|scepclient|stroke|\
+duplicheck|error-notify|imv_policy_manager|load-tester|lookip|whitelist|\
+_updown|_imv_policy)
+	# fall through
+	;;
+copyright|--copyright)
+	set _copyright
+	# fall through
 	;;
 version|--version)
 	printf "$OS_NAME $IPSEC_NAME $IPSEC_VERSION\n"
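Review bot: The pattern list `attest|conftest|…|_updown|_imv_policy)` now decides which names reach the `-x "$path"` check after `esac`, since the `*)` branch added in the next hunk rejects everything else, yet its only comment is `# fall through`. A `;;` branch in sh does not fall through to the next pattern, so the comment reads like C switch semantics and hides that this is an allowlist. I would replace it with `# allowlist of helpers in $IPSEC_DIR; run by the generic code after esac`, with matching wording in the `aikgen|pki)` and `copyright|--copyright)` branches. The comment should also say that a helper installed under $IPSEC_DIR but missing from the list can no longer be reached through the wrapper. The case statement starts before this hunk and ends in the next one.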
@@ -325,16 +329,20 @@ version|--version)
 	echo "$0: unknown option \`$1' (perhaps command name was omitted?)" >&2
 	exit 2
 	;;
+*)
+	echo "$0: unknown command \`$1' (\`$IPSEC_SCRIPT --help' for list)" >&2
+	exit 2
+	;;
 esac
 
 cmd="$1"
 shift
 
-path="$IPSEC_DIR/$cmd"
+path="$command_dir/$cmd"
 
 if [ ! -x "$path" ]
 then
-	echo "$0: unknown IPsec command \`$cmd' (\`$IPSEC_SCRIPT --help' for list)" >&2
+	echo "$0: unknown command \`$cmd' (\`$IPSEC_SCRIPT --help' for list)" >&2
 	exit 2
 fi
 
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index 4f3d78c..1a8e068 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -106,6 +106,7 @@ sa/ikev2/tasks/ike_delete.c sa/ikev2/tasks/ike_delete.h \
 sa/ikev2/tasks/ike_dpd.c sa/ikev2/tasks/ike_dpd.h \
 sa/ikev2/tasks/ike_init.c sa/ikev2/tasks/ike_init.h \
 sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
+sa/ikev2/tasks/ike_mid_sync.c sa/ikev2/tasks/ike_mid_sync.h \
 sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
@@ -117,6 +118,7 @@ sa/ikev2/tasks/ike_verify_peer_cert.c sa/ikev2/tasks/ike_verify_peer_cert.h
 
 libcharon_la_SOURCES += \
 sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
+sa/ikev1/iv_manager.c sa/ikev1/iv_manager.h \
 sa/ikev1/task_manager_v1.c sa/ikev1/task_manager_v1.h \
 sa/ikev1/authenticators/psk_v1_authenticator.c sa/ikev1/authenticators/psk_v1_authenticator.h \
 sa/ikev1/authenticators/pubkey_v1_authenticator.c sa/ikev1/authenticators/pubkey_v1_authenticator.h \
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index e530205..8461d62 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -105,6 +105,7 @@ sa/ikev2/tasks/ike_delete.c sa/ikev2/tasks/ike_delete.h \
 sa/ikev2/tasks/ike_dpd.c sa/ikev2/tasks/ike_dpd.h \
 sa/ikev2/tasks/ike_init.c sa/ikev2/tasks/ike_init.h \
 sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
+sa/ikev2/tasks/ike_mid_sync.c sa/ikev2/tasks/ike_mid_sync.h \
 sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
@@ -118,6 +119,7 @@ endif
 if USE_IKEV1
 libcharon_la_SOURCES += \
 sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
+sa/ikev1/iv_manager.c sa/ikev1/iv_manager.h \
 sa/ikev1/task_manager_v1.c sa/ikev1/task_manager_v1.h \
 sa/ikev1/authenticators/psk_v1_authenticator.c sa/ikev1/authenticators/psk_v1_authenticator.h \
 sa/ikev1/authenticators/pubkey_v1_authenticator.c sa/ikev1/authenticators/pubkey_v1_authenticator.h \
@@ -226,6 +228,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_BYPASS_LAN
+  SUBDIRS += plugins/bypass_lan
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/bypass_lan/libstrongswan-bypass-lan.la
+endif
+endif
+
 if USE_FORECAST
   SUBDIRS += plugins/forecast
 if MONOLITHIC
diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in
index e82e67b..8f6dc89 100644
--- a/src/libcharon/Makefile.in
+++ b/src/libcharon/Makefile.in
@@ -105,6 +105,7 @@ host_triplet = @host@
 @USE_IKEV2_TRUE at sa/ikev2/tasks/ike_dpd.c sa/ikev2/tasks/ike_dpd.h \
 @USE_IKEV2_TRUE at sa/ikev2/tasks/ike_init.c sa/ikev2/tasks/ike_init.h \
 @USE_IKEV2_TRUE at sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
+ at USE_IKEV2_TRUE@sa/ikev2/tasks/ike_mid_sync.c sa/ikev2/tasks/ike_mid_sync.h \
 @USE_IKEV2_TRUE at sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 @USE_IKEV2_TRUE at sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 @USE_IKEV2_TRUE at sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
@@ -116,6 +117,7 @@ host_triplet = @host@
 
 @USE_IKEV1_TRUE at am__append_2 = \
 @USE_IKEV1_TRUE at sa/ikev1/keymat_v1.c sa/ikev1/keymat_v1.h \
+ at USE_IKEV1_TRUE@sa/ikev1/iv_manager.c sa/ikev1/iv_manager.h \
 @USE_IKEV1_TRUE at sa/ikev1/task_manager_v1.c sa/ikev1/task_manager_v1.h \
 @USE_IKEV1_TRUE at sa/ikev1/authenticators/psk_v1_authenticator.c sa/ikev1/authenticators/psk_v1_authenticator.h \
 @USE_IKEV1_TRUE at sa/ikev1/authenticators/pubkey_v1_authenticator.c sa/ikev1/authenticators/pubkey_v1_authenticator.h \
@@ -161,136 +163,138 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_SOCKET_WIN_TRUE at am__append_13 = plugins/socket_win/libstrongswan-socket-win.la
 @USE_CONNMARK_TRUE at am__append_14 = plugins/connmark
 @MONOLITHIC_TRUE@@USE_CONNMARK_TRUE at am__append_15 = plugins/connmark/libstrongswan-connmark.la
- at USE_FORECAST_TRUE@am__append_16 = plugins/forecast
- at MONOLITHIC_TRUE@@USE_FORECAST_TRUE at am__append_17 = plugins/forecast/libstrongswan-forecast.la
- at USE_FARP_TRUE@am__append_18 = plugins/farp
- at MONOLITHIC_TRUE@@USE_FARP_TRUE at am__append_19 = plugins/farp/libstrongswan-farp.la
- at USE_STROKE_TRUE@am__append_20 = plugins/stroke
- at MONOLITHIC_TRUE@@USE_STROKE_TRUE at am__append_21 = plugins/stroke/libstrongswan-stroke.la
- at USE_VICI_TRUE@am__append_22 = plugins/vici
- at MONOLITHIC_TRUE@@USE_VICI_TRUE at am__append_23 = plugins/vici/libstrongswan-vici.la
- at USE_SMP_TRUE@am__append_24 = plugins/smp
- at MONOLITHIC_TRUE@@USE_SMP_TRUE at am__append_25 = plugins/smp/libstrongswan-smp.la
- at USE_SQL_TRUE@am__append_26 = plugins/sql
- at MONOLITHIC_TRUE@@USE_SQL_TRUE at am__append_27 = plugins/sql/libstrongswan-sql.la
- at USE_DNSCERT_TRUE@am__append_28 = plugins/dnscert
- at MONOLITHIC_TRUE@@USE_DNSCERT_TRUE at am__append_29 = plugins/dnscert/libstrongswan-dnscert.la
- at USE_IPSECKEY_TRUE@am__append_30 = plugins/ipseckey
- at MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE at am__append_31 = plugins/ipseckey/libstrongswan-ipseckey.la
- at USE_UPDOWN_TRUE@am__append_32 = plugins/updown
- at MONOLITHIC_TRUE@@USE_UPDOWN_TRUE at am__append_33 = plugins/updown/libstrongswan-updown.la
- at USE_EXT_AUTH_TRUE@am__append_34 = plugins/ext_auth
- at MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE at am__append_35 = plugins/ext_auth/libstrongswan-ext-auth.la
- at USE_EAP_IDENTITY_TRUE@am__append_36 = plugins/eap_identity
- at MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE at am__append_37 = plugins/eap_identity/libstrongswan-eap-identity.la
- at USE_EAP_SIM_TRUE@am__append_38 = plugins/eap_sim
- at MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE at am__append_39 = plugins/eap_sim/libstrongswan-eap-sim.la
- at USE_EAP_SIM_FILE_TRUE@am__append_40 = plugins/eap_sim_file
- at MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE at am__append_41 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
- at USE_EAP_SIM_PCSC_TRUE@am__append_42 = plugins/eap_sim_pcsc
- at MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE at am__append_43 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
- at USE_EAP_SIMAKA_SQL_TRUE@am__append_44 = plugins/eap_simaka_sql
- at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE at am__append_45 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
- at USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_46 = plugins/eap_simaka_pseudonym
- at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE at am__append_47 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
- at USE_EAP_SIMAKA_REAUTH_TRUE@am__append_48 = plugins/eap_simaka_reauth
- at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE at am__append_49 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
- at USE_EAP_AKA_TRUE@am__append_50 = plugins/eap_aka
- at MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE at am__append_51 = plugins/eap_aka/libstrongswan-eap-aka.la
- at USE_EAP_AKA_3GPP2_TRUE@am__append_52 = plugins/eap_aka_3gpp2
- at MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE at am__append_53 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
- at MONOLITHIC_TRUE@@USE_SIMAKA_TRUE at am__append_54 = $(top_builddir)/src/libsimaka/libsimaka.la
- at USE_EAP_MD5_TRUE@am__append_55 = plugins/eap_md5
- at MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE at am__append_56 = plugins/eap_md5/libstrongswan-eap-md5.la
- at USE_EAP_GTC_TRUE@am__append_57 = plugins/eap_gtc
- at MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE at am__append_58 = plugins/eap_gtc/libstrongswan-eap-gtc.la
- at USE_EAP_MSCHAPV2_TRUE@am__append_59 = plugins/eap_mschapv2
- at MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE at am__append_60 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
- at USE_EAP_DYNAMIC_TRUE@am__append_61 = plugins/eap_dynamic
- at MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE at am__append_62 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
- at USE_EAP_RADIUS_TRUE@am__append_63 = plugins/eap_radius
- at MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE at am__append_64 = plugins/eap_radius/libstrongswan-eap-radius.la
- at USE_EAP_TLS_TRUE@am__append_65 = plugins/eap_tls
- at MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE at am__append_66 = plugins/eap_tls/libstrongswan-eap-tls.la
- at USE_EAP_TTLS_TRUE@am__append_67 = plugins/eap_ttls
- at MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE at am__append_68 = plugins/eap_ttls/libstrongswan-eap-ttls.la
- at USE_EAP_PEAP_TRUE@am__append_69 = plugins/eap_peap
- at MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE at am__append_70 = plugins/eap_peap/libstrongswan-eap-peap.la
- at USE_EAP_TNC_TRUE@am__append_71 = plugins/eap_tnc
- at MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE at am__append_72 = plugins/eap_tnc/libstrongswan-eap-tnc.la
- at MONOLITHIC_TRUE@@USE_TLS_TRUE at am__append_73 = $(top_builddir)/src/libtls/libtls.la
- at MONOLITHIC_TRUE@@USE_RADIUS_TRUE at am__append_74 = $(top_builddir)/src/libradius/libradius.la
- at USE_TNC_IFMAP_TRUE@am__append_75 = plugins/tnc_ifmap
- at MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE at am__append_76 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
- at USE_TNC_PDP_TRUE@am__append_77 = plugins/tnc_pdp
- at MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE at am__append_78 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
- at MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE at am__append_79 = $(top_builddir)/src/libtnccs/libtnccs.la
- at USE_MEDSRV_TRUE@am__append_80 = plugins/medsrv
- at MONOLITHIC_TRUE@@USE_MEDSRV_TRUE at am__append_81 = plugins/medsrv/libstrongswan-medsrv.la
- at USE_MEDCLI_TRUE@am__append_82 = plugins/medcli
- at MONOLITHIC_TRUE@@USE_MEDCLI_TRUE at am__append_83 = plugins/medcli/libstrongswan-medcli.la
- at USE_DHCP_TRUE@am__append_84 = plugins/dhcp
- at MONOLITHIC_TRUE@@USE_DHCP_TRUE at am__append_85 = plugins/dhcp/libstrongswan-dhcp.la
- at USE_OSX_ATTR_TRUE@am__append_86 = plugins/osx_attr
- at MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE at am__append_87 = plugins/osx_attr/libstrongswan-osx-attr.la
- at USE_P_CSCF_TRUE@am__append_88 = plugins/p_cscf
- at MONOLITHIC_TRUE@@USE_P_CSCF_TRUE at am__append_89 = plugins/p_cscf/libstrongswan-p-cscf.la
- at USE_ANDROID_DNS_TRUE@am__append_90 = plugins/android_dns
- at MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE at am__append_91 = plugins/android_dns/libstrongswan-android-dns.la
- at USE_ANDROID_LOG_TRUE@am__append_92 = plugins/android_log
- at MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE at am__append_93 = plugins/android_log/libstrongswan-android-log.la
- at USE_HA_TRUE@am__append_94 = plugins/ha
- at MONOLITHIC_TRUE@@USE_HA_TRUE at am__append_95 = plugins/ha/libstrongswan-ha.la
- at USE_KERNEL_PFKEY_TRUE@am__append_96 = plugins/kernel_pfkey
- at MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE at am__append_97 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
- at USE_KERNEL_PFROUTE_TRUE@am__append_98 = plugins/kernel_pfroute
- at MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE at am__append_99 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
- at USE_KERNEL_NETLINK_TRUE@am__append_100 = plugins/kernel_netlink
- at MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE at am__append_101 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
- at USE_KERNEL_LIBIPSEC_TRUE@am__append_102 = plugins/kernel_libipsec
- at MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE at am__append_103 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
- at USE_KERNEL_WFP_TRUE@am__append_104 = plugins/kernel_wfp
- at MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE at am__append_105 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
- at USE_KERNEL_IPH_TRUE@am__append_106 = plugins/kernel_iph
- at MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE at am__append_107 = plugins/kernel_iph/libstrongswan-kernel-iph.la
- at USE_WHITELIST_TRUE@am__append_108 = plugins/whitelist
- at MONOLITHIC_TRUE@@USE_WHITELIST_TRUE at am__append_109 = plugins/whitelist/libstrongswan-whitelist.la
- at USE_LOOKIP_TRUE@am__append_110 = plugins/lookip
- at MONOLITHIC_TRUE@@USE_LOOKIP_TRUE at am__append_111 = plugins/lookip/libstrongswan-lookip.la
- at USE_ERROR_NOTIFY_TRUE@am__append_112 = plugins/error_notify
- at MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE at am__append_113 = plugins/error_notify/libstrongswan-error-notify.la
- at USE_CERTEXPIRE_TRUE@am__append_114 = plugins/certexpire
- at MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE at am__append_115 = plugins/certexpire/libstrongswan-certexpire.la
- at USE_SYSTIME_FIX_TRUE@am__append_116 = plugins/systime_fix
- at MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE at am__append_117 = plugins/systime_fix/libstrongswan-systime-fix.la
- at USE_LED_TRUE@am__append_118 = plugins/led
- at MONOLITHIC_TRUE@@USE_LED_TRUE at am__append_119 = plugins/led/libstrongswan-led.la
- at USE_DUPLICHECK_TRUE@am__append_120 = plugins/duplicheck
- at MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE at am__append_121 = plugins/duplicheck/libstrongswan-duplicheck.la
- at USE_COUPLING_TRUE@am__append_122 = plugins/coupling
- at MONOLITHIC_TRUE@@USE_COUPLING_TRUE at am__append_123 = plugins/coupling/libstrongswan-coupling.la
- at USE_RADATTR_TRUE@am__append_124 = plugins/radattr
- at MONOLITHIC_TRUE@@USE_RADATTR_TRUE at am__append_125 = plugins/radattr/libstrongswan-radattr.la
- at USE_UCI_TRUE@am__append_126 = plugins/uci
- at MONOLITHIC_TRUE@@USE_UCI_TRUE at am__append_127 = plugins/uci/libstrongswan-uci.la
- at USE_ADDRBLOCK_TRUE@am__append_128 = plugins/addrblock
- at MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE at am__append_129 = plugins/addrblock/libstrongswan-addrblock.la
- at USE_UNITY_TRUE@am__append_130 = plugins/unity
- at MONOLITHIC_TRUE@@USE_UNITY_TRUE at am__append_131 = plugins/unity/libstrongswan-unity.la
- at USE_XAUTH_GENERIC_TRUE@am__append_132 = plugins/xauth_generic
- at MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE at am__append_133 = plugins/xauth_generic/libstrongswan-xauth-generic.la
- at USE_XAUTH_EAP_TRUE@am__append_134 = plugins/xauth_eap
- at MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE at am__append_135 = plugins/xauth_eap/libstrongswan-xauth-eap.la
- at USE_XAUTH_PAM_TRUE@am__append_136 = plugins/xauth_pam
- at MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE at am__append_137 = plugins/xauth_pam/libstrongswan-xauth-pam.la
- at USE_XAUTH_NOAUTH_TRUE@am__append_138 = plugins/xauth_noauth
- at MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE at am__append_139 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
- at USE_RESOLVE_TRUE@am__append_140 = plugins/resolve
- at MONOLITHIC_TRUE@@USE_RESOLVE_TRUE at am__append_141 = plugins/resolve/libstrongswan-resolve.la
- at USE_ATTR_TRUE@am__append_142 = plugins/attr
- at MONOLITHIC_TRUE@@USE_ATTR_TRUE at am__append_143 = plugins/attr/libstrongswan-attr.la
- at USE_ATTR_SQL_TRUE@am__append_144 = plugins/attr_sql
- at MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE at am__append_145 = plugins/attr_sql/libstrongswan-attr-sql.la
+ at USE_BYPASS_LAN_TRUE@am__append_16 = plugins/bypass_lan
+ at MONOLITHIC_TRUE@@USE_BYPASS_LAN_TRUE at am__append_17 = plugins/bypass_lan/libstrongswan-bypass-lan.la
+ at USE_FORECAST_TRUE@am__append_18 = plugins/forecast
+ at MONOLITHIC_TRUE@@USE_FORECAST_TRUE at am__append_19 = plugins/forecast/libstrongswan-forecast.la
+ at USE_FARP_TRUE@am__append_20 = plugins/farp
+ at MONOLITHIC_TRUE@@USE_FARP_TRUE at am__append_21 = plugins/farp/libstrongswan-farp.la
+ at USE_STROKE_TRUE@am__append_22 = plugins/stroke
+ at MONOLITHIC_TRUE@@USE_STROKE_TRUE at am__append_23 = plugins/stroke/libstrongswan-stroke.la
+ at USE_VICI_TRUE@am__append_24 = plugins/vici
+ at MONOLITHIC_TRUE@@USE_VICI_TRUE at am__append_25 = plugins/vici/libstrongswan-vici.la
+ at USE_SMP_TRUE@am__append_26 = plugins/smp
+ at MONOLITHIC_TRUE@@USE_SMP_TRUE at am__append_27 = plugins/smp/libstrongswan-smp.la
+ at USE_SQL_TRUE@am__append_28 = plugins/sql
+ at MONOLITHIC_TRUE@@USE_SQL_TRUE at am__append_29 = plugins/sql/libstrongswan-sql.la
+ at USE_DNSCERT_TRUE@am__append_30 = plugins/dnscert
+ at MONOLITHIC_TRUE@@USE_DNSCERT_TRUE at am__append_31 = plugins/dnscert/libstrongswan-dnscert.la
+ at USE_IPSECKEY_TRUE@am__append_32 = plugins/ipseckey
+ at MONOLITHIC_TRUE@@USE_IPSECKEY_TRUE at am__append_33 = plugins/ipseckey/libstrongswan-ipseckey.la
+ at USE_UPDOWN_TRUE@am__append_34 = plugins/updown
+ at MONOLITHIC_TRUE@@USE_UPDOWN_TRUE at am__append_35 = plugins/updown/libstrongswan-updown.la
+ at USE_EXT_AUTH_TRUE@am__append_36 = plugins/ext_auth
+ at MONOLITHIC_TRUE@@USE_EXT_AUTH_TRUE at am__append_37 = plugins/ext_auth/libstrongswan-ext-auth.la
+ at USE_EAP_IDENTITY_TRUE@am__append_38 = plugins/eap_identity
+ at MONOLITHIC_TRUE@@USE_EAP_IDENTITY_TRUE at am__append_39 = plugins/eap_identity/libstrongswan-eap-identity.la
+ at USE_EAP_SIM_TRUE@am__append_40 = plugins/eap_sim
+ at MONOLITHIC_TRUE@@USE_EAP_SIM_TRUE at am__append_41 = plugins/eap_sim/libstrongswan-eap-sim.la
+ at USE_EAP_SIM_FILE_TRUE@am__append_42 = plugins/eap_sim_file
+ at MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE at am__append_43 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la
+ at USE_EAP_SIM_PCSC_TRUE@am__append_44 = plugins/eap_sim_pcsc
+ at MONOLITHIC_TRUE@@USE_EAP_SIM_PCSC_TRUE at am__append_45 = plugins/eap_sim_pcsc/libstrongswan-eap-sim-pcsc.la
+ at USE_EAP_SIMAKA_SQL_TRUE@am__append_46 = plugins/eap_simaka_sql
+ at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE at am__append_47 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la
+ at USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_48 = plugins/eap_simaka_pseudonym
+ at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE at am__append_49 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la
+ at USE_EAP_SIMAKA_REAUTH_TRUE@am__append_50 = plugins/eap_simaka_reauth
+ at MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE at am__append_51 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la
+ at USE_EAP_AKA_TRUE@am__append_52 = plugins/eap_aka
+ at MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE at am__append_53 = plugins/eap_aka/libstrongswan-eap-aka.la
+ at USE_EAP_AKA_3GPP2_TRUE@am__append_54 = plugins/eap_aka_3gpp2
+ at MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE at am__append_55 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la
+ at MONOLITHIC_TRUE@@USE_SIMAKA_TRUE at am__append_56 = $(top_builddir)/src/libsimaka/libsimaka.la
+ at USE_EAP_MD5_TRUE@am__append_57 = plugins/eap_md5
+ at MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE at am__append_58 = plugins/eap_md5/libstrongswan-eap-md5.la
+ at USE_EAP_GTC_TRUE@am__append_59 = plugins/eap_gtc
+ at MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE at am__append_60 = plugins/eap_gtc/libstrongswan-eap-gtc.la
+ at USE_EAP_MSCHAPV2_TRUE@am__append_61 = plugins/eap_mschapv2
+ at MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE at am__append_62 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la
+ at USE_EAP_DYNAMIC_TRUE@am__append_63 = plugins/eap_dynamic
+ at MONOLITHIC_TRUE@@USE_EAP_DYNAMIC_TRUE at am__append_64 = plugins/eap_dynamic/libstrongswan-eap-dynamic.la
+ at USE_EAP_RADIUS_TRUE@am__append_65 = plugins/eap_radius
+ at MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE at am__append_66 = plugins/eap_radius/libstrongswan-eap-radius.la
+ at USE_EAP_TLS_TRUE@am__append_67 = plugins/eap_tls
+ at MONOLITHIC_TRUE@@USE_EAP_TLS_TRUE at am__append_68 = plugins/eap_tls/libstrongswan-eap-tls.la
+ at USE_EAP_TTLS_TRUE@am__append_69 = plugins/eap_ttls
+ at MONOLITHIC_TRUE@@USE_EAP_TTLS_TRUE at am__append_70 = plugins/eap_ttls/libstrongswan-eap-ttls.la
+ at USE_EAP_PEAP_TRUE@am__append_71 = plugins/eap_peap
+ at MONOLITHIC_TRUE@@USE_EAP_PEAP_TRUE at am__append_72 = plugins/eap_peap/libstrongswan-eap-peap.la
+ at USE_EAP_TNC_TRUE@am__append_73 = plugins/eap_tnc
+ at MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE at am__append_74 = plugins/eap_tnc/libstrongswan-eap-tnc.la
+ at MONOLITHIC_TRUE@@USE_TLS_TRUE at am__append_75 = $(top_builddir)/src/libtls/libtls.la
+ at MONOLITHIC_TRUE@@USE_RADIUS_TRUE at am__append_76 = $(top_builddir)/src/libradius/libradius.la
+ at USE_TNC_IFMAP_TRUE@am__append_77 = plugins/tnc_ifmap
+ at MONOLITHIC_TRUE@@USE_TNC_IFMAP_TRUE at am__append_78 = plugins/tnc_ifmap/libstrongswan-tnc-ifmap.la
+ at USE_TNC_PDP_TRUE@am__append_79 = plugins/tnc_pdp
+ at MONOLITHIC_TRUE@@USE_TNC_PDP_TRUE at am__append_80 = plugins/tnc_pdp/libstrongswan-tnc-pdp.la
+ at MONOLITHIC_TRUE@@USE_LIBTNCCS_TRUE at am__append_81 = $(top_builddir)/src/libtnccs/libtnccs.la
+ at USE_MEDSRV_TRUE@am__append_82 = plugins/medsrv
+ at MONOLITHIC_TRUE@@USE_MEDSRV_TRUE at am__append_83 = plugins/medsrv/libstrongswan-medsrv.la
+ at USE_MEDCLI_TRUE@am__append_84 = plugins/medcli
+ at MONOLITHIC_TRUE@@USE_MEDCLI_TRUE at am__append_85 = plugins/medcli/libstrongswan-medcli.la
+ at USE_DHCP_TRUE@am__append_86 = plugins/dhcp
+ at MONOLITHIC_TRUE@@USE_DHCP_TRUE at am__append_87 = plugins/dhcp/libstrongswan-dhcp.la
+ at USE_OSX_ATTR_TRUE@am__append_88 = plugins/osx_attr
+ at MONOLITHIC_TRUE@@USE_OSX_ATTR_TRUE at am__append_89 = plugins/osx_attr/libstrongswan-osx-attr.la
+ at USE_P_CSCF_TRUE@am__append_90 = plugins/p_cscf
+ at MONOLITHIC_TRUE@@USE_P_CSCF_TRUE at am__append_91 = plugins/p_cscf/libstrongswan-p-cscf.la
+ at USE_ANDROID_DNS_TRUE@am__append_92 = plugins/android_dns
+ at MONOLITHIC_TRUE@@USE_ANDROID_DNS_TRUE at am__append_93 = plugins/android_dns/libstrongswan-android-dns.la
+ at USE_ANDROID_LOG_TRUE@am__append_94 = plugins/android_log
+ at MONOLITHIC_TRUE@@USE_ANDROID_LOG_TRUE at am__append_95 = plugins/android_log/libstrongswan-android-log.la
+ at USE_HA_TRUE@am__append_96 = plugins/ha
+ at MONOLITHIC_TRUE@@USE_HA_TRUE at am__append_97 = plugins/ha/libstrongswan-ha.la
+ at USE_KERNEL_PFKEY_TRUE@am__append_98 = plugins/kernel_pfkey
+ at MONOLITHIC_TRUE@@USE_KERNEL_PFKEY_TRUE at am__append_99 = plugins/kernel_pfkey/libstrongswan-kernel-pfkey.la
+ at USE_KERNEL_PFROUTE_TRUE@am__append_100 = plugins/kernel_pfroute
+ at MONOLITHIC_TRUE@@USE_KERNEL_PFROUTE_TRUE at am__append_101 = plugins/kernel_pfroute/libstrongswan-kernel-pfroute.la
+ at USE_KERNEL_NETLINK_TRUE@am__append_102 = plugins/kernel_netlink
+ at MONOLITHIC_TRUE@@USE_KERNEL_NETLINK_TRUE at am__append_103 = plugins/kernel_netlink/libstrongswan-kernel-netlink.la
+ at USE_KERNEL_LIBIPSEC_TRUE@am__append_104 = plugins/kernel_libipsec
+ at MONOLITHIC_TRUE@@USE_KERNEL_LIBIPSEC_TRUE at am__append_105 = plugins/kernel_libipsec/libstrongswan-kernel-libipsec.la
+ at USE_KERNEL_WFP_TRUE@am__append_106 = plugins/kernel_wfp
+ at MONOLITHIC_TRUE@@USE_KERNEL_WFP_TRUE at am__append_107 = plugins/kernel_wfp/libstrongswan-kernel-wfp.la
+ at USE_KERNEL_IPH_TRUE@am__append_108 = plugins/kernel_iph
+ at MONOLITHIC_TRUE@@USE_KERNEL_IPH_TRUE at am__append_109 = plugins/kernel_iph/libstrongswan-kernel-iph.la
+ at USE_WHITELIST_TRUE@am__append_110 = plugins/whitelist
+ at MONOLITHIC_TRUE@@USE_WHITELIST_TRUE at am__append_111 = plugins/whitelist/libstrongswan-whitelist.la
+ at USE_LOOKIP_TRUE@am__append_112 = plugins/lookip
+ at MONOLITHIC_TRUE@@USE_LOOKIP_TRUE at am__append_113 = plugins/lookip/libstrongswan-lookip.la
+ at USE_ERROR_NOTIFY_TRUE@am__append_114 = plugins/error_notify
+ at MONOLITHIC_TRUE@@USE_ERROR_NOTIFY_TRUE at am__append_115 = plugins/error_notify/libstrongswan-error-notify.la
+ at USE_CERTEXPIRE_TRUE@am__append_116 = plugins/certexpire
+ at MONOLITHIC_TRUE@@USE_CERTEXPIRE_TRUE at am__append_117 = plugins/certexpire/libstrongswan-certexpire.la
+ at USE_SYSTIME_FIX_TRUE@am__append_118 = plugins/systime_fix
+ at MONOLITHIC_TRUE@@USE_SYSTIME_FIX_TRUE at am__append_119 = plugins/systime_fix/libstrongswan-systime-fix.la
+ at USE_LED_TRUE@am__append_120 = plugins/led
+ at MONOLITHIC_TRUE@@USE_LED_TRUE at am__append_121 = plugins/led/libstrongswan-led.la
+ at USE_DUPLICHECK_TRUE@am__append_122 = plugins/duplicheck
+ at MONOLITHIC_TRUE@@USE_DUPLICHECK_TRUE at am__append_123 = plugins/duplicheck/libstrongswan-duplicheck.la
+ at USE_COUPLING_TRUE@am__append_124 = plugins/coupling
+ at MONOLITHIC_TRUE@@USE_COUPLING_TRUE at am__append_125 = plugins/coupling/libstrongswan-coupling.la
+ at USE_RADATTR_TRUE@am__append_126 = plugins/radattr
+ at MONOLITHIC_TRUE@@USE_RADATTR_TRUE at am__append_127 = plugins/radattr/libstrongswan-radattr.la
+ at USE_UCI_TRUE@am__append_128 = plugins/uci
+ at MONOLITHIC_TRUE@@USE_UCI_TRUE at am__append_129 = plugins/uci/libstrongswan-uci.la
+ at USE_ADDRBLOCK_TRUE@am__append_130 = plugins/addrblock
+ at MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE at am__append_131 = plugins/addrblock/libstrongswan-addrblock.la
+ at USE_UNITY_TRUE@am__append_132 = plugins/unity
+ at MONOLITHIC_TRUE@@USE_UNITY_TRUE at am__append_133 = plugins/unity/libstrongswan-unity.la
+ at USE_XAUTH_GENERIC_TRUE@am__append_134 = plugins/xauth_generic
+ at MONOLITHIC_TRUE@@USE_XAUTH_GENERIC_TRUE at am__append_135 = plugins/xauth_generic/libstrongswan-xauth-generic.la
+ at USE_XAUTH_EAP_TRUE@am__append_136 = plugins/xauth_eap
+ at MONOLITHIC_TRUE@@USE_XAUTH_EAP_TRUE at am__append_137 = plugins/xauth_eap/libstrongswan-xauth-eap.la
+ at USE_XAUTH_PAM_TRUE@am__append_138 = plugins/xauth_pam
+ at MONOLITHIC_TRUE@@USE_XAUTH_PAM_TRUE at am__append_139 = plugins/xauth_pam/libstrongswan-xauth-pam.la
+ at USE_XAUTH_NOAUTH_TRUE@am__append_140 = plugins/xauth_noauth
+ at MONOLITHIC_TRUE@@USE_XAUTH_NOAUTH_TRUE at am__append_141 = plugins/xauth_noauth/libstrongswan-xauth-noauth.la
+ at USE_RESOLVE_TRUE@am__append_142 = plugins/resolve
+ at MONOLITHIC_TRUE@@USE_RESOLVE_TRUE at am__append_143 = plugins/resolve/libstrongswan-resolve.la
+ at USE_ATTR_TRUE@am__append_144 = plugins/attr
+ at MONOLITHIC_TRUE@@USE_ATTR_TRUE at am__append_145 = plugins/attr/libstrongswan-attr.la
+ at USE_ATTR_SQL_TRUE@am__append_146 = plugins/attr_sql
+ at MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE at am__append_147 = plugins/attr_sql/libstrongswan-attr-sql.la
 subdir = src/libcharon
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -352,12 +356,12 @@ libcharon_la_DEPENDENCIES =  \
 	$(am__append_35) $(am__append_37) $(am__append_39) \
 	$(am__append_41) $(am__append_43) $(am__append_45) \
 	$(am__append_47) $(am__append_49) $(am__append_51) \
-	$(am__append_53) $(am__append_54) $(am__append_56) \
+	$(am__append_53) $(am__append_55) $(am__append_56) \
 	$(am__append_58) $(am__append_60) $(am__append_62) \
 	$(am__append_64) $(am__append_66) $(am__append_68) \
-	$(am__append_70) $(am__append_72) $(am__append_73) \
-	$(am__append_74) $(am__append_76) $(am__append_78) \
-	$(am__append_79) $(am__append_81) $(am__append_83) \
+	$(am__append_70) $(am__append_72) $(am__append_74) \
+	$(am__append_75) $(am__append_76) $(am__append_78) \
+	$(am__append_80) $(am__append_81) $(am__append_83) \
 	$(am__append_85) $(am__append_87) $(am__append_89) \
 	$(am__append_91) $(am__append_93) $(am__append_95) \
 	$(am__append_97) $(am__append_99) $(am__append_101) \
@@ -368,7 +372,7 @@ libcharon_la_DEPENDENCIES =  \
 	$(am__append_127) $(am__append_129) $(am__append_131) \
 	$(am__append_133) $(am__append_135) $(am__append_137) \
 	$(am__append_139) $(am__append_141) $(am__append_143) \
-	$(am__append_145)
+	$(am__append_145) $(am__append_147)
 am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	attributes/attributes.h attributes/attribute_provider.h \
 	attributes/attribute_handler.h attributes/attribute_manager.c \
@@ -492,6 +496,7 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	sa/ikev2/tasks/ike_dpd.c sa/ikev2/tasks/ike_dpd.h \
 	sa/ikev2/tasks/ike_init.c sa/ikev2/tasks/ike_init.h \
 	sa/ikev2/tasks/ike_natd.c sa/ikev2/tasks/ike_natd.h \
+	sa/ikev2/tasks/ike_mid_sync.c sa/ikev2/tasks/ike_mid_sync.h \
 	sa/ikev2/tasks/ike_mobike.c sa/ikev2/tasks/ike_mobike.h \
 	sa/ikev2/tasks/ike_rekey.c sa/ikev2/tasks/ike_rekey.h \
 	sa/ikev2/tasks/ike_reauth.c sa/ikev2/tasks/ike_reauth.h \
@@ -503,7 +508,8 @@ am__libcharon_la_SOURCES_DIST = attributes/attributes.c \
 	sa/ikev2/tasks/ike_vendor.h \
 	sa/ikev2/tasks/ike_verify_peer_cert.c \
 	sa/ikev2/tasks/ike_verify_peer_cert.h sa/ikev1/keymat_v1.c \
-	sa/ikev1/keymat_v1.h sa/ikev1/task_manager_v1.c \
+	sa/ikev1/keymat_v1.h sa/ikev1/iv_manager.c \
+	sa/ikev1/iv_manager.h sa/ikev1/task_manager_v1.c \
 	sa/ikev1/task_manager_v1.h \
 	sa/ikev1/authenticators/psk_v1_authenticator.c \
 	sa/ikev1/authenticators/psk_v1_authenticator.h \
@@ -557,6 +563,7 @@ am__dirstamp = $(am__leading_dot)dirstamp
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_dpd.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_init.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_natd.lo \
+ at USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_mid_sync.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_mobike.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_rekey.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_reauth.lo \
@@ -566,6 +573,7 @@ am__dirstamp = $(am__leading_dot)dirstamp
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_vendor.lo \
 @USE_IKEV2_TRUE@	sa/ikev2/tasks/ike_verify_peer_cert.lo
 @USE_IKEV1_TRUE at am__objects_2 = sa/ikev1/keymat_v1.lo \
+ at USE_IKEV1_TRUE@	sa/ikev1/iv_manager.lo \
 @USE_IKEV1_TRUE@	sa/ikev1/task_manager_v1.lo \
 @USE_IKEV1_TRUE@	sa/ikev1/authenticators/psk_v1_authenticator.lo \
 @USE_IKEV1_TRUE@	sa/ikev1/authenticators/pubkey_v1_authenticator.lo \
@@ -733,10 +741,11 @@ ETAGS = etags
 CTAGS = ctags
 DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \
 	plugins/socket_dynamic plugins/socket_win plugins/connmark \
-	plugins/forecast plugins/farp plugins/stroke plugins/vici \
-	plugins/smp plugins/sql plugins/dnscert plugins/ipseckey \
-	plugins/updown plugins/ext_auth plugins/eap_identity \
-	plugins/eap_sim plugins/eap_sim_file plugins/eap_sim_pcsc \
+	plugins/bypass_lan plugins/forecast plugins/farp \
+	plugins/stroke plugins/vici plugins/smp plugins/sql \
+	plugins/dnscert plugins/ipseckey plugins/updown \
+	plugins/ext_auth plugins/eap_identity plugins/eap_sim \
+	plugins/eap_sim_file plugins/eap_sim_pcsc \
 	plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \
 	plugins/eap_simaka_reauth plugins/eap_aka \
 	plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \
@@ -927,7 +936,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -962,6 +970,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -1140,11 +1149,11 @@ libcharon_la_LIBADD =  \
 	$(am__append_37) $(am__append_39) $(am__append_41) \
 	$(am__append_43) $(am__append_45) $(am__append_47) \
 	$(am__append_49) $(am__append_51) $(am__append_53) \
-	$(am__append_54) $(am__append_56) $(am__append_58) \
+	$(am__append_55) $(am__append_56) $(am__append_58) \
 	$(am__append_60) $(am__append_62) $(am__append_64) \
 	$(am__append_66) $(am__append_68) $(am__append_70) \
-	$(am__append_72) $(am__append_73) $(am__append_74) \
-	$(am__append_76) $(am__append_78) $(am__append_79) \
+	$(am__append_72) $(am__append_74) $(am__append_75) \
+	$(am__append_76) $(am__append_78) $(am__append_80) \
 	$(am__append_81) $(am__append_83) $(am__append_85) \
 	$(am__append_87) $(am__append_89) $(am__append_91) \
 	$(am__append_93) $(am__append_95) $(am__append_97) \
@@ -1155,7 +1164,8 @@ libcharon_la_LIBADD =  \
 	$(am__append_123) $(am__append_125) $(am__append_127) \
 	$(am__append_129) $(am__append_131) $(am__append_133) \
 	$(am__append_135) $(am__append_137) $(am__append_139) \
-	$(am__append_141) $(am__append_143) $(am__append_145)
+	$(am__append_141) $(am__append_143) $(am__append_145) \
+	$(am__append_147)
 EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE at SUBDIRS = . $(am__append_6) $(am__append_8) \
 @MONOLITHIC_FALSE@	$(am__append_10) $(am__append_12) \
@@ -1169,12 +1179,12 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_42) $(am__append_44) \
 @MONOLITHIC_FALSE@	$(am__append_46) $(am__append_48) \
 @MONOLITHIC_FALSE@	$(am__append_50) $(am__append_52) \
- at MONOLITHIC_FALSE@	$(am__append_55) $(am__append_57) \
+ at MONOLITHIC_FALSE@	$(am__append_54) $(am__append_57) \
 @MONOLITHIC_FALSE@	$(am__append_59) $(am__append_61) \
 @MONOLITHIC_FALSE@	$(am__append_63) $(am__append_65) \
 @MONOLITHIC_FALSE@	$(am__append_67) $(am__append_69) \
- at MONOLITHIC_FALSE@	$(am__append_71) $(am__append_75) \
- at MONOLITHIC_FALSE@	$(am__append_77) $(am__append_80) \
+ at MONOLITHIC_FALSE@	$(am__append_71) $(am__append_73) \
+ at MONOLITHIC_FALSE@	$(am__append_77) $(am__append_79) \
 @MONOLITHIC_FALSE@	$(am__append_82) $(am__append_84) \
 @MONOLITHIC_FALSE@	$(am__append_86) $(am__append_88) \
 @MONOLITHIC_FALSE@	$(am__append_90) $(am__append_92) \
@@ -1190,7 +1200,8 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_FALSE@	$(am__append_130) $(am__append_132) \
 @MONOLITHIC_FALSE@	$(am__append_134) $(am__append_136) \
 @MONOLITHIC_FALSE@	$(am__append_138) $(am__append_140) \
- at MONOLITHIC_FALSE@	$(am__append_142) $(am__append_144) tests
+ at MONOLITHIC_FALSE@	$(am__append_142) $(am__append_144) \
+ at MONOLITHIC_FALSE@	$(am__append_146) tests
 
 # build optional plugins
 ########################
@@ -1206,12 +1217,12 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_42) $(am__append_44) \
 @MONOLITHIC_TRUE@	$(am__append_46) $(am__append_48) \
 @MONOLITHIC_TRUE@	$(am__append_50) $(am__append_52) \
- at MONOLITHIC_TRUE@	$(am__append_55) $(am__append_57) \
+ at MONOLITHIC_TRUE@	$(am__append_54) $(am__append_57) \
 @MONOLITHIC_TRUE@	$(am__append_59) $(am__append_61) \
 @MONOLITHIC_TRUE@	$(am__append_63) $(am__append_65) \
 @MONOLITHIC_TRUE@	$(am__append_67) $(am__append_69) \
- at MONOLITHIC_TRUE@	$(am__append_71) $(am__append_75) \
- at MONOLITHIC_TRUE@	$(am__append_77) $(am__append_80) \
+ at MONOLITHIC_TRUE@	$(am__append_71) $(am__append_73) \
+ at MONOLITHIC_TRUE@	$(am__append_77) $(am__append_79) \
 @MONOLITHIC_TRUE@	$(am__append_82) $(am__append_84) \
 @MONOLITHIC_TRUE@	$(am__append_86) $(am__append_88) \
 @MONOLITHIC_TRUE@	$(am__append_90) $(am__append_92) \
@@ -1227,7 +1238,8 @@ EXTRA_DIST = Android.mk
 @MONOLITHIC_TRUE@	$(am__append_130) $(am__append_132) \
 @MONOLITHIC_TRUE@	$(am__append_134) $(am__append_136) \
 @MONOLITHIC_TRUE@	$(am__append_138) $(am__append_140) \
- at MONOLITHIC_TRUE@	$(am__append_142) $(am__append_144) . tests
+ at MONOLITHIC_TRUE@	$(am__append_142) $(am__append_144) \
+ at MONOLITHIC_TRUE@	$(am__append_146) . tests
 all: all-recursive
 
 .SUFFIXES:
@@ -1594,6 +1606,8 @@ sa/ikev2/tasks/ike_init.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_natd.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
+sa/ikev2/tasks/ike_mid_sync.lo: sa/ikev2/tasks/$(am__dirstamp) \
+	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_mobike.lo: sa/ikev2/tasks/$(am__dirstamp) \
 	sa/ikev2/tasks/$(DEPDIR)/$(am__dirstamp)
 sa/ikev2/tasks/ike_rekey.lo: sa/ikev2/tasks/$(am__dirstamp) \
@@ -1619,6 +1633,8 @@ sa/ikev1/$(DEPDIR)/$(am__dirstamp):
 	@: > sa/ikev1/$(DEPDIR)/$(am__dirstamp)
 sa/ikev1/keymat_v1.lo: sa/ikev1/$(am__dirstamp) \
 	sa/ikev1/$(DEPDIR)/$(am__dirstamp)
+sa/ikev1/iv_manager.lo: sa/ikev1/$(am__dirstamp) \
+	sa/ikev1/$(DEPDIR)/$(am__dirstamp)
 sa/ikev1/task_manager_v1.lo: sa/ikev1/$(am__dirstamp) \
 	sa/ikev1/$(DEPDIR)/$(am__dirstamp)
 sa/ikev1/authenticators/$(am__dirstamp):
@@ -1824,6 +1840,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at sa/$(DEPDIR)/trap_manager.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/eap/$(DEPDIR)/eap_manager.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/eap/$(DEPDIR)/eap_method.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at sa/ikev1/$(DEPDIR)/iv_manager.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev1/$(DEPDIR)/keymat_v1.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev1/$(DEPDIR)/phase1.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev1/$(DEPDIR)/task_manager_v1.Plo at am__quote@
@@ -1862,6 +1879,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev2/tasks/$(DEPDIR)/ike_dpd.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev2/tasks/$(DEPDIR)/ike_init.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev2/tasks/$(DEPDIR)/ike_me.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at sa/ikev2/tasks/$(DEPDIR)/ike_mid_sync.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev2/tasks/$(DEPDIR)/ike_mobike.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev2/tasks/$(DEPDIR)/ike_natd.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at sa/ikev2/tasks/$(DEPDIR)/ike_reauth.Plo at am__quote@
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index 6b3cea8..f4bba87 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -233,6 +233,7 @@ static inline void unregister_logger(private_bus_t *this, logger_t *logger)
 	enumerator_t *enumerator;
 	linked_list_t *loggers;
 	log_entry_t *entry, *found = NULL;
+	debug_t group;
 
 	loggers = this->loggers[DBG_MAX];
 	enumerator = loggers->create_enumerator(loggers);
@@ -249,17 +250,16 @@ static inline void unregister_logger(private_bus_t *this, logger_t *logger)
 
 	if (found)
 	{
-		level_t level = LEVEL_SILENT, vlevel = LEVEL_SILENT;
-		debug_t group;
-
 		for (group = 0; group < DBG_MAX; group++)
 		{
 			if (found->levels[group] > LEVEL_SILENT)
 			{
+				level_t level = LEVEL_SILENT, vlevel = LEVEL_SILENT;
+
 				loggers = this->loggers[group];
 				loggers->remove(loggers, found, NULL);
-				loggers->find_first(loggers, (linked_list_match_t)find_max_levels, NULL,
-									&group, &level, &vlevel);
+				loggers->find_first(loggers, (linked_list_match_t)find_max_levels,
+									NULL, &group, &level, &vlevel);
 				set_level(&this->max_level[group], level);
 				set_level(&this->max_vlevel[group], vlevel);
 			}
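Review bot: The declaration `level_t level = LEVEL_SILENT, vlevel = LEVEL_SILENT;` now sits inside the `if (found->levels[group] > LEVEL_SILENT)` block, which is what makes every group start from silent again, but nothing in the code says so. A short comment above it, such as `/* reset per group, maxima must not carry over from the previous group */`, would keep a later cleanup from hoisting it back out. find_max_levels is not visible in this diff, so this assumes it only ever raises the two values. unregister_logger() starts and ends outside the hunk.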
diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c
index 6a9c342..3c6dd51 100644
--- a/src/libcharon/config/child_cfg.c
+++ b/src/libcharon/config/child_cfg.c
@@ -249,7 +249,7 @@ METHOD(child_cfg_t, select_proposal, proposal_t*,
 			{
 				proposal->strip_dh(proposal, MODP_NONE);
 			}
-			selected = proposal->select(proposal, match, private);
+			selected = proposal->select(proposal, match, prefer_self, private);
 			if (selected)
 			{
 				DBG2(DBG_CFG, "received proposals: %#P", proposals);
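Review bot: `prefer_self` is passed in the argument position that proposal.c names `other_remote`, which is only correct if `match` is the peer's proposal whenever `prefer_self` is set. The enumerator setup that decides this lies outside the hunk, so a one-line comment at the call, e.g. `/* with prefer_self, match is the remote proposal: take SPI and number from it */`, would keep the two flags from silently drifting apart. The identical call in select_proposal of ike_cfg.c has the same need.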
@@ -306,25 +306,30 @@ METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*,
 	{
 		e1 = this->other_ts->create_enumerator(this->other_ts);
 	}
-	/* In a first step, replace "dynamic" TS with the host list */
+	/* in a first step, replace "dynamic" TS with the host list */
 	while (e1->enumerate(e1, &ts1))
 	{
-		if (hosts && hosts->get_count(hosts) &&
-			ts1->is_dynamic(ts1))
-		{
-			e2 = hosts->create_enumerator(hosts);
-			while (e2->enumerate(e2, &host))
+		if (hosts && hosts->get_count(hosts))
+		{	/* set hosts if TS is dynamic or as initiator in transport mode */
+			bool dynamic = ts1->is_dynamic(ts1);
+			if (dynamic || (this->mode == MODE_TRANSPORT && !this->proxy_mode &&
+							!supplied))
 			{
-				ts2 = ts1->clone(ts1);
-				ts2->set_address(ts2, host);
-				derived->insert_last(derived, ts2);
+				e2 = hosts->create_enumerator(hosts);
+				while (e2->enumerate(e2, &host))
+				{
+					ts2 = ts1->clone(ts1);
+					if (dynamic || !host->is_anyaddr(host))
+					{	/* don't make regular TS larger than they were */
+						ts2->set_address(ts2, host);
+					}
+					derived->insert_last(derived, ts2);
+				}
+				e2->destroy(e2);
+				continue;
 			}
-			e2->destroy(e2);
-		}
-		else
-		{
-			derived->insert_last(derived, ts1->clone(ts1));
 		}
+		derived->insert_last(derived, ts1->clone(ts1));
 	}
 	e1->destroy(e1);
 
diff --git a/src/libcharon/config/ike_cfg.c b/src/libcharon/config/ike_cfg.c
index 7d52ac8..480dd37 100644
--- a/src/libcharon/config/ike_cfg.c
+++ b/src/libcharon/config/ike_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2016 Tobias Brunner
+ * Copyright (C) 2012-2017 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -339,7 +339,7 @@ METHOD(ike_cfg_t, select_proposal, proposal_t*,
 		}
 		while (match_enum->enumerate(match_enum, (void**)&match))
 		{
-			selected = proposal->select(proposal, match, private);
+			selected = proposal->select(proposal, match, prefer_self, private);
 			if (selected)
 			{
 				DBG2(DBG_CFG, "received proposals: %#P", proposals);
@@ -559,6 +559,39 @@ int ike_cfg_get_family(ike_cfg_t *cfg, bool local)
 /**
  * Described in header.
  */
+bool ike_cfg_has_address(ike_cfg_t *cfg, host_t *addr, bool local)
+{
+	private_ike_cfg_t *this = (private_ike_cfg_t*)cfg;
+	enumerator_t *enumerator;
+	host_t *host;
+	char *str;
+	bool found = FALSE;
+
+	if (local)
+	{
+		enumerator = this->my_hosts->create_enumerator(this->my_hosts);
+	}
+	else
+	{
+		enumerator = this->other_hosts->create_enumerator(this->other_hosts);
+	}
+	while (enumerator->enumerate(enumerator, &str))
+	{
+		host = host_create_from_string(str, 0);
+		if (host && addr->ip_equals(addr, host))
+		{
+			found = TRUE;
+			break;
+		}
+		DESTROY_IF(host);
+	}
+	enumerator->destroy(enumerator);
+	return found;
+}
+
+/**
+ * Described in header.
+ */
 ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
 						  char *me, uint16_t my_port,
 						  char *other, uint16_t other_port,
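Review bot: ike_cfg_has_address() leaks the matching `host`, because the `break` in the `if (host && addr->ip_equals(addr, host))` branch skips `DESTROY_IF(host);`, so every positive lookup leaves one host_t allocated. Destroying it before leaving the loop fixes this: add `host->destroy(host);` as the first statement of that branch. The whole function is inside this hunk. Entries for which host_create_from_string() returns NULL are skipped silently; which configured forms that covers is not visible here, and the header comment could state which ones are matched.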
diff --git a/src/libcharon/config/ike_cfg.h b/src/libcharon/config/ike_cfg.h
index afcb772..4d37264 100644
--- a/src/libcharon/config/ike_cfg.h
+++ b/src/libcharon/config/ike_cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2016 Tobias Brunner
+ * Copyright (C) 2012-2017 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -266,4 +266,15 @@ ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
  */
 int ike_cfg_get_family(ike_cfg_t *this, bool local);
 
+/**
+ * Determine if the given address was explicitly configured as local or remote
+ * address.
+ *
+ * @param this				ike config to check
+ * @param addr				address to check
+ * @param local				TRUE to check local addresses, FALSE for remote
+ * @return					TRUE if address was configured
+ */
+bool ike_cfg_has_address(ike_cfg_t *this, host_t *addr, bool local);
+
 #endif /** IKE_CFG_H_ @}*/
diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c
index 6463c7a..5d7ab07 100644
--- a/src/libcharon/config/peer_cfg.c
+++ b/src/libcharon/config/peer_cfg.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2016 Tobias Brunner
+ * Copyright (C) 2007-2017 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * HSR Hochschule fuer Technik Rapperswil
@@ -164,7 +164,7 @@ struct private_peer_cfg_t {
 	/**
 	 * Name of the mediation connection to mediate through
 	 */
-	peer_cfg_t *mediated_by;
+	char *mediated_by;
 
 	/**
 	 * ID of our peer at the mediation server (= leftid of the peer's conn with
@@ -235,6 +235,7 @@ METHOD(enumerator_t, child_cfgs_replace_enumerate, bool,
 		{
 			break;
 		}
+		this->wrapped->destroy(this->wrapped);
 		this->wrapped = this->added->create_enumerator(this->added);
 		this->add = TRUE;
 	}
@@ -579,7 +580,7 @@ METHOD(peer_cfg_t, is_mediation, bool,
 	return this->mediation;
 }
 
-METHOD(peer_cfg_t, get_mediated_by, peer_cfg_t*,
+METHOD(peer_cfg_t, get_mediated_by, char*,
 	private_peer_cfg_t *this)
 {
 	return this->mediated_by;
@@ -682,7 +683,7 @@ METHOD(peer_cfg_t, equals, bool,
 		auth_cfg_equal(this, other)
 #ifdef ME
 		&& this->mediation == other->mediation &&
-		this->mediated_by == other->mediated_by &&
+		streq(this->mediated_by, other->mediated_by) &&
 		(this->peer_id == other->peer_id ||
 		 (this->peer_id && other->peer_id &&
 		  this->peer_id->equals(this->peer_id, other->peer_id)))
@@ -712,8 +713,8 @@ METHOD(peer_cfg_t, destroy, void,
 		this->vips->destroy_offset(this->vips, offsetof(host_t, destroy));
 		this->pools->destroy_function(this->pools, free);
 #ifdef ME
-		DESTROY_IF(this->mediated_by);
 		DESTROY_IF(this->peer_id);
+		free(this->mediated_by);
 #endif /* ME */
 		this->mutex->destroy(this->mutex);
 		free(this->name);
@@ -801,7 +802,7 @@ peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
 		.refcount = 1,
 #ifdef ME
 		.mediation = data->mediation,
-		.mediated_by = data->mediated_by,
+		.mediated_by = strdupnull(data->mediated_by),
 		.peer_id = data->peer_id,
 #endif /* ME */
 	);
diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h
index 8e4d533..b294ae7 100644
--- a/src/libcharon/config/peer_cfg.h
+++ b/src/libcharon/config/peer_cfg.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2016 Tobias Brunner
+ * Copyright (C) 2007-2017 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * HSR Hochschule fuer Technik Rapperswil
@@ -319,14 +319,14 @@ struct peer_cfg_t {
 	 *
 	 * @return				TRUE, if this is a mediation connection
 	 */
-	bool (*is_mediation) (peer_cfg_t *this);
+	bool (*is_mediation)(peer_cfg_t *this);
 
 	/**
-	 * Get peer_cfg of the connection this one is mediated through.
+	 * Get name of the connection this one is mediated through.
 	 *
-	 * @return				the peer_cfg of the mediation connection
+	 * @return				the name of the mediation connection
 	 */
-	peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);
+	char* (*get_mediated_by)(peer_cfg_t *this);
 
 	/**
 	 * Get the id of the other peer at the mediation server.
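Review bot: The new `@return` line for get_mediated_by() does not say who owns the returned string. peer_cfg.c returns `this->mediated_by` directly and frees it in destroy(), so callers get a pointer to internal data that they must not free or keep beyond the peer_cfg's lifetime. Suggested wording: `@return the name of the mediation connection (internal data, do not free)`; declaring the return type `const char*` would enforce the same, if the callers allow it.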
@@ -338,7 +338,7 @@ struct peer_cfg_t {
 	 *
 	 * @return				the id of the other peer
 	 */
-	identification_t* (*get_peer_id) (peer_cfg_t *this);
+	identification_t* (*get_peer_id)(peer_cfg_t *this);
 #endif /* ME */
 
 	/**
@@ -398,8 +398,8 @@ struct peer_cfg_create_t {
 #ifdef ME
 	/** TRUE if this is a mediation connection */
 	bool mediation;
-	/** peer_cfg_t of the mediation connection to mediate through (adopted) */
-	peer_cfg_t *mediated_by;
+	/** peer_cfg_t of the mediation connection to mediate through (cloned) */
+	char *mediated_by;
 	/** ID that identifies our peer at the mediation server (adopted) */
 	identification_t *peer_id;
 #endif /* ME */
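Review bot: The comment on the `mediated_by` member still reads "peer_cfg_t of the mediation connection", although the field is now a `char *` holding a name. Only the ownership word was updated, from "adopted" to "cloned". It should read `/** name of the mediation connection to mediate through (cloned) */`, which matches the `strdupnull()` in peer_cfg_create().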
diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c
index 011c0b8..a2dc113 100644
--- a/src/libcharon/config/proposal.c
+++ b/src/libcharon/config/proposal.c
@@ -273,7 +273,8 @@ static bool select_algo(private_proposal_t *this, proposal_t *other,
 }
 
 METHOD(proposal_t, select_proposal, proposal_t*,
-	private_proposal_t *this, proposal_t *other, bool private)
+	private_proposal_t *this, proposal_t *other, bool other_remote,
+	bool private)
 {
 	proposal_t *selected;
 
@@ -285,7 +286,17 @@ METHOD(proposal_t, select_proposal, proposal_t*,
 		return NULL;
 	}
 
-	selected = proposal_create(this->protocol, other->get_number(other));
+	if (other_remote)
+	{
+		selected = proposal_create(this->protocol, other->get_number(other));
+		selected->set_spi(selected, other->get_spi(other));
+	}
+	else
+	{
+		selected = proposal_create(this->protocol, this->number);
+		selected->set_spi(selected, this->spi);
+
+	}
 
 	if (!select_algo(this, other, selected, ENCRYPTION_ALGORITHM, private) ||
 		!select_algo(this, other, selected, PSEUDO_RANDOM_FUNCTION, private) ||
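Review bot: The `else` branch ends with a stray empty line before its closing brace, and the two branches differ only in where the proposal number and SPI come from. Dropping the blank line is enough. Alternatively the pair can be collapsed by picking number and SPI first and calling `proposal_create()` and `set_spi()` once, which leaves a single creation point to maintain. select_proposal continues outside the hunk.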
@@ -298,7 +309,6 @@ METHOD(proposal_t, select_proposal, proposal_t*,
 	}
 
 	DBG2(DBG_CFG, "  proposal matches");
-	selected->set_spi(selected, other->get_spi(other));
 	return selected;
 }
 
@@ -915,6 +925,8 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 			case ECP_256_BP:
 			case ECP_384_BP:
 			case ECP_512_BP:
+			case CURVE_25519:
+			case CURVE_448:
 			case NTRU_128_BIT:
 			case NTRU_192_BIT:
 			case NTRU_256_BIT:
@@ -956,9 +968,12 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 			case MODP_768_BIT:
 				/* weak */
 				break;
+			case MODP_1024_160:
 			case MODP_2048_224:
+			case MODP_2048_256:
+				/* RFC 5114 primes are of questionable source */
+				break;
 			case MODP_1536_BIT:
-			case MODP_1024_160:
 			case ECP_224_BIT:
 			case ECP_224_BP:
 			case ECP_192_BIT:
@@ -966,7 +981,6 @@ static bool proposal_add_supported_ike(private_proposal_t *this, bool aead)
 				/* rarely used */
 				break;
 			case MODP_2048_BIT:
-			case MODP_2048_256:
 			case MODP_1024_BIT:
 				add_algorithm(this, DIFFIE_HELLMAN_GROUP, group, 0);
 				break;
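Review bot: `MODP_1024_BIT` is still added to the default IKE proposal in the last case group next to `MODP_2048_BIT`, while this change drops the RFC 5114 groups for their provenance and the 768-bit group is already marked `/* weak */`. A 1024-bit MODP group is generally considered below current strength recommendations. Keeping it in the defaults deserves at least a comment giving the interoperability reason, e.g. `/* MODP_1024_BIT kept for legacy peers only */`, or a move to the excluded groups. proposal_add_supported_ike() starts and ends outside this hunk, so the order in which the groups are offered is not visible here.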
diff --git a/src/libcharon/config/proposal.h b/src/libcharon/config/proposal.h
index f9f2778..2bdf345 100644
--- a/src/libcharon/config/proposal.h
+++ b/src/libcharon/config/proposal.h
@@ -1,6 +1,7 @@
 /*
+ * Copyright (C) 2009-2016 Tobias Brunner
  * Copyright (C) 2006 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -124,10 +125,14 @@ struct proposal_t {
 	 * in common, a resulting proposal of this kind is created.
 	 *
 	 * @param other			proposal to compare against
+	 * @param other_remote	whether other is the remote proposal from which to
+	 *						copy SPI and proposal number to the result,
+	 *						otherwise copy from this proposal
 	 * @param private		accepts algorithms allocated in a private range
 	 * @return				selected proposal, NULL if proposals don't match
 	 */
-	proposal_t *(*select) (proposal_t *this, proposal_t *other, bool private);
+	proposal_t *(*select)(proposal_t *this, proposal_t *other,
+						  bool other_remote, bool private);
 
 	/**
 	 * Get the protocol ID of the proposal.
diff --git a/src/libcharon/control/controller.c b/src/libcharon/control/controller.c
index 93ff70b..8e7816b 100644
--- a/src/libcharon/control/controller.c
+++ b/src/libcharon/control/controller.c
@@ -588,7 +588,6 @@ METHOD(controller_t, terminate_ike, status_t,
 		.listener = {
 			.public = {
 				.ike_state_change = _ike_state_change_terminate,
-				.child_state_change = _child_state_change_terminate,
 			},
 			.logger = {
 				.public = {
diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c
index 532d081..eadc10a 100644
--- a/src/libcharon/daemon.c
+++ b/src/libcharon/daemon.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2016 Tobias Brunner
+ * Copyright (C) 2006-2017 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -87,6 +87,16 @@ struct private_daemon_t {
 	linked_list_t *loggers;
 
 	/**
+	 * Cached log levels for default loggers
+	 */
+	level_t *levels;
+
+	/**
+	 * Whether to log to stdout/err by default
+	 */
+	bool to_stderr;
+
+	/**
 	 * Identifier used for syslog (in the openlog call)
 	 */
 	char *syslog_identifier;
@@ -532,7 +542,7 @@ static void load_custom_logger(private_daemon_t *this,
 }
 
 METHOD(daemon_t, load_loggers, void,
-	private_daemon_t *this, level_t levels[DBG_MAX], bool to_stderr)
+	private_daemon_t *this)
 {
 	enumerator_t *enumerator;
 	linked_list_t *current_loggers;
@@ -564,7 +574,7 @@ METHOD(daemon_t, load_loggers, void,
 		load_custom_logger(this, &custom_loggers[i], current_loggers);
 	}
 
-	if (!this->loggers->get_count(this->loggers) && levels)
+	if (!this->loggers->get_count(this->loggers) && this->levels)
 	{	/* setup legacy style default loggers configured via command-line */
 		file_logger_t *file_logger;
 		sys_logger_t *sys_logger;
@@ -578,11 +588,11 @@ METHOD(daemon_t, load_loggers, void,
 		{
 			if (sys_logger)
 			{
-				sys_logger->set_level(sys_logger, group, levels[group]);
+				sys_logger->set_level(sys_logger, group, this->levels[group]);
 			}
-			if (to_stderr)
+			if (this->to_stderr)
 			{
-				file_logger->set_level(file_logger, group, levels[group]);
+				file_logger->set_level(file_logger, group, this->levels[group]);
 			}
 		}
 		if (sys_logger)
@@ -604,13 +614,39 @@ METHOD(daemon_t, load_loggers, void,
 	this->mutex->unlock(this->mutex);
 }
 
+METHOD(daemon_t, set_default_loggers, void,
+	private_daemon_t *this, level_t levels[DBG_MAX], bool to_stderr)
+{
+	debug_t group;
+
+	this->mutex->lock(this->mutex);
+	if (!levels)
+	{
+		free(this->levels);
+		this->levels = NULL;
+	}
+	else
+	{
+		if (!this->levels)
+		{
+			this->levels = calloc(sizeof(level_t), DBG_MAX);
+		}
+		for (group = 0; group < DBG_MAX; group++)
+		{
+			this->levels[group] = levels[group];
+		}
+		this->to_stderr = to_stderr;
+	}
+	this->mutex->unlock(this->mutex);
+}
+
 METHOD(daemon_t, set_level, void,
 	private_daemon_t *this, debug_t group, level_t level)
 {
 	enumerator_t *enumerator;
 	logger_entry_t *entry;
 
-	/* we set the loglevel on ALL sys- and file-loggers */
+	/* we set the loglevel on ALL loggers */
 	this->mutex->lock(this->mutex);
 	enumerator = this->loggers->create_enumerator(this->loggers);
 	while (enumerator->enumerate(enumerator, &entry))
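Review bot: The result of `calloc(sizeof(level_t), DBG_MAX)` in set_default_loggers() is used unchecked, so a failed allocation makes the copy loop write through a NULL `this->levels` while the mutex is held. The arguments are also in the reverse of the usual (count, size) order. Suggested: `this->levels = calloc(DBG_MAX, sizeof(level_t));` followed by `if (!this->levels) { this->mutex->unlock(this->mutex); return; }`. set_level() below the new method continues outside the hunk.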
@@ -694,6 +730,7 @@ static void destroy(private_daemon_t *this)
 	DESTROY_IF(this->public.bus);
 	this->loggers->destroy_function(this->loggers, (void*)logger_entry_destroy);
 	this->mutex->destroy(this->mutex);
+	free(this->levels);
 	free(this);
 }
 
@@ -879,6 +916,7 @@ private_daemon_t *daemon_create()
 			.initialize = _initialize,
 			.start = _start,
 			.load_loggers = _load_loggers,
+			.set_default_loggers = _set_default_loggers,
 			.set_level = _set_level,
 			.bus = bus_create(),
 		},
diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h
index 48b9c7e..a37a314 100644
--- a/src/libcharon/daemon.h
+++ b/src/libcharon/daemon.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2012 Tobias Brunner
+ * Copyright (C) 2006-2017 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
  * Copyright (C) 2005 Jan Hutter
@@ -169,7 +169,7 @@
  * IKE_SA.
  *
  * The controller, credential_manager, bus and backend_manager (config) are
- * places where a plugin ca register itself to privide information or observe
+ * places where a plugin ca register itself to provide information or observe
  * and control the daemon.
  */
 
@@ -338,17 +338,27 @@ struct daemon_t {
 	/**
 	 * Load/Reload loggers defined in strongswan.conf
 	 *
-	 * @param levels	optional debug levels used to create default loggers
-	 * 					if none are defined in strongswan.conf
+	 * If none are defined in strongswan.conf default loggers configured via
+	 * set_default_loggers() are loaded.
+	 */
+	void (*load_loggers)(daemon_t *this);
+
+	/**
+	 * Configure default loggers if none are defined in strongswan.conf
+	 *
+	 * @param levels	debug levels used to create default loggers if none are
+	 *					defined in strongswan.conf (NULL to disable)
 	 * @param to_stderr	TRUE to log to stderr/stdout if no loggers are defined
-	 * 					in strongswan.conf
+	 * 					in strongswan.conf (logging to syslog is always enabled)
 	 */
-	void (*load_loggers)(daemon_t *this, level_t levels[DBG_MAX],
-						 bool to_stderr);
+	void (*set_default_loggers)(daemon_t *this, level_t levels[DBG_MAX],
+								bool to_stderr);
 
 	/**
-	 * Set the log level for the given log group for all configured file-,
-	 * syslog and custom-loggers.
+	 * Set the log level for the given log group for all loaded loggers.
+	 *
+	 * This change is not persistent and gets reset if loggers are reloaded
+	 * via load_loggers().
 	 *
 	 * @param group		log group
 	 * @param level		log level
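Review bot: The comment for set_default_loggers() does not say that the `levels` array is copied, nor that the new defaults only take effect on the next load_loggers() call. daemon.c copies the values into its own buffer and only reads them in load_loggers(), so the caller keeps ownership of its array. Adding `(copied)` to the `@param levels` line and a sentence such as `Takes effect the next time load_loggers() is called.` would make both explicit.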
diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c
index 7b39a02..ea5af9e 100644
--- a/src/libcharon/kernel/kernel_interface.c
+++ b/src/libcharon/kernel/kernel_interface.c
@@ -554,6 +554,16 @@ METHOD(kernel_interface_t, create_address_enumerator, enumerator_t*,
 	return this->net->create_address_enumerator(this->net, which);
 }
 
+METHOD(kernel_interface_t, create_local_subnet_enumerator, enumerator_t*,
+	private_kernel_interface_t *this)
+{
+	if (!this->net || !this->net->create_local_subnet_enumerator)
+	{
+		return enumerator_create_empty();
+	}
+	return this->net->create_local_subnet_enumerator(this->net);
+}
+
 METHOD(kernel_interface_t, add_ip, status_t,
 	private_kernel_interface_t *this, host_t *virtual_ip, int prefix,
 	char *iface)
@@ -1005,6 +1015,7 @@ kernel_interface_t *kernel_interface_create()
 			.get_nexthop = _get_nexthop,
 			.get_interface = _get_interface,
 			.create_address_enumerator = _create_address_enumerator,
+			.create_local_subnet_enumerator = _create_local_subnet_enumerator,
 			.add_ip = _add_ip,
 			.del_ip = _del_ip,
 			.add_route = _add_route,
diff --git a/src/libcharon/kernel/kernel_interface.h b/src/libcharon/kernel/kernel_interface.h
index 225b409..d601ebd 100644
--- a/src/libcharon/kernel/kernel_interface.h
+++ b/src/libcharon/kernel/kernel_interface.h
@@ -57,6 +57,12 @@ typedef enum kernel_feature_t kernel_feature_t;
 #include <kernel/kernel_net.h>
 
 /**
+ * Default range for SPIs requested from kernels
+ */
+#define KERNEL_SPI_MIN 0xc0000000
+#define KERNEL_SPI_MAX 0xcfffffff
+
+/**
  * Bitfield of optional features a kernel backend supports.
  *
  * This feature-set is for both, kernel_ipsec_t and kernel_net_t. Each
@@ -316,6 +322,17 @@ struct kernel_interface_t {
 												kernel_address_type_t which);
 
 	/**
+	 * Creates an enumerator over all local subnets.
+	 *
+	 * Local subnets are subnets the host is directly connected to.
+	 *
+	 * The enumerator returns the network, subnet mask and interface.
+	 *
+	 * @return				enumerator over host_t*, uint8_t, char*
+	 */
+	enumerator_t *(*create_local_subnet_enumerator)(kernel_interface_t *this);
+
+	/**
 	 * Add a virtual IP to an interface.
 	 *
 	 * Virtual IPs are attached to an interface. If an IP is added multiple
diff --git a/src/libcharon/kernel/kernel_net.h b/src/libcharon/kernel/kernel_net.h
index 1d78d6e..12475b1 100644
--- a/src/libcharon/kernel/kernel_net.h
+++ b/src/libcharon/kernel/kernel_net.h
@@ -119,6 +119,17 @@ struct kernel_net_t {
 												kernel_address_type_t which);
 
 	/**
+	 * Creates an enumerator over all local subnets.
+	 *
+	 * Local subnets are subnets the host is directly connected to.
+	 *
+	 * The enumerator returns the network, subnet mask and interface.
+	 *
+	 * @return				enumerator over host_t*, uint8_t, char*
+	 */
+	enumerator_t *(*create_local_subnet_enumerator)(kernel_net_t *this);
+
+	/**
 	 * Add a virtual IP to an interface.
 	 *
 	 * Virtual IPs are attached to an interface. If an IP is added multiple
diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in
index 7917d45..f5dfc14 100644
--- a/src/libcharon/plugins/addrblock/Makefile.in
+++ b/src/libcharon/plugins/addrblock/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/addrblock/addrblock_narrow.c b/src/libcharon/plugins/addrblock/addrblock_narrow.c
index f85fa78..3b3b72f 100644
--- a/src/libcharon/plugins/addrblock/addrblock_narrow.c
+++ b/src/libcharon/plugins/addrblock/addrblock_narrow.c
@@ -33,17 +33,15 @@ struct private_addrblock_narrow_t {
 	addrblock_narrow_t public;
 };
 
-/**
- * Check if the negotiated TS list is acceptable by X509 ipAddrBlock constraints
- */
-static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list)
+static void narrow_addrblock(private_addrblock_narrow_t *this, ike_sa_t *ike_sa,
+							 linked_list_t *list)
 {
-	auth_cfg_t *auth;
-	enumerator_t *auth_enum;
 	certificate_t *cert = NULL;
+	enumerator_t *enumerator;
+	auth_cfg_t *auth;
 
-	auth_enum = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
-	while (auth_enum->enumerate(auth_enum, &auth))
+	enumerator = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
+	while (enumerator->enumerate(enumerator, &auth))
 	{
 		cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
 		if (cert)
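Review bot: narrow_addrblock() replaces check_constraints() without a header comment, although the contract changed: it no longer returns a verdict and instead rewrites `list` in place. A comment above the definition would document that, e.g. `/* Narrow the TS list to the subsets permitted by the peer certificate's RFC 3779 ipAddrBlock constraints, dropping TS without any overlap */`. The `this` parameter is not used anywhere in the visible body. The function continues in the following hunks.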
@@ -51,7 +49,7 @@ static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list)
 			break;
 		}
 	}
-	auth_enum->destroy(auth_enum);
+	enumerator->destroy(enumerator);
 
 	if (cert && cert->get_type(cert) == CERT_X509)
 	{
@@ -59,54 +57,45 @@ static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list)
 
 		if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
 		{
-			enumerator_t *enumerator, *block_enum;
-			traffic_selector_t *ts, *block_ts;
+			traffic_selector_t *ts, *block, *subset;
+			linked_list_t *original;
+
+			original = linked_list_create();
+			while (list->remove_last(list, (void**)&ts) == SUCCESS)
+			{
+				original->insert_first(original, ts);
+			}
 
 			DBG1(DBG_IKE, "checking certificate-based traffic selector "
-						  "constraints [RFC 3779]");
-			enumerator = list->create_enumerator(list);
-			while (enumerator->enumerate(enumerator, &ts))
+				 "constraints [RFC 3779]");
+			while (original->remove_first(original, (void**)&ts) == SUCCESS)
 			{
 				bool contained = FALSE;
 
-				block_enum = x509->create_ipAddrBlock_enumerator(x509);
-				while (block_enum->enumerate(block_enum, &block_ts))
+				enumerator = x509->create_ipAddrBlock_enumerator(x509);
+				while (enumerator->enumerate(enumerator, &block))
 				{
-					if (ts->is_contained_in(ts, block_ts))
+					subset = ts->get_subset(ts, block);
+					if (subset)
 					{
 						DBG1(DBG_IKE, "  TS %R is contained in address block"
-									  " constraint %R", ts, block_ts);
+							 " constraint %R (subset %R)", ts, block, subset);
+						list->insert_last(list, subset);
 						contained = TRUE;
-						break;
 					}
 				}
-				block_enum->destroy(block_enum);
+				enumerator->destroy(enumerator);
 
 				if (!contained)
 				{
 					DBG1(DBG_IKE, "  TS %R is not contained in any"
-								  " address block constraint", ts);
-					enumerator->destroy(enumerator);
-					return FALSE;
+						 " address block constraint", ts);
 				}
+				ts->destroy(ts);
 			}
-			enumerator->destroy(enumerator);
+			original->destroy(original);
 		}
 	}
-	return TRUE;
-}
-
-/**
- * Delete all traffic selectors in a list
- */
-static void flush_ts_list(linked_list_t *list)
-{
-	traffic_selector_t *ts;
-
-	while (list->remove_last(list, (void**)&ts) == SUCCESS)
-	{
-		ts->destroy(ts);
-	}
 }
 
 METHOD(listener_t, narrow, bool,
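Review bot: The message "TS %R is contained in address block constraint %R (subset %R)" is now logged whenever `ts->get_subset(ts, block)` returns something, which presumably includes a partial overlap, so the log can claim containment for a selector that was in fact cut down. Wording such as `"  TS %R overlaps address block constraint %R, narrowed to %R"` describes what the code does and keeps the narrowing visible to whoever audits the log. Because the inner loop no longer breaks on the first match, a selector that overlaps several blocks adds one subset per block. If the certificate's blocks can overlap each other, that yields overlapping entries in `list`.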
@@ -116,13 +105,10 @@ METHOD(listener_t, narrow, bool,
 	switch (type)
 	{
 		case NARROW_RESPONDER:
+		case NARROW_INITIATOR_PRE_AUTH:
 		case NARROW_INITIATOR_POST_AUTH:
 		case NARROW_INITIATOR_POST_NOAUTH:
-			if (!check_constraints(ike_sa, remote))
-			{
-				flush_ts_list(local);
-				flush_ts_list(remote);
-			}
+			narrow_addrblock(this, ike_sa, remote);
 			break;
 		default:
 			break;
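Review bot: The explicit reject path is gone: a selector outside the certificate's address blocks used to flush both `local` and `remote`, whereas now only `remote` is narrowed and `local` is never touched. The enforcement therefore depends on the caller treating an empty `remote` list as a failed negotiation, which is not visible in this diff. A comment at the call would record that assumption, e.g. `/* an empty remote TS list makes the negotiation fail */`. It is also worth confirming that the peer certificate is already available for the added `NARROW_INITIATOR_PRE_AUTH` case, since narrow_addrblock() does nothing when no certificate is found.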
diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c
index 372c978..d16a117 100644
--- a/src/libcharon/plugins/addrblock/addrblock_validator.c
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.c
@@ -30,12 +30,18 @@ struct private_addrblock_validator_t {
 	 * Public addrblock_validator_t interface.
 	 */
 	addrblock_validator_t public;
+
+	/**
+	 * Whether to reject subject certificates not having a addrBlock extension
+	 */
+	bool strict;
 };
 
 /**
  * Do the addrblock check for two x509 plugins
  */
-static bool check_addrblock(x509_t *subject, x509_t *issuer)
+static bool check_addrblock(private_addrblock_validator_t *this,
+							x509_t *subject, x509_t *issuer)
 {
 	bool subject_const, issuer_const, contained = TRUE;
 	enumerator_t *subject_enumerator, *issuer_enumerator;
@@ -51,7 +57,7 @@ static bool check_addrblock(x509_t *subject, x509_t *issuer)
 	if (!subject_const)
 	{
 		DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
-		return FALSE;
+		return !this->strict;
 	}
 	if (!issuer_const)
 	{
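Review bot: With `return !this->strict;` the message "subject certficate lacks ipAddrBlocks extension" is logged identically whether the certificate is then accepted or rejected, so the log no longer shows the outcome of the check. Logging the decision in the non-strict case, e.g. `DBG1(DBG_CFG, "accepting subject without ipAddrBlocks, strict mode disabled");`, would keep the relaxed path auditable. The member comment in the first hunk also reads "a addrBlock extension", which should be "an". check_addrblock() starts and ends outside this hunk.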
@@ -94,7 +100,7 @@ METHOD(cert_validator_t, validate, bool,
 	if (subject->get_type(subject) == CERT_X509 &&
 		issuer->get_type(issuer) == CERT_X509)
 	{
-		if (!check_addrblock((x509_t*)subject, (x509_t*)issuer))
+		if (!check_addrblock(this, (x509_t*)subject, (x509_t*)issuer))
 		{
 			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
 									subject);
@@ -124,6 +130,8 @@ addrblock_validator_t *addrblock_validator_create()
 			},
 			.destroy = _destroy,
 		},
+		.strict = lib->settings->get_bool(lib->settings,
+						"%s.plugins.addrblock.strict", TRUE, lib->ns),
 	);
 
 	return &this->public;
diff --git a/src/libcharon/plugins/android_dns/Makefile.in b/src/libcharon/plugins/android_dns/Makefile.in
index 3560d36..d79c753 100644
--- a/src/libcharon/plugins/android_dns/Makefile.in
+++ b/src/libcharon/plugins/android_dns/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/android_log/Makefile.in b/src/libcharon/plugins/android_log/Makefile.in
index 9d3f2f5..65cdcff 100644
--- a/src/libcharon/plugins/android_log/Makefile.in
+++ b/src/libcharon/plugins/android_log/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/attr/Makefile.in b/src/libcharon/plugins/attr/Makefile.in
index 4b900d1..217a42a 100644
--- a/src/libcharon/plugins/attr/Makefile.in
+++ b/src/libcharon/plugins/attr/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/attr_sql/Makefile.in b/src/libcharon/plugins/attr_sql/Makefile.in
index 077e2f3..668e23f 100644
--- a/src/libcharon/plugins/attr_sql/Makefile.in
+++ b/src/libcharon/plugins/attr_sql/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/bypass_lan/Makefile.am b/src/libcharon/plugins/bypass_lan/Makefile.am
new file mode 100644
index 0000000..c1313f6
--- /dev/null
+++ b/src/libcharon/plugins/bypass_lan/Makefile.am
@@ -0,0 +1,18 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-bypass-lan.la
+else
+plugin_LTLIBRARIES = libstrongswan-bypass-lan.la
+endif
+
+libstrongswan_bypass_lan_la_SOURCES = \
+	bypass_lan_plugin.h bypass_lan_plugin.c \
+	bypass_lan_listener.h bypass_lan_listener.c
+
+libstrongswan_bypass_lan_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/bypass_lan/Makefile.in b/src/libcharon/plugins/bypass_lan/Makefile.in
new file mode 100644
index 0000000..9f1dc71
--- /dev/null
+++ b/src/libcharon/plugins/bypass_lan/Makefile.in
@@ -0,0 +1,795 @@
+# Makefile.in generated by automake 1.15 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+ at SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libcharon/plugins/bypass_lan
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_bypass_lan_la_LIBADD =
+am_libstrongswan_bypass_lan_la_OBJECTS = bypass_lan_plugin.lo \
+	bypass_lan_listener.lo
+libstrongswan_bypass_lan_la_OBJECTS =  \
+	$(am_libstrongswan_bypass_lan_la_OBJECTS)
+AM_V_lt = $(am__v_lt_ at AM_V@)
+am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+libstrongswan_bypass_lan_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_bypass_lan_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+ at MONOLITHIC_FALSE@am_libstrongswan_bypass_lan_la_rpath = -rpath \
+ at MONOLITHIC_FALSE@	$(plugindir)
+ at MONOLITHIC_TRUE@am_libstrongswan_bypass_lan_la_rpath =
+AM_V_P = $(am__v_P_ at AM_V@)
+am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_ at AM_V@)
+am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_ at AM_V@)
+am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_ at AM_V@)
+am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libstrongswan_bypass_lan_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_bypass_lan_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+ATOMICLIB = @ATOMICLIB@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+runstatedir = @runstatedir@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+ at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-bypass-lan.la
+ at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-bypass-lan.la
+libstrongswan_bypass_lan_la_SOURCES = \
+	bypass_lan_plugin.h bypass_lan_plugin.c \
+	bypass_lan_listener.h bypass_lan_listener.c
+
+libstrongswan_bypass_lan_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/bypass_lan/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libcharon/plugins/bypass_lan/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+libstrongswan-bypass-lan.la: $(libstrongswan_bypass_lan_la_OBJECTS) $(libstrongswan_bypass_lan_la_DEPENDENCIES) $(EXTRA_libstrongswan_bypass_lan_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_bypass_lan_la_LINK) $(am_libstrongswan_bypass_lan_la_rpath) $(libstrongswan_bypass_lan_la_OBJECTS) $(libstrongswan_bypass_lan_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/bypass_lan_listener.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/bypass_lan_plugin.Plo at am__quote@
+
+.c.o:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+ at am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-pluginLTLIBRARIES install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-pluginLTLIBRARIES
+
+.PRECIOUS: Makefile
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
new file mode 100644
index 0000000..e690028
--- /dev/null
+++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.c
@@ -0,0 +1,295 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bypass_lan_listener.h"
+
+#include <collections/hashtable.h>
+#include <collections/linked_list.h>
+#include <threading/mutex.h>
+#include <processing/jobs/callback_job.h>
+
+#include <daemon.h>
+
+typedef struct private_bypass_lan_listener_t private_bypass_lan_listener_t;
+
+/**
+ * Private data
+ */
+struct private_bypass_lan_listener_t {
+
+	/**
+	 * Public interface.
+	 */
+	bypass_lan_listener_t public;
+
+	/**
+	 * Currently installed bypass policies, bypass_policy_t*.
+	 */
+	hashtable_t *policies;
+
+	/**
+	 * Mutex to access list of policies.
+	 */
+	mutex_t *mutex;
+
+	/**
+	 * List of interface names to include or exclude (char*), NULL if interfaces
+	 * are not filtered.
+	 */
+	linked_list_t *ifaces_filter;
+
+	/**
+	 * TRUE to exclude interfaces listed in ifaces_filter, FALSE to consider
+	 * only those listed there.
+	 */
+	bool ifaces_exclude;
+};
+
+/**
+ * Data for bypass policies
+ */
+typedef struct {
+	private_bypass_lan_listener_t *listener;
+	host_t *net;
+	uint8_t mask;
+	child_cfg_t *cfg;
+} bypass_policy_t;
+
+/**
+ * Destroy a bypass policy
+ */
+static void bypass_policy_destroy(bypass_policy_t *this)
+{
+	traffic_selector_t *ts;
+
+	if (this->cfg)
+	{
+		ts = traffic_selector_create_from_subnet(this->net->clone(this->net),
+												 this->mask, 0, 0, 65535);
+		DBG1(DBG_IKE, "uninstalling bypass policy for %R", ts);
+		charon->shunts->uninstall(charon->shunts, "bypass-lan",
+								  this->cfg->get_name(this->cfg));
+		this->cfg->destroy(this->cfg);
+		ts->destroy(ts);
+	}
+	this->net->destroy(this->net);
+	free(this);
+}
+
+/**
+ * Hash a bypass policy
+ */
+static u_int policy_hash(bypass_policy_t *policy)
+{
+	return chunk_hash_inc(policy->net->get_address(policy->net),
+						  chunk_hash(chunk_from_thing(policy->mask)));
+}
+
+/**
+ * Compare bypass policy
+ */
+static bool policy_equals(bypass_policy_t *a, bypass_policy_t *b)
+{
+	return a->mask == b->mask && a->net->equals(a->net, b->net);
+}
+
+/**
+ * Check if an interface should be considered
+ */
+static bool consider_interface(private_bypass_lan_listener_t *this, char *iface)
+{
+	status_t expected;
+
+	if (!iface || !this->ifaces_filter)
+	{
+		return TRUE;
+	}
+	expected = this->ifaces_exclude ? NOT_FOUND : SUCCESS;
+	return this->ifaces_filter->find_first(this->ifaces_filter, (void*)streq,
+										   NULL, iface) == expected;
+}
+
+/**
+ * Job updating bypass policies
+ */
+static job_requeue_t update_bypass(private_bypass_lan_listener_t *this)
+{
+	enumerator_t *enumerator;
+	hashtable_t *seen;
+	bypass_policy_t *found, *lookup;
+	host_t *net;
+	uint8_t mask;
+	char *iface;
+
+	seen = hashtable_create((hashtable_hash_t)policy_hash,
+							(hashtable_equals_t)policy_equals, 4);
+
+	this->mutex->lock(this->mutex);
+
+	enumerator = charon->kernel->create_local_subnet_enumerator(charon->kernel);
+	while (enumerator->enumerate(enumerator, &net, &mask, &iface))
+	{
+		if (!consider_interface(this, iface))
+		{
+			continue;
+		}
+
+		INIT(lookup,
+			.net = net->clone(net),
+			.mask = mask,
+		);
+		found = seen->put(seen, lookup, lookup);
+		if (found)
+		{	/* in case the same subnet is on multiple interfaces */
+			bypass_policy_destroy(found);
+		}
+
+		found = this->policies->get(this->policies, lookup);
+		if (!found)
+		{
+			child_cfg_create_t child = {
+				.mode = MODE_PASS,
+			};
+			child_cfg_t *cfg;
+			traffic_selector_t *ts;
+			char name[128];
+
+			ts = traffic_selector_create_from_subnet(net->clone(net), mask,
+													 0, 0, 65535);
+			snprintf(name, sizeof(name), "Bypass LAN %R", ts);
+
+			cfg = child_cfg_create(name, &child);
+			cfg->add_traffic_selector(cfg, FALSE, ts->clone(ts));
+			cfg->add_traffic_selector(cfg, TRUE, ts);
+			charon->shunts->install(charon->shunts, "bypass-lan", cfg);
+			DBG1(DBG_IKE, "installed bypass policy for %R", ts);
+
+			INIT(found,
+				.net = net->clone(net),
+				.mask = mask,
+				.cfg = cfg,
+			);
+			this->policies->put(this->policies, found, found);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	enumerator = this->policies->create_enumerator(this->policies);
+	while (enumerator->enumerate(enumerator, NULL, &lookup))
+	{
+		if (!seen->get(seen, lookup))
+		{
+			this->policies->remove_at(this->policies, enumerator);
+			bypass_policy_destroy(lookup);
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->mutex->unlock(this->mutex);
+
+	seen->destroy_function(seen, (void*)bypass_policy_destroy);
+	return JOB_REQUEUE_NONE;
+}
+
+METHOD(kernel_listener_t, roam, bool,
+	private_bypass_lan_listener_t *this, bool address)
+{
+	lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
+									NULL, (callback_job_cancel_t)return_false));
+	return TRUE;
+}
+
+METHOD(bypass_lan_listener_t, reload_interfaces, void,
+	private_bypass_lan_listener_t *this)
+{
+	char *ifaces;
+
+	this->mutex->lock(this->mutex);
+	DESTROY_FUNCTION_IF(this->ifaces_filter, (void*)free);
+	this->ifaces_filter = NULL;
+	this->ifaces_exclude = FALSE;
+
+	ifaces = lib->settings->get_str(lib->settings,
+					"%s.plugins.bypass-lan.interfaces_use", NULL, lib->ns);
+	if (!ifaces)
+	{
+		this->ifaces_exclude = TRUE;
+		ifaces = lib->settings->get_str(lib->settings,
+					"%s.plugins.bypass-lan.interfaces_ignore", NULL, lib->ns);
+	}
+	if (ifaces)
+	{
+		enumerator_t *enumerator;
+		char *iface;
+
+		enumerator = enumerator_create_token(ifaces, ",", " ");
+		while (enumerator->enumerate(enumerator, &iface))
+		{
+			if (!this->ifaces_filter)
+			{
+				this->ifaces_filter = linked_list_create();
+			}
+			this->ifaces_filter->insert_last(this->ifaces_filter,
+											 strdup(iface));
+		}
+		enumerator->destroy(enumerator);
+	}
+	this->mutex->unlock(this->mutex);
+	lib->processor->queue_job(lib->processor,
+			(job_t*)callback_job_create((callback_job_cb_t)update_bypass, this,
+									NULL, (callback_job_cancel_t)return_false));
+}
+
+METHOD(bypass_lan_listener_t, destroy, void,
+	private_bypass_lan_listener_t *this)
+{
+	enumerator_t *enumerator;
+	bypass_policy_t *policy;
+
+	enumerator = this->policies->create_enumerator(this->policies);
+	while (enumerator->enumerate(enumerator, NULL, &policy))
+	{
+		bypass_policy_destroy(policy);
+	}
+	enumerator->destroy(enumerator);
+	DESTROY_FUNCTION_IF(this->ifaces_filter, (void*)free);
+	this->policies->destroy(this->policies);
+	this->mutex->destroy(this->mutex);
+	free(this);
+}
+
+/*
+ * See header
+ */
+bypass_lan_listener_t *bypass_lan_listener_create()
+{
+	private_bypass_lan_listener_t *this;
+
+	INIT(this,
+		.public = {
+			.listener = {
+				.roam = _roam,
+			},
+			.reload_interfaces = _reload_interfaces,
+			.destroy = _destroy,
+		},
+		.policies = hashtable_create((hashtable_hash_t)policy_hash,
+									 (hashtable_equals_t)policy_equals, 4),
+		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+	);
+
+	reload_interfaces(this);
+	return &this->public;
+}
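Review bot: In update_bypass() every subnet returned by create_local_subnet_enumerator() is turned into a MODE_PASS shunt with no lower bound on `mask`; the only filter applied is consider_interface(). The prefix comes from local interface configuration, which on an untrusted network is chosen by that network, so a very short prefix would exempt a correspondingly large address range from IPsec. I would state this above the `child_cfg_create_t child` block, e.g. `/* pass policy exempts the whole subnet from IPsec; its scope is whatever the interface is configured with, restrict via interfaces_use */`, and consider skipping prefixes shorter than a configurable minimum. Separately, the result of `charon->shunts->install()` is ignored, so "installed bypass policy" is logged and the entry is stored in `this->policies` even when installation did not succeed (assuming install reports failure through its return value), and later roam events will not retry it.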
diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_listener.h b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.h
new file mode 100644
index 0000000..737230d
--- /dev/null
+++ b/src/libcharon/plugins/bypass_lan/bypass_lan_listener.h
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bypass_lan_listener bypass_lan_listener
+ * @{ @ingroup bypass_lan
+ */
+
+#ifndef BYPASS_LAN_LISTENER_H_
+#define BYPASS_LAN_LISTENER_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct bypass_lan_listener_t bypass_lan_listener_t;
+
+/**
+ * Listener to install bypass policies
+ */
+struct bypass_lan_listener_t {
+
+	/**
+	 * Implements kernel_listener_t interface.
+	 */
+	kernel_listener_t listener;
+
+	/**
+	 * Reload ignored/used interface names from config.
+	 */
+	void (*reload_interfaces)(bypass_lan_listener_t *this);
+
+	/**
+	 * Destroy a bypass_lan_listener_t.
+	 */
+	void (*destroy)(bypass_lan_listener_t *this);
+};
+
+/**
+ * Create a bypass_lan_listener instance.
+ */
+bypass_lan_listener_t *bypass_lan_listener_create();
+
+#endif /** BYPASS_LAN_LISTENER_H_ @}*/
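Review bot: The comment on `reload_interfaces` does not tell callers that the reload is asynchronous. The visible end of the implementation in bypass_lan_listener.c fills the interface filter under the mutex and then only queues a callback job, so the installed bypass policies can still reflect the old configuration when the call returns. Suggested wording: `Reload ignored/used interface names from config; installed policies are updated by a queued job, not before this call returns.` Separately, `bypass_lan_listener_create()` is declared with empty parentheses, which in C leaves the parameters unspecified; `bypass_lan_listener_create(void)` would let the compiler reject stray arguments.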
diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_plugin.c b/src/libcharon/plugins/bypass_lan/bypass_lan_plugin.c
new file mode 100644
index 0000000..ccc05f0
--- /dev/null
+++ b/src/libcharon/plugins/bypass_lan/bypass_lan_plugin.c
@@ -0,0 +1,109 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "bypass_lan_plugin.h"
+#include "bypass_lan_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_bypass_lan_plugin_t private_bypass_lan_plugin_t;
+
+/**
+ * Private data
+ */
+struct private_bypass_lan_plugin_t {
+
+	/**
+	 * Public interface
+	 */
+	bypass_lan_plugin_t public;
+
+	/**
+	 * Listener installing bypass policies
+	 */
+	bypass_lan_listener_t *listener;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_bypass_lan_plugin_t *this)
+{
+	return "bypass-lan";
+}
+
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_bypass_lan_plugin_t *this,
+					  plugin_feature_t *feature, bool reg, void *cb_data)
+{
+	if (reg)
+	{
+		charon->kernel->add_listener(charon->kernel,
+									 &this->listener->listener);
+	}
+	else
+	{
+		charon->kernel->remove_listener(charon->kernel,
+										&this->listener->listener);
+	}
+	return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+	private_bypass_lan_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+			PLUGIN_PROVIDE(CUSTOM, "bypass-lan"),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, reload, bool,
+	private_bypass_lan_plugin_t *this)
+{
+	this->listener->reload_interfaces(this->listener);
+	return TRUE;
+}
+
+METHOD(plugin_t, destroy, void,
+	private_bypass_lan_plugin_t *this)
+{
+	this->listener->destroy(this->listener);
+	free(this);
+}
+
+/**
+ * Plugin constructor
+ */
+plugin_t *bypass_lan_plugin_create()
+{
+	private_bypass_lan_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.reload = _reload,
+				.destroy = _destroy,
+			},
+		},
+		.listener = bypass_lan_listener_create(),
+	);
+
+	return &this->public.plugin;
+}
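Review bot: `destroy()` frees the listener unconditionally, yet nothing in this file shows that a job queued against it cannot still be pending or running at that point. `reload()` calls `reload_interfaces()`, which in bypass_lan_listener.c passes the listener pointer to a callback job with a NULL cleanup function. If the daemon guarantees that the processor is stopped before plugins are unloaded, record that on `destroy()`, e.g. `/* queued listener jobs are cancelled before plugins get unloaded */`. If it does not, the listener needs a way to cancel or wait for the job before `free(this)`.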
diff --git a/src/libcharon/plugins/bypass_lan/bypass_lan_plugin.h b/src/libcharon/plugins/bypass_lan/bypass_lan_plugin.h
new file mode 100644
index 0000000..934bf0c
--- /dev/null
+++ b/src/libcharon/plugins/bypass_lan/bypass_lan_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup bypass_lan bypass_lan
+ * @ingroup cplugins
+ *
+ * @defgroup bypass_lan_plugin bypass_lan_plugin
+ * @{ @ingroup bypass_lan
+ */
+
+#ifndef BYPASS_LAN_PLUGIN_H_
+#define BYPASS_LAN_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct bypass_lan_plugin_t bypass_lan_plugin_t;
+
+/**
+ * Plugin installing bypass policies for locally attached subnets.
+ */
+struct bypass_lan_plugin_t {
+
+	/**
+	 * Implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** BYPASS_LAN_PLUGIN_H_ @}*/
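Review bot: The struct comment says what the plugin installs but not what that means for traffic, which is what an operator enabling it needs to know. A bypass policy exempts matching packets from IPsec processing, so with this plugin loaded, traffic to locally attached subnets is sent outside any tunnel, and on an untrusted network the attached subnet is chosen by that network. Suggested wording: `Plugin installing bypass policies for locally attached subnets; traffic to these subnets is not protected by IPsec. The considered interfaces can be restricted in the plugins.bypass-lan section (e.g. interfaces_ignore).`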
diff --git a/src/libcharon/plugins/certexpire/Makefile.in b/src/libcharon/plugins/certexpire/Makefile.in
index 30873fa..ffde2d7 100644
--- a/src/libcharon/plugins/certexpire/Makefile.in
+++ b/src/libcharon/plugins/certexpire/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/connmark/Makefile.in b/src/libcharon/plugins/connmark/Makefile.in
index 3c9ba80..140f1b6 100644
--- a/src/libcharon/plugins/connmark/Makefile.in
+++ b/src/libcharon/plugins/connmark/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/connmark/connmark_plugin.c b/src/libcharon/plugins/connmark/connmark_plugin.c
index 3f276f9..ad44eba 100644
--- a/src/libcharon/plugins/connmark/connmark_plugin.c
+++ b/src/libcharon/plugins/connmark/connmark_plugin.c
@@ -90,6 +90,12 @@ plugin_t *connmark_plugin_create()
 		return NULL;
 	}
 
+	if (!lib->caps->keep(lib->caps, CAP_NET_RAW))
+	{
+		DBG1(DBG_NET, "connmark plugin requires CAP_NET_RAW capability");
+		return NULL;
+	}
+
 	INIT(this,
 		.public = {
 			.plugin = {
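Review bot: The new check does not say what needs `CAP_NET_RAW`, which makes the capability hard to justify in a least-privilege review of the daemon. A one-line comment above it naming the operation would help, e.g. `/* <operation that opens the raw socket> needs CAP_NET_RAW */`. Given the plugin's purpose this is presumably the netfilter rule management, but the hunk does not show it. Note also that a daemon started without the capability loses the plugin with only this `DBG1` line as a trace. connmark_plugin_create starts above the hunk, where an earlier check of the same shape ends.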
diff --git a/src/libcharon/plugins/coupling/Makefile.in b/src/libcharon/plugins/coupling/Makefile.in
index 61dd852..3910e4e 100644
--- a/src/libcharon/plugins/coupling/Makefile.in
+++ b/src/libcharon/plugins/coupling/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in
index 856ebaa..6033c6e 100644
--- a/src/libcharon/plugins/dhcp/Makefile.in
+++ b/src/libcharon/plugins/dhcp/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/dnscert/Makefile.in b/src/libcharon/plugins/dnscert/Makefile.in
index fd47162..cd66af8 100644
--- a/src/libcharon/plugins/dnscert/Makefile.in
+++ b/src/libcharon/plugins/dnscert/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/duplicheck/Makefile.in b/src/libcharon/plugins/duplicheck/Makefile.in
index 866af82..e4b60e6 100644
--- a/src/libcharon/plugins/duplicheck/Makefile.in
+++ b/src/libcharon/plugins/duplicheck/Makefile.in
@@ -367,7 +367,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -402,6 +401,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index 6ff71c2..20c0ddb 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
index eabe0b4..f4fb8ec 100644
--- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
+++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_dynamic/Makefile.in b/src/libcharon/plugins/eap_dynamic/Makefile.in
index e6877f7..2dbc05f 100644
--- a/src/libcharon/plugins/eap_dynamic/Makefile.in
+++ b/src/libcharon/plugins/eap_dynamic/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_dynamic/eap_dynamic.c b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
index d0f0595..83ccd3a 100644
--- a/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
+++ b/src/libcharon/plugins/eap_dynamic/eap_dynamic.c
@@ -94,6 +94,13 @@ static eap_method_t *load_method(private_eap_dynamic_t *this,
 	return method;
 }
 
+METHOD(eap_method_t, get_auth, auth_cfg_t*,
+	private_eap_dynamic_t *this)
+{
+	/* get_auth() is only registered if the EAP method supports it */
+	return this->method->get_auth(this->method);
+}
+
 /**
  * Select the first method we can instantiate and is supported by both peers.
  */
@@ -135,6 +142,10 @@ static void select_method(private_eap_dynamic_t *this)
 		this->method = load_method(this, entry->type, entry->vendor);
 		if (this->method)
 		{
+			if (this->method->get_auth)
+			{
+				this->public.interface.get_auth = _get_auth;
+			}
 			if (entry->vendor)
 			{
 				DBG1(DBG_IKE, "vendor specific EAP method %d-%d selected",
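Review bot: The `get_auth` pointer is set here but cleared in a different function (the `process` hunk below), so the invariant is spread over two places. It is non-NULL exactly when the selected method implements `get_auth` only if every path that replaces `this->method` remembers the reset. Assigning it unconditionally at the point of selection keeps the rule local: `this->public.interface.get_auth = this->method->get_auth ? _get_auth : NULL;`. The wrapper added in the first hunk calls through `this->method` without a check, so a stale pointer would become a NULL dereference or NULL call during authentication. select_method continues outside the hunk.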
@@ -211,6 +222,7 @@ METHOD(eap_method_t, process, status_t,
 		/* restart with a different method */
 		this->method->destroy(this->method);
 		this->method = NULL;
+		this->public.interface.get_auth = NULL;
 		return initiate(this, out);
 	}
 	if (!this->other_types)
diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in
index a1ebc2b..01d509e 100644
--- a/src/libcharon/plugins/eap_gtc/Makefile.in
+++ b/src/libcharon/plugins/eap_gtc/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in
index e2431fe..cc1f21e 100644
--- a/src/libcharon/plugins/eap_identity/Makefile.in
+++ b/src/libcharon/plugins/eap_identity/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in
index 2a47218..939bbf9 100644
--- a/src/libcharon/plugins/eap_md5/Makefile.in
+++ b/src/libcharon/plugins/eap_md5/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in
index 42c0795..1e1936c 100644
--- a/src/libcharon/plugins/eap_mschapv2/Makefile.in
+++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_peap/Makefile.in b/src/libcharon/plugins/eap_peap/Makefile.in
index 23d9d1d..b83a80f 100644
--- a/src/libcharon/plugins/eap_peap/Makefile.in
+++ b/src/libcharon/plugins/eap_peap/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in
index 7d0614d..29a2f38 100644
--- a/src/libcharon/plugins/eap_radius/Makefile.in
+++ b/src/libcharon/plugins/eap_radius/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in
index ba20c08..b4abce9 100644
--- a/src/libcharon/plugins/eap_sim/Makefile.in
+++ b/src/libcharon/plugins/eap_sim/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in
index 5d93852..914c8c0 100644
--- a/src/libcharon/plugins/eap_sim_file/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_file/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
index 8d0cd71..48ef921 100644
--- a/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
+++ b/src/libcharon/plugins/eap_sim_pcsc/Makefile.in
@@ -363,7 +363,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -398,6 +397,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
index 60b7ef3..5f12e2e 100644
--- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in
@@ -363,7 +363,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -398,6 +397,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
index 8608587..45e2b74 100644
--- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
index 4cf739e..8c134cf 100644
--- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in
+++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in
index d125c13..a9a2ded 100644
--- a/src/libcharon/plugins/eap_tls/Makefile.in
+++ b/src/libcharon/plugins/eap_tls/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in
index c32671a..cda1728 100644
--- a/src/libcharon/plugins/eap_tnc/Makefile.in
+++ b/src/libcharon/plugins/eap_tnc/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index 20a3dd8..a72b005 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/error_notify/Makefile.in b/src/libcharon/plugins/error_notify/Makefile.in
index 96c6a63..33862f0 100644
--- a/src/libcharon/plugins/error_notify/Makefile.in
+++ b/src/libcharon/plugins/error_notify/Makefile.in
@@ -368,7 +368,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -403,6 +402,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/ext_auth/Makefile.in b/src/libcharon/plugins/ext_auth/Makefile.in
index 1178d65..de83d83 100644
--- a/src/libcharon/plugins/ext_auth/Makefile.in
+++ b/src/libcharon/plugins/ext_auth/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in
index f37ca65..daee657 100644
--- a/src/libcharon/plugins/farp/Makefile.in
+++ b/src/libcharon/plugins/farp/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/farp/farp_spoofer.c b/src/libcharon/plugins/farp/farp_spoofer.c
index c2715bd..5753f79 100644
--- a/src/libcharon/plugins/farp/farp_spoofer.c
+++ b/src/libcharon/plugins/farp/farp_spoofer.c
@@ -143,7 +143,7 @@ farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener)
 		BPF_STMT(BPF_LD+BPF_B+BPF_ABS, offsetof(arp_t, hardware_size)),
 		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 6, 0, 7),
 		BPF_STMT(BPF_LD+BPF_B+BPF_ABS, offsetof(arp_t, protocol_size)),
-		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 4, 0, 4),
+		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 4, 0, 5),
 		BPF_STMT(BPF_LD+BPF_H+BPF_ABS, offsetof(arp_t, opcode)),
 		BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARPOP_REQUEST, 0, 3),
 		BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0),
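Review bot: The relative jump offsets in this filter (`7`, `5`, `3` on the three `BPF_JUMP` lines shown) are counted by hand, and nothing says which instruction each is meant to reach. That makes an off-by-one like the one corrected here hard to spot in review. A short comment per jump would make the next edit checkable, for example `/* on mismatch skip to the final reject */`; this assumes the reject is the intended target, since the end of the filter lies outside the hunk. A named constant for the index of the reject instruction, from which the offsets are derived, would remove the manual counting altogether.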
diff --git a/src/libcharon/plugins/forecast/Makefile.in b/src/libcharon/plugins/forecast/Makefile.in
index 2f78e77..5254bca 100644
--- a/src/libcharon/plugins/forecast/Makefile.in
+++ b/src/libcharon/plugins/forecast/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/forecast/forecast_listener.c b/src/libcharon/plugins/forecast/forecast_listener.c
index 3f252db..2024c26 100644
--- a/src/libcharon/plugins/forecast/forecast_listener.c
+++ b/src/libcharon/plugins/forecast/forecast_listener.c
@@ -212,7 +212,7 @@ static bool manage_pre_esp_in_udp(struct iptc_handle *ipth,
 	ADD_STRUCT(pos, struct xt_udp,
 		.spts = {
 			entry->rhost->get_port(entry->rhost),
-			entry->rhost->get_port(entry->lhost)
+			entry->rhost->get_port(entry->rhost)
 		},
 		.dpts = {
 			entry->lhost->get_port(entry->lhost),
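Review bot: The receiver and the argument of `get_port` must name the same host on each of these lines, and the repeated `entry->rhost->get_port(entry->rhost)` form makes a mismatch easy to overlook, as the corrected line shows. Reading each port once into a local before `ADD_STRUCT`, e.g. `uint16_t rport = entry->rhost->get_port(entry->rhost);`, and writing `.spts = { rport, rport }` removes the duplication. The same applies to the `.dpts` pair, which continues past the end of the hunk. manage_pre_esp_in_udp starts above the hunk, so whether other rules in the function repeat the pattern is not visible here.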
diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in
index 2be7ee4..dd2a7a9 100644
--- a/src/libcharon/plugins/ha/Makefile.in
+++ b/src/libcharon/plugins/ha/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c
index b20ef87..34d6efc 100644
--- a/src/libcharon/plugins/ha/ha_attribute.c
+++ b/src/libcharon/plugins/ha/ha_attribute.c
@@ -215,8 +215,12 @@ METHOD(attribute_provider_t, acquire_address, host_t*,
 		}
 		if (offset == -1)
 		{
-			DBG1(DBG_CFG, "no address left in HA pool '%s' belonging to"
-				 "a responsible segment", name);
+			DBG1(DBG_CFG, "no address belonging to a responsible segment left "
+				 "in HA pool '%s'", name);
+		}
+		else
+		{
+			break;
 		}
 	}
 	this->mutex->unlock(this->mutex);
diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c
index 992ccb0..0e83b16 100644
--- a/src/libcharon/plugins/ha/ha_ike.c
+++ b/src/libcharon/plugins/ha/ha_ike.c
@@ -237,6 +237,20 @@ METHOD(listener_t, ike_rekey, bool,
 	return TRUE;
 }
 
+METHOD(listener_t, alert, bool,
+	private_ha_ike_t *this, ike_sa_t *ike_sa, alert_t alert, va_list args)
+{
+	switch (alert)
+	{
+		case ALERT_HALF_OPEN_TIMEOUT:
+			ike_updown(this, ike_sa, FALSE);
+			break;
+		default:
+			break;
+	}
+	return TRUE;
+}
+
 METHOD(listener_t, ike_state_change, bool,
 	private_ha_ike_t *this, ike_sa_t *ike_sa, ike_sa_state_t new)
 {
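Review bot: The new `alert` handler has no comment explaining why a half-open timeout must be reported to the HA peer as a down event. Presumably the IKE_SA is removed on that timeout without a regular `ike_updown` event, so the other node would otherwise keep the synced half-open SA. If that is the reason, a line such as `/* half-open SAs time out without an updown event, sync the deletion explicitly */` above the `case` would document it. `args` is unused, which is fine for this alert but worth a note if cases that carry arguments are added later.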
@@ -393,6 +407,7 @@ ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel,
 	INIT(this,
 		.public = {
 			.listener = {
+				.alert = _alert,
 				.ike_keys = _ike_keys,
 				.ike_updown = _ike_updown,
 				.ike_rekey = _ike_rekey,
diff --git a/src/libcharon/plugins/ipseckey/Makefile.in b/src/libcharon/plugins/ipseckey/Makefile.in
index 971b72c..025a1a2 100644
--- a/src/libcharon/plugins/ipseckey/Makefile.in
+++ b/src/libcharon/plugins/ipseckey/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_iph/Makefile.in b/src/libcharon/plugins/kernel_iph/Makefile.in
index a2c8d22..fb8e42e 100644
--- a/src/libcharon/plugins/kernel_iph/Makefile.in
+++ b/src/libcharon/plugins/kernel_iph/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_libipsec/Makefile.in b/src/libcharon/plugins/kernel_libipsec/Makefile.in
index 011ec3f..4d5e460 100644
--- a/src/libcharon/plugins/kernel_libipsec/Makefile.in
+++ b/src/libcharon/plugins/kernel_libipsec/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in
index b2df52a..26a7090 100644
--- a/src/libcharon/plugins/kernel_netlink/Makefile.in
+++ b/src/libcharon/plugins/kernel_netlink/Makefile.in
@@ -399,7 +399,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -434,6 +433,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
index f3846ec..becf6b5 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006-2016 Tobias Brunner
+ * Copyright (C) 2006-2017 Tobias Brunner
  * Copyright (C) 2005-2009 Martin Willi
  * Copyright (C) 2008-2016 Andreas Steffen
  * Copyright (C) 2006-2007 Fabian Hartmann, Noah Heusser
@@ -76,7 +76,7 @@
 #endif
 
 /** Base priority for installed policies */
-#define PRIO_BASE 100000
+#define PRIO_BASE 200000
 
 /** Default lifetime of an acquire XFRM state (in seconds) */
 #define DEFAULT_ACQUIRE_LIFETIME 165
@@ -117,7 +117,7 @@ struct kernel_algorithm_t {
 	/**
 	 * Name of the algorithm in linux crypto API
 	 */
-	char *name;
+	const char *name;
 };
 
 ENUM(xfrm_msg_names, XFRM_MSG_NEWSA, XFRM_MSG_MAPPING,
@@ -221,6 +221,7 @@ static kernel_algorithm_t integrity_algs[] = {
 /*	{AUTH_DES_MAC,				"***"				}, */
 /*	{AUTH_KPDK_MD5,				"***"				}, */
 	{AUTH_AES_XCBC_96,			"xcbc(aes)"			},
+	{AUTH_AES_CMAC_96,			"cmac(aes)"			},
 };
 
 /**
@@ -236,7 +237,7 @@ static kernel_algorithm_t compression_algs[] = {
 /**
  * Look up a kernel algorithm name and its key size
  */
-static char* lookup_algorithm(transform_type_t type, int ikev2)
+static const char* lookup_algorithm(transform_type_t type, int ikev2)
 {
 	kernel_algorithm_t *list;
 	int i, count;
@@ -652,14 +653,15 @@ static inline uint32_t port_mask_bits(uint16_t port_mask)
 /**
  * Calculate the priority of a policy
  *
- * bits 0-0:  restriction to network interface (0..1)   1 bit
- * bits 1-6:  src + dst port mask bits (2 * 0..16)      6 bits
- * bits 7-7:  restriction to protocol (0..1)            1 bit
- * bits 8-16: src + dst network mask bits (2 * 0..128)  9 bits
- *                                                     17 bits
+ * bits 0-0:  separate trap and regular policies (0..1) 1 bit
+ * bits 1-1:  restriction to network interface (0..1)   1 bit
+ * bits 2-7:  src + dst port mask bits (2 * 0..16)      6 bits
+ * bits 8-8:  restriction to protocol (0..1)            1 bit
+ * bits 9-17: src + dst network mask bits (2 * 0..128)  9 bits
+ *                                                     18 bits
  *
- * smallest value: 000000000 0 000000 0:      0, lowest priority = 100'000
- * largest value : 100000000 1 100000 1: 65'729, highst priority =  34'271
+ * smallest value: 000000000 0 000000 0 0:       0, lowest priority = 200'000
+ * largest value : 100000000 1 100000 1 1: 131'459, highst priority =  68'541
  */
 static uint32_t get_priority(policy_entry_t *policy, policy_priority_t prio,
 							 char *interface)
@@ -672,8 +674,6 @@ static uint32_t get_priority(policy_entry_t *policy, policy_priority_t prio,
 			priority += PRIO_BASE;
 			/* fall-through to next case */
 		case POLICY_PRIORITY_ROUTED:
-			priority += PRIO_BASE;
-			/* fall-through to next case */
 		case POLICY_PRIORITY_DEFAULT:
 			priority += PRIO_BASE;
 			/* fall-through to next case */
@@ -684,10 +684,11 @@ static uint32_t get_priority(policy_entry_t *policy, policy_priority_t prio,
 	dport_mask_bits = port_mask_bits(policy->sel.dport_mask);
 
 	/* calculate priority */
-	priority -= (policy->sel.prefixlen_s + policy->sel.prefixlen_d) * 256;
-	priority -=  policy->sel.proto ? 128 : 0;
-	priority -= (sport_mask_bits + dport_mask_bits) * 2;
-	priority -= (interface != NULL);
+	priority -= (policy->sel.prefixlen_s + policy->sel.prefixlen_d) * 512;
+	priority -=  policy->sel.proto ? 256 : 0;
+	priority -= (sport_mask_bits + dport_mask_bits) * 4;
+	priority -= (interface != NULL) * 2;
+	priority -= (prio != POLICY_PRIORITY_ROUTED);
 
 	return priority;
 }
@@ -1210,8 +1211,15 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 	private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
 	uint8_t protocol, uint32_t *spi)
 {
-	if (get_spi_internal(this, src, dst, protocol,
-						 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
+	uint32_t spi_min, spi_max;
+
+	spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
+									 KERNEL_SPI_MIN, lib->ns);
+	spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
+									 KERNEL_SPI_MAX, lib->ns);
+
+	if (get_spi_internal(this, src, dst, protocol, min(spi_min, spi_max),
+						 max(spi_min, spi_max), spi) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to get SPI");
 		return FAILED;
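Review bot: The configured SPI range is handed to get_spi_internal() without a lower-bound check, so a `spi_min` or `spi_max` below 0x100 could make the allocator return values from the range RFC 4303 reserves (0 for local use, 1-255 for IANA), unless get_spi_internal() or the kernel rejects them, which this hunk does not show. Clamping the minimum, e.g. passing `max(min(spi_min, spi_max), 0x100)`, keeps a configuration mistake from producing unusable SAs. Both options are also read with get_int() into a `uint32_t` on every call, so values above INT_MAX depend on how the settings parser converts them; a one-line comment on that would help. The same applies to get_spi in kernel_pfkey_ipsec.c further down, and the function body continues outside the hunk.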
@@ -1276,7 +1284,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	kernel_ipsec_add_sa_t *data)
 {
 	netlink_buf_t request;
-	char *alg_name, markstr[32] = "";
+	const char *alg_name;
+	char markstr[32] = "";
 	struct nlmsghdr *hdr;
 	struct xfrm_usersa_info *sa;
 	uint16_t icv_size = 64, ipcomp = data->ipcomp;
@@ -1367,6 +1376,11 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 		default:
 			break;
 	}
+	if (id->proto == IPPROTO_AH && sa->family == AF_INET)
+	{	/* use alignment to 4 bytes for IPv4 instead of the incorrect 8 byte
+		 * alignment that's used by default but is only valid for IPv6 */
+		sa->flags |= XFRM_STATE_ALIGN4;
+	}
 
 	sa->reqid = data->reqid;
 	sa->lft.soft_byte_limit = XFRM_LIMIT(data->lifetime->bytes.rekey);
@@ -2523,7 +2537,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 	{	/* we don't update the policy if the priority is lower than that of
 		 * the currently installed one */
 		policy_change_done(this, policy);
-		DBG2(DBG_KNL, "not updating policy %R === %R %N%s [priority %u,"
+		DBG2(DBG_KNL, "not updating policy %R === %R %N%s [priority %u, "
 			 "refcount %d]", id->src_ts, id->dst_ts, policy_dir_names,
 			 id->dir, markstr, cur_priority, use_count);
 		return SUCCESS;
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
index 0132f72..2dc76d9 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_net.c
@@ -476,6 +476,11 @@ struct private_kernel_netlink_net_t {
 	bool roam_events;
 
 	/**
+	 * whether to install IPsec policy routes
+	 */
+	bool install_routes;
+
+	/**
 	 * whether to actually install virtual IPs
 	 */
 	bool install_virtual_ip;
@@ -795,6 +800,68 @@ static u_char get_scope(host_t *ip)
 }
 
 /**
+ * Determine the label of the given unicast IP address.
+ *
+ * We currently only support the default table given in RFC 6724:
+ *
+ *  Prefix        Precedence Label
+ *  ::1/128               50     0
+ *  ::/0                  40     1
+ *  ::ffff:0:0/96         35     4
+ *  2002::/16             30     2
+ *  2001::/32              5     5
+ *  fc00::/7               3    13
+ *  ::/96                  1     3
+ *  fec0::/10              1    11
+ *  3ffe::/16              1    12
+ */
+static u_char get_label(host_t *ip)
+{
+	struct {
+		chunk_t net;
+		u_char prefix;
+		u_char label;
+	} priorities[] = {
+		/* priority table ordered by prefix */
+		/* ::1/128 */
+		{ chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01), 128, 0 },
+		/* ::ffff:0:0/96 */
+		{ chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00), 96, 4 },
+		/* ::/96 */
+		{ chunk_from_chars(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 96, 3 },
+		/* 2001::/32 */
+		{ chunk_from_chars(0x20, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 32, 5 },
+		/* 2002::/16 */
+		{ chunk_from_chars(0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 16, 2 },
+		/* 3ffe::/16 */
+		{ chunk_from_chars(0x3f, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 16, 12 },
+		/* fec0::/10 */
+		{ chunk_from_chars(0xfe, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 10, 11 },
+		/* fc00::/7 */
+		{ chunk_from_chars(0xfc, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+						   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00), 7, 13 },
+	};
+	int i;
+
+	for (i = 0; i < countof(priorities); i++)
+	{
+		if (host_in_subnet(ip, priorities[i].net, priorities[i].prefix))
+		{
+			return priorities[i].label;
+		}
+	}
+	/* ::/0 */
+	return 1;
+}
+
+/**
  * Returns the length of the common prefix in bits up to the length of a's
  * prefix, defined by RFC 6724 as the portion of the address not including the
  * interface ID, which is 64-bit for most unicast addresses (see RFC 4291).
@@ -829,7 +896,7 @@ static u_char common_prefix(host_t *a, host_t *b)
 static bool is_address_better(private_kernel_netlink_net_t *this,
 							  addr_entry_t *a, addr_entry_t *b, host_t *d)
 {
-	u_char sa, sb, sd, pa, pb;
+	u_char sa, sb, sd, la, lb, ld, pa, pb;
 
 	/* rule 2: prefer appropriate scope */
 	if (d)
@@ -858,9 +925,22 @@ static bool is_address_better(private_kernel_netlink_net_t *this,
 	/* rule 4 is not applicable as we don't know if an address is a home or
 	 * care-of addresses.
 	 * rule 5 does not apply as we only compare addresses from one interface
-	 * rule 6 requires a policy table (optionally configurable) to match
-	 * configurable labels
 	 */
+	/* rule 6: prefer matching label */
+	if (d)
+	{
+		la = get_label(a->ip);
+		lb = get_label(b->ip);
+		ld = get_label(d);
+		if (la == ld && lb != ld)
+		{
+			return FALSE;
+		}
+		else if (lb == ld && la != ld)
+		{
+			return TRUE;
+		}
+	}
 	/* rule 7: prefer temporary addresses (WE REVERSE THIS BY DEFAULT!) */
 	if ((a->flags & IFA_F_TEMPORARY) != (b->flags & IFA_F_TEMPORARY))
 	{
@@ -1795,12 +1875,22 @@ static host_t *get_route(private_kernel_netlink_net_t *this, host_t *dest,
 	{	/* kernels prior to 3.0 do not support RTA_PREFSRC for IPv6 routes.
 		 * as we want to ignore routes with virtual IPs we cannot use DUMP
 		 * if these routes are not installed in a separate table */
-		hdr->nlmsg_flags |= NLM_F_DUMP;
+		if (this->install_routes)
+		{
+			hdr->nlmsg_flags |= NLM_F_DUMP;
+		}
 	}
 	if (candidate)
 	{
 		chunk = candidate->get_address(candidate);
-		netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
+		if (hdr->nlmsg_flags & NLM_F_DUMP)
+		{
+			netlink_add_attribute(hdr, RTA_PREFSRC, chunk, sizeof(request));
+		}
+		else
+		{
+			netlink_add_attribute(hdr, RTA_SRC, chunk, sizeof(request));
+		}
 	}
 	/* we use this below to match against the routes */
 	chunk = dest->get_address(dest);
@@ -2050,6 +2140,146 @@ METHOD(kernel_net_t, get_nexthop, host_t*,
 	return get_route(this, dest, prefix, TRUE, src, iface, 0);
 }
 
+/** enumerator over subnets */
+typedef struct {
+	enumerator_t public;
+	private_kernel_netlink_net_t *private;
+	/** message from the kernel */
+	struct nlmsghdr *msg;
+	/** current message from the kernel */
+	struct nlmsghdr *current;
+	/** remaining length */
+	size_t len;
+	/** last subnet enumerated */
+	host_t *net;
+	/** interface of current net */
+	char ifname[IFNAMSIZ];
+} subnet_enumerator_t;
+
+METHOD(enumerator_t, destroy_subnet_enumerator, void,
+	subnet_enumerator_t *this)
+{
+	DESTROY_IF(this->net);
+	free(this->msg);
+	free(this);
+}
+
+METHOD(enumerator_t, enumerate_subnets, bool,
+	subnet_enumerator_t *this, host_t **net, uint8_t *mask, char **ifname)
+{
+	if (!this->current)
+	{
+		this->current = this->msg;
+	}
+	else
+	{
+		this->current = NLMSG_NEXT(this->current, this->len);
+		DESTROY_IF(this->net);
+		this->net = NULL;
+	}
+
+	while (NLMSG_OK(this->current, this->len))
+	{
+		switch (this->current->nlmsg_type)
+		{
+			case NLMSG_DONE:
+				break;
+			case RTM_NEWROUTE:
+			{
+				struct rtmsg *msg;
+				struct rtattr *rta;
+				size_t rtasize;
+				chunk_t dst = chunk_empty;
+				uint32_t oif = 0;
+
+				msg = NLMSG_DATA(this->current);
+
+				if (!route_usable(this->current))
+				{
+					break;
+				}
+				else if (msg->rtm_table && (
+							msg->rtm_table == RT_TABLE_LOCAL ||
+							msg->rtm_table == this->private->routing_table))
+				{	/* ignore our own and the local routing tables */
+					break;
+				}
+
+				rta = RTM_RTA(msg);
+				rtasize = RTM_PAYLOAD(this->current);
+				while (RTA_OK(rta, rtasize))
+				{
+					switch (rta->rta_type)
+					{
+						case RTA_DST:
+							dst = chunk_create(RTA_DATA(rta), RTA_PAYLOAD(rta));
+							break;
+						case RTA_OIF:
+							if (RTA_PAYLOAD(rta) == sizeof(oif))
+							{
+								oif = *(uint32_t*)RTA_DATA(rta);
+							}
+							break;
+					}
+					rta = RTA_NEXT(rta, rtasize);
+				}
+
+				if (dst.ptr && oif && if_indextoname(oif, this->ifname))
+				{
+					this->net = host_create_from_chunk(msg->rtm_family, dst, 0);
+					*net = this->net;
+					*mask = msg->rtm_dst_len;
+					*ifname = this->ifname;
+					return TRUE;
+				}
+				break;
+			}
+			default:
+				break;
+		}
+		this->current = NLMSG_NEXT(this->current, this->len);
+	}
+	return FALSE;
+}
+
+METHOD(kernel_net_t, create_local_subnet_enumerator, enumerator_t*,
+	private_kernel_netlink_net_t *this)
+{
+	netlink_buf_t request;
+	struct nlmsghdr *hdr, *out;
+	struct rtmsg *msg;
+	size_t len;
+	subnet_enumerator_t *enumerator;
+
+	memset(&request, 0, sizeof(request));
+
+	hdr = &request.hdr;
+	hdr->nlmsg_flags = NLM_F_REQUEST;
+	hdr->nlmsg_type = RTM_GETROUTE;
+	hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct rtmsg));
+	hdr->nlmsg_flags |= NLM_F_DUMP;
+
+	msg = NLMSG_DATA(hdr);
+	msg->rtm_scope = RT_SCOPE_LINK;
+
+	if (this->socket->send(this->socket, hdr, &out, &len) != SUCCESS)
+	{
+		DBG2(DBG_KNL, "enumerating local subnets failed");
+		return enumerator_create_empty();
+	}
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate_subnets,
+			.destroy = _destroy_subnet_enumerator,
+		},
+		.private = this,
+		.msg = out,
+		.len = len,
+	);
+	return &enumerator->public;
+}
+
 /**
  * Manages the creation and deletion of ip addresses on an interface.
  * By setting the appropriate nlmsg_type, the ip will be set or unset.
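Review bot: enumerate_subnets returns TRUE with `*net` taken directly from host_create_from_chunk(), which, as far as I know, returns NULL when the RTA_DST payload length does not fit `msg->rtm_family`; a caller would then dereference a NULL host. Adding `if (!this->net) { break; }` right after the assignment skips such a route instead. The returned `net` and `ifname` belong to the enumerator and are released or overwritten on the next enumerate() or destroy(), which the comment on subnet_enumerator_t should state so callers clone what they keep.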
@@ -2080,16 +2310,22 @@ static status_t manage_ipaddr(private_kernel_netlink_net_t *this, int nlmsg_type
 
 	netlink_add_attribute(hdr, IFA_LOCAL, chunk, sizeof(request));
 
-	if (ip->get_family(ip) == AF_INET6 && this->rta_prefsrc_for_ipv6)
-	{	/* if source routes are possible we let the virtual IP get deprecated
-		 * immediately (but mark it as valid forever) so it gets only used if
-		 * forced by our route, and not by the default IPv6 address selection */
-		struct ifa_cacheinfo cache = {
-			.ifa_valid = 0xFFFFFFFF,
-			.ifa_prefered = 0,
-		};
-		netlink_add_attribute(hdr, IFA_CACHEINFO, chunk_from_thing(cache),
-							  sizeof(request));
+	if (ip->get_family(ip) == AF_INET6)
+	{
+		msg->ifa_flags |= IFA_F_NODAD;
+		if (this->rta_prefsrc_for_ipv6)
+		{
+			/* if source routes are possible we let the virtual IP get
+			 * deprecated immediately (but mark it as valid forever) so it gets
+			 * only used if forced by our route, and not by the default IPv6
+			 * address selection */
+			struct ifa_cacheinfo cache = {
+				.ifa_valid = 0xFFFFFFFF,
+				.ifa_prefered = 0,
+			};
+			netlink_add_attribute(hdr, IFA_CACHEINFO, chunk_from_thing(cache),
+								  sizeof(request));
+		}
 	}
 	return this->socket->send_ack(this->socket, hdr);
 }
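Review bot: The new `msg->ifa_flags |= IFA_F_NODAD;` is applied to every IPv6 virtual IP but has no comment, while the cacheinfo block next to it explains its reasoning. A line such as `/* skip duplicate address detection for virtual IPs; address collisions on the link go undetected */` would record the trade-off. The motivation is not stated in the hunk, so the author should confirm the wording. manage_ipaddr starts outside the hunk.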
@@ -2680,6 +2916,7 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 			.interface = {
 				.get_interface = _get_interface_name,
 				.create_address_enumerator = _create_address_enumerator,
+				.create_local_subnet_enumerator = _create_local_subnet_enumerator,
 				.get_source_addr = _get_source_addr,
 				.get_nexthop = _get_nexthop,
 				.add_ip = _add_ip,
@@ -2715,6 +2952,8 @@ kernel_netlink_net_t *kernel_netlink_net_create()
 						"%s.routing_table_prio", ROUTING_TABLE_PRIO, lib->ns),
 		.process_route = lib->settings->get_bool(lib->settings,
 						"%s.process_route", TRUE, lib->ns),
+		.install_routes = lib->settings->get_bool(lib->settings,
+						"%s.install_routes", TRUE, lib->ns),
 		.install_virtual_ip = lib->settings->get_bool(lib->settings,
 						"%s.install_virtual_ip", TRUE, lib->ns),
 		.install_virtual_ip_on = lib->settings->get_str(lib->settings,
diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
index 7165b65..da54031 100644
--- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
+++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_shared.c
@@ -15,6 +15,29 @@
  * for more details.
  */
 
+/*
+ * Copyright (C) 2016 secunet Security Networks AG
+ * Copyright (C) 2016 Thomas Egerer
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
 #include <sys/socket.h>
 #include <linux/netlink.h>
 #include <linux/rtnetlink.h>
@@ -281,8 +304,9 @@ static status_t send_once(private_netlink_socket_t *this, struct nlmsghdr *in,
 						  uintptr_t seq, struct nlmsghdr **out, size_t *out_len)
 {
 	struct nlmsghdr *hdr;
-	chunk_t result = {};
 	entry_t *entry;
+	u_char *ptr;
+	int i;
 
 	in->nlmsg_seq = seq;
 	in->nlmsg_pid = getpid();
@@ -343,6 +367,14 @@ static status_t send_once(private_netlink_socket_t *this, struct nlmsghdr *in,
 		return OUT_OF_RES;
 	}
 
+	for (i = 0, *out_len = 0; i < array_count(entry->hdrs); i++)
+	{
+		array_get(entry->hdrs, i, &hdr);
+		*out_len += hdr->nlmsg_len;
+	}
+	ptr = malloc(*out_len);
+	*out = (struct nlmsghdr*)ptr;
+
 	while (array_remove(entry->hdrs, ARRAY_HEAD, &hdr))
 	{
 		if (this->names)
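Review bot: The result of `malloc(*out_len)` is stored in `ptr` and `*out` without a check, and the loop in the following hunk copies every queued header into it with memcpy(), so an allocation failure becomes a NULL write. A guard such as `if (!ptr) { destroy_entry(entry); return OUT_OF_RES; }` before the loop would match the OUT_OF_RES path just above. Whether destroy_entry() also frees headers still queued in `entry->hdrs` is not visible here and needs confirming. send_once starts and ends outside the hunk.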
@@ -350,14 +382,11 @@ static status_t send_once(private_netlink_socket_t *this, struct nlmsghdr *in,
 			DBG3(DBG_KNL, "received %N %u: %b", this->names, hdr->nlmsg_type,
 				 hdr->nlmsg_seq, hdr, hdr->nlmsg_len);
 		}
-		result = chunk_cat("mm", result,
-						   chunk_create((char*)hdr, hdr->nlmsg_len));
+		memcpy(ptr, hdr, hdr->nlmsg_len);
+		ptr += hdr->nlmsg_len;
+		free(hdr);
 	}
 	destroy_entry(entry);
-
-	*out_len = result.len;
-	*out = (struct nlmsghdr*)result.ptr;
-
 	return SUCCESS;
 }
 
@@ -557,6 +586,8 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
 	struct sockaddr_nl addr = {
 		.nl_family = AF_NETLINK,
 	};
+	bool force_buf = FALSE;
+	int rcvbuf_size = 0;
 
 	INIT(this,
 		.public = {
@@ -606,6 +637,25 @@ netlink_socket_t *netlink_socket_create(int protocol, enum_name_t *names,
 		destroy(this);
 		return NULL;
 	}
+	rcvbuf_size = lib->settings->get_int(lib->settings,
+						"%s.plugins.kernel-netlink.receive_buffer_size",
+						rcvbuf_size, lib->ns);
+	if (rcvbuf_size)
+	{
+		int optname;
+
+		force_buf = lib->settings->get_bool(lib->settings,
+						"%s.plugins.kernel-netlink.force_receive_buffer_size",
+						force_buf, lib->ns);
+		optname = force_buf ? SO_RCVBUFFORCE : SO_RCVBUF;
+
+		if (setsockopt(this->socket, SOL_SOCKET, optname, &rcvbuf_size,
+					   sizeof(rcvbuf_size)) == -1)
+		{
+			DBG1(DBG_KNL, "failed to %supdate receive buffer size to %d: %s",
+					force_buf ? "forcibly " : "", rcvbuf_size, strerror(errno));
+		}
+	}
 	if (this->parallel)
 	{
 		lib->watcher->add(lib->watcher, this->socket, WATCHER_READ, watch, this);
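Review bot: `receive_buffer_size` is read with get_int() and only tested for non-zero, so a negative value from the configuration reaches setsockopt() and its effect is left to the kernel; `if (rcvbuf_size > 0)` would limit the call to meaningful sizes. A failing setsockopt() is only logged and the socket keeps its default buffer. That is a reasonable fallback, but the option documentation should mention it, since SO_RCVBUFFORCE requires CAP_NET_ADMIN. netlink_socket_create starts and ends outside the hunk.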
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in
index d00e8b3..b138a96 100644
--- a/src/libcharon/plugins/kernel_pfkey/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 1b22ea5..1787814 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2016 Tobias Brunner
+ * Copyright (C) 2008-2017 Tobias Brunner
  * Copyright (C) 2008 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -142,7 +142,7 @@
 #endif
 
 /** Base priority for installed policies */
-#define PRIO_BASE 100000
+#define PRIO_BASE 200000
 
 #ifdef __APPLE__
 /** from xnu/bsd/net/pfkeyv2.h */
@@ -597,17 +597,18 @@ static inline bool policy_entry_match_byindex(policy_entry_t *current,
  * This is the same formula we use in the kernel-netlink interface, but some
  * features are currently not or only partially supported by PF_KEY.
  *
- * bits 0-0:  reserved for interface restriction (0..1)     1 bit
- * bits 1-6:  src + dst port mask bits (2 * 0..16)          6 bits
- * bits 7-7:  restriction to protocol (0..1)                1 bit
- * bits 8-16: src + dst network mask bits (2 * 0..128)      9 bits
- *                                                         17 bits
+ * bits 0-0:  separate trap and regular policies (0..1)     1 bit
+ * bits 1-1:  reserved for interface restriction (0..1)     1 bit
+ * bits 2-7:  src + dst port mask bits (2 * 0..16)          6 bits
+ * bits 8-8:  restriction to protocol (0..1)                1 bit
+ * bits 9-17: src + dst network mask bits (2 * 0..128)      9 bits
+ *                                                         18 bits
  *
- * smallest value: 000000000 0 000000 0:      0, lowest priority = 100'000
- * largest value : 100000000 1 100000 0: 65'728, highst priority =  34'272
+ * smallest value: 000000000 0 000000 0 0:       0, lowest priority = 100'000
+ * largest value : 100000000 1 100000 0 1: 131'457, highst priority =  68'543
  */
 static inline uint32_t get_priority(policy_entry_t *policy,
-									 policy_priority_t prio)
+									policy_priority_t prio)
 {
 	uint32_t priority = PRIO_BASE;
 
@@ -617,8 +618,6 @@ static inline uint32_t get_priority(policy_entry_t *policy,
 			priority += PRIO_BASE;
 			/* fall-through */
 		case POLICY_PRIORITY_ROUTED:
-			priority += PRIO_BASE;
-			/* fall-through */
 		case POLICY_PRIORITY_DEFAULT:
 			priority += PRIO_BASE;
 			/* fall-through */
@@ -627,10 +626,11 @@ static inline uint32_t get_priority(policy_entry_t *policy,
 	}
 
 	/* calculate priority */
-	priority -= (policy->src.mask + policy->dst.mask) * 256;
-	priority -=  policy->src.proto != IPSEC_PROTO_ANY ? 128 : 0;
-	priority -= policy->src.net->get_port(policy->src.net) ? 32 : 0;
-	priority -= policy->dst.net->get_port(policy->dst.net) ? 32 : 0;
+	priority -= (policy->src.mask + policy->dst.mask) * 512;
+	priority -=  policy->src.proto != IPSEC_PROTO_ANY ? 256 : 0;
+	priority -= policy->src.net->get_port(policy->src.net) ? 64 : 0;
+	priority -= policy->dst.net->get_port(policy->dst.net) ? 64 : 0;
+	priority -= (prio != POLICY_PRIORITY_ROUTED);
 	return priority;
 }
 
@@ -1586,8 +1586,15 @@ METHOD(kernel_ipsec_t, get_spi, status_t,
 	private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
 	uint8_t protocol, uint32_t *spi)
 {
-	if (get_spi_internal(this, src, dst, protocol,
-						 0xc0000000, 0xcFFFFFFF, spi) != SUCCESS)
+	uint32_t spi_min, spi_max;
+
+	spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
+									 KERNEL_SPI_MIN, lib->ns);
+	spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
+									 KERNEL_SPI_MAX, lib->ns);
+
+	if (get_spi_internal(this, src, dst, protocol, min(spi_min, spi_max),
+						 max(spi_min, spi_max), spi) != SUCCESS)
 	{
 		DBG1(DBG_KNL, "unable to get SPI");
 		return FAILED;
@@ -1717,6 +1724,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 	sa->sadb_sa_exttype = SADB_EXT_SA;
 	sa->sadb_sa_len = PFKEY_LEN(len);
 	sa->sadb_sa_spi = id->spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
 	if (id->proto == IPPROTO_COMP)
 	{
 		sa->sadb_sa_encrypt = lookup_algorithm(COMPRESSION_ALGORITHM,
@@ -1889,6 +1897,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 	sa->sadb_sa_exttype = SADB_EXT_SA;
 	sa->sadb_sa_len = PFKEY_LEN(sizeof(struct sadb_sa));
 	sa->sadb_sa_spi = id->spi;
+	sa->sadb_sa_state = SADB_SASTATE_MATURE;
 	PFKEY_EXT_ADD(msg, sa);
 
 	/* the kernel wants a SADB_EXT_ADDRESS_SRC to be present even though
diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/kernel_pfroute/Makefile.in
index fb1520d..1e4b3e2 100644
--- a/src/libcharon/plugins/kernel_pfroute/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfroute/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
index 236e341..efcf1c2 100644
--- a/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
+++ b/src/libcharon/plugins/kernel_pfroute/kernel_pfroute_net.c
@@ -15,6 +15,7 @@
 
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <sys/sysctl.h>
 #include <net/if.h>
 #include <net/if_dl.h>
 #include <ifaddrs.h>
@@ -1448,7 +1449,8 @@ static status_t manage_route(private_kernel_pfroute_net_t *this, int op,
 				}
 				break;
 			case RTAX_GATEWAY:
-				if (gateway)
+				if (gateway &&
+					gateway->get_family(gateway) == dst->get_family(dst))
 				{
 					add_rt_addr(&msg.hdr, RTA_GATEWAY, gateway);
 				}
@@ -1704,6 +1706,198 @@ METHOD(kernel_net_t, get_nexthop, host_t*,
 }
 
 /**
+ * Get the number of set bits in the given netmask
+ */
+static uint8_t sockaddr_to_netmask(sockaddr_t *sockaddr, host_t *dst)
+{
+	uint8_t len = 0, i, byte, mask = 0;
+	struct sockaddr_storage ss;
+	char *addr;
+
+	/* at least some older FreeBSD versions send us shorter sockaddrs
+	 * with the family set to -1 (255) */
+	if (sockaddr->sa_family == 255)
+	{
+		memset(&ss, 0, sizeof(ss));
+		memcpy(&ss, sockaddr, sockaddr->sa_len);
+		/* use the address family and length of the destination as hint */
+		ss.ss_len = *dst->get_sockaddr_len(dst);
+		ss.ss_family = dst->get_family(dst);
+		sockaddr = (sockaddr_t*)&ss;
+	}
+
+	switch (sockaddr->sa_family)
+	{
+		case AF_INET:
+			len = 4;
+			addr = (char*)&((struct sockaddr_in*)sockaddr)->sin_addr;
+			break;
+		case AF_INET6:
+			len = 16;
+			addr = (char*)&((struct sockaddr_in6*)sockaddr)->sin6_addr;
+			break;
+		default:
+			break;
+	}
+
+	for (i = 0; i < len; i++)
+	{
+		byte = addr[i];
+
+		if (byte == 0x00)
+		{
+			break;
+		}
+		if (byte == 0xff)
+		{
+			mask += 8;
+		}
+		else
+		{
+			while (byte & 0x80)
+			{
+				mask++;
+				byte <<= 1;
+			}
+		}
+	}
+	return mask;
+}
+
+/** enumerator over subnets */
+typedef struct {
+	enumerator_t public;
+	/** sysctl result */
+	char *buf;
+	/** length of the complete result */
+	size_t len;
+	/** start of the current route entry */
+	char *current;
+	/** last subnet enumerated */
+	host_t *net;
+	/** interface of current net */
+	char *ifname;
+} subnet_enumerator_t;
+
+METHOD(enumerator_t, destroy_subnet_enumerator, void,
+	subnet_enumerator_t *this)
+{
+	DESTROY_IF(this->net);
+	free(this->ifname);
+	free(this->buf);
+	free(this);
+}
+
+METHOD(enumerator_t, enumerate_subnets, bool,
+	subnet_enumerator_t *this, host_t **net, uint8_t *mask, char **ifname)
+{
+	enumerator_t *enumerator;
+	struct rt_msghdr *rtm;
+	struct sockaddr *addr;
+	int type;
+
+	if (!this->current)
+	{
+		this->current = this->buf;
+	}
+	else
+	{
+		rtm = (struct rt_msghdr*)this->current;
+		this->current += rtm->rtm_msglen;
+		DESTROY_IF(this->net);
+		this->net = NULL;
+		free(this->ifname);
+		this->ifname = NULL;
+	}
+
+	for (; this->current < this->buf + this->len;
+		 this->current += rtm->rtm_msglen)
+	{
+		struct sockaddr *netmask;
+		uint8_t netbits = 0;
+
+		rtm = (struct rt_msghdr*)this->current;
+
+		if (rtm->rtm_version != RTM_VERSION)
+		{
+			continue;
+		}
+		if (rtm->rtm_flags & RTF_GATEWAY ||
+			rtm->rtm_flags & RTF_HOST ||
+			rtm->rtm_flags & RTF_REJECT)
+		{
+			continue;
+		}
+		enumerator = create_rtmsg_enumerator(rtm);
+		while (enumerator->enumerate(enumerator, &type, &addr))
+		{
+			if (type == RTAX_DST)
+			{
+				this->net = this->net ?: host_create_from_sockaddr(addr);
+			}
+			if (type == RTAX_NETMASK)
+			{
+				netmask = addr;
+			}
+			if (type == RTAX_IFP && addr->sa_family == AF_LINK)
+			{
+				struct sockaddr_dl *sdl = (struct sockaddr_dl*)addr;
+				free(this->ifname);
+				this->ifname = strndup(sdl->sdl_data, sdl->sdl_nlen);
+			}
+		}
+		if (this->net)
+		{
+			netbits = sockaddr_to_netmask(netmask, this->net);
+		}
+		enumerator->destroy(enumerator);
+
+		if (this->net && this->ifname)
+		{
+			*net = this->net;
+			*mask = netbits ?: this->net->get_address(this->net).len * 8;
+			*ifname = this->ifname;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(kernel_net_t, create_local_subnet_enumerator, enumerator_t*,
+	private_kernel_pfroute_net_t *this)
+{
+	subnet_enumerator_t *enumerator;
+	char *buf;
+	size_t len;
+	int mib[7] = {
+		CTL_NET, PF_ROUTE, 0, AF_UNSPEC, NET_RT_DUMP, 0, 0
+	};
+
+	if (sysctl(mib, countof(mib), NULL, &len, NULL, 0) < 0)
+	{
+		DBG2(DBG_KNL, "enumerating local subnets failed");
+		return enumerator_create_empty();
+	}
+	buf = malloc(len);
+	if (sysctl(mib, countof(mib), buf, &len, NULL, 0) < 0)
+	{
+		DBG2(DBG_KNL, "enumerating local subnets failed");
+		free(buf);
+		return enumerator_create_empty();
+	}
+
+	INIT(enumerator,
+		.public = {
+			.enumerate = (void*)_enumerate_subnets,
+			.destroy = _destroy_subnet_enumerator,
+		},
+		.buf = buf,
+		.len = len,
+	);
+	return &enumerator->public;
+}
+
+/**
  * Initialize a list of local addresses.
  */
 static status_t init_address_list(private_kernel_pfroute_net_t *this)
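Review bot: In enumerate_subnets, `netmask` is declared without an initializer and passed to sockaddr_to_netmask() whenever `this->net` is set, so a route message carrying RTAX_DST but no RTAX_NETMASK dereferences an indeterminate pointer. `struct sockaddr *netmask = NULL;` together with `if (this->net && netmask)` avoids that. `this->net` and `this->ifname` are also not cleared when a message yields only one of them, so the `?:` can keep a destination from an earlier message. In sockaddr_to_netmask, `memcpy(&ss, sockaddr, sockaddr->sa_len)` trusts `sa_len`, and `min(sockaddr->sa_len, sizeof(ss))` would bound the copy to the local buffer.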
@@ -1848,6 +2042,7 @@ kernel_pfroute_net_t *kernel_pfroute_net_create()
 				.get_features = _get_features,
 				.get_interface = _get_interface_name,
 				.create_address_enumerator = _create_address_enumerator,
+				.create_local_subnet_enumerator = _create_local_subnet_enumerator,
 				.get_source_addr = _get_source_addr,
 				.get_nexthop = _get_nexthop,
 				.add_ip = _add_ip,
diff --git a/src/libcharon/plugins/kernel_wfp/Makefile.in b/src/libcharon/plugins/kernel_wfp/Makefile.in
index 2adb924..a3368d5 100644
--- a/src/libcharon/plugins/kernel_wfp/Makefile.in
+++ b/src/libcharon/plugins/kernel_wfp/Makefile.in
@@ -368,7 +368,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -403,6 +402,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
index 6ad26b7..774fcf5 100644
--- a/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
+++ b/src/libcharon/plugins/kernel_wfp/kernel_wfp_ipsec.c
@@ -25,8 +25,12 @@
 #include <collections/hashtable.h>
 #include <processing/jobs/callback_job.h>
 
+#ifndef IPPROTO_IPIP
 #define IPPROTO_IPIP 4
+#endif
+#ifndef IPPROTO_IPV6
 #define IPPROTO_IPV6 41
+#endif
 
 typedef struct private_kernel_wfp_ipsec_t private_kernel_wfp_ipsec_t;
 
diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in
index 857e629..f16304d 100644
--- a/src/libcharon/plugins/led/Makefile.in
+++ b/src/libcharon/plugins/led/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index f5f3df6..c6e17fb 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -370,7 +370,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -405,6 +404,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/lookip/Makefile.in b/src/libcharon/plugins/lookip/Makefile.in
index 00258c3..9190604 100644
--- a/src/libcharon/plugins/lookip/Makefile.in
+++ b/src/libcharon/plugins/lookip/Makefile.in
@@ -366,7 +366,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -401,6 +400,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index eb7efd2..4db68a3 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index 4452739..78159c8 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -24,6 +24,11 @@
 typedef struct private_medcli_config_t private_medcli_config_t;
 
 /**
+ * Name of the mediation connection
+ */
+#define MEDIATION_CONN_NAME "medcli-mediation"
+
+/**
  * Private data of an medcli_config_t object
  */
 struct private_medcli_config_t {
@@ -72,36 +77,19 @@ static traffic_selector_t *ts_from_string(char *str)
 	return traffic_selector_create_dynamic(0, 0, 65535);
 }
 
-METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
-	private_medcli_config_t *this, char *name)
+/**
+ * Build a mediation config
+ */
+static peer_cfg_t *build_mediation_config(private_medcli_config_t *this,
+										  peer_cfg_create_t *defaults)
 {
 	enumerator_t *e;
-	peer_cfg_t *peer_cfg, *med_cfg;
 	auth_cfg_t *auth;
 	ike_cfg_t *ike_cfg;
-	child_cfg_t *child_cfg;
+	peer_cfg_t *med_cfg;
+	peer_cfg_create_t peer = *defaults;
 	chunk_t me, other;
-	char *address, *local_net, *remote_net;
-	peer_cfg_create_t peer = {
-		.cert_policy = CERT_NEVER_SEND,
-		.unique = UNIQUE_REPLACE,
-		.keyingtries = 1,
-		.rekey_time = this->rekey * 60,
-		.jitter_time = this->rekey * 5,
-		.over_time = this->rekey * 3,
-		.dpd = this->dpd,
-		.mediation = TRUE,
-	};
-	child_cfg_create_t child = {
-		.lifetime = {
-			.time = {
-				.life = this->rekey * 60 + this->rekey,
-				.rekey = this->rekey,
-				.jitter = this->rekey
-			},
-		},
-		.mode = MODE_TUNNEL,
-	};
+	char *address;
 
 	/* query mediation server config:
 	 * - build ike_cfg/peer_cfg for mediation connection on-the-fly
@@ -120,7 +108,9 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 							 address, IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
 	ike_cfg->add_proposal(ike_cfg, proposal_create_default_aead(PROTO_IKE));
-	med_cfg = peer_cfg_create("mediation", ike_cfg, &peer);
+
+	peer.mediation = TRUE;
+	med_cfg = peer_cfg_create(MEDIATION_CONN_NAME, ike_cfg, &peer);
 	e->destroy(e);
 
 	auth = auth_cfg_create();
@@ -133,6 +123,42 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 	auth->add(auth, AUTH_RULE_IDENTITY,
 			  identification_create_from_encoding(ID_KEY_ID, other));
 	med_cfg->add_auth_cfg(med_cfg, auth, FALSE);
+	return med_cfg;
+}
+
+METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
+	private_medcli_config_t *this, char *name)
+{
+	enumerator_t *e;
+	auth_cfg_t *auth;
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+	chunk_t me, other;
+	char *local_net, *remote_net;
+	peer_cfg_create_t peer = {
+		.cert_policy = CERT_NEVER_SEND,
+		.unique = UNIQUE_REPLACE,
+		.keyingtries = 1,
+		.rekey_time = this->rekey * 60,
+		.jitter_time = this->rekey * 5,
+		.over_time = this->rekey * 3,
+		.dpd = this->dpd,
+	};
+	child_cfg_create_t child = {
+		.lifetime = {
+			.time = {
+				.life = this->rekey * 60 + this->rekey,
+				.rekey = this->rekey,
+				.jitter = this->rekey
+			},
+		},
+		.mode = MODE_TUNNEL,
+	};
+
+	if (streq(name, "medcli-mediation"))
+	{
+		return build_mediation_config(this, &peer);
+	}
 
 	/* query mediated config:
 	 * - use any-any ike_cfg
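Review bot: The name check `if (streq(name, "medcli-mediation"))` spells out the string that this commit defines as `MEDIATION_CONN_NAME`, while the `peer_cfg_create()` call and the `peer.mediated_by` assignment in the neighbouring hunks use the macro. If the macro value is ever changed, mediated configs would refer to a name this lookup no longer answers, so the line should read `if (streq(name, MEDIATION_CONN_NAME))`. The body of get_peer_cfg_by_name continues past the end of this hunk.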
@@ -150,8 +176,7 @@ METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*,
 		DESTROY_IF(e);
 		return NULL;
 	}
-	peer.mediation = FALSE;
-	peer.mediated_by = med_cfg;
+	peer.mediated_by = MEDIATION_CONN_NAME;
 	peer.peer_id = identification_create_from_encoding(ID_KEY_ID, other);
 	peer_cfg = peer_cfg_create(name, this->ike->get_ref(this->ike), &peer);
 
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index 3dd849b..ceb06de 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/osx_attr/Makefile.in b/src/libcharon/plugins/osx_attr/Makefile.in
index 83850fc..ab9ece5 100644
--- a/src/libcharon/plugins/osx_attr/Makefile.in
+++ b/src/libcharon/plugins/osx_attr/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/p_cscf/Makefile.in b/src/libcharon/plugins/p_cscf/Makefile.in
index 619bff1..7b3cb2f 100644
--- a/src/libcharon/plugins/p_cscf/Makefile.in
+++ b/src/libcharon/plugins/p_cscf/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/radattr/Makefile.in b/src/libcharon/plugins/radattr/Makefile.in
index 9d227a1..1fe3033 100644
--- a/src/libcharon/plugins/radattr/Makefile.in
+++ b/src/libcharon/plugins/radattr/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in
index 53af31f..f8b62ed 100644
--- a/src/libcharon/plugins/resolve/Makefile.in
+++ b/src/libcharon/plugins/resolve/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in
index d08a6f4..bf0791c 100644
--- a/src/libcharon/plugins/smp/Makefile.in
+++ b/src/libcharon/plugins/smp/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in
index dd1da8b..f66ae16 100644
--- a/src/libcharon/plugins/socket_default/Makefile.in
+++ b/src/libcharon/plugins/socket_default/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in
index b6152af..3d07b54 100644
--- a/src/libcharon/plugins/socket_dynamic/Makefile.in
+++ b/src/libcharon/plugins/socket_dynamic/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/socket_win/Makefile.in b/src/libcharon/plugins/socket_win/Makefile.in
index ed0af93..6924898 100644
--- a/src/libcharon/plugins/socket_win/Makefile.in
+++ b/src/libcharon/plugins/socket_win/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in
index 0a4000e..581225b 100644
--- a/src/libcharon/plugins/sql/Makefile.in
+++ b/src/libcharon/plugins/sql/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c
index bbc20dc..88cac7f 100644
--- a/src/libcharon/plugins/sql/sql_config.c
+++ b/src/libcharon/plugins/sql/sql_config.c
@@ -381,12 +381,14 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 		ike = get_ike_cfg_by_id(this, ike_cfg);
 
 #ifdef ME
-		mediated_cfg = mediated_by ? get_peer_cfg_by_id(this, mediated_by) : NULL;
+		mediated_cfg = mediated_by ? get_peer_cfg_by_id(this, mediated_by)
+								   : NULL;
 		if (p_type)
 		{
 			peer_id = identification_create_from_encoding(p_type, p_data);
 		}
-#endif
+#endif /* ME */
+
 		if (virtual)
 		{
 			vip = host_create_from_string(virtual, 0);
@@ -405,7 +407,8 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 				.dpd = dpd_delay,
 #ifdef ME
 				.mediation = mediation,
-				.mediated_by = mediated_cfg,
+				.mediated_by = mediated_cfg ?
+									mediated_cfg->get_name(mediated_cfg) : NULL,
 				.peer_id = peer_id,
 #endif /* ME */
 			};
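Review bot: `.mediated_by` now stores the pointer returned by `mediated_cfg->get_name(mediated_cfg)`, and the next hunk in this file releases `mediated_cfg` with `DESTROY_IF(mediated_cfg)` right before `return peer_cfg`. That is only safe if `peer_cfg_create()` copies the string, which is not visible here; if it keeps the pointer, the peer config would hold a dangling name. Once the copy is confirmed, a comment at the initializer such as `/* name is copied by peer_cfg_create(), mediated_cfg is released below */` would record the ownership rule. build_peer_cfg starts and ends outside this hunk.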
@@ -443,6 +446,7 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e,
 			}
 			peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 			add_child_cfgs(this, peer_cfg, id);
+			DESTROY_IF(mediated_cfg);
 			return peer_cfg;
 		}
 		DESTROY_IF(ike);
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in
index 7eacc51..50a6d59 100644
--- a/src/libcharon/plugins/stroke/Makefile.in
+++ b/src/libcharon/plugins/stroke/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index f2d1104..bbdc211 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -642,28 +642,9 @@ static peer_cfg_t *build_peer_cfg(private_stroke_config_t *this,
 		/* force unique connections for mediation connections */
 		msg->add_conn.unique = 1;
 	}
-
-	if (msg->add_conn.ikeme.mediated_by)
+	else if (msg->add_conn.ikeme.mediated_by)
 	{
-		peer_cfg_t *mediated_by;
-
-		mediated_by = charon->backends->get_peer_cfg_by_name(
-							charon->backends, msg->add_conn.ikeme.mediated_by);
-		if (!mediated_by)
-		{
-			DBG1(DBG_CFG, "mediation connection '%s' not found, aborting",
-				 msg->add_conn.ikeme.mediated_by);
-			return NULL;
-		}
-		if (!mediated_by->is_mediation(mediated_by))
-		{
-			DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is "
-				 "no mediation connection, aborting",
-				 msg->add_conn.ikeme.mediated_by, msg->add_conn.name);
-			mediated_by->destroy(mediated_by);
-			return NULL;
-		}
-		peer.mediated_by = mediated_by;
+		peer.mediated_by = msg->add_conn.ikeme.mediated_by;
 		if (msg->add_conn.ikeme.peerid)
 		{
 			peer.peer_id = identification_create_from_string(
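Review bot: The `else if (msg->add_conn.ikeme.mediated_by)` branch now copies the configured name into `peer.mediated_by` without the removed lookup, so a connection that refers to a missing connection, or to one that is not a mediation connection, is no longer rejected when it is loaded. Presumably the name is resolved later, when the connection is used, but that code is not in this hunk. A comment such as `/* existence and is_mediation() are checked when the mediation connection is looked up by name */` would tell the next reader where the validation went; if nothing performs it, the two removed checks need an equivalent. build_peer_cfg continues outside the hunk.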
@@ -982,73 +963,60 @@ static void add_ts(private_stroke_config_t *this,
 				   stroke_end_t *end, child_cfg_t *child_cfg, bool local)
 {
 	traffic_selector_t *ts;
+	bool ts_added = FALSE;
 
-	if (end->tohost)
-	{
-		ts = traffic_selector_create_dynamic(end->protocol,
-											 end->from_port, end->to_port);
-		child_cfg->add_traffic_selector(child_cfg, local, ts);
-	}
-	else
+	if (end->subnets)
 	{
-		if (!end->subnets)
-		{
-			host_t *net;
+		enumerator_t *enumerator;
+		char *subnet, *pos;
+		uint16_t from_port, to_port;
+		uint8_t proto;
 
-			net = host_create_from_string(end->address, 0);
-			if (net)
-			{
-				ts = traffic_selector_create_from_subnet(net, 0, end->protocol,
-												end->from_port, end->to_port);
-				child_cfg->add_traffic_selector(child_cfg, local, ts);
-			}
-		}
-		else
+		enumerator = enumerator_create_token(end->subnets, ",", " ");
+		while (enumerator->enumerate(enumerator, &subnet))
 		{
-			enumerator_t *enumerator;
-			char *subnet, *pos;
-			uint16_t from_port, to_port;
-			uint8_t proto;
+			from_port = end->from_port;
+			to_port = end->to_port;
+			proto = end->protocol;
 
-			enumerator = enumerator_create_token(end->subnets, ",", " ");
-			while (enumerator->enumerate(enumerator, &subnet))
+			pos = strchr(subnet, '[');
+			if (pos)
 			{
-				from_port = end->from_port;
-				to_port = end->to_port;
-				proto = end->protocol;
-
-				pos = strchr(subnet, '[');
-				if (pos)
-				{
-					*(pos++) = '\0';
-					if (!parse_protoport(pos, &from_port, &to_port, &proto))
-					{
-						DBG1(DBG_CFG, "invalid proto/port: %s, skipped subnet",
-							 pos);
-						continue;
-					}
-				}
-				if (streq(subnet, "%dynamic"))
+				*(pos++) = '\0';
+				if (!parse_protoport(pos, &from_port, &to_port, &proto))
 				{
-					ts = traffic_selector_create_dynamic(proto,
-														 from_port, to_port);
-				}
-				else
-				{
-					ts = traffic_selector_create_from_cidr(subnet, proto,
-														   from_port, to_port);
-				}
-				if (ts)
-				{
-					child_cfg->add_traffic_selector(child_cfg, local, ts);
-				}
-				else
-				{
-					DBG1(DBG_CFG, "invalid subnet: %s, skipped", subnet);
+					DBG1(DBG_CFG, "invalid proto/port: %s, skipped subnet",
+						 pos);
+					continue;
 				}
 			}
-			enumerator->destroy(enumerator);
+			if (streq(subnet, "%dynamic"))
+			{
+				ts = traffic_selector_create_dynamic(proto,
+													 from_port, to_port);
+			}
+			else
+			{
+				ts = traffic_selector_create_from_cidr(subnet, proto,
+													   from_port, to_port);
+			}
+			if (ts)
+			{
+				child_cfg->add_traffic_selector(child_cfg, local, ts);
+				ts_added = TRUE;
+			}
+			else
+			{
+				DBG1(DBG_CFG, "invalid subnet: %s, skipped", subnet);
+			}
 		}
+		enumerator->destroy(enumerator);
+	}
+	if (!ts_added)
+	{
+		ts = traffic_selector_create_dynamic(end->protocol,
+											 end->from_port, end->to_port);
+		child_cfg->add_traffic_selector(child_cfg, local, ts);
 	}
 }
 
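Review bot: The new `if (!ts_added)` fallback adds a dynamic traffic selector even when `end->subnets` was configured and every entry failed to parse, so a typo in the subnet list changes the proposed selector instead of leaving the side without one as the old code did. The only trace is the per-entry `invalid subnet` message. Logging the substitution, for example `DBG1(DBG_CFG, "no valid subnet configured, using %%dynamic");` under an `if (end->subnets)` test inside that branch, would make it visible to the operator. The rewrite also drops the `end->tohost` test and the branch that built a selector from `end->address`; the function comment should say that both cases now resolve to the dynamic selector. The first line of add_ts's signature lies just above the hunk.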
diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c
index fb60d39..ee83067 100644
--- a/src/libcharon/plugins/stroke/stroke_control.c
+++ b/src/libcharon/plugins/stroke/stroke_control.c
@@ -641,7 +641,8 @@ static void charon_route(peer_cfg_t *peer_cfg, child_cfg_t *child_cfg,
 	mode = child_cfg->get_mode(child_cfg);
 	if (mode == MODE_PASS || mode == MODE_DROP)
 	{
-		if (charon->shunts->install(charon->shunts, child_cfg))
+		if (charon->shunts->install(charon->shunts,
+									peer_cfg->get_name(peer_cfg), child_cfg))
 		{
 			fprintf(out, "'%s' shunt %N policy installed\n",
 					name, ipsec_mode_names, mode);
@@ -729,15 +730,30 @@ METHOD(stroke_control_t, route, void,
 METHOD(stroke_control_t, unroute, void,
 	private_stroke_control_t *this, stroke_msg_t *msg, FILE *out)
 {
+	child_cfg_t *child_cfg;
 	child_sa_t *child_sa;
 	enumerator_t *enumerator;
+	char *ns, *found = NULL;
 	uint32_t id = 0;
 
-	if (charon->shunts->uninstall(charon->shunts, msg->unroute.name))
+	enumerator = charon->shunts->create_enumerator(charon->shunts);
+	while (enumerator->enumerate(enumerator, &ns, &child_cfg))
 	{
+		if (ns && streq(msg->unroute.name, child_cfg->get_name(child_cfg)))
+		{
+			found = strdup(ns);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (found && charon->shunts->uninstall(charon->shunts, found,
+										   msg->unroute.name))
+	{
+		free(found);
 		fprintf(out, "shunt policy '%s' uninstalled\n", msg->unroute.name);
 		return;
 	}
+	free(found);
 
 	enumerator = charon->traps->create_enumerator(charon->traps);
 	while (enumerator->enumerate(enumerator, NULL, &child_sa))
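Review bot: The lookup loop in `unroute` stops at the first shunt whose child name equals `msg->unroute.name`, and the `ns &&` test skips entries with a NULL namespace, so which policy is removed depends on enumeration order when two connections have a child of the same name. That choice deserves a comment above the loop, for example `/* stroke passes no connection name: take the first namespaced shunt with a matching child name */`. `strdup(ns)` is also used unchecked; the `found &&` test then treats an allocation failure as no match and falls through to the trap lookup. The function continues past the end of the hunk.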
diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
index 77911c7..9b61afb 100644
--- a/src/libcharon/plugins/stroke/stroke_cred.c
+++ b/src/libcharon/plugins/stroke/stroke_cred.c
@@ -1310,7 +1310,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 			break;
 		}
 		if (match("RSA", &token) || match("ECDSA", &token) ||
-			match("BLISS", &token))
+			match("BLISS", &token) || match("PKCS8", &token))
 		{
 			if (match("RSA", &token))
 			{
@@ -1320,10 +1320,14 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 			{
 				key_type = KEY_ECDSA;
 			}
-			else
+			else if (match("BLISS", &token))
 			{
 				key_type = KEY_BLISS;
 			}
+			else
+			{
+				key_type = KEY_ANY;
+			}
 			if (!load_private(secrets, line, line_nr, prompt, key_type))
 			{
 				break;
@@ -1356,7 +1360,7 @@ static void load_secrets(private_stroke_cred_t *this, mem_cred_t *secrets,
 		else
 		{
 			DBG1(DBG_CFG, "line %d: token must be either RSA, ECDSA, BLISS, "
-						  "P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
+						  "PKCS8 P12, PIN, PSK, EAP, XAUTH or NTLM", line_nr);
 			break;
 		}
 	}
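Review bot: The updated message string reads `"PKCS8 P12, PIN, PSK, EAP, XAUTH or NTLM"`, with no comma between PKCS8 and P12, so the log presents them as a single token name; it should be `"PKCS8, P12, PIN, PSK, EAP, XAUTH or NTLM"`. In the preceding hunk of load_secrets the final `else` that sets `key_type = KEY_ANY` is reached only for the PKCS8 token because of the enclosing condition, and a comment such as `/* PKCS8: the container names the key type, accept any */` would make that explicit. load_secrets starts and ends outside these hunks.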
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index cec2657..92e3686 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -603,7 +603,7 @@ METHOD(stroke_list_t, status, void,
 	/* Enumerate shunt policies */
 	first = TRUE;
 	enumerator = charon->shunts->create_enumerator(charon->shunts);
-	while (enumerator->enumerate(enumerator, &child_cfg))
+	while (enumerator->enumerate(enumerator, NULL, &child_cfg))
 	{
 		if (name && !streq(name, child_cfg->get_name(child_cfg)))
 		{
diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c
index f64b99f..62095e3 100644
--- a/src/libcharon/plugins/stroke/stroke_plugin.c
+++ b/src/libcharon/plugins/stroke/stroke_plugin.c
@@ -70,6 +70,8 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_SDEPEND(PRIVKEY, KEY_ECDSA),
 				PLUGIN_SDEPEND(PRIVKEY, KEY_DSA),
 				PLUGIN_SDEPEND(PRIVKEY, KEY_BLISS),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_ED25519),
+				PLUGIN_SDEPEND(PRIVKEY, KEY_ED448),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_ANY),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
 				PLUGIN_SDEPEND(CERT_DECODE, CERT_X509_CRL),
diff --git a/src/libcharon/plugins/systime_fix/Makefile.in b/src/libcharon/plugins/systime_fix/Makefile.in
index e219159..78fd6e8 100644
--- a/src/libcharon/plugins/systime_fix/Makefile.in
+++ b/src/libcharon/plugins/systime_fix/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/tnc_ifmap/Makefile.in b/src/libcharon/plugins/tnc_ifmap/Makefile.in
index 60618c0..7ec4eaa 100644
--- a/src/libcharon/plugins/tnc_ifmap/Makefile.in
+++ b/src/libcharon/plugins/tnc_ifmap/Makefile.in
@@ -363,7 +363,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -398,6 +397,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/tnc_pdp/Makefile.in b/src/libcharon/plugins/tnc_pdp/Makefile.in
index 2b6c34c..215e3b3 100644
--- a/src/libcharon/plugins/tnc_pdp/Makefile.in
+++ b/src/libcharon/plugins/tnc_pdp/Makefile.in
@@ -364,7 +364,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -399,6 +398,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in
index 2f79391..64b4bca 100644
--- a/src/libcharon/plugins/uci/Makefile.in
+++ b/src/libcharon/plugins/uci/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/unity/Makefile.in b/src/libcharon/plugins/unity/Makefile.in
index fc9bff7..6811eb7 100644
--- a/src/libcharon/plugins/unity/Makefile.in
+++ b/src/libcharon/plugins/unity/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/unity/unity_handler.c b/src/libcharon/plugins/unity/unity_handler.c
index 5707278..25e0756 100644
--- a/src/libcharon/plugins/unity/unity_handler.c
+++ b/src/libcharon/plugins/unity/unity_handler.c
@@ -235,7 +235,7 @@ static job_requeue_t add_exclude_async(entry_t *entry)
 		enumerator->destroy(enumerator);
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa);
 
-		charon->shunts->install(charon->shunts, child_cfg);
+		charon->shunts->install(charon->shunts, "unity", child_cfg);
 		child_cfg->destroy(child_cfg);
 
 		DBG1(DBG_IKE, "installed %N bypass policy for %R",
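Review bot: The namespace string `"unity"` is written out in the `charon->shunts->install(...)` call here and again in the `uninstall` call in the remove_exclude hunk below; if the two ever differ, bypass policies installed by this plugin could no longer be removed. A file-level `#define UNITY_SHUNT_NS "unity"` used at both call sites would keep them in step. The return value of `install` is still ignored, so the `installed %N bypass policy` message that follows is logged even when installation fails. add_exclude_async starts and ends outside the hunk.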
@@ -310,7 +310,8 @@ static bool remove_exclude(private_unity_handler_t *this, chunk_t data)
 		DBG1(DBG_IKE, "uninstalling %N bypass policy for %R",
 			 configuration_attribute_type_names, UNITY_LOCAL_LAN, ts);
 		ts->destroy(ts);
-		success = charon->shunts->uninstall(charon->shunts, name) && success;
+		success = charon->shunts->uninstall(charon->shunts, "unity",
+											name) && success;
 	}
 	list->destroy(list);
 	return success;
diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in
index a2dd067..1a44e55 100644
--- a/src/libcharon/plugins/updown/Makefile.in
+++ b/src/libcharon/plugins/updown/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/vici/Makefile.in b/src/libcharon/plugins/vici/Makefile.in
index ce15204..cdefbff 100644
--- a/src/libcharon/plugins/vici/Makefile.in
+++ b/src/libcharon/plugins/vici/Makefile.in
@@ -456,7 +456,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -491,6 +490,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/vici/README.md b/src/libcharon/plugins/vici/README.md
index 18a3ef7..9bda949 100644
--- a/src/libcharon/plugins/vici/README.md
+++ b/src/libcharon/plugins/vici/README.md
@@ -1,8 +1,8 @@
 # The Versatile IKE Control Interface (VICI) protocol #
 
-The vici plugin implements the server side of an IPC protocol to configure,
-monitor and control the IKE daemon charon. It uses request/response and event
-messages to communicate over a reliable stream based transport.
+The vici _[ˈvitʃi]_ plugin implements the server side of an IPC protocol to
+configure, monitor and control the IKE daemon charon. It uses request/response
+and event messages to communicate over a reliable stream based transport.
 
 ## Transport protocol ##
 
@@ -258,7 +258,7 @@ Initiates an SA while streaming _control-log_ events.
 
 	{
 		child = <CHILD_SA configuration name to initiate>
-		ike = <optional IKE_SA configuraiton name to find child under>
+		ike = <optional IKE_SA configuration name to find child under>
 		timeout = <timeout in ms before returning>
 		init-limits = <whether limits may prevent initiating the CHILD_SA>
 		loglevel = <loglevel to issue "control-log" events for>
@@ -283,12 +283,29 @@ Terminates an SA while streaming _control-log_ events.
 		loglevel = <loglevel to issue "control-log" events for>
 	} => {
 		success = <yes or no>
+		matches = <number of matched SAs>
+		terminated = <number of terminated SAs>
 		errmsg = <error string on failure or timeout>
 	}
 
 The default timeout of 0 waits indefinitely for a result, and a timeout value
 of -1 returns a result immediately.
 
+### rekey() ###
+
+Initiate the rekeying of an SA.
+
+	{
+		child = <rekey a CHILD_SA by configuration name>
+		ike = <rekey an IKE_SA by configuration name>
+		child-id = <rekey a CHILD_SA by its reqid>
+		ike-id = <rekey an IKE_SA by its unique id>
+	} => {
+		success = <yes or no>
+		matches = <number of matched SAs>
+		errmsg = <error string on failure>
+	}
+
 ### redirect() ###
 
 Redirect a client-initiated IKE_SA to another gateway.  Only for IKEv2 and if
@@ -303,6 +320,7 @@ supported by the peer.
 				   wildcards>
 	} => {
 		success = <yes or no>
+		matches = <number of matched SAs>
 		errmsg = <error string on failure>
 	}
 
@@ -312,7 +330,7 @@ Install a trap, drop or bypass policy defined by a CHILD_SA config.
 
 	{
 		child = <CHILD_SA configuration name to install>
-		ike = <optional IKE_SA configuraiton name to find child under>
+		ike = <optional IKE_SA configuration name to find child under>
 	} => {
 		success = <yes or no>
 		errmsg = <error string on failure>
@@ -324,6 +342,8 @@ Uninstall a trap, drop or bypass policy defined by a CHILD_SA config.
 
 	{
 		child = <CHILD_SA configuration name to install>
+		ike = <optional IKE_SA configuration name to find child under,
+			   if not given the first policy matching child is removed>
 	} => {
 		success = <yes or no>
 		errmsg = <error string on failure>
@@ -352,6 +372,7 @@ _list-policy_ events.
 		pass = <set to yes to list bypass policies>
 		trap = <set to yes to list trap policies>
 		child = <filter by CHILD_SA configuration name>
+		ike = <filter by IKE_SA configuration name>
 	} => {
 		# completes after streaming list-sa events
 	}
@@ -466,12 +487,53 @@ Load a private key into the daemon.
 		errmsg = <error string on failure>
 	}
 
+### unload-key() ###
+
+Unload the private key with the given key identifier.
+
+	{
+		id = <hex-encoded SHA-1 key identifier of the private key to unload>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### get-keys() ###
+
+Return a list of identifiers of private keys loaded exclusively over vici, not
+including keys found in other backends.
+
+	{} => {
+		keys = [
+			<list of hex-encoded SHA-1 key identifiers>
+		]
+	}
+
+### load-token() ###
+
+Load a private key located on a token into the daemon.  Such keys may be listed
+and unloaded using the _get-keys_ and _unload-key_ commands, respectively (based
+on the key identifier derived from the public key).
+
+	{
+		handle = <hex-encoded CKA_ID of the private key on token>
+		slot = <optional slot number>
+		module = <optional PKCS#11 module>
+		pin = <optional PIN to access the key, has to be provided via other
+			   means if not given>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+		id = <hex-encoded SHA-1 key identifier of the public key on success>
+	}
+
 ### load-shared() ###
 
 Load a shared IKE PSK, EAP or XAuth secret into the daemon.
 
 	{
-		type = <private key type, IKE|EAP|XAUTH>
+		id = <optional unique identifier of this shared key>
+		type = <shared key type, IKE|EAP|XAUTH>
 		data = <raw shared key data>
 		owners = [
 			<list of shared key owner identities>
@@ -481,6 +543,29 @@ Load a shared IKE PSK, EAP or XAuth secret into the daemon.
 		errmsg = <error string on failure>
 	}
 
+### unload-shared() ###
+
+Unload a previously loaded shared IKE PSK, EAP or XAuth secret by its unique
+identifier.
+
+	{
+		id = <unique identifier of the shared key to unload>
+	} => {
+		success = <yes or no>
+		errmsg = <error string on failure>
+	}
+
+### get-shared() ###
+
+Return a list of unique identifiers of shared keys loaded exclusively over vici,
+not including keys found in other backends.
+
+	{} => {
+		keys = [
+			<list of unique identifiers>
+		]
+	}
+
 ### flush-certs() ###
 
 Flushes the certificate cache. The optional type argument allows to flush
@@ -569,6 +654,7 @@ List the currently loaded pools.
 
 	{
 		leases = <set to yes to include leases>
+		name = <optional name of the pool to query>
 	} => {
 		<pool name>* = {
 			base = <virtual IP pool base address>
@@ -678,7 +764,8 @@ command.
 				<list of tasks currently handling passively>
 			]
 			child-sas = {
-				<child-sa-name>* = {
+				<unique child-sa-name>* = {
+					name = <name of the CHILD_SA>
 					uniqueid = <unique CHILD_SA identifier>
 					reqid = <reqid of CHILD_SA>
 					state = <state string of CHILD_SA>
@@ -689,6 +776,10 @@ command.
 					spi-out = <hex encoded outbound SPI>
 					cpi-in = <hex encoded inbound CPI, if using compression>
 					cpi-out = <hex encoded outbound CPI, if using compression>
+					mark-in = <hex encoded inbound Netfilter mark value>
+					mark-mask-in = <hex encoded inbound Netfilter mark mask>
+					mark-out = <hex encoded outbound Netfilter mark value>
+					mark-mask-out = <hex encoded outbound Netfilter mark mask>
 					encr-alg = <ESP encryption algorithm name, if any>
 					encr-keysize = <ESP encryption key size, if applicable>
 					integ-alg = <ESP or AH integrity algorithm name, if any>
@@ -722,7 +813,9 @@ The _list-policy_ event is issued to stream installed policies during an active
 _list-policies_ command.
 
 	{
-		<child-sa-config-name> = {
+		<ike-sa-config-name/child-sa-config-name> = {
+			child = <CHILD_SA configuration name>
+			ike = <IKE_SA configuration name or namespace, if available>
 			mode = <policy mode, tunnel|transport|pass|drop>
 			local-ts = [
 				<list of local traffic selectors>
diff --git a/src/libcharon/plugins/vici/perl/Makefile.in b/src/libcharon/plugins/vici/perl/Makefile.in
index 523868c..385aa97 100644
--- a/src/libcharon/plugins/vici/perl/Makefile.in
+++ b/src/libcharon/plugins/vici/perl/Makefile.in
@@ -274,7 +274,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -309,6 +308,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/vici/python/Makefile.in b/src/libcharon/plugins/vici/python/Makefile.in
index 4f1a917..f783d70 100644
--- a/src/libcharon/plugins/vici/python/Makefile.in
+++ b/src/libcharon/plugins/vici/python/Makefile.in
@@ -296,7 +296,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -331,6 +330,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/vici/python/vici/protocol.py b/src/libcharon/plugins/vici/python/vici/protocol.py
index 4951817..919231d 100644
--- a/src/libcharon/plugins/vici/python/vici/protocol.py
+++ b/src/libcharon/plugins/vici/python/vici/protocol.py
@@ -33,7 +33,10 @@ class Transport(object):
         """Ensure to read count bytes from the socket"""
         data = b""
         while len(data) < count:
-            data += self.socket.recv(count - len(data))
+            buf = self.socket.recv(count - len(data))
+            if not buf:
+                raise socket.error('Connection closed')
+            data += buf
         return data
 
 
@@ -59,7 +62,7 @@ class Packet(object):
 
     @classmethod
     def _named_request(cls, request_type, request, message=None):
-        request = request.encode()
+        requestdata = request.encode("UTF-8")
         payload = struct.pack("!BB", request_type, len(request)) + request
         if message is not None:
             return payload + message
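Review bot: The encoded bytes are stored in `requestdata`, but the next line still packs `len(request)` and appends `request`, so the encoding added here is never used. On Python 3 that concatenates bytes with a str and raises TypeError. For non-ASCII names the length byte would also count characters rather than encoded bytes. The line should read `payload = struct.pack("!BB", request_type, len(requestdata)) + requestdata`. The rest of `_named_request` lies outside the hunk.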
@@ -102,12 +105,12 @@ class Message(object):
     @classmethod
     def serialize(cls, message):
         def encode_named_type(marker, name):
-            name = name.encode()
+            name = name.encode("UTF-8")
             return struct.pack("!BB", marker, len(name)) + name
 
         def encode_blob(value):
             if not isinstance(value, bytes):
-                value = str(value).encode()
+                value = str(value).encode("UTF-8")
             return struct.pack("!H", len(value)) + value
 
         def serialize_list(lst):
@@ -144,7 +147,7 @@ class Message(object):
     def deserialize(cls, stream):
         def decode_named_type(stream):
             length, = struct.unpack("!B", stream.read(1))
-            return stream.read(length).decode()
+            return stream.read(length).decode("UTF-8")
 
         def decode_blob(stream):
             length, = struct.unpack("!H", stream.read(2))
diff --git a/src/libcharon/plugins/vici/python/vici/session.py b/src/libcharon/plugins/vici/python/vici/session.py
index 5bd4b7c..1383fa7 100644
--- a/src/libcharon/plugins/vici/python/vici/session.py
+++ b/src/libcharon/plugins/vici/python/vici/session.py
@@ -208,13 +208,15 @@ class Session(object):
         """
         self.handler.request("unload-pool", pool_name)
 
-    def get_pools(self):
+    def get_pools(self, options):
         """Retrieve loaded pools.
 
+        :param options: filter by name and/or retrieve leases (optional)
+        :type options: dict
         :return: loaded pools
         :rtype: dict
         """
-        return self.handler.request("get-pools")
+        return self.handler.request("get-pools", options)
 
     def listen(self, event_types):
         """Register and listen for the given events.
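Review bot: The docstring calls `options` optional, but the new signature `get_pools(self, options)` makes it a required positional argument, so existing callers of `get_pools()` now fail with a TypeError. A default keeps the old call working: `def get_pools(self, options=None):`. The removed line called `request("get-pools")` with no message, which suggests the handler accepts a missing one, though its signature is not visible here. The Ruby binding in vici.rb has the same issue with `def get_pools(options)`. There `def get_pools(options = {})` would keep the old call, assuming `Message.new` accepts an empty hash.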
diff --git a/src/libcharon/plugins/vici/ruby/Makefile.in b/src/libcharon/plugins/vici/ruby/Makefile.in
index e176285..125f44e 100644
--- a/src/libcharon/plugins/vici/ruby/Makefile.in
+++ b/src/libcharon/plugins/vici/ruby/Makefile.in
@@ -274,7 +274,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -309,6 +308,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/vici/ruby/lib/vici.rb b/src/libcharon/plugins/vici/ruby/lib/vici.rb
index 1a95fc3..bcf1a17 100644
--- a/src/libcharon/plugins/vici/ruby/lib/vici.rb
+++ b/src/libcharon/plugins/vici/ruby/lib/vici.rb
@@ -492,8 +492,8 @@ module Vici
 
     ##
     # Get the currently loaded pools.
-    def get_pools()
-      @transp.request("get-pools").root
+    def get_pools(options)
+      @transp.request("get-pools", Message.new(options)).root
     end
 
     ##
diff --git a/src/libcharon/plugins/vici/vici_attribute.c b/src/libcharon/plugins/vici/vici_attribute.c
index e0d9b4a..4e1fa97 100644
--- a/src/libcharon/plugins/vici/vici_attribute.c
+++ b/src/libcharon/plugins/vici/vici_attribute.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2014-2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2014-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
@@ -668,10 +668,11 @@ CALLBACK(get_pools, vici_message_t*,
 	identification_t *uid;
 	host_t *lease;
 	bool list_leases, on;
-	char buf[32];
+	char buf[32], *filter;
 	int i;
 
 	list_leases = message->get_bool(message, FALSE, "leases");
+	filter = message->get_str(message, NULL, "name");
 
 	builder = vici_builder_create();
 
@@ -679,6 +680,11 @@ CALLBACK(get_pools, vici_message_t*,
 	enumerator = this->pools->create_enumerator(this->pools);
 	while (enumerator->enumerate(enumerator, &name, &pool))
 	{
+		if (filter && !streq(name, filter))
+		{
+			continue;
+		}
+
 		vips = pool->vips;
 
 		builder->begin_section(builder, name);
diff --git a/src/libcharon/plugins/vici/vici_authority.c b/src/libcharon/plugins/vici/vici_authority.c
index 94a7f68..0fa158b 100644
--- a/src/libcharon/plugins/vici/vici_authority.c
+++ b/src/libcharon/plugins/vici/vici_authority.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2016 Tobias Brunner
  * Copyright (C) 2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -199,9 +200,28 @@ typedef struct {
 typedef struct {
 	request_data_t *request;
 	authority_t *authority;
+	char *handle;
+	uint32_t slot;
+	char *module;
+	char *file;
 } load_data_t;
 
 /**
+ * Clean up data associated with an authority load
+ */
+static void free_load_data(load_data_t *data)
+{
+	if (data->authority)
+	{
+		authority_destroy(data->authority);
+	}
+	free(data->handle);
+	free(data->module);
+	free(data->file);
+	free(data);
+}
+
+/**
  * Parse a string
  */
 CALLBACK(parse_string, bool,
@@ -217,6 +237,28 @@ CALLBACK(parse_string, bool,
 }
 
 /**
+ * Parse a uint32_t
+ */
+CALLBACK(parse_uint32, bool,
+	uint32_t *out, chunk_t v)
+{
+	char buf[16], *end;
+	u_long l;
+
+	if (!vici_stringify(v, buf, sizeof(buf)))
+	{
+		return FALSE;
+	}
+	l = strtoul(buf, &end, 0);
+	if (*end == 0)
+	{
+		*out = l;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
  * Parse list of URIs
  */
 CALLBACK(parse_uris, bool,
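Review bot: The new parse_uint32 accepts values that are not a 32-bit unsigned number. `*end == 0` also holds when no digits were consumed, and `*out = l` stores a `u_long` without a range check, so where `u_long` is wider than 32 bits a larger value is silently truncated. This matters for `slot`, because authority_sn uses `-1` as its "not set" marker, and a client value that ends up as 0xffffffff cannot be told apart from an absent slot. A stricter test would be `if (end != buf && *end == 0 && l <= UINT32_MAX)`. The same pattern is carried into parse_uint32_base in vici_config.c.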
@@ -266,8 +308,12 @@ CALLBACK(authority_kv, bool,
 	load_data_t *data, vici_message_t *message, char *name, chunk_t value)
 {
 	parse_rule_t rules[] = {
-		{ "cacert",			parse_cacert, &data->authority->cert	      },
-		{ "cert_uri_base",	parse_string, &data->authority->cert_uri_base },
+		{ "cacert",			parse_cacert, &data->authority->cert			},
+		{ "file",			parse_string, &data->file						},
+		{ "handle",			parse_string, &data->handle						},
+		{ "slot",			parse_uint32, &data->slot						},
+		{ "module",			parse_string, &data->module						},
+		{ "cert_uri_base",	parse_string, &data->authority->cert_uri_base	},
 	};
 
 	return parse_rules(rules, countof(rules), name, value,
@@ -341,21 +387,60 @@ CALLBACK(authority_sn, bool,
 	linked_list_t *authorities;
 	authority_t *authority;
 	vici_cred_t *cred;
+	load_data_t *data;
+	chunk_t handle;
 
-	load_data_t data = {
+	INIT(data,
 		.request = request,
 		.authority = authority_create(name),
-	};
+		.slot = -1,
+	);
 
 	DBG2(DBG_CFG, " authority %s:", name);
 
-	if (!message->parse(message, ctx, NULL, authority_kv, authority_li, &data) ||
-		!data.authority->cert)
+	if (!message->parse(message, ctx, NULL, authority_kv, authority_li, data))
+	{
+		free_load_data(data);
+		return FALSE;
+	}
+	if (!data->authority->cert)
+	{
+		if (data->file)
+		{
+			data->authority->cert = lib->creds->create(lib->creds,
+										CRED_CERTIFICATE, CERT_X509,
+										BUILD_FROM_FILE, data->file, BUILD_END);
+		}
+		else if (data->handle)
+		{
+			handle = chunk_from_hex(chunk_from_str(data->handle), NULL);
+			if (data->slot != -1)
+			{
+				data->authority->cert = lib->creds->create(lib->creds,
+								CRED_CERTIFICATE, CERT_X509,
+								BUILD_PKCS11_KEYID, handle,
+								BUILD_PKCS11_SLOT, data->slot,
+								data->module ? BUILD_PKCS11_MODULE : BUILD_END,
+								data->module, BUILD_END);
+			}
+			else
+			{
+				data->authority->cert = lib->creds->create(lib->creds,
+								CRED_CERTIFICATE, CERT_X509,
+								BUILD_PKCS11_KEYID, handle,
+								data->module ? BUILD_PKCS11_MODULE : BUILD_END,
+								data->module, BUILD_END);
+			}
+			chunk_free(&handle);
+		}
+	}
+	if (!data->authority->cert)
 	{
-		authority_destroy(data.authority);
+		request->reply = create_reply("CA certificate missing: %s", name);
+		free_load_data(data);
 		return FALSE;
 	}
-	log_authority_data(data.authority);
+	log_authority_data(data->authority);
 
 	request->this->lock->write_lock(request->this->lock);
 
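Review bot: When a client supplies more than one certificate source, the if/else order decides silently: an inline `cacert` wins over `file`, and `file` wins over `handle`. auth_sn in vici_config.c, added in the same commit, instead rejects the request with "handle and file path given". A matching check before loading would make the two consistent, e.g. `if (data->file && data->handle)` followed by a `create_reply(...)` and `free_load_data(data)`. The reply "CA certificate missing: %s" is also sent when a given file or handle failed to load, which hides the real cause. The function body starts before and continues after this hunk.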
@@ -372,12 +457,14 @@ CALLBACK(authority_sn, bool,
 		}
 	}
 	enumerator->destroy(enumerator);
-	authorities->insert_last(authorities, data.authority);
+	authorities->insert_last(authorities, data->authority);
 
 	cred = request->this->cred;
-	data.authority->cert = cred->add_cert(cred, data.authority->cert);
+	data->authority->cert = cred->add_cert(cred, data->authority->cert);
+	data->authority = NULL;
 
 	request->this->lock->unlock(request->this->lock);
+	free_load_data(data);
 
 	return TRUE;
 }
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 2110fd3..12497ec 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -2,7 +2,7 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
- * Copyright (C) 2015-2016 Tobias Brunner
+ * Copyright (C) 2015-2017 Tobias Brunner
  * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -247,6 +247,28 @@ typedef struct {
 } request_data_t;
 
 /**
+ * Certificate data
+ */
+typedef struct {
+	request_data_t *request;
+	char *handle;
+	uint32_t slot;
+	char *module;
+	char *file;
+} cert_data_t;
+
+/**
+ * Clean up certificate data
+ */
+static void free_cert_data(cert_data_t *data)
+{
+	free(data->handle);
+	free(data->module);
+	free(data->file);
+	free(data);
+}
+
+/**
  * Auth config data
  */
 typedef struct {
@@ -295,6 +317,12 @@ typedef struct {
 	uint64_t rekey_time;
 	uint64_t over_time;
 	uint64_t rand_time;
+	uint8_t dscp;
+#ifdef ME
+	bool mediation;
+	char *mediated_by;
+	identification_t *peer_id;
+#endif /* ME */
 } peer_data_t;
 
 /**
@@ -370,6 +398,7 @@ static void log_peer_data(peer_data_t *data)
 	DBG2(DBG_CFG, "  send_cert = %N", cert_policy_names, data->send_cert);
 	DBG2(DBG_CFG, "  mobike = %u", data->mobike);
 	DBG2(DBG_CFG, "  aggressive = %u", data->aggressive);
+	DBG2(DBG_CFG, "  dscp = 0x%.2x", data->dscp);
 	DBG2(DBG_CFG, "  encap = %u", data->encap);
 	DBG2(DBG_CFG, "  dpd_delay = %llu", data->dpd_delay);
 	DBG2(DBG_CFG, "  dpd_timeout = %llu", data->dpd_timeout);
@@ -381,6 +410,14 @@ static void log_peer_data(peer_data_t *data)
 	DBG2(DBG_CFG, "  over_time = %llu", data->over_time);
 	DBG2(DBG_CFG, "  rand_time = %llu", data->rand_time);
 	DBG2(DBG_CFG, "  proposals = %#P", data->proposals);
+#ifdef ME
+	DBG2(DBG_CFG, "  mediation = %u", data->mediation);
+	if (data->mediated_by)
+	{
+		DBG2(DBG_CFG, "  mediated_by = %s", data->mediated_by);
+		DBG2(DBG_CFG, "  mediation_peer = %Y", data->peer_id);
+	}
+#endif /* ME */
 
 	if (data->vips->get_count(data->vips))
 	{
@@ -425,6 +462,10 @@ static void free_peer_data(peer_data_t *data)
 	free(data->pools);
 	free(data->local_addrs);
 	free(data->remote_addrs);
+#ifdef ME
+	free(data->mediated_by);
+	DESTROY_IF(data->peer_id);
+#endif /* ME */
 }
 
 /**
@@ -461,7 +502,8 @@ static void log_child_data(child_data_t *data, char *name)
 	DBG2(DBG_CFG, "   updown = %s", cfg->updown);
 	DBG2(DBG_CFG, "   hostaccess = %u", cfg->hostaccess);
 	DBG2(DBG_CFG, "   ipcomp = %u", cfg->ipcomp);
-	DBG2(DBG_CFG, "   mode = %N", ipsec_mode_names, cfg->mode);
+	DBG2(DBG_CFG, "   mode = %N%s", ipsec_mode_names, cfg->mode,
+		 cfg->proxy_mode ? "_PROXY" : "");
 	DBG2(DBG_CFG, "   policies = %u", data->policies);
 	DBG2(DBG_CFG, "   policies_fwd_out = %u", data->policies_fwd_out);
 	if (data->replay_window != REPLAY_UNDEFINED)
@@ -770,20 +812,22 @@ CALLBACK(parse_bool, bool,
  * Parse a ipsec_mode_t
  */
 CALLBACK(parse_mode, bool,
-	ipsec_mode_t *out, chunk_t v)
+	child_cfg_create_t *cfg, chunk_t v)
 {
 	enum_map_t map[] = {
-		{ "tunnel",		MODE_TUNNEL		},
-		{ "transport",	MODE_TRANSPORT	},
-		{ "beet",		MODE_BEET		},
-		{ "drop",		MODE_DROP		},
-		{ "pass",		MODE_PASS		},
+		{ "tunnel",				MODE_TUNNEL		},
+		{ "transport",			MODE_TRANSPORT	},
+		{ "transport_proxy",	MODE_TRANSPORT	},
+		{ "beet",				MODE_BEET		},
+		{ "drop",				MODE_DROP		},
+		{ "pass",				MODE_PASS		},
 	};
 	int d;
 
 	if (parse_map(map, countof(map), &d, v))
 	{
-		*out = d;
+		cfg->mode = d;
+		cfg->proxy_mode = (d == MODE_TRANSPORT) && (v.len > 9);
 		return TRUE;
 	}
 	return FALSE;
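Review bot: `cfg->proxy_mode = (d == MODE_TRANSPORT) && (v.len > 9);` tells "transport_proxy" from "transport" only by a bare length constant. The reader has to work out that 9 is the length of "transport", and the test is only right if parse_map matches the whole value, which is decided outside this hunk. Writing it as `(v.len > strlen("transport"))` or adding a comment such as `/* "transport_proxy" is longer than "transport" */` would state the intent.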
@@ -814,10 +858,9 @@ CALLBACK(parse_action, bool,
 }
 
 /**
- * Parse a uint32_t
+ * Parse a uint32_t with the given base
  */
-CALLBACK(parse_uint32, bool,
-	uint32_t *out, chunk_t v)
+static bool parse_uint32_base(uint32_t *out, chunk_t v, int base)
 {
 	char buf[16], *end;
 	u_long l;
@@ -826,7 +869,7 @@ CALLBACK(parse_uint32, bool,
 	{
 		return FALSE;
 	}
-	l = strtoul(buf, &end, 0);
+	l = strtoul(buf, &end, base);
 	if (*end == 0)
 	{
 		*out = l;
@@ -836,6 +879,24 @@ CALLBACK(parse_uint32, bool,
 }
 
 /**
+ * Parse a uint32_t
+ */
+CALLBACK(parse_uint32, bool,
+	uint32_t *out, chunk_t v)
+{
+	return parse_uint32_base(out, v, 0);
+}
+
+/**
+ * Parse a uint32_t in binary encoding
+ */
+CALLBACK(parse_uint32_bin, bool,
+	uint32_t *out, chunk_t v)
+{
+	return parse_uint32_base(out, v, 2);
+}
+
+/**
  * Parse a uint64_t
  */
 CALLBACK(parse_uint64, bool,
@@ -984,6 +1045,20 @@ CALLBACK(parse_tfc, bool,
 }
 
 /**
+ * Parse 6-bit DSCP value
+ */
+CALLBACK(parse_dscp, bool,
+	uint8_t *out, chunk_t v)
+{
+	if (parse_uint32_bin(out, v))
+	{
+		*out = *out & 0x3f;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+/**
  * Parse authentication config
  */
 CALLBACK(parse_auth, bool,
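Review bot: parse_dscp passes its `uint8_t *out` to parse_uint32_bin, which ends in parse_uint32_base's `*out = l` through a `uint32_t *`. Four bytes are therefore stored at the address of the one-byte `peer->dscp`, overwriting whatever follows it in peer_data_t (with ME defined that is likely `mediation`). On a big-endian host the low byte would not land in `dscp` at all. The CALLBACK macro is not visible here, so it is unclear whether the compiler would flag the pointer mismatch. Parsing into a local avoids the overwrite: declare `uint32_t val;` and use `if (parse_uint32_bin(&val, v)) { *out = val & 0x3f; return TRUE; }`.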
@@ -1109,27 +1184,52 @@ CALLBACK(parse_group, bool,
 }
 
 /**
- * Parse a certificate; add as auth rule to config
+ * Parse certificate policy
  */
-static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v)
+CALLBACK(parse_cert_policy, bool,
+	auth_cfg_t *cfg, chunk_t v)
+{
+	char buf[BUF_LEN];
+
+	if (!vici_stringify(v, buf, sizeof(buf)))
+	{
+		return FALSE;
+	}
+	cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(buf));
+	return TRUE;
+}
+
+/**
+ * Add a certificate as auth rule to config
+ */
+static bool add_cert(auth_data_t *auth, auth_rule_t rule, certificate_t *cert)
 {
 	vici_authority_t *authority;
 	vici_cred_t *cred;
+
+	if (rule == AUTH_RULE_SUBJECT_CERT)
+	{
+		authority = auth->request->this->authority;
+		authority->check_for_hash_and_url(authority, cert);
+	}
+	cred = auth->request->this->cred;
+	cert = cred->add_cert(cred, cert);
+	auth->cfg->add(auth->cfg, rule, cert);
+	return TRUE;
+}
+
+/**
+ * Parse a certificate; add as auth rule to config
+ */
+static bool parse_cert(auth_data_t *auth, auth_rule_t rule, chunk_t v)
+{
 	certificate_t *cert;
 
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 							  BUILD_BLOB_PEM, v, BUILD_END);
 	if (cert)
 	{
-		if (rule == AUTH_RULE_SUBJECT_CERT)
-		{
-			authority = auth->request->this->authority;
-			authority->check_for_hash_and_url(authority, cert);
-		}
-		cred = auth->request->this->cred;
-		cert = cred->add_cert(cred, cert);
-		auth->cfg->add(auth->cfg, rule, cert);
-		return TRUE;
+		return add_cert(auth, rule, cert);
 	}
 	return FALSE;
 }
@@ -1314,6 +1414,38 @@ CALLBACK(parse_hosts, bool,
 	return TRUE;
 }
 
+#ifdef ME
+/**
+ * Parse peer ID
+ */
+CALLBACK(parse_peer_id, bool,
+	identification_t **out, chunk_t v)
+{
+	char buf[BUF_LEN];
+
+	if (!vici_stringify(v, buf, sizeof(buf)))
+	{
+		return FALSE;
+	}
+	*out = identification_create_from_string(buf);
+	return TRUE;
+}
+#endif /* ME */
+
+CALLBACK(cert_kv, bool,
+	cert_data_t *cert, vici_message_t *message, char *name, chunk_t value)
+{
+	parse_rule_t rules[] = {
+		{ "handle",			parse_string,		&cert->handle				},
+		{ "slot",			parse_uint32,		&cert->slot					},
+		{ "module",			parse_string,		&cert->module				},
+		{ "file",			parse_string,		&cert->file					},
+	};
+
+	return parse_rules(rules, countof(rules), name, value,
+					   &cert->request->reply);
+}
+
 CALLBACK(child_li, bool,
 	child_data_t *child, vici_message_t *message, char *name, chunk_t value)
 {
@@ -1334,7 +1466,7 @@ CALLBACK(child_kv, bool,
 	parse_rule_t rules[] = {
 		{ "updown",				parse_string,		&child->cfg.updown					},
 		{ "hostaccess",			parse_bool,			&child->cfg.hostaccess				},
-		{ "mode",				parse_mode,			&child->cfg.mode					},
+		{ "mode",				parse_mode,			&child->cfg							},
 		{ "policies",			parse_bool,			&child->policies					},
 		{ "policies_fwd_out",	parse_bool,			&child->policies_fwd_out			},
 		{ "replay_window",		parse_uint32,		&child->replay_window				},
@@ -1369,6 +1501,7 @@ CALLBACK(auth_li, bool,
 {
 	parse_rule_t rules[] = {
 		{ "groups",			parse_group,		auth->cfg					},
+		{ "cert_policy",	parse_cert_policy,	auth						},
 		{ "certs",			parse_certs,		auth						},
 		{ "cacerts",		parse_cacerts,		auth						},
 		{ "pubkeys",		parse_pubkeys,		auth						},
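Review bot: The new `cert_policy` rule passes `auth`, but parse_cert_policy is declared with `auth_cfg_t *cfg` and calls `cfg->add(cfg, AUTH_RULE_CERT_POLICY, ...)` on that pointer. The neighbouring `groups` rule passes `auth->cfg` to a parser of the same kind, and add_cert uses `auth->cfg->add`, so `auth` itself appears to be an `auth_data_t *`. If so, the first `cert_policy` entry a client sends would call through a misinterpreted structure. The rule should presumably read `{ "cert_policy", parse_cert_policy, auth->cfg },`. The start of auth_li is outside this hunk.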
@@ -1417,6 +1550,7 @@ CALLBACK(peer_kv, bool,
 		{ "version",		parse_uint32,		&peer->version				},
 		{ "aggressive",		parse_bool,			&peer->aggressive			},
 		{ "pull",			parse_bool,			&peer->pull					},
+		{ "dscp",			parse_dscp,			&peer->dscp					},
 		{ "encap",			parse_bool,			&peer->encap				},
 		{ "mobike",			parse_bool,			&peer->mobike				},
 		{ "dpd_delay",		parse_time,			&peer->dpd_delay			},
@@ -1432,12 +1566,94 @@ CALLBACK(peer_kv, bool,
 		{ "rekey_time",		parse_time,			&peer->rekey_time			},
 		{ "over_time",		parse_time,			&peer->over_time			},
 		{ "rand_time",		parse_time,			&peer->rand_time			},
+#ifdef ME
+		{ "mediation",		parse_bool,			&peer->mediation			},
+		{ "mediated_by",	parse_string,		&peer->mediated_by			},
+		{ "mediation_peer",	parse_peer_id,		&peer->peer_id				},
+#endif /* ME */
 	};
 
 	return parse_rules(rules, countof(rules), name, value,
 					   &peer->request->reply);
 }
 
+CALLBACK(auth_sn, bool,
+	auth_data_t *auth, vici_message_t *message, vici_parse_context_t *ctx,
+	char *name)
+{
+	if (strcasepfx(name, "cert") ||
+		strcasepfx(name, "cacert"))
+	{
+		cert_data_t *data;
+		auth_rule_t rule;
+		certificate_t *cert;
+		chunk_t handle;
+
+		INIT(data,
+			.request = auth->request,
+			.slot = -1,
+		);
+
+		if (!message->parse(message, ctx, NULL, cert_kv, NULL, data))
+		{
+			free_cert_data(data);
+			return FALSE;
+		}
+		if  (!data->handle && !data->file)
+		{
+			auth->request->reply = create_reply("handle or file path missing: "
+												"%s", name);
+			free_cert_data(data);
+			return FALSE;
+		}
+		else if (data->handle && data->file)
+		{
+			auth->request->reply = create_reply("handle and file path given: "
+												"%s", name);
+			free_cert_data(data);
+			return FALSE;
+		}
+
+		if (data->file)
+		{
+			cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+								BUILD_FROM_FILE, data->file, BUILD_END);
+		}
+		else
+		{
+			handle = chunk_from_hex(chunk_from_str(data->handle), NULL);
+			if (data->slot != -1)
+			{
+				cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+								CERT_X509, BUILD_PKCS11_KEYID, handle,
+								BUILD_PKCS11_SLOT, data->slot,
+								data->module ? BUILD_PKCS11_MODULE : BUILD_END,
+								data->module, BUILD_END);
+			}
+			else
+			{
+				cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+								CERT_X509, BUILD_PKCS11_KEYID, handle,
+								data->module ? BUILD_PKCS11_MODULE : BUILD_END,
+								data->module, BUILD_END);
+			}
+			chunk_free(&handle);
+		}
+		free_cert_data(data);
+		if (!cert)
+		{
+			auth->request->reply = create_reply("unable to load certificate: "
+												"%s", name);
+			return FALSE;
+		}
+		rule = strcasepfx(name, "cert") ? AUTH_RULE_SUBJECT_CERT
+										: AUTH_RULE_CA_CERT;
+		return add_cert(auth, rule, cert);
+	}
+	auth->request->reply = create_reply("invalid section: %s", name);
+	return FALSE;
+}
+
 /**
  * Check and update lifetimes
  */
@@ -1600,7 +1816,7 @@ CALLBACK(peer_sn, bool,
 			.cfg = auth_cfg_create(),
 		);
 
-		if (!message->parse(message, ctx, NULL, auth_kv, auth_li, auth))
+		if (!message->parse(message, ctx, auth_sn, auth_kv, auth_li, auth))
 		{
 			free_auth_data(auth);
 			return FALSE;
@@ -1703,7 +1919,8 @@ static void run_start_action(private_vici_config_t *this, peer_cfg_t *peer_cfg,
 			{
 				case MODE_PASS:
 				case MODE_DROP:
-					charon->shunts->install(charon->shunts, child_cfg);
+					charon->shunts->install(charon->shunts,
+									peer_cfg->get_name(peer_cfg), child_cfg);
 					break;
 				default:
 					charon->traps->install(charon->traps, peer_cfg, child_cfg,
@@ -1724,6 +1941,7 @@ static void clear_start_action(private_vici_config_t *this, char *peer_name,
 {
 	enumerator_t *enumerator, *children;
 	child_sa_t *child_sa;
+	peer_cfg_t *peer_cfg;
 	ike_sa_t *ike_sa;
 	uint32_t id = 0, others;
 	array_t *ids = NULL, *ikeids = NULL;
@@ -1811,13 +2029,15 @@ static void clear_start_action(private_vici_config_t *this, char *peer_name,
 			{
 				case MODE_PASS:
 				case MODE_DROP:
-					charon->shunts->uninstall(charon->shunts, name);
+					charon->shunts->uninstall(charon->shunts, peer_name, name);
 					break;
 				default:
 					enumerator = charon->traps->create_enumerator(charon->traps);
-					while (enumerator->enumerate(enumerator, NULL, &child_sa))
+					while (enumerator->enumerate(enumerator, &peer_cfg,
+												 &child_sa))
 					{
-						if (streq(name, child_sa->get_name(child_sa)))
+						if (streq(peer_name, peer_cfg->get_name(peer_cfg)) &&
+							streq(name, child_sa->get_name(child_sa)))
 						{
 							id = child_sa->get_reqid(child_sa);
 							break;
@@ -2080,12 +2300,48 @@ CALLBACK(config_sn, bool,
 		peer.rand_time = min(peer.over_time, peer.rand_time / 2);
 	}
 
+#ifdef ME
+	if (peer.mediation && peer.mediated_by)
+	{
+		DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection "
+			 "at the same time, config discarded");
+		free_peer_data(&peer);
+		return FALSE;
+	}
+	if (peer.mediation)
+	{	/* force unique connections for mediation connections */
+		peer.unique = UNIQUE_REPLACE;
+	}
+	else if (peer.mediated_by)
+	{	/* fallback to remote identity of first auth round if peer_id is not
+		 * given explicitly */
+		auth_cfg_t *cfg;
+
+		if (!peer.peer_id &&
+			peer.remote->get_first(peer.remote, (void**)&cfg) == SUCCESS)
+		{
+			peer.peer_id = cfg->get(cfg, AUTH_RULE_IDENTITY);
+			if (peer.peer_id)
+			{
+				peer.peer_id = peer.peer_id->clone(peer.peer_id);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "mediation peer missing for mediated connection, "
+					 "config discarded");
+				free_peer_data(&peer);
+				return FALSE;
+			}
+		}
+	}
+#endif /* ME */
+
 	log_peer_data(&peer);
 
 	ike_cfg = ike_cfg_create(peer.version, peer.send_certreq, peer.encap,
 						peer.local_addrs, peer.local_port,
 						peer.remote_addrs, peer.remote_port,
-						peer.fragmentation, 0);
+						peer.fragmentation, peer.dscp);
 
 	cfg = (peer_cfg_create_t){
 		.cert_policy = peer.send_cert,
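Review bot: In the `mediated_by` branch the "mediation peer missing" check sits inside the `if` that runs only when `get_first()` returns SUCCESS. If no `mediation_peer` was given and the remote auth list is empty, `peer.peer_id` stays NULL and the config is not discarded. The next hunk then calls `peer.peer_id->clone(peer.peer_id)` whenever `mediated_by` is set, which would dereference NULL. Whether `peer.remote` can be empty at this point is decided earlier in config_sn, outside the hunk. Moving the NULL check after the fallback removes that dependency.

```c
		/* … unchanged: else if (peer.mediated_by), declaration of cfg … */
		if (!peer.peer_id &&
			peer.remote->get_first(peer.remote, (void**)&cfg) == SUCCESS)
		{
			peer.peer_id = cfg->get(cfg, AUTH_RULE_IDENTITY);
			if (peer.peer_id)
			{
				peer.peer_id = peer.peer_id->clone(peer.peer_id);
			}
		}
		if (!peer.peer_id)
		{	/* neither given explicitly nor derivable from the first auth round */
			DBG1(DBG_CFG, "mediation peer missing for mediated connection, "
				 "config discarded");
			free_peer_data(&peer);
			return FALSE;
		}
```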
@@ -2101,6 +2357,14 @@ CALLBACK(config_sn, bool,
 		.dpd = peer.dpd_delay,
 		.dpd_timeout = peer.dpd_timeout,
 	};
+#ifdef ME
+	cfg.mediation = peer.mediation;
+	if (peer.mediated_by)
+	{
+		cfg.mediated_by = peer.mediated_by;
+		cfg.peer_id = peer.peer_id->clone(peer.peer_id);
+	}
+#endif /* ME */
 	peer_cfg = peer_cfg_create(name, ike_cfg, &cfg);
 
 	while (peer.local->remove_first(peer.local,
diff --git a/src/libcharon/plugins/vici/vici_config.h b/src/libcharon/plugins/vici/vici_config.h
index 0c237e7..6bff41c 100644
--- a/src/libcharon/plugins/vici/vici_config.h
+++ b/src/libcharon/plugins/vici/vici_config.h
@@ -38,7 +38,7 @@ typedef struct vici_config_t vici_config_t;
 struct vici_config_t {
 
 	/**
-	 * Implements a configuraiton backend.
+	 * Implements a configuration backend.
 	 */
 	backend_t backend;
 
diff --git a/src/libcharon/plugins/vici/vici_control.c b/src/libcharon/plugins/vici/vici_control.c
index 4400381..afee649 100644
--- a/src/libcharon/plugins/vici/vici_control.c
+++ b/src/libcharon/plugins/vici/vici_control.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015-2017 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
@@ -23,6 +23,8 @@
 
 #include <daemon.h>
 #include <collections/array.h>
+#include <processing/jobs/rekey_ike_sa_job.h>
+#include <processing/jobs/rekey_child_sa_job.h>
 #include <processing/jobs/redirect_job.h>
 
 typedef struct private_vici_control_t private_vici_control_t;
@@ -360,6 +362,100 @@ CALLBACK(terminate, vici_message_t*,
 	return builder->finalize(builder);
 }
 
+CALLBACK(rekey, vici_message_t*,
+	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
+{
+	enumerator_t *isas, *csas;
+	char *child, *ike, *errmsg = NULL;
+	u_int child_id, ike_id, found = 0;
+	ike_sa_t *ike_sa;
+	child_sa_t *child_sa;
+	vici_builder_t *builder;
+
+	child = request->get_str(request, NULL, "child");
+	ike = request->get_str(request, NULL, "ike");
+	child_id = request->get_int(request, 0, "child-id");
+	ike_id = request->get_int(request, 0, "ike-id");
+
+	if (!child && !ike && !ike_id && !child_id)
+	{
+		return send_reply(this, "missing rekey selector");
+	}
+
+	if (ike_id)
+	{
+		DBG1(DBG_CFG, "vici rekey IKE_SA #%d", ike_id);
+	}
+	if (child_id)
+	{
+		DBG1(DBG_CFG, "vici rekey CHILD_SA #%d", child_id);
+	}
+	if (ike)
+	{
+		DBG1(DBG_CFG, "vici rekey IKE_SA '%s'", ike);
+	}
+	if (child)
+	{
+		DBG1(DBG_CFG, "vici rekey CHILD_SA '%s'", child);
+	}
+
+	isas = charon->controller->create_ike_sa_enumerator(charon->controller, TRUE);
+	while (isas->enumerate(isas, &ike_sa))
+	{
+		if (child || child_id)
+		{
+			if (ike && !streq(ike, ike_sa->get_name(ike_sa)))
+			{
+				continue;
+			}
+			if (ike_id && ike_id != ike_sa->get_unique_id(ike_sa))
+			{
+				continue;
+			}
+			csas = ike_sa->create_child_sa_enumerator(ike_sa);
+			while (csas->enumerate(csas, &child_sa))
+			{
+				if (child && !streq(child, child_sa->get_name(child_sa)))
+				{
+					continue;
+				}
+				if (child_id && child_sa->get_unique_id(child_sa) != child_id)
+				{
+					continue;
+				}
+				lib->processor->queue_job(lib->processor,
+						(job_t*)rekey_child_sa_job_create(
+											child_sa->get_protocol(child_sa),
+											child_sa->get_spi(child_sa, TRUE),
+											ike_sa->get_my_host(ike_sa)));
+				found++;
+			}
+			csas->destroy(csas);
+		}
+		else if ((ike && streq(ike, ike_sa->get_name(ike_sa))) ||
+				 (ike_id && ike_id == ike_sa->get_unique_id(ike_sa)))
+		{
+			lib->processor->queue_job(lib->processor,
+				(job_t*)rekey_ike_sa_job_create(ike_sa->get_id(ike_sa), FALSE));
+			found++;
+		}
+	}
+	isas->destroy(isas);
+
+	builder = vici_builder_create();
+	if (!found)
+	{
+		errmsg = "no matching SAs to rekey found";
+	}
+	builder->add_kv(builder, "success", errmsg ? "no" : "yes");
+	builder->add_kv(builder, "matches", "%u", found);
+	if (errmsg)
+	{
+		builder->add_kv(builder, "errmsg", "%s", errmsg);
+	}
+	return builder->finalize(builder);
+}
+
 /**
  * Parse a peer-ip specified, which can be a subnet in CIDR notation, a range
  * or a single IP address.
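Review bot: The IKE_SA branch of `rekey` combines the `ike` and `ike-id` selectors with OR, while the CHILD_SA branch above it applies them as cumulative filters, so a request carrying both a name and an id rekeys every IKE_SA that matches either one. Writing the branch as `else if ((!ike || streq(ike, ike_sa->get_name(ike_sa))) && (!ike_id || ike_id == ike_sa->get_unique_id(ike_sa)))` keeps the selection as narrow as the caller asked for; the earlier "missing rekey selector" check already guarantees that one of the two is set when this branch is reached. The two id log lines also print `u_int` values with `%d`, where `%u` would match both the type and the `matches` reply. Note that `found` counts queued jobs, not completed rekeys, which is worth saying in a header comment on the callback.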
@@ -494,6 +590,7 @@ CALLBACK(redirect, vici_message_t*,
 		errmsg = "no matching SAs to redirect found";
 	}
 	builder->add_kv(builder, "success", errmsg ? "no" : "yes");
+	builder->add_kv(builder, "matches", "%u", found);
 	if (errmsg)
 	{
 		builder->add_kv(builder, "errmsg", "%s", errmsg);
@@ -565,7 +662,8 @@ CALLBACK(install, vici_message_t*,
 	{
 		case MODE_PASS:
 		case MODE_DROP:
-			ok = charon->shunts->install(charon->shunts, child_cfg);
+			ok = charon->shunts->install(charon->shunts,
+									peer_cfg->get_name(peer_cfg), child_cfg);
 			break;
 		default:
 			ok = charon->traps->install(charon->traps, peer_cfg, child_cfg,
@@ -581,12 +679,15 @@ CALLBACK(install, vici_message_t*,
 CALLBACK(uninstall, vici_message_t*,
 	private_vici_control_t *this, char *name, u_int id, vici_message_t *request)
 {
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
 	child_sa_t *child_sa;
 	enumerator_t *enumerator;
 	uint32_t reqid = 0;
-	char *child;
+	char *child, *ike, *ns;
 
 	child = request->get_str(request, NULL, "child");
+	ike = request->get_str(request, NULL, "ike");
 	if (!child)
 	{
 		return send_reply(this, "missing configuration name");
@@ -594,15 +695,39 @@ CALLBACK(uninstall, vici_message_t*,
 
 	DBG1(DBG_CFG, "vici uninstall '%s'", child);
 
-	if (charon->shunts->uninstall(charon->shunts, child))
+	if (!ike)
+	{
+		enumerator = charon->shunts->create_enumerator(charon->shunts);
+		while (enumerator->enumerate(enumerator, &ns, &child_cfg))
+		{
+			if (ns && streq(child, child_cfg->get_name(child_cfg)))
+			{
+				ike = strdup(ns);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+		if (ike)
+		{
+			if (charon->shunts->uninstall(charon->shunts, ike, child))
+			{
+				free(ike);
+				return send_reply(this, NULL);
+			}
+			free(ike);
+			return send_reply(this, "uninstalling policy '%s' failed", child);
+		}
+	}
+	else if (charon->shunts->uninstall(charon->shunts, ike, child))
 	{
 		return send_reply(this, NULL);
 	}
 
 	enumerator = charon->traps->create_enumerator(charon->traps);
-	while (enumerator->enumerate(enumerator, NULL, &child_sa))
+	while (enumerator->enumerate(enumerator, &peer_cfg, &child_sa))
 	{
-		if (streq(child, child_sa->get_name(child_sa)))
+		if ((!ike || streq(ike, peer_cfg->get_name(peer_cfg))) &&
+			streq(child, child_sa->get_name(child_sa)))
 		{
 			reqid = child_sa->get_reqid(child_sa);
 			break;
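Review bot: When no `ike` is given, the shunt lookup takes the first enumerated entry whose child name matches, so if two connections share a child name the caller cannot tell which drop/pass policy was removed, and the log line still prints only the child name. A comment on the loop such as `/* no IKE name given: use the first shunt with a matching child name */`, plus logging the resolved namespace before the uninstall, e.g. `DBG1(DBG_CFG, "vici uninstall '%s/%s'", ike, child);`, would make that choice visible to whoever audits policy changes. `strdup(ns)` is also unchecked, so an allocation failure silently falls through to the trap lookup. The remainder of the callback is outside this hunk.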
@@ -626,6 +751,7 @@ CALLBACK(reload_settings, vici_message_t*,
 {
 	if (lib->settings->load_files(lib->settings, lib->conf, FALSE))
 	{
+		charon->load_loggers(charon);
 		lib->plugins->reload(lib->plugins, NULL);
 		return send_reply(this, NULL);
 	}
@@ -646,6 +772,7 @@ static void manage_commands(private_vici_control_t *this, bool reg)
 {
 	manage_command(this, "initiate", initiate, reg);
 	manage_command(this, "terminate", terminate, reg);
+	manage_command(this, "rekey", rekey, reg);
 	manage_command(this, "redirect", redirect, reg);
 	manage_command(this, "install", install, reg);
 	manage_command(this, "uninstall", uninstall, reg);
diff --git a/src/libcharon/plugins/vici/vici_cred.c b/src/libcharon/plugins/vici/vici_cred.c
index baf285f..6c7c194 100644
--- a/src/libcharon/plugins/vici/vici_cred.c
+++ b/src/libcharon/plugins/vici/vici_cred.c
@@ -1,9 +1,11 @@
 /*
+ * Copyright (C) 2015-2016 Andreas Steffen
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
- * Copyright (C) 2015-2016 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -55,6 +57,11 @@ struct private_vici_cred_t {
 	mem_cred_t *creds;
 
 	/**
+	 * separate credential set for token PINs
+	 */
+	mem_cred_t *pins;
+
+	/**
 	 * cache CRLs to disk?
 	 */
 	bool cachecrl;
@@ -249,6 +256,139 @@ CALLBACK(load_key, vici_message_t*,
 	return create_reply(NULL);
 }
 
+CALLBACK(unload_key, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	chunk_t keyid;
+	char buf[BUF_LEN], *hex, *msg = NULL;
+
+	hex = message->get_str(message, NULL, "id");
+	if (!hex)
+	{
+		return create_reply("key id missing");
+	}
+	keyid = chunk_from_hex(chunk_from_str(hex), NULL);
+	snprintf(buf, sizeof(buf), "%+B", &keyid);
+	DBG1(DBG_CFG, "unloaded private key with id %s", buf);
+	if (this->creds->remove_key(this->creds, keyid))
+	{	/* also remove any potential PIN associated with this id */
+		this->pins->remove_shared_unique(this->pins, buf);
+	}
+	else
+	{
+		msg = "key not found";
+	}
+	chunk_free(&keyid);
+	return create_reply(msg);
+}
+
+CALLBACK(get_keys, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	vici_builder_t *builder;
+	enumerator_t *enumerator;
+	private_key_t *private;
+	chunk_t keyid;
+
+	builder = vici_builder_create();
+	builder->begin_list(builder, "keys");
+
+	enumerator = this->creds->set.create_private_enumerator(&this->creds->set,
+															KEY_ANY, NULL);
+	while (enumerator->enumerate(enumerator, &private))
+	{
+		if (private->get_fingerprint(private, KEYID_PUBKEY_SHA1, &keyid))
+		{
+			builder->add_li(builder, "%+B", &keyid);
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	builder->end_list(builder);
+	return builder->finalize(builder);
+}
+
+CALLBACK(load_token, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	vici_builder_t *builder;
+	private_key_t *key;
+	shared_key_t *shared = NULL;
+	identification_t *owner;
+	mem_cred_t *set = NULL;
+	chunk_t handle, fp;
+	char buf[BUF_LEN], *hex, *module, *pin, *unique = NULL;
+	int slot;
+
+	hex = message->get_str(message, NULL, "handle");
+	if (!hex)
+	{
+		return create_reply("keyid missing");
+	}
+	handle = chunk_from_hex(chunk_from_str(hex), NULL);
+	slot = message->get_int(message, -1, "slot");
+	module = message->get_str(message, NULL, "module");
+	pin = message->get_str(message, NULL, "pin");
+
+	if (pin)
+	{	/* provide the pin in a temporary credential set to access the key */
+		shared = shared_key_create(SHARED_PIN, chunk_clone(chunk_from_str(pin)));
+		owner = identification_create_from_encoding(ID_KEY_ID, handle);
+		set = mem_cred_create();
+		set->add_shared(set, shared->get_ref(shared), owner, NULL);
+		lib->credmgr->add_local_set(lib->credmgr, &set->set, FALSE);
+	}
+	if (slot >= 0)
+	{
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+						BUILD_PKCS11_KEYID, handle,
+						BUILD_PKCS11_SLOT, slot,
+						module ? BUILD_PKCS11_MODULE : BUILD_END, module,
+						BUILD_END);
+	}
+	else
+	{
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+						BUILD_PKCS11_KEYID, handle,
+						module ? BUILD_PKCS11_MODULE : BUILD_END, module,
+						BUILD_END);
+	}
+	if (set)
+	{
+		lib->credmgr->remove_local_set(lib->credmgr, &set->set);
+		set->destroy(set);
+	}
+	if (!key)
+	{
+		chunk_free(&handle);
+		DESTROY_IF(shared);
+		return create_reply("loading private key from token failed");
+	}
+	builder = vici_builder_create();
+	builder->add_kv(builder, "success", "yes");
+	if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp))
+	{
+		snprintf(buf, sizeof(buf), "%+B", &fp);
+		builder->add_kv(builder, "id", "%s", buf);
+		unique = buf;
+	}
+	if (shared && unique)
+	{	/* use the handle as owner, but the key identifier as unique ID */
+		owner = identification_create_from_encoding(ID_KEY_ID, handle);
+		this->pins->add_shared_unique(this->pins, unique, shared,
+									linked_list_create_with_items(owner, NULL));
+	}
+	else
+	{
+		DESTROY_IF(shared);
+	}
+	DBG1(DBG_CFG, "loaded %N private key from token", key_type_names,
+		 key->get_type(key));
+	this->creds->add_key(this->creds, key);
+	chunk_free(&handle);
+	return builder->finalize(builder);
+}
+
 CALLBACK(shared_owners, bool,
 	linked_list_t *owners, vici_message_t *message, char *name, chunk_t value)
 {
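Review bot: `unload_key` logs "unloaded private key with id ..." before `remove_key()` has been called, so the message also appears when the reply is "key not found"; for a credential operation the log should record what actually happened. Moving the line `DBG1(DBG_CFG, "unloaded private key with id %s", buf);` into the success branch next to `remove_shared_unique()` fixes that. `unload_shared`, added in a later hunk of this file, has the same pattern: it logs the unload and replies with success whether or not an entry with that id existed.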
@@ -271,11 +411,12 @@ CALLBACK(load_shared, vici_message_t*,
 	shared_key_type_t type;
 	linked_list_t *owners;
 	chunk_t data;
-	char *str, buf[512] = "";
+	char *unique, *str, buf[512] = "";
 	enumerator_t *enumerator;
 	identification_t *owner;
 	int len;
 
+	unique = message->get_str(message, NULL, "id");
 	str = message->get_str(message, NULL, "type");
 	if (!str)
 	{
@@ -289,6 +430,10 @@ CALLBACK(load_shared, vici_message_t*,
 	{
 		type = SHARED_EAP;
 	}
+	else if (strcaseeq(str, "ntlm"))
+	{
+		type = SHARED_NT_HASH;
+	}
 	else
 	{
 		return create_reply("invalid shared key type: %s", str);
@@ -322,15 +467,59 @@ CALLBACK(load_shared, vici_message_t*,
 	}
 	enumerator->destroy(enumerator);
 
-	DBG1(DBG_CFG, "loaded %N shared key for: %s",
-		 shared_key_type_names, type, buf);
+	if (unique)
+	{
+		DBG1(DBG_CFG, "loaded %N shared key with id '%s' for: %s",
+			 shared_key_type_names, type, unique, buf);
+	}
+	else
+	{
+		DBG1(DBG_CFG, "loaded %N shared key for: %s",
+			 shared_key_type_names, type, buf);
+	}
 
-	this->creds->add_shared_list(this->creds,
+	this->creds->add_shared_unique(this->creds, unique,
 						shared_key_create(type, chunk_clone(data)), owners);
 
 	return create_reply(NULL);
 }
 
+CALLBACK(unload_shared, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	char *unique;
+
+	unique = message->get_str(message, NULL, "id");
+	if (!unique)
+	{
+		return create_reply("unique identifier missing");
+	}
+	DBG1(DBG_CFG, "unloaded shared key with id '%s'", unique);
+	this->creds->remove_shared_unique(this->creds, unique);
+	return create_reply(NULL);
+}
+
+CALLBACK(get_shared, vici_message_t*,
+	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
+{
+	vici_builder_t *builder;
+	enumerator_t *enumerator;
+	char *unique;
+
+	builder = vici_builder_create();
+	builder->begin_list(builder, "keys");
+
+	enumerator = this->creds->create_unique_shared_enumerator(this->creds);
+	while (enumerator->enumerate(enumerator, &unique))
+	{
+		builder->add_li(builder, "%s", unique);
+	}
+	enumerator->destroy(enumerator);
+
+	builder->end_list(builder);
+	return builder->finalize(builder);
+}
+
 CALLBACK(clear_creds, vici_message_t*,
 	private_vici_cred_t *this, char *name, u_int id, vici_message_t *message)
 {
@@ -374,7 +563,12 @@ static void manage_commands(private_vici_cred_t *this, bool reg)
 	manage_command(this, "flush-certs", flush_certs, reg);
 	manage_command(this, "load-cert", load_cert, reg);
 	manage_command(this, "load-key", load_key, reg);
+	manage_command(this, "unload-key", unload_key, reg);
+	manage_command(this, "get-keys", get_keys, reg);
+	manage_command(this, "load-token", load_token, reg);
 	manage_command(this, "load-shared", load_shared, reg);
+	manage_command(this, "unload-shared", unload_shared, reg);
+	manage_command(this, "get-shared", get_shared, reg);
 }
 
 METHOD(vici_cred_t, add_cert, certificate_t*,
@@ -390,6 +584,8 @@ METHOD(vici_cred_t, destroy, void,
 
 	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
 	this->creds->destroy(this->creds);
+	lib->credmgr->remove_set(lib->credmgr, &this->pins->set);
+	this->pins->destroy(this->pins);
 	free(this);
 }
 
@@ -414,6 +610,7 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
 		},
 		.dispatcher = dispatcher,
 		.creds = mem_cred_create(),
+		.pins = mem_cred_create(),
 	);
 
 	if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns))
@@ -422,6 +619,7 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
 		DBG1(DBG_CFG, "crl caching to %s enabled", CRL_DIR);
 	}
 	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+	lib->credmgr->add_set(lib->credmgr, &this->pins->set);
 
 	manage_commands(this, TRUE);
 
diff --git a/src/libcharon/plugins/vici/vici_dispatcher.c b/src/libcharon/plugins/vici/vici_dispatcher.c
index ffe0d61..596255b 100644
--- a/src/libcharon/plugins/vici/vici_dispatcher.c
+++ b/src/libcharon/plugins/vici/vici_dispatcher.c
@@ -471,15 +471,17 @@ METHOD(vici_dispatcher_t, manage_event, void,
 METHOD(vici_dispatcher_t, has_event_listeners, bool,
 	private_vici_dispatcher_t *this, char *name)
 {
+	event_t *event;
 	bool retval = FALSE;
 
 	this->mutex->lock(this->mutex);
-	if (this->events->get(this->events, name))
+	event = this->events->get(this->events, name);
+	if (event)
 	{
 		/* the entry might be getting destroyed, but returning
 		 * false positive is not a problem as a later raise_event
 		 * will check things again. */
-		retval = TRUE;
+		retval = array_count(event->clients);
 	}
 	this->mutex->unlock(this->mutex);
 
diff --git a/src/libcharon/plugins/vici/vici_logger.c b/src/libcharon/plugins/vici/vici_logger.c
index 6d3584e..8e7bcfa 100644
--- a/src/libcharon/plugins/vici/vici_logger.c
+++ b/src/libcharon/plugins/vici/vici_logger.c
@@ -95,6 +95,11 @@ METHOD(logger_t, log_, void,
 	private_vici_logger_t *this, debug_t group, level_t level, int thread,
 	ike_sa_t* ike_sa, const char *msg)
 {
+	if (!this->dispatcher->has_event_listeners(this->dispatcher, "log"))
+	{
+		return;
+	}
+
 	this->mutex->lock(this->mutex);
 
 	/* avoid recursive invocations by the vici subsystem */
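Review bot: The new `has_event_listeners()` call runs before this logger takes its own lock and before the "avoid recursive invocations" guard that follows, while the dispatcher side of that call locks the dispatcher mutex (see the vici_dispatcher.c hunk). If any vici code path logs at a level this logger accepts while it holds the dispatcher mutex, `log_` would now try to take that mutex a second time; whether such a path exists cannot be seen from this hunk. Moving the check behind the recursion guard, or adding a comment such as `/* must not be reached with the dispatcher mutex held */`, would record the locking assumption. The rest of `log_` is outside the hunk.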
@@ -130,6 +135,8 @@ METHOD(logger_t, log_, void,
 METHOD(logger_t, get_level, level_t,
 	private_vici_logger_t *this, debug_t group)
 {
+	/* anything higher might produce a loop as sending messages or listening
+	 * for clients might cause log messages itself */
 	return LEVEL_CTRL;
 }
 
diff --git a/src/libcharon/plugins/vici/vici_query.c b/src/libcharon/plugins/vici/vici_query.c
index 828b619..c0f4e2d 100644
--- a/src/libcharon/plugins/vici/vici_query.c
+++ b/src/libcharon/plugins/vici/vici_query.c
@@ -79,6 +79,42 @@ struct private_vici_query_t {
 	time_t uptime;
 };
 
+static void add_mark(vici_builder_t *b, mark_t mark,
+					 char *label, char *mask_label)
+{
+	if (mark.value | mark.mask)
+	{
+		b->add_kv(b, label, "%.8x", mark.value);
+		if (~mark.mask)
+		{
+			b->add_kv(b, mask_label, "%.8x", mark.mask);
+		}
+	}
+}
+
+/**
+ * List the mode of a CHILD_SA or config
+ */
+static void list_mode(vici_builder_t *b, child_sa_t *child, child_cfg_t *cfg)
+{
+	ipsec_mode_t mode;
+	char *sub_mode = "";
+
+	if (child || cfg)
+	{
+		if (!cfg)
+		{
+			cfg = child->get_config(child);
+		}
+		mode = child ? child->get_mode(child) : cfg->get_mode(cfg);
+		if (mode == MODE_TRANSPORT && cfg->use_proxy_mode(cfg))
+		{	/* only report this if the negotiated mode is actually TRANSPORT */
+			sub_mode = "_PROXY";
+		}
+		b->add_kv(b, "mode", "%N%s", ipsec_mode_names, mode, sub_mode);
+	}
+}
+
 /**
  * List details of a CHILD_SA
  */
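Review bot: `add_mark` is the only helper added here without a header comment, and both of its conditions need a second read: `mark.value | mark.mask` is a bitwise OR used as an "anything set" test, and `~mark.mask` suppresses the mask key when the mask is all ones. A comment like `/** Add a mark to the message if set, and its mask unless it is all ones */` would cover the contract. Writing the first test as `mark.value || mark.mask` and, assuming the mask is a 32-bit field as the `%.8x` format suggests, the second as `mark.mask != 0xffffffff` would state the intent directly.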
@@ -92,10 +128,11 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
 	enumerator_t *enumerator;
 	traffic_selector_t *ts;
 
+	b->add_kv(b, "name", "%s", child->get_name(child));
 	b->add_kv(b, "uniqueid", "%u", child->get_unique_id(child));
 	b->add_kv(b, "reqid", "%u", child->get_reqid(child));
 	b->add_kv(b, "state", "%N", child_sa_state_names, child->get_state(child));
-	b->add_kv(b, "mode", "%N", ipsec_mode_names, child->get_mode(child));
+	list_mode(b, child, NULL);
 	if (child->get_state(child) == CHILD_INSTALLED ||
 		child->get_state(child) == CHILD_REKEYING ||
 		child->get_state(child) == CHILD_REKEYED)
@@ -114,6 +151,8 @@ static void list_child(private_vici_query_t *this, vici_builder_t *b,
 			b->add_kv(b, "cpi-in", "%.4x", ntohs(child->get_cpi(child, TRUE)));
 			b->add_kv(b, "cpi-out", "%.4x", ntohs(child->get_cpi(child, FALSE)));
 		}
+		add_mark(b, child->get_mark(child, TRUE), "mark-in", "mark-mask-in");
+		add_mark(b, child->get_mark(child, FALSE), "mark-out", "mark-mask-out");
 		proposal = child->get_proposal(child);
 		if (proposal)
 		{
@@ -382,6 +421,7 @@ CALLBACK(list_sas, vici_message_t*,
 	char *ike;
 	u_int ike_id;
 	bool bl;
+	char buf[BUF_LEN];
 
 	bl = request->get_str(request, NULL, "noblock") == NULL;
 	ike = request->get_str(request, NULL, "ike");
@@ -410,7 +450,9 @@ CALLBACK(list_sas, vici_message_t*,
 		csas = ike_sa->create_child_sa_enumerator(ike_sa);
 		while (csas->enumerate(csas, &child_sa))
 		{
-			b->begin_section(b, child_sa->get_name(child_sa));
+			snprintf(buf, sizeof(buf), "%s-%u", child_sa->get_name(child_sa),
+					 child_sa->get_unique_id(child_sa));
+			b->begin_section(b, buf);
 			list_child(this, b, child_sa, now);
 			b->end_section(b);
 		}
@@ -431,16 +473,21 @@ CALLBACK(list_sas, vici_message_t*,
 /**
  * Raise a list-policy event for given CHILD_SA
  */
-static void raise_policy(private_vici_query_t *this, u_int id, child_sa_t *child)
+static void raise_policy(private_vici_query_t *this, u_int id, char *ike,
+						 child_sa_t *child)
 {
 	enumerator_t *enumerator;
 	traffic_selector_t *ts;
 	vici_builder_t *b;
+	char buf[BUF_LEN];
 
 	b = vici_builder_create();
-	b->begin_section(b, child->get_name(child));
+	snprintf(buf, sizeof(buf), "%s/%s", ike, child->get_name(child));
+	b->begin_section(b, buf);
+	b->add_kv(b, "child", "%s", child->get_name(child));
+	b->add_kv(b, "ike", "%s", ike);
 
-	b->add_kv(b, "mode", "%N", ipsec_mode_names, child->get_mode(child));
+	list_mode(b, child, NULL);
 
 	b->begin_list(b, "local-ts");
 	enumerator = child->create_ts_enumerator(child, TRUE);
@@ -469,18 +516,26 @@ static void raise_policy(private_vici_query_t *this, u_int id, child_sa_t *child
 /**
  * Raise a list-policy event for given CHILD_SA config
  */
-static void raise_policy_cfg(private_vici_query_t *this, u_int id,
+static void raise_policy_cfg(private_vici_query_t *this, u_int id, char *ike,
 							 child_cfg_t *cfg)
 {
 	enumerator_t *enumerator;
 	linked_list_t *list;
 	traffic_selector_t *ts;
 	vici_builder_t *b;
+	char buf[BUF_LEN];
 
 	b = vici_builder_create();
-	b->begin_section(b, cfg->get_name(cfg));
+	snprintf(buf, sizeof(buf), "%s%s%s", ike ? ike : "", ike ? "/" : "",
+			 cfg->get_name(cfg));
+	b->begin_section(b, buf);
+	b->add_kv(b, "child", "%s", cfg->get_name(cfg));
+	if (ike)
+	{
+		b->add_kv(b, "ike", "%s", ike);
+	}
 
-	b->add_kv(b, "mode", "%N", ipsec_mode_names, cfg->get_mode(cfg));
+	list_mode(b, NULL, cfg);
 
 	b->begin_list(b, "local-ts");
 	list = cfg->get_traffic_selectors(cfg, TRUE, NULL, NULL);
@@ -516,25 +571,28 @@ CALLBACK(list_policies, vici_message_t*,
 	enumerator_t *enumerator;
 	vici_builder_t *b;
 	child_sa_t *child_sa;
+	peer_cfg_t *peer_cfg;
 	child_cfg_t *child_cfg;
 	bool drop, pass, trap;
-	char *child;
+	char *child, *ike, *ns;
 
 	drop = request->get_str(request, NULL, "drop") != NULL;
 	pass = request->get_str(request, NULL, "pass") != NULL;
 	trap = request->get_str(request, NULL, "trap") != NULL;
 	child = request->get_str(request, NULL, "child");
+	ike = request->get_str(request, NULL, "ike");
 
 	if (trap)
 	{
 		enumerator = charon->traps->create_enumerator(charon->traps);
-		while (enumerator->enumerate(enumerator, NULL, &child_sa))
+		while (enumerator->enumerate(enumerator, &peer_cfg, &child_sa))
 		{
-			if (child && !streq(child, child_sa->get_name(child_sa)))
+			if ((ike && !streq(ike, peer_cfg->get_name(peer_cfg))) ||
+				(child && !streq(child, child_sa->get_name(child_sa))))
 			{
 				continue;
 			}
-			raise_policy(this, id, child_sa);
+			raise_policy(this, id, peer_cfg->get_name(peer_cfg), child_sa);
 		}
 		enumerator->destroy(enumerator);
 	}
@@ -542,9 +600,10 @@ CALLBACK(list_policies, vici_message_t*,
 	if (drop || pass)
 	{
 		enumerator = charon->shunts->create_enumerator(charon->shunts);
-		while (enumerator->enumerate(enumerator, &child_cfg))
+		while (enumerator->enumerate(enumerator, &ns, &child_cfg))
 		{
-			if (child && !streq(child, child_cfg->get_name(child_cfg)))
+			if ((ike && !streq(ike, ns)) ||
+				(child && !streq(child, child_cfg->get_name(child_cfg))))
 			{
 				continue;
 			}
@@ -553,13 +612,13 @@ CALLBACK(list_policies, vici_message_t*,
 				case MODE_DROP:
 					if (drop)
 					{
-						raise_policy_cfg(this, id, child_cfg);
+						raise_policy_cfg(this, id, ns, child_cfg);
 					}
 					break;
 				case MODE_PASS:
 					if (pass)
 					{
-						raise_policy_cfg(this, id, child_cfg);
+						raise_policy_cfg(this, id, ns, child_cfg);
 					}
 					break;
 				default:
@@ -731,6 +790,8 @@ CALLBACK(list_conns, vici_message_t*,
 			peer_cfg->get_reauth_time(peer_cfg, FALSE));
 		b->add_kv(b, "rekey_time", "%u",
 			peer_cfg->get_rekey_time(peer_cfg, FALSE));
+		b->add_kv(b, "unique", "%N", unique_policy_names,
+			peer_cfg->get_unique_policy(peer_cfg));
 
 		build_auth_cfgs(peer_cfg, TRUE, b);
 		build_auth_cfgs(peer_cfg, FALSE, b);
@@ -742,8 +803,7 @@ CALLBACK(list_conns, vici_message_t*,
 		{
 			b->begin_section(b, child_cfg->get_name(child_cfg));
 
-			b->add_kv(b, "mode", "%N", ipsec_mode_names,
-				child_cfg->get_mode(child_cfg));
+			list_mode(b, NULL, child_cfg);
 
 			lft = child_cfg->get_lifetime(child_cfg, FALSE);
 			b->add_kv(b, "rekey_time",    "%"PRIu64, lft->time.rekey);
diff --git a/src/libcharon/plugins/whitelist/Makefile.in b/src/libcharon/plugins/whitelist/Makefile.in
index 2e7bf02..b859613 100644
--- a/src/libcharon/plugins/whitelist/Makefile.in
+++ b/src/libcharon/plugins/whitelist/Makefile.in
@@ -367,7 +367,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -402,6 +401,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_eap/Makefile.in b/src/libcharon/plugins/xauth_eap/Makefile.in
index 541bec9..a6554d6 100644
--- a/src/libcharon/plugins/xauth_eap/Makefile.in
+++ b/src/libcharon/plugins/xauth_eap/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_generic/Makefile.in b/src/libcharon/plugins/xauth_generic/Makefile.in
index 50a6c80..87d627b 100644
--- a/src/libcharon/plugins/xauth_generic/Makefile.in
+++ b/src/libcharon/plugins/xauth_generic/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_noauth/Makefile.in b/src/libcharon/plugins/xauth_noauth/Makefile.in
index e2353a4..13fb71a 100644
--- a/src/libcharon/plugins/xauth_noauth/Makefile.in
+++ b/src/libcharon/plugins/xauth_noauth/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/plugins/xauth_pam/Makefile.in b/src/libcharon/plugins/xauth_pam/Makefile.in
index 048e4d5..821d46e 100644
--- a/src/libcharon/plugins/xauth_pam/Makefile.in
+++ b/src/libcharon/plugins/xauth_pam/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.c b/src/libcharon/processing/jobs/delete_ike_sa_job.c
index a394e9d..53a1705 100644
--- a/src/libcharon/processing/jobs/delete_ike_sa_job.c
+++ b/src/libcharon/processing/jobs/delete_ike_sa_job.c
@@ -93,7 +93,8 @@ METHOD(job_t, execute, job_requeue_t,
 			}
 			else
 			{
-				DBG1(DBG_JOB, "deleting half open IKE_SA after timeout");
+				DBG1(DBG_JOB, "deleting half open IKE_SA with %H after "
+					 "timeout", ike_sa->get_other_host(ike_sa));
 				charon->bus->alert(charon->bus, ALERT_HALF_OPEN_TIMEOUT);
 				charon->ike_sa_manager->checkin_and_destroy(
 												charon->ike_sa_manager, ike_sa);
diff --git a/src/libcharon/processing/jobs/initiate_mediation_job.c b/src/libcharon/processing/jobs/initiate_mediation_job.c
index 6c01ffe..1082eae 100644
--- a/src/libcharon/processing/jobs/initiate_mediation_job.c
+++ b/src/libcharon/processing/jobs/initiate_mediation_job.c
@@ -82,8 +82,25 @@ METHOD(job_t, initiate, job_requeue_t,
 
 		charon->ike_sa_manager->checkin(charon->ike_sa_manager, mediated_sa);
 
-		mediation_cfg = mediated_cfg->get_mediated_by(mediated_cfg);
-		mediation_cfg->get_ref(mediation_cfg);
+		mediation_cfg = charon->backends->get_peer_cfg_by_name(charon->backends,
+								mediated_cfg->get_mediated_by(mediated_cfg));
+		if (!mediation_cfg)
+		{
+			DBG1(DBG_IKE, "mediation connection '%s' not found, aborting",
+				 mediated_cfg->get_mediated_by(mediated_cfg));
+			mediated_cfg->destroy(mediated_cfg);
+			return JOB_REQUEUE_NONE;
+		}
+		if (!mediation_cfg->is_mediation(mediation_cfg))
+		{
+			DBG1(DBG_CFG, "connection '%s' as referred to by '%s' is no "
+				 "mediation connection, aborting",
+				 mediated_cfg->get_mediated_by(mediated_cfg),
+				 mediated_cfg->get_name(mediated_cfg));
+			mediated_cfg->destroy(mediated_cfg);
+			mediation_cfg->destroy(mediation_cfg);
+			return JOB_REQUEUE_NONE;
+		}
 
 		enumerator = mediation_cfg->create_auth_cfg_enumerator(mediation_cfg,
 															   TRUE);
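Review bot: The two new abort paths log to different groups, `DBG_IKE` for "mediation connection '%s' not found" and `DBG_CFG` for "is no mediation connection", although both report the same kind of failure in the same job. Anyone filtering or raising log levels per group will see only one of them, so using one group for both, e.g. `DBG1(DBG_IKE, "connection '%s' as referred to by '%s' is no "`, keeps the failure traceable in one place. The enclosing `initiate` method starts and ends outside this hunk.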
diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c
index 5e88ac2..654ec6a 100644
--- a/src/libcharon/processing/jobs/start_action_job.c
+++ b/src/libcharon/processing/jobs/start_action_job.c
@@ -68,7 +68,9 @@ METHOD(job_t, execute, job_requeue_t,
 					mode = child_cfg->get_mode(child_cfg);
 					if (mode == MODE_PASS || mode == MODE_DROP)
 					{
-						charon->shunts->install(charon->shunts, child_cfg);
+						charon->shunts->install(charon->shunts,
+												peer_cfg->get_name(peer_cfg),
+												child_cfg);
 					}
 					else
 					{
diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c
index e4364de..b9dd59b 100644
--- a/src/libcharon/sa/child_sa.c
+++ b/src/libcharon/sa/child_sa.c
@@ -1,5 +1,5 @@
 /*
- * Coypright (C) 2016 Andreas Steffen
+ * Copyright (C) 2016 Andreas Steffen
  * Copyright (C) 2006-2016 Tobias Brunner
  * Copyright (C) 2005-2008 Martin Willi
  * Copyright (C) 2006 Daniel Roethlisberger
@@ -479,7 +479,6 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 				.dst = this->my_addr,
 				.spi = this->my_spi,
 				.proto = proto_ike2ip(this->protocol),
-				.mark = this->mark_in,
 			};
 			kernel_ipsec_query_sa_t query = {};
 
@@ -495,9 +494,11 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 					{
 						this->my_usetime = time;
 					}
-					return SUCCESS;
 				}
-				return FAILED;
+				else
+				{
+					status = FAILED;
+				}
 			}
 		}
 	}
@@ -526,9 +527,11 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound)
 					{
 						this->other_usetime = time;
 					}
-					return SUCCESS;
 				}
-				return FAILED;
+				else
+				{
+					status = FAILED;
+				}
 			}
 		}
 	}
@@ -797,7 +800,7 @@ METHOD(child_sa_t, install, status_t,
 		.dst = dst,
 		.spi = spi,
 		.proto = proto_ike2ip(this->protocol),
-		.mark = inbound ? this->mark_in : this->mark_out,
+		.mark = inbound ? (mark_t){} : this->mark_out,
 	};
 	sa = (kernel_ipsec_add_sa_t){
 		.reqid = this->reqid,
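Review bot: `.mark = inbound ? (mark_t){} : this->mark_out,` stops applying `mark_in` to inbound SAs without any comment saying why, and the hunks in update_usebytes, update and destroy drop `.mark = this->mark_in` to match. Marks decide which traffic an SA applies to, so the four sites have to stay in agreement. A short why-comment on this line, e.g. `/* inbound SAs are installed without a mark; query/update/delete must match */`, would stop a later change from reintroducing the mark in only one of them. The install method continues outside this hunk.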
@@ -1144,7 +1147,6 @@ METHOD(child_sa_t, update, status_t,
 				.dst = this->my_addr,
 				.spi = this->my_spi,
 				.proto = proto_ike2ip(this->protocol),
-				.mark = this->mark_in,
 			};
 			kernel_ipsec_update_sa_t sa = {
 				.cpi = this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0,
@@ -1319,7 +1321,6 @@ METHOD(child_sa_t, destroy, void,
 			.dst = this->my_addr,
 			.spi = this->my_spi,
 			.proto = proto_ike2ip(this->protocol),
-			.mark = this->mark_in,
 		};
 		kernel_ipsec_del_sa_t sa = {
 			.cpi = this->my_cpi,
diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c
index 7b87918..76e1069 100644
--- a/src/libcharon/sa/ike_sa.c
+++ b/src/libcharon/sa/ike_sa.c
@@ -617,6 +617,12 @@ METHOD(ike_sa_t, set_message_id, void,
 	}
 }
 
+METHOD(ike_sa_t, get_message_id, uint32_t,
+	private_ike_sa_t *this, bool initiate)
+{
+	return this->task_manager->get_mid(this->task_manager, initiate);
+}
+
 METHOD(ike_sa_t, send_keepalive, void,
 	private_ike_sa_t *this, bool scheduled)
 {
@@ -756,6 +762,10 @@ METHOD(ike_sa_t, send_dpd, status_t,
 	{
 		return INVALID_STATE;
 	}
+	if (this->version == IKEV1 && this->state == IKE_REKEYING)
+	{	/* don't send DPDs for rekeyed IKEv1 SAs */
+		return SUCCESS;
+	}
 	delay = this->peer_cfg->get_dpd(this->peer_cfg);
 	if (this->task_manager->busy(this->task_manager))
 	{
@@ -2436,6 +2446,25 @@ static bool is_current_path_valid(private_ike_sa_t *this)
 {
 	bool valid = FALSE;
 	host_t *src;
+
+	if (supports_extension(this, EXT_MOBIKE) &&
+		lib->settings->get_bool(lib->settings,
+								"%s.prefer_best_path", FALSE, lib->ns))
+	{
+		/* check if the current path is the best path; migrate otherwise */
+		src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
+											  NULL);
+		if (src)
+		{
+			valid = src->ip_equals(src, this->my_host);
+			src->destroy(src);
+		}
+		if (!valid)
+		{
+			DBG1(DBG_IKE, "old path is not preferred anymore");
+		}
+		return valid;
+	}
 	src = charon->kernel->get_source_addr(charon->kernel, this->other_host,
 										  this->my_host);
 	if (src)
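Review bot: With `prefer_best_path` enabled, is_current_path_valid() returns FALSE for a path that still works but is no longer the one get_source_addr() picks, so the function name and any comment above it (outside the hunk) no longer describe the result. I would update that comment to something like `/* Check if the current path is still usable or, with prefer_best_path, still the preferred one */`. The new branch also logs "old path is not preferred anymore" when `src` is NULL, i.e. when no source address was found at all, which reads wrongly in a log during an outage. Logging inside an `else` of `if (src)` with a separate message would keep the two cases apart. The body continues in the next hunk.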
@@ -2446,6 +2475,10 @@ static bool is_current_path_valid(private_ike_sa_t *this)
 		}
 		src->destroy(src);
 	}
+	if (!valid)
+	{
+		DBG1(DBG_IKE, "old path is not available anymore, try to find another");
+	}
 	return valid;
 }
 
@@ -2472,7 +2505,6 @@ static bool is_any_path_valid(private_ike_sa_t *this)
 			break;
 	}
 
-	DBG1(DBG_IKE, "old path is not available anymore, try to find another");
 	enumerator = create_peer_address_enumerator(this);
 	while (enumerator->enumerate(enumerator, &addr))
 	{
@@ -2511,6 +2543,16 @@ METHOD(ike_sa_t, roam, status_t,
 			break;
 	}
 
+	/* ignore roam events if MOBIKE is not supported/enabled and the local
+	 * address is statically configured */
+	if (this->version == IKEV2 && !supports_extension(this, EXT_MOBIKE) &&
+		ike_cfg_has_address(this->ike_cfg, this->my_host, TRUE))
+	{
+		DBG2(DBG_IKE, "keeping statically configured path %H - %H",
+			 this->my_host, this->other_host);
+		return SUCCESS;
+	}
+
 	/* keep existing path if possible */
 	if (is_current_path_valid(this))
 	{
@@ -2885,6 +2927,7 @@ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
 			.get_other_host = _get_other_host,
 			.set_other_host = _set_other_host,
 			.set_message_id = _set_message_id,
+			.get_message_id = _get_message_id,
 			.float_ports = _float_ports,
 			.update_hosts = _update_hosts,
 			.get_my_id = _get_my_id,
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 6f5040d..c8ba2fd 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -151,6 +151,11 @@ enum ike_extension_t {
 	 * IKEv2 Redirect Mechanism, RFC 5685
 	 */
 	EXT_IKE_REDIRECTION = (1<<13),
+
+	/**
+	 * IKEv2 Message ID sync, RFC 6311
+	 */
+	EXT_IKE_MESSAGE_ID_SYNC = (1<<14),
 };
 
 /**
@@ -554,7 +559,7 @@ struct ike_sa_t {
 	void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
 
 	/**
-	 * Set the message id of the IKE_SA.
+	 * Set the message ID of the IKE_SA.
 	 *
 	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
 	 * and one to respond to exchanges (expect).
@@ -565,6 +570,17 @@ struct ike_sa_t {
 	void (*set_message_id)(ike_sa_t *this, bool initiate, uint32_t mid);
 
 	/**
+	 * Get the message ID of the IKE_SA.
+	 *
+	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
+	 * and one to respond to exchanges (expect).
+	 *
+	 * @param initiate		TRUE to get message ID for initiating
+	 * @return				current message
+	 */
+	uint32_t (*get_message_id)(ike_sa_t *this, bool initiate);
+
+	/**
 	 * Add an additional address for the peer.
 	 *
 	 * In MOBIKE, a peer may transmit additional addresses where it is
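Review bot: The doc comment added for `get_message_id` ends with `@return current message`, which drops the word "ID" and does not say which of the two stored IDs is returned. I would write `@param initiate TRUE to get message ID for initiating, FALSE for responding` and `@return current message ID for the selected direction`. The comment already explains that the IKE_SA keeps a send and an expect ID, so the parameter line should say how FALSE maps to them.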
diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c
index ce44207..6bd49a0 100644
--- a/src/libcharon/sa/ike_sa_manager.c
+++ b/src/libcharon/sa/ike_sa_manager.c
@@ -2303,7 +2303,6 @@ ike_sa_manager_t *ike_sa_manager_create()
 	for (i = 0; i < this->segment_count; i++)
 	{
 		this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-		this->segments[i].count = 0;
 	}
 
 	/* we use the same table parameters for the table to track half-open SAs */
@@ -2312,7 +2311,6 @@ ike_sa_manager_t *ike_sa_manager_create()
 	for (i = 0; i < this->segment_count; i++)
 	{
 		this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-		this->half_open_segments[i].count = 0;
 	}
 
 	/* also for the hash table used for duplicate tests */
@@ -2321,7 +2319,6 @@ ike_sa_manager_t *ike_sa_manager_create()
 	for (i = 0; i < this->segment_count; i++)
 	{
 		this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
-		this->connected_peers_segments[i].count = 0;
 	}
 
 	/* and again for the table of hashes of seen initial IKE messages */
@@ -2330,7 +2327,6 @@ ike_sa_manager_t *ike_sa_manager_create()
 	for (i = 0; i < this->segment_count; i++)
 	{
 		this->init_hashes_segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE);
-		this->init_hashes_segments[i].count = 0;
 	}
 
 	this->reuse_ikesa = lib->settings->get_bool(lib->settings,
diff --git a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
index 5debeeb..ddb8c65 100644
--- a/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/psk_v1_authenticator.c
@@ -81,7 +81,7 @@ METHOD(authenticator_t, build, status_t,
 	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (!keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
 					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
-					this->id_payload, &hash))
+					this->id_payload, &hash, NULL))
 	{
 		free(dh.ptr);
 		return FAILED;
@@ -118,7 +118,7 @@ METHOD(authenticator_t, process, status_t,
 	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (!keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
 					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
-					this->id_payload, &hash))
+					this->id_payload, &hash, NULL))
 	{
 		free(dh.ptr);
 		return FAILED;
diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
index eee7dd1..344c1bf 100644
--- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
@@ -102,7 +102,7 @@ METHOD(authenticator_t, build, status_t,
 	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (!keymat->get_hash(keymat, this->initiator, dh, this->dh_value,
 					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
-					this->id_payload, &hash))
+					this->id_payload, &hash, &scheme))
 	{
 		private->destroy(private);
 		free(dh.ptr);
@@ -163,7 +163,7 @@ METHOD(authenticator_t, process, status_t,
 	keymat = (keymat_v1_t*)this->ike_sa->get_keymat(this->ike_sa);
 	if (!keymat->get_hash(keymat, !this->initiator, this->dh_value, dh,
 					this->ike_sa->get_id(this->ike_sa), this->sa_payload,
-					this->id_payload, &hash))
+					this->id_payload, &hash, &scheme))
 	{
 		free(dh.ptr);
 		return FAILED;
diff --git a/src/libcharon/sa/ikev1/iv_manager.c b/src/libcharon/sa/ikev1/iv_manager.c
new file mode 100644
index 0000000..c9f737c
--- /dev/null
+++ b/src/libcharon/sa/ikev1/iv_manager.c
@@ -0,0 +1,355 @@
+/*
+ * Copyright (C) 2011-2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "iv_manager.h"
+
+#include <collections/linked_list.h>
+
+/**
+ * Max. number of IVs/QMs to track.
+ */
+#define MAX_EXCHANGES_DEFAULT 3
+
+typedef struct private_iv_manager_t private_iv_manager_t;
+typedef struct iv_data_t iv_data_t;
+typedef struct qm_data_t qm_data_t;
+
+/**
+ * Data stored for IVs.
+ */
+struct iv_data_t {
+	/**
+	 * message ID
+	 */
+	uint32_t mid;
+
+	/**
+	 * current IV
+	 */
+	chunk_t iv;
+
+	/**
+	 * last block of encrypted message
+	 */
+	chunk_t last_block;
+};
+
+/**
+ * Private data of a iv_manager_t object.
+ */
+struct private_iv_manager_t {
+	/**
+	 * Implement public interface.
+	 */
+	iv_manager_t public;
+
+	/**
+	 * Phase 1 IV.
+	 */
+	iv_data_t phase1_iv;
+
+	/**
+	 * Keep track of IVs for exchanges after phase 1. We store only a limited
+	 * number of IVs in an MRU sort of way. Stores iv_data_t objects.
+	 */
+	linked_list_t *ivs;
+
+	/**
+	 * Keep track of Nonces during Quick Mode exchanges. Only a limited number
+	 * of QMs are tracked at the same time. Stores qm_data_t objects.
+	 */
+	linked_list_t *qms;
+
+	/**
+	 * Max. number of IVs/Quick Modes to track.
+	 */
+	int max_exchanges;
+
+	/**
+	 * Hasher used for IV generation.
+	 */
+	hasher_t *hasher;
+
+	/*
+	 * Encryption algorithm the block size.
+	 */
+	size_t block_size;
+};
+
+/**
+ * Data stored for Quick Mode exchanges.
+ */
+struct qm_data_t {
+	/**
+	 * Message ID.
+	 */
+	uint32_t mid;
+
+	/**
+	 * Ni_b (Nonce from first message).
+	 */
+	chunk_t n_i;
+
+	/**
+	 * Nr_b (Nonce from second message).
+	 */
+	chunk_t n_r;
+};
+
+/**
+ * Destroy an iv_data_t object.
+ */
+static void iv_data_destroy(iv_data_t *this)
+{
+	chunk_free(&this->last_block);
+	chunk_free(&this->iv);
+	free(this);
+}
+
+/**
+ * Destroy a qm_data_t object.
+ */
+static void qm_data_destroy(qm_data_t *this)
+{
+	chunk_free(&this->n_i);
+	chunk_free(&this->n_r);
+	free(this);
+}
+
+/**
+ * Generate an IV.
+ */
+static bool generate_iv(private_iv_manager_t *this, iv_data_t *iv)
+{
+	if (iv->mid == 0 || iv->iv.ptr)
+	{	/* use last block of previous encrypted message */
+		chunk_free(&iv->iv);
+		iv->iv = iv->last_block;
+		iv->last_block = chunk_empty;
+	}
+	else
+	{
+		/* initial phase 2 IV = hash(last_phase1_block | mid) */
+		uint32_t net;;
+		chunk_t data;
+
+		net = htonl(iv->mid);
+		data = chunk_cata("cc", this->phase1_iv.iv, chunk_from_thing(net));
+		if (!this->hasher->allocate_hash(this->hasher, data, &iv->iv))
+		{
+			return FALSE;
+		}
+		if (iv->iv.len > this->block_size)
+		{
+			iv->iv.len = this->block_size;
+		}
+	}
+	DBG4(DBG_IKE, "next IV for MID %u %B", iv->mid, &iv->iv);
+	return TRUE;
+}
+
+/**
+ * Try to find an IV for the given message ID, if not found, generate it.
+ */
+static iv_data_t *lookup_iv(private_iv_manager_t *this, uint32_t mid)
+{
+	enumerator_t *enumerator;
+	iv_data_t *iv, *found = NULL;
+
+	if (mid == 0)
+	{
+		return &this->phase1_iv;
+	}
+
+	enumerator = this->ivs->create_enumerator(this->ivs);
+	while (enumerator->enumerate(enumerator, &iv))
+	{
+		if (iv->mid == mid)
+		{	/* IV gets moved to the front of the list */
+			this->ivs->remove_at(this->ivs, enumerator);
+			found = iv;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		INIT(found,
+			.mid = mid,
+		);
+		if (!generate_iv(this, found))
+		{
+			iv_data_destroy(found);
+			return NULL;
+		}
+	}
+	this->ivs->insert_first(this->ivs, found);
+	/* remove least recently used IV if maximum reached */
+	if (this->ivs->get_count(this->ivs) > this->max_exchanges &&
+		this->ivs->remove_last(this->ivs, (void**)&iv) == SUCCESS)
+	{
+		iv_data_destroy(iv);
+	}
+	return found;
+}
+
+METHOD(iv_manager_t, init_iv_chain, bool,
+	private_iv_manager_t *this, chunk_t data, hasher_t *hasher,
+	size_t block_size)
+{
+	this->hasher = hasher;
+	this->block_size = block_size;
+
+	if (!this->hasher->allocate_hash(this->hasher, data, &this->phase1_iv.iv))
+	{
+		return FALSE;
+	}
+	if (this->phase1_iv.iv.len > this->block_size)
+	{
+		this->phase1_iv.iv.len = this->block_size;
+	}
+	DBG4(DBG_IKE, "initial IV %B", &this->phase1_iv.iv);
+	return TRUE;
+}
+
+METHOD(iv_manager_t, get_iv, bool,
+	private_iv_manager_t *this, uint32_t mid, chunk_t *out)
+{
+	iv_data_t *iv;
+
+	iv = lookup_iv(this, mid);
+	if (iv)
+	{
+		*out = iv->iv;
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(iv_manager_t, update_iv, bool,
+	private_iv_manager_t *this, uint32_t mid, chunk_t last_block)
+{
+	iv_data_t *iv = lookup_iv(this, mid);
+	if (iv)
+	{	/* update last block */
+		chunk_free(&iv->last_block);
+		iv->last_block = chunk_clone(last_block);
+		return TRUE;
+	}
+	return FALSE;
+}
+
+METHOD(iv_manager_t, confirm_iv, bool,
+	private_iv_manager_t *this, uint32_t mid)
+{
+	iv_data_t *iv = lookup_iv(this, mid);
+	if (iv)
+	{
+		return generate_iv(this, iv);
+	}
+	return FALSE;
+}
+
+METHOD(iv_manager_t, lookup_quick_mode, void,
+	private_iv_manager_t *this, uint32_t mid, chunk_t **n_i, chunk_t **n_r)
+{
+	enumerator_t *enumerator;
+	qm_data_t *qm, *found = NULL;
+
+	enumerator = this->qms->create_enumerator(this->qms);
+	while (enumerator->enumerate(enumerator, &qm))
+	{
+		if (qm->mid == mid)
+		{	/* state gets moved to the front of the list */
+			this->qms->remove_at(this->qms, enumerator);
+			found = qm;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	if (!found)
+	{
+		INIT(found,
+			.mid = mid,
+		);
+	}
+
+	*n_i = &found->n_i;
+	*n_r = &found->n_r;
+
+	this->qms->insert_first(this->qms, found);
+	/* remove least recently used state if maximum reached */
+	if (this->qms->get_count(this->qms) > this->max_exchanges &&
+		this->qms->remove_last(this->qms, (void**)&qm) == SUCCESS)
+	{
+		qm_data_destroy(qm);
+	}
+}
+
+METHOD(iv_manager_t, remove_quick_mode, void,
+	private_iv_manager_t *this, uint32_t mid)
+{
+	enumerator_t *enumerator;
+	qm_data_t *qm;
+
+	enumerator = this->qms->create_enumerator(this->qms);
+	while (enumerator->enumerate(enumerator, &qm))
+	{
+		if (qm->mid == mid)
+		{
+			this->qms->remove_at(this->qms, enumerator);
+			qm_data_destroy(qm);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+METHOD(iv_manager_t, destroy, void,
+	private_iv_manager_t *this)
+{
+	chunk_free(&this->phase1_iv.iv);
+	chunk_free(&this->phase1_iv.last_block);
+	this->ivs->destroy_function(this->ivs, (void*)iv_data_destroy);
+	this->qms->destroy_function(this->qms, (void*)qm_data_destroy);
+	free(this);
+}
+
+iv_manager_t *iv_manager_create(int max_exchanges)
+{
+	private_iv_manager_t *this;
+
+	INIT(this,
+		.public = {
+			.init_iv_chain = _init_iv_chain,
+			.get_iv = _get_iv,
+			.update_iv = _update_iv,
+			.confirm_iv = _confirm_iv,
+			.lookup_quick_mode = _lookup_quick_mode,
+			.remove_quick_mode = _remove_quick_mode,
+			.destroy = _destroy,
+		},
+		.ivs = linked_list_create(),
+		.qms = linked_list_create(),
+		.max_exchanges = max_exchanges,
+	);
+
+	if (!this->max_exchanges)
+	{
+		this->max_exchanges = lib->settings->get_int(lib->settings,
+					"%s.max_ikev1_exchanges", MAX_EXCHANGES_DEFAULT, lib->ns);
+	}
+	return &this->public;
+}
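Review bot: iv_manager_create() accepts any `max_exchanges`, and a `max_ikev1_exchanges` setting of 0 or a negative value leaves `this->max_exchanges` below 1. In lookup_iv() the entry is inserted first and the list is then trimmed with `get_count() > max_exchanges`, so with a limit below 1 `remove_last()` frees the entry that was just inserted and `return found` hands a freed pointer to get_iv(), update_iv() and confirm_iv(). lookup_quick_mode() has the same pattern and leaves `*n_i` and `*n_r` pointing into freed memory. A lower bound after the settings lookup avoids this: `if (this->max_exchanges < 1) { this->max_exchanges = MAX_EXCHANGES_DEFAULT; }`. Smaller points in the same file are the stray `;;` after `uint32_t net` and the garbled field comment "Encryption algorithm the block size."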
diff --git a/src/libcharon/sa/ikev1/iv_manager.h b/src/libcharon/sa/ikev1/iv_manager.h
new file mode 100644
index 0000000..c5273fe
--- /dev/null
+++ b/src/libcharon/sa/ikev1/iv_manager.h
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2011-2016 Tobias Brunner
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup iv_manager iv_manager
+ * @{ @ingroup ikev1
+ */
+
+#ifndef IV_MANAGER_H_
+#define IV_MANAGER_H_
+
+#include <utils/chunk.h>
+#include <crypto/hashers/hasher.h>
+
+typedef struct iv_manager_t iv_manager_t;
+
+/**
+ * IV and QM managing instance for IKEv1. Keeps track of phase 2 exchanges
+ * and IV, as well as the phase 1 IV.
+ */
+struct iv_manager_t {
+
+	/**
+	 * Set the value of the first phase1 IV.
+	 *
+	 * @param data			input to calc initial IV from (g^xi | g^xr)
+	 * @param hasher		hasher to be used for IV calculation
+	 * 						(shared with keymat, must not be destroyed here)
+	 * @param block_size	cipher block size of aead
+	 * @return				TRUE for success, FALSE otherwise
+	 */
+	bool (*init_iv_chain)(iv_manager_t *this, chunk_t data, hasher_t *hasher,
+						  size_t block_size);
+
+	/**
+	 * Returns the IV for a message with the given message ID.
+	 *
+	 * The return chunk contains internal data and is valid until the next
+	 * get_iv/udpate_iv/confirm_iv() call.
+	 *
+	 * @param mid			message ID
+	 * @param iv			chunk receiving IV, internal data
+	 * @return				TRUE if IV allocated successfully
+	 */
+	bool (*get_iv)(iv_manager_t *this, uint32_t mid, chunk_t *iv);
+
+	/**
+	 * Updates the IV for the next message with the given message ID.
+	 *
+	 * A call of confirm_iv() is required in order to actually make the IV
+	 * available.  This is needed for the inbound case where we store the last
+	 * block of the encrypted message but want to update the IV only after
+	 * verification of the decrypted message.
+	 *
+	 * @param mid			message ID
+	 * @param last_block	last block of encrypted message (gets cloned)
+	 * @return				TRUE if IV updated successfully
+	 */
+	bool (*update_iv)(iv_manager_t *this, uint32_t mid, chunk_t last_block);
+
+	/**
+	 * Confirms the updated IV for the given message ID.
+	 *
+	 * To actually make the new IV available via get_iv() this method has to
+	 * be called after update_iv().
+	 *
+	 * @param mid			message ID
+	 * @return				TRUE if IV confirmed successfully
+	 */
+	bool (*confirm_iv)(iv_manager_t *this, uint32_t mid);
+
+	/**
+	 * Try to find a QM for the given message ID, if not found, generate it.
+	 * The nonces shall be assigned by the caller if they are not set yet.
+	 *
+	 * @param mid			message ID
+	 * @param n_i			chunk pointer to contain Ni_b (Nonce from first
+	 * 						message)
+	 * @param n_r			chunk pointer to contain Nr_b (Nonce from second
+	 * 						message)
+	 */
+	void (*lookup_quick_mode)(iv_manager_t *this, uint32_t mid, chunk_t **n_i,
+							  chunk_t **n_r);
+
+	/**
+	 * Remove the QM for the given message ID.
+	 *
+	 * @param mid			message ID
+	 */
+	void (*remove_quick_mode)(iv_manager_t *this, uint32_t mid);
+
+	/*
+	 * Destroy a iv_manager_t.
+	 */
+	void (*destroy)(iv_manager_t *this);
+};
+
+/**
+ * Create an IV and QM manager which is able to store up to max_exchanges
+ * initialization vectors and quick modes.
+ *
+ * @param max_exchanges		maximum number of IVs and QMs to be stored, set
+ * 							to 0 to use default (3, or as configured)
+ * @return					IV and QM manager instance
+ */
+iv_manager_t *iv_manager_create(int max_exchanges);
+
+#endif /** IV_MANAGER_H_ @}*/
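Review bot: The documentation of `lookup_quick_mode` does not state how long the returned `n_i` and `n_r` pointers stay valid. In iv_manager.c they point into a list entry that is freed by `remove_quick_mode()` and can be evicted by a later `lookup_quick_mode()` call for another message ID once `max_exchanges` is exceeded. I would add `The returned pointers reference internal data and are valid only until the next lookup_quick_mode() or remove_quick_mode() call.` to the comment, matching the lifetime note already given for `get_iv`. That note misspells `udpate_iv`, and the comment on `destroy` opens with `/*` instead of `/**`.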
diff --git a/src/libcharon/sa/ikev1/keymat_v1.c b/src/libcharon/sa/ikev1/keymat_v1.c
index d1d4cbd..673a7a1 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.c
+++ b/src/libcharon/sa/ikev1/keymat_v1.c
@@ -16,30 +16,13 @@
 #include "keymat_v1.h"
 
 #include <daemon.h>
+#include <sa/ikev1/iv_manager.h>
 #include <encoding/generator.h>
 #include <encoding/payloads/nonce_payload.h>
-#include <collections/linked_list.h>
 
 typedef struct private_keymat_v1_t private_keymat_v1_t;
 
 /**
- * Max. number of IVs/QMs to track.
- */
-#define MAX_EXCHANGES_DEFAULT 3
-
-/**
- * Data stored for IVs
- */
-typedef struct {
-	/** message ID */
-	uint32_t mid;
-	/** current IV */
-	chunk_t iv;
-	/** last block of encrypted message */
-	chunk_t last_block;
-} iv_data_t;
-
-/**
  * Private data of an keymat_t object.
  */
 struct private_keymat_v1_t {
@@ -85,61 +68,11 @@ struct private_keymat_v1_t {
 	chunk_t skeyid_a;
 
 	/**
-	 * Phase 1 IV
-	 */
-	iv_data_t phase1_iv;
-
-	/**
-	 * Keep track of IVs for exchanges after phase 1. We store only a limited
-	 * number of IVs in an MRU sort of way. Stores iv_data_t objects.
-	 */
-	linked_list_t *ivs;
-
-	/**
-	 * Keep track of Nonces during Quick Mode exchanges. Only a limited number
-	 * of QMs are tracked at the same time. Stores qm_data_t objects.
+	 * IV and QM manager
 	 */
-	linked_list_t *qms;
-
-	/**
-	 * Max. number of IVs/Quick Modes to track.
-	 */
-	int max_exchanges;
+	iv_manager_t *iv_manager;
 };
 
-
-/**
- * Destroy an iv_data_t object.
- */
-static void iv_data_destroy(iv_data_t *this)
-{
-	chunk_free(&this->last_block);
-	chunk_free(&this->iv);
-	free(this);
-}
-
-/**
- * Data stored for Quick Mode exchanges
- */
-typedef struct {
-	/** message ID */
-	uint32_t mid;
-	/** Ni_b (Nonce from first message) */
-	chunk_t n_i;
-	/** Nr_b (Nonce from second message) */
-	chunk_t n_r;
-} qm_data_t;
-
-/**
- * Destroy a qm_data_t object.
- */
-static void qm_data_destroy(qm_data_t *this)
-{
-	chunk_free(&this->n_i);
-	chunk_free(&this->n_r);
-	free(this);
-}
-
 /**
  * Constants used in key derivation.
  */
@@ -567,17 +500,8 @@ METHOD(keymat_v1_t, derive_ike_keys, bool,
 	/* initial IV = hash(g^xi | g^xr) */
 	data = chunk_cata("cc", g_xi, g_xr);
 	chunk_free(&dh_me);
-	if (!this->hasher->allocate_hash(this->hasher, data, &this->phase1_iv.iv))
-	{
-		return FALSE;
-	}
-	if (this->phase1_iv.iv.len > this->aead->get_block_size(this->aead))
-	{
-		this->phase1_iv.iv.len = this->aead->get_block_size(this->aead);
-	}
-	DBG4(DBG_IKE, "initial IV %B", &this->phase1_iv.iv);
-
-	return TRUE;
+	return this->iv_manager->init_iv_chain(this->iv_manager, data, this->hasher,
+										this->aead->get_block_size(this->aead));
 }
 
 METHOD(keymat_v1_t, derive_child_keys, bool,
@@ -748,7 +672,8 @@ METHOD(keymat_v1_t, get_hasher, hasher_t*,
 
 METHOD(keymat_v1_t, get_hash, bool,
 	private_keymat_v1_t *this, bool initiator, chunk_t dh, chunk_t dh_other,
-	ike_sa_id_t *ike_sa_id, chunk_t sa_i, chunk_t id, chunk_t *hash)
+	ike_sa_id_t *ike_sa_id, chunk_t sa_i, chunk_t id, chunk_t *hash,
+	signature_scheme_t *scheme)
 {
 	chunk_t data;
 	uint64_t spi, spi_other;
@@ -843,47 +768,11 @@ static chunk_t get_message_data(message_t *message, generator_t *generator)
 	return generator->get_chunk(generator, &lenpos);
 }
 
-/**
- * Try to find data about a Quick Mode with the given message ID,
- * if none is found, state is generated.
- */
-static qm_data_t *lookup_quick_mode(private_keymat_v1_t *this, uint32_t mid)
-{
-	enumerator_t *enumerator;
-	qm_data_t *qm, *found = NULL;
-
-	enumerator = this->qms->create_enumerator(this->qms);
-	while (enumerator->enumerate(enumerator, &qm))
-	{
-		if (qm->mid == mid)
-		{	/* state gets moved to the front of the list */
-			this->qms->remove_at(this->qms, enumerator);
-			found = qm;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!found)
-	{
-		INIT(found,
-			.mid = mid,
-		);
-	}
-	this->qms->insert_first(this->qms, found);
-	/* remove least recently used state if maximum reached */
-	if (this->qms->get_count(this->qms) > this->max_exchanges &&
-		this->qms->remove_last(this->qms, (void**)&qm) == SUCCESS)
-	{
-		qm_data_destroy(qm);
-	}
-	return found;
-}
-
 METHOD(keymat_v1_t, get_hash_phase2, bool,
 	private_keymat_v1_t *this, message_t *message, chunk_t *hash)
 {
 	uint32_t mid, mid_n;
-	chunk_t data = chunk_empty;
+	chunk_t data = chunk_empty, *n_i, *n_r;
 	bool add_message = TRUE;
 	char *name = "Hash";
 
@@ -907,34 +796,34 @@ METHOD(keymat_v1_t, get_hash_phase2, bool,
 	{
 		case QUICK_MODE:
 		{
-			qm_data_t *qm = lookup_quick_mode(this, mid);
-			if (!qm->n_i.ptr)
+			this->iv_manager->lookup_quick_mode(this->iv_manager, mid, &n_i,
+												&n_r);
+			if (!n_i->ptr)
 			{	/* Hash(1) = prf(SKEYID_a, M-ID | Message after HASH payload) */
 				name = "Hash(1)";
-				if (!get_nonce(message, &qm->n_i))
+				if (!get_nonce(message, n_i))
 				{
 					return FALSE;
 				}
 				data = chunk_from_thing(mid_n);
 			}
-			else if (!qm->n_r.ptr)
+			else if (!n_r->ptr)
 			{	/* Hash(2) = prf(SKEYID_a, M-ID | Ni_b | Message after HASH) */
 				name = "Hash(2)";
-				if (!get_nonce(message, &qm->n_r))
+				if (!get_nonce(message, n_r))
 				{
 					return FALSE;
 				}
-				data = chunk_cata("cc", chunk_from_thing(mid_n), qm->n_i);
+				data = chunk_cata("cc", chunk_from_thing(mid_n), *n_i);
 			}
 			else
 			{	/* Hash(3) = prf(SKEYID_a, 0 | M-ID | Ni_b | Nr_b) */
 				name = "Hash(3)";
 				data = chunk_cata("cccc", octet_0, chunk_from_thing(mid_n),
-								  qm->n_i, qm->n_r);
+								  *n_i, *n_r);
 				add_message = FALSE;
 				/* we don't need the state anymore */
-				this->qms->remove(this->qms, qm, NULL);
-				qm_data_destroy(qm);
+				this->iv_manager->remove_quick_mode(this->iv_manager, mid);
 			}
 			break;
 		}
@@ -976,119 +865,22 @@ METHOD(keymat_v1_t, get_hash_phase2, bool,
 	return TRUE;
 }
 
-/**
- * Generate an IV
- */
-static bool generate_iv(private_keymat_v1_t *this, iv_data_t *iv)
-{
-	if (iv->mid == 0 || iv->iv.ptr)
-	{	/* use last block of previous encrypted message */
-		chunk_free(&iv->iv);
-		iv->iv = iv->last_block;
-		iv->last_block = chunk_empty;
-	}
-	else
-	{
-		/* initial phase 2 IV = hash(last_phase1_block | mid) */
-		uint32_t net;;
-		chunk_t data;
-
-		net = htonl(iv->mid);
-		data = chunk_cata("cc", this->phase1_iv.iv, chunk_from_thing(net));
-		if (!this->hasher->allocate_hash(this->hasher, data, &iv->iv))
-		{
-			return FALSE;
-		}
-		if (iv->iv.len > this->aead->get_block_size(this->aead))
-		{
-			iv->iv.len = this->aead->get_block_size(this->aead);
-		}
-	}
-	DBG4(DBG_IKE, "next IV for MID %u %B", iv->mid, &iv->iv);
-	return TRUE;
-}
-
-/**
- * Try to find an IV for the given message ID, if not found, generate it.
- */
-static iv_data_t *lookup_iv(private_keymat_v1_t *this, uint32_t mid)
-{
-	enumerator_t *enumerator;
-	iv_data_t *iv, *found = NULL;
-
-	if (mid == 0)
-	{
-		return &this->phase1_iv;
-	}
-
-	enumerator = this->ivs->create_enumerator(this->ivs);
-	while (enumerator->enumerate(enumerator, &iv))
-	{
-		if (iv->mid == mid)
-		{	/* IV gets moved to the front of the list */
-			this->ivs->remove_at(this->ivs, enumerator);
-			found = iv;
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	if (!found)
-	{
-		INIT(found,
-			.mid = mid,
-		);
-		if (!generate_iv(this, found))
-		{
-			iv_data_destroy(found);
-			return NULL;
-		}
-	}
-	this->ivs->insert_first(this->ivs, found);
-	/* remove least recently used IV if maximum reached */
-	if (this->ivs->get_count(this->ivs) > this->max_exchanges &&
-		this->ivs->remove_last(this->ivs, (void**)&iv) == SUCCESS)
-	{
-		iv_data_destroy(iv);
-	}
-	return found;
-}
-
 METHOD(keymat_v1_t, get_iv, bool,
 	private_keymat_v1_t *this, uint32_t mid, chunk_t *out)
 {
-	iv_data_t *iv;
-
-	iv = lookup_iv(this, mid);
-	if (iv)
-	{
-		*out = iv->iv;
-		return TRUE;
-	}
-	return FALSE;
+	return this->iv_manager->get_iv(this->iv_manager, mid, out);
 }
 
 METHOD(keymat_v1_t, update_iv, bool,
 	private_keymat_v1_t *this, uint32_t mid, chunk_t last_block)
 {
-	iv_data_t *iv = lookup_iv(this, mid);
-	if (iv)
-	{	/* update last block */
-		chunk_free(&iv->last_block);
-		iv->last_block = chunk_clone(last_block);
-		return TRUE;
-	}
-	return FALSE;
+	return this->iv_manager->update_iv(this->iv_manager, mid, last_block);
 }
 
 METHOD(keymat_v1_t, confirm_iv, bool,
 	private_keymat_v1_t *this, uint32_t mid)
 {
-	iv_data_t *iv = lookup_iv(this, mid);
-	if (iv)
-	{
-		return generate_iv(this, iv);
-	}
-	return FALSE;
+	return this->iv_manager->confirm_iv(this->iv_manager, mid);
 }
 
 METHOD(keymat_t, get_version, ike_version_t,
@@ -1124,10 +916,7 @@ METHOD(keymat_t, destroy, void,
 	DESTROY_IF(this->hasher);
 	chunk_clear(&this->skeyid_d);
 	chunk_clear(&this->skeyid_a);
-	chunk_free(&this->phase1_iv.iv);
-	chunk_free(&this->phase1_iv.last_block);
-	this->ivs->destroy_function(this->ivs, (void*)iv_data_destroy);
-	this->qms->destroy_function(this->qms, (void*)qm_data_destroy);
+	this->iv_manager->destroy(this->iv_manager);
 	free(this);
 }
 
@@ -1157,12 +946,8 @@ keymat_v1_t *keymat_v1_create(bool initiator)
 			.update_iv = _update_iv,
 			.confirm_iv = _confirm_iv,
 		},
-		.ivs = linked_list_create(),
-		.qms = linked_list_create(),
 		.initiator = initiator,
-		.max_exchanges = lib->settings->get_int(lib->settings,
-					"%s.max_ikev1_exchanges", MAX_EXCHANGES_DEFAULT, lib->ns),
+		.iv_manager = iv_manager_create(0),
 	);
-
 	return &this->public;
 }
diff --git a/src/libcharon/sa/ikev1/keymat_v1.h b/src/libcharon/sa/ikev1/keymat_v1.h
index 46eeea8..ada5bdb 100644
--- a/src/libcharon/sa/ikev1/keymat_v1.h
+++ b/src/libcharon/sa/ikev1/keymat_v1.h
@@ -102,11 +102,14 @@ struct keymat_v1_t {
 	 * @param sa_i			encoded SA payload of initiator
 	 * @param id			encoded IDii payload for HASH_I (IDir for HASH_R)
 	 * @param hash			chunk receiving allocated HASH data
+	 * @param scheme		pointer to signature scheme in case it needs to be
+	 * 						modified by the keymat implementation
 	 * @return				TRUE if hash allocated successfully
 	 */
 	bool (*get_hash)(keymat_v1_t *this, bool initiator,
 						chunk_t dh, chunk_t dh_other, ike_sa_id_t *ike_sa_id,
-						chunk_t sa_i, chunk_t id, chunk_t *hash);
+						chunk_t sa_i, chunk_t id, chunk_t *hash,
+						signature_scheme_t *scheme);
 
 	/**
 	 * Get HASH data for integrity/authentication in Phase 2 exchanges.
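Review bot: The new `@param scheme` text does not say that the pointer may be NULL, yet both `build` and `process` in psk_v1_authenticator.c now pass `NULL` for it, while pubkey_v1_authenticator.c passes `&scheme`. Every implementation of `get_hash` therefore has to check the pointer before writing through it, and the interface should say so: `@param scheme pointer to signature scheme in case it needs to be modified by the keymat implementation, NULL if no signature is involved`. The get_hash hunk in keymat_v1.c shows only the changed signature, so whether that implementation touches `scheme` cannot be confirmed from here.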
@@ -118,39 +121,17 @@ struct keymat_v1_t {
 	bool (*get_hash_phase2)(keymat_v1_t *this, message_t *message, chunk_t *hash);
 
 	/**
-	 * Returns the IV for a message with the given message ID.
-	 *
-	 * The return chunk contains internal data and is valid until the next
-	 * get_iv/udpate_iv/confirm_iv call.
-	 *
-	 * @param mid			message ID
-	 * @param iv			chunk receiving IV, internal data
-	 * @return				TRUE if IV allocated successfully
+	 * @see iv_manager_t.get_iv
 	 */
 	bool (*get_iv)(keymat_v1_t *this, uint32_t mid, chunk_t *iv);
 
 	/**
-	 * Updates the IV for the next message with the given message ID.
-	 *
-	 * A call of confirm_iv() is required in order to actually make the IV
-	 * available.  This is needed for the inbound case where we store the last
-	 * block of the encrypted message but want to update the IV only after
-	 * verification of the decrypted message.
-	 *
-	 * @param mid			message ID
-	 * @param last_block	last block of encrypted message (gets cloned)
-	 * @return				TRUE if IV updated successfully
+	 * @see iv_manager_t.update_iv
 	 */
 	bool (*update_iv)(keymat_v1_t *this, uint32_t mid, chunk_t last_block);
 
 	/**
-	 * Confirms the updated IV for the given message ID.
-	 *
-	 * To actually make the new IV available via get_iv this method has to
-	 * be called after update_iv.
-	 *
-	 * @param mid			message ID
-	 * @return				TRUE if IV confirmed successfully
+	 * @see iv_manager_t.confirm_iv
 	 */
 	bool (*confirm_iv)(keymat_v1_t *this, uint32_t mid);
 };
diff --git a/src/libcharon/sa/ikev1/phase1.c b/src/libcharon/sa/ikev1/phase1.c
index c968b2a..adce59f 100644
--- a/src/libcharon/sa/ikev1/phase1.c
+++ b/src/libcharon/sa/ikev1/phase1.c
@@ -113,22 +113,8 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this,
 	auth_cfg_t *my_auth, *other_auth;
 	enumerator_t *enumerator;
 
-	/* try to get a PSK for IP addresses */
 	me = this->ike_sa->get_my_host(this->ike_sa);
 	other = this->ike_sa->get_other_host(this->ike_sa);
-	my_id = identification_create_from_sockaddr(me->get_sockaddr(me));
-	other_id = identification_create_from_sockaddr(other->get_sockaddr(other));
-	if (my_id && other_id)
-	{
-		shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
-											  my_id, other_id);
-	}
-	DESTROY_IF(my_id);
-	DESTROY_IF(other_id);
-	if (shared_key)
-	{
-		return shared_key;
-	}
 
 	if (peer_cfg)
 	{	/* as initiator or aggressive responder, use identities */
@@ -156,39 +142,51 @@ static shared_key_t *lookup_shared_key(private_phase1_t *this,
 				}
 			}
 		}
-		return shared_key;
 	}
-	/* as responder, we try to find a config by IP */
-	enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends,
-												me, other, NULL, NULL, IKEV1);
-	while (enumerator->enumerate(enumerator, &peer_cfg))
-	{
-		my_auth = get_auth_cfg(peer_cfg, TRUE);
-		other_auth = get_auth_cfg(peer_cfg, FALSE);
-		if (my_auth && other_auth)
+	else
+	{	/* as responder, we try to find a config by IP addresses and use the
+		 * configured identities to find the PSK */
+		enumerator = charon->backends->create_peer_cfg_enumerator(
+								charon->backends, me, other, NULL, NULL, IKEV1);
+		while (enumerator->enumerate(enumerator, &peer_cfg))
 		{
-			my_id = my_auth->get(my_auth, AUTH_RULE_IDENTITY);
-			other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY);
-			if (my_id)
+			my_auth = get_auth_cfg(peer_cfg, TRUE);
+			other_auth = get_auth_cfg(peer_cfg, FALSE);
+			if (my_auth && other_auth)
 			{
-				shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
-													  my_id, other_id);
-				if (shared_key)
-				{
-					break;
-				}
-				else
+				my_id = my_auth->get(my_auth, AUTH_RULE_IDENTITY);
+				other_id = other_auth->get(other_auth, AUTH_RULE_IDENTITY);
+				if (my_id)
 				{
+					shared_key = lib->credmgr->get_shared(lib->credmgr,
+												SHARED_IKE, my_id, other_id);
+					if (shared_key)
+					{
+						break;
+					}
 					DBG1(DBG_IKE, "no shared key found for '%Y'[%H] - '%Y'[%H]",
 						 my_id, me, other_id, other);
 				}
 			}
 		}
+		enumerator->destroy(enumerator);
 	}
-	enumerator->destroy(enumerator);
 	if (!shared_key)
-	{
-		DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
+	{	/* try to get a PSK for IP addresses */
+		my_id = identification_create_from_sockaddr(me->get_sockaddr(me));
+		other_id = identification_create_from_sockaddr(
+													other->get_sockaddr(other));
+		if (my_id && other_id)
+		{
+			shared_key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE,
+												  my_id, other_id);
+		}
+		DESTROY_IF(my_id);
+		DESTROY_IF(other_id);
+		if (!shared_key)
+		{
+			DBG1(DBG_IKE, "no shared key found for %H - %H", me, other);
+		}
 	}
 	return shared_key;
 }
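Review bot: The PSK search order changes in this hunk (identities from the matching config first, IP addresses only as a fallback while `shared_key` is still unset), but no comment states that precedence, although it decides which secret authenticates a peer. A comment before the final `if (!shared_key)` block or in the function's header would help, e.g. `/* PSKs bound to identities take precedence, PSKs bound to IP addresses are only a fallback */`. It is also worth noting that the responder loop stops at the first config matching the addresses that yields a key, so the order of configs matters. lookup_shared_key starts outside this hunk, so the initialisation of `shared_key` is not visible here.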
diff --git a/src/libcharon/sa/ikev1/task_manager_v1.c b/src/libcharon/sa/ikev1/task_manager_v1.c
index 3b0c1cf..1da17ee 100644
--- a/src/libcharon/sa/ikev1/task_manager_v1.c
+++ b/src/libcharon/sa/ikev1/task_manager_v1.c
@@ -367,7 +367,7 @@ static status_t retransmit_packet(private_task_manager_t *this, uint32_t seqnr,
 	send_packets(this, packets);
 	lib->scheduler->schedule_job_ms(lib->scheduler, (job_t*)
 			retransmit_job_create(seqnr, this->ike_sa->get_id(this->ike_sa)), t);
-	return NEED_MORE;
+	return SUCCESS;
 }
 
 METHOD(task_manager_t, retransmit, status_t,
@@ -380,10 +380,9 @@ METHOD(task_manager_t, retransmit, status_t,
 	{
 		status = retransmit_packet(this, seqnr, this->initiating.mid,
 					this->initiating.retransmitted, this->initiating.packets);
-		if (status == NEED_MORE)
+		if (status == SUCCESS)
 		{
 			this->initiating.retransmitted++;
-			status = SUCCESS;
 		}
 	}
 	if (seqnr == this->responding.seqnr &&
@@ -391,10 +390,9 @@ METHOD(task_manager_t, retransmit, status_t,
 	{
 		status = retransmit_packet(this, seqnr, this->responding.mid,
 					this->responding.retransmitted, this->responding.packets);
-		if (status == NEED_MORE)
+		if (status == SUCCESS)
 		{
 			this->responding.retransmitted++;
-			status = SUCCESS;
 		}
 	}
 	return status;
@@ -554,6 +552,12 @@ METHOD(task_manager_t, initiate, status_t,
 					new_mid = TRUE;
 					break;
 				}
+				if (activate_task(this, TASK_ISAKMP_DPD))
+				{
+					exchange = INFORMATIONAL_V1;
+					new_mid = TRUE;
+					break;
+				}
 				break;
 			default:
 				break;
@@ -685,13 +689,9 @@ METHOD(task_manager_t, initiate, status_t,
 		message->destroy(message);
 		return retransmit(this, this->initiating.seqnr);
 	}
-	if (keep)
-	{	/* keep the packet for retransmission, the responder might request it */
-		send_packets(this, this->initiating.packets);
-	}
-	else
+	send_packets(this, this->initiating.packets);
+	if (!keep)
 	{
-		send_packets(this, this->initiating.packets);
 		clear_packets(this->initiating.packets);
 	}
 	message->destroy(message);
@@ -1902,6 +1902,12 @@ METHOD(task_manager_t, incr_mid, void,
 {
 }
 
+METHOD(task_manager_t, get_mid, uint32_t,
+	private_task_manager_t *this, bool initiate)
+{
+	return initiate ? this->initiating.mid : this->responding.mid;
+}
+
 METHOD(task_manager_t, reset, void,
 	private_task_manager_t *this, uint32_t initiate, uint32_t respond)
 {
@@ -2005,6 +2011,7 @@ task_manager_v1_t *task_manager_v1_create(ike_sa_t *ike_sa)
 				.initiate = _initiate,
 				.retransmit = _retransmit,
 				.incr_mid = _incr_mid,
+				.get_mid = _get_mid,
 				.reset = _reset,
 				.adopt_tasks = _adopt_tasks,
 				.adopt_child_tasks = _adopt_child_tasks,
diff --git a/src/libcharon/sa/ikev1/tasks/quick_mode.c b/src/libcharon/sa/ikev1/tasks/quick_mode.c
index 6b89641..bbb8858 100644
--- a/src/libcharon/sa/ikev1/tasks/quick_mode.c
+++ b/src/libcharon/sa/ikev1/tasks/quick_mode.c
@@ -703,25 +703,30 @@ static void add_nat_oa_payloads(private_quick_mode_t *this, message_t *message)
 {
 	identification_t *id;
 	id_payload_t *nat_oa;
-	host_t *src, *dst;
+	host_t *init, *resp;
 	payload_type_t nat_oa_payload_type;
 
-	src = message->get_source(message);
-	dst = message->get_destination(message);
-
-	src = this->initiator ? src : dst;
-	dst = this->initiator ? dst : src;
+	if (this->initiator)
+	{
+		init = message->get_source(message);
+		resp = message->get_destination(message);
+	}
+	else
+	{
+		init = message->get_destination(message);
+		resp = message->get_source(message);
+	}
 
 	nat_oa_payload_type = get_nat_oa_payload_type(this->ike_sa);
 
 	/* first NAT-OA is the initiator's address */
-	id = identification_create_from_sockaddr(src->get_sockaddr(src));
+	id = identification_create_from_sockaddr(init->get_sockaddr(init));
 	nat_oa = id_payload_create_from_identification(nat_oa_payload_type, id);
 	message->add_payload(message, (payload_t*)nat_oa);
 	id->destroy(id);
 
 	/* second NAT-OA is that of the responder */
-	id = identification_create_from_sockaddr(dst->get_sockaddr(dst));
+	id = identification_create_from_sockaddr(resp->get_sockaddr(resp));
 	nat_oa = id_payload_create_from_identification(nat_oa_payload_type, id);
 	message->add_payload(message, (payload_t*)nat_oa);
 	id->destroy(id);
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 592f497..19ea72d 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -217,7 +217,8 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
 	}
 
 	if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
-								this->nonce, id, this->reserved, &octets))
+								this->nonce, id, this->reserved, &octets,
+								schemes))
 	{
 		enumerator = array_create_enumerator(schemes);
 		while (enumerator->enumerate(enumerator, &schemep))
@@ -247,6 +248,32 @@ static status_t sign_signature_auth(private_pubkey_authenticator_t *this,
 }
 
 /**
+ * Get the auth octets and the signature scheme (in case it is changed by the
+ * keymat).
+ */
+static bool get_auth_octets_scheme(private_pubkey_authenticator_t *this,
+								   bool verify, identification_t *id,
+								   chunk_t *octets, signature_scheme_t *scheme)
+{
+	keymat_v2_t *keymat;
+	array_t *schemes;
+	bool success = FALSE;
+
+	schemes = array_create(sizeof(signature_scheme_t), 0);
+	array_insert(schemes, ARRAY_TAIL, scheme);
+
+	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
+	if (keymat->get_auth_octets(keymat, verify, this->ike_sa_init, this->nonce,
+								id, this->reserved, octets, schemes) &&
+		array_get(schemes, 0, &scheme))
+	{
+		success = TRUE;
+	}
+	array_destroy(schemes);
+	return success;
+}
+
+/**
  * Create a classic IKEv2 signature
  */
 static status_t sign_classic(private_pubkey_authenticator_t *this,
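Review bot: In get_auth_octets_scheme the call `array_get(schemes, 0, &scheme)` passes the address of the local pointer `scheme` rather than the caller's `signature_scheme_t`, so a scheme changed by the keymat would not reach the caller. The array is created with `sizeof(signature_scheme_t)` elements and filled from `scheme`, so, assuming array_get copies the element into the buffer it is given, the read-back should be `array_get(schemes, 0, scheme)`. As written the copy would land in the pointer variable itself, which is not used afterwards, and sign_classic would pass its originally chosen scheme to `private->sign()`.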
@@ -255,7 +282,6 @@ static status_t sign_classic(private_pubkey_authenticator_t *this,
 							 chunk_t *auth_data)
 {
 	signature_scheme_t scheme;
-	keymat_v2_t *keymat;
 	chunk_t octets = chunk_empty;
 	status_t status = FAILED;
 
@@ -293,9 +319,7 @@ static status_t sign_classic(private_pubkey_authenticator_t *this,
 			return FAILED;
 	}
 
-	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-	if (keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init,
-								this->nonce, id, this->reserved, &octets) &&
+	if (get_auth_octets_scheme(this, FALSE, id, &octets, &scheme) &&
 		private->sign(private, scheme, octets, auth_data))
 	{
 		status = SUCCESS;
@@ -363,7 +387,6 @@ METHOD(authenticator_t, process, status_t,
 	key_type_t key_type = KEY_ECDSA;
 	signature_scheme_t scheme;
 	status_t status = NOT_FOUND;
-	keymat_v2_t *keymat;
 	const char *reason = "unsupported";
 	bool online;
 
@@ -402,9 +425,7 @@ METHOD(authenticator_t, process, status_t,
 			return INVALID_ARG;
 	}
 	id = this->ike_sa->get_other_id(this->ike_sa);
-	keymat = (keymat_v2_t*)this->ike_sa->get_keymat(this->ike_sa);
-	if (!keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init,
-								 this->nonce, id, this->reserved, &octets))
+	if (!get_auth_octets_scheme(this, TRUE, id, &octets, &scheme))
 	{
 		return FAILED;
 	}
diff --git a/src/libcharon/sa/ikev2/keymat_v2.c b/src/libcharon/sa/ikev2/keymat_v2.c
index 58efdba..70dacd1 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.c
+++ b/src/libcharon/sa/ikev2/keymat_v2.c
@@ -629,7 +629,8 @@ METHOD(keymat_t, get_aead, aead_t*,
 
 METHOD(keymat_v2_t, get_auth_octets, bool,
 	private_keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
-	chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets)
+	chunk_t nonce, identification_t *id, char reserved[3], chunk_t *octets,
+	array_t *schemes)
 {
 	chunk_t chunk, idx;
 	chunk_t skp;
@@ -669,7 +670,8 @@ METHOD(keymat_v2_t, get_psk_sig, bool,
 	{	/* EAP uses SK_p if no MSK has been established */
 		secret = verify ? this->skp_verify : this->skp_build;
 	}
-	if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved, &octets))
+	if (!get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved,
+						 &octets, NULL))
 	{
 		return FALSE;
 	}
diff --git a/src/libcharon/sa/ikev2/keymat_v2.h b/src/libcharon/sa/ikev2/keymat_v2.h
index 927b62b..36bf149 100644
--- a/src/libcharon/sa/ikev2/keymat_v2.h
+++ b/src/libcharon/sa/ikev2/keymat_v2.h
@@ -22,6 +22,7 @@
 #define KEYMAT_V2_H_
 
 #include <sa/keymat.h>
+#include <collections/array.h>
 
 typedef struct keymat_v2_t keymat_v2_t;
 
@@ -100,11 +101,14 @@ struct keymat_v2_t {
 	 * @param id			identity
 	 * @param reserved		reserved bytes of id_payload
 	 * @param octests		chunk receiving allocated auth octets
+	 * @param schemes		array containing signature schemes in case they
+	 * 						need to be modified by the keymat implementation
 	 * @return				TRUE if octets created successfully
 	 */
 	bool (*get_auth_octets)(keymat_v2_t *this, bool verify, chunk_t ike_sa_init,
 							chunk_t nonce, identification_t *id,
-							char reserved[3], chunk_t *octets);
+							char reserved[3], chunk_t *octets,
+							array_t *schemes);
 	/**
 	 * Build the shared secret signature used for PSK and EAP authentication.
 	 *
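Review bot: The new `@param schemes` text does not say that the argument may be NULL, although get_psk_sig in keymat_v2.c now calls `get_auth_octets(..., &octets, NULL)`. Implementations of this interface have to handle that case, so I would extend the doc to something like `@param schemes array of signature_scheme_t the implementation may modify, or NULL`. The element type is taken from get_auth_octets_scheme in pubkey_authenticator.c, which creates the array with `sizeof(signature_scheme_t)`; the array passed by sign_signature_auth is built outside the visible hunks.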
diff --git a/src/libcharon/sa/ikev2/task_manager_v2.c b/src/libcharon/sa/ikev2/task_manager_v2.c
index 60a262f..e4a16fa 100644
--- a/src/libcharon/sa/ikev2/task_manager_v2.c
+++ b/src/libcharon/sa/ikev2/task_manager_v2.c
@@ -34,6 +34,7 @@
 #include <sa/ikev2/tasks/ike_delete.h>
 #include <sa/ikev2/tasks/ike_config.h>
 #include <sa/ikev2/tasks/ike_dpd.h>
+#include <sa/ikev2/tasks/ike_mid_sync.h>
 #include <sa/ikev2/tasks/ike_vendor.h>
 #include <sa/ikev2/tasks/ike_verify_peer_cert.h>
 #include <sa/ikev2/tasks/child_create.h>
@@ -817,7 +818,7 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	task_t *task;
 	message_t *message;
 	host_t *me, *other;
-	bool delete = FALSE, hook = FALSE;
+	bool delete = FALSE, hook = FALSE, mid_sync = FALSE;
 	ike_sa_id_t *id = NULL;
 	uint64_t responder_spi = 0;
 	bool result;
@@ -836,6 +837,10 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 	enumerator = array_create_enumerator(this->passive_tasks);
 	while (enumerator->enumerate(enumerator, (void*)&task))
 	{
+		if (task->get_type(task) == TASK_IKE_MID_SYNC)
+		{
+			mid_sync = TRUE;
+		}
 		switch (task->build(task, message))
 		{
 			case SUCCESS:
@@ -908,6 +913,15 @@ static status_t build_response(private_task_manager_t *this, message_t *request)
 		}
 		return DESTROY_ME;
 	}
+	else if (mid_sync)
+	{
+		/* we don't want to resend messages to sync MIDs if requests with the
+		 * previous MID arrive */
+		clear_packets(this->responding.packets);
+		/* avoid increasing the expected message ID after handling a message
+		 * to sync MIDs with MID 0 */
+		return NEED_MORE;
+	}
 
 	array_compress(this->passive_tasks);
 
@@ -1069,6 +1083,10 @@ static status_t process_request(private_task_manager_t *this,
 									task = (task_t*)ike_redirect_create(
 															this->ike_sa, NULL);
 									break;
+								case IKEV2_MESSAGE_ID_SYNC:
+									task = (task_t*)ike_mid_sync_create(
+																 this->ike_sa);
+									break;
 								default:
 									break;
 							}
@@ -1200,6 +1218,12 @@ METHOD(task_manager_t, incr_mid, void,
 	}
 }
 
+METHOD(task_manager_t, get_mid, uint32_t,
+	private_task_manager_t *this, bool initiate)
+{
+	return initiate ? this->initiating.mid : this->responding.mid;
+}
+
 /**
  * Handle the given IKE fragment, if it is one.
  *
@@ -1373,6 +1397,64 @@ static status_t parse_message(private_task_manager_t *this, message_t *msg)
 	return status;
 }
 
+/**
+ * Check if a message with message ID 0 looks like it is used to synchronize
+ * the message IDs.
+ */
+static bool looks_like_mid_sync(private_task_manager_t *this, message_t *msg,
+								bool strict)
+{
+	enumerator_t *enumerator;
+	notify_payload_t *notify;
+	payload_t *payload;
+	bool found = FALSE, other = FALSE;
+
+	if (msg->get_exchange_type(msg) == INFORMATIONAL)
+	{
+		enumerator = msg->create_payload_enumerator(msg);
+		while (enumerator->enumerate(enumerator, &payload))
+		{
+			if (payload->get_type(payload) == PLV2_NOTIFY)
+			{
+				notify = (notify_payload_t*)payload;
+				switch (notify->get_notify_type(notify))
+				{
+					case IKEV2_MESSAGE_ID_SYNC:
+					case IPSEC_REPLAY_COUNTER_SYNC:
+						found = TRUE;
+						continue;
+					default:
+						break;
+				}
+			}
+			if (strict)
+			{
+				other = TRUE;
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return found && !other;
+}
+
+/**
+ * Check if a message with message ID 0 looks like it is used to synchronize
+ * the message IDs and we are prepared to process it.
+ *
+ * Note: This is not called if the responder never sent a message before (i.e.
+ * we expect MID 0).
+ */
+static bool is_mid_sync(private_task_manager_t *this, message_t *msg)
+{
+	if (this->ike_sa->get_state(this->ike_sa) == IKE_ESTABLISHED &&
+		this->ike_sa->supports_extension(this->ike_sa,
+										 EXT_IKE_MESSAGE_ID_SYNC))
+	{
+		return looks_like_mid_sync(this, msg, TRUE);
+	}
+	return FALSE;
+}
 
 METHOD(task_manager_t, process_message, status_t,
 	private_task_manager_t *this, message_t *msg)
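Review bot: The comment on looks_like_mid_sync does not explain `strict`, yet that flag decides what is accepted at message ID 0: with it set, any payload other than the two sync notifies makes the function return FALSE, while without it a single sync notify is enough. Since is_mid_sync uses the strict form to admit a request outside the normal message ID sequence, I would document it, e.g. `@param strict TRUE to only accept messages that contain nothing but sync notifies`. The `this` parameter is not used in looks_like_mid_sync and could be dropped.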
@@ -1421,7 +1503,7 @@ METHOD(task_manager_t, process_message, status_t,
 	mid = msg->get_message_id(msg);
 	if (msg->get_request(msg))
 	{
-		if (mid == this->responding.mid)
+		if (mid == this->responding.mid || (mid == 0 && is_mid_sync(this, msg)))
 		{
 			/* reject initial messages if not received in specific states,
 			 * after rekeying we only expect a DELETE in an INFORMATIONAL */
@@ -1462,7 +1544,8 @@ METHOD(task_manager_t, process_message, status_t,
 			}
 		}
 		else if ((mid == this->responding.mid - 1) &&
-				 array_count(this->responding.packets))
+				 array_count(this->responding.packets) &&
+				 !(mid == 0 && looks_like_mid_sync(this, msg, FALSE)))
 		{
 			status = handle_fragment(this, &this->responding.defrag, msg);
 			if (status != SUCCESS)
@@ -1477,7 +1560,7 @@ METHOD(task_manager_t, process_message, status_t,
 		}
 		else
 		{
-			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
+			DBG1(DBG_IKE, "received message ID %d, expected %d, ignored",
 				 mid, this->responding.mid);
 		}
 	}
@@ -1515,7 +1598,7 @@ METHOD(task_manager_t, process_message, status_t,
 		}
 		else
 		{
-			DBG1(DBG_IKE, "received message ID %d, expected %d. Ignored",
+			DBG1(DBG_IKE, "received message ID %d, expected %d, ignored",
 				 mid, this->initiating.mid);
 			return SUCCESS;
 		}
@@ -2046,6 +2129,7 @@ task_manager_v2_t *task_manager_v2_create(ike_sa_t *ike_sa)
 				.initiate = _initiate,
 				.retransmit = _retransmit,
 				.incr_mid = _incr_mid,
+				.get_mid = _get_mid,
 				.reset = _reset,
 				.adopt_tasks = _adopt_tasks,
 				.adopt_child_tasks = _adopt_child_tasks,
diff --git a/src/libcharon/sa/ikev2/tasks/ike_auth.c b/src/libcharon/sa/ikev2/tasks/ike_auth.c
index 036910d..53daaf2 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_auth.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_auth.c
@@ -417,6 +417,9 @@ METHOD(task_t, build_i, status_t,
 		/* indicate support for EAP-only authentication */
 		message->add_notify(message, FALSE, EAP_ONLY_AUTHENTICATION,
 							chunk_empty);
+		/* indicate support for RFC 6311 Message ID synchronization */
+		message->add_notify(message, FALSE, IKEV2_MESSAGE_ID_SYNC_SUPPORTED,
+							chunk_empty);
 	}
 
 	if (!this->do_another_auth && !this->my_auth)
@@ -466,7 +469,8 @@ METHOD(task_t, build_i, status_t,
 		get_reserved_id_bytes(this, id_payload);
 		message->add_payload(message, (payload_t*)id_payload);
 
-		if (idr && message->get_message_id(message) == 1 &&
+		if (idr && !idr->contains_wildcards(idr) &&
+			message->get_message_id(message) == 1 &&
 			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO &&
 			this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NEVER)
 		{
@@ -991,6 +995,10 @@ METHOD(task_t, process_i, status_t,
 						DBG1(DBG_IKE, "received invalid REDIRECT notify");
 					}
 					break;
+				case IKEV2_MESSAGE_ID_SYNC_SUPPORTED:
+					this->ike_sa->enable_extension(this->ike_sa,
+												   EXT_IKE_MESSAGE_ID_SYNC);
+					break;
 				default:
 				{
 					if (type <= 16383)
diff --git a/src/libcharon/sa/ikev2/tasks/ike_init.c b/src/libcharon/sa/ikev2/tasks/ike_init.c
index d82e206..58b7106 100644
--- a/src/libcharon/sa/ikev2/tasks/ike_init.c
+++ b/src/libcharon/sa/ikev2/tasks/ike_init.c
@@ -159,6 +159,10 @@ static void send_supported_hash_algorithms(private_ike_init_t *this,
 	auth_cfg_t *auth;
 	auth_rule_t rule;
 	uintptr_t config;
+	int written;
+	size_t len = BUF_LEN;
+	char buf[len];
+	char *pos = buf;
 	char *plugin_name;
 
 	algos = hash_algorithm_set_create();
@@ -205,11 +209,23 @@ static void send_supported_hash_algorithms(private_ike_init_t *this,
 		while (enumerator->enumerate(enumerator, &hash))
 		{
 			writer->write_uint16(writer, hash);
+
+			/* generate debug output */
+			written = snprintf(pos, len, " %N", hash_algorithm_short_names,
+							   hash);
+			if (written > 0 && written < len)
+			{
+				pos += written;
+				len -= written;
+			}
 		}
 		enumerator->destroy(enumerator);
 		message->add_notify(message, FALSE, SIGNATURE_HASH_ALGORITHMS,
 							writer->get_buf(writer));
 		writer->destroy(writer);
+
+		*pos = '\0';
+		DBG2(DBG_CFG, "sending supported signature hash algorithms:%s", buf);
 	}
 	algos->destroy(algos);
 }
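Review bot: The check `written < len` in the added loop compares an `int` with a `size_t`, and the buffer it guards is declared in the preceding hunk as `char buf[len]` with `size_t len = BUF_LEN`, which makes it a variable-length array where a fixed one would do. Declaring `char buf[BUF_LEN];` and testing `written > 0 && (size_t)written < len` expresses the same bound without the implicit conversion. The same declarations and check are repeated for handle_supported_hash_algorithms in the two following hunks, where the logged values are read from the peer's notify. send_supported_hash_algorithms starts outside this hunk.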
@@ -222,6 +238,10 @@ static void handle_supported_hash_algorithms(private_ike_init_t *this,
 {
 	bio_reader_t *reader;
 	uint16_t algo;
+	int written;
+	size_t len = BUF_LEN;
+	char buf[len];
+	char *pos = buf;
 	bool added = FALSE;
 
 	reader = bio_reader_create(notify->get_notification_data(notify));
@@ -231,10 +251,22 @@ static void handle_supported_hash_algorithms(private_ike_init_t *this,
 		{
 			this->keymat->add_hash_algorithm(this->keymat, algo);
 			added = TRUE;
+
+			/* generate debug output */
+			written = snprintf(pos, len, " %N", hash_algorithm_short_names,
+							   algo);
+			if (written > 0 && written < len)
+			{
+				pos += written;
+				len -= written;
+			}
 		}
 	}
 	reader->destroy(reader);
 
+	*pos = '\0';
+	DBG2(DBG_CFG, "received supported signature hash algorithms:%s", buf);
+
 	if (added)
 	{
 		this->ike_sa->enable_extension(this->ike_sa, EXT_SIGNATURE_AUTH);
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mid_sync.c b/src/libcharon/sa/ikev2/tasks/ike_mid_sync.c
new file mode 100644
index 0000000..24cf276
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_mid_sync.c
@@ -0,0 +1,264 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+/*
+ * Copyright (C) 2016 Stephen J. Bevan
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+#include "ike_mid_sync.h"
+
+#include <daemon.h>
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+#include <encoding/payloads/notify_payload.h>
+
+typedef struct private_ike_mid_sync_t private_ike_mid_sync_t;
+
+/**
+ * Private members
+ */
+struct private_ike_mid_sync_t {
+
+	/**
+	 * Public methods and task_t interface.
+	 */
+	ike_mid_sync_t public;
+
+	/**
+	 * Assigned IKE_SA.
+	 */
+	ike_sa_t *ike_sa;
+
+	/**
+	 * Nonce sent by the peer and expected to be returned
+	 */
+	chunk_t nonce;
+
+	/**
+	 * Expected next sender message ID
+	 */
+	uint32_t send;
+
+	/**
+	 * Expected received message ID
+	 */
+	uint32_t recv;
+};
+
+/*
+ * Encoding of IKEV2_MESSAGE_SYNC_ID notify, RFC 6311
+ *
+ *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Next Payload  |C|  RESERVED   |         Payload Length        |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |Protocol ID(=0)| SPI Size (=0) |      Notify Message Type      |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |             Nonce Data                                        |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |             EXPECTED_SEND_REQ_MESSAGE_ID                      |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |             EXPECTED_RECV_REQ_MESSAGE_ID                      |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/*
+ * RFC 6311 section 5.1
+ *
+ *  o  The peer MUST silently drop any received synchronization message
+ *     if M1 is lower than or equal to the highest value it has seen from
+ *     the cluster.  This includes any previous received synchronization
+ *     messages.
+ */
+METHOD(task_t, pre_process, status_t,
+	private_ike_mid_sync_t *this, message_t *message)
+{
+	notify_payload_t *notify;
+	bio_reader_t *reader;
+	chunk_t nonce;
+	uint32_t resp;
+
+	if (message->get_message_id(message) != 0)
+	{	/* ignore the notify if it was contained in an INFORMATIONAL with
+		 * unexpected message ID */
+		return SUCCESS;
+	}
+	if (!this->ike_sa->supports_extension(this->ike_sa,
+										  EXT_IKE_MESSAGE_ID_SYNC))
+	{
+		DBG1(DBG_ENC, "unexpected %N notify, ignored", notify_type_names,
+			 IKEV2_MESSAGE_ID_SYNC);
+		return FAILED;
+	}
+	notify = message->get_notify(message, IKEV2_MESSAGE_ID_SYNC);
+
+	reader = bio_reader_create(notify->get_notification_data(notify));
+	if (!reader->read_data(reader, 4, &nonce) ||
+		!reader->read_uint32(reader, &this->send) ||
+		!reader->read_uint32(reader, &this->recv))
+	{
+		reader->destroy(reader);
+		DBG1(DBG_ENC, "received invalid %N notify",
+			 notify_type_names, IKEV2_MESSAGE_ID_SYNC);
+		return FAILED;
+	}
+	reader->destroy(reader);
+	resp = this->ike_sa->get_message_id(this->ike_sa, FALSE);
+	if (this->send < resp)
+	{
+		DBG1(DBG_ENC, "ignore %N notify with lower (%d) than expected (%d) "
+			 "sender MID", notify_type_names, IKEV2_MESSAGE_ID_SYNC, this->send,
+			 resp);
+		return FAILED;
+	}
+	this->nonce = chunk_clone(nonce);
+	return SUCCESS;
+}
+
+/**
+ * Check if there are any active tasks, indicating that we already
+ * used the currents message ID and are waiting for a response.
+ */
+static bool has_active_tasks(private_ike_mid_sync_t *this)
+{
+	enumerator_t *enumerator;
+	task_t *task;
+	bool active;
+
+	enumerator = this->ike_sa->create_task_enumerator(this->ike_sa,
+													  TASK_QUEUE_ACTIVE);
+	active = enumerator->enumerate(enumerator, &task);
+	enumerator->destroy(enumerator);
+	return active;
+}
+
+/*
+ * RFC 6311 section 5.1
+ *
+ *  o  M2 MUST be at least the higher of the received M1, and one more
+ *     than the highest sender value received from the cluster.  This
+ *     includes any previous received synchronization messages.
+ *
+ *  o  P2 MUST be the higher of the received P1 value, and one more than
+ *     the highest sender value used by the peer.
+ *
+ * M1 is this->send, P1 is this->recv
+ */
+METHOD(task_t, process, status_t,
+	private_ike_mid_sync_t *this, message_t *message)
+{
+	uint32_t resp, init, m2, p2;
+
+	if (message->get_message_id(message) != 0)
+	{	/* ignore the notify if it was contained in an INFORMATIONAL with
+		 * unexpected message id */
+		return SUCCESS;
+	}
+	resp = this->ike_sa->get_message_id(this->ike_sa, FALSE);
+	m2 = max(this->send, resp);
+	if (resp != m2)
+	{
+		this->ike_sa->set_message_id(this->ike_sa, FALSE, m2);
+	}
+	init = this->ike_sa->get_message_id(this->ike_sa, TRUE);
+	p2 = max(this->recv, has_active_tasks(this) ? init + 1 : init);
+	if (init != p2)
+	{
+		this->ike_sa->set_message_id(this->ike_sa, TRUE, p2);
+	}
+	DBG1(DBG_IKE, "responder requested MID sync: initiating %d[%d], "
+		 "responding %d[%d]", p2, init, m2, resp);
+	this->send = p2;
+	this->recv = m2;
+	return NEED_MORE;
+}
+
+METHOD(task_t, build, status_t,
+	private_ike_mid_sync_t *this, message_t *message)
+{
+	bio_writer_t *writer;
+
+	writer = bio_writer_create(12);
+	writer->write_data(writer, this->nonce);
+	writer->write_uint32(writer, this->send);
+	writer->write_uint32(writer, this->recv);
+
+	message->set_message_id(message, 0);
+	message->add_notify(message, FALSE, IKEV2_MESSAGE_ID_SYNC,
+						writer->get_buf(writer));
+
+	writer->destroy(writer);
+	return SUCCESS;
+}
+
+METHOD(task_t, get_type, task_type_t,
+	private_ike_mid_sync_t *this)
+{
+	return TASK_IKE_MID_SYNC;
+}
+
+METHOD(task_t, migrate, void,
+	private_ike_mid_sync_t *this, ike_sa_t *ike_sa)
+{
+	this->ike_sa = ike_sa;
+	chunk_free(&this->nonce);
+}
+
+METHOD(task_t, destroy, void,
+	private_ike_mid_sync_t *this)
+{
+	chunk_free(&this->nonce);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+ike_mid_sync_t *ike_mid_sync_create(ike_sa_t *ike_sa)
+{
+	private_ike_mid_sync_t *this;
+
+	INIT(this,
+		.public = {
+			.task = {
+				.get_type = _get_type,
+				.build = _build,
+				.pre_process = _pre_process,
+				.process = _process,
+				.migrate = _migrate,
+				.destroy = _destroy,
+			},
+		},
+		.ike_sa = ike_sa,
+	);
+	return &this->public;
+}
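Review bot: In pre_process the check `this->send < resp` still accepts a notify whose M1 equals the expected responder message ID, which is exactly the state process leaves behind after a sync: it sets that ID to `max(this->send, resp)`, and build_response in task_manager_v2.c avoids incrementing it. A sync message received a second time would therefore be processed again, while the RFC text quoted above the function asks to drop messages with M1 "lower than or equal to the highest value it has seen", previous sync messages included. If accepting equality is intended, a comment such as `/* M1 == expected MID is valid, so a repeated sync message is answered again */` would make that explicit; otherwise the last accepted M1 would have to be remembered. Separately, the result of `message->get_notify(message, IKEV2_MESSAGE_ID_SYNC)` is dereferenced without a NULL check.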
diff --git a/src/libcharon/sa/ikev2/tasks/ike_mid_sync.h b/src/libcharon/sa/ikev2/tasks/ike_mid_sync.h
new file mode 100644
index 0000000..9dd46f9
--- /dev/null
+++ b/src/libcharon/sa/ikev2/tasks/ike_mid_sync.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+/*
+ * Copyright (C) 2016 Stephen J. Bevan
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+
+/**
+ * @defgroup ike_mid_sync ike_mid_sync
+ * @{ @ingroup tasks_v2
+ */
+
+#ifndef IKE_MID_SYNC_H_
+#define IKE_MID_SYNC_H_
+
+typedef struct ike_mid_sync_t ike_mid_sync_t;
+
+#include <library.h>
+#include <sa/ike_sa.h>
+#include <sa/task.h>
+
+/**
+ * Task of type TASK_IKE_MID_SYNC, implements RFC 6311 responder.
+ *
+ * This task handles an IKEV2_MESSAGE_ID_SYNC notify sent by a peer
+ * and if acceptable updates the SA MIDs and replies with the updated
+ * MID values.
+ */
+struct ike_mid_sync_t {
+
+	/**
+	 * Implements the task_t interface
+	 */
+	task_t task;
+};
+
+/**
+ * Create a new TASK_IKE_MID_SYNC task.
+ *
+ * @param ike_sa	IKE_SA this task works for
+ * @return			task to handle by the task_manager
+ */
+ike_mid_sync_t *ike_mid_sync_create(ike_sa_t *ike_sa);
+
+#endif /** IKE_MID_SYNC_H_ @}*/
diff --git a/src/libcharon/sa/shunt_manager.c b/src/libcharon/sa/shunt_manager.c
index 40e291b..b016275 100644
--- a/src/libcharon/sa/shunt_manager.c
+++ b/src/libcharon/sa/shunt_manager.c
@@ -36,7 +36,7 @@ struct private_shunt_manager_t {
 	shunt_manager_t public;
 
 	/**
-	 * Installed shunts, as child_cfg_t
+	 * Installed shunts, as entry_t
 	 */
 	linked_list_t *shunts;
 
@@ -57,6 +57,32 @@ struct private_shunt_manager_t {
 };
 
 /**
+ * Config entry for a shunt
+ */
+typedef struct {
+	/**
+	 * Configured namespace
+	 */
+	char *ns;
+
+	/**
+	 * Child config
+	 */
+	child_cfg_t *cfg;
+
+} entry_t;
+
+/**
+ * Destroy a config entry
+ */
+static void entry_destroy(entry_t *this)
+{
+	this->cfg->destroy(this->cfg);
+	free(this->ns);
+	free(this);
+}
+
+/**
  * Install in and out shunt policies in the kernel
  */
 static bool install_shunt_policy(child_cfg_t *child)
@@ -162,10 +188,10 @@ static bool install_shunt_policy(child_cfg_t *child)
 }
 
 METHOD(shunt_manager_t, install, bool,
-	private_shunt_manager_t *this, child_cfg_t *child)
+	private_shunt_manager_t *this, char *ns, child_cfg_t *cfg)
 {
 	enumerator_t *enumerator;
-	child_cfg_t *child_cfg;
+	entry_t *entry;
 	bool found = FALSE, success;
 
 	/* check if not already installed */
@@ -176,9 +202,10 @@ METHOD(shunt_manager_t, install, bool,
 		return FALSE;
 	}
 	enumerator = this->shunts->create_enumerator(this->shunts);
-	while (enumerator->enumerate(enumerator, &child_cfg))
+	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (streq(child_cfg->get_name(child_cfg), child->get_name(child)))
+		if (streq(ns, entry->ns) &&
+			streq(cfg->get_name(cfg), entry->cfg->get_name(entry->cfg)))
 		{
 			found = TRUE;
 			break;
@@ -188,21 +215,25 @@ METHOD(shunt_manager_t, install, bool,
 	if (found)
 	{
 		DBG1(DBG_CFG, "shunt %N policy '%s' already installed",
-			 ipsec_mode_names, child->get_mode(child), child->get_name(child));
+			 ipsec_mode_names, cfg->get_mode(cfg), cfg->get_name(cfg));
 		this->lock->unlock(this->lock);
 		return TRUE;
 	}
-	this->shunts->insert_last(this->shunts, child->get_ref(child));
+	INIT(entry,
+		.ns = strdupnull(ns),
+		.cfg = cfg->get_ref(cfg),
+	);
+	this->shunts->insert_last(this->shunts, entry);
 	this->installing++;
 	this->lock->unlock(this->lock);
 
-	success = install_shunt_policy(child);
+	success = install_shunt_policy(cfg);
 
 	this->lock->write_lock(this->lock);
 	if (!success)
 	{
-		this->shunts->remove(this->shunts, child, NULL);
-		child->destroy(child);
+		this->shunts->remove(this->shunts, entry, NULL);
+		entry_destroy(entry);
 	}
 	this->installing--;
 	this->condvar->signal(this->condvar);
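Review bot: The failure path at the end of this hunk calls `entry_destroy(entry)` unconditionally, although the lock was dropped around `install_shunt_policy(cfg)` and the entry was already reachable through `this->shunts` during that window. The `uninstall` method in the next hunk removes and destroys a matching entry under the write lock and, in the lines visible there, does not wait on `this->installing`, so a concurrent uninstall of the same namespace and name would leave this path freeing an already-freed `entry_t`. Before this change the same sequence dropped a reference on a refcounted `child_cfg_t`; with the plain `entry_t` it appears to become a double free. Destroying only when the list still held the entry would close that, e.g. `if (this->shunts->remove(this->shunts, entry, NULL)) { entry_destroy(entry); }`. The body of `install` starts and ends outside this hunk, so a guard elsewhere cannot be ruled out.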
@@ -320,19 +351,20 @@ static void uninstall_shunt_policy(child_cfg_t *child)
 }
 
 METHOD(shunt_manager_t, uninstall, bool,
-	private_shunt_manager_t *this, char *name)
+	private_shunt_manager_t *this, char *ns, char *name)
 {
 	enumerator_t *enumerator;
-	child_cfg_t *child, *found = NULL;
+	entry_t *entry, *found = NULL;
 
 	this->lock->write_lock(this->lock);
 	enumerator = this->shunts->create_enumerator(this->shunts);
-	while (enumerator->enumerate(enumerator, &child))
+	while (enumerator->enumerate(enumerator, &entry))
 	{
-		if (streq(name, child->get_name(child)))
+		if (streq(ns, entry->ns) &&
+			streq(name, entry->cfg->get_name(entry->cfg)))
 		{
 			this->shunts->remove_at(this->shunts, enumerator);
-			found = child;
+			found = entry;
 			break;
 		}
 	}
@@ -343,8 +375,19 @@ METHOD(shunt_manager_t, uninstall, bool,
 	{
 		return FALSE;
 	}
-	uninstall_shunt_policy(child);
-	child->destroy(child);
+	uninstall_shunt_policy(found->cfg);
+	entry_destroy(found);
+	return TRUE;
+}
+
+CALLBACK(filter_entries, bool,
+	void *unused, entry_t **entry, char **ns, void **in, child_cfg_t **cfg)
+{
+	if (ns)
+	{
+		*ns = (*entry)->ns;
+	}
+	*cfg = (*entry)->cfg;
 	return TRUE;
 }
 
@@ -352,25 +395,26 @@ METHOD(shunt_manager_t, create_enumerator, enumerator_t*,
 	private_shunt_manager_t *this)
 {
 	this->lock->read_lock(this->lock);
-	return enumerator_create_cleaner(
+	return enumerator_create_filter(
 							this->shunts->create_enumerator(this->shunts),
-							(void*)this->lock->unlock, this->lock);
+							(void*)filter_entries, this->lock,
+							(void*)this->lock->unlock);
 }
 
 METHOD(shunt_manager_t, flush, void,
 	private_shunt_manager_t *this)
 {
-	child_cfg_t *child;
+	entry_t *entry;
 
 	this->lock->write_lock(this->lock);
 	while (this->installing)
 	{
 		this->condvar->wait(this->condvar, this->lock);
 	}
-	while (this->shunts->remove_last(this->shunts, (void**)&child) == SUCCESS)
+	while (this->shunts->remove_last(this->shunts, (void**)&entry) == SUCCESS)
 	{
-		uninstall_shunt_policy(child);
-		child->destroy(child);
+		uninstall_shunt_policy(entry->cfg);
+		entry_destroy(entry);
 	}
 	this->installing = INSTALL_DISABLED;
 	this->lock->unlock(this->lock);
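Review bot: The enumerator returned by `create_enumerator` now yields `entry->ns` and `entry->cfg` directly (via `filter_entries` in the preceding hunk), without cloning the string or taking a reference, and nothing in the code says so. Both pointers are only protected by the read lock that the enumerator releases on destroy, so a caller that keeps either one past `enumerator->destroy()` can race with `uninstall` or `flush` freeing the entry. I would add a comment on `filter_entries` such as `/* ns and cfg are borrowed from the entry, valid only while the enumerator holds the read lock */` and repeat the ownership rule in the `create_enumerator` documentation in shunt_manager.h.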
diff --git a/src/libcharon/sa/shunt_manager.h b/src/libcharon/sa/shunt_manager.h
index c43f5db..f2b7210 100644
--- a/src/libcharon/sa/shunt_manager.h
+++ b/src/libcharon/sa/shunt_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015 Tobias Brunner
+ * Copyright (C) 2015-2016 Tobias Brunner
  * Copyright (C) 2011 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -36,23 +36,26 @@ struct shunt_manager_t {
 	/**
 	 * Install a policy as a shunt.
 	 *
-	 * @param child 	child configuration to install as a shunt
+	 * @param ns		optional namespace (e.g. name of a connection or
+	 *					plugin), cloned
+	 * @param child		child configuration to install as a shunt
 	 * @return			TRUE if installed successfully
 	 */
-	bool (*install)(shunt_manager_t *this, child_cfg_t *child);
+	bool (*install)(shunt_manager_t *this, char *ns, child_cfg_t *child);
 
 	/**
 	 * Uninstall a shunt policy.
 	 *
+	 * @param ns		namespace (same as given during installation)
 	 * @param name	 	name of child configuration to uninstall as a shunt
 	 * @return			TRUE if uninstalled successfully
 	 */
-	bool (*uninstall)(shunt_manager_t *this, char *name);
+	bool (*uninstall)(shunt_manager_t *this, char *ns, char *name);
 
 	/**
 	 * Create an enumerator over all installed shunts.
 	 *
-	 * @return			enumerator over (child_sa_t)
+	 * @return			enumerator over (char*, child_cfg_t*)
 	 */
 	enumerator_t* (*create_enumerator)(shunt_manager_t *this);
 
diff --git a/src/libcharon/sa/task.c b/src/libcharon/sa/task.c
index 405eda6..30de08c 100644
--- a/src/libcharon/sa/task.c
+++ b/src/libcharon/sa/task.c
@@ -30,6 +30,7 @@ ENUM(task_type_names, TASK_IKE_INIT, TASK_ISAKMP_CERT_POST,
 	"IKE_REAUTH_COMPLETE",
 	"IKE_REDIRECT",
 	"IKE_VERIFY_PEER_CERT",
+	"IKE_MID_SYNC",
 	"IKE_DELETE",
 	"IKE_DPD",
 	"IKE_VENDOR",
diff --git a/src/libcharon/sa/task.h b/src/libcharon/sa/task.h
index 31d70fb..5f77149 100644
--- a/src/libcharon/sa/task.h
+++ b/src/libcharon/sa/task.h
@@ -61,6 +61,8 @@ enum task_type_t {
 	TASK_IKE_REDIRECT,
 	/** verify a peer's certificate */
 	TASK_IKE_VERIFY_PEER_CERT,
+	/** synchronize message IDs, RFC6311 */
+	TASK_IKE_MID_SYNC,
 	/** delete an IKE_SA */
 	TASK_IKE_DELETE,
 	/** liveness check */
diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h
index 86077d3..7e92622 100644
--- a/src/libcharon/sa/task_manager.h
+++ b/src/libcharon/sa/task_manager.h
@@ -240,6 +240,14 @@ struct task_manager_t {
 	void (*incr_mid)(task_manager_t *this, bool initiate);
 
 	/**
+	 * Get the current message ID counter, in- or outbound.
+	 *
+	 * @param initiate		TRUE to get the initiating ID
+	 * @return				current message ID
+	 */
+	uint32_t (*get_mid)(task_manager_t *this, bool initiate);
+
+	/**
 	 * Reset message ID counters of the task manager.
 	 *
 	 * The IKEv2 protocol requires to restart exchanges with message IDs
@@ -253,7 +261,7 @@ struct task_manager_t {
 	 * @param initiate		message ID / DPD seq to initiate exchanges (send)
 	 * @param respond		message ID / DPD seq to respond to exchanges (expect)
 	 */
-	void (*reset) (task_manager_t *this, uint32_t initiate, uint32_t respond);
+	void (*reset)(task_manager_t *this, uint32_t initiate, uint32_t respond);
 
 	/**
 	 * Check if we are currently waiting for a reply.
diff --git a/src/libcharon/tests/Makefile.am b/src/libcharon/tests/Makefile.am
index b867024..8f762a2 100644
--- a/src/libcharon/tests/Makefile.am
+++ b/src/libcharon/tests/Makefile.am
@@ -29,6 +29,7 @@ exchange_tests_SOURCES = \
   suites/test_child_delete.c \
   suites/test_child_rekey.c \
   suites/test_ike_delete.c \
+  suites/test_ike_mid_sync.c \
   suites/test_ike_rekey.c \
   utils/exchange_test_asserts.h utils/exchange_test_asserts.c \
   utils/exchange_test_helper.h utils/exchange_test_helper.c \
diff --git a/src/libcharon/tests/Makefile.in b/src/libcharon/tests/Makefile.in
index 7b6beae..e922a71 100644
--- a/src/libcharon/tests/Makefile.in
+++ b/src/libcharon/tests/Makefile.in
@@ -115,6 +115,7 @@ am_exchange_tests_OBJECTS =  \
 	suites/exchange_tests-test_child_delete.$(OBJEXT) \
 	suites/exchange_tests-test_child_rekey.$(OBJEXT) \
 	suites/exchange_tests-test_ike_delete.$(OBJEXT) \
+	suites/exchange_tests-test_ike_mid_sync.$(OBJEXT) \
 	suites/exchange_tests-test_ike_rekey.$(OBJEXT) \
 	utils/exchange_tests-exchange_test_asserts.$(OBJEXT) \
 	utils/exchange_tests-exchange_test_helper.$(OBJEXT) \
@@ -381,7 +382,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -416,6 +416,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -491,6 +492,7 @@ exchange_tests_SOURCES = \
   suites/test_child_delete.c \
   suites/test_child_rekey.c \
   suites/test_ike_delete.c \
+  suites/test_ike_mid_sync.c \
   suites/test_ike_rekey.c \
   utils/exchange_test_asserts.h utils/exchange_test_asserts.c \
   utils/exchange_test_helper.h utils/exchange_test_helper.c \
@@ -572,6 +574,8 @@ suites/exchange_tests-test_child_rekey.$(OBJEXT):  \
 	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
 suites/exchange_tests-test_ike_delete.$(OBJEXT):  \
 	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
+suites/exchange_tests-test_ike_mid_sync.$(OBJEXT):  \
+	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
 suites/exchange_tests-test_ike_rekey.$(OBJEXT):  \
 	suites/$(am__dirstamp) suites/$(DEPDIR)/$(am__dirstamp)
 utils/$(am__dirstamp):
@@ -623,6 +627,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/exchange_tests-test_child_delete.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/exchange_tests-test_child_rekey.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/exchange_tests-test_ike_delete.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/exchange_tests-test_ike_mid_sync.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/libcharon_tests-test_ike_cfg.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/libcharon_tests-test_mem_pool.Po at am__quote@
@@ -715,6 +720,20 @@ suites/exchange_tests-test_ike_delete.obj: suites/test_ike_delete.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_ike_delete.obj `if test -f 'suites/test_ike_delete.c'; then $(CYGPATH_W) 'suites/test_ike_delete.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ike_delete.c'; fi`
 
+suites/exchange_tests-test_ike_mid_sync.o: suites/test_ike_mid_sync.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_ike_mid_sync.o -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_ike_mid_sync.Tpo -c -o suites/exchange_tests-test_ike_mid_sync.o `test -f 'suites/test_ike_mid_sync.c' || echo '$(srcdir)/'`suites/test_ike_mid_sync.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_ike_mid_sync.Tpo suites/$(DEPDIR)/exchange_tests-test_ike_mid_sync.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_ike_mid_sync.c' object='suites/exchange_tests-test_ike_mid_sync.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_ike_mid_sync.o `test -f 'suites/test_ike_mid_sync.c' || echo '$(srcdir)/'`suites/test_ike_mid_sync.c
+
+suites/exchange_tests-test_ike_mid_sync.obj: suites/test_ike_mid_sync.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_ike_mid_sync.obj -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_ike_mid_sync.Tpo -c -o suites/exchange_tests-test_ike_mid_sync.obj `if test -f 'suites/test_ike_mid_sync.c'; then $(CYGPATH_W) 'suites/test_ike_mid_sync.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ike_mid_sync.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_ike_mid_sync.Tpo suites/$(DEPDIR)/exchange_tests-test_ike_mid_sync.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_ike_mid_sync.c' object='suites/exchange_tests-test_ike_mid_sync.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -c -o suites/exchange_tests-test_ike_mid_sync.obj `if test -f 'suites/test_ike_mid_sync.c'; then $(CYGPATH_W) 'suites/test_ike_mid_sync.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ike_mid_sync.c'; fi`
+
 suites/exchange_tests-test_ike_rekey.o: suites/test_ike_rekey.c
 @am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(exchange_tests_CFLAGS) $(CFLAGS) -MT suites/exchange_tests-test_ike_rekey.o -MD -MP -MF suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Tpo -c -o suites/exchange_tests-test_ike_rekey.o `test -f 'suites/test_ike_rekey.c' || echo '$(srcdir)/'`suites/test_ike_rekey.c
 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Tpo suites/$(DEPDIR)/exchange_tests-test_ike_rekey.Po
diff --git a/src/libcharon/tests/exchange_tests.h b/src/libcharon/tests/exchange_tests.h
index 3008672..6b35ea5 100644
--- a/src/libcharon/tests/exchange_tests.h
+++ b/src/libcharon/tests/exchange_tests.h
@@ -14,6 +14,7 @@
  */
 
 TEST_SUITE(ike_delete_suite_create)
+TEST_SUITE(ike_mid_sync_suite_create)
 TEST_SUITE(ike_rekey_suite_create)
 TEST_SUITE(child_create_suite_create)
 TEST_SUITE(child_delete_suite_create)
diff --git a/src/libcharon/tests/libcharon_tests.c b/src/libcharon/tests/libcharon_tests.c
index 1ef13e9..3fe5b0e 100644
--- a/src/libcharon/tests/libcharon_tests.c
+++ b/src/libcharon/tests/libcharon_tests.c
@@ -45,7 +45,7 @@ static void initialize_logging()
 	lib->settings->set_int(lib->settings, "%s.filelog.stderr.default",
 			lib->settings->get_int(lib->settings, "%s.filelog.stderr.default",
 								   level, lib->ns), lib->ns);
-	charon->load_loggers(charon, NULL, TRUE);
+	charon->load_loggers(charon);
 }
 
 static bool test_runner_init(bool init)
diff --git a/src/libcharon/tests/suites/test_ike_mid_sync.c b/src/libcharon/tests/suites/test_ike_mid_sync.c
new file mode 100644
index 0000000..3776f39
--- /dev/null
+++ b/src/libcharon/tests/suites/test_ike_mid_sync.c
@@ -0,0 +1,535 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <tests/utils/exchange_test_helper.h>
+#include <tests/utils/exchange_test_asserts.h>
+#include <tests/utils/sa_asserts.h>
+#include <bio/bio_reader.h>
+#include <bio/bio_writer.h>
+
+/**
+ * FIXME: Since we don't have the server side yet, this is kind of a hack!!!
+ */
+
+/**
+ * Add the IKEV2_MESSAGE_ID_SYNC_SUPPORTED notify to the IKE_AUTH response
+ */
+static bool add_notify(listener_t *listener, ike_sa_t *ike_sa,
+					   message_t *message, bool incoming, bool plain)
+{
+	if (plain && !incoming && message->get_exchange_type(message) == IKE_AUTH &&
+		!message->get_request(message))
+	{
+		message->add_notify(message, FALSE, IKEV2_MESSAGE_ID_SYNC_SUPPORTED,
+							chunk_empty);
+		return FALSE;
+	}
+	return TRUE;
+}
+#define add_notify_to_ike_auth() ({ \
+	listener_t _notify_listener = { \
+		.message = add_notify, \
+	}; \
+	exchange_test_helper->add_listener(exchange_test_helper, &_notify_listener); \
+})
+
+/**
+ * Handle IKEV2_MESSAGE_ID_SYNC notifies
+ */
+typedef struct {
+	listener_t listener;
+	struct {
+		chunk_t nonce;
+		uint32_t send;
+		uint32_t recv;
+	} init, resp;
+} mid_sync_listener_t;
+
+static bool handle_mid(listener_t *listener,
+				ike_sa_t *ike_sa, message_t *message, bool incoming, bool plain)
+{
+	mid_sync_listener_t *this = (mid_sync_listener_t*)listener;
+
+	if (!plain || incoming)
+	{
+		return TRUE;
+	}
+
+	if (message->get_exchange_type(message) == INFORMATIONAL)
+	{
+		if (streq("resp", ike_sa->get_name(ike_sa)))
+		{
+			bio_writer_t *writer;
+			rng_t *rng;
+
+			rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
+			ignore_result(rng->allocate_bytes(rng, 4, &this->init.nonce));
+			rng->destroy(rng);
+			writer = bio_writer_create(12);
+			writer->write_data(writer, this->init.nonce);
+			writer->write_uint32(writer, this->init.send);
+			writer->write_uint32(writer, this->init.recv);
+			message->set_message_id(message, 0);
+			message->add_notify(message, FALSE, IKEV2_MESSAGE_ID_SYNC,
+								writer->get_buf(writer));
+			writer->destroy(writer);
+		}
+		else
+		{
+			notify_payload_t *notify;
+			bio_reader_t *reader;
+
+			notify = message->get_notify(message, IKEV2_MESSAGE_ID_SYNC);
+			reader = bio_reader_create(notify->get_notification_data(notify));
+			chunk_clear(&this->resp.nonce);
+			reader->read_data(reader, 4, &this->resp.nonce);
+			this->resp.nonce = chunk_clone(this->resp.nonce);
+			reader->read_uint32(reader, &this->resp.send);
+			reader->read_uint32(reader, &this->resp.recv);
+			reader->destroy(reader);
+		}
+	}
+	return TRUE;
+}
+
+/**
+ * Send a MESSAGE_ID_SYNC notify in an INFORMATIONAL.  We reset the state
+ * afterwards so this seems as if nothing happened.
+ */
+static void send_mid_sync(ike_sa_t *sa, uint32_t send, uint32_t recv)
+{
+	call_ikesa(sa, send_dpd);
+	sa->set_message_id(sa, TRUE, send);
+	sa->set_message_id(sa, FALSE, recv);
+	sa->flush_queue(sa, TASK_QUEUE_QUEUED);
+}
+
+/**
+ * Send a regular DPD from one IKE_SA to another
+ */
+static void send_dpd(ike_sa_t *from, ike_sa_t *to)
+{
+	uint32_t send, recv;
+
+	send = from->get_message_id(from, TRUE);
+	recv = to->get_message_id(to, FALSE);
+	call_ikesa(from, send_dpd);
+	exchange_test_helper->process_message(exchange_test_helper, to, NULL);
+	exchange_test_helper->process_message(exchange_test_helper, from, NULL);
+	ck_assert_int_eq(send + 1, from->get_message_id(from, TRUE));
+	ck_assert_int_eq(recv + 1, to->get_message_id(to, FALSE));
+}
+
+/**
+ * Send a number of DPDs from on IKE_SA to the other
+ */
+static void send_dpds(ike_sa_t *from, ike_sa_t *to, int count)
+{
+	while (count--)
+	{
+		send_dpd(from, to);
+	}
+}
+
+static struct {
+	int dpds_a, dpds_b;
+	uint32_t send, recv;
+} data[] = {
+	{ 0, 0, 0, 2 },
+	{ 0, 0, 1, 3 },
+	{ 1, 0, 0, 3 },
+	{ 1, 0, 5, 8 },
+	{ 0, 1, 1, 2 },
+	{ 0, 1, 2, 2 },
+	{ 1, 1, 1, 3 },
+	{ 1, 1, 2, 4 },
+	{ 1, 2, 2, 4 },
+};
+
+/**
+ * The responder syncs message IDs with the initiator
+ */
+START_TEST(test_responder)
+{
+	ike_sa_t *a, *b;
+	mid_sync_listener_t mid = {
+		.listener = { .message = (void*)handle_mid, },
+		.init = {
+			.send = data[_i].send,
+			.recv = data[_i].recv,
+		},
+	};
+
+	add_notify_to_ike_auth();
+	exchange_test_helper->establish_sa(exchange_test_helper,
+									   &a, &b, NULL);
+
+	send_dpds(a, b, data[_i].dpds_a);
+	send_dpds(b, a, data[_i].dpds_b);
+
+	exchange_test_helper->add_listener(exchange_test_helper, &mid.listener);
+	send_mid_sync(b, data[_i].send, data[_i].recv);
+	exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+	ck_assert_chunk_eq(mid.init.nonce, mid.resp.nonce);
+	ck_assert_int_eq(data[_i].recv, mid.resp.send);
+	ck_assert_int_eq(data[_i].send, mid.resp.recv);
+	ck_assert_int_eq(data[_i].recv, a->get_message_id(a, TRUE));
+	ck_assert_int_eq(data[_i].send, a->get_message_id(a, FALSE));
+	/* this currently won't be handled */
+	exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+	charon->bus->remove_listener(charon->bus, &mid.listener);
+
+	send_dpd(a, b);
+	send_dpd(b, a);
+
+	call_ikesa(a, destroy);
+	call_ikesa(b, destroy);
+	chunk_free(&mid.init.nonce);
+	chunk_free(&mid.resp.nonce);
+}
+END_TEST
+
+/**
+ * Make sure a retransmit is handled properly.
+ */
+START_TEST(test_retransmit)
+{
+	ike_sa_t *a, *b;
+	mid_sync_listener_t mid = {
+		.listener = { .message = (void*)handle_mid, },
+		.init = {
+			.send = data[_i].send,
+			.recv = data[_i].recv,
+		},
+	};
+	message_t *msg, *retransmit;
+
+	add_notify_to_ike_auth();
+	exchange_test_helper->establish_sa(exchange_test_helper,
+									   &a, &b, NULL);
+
+	send_dpds(a, b, data[_i].dpds_a);
+	send_dpds(b, a, data[_i].dpds_b);
+
+	exchange_test_helper->add_listener(exchange_test_helper, &mid.listener);
+	send_mid_sync(b, data[_i].send, data[_i].recv);
+	msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+	retransmit = message_create_from_packet(msg->get_packet(msg));
+	retransmit->parse_header(retransmit);
+	exchange_test_helper->process_message(exchange_test_helper, a, msg);
+	msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+	msg->destroy(msg);
+	exchange_test_helper->process_message(exchange_test_helper, a, retransmit);
+	exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+	charon->bus->remove_listener(charon->bus, &mid.listener);
+
+	send_dpd(a, b);
+	send_dpd(b, a);
+
+	call_ikesa(a, destroy);
+	call_ikesa(b, destroy);
+	chunk_free(&mid.init.nonce);
+	chunk_free(&mid.resp.nonce);
+}
+END_TEST
+
+/**
+ * Make sure a replayed or delayed notify is ignored.
+ */
+START_TEST(test_replay)
+{
+	ike_sa_t *a, *b;
+	mid_sync_listener_t mid = {
+		.listener = { .message = (void*)handle_mid, },
+		.init = {
+			.send = data[_i].send,
+			.recv = data[_i].recv,
+		},
+	};
+	message_t *msg, *replay;
+
+	add_notify_to_ike_auth();
+	exchange_test_helper->establish_sa(exchange_test_helper,
+									   &a, &b, NULL);
+
+	send_dpds(a, b, data[_i].dpds_a);
+	send_dpds(b, a, data[_i].dpds_b);
+
+	exchange_test_helper->add_listener(exchange_test_helper, &mid.listener);
+	send_mid_sync(b, data[_i].send, data[_i].recv);
+	msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+	replay = message_create_from_packet(msg->get_packet(msg));
+	replay->parse_header(replay);
+	exchange_test_helper->process_message(exchange_test_helper, a, msg);
+	exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+	charon->bus->remove_listener(charon->bus, &mid.listener);
+
+	send_dpd(a, b);
+	send_dpd(b, a);
+
+	exchange_test_helper->process_message(exchange_test_helper, a, replay);
+	ck_assert(!exchange_test_helper->sender->dequeue(exchange_test_helper->sender));
+
+	call_ikesa(a, destroy);
+	call_ikesa(b, destroy);
+	chunk_free(&mid.init.nonce);
+	chunk_free(&mid.resp.nonce);
+}
+END_TEST
+
+/**
+ * Make sure the notify is ignored if the extension is not enabled.
+ */
+START_TEST(test_disabled)
+{
+	ike_sa_t *a, *b;
+	mid_sync_listener_t mid = {
+		.listener = { .message = (void*)handle_mid, },
+		.init = {
+			.send = data[_i].send,
+			.recv = data[_i].recv,
+		},
+	};
+
+	exchange_test_helper->establish_sa(exchange_test_helper,
+									   &a, &b, NULL);
+
+	send_dpds(a, b, data[_i].dpds_a);
+	send_dpds(b, a, data[_i].dpds_b);
+
+	exchange_test_helper->add_listener(exchange_test_helper, &mid.listener);
+	send_mid_sync(b, data[_i].dpds_b, UINT_MAX);
+	exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+	/* we don't expect a response and unchanged MIDs */
+	ck_assert(!exchange_test_helper->sender->dequeue(exchange_test_helper->sender));
+	ck_assert_int_eq(2 + data[_i].dpds_a, a->get_message_id(a, TRUE));
+	ck_assert_int_eq(data[_i].dpds_b, a->get_message_id(a, FALSE));
+	charon->bus->remove_listener(charon->bus, &mid.listener);
+
+	send_dpd(a, b);
+	send_dpd(b, a);
+
+	call_ikesa(a, destroy);
+	call_ikesa(b, destroy);
+	chunk_free(&mid.init.nonce);
+	chunk_free(&mid.resp.nonce);
+}
+END_TEST
+
+static struct {
+	int dpds_a, dpds_b;
+	uint32_t send, recv;
+} data_too_low[] = {
+	{ 0, 1, 0, 2 },
+	{ 1, 2, 0, 0 },
+	{ 1, 2, 1, 3 },
+};
+
+/**
+ * The responder syncs message IDs with the initiator but uses too low sender
+ * MIDs so the initiator ignores the notify.
+ */
+START_TEST(test_sender_too_low)
+{
+	ike_sa_t *a, *b;
+	mid_sync_listener_t mid = {
+		.listener = { .message = (void*)handle_mid, },
+		.init = {
+			.send = data_too_low[_i].send,
+			.recv = data_too_low[_i].recv,
+		},
+	};
+
+	add_notify_to_ike_auth();
+	exchange_test_helper->establish_sa(exchange_test_helper,
+									   &a, &b, NULL);
+
+	send_dpds(a, b, data_too_low[_i].dpds_a);
+	send_dpds(b, a, data_too_low[_i].dpds_b);
+
+	exchange_test_helper->add_listener(exchange_test_helper, &mid.listener);
+	send_mid_sync(b, data_too_low[_i].dpds_b, UINT_MAX);
+	exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+	/* we don't expect a response and unchanged MIDs */
+	ck_assert(!exchange_test_helper->sender->dequeue(exchange_test_helper->sender));
+	ck_assert_int_eq(2 + data_too_low[_i].dpds_a, a->get_message_id(a, TRUE));
+	ck_assert_int_eq(data_too_low[_i].dpds_b, a->get_message_id(a, FALSE));
+	charon->bus->remove_listener(charon->bus, &mid.listener);
+
+	send_dpd(a, b);
+	send_dpd(b, a);
+
+	call_ikesa(a, destroy);
+	call_ikesa(b, destroy);
+	chunk_free(&mid.init.nonce);
+}
+END_TEST
+
+static struct {
+	int dpds_a, dpds_b;
+	uint32_t send, recv;
+	/* reversed so the table below is clearer */
+	uint32_t recv_exp, send_exp;
+} data_recv_update[] = {
+	{ 0, 0, 0, 0, 0, 2 },
+	{ 0, 0, 0, 1, 0, 2 },
+	{ 0, 0, 1, 1, 1, 2 },
+	{ 1, 0, 0, 1, 0, 3 },
+	{ 1, 0, 5, 2, 5, 3 },
+};
+
+/**
+ * The responder syncs message IDs with the initiator but uses too low receiver
+ * MID, which is updated by the initiator in the response.
+ */
+START_TEST(test_recv_update)
+{
+	ike_sa_t *a, *b;
+	mid_sync_listener_t mid = {
+		.listener = { .message = (void*)handle_mid, },
+		.init = {
+			.send = data_recv_update[_i].send,
+			.recv = data_recv_update[_i].recv,
+		},
+	};
+
+	add_notify_to_ike_auth();
+	exchange_test_helper->establish_sa(exchange_test_helper,
+									   &a, &b, NULL);
+
+	send_dpds(a, b, data_recv_update[_i].dpds_a);
+	send_dpds(b, a, data_recv_update[_i].dpds_b);
+
+	exchange_test_helper->add_listener(exchange_test_helper, &mid.listener);
+	send_mid_sync(b, data_recv_update[_i].send, data_recv_update[_i].recv);
+	exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+	ck_assert_chunk_eq(mid.init.nonce, mid.resp.nonce);
+	ck_assert_int_eq(data_recv_update[_i].send_exp, mid.resp.send);
+	ck_assert_int_eq(data_recv_update[_i].recv_exp, mid.resp.recv);
+	ck_assert_int_eq(data_recv_update[_i].send_exp, a->get_message_id(a, TRUE));
+	ck_assert_int_eq(data_recv_update[_i].recv_exp, a->get_message_id(a, FALSE));
+	exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+	charon->bus->remove_listener(charon->bus, &mid.listener);
+	/* fake the receipt of the notify */
+	b->set_message_id(b, TRUE, data_recv_update[_i].recv_exp);
+	b->set_message_id(b, FALSE, data_recv_update[_i].send_exp);
+
+	send_dpd(a, b);
+	send_dpd(b, a);
+
+	call_ikesa(a, destroy);
+	call_ikesa(b, destroy);
+	chunk_free(&mid.init.nonce);
+	chunk_free(&mid.resp.nonce);
+}
+END_TEST
+
+static struct {
+	int dpds_a, dpds_b;
+	uint32_t send, recv;
+	/* reversed so the table below is clearer */
+	uint32_t recv_exp, send_exp;
+} data_active[] = {
+	{ 0, 0, 0, 2, 0, 3 },
+	{ 0, 0, 1, 3, 1, 3 },
+	{ 1, 0, 0, 3, 0, 4 },
+	{ 1, 0, 5, 8, 5, 8 },
+	{ 0, 1, 1, 2, 1, 3 },
+	{ 0, 1, 2, 2, 2, 2 },
+	{ 1, 1, 1, 3, 1, 4 },
+	{ 1, 1, 2, 4, 2, 4 },
+};
+
+/**
+ * The responder syncs message IDs with the initiator that waits for the
+ * response for an active task.
+ */
+START_TEST(test_active)
+{
+	ike_sa_t *a, *b;
+	mid_sync_listener_t mid = {
+		.listener = { .message = (void*)handle_mid, },
+		.init = {
+			.send = data_active[_i].send,
+			.recv = data_active[_i].recv,
+		},
+	};
+	message_t *msg;
+
+	add_notify_to_ike_auth();
+	exchange_test_helper->establish_sa(exchange_test_helper,
+									   &a, &b, NULL);
+
+	send_dpds(a, b, data_active[_i].dpds_a);
+	send_dpds(b, a, data_active[_i].dpds_b);
+
+	call_ikesa(a, send_dpd);
+	msg = exchange_test_helper->sender->dequeue(exchange_test_helper->sender);
+	msg->destroy(msg);
+
+	exchange_test_helper->add_listener(exchange_test_helper, &mid.listener);
+	send_mid_sync(b, data_active[_i].recv_exp, data_active[_i].send_exp);
+	exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+	ck_assert_chunk_eq(mid.init.nonce, mid.resp.nonce);
+	ck_assert_int_eq(data_active[_i].send_exp, mid.resp.send);
+	ck_assert_int_eq(data_active[_i].recv_exp, mid.resp.recv);
+	ck_assert_int_eq(data_active[_i].send_exp, a->get_message_id(a, TRUE));
+	ck_assert_int_eq(data_active[_i].recv_exp, a->get_message_id(a, FALSE));
+	exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+	charon->bus->remove_listener(charon->bus, &mid.listener);
+
+	/* the active task was queued again */
+	call_ikesa(a, initiate, NULL, 0, NULL, NULL);
+	exchange_test_helper->process_message(exchange_test_helper, b, NULL);
+	exchange_test_helper->process_message(exchange_test_helper, a, NULL);
+	send_dpd(b, a);
+
+	call_ikesa(a, destroy);
+	call_ikesa(b, destroy);
+	chunk_free(&mid.init.nonce);
+	chunk_free(&mid.resp.nonce);
+}
+END_TEST
+
+Suite *ike_mid_sync_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("ike MID sync");
+
+	tc = tcase_create("responder");
+	tcase_add_loop_test(tc, test_responder, 0, countof(data));
+	tcase_add_loop_test(tc, test_retransmit, 0, countof(data));
+	tcase_add_loop_test(tc, test_replay, 0, countof(data));
+	tcase_add_loop_test(tc, test_disabled, 0, countof(data));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("sender MID too low");
+	tcase_add_loop_test(tc, test_sender_too_low, 0, countof(data_too_low));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("receiver MID updated");
+	tcase_add_loop_test(tc, test_recv_update, 0, countof(data_recv_update));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("active task");
+	tcase_add_loop_test(tc, test_active, 0, countof(data_active));
+	suite_add_tcase(s, tc);
+
+	return s;
+}
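Review bot: `add_notify_to_ike_auth()` registers the address of `_notify_listener`, an automatic variable declared inside the `({ ... })` statement expression, so the object's lifetime ends when the macro's block closes while the helper still holds the pointer during `establish_sa()`. Assuming `add_listener` stores the pointer rather than copying the struct (the tests later call `remove_listener(charon->bus, &mid.listener)` by address, which suggests it does), `add_notify` is then invoked through a dangling pointer. Giving the listener static storage avoids that: `static listener_t _notify_listener = { \`. Separately, `handle_mid` dereferences the result of `message->get_notify(message, IKEV2_MESSAGE_ID_SYNC)` without a NULL check, so a regression that drops the notify from the response would crash the test runner instead of failing the nonce and MID assertions. An `if (!notify) { return TRUE; }` guard before creating the reader would let those assertions report it.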
diff --git a/src/libcharon/tests/suites/test_proposal.c b/src/libcharon/tests/suites/test_proposal.c
index 19f4cd1..f159179 100644
--- a/src/libcharon/tests/suites/test_proposal.c
+++ b/src/libcharon/tests/suites/test_proposal.c
@@ -108,7 +108,7 @@ START_TEST(test_select)
 									   select_data[_i].self);
 	other = proposal_create_from_string(select_data[_i].proto,
 										select_data[_i].other);
-	selected = self->select(self, other, FALSE);
+	selected = self->select(self, other, TRUE, FALSE);
 	if (select_data[_i].expected)
 	{
 		expected = proposal_create_from_string(select_data[_i].proto,
@@ -128,6 +128,29 @@ START_TEST(test_select)
 }
 END_TEST
 
+START_TEST(test_select_spi)
+{
+	proposal_t *self, *other, *selected;
+
+	self = proposal_create_from_string(PROTO_ESP, "aes128-sha256-modp3072");
+	other = proposal_create_from_string(PROTO_ESP, "aes128-sha256-modp3072");
+	other->set_spi(other, 0x12345678);
+
+	selected = self->select(self, other, TRUE, FALSE);
+	ck_assert(selected);
+	ck_assert_int_eq(selected->get_spi(selected), other->get_spi(other));
+	selected->destroy(selected);
+
+	selected = self->select(self, other, FALSE, FALSE);
+	ck_assert(selected);
+	ck_assert_int_eq(selected->get_spi(selected), self->get_spi(self));
+	selected->destroy(selected);
+
+	other->destroy(other);
+	self->destroy(self);
+}
+END_TEST
+
 Suite *proposal_suite_create()
 {
 	Suite *s;
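Review bot: The second assertion in test_select_spi compares `selected->get_spi(selected)` with `self->get_spi(self)`, but `self` never gets an SPI, so the check only holds against whatever value proposal_create_from_string() leaves there (presumably 0). As written it cannot tell "the local SPI was copied" from "no SPI was set at all". Giving `self` its own distinct value before the calls, e.g. `self->set_spi(self, 0x87654321);` (arbitrary sample value), would make the `FALSE` case as meaningful as the `TRUE` case.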
@@ -141,6 +164,7 @@ Suite *proposal_suite_create()
 
 	tc = tcase_create("select");
 	tcase_add_loop_test(tc, test_select, 0, countof(select_data));
+	tcase_add_test(tc, test_select_spi);
 	suite_add_tcase(s, tc);
 
 	return s;
diff --git a/src/libcharon/tests/utils/exchange_test_helper.c b/src/libcharon/tests/utils/exchange_test_helper.c
index f32906d..fce0cce 100644
--- a/src/libcharon/tests/utils/exchange_test_helper.c
+++ b/src/libcharon/tests/utils/exchange_test_helper.c
@@ -282,7 +282,7 @@ static void initialize_logging()
 								   level, lib->ns), lib->ns);
 	lib->settings->set_bool(lib->settings, "%s.filelog.stderr.ike_name", TRUE,
 							lib->ns);
-	charon->load_loggers(charon, NULL, TRUE);
+	charon->load_loggers(charon);
 }
 
 /**
diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in
index 79a9d74..c3512b6 100644
--- a/src/libfast/Makefile.in
+++ b/src/libfast/Makefile.in
@@ -363,7 +363,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -398,6 +397,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in
index 4e5be54..b0b55fb 100644
--- a/src/libimcv/Makefile.in
+++ b/src/libimcv/Makefile.in
@@ -532,7 +532,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -567,6 +566,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_attestation/Makefile.in b/src/libimcv/plugins/imc_attestation/Makefile.in
index f5c73ef..0475cee 100644
--- a/src/libimcv/plugins/imc_attestation/Makefile.in
+++ b/src/libimcv/plugins/imc_attestation/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_hcd/Makefile.in b/src/libimcv/plugins/imc_hcd/Makefile.in
index ffc5710..e2f1dc5 100644
--- a/src/libimcv/plugins/imc_hcd/Makefile.in
+++ b/src/libimcv/plugins/imc_hcd/Makefile.in
@@ -355,7 +355,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -390,6 +389,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index 4d6eff5..0fa0d19 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -355,7 +355,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -390,6 +389,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in
index 7e18b3c..1b776b2 100644
--- a/src/libimcv/plugins/imc_scanner/Makefile.in
+++ b/src/libimcv/plugins/imc_scanner/Makefile.in
@@ -356,7 +356,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -391,6 +390,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_swid/Makefile.in b/src/libimcv/plugins/imc_swid/Makefile.in
index f97a7ba..13d1924 100644
--- a/src/libimcv/plugins/imc_swid/Makefile.in
+++ b/src/libimcv/plugins/imc_swid/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in
index 95acd4b..7a4149e 100644
--- a/src/libimcv/plugins/imc_test/Makefile.in
+++ b/src/libimcv/plugins/imc_test/Makefile.in
@@ -355,7 +355,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -390,6 +389,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_attestation/Makefile.in b/src/libimcv/plugins/imv_attestation/Makefile.in
index 2be4e15..9782757 100644
--- a/src/libimcv/plugins/imv_attestation/Makefile.in
+++ b/src/libimcv/plugins/imv_attestation/Makefile.in
@@ -369,7 +369,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -404,6 +403,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_hcd/Makefile.in b/src/libimcv/plugins/imv_hcd/Makefile.in
index 1c3d0ac..62bd827 100644
--- a/src/libimcv/plugins/imv_hcd/Makefile.in
+++ b/src/libimcv/plugins/imv_hcd/Makefile.in
@@ -355,7 +355,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -390,6 +389,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in
index b119559..efefdc8 100644
--- a/src/libimcv/plugins/imv_os/Makefile.in
+++ b/src/libimcv/plugins/imv_os/Makefile.in
@@ -363,7 +363,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -398,6 +397,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in
index 22eb4ae..535e28f 100644
--- a/src/libimcv/plugins/imv_scanner/Makefile.in
+++ b/src/libimcv/plugins/imv_scanner/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_swid/Makefile.in b/src/libimcv/plugins/imv_swid/Makefile.in
index 21bbe4a..1150f12 100644
--- a/src/libimcv/plugins/imv_swid/Makefile.in
+++ b/src/libimcv/plugins/imv_swid/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index a32a465..055d6fd 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -356,7 +356,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -391,6 +390,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libipsec/Makefile.am b/src/libipsec/Makefile.am
index 90b4561..a35aba2 100644
--- a/src/libipsec/Makefile.am
+++ b/src/libipsec/Makefile.am
@@ -16,6 +16,10 @@ ipsec_sa_mgr.c ipsec_sa_mgr.h
 libipsec_la_LIBADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
 
+if USE_WINDOWS
+  libipsec_la_LIBADD += -lws2_32
+endif
+
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan
 
diff --git a/src/libipsec/Makefile.in b/src/libipsec/Makefile.in
index ea73c60..7d514fd 100644
--- a/src/libipsec/Makefile.in
+++ b/src/libipsec/Makefile.in
@@ -88,6 +88,7 @@ PRE_UNINSTALL = :
 POST_UNINSTALL = :
 build_triplet = @build@
 host_triplet = @host@
+ at USE_WINDOWS_TRUE@am__append_1 = -lws2_32
 subdir = src/libipsec
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -136,8 +137,10 @@ am__uninstall_files_from_dir = { \
   }
 am__installdirs = "$(DESTDIR)$(ipseclibdir)"
 LTLIBRARIES = $(ipseclib_LTLIBRARIES)
+am__DEPENDENCIES_1 =
 libipsec_la_DEPENDENCIES =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__DEPENDENCIES_1)
 am_libipsec_la_OBJECTS = ipsec.lo esp_context.lo esp_packet.lo \
 	ip_packet.lo ipsec_event_relay.lo ipsec_policy.lo \
 	ipsec_policy_mgr.lo ipsec_processor.lo ipsec_sa.lo \
@@ -397,7 +400,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -432,6 +434,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -495,9 +498,9 @@ ipsec_processor.c ipsec_processor.h \
 ipsec_sa.c ipsec_sa.h \
 ipsec_sa_mgr.c ipsec_sa_mgr.h
 
-libipsec_la_LIBADD = \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la
-
+libipsec_la_LIBADD =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__append_1)
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan
 
diff --git a/src/libipsec/esp_context.c b/src/libipsec/esp_context.c
index 6c7e9a1..c014e68 100644
--- a/src/libipsec/esp_context.c
+++ b/src/libipsec/esp_context.c
@@ -210,19 +210,32 @@ METHOD(esp_context_t, destroy, void,
 static bool create_aead(private_esp_context_t *this, int alg,
 						chunk_t key)
 {
+	size_t salt = 0;
+
 	switch (alg)
 	{
 		case ENCR_AES_GCM_ICV8:
 		case ENCR_AES_GCM_ICV12:
 		case ENCR_AES_GCM_ICV16:
 		case ENCR_CHACHA20_POLY1305:
-			/* the key includes a 4 byte salt */
-			this->aead = lib->crypto->create_aead(lib->crypto, alg,
-												  key.len - 4, 4);
+			salt = 4;
+			break;
+		case ENCR_AES_CCM_ICV8:
+		case ENCR_AES_CCM_ICV12:
+		case ENCR_AES_CCM_ICV16:
+		case ENCR_CAMELLIA_CCM_ICV8:
+		case ENCR_CAMELLIA_CCM_ICV12:
+		case ENCR_CAMELLIA_CCM_ICV16:
+			salt = 3;
 			break;
 		default:
 			break;
 	}
+	if (salt)
+	{
+		this->aead = lib->crypto->create_aead(lib->crypto, alg,
+											  key.len - salt, salt);
+	}
 	if (!this->aead)
 	{
 		DBG1(DBG_ESP, "failed to create ESP context: unsupported AEAD "
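Review bot: `key.len - salt` in the new create_aead() call is an unsigned subtraction with no check that the key is longer than the salt, so a key of `salt` bytes or fewer wraps to a huge key size instead of being rejected up front. Whether callers guarantee a minimum key length is not visible here; a local guard such as `if (salt && key.len > salt)` keeps the function safe on its own and still lands in the existing failure branch. The removed comment was the only explanation of the constants, so a replacement on each assignment would help, e.g. `/* the key includes a 4 byte salt */` and `/* the key includes a 3 byte salt */`. The function body continues past the end of this hunk.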
diff --git a/src/libipsec/esp_packet.c b/src/libipsec/esp_packet.c
index 50bc8b4..2c52177 100644
--- a/src/libipsec/esp_packet.c
+++ b/src/libipsec/esp_packet.c
@@ -25,7 +25,9 @@
 #include <bio/bio_reader.h>
 #include <bio/bio_writer.h>
 
+#ifndef WIN32
 #include <netinet/in.h>
+#endif
 
 typedef struct private_esp_packet_t private_esp_packet_t;
 
diff --git a/src/libipsec/ip_packet.c b/src/libipsec/ip_packet.c
index 0fdd5d3..78b4c40 100644
--- a/src/libipsec/ip_packet.c
+++ b/src/libipsec/ip_packet.c
@@ -20,11 +20,40 @@
 #include <utils/debug.h>
 
 #include <sys/types.h>
+
+#ifndef WIN32
 #include <netinet/in.h>
 #include <netinet/ip.h>
 #ifdef HAVE_NETINET_IP6_H
 #include <netinet/ip6.h>
 #endif
+#else
+struct ip {
+#if BYTE_ORDER == LITTLE_ENDIAN
+	uint8_t ip_hl: 4;
+	uint8_t ip_v: 4;
+#elif BYTE_ORDER == BIG_ENDIAN
+	uint8_t ip_v: 4;
+	uint8_t ip_hl: 4;
+#endif
+	uint8_t ip_tos;
+	uint16_t ip_len;
+	uint16_t ip_id;
+	uint16_t ip_off;
+	uint8_t ip_ttl;
+	uint8_t ip_p;
+	uint16_t ip_sum;
+	struct in_addr ip_src, ip_dst;
+} __attribute__((packed));
+struct ip6_hdr {
+	uint32_t ip6_flow; /* 4 bit version, 8 bit TC, 20 bit flow label */
+	uint16_t ip6_plen;
+	uint8_t ip6_nxt;
+	uint8_t ip6_hlim;
+	struct in6_addr ip6_src, ip6_dst;
+} __attribute__((packed));
+#define HAVE_NETINET_IP6_H /* not really, but we only need the struct above */
+#endif
 
 /**
  * TCP header, defined here because platforms disagree regarding member names
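Review bot: The WIN32 fallback `struct ip` has no `#else` after `#elif BYTE_ORDER == BIG_ENDIAN`, so an unexpected byte-order setting is never reported. If neither branch is taken the struct is compiled without its version/length byte and every later field shifts, and if the macros are undefined the preprocessor compares 0 with 0 and silently picks the little-endian layout. Closing the chain with `#else` followed by `#error "unknown byte order"` turns both cases into a build failure. Because these structs presumably overlay raw packet bytes, a compile-time size check (20 bytes for `struct ip`, 40 for `struct ip6_hdr`) next to the definitions would also catch a toolchain that lays out the packed bit-fields differently.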
diff --git a/src/libipsec/ipsec_policy.c b/src/libipsec/ipsec_policy.c
index 8077d3c..98201b8 100644
--- a/src/libipsec/ipsec_policy.c
+++ b/src/libipsec/ipsec_policy.c
@@ -101,6 +101,24 @@ METHOD(ipsec_policy_t, match, bool,
 			this->dst_ts->equals(this->dst_ts, dst_ts));
 }
 
+/**
+ * Match the port of the given host against the given traffic selector.
+ */
+static inline bool match_port(traffic_selector_t *ts, host_t *host)
+{
+	uint16_t from, to, port;
+
+	from = ts->get_from_port(ts);
+	to = ts->get_to_port(ts);
+	if ((from == 0 && to == 0xffff) ||
+		(from == 0xffff && to == 0))
+	{
+		return TRUE;
+	}
+	port = host->get_port(host);
+	return from <= port && port <= to;
+}
+
 METHOD(ipsec_policy_t, match_packet, bool,
 	private_ipsec_policy_t *this, ip_packet_t *packet)
 {
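Review bot: match_port()'s comment does not say why two port ranges bypass the comparison, and `from == 0xffff && to == 0` in particular reads like an inverted range rather than a deliberate wildcard. Since this decides whether a packet matches an IPsec policy, the intent should be recorded on the condition, e.g. `/* 0-65535 is any port; 65535-0 presumably encodes OPAQUE and is accepted as well */`. The header comment could also state that the port comes from `host->get_port()` and what value is expected for protocols without ports, which is not visible in this hunk. match_packet(), the caller, begins on the last lines of this hunk and continues in the next one.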
@@ -110,7 +128,9 @@ METHOD(ipsec_policy_t, match_packet, bool,
 
 	return (!this->protocol || this->protocol == proto) &&
 		   this->src_ts->includes(this->src_ts, src) &&
-		   this->dst_ts->includes(this->dst_ts, dst);
+		   match_port(this->src_ts, src) &&
+		   this->dst_ts->includes(this->dst_ts, dst) &&
+		   match_port(this->dst_ts, dst);
 }
 
 METHOD(ipsec_policy_t, get_source_ts, traffic_selector_t*,
diff --git a/src/libipsec/ipsec_processor.c b/src/libipsec/ipsec_processor.c
index af79707..23b8ad2 100644
--- a/src/libipsec/ipsec_processor.c
+++ b/src/libipsec/ipsec_processor.c
@@ -148,9 +148,10 @@ static job_requeue_t process_inbound(private_ipsec_processor_t *this)
 				policy->destroy(policy);
 				break;
 			}
-			DBG1(DBG_ESP, "discarding inbound IP packet %H == %H due to "
-				 "policy", ip_packet->get_source(ip_packet),
-				 ip_packet->get_destination(ip_packet));
+			DBG1(DBG_ESP, "discarding inbound IP packet %#H == %#H [%hhu] due "
+				 "to policy", ip_packet->get_source(ip_packet),
+				 ip_packet->get_destination(ip_packet),
+				 ip_packet->get_next_header(ip_packet));
 			/* no matching policy found, fall-through */
 		}
 		case IPPROTO_NONE:
@@ -198,8 +199,9 @@ static job_requeue_t process_outbound(private_ipsec_processor_t *this)
 	policy = ipsec->policies->find_by_packet(ipsec->policies, packet, FALSE, 0);
 	if (!policy)
 	{
-		DBG2(DBG_ESP, "no matching outbound IPsec policy for %H == %H",
-			 packet->get_source(packet), packet->get_destination(packet));
+		DBG2(DBG_ESP, "no matching outbound IPsec policy for %#H == %#H [%hhu]",
+			 packet->get_source(packet), packet->get_destination(packet),
+			 packet->get_next_header(packet));
 		packet->destroy(packet);
 		return JOB_REQUEUE_DIRECT;
 	}
diff --git a/src/libipsec/ipsec_sa_mgr.c b/src/libipsec/ipsec_sa_mgr.c
index ec35c6e..a1fa23e 100644
--- a/src/libipsec/ipsec_sa_mgr.c
+++ b/src/libipsec/ipsec_sa_mgr.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012-2017 Tobias Brunner
  * Copyright (C) 2012 Giuliano Grassi
  * Copyright (C) 2012 Ralf Sager
  * Hochschule fuer Technik Rapperswil
@@ -398,7 +398,21 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
 	private_ipsec_sa_mgr_t *this, host_t *src, host_t *dst, uint8_t protocol,
 	uint32_t *spi)
 {
-	uint32_t spi_new;
+	uint32_t spi_min, spi_max, spi_new;
+
+	spi_min = lib->settings->get_int(lib->settings, "%s.spi_min",
+									 0x00000100, lib->ns);
+	spi_max = lib->settings->get_int(lib->settings, "%s.spi_max",
+									 0xffffffff, lib->ns);
+	if (spi_min > spi_max)
+	{
+		spi_new = spi_min;
+		spi_min = spi_max;
+		spi_max = spi_new;
+	}
+	/* make sure the SPI is valid (not in range 0-255) */
+	spi_min = max(spi_min, 0x00000100);
+	spi_max = max(spi_max, 0x00000100);
 
 	this->mutex->lock(this->mutex);
 	if (!this->rng)
@@ -421,8 +435,7 @@ METHOD(ipsec_sa_mgr_t, get_spi, status_t,
 			DBG1(DBG_ESP, "failed to allocate SPI");
 			return FAILED;
 		}
-		/* make sure the SPI is valid (not in range 0-255) */
-		spi_new |= 0x00000100;
+		spi_new = spi_min + spi_new % (spi_max - spi_min + 1);
 		spi_new = htonl(spi_new);
 	}
 	while (!allocate_spi(this, spi_new));
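Review bot: With the SPI range now configurable, the retry loop ending in `while (!allocate_spi(this, spi_new));` has no bound. The previous hunk only swaps and clamps `spi_min`/`spi_max`, so a very small range (even `spi_min == spi_max`) is accepted. Assuming allocate_spi() fails for an SPI already in use, the loop never terminates once every value in the range is taken, apparently with the mutex locked earlier in get_spi() still held. Counting attempts and leaving through the same handling as the existing `failed to allocate SPI` path after a limit would turn exhaustion into an error the caller can see. The loop starts outside this hunk.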
diff --git a/src/libipsec/tests/Makefile.in b/src/libipsec/tests/Makefile.in
index 0c1d858..e81d6fc 100644
--- a/src/libipsec/tests/Makefile.in
+++ b/src/libipsec/tests/Makefile.in
@@ -353,7 +353,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -388,6 +387,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpttls/Makefile.in b/src/libpttls/Makefile.in
index 14e4a6b..fd3e763 100644
--- a/src/libpttls/Makefile.in
+++ b/src/libpttls/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libradius/Makefile.in b/src/libradius/Makefile.in
index 8106295..8f91275 100644
--- a/src/libradius/Makefile.in
+++ b/src/libradius/Makefile.in
@@ -353,7 +353,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -388,6 +387,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in
index ea053a3..6af66e3 100644
--- a/src/libsimaka/Makefile.in
+++ b/src/libsimaka/Makefile.in
@@ -356,7 +356,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -391,6 +390,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk
index 0e8f7f3..a5e6b72 100644
--- a/src/libstrongswan/Android.mk
+++ b/src/libstrongswan/Android.mk
@@ -64,12 +64,17 @@ LOCAL_SRC_FILES := $(libstrongswan_la_SOURCES)
 
 LOCAL_SRC_FILES += $(call add_plugin, aes)
 
+LOCAL_SRC_FILES += $(call add_plugin, chapoly)
+
 LOCAL_SRC_FILES += $(call add_plugin, curl)
 ifneq ($(call plugin_enabled, curl),)
 LOCAL_C_INCLUDES += $(libcurl_PATH)
 LOCAL_SHARED_LIBRARIES += libcurl
 endif
 
+LOCAL_SRC_FILES += $(call add_plugin, curve25519)
+LOCAL_SRC_FILES += $(call add_plugin_subdirs, curve25519, ref10)
+
 LOCAL_SRC_FILES += $(call add_plugin, des)
 
 LOCAL_SRC_FILES += $(call add_plugin, fips-prf)
diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am
index 52ae7c6..f6d6f54 100644
--- a/src/libstrongswan/Makefile.am
+++ b/src/libstrongswan/Makefile.am
@@ -313,6 +313,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_CURVE25519
+  SUBDIRS += plugins/curve25519
+if MONOLITHIC
+  libstrongswan_la_LIBADD += plugins/curve25519/libstrongswan-curve25519.la
+endif
+endif
+
 if USE_RDRAND
   SUBDIRS += plugins/rdrand
 if MONOLITHIC
diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in
index 3eec966..99bb115 100644
--- a/src/libstrongswan/Makefile.in
+++ b/src/libstrongswan/Makefile.in
@@ -152,97 +152,99 @@ host_triplet = @host@
 @MONOLITHIC_TRUE@@USE_SHA3_TRUE at am__append_38 = plugins/sha3/libstrongswan-sha3.la
 @USE_GMP_TRUE at am__append_39 = plugins/gmp
 @MONOLITHIC_TRUE@@USE_GMP_TRUE at am__append_40 = plugins/gmp/libstrongswan-gmp.la
- at USE_RDRAND_TRUE@am__append_41 = plugins/rdrand
- at MONOLITHIC_TRUE@@USE_RDRAND_TRUE at am__append_42 = plugins/rdrand/libstrongswan-rdrand.la
- at USE_AESNI_TRUE@am__append_43 = plugins/aesni
- at MONOLITHIC_TRUE@@USE_AESNI_TRUE at am__append_44 = plugins/aesni/libstrongswan-aesni.la
- at USE_RANDOM_TRUE@am__append_45 = plugins/random
- at MONOLITHIC_TRUE@@USE_RANDOM_TRUE at am__append_46 = plugins/random/libstrongswan-random.la
- at USE_NONCE_TRUE@am__append_47 = plugins/nonce
- at MONOLITHIC_TRUE@@USE_NONCE_TRUE at am__append_48 = plugins/nonce/libstrongswan-nonce.la
- at USE_HMAC_TRUE@am__append_49 = plugins/hmac
- at MONOLITHIC_TRUE@@USE_HMAC_TRUE at am__append_50 = plugins/hmac/libstrongswan-hmac.la
- at USE_CMAC_TRUE@am__append_51 = plugins/cmac
- at MONOLITHIC_TRUE@@USE_CMAC_TRUE at am__append_52 = plugins/cmac/libstrongswan-cmac.la
- at USE_XCBC_TRUE@am__append_53 = plugins/xcbc
- at MONOLITHIC_TRUE@@USE_XCBC_TRUE at am__append_54 = plugins/xcbc/libstrongswan-xcbc.la
- at USE_X509_TRUE@am__append_55 = plugins/x509
- at MONOLITHIC_TRUE@@USE_X509_TRUE at am__append_56 = plugins/x509/libstrongswan-x509.la
- at USE_REVOCATION_TRUE@am__append_57 = plugins/revocation
- at MONOLITHIC_TRUE@@USE_REVOCATION_TRUE at am__append_58 = plugins/revocation/libstrongswan-revocation.la
- at USE_CONSTRAINTS_TRUE@am__append_59 = plugins/constraints
- at MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE at am__append_60 = plugins/constraints/libstrongswan-constraints.la
- at USE_ACERT_TRUE@am__append_61 = plugins/acert
- at MONOLITHIC_TRUE@@USE_ACERT_TRUE at am__append_62 = plugins/acert/libstrongswan-acert.la
- at USE_PUBKEY_TRUE@am__append_63 = plugins/pubkey
- at MONOLITHIC_TRUE@@USE_PUBKEY_TRUE at am__append_64 = plugins/pubkey/libstrongswan-pubkey.la
- at USE_PKCS1_TRUE@am__append_65 = plugins/pkcs1
- at MONOLITHIC_TRUE@@USE_PKCS1_TRUE at am__append_66 = plugins/pkcs1/libstrongswan-pkcs1.la
- at USE_PKCS7_TRUE@am__append_67 = plugins/pkcs7
- at MONOLITHIC_TRUE@@USE_PKCS7_TRUE at am__append_68 = plugins/pkcs7/libstrongswan-pkcs7.la
- at USE_PKCS8_TRUE@am__append_69 = plugins/pkcs8
- at MONOLITHIC_TRUE@@USE_PKCS8_TRUE at am__append_70 = plugins/pkcs8/libstrongswan-pkcs8.la
- at USE_PKCS12_TRUE@am__append_71 = plugins/pkcs12
- at MONOLITHIC_TRUE@@USE_PKCS12_TRUE at am__append_72 = plugins/pkcs12/libstrongswan-pkcs12.la
- at USE_PGP_TRUE@am__append_73 = plugins/pgp
- at MONOLITHIC_TRUE@@USE_PGP_TRUE at am__append_74 = plugins/pgp/libstrongswan-pgp.la
- at USE_DNSKEY_TRUE@am__append_75 = plugins/dnskey
- at MONOLITHIC_TRUE@@USE_DNSKEY_TRUE at am__append_76 = plugins/dnskey/libstrongswan-dnskey.la
- at USE_SSHKEY_TRUE@am__append_77 = plugins/sshkey
- at MONOLITHIC_TRUE@@USE_SSHKEY_TRUE at am__append_78 = plugins/sshkey/libstrongswan-sshkey.la
- at USE_PEM_TRUE@am__append_79 = plugins/pem
- at MONOLITHIC_TRUE@@USE_PEM_TRUE at am__append_80 = plugins/pem/libstrongswan-pem.la
- at USE_CURL_TRUE@am__append_81 = plugins/curl
- at MONOLITHIC_TRUE@@USE_CURL_TRUE at am__append_82 = plugins/curl/libstrongswan-curl.la
- at USE_FILES_TRUE@am__append_83 = plugins/files
- at MONOLITHIC_TRUE@@USE_FILES_TRUE at am__append_84 = plugins/files/libstrongswan-files.la
- at USE_WINHTTP_TRUE@am__append_85 = plugins/winhttp
- at MONOLITHIC_TRUE@@USE_WINHTTP_TRUE at am__append_86 = plugins/winhttp/libstrongswan-winhttp.la
- at USE_UNBOUND_TRUE@am__append_87 = plugins/unbound
- at MONOLITHIC_TRUE@@USE_UNBOUND_TRUE at am__append_88 = plugins/unbound/libstrongswan-unbound.la
- at USE_SOUP_TRUE@am__append_89 = plugins/soup
- at MONOLITHIC_TRUE@@USE_SOUP_TRUE at am__append_90 = plugins/soup/libstrongswan-soup.la
- at USE_LDAP_TRUE@am__append_91 = plugins/ldap
- at MONOLITHIC_TRUE@@USE_LDAP_TRUE at am__append_92 = plugins/ldap/libstrongswan-ldap.la
- at USE_MYSQL_TRUE@am__append_93 = plugins/mysql
- at MONOLITHIC_TRUE@@USE_MYSQL_TRUE at am__append_94 = plugins/mysql/libstrongswan-mysql.la
- at USE_SQLITE_TRUE@am__append_95 = plugins/sqlite
- at MONOLITHIC_TRUE@@USE_SQLITE_TRUE at am__append_96 = plugins/sqlite/libstrongswan-sqlite.la
- at USE_PADLOCK_TRUE@am__append_97 = plugins/padlock
- at MONOLITHIC_TRUE@@USE_PADLOCK_TRUE at am__append_98 = plugins/padlock/libstrongswan-padlock.la
- at USE_OPENSSL_TRUE@am__append_99 = plugins/openssl
- at MONOLITHIC_TRUE@@USE_OPENSSL_TRUE at am__append_100 = plugins/openssl/libstrongswan-openssl.la
- at USE_GCRYPT_TRUE@am__append_101 = plugins/gcrypt
- at MONOLITHIC_TRUE@@USE_GCRYPT_TRUE at am__append_102 = plugins/gcrypt/libstrongswan-gcrypt.la
- at USE_FIPS_PRF_TRUE@am__append_103 = plugins/fips_prf
- at MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE at am__append_104 = plugins/fips_prf/libstrongswan-fips-prf.la
- at USE_AGENT_TRUE@am__append_105 = plugins/agent
- at MONOLITHIC_TRUE@@USE_AGENT_TRUE at am__append_106 = plugins/agent/libstrongswan-agent.la
- at USE_KEYCHAIN_TRUE@am__append_107 = plugins/keychain
- at MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE at am__append_108 = plugins/keychain/libstrongswan-keychain.la
- at USE_PKCS11_TRUE@am__append_109 = plugins/pkcs11
- at MONOLITHIC_TRUE@@USE_PKCS11_TRUE at am__append_110 = plugins/pkcs11/libstrongswan-pkcs11.la
- at USE_CHAPOLY_TRUE@am__append_111 = plugins/chapoly
- at MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE at am__append_112 = plugins/chapoly/libstrongswan-chapoly.la
- at USE_CTR_TRUE@am__append_113 = plugins/ctr
- at MONOLITHIC_TRUE@@USE_CTR_TRUE at am__append_114 = plugins/ctr/libstrongswan-ctr.la
- at USE_CCM_TRUE@am__append_115 = plugins/ccm
- at MONOLITHIC_TRUE@@USE_CCM_TRUE at am__append_116 = plugins/ccm/libstrongswan-ccm.la
- at USE_GCM_TRUE@am__append_117 = plugins/gcm
- at MONOLITHIC_TRUE@@USE_GCM_TRUE at am__append_118 = plugins/gcm/libstrongswan-gcm.la
- at USE_MGF1_TRUE@am__append_119 = plugins/mgf1
- at MONOLITHIC_TRUE@@USE_MGF1_TRUE at am__append_120 = plugins/mgf1/libstrongswan-mgf1.la
- at USE_NTRU_TRUE@am__append_121 = plugins/ntru
- at MONOLITHIC_TRUE@@USE_NTRU_TRUE at am__append_122 = plugins/ntru/libstrongswan-ntru.la
- at USE_BLISS_TRUE@am__append_123 = plugins/bliss
- at MONOLITHIC_TRUE@@USE_BLISS_TRUE at am__append_124 = plugins/bliss/libstrongswan-bliss.la
- at USE_NEWHOPE_TRUE@am__append_125 = plugins/newhope
- at MONOLITHIC_TRUE@@USE_NEWHOPE_TRUE at am__append_126 = plugins/newhope/libstrongswan-newhope.la
- at USE_TEST_VECTORS_TRUE@am__append_127 = plugins/test_vectors
- at MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE at am__append_128 = plugins/test_vectors/libstrongswan-test-vectors.la
- at USE_LIBNTTFFT_TRUE@am__append_129 = math/libnttfft/tests
- at USE_BLISS_TRUE@am__append_130 = plugins/bliss/tests
- at USE_NEWHOPE_TRUE@am__append_131 = plugins/newhope/tests
+ at USE_CURVE25519_TRUE@am__append_41 = plugins/curve25519
+ at MONOLITHIC_TRUE@@USE_CURVE25519_TRUE at am__append_42 = plugins/curve25519/libstrongswan-curve25519.la
+ at USE_RDRAND_TRUE@am__append_43 = plugins/rdrand
+ at MONOLITHIC_TRUE@@USE_RDRAND_TRUE at am__append_44 = plugins/rdrand/libstrongswan-rdrand.la
+ at USE_AESNI_TRUE@am__append_45 = plugins/aesni
+ at MONOLITHIC_TRUE@@USE_AESNI_TRUE at am__append_46 = plugins/aesni/libstrongswan-aesni.la
+ at USE_RANDOM_TRUE@am__append_47 = plugins/random
+ at MONOLITHIC_TRUE@@USE_RANDOM_TRUE at am__append_48 = plugins/random/libstrongswan-random.la
+ at USE_NONCE_TRUE@am__append_49 = plugins/nonce
+ at MONOLITHIC_TRUE@@USE_NONCE_TRUE at am__append_50 = plugins/nonce/libstrongswan-nonce.la
+ at USE_HMAC_TRUE@am__append_51 = plugins/hmac
+ at MONOLITHIC_TRUE@@USE_HMAC_TRUE at am__append_52 = plugins/hmac/libstrongswan-hmac.la
+ at USE_CMAC_TRUE@am__append_53 = plugins/cmac
+ at MONOLITHIC_TRUE@@USE_CMAC_TRUE at am__append_54 = plugins/cmac/libstrongswan-cmac.la
+ at USE_XCBC_TRUE@am__append_55 = plugins/xcbc
+ at MONOLITHIC_TRUE@@USE_XCBC_TRUE at am__append_56 = plugins/xcbc/libstrongswan-xcbc.la
+ at USE_X509_TRUE@am__append_57 = plugins/x509
+ at MONOLITHIC_TRUE@@USE_X509_TRUE at am__append_58 = plugins/x509/libstrongswan-x509.la
+ at USE_REVOCATION_TRUE@am__append_59 = plugins/revocation
+ at MONOLITHIC_TRUE@@USE_REVOCATION_TRUE at am__append_60 = plugins/revocation/libstrongswan-revocation.la
+ at USE_CONSTRAINTS_TRUE@am__append_61 = plugins/constraints
+ at MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE at am__append_62 = plugins/constraints/libstrongswan-constraints.la
+ at USE_ACERT_TRUE@am__append_63 = plugins/acert
+ at MONOLITHIC_TRUE@@USE_ACERT_TRUE at am__append_64 = plugins/acert/libstrongswan-acert.la
+ at USE_PUBKEY_TRUE@am__append_65 = plugins/pubkey
+ at MONOLITHIC_TRUE@@USE_PUBKEY_TRUE at am__append_66 = plugins/pubkey/libstrongswan-pubkey.la
+ at USE_PKCS1_TRUE@am__append_67 = plugins/pkcs1
+ at MONOLITHIC_TRUE@@USE_PKCS1_TRUE at am__append_68 = plugins/pkcs1/libstrongswan-pkcs1.la
+ at USE_PKCS7_TRUE@am__append_69 = plugins/pkcs7
+ at MONOLITHIC_TRUE@@USE_PKCS7_TRUE at am__append_70 = plugins/pkcs7/libstrongswan-pkcs7.la
+ at USE_PKCS8_TRUE@am__append_71 = plugins/pkcs8
+ at MONOLITHIC_TRUE@@USE_PKCS8_TRUE at am__append_72 = plugins/pkcs8/libstrongswan-pkcs8.la
+ at USE_PKCS12_TRUE@am__append_73 = plugins/pkcs12
+ at MONOLITHIC_TRUE@@USE_PKCS12_TRUE at am__append_74 = plugins/pkcs12/libstrongswan-pkcs12.la
+ at USE_PGP_TRUE@am__append_75 = plugins/pgp
+ at MONOLITHIC_TRUE@@USE_PGP_TRUE at am__append_76 = plugins/pgp/libstrongswan-pgp.la
+ at USE_DNSKEY_TRUE@am__append_77 = plugins/dnskey
+ at MONOLITHIC_TRUE@@USE_DNSKEY_TRUE at am__append_78 = plugins/dnskey/libstrongswan-dnskey.la
+ at USE_SSHKEY_TRUE@am__append_79 = plugins/sshkey
+ at MONOLITHIC_TRUE@@USE_SSHKEY_TRUE at am__append_80 = plugins/sshkey/libstrongswan-sshkey.la
+ at USE_PEM_TRUE@am__append_81 = plugins/pem
+ at MONOLITHIC_TRUE@@USE_PEM_TRUE at am__append_82 = plugins/pem/libstrongswan-pem.la
+ at USE_CURL_TRUE@am__append_83 = plugins/curl
+ at MONOLITHIC_TRUE@@USE_CURL_TRUE at am__append_84 = plugins/curl/libstrongswan-curl.la
+ at USE_FILES_TRUE@am__append_85 = plugins/files
+ at MONOLITHIC_TRUE@@USE_FILES_TRUE at am__append_86 = plugins/files/libstrongswan-files.la
+ at USE_WINHTTP_TRUE@am__append_87 = plugins/winhttp
+ at MONOLITHIC_TRUE@@USE_WINHTTP_TRUE at am__append_88 = plugins/winhttp/libstrongswan-winhttp.la
+ at USE_UNBOUND_TRUE@am__append_89 = plugins/unbound
+ at MONOLITHIC_TRUE@@USE_UNBOUND_TRUE at am__append_90 = plugins/unbound/libstrongswan-unbound.la
+ at USE_SOUP_TRUE@am__append_91 = plugins/soup
+ at MONOLITHIC_TRUE@@USE_SOUP_TRUE at am__append_92 = plugins/soup/libstrongswan-soup.la
+ at USE_LDAP_TRUE@am__append_93 = plugins/ldap
+ at MONOLITHIC_TRUE@@USE_LDAP_TRUE at am__append_94 = plugins/ldap/libstrongswan-ldap.la
+ at USE_MYSQL_TRUE@am__append_95 = plugins/mysql
+ at MONOLITHIC_TRUE@@USE_MYSQL_TRUE at am__append_96 = plugins/mysql/libstrongswan-mysql.la
+ at USE_SQLITE_TRUE@am__append_97 = plugins/sqlite
+ at MONOLITHIC_TRUE@@USE_SQLITE_TRUE at am__append_98 = plugins/sqlite/libstrongswan-sqlite.la
+ at USE_PADLOCK_TRUE@am__append_99 = plugins/padlock
+ at MONOLITHIC_TRUE@@USE_PADLOCK_TRUE at am__append_100 = plugins/padlock/libstrongswan-padlock.la
+ at USE_OPENSSL_TRUE@am__append_101 = plugins/openssl
+ at MONOLITHIC_TRUE@@USE_OPENSSL_TRUE at am__append_102 = plugins/openssl/libstrongswan-openssl.la
+ at USE_GCRYPT_TRUE@am__append_103 = plugins/gcrypt
+ at MONOLITHIC_TRUE@@USE_GCRYPT_TRUE at am__append_104 = plugins/gcrypt/libstrongswan-gcrypt.la
+ at USE_FIPS_PRF_TRUE@am__append_105 = plugins/fips_prf
+ at MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE at am__append_106 = plugins/fips_prf/libstrongswan-fips-prf.la
+ at USE_AGENT_TRUE@am__append_107 = plugins/agent
+ at MONOLITHIC_TRUE@@USE_AGENT_TRUE at am__append_108 = plugins/agent/libstrongswan-agent.la
+ at USE_KEYCHAIN_TRUE@am__append_109 = plugins/keychain
+ at MONOLITHIC_TRUE@@USE_KEYCHAIN_TRUE at am__append_110 = plugins/keychain/libstrongswan-keychain.la
+ at USE_PKCS11_TRUE@am__append_111 = plugins/pkcs11
+ at MONOLITHIC_TRUE@@USE_PKCS11_TRUE at am__append_112 = plugins/pkcs11/libstrongswan-pkcs11.la
+ at USE_CHAPOLY_TRUE@am__append_113 = plugins/chapoly
+ at MONOLITHIC_TRUE@@USE_CHAPOLY_TRUE at am__append_114 = plugins/chapoly/libstrongswan-chapoly.la
+ at USE_CTR_TRUE@am__append_115 = plugins/ctr
+ at MONOLITHIC_TRUE@@USE_CTR_TRUE at am__append_116 = plugins/ctr/libstrongswan-ctr.la
+ at USE_CCM_TRUE@am__append_117 = plugins/ccm
+ at MONOLITHIC_TRUE@@USE_CCM_TRUE at am__append_118 = plugins/ccm/libstrongswan-ccm.la
+ at USE_GCM_TRUE@am__append_119 = plugins/gcm
+ at MONOLITHIC_TRUE@@USE_GCM_TRUE at am__append_120 = plugins/gcm/libstrongswan-gcm.la
+ at USE_MGF1_TRUE@am__append_121 = plugins/mgf1
+ at MONOLITHIC_TRUE@@USE_MGF1_TRUE at am__append_122 = plugins/mgf1/libstrongswan-mgf1.la
+ at USE_NTRU_TRUE@am__append_123 = plugins/ntru
+ at MONOLITHIC_TRUE@@USE_NTRU_TRUE at am__append_124 = plugins/ntru/libstrongswan-ntru.la
+ at USE_BLISS_TRUE@am__append_125 = plugins/bliss
+ at MONOLITHIC_TRUE@@USE_BLISS_TRUE at am__append_126 = plugins/bliss/libstrongswan-bliss.la
+ at USE_NEWHOPE_TRUE@am__append_127 = plugins/newhope
+ at MONOLITHIC_TRUE@@USE_NEWHOPE_TRUE at am__append_128 = plugins/newhope/libstrongswan-newhope.la
+ at USE_TEST_VECTORS_TRUE@am__append_129 = plugins/test_vectors
+ at MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE at am__append_130 = plugins/test_vectors/libstrongswan-test-vectors.la
+ at USE_LIBNTTFFT_TRUE@am__append_131 = math/libnttfft/tests
+ at USE_BLISS_TRUE@am__append_132 = plugins/bliss/tests
+ at USE_NEWHOPE_TRUE@am__append_133 = plugins/newhope/tests
 subdir = src/libstrongswan
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -320,7 +322,8 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \
 	$(am__append_106) $(am__append_108) $(am__append_110) \
 	$(am__append_112) $(am__append_114) $(am__append_116) \
 	$(am__append_118) $(am__append_120) $(am__append_122) \
-	$(am__append_124) $(am__append_126) $(am__append_128)
+	$(am__append_124) $(am__append_126) $(am__append_128) \
+	$(am__append_130)
 am__libstrongswan_la_SOURCES_DIST = library.c asn1/asn1.c \
 	asn1/asn1_parser.c asn1/oid.c bio/bio_reader.c \
 	bio/bio_writer.c collections/blocking_queue.c \
@@ -641,19 +644,19 @@ CTAGS = ctags
 DIST_SUBDIRS = . math/libnttfft plugins/af_alg plugins/aes plugins/des \
 	plugins/blowfish plugins/rc2 plugins/md4 plugins/md5 \
 	plugins/sha1 plugins/sha2 plugins/sha3 plugins/gmp \
-	plugins/rdrand plugins/aesni plugins/random plugins/nonce \
-	plugins/hmac plugins/cmac plugins/xcbc plugins/x509 \
-	plugins/revocation plugins/constraints plugins/acert \
-	plugins/pubkey plugins/pkcs1 plugins/pkcs7 plugins/pkcs8 \
-	plugins/pkcs12 plugins/pgp plugins/dnskey plugins/sshkey \
-	plugins/pem plugins/curl plugins/files plugins/winhttp \
-	plugins/unbound plugins/soup plugins/ldap plugins/mysql \
-	plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \
-	plugins/fips_prf plugins/agent plugins/keychain plugins/pkcs11 \
-	plugins/chapoly plugins/ctr plugins/ccm plugins/gcm \
-	plugins/mgf1 plugins/ntru plugins/bliss plugins/newhope \
-	plugins/test_vectors tests math/libnttfft/tests \
-	plugins/bliss/tests plugins/newhope/tests
+	plugins/curve25519 plugins/rdrand plugins/aesni plugins/random \
+	plugins/nonce plugins/hmac plugins/cmac plugins/xcbc \
+	plugins/x509 plugins/revocation plugins/constraints \
+	plugins/acert plugins/pubkey plugins/pkcs1 plugins/pkcs7 \
+	plugins/pkcs8 plugins/pkcs12 plugins/pgp plugins/dnskey \
+	plugins/sshkey plugins/pem plugins/curl plugins/files \
+	plugins/winhttp plugins/unbound plugins/soup plugins/ldap \
+	plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \
+	plugins/gcrypt plugins/fips_prf plugins/agent plugins/keychain \
+	plugins/pkcs11 plugins/chapoly plugins/ctr plugins/ccm \
+	plugins/gcm plugins/mgf1 plugins/ntru plugins/bliss \
+	plugins/newhope plugins/test_vectors tests \
+	math/libnttfft/tests plugins/bliss/tests plugins/newhope/tests
 am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp \
 	$(top_srcdir)/ylwrap settings/settings_lexer.c \
 	settings/settings_parser.c settings/settings_parser.h
@@ -829,7 +832,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -864,6 +866,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -1052,7 +1055,8 @@ libstrongswan_la_LIBADD = $(DLLIB) $(ATOMICLIB) $(BTLIB) $(SOCKLIB) \
 	$(am__append_106) $(am__append_108) $(am__append_110) \
 	$(am__append_112) $(am__append_114) $(am__append_116) \
 	$(am__append_118) $(am__append_120) $(am__append_122) \
-	$(am__append_124) $(am__append_126) $(am__append_128)
+	$(am__append_124) $(am__append_126) $(am__append_128) \
+	$(am__append_130)
 AM_CPPFLAGS = -I$(top_srcdir)/src/libstrongswan \
 	-DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_LIB_DIR=\"${ipseclibdir}\" \
 	-DPLUGINDIR=\"${plugindir}\" \
@@ -1109,9 +1113,9 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_FALSE@	$(am__append_113) $(am__append_115) \
 @MONOLITHIC_FALSE@	$(am__append_117) $(am__append_119) \
 @MONOLITHIC_FALSE@	$(am__append_121) $(am__append_123) \
- at MONOLITHIC_FALSE@	$(am__append_125) $(am__append_127) tests \
- at MONOLITHIC_FALSE@	$(am__append_129) $(am__append_130) \
- at MONOLITHIC_FALSE@	$(am__append_131)
+ at MONOLITHIC_FALSE@	$(am__append_125) $(am__append_127) \
+ at MONOLITHIC_FALSE@	$(am__append_129) tests $(am__append_131) \
+ at MONOLITHIC_FALSE@	$(am__append_132) $(am__append_133)
 
 # build unit tests
 ##################
@@ -1142,9 +1146,9 @@ $(srcdir)/crypto/proposal/proposal_keywords_static.c
 @MONOLITHIC_TRUE@	$(am__append_113) $(am__append_115) \
 @MONOLITHIC_TRUE@	$(am__append_117) $(am__append_119) \
 @MONOLITHIC_TRUE@	$(am__append_121) $(am__append_123) \
- at MONOLITHIC_TRUE@	$(am__append_125) $(am__append_127) . tests \
- at MONOLITHIC_TRUE@	$(am__append_129) $(am__append_130) \
- at MONOLITHIC_TRUE@	$(am__append_131)
+ at MONOLITHIC_TRUE@	$(am__append_125) $(am__append_127) \
+ at MONOLITHIC_TRUE@	$(am__append_129) . tests $(am__append_131) \
+ at MONOLITHIC_TRUE@	$(am__append_132) $(am__append_133)
 all: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) all-recursive
 
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 2ee414a..5ce8403 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2006 Martin Will
- * Copyright (C) 2000-2008 Andreas Steffen
+ * Copyright (C) 2000-2016 Andreas Steffen
  *
  * Hochschule fuer Technik Rapperswil
  *
@@ -47,6 +47,8 @@ chunk_t asn1_algorithmIdentifier(int oid)
 		case OID_ECDSA_WITH_SHA256:
 		case OID_ECDSA_WITH_SHA384:
 		case OID_ECDSA_WITH_SHA512:
+		case OID_ED25519:
+		case OID_ED448:
 			parameters = chunk_empty;
 			break;
 		default:
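Review bot: The new `case OID_ED25519:` and `case OID_ED448:` labels join the ECDSA group that sets `parameters = chunk_empty`, but no comment says why this group produces an AlgorithmIdentifier without a parameters field. The `default:` body is outside the hunk, so what it emits instead (presumably an encoded NULL) cannot be confirmed from here; asn1_algorithmIdentifier itself also starts and ends outside the hunk. A peer that parses the AlgorithmIdentifier strictly may reject a signature or key if a later edit moves one of these labels into the wrong group, so the intent should be recorded above the group, for example `/* parameters field is omitted for these OIDs, do not encode a NULL */`. A unit test that pins the encoded bytes for both new OIDs would catch such a regression.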
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 4017444..bb423dc 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -201,7 +201,7 @@ const oid_t oid_names[] = {
  {              0x02,         189, 0,  7, "ecdsa-with-SHA256"               }, /* 188 */
  {              0x03,         190, 0,  7, "ecdsa-with-SHA384"               }, /* 189 */
  {              0x04,           0, 0,  7, "ecdsa-with-SHA512"               }, /* 190 */
- {0x2B,                       418, 1,  0, ""                                }, /* 191 */
+ {0x2B,                       421, 1,  0, ""                                }, /* 191 */
  {  0x06,                     332, 1,  1, "dod"                             }, /* 192 */
  {    0x01,                     0, 1,  2, "internet"                        }, /* 193 */
  {      0x04,                 283, 1,  3, "private"                         }, /* 194 */
@@ -394,109 +394,112 @@ const oid_t oid_names[] = {
  {                0x0C,       382, 0,  8, "brainpoolP384t1"                 }, /* 381 */
  {                0x0D,       383, 0,  8, "brainpoolP512r1"                 }, /* 382 */
  {                0x0E,         0, 0,  8, "brainpoolP512t1"                 }, /* 383 */
- {  0x81,                       0, 1,  1, ""                                }, /* 384 */
- {    0x04,                     0, 1,  2, "Certicom"                        }, /* 385 */
- {      0x00,                   0, 1,  3, "curve"                           }, /* 386 */
- {        0x01,               388, 0,  4, "sect163k1"                       }, /* 387 */
- {        0x02,               389, 0,  4, "sect163r1"                       }, /* 388 */
- {        0x03,               390, 0,  4, "sect239k1"                       }, /* 389 */
- {        0x04,               391, 0,  4, "sect113r1"                       }, /* 390 */
- {        0x05,               392, 0,  4, "sect113r2"                       }, /* 391 */
- {        0x06,               393, 0,  4, "secp112r1"                       }, /* 392 */
- {        0x07,               394, 0,  4, "secp112r2"                       }, /* 393 */
- {        0x08,               395, 0,  4, "secp160r1"                       }, /* 394 */
- {        0x09,               396, 0,  4, "secp160k1"                       }, /* 395 */
- {        0x0A,               397, 0,  4, "secp256k1"                       }, /* 396 */
- {        0x0F,               398, 0,  4, "sect163r2"                       }, /* 397 */
- {        0x10,               399, 0,  4, "sect283k1"                       }, /* 398 */
- {        0x11,               400, 0,  4, "sect283r1"                       }, /* 399 */
- {        0x16,               401, 0,  4, "sect131r1"                       }, /* 400 */
- {        0x17,               402, 0,  4, "sect131r2"                       }, /* 401 */
- {        0x18,               403, 0,  4, "sect193r1"                       }, /* 402 */
- {        0x19,               404, 0,  4, "sect193r2"                       }, /* 403 */
- {        0x1A,               405, 0,  4, "sect233k1"                       }, /* 404 */
- {        0x1B,               406, 0,  4, "sect233r1"                       }, /* 405 */
- {        0x1C,               407, 0,  4, "secp128r1"                       }, /* 406 */
- {        0x1D,               408, 0,  4, "secp128r2"                       }, /* 407 */
- {        0x1E,               409, 0,  4, "secp160r2"                       }, /* 408 */
- {        0x1F,               410, 0,  4, "secp192k1"                       }, /* 409 */
- {        0x20,               411, 0,  4, "secp224k1"                       }, /* 410 */
- {        0x21,               412, 0,  4, "secp224r1"                       }, /* 411 */
- {        0x22,               413, 0,  4, "secp384r1"                       }, /* 412 */
- {        0x23,               414, 0,  4, "secp521r1"                       }, /* 413 */
- {        0x24,               415, 0,  4, "sect409k1"                       }, /* 414 */
- {        0x25,               416, 0,  4, "sect409r1"                       }, /* 415 */
- {        0x26,               417, 0,  4, "sect571k1"                       }, /* 416 */
- {        0x27,                 0, 0,  4, "sect571r1"                       }, /* 417 */
- {0x60,                       481, 1,  0, ""                                }, /* 418 */
- {  0x86,                       0, 1,  1, ""                                }, /* 419 */
- {    0x48,                     0, 1,  2, ""                                }, /* 420 */
- {      0x01,                   0, 1,  3, "organization"                    }, /* 421 */
- {        0x65,               457, 1,  4, "gov"                             }, /* 422 */
- {          0x03,               0, 1,  5, "csor"                            }, /* 423 */
- {            0x04,             0, 1,  6, "nistalgorithm"                   }, /* 424 */
- {              0x01,         435, 1,  7, "aes"                             }, /* 425 */
- {                0x02,       427, 0,  8, "id-aes128-CBC"                   }, /* 426 */
- {                0x06,       428, 0,  8, "id-aes128-GCM"                   }, /* 427 */
- {                0x07,       429, 0,  8, "id-aes128-CCM"                   }, /* 428 */
- {                0x16,       430, 0,  8, "id-aes192-CBC"                   }, /* 429 */
- {                0x1A,       431, 0,  8, "id-aes192-GCM"                   }, /* 430 */
- {                0x1B,       432, 0,  8, "id-aes192-CCM"                   }, /* 431 */
- {                0x2A,       433, 0,  8, "id-aes256-CBC"                   }, /* 432 */
- {                0x2E,       434, 0,  8, "id-aes256-GCM"                   }, /* 433 */
- {                0x2F,         0, 0,  8, "id-aes256-CCM"                   }, /* 434 */
- {              0x02,         448, 1,  7, "hashAlgs"                        }, /* 435 */
- {                0x01,       437, 0,  8, "id-sha256"                       }, /* 436 */
- {                0x02,       438, 0,  8, "id-sha384"                       }, /* 437 */
- {                0x03,       439, 0,  8, "id-sha512"                       }, /* 438 */
- {                0x04,       440, 0,  8, "id-sha224"                       }, /* 439 */
- {                0x05,       441, 0,  8, "id-sha512-224"                   }, /* 440 */
- {                0x06,       442, 0,  8, "id-sha512-256"                   }, /* 441 */
- {                0x07,       443, 0,  8, "id-sha3-224"                     }, /* 442 */
- {                0x08,       444, 0,  8, "id-sha3-256"                     }, /* 443 */
- {                0x09,       445, 0,  8, "id-sha3-384"                     }, /* 444 */
- {                0x0A,       446, 0,  8, "id-sha3-512"                     }, /* 445 */
- {                0x0B,       447, 0,  8, "id-shake128"                     }, /* 446 */
- {                0x0C,         0, 0,  8, "id-shake256"                     }, /* 447 */
- {              0x03,           0, 1,  7, "sigAlgs"                         }, /* 448 */
- {                0x09,       450, 0,  8, "id-ecdsa-with-sha3-224"          }, /* 449 */
- {                0x0A,       451, 0,  8, "id-ecdsa-with-sha3-256"          }, /* 450 */
- {                0x0B,       452, 0,  8, "id-ecdsa-with-sha3-384"          }, /* 451 */
- {                0x0C,       453, 0,  8, "id-ecdsa-with-sha3-512"          }, /* 452 */
- {                0x0D,       454, 0,  8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 453 */
- {                0x0E,       455, 0,  8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 454 */
- {                0x0F,       456, 0,  8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 455 */
- {                0x10,         0, 0,  8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 456 */
- {        0x86,                 0, 1,  4, ""                                }, /* 457 */
- {          0xf8,               0, 1,  5, ""                                }, /* 458 */
- {            0x42,           471, 1,  6, "netscape"                        }, /* 459 */
- {              0x01,         466, 1,  7, ""                                }, /* 460 */
- {                0x01,       462, 0,  8, "nsCertType"                      }, /* 461 */
- {                0x03,       463, 0,  8, "nsRevocationUrl"                 }, /* 462 */
- {                0x04,       464, 0,  8, "nsCaRevocationUrl"               }, /* 463 */
- {                0x08,       465, 0,  8, "nsCaPolicyUrl"                   }, /* 464 */
- {                0x0d,         0, 0,  8, "nsComment"                       }, /* 465 */
- {              0x03,         469, 1,  7, "directory"                       }, /* 466 */
- {                0x01,         0, 1,  8, ""                                }, /* 467 */
- {                  0x03,       0, 0,  9, "employeeNumber"                  }, /* 468 */
- {              0x04,           0, 1,  7, "policy"                          }, /* 469 */
- {                0x01,         0, 0,  8, "nsSGC"                           }, /* 470 */
- {            0x45,             0, 1,  6, "verisign"                        }, /* 471 */
- {              0x01,           0, 1,  7, "pki"                             }, /* 472 */
- {                0x09,         0, 1,  8, "attributes"                      }, /* 473 */
- {                  0x02,     475, 0,  9, "messageType"                     }, /* 474 */
- {                  0x03,     476, 0,  9, "pkiStatus"                       }, /* 475 */
- {                  0x04,     477, 0,  9, "failInfo"                        }, /* 476 */
- {                  0x05,     478, 0,  9, "senderNonce"                     }, /* 477 */
- {                  0x06,     479, 0,  9, "recipientNonce"                  }, /* 478 */
- {                  0x07,     480, 0,  9, "transID"                         }, /* 479 */
- {                  0x08,       0, 0,  9, "extensionReq"                    }, /* 480 */
- {0x67,                         0, 1,  0, ""                                }, /* 481 */
- {  0x81,                       0, 1,  1, ""                                }, /* 482 */
- {    0x05,                     0, 1,  2, ""                                }, /* 483 */
- {      0x02,                   0, 1,  3, "tcg-attribute"                   }, /* 484 */
- {        0x01,               486, 0,  4, "tcg-at-tpmManufacturer"          }, /* 485 */
- {        0x02,               487, 0,  4, "tcg-at-tpmModel"                 }, /* 486 */
- {        0x03,               488, 0,  4, "tcg-at-tpmVersion"               }, /* 487 */
- {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"               }  /* 488 */
+ {  0x65,                     387, 1,  1, "Thawte"                          }, /* 384 */
+ {    0x70,                   386, 0,  2, "id-Ed25519"                      }, /* 385 */
+ {    0x71,                     0, 0,  2, "id-Ed448"                        }, /* 386 */
+ {  0x81,                       0, 1,  1, ""                                }, /* 387 */
+ {    0x04,                     0, 1,  2, "Certicom"                        }, /* 388 */
+ {      0x00,                   0, 1,  3, "curve"                           }, /* 389 */
+ {        0x01,               391, 0,  4, "sect163k1"                       }, /* 390 */
+ {        0x02,               392, 0,  4, "sect163r1"                       }, /* 391 */
+ {        0x03,               393, 0,  4, "sect239k1"                       }, /* 392 */
+ {        0x04,               394, 0,  4, "sect113r1"                       }, /* 393 */
+ {        0x05,               395, 0,  4, "sect113r2"                       }, /* 394 */
+ {        0x06,               396, 0,  4, "secp112r1"                       }, /* 395 */
+ {        0x07,               397, 0,  4, "secp112r2"                       }, /* 396 */
+ {        0x08,               398, 0,  4, "secp160r1"                       }, /* 397 */
+ {        0x09,               399, 0,  4, "secp160k1"                       }, /* 398 */
+ {        0x0A,               400, 0,  4, "secp256k1"                       }, /* 399 */
+ {        0x0F,               401, 0,  4, "sect163r2"                       }, /* 400 */
+ {        0x10,               402, 0,  4, "sect283k1"                       }, /* 401 */
+ {        0x11,               403, 0,  4, "sect283r1"                       }, /* 402 */
+ {        0x16,               404, 0,  4, "sect131r1"                       }, /* 403 */
+ {        0x17,               405, 0,  4, "sect131r2"                       }, /* 404 */
+ {        0x18,               406, 0,  4, "sect193r1"                       }, /* 405 */
+ {        0x19,               407, 0,  4, "sect193r2"                       }, /* 406 */
+ {        0x1A,               408, 0,  4, "sect233k1"                       }, /* 407 */
+ {        0x1B,               409, 0,  4, "sect233r1"                       }, /* 408 */
+ {        0x1C,               410, 0,  4, "secp128r1"                       }, /* 409 */
+ {        0x1D,               411, 0,  4, "secp128r2"                       }, /* 410 */
+ {        0x1E,               412, 0,  4, "secp160r2"                       }, /* 411 */
+ {        0x1F,               413, 0,  4, "secp192k1"                       }, /* 412 */
+ {        0x20,               414, 0,  4, "secp224k1"                       }, /* 413 */
+ {        0x21,               415, 0,  4, "secp224r1"                       }, /* 414 */
+ {        0x22,               416, 0,  4, "secp384r1"                       }, /* 415 */
+ {        0x23,               417, 0,  4, "secp521r1"                       }, /* 416 */
+ {        0x24,               418, 0,  4, "sect409k1"                       }, /* 417 */
+ {        0x25,               419, 0,  4, "sect409r1"                       }, /* 418 */
+ {        0x26,               420, 0,  4, "sect571k1"                       }, /* 419 */
+ {        0x27,                 0, 0,  4, "sect571r1"                       }, /* 420 */
+ {0x60,                       484, 1,  0, ""                                }, /* 421 */
+ {  0x86,                       0, 1,  1, ""                                }, /* 422 */
+ {    0x48,                     0, 1,  2, ""                                }, /* 423 */
+ {      0x01,                   0, 1,  3, "organization"                    }, /* 424 */
+ {        0x65,               460, 1,  4, "gov"                             }, /* 425 */
+ {          0x03,               0, 1,  5, "csor"                            }, /* 426 */
+ {            0x04,             0, 1,  6, "nistalgorithm"                   }, /* 427 */
+ {              0x01,         438, 1,  7, "aes"                             }, /* 428 */
+ {                0x02,       430, 0,  8, "id-aes128-CBC"                   }, /* 429 */
+ {                0x06,       431, 0,  8, "id-aes128-GCM"                   }, /* 430 */
+ {                0x07,       432, 0,  8, "id-aes128-CCM"                   }, /* 431 */
+ {                0x16,       433, 0,  8, "id-aes192-CBC"                   }, /* 432 */
+ {                0x1A,       434, 0,  8, "id-aes192-GCM"                   }, /* 433 */
+ {                0x1B,       435, 0,  8, "id-aes192-CCM"                   }, /* 434 */
+ {                0x2A,       436, 0,  8, "id-aes256-CBC"                   }, /* 435 */
+ {                0x2E,       437, 0,  8, "id-aes256-GCM"                   }, /* 436 */
+ {                0x2F,         0, 0,  8, "id-aes256-CCM"                   }, /* 437 */
+ {              0x02,         451, 1,  7, "hashAlgs"                        }, /* 438 */
+ {                0x01,       440, 0,  8, "id-sha256"                       }, /* 439 */
+ {                0x02,       441, 0,  8, "id-sha384"                       }, /* 440 */
+ {                0x03,       442, 0,  8, "id-sha512"                       }, /* 441 */
+ {                0x04,       443, 0,  8, "id-sha224"                       }, /* 442 */
+ {                0x05,       444, 0,  8, "id-sha512-224"                   }, /* 443 */
+ {                0x06,       445, 0,  8, "id-sha512-256"                   }, /* 444 */
+ {                0x07,       446, 0,  8, "id-sha3-224"                     }, /* 445 */
+ {                0x08,       447, 0,  8, "id-sha3-256"                     }, /* 446 */
+ {                0x09,       448, 0,  8, "id-sha3-384"                     }, /* 447 */
+ {                0x0A,       449, 0,  8, "id-sha3-512"                     }, /* 448 */
+ {                0x0B,       450, 0,  8, "id-shake128"                     }, /* 449 */
+ {                0x0C,         0, 0,  8, "id-shake256"                     }, /* 450 */
+ {              0x03,           0, 1,  7, "sigAlgs"                         }, /* 451 */
+ {                0x09,       453, 0,  8, "id-ecdsa-with-sha3-224"          }, /* 452 */
+ {                0x0A,       454, 0,  8, "id-ecdsa-with-sha3-256"          }, /* 453 */
+ {                0x0B,       455, 0,  8, "id-ecdsa-with-sha3-384"          }, /* 454 */
+ {                0x0C,       456, 0,  8, "id-ecdsa-with-sha3-512"          }, /* 455 */
+ {                0x0D,       457, 0,  8, "id-rsassa-pkcs1v15-with-sha3-224"}, /* 456 */
+ {                0x0E,       458, 0,  8, "id-rsassa-pkcs1v15-with-sha3-256"}, /* 457 */
+ {                0x0F,       459, 0,  8, "id-rsassa-pkcs1v15-with-sha3-384"}, /* 458 */
+ {                0x10,         0, 0,  8, "id-rsassa-pkcs1v15-with-sha3-512"}, /* 459 */
+ {        0x86,                 0, 1,  4, ""                                }, /* 460 */
+ {          0xf8,               0, 1,  5, ""                                }, /* 461 */
+ {            0x42,           474, 1,  6, "netscape"                        }, /* 462 */
+ {              0x01,         469, 1,  7, ""                                }, /* 463 */
+ {                0x01,       465, 0,  8, "nsCertType"                      }, /* 464 */
+ {                0x03,       466, 0,  8, "nsRevocationUrl"                 }, /* 465 */
+ {                0x04,       467, 0,  8, "nsCaRevocationUrl"               }, /* 466 */
+ {                0x08,       468, 0,  8, "nsCaPolicyUrl"                   }, /* 467 */
+ {                0x0d,         0, 0,  8, "nsComment"                       }, /* 468 */
+ {              0x03,         472, 1,  7, "directory"                       }, /* 469 */
+ {                0x01,         0, 1,  8, ""                                }, /* 470 */
+ {                  0x03,       0, 0,  9, "employeeNumber"                  }, /* 471 */
+ {              0x04,           0, 1,  7, "policy"                          }, /* 472 */
+ {                0x01,         0, 0,  8, "nsSGC"                           }, /* 473 */
+ {            0x45,             0, 1,  6, "verisign"                        }, /* 474 */
+ {              0x01,           0, 1,  7, "pki"                             }, /* 475 */
+ {                0x09,         0, 1,  8, "attributes"                      }, /* 476 */
+ {                  0x02,     478, 0,  9, "messageType"                     }, /* 477 */
+ {                  0x03,     479, 0,  9, "pkiStatus"                       }, /* 478 */
+ {                  0x04,     480, 0,  9, "failInfo"                        }, /* 479 */
+ {                  0x05,     481, 0,  9, "senderNonce"                     }, /* 480 */
+ {                  0x06,     482, 0,  9, "recipientNonce"                  }, /* 481 */
+ {                  0x07,     483, 0,  9, "transID"                         }, /* 482 */
+ {                  0x08,       0, 0,  9, "extensionReq"                    }, /* 483 */
+ {0x67,                         0, 1,  0, ""                                }, /* 484 */
+ {  0x81,                       0, 1,  1, ""                                }, /* 485 */
+ {    0x05,                     0, 1,  2, ""                                }, /* 486 */
+ {      0x02,                   0, 1,  3, "tcg-attribute"                   }, /* 487 */
+ {        0x01,               489, 0,  4, "tcg-at-tpmManufacturer"          }, /* 488 */
+ {        0x02,               490, 0,  4, "tcg-at-tpmModel"                 }, /* 489 */
+ {        0x03,               491, 0,  4, "tcg-at-tpmVersion"               }, /* 490 */
+ {        0x0F,                 0, 0,  4, "tcg-at-tpmIdLabel"               }  /* 491 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index bca2999..f316c0c 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -192,78 +192,80 @@ extern const oid_t oid_names[];
 #define OID_ECGDSA_SIG_WITH_SHA256			362
 #define OID_ECGDSA_SIG_WITH_SHA384			363
 #define OID_ECGDSA_SIG_WITH_SHA512			364
-#define OID_SECT163K1						387
-#define OID_SECT163R1						388
-#define OID_SECT239K1						389
-#define OID_SECT113R1						390
-#define OID_SECT113R2						391
-#define OID_SECT112R1						392
-#define OID_SECT112R2						393
-#define OID_SECT160R1						394
-#define OID_SECT160K1						395
-#define OID_SECT256K1						396
-#define OID_SECT163R2						397
-#define OID_SECT283K1						398
-#define OID_SECT283R1						399
-#define OID_SECT131R1						400
-#define OID_SECT131R2						401
-#define OID_SECT193R1						402
-#define OID_SECT193R2						403
-#define OID_SECT233K1						404
-#define OID_SECT233R1						405
-#define OID_SECT128R1						406
-#define OID_SECT128R2						407
-#define OID_SECT160R2						408
-#define OID_SECT192K1						409
-#define OID_SECT224K1						410
-#define OID_SECT224R1						411
-#define OID_SECT384R1						412
-#define OID_SECT521R1						413
-#define OID_SECT409K1						414
-#define OID_SECT409R1						415
-#define OID_SECT571K1						416
-#define OID_SECT571R1						417
-#define OID_AES128_CBC						426
-#define OID_AES128_GCM						427
-#define OID_AES128_CCM						428
-#define OID_AES192_CBC						429
-#define OID_AES192_GCM						430
-#define OID_AES192_CCM						431
-#define OID_AES256_CBC						432
-#define OID_AES256_GCM						433
-#define OID_AES256_CCM						434
-#define OID_SHA256							436
-#define OID_SHA384							437
-#define OID_SHA512							438
-#define OID_SHA224							439
-#define OID_SHA3_224						442
-#define OID_SHA3_256						443
-#define OID_SHA3_384						444
-#define OID_SHA3_512						445
-#define OID_ECDSA_WITH_SHA3_224				449
-#define OID_ECDSA_WITH_SHA3_256				450
-#define OID_ECDSA_WITH_SHA3_384				451
-#define OID_ECDSA_WITH_SHA3_512				452
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_224	453
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_256	454
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_384	455
-#define OID_RSASSA_PKCS1V15_WITH_SHA3_512	456
-#define OID_NS_REVOCATION_URL				462
-#define OID_NS_CA_REVOCATION_URL			463
-#define OID_NS_CA_POLICY_URL				464
-#define OID_NS_COMMENT						465
-#define OID_EMPLOYEE_NUMBER					468
-#define OID_PKI_MESSAGE_TYPE				474
-#define OID_PKI_STATUS						475
-#define OID_PKI_FAIL_INFO					476
-#define OID_PKI_SENDER_NONCE				477
-#define OID_PKI_RECIPIENT_NONCE				478
-#define OID_PKI_TRANS_ID					479
-#define OID_TPM_MANUFACTURER				485
-#define OID_TPM_MODEL						486
-#define OID_TPM_VERSION						487
-#define OID_TPM_ID_LABEL					488
+#define OID_ED25519							385
+#define OID_ED448							386
+#define OID_SECT163K1						390
+#define OID_SECT163R1						391
+#define OID_SECT239K1						392
+#define OID_SECT113R1						393
+#define OID_SECT113R2						394
+#define OID_SECT112R1						395
+#define OID_SECT112R2						396
+#define OID_SECT160R1						397
+#define OID_SECT160K1						398
+#define OID_SECT256K1						399
+#define OID_SECT163R2						400
+#define OID_SECT283K1						401
+#define OID_SECT283R1						402
+#define OID_SECT131R1						403
+#define OID_SECT131R2						404
+#define OID_SECT193R1						405
+#define OID_SECT193R2						406
+#define OID_SECT233K1						407
+#define OID_SECT233R1						408
+#define OID_SECT128R1						409
+#define OID_SECT128R2						410
+#define OID_SECT160R2						411
+#define OID_SECT192K1						412
+#define OID_SECT224K1						413
+#define OID_SECT224R1						414
+#define OID_SECT384R1						415
+#define OID_SECT521R1						416
+#define OID_SECT409K1						417
+#define OID_SECT409R1						418
+#define OID_SECT571K1						419
+#define OID_SECT571R1						420
+#define OID_AES128_CBC						429
+#define OID_AES128_GCM						430
+#define OID_AES128_CCM						431
+#define OID_AES192_CBC						432
+#define OID_AES192_GCM						433
+#define OID_AES192_CCM						434
+#define OID_AES256_CBC						435
+#define OID_AES256_GCM						436
+#define OID_AES256_CCM						437
+#define OID_SHA256							439
+#define OID_SHA384							440
+#define OID_SHA512							441
+#define OID_SHA224							442
+#define OID_SHA3_224						445
+#define OID_SHA3_256						446
+#define OID_SHA3_384						447
+#define OID_SHA3_512						448
+#define OID_ECDSA_WITH_SHA3_224				452
+#define OID_ECDSA_WITH_SHA3_256				453
+#define OID_ECDSA_WITH_SHA3_384				454
+#define OID_ECDSA_WITH_SHA3_512				455
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_224	456
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_256	457
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_384	458
+#define OID_RSASSA_PKCS1V15_WITH_SHA3_512	459
+#define OID_NS_REVOCATION_URL				465
+#define OID_NS_CA_REVOCATION_URL			466
+#define OID_NS_CA_POLICY_URL				467
+#define OID_NS_COMMENT						468
+#define OID_EMPLOYEE_NUMBER					471
+#define OID_PKI_MESSAGE_TYPE				477
+#define OID_PKI_STATUS						478
+#define OID_PKI_FAIL_INFO					479
+#define OID_PKI_SENDER_NONCE				480
+#define OID_PKI_RECIPIENT_NONCE				481
+#define OID_PKI_TRANS_ID					482
+#define OID_TPM_MANUFACTURER				488
+#define OID_TPM_MODEL						489
+#define OID_TPM_VERSION						490
+#define OID_TPM_ID_LABEL					491
 
-#define OID_MAX								489
+#define OID_MAX								492
 
 #endif /* OID_H_ */
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 761a38a..a0c2aad 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
@@ -382,6 +382,9 @@
                 0x0C         "brainpoolP384t1"
                 0x0D         "brainpoolP512r1"
                 0x0E         "brainpoolP512t1"
+  0x65                       "Thawte"
+    0x70                     "id-Ed25519"				OID_ED25519
+    0x71                     "id-Ed448"					OID_ED448
   0x81                       ""
     0x04                     "Certicom"
       0x00                   "curve"
diff --git a/src/libstrongswan/collections/linked_list.h b/src/libstrongswan/collections/linked_list.h
index 5edaa07..0b73079 100644
--- a/src/libstrongswan/collections/linked_list.h
+++ b/src/libstrongswan/collections/linked_list.h
@@ -212,7 +212,7 @@ struct linked_list_t {
 	/**
 	 * Clones a list and its objects using the objects' clone method.
 	 *
-	 * @param offset	offset ot the objects clone function
+	 * @param offset	offset to the objects clone function
 	 * @return			cloned list
 	 */
 	linked_list_t *(*clone_offset) (linked_list_t *this, size_t offset);
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 3ec9491..8a3e659 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2008-2016 Tobias Brunner
  * Copyright (C) 2007-2009 Martin Willi
- * Copyright (C) 2016 Andreas Steffeb
+ * Copyright (C) 2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -547,22 +547,24 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
 			signature_scheme_t scheme;
 			key_type_t key;
 		} schemes[] = {
-			{ "md5",		SIGN_RSA_EMSA_PKCS1_MD5,		KEY_RSA,	},
-			{ "sha1",		SIGN_RSA_EMSA_PKCS1_SHA1,		KEY_RSA,	},
-			{ "sha224",		SIGN_RSA_EMSA_PKCS1_SHA2_224,	KEY_RSA,	},
-			{ "sha256",		SIGN_RSA_EMSA_PKCS1_SHA2_256,	KEY_RSA,	},
-			{ "sha384",		SIGN_RSA_EMSA_PKCS1_SHA2_384,	KEY_RSA,	},
-			{ "sha512",		SIGN_RSA_EMSA_PKCS1_SHA2_512,	KEY_RSA,	},
-			{ "sha1",		SIGN_ECDSA_WITH_SHA1_DER,		KEY_ECDSA,	},
-			{ "sha256",		SIGN_ECDSA_WITH_SHA256_DER,		KEY_ECDSA,	},
-			{ "sha384",		SIGN_ECDSA_WITH_SHA384_DER,		KEY_ECDSA,	},
-			{ "sha512",		SIGN_ECDSA_WITH_SHA512_DER,		KEY_ECDSA,	},
-			{ "sha256",		SIGN_ECDSA_256,					KEY_ECDSA,	},
-			{ "sha384",		SIGN_ECDSA_384,					KEY_ECDSA,	},
-			{ "sha512",		SIGN_ECDSA_521,					KEY_ECDSA,	},
-			{ "sha256",		SIGN_BLISS_WITH_SHA2_256,		KEY_BLISS,	},
-			{ "sha384",		SIGN_BLISS_WITH_SHA2_384,		KEY_BLISS,	},
-			{ "sha512",		SIGN_BLISS_WITH_SHA2_512,		KEY_BLISS,	},
+			{ "md5",		SIGN_RSA_EMSA_PKCS1_MD5,		KEY_RSA,	 },
+			{ "sha1",		SIGN_RSA_EMSA_PKCS1_SHA1,		KEY_RSA,	 },
+			{ "sha224",		SIGN_RSA_EMSA_PKCS1_SHA2_224,	KEY_RSA,	 },
+			{ "sha256",		SIGN_RSA_EMSA_PKCS1_SHA2_256,	KEY_RSA,	 },
+			{ "sha384",		SIGN_RSA_EMSA_PKCS1_SHA2_384,	KEY_RSA,	 },
+			{ "sha512",		SIGN_RSA_EMSA_PKCS1_SHA2_512,	KEY_RSA,	 },
+			{ "sha1",		SIGN_ECDSA_WITH_SHA1_DER,		KEY_ECDSA,	 },
+			{ "sha256",		SIGN_ECDSA_WITH_SHA256_DER,		KEY_ECDSA,	 },
+			{ "sha384",		SIGN_ECDSA_WITH_SHA384_DER,		KEY_ECDSA,	 },
+			{ "sha512",		SIGN_ECDSA_WITH_SHA512_DER,		KEY_ECDSA,	 },
+			{ "sha256",		SIGN_ECDSA_256,					KEY_ECDSA,	 },
+			{ "sha384",		SIGN_ECDSA_384,					KEY_ECDSA,	 },
+			{ "sha512",		SIGN_ECDSA_521,					KEY_ECDSA,	 },
+			{ "sha256",		SIGN_BLISS_WITH_SHA2_256,		KEY_BLISS,	 },
+			{ "sha384",		SIGN_BLISS_WITH_SHA2_384,		KEY_BLISS,	 },
+			{ "sha512",		SIGN_BLISS_WITH_SHA2_512,		KEY_BLISS,	 },
+			{ "identity",	SIGN_ED25519,					KEY_ED25519, },
+			{ "identity",	SIGN_ED448,						KEY_ED448,	 },
 		};
 
 		if (expected_strength != AUTH_RULE_MAX)
@@ -592,6 +594,18 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void,
 			is_ike = strpfx(token, "ike:");
 			continue;
 		}
+		if (streq(token, "ed25519") || streq(token, "ike:ed25519"))
+		{
+			expected_type = KEY_ED25519;
+			is_ike = strpfx(token, "ike:");
+			continue;
+		}
+		if (streq(token, "ed448") || streq(token, "ike:ed448"))
+		{
+			expected_type = KEY_ED448;
+			is_ike = strpfx(token, "ike:");
+			continue;
+		}
 		if (streq(token, "bliss") || streq(token, "ike:bliss"))
 		{
 			expected_type = KEY_BLISS;
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index ddb64ef..baa17c4 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -44,6 +45,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_CRL_DISTRIBUTION_POINTS",
 	"BUILD_OCSP_ACCESS_LOCATIONS",
 	"BUILD_PATHLEN",
+	"BUILD_ADDRBLOCKS",
 	"BUILD_PERMITTED_NAME_CONSTRAINTS",
 	"BUILD_EXCLUDED_NAME_CONSTRAINTS",
 	"BUILD_CERTIFICATE_POLICIES",
@@ -70,5 +72,6 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_SAFE_PRIMES",
 	"BUILD_SHARES",
 	"BUILD_THRESHOLD",
+	"BUILD_EDDSA_PRIV_ASN1_DER",
 	"BUILD_END",
 );
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 627e093..1c6f500 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -99,6 +100,8 @@ enum builder_part_t {
 	BUILD_OCSP_ACCESS_LOCATIONS,
 	/** certificate path length constraint */
 	BUILD_PATHLEN,
+	/** RFC3779 addressBlock, linked_list_t* of traffic_selector_t* */
+	BUILD_ADDRBLOCKS,
 	/** permitted X509 name constraints, linked_list_t* of identification_t* */
 	BUILD_PERMITTED_NAME_CONSTRAINTS,
 	/** excluded X509 name constraints, linked_list_t* of identification_t* */
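Review bot: Inserting `BUILD_ADDRBLOCKS` in the middle of `builder_part_t` renumbers every later member, and the same happens in this commit to `cred_encoding_part_t` (cred_encoding.h) and to `signature_scheme_t` and `key_type_t` (public_key.h), where `KEY_BLISS` moves from 4 to 6. Inside one build that is harmless, but a plugin compiled against the older headers, or any stored or transmitted integer holding one of these values, would silently change meaning; whether such consumers exist cannot be seen from these hunks. If the order carries no meaning, adding new members just before the terminator (`BUILD_END` here) keeps the existing values; otherwise a comment on each enum stating that its values are not stable across releases would help. The enum body extends beyond this hunk.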
@@ -151,6 +154,8 @@ enum builder_part_t {
 	BUILD_SHARES,
 	/** minimum number of participating private key shares */
 	BUILD_THRESHOLD,
+	/** DER encoded ASN.1 EdDSA private key */
+	BUILD_EDDSA_PRIV_ASN1_DER,
 	/** end of variable argument builder list */
 	BUILD_END,
 };
diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h
index b4d1f4c..0b65364 100644
--- a/src/libstrongswan/credentials/cred_encoding.h
+++ b/src/libstrongswan/credentials/cred_encoding.h
@@ -144,6 +144,10 @@ enum cred_encoding_part_t {
 	CRED_PART_PKCS10_ASN1_DER,
 	/** a PGP encoded certificate */
 	CRED_PART_PGP_CERT,
+	/** a DER encoded EdDSA public key */
+	CRED_PART_EDDSA_PUB_ASN1_DER,
+	/** a DER encoded EdDSA private key */
+	CRED_PART_EDDSA_PRIV_ASN1_DER,
 	/** a DER encoded BLISS public key */
 	CRED_PART_BLISS_PUB_ASN1_DER,
 	/** a DER encoded BLISS private key */
diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c
index 03f93b1..2c76ad6 100644
--- a/src/libstrongswan/credentials/keys/public_key.c
+++ b/src/libstrongswan/credentials/keys/public_key.c
@@ -24,6 +24,8 @@ ENUM(key_type_names, KEY_ANY, KEY_BLISS,
 	"RSA",
 	"ECDSA",
 	"DSA",
+	"ED25519",
+	"ED448",
 	"BLISS"
 );
 
@@ -48,6 +50,8 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_BLISS_WITH_SHA3_512,
 	"ECDSA-256",
 	"ECDSA-384",
 	"ECDSA-521",
+	"ED25519",
+	"ED448",
 	"BLISS_WITH_SHA2_256",
 	"BLISS_WITH_SHA2_384",
 	"BLISS_WITH_SHA2_512",
@@ -151,6 +155,10 @@ signature_scheme_t signature_scheme_from_oid(int oid)
 			return SIGN_ECDSA_WITH_SHA384_DER;
 		case OID_ECDSA_WITH_SHA512:
 			return SIGN_ECDSA_WITH_SHA512_DER;
+		case OID_ED25519:
+			return SIGN_ED25519;
+		case OID_ED448:
+			return SIGN_ED448;
 		case OID_BLISS_PUBLICKEY:
 		case OID_BLISS_WITH_SHA2_512:
 			return SIGN_BLISS_WITH_SHA2_512;
@@ -210,6 +218,10 @@ int signature_scheme_to_oid(signature_scheme_t scheme)
 			return OID_ECDSA_WITH_SHA384;
 		case SIGN_ECDSA_WITH_SHA512_DER:
 			return OID_ECDSA_WITH_SHA512;
+		case SIGN_ED25519:
+			return OID_ED25519;
+		case SIGN_ED448:
+			return OID_ED448;
 		case SIGN_BLISS_WITH_SHA2_256:
 			return OID_BLISS_WITH_SHA2_256;
 		case SIGN_BLISS_WITH_SHA2_384:
@@ -236,15 +248,17 @@ static struct {
 	key_type_t type;
 	int max_keysize;
 } scheme_map[] = {
-	{ SIGN_RSA_EMSA_PKCS1_SHA2_256, KEY_RSA, 3072 },
-	{ SIGN_RSA_EMSA_PKCS1_SHA2_384, KEY_RSA, 7680 },
-	{ SIGN_RSA_EMSA_PKCS1_SHA2_512, KEY_RSA, 0 },
-	{ SIGN_ECDSA_WITH_SHA256_DER, KEY_ECDSA, 256 },
-	{ SIGN_ECDSA_WITH_SHA384_DER, KEY_ECDSA, 384 },
-	{ SIGN_ECDSA_WITH_SHA512_DER, KEY_ECDSA, 0 },
-	{ SIGN_BLISS_WITH_SHA2_256,   KEY_BLISS, 128 },
-	{ SIGN_BLISS_WITH_SHA2_384,   KEY_BLISS, 192 },
-	{ SIGN_BLISS_WITH_SHA2_512,   KEY_BLISS, 0 }
+	{ SIGN_RSA_EMSA_PKCS1_SHA2_256, KEY_RSA,  3072 },
+	{ SIGN_RSA_EMSA_PKCS1_SHA2_384, KEY_RSA,  7680 },
+	{ SIGN_RSA_EMSA_PKCS1_SHA2_512, KEY_RSA,     0 },
+	{ SIGN_ECDSA_WITH_SHA256_DER,   KEY_ECDSA, 256 },
+	{ SIGN_ECDSA_WITH_SHA384_DER,   KEY_ECDSA, 384 },
+	{ SIGN_ECDSA_WITH_SHA512_DER,   KEY_ECDSA,   0 },
+	{ SIGN_ED25519,                 KEY_ED25519, 0 },
+	{ SIGN_ED448,                   KEY_ED448,   0 },
+	{ SIGN_BLISS_WITH_SHA2_256,     KEY_BLISS, 128 },
+	{ SIGN_BLISS_WITH_SHA2_384,     KEY_BLISS, 192 },
+	{ SIGN_BLISS_WITH_SHA2_512,     KEY_BLISS,   0 }
 };
 
 /**
@@ -323,6 +337,10 @@ key_type_t key_type_from_signature_scheme(signature_scheme_t scheme)
 		case SIGN_ECDSA_384:
 		case SIGN_ECDSA_521:
 			return KEY_ECDSA;
+		case SIGN_ED25519:
+			return KEY_ED25519;
+		case SIGN_ED448:
+			return KEY_ED448;
 		case SIGN_BLISS_WITH_SHA2_256:
 		case SIGN_BLISS_WITH_SHA2_384:
 		case SIGN_BLISS_WITH_SHA2_512:
diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h
index 2361282..06c1aa4 100644
--- a/src/libstrongswan/credentials/keys/public_key.h
+++ b/src/libstrongswan/credentials/keys/public_key.h
@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
- * Copyright (C) 2014-2016 Andreas Steffen
+ * Copyright (C) 2014-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -37,16 +37,19 @@ typedef enum encryption_scheme_t encryption_scheme_t;
  */
 enum key_type_t {
 	/** key type wildcard */
-	KEY_ANY   = 0,
+	KEY_ANY     = 0,
 	/** RSA crypto system as in PKCS#1 */
-	KEY_RSA   = 1,
+	KEY_RSA     = 1,
 	/** ECDSA as in ANSI X9.62 */
-	KEY_ECDSA = 2,
+	KEY_ECDSA   = 2,
 	/** DSA */
-	KEY_DSA   = 3,
+	KEY_DSA     = 3,
+	/** Ed25519 PureEdDSA instance as in RFC 8032 */
+	KEY_ED25519 = 4,
+	/** Ed448   PureEdDSA instance as in RFC 8032 */
+	KEY_ED448   = 5,
 	/** BLISS */
-	KEY_BLISS = 4,
-	/** ElGamal, ... */
+	KEY_BLISS = 6,
 };
 
 /**
@@ -102,6 +105,10 @@ enum signature_scheme_t {
 	SIGN_ECDSA_384,
 	/** ECDSA on the P-521 curve with SHA-512 as in RFC 4754           */
 	SIGN_ECDSA_521,
+	/** PureEdDSA on Curve25519 as in draft-ietf-curdle-pkix (RFC TBA) */
+	SIGN_ED25519,
+	/** PureEdDSA on Curve448 as in draft-ietf-curdle-pkix (RFC TBA)   */
+	SIGN_ED448,
 	/** BLISS with SHA-2_256                                           */
 	SIGN_BLISS_WITH_SHA2_256,
 	/** BLISS with SHA-2_384                                           */
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c
index 60720dc..24fdb19 100644
--- a/src/libstrongswan/credentials/sets/cert_cache.c
+++ b/src/libstrongswan/credentials/sets/cert_cache.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -20,6 +21,7 @@
 #include <library.h>
 #include <threading/rwlock.h>
 #include <collections/linked_list.h>
+#include <credentials/certificates/crl.h>
 
 /** cache size, a power of 2 for fast modulo */
 #define CACHE_SIZE 32
@@ -88,6 +90,43 @@ static void cache(private_cert_cache_t *this,
 	int i, offset, try;
 	u_int total_hits = 0;
 
+	/* cache a CRL by replacing a previous CRL cache entry if present */
+	if (subject->get_type(subject) == CERT_X509_CRL)
+	{
+		crl_t *crl, *cached_crl;
+
+		/* cache a delta CRL ? */
+		crl = (crl_t*)subject;
+
+		for (i = 0; i < CACHE_SIZE; i++)
+		{
+			rel = &this->relations[i];
+
+			if (rel->subject &&
+				rel->subject->get_type(rel->subject) == CERT_X509_CRL &&
+				rel->lock->try_write_lock(rel->lock))
+			{
+				/* double-check having lock */
+				if (rel->subject->get_type(rel->subject) == CERT_X509_CRL &&
+					rel->issuer->equals(rel->issuer, issuer))
+				{
+					cached_crl = (crl_t*)rel->subject;
+
+					if (cached_crl->is_delta_crl(cached_crl, NULL) ==
+							   crl->is_delta_crl(crl, NULL) &&
+						crl_is_newer(crl, cached_crl))
+					{
+						rel->subject->destroy(rel->subject);
+						rel->subject = subject->get_ref(subject);
+						rel->scheme = scheme;
+						return rel->lock->unlock(rel->lock);
+					}
+				}
+				rel->lock->unlock(rel->lock);
+			}
+		}
+	}
+
 	/* check for a unused relation slot first */
 	for (i = 0; i < CACHE_SIZE; i++)
 	{
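Review bot: The re-check under the write lock dereferences `rel->subject` without testing it again, and the first `get_type()` call runs before any lock is held. A slot cleared or replaced by another thread between the two tests could therefore be dereferenced as NULL or after destruction; whether that can happen depends on how slots are released elsewhere in this file, which the hunk does not show. I would repeat the NULL test inside the locked section: `if (rel->subject && rel->subject->get_type(rel->subject) == CERT_X509_CRL &&`. Separately, `return rel->lock->unlock(rel->lock);` in a `void` function reads more clearly as the unlock followed by a bare `return;`. cache() starts before and continues after this hunk.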
diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c
index 0f8bff2..53e035f 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.c
+++ b/src/libstrongswan/credentials/sets/mem_cred.c
@@ -370,14 +370,42 @@ METHOD(mem_cred_t, add_key, void,
 	this->lock->unlock(this->lock);
 }
 
+METHOD(mem_cred_t, remove_key, bool,
+	private_mem_cred_t *this, chunk_t fp)
+{
+	enumerator_t *enumerator;
+	private_key_t *current;
+	bool found = FALSE;
+
+	this->lock->write_lock(this->lock);
+
+	enumerator = this->keys->create_enumerator(this->keys);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (current->has_fingerprint(current, fp))
+		{
+			this->keys->remove_at(this->keys, enumerator);
+			current->destroy(current);
+			found = TRUE;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	this->lock->unlock(this->lock);
+	return found;
+}
+
 /**
  * Shared key entry
  */
 typedef struct {
-	/* shared key */
+	/** shared key */
 	shared_key_t *shared;
-	/* list of owners, identification_t */
+	/** list of owners, identification_t */
 	linked_list_t *owners;
+	/** optional unique identifier */
+	char *id;
 } shared_entry_t;
 
 /**
@@ -388,11 +416,12 @@ static void shared_entry_destroy(shared_entry_t *entry)
 	entry->owners->destroy_offset(entry->owners,
 								  offsetof(identification_t, destroy));
 	entry->shared->destroy(entry->shared);
+	free(entry->id);
 	free(entry);
 }
 
 /**
- * Check if two shared key entries equal
+ * Check if two shared key entries are equal (ignoring the unique identifier)
  */
 static bool shared_entry_equals(shared_entry_t *a, shared_entry_t *b)
 {
@@ -528,8 +557,9 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*,
 						(void*)shared_filter, data, (void*)shared_data_destroy);
 }
 
-METHOD(mem_cred_t, add_shared_list, void,
-	private_mem_cred_t *this, shared_key_t *shared, linked_list_t* owners)
+METHOD(mem_cred_t, add_shared_unique, void,
+	private_mem_cred_t *this, char *id, shared_key_t *shared,
+	linked_list_t* owners)
 {
 	shared_entry_t *current, *new;
 	enumerator_t *enumerator;
@@ -537,6 +567,7 @@ METHOD(mem_cred_t, add_shared_list, void,
 	INIT(new,
 		.shared = shared,
 		.owners = owners,
+		.id = strdupnull(id),
 	);
 
 	this->lock->write_lock(this->lock);
@@ -544,7 +575,10 @@ METHOD(mem_cred_t, add_shared_list, void,
 	enumerator = this->shared->create_enumerator(this->shared);
 	while (enumerator->enumerate(enumerator, &current))
 	{
-		if (shared_entry_equals(current, new))
+		/* always replace keys with the same unique identifier, only compare
+		 * them if both have no unique id assigned */
+		if ((id && streq(id, current->id)) ||
+			(!id && !current->id && shared_entry_equals(current, new)))
 		{
 			this->shared->remove_at(this->shared, enumerator);
 			shared_entry_destroy(current);
@@ -558,6 +592,12 @@ METHOD(mem_cred_t, add_shared_list, void,
 	this->lock->unlock(this->lock);
 }
 
+METHOD(mem_cred_t, add_shared_list, void,
+	private_mem_cred_t *this, shared_key_t *shared, linked_list_t* owners)
+{
+	add_shared_unique(this, NULL, shared, owners);
+}
+
 METHOD(mem_cred_t, add_shared, void,
 	private_mem_cred_t *this, shared_key_t *shared, ...)
 {
@@ -580,6 +620,63 @@ METHOD(mem_cred_t, add_shared, void,
 	add_shared_list(this, shared, owners);
 }
 
+METHOD(mem_cred_t, remove_shared_unique, void,
+	private_mem_cred_t *this, char *id)
+{
+	enumerator_t *enumerator;
+	shared_entry_t *current;
+
+	if (!id)
+	{
+		return;
+	}
+
+	this->lock->write_lock(this->lock);
+
+	enumerator = this->shared->create_enumerator(this->shared);
+	while (enumerator->enumerate(enumerator, &current))
+	{
+		if (streq(id, current->id))
+		{
+			this->shared->remove_at(this->shared, enumerator);
+			shared_entry_destroy(current);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+
+	this->lock->unlock(this->lock);
+}
+
+/**
+ * Filter unique ids of shared keys (ingore secrets without unique id)
+ */
+static bool unique_filter(void *unused,
+						  shared_entry_t **in, char **id)
+{
+	shared_entry_t *entry = *in;
+
+	if (!entry->id)
+	{
+		return FALSE;
+	}
+	if (id)
+	{
+		*id = entry->id;
+	}
+	return TRUE;
+}
+
+METHOD(mem_cred_t, create_unique_shared_enumerator, enumerator_t*,
+	private_mem_cred_t *this)
+{
+	this->lock->read_lock(this->lock);
+	return enumerator_create_filter(
+								this->shared->create_enumerator(this->shared),
+								(void*)unique_filter, this->lock,
+								(void*)this->lock->unlock);
+}
+
 /**
  * Certificate distribution point
  */
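Review bot: The enumerator returned by `create_unique_shared_enumerator` keeps the read lock until it is destroyed and hands out `entry->id` pointers owned by the set. A caller that calls `remove_shared_unique()` or `add_shared_unique()` from inside the loop would wait on the write lock it is itself blocking, unless the rwlock is recursive, which the hunk does not show. A comment on the method would make the contract explicit, e.g. `/* read lock is held until the enumerator is destroyed; copy ids before modifying the set */`. The comment above `unique_filter` also has a typo, `ingore` for `ignore`.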
@@ -817,8 +914,12 @@ mem_cred_t *mem_cred_create()
 			.get_cert_ref = _get_cert_ref,
 			.add_crl = _add_crl,
 			.add_key = _add_key,
+			.remove_key = _remove_key,
 			.add_shared = _add_shared,
 			.add_shared_list = _add_shared_list,
+			.add_shared_unique = _add_shared_unique,
+			.remove_shared_unique = _remove_shared_unique,
+			.create_unique_shared_enumerator = _create_unique_shared_enumerator,
 			.add_cdp = _add_cdp,
 			.replace_certs = _replace_certs,
 			.replace_secrets = _replace_secrets,
diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h
index 51f0b8c..1355152 100644
--- a/src/libstrongswan/credentials/sets/mem_cred.h
+++ b/src/libstrongswan/credentials/sets/mem_cred.h
@@ -1,6 +1,7 @@
 /*
- * Copyright (C) 2010-2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2010-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -87,6 +88,14 @@ struct mem_cred_t {
 	void (*add_key)(mem_cred_t *this, private_key_t *key);
 
 	/**
+	 * Remove a private key from the credential set.
+	 *
+	 * @param fp			fingerprint of the key to remove
+	 * @return				TRUE if the key was found and removed
+	 */
+	bool (*remove_key)(mem_cred_t *this, chunk_t fp);
+
+	/**
 	 * Add a shared key to the credential set.
 	 *
 	 * @param shared		shared key to add, gets owned by set
@@ -104,6 +113,33 @@ struct mem_cred_t {
 							linked_list_t *owners);
 
 	/**
+	 * Add a shared key to the credential set, associated with the given unique
+	 * identifier.
+	 *
+	 * If a shared key with the same id already exists it is replaced.
+	 *
+	 * @param id			unique identifier of this key (cloned)
+	 * @param shared		shared key to add, gets owned by set
+	 * @param ...			NULL terminated list of owners (identification_t*)
+	 */
+	void (*add_shared_unique)(mem_cred_t *this, char *id, shared_key_t *shared,
+							  linked_list_t *owners);
+
+	/**
+	 * Remove a shared key by its unique identifier.
+	 *
+	 * @param id			unique identifier of this key
+	 */
+	void (*remove_shared_unique)(mem_cred_t *this, char *id);
+
+	/**
+	 * Create an enumerator over the unique identifiers of shared keys.
+	 *
+	 * @return			enumerator over char*
+	 */
+	enumerator_t *(*create_unique_shared_enumerator)(mem_cred_t *this);
+
+	/**
 	 * Add a certificate distribution point to the set.
 	 *
 	 * @param type			type of the certificate
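Review bot: The doc comment for `add_shared_unique` describes `@param ...` as a NULL terminated list of owners, but the declared signature takes `linked_list_t *owners`; the text looks copied from `add_shared`. The implementation in mem_cred.c stores that pointer in the entry and destroys it with the entry, so I would replace the line with `@param owners list of owners (identification_t*), gets owned by set`. The struct continues outside this hunk.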
diff --git a/src/libstrongswan/crypto/diffie_hellman.c b/src/libstrongswan/crypto/diffie_hellman.c
index 6dcb6cb..820b8d1 100644
--- a/src/libstrongswan/crypto/diffie_hellman.c
+++ b/src/libstrongswan/crypto/diffie_hellman.c
@@ -32,7 +32,7 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_2048_BIT, ECP_521_BIT, MODP_1536_BIT,
 	"ECP_256",
 	"ECP_384",
 	"ECP_521");
-ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT,
+ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, CURVE_448, ECP_521_BIT,
 	"MODP_1024_160",
 	"MODP_2048_224",
 	"MODP_2048_256",
@@ -41,8 +41,10 @@ ENUM_NEXT(diffie_hellman_group_names, MODP_1024_160, ECP_512_BP, ECP_521_BIT,
 	"ECP_224_BP",
 	"ECP_256_BP",
 	"ECP_384_BP",
-	"ECP_512_BP");
-ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, ECP_512_BP,
+	"ECP_512_BP",
+	"CURVE_25519",
+	"CURVE_448");
+ENUM_NEXT(diffie_hellman_group_names, MODP_NULL, MODP_NULL, CURVE_448,
 	"MODP_NULL");
 ENUM_NEXT(diffie_hellman_group_names, NTRU_112_BIT, NTRU_256_BIT, MODP_NULL,
 	"NTRU_112",
@@ -552,6 +554,12 @@ bool diffie_hellman_verify_value(diffie_hellman_group_t group, chunk_t value)
 		case ECP_521_BIT:
 			valid = value.len == 132;
 			break;
+		case CURVE_25519:
+			valid = value.len == 32;
+			break;
+		case CURVE_448:
+			valid = value.len == 56;
+			break;
 		case NTRU_112_BIT:
 		case NTRU_128_BIT:
 		case NTRU_192_BIT:
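Review bot: The new `CURVE_25519` and `CURVE_448` cases accept any 32- or 56-byte public value, so length is the only property checked here. For these curves the remaining safeguard is the all-zero shared-secret check described in RFC 7748, which would have to live in the DH implementation that computes the secret; that code is not part of this hunk, so it is worth confirming it exists. A short comment on the two cases would record the split, e.g. `/* length only; an all-zero shared secret must be rejected by the DH implementation */`. diffie_hellman_verify_value() starts before and continues after this hunk.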
diff --git a/src/libstrongswan/crypto/diffie_hellman.h b/src/libstrongswan/crypto/diffie_hellman.h
index f457153..1a8110a 100644
--- a/src/libstrongswan/crypto/diffie_hellman.h
+++ b/src/libstrongswan/crypto/diffie_hellman.h
@@ -37,6 +37,7 @@ typedef struct diffie_hellman_params_t diffie_hellman_params_t;
  *
  * ECP groups are defined in RFC 4753 and RFC 5114.
  * ECC Brainpool groups are defined in RFC 6954.
+ * Curve25519 and Curve448 groups are defined in RFC 8031.
  */
 enum diffie_hellman_group_t {
 	MODP_NONE     =  0,
@@ -60,6 +61,8 @@ enum diffie_hellman_group_t {
 	ECP_256_BP    = 28,
 	ECP_384_BP    = 29,
 	ECP_512_BP    = 30,
+	CURVE_25519   = 31,
+	CURVE_448     = 32,
 	/** insecure NULL diffie hellman group for testing, in PRIVATE USE */
 	MODP_NULL = 1024,
 	/** MODP group with custom generator/prime */
diff --git a/src/libstrongswan/crypto/hashers/hasher.c b/src/libstrongswan/crypto/hashers/hasher.c
index d136799..26aab0c 100644
--- a/src/libstrongswan/crypto/hashers/hasher.c
+++ b/src/libstrongswan/crypto/hashers/hasher.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2012-2015 Tobias Brunner
- * Copyright (C) 2015-2016 Andreas Steffen
+ * Copyright (C) 2015-2017 Andreas Steffen
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * HSR Hochschule fuer Technik Rapperswil
@@ -20,12 +20,13 @@
 
 #include <asn1/oid.h>
 
-ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_SHA512,
+ENUM_BEGIN(hash_algorithm_names, HASH_SHA1, HASH_IDENTITY,
 	"HASH_SHA1",
 	"HASH_SHA256",
 	"HASH_SHA384",
-	"HASH_SHA512");
-ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_SHA512,
+	"HASH_SHA512",
+	"HASH_IDENTITY");
+ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
 	"HASH_UNKNOWN",
 	"HASH_MD2",
 	"HASH_MD4",
@@ -37,12 +38,13 @@ ENUM_NEXT(hash_algorithm_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_SHA512,
 	"HASH_SHA3_512");
 ENUM_END(hash_algorithm_names, HASH_SHA3_512);
 
-ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_SHA512,
+ENUM_BEGIN(hash_algorithm_short_names, HASH_SHA1, HASH_IDENTITY,
 	"sha1",
 	"sha256",
 	"sha384",
-	"sha512");
-ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_SHA512,
+	"sha512",
+	"identity");
+ENUM_NEXT(hash_algorithm_short_names, HASH_UNKNOWN, HASH_SHA3_512, HASH_IDENTITY,
 	"unknown",
 	"md2",
 	"md4",
@@ -94,6 +96,9 @@ hash_algorithm_t hasher_algorithm_from_oid(int oid)
 		case OID_SHA3_512:
 		case OID_RSASSA_PKCS1V15_WITH_SHA3_512:
 			return HASH_SHA3_512;
+		case OID_ED25519:
+		case OID_ED448:
+			return HASH_IDENTITY;
 		default:
 			return HASH_UNKNOWN;
 	}
@@ -267,6 +272,7 @@ integrity_algorithm_t hasher_algorithm_to_integrity(hash_algorithm_t alg,
 		case HASH_SHA3_256:
 		case HASH_SHA3_384:
 		case HASH_SHA3_512:
+		case HASH_IDENTITY:
 		case HASH_UNKNOWN:
 			break;
 	}
@@ -280,6 +286,7 @@ bool hasher_algorithm_for_ikev2(hash_algorithm_t alg)
 {
 	switch (alg)
 	{
+		case HASH_IDENTITY:
 		case HASH_SHA1:
 		case HASH_SHA256:
 		case HASH_SHA384:
@@ -396,6 +403,22 @@ int hasher_signature_algorithm_to_oid(hash_algorithm_t alg, key_type_t key)
 				default:
 					return OID_UNKNOWN;
 			}
+		case KEY_ED25519:
+			switch (alg)
+			{
+				case HASH_IDENTITY:
+					return OID_ED25519;
+				default:
+					return OID_UNKNOWN;
+			}
+		case KEY_ED448:
+			switch (alg)
+			{
+				case HASH_IDENTITY:
+					return OID_ED448;
+				default:
+					return OID_UNKNOWN;
+			}
 		case KEY_BLISS:
 			switch (alg)
 			{
@@ -430,6 +453,9 @@ hash_algorithm_t hasher_from_signature_scheme(signature_scheme_t scheme)
 		case SIGN_RSA_EMSA_PKCS1_NULL:
 		case SIGN_ECDSA_WITH_NULL:
 			break;
+		case SIGN_ED25519:
+		case SIGN_ED448:
+			return HASH_IDENTITY;
 		case SIGN_RSA_EMSA_PKCS1_MD5:
 			return HASH_MD5;
 		case SIGN_RSA_EMSA_PKCS1_SHA1:
diff --git a/src/libstrongswan/crypto/hashers/hasher.h b/src/libstrongswan/crypto/hashers/hasher.h
index 2d28b20..ec0c632 100644
--- a/src/libstrongswan/crypto/hashers/hasher.h
+++ b/src/libstrongswan/crypto/hashers/hasher.h
@@ -1,8 +1,9 @@
 /*
+ * Copyright (C) 2016-2017 Andreas Steffen
  * Copyright (C) 2012-2015 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -32,13 +33,16 @@ typedef struct hasher_t hasher_t;
 #include <credentials/keys/public_key.h>
 
 /**
- * Hash algorithms as defined for IKEv2 by RFC 7427
+ * Hash algorithms as defined for IKEv2
  */
 enum hash_algorithm_t {
+	/* RFC 7427 */
 	HASH_SHA1 			= 1,
 	HASH_SHA256			= 2,
 	HASH_SHA384			= 3,
 	HASH_SHA512			= 4,
+	/* draft-ietf-ipsecme-eddsa (RFC TBA) */
+	HASH_IDENTITY		= 5,
 	/* use private use range for algorithms not defined/permitted by RFC 7427 */
 	HASH_UNKNOWN 		= 1024,
 	HASH_MD2 			= 1025,
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
index b058ad2..420a66d 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.c
@@ -59,12 +59,12 @@ struct proposal_token {
 	uint16_t          keysize;
 };
 
-#define TOTAL_KEYWORDS 141
+#define TOTAL_KEYWORDS 143
 #define MIN_WORD_LENGTH 3
 #define MAX_WORD_LENGTH 17
 #define MIN_HASH_VALUE 7
-#define MAX_HASH_VALUE 282
-/* maximum key range = 276, duplicates = 0 */
+#define MAX_HASH_VALUE 259
+/* maximum key range = 253, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -80,32 +80,32 @@ hash (str, len)
 {
   static const unsigned short asso_values[] =
     {
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283,  75,   2,
-       16,  16,  30,  26,   8,  35,   3,   1, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283,  29, 283,  10,   2,  16,
-       46,   1,  23,  78,   4,   4, 283, 283,   1,   9,
-        5,   2, 124, 117,  77, 106,  85,  27, 283, 283,
-        1, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283, 283, 283, 283,
-      283, 283, 283, 283, 283, 283, 283
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260,  73,   2,
+       16,  40,  30,  26,   8,  15,   3,   1, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 106, 260,   2,   2,  16,
+       46,  75,   1,  78,   2,   4, 260, 260,   1,  18,
+        7,   2, 164,   5,  94, 116,  23,  41, 260, 260,
+        1,   2, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260, 260, 260, 260,
+      260, 260, 260, 260, 260, 260, 260
     };
   register int hval = len;
 
@@ -145,19 +145,25 @@ hash (str, len)
 static const struct proposal_token wordlist[] =
   {
     {"null",             ENCRYPTION_ALGORITHM, ENCR_NULL,                 0},
+    {"esn",              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0},
+    {"x25519",           DIFFIE_HELLMAN_GROUP, CURVE_25519,               0},
+    {"prfsha1",          PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,           0},
     {"noesn",            EXTENDED_SEQUENCE_NUMBERS, NO_EXT_SEQ_NUMBERS,   0},
-    {"modpnone",         DIFFIE_HELLMAN_GROUP, MODP_NONE,                 0},
+    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
+    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
+    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
     {"aes128",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
-    {"esn",              EXTENDED_SEQUENCE_NUMBERS, EXT_SEQ_NUMBERS,      0},
     {"ntru128",          DIFFIE_HELLMAN_GROUP, NTRU_128_BIT,              0},
     {"md5",              INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_96,          0},
     {"modp8192",         DIFFIE_HELLMAN_GROUP, MODP_8192_BIT,             0},
     {"md5_128",          INTEGRITY_ALGORITHM,  AUTH_HMAC_MD5_128,         0},
+    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
     {"aes192",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            192},
+    {"prfsha256",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,       0},
+    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
     {"ntru192",          DIFFIE_HELLMAN_GROUP, NTRU_192_BIT,              0},
     {"ntru112",          DIFFIE_HELLMAN_GROUP, NTRU_112_BIT,              0},
-    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
-    {"ecp521",           DIFFIE_HELLMAN_GROUP, ECP_521_BIT,               0},
+    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
     {"aes256",           ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            256},
     {"aes192ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
     {"aes192ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      192},
@@ -168,17 +174,18 @@ static const struct proposal_token wordlist[] =
     {"aes128ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
     {"aes128ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      128},
     {"aesxcbc",          INTEGRITY_ALGORITHM,  AUTH_AES_XCBC_96,          0},
+    {"prfsha512",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,       0},
     {"aescmac",          INTEGRITY_ALGORITHM,  AUTH_AES_CMAC_96,          0},
-    {"modp768",          DIFFIE_HELLMAN_GROUP, MODP_768_BIT,              0},
-    {"ecp192",           DIFFIE_HELLMAN_GROUP, ECP_192_BIT,               0},
+    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
+    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
     {"aes192ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      192},
-    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
+    {"modpnull",         DIFFIE_HELLMAN_GROUP, MODP_NULL,                 0},
     {"aes128ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      128},
     {"ntru256",          DIFFIE_HELLMAN_GROUP, NTRU_256_BIT,              0},
     {"aes256ccm8",       ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
     {"aes256ccm128",     ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
-    {"camellia",         ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
-    {"ecp256",           DIFFIE_HELLMAN_GROUP, ECP_256_BIT,               0},
+    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
+    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
     {"aes256ccm96",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
     {"aes256ccm16",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV16,      256},
     {"camellia192ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
@@ -189,29 +196,29 @@ static const struct proposal_token wordlist[] =
     {"camellia192",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       192},
     {"aes256ccm12",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV12,      256},
     {"camellia128",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       128},
-    {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0},
+    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
     {"aes192ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       192},
+    {"modp6144",         DIFFIE_HELLMAN_GROUP, MODP_6144_BIT,             0},
     {"aes128ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       128},
     {"camellia192ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 192},
+    {"prfsha384",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,       0},
     {"camellia128ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
     {"camellia128ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
-    {"sha1",             INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
-    {"ecp384",           DIFFIE_HELLMAN_GROUP, ECP_384_BIT,               0},
+    {"modp1536",         DIFFIE_HELLMAN_GROUP, MODP_1536_BIT,             0},
+    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
     {"camellia128ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
     {"camellia128ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 128},
     {"camelliaxcbc",     INTEGRITY_ALGORITHM,  AUTH_CAMELLIA_XCBC_96,     0},
     {"camellia256",      ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CBC,       256},
-    {"sha",              INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_96,         0},
     {"camellia256ccm8",  ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
     {"camellia256ccm128",ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
     {"aes256ccm64",      ENCRYPTION_ALGORITHM, ENCR_AES_CCM_ICV8,       256},
     {"camellia128ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 128},
     {"camellia256ccm96", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
     {"camellia256ccm16", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV16, 256},
-    {"ecp224",           DIFFIE_HELLMAN_GROUP, ECP_224_BIT,               0},
+    {"modpnone",         DIFFIE_HELLMAN_GROUP, MODP_NONE,                 0},
     {"camellia192ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  192},
-    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
-    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
+    {"prfmd5",           PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,            0},
     {"camellia256ccm12", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV12, 256},
     {"aes192gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
     {"aes192gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
@@ -221,103 +228,95 @@ static const struct proposal_token wordlist[] =
     {"aes192gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      192},
     {"aes128gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
     {"aes128gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      128},
-    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
+    {"aes",              ENCRYPTION_ALGORITHM, ENCR_AES_CBC,            128},
     {"camellia128ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  128},
-    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
-    {"sha512",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
     {"aes192gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      192},
     {"modp4096",         DIFFIE_HELLMAN_GROUP, MODP_4096_BIT,             0},
     {"aes128gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      128},
     {"aes256gcm8",       ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
     {"aes256gcm128",     ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
     {"camellia256ccm64", ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CCM_ICV8,  256},
-    {"sha256",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
     {"aes256gcm96",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
     {"aes256gcm16",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV16,      256},
     {"modp1024",         DIFFIE_HELLMAN_GROUP, MODP_1024_BIT,             0},
     {"modp2048",         DIFFIE_HELLMAN_GROUP, MODP_2048_BIT,             0},
-    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
+    {"aes192ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            192},
     {"aes192gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 192},
-    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
+    {"aes128ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            128},
     {"aes128gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 128},
-    {"prfsha1",          PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA1,           0},
     {"aes256gcm12",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV12,      256},
-    {"camellia192ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192},
-    {"newhope128",       DIFFIE_HELLMAN_GROUP, NH_128_BIT,                0},
+    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
     {"aes192gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       192},
+    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
     {"aes128gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       128},
-    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
-    {"sha384",           INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
-    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
+    {"3des",             ENCRYPTION_ALGORITHM, ENCR_3DES,                 0},
+    {"prfcamelliaxcbc",  PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC,    0},
+    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256},
+    {"aes256ctr",        ENCRYPTION_ALGORITHM, ENCR_AES_CTR,            256},
     {"aes256gmac",       ENCRYPTION_ALGORITHM, ENCR_NULL_AUTH_AES_GMAC, 256},
-    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
-    {"camellia128ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128},
-    {"blowfish",         ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
+    {"modp3072",         DIFFIE_HELLMAN_GROUP, MODP_3072_BIT,             0},
+    {"camellia192ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       192},
     {"modp2048s256",     DIFFIE_HELLMAN_GROUP, MODP_2048_256,             0},
     {"aes256gcm64",      ENCRYPTION_ALGORITHM, ENCR_AES_GCM_ICV8,       256},
-    {"prfsha256",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_256,       0},
+    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
+    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
+    {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192},
+    {"twofish",          ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
+    {"curve25519",       DIFFIE_HELLMAN_GROUP, CURVE_25519,               0},
+    {"camellia128ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       128},
+    {"twofish128",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        128},
     {"sha256_96",        INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
     {"sha2_512",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_512_256,    0},
-    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
+    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
+    {"chacha20poly1305", ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305,  256},
+    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0},
+    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
     {"camellia256ctr",   ENCRYPTION_ALGORITHM, ENCR_CAMELLIA_CTR,       256},
-    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
     {"sha2_256",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_128,    0},
-    {"ecp512bp",         DIFFIE_HELLMAN_GROUP, ECP_512_BP,                0},
+    {"twofish256",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        256},
     {"sha2_256_96",      INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_256_96,     0},
-    {"blowfish192",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           192},
-    {"blowfish128",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           128},
-    {"prfsha512",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_512,       0},
+    {"ecp512bp",         DIFFIE_HELLMAN_GROUP, ECP_512_BP,                0},
+    {"des",              ENCRYPTION_ALGORITHM, ENCR_DES,                  0},
     {"twofish192",       ENCRYPTION_ALGORITHM, ENCR_TWOFISH_CBC,        192},
-    {"modp2048s224",     DIFFIE_HELLMAN_GROUP, MODP_2048_224,             0},
-    {"prfsha384",        PSEUDO_RANDOM_FUNCTION, PRF_HMAC_SHA2_384,       0},
-    {"modp1024s160",     DIFFIE_HELLMAN_GROUP, MODP_1024_160,             0},
-    {"prfcamelliaxcbc",  PSEUDO_RANDOM_FUNCTION, PRF_CAMELLIA128_XCBC,    0},
     {"ecp384bp",         DIFFIE_HELLMAN_GROUP, ECP_384_BP,                0},
     {"ecp256bp",         DIFFIE_HELLMAN_GROUP, ECP_256_BP,                0},
-    {"serpent128",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
-    {"blowfish256",      ENCRYPTION_ALGORITHM, ENCR_BLOWFISH,           256},
-    {"chacha20poly1305", ENCRYPTION_ALGORITHM, ENCR_CHACHA20_POLY1305,  256},
-    {"serpent256",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        256},
-    {"ecp224bp",         DIFFIE_HELLMAN_GROUP, ECP_224_BP,                0},
+    {"sha2_384",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA2_384_192,    0},
     {"sha1_160",         INTEGRITY_ALGORITHM,  AUTH_HMAC_SHA1_160,        0},
-    {"serpent192",       ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        192},
-    {"prfmd5",           PSEUDO_RANDOM_FUNCTION, PRF_HMAC_MD5,            0},
+    {"ecp224bp",         DIFFIE_HELLMAN_GROUP, ECP_224_BP,                0},
     {"prfaesxcbc",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_XCBC,         0},
-    {"serpent",          ENCRYPTION_ALGORITHM, ENCR_SERPENT_CBC,        128},
-    {"prfaescmac",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC,         0}
+    {"prfaescmac",       PSEUDO_RANDOM_FUNCTION, PRF_AES128_CMAC,         0},
+    {"newhope128",       DIFFIE_HELLMAN_GROUP, NH_128_BIT,                0}
   };
 
 static const short lookup[] =
   {
      -1,  -1,  -1,  -1,  -1,  -1,  -1,   0,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,   1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,   2,  -1,  -1,  -1,
-      3,   4,  -1,   5,   6,   7,   8,  -1,  -1,  -1,
-     -1,   9,  -1,  -1,  10,  11,  -1,  12,  -1,  13,
-     14,  15,  16,  17,  18,  19,  20,  21,  22,  23,
-     24,  25,  26,  -1,  27,  28,  29,  30,  31,  32,
-     33,  34,  35,  36,  37,  38,  -1,  39,  40,  41,
-     42,  43,  44,  45,  46,  -1,  47,  48,  -1,  49,
-     50,  51,  52,  53,  54,  -1,  55,  56,  57,  58,
-     59,  60,  61,  62,  63,  64,  -1,  65,  -1,  -1,
-     66,  67,  68,  69,  70,  71,  72,  73,  74,  75,
-     76,  77,  78,  79,  -1,  80,  81,  82,  83,  -1,
-     84,  85,  86,  87,  88,  89,  90,  91,  92,  93,
-     94,  95,  96,  97,  98,  99, 100,  -1, 101,  -1,
-     -1,  -1, 102,  -1, 103, 104, 105, 106,  -1, 107,
-     -1, 108, 109, 110, 111, 112, 113, 114,  -1, 115,
-     -1, 116, 117,  -1,  -1, 118, 119, 120,  -1, 121,
-     -1,  -1, 122, 123, 124,  -1, 125, 126, 127,  -1,
-    128, 129, 130,  -1, 131, 132,  -1,  -1,  -1,  -1,
-     -1,  -1, 133, 134,  -1,  -1,  -1, 135,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 136,  -1,
-     -1, 137,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1,  -1,  -1,  -1,  -1,  -1, 138, 139,  -1,
+     -1,   1,   2,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+      3,   4,  -1,  -1,  -1,  -1,  -1,   5,   6,   7,
+      8,  -1,  -1,   9,  -1,  -1,  10,  11,  12,  -1,
+     13,  14,  15,  16,  17,  18,  -1,  -1,  -1,  19,
+     20,  21,  22,  23,  24,  25,  26,  27,  28,  29,
+     30,  31,  32,  33,  34,  35,  36,  37,  38,  39,
+     40,  41,  42,  43,  44,  45,  -1,  46,  47,  48,
+     49,  50,  51,  52,  53,  54,  55,  56,  57,  58,
+     59,  60,  61,  62,  63,  -1,  64,  65,  -1,  66,
+     67,  68,  69,  70,  71,  -1,  72,  73,  -1,  74,
+     -1,  -1,  75,  76,  77,  78,  79,  80,  81,  82,
+     83,  84,  85,  -1,  -1,  -1,  86,  87,  88,  -1,
+     89,  90,  91,  -1,  92,  93,  94,  95,  96,  97,
+     98,  99,  -1, 100, 101,  -1, 102, 103, 104,  -1,
+    105, 106,  -1,  -1, 107, 108, 109,  -1, 110, 111,
+     -1, 112, 113, 114,  -1, 115,  -1, 116,  -1,  -1,
+    117,  -1, 118,  -1,  -1, 119, 120,  -1,  -1, 121,
+    122, 123, 124, 125, 126, 127, 128, 129,  -1, 130,
+     -1, 131,  -1, 132, 133,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1, 134,  -1,  -1, 135, 136,
+    137,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+    138, 139,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
+     -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1, 140,
      -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,  -1,
-     -1,  -1, 140
+     -1,  -1,  -1,  -1, 141,  -1,  -1,  -1,  -1, 142
   };
 
 #ifdef __GNUC__
diff --git a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
index 3ac7729..c44ed96 100644
--- a/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
+++ b/src/libstrongswan/crypto/proposal/proposal_keywords_static.txt
@@ -163,6 +163,8 @@ ecp224bp,         DIFFIE_HELLMAN_GROUP, ECP_224_BP,                0
 ecp256bp,         DIFFIE_HELLMAN_GROUP, ECP_256_BP,                0
 ecp384bp,         DIFFIE_HELLMAN_GROUP, ECP_384_BP,                0
 ecp512bp,         DIFFIE_HELLMAN_GROUP, ECP_512_BP,                0
+curve25519,       DIFFIE_HELLMAN_GROUP, CURVE_25519,               0
+x25519,           DIFFIE_HELLMAN_GROUP, CURVE_25519,               0
 ntru112,          DIFFIE_HELLMAN_GROUP, NTRU_112_BIT,              0
 ntru128,          DIFFIE_HELLMAN_GROUP, NTRU_128_BIT,              0
 ntru192,          DIFFIE_HELLMAN_GROUP, NTRU_192_BIT,              0
diff --git a/src/libstrongswan/math/libnttfft/Makefile.in b/src/libstrongswan/math/libnttfft/Makefile.in
index 1a56213..ff41f9b 100644
--- a/src/libstrongswan/math/libnttfft/Makefile.in
+++ b/src/libstrongswan/math/libnttfft/Makefile.in
@@ -351,7 +351,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -386,6 +385,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/math/libnttfft/tests/Makefile.in b/src/libstrongswan/math/libnttfft/tests/Makefile.in
index 54e02ed..4f85449 100644
--- a/src/libstrongswan/math/libnttfft/tests/Makefile.in
+++ b/src/libstrongswan/math/libnttfft/tests/Makefile.in
@@ -355,7 +355,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -390,6 +389,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/math/libnttfft/tests/suites/test_ntt_fft.c b/src/libstrongswan/math/libnttfft/tests/suites/test_ntt_fft.c
index d827718..2a0f3bd 100644
--- a/src/libstrongswan/math/libnttfft/tests/suites/test_ntt_fft.c
+++ b/src/libstrongswan/math/libnttfft/tests/suites/test_ntt_fft.c
@@ -130,6 +130,12 @@ START_TEST(test_ntt_fft_speed)
 }
 END_TEST
 
+START_TEST(test_ntt_fft_init)
+{
+	libnttfft_init();
+}
+END_TEST
+
 Suite *ntt_fft_suite_create()
 {
 	Suite *s;
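Review bot: test_ntt_fft_init() calls libnttfft_init() and asserts nothing, so it can only fail by crashing. If the call is there just to exercise the library's initializer, say so with a comment like `/* no result to check: only verifies that libnttfft_init() can be called */`. If the function reports a result, check it with the suite's assertion macros instead. The declaration of libnttfft_init() is not visible in this hunk.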
@@ -137,6 +143,10 @@ Suite *ntt_fft_suite_create()
 
 	s = suite_create("ntt_fft");
 
+	tc = tcase_create("init");
+	tcase_add_test(tc, test_ntt_fft_init);
+	suite_add_tcase(s, tc);
+
 	tc = tcase_create("impulse");
 	tcase_add_loop_test(tc, test_ntt_fft_impulse, 0, countof(fft_params));
 	suite_add_tcase(s, tc);
diff --git a/src/libstrongswan/networking/host.c b/src/libstrongswan/networking/host.c
index b71d2da..9537204 100644
--- a/src/libstrongswan/networking/host.c
+++ b/src/libstrongswan/networking/host.c
@@ -139,7 +139,7 @@ int host_printf_hook(printf_hook_data_t *data, printf_hook_spec_t *spec,
 					snprintf(buffer, sizeof(buffer),
 							 "(address conversion failed)");
 				}
-				else if (spec->hash)
+				else if (spec->hash && port)
 				{
 					len = strlen(buffer);
 					snprintf(buffer + len, sizeof(buffer) - len,
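Review bot: The new `&& port` condition changes what the `#` flag prints without a comment: a host whose port is 0 is now rendered as the bare address. Log parsers and tests that expect the port suffix on every `#`-formatted host will see two shapes of output, so the condition deserves a line such as `/* omit the port suffix if no port is set (0) */`. The declaration of `port` and the rest of host_printf_hook() are outside the hunk, so reading 0 as "unset" is an assumption to confirm.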
diff --git a/src/libstrongswan/plugins/acert/Makefile.in b/src/libstrongswan/plugins/acert/Makefile.in
index 210d7c2..ee69a89 100644
--- a/src/libstrongswan/plugins/acert/Makefile.in
+++ b/src/libstrongswan/plugins/acert/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in
index 9e926ac..0a8046b 100644
--- a/src/libstrongswan/plugins/aes/Makefile.in
+++ b/src/libstrongswan/plugins/aes/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/aesni/Makefile.in b/src/libstrongswan/plugins/aesni/Makefile.in
index ea41ab3..ceb8676 100644
--- a/src/libstrongswan/plugins/aesni/Makefile.in
+++ b/src/libstrongswan/plugins/aesni/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in
index aa3be42..bad31ca 100644
--- a/src/libstrongswan/plugins/af_alg/Makefile.in
+++ b/src/libstrongswan/plugins/af_alg/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in
index 4441558..cd9036b 100644
--- a/src/libstrongswan/plugins/agent/Makefile.in
+++ b/src/libstrongswan/plugins/agent/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/bliss/Makefile.in b/src/libstrongswan/plugins/bliss/Makefile.in
index 746709b..918a018 100644
--- a/src/libstrongswan/plugins/bliss/Makefile.in
+++ b/src/libstrongswan/plugins/bliss/Makefile.in
@@ -382,7 +382,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -417,6 +416,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/bliss/tests/Makefile.in b/src/libstrongswan/plugins/bliss/tests/Makefile.in
index 05f95dc..1964f19 100644
--- a/src/libstrongswan/plugins/bliss/tests/Makefile.in
+++ b/src/libstrongswan/plugins/bliss/tests/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
index 26c5b60..8770e07 100644
--- a/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
+++ b/src/libstrongswan/plugins/bliss/tests/suites/test_bliss_sampler.c
@@ -70,7 +70,7 @@ START_TEST(test_bliss_sampler_gaussian)
 	sampler->destroy(sampler);
 	free(seed.ptr);
 
-	DBG1(DBG_LIB, "histogram");	
+	DBG1(DBG_LIB, "histogram");
 	for (k = 0; k < 8; k++)
 	{
 		DBG1(DBG_LIB, "%d %7d", k, hist[k]);
@@ -89,7 +89,7 @@ Suite *bliss_sampler_suite_create()
 	s = suite_create("bliss_sampler");
 
 	tc = tcase_create("sampler_gaussian");
-	tcase_set_timeout(tc, 10);
+	tcase_set_timeout(tc, 30);
 	tcase_add_loop_test(tc, test_bliss_sampler_gaussian, 0, countof(key_size));
 	suite_add_tcase(s, tc);
 
diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in
index 895af62..c2bc5ac 100644
--- a/src/libstrongswan/plugins/blowfish/Makefile.in
+++ b/src/libstrongswan/plugins/blowfish/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in
index 39caacd..f0065d0 100644
--- a/src/libstrongswan/plugins/ccm/Makefile.in
+++ b/src/libstrongswan/plugins/ccm/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/chapoly/Makefile.in b/src/libstrongswan/plugins/chapoly/Makefile.in
index c0de9d8..3e1d634 100644
--- a/src/libstrongswan/plugins/chapoly/Makefile.in
+++ b/src/libstrongswan/plugins/chapoly/Makefile.in
@@ -372,7 +372,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -407,6 +406,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/cmac/Makefile.in b/src/libstrongswan/plugins/cmac/Makefile.in
index 24702df..77d68bd 100644
--- a/src/libstrongswan/plugins/cmac/Makefile.in
+++ b/src/libstrongswan/plugins/cmac/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in
index 56b4835..edd519f 100644
--- a/src/libstrongswan/plugins/constraints/Makefile.in
+++ b/src/libstrongswan/plugins/constraints/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in
index 16d177e..a9d0b2e 100644
--- a/src/libstrongswan/plugins/ctr/Makefile.in
+++ b/src/libstrongswan/plugins/ctr/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in
index 7aad683..996d258 100644
--- a/src/libstrongswan/plugins/curl/Makefile.in
+++ b/src/libstrongswan/plugins/curl/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/curve25519/Makefile.am b/src/libstrongswan/plugins/curve25519/Makefile.am
new file mode 100644
index 0000000..f3e1e92
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/Makefile.am
@@ -0,0 +1,23 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-curve25519.la
+else
+plugin_LTLIBRARIES = libstrongswan-curve25519.la
+endif
+
+libstrongswan_curve25519_la_SOURCES = \
+	curve25519_dh.h curve25519_dh.c \
+	curve25519_drv.h curve25519_drv.c \
+	curve25519_drv_portable.h curve25519_drv_portable.c \
+	curve25519_identity_hasher.h curve25519_identity_hasher.c \
+	curve25519_plugin.h curve25519_plugin.c \
+	curve25519_private_key.h curve25519_private_key.c \
+	curve25519_public_key.h curve25519_public_key.c \
+	ref10/ref10.h ref10/ref10.c ref10/base.h ref10/base2.h
+
+libstrongswan_curve25519_la_LDFLAGS = -module -avoid-version
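Review bot: The `ref10/ref10.h ref10/ref10.c ref10/base.h ref10/base2.h` entries that close `libstrongswan_curve25519_la_SOURCES` compile a separate sub-directory into this crypto plugin, and nothing in the file records where that code comes from. Judging only by the directory name it looks like imported reference code rather than code written for this project; that should be confirmed. If it is imported, a comment above the source list such as `# ref10/: imported from <UPSTREAM_SOURCE>, revision <UPSTREAM_REVISION>, local changes: <NONE_OR_LIST>` would let a later audit diff the files against their origin. This matters most for the table headers `base.h` and `base2.h`, which are hard to review by eye.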
diff --git a/src/libstrongswan/plugins/curve25519/Makefile.in b/src/libstrongswan/plugins/curve25519/Makefile.in
new file mode 100644
index 0000000..1fa2b17
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/Makefile.in
@@ -0,0 +1,822 @@
+# Makefile.in generated by automake 1.15 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+ at SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libstrongswan/plugins/curve25519
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+libstrongswan_curve25519_la_LIBADD =
+am__dirstamp = $(am__leading_dot)dirstamp
+am_libstrongswan_curve25519_la_OBJECTS = curve25519_dh.lo \
+	curve25519_drv.lo curve25519_drv_portable.lo \
+	curve25519_identity_hasher.lo curve25519_plugin.lo \
+	curve25519_private_key.lo curve25519_public_key.lo \
+	ref10/ref10.lo
+libstrongswan_curve25519_la_OBJECTS =  \
+	$(am_libstrongswan_curve25519_la_OBJECTS)
+AM_V_lt = $(am__v_lt_ at AM_V@)
+am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+libstrongswan_curve25519_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_curve25519_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+ at MONOLITHIC_FALSE@am_libstrongswan_curve25519_la_rpath = -rpath \
+ at MONOLITHIC_FALSE@	$(plugindir)
+ at MONOLITHIC_TRUE@am_libstrongswan_curve25519_la_rpath =
+AM_V_P = $(am__v_P_ at AM_V@)
+am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_ at AM_V@)
+am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_ at AM_V@)
+am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_ at AM_V@)
+am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libstrongswan_curve25519_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_curve25519_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+ATOMICLIB = @ATOMICLIB@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+runstatedir = @runstatedir@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+ at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-curve25519.la
+ at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-curve25519.la
+libstrongswan_curve25519_la_SOURCES = \
+	curve25519_dh.h curve25519_dh.c \
+	curve25519_drv.h curve25519_drv.c \
+	curve25519_drv_portable.h curve25519_drv_portable.c \
+	curve25519_identity_hasher.h curve25519_identity_hasher.c \
+	curve25519_plugin.h curve25519_plugin.c \
+	curve25519_private_key.h curve25519_private_key.c \
+	curve25519_public_key.h curve25519_public_key.c \
+	ref10/ref10.h ref10/ref10.c ref10/base.h ref10/base2.h
+
+libstrongswan_curve25519_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/curve25519/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libstrongswan/plugins/curve25519/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+ref10/$(am__dirstamp):
+	@$(MKDIR_P) ref10
+	@: > ref10/$(am__dirstamp)
+ref10/$(DEPDIR)/$(am__dirstamp):
+	@$(MKDIR_P) ref10/$(DEPDIR)
+	@: > ref10/$(DEPDIR)/$(am__dirstamp)
+ref10/ref10.lo: ref10/$(am__dirstamp) ref10/$(DEPDIR)/$(am__dirstamp)
+
+libstrongswan-curve25519.la: $(libstrongswan_curve25519_la_OBJECTS) $(libstrongswan_curve25519_la_DEPENDENCIES) $(EXTRA_libstrongswan_curve25519_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_curve25519_la_LINK) $(am_libstrongswan_curve25519_la_rpath) $(libstrongswan_curve25519_la_OBJECTS) $(libstrongswan_curve25519_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+	-rm -f ref10/*.$(OBJEXT)
+	-rm -f ref10/*.lo
+
+distclean-compile:
+	-rm -f *.tab.c
+
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curve25519_dh.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curve25519_drv.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curve25519_drv_portable.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curve25519_identity_hasher.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curve25519_plugin.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curve25519_private_key.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/curve25519_public_key.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ref10/$(DEPDIR)/ref10.Plo at am__quote@
+
+.c.o:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+ at am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+	-rm -rf ref10/.libs ref10/_libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-rm -f ref10/$(DEPDIR)/$(am__dirstamp)
+	-rm -f ref10/$(am__dirstamp)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR) ref10/$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR) ref10/$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-pluginLTLIBRARIES install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-pluginLTLIBRARIES
+
+.PRECIOUS: Makefile
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_dh.c b/src/libstrongswan/plugins/curve25519/curve25519_dh.c
new file mode 100644
index 0000000..c550263
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_dh.c
@@ -0,0 +1,174 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <string.h>
+#include <stdint.h>
+
+#include "curve25519_dh.h"
+#include "curve25519_drv.h"
+
+typedef struct private_curve25519_dh_t private_curve25519_dh_t;
+
+/**
+ * Private data of an curve25519_dh_t object.
+ */
+struct private_curve25519_dh_t {
+
+	/**
+	 * Public curve25519_dh_t interface.
+	 */
+	curve25519_dh_t public;
+
+	/**
+	 * Shared key, if computed
+	 */
+	u_char shared[CURVE25519_KEY_SIZE];
+
+	/**
+	 * TRUE if shared secret is computed
+	 */
+	bool computed;
+
+	/**
+	 * Curve25519 backend
+	 */
+	curve25519_drv_t *drv;
+};
+
+/**
+ * Generate a valid Curve25519 key
+ */
+static bool generate_key(private_curve25519_dh_t *this)
+{
+	u_char key[CURVE25519_KEY_SIZE];
+	rng_t *rng;
+
+	rng = lib->crypto->create_rng(lib->crypto, RNG_STRONG);
+	if (!rng)
+	{
+		DBG1(DBG_LIB, "no RNG found for quality %N",
+			 rng_quality_names, RNG_STRONG);
+		return FALSE;
+	}
+	if (!rng->get_bytes(rng, CURVE25519_KEY_SIZE, key))
+	{
+		rng->destroy(rng);
+		return FALSE;
+	}
+	rng->destroy(rng);
+
+	return this->drv->set_key(this->drv, key);
+}
+
+METHOD(diffie_hellman_t, set_other_public_value, bool,
+	private_curve25519_dh_t *this, chunk_t value)
+{
+	if (value.len == CURVE25519_KEY_SIZE)
+	{
+		if (this->drv->curve25519(this->drv, value.ptr, this->shared))
+		{
+			this->computed = TRUE;
+			return TRUE;
+		}
+	}
+	return FALSE;
+}
+
+METHOD(diffie_hellman_t, get_my_public_value, bool,
+	private_curve25519_dh_t *this, chunk_t *value)
+{
+	u_char basepoint[CURVE25519_KEY_SIZE] = { 9 };
+
+	*value = chunk_alloc(CURVE25519_KEY_SIZE);
+	if (this->drv->curve25519(this->drv, basepoint, value->ptr))
+	{
+		return TRUE;
+	}
+	free(value->ptr);
+	return FALSE;
+}
+
+METHOD(diffie_hellman_t, set_private_value, bool,
+	private_curve25519_dh_t *this, chunk_t value)
+{
+	if (value.len != CURVE25519_KEY_SIZE)
+	{
+		return FALSE;
+	}
+	return this->drv->set_key(this->drv, value.ptr);
+}
+
+METHOD(diffie_hellman_t, get_shared_secret, bool,
+	private_curve25519_dh_t *this, chunk_t *secret)
+{
+	if (!this->computed)
+	{
+		return FALSE;
+	}
+	*secret = chunk_clone(chunk_from_thing(this->shared));
+	return TRUE;
+}
+
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_curve25519_dh_t *this)
+{
+	return CURVE_25519;
+}
+
+METHOD(diffie_hellman_t, destroy, void,
+	private_curve25519_dh_t *this)
+{
+	this->drv->destroy(this->drv);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+curve25519_dh_t *curve25519_dh_create(diffie_hellman_group_t group)
+{
+	private_curve25519_dh_t *this;
+
+	if (group != CURVE_25519)
+	{
+		return FALSE;
+	}
+
+	INIT(this,
+		.public = {
+			.dh = {
+				.get_shared_secret = _get_shared_secret,
+				.set_other_public_value = _set_other_public_value,
+				.get_my_public_value = _get_my_public_value,
+				.set_private_value = _set_private_value,
+				.get_dh_group = _get_dh_group,
+				.destroy = _destroy,
+			},
+		},
+		.drv = curve25519_drv_probe(),
+	);
+
+	if (!this->drv)
+	{
+		free(this);
+		return NULL;
+	}
+	if (!generate_key(this))
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
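Review bot: The private scalar and the shared secret are left in memory here: `generate_key()` returns without clearing its stack buffer `key`, and `destroy()` frees the object without clearing `this->shared`. The portable driver added in this same commit wipes its own key copy with `memwipe()` in its `destroy()`, so the DH wrapper should match it. In `generate_key()` that means `memwipe(key, sizeof(key));` before each return that follows the `get_bytes()` call, which requires holding the `set_key()` result in a local first. In `destroy()` it means `memwipe(this->shared, sizeof(this->shared));` before `free(this)`.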
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_dh.h b/src/libstrongswan/plugins/curve25519/curve25519_dh.h
new file mode 100644
index 0000000..40bc6d1
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_dh.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curve25519_dh curve25519_dh
+ * @{ @ingroup curve25519_p
+ */
+
+#ifndef CURVE25519_DH_H_
+#define CURVE25519_DH_H_
+
+typedef struct curve25519_dh_t curve25519_dh_t;
+
+#include <library.h>
+
+/**
+ * Diffie-Hellman implementation using Curve25519.
+ */
+struct curve25519_dh_t {
+
+	/**
+	 * Implements diffie_hellman_t interface.
+	 */
+	diffie_hellman_t dh;
+};
+
+/**
+ * Creates a new curve25519_dh_t object.
+ *
+ * @param group			DH group, CURVE_25519
+ * @return				curve25519_dh_t object, NULL on error
+ */
+curve25519_dh_t *curve25519_dh_create(diffie_hellman_group_t group);
+
+#endif /** CURVE25519_DH_H_ @}*/
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_drv.c b/src/libstrongswan/plugins/curve25519/curve25519_drv.c
new file mode 100644
index 0000000..df39e71
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_drv.c
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "curve25519_drv.h"
+#include "curve25519_drv_portable.h"
+
+typedef curve25519_drv_t*(*curve25519_drv_create)();
+
+/**
+ * See header.
+ */
+curve25519_drv_t *curve25519_drv_probe()
+{
+	curve25519_drv_create drivers[] = {
+		curve25519_drv_portable_create,
+	};
+	curve25519_drv_t *driver;
+	int i;
+
+	for (i = 0; i < countof(drivers); i++)
+	{
+		driver = drivers[i]();
+		if (driver)
+		{
+			return driver;
+		}
+	}
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_drv.h b/src/libstrongswan/plugins/curve25519/curve25519_drv.h
new file mode 100644
index 0000000..bdf0c4c
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_drv.h
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curve25519_drv curve25519_drv
+ * @{ @ingroup curve25519_p
+ */
+
+#ifndef CURVE25519_DRV_H_
+#define CURVE25519_DRV_H_
+
+typedef struct curve25519_drv_t curve25519_drv_t;
+
+#include <library.h>
+
+/**
+ * Private key size of Curve25519
+ */
+#define CURVE25519_KEY_SIZE 32
+
+/**
+ * Backend driver abstraction for Curve25519.
+ */
+struct curve25519_drv_t {
+
+	/**
+	 * Set the private key.
+	 *
+	 * @param key		32 byte private key, clamped
+	 * @return			TRUE if key set
+	 */
+	bool (*set_key)(curve25519_drv_t *this, u_char *key);
+
+	/**
+	 * Calculate Curve25519 for the set key.
+	 *
+	 * @param in		input data, 32 bytes
+	 * @param out		output data, 32 bytes
+	 * @return			TRUE if calculated
+	 */
+	bool (*curve25519)(curve25519_drv_t *this, u_char *in, u_char *out);
+
+	/**
+	 * Destroy a curve25519_drv_t.
+	 */
+	void (*destroy)(curve25519_drv_t *this);
+};
+
+/**
+ * Create a curve25519_drv instance.
+ */
+curve25519_drv_t *curve25519_drv_probe();
+
+#endif /** CURVE25519_DRV_H_ @}*/
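Review bot: The `set_key` documentation says `32 byte private key, clamped`, which does not say who does the clamping. In this commit the portable driver clamps inside `set_key()` by masking bytes 0 and 31, and `set_private_value()` in curve25519_dh.c passes the caller's bytes through unmodified, so the contract appears to be that every driver clamps. I would word it as `@param key  32 byte private key, clamped by the driver` so a future backend does not assume pre-clamped input. `CURVE25519_KEY_SIZE` is also used for public values and the shared secret in curve25519_dh.c, so `Size of Curve25519 private keys, public values and shared secrets` would be more accurate than `Private key size`.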
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_drv_portable.c b/src/libstrongswan/plugins/curve25519/curve25519_drv_portable.c
new file mode 100644
index 0000000..9182de5
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_drv_portable.c
@@ -0,0 +1,613 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * Based on public domain code by Andrew Moon (curve22519-donna).
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "curve25519_drv_portable.h"
+
+typedef struct private_curve25519_drv_t private_curve25519_drv_t;
+
+/**
+ * Private data of an curve25519_drv_portable_t object.
+ */
+struct private_curve25519_drv_t {
+
+	/**
+	 * Public curve25519_drv_t interface.
+	 */
+	curve25519_drv_t public;
+
+	/**
+	 * Private key
+	 */
+	u_char key[CURVE25519_KEY_SIZE];
+};
+
+METHOD(curve25519_drv_t, set_key, bool,
+	private_curve25519_drv_t *this, u_char *key)
+{
+	memcpy(this->key, key, sizeof(this->key));
+
+	this->key[0] &= 0xf8;
+	this->key[31] &= 0x7f;
+	this->key[31] |= 0x40;
+	return TRUE;
+}
+
+/**
+ * OR a 32-bit integer to an unaligned little-endian
+ */
+static inline void horule32(void *p, uint32_t x)
+{
+	uint32_t r;
+
+	memcpy(&r, p, sizeof(r));
+	r |= htole32(x);
+	memcpy(p, &r, sizeof(r));
+}
+
+/**
+ * Reduce a 32-bit integer to 26 bits
+ */
+static inline uint32_t rdc26(uint32_t v)
+{
+	return v & ((1 << 26) - 1);
+}
+
+/**
+ * Reduce a 32-bit integer to 25 bits
+ */
+static inline uint32_t rdc25(uint32_t v)
+{
+	return v & ((1 << 25) - 1);
+}
+
+/**
+ * Shift right a 64-bit integer by 26 bits
+ */
+static inline uint32_t sr26(uint64_t v)
+{
+	return v >> 26;
+}
+
+/**
+ * Shift right a 64-bit integer by 25 bits
+ */
+static inline uint32_t sr25(uint64_t v)
+{
+	return v >> 25;
+}
+
+/**
+ * Multiply a 64-bit integer with a 32-bit integer
+ */
+static inline uint64_t mul64(uint64_t a, uint32_t b)
+{
+	return a * b;
+}
+
+/**
+ * out = a + b
+ */
+static inline void add(uint32_t out[10], uint32_t a[10], uint32_t b[10])
+{
+	out[0] = a[0] + b[0];
+	out[1] = a[1] + b[1];
+	out[2] = a[2] + b[2];
+	out[3] = a[3] + b[3];
+	out[4] = a[4] + b[4];
+	out[5] = a[5] + b[5];
+	out[6] = a[6] + b[6];
+	out[7] = a[7] + b[7];
+	out[8] = a[8] + b[8];
+	out[9] = a[9] + b[9];
+}
+
+/**
+ * out = a - b
+ */
+static inline void sub(uint32_t out[10], uint32_t a[10], uint32_t b[10])
+{
+	uint32_t x;
+
+	x = 0x7ffffda + a[0] - b[0];           out[0] = rdc26(x);
+	x = 0x3fffffe + a[1] - b[1] + sr26(x); out[1] = rdc25(x);
+	x = 0x7fffffe + a[2] - b[2] + sr25(x); out[2] = rdc26(x);
+	x = 0x3fffffe + a[3] - b[3] + sr26(x); out[3] = rdc25(x);
+	x = 0x7fffffe + a[4] - b[4] + sr25(x); out[4] = rdc26(x);
+	x = 0x3fffffe + a[5] - b[5] + sr26(x); out[5] = rdc25(x);
+	x = 0x7fffffe + a[6] - b[6] + sr25(x); out[6] = rdc26(x);
+	x = 0x3fffffe + a[7] - b[7] + sr26(x); out[7] = rdc25(x);
+	x = 0x7fffffe + a[8] - b[8] + sr25(x); out[8] = rdc26(x);
+	x = 0x3fffffe + a[9] - b[9] + sr26(x); out[9] = rdc25(x);
+	                    out[0] += sr25(x) * 19;
+}
+
+/**
+ * out = in * scalar
+ */
+static void scalar_product(uint32_t out[10], uint32_t in[10], uint32_t scalar)
+{
+	uint64_t x;
+
+	x = mul64(in[0], scalar);           out[0] = rdc26(x);
+	x = mul64(in[1], scalar) + sr26(x); out[1] = rdc25(x);
+	x = mul64(in[2], scalar) + sr25(x); out[2] = rdc26(x);
+	x = mul64(in[3], scalar) + sr26(x); out[3] = rdc25(x);
+	x = mul64(in[4], scalar) + sr25(x); out[4] = rdc26(x);
+	x = mul64(in[5], scalar) + sr26(x); out[5] = rdc25(x);
+	x = mul64(in[6], scalar) + sr25(x); out[6] = rdc26(x);
+	x = mul64(in[7], scalar) + sr26(x); out[7] = rdc25(x);
+	x = mul64(in[8], scalar) + sr25(x); out[8] = rdc26(x);
+	x = mul64(in[9], scalar) + sr26(x); out[9] = rdc25(x);
+	                 out[0] += sr25(x) * 19;
+}
+
+/**
+ * out = a * b
+ */
+static inline void mul(uint32_t out[10], uint32_t a[10], uint32_t b[10])
+{
+	uint32_t r0, r1, r2, r3, r4, r5, r6, r7, r8, r9;
+	uint32_t s0, s1, s2, s3, s4, s5, s6, s7, s8, s9;
+	uint64_t m0, m1, m2, m3, m4, m5, m6, m7, m8, m9;
+
+	r0 = b[0];
+	r1 = b[1];
+	r2 = b[2];
+	r3 = b[3];
+	r4 = b[4];
+	r5 = b[5];
+	r6 = b[6];
+	r7 = b[7];
+	r8 = b[8];
+	r9 = b[9];
+
+	s0 = a[0];
+	s1 = a[1];
+	s2 = a[2];
+	s3 = a[3];
+	s4 = a[4];
+	s5 = a[5];
+	s6 = a[6];
+	s7 = a[7];
+	s8 = a[8];
+	s9 = a[9];
+
+	m1 = mul64(r0, s1) + mul64(r1, s0);
+	m3 = mul64(r0, s3) + mul64(r1, s2) + mul64(r2, s1) + mul64(r3, s0);
+	m5 = mul64(r0, s5) + mul64(r1, s4) + mul64(r2, s3) + mul64(r3, s2)
+	   + mul64(r4, s1) + mul64(r5, s0);
+	m7 = mul64(r0, s7) + mul64(r1, s6) + mul64(r2, s5) + mul64(r3, s4)
+	   + mul64(r4, s3) + mul64(r5, s2) + mul64(r6, s1) + mul64(r7, s0);
+	m9 = mul64(r0, s9) + mul64(r1, s8) + mul64(r2, s7) + mul64(r3, s6)
+	   + mul64(r4, s5) + mul64(r5, s4) + mul64(r6, s3) + mul64(r7, s2)
+	   + mul64(r8, s1) + mul64(r9, s0);
+
+	r1 *= 2;
+	r3 *= 2;
+	r5 *= 2;
+	r7 *= 2;
+
+	m0 = mul64(r0, s0);
+	m2 = mul64(r0, s2) + mul64(r1, s1) + mul64(r2, s0);
+	m4 = mul64(r0, s4) + mul64(r1, s3) + mul64(r2, s2) + mul64(r3, s1)
+	   + mul64(r4, s0);
+	m6 = mul64(r0, s6) + mul64(r1, s5) + mul64(r2, s4) + mul64(r3, s3)
+	   + mul64(r4, s2) + mul64(r5, s1) + mul64(r6, s0);
+	m8 = mul64(r0, s8) + mul64(r1, s7) + mul64(r2, s6) + mul64(r3, s5)
+	   + mul64(r4, s4) + mul64(r5, s3) + mul64(r6, s2) + mul64(r7, s1)
+	   + mul64(r8, s0);
+
+	r1 *= 19;
+	r2 *= 19;
+	r3 = (r3 / 2) * 19;
+	r4 *= 19;
+	r5 = (r5 / 2) * 19;
+	r6 *= 19;
+	r7 = (r7 / 2) * 19;
+	r8 *= 19;
+	r9 *= 19;
+
+	m1 += mul64(r9, s2) + mul64(r8, s3) + mul64(r7, s4) + mul64(r6, s5)
+	   +  mul64(r5, s6) + mul64(r4, s7) + mul64(r3, s8) + mul64(r2, s9);
+	m3 += mul64(r9, s4) + mul64(r8, s5) + mul64(r7, s6) + mul64(r6, s7)
+	   +  mul64(r5, s8) + mul64(r4, s9);
+	m5 += mul64(r9, s6) + mul64(r8, s7) + mul64(r7, s8) + mul64(r6, s9);
+	m7 += mul64(r9, s8) + mul64(r8, s9);
+
+	r3 *= 2;
+	r5 *= 2;
+	r7 *= 2;
+	r9 *= 2;
+
+	m0 += mul64(r9, s1) + mul64(r8, s2) + mul64(r7, s3) + mul64(r6, s4)
+	   +  mul64(r5, s5) + mul64(r4, s6) + mul64(r3, s7) + mul64(r2, s8)
+	   +  mul64(r1, s9);
+	m2 += mul64(r9, s3) + mul64(r8, s4) + mul64(r7, s5) + mul64(r6, s6)
+	   +  mul64(r5, s7) + mul64(r4, s8) + mul64(r3, s9);
+	m4 += mul64(r9, s5) + mul64(r8, s6) + mul64(r7, s7) + mul64(r6, s8)
+	   +  mul64(r5, s9);
+	m6 += mul64(r9, s7) + mul64(r8, s8) + mul64(r7, s9);
+	m8 += mul64(r9, s9);
+
+	m1 += m0 >> 26; r1 = rdc25(m1);
+	m2 += m1 >> 25; r2 = rdc26(m2);
+	m3 += m2 >> 26; r3 = rdc25(m3);
+	m4 += m3 >> 25; r4 = rdc26(m4);
+	m5 += m4 >> 26; r5 = rdc25(m5);
+	m6 += m5 >> 25; r6 = rdc26(m6);
+	m7 += m6 >> 26; r7 = rdc25(m7);
+	m8 += m7 >> 25; r8 = rdc26(m8);
+	m9 += m8 >> 26; r9 = rdc25(m9);
+	m0 = rdc26(m0) + mul64(m9 >> 25, 19);
+	r0 = rdc26(m0); r1 += m0 >> 26;
+
+	out[0] = r0;
+	out[1] = r1;
+	out[2] = r2;
+	out[3] = r3;
+	out[4] = r4;
+	out[5] = r5;
+	out[6] = r6;
+	out[7] = r7;
+	out[8] = r8;
+	out[9] = r9;
+}
+
+/**
+ * out = in^(2 * count), inlining
+ */
+static inline void square_times(uint32_t out[10], uint32_t in[10], int count)
+{
+	uint32_t r0, r1, r2, r3, r4, r5, r6, r7, r8, r9;
+	uint32_t d6, d7, d8, d9;
+	uint64_t m0, m1, m2, m3, m4, m5, m6, m7, m8, m9;
+
+	r0 = in[0];
+	r1 = in[1];
+	r2 = in[2];
+	r3 = in[3];
+	r4 = in[4];
+	r5 = in[5];
+	r6 = in[6];
+	r7 = in[7];
+	r8 = in[8];
+	r9 = in[9];
+
+	while (count--)
+	{
+		m0 = mul64(r0, r0    );
+		r0 *= 2;
+		m1 = mul64(r0, r1    );
+		m2 = mul64(r0, r2    ) + mul64(r1, r1 * 2);
+		r1 *= 2;
+		m3 = mul64(r0, r3    ) + mul64(r1, r2    );
+		m4 = mul64(r0, r4    ) + mul64(r1, r3 * 2) + mul64(r2, r2);
+		r2 *= 2;
+		m5 = mul64(r0, r5    ) + mul64(r1, r4    ) + mul64(r2, r3);
+		m6 = mul64(r0, r6    ) + mul64(r1, r5 * 2) + mul64(r2, r4)
+		   + mul64(r3, r3 * 2);
+		r3 *= 2;
+		m7 = mul64(r0, r7    ) + mul64(r1, r6    ) + mul64(r2, r5)
+		   + mul64(r3, r4    );
+		m8 = mul64(r0, r8    ) + mul64(r1, r7 * 2) + mul64(r2, r6)
+		   + mul64(r3, r5 * 2) + mul64(r4, r4    );
+		m9 = mul64(r0, r9    ) + mul64(r1, r8    ) + mul64(r2, r7)
+		   + mul64(r3, r6    ) + mul64(r4, r5 * 2);
+
+		d6 = r6 * 19;
+		d7 = r7 * 2 * 19;
+		d8 = r8 * 19;
+		d9 = r9 * 2 * 19;
+
+		m0 += mul64(d9, r1    ) + mul64(d8, r2    ) + mul64(d7, r3    )
+		   +  mul64(d6, r4 * 2) + mul64(r5, r5 * 2 * 19);
+		m1 += mul64(d9, r2 / 2) + mul64(d8, r3    ) + mul64(d7, r4    )
+		   +  mul64(d6, r5 * 2);
+		m2 += mul64(d9, r3    ) + mul64(d8, r4 * 2) + mul64(d7, r5 * 2)
+		   +  mul64(d6, r6    );
+		m3 += mul64(d9, r4    ) + mul64(d8, r5 * 2) + mul64(d7, r6    );
+		m4 += mul64(d9, r5 * 2) + mul64(d8, r6 * 2) + mul64(d7, r7    );
+		m5 += mul64(d9, r6    ) + mul64(d8, r7 * 2);
+		m6 += mul64(d9, r7 * 2) + mul64(d8, r8    );
+		m7 += mul64(d9, r8    );
+		m8 += mul64(d9, r9    );
+
+		m1 += m0 >> 26; r1 = rdc25(m1);
+		m2 += m1 >> 25; r2 = rdc26(m2);
+		m3 += m2 >> 26; r3 = rdc25(m3);
+		m4 += m3 >> 25; r4 = rdc26(m4);
+		m5 += m4 >> 26; r5 = rdc25(m5);
+		m6 += m5 >> 25; r6 = rdc26(m6);
+		m7 += m6 >> 26; r7 = rdc25(m7);
+		m8 += m7 >> 25; r8 = rdc26(m8);
+		m9 += m8 >> 26; r9 = rdc25(m9);
+		m0 = rdc26(m0) + mul64(sr25(m9), 19);
+		r0 = rdc26(m0); r1 += sr26(m0);
+	}
+
+	out[0] = r0;
+	out[1] = r1;
+	out[2] = r2;
+	out[3] = r3;
+	out[4] = r4;
+	out[5] = r5;
+	out[6] = r6;
+	out[7] = r7;
+	out[8] = r8;
+	out[9] = r9;
+}
+
+/**
+ * out = in * in
+ */
+static void square(uint32_t out[10], uint32_t in[10])
+{
+	return square_times(out, in, 1);
+}
+
+/**
+ * Take a little-endian, 32-byte number and expand it into polynomial form
+ */
+static void expand(uint32_t out[10], u_char *in)
+{
+	uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
+
+	x0 = uletoh32(in + 0);
+	x1 = uletoh32(in + 4);
+	x2 = uletoh32(in + 8);
+	x3 = uletoh32(in + 12);
+	x4 = uletoh32(in + 16);
+	x5 = uletoh32(in + 20);
+	x6 = uletoh32(in + 24);
+	x7 = uletoh32(in + 28);
+
+	out[0] = rdc26(                         x0       );
+	out[1] = rdc25((((uint64_t)x1 << 32) | x0) >> 26);
+	out[2] = rdc26((((uint64_t)x2 << 32) | x1) >> 19);
+	out[3] = rdc25((((uint64_t)x3 << 32) | x2) >> 13);
+	out[4] = rdc26((                        x3) >>  6);
+	out[5] = rdc25(                         x4       );
+	out[6] = rdc26((((uint64_t)x5 << 32) | x4) >> 25);
+	out[7] = rdc25((((uint64_t)x6 << 32) | x5) >> 19);
+	out[8] = rdc26((((uint64_t)x7 << 32) | x6) >> 12);
+	out[9] = rdc25((                        x7) >>  6);
+}
+
+/**
+ * Propagate carries in f
+ */
+static inline void carry(uint32_t f[10])
+{
+	f[1] += f[0] >> 26; f[0] = rdc26(f[0]);
+	f[2] += f[1] >> 25; f[1] = rdc25(f[1]);
+	f[3] += f[2] >> 26; f[2] = rdc26(f[2]);
+	f[4] += f[3] >> 25; f[3] = rdc25(f[3]);
+	f[5] += f[4] >> 26; f[4] = rdc26(f[4]);
+	f[6] += f[5] >> 25; f[5] = rdc25(f[5]);
+	f[7] += f[6] >> 26; f[6] = rdc26(f[6]);
+	f[8] += f[7] >> 25; f[7] = rdc25(f[7]);
+	f[9] += f[8] >> 26; f[8] = rdc26(f[8]);
+}
+
+/**
+ * Take a fully reduced polynomial form number and contract it into a
+ * little-endian, 32-byte array
+ */
+static void contract(u_char *out, uint32_t f[10])
+{
+	carry(f);
+	f[0] += 19 * (f[9] >> 25); f[9] = rdc25(f[9]);
+	carry(f);
+	f[0] += 19 * (f[9] >> 25); f[9] = rdc25(f[9]);
+
+	/* now t is between 0 and 2^255-1, properly carried.
+	 * case 1: between 0 and 2^255-20.
+	 * case 2: between 2^255-19 and 2^255-1.
+	 */
+	f[0] += 19;
+	carry(f);
+	f[0] += 19 * (f[9] >> 25); f[9] = rdc25(f[9]);
+
+	/* now between 19 and 2^255-1 in both cases, and offset by 19. */
+	f[0] += (1 << 26) - 19;
+	f[1] += (1 << 25) - 1;
+	f[2] += (1 << 26) - 1;
+	f[3] += (1 << 25) - 1;
+	f[4] += (1 << 26) - 1;
+	f[5] += (1 << 25) - 1;
+	f[6] += (1 << 26) - 1;
+	f[7] += (1 << 25) - 1;
+	f[8] += (1 << 26) - 1;
+	f[9] += (1 << 25) - 1;
+
+	/* now between 2^255 and 2^256-20, and offset by 2^255. */
+	carry(f);
+	f[9] = rdc25(f[9]);
+
+	f[1] <<= 2;
+	f[2] <<= 3;
+	f[3] <<= 5;
+	f[4] <<= 6;
+	f[6] <<= 1;
+	f[7] <<= 3;
+	f[8] <<= 4;
+	f[9] <<= 6;
+
+	memset(out, 0, 32);
+	horule32(out +  0, f[0]);
+	horule32(out +  3, f[1]);
+	horule32(out +  6, f[2]);
+	horule32(out +  9, f[3]);
+	horule32(out + 12, f[4]);
+	horule32(out + 16, f[5]);
+	horule32(out + 19, f[6]);
+	horule32(out + 22, f[7]);
+	horule32(out + 25, f[8]);
+	horule32(out + 28, f[9]);
+}
+
+/**
+ * Swap the contents of x and q if swap is non-zero
+ */
+static void swap_conditional(uint32_t a[10], uint32_t b[10], uint32_t swap)
+{
+	uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9;
+
+	swap = -swap;
+
+	x0 = swap & (a[0] ^ b[0]); a[0] ^= x0; b[0] ^= x0;
+	x1 = swap & (a[1] ^ b[1]); a[1] ^= x1; b[1] ^= x1;
+	x2 = swap & (a[2] ^ b[2]); a[2] ^= x2; b[2] ^= x2;
+	x3 = swap & (a[3] ^ b[3]); a[3] ^= x3; b[3] ^= x3;
+	x4 = swap & (a[4] ^ b[4]); a[4] ^= x4; b[4] ^= x4;
+	x5 = swap & (a[5] ^ b[5]); a[5] ^= x5; b[5] ^= x5;
+	x6 = swap & (a[6] ^ b[6]); a[6] ^= x6; b[6] ^= x6;
+	x7 = swap & (a[7] ^ b[7]); a[7] ^= x7; b[7] ^= x7;
+	x8 = swap & (a[8] ^ b[8]); a[8] ^= x8; b[8] ^= x8;
+	x9 = swap & (a[9] ^ b[9]); a[9] ^= x9; b[9] ^= x9;
+}
+
+/*
+ * In:  b =   2^5 - 2^0
+ * Out: b = 2^250 - 2^0
+ */
+static void pow_two5mtwo0_two250mtwo0(uint32_t b[10])
+{
+	uint32_t t0[10], c[10];
+
+	/* 2^5  - 2^0 */ /* b */
+	/* 2^10 - 2^5 */ square_times(t0, b, 5);
+	/* 2^10 - 2^0 */ mul(b, t0, b);
+	/* 2^20 - 2^10 */ square_times(t0, b, 10);
+	/* 2^20 - 2^0 */ mul(c, t0, b);
+	/* 2^40 - 2^20 */ square_times(t0, c, 20);
+	/* 2^40 - 2^0 */ mul(t0, t0, c);
+	/* 2^50 - 2^10 */ square_times(t0, t0, 10);
+	/* 2^50 - 2^0 */ mul(b, t0, b);
+	/* 2^100 - 2^50 */ square_times(t0, b, 50);
+	/* 2^100 - 2^0 */ mul(c, t0, b);
+	/* 2^200 - 2^100 */ square_times(t0, c, 100);
+	/* 2^200 - 2^0 */ mul(t0, t0, c);
+	/* 2^250 - 2^50 */ square_times(t0, t0, 50);
+	/* 2^250 - 2^0 */ mul(b, t0, b);
+}
+
+/*
+ * z^(p - 2) = z(2^255 - 21)
+ */
+static void recip(uint32_t out[10], uint32_t z[10])
+{
+	uint32_t a[10], t0[10], b[10];
+
+	/* 2 */ square(a, z); /* a = 2 */
+	/* 8 */ square_times(t0, a, 2);
+	/* 9 */ mul(b, t0, z); /* b = 9 */
+	/* 11 */ mul(a, b, a); /* a = 11 */
+	/* 22 */ square(t0, a);
+	/* 2^5 - 2^0 = 31 */ mul(b, t0, b);
+	/* 2^250 - 2^0 */ pow_two5mtwo0_two250mtwo0(b);
+	/* 2^255 - 2^5 */ square_times(b, b, 5);
+	/* 2^255 - 21 */ mul(out, b, a);
+}
+
+METHOD(curve25519_drv_t, curve25519, bool,
+	private_curve25519_drv_t *this, u_char *in, u_char *out)
+{
+	uint32_t nqpqx[10] = {1}, nqpqz[10] = {0}, nqz[10] = {1}, nqx[10];
+	uint32_t q[10], qx[10], qpqx[10], qqx[10], zzz[10], zmone[10];
+	uint32_t bit, lastbit, i;
+
+	expand(q, in);
+	memcpy(nqx, q, sizeof(nqx));
+
+	/* bit 255 is always 0, and bit 254 is always 1, so skip bit 255 and
+	 * start pre-swapped on bit 254 */
+	lastbit = 1;
+
+	/* we are doing bits 254..3 in the loop, but are swapping in bits 253..2 */
+	for (i = 253; i >= 2; i--)
+	{
+		add(qx, nqx, nqz);
+		sub(nqz, nqx, nqz);
+		add(qpqx, nqpqx, nqpqz);
+		sub(nqpqz, nqpqx, nqpqz);
+		mul(nqpqx, qpqx, nqz);
+		mul(nqpqz, qx, nqpqz);
+		add(qqx, nqpqx, nqpqz);
+		sub(nqpqz, nqpqx, nqpqz);
+		square(nqpqz, nqpqz);
+		square(nqpqx, qqx);
+		mul(nqpqz, nqpqz, q);
+		square(qx, qx);
+		square(nqz, nqz);
+		mul(nqx, qx, nqz);
+		sub(nqz, qx, nqz);
+		scalar_product(zzz, nqz, 121665);
+		add(zzz, zzz, qx);
+		mul(nqz, nqz, zzz);
+
+		bit = (this->key[i/8] >> (i & 7)) & 1;
+		swap_conditional(nqx, nqpqx, bit ^ lastbit);
+		swap_conditional(nqz, nqpqz, bit ^ lastbit);
+		lastbit = bit;
+	}
+
+	/* the final 3 bits are always zero, so we only need to double */
+	for (i = 0; i < 3; i++)
+	{
+		add(qx, nqx, nqz);
+		sub(nqz, nqx, nqz);
+		square(qx, qx);
+		square(nqz, nqz);
+		mul(nqx, qx, nqz);
+		sub(nqz, qx, nqz);
+		scalar_product(zzz, nqz, 121665);
+		add(zzz, zzz, qx);
+		mul(nqz, nqz, zzz);
+	}
+
+	recip(zmone, nqz);
+	mul(nqz, nqx, zmone);
+	contract(out, nqz);
+
+	return TRUE;
+}
+
+METHOD(curve25519_drv_t, destroy, void,
+	private_curve25519_drv_t *this)
+{
+	memwipe(this->key, sizeof(this->key));
+	free(this);
+}
+
+/**
+ * See header
+ */
+curve25519_drv_t *curve25519_drv_portable_create()
+{
+	private_curve25519_drv_t *this;
+
+	INIT(this,
+		.public = {
+			.set_key = _set_key,
+			.curve25519 = _curve25519,
+			.destroy = _destroy,
+		},
+	);
+
+	return &this->public;
+}
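Review bot: `curve25519()` returns `TRUE` unconditionally, so the `if` around it in `set_other_public_value()` (curve25519_dh.c) can never reject a peer value, including when the result is all zero. RFC 7748 section 6.1 describes checking the output for the all-zero value, which occurs for inputs of small order, and aborting the exchange. One option is to fold the output after `contract(out, nqz);` without data-dependent branches, `for (acc = 0, i = 0; i < CURVE25519_KEY_SIZE; i++) acc |= out[i];` then `return acc != 0;`, with `u_char acc;` declared at the top. The public-value path calls the same method with base point 9 and a clamped key, where a zero result is not expected, but that is worth confirming against the test vectors.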
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_drv_portable.h b/src/libstrongswan/plugins/curve25519/curve25519_drv_portable.h
new file mode 100644
index 0000000..f0de0bd
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_drv_portable.h
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curve25519_drv_portable curve25519_drv_portable
+ * @{ @ingroup curve25519_p
+ */
+
+#include "curve25519_drv.h"
+
+#ifndef CURVE25519_DRV_PORTABLE_H_
+#define CURVE25519_DRV_PORTABLE_H_
+
+/**
+ * Create a curve25519_drv_portable instance.
+ */
+curve25519_drv_t *curve25519_drv_portable_create();
+
+#endif /** CURVE25519_DRV_PORTABLE_H_ @}*/
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_identity_hasher.c b/src/libstrongswan/plugins/curve25519/curve25519_identity_hasher.c
new file mode 100644
index 0000000..a7ffdb1
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_identity_hasher.c
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "curve25519_identity_hasher.h"
+
+/*
+ * Described in header.
+ */
+curve25519_identity_hasher_t *curve25519_identity_hasher_create(hash_algorithm_t algo)
+{
+	/* since the identity hasher is never actually used, always return NULL */
+	return NULL;
+}
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_identity_hasher.h b/src/libstrongswan/plugins/curve25519/curve25519_identity_hasher.h
new file mode 100644
index 0000000..bf643b5
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_identity_hasher.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curve25519_identity_hasher curve25519_identity_hasher
+ * @{ @ingroup curve25519_p
+ */
+
+#ifndef CURVE25519_IDENTITY_HASHER_H_
+#define CURVE25519_IDENTITY_HASHER_H_
+
+typedef struct curve25519_identity_hasher_t curve25519_identity_hasher_t;
+
+#include <crypto/hashers/hasher.h>
+
+/**
+ * Implementation of hasher_t interface using the Identity algorithm.
+ */
+struct curve25519_identity_hasher_t {
+
+	/**
+	 * Implements hasher_t interface.
+	 */
+	hasher_t hasher_interface;
+};
+
+/**
+ * Creates a new curve25519_identity_hasher_t.
+ *
+ * @param algo		algorithm, must be HASH_IDENTITY
+ * @return			curve25519_identity_hasher_t object
+ */
+curve25519_identity_hasher_t *curve25519_identity_hasher_create(hash_algorithm_t algo);
+
+#endif /** CURVE25519_IDENTITY_HASHER_H_ @}*/
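Review bot: The `@return` line for `curve25519_identity_hasher_create()` promises a `curve25519_identity_hasher_t object`, but the implementation added in curve25519_identity_hasher.c always returns NULL. curve25519_plugin.c registers this constructor for `HASH_IDENTITY`, so any code that asks for that hasher has to handle NULL. I would document it as `@return  always NULL, the identity hasher is registered pro forma and never instantiated`. The struct comment should also say that no working `hasher_t` implementation stands behind it.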
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_plugin.c b/src/libstrongswan/plugins/curve25519/curve25519_plugin.c
new file mode 100644
index 0000000..48ca43a
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_plugin.c
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "curve25519_plugin.h"
+#include "curve25519_dh.h"
+#include "curve25519_private_key.h"
+#include "curve25519_public_key.h"
+#include "curve25519_identity_hasher.h"
+
+#include <library.h>
+
+typedef struct private_curve25519_plugin_t private_curve25519_plugin_t;
+
+/**
+ * private data of curve25519_plugin
+ */
+struct private_curve25519_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	curve25519_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_curve25519_plugin_t *this)
+{
+	return "curve25519";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_curve25519_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f[] = {
+		/* X25519 DH group */
+		PLUGIN_REGISTER(DH, curve25519_dh_create),
+			PLUGIN_PROVIDE(DH, CURVE_25519),
+				PLUGIN_DEPENDS(RNG, RNG_STRONG),
+		/* Ed25519 private/public keys */
+		PLUGIN_REGISTER(PRIVKEY, curve25519_private_key_load, TRUE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
+		PLUGIN_REGISTER(PRIVKEY_GEN, curve25519_private_key_gen, FALSE),
+			PLUGIN_PROVIDE(PRIVKEY_GEN, KEY_ED25519),
+				PLUGIN_DEPENDS(RNG, RNG_TRUE),
+				PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+		PLUGIN_REGISTER(PUBKEY, curve25519_public_key_load, TRUE),
+			PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
+		/* Ed25519 signature scheme, private */
+		PLUGIN_PROVIDE(PRIVKEY_SIGN, SIGN_ED25519),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+		/* Ed25519 signature verification scheme, public */
+		PLUGIN_PROVIDE(PUBKEY_VERIFY, SIGN_ED25519),
+			PLUGIN_DEPENDS(HASHER, HASH_SHA512),
+		/* register a pro forma identity hasher */
+		PLUGIN_REGISTER(HASHER, curve25519_identity_hasher_create),
+			PLUGIN_PROVIDE(HASHER, HASH_IDENTITY),
+	};
+	*features = f;
+	return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+	private_curve25519_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *curve25519_plugin_create()
+{
+	private_curve25519_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_plugin.h b/src/libstrongswan/plugins/curve25519/curve25519_plugin.h
new file mode 100644
index 0000000..94f2e48
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curve25519_p curve25519
+ * @ingroup plugins
+ *
+ * @defgroup curve25519_plugin curve25519_plugin
+ * @{ @ingroup curve25519_p
+ */
+
+#ifndef CURVE25519_PLUGIN_H_
+#define CURVE25519_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct curve25519_plugin_t curve25519_plugin_t;
+
+/**
+ * Plugin providing a Curve25519 DH implementation
+ */
+struct curve25519_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** CURVE25519_PLUGIN_H_ @}*/
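Review bot: The doc comment on `struct curve25519_plugin_t` describes only "a Curve25519 DH implementation", but get_features in curve25519_plugin.c from this same commit also registers Ed25519 private and public key loading, key generation, signing and verification. I would change it to `Plugin providing X25519 key exchange and Ed25519 keys and signatures`. That way someone auditing which plugin supplies signature verification can tell from the header alone.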
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_private_key.c b/src/libstrongswan/plugins/curve25519/curve25519_private_key.c
new file mode 100644
index 0000000..2a7303c
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_private_key.c
@@ -0,0 +1,346 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "curve25519_private_key.h"
+#include "curve25519_public_key.h"
+#include "ref10/ref10.h"
+
+#include <asn1/asn1.h>
+#include <asn1/oid.h>
+
+#define _GNU_SOURCE
+#include <stdlib.h>
+
+typedef struct private_curve25519_private_key_t private_curve25519_private_key_t;
+
+/**
+ * Private data of a curve25519_private_key_t object.
+ */
+struct private_curve25519_private_key_t {
+	/**
+	 * Public interface for this signer.
+	 */
+	curve25519_private_key_t public;
+
+	/**
+	 * Secret scalar s derived from private key.
+	 */
+	uint8_t s[HASH_SIZE_SHA512];
+
+	/**
+	 * Ed25519 private key
+	 */
+	chunk_t key;
+
+	/**
+	 * Ed25519 public key
+	 */
+	chunk_t pubkey;
+
+	/**
+	 * Reference count
+	 */
+	refcount_t ref;
+};
+
+METHOD(private_key_t, get_type, key_type_t,
+	private_curve25519_private_key_t *this)
+{
+	return KEY_ED25519;
+}
+
+METHOD(private_key_t, sign, bool,
+	private_curve25519_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
+{
+	uint8_t r[HASH_SIZE_SHA512], k[HASH_SIZE_SHA512], sig[HASH_SIZE_SHA512];
+	hasher_t *hasher;
+	chunk_t prefix;
+	ge_p3 R;
+	bool success = FALSE;
+
+	if (scheme != SIGN_ED25519)
+	{
+		DBG1(DBG_LIB, "signature scheme %N not supported by Ed25519",
+			 signature_scheme_names, scheme);
+		return FALSE;
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
+	if (!hasher)
+	{
+		return FALSE;
+	}
+	prefix = chunk_create(this->s + 32, 32);
+
+	if (!hasher->get_hash(hasher, prefix, NULL) ||
+		!hasher->get_hash(hasher, data, r))
+	{
+		goto end;
+	}
+	sc_reduce(r);
+	ge_scalarmult_base(&R, r);
+	ge_p3_tobytes(sig, &R);
+
+	if (!hasher->get_hash(hasher, chunk_create(sig, 32), NULL) ||
+		!hasher->get_hash(hasher, this->pubkey, NULL) ||
+		!hasher->get_hash(hasher, data, k))
+	{
+		goto end;
+	}
+	sc_reduce(k);
+	sc_muladd(sig + 32, k, this->s, r);
+
+	*signature = chunk_clone(chunk_create(sig, sizeof(sig)));
+	success = TRUE;
+
+end:
+	hasher->destroy(hasher);
+	return success;
+}
+
+METHOD(private_key_t, decrypt, bool,
+	private_curve25519_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypto, chunk_t *plain)
+{
+	DBG1(DBG_LIB, "encryption scheme %N not supported", encryption_scheme_names,
+		 scheme);
+	return FALSE;
+}
+
+METHOD(private_key_t, get_keysize, int,
+	private_curve25519_private_key_t *this)
+{
+	return 8 * ED25519_KEY_LEN;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_curve25519_private_key_t *this)
+{
+	public_key_t *public;
+	chunk_t pubkey;
+
+	pubkey = curve25519_public_key_info_encode(this->pubkey);
+	public = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
+								BUILD_BLOB_ASN1_DER, pubkey, BUILD_END);
+	free(pubkey.ptr);
+
+	return public;
+}
+
+METHOD(private_key_t, get_encoding, bool,
+	private_curve25519_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	switch (type)
+	{
+		case PRIVKEY_ASN1_DER:
+		case PRIVKEY_PEM:
+		{
+			bool success = TRUE;
+
+			*encoding = asn1_wrap(ASN1_SEQUENCE, "cms",
+							ASN1_INTEGER_0,
+							asn1_algorithmIdentifier(OID_ED25519),
+							asn1_wrap(ASN1_OCTET_STRING, "s",
+								asn1_simple_object(ASN1_OCTET_STRING, this->key)
+							)
+						);
+			if (type == PRIVKEY_PEM)
+			{
+				chunk_t asn1_encoding = *encoding;
+
+				success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM,
+								NULL, encoding, CRED_PART_EDDSA_PRIV_ASN1_DER,
+								asn1_encoding, CRED_PART_END);
+				chunk_clear(&asn1_encoding);
+			}
+			return success;
+		}
+		default:
+			return FALSE;
+	}
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+	private_curve25519_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fp)
+{
+	bool success;
+
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+	{
+		return TRUE;
+	}
+	success = curve25519_public_key_fingerprint(this->pubkey, type, fp);
+	if (success)
+	{
+		lib->encoding->cache(lib->encoding, type, this, *fp);
+	}
+	return success;
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_curve25519_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(private_key_t, destroy, void,
+	private_curve25519_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this);
+		memwipe(this->s, HASH_SIZE_SHA512);
+		chunk_clear(&this->key);
+		chunk_free(&this->pubkey);
+		free(this);
+	}
+}
+
+/**
+ * Internal generic constructor
+ */
+static private_curve25519_private_key_t *curve25519_private_key_create(chunk_t key)
+{
+	private_curve25519_private_key_t *this;
+	hasher_t *hasher;
+	ge_p3 A;
+
+	/* derive public key from private key */
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
+	if (!hasher)
+	{
+		chunk_clear(&key);
+		return NULL;
+	}
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.key = key,
+		.pubkey = chunk_alloc(ED25519_KEY_LEN),
+		.ref = 1,
+	);
+
+	/* derive secret scalar s from private key */
+	if (!hasher->get_hash(hasher, key, this->s))
+	{
+		destroy(this);
+		hasher->destroy(hasher);
+		return NULL;
+	}
+	hasher->destroy(hasher);
+
+	this->s[0]  &= 0xf8;
+	this->s[31] &= 0x3f;
+	this->s[31] |= 0x40;
+
+	/* derive public key */
+	ge_scalarmult_base(&A, this->s);
+	ge_p3_tobytes(this->pubkey.ptr, &A);
+
+	return this;
+}
+
+/**
+ * See header.
+ */
+curve25519_private_key_t *curve25519_private_key_gen(key_type_t type,
+													 va_list args)
+{
+	private_curve25519_private_key_t *this;
+	chunk_t key;
+	rng_t *rng;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_KEY_SIZE:
+				/* key_size argument is not needed */
+				va_arg(args, u_int);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	/* generate 256 bit true random private key */
+	rng = lib->crypto->create_rng(lib->crypto, RNG_TRUE);
+	if (!rng || !rng->allocate_bytes(rng, ED25519_KEY_LEN, &key))
+	{
+		DESTROY_IF(rng);
+		return NULL;
+	}
+	rng->destroy(rng);
+
+	this = curve25519_private_key_create(key);
+
+	return this ? &this->public : NULL;
+}
+
+/**
+ * See header.
+ */
+curve25519_private_key_t *curve25519_private_key_load(key_type_t type,
+													  va_list args)
+{
+	private_curve25519_private_key_t *this;
+	chunk_t key = chunk_empty;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_EDDSA_PRIV_ASN1_DER:
+				key = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	if (!asn1_parse_simple_object(&key, ASN1_OCTET_STRING, 0, "EdPrivateKey") ||
+		key.len != ED25519_KEY_LEN)
+	{
+		return NULL;
+	}
+	this = curve25519_private_key_create(chunk_clone(key));
+
+	return this ? &this->public : NULL;
+}
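Review bot: In sign(), the per-signature secret `r` is left on the stack on every return path, because the `end:` label only destroys the hasher. The private key stays secret only as long as `r` does, so it deserves the same treatment destroy() gives `this->s`. I would add `memwipe(r, sizeof(r));` directly after the `end:` label, which covers the success path and both `goto end` failures. `k` and `sig` are computed from public values (R, the public key, the message) and do not need wiping.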
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_private_key.h b/src/libstrongswan/plugins/curve25519/curve25519_private_key.h
new file mode 100644
index 0000000..26f474f
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_private_key.h
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curve25519_private_key curve25519_private_key
+ * @{ @ingroup curve25519_p
+ */
+
+#ifndef CURVE25519_PRIVATE_KEY_H_
+#define CURVE25519_PRIVATE_KEY_H_
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+typedef struct curve25519_private_key_t curve25519_private_key_t;
+
+/**
+ * Private_key_t implementation of Ed25519 signature algorithm.
+ */
+struct curve25519_private_key_t {
+
+	/**
+	 * Implements private_key_t interface
+	 */
+	private_key_t key;
+};
+
+/**
+ * Generate an Ed25519 private key.
+ *
+ * @param type		type of the key, must be KEY_ED25519
+ * @param args		builder_part_t argument list
+ * @return 			generated key, NULL on failure
+ */
+curve25519_private_key_t *curve25519_private_key_gen(key_type_t type,
+													 va_list args);
+
+/**
+ * Load an Ed25519 private key.
+ *
+ * @param type		type of the key, must be KEY_ED25519
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+curve25519_private_key_t *curve25519_private_key_load(key_type_t type,
+													  va_list args);
+
+#endif /** CURVE25519_PRIVATE_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_public_key.c b/src/libstrongswan/plugins/curve25519/curve25519_public_key.c
new file mode 100644
index 0000000..d077763
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_public_key.c
@@ -0,0 +1,331 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "curve25519_public_key.h"
+#include "ref10/ref10.h"
+
+#include <asn1/asn1.h>
+#include <asn1/asn1_parser.h>
+#include <asn1/oid.h>
+
+typedef struct private_curve25519_public_key_t private_curve25519_public_key_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_curve25519_public_key_t {
+	/**
+	 * Public interface for this signer.
+	 */
+	curve25519_public_key_t public;
+
+	/**
+	 * Ed25519 public key
+	 */
+	chunk_t pubkey;
+
+	/**
+	 * Reference counter
+	 */
+	refcount_t ref;
+};
+
+METHOD(public_key_t, get_type, key_type_t,
+	private_curve25519_public_key_t *this)
+{
+	return KEY_ED25519;
+}
+
+METHOD(public_key_t, verify, bool,
+	private_curve25519_public_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t signature)
+{
+	hasher_t *hasher;
+	uint8_t d = 0, k[HASH_SIZE_SHA512], r[32], *sig;
+	int i;
+	ge_p3 A;
+	ge_p2 R;
+
+	if (scheme != SIGN_ED25519)
+	{
+		DBG1(DBG_LIB, "signature scheme %N not supported by Ed25519",
+			 signature_scheme_names, scheme);
+		return FALSE;
+	}
+
+	if (signature.len != 64)
+	{
+		DBG1(DBG_LIB, "size of Ed25519 signature is not 64 bytes");
+		return FALSE;
+	}
+	sig = signature.ptr;
+
+	if (sig[63] & 0xe0)
+	{
+		DBG1(DBG_LIB, "the three most significant bits of Ed25519 signature "
+			 "are not zero");
+		return FALSE;
+	}
+
+	if (ge_frombytes_negate_vartime(&A, this->pubkey.ptr) != 0)
+	{
+		return FALSE;
+	}
+
+	/* check for all-zeroes public key */
+	for (i = 0; i < 32; i++)
+	{
+		d |= this->pubkey.ptr[i];
+	}
+	if (!d)
+	{
+		return FALSE;
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512);
+	if (!hasher)
+	{
+		return FALSE;
+	}
+	if (!hasher->get_hash(hasher, chunk_create(sig, 32), NULL) ||
+		!hasher->get_hash(hasher, this->pubkey, NULL) ||
+		!hasher->get_hash(hasher, data, k))
+	{
+		hasher->destroy(hasher);
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+
+	sc_reduce(k);
+	ge_double_scalarmult_vartime(&R, k, &A, sig + 32);
+	ge_tobytes(r, &R);
+
+	return memeq_const(sig, r, 32);
+}
+
+METHOD(public_key_t, encrypt_, bool,
+	private_curve25519_public_key_t *this, encryption_scheme_t scheme,
+	chunk_t plain, chunk_t *crypto)
+{
+	DBG1(DBG_LIB, "encryption scheme %N not supported", encryption_scheme_names,
+		 scheme);
+	return FALSE;
+}
+
+METHOD(public_key_t, get_keysize, int,
+	private_curve25519_public_key_t *this)
+{
+	return 8 * ED25519_KEY_LEN;
+}
+
+METHOD(public_key_t, get_encoding, bool,
+	private_curve25519_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	bool success = TRUE;
+
+	*encoding = curve25519_public_key_info_encode(this->pubkey);
+
+	if (type != PUBKEY_SPKI_ASN1_DER)
+	{
+		chunk_t asn1_encoding = *encoding;
+
+		success = lib->encoding->encode(lib->encoding, type,
+						NULL, encoding, CRED_PART_EDDSA_PUB_ASN1_DER,
+						asn1_encoding, CRED_PART_END);
+		chunk_clear(&asn1_encoding);
+	}
+	return success;
+}
+
+METHOD(public_key_t, get_fingerprint, bool,
+	private_curve25519_public_key_t *this, cred_encoding_type_t type,
+	chunk_t *fp)
+{
+	bool success;
+
+	if (lib->encoding->get_cache(lib->encoding, type, this, fp))
+	{
+		return TRUE;
+	}
+	success = curve25519_public_key_fingerprint(this->pubkey, type, fp);
+	if (success)
+	{
+		lib->encoding->cache(lib->encoding, type, this, *fp);
+	}
+	return success;
+}
+
+METHOD(public_key_t, get_ref, public_key_t*,
+	private_curve25519_public_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(public_key_t, destroy, void,
+	private_curve25519_public_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		lib->encoding->clear_cache(lib->encoding, this);
+		free(this->pubkey.ptr);
+		free(this);
+	}
+}
+
+/**
+ * ASN.1 definition of an Ed25519 public key
+ */
+static const asn1Object_t pubkeyObjects[] = {
+	{ 0, "subjectPublicKeyInfo",ASN1_SEQUENCE,		ASN1_NONE }, /*  0 */
+	{ 1,   "algorithm",			ASN1_EOC,			ASN1_RAW  }, /*  1 */
+	{ 1,   "subjectPublicKey",	ASN1_BIT_STRING,	ASN1_BODY }, /*  2 */
+	{ 0, "exit",				ASN1_EOC,			ASN1_EXIT }
+};
+
+#define ED25519_SUBJECT_PUBLIC_KEY_ALGORITHM	1
+#define ED25519_SUBJECT_PUBLIC_KEY				2
+
+/**
+ * See header.
+ */
+curve25519_public_key_t *curve25519_public_key_load(key_type_t type,
+													va_list args)
+{
+	private_curve25519_public_key_t *this;
+	chunk_t blob = chunk_empty, object;
+	asn1_parser_t *parser;
+	bool success = FALSE;
+	int objectID, oid;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_BLOB_ASN1_DER:
+				blob = va_arg(args, chunk_t);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.verify = _verify,
+				.encrypt = _encrypt_,
+				.equals = public_key_equals,
+				.get_keysize = _get_keysize,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = public_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.ref = 1,
+	);
+
+	parser = asn1_parser_create(pubkeyObjects, blob);
+
+	while (parser->iterate(parser, &objectID, &object))
+	{
+		switch (objectID)
+		{
+			case ED25519_SUBJECT_PUBLIC_KEY_ALGORITHM:
+			{
+				oid = asn1_parse_algorithmIdentifier(object,
+										parser->get_level(parser) + 1, NULL);
+				if (oid != OID_ED25519)
+				{
+					goto end;
+				}
+				break;
+			}
+			case ED25519_SUBJECT_PUBLIC_KEY:
+			{
+				/* encoded as an ASN1 BIT STRING */
+				if (object.len != 1 + ED25519_KEY_LEN)
+				{
+					goto end;
+				}
+				this->pubkey = chunk_clone(chunk_skip(object, 1));
+				break;
+			}
+		}
+	}
+	success = parser->success(parser);
+
+end:
+	parser->destroy(parser);
+	if (!success)
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
+
+/**
+ * See header.
+ */
+chunk_t curve25519_public_key_info_encode(chunk_t pubkey)
+{
+	return asn1_wrap(ASN1_SEQUENCE, "mm",
+					asn1_wrap(ASN1_SEQUENCE, "m",
+						asn1_build_known_oid(OID_ED25519)),
+					asn1_bitstring("c", pubkey));
+}
+
+/**
+ * See header.
+ */
+bool curve25519_public_key_fingerprint(chunk_t pubkey,
+									   cred_encoding_type_t type, chunk_t *fp)
+{
+	hasher_t *hasher;
+	chunk_t key;
+
+	switch (type)
+	{
+		case KEYID_PUBKEY_SHA1:
+			key = chunk_clone(pubkey);
+			break;
+		case KEYID_PUBKEY_INFO_SHA1:
+			key = curve25519_public_key_info_encode(pubkey);
+			break;
+		default:
+			return FALSE;
+	}
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher || !hasher->allocate_hash(hasher, key, fp))
+	{
+		DBG1(DBG_LIB, "SHA1 hash algorithm not supported, "
+			 "fingerprinting failed");
+		DESTROY_IF(hasher);
+		free(key.ptr);
+		return FALSE;
+	}
+	hasher->destroy(hasher);
+	free(key.ptr);
+	return TRUE;
+}
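Review bot: In verify(), the `sig[63] & 0xe0` test only bounds the scalar half of the signature below 2^253; it does not establish that S is smaller than the group order, which RFC 8032 asks a verifier to check. Whether a non-canonical S is then accepted depends on ge_double_scalarmult_vartime, which is outside this hunk, so that should be confirmed against ref10. If it is accepted, one message and key would have more than one valid signature encoding, which matters to any caller that treats signature bytes as unique. I would add an explicit range check of `sig + 32` against the order before the hasher is created. Until then the limitation should be recorded next to the existing test, for example `/* bounds S below 2^253 only; S < L is not verified here */`.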
diff --git a/src/libstrongswan/plugins/curve25519/curve25519_public_key.h b/src/libstrongswan/plugins/curve25519/curve25519_public_key.h
new file mode 100644
index 0000000..5f6ae17
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/curve25519_public_key.h
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup curve25519_public_key curve25519_public_key
+ * @{ @ingroup curve25519_p
+ */
+
+#ifndef CURVE25519_PUBLIC_KEY_H_
+#define CURVE25519_PUBLIC_KEY_H_
+
+#include <credentials/builder.h>
+#include <credentials/cred_encoding.h>
+#include <credentials/keys/public_key.h>
+
+typedef struct curve25519_public_key_t curve25519_public_key_t;
+
+#define ED25519_KEY_LEN		32
+
+/**
+ * public_key_t implementation of Ed25519 signature algorithm
+ */
+struct curve25519_public_key_t {
+
+	/**
+	 * Implements the public_key_t interface
+	 */
+	public_key_t key;
+};
+
+/**
+ * Load an Ed25519 public key.
+ *
+ * @param type		type of the key, must be KEY_ED25519
+ * @param args		builder_part_t argument list
+ * @return 			loaded key, NULL on failure
+ */
+curve25519_public_key_t *curve25519_public_key_load(key_type_t type,
+													va_list args);
+
+/* The following functions are shared with the curve25519_private_key class */
+
+/**
+ * Encode a Ed25519 subjectPublicKeyInfo record in ASN.1 DER format
+ *
+ * @param pubkey	Ed25519 public key
+ * @result			ASN.1 encoded subjectPublicKeyInfo record
+ */
+chunk_t curve25519_public_key_info_encode(chunk_t pubkey);
+
+/**
+ * Generate a Ed25519 public key fingerprint
+ *
+ * @param pubkey	Ed25519 public key
+ * @param type		type of fingerprint to be generated
+ * @param fp		generated fingerprint (must be freed by caller)
+ * @result			TRUE if generation was successful
+ */
+bool curve25519_public_key_fingerprint(chunk_t pubkey,
+									   cred_encoding_type_t type, chunk_t *fp);
+
+#endif /** CURVE25519_PUBLIC_KEY_H_ @}*/
diff --git a/src/libstrongswan/plugins/curve25519/ref10/base.h b/src/libstrongswan/plugins/curve25519/ref10/base.h
new file mode 100644
index 0000000..d3f60ca
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/ref10/base.h
@@ -0,0 +1,2121 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Based on the public domain libsodium adaptation by Frank Denis
+ * of the SUPERCOP ref10 implementation by  Daniel J. Bernstein,
+ * Niels Duif, Peter Schwabe, Tanja Lange and Bo-Yin Yang.
+ */
+
+	{
+		{
+			{  25967493, -14356035,  29566456,   3660896, -12694345,
+			    4014787,  27544626, -11754271,  -6079156,   2047605 },
+			{ -12545711,    934262,  -2722910,   3049990,   -727428,
+			    9406986,  12720692,   5043384,  19500929, -15469378 },
+			{  -8738181,   4489570,   9688441, -14785194,  10184609,
+			  -12363380,  29287919,  11864899, -24514362,  -4438546 }
+		},
+		{
+			{ -12815894, -12976347, -21581243,  11784320, -25355658,
+			   -2750717, -11717903,  -3814571,   -358445, -10211303 },
+			{ -21703237,   6903825,  27185491,   6451973, -29577724,
+			   -9554005, -15616551,  11189268, -26829678,  -5319081 },
+			{  26966642,  11152617,  32442495,  15396054,  14353839,
+			  -12752335,  -3128826,  -9541118, -15472047,  -4166697 }
+		},
+		{
+			{  15636291,  -9688557,  24204773,  -7912398,    616977,
+			  -16685262,  27787600, -14772189,  28944400,  -1550024 },
+			{  16568933,   4717097, -11556148,  -1102322,  15682896,
+			  -11807043,  16354577, -11775962,   7689662,  11199574 },
+			{  30464156,  -5976125, -11779434, -15670865,  23220365,
+			   15915852,   7512774,  10017326, -17749093,  -9920357 }
+		},
+		{
+			{ -17036878,  13921892,  10945806,  -6033431,  27105052,
+			  -16084379, -28926210,  15006023,   3284568,  -6276540 },
+			{  23599295,  -8306047, -11193664,  -7687416,  13236774,
+			   10506355,   7464579,   9656445,  13059162,  10374397 },
+			{   7798556,  16710257,   3033922,   2874086,  28997861,
+			    2835604,  32406664,  -3839045,   -641708,   -101325 }
+		},
+		{
+			{  10861363,  11473154,  27284546,   1981175, -30064349,
+			   12577861,  32867885,  14515107, -15438304,  10819380 },
+			{   4708026,   6336745,  20377586,   9066809, -11272109,
+			    6594696, -25653668,  12483688, -12668491,   5581306 },
+			{  19563160,  16186464, -29386857,   4097519,  10237984,
+			   -4348115,  28542350,  13850243, -23678021, -15815942 }
+		},
+		{
+			{ -15371964, -12862754,  32573250,   4720197, -26436522,
+			    5875511, -19188627, -15224819,  -9818940, -12085777 },
+			{  -8549212,    109983,  15149363,   2178705,  22900618,
+			    4543417,   3044240, -15689887,   1762328,  14866737 },
+			{ -18199695, -15951423, -10473290,   1707278, -17185920,
+			    3916101, -28236412,   3959421,  27914454,   4383652 }
+		},
+		{
+			{   5153746,   9909285,   1723747,  -2777874,  30523605,
+			    5516873,  19480852,   5230134, -23952439, -15175766 },
+			{ -30269007,  -3463509,   7665486,  10083793,  28475525,
+			    1649722,  20654025,  16520125,  30598449,   7715701 },
+			{  28881845,  14381568,   9657904,   3680757, -20181635,
+			    7843316, -31400660,   1370708,  29794553,  -1409300 }
+		},
+		{
+			{  14499471,  -2729599, -33191113,  -4254652,  28494862,
+			   14271267,  30290735,  10876454, -33154098,   2381726 },
+			{  -7195431,  -2655363, -14730155,    462251, -27724326,
+			    3941372,  -6236617,   3696005, -32300832,  15351955 },
+			{  27431194,   8222322,  16448760,  -3907995, -18707002,
+			   11938355, -32961401,  -2970515,  29551813,  10109425 }
+		}
+	},
+	{
+		{
+			{ -13657040, -13155431, -31283750,  11777098,  21447386,
+			    6519384,  -2378284,  -1627556,  10092783,  -4764171 },
+			{  27939166,  14210322,   4677035,  16277044, -22964462,
+			  -12398139, -32508754,  12005538, -17810127,  12803510 },
+			{  17228999, -15661624,  -1233527,    300140,  -1224870,
+			  -11714777,  30364213,  -9038194,  18016357,   4397660 }
+		},
+		{
+			{ -10958843,  -7690207,   4776341, -14954238,  27850028,
+			  -15602212, -26619106,  14544525, -17477504,    982639 },
+			{  29253598,  15796703,  -2863982,  -9908884,  10057023,
+			    3163536,   7332899,  -4120128, -21047696,   9934963 },
+			{   5793303,  16271923, -24131614, -10116404,  29188560,
+			    1206517, -14747930,   4559895, -30123922, -10897950 }
+		},
+		{
+			{ -27643952, -11493006,  16282657, -11036493,  28414021,
+			  -15012264,  24191034,   4541697, -13338309,   5500568 },
+			{  12650548,  -1497113,   9052871,  11355358, -17680037,
+			   -8400164, -17430592,  12264343,  10874051,  13524335 },
+			{  25556948,  -3045990,    714651,   2510400,  23394682,
+			  -10415330,  33119038,   5080568, -22528059,   5376628 }
+		},
+		{
+			{ -26088264,  -4011052, -17013699,  -3537628,  -6726793,
+			    1920897, -22321305,  -9447443,   4535768,   1569007 },
+			{  -2255422,  14606630, -21692440,  -8039818,  28430649,
+			    8775819, -30494562,   3044290,  31848280,  12543772 },
+			{ -22028579,   2943893, -31857513,   6777306,  13784462,
+			   -4292203, -27377195,  -2062731,   7718482,  14474653 }
+		},
+		{
+			{   2385315,   2454213, -22631320,     46603,  -4437935,
+			  -15680415,    656965,  -7236665,  24316168,  -5253567 },
+			{  13741529,  10911568, -33233417,  -8603737, -20177830,
+			   -1033297,  33040651, -13424532, -20729456,   8321686 },
+			{  21060490,  -2212744,  15712757,  -4336099,   1639040,
+			   10656336,  23845965, -11874838,  -9984458,    608372 }
+		},
+		{
+			{ -13672732, -15087586, -10889693,  -7557059,  -6036909,
+			   11305547,   1123968,  -6780577,  27229399,     23887 },
+			{ -23244140,   -294205, -11744728,  14712571, -29465699,
+			   -2029617,  12797024,  -6440308,  -1633405,  16678954 },
+			{ -29500620,   4770662, -16054387,  14001338,   7830047,
+			    9564805,  -1508144,  -4795045, -17169265,   4904953 }
+		},
+		{
+			{  24059557,  14617003,  19037157, -15039908,  19766093,
+			  -14906429,   5169211,  16191880,   2128236,  -4326833 },
+			{ -16981152,   4124966,  -8540610, -10653797,  30336522,
+			  -14105247, -29806336,    916033,  -6882542,  -2986532 },
+			{ -22630907,  12419372,  -7134229,  -7473371, -16478904,
+			   16739175,    285431,   2763829,  15736322,   4143876 }
+		},
+		{
+			{   2379352,  11839345,  -4110402,  -5988665,  11274298,
+			     794957,    212801, -14594663,  23527084, -16458268 },
+			{  33431127, -11130478, -17838966, -15626900,   8909499,
+			    8376530, -32625340,   4087881, -15188911, -14416214 },
+			{   1767683,   7197987, -13205226,  -2022635, -13091350,
+			     448826,   5799055,   4357868,  -4774191, -16323038 }
+		}
+	},
+	{
+		{
+			{   6721966,  13833823, -23523388,  -1551314,  26354293,
+			  -11863321,  23365147,  -3949732,   7390890,   2759800 },
+			{   4409041,   2052381,  23373853,  10530217,   7676779,
+			  -12885954,  21302353,  -4264057,   1244380, -12919645 },
+			{  -4421239,   7169619,   4982368,  -2957590,  30256825,
+			   -2777540,  14086413,   9208236,  15886429,  16489664 }
+		},
+		{
+			{   1996075,  10375649,  14346367,  13311202,  -6874135,
+			  -16438411, -13693198,    398369, -30606455,   -712933 },
+			{ -25307465,   9795880,  -2777414,  14878809, -33531835,
+			   14780363,  13348553,  12076947, -30836462,   5113182 },
+			{ -17770784,  11797796,  31950843,  13929123, -25888302,
+			   12288344, -30341101,  -7336386,  13847711,   5387222 }
+		},
+		{
+			{ -18582163,  -3416217,  17824843,  -2340966,  22744343,
+			  -10442611,   8763061,   3617786, -19600662,  10370991 },
+			{  20246567, -14369378,  22358229,   -543712,  18507283,
+			  -10413996,  14554437,  -8746092,  32232924,  16763880 },
+			{   9648505,  10094563,  26416693,  14745928, -30374318,
+			   -6472621,  11094161,  15689506,   3140038, -16510092 }
+		},
+		{
+			{ -16160072,   5472695,  31895588,   4744994,   8823515,
+			   10365685, -27224800,   9448613, -28774454,    366295 },
+			{  19153450,  11523972, -11096490,  -6503142, -24647631,
+			    5420647,  28344573,   8041113,    719605,  11671788 },
+			{   8678025,   2694440,  -6808014,   2517372,   4964326,
+			   11152271, -15432916, -15266516,  27000813, -10195553 }
+		},
+		{
+			{ -15157904,   7134312,   8639287,  -2814877,  -7235688,
+			   10421742,    564065,   5336097,   6750977, -14521026 },
+			{  11836410,  -3979488,  26297894,  16080799,  23455045,
+			   15735944,   1695823,  -8819122,   8169720,  16220347 },
+			{ -18115838,   8653647,  17578566,  -6092619,  -8025777,
+			  -16012763, -11144307,  -2627664,  -5990708, -14166033 }
+		},
+		{
+			{ -23308498, -10968312,  15213228, -10081214, -30853605,
+			  -11050004,  27884329,   2847284,   2655861,   1738395 },
+			{ -27537433, -14253021, -25336301,  -8002780,  -9370762,
+			    8129821,  21651608,  -3239336, -19087449, -11005278 },
+			{   1533110,   3437855,  23735889,    459276,  29970501,
+			   11335377,  26030092,   5821408,  10478196,   8544890 }
+		},
+		{
+			{  32173121, -16129311,  24896207,   3921497,  22579056,
+			   -3410854,  19270449,  12217473,  17789017,  -3395995 },
+			{ -30552961,  -2228401, -15578829, -10147201,  13243889,
+			     517024,  15479401,  -3853233,  30460520,   1052596 },
+			{ -11614875,  13323618,  32618793,   8175907, -15230173,
+			   12596687,  27491595,  -4612359,   3179268,  -9478891 }
+		},
+		{
+			{  31947069, -14366651,  -4640583, -15339921, -15125977,
+			   -6039709, -14756777, -16411740,  19072640,  -9511060 },
+			{  11685058,  11822410,   3158003, -13952594,  33402194,
+			   -4165066,   5977896,  -5215017,    473099,   5040608 },
+			{ -20290863,   8198642, -27410132,  11602123,   1290375,
+			   -2799760,  28326862,   1721092, -19558642,  -3131606 }
+		}
+	},
+	{
+		{
+			{   7881532,  10687937,   7578723,   7738378, -18951012,
+			   -2553952,  21820786,   8076149, -27868496,  11538389 },
+			{ -19935666,   3899861,  18283497,  -6801568, -15728660,
+			  -11249211,   8754525,   7446702,  -5676054,   5797016 },
+			{ -11295600,  -3793569, -15782110,  -7964573,  12708869,
+			   -8456199,   2014099,  -9050574,  -2369172,  -5877341 }
+		},
+		{
+			{ -22472376, -11568741, -27682020,   1146375,  18956691,
+			   16640559,   1192730,  -3714199,  15123619,  10811505 },
+			{  14352098,  -3419715, -18942044,  10822655,  32750596,
+			    4699007,    -70363,  15776356, -28886779, -11974553 },
+			{ -28241164,  -8072475,  -4978962,  -5315317,  29416931,
+			    1847569, -20654173, -16484855,   4714547,  -9600655 }
+		},
+		{
+			{  15200332,   8368572,  19679101,  15970074, -31872674,
+			    1959451,  24611599,  -4543832, -11745876,  12340220 },
+			{  12876937, -10480056,  33134381,   6590940,  -6307776,
+			   14872440,   9613953,   8241152,  15370987,   9608631 },
+			{  -4143277, -12014408,   8446281,   -391603,   4407738,
+			   13629032,  -7724868,  15866074, -28210621,  -8814099 }
+		},
+		{
+			{  26660628, -15677655,   8393734,    358047,  -7401291,
+			     992988, -23904233,    858697,  20571223,   8420556 },
+			{  14620715,  13067227, -15447274,   8264467,  14106269,
+			   15080814,  33531827,  12516406, -21574435, -12476749 },
+			{    236881,  10476226,     57258, -14677024,   6472998,
+			    2466984,  17258519,   7256740,   8791136,  15069930 }
+		},
+		{
+			{   1276410,  -9371918,  22949635, -16322807, -23493039,
+			   -5702186,  14711875,   4874229, -30663140,  -2331391 },
+			{   5855666,   4990204, -13711848,   7294284,  -7804282,
+			    1924647,  -1423175,  -7912378, -33069337,   9234253 },
+			{  20590503,  -9018988,  31529744,  -7352666,  -2706834,
+			   10650548,  31559055, -11609587,  18979186,  13396066 }
+		},
+		{
+			{  24474287,   4968103,  22267082,   4407354,  24063882,
+			   -8325180, -18816887,  13594782,  33514650,   7021958 },
+			{ -11566906,  -6565505, -21365085,  15928892, -26158305,
+			    4315421, -25948728,  -3916677, -21480480,  12868082 },
+			{ -28635013,  13504661,  19988037,  -2132761,  21078225,
+			    6443208, -21446107,   2244500, -12455797,  -8089383 }
+		},
+		{
+			{ -30595528,  13793479,  -5852820,    319136, -25723172,
+			   -6263899,  33086546,   8957937, -15233648,   5540521 },
+			{ -11630176, -11503902,  -8119500,  -7643073,   2620056,
+			    1022908, -23710744,  -1568984, -16128528, -14962807 },
+			{  23152971,    775386,  27395463,  14006635,  -9701118,
+			    4649512,   1689819,    892185, -11513277, -15205948 }
+		},
+		{
+			{   9770129,   9586738,  26496094,   4324120,   1556511,
+			   -3550024,  27453819,   4763127, -19179614,   5867134 },
+			{ -32765025,   1927590,  31726409,  -4753295,  23962434,
+			  -16019500,  27846559,   5931263, -29749703, -16108455 },
+			{  27461885,  -2977536,  22380810,   1815854, -23033753,
+			   -3031938,   7283490, -15148073, -19526700,   7734629 }
+		}
+	},
+	{
+		{
+			{  -8010264,  -9590817, -11120403,   6196038,  29344158,
+			  -13430885,   7585295,  -3176626,  18549497,  15302069 },
+			{ -32658337,  -6171222,  -7672793, -11051681,   6258878,
+			   13504381,  10458790,  -6418461,  -8872242,   8424746 },
+			{  24687205,   8613276, -30667046,  -3233545,   1863892,
+			   -1830544,  19206234,   7134917, -11284482,   -828919 }
+		},
+		{
+			{  11334899,  -9218022,   8025293,  12707519,  17523892,
+			  -10476071,  10243738, -14685461,  -5066034,  16498837 },
+			{   8911542,   6887158,  -9584260,  -6958590,  11145641,
+			   -9543680,  17303925, -14124238,   6536641,  10543906 },
+			{ -28946384,  15479763, -17466835,    568876,  -1497683,
+			   11223454,  -2669190, -16625574, -27235709,   8876771 }
+		},
+		{
+			{ -25742899, -12566864, -15649966,   -846607, -33026686,
+			    -796288, -33481822,  15824474,   -604426,  -9039817 },
+			{  10330056,     70051,   7957388,  -9002667,   9764902,
+			   15609756,  27698697,  -4890037,   1657394,   3084098 },
+			{  10477963,  -7470260,  12119566, -13250805,  29016247,
+			   -5365589,  31280319,  14396151, -30233575,  15272409 }
+		},
+		{
+			{ -12288309,   3169463,  28813183,  16658753,  25116432,
+			   -5630466, -25173957, -12636138, -25014757,   1950504 },
+			{ -26180358,   9489187,  11053416, -14746161, -31053720,
+			    5825630,  -8384306,  -8767532,  15341279,   8373727 },
+			{  28685821,   7759505, -14378516, -12002860, -31971820,
+			    4079242,    298136, -10232602,  -2878207,  15190420 }
+		},
+		{
+			{ -32932876,  13806336, -14337485, -15794431, -24004620,
+			   10940928,   8669718,   2742393, -26033313,  -6875003 },
+			{  -1580388, -11729417, -25979658, -11445023, -17411874,
+			  -10912854,   9291594, -16247779, -12154742,   6048605 },
+			{ -30305315,  14843444,   1539301,  11864366,  20201677,
+			    1900163,  13934231,   5128323,  11213262,   9168384 }
+		},
+		{
+			{ -26280513,  11007847,  19408960,   -940758, -18592965,
+			   -4328580,  -5088060, -11105150,  20470157, -16398701 },
+			{ -23136053,   9282192,  14855179, -15390078,  -7362815,
+			  -14408560, -22783952,  14461608,  14042978,   5230683 },
+			{  29969567,  -2741594, -16711867,  -8552442,   9175486,
+			   -2468974,  21556951,   3506042,  -5933891, -12449708 }
+		},
+		{
+			{  -3144746,   8744661,  19704003,   4581278, -20430686,
+			    6830683, -21284170,   8971513, -28539189,  15326563 },
+			{ -19464629,  10110288, -17262528,  -3503892, -23500387,
+			    1355669, -15523050,  15300988, -20514118,   9168260 },
+			{  -5353335,   4488613, -23803248,  16314347,   7780487,
+			  -15638939, -28948358,   9601605,  33087103,  -9011387 }
+		},
+		{
+			{ -19443170, -15512900, -20797467, -12445323, -29824447,
+			   10229461, -27444329, -15000531,  -5996870,  15664672 },
+			{  23294591, -16632613, -22650781,  -8470978,  27844204,
+			   11461195,  13099750,  -2460356,  18151676,  13417686 },
+			{ -24722913,  -4176517, -31150679,   5988919, -26858785,
+			    6685065,   1661597, -12551441,  15271676, -15452665 }
+		}
+	},
+	{
+		{
+			{  11433042, -13228665,   8239631,  -5279517,  -1985436,
+			    -725718, -18698764,   2167544,  -6921301, -13440182 },
+			{ -31436171,  15575146,  30436815,  12192228, -22463353,
+			    9395379,  -9917708,  -8638997,  12215110,  12028277 },
+			{  14098400,   6555944,  23007258,   5757252, -15427832,
+			  -12950502,  30123440,   4617780, -16900089,   -655628 }
+		},
+		{
+			{  -4026201, -15240835,  11893168,  13718664, -14809462,
+			    1847385, -15819999,  10154009,  23973261, -12684474 },
+			{ -26531820,  -3695990,  -1908898,   2534301, -31870557,
+			  -16550355,  18341390, -11419951,  32013174, -10103539 },
+			{ -25479301,  10876443, -11771086, -14625140, -12369567,
+			    1838104,  21911214,   6354752,   4425632,   -837822 }
+		},
+		{
+			{ -10433389, -14612966,  22229858,  -3091047, -13191166,
+			     776729, -17415375, -12020462,   4725005,  14044970 },
+			{  19268650,  -7304421,   1555349,   8692754, -21474059,
+			   -9910664,   6347390,  -1411784, -19522291, -16109756 },
+			{ -24864089,  12986008, -10898878,  -5558584, -11312371,
+			    -148526,  19541418,   8180106,   9282262,  10282508 }
+		},
+		{
+			{ -26205082,   4428547,  -8661196, -13194263,   4098402,
+			  -14165257,  15522535,   8372215,   5542595, -10702683 },
+			{ -10562541,  14895633,  26814552, -16673850, -17480754,
+			   -2489360,  -2781891,   6993761, -18093885,  10114655 },
+			{ -20107055,   -929418,  31422704,  10427861,  -7110749,
+			    6150669, -29091755, -11529146,  25953725,   -106158 }
+		},
+		{
+			{  -4234397,  -8039292,  -9119125,   3046000,   2101609,
+			  -12607294,  19390020,   6094296,  -3315279,  12831125 },
+			{ -15998678,   7578152,   5310217,  14408357, -33548620,
+			    -224739,  31575954,   6326196,   7381791,  -2421839 },
+			{ -20902779,   3296811,  24736065, -16328389,  18374254,
+			    7318640,   6295303,   8082724, -15362489,  12339664 }
+		},
+		{
+			{  27724736,   2291157,   6088201, -14184798,   1792727,
+			    5857634,  13848414,  15768922,  25091167,  14856294 },
+			{ -18866652,   8331043,  24373479,   8541013,   -701998,
+			   -9269457,  12927300, -12695493, -22182473,  -9012899 },
+			{ -11423429,  -5421590,  11632845,   3405020,  30536730,
+			  -11674039, -27260765,  13866390,  30146206,   9142070 }
+		},
+		{
+			{   3924129, -15307516, -13817122, -10054960,  12291820,
+			    -668366, -27702774,   9326384,  -8237858,   4171294 },
+			{ -15921940,  16037937,   6713787,  16606682, -21612135,
+			    2790944,  26396185,   3731949,    345228,  -5462949 },
+			{ -21327538,  13448259,  25284571,   1143661,  20614966,
+			   -8849387,   2031539, -12391231, -16253183, -13582083 }
+		},
+		{
+			{  31016211, -16722429,  26371392, -14451233,  -5027349,
+			   14854137,  17477601,   3842657,  28012650, -16405420 },
+			{  -5075835,   9368966,  -8562079,  -4600902, -15249953,
+			    6970560,  -9189873,  16292057,  -8867157,   3507940 },
+			{  29439664,   3537914,  23333589,   6997794, -17555561,
+			  -11018068, -15209202, -15051267,  -9164929,   6580396 }
+		}
+	},
+	{
+		{
+			{ -12185861,  -7679788,  16438269,  10826160,  -8696817,
+			   -6235611,  17860444,  -9273846,  -2095802,   9304567 },
+			{  20714564,  -4336911,  29088195,   7406487,  11426967,
+			   -5095705,  14792667, -14608617,   5289421,   -477127 },
+			{ -16665533, -10650790,  -6160345, -13305760,   9192020,
+			   -1802462,  17271490,  12349094,  26939669,  -3752294 }
+		},
+		{
+			{ -12889898,   9373458,  31595848,  16374215,  21471720,
+			   13221525, -27283495, -12348559,  -3698806,    117887 },
+			{  22263325,  -6560050,   3984570, -11174646, -15114008,
+			    -566785,  28311253,   5358056, -23319780,    541964 },
+			{  16259219,   3261970,   2309254, -15534474, -16885711,
+			   -4581916,  24134070, -16705829, -13337066, -13552195 }
+		},
+		{
+			{   9378160, -13140186, -22845982, -12745264,  28198281,
+			   -7244098,  -2399684,   -717351,    690426,  14876244 },
+			{  24977353,   -314384,  -8223969, -13465086,  28432343,
+			   -1176353, -13068804, -12297348, -22380984,   6618999 },
+			{  -1538174,  11685646,  12944378,  13682314, -24389511,
+			  -14413193,   8044829, -13817328,  32239829,  -5652762 }
+		},
+		{
+			{ -18603066,   4762990,   -926250,   8885304, -28412480,
+			   -3187315,   9781647, -10350059,  32779359,   5095274 },
+			{ -33008130,  -5214506, -32264887,  -3685216,   9460461,
+			   -9327423, -24601656,  14506724,  21639561,  -2630236 },
+			{ -16400943, -13112215,  25239338,  15531969,   3987758,
+			   -4499318,  -1289502,  -6863535,  17874574,    558605 }
+		},
+		{
+			{ -13600129,  10240081,   9171883,  16131053, -20869254,
+			    9599700,  33499487,   5080151,   2085892,   5119761 },
+			{ -22205145,  -2519528, -16381601,    414691, -25019550,
+			    2170430,  30634760,  -8363614, -31999993,  -5759884 },
+			{  -6845704,  15791202,   8550074,  -1312654,  29928809,
+			  -12092256,  27534430,  -7192145, -22351378,  12961482 }
+		},
+		{
+			{ -24492060,  -9570771,  10368194,  11582341, -23397293,
+			   -2245287,  16533930,   8206996, -30194652,  -5159638 },
+			{ -11121496,  -3382234,   2307366,   6362031,   -135455,
+			    8868177, -16835630,   7031275,   7589640,   8945490 },
+			{ -32152748,   8917967,   6661220, -11677616,  -1192060,
+			  -15793393,   7251489, -11182180,  24099109, -14456170 }
+		},
+		{
+			{   5019558,  -7907470,   4244127, -14714356, -26933272,
+			    6453165, -19118182, -13289025,  -6231896, -10280736 },
+			{  10853594,  10721687,  26480089,   5861829, -22995819,
+			    1972175,  -1866647, -10557898,  -3363451,  -6441124 },
+			{ -17002408,   5906790,    221599,  -6563147,   7828208,
+			  -13248918,  24362661,  -2008168, -13866408,   7421392 }
+		},
+		{
+			{   8139927,  -6546497,  32257646,  -5890546,  30375719,
+			    1886181, -21175108,  15441252,  28826358,  -4123029 },
+			{   6267086,   9695052,   7709135, -16603597, -32869068,
+			   -1886135,  14795160,  -7840124,  13746021,  -1742048 },
+			{  28584902,   7787108,  -6732942, -15050729,  22846041,
+			   -7571236,  -3181936,   -363524,   4771362,  -8419958 }
+		}
+	},
+	{
+		{
+			{  24949256,   6376279, -27466481,  -8174608, -18646154,
+			   -9930606,  33543569, -12141695,   3569627,  11342593 },
+			{  26514989,   4740088,  27912651,   3697550,  19331575,
+			  -11472339,   6809886,   4608608,   7325975, -14801071 },
+			{ -11618399, -14554430, -24321212,   7655128,  -1369274,
+			    5214312, -27400540,  10258390, -17646694,  -8186692 }
+		},
+		{
+			{  11431204,  15823007,  26570245,  14329124,  18029990,
+			    4796082, -31446179,  15580664,   9280358,  -3973687 },
+			{   -160783, -10326257, -22855316,  -4304997, -20861367,
+			  -13621002, -32810901, -11181622, -15545091,   4387441 },
+			{ -20799378,  12194512,   3937617,  -5805892, -27154820,
+			    9340370, -24513992,   8548137,  20617071,  -7482001 }
+		},
+		{
+			{   -938825,  -3930586,  -8714311,  16124718,  24603125,
+			   -6225393, -13775352, -11875822,  24345683,  10325460 },
+			{ -19855277,  -1568885, -22202708,   8714034,  14007766,
+			    6928528,  16318175,  -1010689,   4766743,   3552007 },
+			{ -21751364, -16730916,   1351763,   -803421,  -4009670,
+			    3950935,   3217514,  14481909,  10988822,  -3994762 }
+		},
+		{
+			{  15564307, -14311570,   3101243,   5684148,  30446780,
+			   -8051356,  12677127,  -6505343,  -8295852,  13296005 },
+			{  -9442290,   6624296, -30298964, -11913677,  -4670981,
+			   -2057379,  31521204,   9614054, -30000824,  12074674 },
+			{   4771191,   -135239,  14290749, -13089852,  27992298,
+			   14998318,  -1413936,  -1556716,  29832613, -16391035 }
+		},
+		{
+			{   7064884,  -7541174, -19161962,  -5067537, -18891269,
+			   -2912736,  25825242,   5293297, -27122660,  13101590 },
+			{  -2298563,   2439670,  -7466610,   1719965, -27267541,
+			  -16328445,  32512469,  -5317593, -30356070,  -4190957 },
+			{ -30006540,  10162316, -33180176,   3981723, -16482138,
+			  -13070044,  14413974,   9515896,  19568978,   9628812 }
+		},
+		{
+			{  33053803,    199357,  15894591,   1583059,  27380243,
+			   -4580435, -17838894,  -6106839,  -6291786,   3437740 },
+			{ -18978877,   3884493,  19469877,  12726490,  15913552,
+			   13614290, -22961733,     70104,   7463304,   4176122 },
+			{ -27124001,  10659917,  11482427, -16070381,  12771467,
+			   -6635117, -32719404,  -5322751,  24216882,   5944158 }
+		},
+		{
+			{   8894125,   7450974,  -2664149,  -9765752, -28080517,
+			  -12389115,  19345746,  14680796,  11632993,   5847885 },
+			{  26942781,  -2315317,   9129564,  -4906607,  26024105,
+			   11769399, -11518837,   6367194,  -9727230,   4782140 },
+			{  19916461,  -4828410, -22910704, -11414391,  25606324,
+			   -5972441,  33253853,   8220911,   6358847,  -1873857 }
+		},
+		{
+			{    801428,  -2081702,  16569428,  11065167,  29875704,
+			      96627,   7908388,  -4480480, -13538503,   1387155 },
+			{  19646058,   5720633, -11416706,  12814209,  11607948,
+			   12749789,  14147075,  15156355, -21866831,  11835260 },
+			{  19299512,   1155910,  28703737,  14890794,   2925026,
+			    7269399,  26121523,  15467869, -26560550,   5052483 }
+		}
+	},
+	{
+		{
+			{  -3017432,  10058206,   1980837,   3964243,  22160966,
+			   12322533,  -6431123, -12618185,  12228557,  -7003677 },
+			{  32944382,  14922211, -22844894,   5188528,  21913450,
+			   -8719943,   4001465,  13238564,  -6114803,   8653815 },
+			{  22865569,  -4652735,  27603668, -12545395,  14348958,
+			    8234005,  24808405,   5719875,  28483275,   2841751 }
+		},
+		{
+			{ -16420968,  -1113305,   -327719, -12107856,  21886282,
+			  -15552774,  -1887966,   -315658,  19932058, -12739203 },
+			{ -11656086,  10087521,  -8864888,  -5536143, -19278573,
+			   -3055912,   3999228,  13239134,  -4777469, -13910208 },
+			{   1382174, -11694719,  17266790,   9194690, -13324356,
+			    9720081,  20403944,  11284705, -14013818,   3093230 }
+		},
+		{
+			{  16650921, -11037932,  -1064178,   1570629,  -8329746,
+			    7352753,   -302424,  16271225, -24049421,  -6691850 },
+			{ -21911077,  -5927941,  -4611316,  -5560156, -31744103,
+			  -10785293,  24123614,  15193618, -21652117, -16739389 },
+			{  -9935934,  -4289447, -25279823,   4372842,   2087473,
+			   10399484,  31870908,  14690798,  17361620,  11864968 }
+		},
+		{
+			{ -11307610,   6210372,  13206574,   5806320, -29017692,
+			  -13967200, -12331205,  -7486601, -25578460, -16240689 },
+			{  14668462, -12270235,  26039039,  15305210,  25515617,
+			    4542480,  10453892,   6577524,   9145645,  -6443880 },
+			{   5974874,   3053895,  -9433049, -10385191, -31865124,
+			    3225009,  -7972642,   3936128,  -5652273,  -3050304 }
+		},
+		{
+			{  30625386,  -4729400, -25555961, -12792866, -20484575,
+			    7695099,  17097188, -16303496, -27999779,   1803632 },
+			{  -3553091,   9865099,  -5228566,   4272701,  -5673832,
+			  -16689700,  14911344,  12196514, -21405489,   7047412 },
+			{  20093277,   9920966, -11138194,  -5343857,  13161587,
+			   12044805, -32856851,   4124601, -32343828, -10257566 }
+		},
+		{
+			{ -20788824,  14084654, -13531713,   7842147,  19119038,
+			  -13822605,   4752377,  -8714640, -21679658,   2288038 },
+			{ -26819236,  -3283715,  29965059,   3039786, -14473765,
+			    2540457,  29457502,  14625692, -24819617,  12570232 },
+			{  -1063558, -11551823,  16920318,  12494842,   1278292,
+			   -5869109, -21159943,  -3498680, -11974704,   4724943 }
+		},
+		{
+			{  17960970, -11775534,  -4140968,  -9702530,  -8876562,
+			   -1410617, -12907383,  -8659932, -29576300,   1903856 },
+			{  23134274, -14279132, -10681997,  -1611936,  20684485,
+			   15770816, -12989750,   3190296,  26955097,  14109738 },
+			{  15308788,   5320727, -30113809, -14318877,  22902008,
+			    7767164,  29425325, -11277562,  31960942,  11934971 }
+		},
+		{
+			{ -27395711,   8435796,   4109644,  12222639, -24627868,
+			   14818669,  20638173,   4875028,  10491392,   1379718 },
+			{ -13159415,   9197841,   3875503,  -8936108,  -1383712,
+			   -5879801,  33518459,  16176658,  21432314,  12180697 },
+			{ -11787308,  11500838,  13787581, -13832590, -22430679,
+			   10140205,   1465425,  12689540, -10301319, -13872883 }
+		}
+	},
+	{
+		{
+			{   5414091, -15386041, -21007664,   9643570,  12834970,
+			    1186149,  -2622916,  -1342231,  26128231,   6032912 },
+			{ -26337395, -13766162,  32496025, -13653919,  17847801,
+			  -12669156,   3604025,   8316894, -25875034, -10437358 },
+			{   3296484,   6223048,  24680646, -12246460, -23052020,
+			    5903205,  -8862297,  -4639164,  12376617,   3188849 }
+		},
+		{
+			{  29190488, -14659046,  27549113,  -1183516,   3520066,
+			  -10697301,  32049515,  -7309113, -16109234,  -9852307 },
+			{ -14744486,  -9309156,    735818,   -598978, -20407687,
+			   -5057904,  25246078, -15795669,  18640741,   -960977 },
+			{  -6928835, -16430795,  10361374,   5642961,   4910474,
+			   12345252, -31638386,   -494430,  10530747,   1053335 }
+		},
+		{
+			{ -29265967, -14186805, -13538216, -12117373, -19457059,
+			  -10655384, -31462369,  -2948985,  24018831,  15026644 },
+			{ -22592535,  -3145277,  -2289276,   5953843, -13440189,
+			    9425631,  25310643,  13003497,  -2314791, -15145616 },
+			{ -27419985,   -603321,  -8043984,  -1669117, -26092265,
+			   13987819, -27297622,    187899, -23166419,  -2531735 }
+		},
+		{
+			{ -21744398, -13810475,   1844840,   5021428, -10434399,
+			  -15911473,   9716667,  16266922,  -5070217,    726099 },
+			{  29370922,  -6053998,   7334071, -15342259,   9385287,
+			    2247707, -13661962,  -4839461,  30007388, -15823341 },
+			{   -936379,  16086691,  23751945,   -543318,  -1167538,
+			   -5189036,   9137109,    730663,   9835848,   4555336 }
+		},
+		{
+			{ -23376435,   1410446, -22253753, -12899614,  30867635,
+			   15826977,  17693930,    544696, -11985298,  12422646 },
+			{  31117226, -12215734, -13502838,   6561947,  -9876867,
+			  -12757670,  -5118685,  -4096706,  29120153,  13924425 },
+			{ -17400879, -14233209,  19675799,  -2734756, -11006962,
+			   -5858820,  -9383939, -11317700,   7240931,   -237388 }
+		},
+		{
+			{ -31361739, -11346780, -15007447,  -5856218, -22453340,
+			  -12152771,   1222336,   4389483,   3293637, -15551743 },
+			{ -16684801, -14444245,  11038544,  11054958, -13801175,
+			   -3338533, -24319580,   7733547,  12796905,  -6335822 },
+			{  -8759414, -10817836, -25418864,  10783769, -30615557,
+			   -9746811, -28253339,   3647836,   3222231, -11160462 }
+		},
+		{
+			{  18606113,   1693100, -25448386, -15170272,   4112353,
+			   10045021,  23603893,  -2048234,  -7550776,   2484985 },
+			{   9255317,  -3131197, -12156162,  -1004256,  13098013,
+			   -9214866,  16377220,  -2102812, -19802075,  -3034702 },
+			{ -22729289,   7496160,  -5742199,  11329249,  19991973,
+			   -3347502, -31718148,   9936966, -30097688, -10618797 }
+		},
+		{
+			{  21878590,  -5001297,   4338336,  13643897,  -3036865,
+			   13160960,  19708896,   5415497,  -7360503,  -4109293 },
+			{  27736861,  10103576,  12500508,   8502413,  -3413016,
+			   -9633558,  10436918,  -1550276, -23659143,  -8132100 },
+			{  19492550, -12104365, -29681976,   -852630,  -3208171,
+			   12403437,  30066266,   8367329,  13243957,   8709688 }
+		}
+	},
+	{
+		{
+			{  12015105,   2801261,  28198131,  10151021,  24818120,
+			   -4743133, -11194191,  -5645734,   5150968,   7274186 },
+			{   2831366, -12492146,   1478975,   6122054,  23825128,
+			  -12733586,  31097299,   6083058,  31021603,  -9793610 },
+			{  -2529932,  -2229646,    445613,  10720828, -13849527,
+			  -11505937, -23507731,  16354465,  15067285, -14147707 }
+		},
+		{
+			{   7840942,  14037873, -33364863,  15934016,   -728213,
+			   -3642706,  21403988,   1057586, -19379462, -12403220 },
+			{    915865, -16469274,  15608285,  -8789130, -24357026,
+			    6060030, -17371319,   8410997,  -7220461,  16527025 },
+			{  32922597,   -556987,  20336074, -16184568,  10903705,
+			   -5384487,  16957574,     52992,  23834301,   6588044 }
+		},
+		{
+			{  32752030,  11232950,   3381995,  -8714866,  22652988,
+			  -10744103,  17159699,  16689107, -20314580,  -1305992 },
+			{  -4689649,   9166776, -25710296, -10847306,  11576752,
+			   12733943,   7924251,  -2752281,   1976123,  -7249027 },
+			{  21251222,  16309901,  -2983015,  -6783122,  30810597,
+			   12967303,    156041,  -3371252,  12331345,  -8237197 }
+		},
+		{
+			{   8651614,  -4477032, -16085636,  -4996994,  13002507,
+			    2950805,  29054427,  -5106970,  10008136,  -4667901 },
+			{  31486080,  15114593, -14261250,  12951354,  14369431,
+			   -7387845,  16347321, -13662089,   8684155, -10532952 },
+			{  19443825,  11385320,  24468943,  -9659068, -23919258,
+			    2187569, -26263207,  -6086921,  31316348,  14219878 }
+		},
+		{
+			{ -28594490,   1193785,  32245219,  11392485,  31092169,
+			   15722801,  27146014,   6992409,  29126555,   9207390 },
+			{  32382935,   1110093,  18477781,  11028262, -27411763,
+			   -7548111,  -4980517,  10843782,  -7957600, -14435730 },
+			{   2814918,   7836403,  27519878,  -7868156, -20894015,
+			  -11553689, -21494559,   8550130,  28346258,   1994730 }
+		},
+		{
+			{ -19578299,   8085545, -14000519,  -3948622,   2785838,
+			  -16231307, -19516951,   7174894,  22628102,   8115180 },
+			{ -30405132,    955511, -11133838, -15078069, -32447087,
+			  -13278079, -25651578,   3317160,  -9943017,    930272 },
+			{ -15303681,  -6833769,  28856490,   1357446,  23421993,
+			    1057177,  24091212,  -1388970, -22765376, -10650715 }
+		},
+		{
+			{ -22751231,  -5303997, -12907607, -12768866, -15811511,
+			   -7797053, -14839018, -16554220,  -1867018,   8398970 },
+			{ -31969310,   2106403,  -4736360,   1362501,  12813763,
+			   16200670,  22981545,  -6291273,  18009408, -15772772 },
+			{ -17220923,  -9545221, -27784654,  14166835,  29815394,
+			    7444469,  29551787,  -3727419,  19288549,   1325865 }
+		},
+		{
+			{  15100157, -15835752, -23923978,  -1005098, -26450192,
+			   15509408,  12376730,  -3479146,  33166107,  -8042750 },
+			{  20909231,  13023121,  -9209752,  16251778,  -5778415,
+			   -8094914,  12412151,  10018715,   2213263, -13878373 },
+			{  32529814, -11074689,  30361439, -16689753,  -9135940,
+			    1513226,  22922121,   6382134,  -5766928,   8371348 }
+		}
+	},
+	{
+		{
+			{   9923462,  11271500,  12616794,   3544722, -29998368,
+			   -1721626,  12891687,  -8193132, -26442943,  10486144 },
+			{ -22597207,  -7012665,   8587003,  -8257861,   4084309,
+			  -12970062,    361726,   2610596, -23921530, -11455195 },
+			{   5408411,  -1136691,  -4969122,  10561668,  24145918,
+			   14240566,  31319731,  -4235541,  19985175,  -3436086 }
+		},
+		{
+			{ -13994457,  16616821,  14549246,   3341099,  32155958,
+			   13648976, -17577068,   8849297,     65030,   8370684 },
+			{  -8320926, -12049626,  31204563,   5839400, -20627288,
+			   -1057277, -19442942,   6922164,  12743482,  -9800518 },
+			{  -2361371,  12678785,  28815050,   4759974, -23893047,
+			    4884717,  23783145,  11038569,  18800704,    255233 }
+		},
+		{
+			{  -5269658,  -1773886,  13957886,   7990715,  23132995,
+			     728773,  13393847,   9066957,  19258688, -14753793 },
+			{  -2936654, -10827535, -10432089,  14516793,  -3640786,
+			    4372541, -31934921,   2209390,  -1524053,   2055794 },
+			{    580882,  16705327,   5468415,  -2683018, -30926419,
+			  -14696000,  -7203346,  -8994389, -30021019,   7394435 }
+		},
+		{
+			{  23838809,   1822728, -15738443,  15242727,   8318092,
+			   -3733104, -21672180,  -3492205,  -4821741,  14799921 },
+			{  13345610,   9759151,   3371034, -16137791,  16353039,
+			    8577942,  31129804,  13496856,  -9056018,   7402518 },
+			{   2286874,  -4435931, -20042458,  -2008336, -13696227,
+			    5038122,  11006906, -15760352,   8205061,   1607563 }
+		},
+		{
+			{  14414086,  -8002132,   3331830,  -3208217,  22249151,
+			   -5594188,  18364661,  -2906958,  30019587,  -9029278 },
+			{ -27688051,   1585953, -10775053,    931069, -29120221,
+			  -11002319, -14410829,  12029093,   9944378,      8024 },
+			{   4368715,  -3709630,  29874200, -15022983, -20230386,
+			  -11410704, -16114594,   -999085,  -8142388,   5640030 }
+		},
+		{
+			{  10299610,  13746483,  11661824,  16234854,   7630238,
+			    5998374,   9809887, -16694564,  15219798, -14327783 },
+			{  27425505,  -5719081,   3055006,  10660664,  23458024,
+			     595578, -15398605,  -1173195, -18342183,   9742717 },
+			{   6744077,   2427284,  26042789,   2720740,   -847906,
+			    1118974,  32324614,   7406442,  12420155,   1994844 }
+		},
+		{
+			{  14012521,  -5024720, -18384453,  -9578469, -26485342,
+			   -3936439, -13033478, -10909803,  24319929,  -6446333 },
+			{  16412690,  -4507367,  10772641,  15929391, -17068788,
+			   -4658621,  10555945, -10484049, -30102368,  -4739048 },
+			{  22397382,  -7767684,  -9293161, -12792868,  17166287,
+			   -9755136, -27333065,   6199366,  21880021, -12250760 }
+		},
+		{
+			{  -4283307,   5368523, -31117018,   8163389, -30323063,
+			    3209128,  16557151,   8890729,   8840445,   4957760 },
+			{ -15447727,    709327,  -6919446, -10870178, -29777922,
+			    6522332, -21720181,  12130072, -14796503,   5005757 },
+			{  -2114751, -14308128,  23019042,  15765735, -25269683,
+			    6002752,  10183197, -13239326, -16395286,  -2176112 }
+		}
+	},
+	{
+		{
+			{ -19025756,   1632005,  13466291,  -7995100, -23640451,
+			   16573537, -32013908,  -3057104,  22208662,   2000468 },
+			{   3065073,  -1412761, -25598674,   -361432, -17683065,
+			   -5703415,  -8164212,  11248527,  -3691214,  -7414184 },
+			{  10379208,  -6045554,   8877319,   1473647, -29291284,
+			  -12507580,  16690915,   2553332,  -3132688,  16400289 }
+		},
+		{
+			{  15716668,   1254266, -18472690,   7446274,  -8448918,
+			    6344164, -22097271,  -7285580,  26894937,   9132066 },
+			{  24158887,  12938817,  11085297,  -8177598, -28063478,
+			   -4457083, -30576463,     64452,  -6817084,  -2692882 },
+			{  13488534,   7794716,  22236231,   5989356,  25426474,
+			  -12578208,   2350710,  -3418511,  -4688006,   2364226 }
+		},
+		{
+			{  16335052,   9132434,  25640582,   6678888,   1725628,
+			    8517937, -11807024, -11697457,  15445875,  -7798101 },
+			{  29004207,  -7867081,  28661402,   -640412, -12794003,
+			   -7943086,  31863255,  -4135540,   -278050, -15759279 },
+			{  -6122061, -14866665, -28614905,  14569919, -10857999,
+			   -3591829,  10343412,  -6976290, -29828287, -10815811 }
+		},
+		{
+			{  27081650,   3463984,  14099042,  -4517604,   1616303,
+			   -6205604,  29542636,  15372179,  17293797,    960709 },
+			{  20263915,  11434237,  -5765435,  11236810,  13505955,
+			  -10857102, -16111345,   6493122, -19384511,   7639714 },
+			{  -2830798, -14839232,  25403038,  -8215196,  -8317012,
+			  -16173699,  18006287, -16043750,  29994677, -15808121 }
+		},
+		{
+			{   9769828,   5202651, -24157398, -13631392, -28051003,
+			  -11561624, -24613141, -13860782, -31184575,    709464 },
+			{  12286395,  13076066, -21775189,  -1176622, -25003198,
+			    4057652, -32018128,  -8890874,  16102007,  13205847 },
+			{  13733362,   5599946,  10557076,   3195751,  -5557991,
+			    8536970, -25540170,   8525972,  10151379,  10394400 }
+		},
+		{
+			{   4024660, -16137551,  22436262,  12276534,  -9099015,
+			   -2686099,  19698229,  11743039, -33302334,   8934414 },
+			{ -15879800,  -4525240,  -8580747,  -2934061,  14634845,
+			    -698278,  -9449077,   3137094, -11536886,  11721158 },
+			{  17555939,  -5013938,   8268606,   2331751, -22738815,
+			    9761013,   9319229,   8835153,  -9205489,  -1280045 }
+		},
+		{
+			{   -461409,  -7830014,  20614118,  16688288,  -7514766,
+			   -4807119,  22300304,    505429,   6108462,  -6183415 },
+			{  -5070281,  12367917, -30663534,   3234473,  32617080,
+			   -8422642,  29880583, -13483331, -26898490,  -7867459 },
+			{ -31975283,   5726539,  26934134,  10237677,  -3173717,
+			    -605053,  24199304,   3795095,   7592688, -14992079 }
+		},
+		{
+			{  21594432, -14964228,  17466408,  -4077222,  32537084,
+			    2739898,   6407723,  12018833, -28256052,   4298412 },
+			{ -20650503, -11961496, -27236275,    570498,   3767144,
+			   -1717540,  13891942,  -1569194,  13717174,  10805743 },
+			{ -14676630, -15644296,  15287174,  11927123,  24177847,
+			   -8175568,   -796431,  14860609, -26938930,  -5863836 }
+		}
+	},
+	{
+		{
+			{  12962541,   5311799, -10060768,  11658280,  18855286,
+			   -7954201,  13286263, -12808704,  -4381056,   9882022 },
+			{  18512079,  11319350, -20123124,  15090309,  18818594,
+			    5271736, -22727904,   3666879, -23967430,  -3299429 },
+			{  -6789020,  -3146043,  16192429,  13241070,  15898607,
+			  -14206114, -10084880,  -6661110,  -2403099,   5276065 }
+		},
+		{
+			{  30169808,  -5317648,  26306206, -11750859,  27814964,
+			    7069267,   7152851,   3684982,   1449224,  13082861 },
+			{  10342826,   3098505,   2119311,    193222,  25702612,
+			   12233820,  23697382,  15056736, -21016438,  -8202000 },
+			{ -33150110,   3261608,  22745853,   7948688,  19370557,
+			  -15177665, -26171976,   6482814, -10300080, -11060101 }
+		},
+		{
+			{  32869458,  -5408545,  25609743,  15678670, -10687769,
+			  -15471071,  26112421,   2521008, -22664288,   6904815 },
+			{  29506923,   4457497,   3377935,  -9796444, -30510046,
+			   12935080,   1561737,   3841096, -29003639,  -6657642 },
+			{  10340844,  -6630377, -18656632,  -2278430,  12621151,
+			  -13339055,  30878497, -11824370, -25584551,   5181966 }
+		},
+		{
+			{  25940115, -12658025,  17324188, -10307374,  -8671468,
+			   15029094,  24396252, -16450922,  -2322852, -12388574 },
+			{ -21765684,   9916823,  -1300409,   4079498,  -1028346,
+			   11909559,   1782390,  12641087,  20603771,  -6561742 },
+			{ -18882287, -11673380,  24849422,  11501709,  13161720,
+			   -4768874,   1925523,  11914390,   4662781,   7820689 }
+		},
+		{
+			{  12241050,   -425982,   8132691,   9393934,  32846760,
+			   -1599620,  29749456,  12172924,  16136752,  15264020 },
+			{ -10349955, -14680563,  -8211979,   2330220, -17662549,
+			  -14545780,  10658213,   6671822,  19012087,   3772772 },
+			{   3753511,  -3421066,  10617074,   2028709,  14841030,
+			   -6721664,  28718732, -15762884,  20527771,  12988982 }
+		},
+		{
+			{ -14822485,  -5797269,  -3707987,  12689773,   -898983,
+			  -10914866, -24183046, -10564943,   3299665, -12424953 },
+			{ -16777703, -15253301,  -9642417,   4978983,   3308785,
+			    8755439,   6943197,   6461331, -25583147,   8991218 },
+			{ -17226263,   1816362,  -1673288,  -6086439,  31783888,
+			   -8175991, -32948145,   7417950, -30242287,   1507265 }
+		},
+		{
+			{  29692663,   6829891, -10498800,   4334896,  20945975,
+			  -11906496, -28887608,   8209391,  14606362, -10647073 },
+			{  -3481570,   8707081,  32188102,   5672294,  22096700,
+			    1711240, -33020695,   9761487,   4170404,  -2085325 },
+			{ -11587470,  14855945,  -4127778,  -1531857, -26649089,
+			   15084046,  22186522,  16002000, -14276837,  -8400798 }
+		},
+		{
+			{  -4811456,  13761029, -31703877,  -2483919,  -3312471,
+			    7869047,  -7113572,  -9620092,  13240845,  10965870 },
+			{  -7742563,  -8256762, -14768334, -13656260, -23232383,
+			   12387166,   4498947,  14147411,  29514390,   4302863 },
+			{ -13413405, -12407859,  20757302, -13801832,  14785143,
+			    8976368,  -5061276,  -2144373,  17846988, -13971927 }
+		}
+	},
+	{
+		{
+			{  -2244452,   -754728,  -4597030,  -1066309,  -6247172,
+			    1455299, -21647728,  -9214789,  -5222701,  12650267 },
+			{  -9906797, -16070310,  21134160,  12198166, -27064575,
+			     708126,    387813,  13770293, -19134326,  10958663 },
+			{  22470984,  12369526,  23446014,  -5441109, -21520802,
+			   -9698723, -11772496, -11574455, -25083830,   4271862 }
+		},
+		{
+			{ -25169565, -10053642, -19909332,  15361595,  -5984358,
+			    2159192,     75375,  -4278529, -32526221,   8469673 },
+			{  15854970,   4148314,  -8893890,   7259002,  11666551,
+			   13824734, -30531198,   2697372,  24154791,  -9460943 },
+			{  15446137, -15806644,  29759747,  14019369,  30811221,
+			   -9610191, -31582008,  12840104,  24913809,   9815020 }
+		},
+		{
+			{  -4709286,  -5614269, -31841498, -12288893, -14443537,
+			   10799414,  -9103676,  13438769,  18735128,   9466238 },
+			{  11933045,   9281483,   5081055,  -5183824,  -2628162,
+			   -4905629,  -7727821, -10896103, -22728655,  16199064 },
+			{  14576810,    379472, -26786533,  -8317236, -29426508,
+			  -10812974,   -102766,   1876699,  30801119,   2164795 }
+		},
+		{
+			{  15995086,   3199873,  13672555,  13712240, -19378835,
+			   -4647646, -13081610, -15496269, -13492807,   1268052 },
+			{ -10290614,  -3659039,  -3286592,  10948818,  23037027,
+			    3794475,  -3470338, -12600221, -17055369,   3565904 },
+			{  29210088,  -9419337,  -5919792,  -4952785,  10834811,
+			  -13327726, -16512102, -10820713, -27162222, -14030531 }
+		},
+		{
+			{ -13161890,  15508588,  16663704,  -8156150, -28349942,
+			    9019123, -29183421,  -3769423,   2244111, -14001979 },
+			{  -5152875,  -3800936,  -9306475,  -6071583,  16243069,
+			   14684434, -25673088, -16180800,  13491506,   4641841 },
+			{  10813417,    643330, -19188515,   -728916,  30292062,
+			  -16600078,  27548447,  -7721242,  14476989, -12767431 }
+		},
+		{
+			{  10292079,   9984945,   6481436,   8279905,  -7251514,
+			    7032743,  27282937,  -1644259, -27912810,  12651324 },
+			{ -31185513,   -813383,  22271204,  11835308,  10201545,
+			   15351028,  17099662,   3988035,  21721536,  -3148940 },
+			{  10202177,  -6545839, -31373232,  -9574638, -32150642,
+			   -8119683, -12906320,   3852694,  13216206,  14842320 }
+		},
+		{
+			{ -15815640, -10601066,  -6538952,  -7258995,  -6984659,
+			   -6581778, -31500847,  13765824, -27434397,   9900184 },
+			{  14465505, -13833331, -32133984, -14738873, -27443187,
+			   12990492,  33046193,  15796406,  -7051866,  -8040114 },
+			{  30924417,  -8279620,   6359016, -12816335,  16508377,
+			    9071735, -25488601,  15413635,   9524356,  -7018878 }
+		},
+		{
+			{  12274201, -13175547,  32627641,  -1785326,   6736625,
+			   13267305,   5237659,  -5109483,  15663516,   4035784 },
+			{  -2951309,   8903985,  17349946,    601635, -16432815,
+			   -4612556, -13732739, -15889334, -22258478,   4659091 },
+			{ -16916263,  -4952973, -30393711, -15158821,  20774812,
+			   15897498,   5736189,  15026997,  -2178256, -13455585 }
+		}
+	},
+	{
+		{
+			{  -8858980,  -2219056,  28571666, -10155518,   -474467,
+			  -10105698,  -3801496,    278095,  23440562,   -290208 },
+			{  10226241,  -5928702,  15139956,    120818, -14867693,
+			    5218603,  32937275,  11551483, -16571960,  -7442864 },
+			{  17932739, -12437276, -24039557,  10749060,  11316803,
+			    7535897,  22503767,   5561594,  -3646624,   3898661 }
+		},
+		{
+			{   7749907,   -969567, -16339731,    -16464, -25018111,
+			   15122143,  -1573531,   7152530,  21831162,   1245233 },
+			{  26958459, -14658026,   4314586,   8346991,  -5677764,
+			   11960072, -32589295,   -620035, -30402091, -16716212 },
+			{ -12165896,   9166947,  33491384,  13673479,  29787085,
+			   13096535,   6280834,  14587357, -22338025,  13987525 }
+		},
+		{
+			{ -24349909,   7778775,  21116000,  15572597,  -4833266,
+			   -5357778,  -4300898,  -5124639,  -7469781,  -2858068 },
+			{   9681908,  -6737123, -31951644,  13591838,  -6883821,
+			     386950,  31622781,   6439245, -14581012,   4091397 },
+			{  -8426427,   1470727, -28109679,  -1596990,   3978627,
+			   -5123623, -19622683,  12092163,  29077877, -14741988 }
+		},
+		{
+			{   5269168,  -6859726, -13230211,  -8020715,  25932563,
+			    1763552,  -5606110,  -5505881, -20017847,   2357889 },
+			{  32264008, -15407652,  -5387735,  -1160093,  -2091322,
+			   -3946900,  23104804, -12869908,   5727338,    189038 },
+			{  14609123,  -8954470,  -6000566, -16622781, -14577387,
+			   -7743898, -26745169,  10942115, -25888931, -14884697 }
+		},
+		{
+			{  20513500,   5557931, -15604613,   7829531,  26413943,
+			   -2019404, -21378968,   7471781,  13913677,  -5137875 },
+			{ -25574376,  11967826,  29233242,  12948236,  -6754465,
+			    4713227,  -8940970,  14059180,  12878652,   8511905 },
+			{ -25656801,   3393631,  -2955415,  -7075526,  -2250709,
+			    9366908, -30223418,   6812974,   5568676,  -3127656 }
+		},
+		{
+			{  11630004,  12144454,   2116339,  13606037,  27378885,
+			   15676917, -17408753, -13504373, -14395196,   8070818 },
+			{  27117696, -10007378, -31282771,  -5570088,   1127282,
+			   12772488, -29845906,  10483306, -11552749,  -1028714 },
+			{  10637467,  -5688064,   5674781,   1072708, -26343588,
+			   -6982302,  -1683975,   9177853, -27493162,  15431203 }
+		},
+		{
+			{  20525145,  10892566, -12742472,  12779443, -29493034,
+			   16150075, -28240519,  14943142, -15056790,  -7935931 },
+			{ -30024462,   5626926,   -551567,  -9981087,    753598,
+			   11981191,  25244767,  -3239766,  -3356550,   9594024 },
+			{ -23752644,   2636870,  -5163910, -10103818,    585134,
+			    7877383,  11345683,  -6492290,  13352335, -10977084 }
+		},
+		{
+			{  -1931799,  -5407458,   3304649, -12884869,  17015806,
+			   -4877091, -29783850,  -7752482, -13215537,   -319204 },
+			{  20239939,   6607058,   6203985,   3483793, -18386976,
+			    -779229, -20723742,  15077870, -22750759,  14523817 },
+			{  27406042,  -6041657,  27423596,  -4497394,   4996214,
+			   10002360, -28842031,  -4545494, -30172742,  -4805667 }
+		}
+	},
+	{
+		{
+			{  11374242,  12660715,  17861383, -12540833,  10935568,
+			    1099227, -13886076,  -9091740, -27727044,  11358504 },
+			{ -12730809,  10311867,   1510375,  10778093,  -2119455,
+			   -9145702,  32676003,  11149336, -26123651,   4985768 },
+			{ -19096303,    341147,  -6197485,   -239033,  15756973,
+			   -8796662,   -983043,  13794114, -19414307, -15621255 }
+		},
+		{
+			{   6490081,  11940286,  25495923,  -7726360,   8668373,
+			   -8751316,   3367603,   6970005,  -1691065,  -9004790 },
+			{   1656497,  13457317,  15370807,   6364910,  13605745,
+			    8362338, -19174622,  -5475723, -16796596,  -5031438 },
+			{ -22273315, -13524424,    -64685,  -4334223, -18605636,
+			  -10921968, -20571065,  -7007978,    -99853, -10237333 }
+		},
+		{
+			{  17747465,  10039260,  19368299,  -4050591, -20630635,
+			  -16041286,  31992683, -15857976, -29260363,  -5511971 },
+			{  31932027,  -4986141, -19612382,  16366580,  22023614,
+			      88450,  11371999,  -3744247,   4882242, -10626905 },
+			{  29796507,     37186,  19818052,  10115756, -11829032,
+			    3352736,  18551198,   3272828,  -5190932,  -4162409 }
+		},
+		{
+			{  12501286,   4044383,  -8612957, -13392385, -32430052,
+			    5136599, -19230378,  -3529697,    330070,  -3659409 },
+			{   6384877,   2899513,  17807477,   7663917,  -2358888,
+			   12363165,  25366522,  -8573892,   -271295,  12071499 },
+			{  -8365515,  -4042521,  25133448,  -4517355,  -6211027,
+			    2265927, -32769618,   1936675,  -5159697,   3829363 }
+		},
+		{
+			{  28425966,  -5835433,   -577090,  -4697198, -14217555,
+			    6870930,   7921550,  -6567787,  26333140,  14267664 },
+			{ -11067219,  11871231,  27385719, -10559544,  -4585914,
+			  -11189312,  10004786,  -8709488, -21761224,   8930324 },
+			{ -21197785, -16396035,  25654216,  -1725397,  12282012,
+			   11008919,   1541940,   4757911, -26491501, -16408940 }
+		},
+		{
+			{  13537262,  -7759490, -20604840,  10961927,  -5922820,
+			  -13218065, -13156584,   6217254, -15943699,  13814990 },
+			{ -17422573,  15157790,  18705543,     29619,  24409717,
+			    -260476,  27361681,   9257833,  -1956526,  -1776914 },
+			{ -25045300, -10191966,  15366585,  15166509, -13105086,
+			    8423556, -29171540,  12361135, -18685978,   4578290 }
+		},
+		{
+			{  24579768,   3711570,   1342322, -11180126, -27005135,
+			   14124956, -22544529,  14074919,  21964432,   8235257 },
+			{  -6528613,  -2411497,   9442966,  -5925588,  12025640,
+			   -1487420,  -2981514,  -1669206,  13006806,   2355433 },
+			{ -16304899, -13605259,  -6632427,  -5142349,  16974359,
+			  -10911083,  27202044,   1719366,   1141648, -12796236 }
+		},
+		{
+			{ -12863944, -13219986,  -8318266, -11018091,  -6810145,
+			   -4843894,  13475066,  -3133972,  32674895,  13715045 },
+			{  11423335,  -5468059,  32344216,   8962751,  24989809,
+			    9241752, -13265253,  16086212, -28740881, -15642093 },
+			{  -1409668,  12530728,  -6368726,  10847387,  19531186,
+			  -14132160, -11709148,   7791794, -27245943,   4383347 }
+		}
+	},
+	{
+		{
+			{ -28970898,   5271447,  -1266009,  -9736989, -12455236,
+			   16732599,  -4862407,  -4906449,  27193557,   6245191 },
+			{ -15193956,   5362278,  -1783893,   2695834,   4960227,
+			   12840725,  23061898,   3260492,  22510453,   8577507 },
+			{ -12632451,  11257346, -32692994,  13548177,   -721004,
+			   10879011,  31168030,  13952092, -29571492,  -3635906 }
+		},
+		{
+			{   3877321,  -9572739,  32416692,   5405324, -11004407,
+			  -13656635,   3759769,  11935320,   5611860,   8164018 },
+			{ -16275802,  14667797,  15906460,  12155291, -22111149,
+			   -9039718,  32003002,  -8832289,   5773085,  -8422109 },
+			{ -23788118,  -8254300,   1950875,   8937633,  18686727,
+			   16459170,   -905725,  12376320,  31632953,    190926 }
+		},
+		{
+			{ -24593607, -16138885,  -8423991,  13378746,  14162407,
+			    6901328,  -8288749,   4508564, -25341555,  -3627528 },
+			{   8884438,  -5884009,   6023974,  10104341,  -6881569,
+			   -4941533,  18722941, -14786005,  -1672488,    827625 },
+			{ -32720583, -16289296, -32503547,   7101210,  13354605,
+			    2659080,  -1800575, -14108036, -24878478,   1541286 }
+		},
+		{
+			{   2901347,  -1117687,   3880376, -10059388, -17620940,
+			   -3612781, -21802117,  -3567481,  20456845,  -1885033 },
+			{  27019610,  12299467, -13658288,  -1603234, -12861660,
+			   -4861471, -19540150,  -5016058,  29439641,  15138866 },
+			{  21536104,  -6626420, -32447818, -10690208, -22408077,
+			    5175814,  -5420040, -16361163,   7779328,    109896 }
+		},
+		{
+			{  30279744,  14648750,  -8044871,   6425558,  13639621,
+			    -743509,  28698390,  12180118,  23177719,   -554075 },
+			{  26572847,   3405927, -31701700,  12890905, -19265668,
+			    5335866,  -6493768,   2378492,   4439158, -13279347 },
+			{ -22716706,   3489070,  -9225266,   -332753,  18875722,
+			   -1140095,  14819434, -12731527, -17717757,  -5461437 }
+		},
+		{
+			{  -5056483,  16566551,  15953661,   3767752, -10436499,
+			   15627060,   -820954,   2177225,   8550082, -15114165 },
+			{ -18473302,  16596775,   -381660,  15663611,  22860960,
+			   15585581, -27844109,  -3582739, -23260460,  -8428588 },
+			{ -32480551,  15707275,  -8205912,  -5652081,  29464558,
+			    2713815, -22725137,  15860482, -21902570,   1494193 }
+		},
+		{
+			{ -19562091, -14087393, -25583872,  -9299552,  13127842,
+			     759709,  21923482,  16529112,   8742704,  12967017 },
+			{ -28464899,   1553205,  32536856, -10473729, -24691605,
+			    -406174,  -8914625,  -2933896, -29903758,  15553883 },
+			{  21877909,   3230008,   9881174,  10539357,  -4797115,
+			    2841332,  11543572,  14513274,  19375923, -12647961 }
+		},
+		{
+			{   8832269, -14495485,  13253511,   5137575,   5037871,
+			    4078777,  24880818,  -6222716,   2862653,   9455043 },
+			{  29306751,   5123106,  20245049, -14149889,   9592566,
+			    8447059,  -2077124,  -2990080,  15511449,   4789663 },
+			{ -20679756,   7004547,   8824831,  -9434977,  -4045704,
+			   -3750736,  -5754762,    108893,  23513200,  16652362 }
+		}
+	},
+	{
+		{
+			{ -33256173,   4144782,  -4476029,  -6579123,  10770039,
+			   -7155542,  -6650416, -12936300, -18319198,  10212860 },
+			{   2756081,   8598110,   7383731,  -6859892,  22312759,
+			   -1105012,  21179801,   2600940,  -9988298, -12506466 },
+			{ -24645692,  13317462, -30449259, -15653928,  21365574,
+			  -10869657,  11344424,    864440,  -2499677, -16710063 }
+		},
+		{
+			{ -26432803,   6148329, -17184412, -14474154,  18782929,
+			    -275997, -22561534,    211300,   2719757,   4940997 },
+			{  -1323882,   3911313,  -6948744,  14759765, -30027150,
+			    7851207,  21690126,   8518463,  26699843,   5276295 },
+			{ -13149873,  -6429067,   9396249,    365013,  24703301,
+			  -10488939,   1321586,    149635, -15452774,   7159369 }
+		},
+		{
+			{   9987780,  -3404759,  17507962,   9505530,   9731535,
+			   -2165514,  22356009,   8312176,  22477218,  -8403385 },
+			{  18155857, -16504990,  19744716,   9006923,  15154154,
+			  -10538976,  24256460,  -4864995, -22548173,   9334109 },
+			{   2986088,  -4911893,  10776628,  -3473844,  10620590,
+			   -7083203, -21413845,  14253545, -22587149,    536906 }
+		},
+		{
+			{   4377756,   8115836,  24567078,  15495314,  11625074,
+			   13064599,   7390551,  10589625,  10838060, -15420424 },
+			{ -19342404,    867880,   9277171,  -3218459, -14431572,
+			   -1986443,  19295826, -15796950,   6378260,    699185 },
+			{   7895026,   4057113,  -7081772, -13077756, -17886831,
+			    -323126,   -716039,  15693155,  -5045064, -13373962 }
+		},
+		{
+			{  -7737563,  -5869402, -14566319,  -7406919,  11385654,
+			   13201616,  31730678, -10962840,  -3918636,  -9669325 },
+			{  10188286, -15770834,  -7336361,  13427543,  22223443,
+			   14896287,  30743455,   7116568, -21786507,   5427593 },
+			{    696102,  13206899,  27047647, -10632082,  15285305,
+			   -9853179,  10798490,  -4578720,  19236243,  12477404 }
+		},
+		{
+			{ -11229439,  11243796, -17054270,  -8040865,   -788228,
+			   -8167967,  -3897669,  11180504, -23169516,   7733644 },
+			{  17800790, -14036179, -27000429, -11766671,  23887827,
+			    3149671,  23466177, -10538171,  10322027,  15313801 },
+			{  26246234,  11968874,  32263343,  -5468728,   6830755,
+			  -13323031, -15794704,   -101982, -24449242,  10890804 }
+		},
+		{
+			{ -31365647,  10271363, -12660625,  -6267268,  16690207,
+			  -13062544, -14982212,  16484931,  25180797,  -5334884 },
+			{   -586574,  10376444, -32586414, -11286356,  19801893,
+			   10997610,   2276632,   9482883,    316878,  13820577 },
+			{  -9882808,  -4510367,  -2115506,  16457136, -11100081,
+			   11674996,  30756178,  -7515054,  30696930,  -3712849 }
+		},
+		{
+			{  32988917,  -9603412,  12499366,   7910787, -10617257,
+			  -11931514,  -7342816,  -9985397, -32349517,   7392473 },
+			{  -8855661,  15927861,   9866406,  -3649411,  -2396914,
+			  -16655781, -30409476,  -9134995,  25112947,  -2926644 },
+			{  -2504044,   -436966,  25621774,  -5678772,  15085042,
+			   -5479877, -24884878, -13526194,   5537438, -13914319 }
+		}
+	},
+	{
+		{
+			{ -11225584,   2320285,  -9584280,  10149187, -33444663,
+			    5808648, -14876251,  -1729667,  31234590,   6090599 },
+			{  -9633316,    116426,  26083934,   2897444,  -6364437,
+			   -2688086,    609721,  15878753,  -6970405,  -9034768 },
+			{ -27757857,    247744, -15194774,  -9002551,  23288161,
+			  -10011936, -23869595,   6503646,  20650474,   1804084 }
+		},
+		{
+			{ -27589786,  15456424,   8972517,   8469608,  15640622,
+			    4439847,   3121995, -10329713,  27842616,   -202328 },
+			{ -15306973,   2839644,  22530074,  10026331,   4602058,
+			    5048462,  28248656,   5031932, -11375082,  12714369 },
+			{  20807691,  -7270825,  29286141,  11421711, -27876523,
+			  -13868230, -21227475,   1035546, -19733229,  12796920 }
+		},
+		{
+			{  12076899, -14301286,  -8785001, -11848922, -25012791,
+			   16400684, -17591495, -12899438,   3480665, -15182815 },
+			{ -32361549,   5457597,  28548107,   7833186,   7303070,
+			  -11953545, -24363064, -15921875, -33374054,   2771025 },
+			{ -21389266,    421932,  26597266,   6860826,  22486084,
+			   -6737172, -17137485,  -4210226, -24552282,  15673397 }
+		},
+		{
+			{ -20184622,   2338216,  19788685,  -9620956,  -4001265,
+			   -8740893, -20271184,   4733254,   3727144, -12934448 },
+			{   6120119,    814863, -11794402,   -622716,   6812205,
+			  -15747771,   2019594,   7975683,  31123697, -10958981 },
+			{  30069250, -11435332,  30434654,   2958439,  18399564,
+			    -976289,  12296869,   9204260, -16432438,   9648165 }
+		},
+		{
+			{  32705432,  -1550977,  30705658,   7451065, -11805606,
+			    9631813,   3305266,   5248604, -26008332, -11377501 },
+			{  17219865,   2375039, -31570947,  -5575615, -19459679,
+			    9219903,    294711,  15298639,   2662509, -16297073 },
+			{  -1172927,  -7558695,  -4366770,  -4287744, -21346413,
+			   -8434326,  32087529,  -1222777,  32247248, -14389861 }
+		},
+		{
+			{  14312628,   1221556,  17395390,  -8700143,  -4945741,
+			   -8684635, -28197744,  -9637817, -16027623, -13378845 },
+			{  -1428825,  -9678990,  -9235681,   6549687,  -7383069,
+			    -468664,  23046502,   9803137,  17597934,   2346211 },
+			{  18510800,  15337574,  26171504,    981392, -22241552,
+			    7827556, -23491134, -11323352,   3059833, -11782870 }
+		},
+		{
+			{  10141598,   6082907,  17829293,  -1947643,   9830092,
+			   13613136, -25556636,  -5544586, -33502212,   3592096 },
+			{  33114168, -15889352, -26525686, -13343397,  33076705,
+			    8716171,   1151462,   1521897,   -982665,  -6837803 },
+			{ -32939165,  -4255815,  23947181,   -324178, -33072974,
+			  -12305637, -16637686,   3891704,  26353178,    693168 }
+		},
+		{
+			{  30374239,   1595580, -16884039,  13186931,   4600344,
+			     406904,   9585294,   -400668,  31375464,  14369965 },
+			{ -14370654,  -7772529,   1510301,   6434173, -18784789,
+			   -6262728,  32732230, -13108839,  17901441,  16011505 },
+			{  18171223, -11934626, -12500402,  15197122, -11038147,
+			  -15230035, -19172240, -16046376,   8764035,  12309598 }
+		}
+	},
+	{
+		{
+			{   5975908,  -5243188, -19459362,  -9681747, -11541277,
+			   14015782, -23665757,   1228319,  17544096, -10593782 },
+			{   5811932,  -1715293,   3442887,  -2269310, -18367348,
+			   -8359541, -18044043, -15410127,  -5565381,  12348900 },
+			{ -31399660,  11407555,  25755363,   6891399,  -3256938,
+			   14872274, -24849353,   8141295, -10632534,   -585479 }
+		},
+		{
+			{ -12675304,    694026,  -5076145,  13300344,  14015258,
+			  -14451394,  -9698672, -11329050,  30944593,   1130208 },
+			{   8247766,  -6710942, -26562381,  -7709309, -14401939,
+			  -14648910,   4652152,   2488540,  23550156,   -271232 },
+			{  17294316,  -3788438,   7026748,  15626851,  22990044,
+			     113481,   2267737,  -5908146,   -408818,   -137719 }
+		},
+		{
+			{  16091085, -16253926,  18599252,   7340678,   2137637,
+			   -1221657,  -3364161,  14550936,   3260525,  -7166271 },
+			{  -4910104, -13332887,  18550887,  10864893, -16459325,
+			   -7291596, -23028869, -13204905, -12748722,   2701326 },
+			{  -8574695,  16099415,   4629974, -16340524, -20786213,
+			   -6005432, -10018363,   9276971,  11329923,   1862132 }
+		},
+		{
+			{  14763076, -15903608, -30918270,   3689867,   3511892,
+			   10313526, -21951088,  12219231,  -9037963,   -940300 },
+			{   8894987,  -3446094,   6150753,   3013931,    301220,
+			   15693451, -31981216,  -2909717, -15438168,  11595570 },
+			{  15214962,   3537601, -26238722, -14058872,   4418657,
+			  -15230761,  13947276,  10730794, -13489462,  -4363670 }
+		},
+		{
+			{  -2538306,   7682793,  32759013,    263109, -29984731,
+			   -7955452, -22332124, -10188635,    977108,    699994 },
+			{ -12466472,   4195084,  -9211532,    550904, -15565337,
+			   12917920,  19118110,   -439841, -30534533, -14337913 },
+			{  31788461, -14507657,   4799989,   7372237,   8808585,
+			  -14747943,   9408237, -10051775,  12493932,  -5409317 }
+		},
+		{
+			{ -25680606,   5260744, -19235809,  -6284470,  -3695942,
+			   16566087,  27218280,   2607121,  29375955,   6024730 },
+			{    842132,  -2794693,  -4763381,  -8722815,  26332018,
+			  -12405641,  11831880,   6985184,  -9940361,   2854096 },
+			{  -4847262,  -7969331,   2516242,  -5847713,   9695691,
+			   -7221186,  16512645,    960770,  12121869,  16648078 }
+		},
+		{
+			{ -15218652,  14667096, -13336229,   2013717,  30598287,
+			    -464137, -31504922,  -7882064,  20237806,   2838411 },
+			{ -19288047,   4453152,  15298546, -16178388,  22115043,
+			  -15972604,  12544294, -13470457,   1068881, -12499905 },
+			{  -9558883, -16518835,  33238498,  13506958,  30505848,
+			   -1114596,  -8486907,  -2630053,  12521378,   4845654 }
+		},
+		{
+			{ -28198521,  10744108,  -2958380,  10199664,   7759311,
+			  -13088600,   3409348,   -873400,  -6482306, -12885870 },
+			{ -23561822,   6230156, -20382013,  10655314, -24040585,
+			  -11621172,  10477734,  -1240216,  -3113227,  13974498 },
+			{  12966261,  15550616, -32038948,  -1615346,  21025980,
+			    -629444,   5642325,   7188737,  18895762,  12629579 }
+		}
+	},
+	{
+		{
+			{  14741879, -14946887,  22177208, -11721237,   1279741,
+			    8058600,  11758140,    789443,  32195181,   3895677 },
+			{  10758205,  15755439,  -4509950,   9243698,  -4879422,
+			    6879879,  -2204575,  -3566119,  -8982069,   4429647 },
+			{  -2453894,  15725973, -20436342, -10410672,  -5803908,
+			  -11040220,  -7135870, -11642895,  18047436, -15281743 }
+		},
+		{
+			{ -25173001, -11307165,  29759956,  11776784, -22262383,
+			  -15820455,  10993114, -12850837, -17620701,  -9408468 },
+			{  21987233,    700364, -24505048,  14972008,  -7774265,
+			   -5718395,  32155026,   2581431, -29958985,   8773375 },
+			{ -25568350,    454463, -13211935,  16126715,  25240068,
+			    8594567,  20656846,  12017935,  -7874389, -13920155 }
+		},
+		{
+			{   6028182,   6263078, -31011806, -11301710,   -818919,
+			    2461772, -31841174,  -5468042,  -1721788,  -2776725 },
+			{ -12278994,  16624277,    987579,  -5922598,  32908203,
+			    1248608,   7719845,  -4166698,  28408820,   6816612 },
+			{ -10358094,  -8237829,  19549651, -12169222,  22082623,
+			   16147817,  20613181,  13982702, -10339570,   5067943 }
+		},
+		{
+			{ -30505967,  -3821767,  12074681,  13582412, -19877972,
+			    2443951, -19719286,  12746132,   5331210, -10105944 },
+			{  30528811,   3601899,  -1957090,   4619785, -27361822,
+			  -15436388,  24180793, -12570394,  27679908,  -1648928 },
+			{   9402404, -13957065,  32834043,  10838634, -26580150,
+			  -13237195,  26653274,  -8685565,  22611444, -12715406 }
+		},
+		{
+			{  22190590,   1118029,  22736441,  15130463, -30460692,
+			   -5991321,  19189625,  -4648942,   4854859,   6622139 },
+			{  -8310738,  -2953450,  -8262579,  -3388049, -10401731,
+			    -271929,  13424426,  -3567227,  26404409,  13001963 },
+			{ -31241838, -15415700,  -2994250,   8939346,  11562230,
+			  -12840670, -26064365, -11621720, -15405155,  11020693 }
+		},
+		{
+			{   1866042,  -7949489,  -7898649, -10301010,  12483315,
+			   13477547,   3175636, -12424163,  28761762,   1406734 },
+			{   -448555,  -1777666,  13018551,   3194501,  -9580420,
+			  -11161737,  24760585,  -4347088,  25577411, -13378680 },
+			{ -24290378,   4759345,   -690653,  -1852816,   2066747,
+			   10693769, -29595790,   9884936,  -9368926,   4745410 }
+		},
+		{
+			{  -9141284,   6049714, -19531061,  -4341411, -31260798,
+			    9944276, -15462008, -11311852,  10931924, -11931931 },
+			{ -16561513,  14112680,  -8012645,   4817318,  -8040464,
+			  -11414606, -22853429,  10856641, -20470770,  13434654 },
+			{  22759489, -10073434, -16766264,  -1871422,  13637442,
+			  -10168091,   1765144, -12654326,  28445307,  -5364710 }
+		},
+		{
+			{  29875063,  12493613,   2795536,  -3786330,   1710620,
+			   15181182, -10195717,  -8788675,   9074234,   1167180 },
+			{ -26205683,  11014233,  -9842651,  -2635485, -26908120,
+			    7532294, -18716888,  -9535498,   3843903,   9367684 },
+			{ -10969595,  -6403711,   9591134,   9582310,  11349256,
+			     108879,  16235123,   8601684,   -139197,   4242895 }
+		}
+	},
+	{
+		{
+			{  22092954, -13191123,  -2042793, -11968512,  32186753,
+			  -11517388,  -6574341,   2470660, -27417366,  16625501 },
+			{ -11057722,   3042016,  13770083,  -9257922,    584236,
+			    -544855,  -7770857,   2602725, -27351616,  14247413 },
+			{   6314175, -10264892, -32772502,  15957557, -10157730,
+			     168750,  -8618807,  14290061,  27108877,  -1180880 }
+		},
+		{
+			{  -8586597,  -7170966,  13241782,  10960156, -32991015,
+			  -13794596,  33547976, -11058889, -27148451,    981874 },
+			{  22833440,   9293594, -32649448, -13618667,  -9136966,
+			   14756819, -22928859, -13970780, -10479804, -16197962 },
+			{  -7768587,   3326786, -28111797,  10783824,  19178761,
+			   14905060,  22680049,  13906969, -15933690,   3797899 }
+		},
+		{
+			{  21721356,  -4212746, -12206123,   9310182,  -3882239,
+			  -13653110,  23740224,  -2709232,  20491983,  -8042152 },
+			{   9209270, -15135055, -13256557,  -6167798,   -731016,
+			   15289673,  25947805,  15286587,  30997318,  -6703063 },
+			{   7392032,  16618386,  23946583,  -8039892, -13265164,
+			   -1533858, -14197445,  -2321576,  17649998,   -250080 }
+		},
+		{
+			{  -9301088, -14193827,  30609526,  -3049543, -25175069,
+			   -1283752, -15241566,  -9525724,  -2233253,   7662146 },
+			{ -17558673,   1763594, -33114336,  15908610, -30040870,
+			  -12174295,   7335080,  -8472199,  -3174674,   3440183 },
+			{ -19889700,  -5977008, -24111293,  -9688870,  10799743,
+			  -16571957,     40450,  -4431835,   4862400,      1133 }
+		},
+		{
+			{ -32856209,  -7873957,  -5422389,  14860950, -16319031,
+			    7956142,   7258061,    311861, -30594991,  -7379421 },
+			{  -3773428,  -1565936,  28985340,   7499440,  24445838,
+			    9325937,  29727763,  16527196,  18278453,  15405622 },
+			{  -4381906,   8508652, -19898366,  -3674424,  -5984453,
+			   15149970, -13313598,    843523, -21875062,  13626197 }
+		},
+		{
+			{   2281448, -13487055, -10915418,  -2609910,   1879358,
+			   16164207, -10783882,   3953792,  13340839,  15928663 },
+			{  31727126,  -7179855, -18437503,  -8283652,   2875793,
+			  -16390330, -25269894,  -7014826, -23452306,   5964753 },
+			{   4100420,  -5959452, -17179337,   6017714, -18705837,
+			   12227141, -26684835,  11344144,   2538215,  -7570755 }
+		},
+		{
+			{  -9433605,   6123113,  11159803,  -2156608,  30016280,
+			   14966241, -20474983,   1485421,   -629256, -15958862 },
+			{ -26804558,   4260919,  11851389,   9658551, -32017107,
+			   16367492, -20205425, -13191288,  11659922, -11115118 },
+			{  26180396,  10015009, -30844224,  -8581293,   5418197,
+			    9480663,   2231568, -10170080,  33100372,  -1306171 }
+		},
+		{
+			{  15121113,  -5201871, -10389905,  15427821, -27509937,
+			  -15992507,  21670947,   4486675,  -5931810, -14466380 },
+			{  16166486,  -9483733, -11104130,   6023908, -31926798,
+			   -1364923,   2340060, -16254968, -10735770, -10039824 },
+			{  28042865,  -3557089, -12126526,  12259706,  -3717498,
+			   -6945899,   6766453,  -8689599,  18036436,   5803270 }
+		}
+	},
+	{
+		{
+			{   -817581,   6763912,  11803561,   1585585,  10958447,
+			   -2671165,  23855391,   4598332,  -6159431, -14117438 },
+			{ -31031306, -14256194,  17332029,  -2383520,  31312682,
+			   -5967183,    696309,     50292, -20095739,  11763584 },
+			{   -594563,  -2514283, -32234153,  12643980,  12650761,
+			   14811489,    665117, -12613632, -19773211, -10713562 }
+		},
+		{
+			{  30464590, -11262872,  -4127476, -12734478,  19835327,
+			   -7105613, -24396175,   2075773, -17020157,    992471 },
+			{  18357185,  -6994433,   7766382,  16342475, -29324918,
+			     411174,  14578841,   8080033, -11574335, -10601610 },
+			{  19598397,  10334610,  12555054,   2555664,  18821899,
+			  -10339780,  21873263,  16014234,  26224780,  16452269 }
+		},
+		{
+			{ -30223925,   5145196,   5944548,  16385966,   3976735,
+			    2009897, -11377804,  -7618186, -20533829,   3698650 },
+			{  14187449,   3448569, -10636236, -10810935, -22663880,
+			   -3433596,   7268410, -10890444,  27394301,  12015369 },
+			{  19695761,  16087646,  28032085,  12999827,   6817792,
+			   11427614,  20244189,  -1312777, -13259127,  -3402461 }
+		},
+		{
+			{  30860103,  12735208,  -1888245,  -4699734, -16974906,
+			    2256940,  -8166013,  12298312,  -8550524, -10393462 },
+			{  -5719826, -11245325,  -1910649,  15569035,  26642876,
+			   -7587760,  -5789354, -15118654,  -4976164,  12651793 },
+			{  -2848395,   9953421,  11531313,  -5282879,  26895123,
+			  -12697089, -13118820, -16517902,   9768698,  -2533218 }
+		},
+		{
+			{ -24719459,   1894651,   -287698,  -4704085,  15348719,
+			   -8156530,  32767513,  12765450,   4940095,  10678226 },
+			{  18860224,  15980149, -18987240,  -1562570, -26233012,
+			  -11071856,  -7843882,  13944024, -24372348,  16582019 },
+			{ -15504260,   4970268, -29893044,   4175593, -20993212,
+			   -2199756, -11704054,  15444560, -11003761,   7989037 }
+		},
+		{
+			{  31490452,   5568061,  -2412803,   2182383, -32336847,
+			    4531686, -32078269,   6200206, -19686113, -14800171 },
+			{ -17308668, -15879940, -31522777,     -2831, -32887382,
+			   16375549,   8680158, -16371713,  28550068,  -6857132 },
+			{ -28126887,  -5688091,  16837845,  -1820458,  -6850681,
+			   12700016, -30039981,   4364038,   1155602,   5988841 }
+		},
+		{
+			{  21890435, -13272907, -12624011,  12154349,  -7831873,
+			   15300496,  23148983,  -4470481,  24618407,   8283181 },
+			{ -33136107, -10512751,   9975416,   6841041, -31559793,
+			   16356536,   3070187,  -7025928,   1466169,  10740210 },
+			{  -1509399, -15488185, -13503385, -10655916,  32799044,
+			     909394, -13938903,  -5779719, -32164649, -15327040 }
+		},
+		{
+			{   3960823, -14267803, -28026090, -15918051, -19404858,
+			   13146868,  15567327,    951507,  -3260321,   -573935 },
+			{  24740841,   5052253, -30094131,   8961361,  25877428,
+			    6165135, -24368180,  14397372,  -7380369,  -6144105 },
+			{ -28888365,   3510803, -28103278,  -1158478, -11238128,
+			  -10631454, -15441463, -14453128,  -1625486,  -6494814 }
+		}
+	},
+	{
+		{
+			{    793299,  -9230478,   8836302,  -6235707, -27360908,
+			   -2369593,  33152843,  -4885251,  -9906200,   -621852 },
+			{   5666233,    525582,  20782575,  -8038419, -24538499,
+			   14657740,  16099374,   1468826,  -6171428, -15186581 },
+			{  -4859255,  -3779343,  -2917758,  -6748019,   7778750,
+			   11688288, -30404353,  -9871238,  -1558923,  -9863646 }
+		},
+		{
+			{  10896332,  -7719704,    824275,    472601, -19460308,
+			    3009587,  25248958,  14783338, -30581476, -15757844 },
+			{  10566929,  12612572, -31944212,  11118703, -12633376,
+			   12362879,  21752402,   8822496,  24003793,  14264025 },
+			{  27713862,  -7355973, -11008240,   9227530,  27050101,
+			    2504721,  23886875, -13117525,  13958495,  -5732453 }
+		},
+		{
+			{ -23481610,   4867226, -27247128,   3900521,  29838369,
+			   -8212291, -31889399, -10041781,   7340521, -15410068 },
+			{   4646514,  -8011124, -22766023, -11532654,  23184553,
+			    8566613,  31366726,  -1381061, -15066784, -10375192 },
+			{ -17270517,  12723032, -16993061,  14878794,  21619651,
+			   -6197576,  27584817,   3093888,  -8843694,   3849921 }
+		},
+		{
+			{  -9064912,   2103172,  25561640, -15125738,  -5239824,
+			    9582958,  32477045,  -9017955,   5002294, -15550259 },
+			{ -12057553, -11177906,  21115585, -13365155,   8808712,
+			  -12030708,  16489530,  13378448, -25845716,  12741426 },
+			{  -5946367,  10645103, -30911586,  15390284,  -3286982,
+			   -7118677,  24306472,  15852464,  28834118,  -7646072 }
+		},
+		{
+			{ -17335748,  -9107057, -24531279,   9434953,  -8472084,
+			    -583362, -13090771,    455841,  20461858,   5491305 },
+			{  13669248, -16095482, -12481974, -10203039, -14569770,
+			  -11893198, -24995986,  11293807, -28588204,  -9421832 },
+			{  28497928,   6272777, -33022994,  14470570,   8906179,
+			   -1225630,  18504674, -14165166,  29867745,  -8795943 }
+		},
+		{
+			{ -16207023,  13517196, -27799630, -13697798,  24009064,
+			   -6373891,  -6367600, -13175392,  22853429,  -4012011 },
+			{  24191378,  16712145, -13931797,  15217831,  14542237,
+			    1646131,  18603514, -11037887,  12876623,  -2112447 },
+			{  17902668,   4518229,   -411702,  -2829247,  26878217,
+			    5258055, -12860753,    608397,  16031844,   3723494 }
+		},
+		{
+			{ -28632773,  12763728, -20446446,   7577504,  33001348,
+			  -13017745,  17558842,  -7872890,  23896954,  -4314245 },
+			{ -20005381, -12011952,  31520464,    605201,   2543521,
+			    5991821,  -2945064,   7229064,  -9919646,  -8826859 },
+			{  28816045,    298879, -28165016, -15920938,  19000928,
+			   -1665890, -12680833,  -2949325, -18051778,  -2082915 }
+		},
+		{
+			{  16000882,   -344896,   3493092, -11447198, -29504595,
+			  -13159789,  12577740,  16041268, -19715240,   7847707 },
+			{  10151868,  10572098,  27312476,   7922682,  14825339,
+			    4723128, -32855931,  -6519018, -10020567,   3852848 },
+			{ -11430470,  15697596, -21121557,  -4420647,   5386314,
+			   15063598,  16514493, -15932110,  29330899, -15076224 }
+		}
+	},
+	{
+		{
+			{ -25499735,  -4378794, -15222908,  -6901211,  16615731,
+			    2051784,   3303702,     15490, -27548796,  12314391 },
+			{  15683520,  -6003043,  18109120,  -9980648,  15337968,
+			   -5997823, -16717435,  15921866,  16103996,  -3731215 },
+			{ -23169824, -10781249,  13588192,  -1628807,  -3798557,
+			   -1074929, -19273607,   5402699, -29815713,  -9841101 }
+		},
+		{
+			{  23190676,   2384583, -32714340,   3462154, -29903655,
+			   -1529132, -11266856,   8911517, -25205859,   2739713 },
+			{  21374101,  -3554250, -33524649,   9874411,  15377179,
+			   11831242, -33529904,   6134907,   4931255,  11987849 },
+			{     -7732,  -2978858, -16223486,   7277597,    105524,
+			    -322051, -31480539,  13861388, -30076310,  10117930 }
+		},
+		{
+			{ -29501170, -10744872, -26163768,  13051539, -25625564,
+			    5089643,  -6325503,   6704079,  12890019,  15728940 },
+			{ -21972360, -11771379,   -951059,  -4418840,  14704840,
+			    2695116,    903376, -10428139,  12885167,   8311031 },
+			{ -17516482,   5352194,  10384213, -13811658,   7506451,
+			   13453191,  26423267,   4384730,   1888765,  -5435404 }
+		},
+		{
+			{ -25817338,  -3107312, -13494599,  -3182506,  30896459,
+			  -13921729, -32251644, -12707869, -19464434,  -3340243 },
+			{ -23607977,  -2665774,   -526091,   4651136,   5765089,
+			    4618330,   6092245,  14845197,  17151279,  -9854116 },
+			{ -24830458, -12733720, -15165978,  10367250, -29530908,
+			    -265356,  22825805,  -7087279, -16866484,  16176525 }
+		},
+		{
+			{ -23583256,   6564961,  20063689,   3798228,  -4740178,
+			    7359225,   2006182, -10363426, -28746253, -10197509 },
+			{ -10626600,  -4486402, -13320562,  -5125317,   3432136,
+			   -6393229,  23632037,  -1940610,  32808310,   1099883 },
+			{  15030977,   5768825, -27451236,  -2887299,  -6427378,
+			  -15361371, -15277896,  -6809350,   2051441, -15225865 }
+		},
+		{
+			{  -3362323,  -7239372,   7517890,   9824992,  23555850,
+			     295369,   5148398, -14154188, -22686354,  16633660 },
+			{   4577086, -16752288,  13249841, -15304328,  19958763,
+			  -14537274,  18559670, -10759549,   8402478,  -9864273 },
+			{ -28406330,  -1051581, -26790155,   -907698, -17212414,
+			  -11030789,   9453451, -14980072,  17983010,   9967138 }
+		},
+		{
+			{ -25762494,   6524722,  26585488,   9969270,  24709298,
+			    1220360,  -1677990,   7806337,  17507396,   3651560 },
+			{ -10420457,  -4118111,  14584639,  15971087, -15768321,
+			    8861010,  26556809,  -5574557, -18553322, -11357135 },
+			{   2839101,  14284142,   4029895,   3472686,  14402957,
+			   12689363, -26642121,   8459447,  -5605463,  -7621941 }
+		},
+		{
+			{  -4839289,  -3535444,   9744961,   2871048,  25113978,
+			    3187018, -25110813,   -849066,  17258084,  -7977739 },
+			{  18164541, -10595176, -17154882,  -1542417,  19237078,
+			   -9745295,  23357533, -15217008,  26908270,  12150756 },
+			{ -30264870,  -7647865,   5112249,  -7036672,  -1499807,
+			   -6974257,     43168,  -5537701, -32302074,  16215819 }
+		}
+	},
+	{
+		{
+			{  -6898905,   9824394, -12304779,  -4401089, -31397141,
+			   -6276835,  32574489,  12532905,  -7503072,  -8675347 },
+			{ -27343522, -16515468, -27151524, -10722951,    946346,
+			   16291093,    254968,   7168080,  21676107,  -1943028 },
+			{  21260961,  -8424752, -16831886, -11920822, -23677961,
+			    3968121,  -3651949,  -6215466,  -3556191,  -7913075 }
+		},
+		{
+			{  16544754,  13250366, -16804428,  15546242,  -4583003,
+			   12757258,  -2462308,  -8680336, -18907032,  -9662799 },
+			{  -2415239, -15577728,  18312303,   4964443, -15272530,
+			  -12653564,  26820651,  16690659,  25459437,  -4564609 },
+			{ -25144690,  11425020,  28423002, -11020557,  -6144921,
+			  -15826224,   9142795,  -2391602,  -6432418,  -1644817 }
+		},
+		{
+			{ -23104652,   6253476,  16964147,  -3768872, -25113972,
+			  -12296437, -27457225, -16344658,   6335692,   7249989 },
+			{ -30333227,  13979675,   7503222, -12368314, -11956721,
+			   -4621693, -30272269,   2682242,  25993170, -12478523 },
+			{   4364628,   5930691,  32304656, -10044554,  -8054781,
+			   15091131,  22857016, -10598955,  31820368,  15075278 }
+		},
+		{
+			{  31879134,  -8918693,  17258761,     90626,  -8041836,
+			   -4917709,  24162788,  -9650886, -17970238,  12833045 },
+			{  19073683,  14851414, -24403169, -11860168,   7625278,
+			   11091125, -19619190,   2074449,  -9413939,  14905377 },
+			{  24483667, -11935567,  -2518866, -11547418,  -1553130,
+			   15355506, -25282080,   9253129,  27628530,  -7555480 }
+		},
+		{
+			{  17597607,   8340603,  19355617,    552187,  26198470,
+			   -3176583,   4593324,  -9157582, -14110875,  15297016 },
+			{    510886,  14337390, -31785257,  16638632,   6328095,
+			    2713355, -20217417, -11864220,   8683221,   2921426 },
+			{  18606791,  11874196,  27155355,  -5281482, -24031742,
+			    6265446, -25178240,  -1278924,   4674690,  13890525 }
+		},
+		{
+			{  13609624,  13069022, -27372361, -13055908,  24360586,
+			    9592974,  14977157,   9835105,   4389687,    288396 },
+			{   9922506,   -519394,  13613107,   5883594, -18758345,
+			    -434263, -12304062,   8317628,  23388070,  16052080 },
+			{  12720016,  11937594, -31970060,  -5028689,  26900120,
+			    8561328, -20155687, -11632979, -14754271, -10812892 }
+		},
+		{
+			{  15961858,  14150409,  26716931,   -665832, -22794328,
+			   13603569,  11829573,   7467844, -28822128,    929275 },
+			{  11038231, -11582396, -27310482,  -7316562, -10498527,
+			  -16307831, -23479533,  -9371869, -21393143,   2465074 },
+			{  20017163,  -4323226,  27915242,   1529148,  12396362,
+			   15675764,  13817261,  -9658066,   2463391,  -4622140 }
+		},
+		{
+			{ -16358878, -12663911, -12065183,   4996454,  -1256422,
+			    1073572,   9583558,  12851107,   4003896,  12673717 },
+			{  -1731589, -15155870,  -3262930,  16143082,  19294135,
+			   13385325,  14741514,  -9103726,   7903886,   2348101 },
+			{  24536016, -16515207,  12715592,  -3862155,   1511293,
+			   10047386,  -3842346,  -7129159, -28377538,  10048127 }
+		}
+	},
+	{
+		{
+			{ -12622226,  -6204820,  30718825,   2591312, -10617028,
+			   12192840,  18873298,  -7297090, -32297756,  15221632 },
+			{ -26478122, -11103864,  11546244,  -1852483,   9180880,
+			    7656409, -21343950,   2095755,  29769758,   6593415 },
+			{ -31994208,  -2907461,   4176912,   3264766,  12538965,
+			    -868111,  26312345,  -6118678,  30958054,   8292160 }
+		},
+		{
+			{  31429822, -13959116,  29173532,  15632448,  12174511,
+			   -2760094,  32808831,   3977186,  26143136,  -3148876 },
+			{  22648901,   1402143, -22799984,  13746059,   7936347,
+			     365344,  -8668633,  -1674433,  -3758243,  -2304625 },
+			{ -15491917,   8012313,  -2514730, -12702462, -23965846,
+			  -10254029,  -1612713,  -1535569, -16664475,   8194478 }
+		},
+		{
+			{  27338066,  -7507420,  -7414224,  10140405, -19026427,
+			   -6589889,  27277191,   8855376,  28572286,   3005164 },
+			{  26287124,   4821776,  25476601,  -4145903,  -3764513,
+			  -15788984, -18008582,   1182479, -26094821, -13079595 },
+			{  -7171154,   3178080,  23970071,   6201893, -17195577,
+			   -4489192, -21876275, -13982627,  32208683,  -1198248 }
+		},
+		{
+			{ -16657702,   2817643, -10286362,  14811298,   6024667,
+			   13349505, -27315504, -10497842, -27672585, -11539858 },
+			{  15941029,  -9405932, -21367050,   8062055,  31876073,
+			    -238629, -15278393,  -1444429,  15397331,  -4130193 },
+			{   8934485, -13485467, -23286397, -13423241, -32446090,
+			   14047986,  31170398,  -1441021, -27505566,  15087184 }
+		},
+		{
+			{ -18357243,  -2156491,  24524913, -16677868,  15520427,
+			   -6360776, -15502406,  11461896,  16788528,  -5868942 },
+			{  -1947386,  16013773,  21750665,   3714552, -17401782,
+			  -16055433,  -3770287, -10323320,  31322514, -11615635 },
+			{  21426655,  -5650218, -13648287,  -5347537, -28812189,
+			   -4920970, -18275391, -14621414,  13040862, -12112948 }
+		},
+		{
+			{  11293895,  12478086, -27136401,  15083750, -29307421,
+			   14748872,  14555558, -13417103,   1613711,   4896935 },
+			{ -25894883,  15323294,  -8489791,  -8057900,  25967126,
+			  -13425460,   2825960,  -4897045, -23971776, -11267415 },
+			{ -15924766,  -5229880, -17443532,   6410664,   3622847,
+			   10243618,  20615400,  12405433, -23753030,  -8436416 }
+		},
+		{
+			{  -7091295,  12556208, -20191352,   9025187, -17072479,
+			    4333801,   4378436,   2432030,  23097949,   -566018 },
+			{   4565804, -16025654,  20084412,  -7842817,   1724999,
+			     189254,  24767264,  10103221, -18512313,   2424778 },
+			{    366633, -11976806,   8173090,  -6890119,  30788634,
+			    5745705,  -7168678,   1344109,  -3642553,  12412659 }
+		},
+		{
+			{ -24001791,   7690286,  14929416,   -168257, -32210835,
+			  -13412986,  24162697, -15326504,  -3141501,  11179385 },
+			{  18289522, -14724954,   8056945,  16430056, -21729724,
+			    7842514,  -6001441,  -1486897, -18684645, -11443503 },
+			{    476239,   6601091,  -6152790,  -9723375,  17503545,
+			   -4863900,  27672959,  13403813,  11052904,   5219329 }
+		}
+	},
+	{
+		{
+			{  20678546,  -8375738, -32671898,   8849123,  -5009758,
+			   14574752,  31186971,  -3973730,   9014762,  -8579056 },
+			{ -13644050, -10350239, -15962508,   5075808,  -1514661,
+			  -11534600, -33102500,   9160280,   8473550,  -3256838 },
+			{  24900749,  14435722,  17209120, -15292541, -22592275,
+			    9878983,  -7689309, -16335821, -24568481,  11788948 }
+		},
+		{
+			{  -3118155, -11395194, -13802089,  14797441,   9652448,
+			   -6845904, -20037437,  10410733, -24568470,  -1458691 },
+			{ -15659161,  16736706, -22467150,  10215878,  -9097177,
+			    7563911,  11871841, -12505194, -18513325,   8464118 },
+			{ -23400612,   8348507, -14585951,   -861714,  -3950205,
+			   -6373419,  14325289,   8628612,  33313881,  -8370517 }
+		},
+		{
+			{ -20186973,  -4967935,  22367356,   5271547,  -1097117,
+			   -4788838, -24805667, -10236854,  -8940735,  -5818269 },
+			{  -6948785,  -1795212, -32625683, -16021179,  32635414,
+			   -7374245,  15989197, -12838188,  28358192,  -4253904 },
+			{ -23561781,  -2799059, -32351682,  -1661963,  -9147719,
+			   10429267, -16637684,   4072016,  -5351664,   5596589 }
+		},
+		{
+			{ -28236598,  -3390048,  12312896,   6213178,   3117142,
+			   16078565,  29266239,   2557221,   1768301,  15373193 },
+			{  -7243358,  -3246960,  -4593467,  -7553353,   -127927,
+			    -912245,  -1090902,  -4504991, -24660491,   3442910 },
+			{ -30210571,   5124043,  14181784,   8197961,  18964734,
+			  -11939093,  22597931,   7176455, -18585478,  13365930 }
+		},
+		{
+			{  -7877390,  -1499958,   8324673,   4690079,   6261860,
+			     890446,  24538107,  -8570186,  -9689599,  -3031667 },
+			{  25008904, -10771599,  -4305031,  -9638010,  16265036,
+			   15721635,    683793, -11823784,  15723479, -15163481 },
+			{  -9660625,  12374379, -27006999,  -7026148,  -7724114,
+			  -12314514,  11879682,   5400171,    519526,  -1235876 }
+		},
+		{
+			{  22258397, -16332233,  -7869817,  14613016, -22520255,
+			   -2950923, -20353881,   7315967,  16648397,   7605640 },
+			{  -8081308,  -8464597,  -8223311,   9719710,  19259459,
+			  -15348212,  23994942,  -5281555,  -9468848,   4763278 },
+			{ -21699244,   9220969, -15730624,   1084137, -25476107,
+			   -2852390,  31088447,  -7764523, -11356529,    728112 }
+		},
+		{
+			{  26047220, -11751471,  -6900323, -16521798,  24092068,
+			    9158119,  -4273545, -12555558, -29365436,  -5498272 },
+			{  17510331,   -322857,   5854289,   8403524,  17133918,
+			   -3112612, -28111007,  12327945,  10750447,  10014012 },
+			{ -10312768,   3936952,   9156313,  -8897683,  16498692,
+			    -994647, -27481051,   -666732,   3424691,   7540221 }
+		},
+		{
+			{  30322361,  -6964110,  11361005,  -4143317,   7433304,
+			    4989748,  -7071422, -16317219,  -9244265,  15258046 },
+			{  13054562,  -2779497,  19155474,    469045, -12482797,
+			    4566042,   5631406,   2711395,   1062915,  -5136345 },
+			{ -19240248, -11254599, -29509029,  -7499965,  -5835763,
+			   13005411,  -6066489,  12194497,  32960380,   1459310 }
+		}
+	},
+	{
+		{
+			{  19852034,   7027924,  23669353,  10020366,   8586503,
+			   -6657907,    394197,  -6101885,  18638003, -11174937 },
+			{  31395534,  15098109,  26581030,   8030562, -16527914,
+			   -5007134,   9012486,  -7584354,  -6643087,  -5442636 },
+			{  -9192165,  -2347377,  -1997099,   4529534,  25766844,
+			     607986,    -13222,   9677543, -32294889,  -6456008 }
+		},
+		{
+			{  -2444496,   -149937,  29348902,   8186665,   1873760,
+			   12489863, -30934579,  -7839692,  -7852844,  -8138429 },
+			{ -15236356, -15433509,   7766470,    746860,  26346930,
+			  -10221762, -27333451,  10754588,  -9431476,   5203576 },
+			{  31834314,  14135496,   -770007,   5159118,  20917671,
+			  -16768096,  -7467973,  -7337524,  31809243,   7347066 }
+		},
+		{
+			{  -9606723, -11874240,  20414459,  13033986,  13716524,
+			  -11691881,  19797970, -12211255,  15192876,  -2087490 },
+			{ -12663563,  -2181719,   1168162,  -3804809,  26747877,
+			  -14138091,  10609330,  12694420,  33473243, -13382104 },
+			{  33184999,  11180355,  15832085, -11385430,  -1633671,
+			     225884,  15089336, -11023903,  -6135662,  14480053 }
+		},
+		{
+			{  31308717,  -5619998,  31030840,  -1897099,  15674547,
+			   -6582883,   5496208,  13685227,  27595050,   8737275 },
+			{ -20318852, -15150239,  10933843, -16178022,   8335352,
+			   -7546022, -31008351, -12610604,  26498114,     66511 },
+			{  22644454,  -8761729, -16671776,   4884562,  -3105614,
+			  -13559366,  30540766,  -4286747, -13327787,  -7515095 }
+		},
+		{
+			{ -28017847,   9834845,  18617207,  -2681312,  -3401956,
+			  -13307506,   8205540,  13585437, -17127465,  15115439 },
+			{  23711543,   -672915,  31206561,  -8362711,   6164647,
+			   -9709987, -33535882,  -1426096,   8236921,  16492939 },
+			{ -23910559, -13515526, -26299483,  -4503841,  25005590,
+			   -7687270,  19574902,  10071562,   6708380,  -6222424 }
+		},
+		{
+			{   2101391,  -4930054,  19702731,   2367575, -15427167,
+			    1047675,   5301017,   9328700,  29955601, -11678310 },
+			{   3096359,   9271816, -21620864, -15521844, -14847996,
+			   -7592937, -25892142, -12635595,  -9917575,   6216608 },
+			{ -32615849,    338663, -25195611,   2510422, -29213566,
+			  -13820213,  24822830,  -6146567, -26767480,   7525079 }
+		},
+		{
+			{ -23066649, -13985623,  16133487,  -7896178,  -3389565,
+			     778788,   -910336,  -2782495, -19386633,  11994101 },
+			{  21691500, -13624626,   -641331, -14367021,   3285881,
+			   -3483596, -25064666,   9718258,  -7477437,  13381418 },
+			{  18445390,  -4202236,  14979846,  11622458,  -1727110,
+			   -3582980,  23111648,  -6375247,  28535282,  15779576 }
+		},
+		{
+			{  30098053,   3089662,  -9234387,  16662135, -21306940,
+			   11308411, -14068454,  12021730,   9955285, -16303356 },
+			{   9734894, -14576830,  -7473633,  -9138735,   2060392,
+			   11313496, -18426029,   9924399,  20194861,  13380996 },
+			{ -26378102,  -7965207, -22167821,  15789297, -18055342,
+			   -6168792,  -1984914,  15707771,  26342023,  10146099 }
+		}
+	},
+	{
+		{
+			{ -26016874,   -219943,  21339191,    -41388,  19745256,
+			   -2878700, -29637280,   2227040,  21612326,   -545728 },
+			{ -13077387,   1184228,  23562814,  -5970442, -20351244,
+			   -6348714,  25764461,  12243797, -20856566,  11649658 },
+			{ -10031494,  11262626,  27384172,   2271902,  26947504,
+			  -15997771,     39944,   6114064,  33514190,   2333242 }
+		},
+		{
+			{ -21433588, -12421821,   8119782,   7219913, -21830522,
+			   -9016134,  -6679750, -12670638,  24350578, -13450001 },
+			{  -4116307, -11271533, -23886186,   4843615, -30088339,
+			     690623, -31536088, -10406836,   8317860,  12352766 },
+			{  18200138, -14475911, -33087759,  -2696619, -23702521,
+			   -9102511, -23552096,  -2287550,  20712163,   6719373 }
+		},
+		{
+			{  26656208,   6075253,  -7858556,   1886072, -28344043,
+			    4262326,  11117530,  -3763210,  26224235,  -3297458 },
+			{ -17168938, -14854097,  -3395676, -16369877, -19954045,
+			   14050420,  21728352,   9493610,  18620611, -16428628 },
+			{ -13323321,  13325349,  11432106,   5964811,  18609221,
+			    6062965,  -5269471,  -9725556, -30701573, -16479657 }
+		},
+		{
+			{ -23860538, -11233159,  26961357,   1640861, -32413112,
+			  -16737940,  12248509,  -5240639,  13735342,   1934062 },
+			{  25089769,   6742589,  17081145, -13406266,  21909293,
+			  -16067981, -15136294,  -3765346, -21277997,   5473616 },
+			{  31883677,  -7961101,   1083432, -11572403,  22828471,
+			   13290673,  -7125085,  12469656,  29111212,  -5451014 }
+		},
+		{
+			{  24244947, -15050407, -26262976,   2791540, -14997599,
+			   16666678,  24367466,   6388839, -10295587,    452383 },
+			{ -25640782,  -3417841,   5217916,  16224624,  19987036,
+			   -4082269, -24236251,  -5915248,  15766062,   8407814 },
+			{ -20406999,  13990231,  15495425,  16395525,   5377168,
+			   15166495,  -8917023,  -4388953,  -8067909,   2276718 }
+		},
+		{
+			{  30157918,  12924066, -17712050,   9245753,  19895028,
+			    3368142, -23827587,   5096219,  22740376,  -7303417 },
+			{   2041139, -14256350,   7783687,  13876377, -25946985,
+			  -13352459,  24051124,  13742383, -15637599,  13295222 },
+			{  33338237,  -8505733,  12532113,   7977527,   9106186,
+			   -1715251, -17720195,  -4612972,  -4451357, -14669444 }
+		},
+		{
+			{ -20045281,   5454097, -14346548,   6447146,  28862071,
+			    1883651,  -2469266,  -4141880,   7770569,   9620597 },
+			{  23208068,   7979712,  33071466,   8149229,   1758231,
+			  -10834995,  30945528,  -1694323, -33502340, -14767970 },
+			{   1439958, -16270480,  -1079989,   -793782,   4625402,
+			   10647766,  -5043801,   1220118,  30494170, -11440799 }
+		},
+		{
+			{  -5037580, -13028295,  -2970559,  -3061767,  15640974,
+			   -6701666, -26739026,    926050,  -1684339, -13333647 },
+			{  13908495,  -3549272,  30919928,  -6273825, -21521863,
+			    7989039,   9021034,   9078865,   3353509,   4033511 },
+			{ -29663431, -15113610,  32259991,   -344482,  24295849,
+			  -12912123,  23161163,   8839127,  27485041,   7356032 }
+		}
+	},
+	{
+		{
+			{   9661027,    705443,  11980065,  -5370154,  -1628543,
+			   14661173,  -6346142,   2625015,  28431036, -16771834 },
+			{ -23839233,  -8311415, -25945511,   7480958, -17681669,
+			   -8354183, -22545972,  14150565,  15970762,   4099461 },
+			{  29262576,  16756590,  26350592,  -8793563,   8529671,
+			  -11208050,  13617293,  -9937143,  11465739,   8317062 }
+		},
+		{
+			{ -25493081,  -6962928,  32500200,  -9419051, -23038724,
+			   -2302222,  14898637,   3848455,  20969334,  -5157516 },
+			{ -20384450, -14347713, -18336405,  13884722, -33039454,
+			    2842114, -21610826,  -3649888,  11177095,  14989547 },
+			{ -24496721, -11716016,  16959896,   2278463,  12066309,
+			   10137771,  13515641,   2581286, -28487508,   9930240 }
+		},
+		{
+			{ -17751622,  -2097826,  16544300, -13009300, -15914807,
+			  -14949081,  18345767, -13403753,  16291481,  -5314038 },
+			{ -33229194,   2553288,  32678213,   9875984,   8534129,
+			    6889387,  -9676774,   6957617,   4368891,   9788741 },
+			{  16660756,   7281060, -10830758,  12911820,  20108584,
+			   -8101676, -21722536,  -8613148,  16250552, -11111103 }
+		},
+		{
+			{ -19765507,   2390526, -16551031,  14161980,   1905286,
+			    6414907,   4689584,  10604807, -30190403,   4782747 },
+			{  -1354539,  14736941,  -7367442, -13292886,   7710542,
+			  -14155590,  -9981571,   4383045,  22546403,    437323 },
+			{  31665577, -12180464, -16186830,   1491339, -18368625,
+			    3294682,  27343084,   2786261, -30633590, -14097016 }
+		},
+		{
+			{ -14467279,   -683715, -33374107,   7448552,  19294360,
+			   14334329, -19690631,   2355319, -19284671,  -6114373 },
+			{  15121312, -15796162,   6377020,  -6031361, -10798111,
+			  -12957845,  18952177,  15496498, -29380133,  11754228 },
+			{  -2637277, -13483075,   8488727, -14303896,  12728761,
+			   -1622493,   7141596,  11724556,  22761615, -10134141 }
+		},
+		{
+			{  16918416,  11729663, -18083579,   3022987, -31015732,
+			  -13339659, -28741185, -12227393,  32851222,  11717399 },
+			{  11166634,   7338049,  -6722523,   4531520, -29468672,
+			   -7302055,  31474879,   3483633,  -1193175,  -4030831 },
+			{   -185635,   9921305,  31456609, -13536438, -12013818,
+			   13348923,  33142652,   6546660, -19985279,  -3948376 }
+		},
+		{
+			{ -32460596,  11266712, -11197107,  -7899103,  31703694,
+			    3855903,  -8537131, -12833048, -30772034, -15486313 },
+			{ -18006477,  12709068,   3991746,  -6479188, -21491523,
+			  -10550425, -31135347, -16049879,  10928917,   3011958 },
+			{  -6957757, -15594337,  31696059,    334240,  29576716,
+			   14796075, -30831056, -12805180,  18008031,  10258577 }
+		},
+		{
+			{ -22448644,  15655569,   7018479,  -4410003, -30314266,
+			   -1201591,  -1853465,   1367120,  25127874,   6671743 },
+			{  29701166, -14373934, -10878120,   9279288,    -17568,
+			   13127210,  21382910,  11042292,  25838796,   4642684 },
+			{ -20430234,  14955537, -24126347,   8124619,  -5369288,
+			   -5990470,  30468147, -13900640,  18423289,   4177476 }
+		}
+	}
diff --git a/src/libstrongswan/plugins/curve25519/ref10/base2.h b/src/libstrongswan/plugins/curve25519/ref10/base2.h
new file mode 100644
index 0000000..f0f2b19
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/ref10/base2.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Based on the public domain libsodium adaptation by Frank Denis
+ * of the SUPERCOP ref10 implementation by  Daniel J. Bernstein,
+ * Niels Duif, Peter Schwabe, Tanja Lange and Bo-Yin Yang.
+ */
+
+	{
+		{  25967493, -14356035,  29566456,   3660896, -12694345,
+		    4014787,  27544626, -11754271,  -6079156,   2047605 },
+		{ -12545711,    934262,  -2722910,   3049990,   -727428,
+		    9406986,  12720692,   5043384,  19500929, -15469378 },
+		{  -8738181,   4489570,   9688441, -14785194,  10184609,
+		  -12363380,  29287919,  11864899, -24514362,  -4438546 }
+	},
+	{
+		{  15636291,  -9688557,  24204773,  -7912398,    616977,
+		  -16685262,  27787600, -14772189,  28944400,  -1550024 },
+		{  16568933,   4717097, -11556148,  -1102322,  15682896,
+		  -11807043,  16354577, -11775962,   7689662,  11199574 },
+		{  30464156,  -5976125, -11779434, -15670865,  23220365,
+		   15915852,   7512774,  10017326, -17749093,  -9920357 }
+	},
+	{
+		{  10861363,  11473154,  27284546,   1981175, -30064349,
+		   12577861,  32867885,  14515107, -15438304,  10819380 },
+		{   4708026,   6336745,  20377586,   9066809, -11272109,
+		    6594696, -25653668,  12483688, -12668491,   5581306 },
+		{  19563160,  16186464, -29386857,   4097519,  10237984,
+		   -4348115,  28542350,  13850243, -23678021, -15815942 }
+	},
+	{
+		{   5153746,   9909285,   1723747,  -2777874,  30523605,
+		    5516873,  19480852,   5230134, -23952439, -15175766 },
+		{ -30269007,  -3463509,   7665486,  10083793,  28475525,
+		    1649722,  20654025,  16520125,  30598449,   7715701 },
+		{  28881845,  14381568,   9657904,   3680757, -20181635,
+		    7843316, -31400660,   1370708,  29794553,  -1409300 }
+	},
+	{
+		{ -22518993,  -6692182,  14201702,  -8745502, -23510406,
+		    8844726,  18474211,  -1361450, -13062696,  13821877 },
+		{  -6455177,  -7839871,   3374702,  -4740862, -27098617,
+		  -10571707,  31655028,  -7212327,  18853322, -14220951 },
+		{   4566830, -12963868, -28974889, -12240689,  -7602672,
+		   -2830569,  -8514358, -10431137,   2207753,  -3209784 }
+	},
+	{
+		{ -25154831,  -4185821,  29681144,   7868801,  -6854661,
+		   -9423865, -12437364,   -663000, -31111463, -16132436 },
+		{  25576264,  -2703214,   7349804, -11814844,  16472782,
+		    9300885,   3844789,  15725684,    171356,   6466918 },
+		{  23103977,  13316479,   9739013, -16149481,    817875,
+		  -15038942,   8965339, -14088058, -30714912,  16193877 }
+	},
+	{
+		{ -33521811,   3180713,  -2394130,  14003687, -16903474,
+		  -16270840,  17238398,   4729455, -18074513,   9256800 },
+		{ -25182317,  -4174131,  32336398,   5036987, -21236817,
+		   11360617,  22616405,   9761698, -19827198,    630305 },
+		{ -13720693,   2639453, -24237460,  -7406481,   9494427,
+		   -5774029,  -6554551, -15960994,  -2449256, -14291300 }
+	},
+	{
+		{  -3151181,  -5046075,   9282714,   6866145, -31907062,
+		    -863023, -18940575,  15033784,  25105118,  -7894876 },
+		{ -24326370,  15950226, -31801215, -14592823, -11662737,
+		   -5090925,   1573892,  -2625887,   2198790, -15804619 },
+		{  -3099351,  10324967,  -2241613,   7453183,  -5446979,
+		   -2735503, -13812022, -16236442, -32461234, -12290683 }
+	}
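Review bot: This new header is a bare initializer fragment, and nothing in it says which array it fills, what the eight entries of three ten-limb values represent, or which upstream file and revision the numbers were copied from. A single wrong constant here would still compile and would probably only show up as incorrect curve arithmetic, so I would add a comment under the copyright block such as `/* Precomputed point table, #included inside an array initializer; values must match upstream ref10 base2.h exactly. */` and name the exact upstream source. The include site is outside this hunk, so the array's name and type (presumably in ref10.c) should be confirmed there. A known-answer test on the code path that reads this table would catch an accidental or malicious edit during a future upstream import.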
diff --git a/src/libstrongswan/plugins/curve25519/ref10/ref10.c b/src/libstrongswan/plugins/curve25519/ref10/ref10.c
new file mode 100644
index 0000000..1e6ff77
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/ref10/ref10.c
@@ -0,0 +1,2731 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Based on the public domain libsodium adaptation by Frank Denis
+ * of the SUPERCOP ref10 implementation by  Daniel J. Bernstein,
+ * Niels Duif, Peter Schwabe, Tanja Lange and Bo-Yin Yang.
+ */
+
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "ref10.h"
+
+#include <utils/utils.h>
+
+static uint64_t load_3(const uint8_t *in)
+{
+	uint64_t result;
+
+	result = (uint64_t) in[0];
+	result |= ((uint64_t) in[1]) << 8;
+	result |= ((uint64_t) in[2]) << 16;
+
+	return result;
+}
+
+static uint64_t load_4(const uint8_t *in)
+{
+	uint64_t result;
+
+	result = (uint64_t) in[0];
+	result |= ((uint64_t) in[1]) << 8;
+	result |= ((uint64_t) in[2]) << 16;
+	result |= ((uint64_t) in[3]) << 24;
+
+	return result;
+}
+
+/**
+ * h = 0
+ */
+static void fe_0(fe h)
+{
+	memset(&h[0], 0, 10 * sizeof h[0]);
+}
+
+/**
+ * h = 1
+ */
+static void fe_1(fe h)
+{
+	h[0] = 1;
+	h[1] = 0;
+	memset(&h[2], 0, 8 * sizeof h[0]);
+}
+
+/**
+ * h = f + g
+ * Can overlap h with f or g.
+ *
+ * Preconditions:
+ * |f| bounded by 1.1*2^25, 1.1*2^24, 1.1*2^25, 1.1*2^24, etc.
+ * |g| bounded by 1.1*2^25, 1.1*2^24, 1.1*2^25, 1.1*2^24, etc.
+ *
+ * Postconditions:
+ * |h| bounded by 1.1*2^26, 1.1*2^25, 1.1*2^26, 1.1*2^25, etc.
+ */
+static void fe_add(fe h, const fe f, const fe g)
+{
+	int32_t f0 = f[0];
+	int32_t f1 = f[1];
+	int32_t f2 = f[2];
+	int32_t f3 = f[3];
+	int32_t f4 = f[4];
+	int32_t f5 = f[5];
+	int32_t f6 = f[6];
+	int32_t f7 = f[7];
+	int32_t f8 = f[8];
+	int32_t f9 = f[9];
+
+	int32_t g0 = g[0];
+	int32_t g1 = g[1];
+	int32_t g2 = g[2];
+	int32_t g3 = g[3];
+	int32_t g4 = g[4];
+	int32_t g5 = g[5];
+	int32_t g6 = g[6];
+	int32_t g7 = g[7];
+	int32_t g8 = g[8];
+	int32_t g9 = g[9];
+
+	int32_t h0 = f0 + g0;
+	int32_t h1 = f1 + g1;
+	int32_t h2 = f2 + g2;
+	int32_t h3 = f3 + g3;
+	int32_t h4 = f4 + g4;
+	int32_t h5 = f5 + g5;
+	int32_t h6 = f6 + g6;
+	int32_t h7 = f7 + g7;
+	int32_t h8 = f8 + g8;
+	int32_t h9 = f9 + g9;
+
+	h[0] = h0;
+	h[1] = h1;
+	h[2] = h2;
+	h[3] = h3;
+	h[4] = h4;
+	h[5] = h5;
+	h[6] = h6;
+	h[7] = h7;
+	h[8] = h8;
+	h[9] = h9;
+}
+
+/**
+ * Replace (f,g) with (g,g) if b == 1;
+ * replace (f,g) with (f,g) if b == 0.
+ *
+ * Preconditions: b in {0,1}.
+ */
+static void fe_cmov(fe f, const fe g, unsigned int b)
+{
+	int32_t f0 = f[0];
+	int32_t f1 = f[1];
+	int32_t f2 = f[2];
+	int32_t f3 = f[3];
+	int32_t f4 = f[4];
+	int32_t f5 = f[5];
+	int32_t f6 = f[6];
+	int32_t f7 = f[7];
+	int32_t f8 = f[8];
+	int32_t f9 = f[9];
+
+	int32_t g0 = g[0];
+	int32_t g1 = g[1];
+	int32_t g2 = g[2];
+	int32_t g3 = g[3];
+	int32_t g4 = g[4];
+	int32_t g5 = g[5];
+	int32_t g6 = g[6];
+	int32_t g7 = g[7];
+	int32_t g8 = g[8];
+	int32_t g9 = g[9];
+
+	int32_t x0 = f0 ^ g0;
+	int32_t x1 = f1 ^ g1;
+	int32_t x2 = f2 ^ g2;
+	int32_t x3 = f3 ^ g3;
+	int32_t x4 = f4 ^ g4;
+	int32_t x5 = f5 ^ g5;
+	int32_t x6 = f6 ^ g6;
+	int32_t x7 = f7 ^ g7;
+	int32_t x8 = f8 ^ g8;
+	int32_t x9 = f9 ^ g9;
+
+	b = (unsigned int) (- (int) b);
+
+	x0 &= b;
+	x1 &= b;
+	x2 &= b;
+	x3 &= b;
+	x4 &= b;
+	x5 &= b;
+	x6 &= b;
+	x7 &= b;
+	x8 &= b;
+	x9 &= b;
+
+	f[0] = f0 ^ x0;
+	f[1] = f1 ^ x1;
+	f[2] = f2 ^ x2;
+	f[3] = f3 ^ x3;
+	f[4] = f4 ^ x4;
+	f[5] = f5 ^ x5;
+	f[6] = f6 ^ x6;
+	f[7] = f7 ^ x7;
+	f[8] = f8 ^ x8;
+	f[9] = f9 ^ x9;
+}
+
+/**
+ * h = f
+ */
+static void fe_copy(fe h, const fe f)
+{
+	int32_t f0 = f[0];
+	int32_t f1 = f[1];
+	int32_t f2 = f[2];
+	int32_t f3 = f[3];
+	int32_t f4 = f[4];
+	int32_t f5 = f[5];
+	int32_t f6 = f[6];
+	int32_t f7 = f[7];
+	int32_t f8 = f[8];
+	int32_t f9 = f[9];
+
+	h[0] = f0;
+	h[1] = f1;
+	h[2] = f2;
+	h[3] = f3;
+	h[4] = f4;
+	h[5] = f5;
+	h[6] = f6;
+	h[7] = f7;
+	h[8] = f8;
+	h[9] = f9;
+}
+
+/**
+ * Ignores top bit of h.
+ */
+static void fe_frombytes(fe h, const uint8_t *s)
+{
+	int64_t h0 = load_4(s);
+	int64_t h1 = load_3(s + 4) << 6;
+	int64_t h2 = load_3(s + 7) << 5;
+	int64_t h3 = load_3(s + 10) << 3;
+	int64_t h4 = load_3(s + 13) << 2;
+	int64_t h5 = load_4(s + 16);
+	int64_t h6 = load_3(s + 20) << 7;
+	int64_t h7 = load_3(s + 23) << 5;
+	int64_t h8 = load_3(s + 26) << 4;
+	int64_t h9 = (load_3(s + 29) & 8388607) << 2;
+
+	int64_t carry0, carry1, carry2, carry3, carry4;
+	int64_t carry5, carry6, carry7, carry8, carry9;
+
+	carry9 = (h9 + (int64_t) (1L << 24)) >> 25;
+	h0 += carry9 * 19;
+	h9 -= carry9 * ((uint64_t) 1L << 25);
+
+	carry1 = (h1 + (int64_t) (1L << 24)) >> 25;
+	h2 += carry1;
+	h1 -= carry1 * ((uint64_t) 1L << 25);
+
+	carry3 = (h3 + (int64_t) (1L << 24)) >> 25;
+	h4 += carry3;
+	h3 -= carry3 * ((uint64_t) 1L << 25);
+
+	carry5 = (h5 + (int64_t) (1L << 24)) >> 25;
+	h6 += carry5;
+	h5 -= carry5 * ((uint64_t) 1L << 25);
+
+	carry7 = (h7 + (int64_t) (1L << 24)) >> 25;
+	h8 += carry7;
+	h7 -= carry7 * ((uint64_t) 1L << 25);
+
+	carry0 = (h0 + (int64_t) (1L << 25)) >> 26;
+	h1 += carry0;
+	h0 -= carry0 * ((uint64_t) 1L << 26);
+
+	carry2 = (h2 + (int64_t) (1L << 25)) >> 26;
+	h3 += carry2;
+	h2 -= carry2 * ((uint64_t) 1L << 26);
+
+	carry4 = (h4 + (int64_t) (1L << 25)) >> 26;
+	h5 += carry4;
+	h4 -= carry4 * ((uint64_t) 1L << 26);
+
+	carry6 = (h6 + (int64_t) (1L << 25)) >> 26;
+	h7 += carry6;
+	h6 -= carry6 * ((uint64_t) 1L << 26);
+
+	carry8 = (h8 + (int64_t) (1L << 25)) >> 26;
+	h9 += carry8;
+	h8 -= carry8 * ((uint64_t) 1L << 26);
+
+	h[0] = (int32_t) h0;
+	h[1] = (int32_t) h1;
+	h[2] = (int32_t) h2;
+	h[3] = (int32_t) h3;
+	h[4] = (int32_t) h4;
+	h[5] = (int32_t) h5;
+	h[6] = (int32_t) h6;
+	h[7] = (int32_t) h7;
+	h[8] = (int32_t) h8;
+	h[9] = (int32_t) h9;
+}
+
+/**
+ * Preconditions:
+ * |h| bounded by 1.1*2^26, 1.1*2^25, 1.1*2^26, 1.1*2^25, etc.
+ *
+ * Write p=2^255-19; q=floor(h/p).
+ * Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
+ *
+ * Proof:
+ * Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
+ * Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
+ *
+ * Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
+ * Then 0<y<1.
+ *
+ * Write r=h-pq.
+ * Have 0<=r<=p-1=2^255-20.
+ * Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
+ *
+ * Write x=r+19(2^-255)r+y.
+ * Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
+ *
+ * Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
+ * so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
+ */
+static void fe_tobytes(uint8_t *s, const fe h)
+{
+	int32_t h0 = h[0];
+	int32_t h1 = h[1];
+	int32_t h2 = h[2];
+	int32_t h3 = h[3];
+	int32_t h4 = h[4];
+	int32_t h5 = h[5];
+	int32_t h6 = h[6];
+	int32_t h7 = h[7];
+	int32_t h8 = h[8];
+	int32_t h9 = h[9];
+
+	int32_t carry0, carry1, carry2, carry3, carry4;
+	int32_t carry5, carry6, carry7, carry8, carry9;
+	int32_t q;
+
+	q = (19 * h9 + ((uint32_t) 1L << 24)) >> 25;
+	q = (h0 + q) >> 26;
+	q = (h1 + q) >> 25;
+	q = (h2 + q) >> 26;
+	q = (h3 + q) >> 25;
+	q = (h4 + q) >> 26;
+	q = (h5 + q) >> 25;
+	q = (h6 + q) >> 26;
+	q = (h7 + q) >> 25;
+	q = (h8 + q) >> 26;
+	q = (h9 + q) >> 25;
+
+	/* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */
+	h0 += 19 * q;
+	/* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */
+
+	carry0 = h0 >> 26;
+	h1 += carry0;
+	h0 -= carry0 * ((uint32_t) 1L << 26);
+
+	carry1 = h1 >> 25;
+	h2 += carry1;
+	h1 -= carry1 * ((uint32_t) 1L << 25);
+
+	carry2 = h2 >> 26;
+	h3 += carry2;
+	h2 -= carry2 * ((uint32_t) 1L << 26);
+
+	carry3 = h3 >> 25;
+	h4 += carry3;
+	h3 -= carry3 * ((uint32_t) 1L << 25);
+
+	carry4 = h4 >> 26;
+	h5 += carry4;
+	h4 -= carry4 * ((uint32_t) 1L << 26);
+
+	carry5 = h5 >> 25;
+	h6 += carry5;
+	h5 -= carry5 * ((uint32_t) 1L << 25);
+
+	carry6 = h6 >> 26;
+	h7 += carry6;
+	h6 -= carry6 * ((uint32_t) 1L << 26);
+
+	carry7 = h7 >> 25;
+	h8 += carry7;
+	h7 -= carry7 * ((uint32_t) 1L << 25);
+
+	carry8 = h8 >> 26;
+	h9 += carry8;
+	h8 -= carry8 * ((uint32_t) 1L << 26);
+
+	carry9 = h9 >> 25;
+	h9 -= carry9 * ((uint32_t) 1L << 25);
+	/* h10 = carry9 */
+
+	/**
+	 * Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
+	 * Have h0+...+2^230 h9 between 0 and 2^255-1;
+	 * evidently 2^255 h10-2^255 q = 0.
+	 * Goal: Output h0+...+2^230 h9.
+	 */
+	s[0]  = h0 >> 0;
+	s[1]  = h0 >> 8;
+	s[2]  = h0 >> 16;
+	s[3]  = (h0 >> 24) | (h1 * ((uint32_t) 1 << 2));
+	s[4]  = h1 >> 6;
+	s[5]  = h1 >> 14;
+	s[6]  = (h1 >> 22) | (h2 * ((uint32_t) 1 << 3));
+	s[7]  = h2 >> 5;
+	s[8]  = h2 >> 13;
+	s[9]  = (h2 >> 21) | (h3 * ((uint32_t) 1 << 5));
+	s[10] = h3 >> 3;
+	s[11] = h3 >> 11;
+	s[12] = (h3 >> 19) | (h4 * ((uint32_t) 1 << 6));
+	s[13] = h4 >> 2;
+	s[14] = h4 >> 10;
+	s[15] = h4 >> 18;
+	s[16] = h5 >> 0;
+	s[17] = h5 >> 8;
+	s[18] = h5 >> 16;
+	s[19] = (h5 >> 24) | (h6 * ((uint32_t) 1 << 1));
+	s[20] = h6 >> 7;
+	s[21] = h6 >> 15;
+	s[22] = (h6 >> 23) | (h7 * ((uint32_t) 1 << 3));
+	s[23] = h7 >> 5;
+	s[24] = h7 >> 13;
+	s[25] = (h7 >> 21) | (h8 * ((uint32_t) 1 << 4));
+	s[26] = h8 >> 4;
+	s[27] = h8 >> 12;
+	s[28] = (h8 >> 20) | (h9 * ((uint32_t) 1 << 6));
+	s[29] = h9 >> 2;
+	s[30] = h9 >> 10;
+	s[31] = h9 >> 18;
+}
+
+/**
+ * return 1 if f is in {1,3,5,...,q-2}
+ * return 0 if f is in {0,2,4,...,q-1}
+ *
+ * Preconditions:
+ * |f| bounded by 1.1*2^26, 1.1*2^25, 1.1*2^26, 1.1*2^25, etc.
+ */
+static int fe_isnegative(const fe f)
+{
+	uint8_t s[32];
+
+	fe_tobytes(s,f);
+
+	return s[0] & 1;
+}
+
+/**
+ * return 1 if f != 0
+ * return 0 if f == 0
+ *
+ * Preconditions:
+ * |f| bounded by 1.1*2^26, 1.1*2^25, 1.1*2^26, 1.1*2^25,etc.
+ */
+static uint8_t zero[32];
+
+static int fe_isnonzero(const fe f)
+{
+	uint8_t s[32];
+
+	fe_tobytes(s, f);
+
+	return !memeq_const(s, zero, 32);
+}
+
+/**
+ * h = f * g
+ * Can overlap h with f or g.
+ *
+ * Preconditions:
+ * |f| bounded by 1.65*2^26, 1.65*2^25, 1.65*2^26, 1.65*2^25, etc.
+ * |g| bounded by 1.65*2^26, 1.65*2^25, 1.65*2^26, 1.65*2^25, etc.
+ *
+ * Postconditions:
+ * |h| bounded by 1.01*2^25, 1.01*2^24, 1.01*2^25, 1.01*2^24, etc.
+ */
+
+/**
+ * Notes on implementation strategy:
+ *
+ * Using schoolbook multiplication.
+ * Karatsuba would save a little in some cost models.
+ *
+ * Most multiplications by 2 and 19 are 32-bit precomputations;
+ * cheaper than 64-bit postcomputations.
+ *
+ * There is one remaining multiplication by 19 in the carry chain;
+ * one *19 precomputation can be merged into this,
+ * but the resulting data flow is considerably less clean.
+ *
+ * There are 12 carries below.
+ * 10 of them are 2-way parallelizable and vectorizable.
+ * Can get away with 11 carries, but then data flow is much deeper.
+ *
+ * With tighter constraints on inputs can squeeze carries into int32.
+ */
+
+static void fe_mul(fe h, const fe f, const fe g)
+{
+	int32_t f0 = f[0];
+	int32_t f1 = f[1];
+	int32_t f2 = f[2];
+	int32_t f3 = f[3];
+	int32_t f4 = f[4];
+	int32_t f5 = f[5];
+	int32_t f6 = f[6];
+	int32_t f7 = f[7];
+	int32_t f8 = f[8];
+	int32_t f9 = f[9];
+
+	int32_t g0 = g[0];
+	int32_t g1 = g[1];
+	int32_t g2 = g[2];
+	int32_t g3 = g[3];
+	int32_t g4 = g[4];
+	int32_t g5 = g[5];
+	int32_t g6 = g[6];
+	int32_t g7 = g[7];
+	int32_t g8 = g[8];
+	int32_t g9 = g[9];
+
+	int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
+	int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
+	int32_t g3_19 = 19 * g3;
+	int32_t g4_19 = 19 * g4;
+	int32_t g5_19 = 19 * g5;
+	int32_t g6_19 = 19 * g6;
+	int32_t g7_19 = 19 * g7;
+	int32_t g8_19 = 19 * g8;
+	int32_t g9_19 = 19 * g9;
+
+	int32_t f1_2 = 2 * f1;
+	int32_t f3_2 = 2 * f3;
+	int32_t f5_2 = 2 * f5;
+	int32_t f7_2 = 2 * f7;
+	int32_t f9_2 = 2 * f9;
+
+	int64_t f0g0	= f0   * (int64_t) g0;
+	int64_t f0g1	= f0   * (int64_t) g1;
+	int64_t f0g2	= f0   * (int64_t) g2;
+	int64_t f0g3	= f0   * (int64_t) g3;
+	int64_t f0g4	= f0   * (int64_t) g4;
+	int64_t f0g5	= f0   * (int64_t) g5;
+	int64_t f0g6	= f0   * (int64_t) g6;
+	int64_t f0g7	= f0   * (int64_t) g7;
+	int64_t f0g8	= f0   * (int64_t) g8;
+	int64_t f0g9	= f0   * (int64_t) g9;
+
+	int64_t f1g0	= f1   * (int64_t) g0;
+	int64_t f1g1_2  = f1_2 * (int64_t) g1;
+	int64_t f1g2	= f1   * (int64_t) g2;
+	int64_t f1g3_2  = f1_2 * (int64_t) g3;
+	int64_t f1g4	= f1   * (int64_t) g4;
+	int64_t f1g5_2  = f1_2 * (int64_t) g5;
+	int64_t f1g6	= f1   * (int64_t) g6;
+	int64_t f1g7_2  = f1_2 * (int64_t) g7;
+	int64_t f1g8	= f1   * (int64_t) g8;
+	int64_t f1g9_38 = f1_2 * (int64_t) g9_19;
+
+	int64_t f2g0	= f2   * (int64_t) g0;
+	int64_t f2g1	= f2   * (int64_t) g1;
+	int64_t f2g2	= f2   * (int64_t) g2;
+	int64_t f2g3	= f2   * (int64_t) g3;
+	int64_t f2g4	= f2   * (int64_t) g4;
+	int64_t f2g5	= f2   * (int64_t) g5;
+	int64_t f2g6	= f2   * (int64_t) g6;
+	int64_t f2g7	= f2   * (int64_t) g7;
+	int64_t f2g8_19 = f2   * (int64_t) g8_19;
+	int64_t f2g9_19 = f2   * (int64_t) g9_19;
+
+	int64_t f3g0	= f3   * (int64_t) g0;
+	int64_t f3g1_2  = f3_2 * (int64_t) g1;
+	int64_t f3g2	= f3   * (int64_t) g2;
+	int64_t f3g3_2  = f3_2 * (int64_t) g3;
+	int64_t f3g4	= f3   * (int64_t) g4;
+	int64_t f3g5_2  = f3_2 * (int64_t) g5;
+	int64_t f3g6	= f3   * (int64_t) g6;
+	int64_t f3g7_38 = f3_2 * (int64_t) g7_19;
+	int64_t f3g8_19 = f3   * (int64_t) g8_19;
+	int64_t f3g9_38 = f3_2 * (int64_t) g9_19;
+
+	int64_t f4g0	= f4   * (int64_t) g0;
+	int64_t f4g1	= f4   * (int64_t) g1;
+	int64_t f4g2	= f4   * (int64_t) g2;
+	int64_t f4g3	= f4   * (int64_t) g3;
+	int64_t f4g4	= f4   * (int64_t) g4;
+	int64_t f4g5	= f4   * (int64_t) g5;
+	int64_t f4g6_19 = f4   * (int64_t) g6_19;
+	int64_t f4g7_19 = f4   * (int64_t) g7_19;
+	int64_t f4g8_19 = f4   * (int64_t) g8_19;
+	int64_t f4g9_19 = f4   * (int64_t) g9_19;
+
+	int64_t f5g0	= f5   * (int64_t) g0;
+	int64_t f5g1_2  = f5_2 * (int64_t) g1;
+	int64_t f5g2	= f5   * (int64_t) g2;
+	int64_t f5g3_2  = f5_2 * (int64_t) g3;
+	int64_t f5g4	= f5   * (int64_t) g4;
+	int64_t f5g5_38 = f5_2 * (int64_t) g5_19;
+	int64_t f5g6_19 = f5   * (int64_t) g6_19;
+	int64_t f5g7_38 = f5_2 * (int64_t) g7_19;
+	int64_t f5g8_19 = f5   * (int64_t) g8_19;
+	int64_t f5g9_38 = f5_2 * (int64_t) g9_19;
+
+	int64_t f6g0	= f6   * (int64_t) g0;
+	int64_t f6g1	= f6   * (int64_t) g1;
+	int64_t f6g2	= f6   * (int64_t) g2;
+	int64_t f6g3	= f6   * (int64_t) g3;
+	int64_t f6g4_19 = f6   * (int64_t) g4_19;
+	int64_t f6g5_19 = f6   * (int64_t) g5_19;
+	int64_t f6g6_19 = f6   * (int64_t) g6_19;
+	int64_t f6g7_19 = f6   * (int64_t) g7_19;
+	int64_t f6g8_19 = f6   * (int64_t) g8_19;
+	int64_t f6g9_19 = f6   * (int64_t) g9_19;
+
+	int64_t f7g0	= f7   * (int64_t) g0;
+	int64_t f7g1_2  = f7_2 * (int64_t) g1;
+	int64_t f7g2	= f7   * (int64_t) g2;
+	int64_t f7g3_38 = f7_2 * (int64_t) g3_19;
+	int64_t f7g4_19 = f7   * (int64_t) g4_19;
+	int64_t f7g5_38 = f7_2 * (int64_t) g5_19;
+	int64_t f7g6_19 = f7   * (int64_t) g6_19;
+	int64_t f7g7_38 = f7_2 * (int64_t) g7_19;
+	int64_t f7g8_19 = f7   * (int64_t) g8_19;
+	int64_t f7g9_38 = f7_2 * (int64_t) g9_19;
+
+	int64_t f8g0	= f8   * (int64_t) g0;
+	int64_t f8g1	= f8   * (int64_t) g1;
+	int64_t f8g2_19 = f8   * (int64_t) g2_19;
+	int64_t f8g3_19 = f8   * (int64_t) g3_19;
+	int64_t f8g4_19 = f8   * (int64_t) g4_19;
+	int64_t f8g5_19 = f8   * (int64_t) g5_19;
+	int64_t f8g6_19 = f8   * (int64_t) g6_19;
+	int64_t f8g7_19 = f8   * (int64_t) g7_19;
+	int64_t f8g8_19 = f8   * (int64_t) g8_19;
+	int64_t f8g9_19 = f8   * (int64_t) g9_19;
+
+	int64_t f9g0	= f9   * (int64_t) g0;
+	int64_t f9g1_38 = f9_2 * (int64_t) g1_19;
+	int64_t f9g2_19 = f9   * (int64_t) g2_19;
+	int64_t f9g3_38 = f9_2 * (int64_t) g3_19;
+	int64_t f9g4_19 = f9   * (int64_t) g4_19;
+	int64_t f9g5_38 = f9_2 * (int64_t) g5_19;
+	int64_t f9g6_19 = f9   * (int64_t) g6_19;
+	int64_t f9g7_38 = f9_2 * (int64_t) g7_19;
+	int64_t f9g8_19 = f9   * (int64_t) g8_19;
+	int64_t f9g9_38 = f9_2 * (int64_t) g9_19;
+
+	int64_t h0 = f0g0    + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 +
+	             f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38;
+	int64_t h1 = f0g1    + f1g0    + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 +
+	             f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19;
+	int64_t h2 = f0g2    + f1g1_2  + f2g0    + f3g9_38 + f4g8_19 + f5g7_38 +
+	             f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38;
+	int64_t h3 = f0g3    + f1g2    + f2g1    + f3g0    + f4g9_19 + f5g8_19 +
+	             f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19;
+	int64_t h4 = f0g4    + f1g3_2  + f2g2    + f3g1_2  + f4g0    + f5g9_38 +
+	             f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38;
+	int64_t h5 = f0g5    + f1g4    + f2g3    + f3g2    + f4g1    + f5g0    +
+	             f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19;
+	int64_t h6 = f0g6    + f1g5_2  + f2g4    + f3g3_2  + f4g2    + f5g1_2  +
+	             f6g0    + f7g9_38 + f8g8_19 + f9g7_38;
+	int64_t h7 = f0g7    + f1g6    + f2g5    + f3g4    + f4g3    + f5g2    +
+	             f6g1    + f7g0    + f8g9_19 + f9g8_19;
+	int64_t h8 = f0g8    + f1g7_2  + f2g6    + f3g5_2  + f4g4    + f5g3_2  +
+	             f6g2    + f7g1_2  + f8g0    + f9g9_38;
+	int64_t h9 = f0g9    + f1g8    + f2g7    + f3g6    + f4g5    + f5g4    +
+	             f6g3    + f7g2    + f8g1    + f9g0 ;
+
+	int64_t carry0, carry1, carry2, carry3, carry4;
+	int64_t carry5, carry6, carry7, carry8, carry9;
+
+	/**
+	 * |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
+	 * i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
+	 * |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
+	 * i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
+	 */
+
+	carry0 = (h0 + (int64_t) (1L << 25)) >> 26;
+	h1 += carry0;
+	h0 -= carry0 * ((uint64_t) 1L << 26);
+	/* |h0| <= 2^25 */
+	/* |h1| <= 1.71*2^59 */
+
+	carry4 = (h4 + (int64_t) (1L << 25)) >> 26;
+	h5 += carry4;
+	h4 -= carry4 * ((uint64_t) 1L << 26);
+	/* |h4| <= 2^25 */
+	/* |h5| <= 1.71*2^59 */
+
+	carry1 = (h1 + (int64_t) (1L << 24)) >> 25;
+	h2 += carry1;
+	h1 -= carry1 * ((uint64_t) 1L << 25);
+	/* |h1| <= 2^24; from now on fits into int32 */
+	/* |h2| <= 1.41*2^60 */
+
+	carry5 = (h5 + (int64_t) (1L << 24)) >> 25;
+	h6 += carry5;
+	h5 -= carry5 * ((uint64_t) 1L << 25);
+	/* |h5| <= 2^24; from now on fits into int32 */
+	/* |h6| <= 1.41*2^60 */
+
+	carry2 = (h2 + (int64_t) (1L << 25)) >> 26;
+	h3 += carry2;
+	h2 -= carry2 * ((uint64_t) 1L << 26);
+	/* |h2| <= 2^25; from now on fits into int32 unchanged */
+	/* |h3| <= 1.71*2^59 */
+
+	carry6 = (h6 + (int64_t) (1L << 25)) >> 26;
+	h7 += carry6;
+	h6 -= carry6 * ((uint64_t) 1L << 26);
+	/* |h6| <= 2^25; from now on fits into int32 unchanged */
+	/* |h7| <= 1.71*2^59 */
+
+	carry3 = (h3 + (int64_t) (1L << 24)) >> 25;
+	h4 += carry3;
+	h3 -= carry3 * ((uint64_t) 1L << 25);
+	/* |h3| <= 2^24; from now on fits into int32 unchanged */
+	/* |h4| <= 1.72*2^34 */
+
+	carry7 = (h7 + (int64_t) (1L << 24)) >> 25;
+	h8 += carry7;
+	h7 -= carry7 * ((uint64_t) 1L << 25);
+	/* |h7| <= 2^24; from now on fits into int32 unchanged */
+	/* |h8| <= 1.41*2^60 */
+
+	carry4 = (h4 + (int64_t) (1L << 25)) >> 26;
+	h5 += carry4;
+	h4 -= carry4 * ((uint64_t) 1L << 26);
+	/* |h4| <= 2^25; from now on fits into int32 unchanged */
+	/* |h5| <= 1.01*2^24 */
+
+	carry8 = (h8 + (int64_t) (1L << 25)) >> 26;
+	h9 += carry8;
+	h8 -= carry8 * ((uint64_t) 1L << 26);
+	/* |h8| <= 2^25; from now on fits into int32 unchanged */
+	/* |h9| <= 1.71*2^59 */
+
+	carry9 = (h9 + (int64_t) (1L << 24)) >> 25;
+	h0 += carry9 * 19;
+	h9 -= carry9 * ((uint64_t) 1L << 25);
+	/* |h9| <= 2^24; from now on fits into int32 unchanged */
+	/* |h0| <= 1.1*2^39 */
+
+	carry0 = (h0 + (int64_t) (1L << 25)) >> 26;
+	h1 += carry0;
+	h0 -= carry0 * ((uint64_t) 1L << 26);
+	/* |h0| <= 2^25; from now on fits into int32 unchanged */
+	/* |h1| <= 1.01*2^24 */
+
+	h[0] = (int32_t) h0;
+	h[1] = (int32_t) h1;
+	h[2] = (int32_t) h2;
+	h[3] = (int32_t) h3;
+	h[4] = (int32_t) h4;
+	h[5] = (int32_t) h5;
+	h[6] = (int32_t) h6;
+	h[7] = (int32_t) h7;
+	h[8] = (int32_t) h8;
+	h[9] = (int32_t) h9;
+}
+
+/**
+ * h = -f
+ *
+ * Preconditions:
+ * |f| bounded by 1.1*2^25, 1.1*2^24, 1.1*2^25, 1.1*2^24, etc.
+ *
+ * Postconditions:
+ * |h| bounded by 1.1*2^25, 1.1*2^24, 1.1*2^25, 1.1*2^24, etc.
+ */
+static void fe_neg(fe h,const fe f)
+{
+	int32_t f0 = f[0];
+	int32_t f1 = f[1];
+	int32_t f2 = f[2];
+	int32_t f3 = f[3];
+	int32_t f4 = f[4];
+	int32_t f5 = f[5];
+	int32_t f6 = f[6];
+	int32_t f7 = f[7];
+	int32_t f8 = f[8];
+	int32_t f9 = f[9];
+
+	int32_t h0 = -f0;
+	int32_t h1 = -f1;
+	int32_t h2 = -f2;
+	int32_t h3 = -f3;
+	int32_t h4 = -f4;
+	int32_t h5 = -f5;
+	int32_t h6 = -f6;
+	int32_t h7 = -f7;
+	int32_t h8 = -f8;
+	int32_t h9 = -f9;
+
+	h[0] = h0;
+	h[1] = h1;
+	h[2] = h2;
+	h[3] = h3;
+	h[4] = h4;
+	h[5] = h5;
+	h[6] = h6;
+	h[7] = h7;
+	h[8] = h8;
+	h[9] = h9;
+}
+
+/**
+ * h = f * f
+ * Can overlap h with f.
+ *
+ * Preconditions:
+ * |f| bounded by 1.65*2^26, 1.65*2^25, 1.65*2^26, 1.65*2^25, etc.
+ *
+ * Postconditions:
+ * |h| bounded by 1.01*2^25, 1.01*2^24, 1.01*2^25, 1.01*2^24, etc.
+ *
+ * See fe_mul.c for discussion of implementation strategy.
+ */
+static void fe_sq(fe h, const fe f)
+{
+	int32_t f0 = f[0];
+	int32_t f1 = f[1];
+	int32_t f2 = f[2];
+	int32_t f3 = f[3];
+	int32_t f4 = f[4];
+	int32_t f5 = f[5];
+	int32_t f6 = f[6];
+	int32_t f7 = f[7];
+	int32_t f8 = f[8];
+	int32_t f9 = f[9];
+
+	int32_t f0_2 = 2 * f0;
+	int32_t f1_2 = 2 * f1;
+	int32_t f2_2 = 2 * f2;
+	int32_t f3_2 = 2 * f3;
+	int32_t f4_2 = 2 * f4;
+	int32_t f5_2 = 2 * f5;
+	int32_t f6_2 = 2 * f6;
+	int32_t f7_2 = 2 * f7;
+
+	int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
+	int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
+	int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
+	int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
+	int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
+
+	int64_t f0f0	= f0   * (int64_t) f0;
+	int64_t f0f1_2  = f0_2 * (int64_t) f1;
+	int64_t f0f2_2  = f0_2 * (int64_t) f2;
+	int64_t f0f3_2  = f0_2 * (int64_t) f3;
+	int64_t f0f4_2  = f0_2 * (int64_t) f4;
+	int64_t f0f5_2  = f0_2 * (int64_t) f5;
+	int64_t f0f6_2  = f0_2 * (int64_t) f6;
+	int64_t f0f7_2  = f0_2 * (int64_t) f7;
+	int64_t f0f8_2  = f0_2 * (int64_t) f8;
+	int64_t f0f9_2  = f0_2 * (int64_t) f9;
+
+	int64_t f1f1_2  = f1_2 * (int64_t) f1;
+	int64_t f1f2_2  = f1_2 * (int64_t) f2;
+	int64_t f1f3_4  = f1_2 * (int64_t) f3_2;
+	int64_t f1f4_2  = f1_2 * (int64_t) f4;
+	int64_t f1f5_4  = f1_2 * (int64_t) f5_2;
+	int64_t f1f6_2  = f1_2 * (int64_t) f6;
+	int64_t f1f7_4  = f1_2 * (int64_t) f7_2;
+	int64_t f1f8_2  = f1_2 * (int64_t) f8;
+	int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
+
+	int64_t f2f2	= f2   * (int64_t) f2;
+	int64_t f2f3_2  = f2_2 * (int64_t) f3;
+	int64_t f2f4_2  = f2_2 * (int64_t) f4;
+	int64_t f2f5_2  = f2_2 * (int64_t) f5;
+	int64_t f2f6_2  = f2_2 * (int64_t) f6;
+	int64_t f2f7_2  = f2_2 * (int64_t) f7;
+	int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
+	int64_t f2f9_38 = f2   * (int64_t) f9_38;
+
+	int64_t f3f3_2  = f3_2 * (int64_t) f3;
+	int64_t f3f4_2  = f3_2 * (int64_t) f4;
+	int64_t f3f5_4  = f3_2 * (int64_t) f5_2;
+	int64_t f3f6_2  = f3_2 * (int64_t) f6;
+	int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
+	int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
+	int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
+
+	int64_t f4f4	= f4   * (int64_t) f4;
+	int64_t f4f5_2  = f4_2 * (int64_t) f5;
+	int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
+	int64_t f4f7_38 = f4   * (int64_t) f7_38;
+	int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
+	int64_t f4f9_38 = f4   * (int64_t) f9_38;
+
+	int64_t f5f5_38 = f5   * (int64_t) f5_38;
+	int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
+	int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
+	int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
+	int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
+
+	int64_t f6f6_19 = f6   * (int64_t) f6_19;
+	int64_t f6f7_38 = f6   * (int64_t) f7_38;
+	int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
+	int64_t f6f9_38 = f6   * (int64_t) f9_38;
+
+	int64_t f7f7_38 = f7   * (int64_t) f7_38;
+	int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
+	int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
+
+	int64_t f8f8_19 = f8   * (int64_t) f8_19;
+	int64_t f8f9_38 = f8   * (int64_t) f9_38;
+
+	int64_t f9f9_38 = f9   * (int64_t) f9_38;
+
+	int64_t h0 = f0f0   + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
+	int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
+	int64_t h2 = f0f2_2 + f1f1_2  + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
+	int64_t h3 = f0f3_2 + f1f2_2  + f4f9_38 + f5f8_38 + f6f7_38;
+	int64_t h4 = f0f4_2 + f1f3_4  + f2f2    + f5f9_76 + f6f8_38 + f7f7_38;
+	int64_t h5 = f0f5_2 + f1f4_2  + f2f3_2  + f6f9_38 + f7f8_38;
+	int64_t h6 = f0f6_2 + f1f5_4  + f2f4_2  + f3f3_2  + f7f9_76 + f8f8_19;
+	int64_t h7 = f0f7_2 + f1f6_2  + f2f5_2  + f3f4_2  + f8f9_38;
+	int64_t h8 = f0f8_2 + f1f7_4  + f2f6_2  + f3f5_4  + f4f4    + f9f9_38;
+	int64_t h9 = f0f9_2 + f1f8_2  + f2f7_2  + f3f6_2  + f4f5_2;
+
+	int64_t carry0, carry1, carry2, carry3, carry4;
+	int64_t carry5, carry6, carry7, carry8, carry9;
+
+	carry0 = (h0 + (int64_t) (1L << 25)) >> 26;
+	h1 += carry0;
+	h0 -= carry0 * ((uint64_t) 1L << 26);
+
+	carry4 = (h4 + (int64_t) (1L << 25)) >> 26;
+	h5 += carry4;
+	h4 -= carry4 * ((uint64_t) 1L << 26);
+
+	carry1 = (h1 + (int64_t) (1L << 24)) >> 25;
+	h2 += carry1;
+	h1 -= carry1 * ((uint64_t) 1L << 25);
+
+	carry5 = (h5 + (int64_t) (1L << 24)) >> 25;
+	h6 += carry5;
+	h5 -= carry5 * ((uint64_t) 1L << 25);
+
+	carry2 = (h2 + (int64_t) (1L << 25)) >> 26;
+	h3 += carry2;
+	h2 -= carry2 * ((uint64_t) 1L << 26);
+
+	carry6 = (h6 + (int64_t) (1L << 25)) >> 26;
+	h7 += carry6;
+	h6 -= carry6 * ((uint64_t) 1L << 26);
+
+	carry3 = (h3 + (int64_t) (1L << 24)) >> 25;
+	h4 += carry3;
+	h3 -= carry3 * ((uint64_t) 1L << 25);
+
+	carry7 = (h7 + (int64_t) (1L << 24)) >> 25;
+	h8 += carry7;
+	h7 -= carry7 * ((uint64_t) 1L << 25);
+
+	carry4 = (h4 + (int64_t) (1L << 25)) >> 26;
+	h5 += carry4;
+	h4 -= carry4 * ((uint64_t) 1L << 26);
+
+	carry8 = (h8 + (int64_t) (1L << 25)) >> 26;
+	h9 += carry8;
+	h8 -= carry8 * ((uint64_t) 1L << 26);
+
+	carry9 = (h9 + (int64_t) (1L << 24)) >> 25;
+	h0 += carry9 * 19;
+	h9 -= carry9 * ((uint64_t) 1L << 25);
+
+	carry0 = (h0 + (int64_t) (1L << 25)) >> 26;
+	h1 += carry0;
+	h0 -= carry0 * ((uint64_t) 1L << 26);
+
+	h[0] = (int32_t) h0;
+	h[1] = (int32_t) h1;
+	h[2] = (int32_t) h2;
+	h[3] = (int32_t) h3;
+	h[4] = (int32_t) h4;
+	h[5] = (int32_t) h5;
+	h[6] = (int32_t) h6;
+	h[7] = (int32_t) h7;
+	h[8] = (int32_t) h8;
+	h[9] = (int32_t) h9;
+}
+
+/**
+ * h = 2 * f * f
+ * Can overlap h with f.
+ *
+ * Preconditions:
+ *|f| bounded by 1.65*2^26, 1.65*2^25, 1.65*2^26, 1.65*2^25, etc.
+ *
+ * Postconditions:
+ * |h| bounded by 1.01*2^25, 1.01*2^24, 1.01*2^25, 1.01*2^24, etc.
+ *
+ * See fe_mul.c for discussion of implementation strategy.
+ */
+static void fe_sq2(fe h, const fe f)
+{
+	int32_t f0 = f[0];
+	int32_t f1 = f[1];
+	int32_t f2 = f[2];
+	int32_t f3 = f[3];
+	int32_t f4 = f[4];
+	int32_t f5 = f[5];
+	int32_t f6 = f[6];
+	int32_t f7 = f[7];
+	int32_t f8 = f[8];
+	int32_t f9 = f[9];
+
+	int32_t f0_2 = 2 * f0;
+	int32_t f1_2 = 2 * f1;
+	int32_t f2_2 = 2 * f2;
+	int32_t f3_2 = 2 * f3;
+	int32_t f4_2 = 2 * f4;
+	int32_t f5_2 = 2 * f5;
+	int32_t f6_2 = 2 * f6;
+	int32_t f7_2 = 2 * f7;
+
+	int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
+	int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
+	int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
+	int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
+	int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
+
+	int64_t f0f0	= f0   * (int64_t) f0;
+	int64_t f0f1_2  = f0_2 * (int64_t) f1;
+	int64_t f0f2_2  = f0_2 * (int64_t) f2;
+	int64_t f0f3_2  = f0_2 * (int64_t) f3;
+	int64_t f0f4_2  = f0_2 * (int64_t) f4;
+	int64_t f0f5_2  = f0_2 * (int64_t) f5;
+	int64_t f0f6_2  = f0_2 * (int64_t) f6;
+	int64_t f0f7_2  = f0_2 * (int64_t) f7;
+	int64_t f0f8_2  = f0_2 * (int64_t) f8;
+	int64_t f0f9_2  = f0_2 * (int64_t) f9;
+
+	int64_t f1f1_2  = f1_2 * (int64_t) f1;
+	int64_t f1f2_2  = f1_2 * (int64_t) f2;
+	int64_t f1f3_4  = f1_2 * (int64_t) f3_2;
+	int64_t f1f4_2  = f1_2 * (int64_t) f4;
+	int64_t f1f5_4  = f1_2 * (int64_t) f5_2;
+	int64_t f1f6_2  = f1_2 * (int64_t) f6;
+	int64_t f1f7_4  = f1_2 * (int64_t) f7_2;
+	int64_t f1f8_2  = f1_2 * (int64_t) f8;
+	int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
+
+	int64_t f2f2	= f2   * (int64_t) f2;
+	int64_t f2f3_2  = f2_2 * (int64_t) f3;
+	int64_t f2f4_2  = f2_2 * (int64_t) f4;
+	int64_t f2f5_2  = f2_2 * (int64_t) f5;
+	int64_t f2f6_2  = f2_2 * (int64_t) f6;
+	int64_t f2f7_2  = f2_2 * (int64_t) f7;
+	int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
+	int64_t f2f9_38 = f2   * (int64_t) f9_38;
+
+	int64_t f3f3_2  = f3_2 * (int64_t) f3;
+	int64_t f3f4_2  = f3_2 * (int64_t) f4;
+	int64_t f3f5_4  = f3_2 * (int64_t) f5_2;
+	int64_t f3f6_2  = f3_2 * (int64_t) f6;
+	int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
+	int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
+	int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
+
+	int64_t f4f4	= f4   * (int64_t) f4;
+	int64_t f4f5_2  = f4_2 * (int64_t) f5;
+	int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
+	int64_t f4f7_38 = f4   * (int64_t) f7_38;
+	int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
+	int64_t f4f9_38 = f4   * (int64_t) f9_38;
+
+	int64_t f5f5_38 = f5   * (int64_t) f5_38;
+	int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
+	int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
+	int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
+	int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
+
+	int64_t f6f6_19 = f6   * (int64_t) f6_19;
+	int64_t f6f7_38 = f6   * (int64_t) f7_38;
+	int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
+	int64_t f6f9_38 = f6   * (int64_t) f9_38;
+
+	int64_t f7f7_38 = f7   * (int64_t) f7_38;
+	int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
+	int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
+
+	int64_t f8f8_19 = f8   * (int64_t) f8_19;
+	int64_t f8f9_38 = f8   * (int64_t) f9_38;
+
+	int64_t f9f9_38 = f9   * (int64_t) f9_38;
+
+	int64_t h0 = f0f0   + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
+	int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
+	int64_t h2 = f0f2_2 + f1f1_2  + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
+	int64_t h3 = f0f3_2 + f1f2_2  + f4f9_38 + f5f8_38 + f6f7_38;
+	int64_t h4 = f0f4_2 + f1f3_4  + f2f2    + f5f9_76 + f6f8_38 + f7f7_38;
+	int64_t h5 = f0f5_2 + f1f4_2  + f2f3_2  + f6f9_38 + f7f8_38;
+	int64_t h6 = f0f6_2 + f1f5_4  + f2f4_2  + f3f3_2  + f7f9_76 + f8f8_19;
+	int64_t h7 = f0f7_2 + f1f6_2  + f2f5_2  + f3f4_2  + f8f9_38;
+	int64_t h8 = f0f8_2 + f1f7_4  + f2f6_2  + f3f5_4  + f4f4    + f9f9_38;
+	int64_t h9 = f0f9_2 + f1f8_2  + f2f7_2  + f3f6_2  + f4f5_2;
+
+	int64_t carry0, carry1, carry2, carry3, carry4;
+	int64_t carry5, carry6, carry7, carry8, carry9;
+
+	h0 += h0;
+	h1 += h1;
+	h2 += h2;
+	h3 += h3;
+	h4 += h4;
+	h5 += h5;
+	h6 += h6;
+	h7 += h7;
+	h8 += h8;
+	h9 += h9;
+
+	carry0 = (h0 + (int64_t) (1L << 25)) >> 26;
+	h1 += carry0;
+	h0 -= carry0 * ((uint64_t) 1L << 26);
+
+	carry4 = (h4 + (int64_t) (1L << 25)) >> 26;
+	h5 += carry4;
+	h4 -= carry4 * ((uint64_t) 1L << 26);
+
+	carry1 = (h1 + (int64_t) (1L << 24)) >> 25;
+	h2 += carry1;
+	h1 -= carry1 * ((uint64_t) 1L << 25);
+
+	carry5 = (h5 + (int64_t) (1L << 24)) >> 25;
+	h6 += carry5;
+	h5 -= carry5 * ((uint64_t) 1L << 25);
+
+	carry2 = (h2 + (int64_t) (1L << 25)) >> 26;
+	h3 += carry2;
+	h2 -= carry2 * ((uint64_t) 1L << 26);
+
+	carry6 = (h6 + (int64_t) (1L << 25)) >> 26;
+	h7 += carry6;
+	h6 -= carry6 * ((uint64_t) 1L << 26);
+
+	carry3 = (h3 + (int64_t) (1L << 24)) >> 25;
+	h4 += carry3;
+	h3 -= carry3 * ((uint64_t) 1L << 25);
+
+	carry7 = (h7 + (int64_t) (1L << 24)) >> 25;
+	h8 += carry7;
+	h7 -= carry7 * ((uint64_t) 1L << 25);
+
+	carry4 = (h4 + (int64_t) (1L << 25)) >> 26;
+	h5 += carry4;
+	h4 -= carry4 * ((uint64_t) 1L << 26);
+
+	carry8 = (h8 + (int64_t) (1L << 25)) >> 26;
+	h9 += carry8;
+	h8 -= carry8 * ((uint64_t) 1L << 26);
+
+	carry9 = (h9 + (int64_t) (1L << 24)) >> 25;
+	h0 += carry9 * 19;
+	h9 -= carry9 * ((uint64_t) 1L << 25);
+
+	carry0 = (h0 + (int64_t) (1L << 25)) >> 26;
+	h1 += carry0;
+	h0 -= carry0 * ((uint64_t) 1L << 26);
+
+	h[0] = (int32_t) h0;
+	h[1] = (int32_t) h1;
+	h[2] = (int32_t) h2;
+	h[3] = (int32_t) h3;
+	h[4] = (int32_t) h4;
+	h[5] = (int32_t) h5;
+	h[6] = (int32_t) h6;
+	h[7] = (int32_t) h7;
+	h[8] = (int32_t) h8;
+	h[9] = (int32_t) h9;
+}
+
+static void fe_invert(fe out, const fe z)
+{
+	fe t0, t1, t2, t3;
+	int i;
+
+	fe_sq(t0, z);
+	fe_sq(t1, t0);
+	fe_sq(t1, t1);
+	fe_mul(t1, z, t1);
+	fe_mul(t0, t0, t1);
+	fe_sq(t2, t0);
+	fe_mul(t1, t1, t2);
+	fe_sq(t2, t1);
+
+	for (i = 1; i < 5; ++i)
+	{
+		fe_sq(t2, t2);
+	}
+
+	fe_mul(t1, t2, t1);
+	fe_sq(t2, t1);
+
+	for (i = 1; i < 10; ++i)
+	{
+		fe_sq(t2, t2);
+	}
+
+	fe_mul(t2, t2, t1);
+	fe_sq(t3, t2);
+
+	for (i = 1; i < 20; ++i)
+	{
+		fe_sq(t3, t3);
+	}
+
+	fe_mul(t2, t3, t2);
+	fe_sq(t2, t2);
+
+	for (i = 1; i < 10; ++i)
+	{
+		fe_sq(t2, t2);
+	}
+
+	fe_mul(t1, t2, t1);
+	fe_sq(t2, t1);
+
+	for (i = 1; i < 50; ++i)
+	{
+		fe_sq(t2, t2);
+	}
+
+	fe_mul(t2, t2, t1);
+	fe_sq(t3, t2);
+
+	for (i = 1; i < 100; ++i)
+	{
+		fe_sq(t3, t3);
+	}
+
+	fe_mul(t2, t3, t2);
+	fe_sq(t2, t2);
+
+	for (i = 1; i < 50; ++i)
+	{
+		fe_sq(t2, t2);
+	}
+
+	fe_mul(t1, t2, t1);
+	fe_sq(t1, t1);
+
+	for (i = 1; i < 5; ++i)
+	{
+		fe_sq(t1, t1);
+	}
+
+	fe_mul(out, t1, t0);
+}
+
+static void fe_pow22523(fe out, const fe z)
+{
+	fe t0, t1, t2;
+	int i;
+
+	fe_sq(t0, z);
+	fe_sq(t1, t0);
+	fe_sq(t1, t1);
+	fe_mul(t1, z, t1);
+	fe_mul(t0, t0, t1);
+	fe_sq(t0, t0);
+	fe_mul(t0, t1, t0);
+	fe_sq(t1, t0);
+
+	for (i = 1; i < 5; ++i)
+	{
+		fe_sq(t1, t1);
+	}
+
+	fe_mul(t0, t1, t0);
+	fe_sq(t1, t0);
+
+	for (i = 1; i < 10; ++i)
+	{
+		fe_sq(t1, t1);
+	}
+
+	fe_mul(t1, t1, t0);
+	fe_sq(t2, t1);
+
+	for (i = 1; i < 20; ++i)
+	{
+		fe_sq(t2, t2);
+	}
+
+	fe_mul(t1, t2, t1);
+	fe_sq(t1, t1);
+
+	for (i = 1; i < 10; ++i)
+	{
+		fe_sq(t1, t1);
+	}
+
+	fe_mul(t0, t1, t0);
+	fe_sq(t1, t0);
+
+	for (i = 1; i < 50; ++i)
+	{
+		fe_sq(t1, t1);
+	}
+
+	fe_mul(t1, t1, t0);
+	fe_sq(t2, t1);
+	for (i = 1; i < 100; ++i)
+	{
+		fe_sq(t2, t2);
+	}
+
+	fe_mul(t1, t2, t1);
+	fe_sq(t1, t1);
+
+	for (i = 1; i < 50; ++i)
+	{
+		fe_sq(t1, t1);
+	}
+
+	fe_mul(t0, t1, t0);
+	fe_sq(t0, t0);
+	fe_sq(t0, t0);
+	fe_mul(out, t0, z);
+}
+
+/**
+ * h = f - g
+ * Can overlap h with f or g.
+ *
+ * Preconditions:
+ * |f| bounded by 1.1*2^25, 1.1*2^24, 1.1*2^25, 1.1*2^24, etc.
+ * |g| bounded by 1.1*2^25, 1.1*2^24, 1.1*2^25, 1.1*2^24, etc.
+ *
+ * Postconditions:
+ * |h| bounded by 1.1*2^26, 1.1*2^25, 1.1*2^26, 1.1*2^25, etc.
+ */
+static void fe_sub(fe h, const fe f, const fe g)
+{
+	int32_t f0 = f[0];
+	int32_t f1 = f[1];
+	int32_t f2 = f[2];
+	int32_t f3 = f[3];
+	int32_t f4 = f[4];
+	int32_t f5 = f[5];
+	int32_t f6 = f[6];
+	int32_t f7 = f[7];
+	int32_t f8 = f[8];
+	int32_t f9 = f[9];
+
+	int32_t g0 = g[0];
+	int32_t g1 = g[1];
+	int32_t g2 = g[2];
+	int32_t g3 = g[3];
+	int32_t g4 = g[4];
+	int32_t g5 = g[5];
+	int32_t g6 = g[6];
+	int32_t g7 = g[7];
+	int32_t g8 = g[8];
+	int32_t g9 = g[9];
+
+	int32_t h0 = f0 - g0;
+	int32_t h1 = f1 - g1;
+	int32_t h2 = f2 - g2;
+	int32_t h3 = f3 - g3;
+	int32_t h4 = f4 - g4;
+	int32_t h5 = f5 - g5;
+	int32_t h6 = f6 - g6;
+	int32_t h7 = f7 - g7;
+	int32_t h8 = f8 - g8;
+	int32_t h9 = f9 - g9;
+
+	h[0] = h0;
+	h[1] = h1;
+	h[2] = h2;
+	h[3] = h3;
+	h[4] = h4;
+	h[5] = h5;
+	h[6] = h6;
+	h[7] = h7;
+	h[8] = h8;
+	h[9] = h9;
+}
+
+/**
+ * r = p + q
+ */
+static void ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q)
+{
+	fe t0;
+
+	fe_add(r->X, p->Y, p->X);
+	fe_sub(r->Y, p->Y, p->X);
+	fe_mul(r->Z, r->X, q->YplusX);
+	fe_mul(r->Y, r->Y, q->YminusX);
+	fe_mul(r->T, q->T2d, p->T);
+	fe_mul(r->X, p->Z, q->Z);
+	fe_add(t0, r->X, r->X);
+	fe_sub(r->X, r->Z, r->Y);
+	fe_add(r->Y, r->Z, r->Y);
+	fe_add(r->Z, t0, r->T);
+	fe_sub(r->T, t0, r->T);
+}
+
+static void slide(int8_t *r, const uint8_t *a)
+{
+	int i, b, k;
+
+	for (i = 0; i < 256; ++i)
+	{
+		r[i] = 1 & (a[i >> 3] >> (i & 7));
+	}
+
+	for (i = 0; i < 256; ++i)
+	{
+		if (r[i])
+		{
+			for (b = 1; b <= 6 && i + b < 256; ++b)
+			{
+				if (r[i + b])
+				{
+					if (r[i] + (r[i + b] << b) <= 15)
+					{
+						r[i] += r[i + b] << b; r[i + b] = 0;
+					}
+					else if (r[i] - (r[i + b] << b) >= -15)
+					{
+						r[i] -= r[i + b] << b;
+
+						for (k = i + b; k < 256; ++k)
+						{
+							if (!r[k])
+							{
+								r[k] = 1;
+								break;
+							}
+							r[k] = 0;
+						}
+					}
+					else
+					{
+						break;
+					}
+				}
+			}
+		}
+	}
+}
+
+static const ge_precomp Bi[8] = {
+#include "base2.h"
+};
+
+/* 37095705934669439343138083508754565189542113879843219016388785533085940283555 */
+static const fe d = {
+	-10913610,  13857413, -15372611,   6949391,    114729,
+	 -8787816,  -6275908,  -3247719, -18696448, -12055116
+};
+
+/* sqrt(-1) */
+static const fe sqrtm1 = {
+	-32595792,  -7943725,  9377950,    3500415,  12389472,
+	  -272473, -25146209, -2005654,     326686,  11406482
+};
+
+int ge_frombytes_negate_vartime(ge_p3 *h, const uint8_t *s)
+{
+	fe u, v, v3, vxx, check;
+
+	fe_frombytes(h->Y,s);
+	fe_1(h->Z);
+	fe_sq(u,h->Y);
+	fe_mul(v,u,d);
+	fe_sub(u,u,h->Z);	   /* u = y^2-1 */
+	fe_add(v,v,h->Z);	   /* v = dy^2+1 */
+
+	fe_sq(v3,v);
+	fe_mul(v3,v3,v);		/* v3 = v^3 */
+	fe_sq(h->X,v3);
+	fe_mul(h->X,h->X,v);
+	fe_mul(h->X,h->X,u);	/* x = uv^7 */
+
+	fe_pow22523(h->X,h->X); /* x = (uv^7)^((q-5)/8) */
+	fe_mul(h->X,h->X,v3);
+	fe_mul(h->X,h->X,u);	/* x = uv^3(uv^7)^((q-5)/8) */
+
+	fe_sq(vxx,h->X);
+	fe_mul(vxx,vxx,v);
+	fe_sub(check,vxx,u);	/* vx^2-u */
+
+	if (fe_isnonzero(check))
+	{
+		fe_add(check,vxx,u);  /* vx^2+u */
+
+		if (fe_isnonzero(check))
+		{
+			return -1;
+		}
+		fe_mul(h->X,h->X,sqrtm1);
+	}
+
+	if (fe_isnegative(h->X) == (s[31] >> 7))
+	{
+		fe_neg(h->X,h->X);
+	}
+	fe_mul(h->T,h->X,h->Y);
+
+	return 0;
+}
+
+/**
+ * r = p + q
+ */
+static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
+{
+	fe t0;
+
+	fe_add(r->X, p->Y, p->X);
+	fe_sub(r->Y, p->Y, p->X);
+	fe_mul(r->Z, r->X, q->yplusx);
+	fe_mul(r->Y, r->Y, q->yminusx);
+	fe_mul(r->T, q->xy2d, p->T);
+	fe_add(t0, p->Z, p->Z);
+	fe_sub(r->X, r->Z, r->Y);
+	fe_add(r->Y, r->Z, r->Y);
+	fe_add(r->Z, t0, r->T);
+	fe_sub(r->T, t0, r->T);
+}
+
+/**
+ * r = p - q
+ */
+static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q)
+{
+	fe t0;
+
+	fe_add(r->X, p->Y, p->X);
+	fe_sub(r->Y, p->Y, p->X);
+	fe_mul(r->Z, r->X, q->yminusx);
+	fe_mul(r->Y, r->Y, q->yplusx);
+	fe_mul(r->T, q->xy2d, p->T);
+	fe_add(t0, p->Z, p->Z);
+	fe_sub(r->X, r->Z, r->Y);
+	fe_add(r->Y, r->Z, r->Y);
+	fe_sub(r->Z, t0, r->T);
+	fe_add(r->T, t0, r->T);
+}
+
+/**
+ * r = p
+ */
+static void ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p)
+{
+	fe_mul(r->X,p->X,p->T);
+	fe_mul(r->Y,p->Y,p->Z);
+	fe_mul(r->Z,p->Z,p->T);
+}
+
+/**
+ * r = p
+ */
+static void ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p)
+{
+	fe_mul(r->X,p->X,p->T);
+	fe_mul(r->Y,p->Y,p->Z);
+	fe_mul(r->Z,p->Z,p->T);
+	fe_mul(r->T,p->X,p->Y);
+}
+
+static void ge_p2_0(ge_p2 *h)
+{
+	fe_0(h->X);
+	fe_1(h->Y);
+	fe_1(h->Z);
+}
+
+/**
+ * r = 2 * p
+ */
+static void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p)
+{
+	fe t0;
+
+	fe_sq(r->X, p->X);
+	fe_sq(r->Z, p->Y);
+	fe_sq2(r->T, p->Z);
+	fe_add(r->Y, p->X, p->Y);
+	fe_sq(t0, r->Y);
+	fe_add(r->Y, r->Z, r->X);
+	fe_sub(r->Z, r->Z, r->X);
+	fe_sub(r->X, t0, r->Y);
+	fe_sub(r->T, r->T, r->Z);
+}
+
+static void ge_p3_0(ge_p3 *h)
+{
+	fe_0(h->X);
+	fe_1(h->Y);
+	fe_1(h->Z);
+	fe_0(h->T);
+}
+
+/**
+ * r = p
+ */
+
+/* 2 * d = 16295367250680780974490674513165176452449235426866156013048779062215315747161 */
+static const fe d2 = {
+	-21827239,  -5839606, -30745221, 13898782,  229458,
+	 15978800, -12551817,  -6495438, 29715968, 9444199
+};
+
+static void ge_p3_to_cached(ge_cached *r, const ge_p3 *p)
+{
+	fe_add(r->YplusX,p->Y,p->X);
+	fe_sub(r->YminusX,p->Y,p->X);
+	fe_copy(r->Z,p->Z);
+	fe_mul(r->T2d,p->T,d2);
+}
+
+/**
+ * r = p
+ */
+static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p)
+{
+	fe_copy(r->X,p->X);
+	fe_copy(r->Y,p->Y);
+	fe_copy(r->Z,p->Z);
+}
+
+void ge_p3_tobytes(uint8_t *s, const ge_p3 *h)
+{
+	fe recip, x, y;
+
+	fe_invert(recip,h->Z);
+	fe_mul(x,h->X,recip);
+	fe_mul(y,h->Y,recip);
+	fe_tobytes(s,y);
+
+	s[31] ^= fe_isnegative(x) << 7;
+}
+
+/**
+ * r = 2 * p
+ */
+static void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p)
+{
+	ge_p2 q;
+	ge_p3_to_p2(&q,p);
+	ge_p2_dbl(r,&q);
+}
+
+static void ge_precomp_0(ge_precomp *h)
+{
+	fe_1(h->yplusx);
+	fe_1(h->yminusx);
+	fe_0(h->xy2d);
+}
+
+static uint8_t equal(int8_t b, int8_t c)
+{
+	uint8_t ub = b;
+	uint8_t uc = c;
+	uint8_t x = ub ^ uc;  /* 0: yes; 1..255: no */
+	uint32_t y = x;       /* 0: yes; 1..255: no */
+
+	y -= 1;      /* 4294967295: yes; 0..254: no */
+	y >>= 31;    /* 1: yes; 0: no */
+
+	return y;
+}
+
+static uint8_t negative(int8_t b)
+{
+	uint64_t x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
+
+	x >>= 63;       /* 1: yes; 0: no */
+
+	return x;
+}
+
+static void cmov(ge_precomp *t, const ge_precomp *u, uint8_t b)
+{
+	fe_cmov(t->yplusx,u->yplusx,b);
+	fe_cmov(t->yminusx,u->yminusx,b);
+	fe_cmov(t->xy2d,u->xy2d,b);
+}
+
+/**
+ * base[i][j] = (j+1)*256^i*B
+ */
+static const ge_precomp base[32][8] = {
+#include "base.h"
+};
+
+static void ge_select(ge_precomp *t, int pos, int8_t b)
+{
+	ge_precomp minust;
+	uint8_t bnegative = negative(b);
+	uint8_t babs = b - (((-bnegative) & b) * ((int8_t) 1 << 1));
+
+	ge_precomp_0(t);
+	cmov(t,&base[pos][0],equal(babs,1));
+	cmov(t,&base[pos][1],equal(babs,2));
+	cmov(t,&base[pos][2],equal(babs,3));
+	cmov(t,&base[pos][3],equal(babs,4));
+	cmov(t,&base[pos][4],equal(babs,5));
+	cmov(t,&base[pos][5],equal(babs,6));
+	cmov(t,&base[pos][6],equal(babs,7));
+	cmov(t,&base[pos][7],equal(babs,8));
+	fe_copy(minust.yplusx,t->yminusx);
+	fe_copy(minust.yminusx,t->yplusx);
+	fe_neg(minust.xy2d,t->xy2d);
+	cmov(t,&minust,bnegative);
+}
+
+/**
+ *r = p - q
+ */
+static void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q)
+{
+	fe t0;
+
+	fe_add(r->X, p->Y, p->X);
+	fe_sub(r->Y, p->Y, p->X);
+	fe_mul(r->Z, r->X, q->YminusX);
+	fe_mul(r->Y, r->Y, q->YplusX);
+	fe_mul(r->T, q->T2d, p->T);
+	fe_mul(r->X, p->Z, q->Z);
+	fe_add(t0, r->X, r->X);
+	fe_sub(r->X, r->Z, r->Y);
+	fe_add(r->Y, r->Z, r->Y);
+	fe_sub(r->Z, t0, r->T);
+	fe_add(r->T, t0, r->T);
+}
+
+void ge_tobytes(uint8_t *s, const ge_p2 *h)
+{
+	fe recip, x, y;
+
+	fe_invert(recip,h->Z);
+	fe_mul(x,h->X,recip);
+	fe_mul(y,h->Y,recip);
+	fe_tobytes(s,y);
+
+	s[31] ^= fe_isnegative(x) << 7;
+}
+
+/**
+ * h = a * B
+ * where a = a[0]+256*a[1]+...+256^31 a[31]
+ * B is the Ed25519 base point (x,4/5) with x positive.
+ *
+ * Preconditions:
+ * a[31] <= 127
+ */
+
+/**
+ * r = a * A + b * B
+ * where a = a[0]+256*a[1]+...+256^31 a[31].
+ * and b = b[0]+256*b[1]+...+256^31 b[31].
+ * B is the Ed25519 base point (x,4/5) with x positive.
+ */
+void ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a, const ge_p3 *A,
+								  const uint8_t *b)
+{
+	int8_t aslide[256];
+	int8_t bslide[256];
+	ge_cached Ai[8];     /* A,3A,5A,7A,9A,11A,13A,15A */
+	ge_p1p1 t;
+	ge_p3 u, A2;
+	int i;
+
+	slide(aslide,a);
+	slide(bslide,b);
+
+	ge_p3_to_cached(&Ai[0],A);
+	ge_p3_dbl(&t,A);
+	ge_p1p1_to_p3(&A2,&t);
+
+	ge_add(&t,&A2,&Ai[0]);
+	ge_p1p1_to_p3(&u,&t);
+	ge_p3_to_cached(&Ai[1],&u);
+
+	ge_add(&t,&A2,&Ai[1]);
+	ge_p1p1_to_p3(&u,&t);
+	ge_p3_to_cached(&Ai[2],&u);
+
+	ge_add(&t,&A2,&Ai[2]);
+	ge_p1p1_to_p3(&u,&t);
+	ge_p3_to_cached(&Ai[3],&u);
+
+	ge_add(&t,&A2,&Ai[3]);
+	ge_p1p1_to_p3(&u,&t);
+	ge_p3_to_cached(&Ai[4],&u);
+
+	ge_add(&t,&A2,&Ai[4]);
+	ge_p1p1_to_p3(&u,&t);
+	ge_p3_to_cached(&Ai[5],&u);
+
+	ge_add(&t,&A2,&Ai[5]);
+	ge_p1p1_to_p3(&u,&t);
+	ge_p3_to_cached(&Ai[6],&u);
+
+	ge_add(&t,&A2,&Ai[6]);
+	ge_p1p1_to_p3(&u,&t);
+	ge_p3_to_cached(&Ai[7],&u);
+
+	ge_p2_0(r);
+
+	for (i = 255; i >= 0; --i)
+	{
+		if (aslide[i] || bslide[i])
+		{
+			break;
+		}
+	}
+
+	for (; i >= 0 ;--i)
+	{
+		ge_p2_dbl(&t,r);
+
+		if (aslide[i] > 0)
+		{
+			ge_p1p1_to_p3(&u,&t);
+			ge_add(&t,&u,&Ai[aslide[i]/2]);
+		}
+		else if (aslide[i] < 0)
+		{
+			ge_p1p1_to_p3(&u,&t);
+			ge_sub(&t,&u,&Ai[(-aslide[i])/2]);
+		}
+
+		if (bslide[i] > 0)
+		{
+			ge_p1p1_to_p3(&u,&t);
+			ge_madd(&t,&u,&Bi[bslide[i]/2]);
+		}
+		else if (bslide[i] < 0)
+		{
+			ge_p1p1_to_p3(&u,&t);
+			ge_msub(&t,&u,&Bi[(-bslide[i])/2]);
+		}
+		ge_p1p1_to_p2(r,&t);
+	}
+}
+
+void ge_scalarmult_base(ge_p3 *h, const uint8_t *a)
+{
+	int8_t e[64];
+	int8_t carry = 0;
+	ge_p1p1 r;
+	ge_p2 s;
+	ge_precomp t;
+	int i;
+
+	for (i = 0; i < 32; ++i)
+	{
+		e[2 * i + 0] = (a[i] >> 0) & 15;
+		e[2 * i + 1] = (a[i] >> 4) & 15;
+	}
+	/* each e[i] is between 0 and 15 */
+	/* e[63] is between 0 and 7 */
+
+	for (i = 0; i < 63; ++i) {
+		e[i] += carry;
+		carry = e[i] + 8;
+		carry >>= 4;
+		e[i] -= carry * ((int8_t) 1 << 4);
+	}
+	e[63] += carry;
+	/* each e[i] is between -8 and 8 */
+
+	ge_p3_0(h);
+	for (i = 1; i < 64; i += 2)
+	{
+		ge_select(&t,i / 2,e[i]);
+		ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
+	}
+
+	ge_p3_dbl(&r,h);  ge_p1p1_to_p2(&s,&r);
+	ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
+	ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
+	ge_p2_dbl(&r,&s); ge_p1p1_to_p3(h,&r);
+
+	for (i = 0; i < 64; i += 2)
+	{
+		ge_select(&t,i / 2,e[i]);
+		ge_madd(&r,h,&t);
+		ge_p1p1_to_p3(h,&r);
+	}
+}
+
+/**
+ * Input:
+ * a[0]+256*a[1]+...+256^31*a[31] = a
+ * b[0]+256*b[1]+...+256^31*b[31] = b
+ * c[0]+256*c[1]+...+256^31*c[31] = c
+ *
+ * Output:
+ * s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
+ * where l = 2^252 + 27742317777372353535851937790883648493.
+ */
+void sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, const uint8_t *c)
+{
+	int64_t a0  = 2097151 & load_3(a);
+	int64_t a1  = 2097151 & (load_4(a + 2) >> 5);
+	int64_t a2  = 2097151 & (load_3(a + 5) >> 2);
+	int64_t a3  = 2097151 & (load_4(a + 7) >> 7);
+	int64_t a4  = 2097151 & (load_4(a + 10) >> 4);
+	int64_t a5  = 2097151 & (load_3(a + 13) >> 1);
+	int64_t a6  = 2097151 & (load_4(a + 15) >> 6);
+	int64_t a7  = 2097151 & (load_3(a + 18) >> 3);
+	int64_t a8  = 2097151 & load_3(a + 21);
+	int64_t a9  = 2097151 & (load_4(a + 23) >> 5);
+	int64_t a10 = 2097151 & (load_3(a + 26) >> 2);
+	int64_t a11 = (load_4(a + 28) >> 7);
+
+	int64_t b0  = 2097151 & load_3(b);
+	int64_t b1  = 2097151 & (load_4(b + 2) >> 5);
+	int64_t b2  = 2097151 & (load_3(b + 5) >> 2);
+	int64_t b3  = 2097151 & (load_4(b + 7) >> 7);
+	int64_t b4  = 2097151 & (load_4(b + 10) >> 4);
+	int64_t b5  = 2097151 & (load_3(b + 13) >> 1);
+	int64_t b6  = 2097151 & (load_4(b + 15) >> 6);
+	int64_t b7  = 2097151 & (load_3(b + 18) >> 3);
+	int64_t b8  = 2097151 & load_3(b + 21);
+	int64_t b9  = 2097151 & (load_4(b + 23) >> 5);
+	int64_t b10 = 2097151 & (load_3(b + 26) >> 2);
+	int64_t b11 = (load_4(b + 28) >> 7);
+
+	int64_t c0  = 2097151 & load_3(c);
+	int64_t c1  = 2097151 & (load_4(c + 2) >> 5);
+	int64_t c2  = 2097151 & (load_3(c + 5) >> 2);
+	int64_t c3  = 2097151 & (load_4(c + 7) >> 7);
+	int64_t c4  = 2097151 & (load_4(c + 10) >> 4);
+	int64_t c5  = 2097151 & (load_3(c + 13) >> 1);
+	int64_t c6  = 2097151 & (load_4(c + 15) >> 6);
+	int64_t c7  = 2097151 & (load_3(c + 18) >> 3);
+	int64_t c8  = 2097151 & load_3(c + 21);
+	int64_t c9  = 2097151 & (load_4(c + 23) >> 5);
+	int64_t c10 = 2097151 & (load_3(c + 26) >> 2);
+	int64_t c11 = (load_4(c + 28) >> 7);
+
+	int64_t s0,  s1,  s2,  s3,  s4,  s5,  s6,  s7,  s8,  s9,  s10, s11;
+	int64_t s12, s13, s14, s15, s16, s17, s18, s19, s20, s21, s22, s23;
+
+	int64_t carry0,  carry1,  carry2,   carry3, carry4,  carry5,  carry6;
+	int64_t carry7,  carry8,  carry9,  carry10, carry11, carry12, carry13;
+	int64_t carry14, carry15, carry16, carry17, carry18, carry19, carry20;
+	int64_t carry21, carry22;
+
+	s0 = c0 + a0*b0;
+	s1 = c1 + a0*b1 + a1*b0;
+	s2 = c2 + a0*b2 + a1*b1 + a2*b0;
+	s3 = c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0;
+	s4 = c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0;
+	s5 = c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0;
+	s6 = c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0;
+	s7 = c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0;
+	s8 = c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0;
+	s9 = c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0;
+	s10 = c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0;
+	s11 = c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0;
+	s12 = a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1;
+	s13 = a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2;
+	s14 = a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3;
+	s15 = a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4;
+	s16 = a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5;
+	s17 = a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6;
+	s18 = a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7;
+	s19 = a8*b11 + a9*b10 + a10*b9 + a11*b8;
+	s20 = a9*b11 + a10*b10 + a11*b9;
+	s21 = a10*b11 + a11*b10;
+	s22 = a11*b11;
+	s23 = 0;
+
+	carry0 = (s0 + (int64_t) (1L << 20)) >> 21;
+	s1 += carry0;
+	s0 -= carry0 * ((uint64_t) 1L << 21);
+
+	carry2 = (s2 + (int64_t) (1L << 20)) >> 21;
+	s3 += carry2;
+	s2 -= carry2 * ((uint64_t) 1L << 21);
+
+	carry4 = (s4 + (int64_t) (1L << 20)) >> 21;
+	s5 += carry4;
+	s4 -= carry4 * ((uint64_t) 1L << 21);
+
+	carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
+	s7 += carry6;
+	s6 -= carry6 * ((uint64_t) 1L << 21);
+
+	carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
+	s9 += carry8;
+	s8 -= carry8 * ((uint64_t) 1L << 21);
+
+	carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
+	s11 += carry10;
+	s10 -= carry10 * ((uint64_t) 1L << 21);
+
+	carry12 = (s12 + (int64_t) (1L << 20)) >> 21;
+	s13 += carry12;
+	s12 -= carry12 * ((uint64_t) 1L << 21);
+
+	carry14 = (s14 + (int64_t) (1L << 20)) >> 21;
+	s15 += carry14;
+	s14 -= carry14 * ((uint64_t) 1L << 21);
+
+	carry16 = (s16 + (int64_t) (1L << 20)) >> 21;
+	s17 += carry16;
+	s16 -= carry16 * ((uint64_t) 1L << 21);
+
+	carry18 = (s18 + (int64_t) (1L << 20)) >> 21;
+	s19 += carry18;
+	s18 -= carry18 * ((uint64_t) 1L << 21);
+
+	carry20 = (s20 + (int64_t) (1L << 20)) >> 21;
+	s21 += carry20;
+	s20 -= carry20 * ((uint64_t) 1L << 21);
+
+	carry22 = (s22 + (int64_t) (1L << 20)) >> 21;
+	s23 += carry22;
+	s22 -= carry22 * ((uint64_t) 1L << 21);
+
+	carry1 = (s1 + (int64_t) (1L << 20)) >> 21;
+	s2 += carry1;
+	s1 -= carry1 * ((uint64_t) 1L << 21);
+
+	carry3 = (s3 + (int64_t) (1L << 20)) >> 21;
+	s4 += carry3;
+	s3 -= carry3 * ((uint64_t) 1L << 21);
+
+	carry5 = (s5 + (int64_t) (1L << 20)) >> 21;
+	s6 += carry5;
+	s5 -= carry5 * ((uint64_t) 1L << 21);
+
+	carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
+	s8 += carry7;
+	s7 -= carry7 * ((uint64_t) 1L << 21);
+
+	carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
+	s10 += carry9;
+	s9 -= carry9 * ((uint64_t) 1L << 21);
+
+	carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
+	s12 += carry11;
+	s11 -= carry11 * ((uint64_t) 1L << 21);
+
+	carry13 = (s13 + (int64_t) (1L << 20)) >> 21;
+	s14 += carry13;
+	s13 -= carry13 * ((uint64_t) 1L << 21);
+
+	carry15 = (s15 + (int64_t) (1L << 20)) >> 21;
+	s16 += carry15;
+	s15 -= carry15 * ((uint64_t) 1L << 21);
+
+	carry17 = (s17 + (int64_t) (1L << 20)) >> 21;
+	s18 += carry17;
+	s17 -= carry17 * ((uint64_t) 1L << 21);
+
+	carry19 = (s19 + (int64_t) (1L << 20)) >> 21;
+	s20 += carry19;
+	s19 -= carry19 * ((uint64_t) 1L << 21);
+
+	carry21 = (s21 + (int64_t) (1L << 20)) >> 21;
+	s22 += carry21;
+	s21 -= carry21 * ((uint64_t) 1L << 21);
+
+	s11 += s23 * 666643;
+	s12 += s23 * 470296;
+	s13 += s23 * 654183;
+	s14 -= s23 * 997805;
+	s15 += s23 * 136657;
+	s16 -= s23 * 683901;
+
+	s10 += s22 * 666643;
+	s11 += s22 * 470296;
+	s12 += s22 * 654183;
+	s13 -= s22 * 997805;
+	s14 += s22 * 136657;
+	s15 -= s22 * 683901;
+
+	s9  += s21 * 666643;
+	s10 += s21 * 470296;
+	s11 += s21 * 654183;
+	s12 -= s21 * 997805;
+	s13 += s21 * 136657;
+	s14 -= s21 * 683901;
+
+	s8  += s20 * 666643;
+	s9  += s20 * 470296;
+	s10 += s20 * 654183;
+	s11 -= s20 * 997805;
+	s12 += s20 * 136657;
+	s13 -= s20 * 683901;
+
+	s7  += s19 * 666643;
+	s8  += s19 * 470296;
+	s9  += s19 * 654183;
+	s10 -= s19 * 997805;
+	s11 += s19 * 136657;
+	s12 -= s19 * 683901;
+
+	s6  += s18 * 666643;
+	s7  += s18 * 470296;
+	s8  += s18 * 654183;
+	s9  -= s18 * 997805;
+	s10 += s18 * 136657;
+	s11 -= s18 * 683901;
+
+	carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
+	s7 += carry6;
+	s6 -= carry6 * ((uint64_t) 1L << 21);
+
+	carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
+	s9 += carry8;
+	s8 -= carry8 * ((uint64_t) 1L << 21);
+
+	carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
+	s11 += carry10;
+	s10 -= carry10 * ((uint64_t) 1L << 21);
+
+	carry12 = (s12 + (int64_t) (1L << 20)) >> 21;
+	s13 += carry12;
+	s12 -= carry12 * ((uint64_t) 1L << 21);
+
+	carry14 = (s14 + (int64_t) (1L << 20)) >> 21;
+	s15 += carry14;
+	s14 -= carry14 * ((uint64_t) 1L << 21);
+
+	carry16 = (s16 + (int64_t) (1L << 20)) >> 21;
+	s17 += carry16;
+	s16 -= carry16 * ((uint64_t) 1L << 21);
+
+	carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
+	s8 += carry7;
+	s7 -= carry7 * ((uint64_t) 1L << 21);
+
+	carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
+	s10 += carry9;
+	s9 -= carry9 * ((uint64_t) 1L << 21);
+
+	carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
+	s12 += carry11;
+	s11 -= carry11 * ((uint64_t) 1L << 21);
+
+	carry13 = (s13 + (int64_t) (1L << 20)) >> 21;
+	s14 += carry13;
+	s13 -= carry13 * ((uint64_t) 1L << 21);
+
+	carry15 = (s15 + (int64_t) (1L << 20)) >> 21;
+	s16 += carry15;
+	s15 -= carry15 * ((uint64_t) 1L << 21);
+
+	s5  += s17 * 666643;
+	s6  += s17 * 470296;
+	s7  += s17 * 654183;
+	s8  -= s17 * 997805;
+	s9  += s17 * 136657;
+	s10 -= s17 * 683901;
+
+	s4  += s16 * 666643;
+	s5  += s16 * 470296;
+	s6  += s16 * 654183;
+	s7  -= s16 * 997805;
+	s8  += s16 * 136657;
+	s9  -= s16 * 683901;
+
+	s3  += s15 * 666643;
+	s4  += s15 * 470296;
+	s5  += s15 * 654183;
+	s6  -= s15 * 997805;
+	s7  += s15 * 136657;
+	s8  -= s15 * 683901;
+
+	s2  += s14 * 666643;
+	s3  += s14 * 470296;
+	s4  += s14 * 654183;
+	s5  -= s14 * 997805;
+	s6  += s14 * 136657;
+	s7  -= s14 * 683901;
+
+	s1  += s13 * 666643;
+	s2  += s13 * 470296;
+	s3  += s13 * 654183;
+	s4  -= s13 * 997805;
+	s5  += s13 * 136657;
+	s6  -= s13 * 683901;
+
+	s0  += s12 * 666643;
+	s1  += s12 * 470296;
+	s2  += s12 * 654183;
+	s3  -= s12 * 997805;
+	s4  += s12 * 136657;
+	s5  -= s12 * 683901;
+	s12 = 0;
+
+	carry0 = (s0 + (int64_t) (1L << 20)) >> 21;
+	s1 += carry0;
+	s0 -= carry0 * ((uint64_t) 1L << 21);
+
+	carry2 = (s2 + (int64_t) (1L << 20)) >> 21;
+	s3 += carry2;
+	s2 -= carry2 * ((uint64_t) 1L << 21);
+
+	carry4 = (s4 + (int64_t) (1L << 20)) >> 21;
+	s5 += carry4;
+	s4 -= carry4 * ((uint64_t) 1L << 21);
+
+	carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
+	s7 += carry6;
+	s6 -= carry6 * ((uint64_t) 1L << 21);
+
+	carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
+	s9 += carry8;
+	s8 -= carry8 * ((uint64_t) 1L << 21);
+
+	carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
+	s11 += carry10;
+	s10 -= carry10 * ((uint64_t) 1L << 21);
+
+	carry1 = (s1 + (int64_t) (1L << 20)) >> 21;
+	s2 += carry1;
+	s1 -= carry1 * ((uint64_t) 1L << 21);
+
+	carry3 = (s3 + (int64_t) (1L << 20)) >> 21;
+	s4 += carry3;
+	s3 -= carry3 * ((uint64_t) 1L << 21);
+
+	carry5 = (s5 + (int64_t) (1L << 20)) >> 21;
+	s6 += carry5;
+	s5 -= carry5 * ((uint64_t) 1L << 21);
+
+	carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
+	s8 += carry7;
+	s7 -= carry7 * ((uint64_t) 1L << 21);
+
+	carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
+	s10 += carry9;
+	s9 -= carry9 * ((uint64_t) 1L << 21);
+
+	carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
+	s12 += carry11;
+	s11 -= carry11 * ((uint64_t) 1L << 21);
+
+	s0 += s12 * 666643;
+	s1 += s12 * 470296;
+	s2 += s12 * 654183;
+	s3 -= s12 * 997805;
+	s4 += s12 * 136657;
+	s5 -= s12 * 683901;
+	s12 = 0;
+
+	carry0 = s0 >> 21;
+	s1 += carry0;
+	s0 -= carry0 * ((uint64_t) 1L << 21);
+
+	carry1 = s1 >> 21;
+	s2 += carry1;
+	s1 -= carry1 * ((uint64_t) 1L << 21);
+
+	carry2 = s2 >> 21;
+	s3 += carry2;
+	s2 -= carry2 * ((uint64_t) 1L << 21);
+
+	carry3 = s3 >> 21;
+	s4 += carry3;
+	s3 -= carry3 * ((uint64_t) 1L << 21);
+
+	carry4 = s4 >> 21;
+	s5 += carry4;
+	s4 -= carry4 * ((uint64_t) 1L << 21);
+
+	carry5 = s5 >> 21;
+	s6 += carry5;
+	s5 -= carry5 * ((uint64_t) 1L << 21);
+
+	carry6 = s6 >> 21;
+	s7 += carry6;
+	s6 -= carry6 * ((uint64_t) 1L << 21);
+
+	carry7 = s7 >> 21;
+	s8 += carry7;
+	s7 -= carry7 * ((uint64_t) 1L << 21);
+
+	carry8 = s8 >> 21;
+	s9 += carry8;
+	s8 -= carry8 * ((uint64_t) 1L << 21);
+
+	carry9 = s9 >> 21;
+	s10 += carry9;
+	s9 -= carry9 * ((uint64_t) 1L << 21);
+
+	carry10 = s10 >> 21;
+	s11 += carry10;
+	s10 -= carry10 * ((uint64_t) 1L << 21);
+
+	carry11 = s11 >> 21;
+	s12 += carry11;
+	s11 -= carry11 * ((uint64_t) 1L << 21);
+
+	s0 += s12 * 666643;
+	s1 += s12 * 470296;
+	s2 += s12 * 654183;
+	s3 -= s12 * 997805;
+	s4 += s12 * 136657;
+	s5 -= s12 * 683901;
+
+	carry0 = s0 >> 21;
+	s1 += carry0;
+	s0 -= carry0 * ((uint64_t) 1L << 21);
+
+	carry1 = s1 >> 21;
+	s2 += carry1;
+	s1 -= carry1 * ((uint64_t) 1L << 21);
+
+	carry2 = s2 >> 21;
+	s3 += carry2;
+	s2 -= carry2 * ((uint64_t) 1L << 21);
+
+	carry3 = s3 >> 21;
+	s4 += carry3;
+	s3 -= carry3 * ((uint64_t) 1L << 21);
+
+	carry4 = s4 >> 21;
+	s5 += carry4;
+	s4 -= carry4 * ((uint64_t) 1L << 21);
+
+	carry5 = s5 >> 21;
+	s6 += carry5;
+	s5 -= carry5 * ((uint64_t) 1L << 21);
+
+	carry6 = s6 >> 21;
+	s7 += carry6;
+	s6 -= carry6 * ((uint64_t) 1L << 21);
+
+	carry7 = s7 >> 21;
+	s8 += carry7;
+	s7 -= carry7 * ((uint64_t) 1L << 21);
+
+	carry8 = s8 >> 21;
+	s9 += carry8;
+	s8 -= carry8 * ((uint64_t) 1L << 21);
+
+	carry9 = s9 >> 21;
+	s10 += carry9;
+	s9 -= carry9 * ((uint64_t) 1L << 21);
+
+	carry10 = s10 >> 21;
+	s11 += carry10;
+	s10 -= carry10 * ((uint64_t) 1L << 21);
+
+	s[0]  = s0 >> 0;
+	s[1]  = s0 >> 8;
+	s[2]  = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5));
+	s[3]  = s1 >> 3;
+	s[4]  = s1 >> 11;
+	s[5]  = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2));
+	s[6]  = s2 >> 6;
+	s[7]  = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7));
+	s[8]  = s3 >> 1;
+	s[9]  = s3 >> 9;
+	s[10] = (s3 >> 17) | (s4 * ((uint64_t) 1 << 4));
+	s[11] = s4 >> 4;
+	s[12] = s4 >> 12;
+	s[13] = (s4 >> 20) | (s5 * ((uint64_t) 1 << 1));
+	s[14] = s5 >> 7;
+	s[15] = (s5 >> 15) | (s6 * ((uint64_t) 1 << 6));
+	s[16] = s6 >> 2;
+	s[17] = s6 >> 10;
+	s[18] = (s6 >> 18) | (s7 * ((uint64_t) 1 << 3));
+	s[19] = s7 >> 5;
+	s[20] = s7 >> 13;
+	s[21] = s8 >> 0;
+	s[22] = s8 >> 8;
+	s[23] = (s8 >> 16) | (s9 * ((uint64_t) 1 << 5));
+	s[24] = s9 >> 3;
+	s[25] = s9 >> 11;
+	s[26] = (s9 >> 19) | (s10 * ((uint64_t) 1 << 2));
+	s[27] = s10 >> 6;
+	s[28] = (s10 >> 14) | (s11 * ((uint64_t) 1 << 7));
+	s[29] = s11 >> 1;
+	s[30] = s11 >> 9;
+	s[31] = s11 >> 17;
+}
+
+/**
+ * Input:
+ * s[0]+256*s[1]+...+256^63*s[63] = s
+ *
+ * Output:
+ * s[0]+256*s[1]+...+256^31*s[31] = s mod l
+ * where l = 2^252 + 27742317777372353535851937790883648493.
+ * Overwrites s in place.
+ */
+void sc_reduce(uint8_t *s)
+{
+	int64_t s0  = 2097151 & load_3(s);
+	int64_t s1  = 2097151 & (load_4(s + 2) >> 5);
+	int64_t s2  = 2097151 & (load_3(s + 5) >> 2);
+	int64_t s3  = 2097151 & (load_4(s + 7) >> 7);
+	int64_t s4  = 2097151 & (load_4(s + 10) >> 4);
+	int64_t s5  = 2097151 & (load_3(s + 13) >> 1);
+	int64_t s6  = 2097151 & (load_4(s + 15) >> 6);
+	int64_t s7  = 2097151 & (load_3(s + 18) >> 3);
+	int64_t s8  = 2097151 & load_3(s + 21);
+	int64_t s9  = 2097151 & (load_4(s + 23) >> 5);
+	int64_t s10 = 2097151 & (load_3(s + 26) >> 2);
+	int64_t s11 = 2097151 & (load_4(s + 28) >> 7);
+	int64_t s12 = 2097151 & (load_4(s + 31) >> 4);
+	int64_t s13 = 2097151 & (load_3(s + 34) >> 1);
+	int64_t s14 = 2097151 & (load_4(s + 36) >> 6);
+	int64_t s15 = 2097151 & (load_3(s + 39) >> 3);
+	int64_t s16 = 2097151 & load_3(s + 42);
+	int64_t s17 = 2097151 & (load_4(s + 44) >> 5);
+	int64_t s18 = 2097151 & (load_3(s + 47) >> 2);
+	int64_t s19 = 2097151 & (load_4(s + 49) >> 7);
+	int64_t s20 = 2097151 & (load_4(s + 52) >> 4);
+	int64_t s21 = 2097151 & (load_3(s + 55) >> 1);
+	int64_t s22 = 2097151 & (load_4(s + 57) >> 6);
+	int64_t s23 = (load_4(s + 60) >> 3);
+
+	int64_t carry0,  carry1,  carry2,   carry3,  carry4,  carry5,  carry6;
+	int64_t carry7,  carry8,  carry9,  carry10, carry11, carry12, carry13;
+	int64_t carry14, carry15, carry16;
+
+	s11 += s23 * 666643;
+	s12 += s23 * 470296;
+	s13 += s23 * 654183;
+	s14 -= s23 * 997805;
+	s15 += s23 * 136657;
+	s16 -= s23 * 683901;
+
+	s10 += s22 * 666643;
+	s11 += s22 * 470296;
+	s12 += s22 * 654183;
+	s13 -= s22 * 997805;
+	s14 += s22 * 136657;
+	s15 -= s22 * 683901;
+
+	s9  += s21 * 666643;
+	s10 += s21 * 470296;
+	s11 += s21 * 654183;
+	s12 -= s21 * 997805;
+	s13 += s21 * 136657;
+	s14 -= s21 * 683901;
+
+	s8  += s20 * 666643;
+	s9  += s20 * 470296;
+	s10 += s20 * 654183;
+	s11 -= s20 * 997805;
+	s12 += s20 * 136657;
+	s13 -= s20 * 683901;
+
+	s7  += s19 * 666643;
+	s8  += s19 * 470296;
+	s9  += s19 * 654183;
+	s10 -= s19 * 997805;
+	s11 += s19 * 136657;
+	s12 -= s19 * 683901;
+
+	s6  += s18 * 666643;
+	s7  += s18 * 470296;
+	s8  += s18 * 654183;
+	s9  -= s18 * 997805;
+	s10 += s18 * 136657;
+	s11 -= s18 * 683901;
+
+	carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
+	s7 += carry6;
+	s6 -= carry6 * ((uint64_t) 1L << 21);
+
+	carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
+	s9 += carry8;
+	s8 -= carry8 * ((uint64_t) 1L << 21);
+
+	carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
+	s11 += carry10;
+	s10 -= carry10 * ((uint64_t) 1L << 21);
+
+	carry12 = (s12 + (int64_t) (1L << 20)) >> 21;
+	s13 += carry12;
+	s12 -= carry12 * ((uint64_t) 1L << 21);
+
+	carry14 = (s14 + (int64_t) (1L << 20)) >> 21;
+	s15 += carry14;
+	s14 -= carry14 * ((uint64_t) 1L << 21);
+
+	carry16 = (s16 + (int64_t) (1L << 20)) >> 21;
+	s17 += carry16;
+	s16 -= carry16 * ((uint64_t) 1L << 21);
+
+	carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
+	s8 += carry7;
+	s7 -= carry7 * ((uint64_t) 1L << 21);
+
+	carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
+	s10 += carry9;
+	s9 -= carry9 * ((uint64_t) 1L << 21);
+
+	carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
+	s12 += carry11;
+	s11 -= carry11 * ((uint64_t) 1L << 21);
+
+	carry13 = (s13 + (int64_t) (1L << 20)) >> 21;
+	s14 += carry13;
+	s13 -= carry13 * ((uint64_t) 1L << 21);
+
+	carry15 = (s15 + (int64_t) (1L << 20)) >> 21;
+	s16 += carry15;
+	s15 -= carry15 * ((uint64_t) 1L << 21);
+
+	s5  += s17 * 666643;
+	s6  += s17 * 470296;
+	s7  += s17 * 654183;
+	s8  -= s17 * 997805;
+	s9  += s17 * 136657;
+	s10 -= s17 * 683901;
+
+	s4  += s16 * 666643;
+	s5  += s16 * 470296;
+	s6  += s16 * 654183;
+	s7  -= s16 * 997805;
+	s8  += s16 * 136657;
+	s9  -= s16 * 683901;
+
+	s3  += s15 * 666643;
+	s4  += s15 * 470296;
+	s5  += s15 * 654183;
+	s6  -= s15 * 997805;
+	s7  += s15 * 136657;
+	s8  -= s15 * 683901;
+
+	s2  += s14 * 666643;
+	s3  += s14 * 470296;
+	s4  += s14 * 654183;
+	s5  -= s14 * 997805;
+	s6  += s14 * 136657;
+	s7  -= s14 * 683901;
+
+	s1  += s13 * 666643;
+	s2  += s13 * 470296;
+	s3  += s13 * 654183;
+	s4  -= s13 * 997805;
+	s5  += s13 * 136657;
+	s6  -= s13 * 683901;
+
+	s0  += s12 * 666643;
+	s1  += s12 * 470296;
+	s2  += s12 * 654183;
+	s3  -= s12 * 997805;
+	s4  += s12 * 136657;
+	s5  -= s12 * 683901;
+	s12 = 0;
+
+	carry0 = (s0 + (int64_t) (1L << 20)) >> 21;
+	s1 += carry0;
+	s0 -= carry0 * ((uint64_t) 1L << 21);
+
+	carry2 = (s2 + (int64_t) (1L << 20)) >> 21;
+	s3 += carry2;
+	s2 -= carry2 * ((uint64_t) 1L << 21);
+
+	carry4 = (s4 + (int64_t) (1L << 20)) >> 21;
+	s5 += carry4;
+	s4 -= carry4 * ((uint64_t) 1L << 21);
+
+	carry6 = (s6 + (int64_t) (1L << 20)) >> 21;
+	s7 += carry6;
+	s6 -= carry6 * ((uint64_t) 1L << 21);
+
+	carry8 = (s8 + (int64_t) (1L << 20)) >> 21;
+	s9 += carry8;
+	s8 -= carry8 * ((uint64_t) 1L << 21);
+
+	carry10 = (s10 + (int64_t) (1L << 20)) >> 21;
+	s11 += carry10;
+	s10 -= carry10 * ((uint64_t) 1L << 21);
+
+	carry1 = (s1 + (int64_t) (1L << 20)) >> 21;
+	s2 += carry1;
+	s1 -= carry1 * ((uint64_t) 1L << 21);
+
+	carry3 = (s3 + (int64_t) (1L << 20)) >> 21;
+	s4 += carry3;
+	s3 -= carry3 * ((uint64_t) 1L << 21);
+
+	carry5 = (s5 + (int64_t) (1L << 20)) >> 21;
+	s6 += carry5;
+	s5 -= carry5 * ((uint64_t) 1L << 21);
+
+	carry7 = (s7 + (int64_t) (1L << 20)) >> 21;
+	s8 += carry7;
+	s7 -= carry7 * ((uint64_t) 1L << 21);
+
+	carry9 = (s9 + (int64_t) (1L << 20)) >> 21;
+	s10 += carry9;
+	s9 -= carry9 * ((uint64_t) 1L << 21);
+
+	carry11 = (s11 + (int64_t) (1L << 20)) >> 21;
+	s12 += carry11;
+	s11 -= carry11 * ((uint64_t) 1L << 21);
+
+	s0 += s12 * 666643;
+	s1 += s12 * 470296;
+	s2 += s12 * 654183;
+	s3 -= s12 * 997805;
+	s4 += s12 * 136657;
+	s5 -= s12 * 683901;
+	s12 = 0;
+
+	carry0 = s0 >> 21;
+	s1 += carry0;
+	s0 -= carry0 * ((uint64_t) 1L << 21);
+
+	carry1 = s1 >> 21;
+	s2 += carry1;
+	s1 -= carry1 * ((uint64_t) 1L << 21);
+
+	carry2 = s2 >> 21;
+	s3 += carry2;
+	s2 -= carry2 * ((uint64_t) 1L << 21);
+
+	carry3 = s3 >> 21;
+	s4 += carry3;
+	s3 -= carry3 * ((uint64_t) 1L << 21);
+
+	carry4 = s4 >> 21;
+	s5 += carry4;
+	s4 -= carry4 * ((uint64_t) 1L << 21);
+
+	carry5 = s5 >> 21;
+	s6 += carry5;
+	s5 -= carry5 * ((uint64_t) 1L << 21);
+
+	carry6 = s6 >> 21;
+	s7 += carry6;
+	s6 -= carry6 * ((uint64_t) 1L << 21);
+
+	carry7 = s7 >> 21;
+	s8 += carry7;
+	s7 -= carry7 * ((uint64_t) 1L << 21);
+
+	carry8 = s8 >> 21;
+	s9 += carry8;
+	s8 -= carry8 * ((uint64_t) 1L << 21);
+
+	carry9 = s9 >> 21;
+	s10 += carry9;
+	s9 -= carry9 * ((uint64_t) 1L << 21);
+
+	carry10 = s10 >> 21;
+	s11 += carry10;
+	s10 -= carry10 * ((uint64_t) 1L << 21);
+
+	carry11 = s11 >> 21;
+	s12 += carry11;
+	s11 -= carry11 * ((uint64_t) 1L << 21);
+
+	s0 += s12 * 666643;
+	s1 += s12 * 470296;
+	s2 += s12 * 654183;
+	s3 -= s12 * 997805;
+	s4 += s12 * 136657;
+	s5 -= s12 * 683901;
+
+	carry0 = s0 >> 21;
+	s1 += carry0;
+	s0 -= carry0 * ((uint64_t) 1L << 21);
+
+	carry1 = s1 >> 21;
+	s2 += carry1;
+	s1 -= carry1 * ((uint64_t) 1L << 21);
+
+	carry2 = s2 >> 21;
+	s3 += carry2;
+	s2 -= carry2 * ((uint64_t) 1L << 21);
+
+	carry3 = s3 >> 21;
+	s4 += carry3;
+	s3 -= carry3 * ((uint64_t) 1L << 21);
+
+	carry4 = s4 >> 21;
+	s5 += carry4;
+	s4 -= carry4 * ((uint64_t) 1L << 21);
+
+	carry5 = s5 >> 21;
+	s6 += carry5;
+	s5 -= carry5 * ((uint64_t) 1L << 21);
+
+	carry6 = s6 >> 21;
+	s7 += carry6;
+	s6 -= carry6 * ((uint64_t) 1L << 21);
+
+	carry7 = s7 >> 21;
+	s8 += carry7;
+	s7 -= carry7 * ((uint64_t) 1L << 21);
+
+	carry8 = s8 >> 21;
+	s9 += carry8;
+	s8 -= carry8 * ((uint64_t) 1L << 21);
+
+	carry9 = s9 >> 21;
+	s10 += carry9;
+	s9 -= carry9 * ((uint64_t) 1L << 21);
+
+	carry10 = s10 >> 21;
+	s11 += carry10;
+	s10 -= carry10 * ((uint64_t) 1L << 21);
+
+	s[0]  = s0 >> 0;
+	s[1]  = s0 >> 8;
+	s[2]  = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5));
+	s[3]  = s1 >> 3;
+	s[4]  = s1 >> 11;
+	s[5]  = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2));
+	s[6]  = s2 >> 6;
+	s[7]  = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7));
+	s[8]  = s3 >> 1;
+	s[9]  = s3 >> 9;
+	s[10] = (s3 >> 17) | (s4 * ((uint64_t) 1 << 4));
+	s[11] = s4 >> 4;
+	s[12] = s4 >> 12;
+	s[13] = (s4 >> 20) | (s5 * ((uint64_t) 1 << 1));
+	s[14] = s5 >> 7;
+	s[15] = (s5 >> 15) | (s6 * ((uint64_t) 1 << 6));
+	s[16] = s6 >> 2;
+	s[17] = s6 >> 10;
+	s[18] = (s6 >> 18) | (s7 * ((uint64_t) 1 << 3));
+	s[19] = s7 >> 5;
+	s[20] = s7 >> 13;
+	s[21] = s8 >> 0;
+	s[22] = s8 >> 8;
+	s[23] = (s8 >> 16) | (s9 * ((uint64_t) 1 << 5));
+	s[24] = s9 >> 3;
+	s[25] = s9 >> 11;
+	s[26] = (s9 >> 19) | (s10 * ((uint64_t) 1 << 2));
+	s[27] = s10 >> 6;
+	s[28] = (s10 >> 14) | (s11 * ((uint64_t) 1 << 7));
+	s[29] = s11 >> 1;
+	s[30] = s11 >> 9;
+	s[31] = s11 >> 17;
+}
diff --git a/src/libstrongswan/plugins/curve25519/ref10/ref10.h b/src/libstrongswan/plugins/curve25519/ref10/ref10.h
new file mode 100644
index 0000000..b1d76da
--- /dev/null
+++ b/src/libstrongswan/plugins/curve25519/ref10/ref10.h
@@ -0,0 +1,93 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * Based on the public domain libsodium adaptation by Frank Denis
+ * of the SUPERCOP ref10 implementation by  Daniel J. Bernstein,
+ * Niels Duif, Peter Schwabe, Tanja Lange and Bo-Yin Yang.
+ */
+
+/**
+ * @defgroup curve25519_ref10 curve25519_ref10
+ * @{ @ingroup curve25519_p
+ */
+
+#ifndef REF10_H_
+#define REF10_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+typedef int32_t fe[10];
+
+/**
+ * fe means field element.
+ * Here the field is \\Z/(2^255-19).
+ * An element t, entries t[0]...t[9], represents the integer
+ * t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
+ * Bounds on each t[i] vary depending on context.
+ */
+
+/**
+ * ge means group element.
+ *
+ * Here the group is the set of pairs (x,y) of field elements (see fe.h)
+ * satisfying -x^2 + y^2 = 1 + d x^2y^2
+ * where d = -121665/121666.
+ *
+ * Representations:
+ * ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
+ * ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
+ * ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
+ * ge_precomp (Duif): (y+x,y-x,2dxy)
+ */
+
+typedef struct {
+	fe X;
+	fe Y;
+	fe Z;
+} ge_p2;
+
+typedef struct {
+	fe X;
+	fe Y;
+	fe Z;
+	fe T;
+} ge_p3;
+
+typedef struct {
+	fe X;
+	fe Y;
+	fe Z;
+	fe T;
+} ge_p1p1;
+
+typedef struct {
+	fe yplusx;
+	fe yminusx;
+	fe xy2d;
+} ge_precomp;
+
+typedef struct {
+	fe YplusX;
+	fe YminusX;
+	fe Z;
+	fe T2d;
+} ge_cached;
+
+extern void ge_tobytes(uint8_t *, const ge_p2 *);
+extern void ge_p3_tobytes(uint8_t *, const ge_p3 *);
+extern  int ge_frombytes_negate_vartime(ge_p3 *, const uint8_t *);
+extern void ge_scalarmult_base(ge_p3 *, const uint8_t *);
+extern void ge_double_scalarmult_vartime(ge_p2 *, const uint8_t *,
+			const ge_p3 *, const uint8_t *);
+
+/**
+ * The set of scalars is \\Z/l
+ * where l = 2^252 + 27742317777372353535851937790883648493.
+ */
+
+extern void sc_reduce(uint8_t *);
+extern void sc_muladd(uint8_t *, const uint8_t *, const uint8_t *, const uint8_t *);
+
+#endif /** REF10_H_ @}*/
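Review bot: The prototypes at the end of ref10.h have no parameter names, buffer lengths or contracts, and nothing marks `ge_frombytes_negate_vartime()` and `ge_double_scalarmult_vartime()` as unsafe for secret inputs. Both are variable-time by name, so a doc comment above them should restrict them to public data (presumably signature verification), e.g. `/* variable time: public inputs only, never a private scalar */`. Naming each parameter and stating the expected byte length, taken from ref10.c since the header does not give it, would let callers be checked without opening the implementation. The `ge` comment also refers to `fe.h`, which this adaptation does not appear to ship, and the `fe` description sits below the typedef it documents.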
diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in
index 7890585..b6cedd8 100644
--- a/src/libstrongswan/plugins/des/Makefile.in
+++ b/src/libstrongswan/plugins/des/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 327ebd3..347c697 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/files/Makefile.in b/src/libstrongswan/plugins/files/Makefile.in
index 4bfe127..10cbc6e 100644
--- a/src/libstrongswan/plugins/files/Makefile.in
+++ b/src/libstrongswan/plugins/files/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index cceb705..8b5e162 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in
index fb649f4..0f3878f 100644
--- a/src/libstrongswan/plugins/gcm/Makefile.in
+++ b/src/libstrongswan/plugins/gcm/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index f2396f4..ef246f9 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in
index bee1f80..de8f8fe 100644
--- a/src/libstrongswan/plugins/gmp/Makefile.in
+++ b/src/libstrongswan/plugins/gmp/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in
index c6e4e8d..3a87fcc 100644
--- a/src/libstrongswan/plugins/hmac/Makefile.in
+++ b/src/libstrongswan/plugins/hmac/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/keychain/Makefile.in b/src/libstrongswan/plugins/keychain/Makefile.in
index 1f5ae35..d113d9e 100644
--- a/src/libstrongswan/plugins/keychain/Makefile.in
+++ b/src/libstrongswan/plugins/keychain/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in
index 9c448cd..2005aaf 100644
--- a/src/libstrongswan/plugins/ldap/Makefile.in
+++ b/src/libstrongswan/plugins/ldap/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index d336a53..dad5327 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index a31d0a2..5f1ced2 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/mgf1/Makefile.in b/src/libstrongswan/plugins/mgf1/Makefile.in
index 189e214..42904a7 100644
--- a/src/libstrongswan/plugins/mgf1/Makefile.in
+++ b/src/libstrongswan/plugins/mgf1/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 57dab35..b617557 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/newhope/Makefile.in b/src/libstrongswan/plugins/newhope/Makefile.in
index be31fb2..24857b3 100644
--- a/src/libstrongswan/plugins/newhope/Makefile.in
+++ b/src/libstrongswan/plugins/newhope/Makefile.in
@@ -366,7 +366,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -401,6 +400,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/newhope/tests/Makefile.in b/src/libstrongswan/plugins/newhope/tests/Makefile.in
index 07ded5d..884a2eb 100644
--- a/src/libstrongswan/plugins/newhope/tests/Makefile.in
+++ b/src/libstrongswan/plugins/newhope/tests/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/nonce/Makefile.in b/src/libstrongswan/plugins/nonce/Makefile.in
index a19b2c4..8e04841 100644
--- a/src/libstrongswan/plugins/nonce/Makefile.in
+++ b/src/libstrongswan/plugins/nonce/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/ntru/Makefile.in b/src/libstrongswan/plugins/ntru/Makefile.in
index 5cbba39..c47f90b 100644
--- a/src/libstrongswan/plugins/ntru/Makefile.in
+++ b/src/libstrongswan/plugins/ntru/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index dd8a17e..798ee5f 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -367,7 +367,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -402,6 +401,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index 11d6e8e..11185e0 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -327,9 +327,12 @@ METHOD(diffie_hellman_t, destroy, void,
 /**
  * ECC Brainpool curves are not available in OpenSSL releases < 1.0.2, but we
  * don't check the version in case somebody backported them.
+ *
+ * BoringSSL defines the constants but not the curves.
  */
 #if (!defined(NID_brainpoolP224r1) || !defined(NID_brainpoolP256r1) || \
-	 !defined(NID_brainpoolP384r1) || !defined(NID_brainpoolP512r1))
+	 !defined(NID_brainpoolP384r1) || !defined(NID_brainpoolP512r1) || \
+	 defined(OPENSSL_IS_BORINGSSL))
 
 /**
  * Parameters for ECC Brainpool curves
diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in
index abca5f7..1fe0e7b 100644
--- a/src/libstrongswan/plugins/padlock/Makefile.in
+++ b/src/libstrongswan/plugins/padlock/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in
index 8cafb9e..e3d7c77 100644
--- a/src/libstrongswan/plugins/pem/Makefile.in
+++ b/src/libstrongswan/plugins/pem/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c
index 35ea3e8..76b0b7b 100644
--- a/src/libstrongswan/plugins/pem/pem_encoder.c
+++ b/src/libstrongswan/plugins/pem/pem_encoder.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2010-2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -37,7 +37,11 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 			if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER,
 									&asn1, CRED_PART_END) ||
 				cred_encoding_args(args, CRED_PART_ECDSA_PUB_ASN1_DER,
-									&asn1, CRED_PART_END))
+									&asn1, CRED_PART_END) ||
+				cred_encoding_args(args, CRED_PART_EDDSA_PUB_ASN1_DER,
+									&asn1, CRED_PART_END) ||
+				cred_encoding_args(args, CRED_PART_BLISS_PUB_ASN1_DER,
+								   &asn1, CRED_PART_END))
 			{
 				break;
 			}
@@ -53,11 +57,6 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 					break;
 				}
 			}
-			if (cred_encoding_args(args, CRED_PART_BLISS_PUB_ASN1_DER,
-								   &asn1, CRED_PART_END))
-			{
-				break;
-			}
 			return FALSE;
 		case PRIVKEY_PEM:
 			label ="RSA PRIVATE KEY";
@@ -97,6 +96,12 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding,
 				label ="BLISS PRIVATE KEY";
 				break;
 			}
+			if (cred_encoding_args(args, CRED_PART_EDDSA_PRIV_ASN1_DER,
+								   &asn1, CRED_PART_END))
+			{
+				label ="PRIVATE KEY";
+				break;
+			}
 			return FALSE;
 		case CERT_PEM:
 			if (cred_encoding_args(args, CRED_PART_X509_ASN1_DER,
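Review bot: The added EdDSA branch in the `PRIVKEY_PEM` case sets the unqualified label `"PRIVATE KEY"` with no comment explaining why it differs from the algorithm-specific labels used by the branches above it. That label denotes a PKCS#8 PrivateKeyInfo, so it is only correct if `CRED_PART_EDDSA_PRIV_ASN1_DER` holds the PKCS#8-wrapped key rather than the bare key octets. The encoder that fills that part is not visible in this hunk. I would add `/* EdDSA keys are exported as PKCS#8 PrivateKeyInfo, hence the generic label */` above the assignment once that has been confirmed. pem_encoder_encode starts and ends outside the hunk.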
diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c
index d5bcbb6..662b0fe 100644
--- a/src/libstrongswan/plugins/pem/pem_plugin.c
+++ b/src/libstrongswan/plugins/pem/pem_plugin.c
@@ -63,6 +63,9 @@ METHOD(plugin_t, get_features, int,
 		PLUGIN_REGISTER(PRIVKEY, pem_private_key_load, FALSE),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_BLISS),
 				PLUGIN_DEPENDS(PRIVKEY, KEY_BLISS),
+		PLUGIN_REGISTER(PRIVKEY, pem_private_key_load, FALSE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
+				PLUGIN_DEPENDS(PRIVKEY, KEY_ED25519),
 
 		/* public key PEM decoding */
 		PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE),
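Review bot: Only `KEY_ED25519` is registered for `pem_private_key_load` here and for `pem_public_key_load` in the next hunk, while pkcs1_plugin.c and pkcs8_plugin.c in the same commit also list `KEY_ED448`. If Ed448 keys are meant to be loadable from PEM with an explicit key type, this feature list needs matching `KEY_ED448` register/provide/depends entries for both PRIVKEY and PUBKEY. If it is left out on purpose because no Ed448 backend exists yet, a one-line comment such as `/* KEY_ED448 not registered: no backend yet */` would settle the question for the next reader. get_features starts and ends outside both hunks.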
@@ -79,6 +82,10 @@ METHOD(plugin_t, get_features, int,
 				PLUGIN_DEPENDS(PUBKEY, KEY_DSA),
 		PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_BLISS),
+				PLUGIN_DEPENDS(PUBKEY, KEY_BLISS),
+		PLUGIN_REGISTER(PUBKEY, pem_public_key_load, FALSE),
+			PLUGIN_PROVIDE(PUBKEY, KEY_ED25519),
+				PLUGIN_DEPENDS(PUBKEY, KEY_ED25519),
 
 		/* certificate PEM decoding */
 		PLUGIN_REGISTER(CERT_DECODE, pem_certificate_load, FALSE),
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in
index 0bddf9c..5523402 100644
--- a/src/libstrongswan/plugins/pgp/Makefile.in
+++ b/src/libstrongswan/plugins/pgp/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in
index 708f5a6..3cdc731 100644
--- a/src/libstrongswan/plugins/pkcs1/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
index 766832d..f642947 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_builder.c
@@ -75,6 +75,13 @@ static public_key_t *parse_public_key(chunk_t blob)
 								KEY_BLISS, BUILD_BLOB_ASN1_DER, blob, BUILD_END);
 					goto end;
 				}
+				else if (oid == OID_ED25519)
+				{
+					/* Need the whole subjectPublicKeyInfo for Ed25519 public keys */
+					key = lib->creds->create(lib->creds, CRED_PUBLIC_KEY,
+								KEY_ED25519, BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+					goto end;
+				}
 				else
 				{
 					/* key type not supported */
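Review bot: The new branch matches `OID_ED25519` only, so an Ed448 subjectPublicKeyInfo still ends up in the `/* key type not supported */` branch. That is inconsistent with pkcs1_plugin.c in this commit, which adds `PLUGIN_SDEPEND(PUBKEY, KEY_ED448)`, and with pkcs8_builder.c, which maps `OID_ED448`. Either add a parallel `else if (oid == OID_ED448)` branch that passes `KEY_ED448` with the whole blob, or note in the comment that Ed448 is deliberately not handled yet. The branch is also a copy of the BLISS one above it apart from the key type, so the two could share one `create()` call. parse_public_key starts and ends outside the hunk.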
@@ -259,7 +266,7 @@ end:
  * }
  *
  * While the parameters and publicKey fields are OPTIONAL, RFC 5915 says that
- * paramaters MUST be included and publicKey SHOULD be.
+ * parameters MUST be included and publicKey SHOULD be.
  */
 static bool is_ec_private_key(chunk_t blob)
 {
diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
index ec1bdf5..b887740 100644
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
+++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c
@@ -52,6 +52,9 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(PUBKEY, KEY_ANY),
 				PLUGIN_SDEPEND(PUBKEY, KEY_RSA),
 				PLUGIN_SDEPEND(PUBKEY, KEY_ECDSA),
+				PLUGIN_SDEPEND(PUBKEY, KEY_ED25519),
+				PLUGIN_SDEPEND(PUBKEY, KEY_ED448),
+				PLUGIN_SDEPEND(PUBKEY, KEY_BLISS),
 				PLUGIN_SDEPEND(PUBKEY, KEY_DSA),
 		PLUGIN_REGISTER(PUBKEY, pkcs1_public_key_load, FALSE),
 			PLUGIN_PROVIDE(PUBKEY, KEY_RSA),
diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in
index 6c10c08..f4fffd3 100644
--- a/src/libstrongswan/plugins/pkcs11/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs11/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs12/Makefile.in b/src/libstrongswan/plugins/pkcs12/Makefile.in
index 7e81b05..72996f1 100644
--- a/src/libstrongswan/plugins/pkcs12/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs12/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs7/Makefile.in b/src/libstrongswan/plugins/pkcs7/Makefile.in
index cbd1996..6224b1b 100644
--- a/src/libstrongswan/plugins/pkcs7/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs7/Makefile.in
@@ -361,7 +361,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -396,6 +395,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs8/Makefile.in b/src/libstrongswan/plugins/pkcs8/Makefile.in
index 3d27d61..475de08 100644
--- a/src/libstrongswan/plugins/pkcs8/Makefile.in
+++ b/src/libstrongswan/plugins/pkcs8/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
index e93a836..beb8866 100644
--- a/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
+++ b/src/libstrongswan/plugins/pkcs8/pkcs8_builder.c
@@ -47,6 +47,7 @@ static private_key_t *parse_private_key(chunk_t blob)
 	int objectID;
 	private_key_t *key = NULL;
 	key_type_t type = KEY_ANY;
+	builder_part_t part = BUILD_BLOB_ASN1_DER;
 
 	parser = asn1_parser_create(pkinfoObjects, blob);
 	parser->set_flags(parser, FALSE, TRUE);
@@ -68,6 +69,14 @@ static private_key_t *parse_private_key(chunk_t blob)
 					case OID_EC_PUBLICKEY:
 						type = KEY_ECDSA;
 						break;
+					case OID_ED25519:
+						type = KEY_ED25519;
+						part = BUILD_EDDSA_PRIV_ASN1_DER;
+						break;
+					case OID_ED448:
+						type = KEY_ED448;
+						part = BUILD_EDDSA_PRIV_ASN1_DER;
+						break;
 					default:
 						/* key type not supported */
 						goto end;
@@ -81,14 +90,12 @@ static private_key_t *parse_private_key(chunk_t blob)
 				{
 					key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
 											 type, BUILD_BLOB_ALGID_PARAMS,
-											 params, BUILD_BLOB_ASN1_DER,
-											 object, BUILD_END);
+											 params, part, object, BUILD_END);
 				}
 				else
 				{
 					key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY,
-											 type, BUILD_BLOB_ASN1_DER, object,
-											 BUILD_END);
+											 type, part, object, BUILD_END);
 				}
 				DBG2(DBG_ASN, "-- < --");
 				break;
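Review bot: The first `create()` call in this hunk forwards `params` via `BUILD_BLOB_ALGID_PARAMS` together with the new `part`, so an Ed25519 or Ed448 PrivateKeyInfo whose AlgorithmIdentifier carries parameters is handed on to the EdDSA builder instead of being rejected here. RFC 8410 requires the parameters to be absent for these OIDs, and whether the builder refuses the extra part cannot be seen from this diff. Assuming `params` is already parsed when the OID switch runs, the `OID_ED25519` and `OID_ED448` cases could fail closed with `if (params.len) { goto end; }`. Otherwise document on the `part` declaration that parameter checking is left to the builder. parse_private_key starts and ends outside the hunk.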
diff --git a/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c b/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c
index 129fbb0..fcd8f11 100644
--- a/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c
+++ b/src/libstrongswan/plugins/pkcs8/pkcs8_plugin.c
@@ -46,6 +46,8 @@ METHOD(plugin_t, get_features, int,
 			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_RSA),
 			PLUGIN_PROVIDE(PRIVKEY, KEY_ECDSA),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ED25519),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ED448),
 	};
 	*features = f;
 	return countof(f);
diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c
index 5787eac..e4698fa 100644
--- a/src/libstrongswan/plugins/plugin_loader.c
+++ b/src/libstrongswan/plugins/plugin_loader.c
@@ -107,7 +107,7 @@ struct registered_feature_t {
 /**
  * Hash a registered feature
  */
-static bool registered_feature_hash(registered_feature_t *this)
+static u_int registered_feature_hash(registered_feature_t *this)
 {
 	return plugin_feature_hash(this->feature);
 }
@@ -1367,7 +1367,7 @@ void plugin_loader_add_plugindirs(char *basedir, char *plugins)
 	enumerator_t *enumerator;
 	char *name, path[PATH_MAX], dir[64];
 
-	enumerator = enumerator_create_token(plugins, " ", "");
+	enumerator = enumerator_create_token(plugins, " ", "!");
 	while (enumerator->enumerate(enumerator, &name))
 	{
 		snprintf(dir, sizeof(dir), "%s", name);
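Review bot: The changed `enumerator_create_token(plugins, " ", "!")` call now strips `!` from each token, but nothing at the call site says why. Presumably this removes the marker that flags a plugin as critical in the load list, so that the directory name is built from the bare plugin name. A short comment would make that explicit: `/* trim the '!' critical-plugin marker, it is not part of the directory name */`. plugin_loader_add_plugindirs continues outside the hunk.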
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in
index 40fd626..4b0b13e 100644
--- a/src/libstrongswan/plugins/pubkey/Makefile.in
+++ b/src/libstrongswan/plugins/pubkey/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in
index edd8eda..1cf00a5 100644
--- a/src/libstrongswan/plugins/random/Makefile.in
+++ b/src/libstrongswan/plugins/random/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/rc2/Makefile.in b/src/libstrongswan/plugins/rc2/Makefile.in
index 0fd1ad9..a57e15b 100644
--- a/src/libstrongswan/plugins/rc2/Makefile.in
+++ b/src/libstrongswan/plugins/rc2/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/rdrand/Makefile.in b/src/libstrongswan/plugins/rdrand/Makefile.in
index 88bc0af..a5d76c1 100644
--- a/src/libstrongswan/plugins/rdrand/Makefile.in
+++ b/src/libstrongswan/plugins/rdrand/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 4ec73ef..cfbbcd8 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index f2e3cdd..16ee0ec 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -36,6 +36,17 @@ struct private_revocation_validator_t {
 	 * Public revocation_validator_t interface.
 	 */
 	revocation_validator_t public;
+
+	/**
+	 * Enable OCSP validation
+	 */
+	bool enable_ocsp;
+
+	/**
+	 * Enable CRL validation
+	 */
+	bool enable_crl;
+
 };
 
 /**
@@ -732,54 +743,63 @@ METHOD(cert_validator_t, validate, bool,
 	certificate_t *issuer, bool online, u_int pathlen, bool anchor,
 	auth_cfg_t *auth)
 {
-	if (subject->get_type(subject) == CERT_X509 &&
-		issuer->get_type(issuer) == CERT_X509 &&
-		online)
+	if (online && (this->enable_ocsp || this->enable_crl) &&
+		subject->get_type(subject) == CERT_X509 &&
+		issuer->get_type(issuer) == CERT_X509)
 	{
 		DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
 					   subject->get_subject(subject));
-		switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
-						   pathlen ? NULL : auth))
+
+		if (this->enable_ocsp)
 		{
-			case VALIDATION_GOOD:
-				DBG1(DBG_CFG, "certificate status is good");
-				return TRUE;
-			case VALIDATION_REVOKED:
-			case VALIDATION_ON_HOLD:
-				/* has already been logged */
-				lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
-										subject);
-				return FALSE;
-			case VALIDATION_SKIPPED:
-				DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
-				break;
-			case VALIDATION_STALE:
-				DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
-				break;
-			case VALIDATION_FAILED:
-				DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
-				break;
+			switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
+							   pathlen ? NULL : auth))
+			{
+				case VALIDATION_GOOD:
+					DBG1(DBG_CFG, "certificate status is good");
+					return TRUE;
+				case VALIDATION_REVOKED:
+				case VALIDATION_ON_HOLD:
+					/* has already been logged */
+					lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+											subject);
+					return FALSE;
+				case VALIDATION_SKIPPED:
+					DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
+					break;
+				case VALIDATION_STALE:
+					DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
+					break;
+				case VALIDATION_FAILED:
+					DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
+					break;
+			}
 		}
-		switch (check_crl((x509_t*)subject, (x509_t*)issuer,
-						  pathlen ? NULL : auth))
+
+		if (this->enable_crl)
 		{
-			case VALIDATION_GOOD:
-				DBG1(DBG_CFG, "certificate status is good");
-				return TRUE;
-			case VALIDATION_REVOKED:
-			case VALIDATION_ON_HOLD:
-				/* has already been logged */
-				lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
-										subject);
-				return FALSE;
-			case VALIDATION_FAILED:
-			case VALIDATION_SKIPPED:
-				DBG1(DBG_CFG, "certificate status is not available");
-				break;
-			case VALIDATION_STALE:
-				DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
-				break;
+			switch (check_crl((x509_t*)subject, (x509_t*)issuer,
+							  pathlen ? NULL : auth))
+			{
+				case VALIDATION_GOOD:
+					DBG1(DBG_CFG, "certificate status is good");
+					return TRUE;
+				case VALIDATION_REVOKED:
+				case VALIDATION_ON_HOLD:
+					/* has already been logged */
+					lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+											subject);
+					return FALSE;
+				case VALIDATION_FAILED:
+				case VALIDATION_SKIPPED:
+					DBG1(DBG_CFG, "certificate status is not available");
+					break;
+				case VALIDATION_STALE:
+					DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
+					break;
+			}
 		}
+
 		lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_VALIDATION_FAILED,
 								subject);
 	}
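Review bot: The OCSP branch still logs "ocsp information stale, fallback to crl" and "ocsp check failed, fallback to crl", but with `enable_crl` off no CRL check follows and control goes straight to the CRED_HOOK_VALIDATION_FAILED hook. The messages should depend on the flag, e.g. `DBG1(DBG_CFG, "ocsp check failed%s", this->enable_crl ? ", fallback to crl" : "");`. Separately, when both flags are FALSE the whole block is skipped with no per-certificate log, so the start-up message is the only trace that revocation checking is off; a DBG2 line in validate() for that case would make it visible when a connection is being debugged. validate() begins and ends outside this hunk.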
@@ -804,7 +824,19 @@ revocation_validator_t *revocation_validator_create()
 			.validator.validate = _validate,
 			.destroy = _destroy,
 		},
+		.enable_ocsp = lib->settings->get_bool(lib->settings,
+							"%s.plugins.revocation.enable_ocsp", TRUE, lib->ns),
+		.enable_crl  = lib->settings->get_bool(lib->settings,
+							"%s.plugins.revocation.enable_crl",  TRUE, lib->ns),
 	);
 
+	if (!this->enable_ocsp)
+	{
+		DBG1(DBG_LIB, "all OCSP validation disabled");
+	}
+	if (!this->enable_crl)
+	{
+		DBG1(DBG_LIB, "all CRL validation disabled");
+	}
 	return &this->public;
 }
diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in
index 1933aa0..8e3301e 100644
--- a/src/libstrongswan/plugins/sha1/Makefile.in
+++ b/src/libstrongswan/plugins/sha1/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in
index 3fbb081..045d6e0 100644
--- a/src/libstrongswan/plugins/sha2/Makefile.in
+++ b/src/libstrongswan/plugins/sha2/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/sha3/Makefile.in b/src/libstrongswan/plugins/sha3/Makefile.in
index 9e237a9..9fc0a1a 100644
--- a/src/libstrongswan/plugins/sha3/Makefile.in
+++ b/src/libstrongswan/plugins/sha3/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
index 97ab307..5179004 100644
--- a/src/libstrongswan/plugins/soup/Makefile.in
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -358,7 +358,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +392,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in
index 4551ff7..8ffc4aa 100644
--- a/src/libstrongswan/plugins/sqlite/Makefile.in
+++ b/src/libstrongswan/plugins/sqlite/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/sshkey/Makefile.in b/src/libstrongswan/plugins/sshkey/Makefile.in
index 47e2234..8528b87 100644
--- a/src/libstrongswan/plugins/sshkey/Makefile.in
+++ b/src/libstrongswan/plugins/sshkey/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.am b/src/libstrongswan/plugins/test_vectors/Makefile.am
index c29b6fd..c4d9f2f 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.am
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.am
@@ -48,6 +48,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/modpsub.c \
 	test_vectors/ecp.c \
 	test_vectors/ecpbp.c \
+	test_vectors/curve25519.c \
 	test_vectors/rng.c
 
 libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in
index 56ae8dc..27741dd 100644
--- a/src/libstrongswan/plugins/test_vectors/Makefile.in
+++ b/src/libstrongswan/plugins/test_vectors/Makefile.in
@@ -155,7 +155,8 @@ am_libstrongswan_test_vectors_la_OBJECTS = test_vectors_plugin.lo \
 	test_vectors/sha2_hmac.lo test_vectors/sha3.lo \
 	test_vectors/sha3_shake.lo test_vectors/fips_prf.lo \
 	test_vectors/modp.lo test_vectors/modpsub.lo \
-	test_vectors/ecp.lo test_vectors/ecpbp.lo test_vectors/rng.lo
+	test_vectors/ecp.lo test_vectors/ecpbp.lo \
+	test_vectors/curve25519.lo test_vectors/rng.lo
 libstrongswan_test_vectors_la_OBJECTS =  \
 	$(am_libstrongswan_test_vectors_la_OBJECTS)
 AM_V_lt = $(am__v_lt_ at AM_V@)
@@ -377,7 +378,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -412,6 +412,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -507,6 +508,7 @@ libstrongswan_test_vectors_la_SOURCES = \
 	test_vectors/modpsub.c \
 	test_vectors/ecp.c \
 	test_vectors/ecpbp.c \
+	test_vectors/curve25519.c \
 	test_vectors/rng.c
 
 libstrongswan_test_vectors_la_LDFLAGS = -module -avoid-version
@@ -667,6 +669,8 @@ test_vectors/ecp.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
 test_vectors/ecpbp.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
+test_vectors/curve25519.lo: test_vectors/$(am__dirstamp) \
+	test_vectors/$(DEPDIR)/$(am__dirstamp)
 test_vectors/rng.lo: test_vectors/$(am__dirstamp) \
 	test_vectors/$(DEPDIR)/$(am__dirstamp)
 
@@ -696,6 +700,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/cast.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/chacha20_xof.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/chacha20poly1305.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/curve25519.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/des.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/ecp.Plo at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at test_vectors/$(DEPDIR)/ecpbp.Plo at am__quote@
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors.h b/src/libstrongswan/plugins/test_vectors/test_vectors.h
index 43633e3..a68f436 100644
--- a/src/libstrongswan/plugins/test_vectors/test_vectors.h
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors.h
@@ -303,3 +303,4 @@ TEST_VECTOR_DH(ecp224bp)
 TEST_VECTOR_DH(ecp256bp)
 TEST_VECTOR_DH(ecp384bp)
 TEST_VECTOR_DH(ecp512bp)
+TEST_VECTOR_DH(curve25519)
diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c b/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c
new file mode 100644
index 0000000..f46d81c
--- /dev/null
+++ b/src/libstrongswan/plugins/test_vectors/test_vectors/curve25519.c
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) 2015 Martin Willi
+ * Copyright (C) 2015 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the Licenseor (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be usefulbut
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <crypto/crypto_tester.h>
+
+/**
+ * From RFC 8031
+ */
+
+dh_test_vector_t curve25519 = {
+	.group = CURVE_25519, .priv_len = 32, .pub_len = 32, .shared_len = 32,
+	.priv_a	= "\x77\x07\x6d\x0a\x73\x18\xa5\x7d\x3c\x16\xc1\x72\x51\xb2\x66\x45"
+			  "\xdf\x4c\x2f\x87\xeb\xc0\x99\x2a\xb1\x77\xfb\xa5\x1d\xb9\x2c\x2a",
+	.priv_b	= "\x5d\xab\x08\x7e\x62\x4a\x8a\x4b\x79\xe1\x7f\x8b\x83\x80\x0e\xe6"
+			  "\x6f\x3b\xb1\x29\x26\x18\xb6\xfd\x1c\x2f\x8b\x27\xff\x88\xe0\xeb",
+	.pub_a	= "\x85\x20\xf0\x09\x89\x30\xa7\x54\x74\x8b\x7d\xdc\xb4\x3e\xf7\x5a"
+			  "\x0d\xbf\x3a\x0d\x26\x38\x1a\xf4\xeb\xa4\xa9\x8e\xaa\x9b\x4e\x6a",
+	.pub_b	= "\xde\x9e\xdb\x7d\x7b\x7d\xc1\xb4\xd3\x5b\x61\xc2\xec\xe4\x35\x37"
+			  "\x3f\x83\x43\xc8\x5b\x78\x67\x4d\xad\xfc\x7e\x14\x6f\x88\x2b\x4f",
+	.shared	= "\x4a\x5d\x9d\x5b\xa4\xce\x2d\xe1\x72\x8e\x3b\xf4\x80\x35\x0f\x25"
+			  "\xe0\x7e\x21\xc9\x47\xd1\x9e\x33\x76\xf0\x9b\x3c\x1e\x16\x17\x42",
+};
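Review bot: The source comment `From RFC 8031` may point at the wrong document. The key pairs and shared secret here look like the Alice/Bob Diffie-Hellman example in RFC 7748 section 6.1, whereas RFC 8031 is the document that defines the use of the curve in IKEv2. It is worth checking and, if confirmed, changing the comment to `From RFC 7748, section 6.1` so that the vector can be re-verified against its origin.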
diff --git a/src/libstrongswan/plugins/unbound/Makefile.in b/src/libstrongswan/plugins/unbound/Makefile.in
index 665f770..4822283 100644
--- a/src/libstrongswan/plugins/unbound/Makefile.in
+++ b/src/libstrongswan/plugins/unbound/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/winhttp/Makefile.in b/src/libstrongswan/plugins/winhttp/Makefile.in
index 672ff5f..9a26a98 100644
--- a/src/libstrongswan/plugins/winhttp/Makefile.in
+++ b/src/libstrongswan/plugins/winhttp/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in
index c96dac0..8d7f9a8 100644
--- a/src/libstrongswan/plugins/x509/Makefile.in
+++ b/src/libstrongswan/plugins/x509/Makefile.in
@@ -359,7 +359,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -394,6 +393,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 2b83f33..b77c5db 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1992,6 +1992,72 @@ chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn)
 					asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints)));
 }
 
+static chunk_t generate_ts(traffic_selector_t *ts)
+{
+	chunk_t from, to;
+	uint8_t minbits = 0, maxbits = 0, unused;
+	host_t *net;
+	int bit, byte;
+
+	if (ts->to_subnet(ts, &net, &minbits))
+	{
+		unused = round_up(minbits, BITS_PER_BYTE) - minbits;
+		from = asn1_wrap(ASN1_BIT_STRING, "m",
+			chunk_cat("cc", chunk_from_thing(unused),
+							chunk_create(net->get_address(net).ptr,
+										 (minbits + unused) / BITS_PER_BYTE)));
+		net->destroy(net);
+		return from;
+	}
+	net->destroy(net);
+
+	from = ts->get_from_address(ts);
+	for (byte = from.len - 1; byte >= 0; byte--)
+	{
+		if (from.ptr[byte] != 0)
+		{
+			minbits = byte * BITS_PER_BYTE + BITS_PER_BYTE;
+			for (bit = 0; bit < BITS_PER_BYTE; bit++)
+			{
+				if (from.ptr[byte] & 1 << bit)
+				{
+					break;
+				}
+				minbits--;
+			}
+			break;
+		}
+	}
+	to = ts->get_to_address(ts);
+	for (byte = to.len - 1; byte >= 0; byte--)
+	{
+		if (to.ptr[byte] != 0xFF)
+		{
+			maxbits = byte * BITS_PER_BYTE + BITS_PER_BYTE;
+			for (bit = 0; bit < BITS_PER_BYTE; bit++)
+			{
+				if ((to.ptr[byte] & 1 << bit) == 0)
+				{
+					break;
+				}
+				maxbits--;
+			}
+			break;
+		}
+	}
+	unused = round_up(minbits, BITS_PER_BYTE) - minbits;
+	from = asn1_wrap(ASN1_BIT_STRING, "m",
+			chunk_cat("cc", chunk_from_thing(unused),
+							chunk_create(from.ptr,
+										 (minbits + unused) / BITS_PER_BYTE)));
+	unused = round_up(maxbits, BITS_PER_BYTE) - maxbits;
+	to = asn1_wrap(ASN1_BIT_STRING, "m",
+			chunk_cat("cc", chunk_from_thing(unused),
+							chunk_create(to.ptr,
+										 (maxbits + unused) / BITS_PER_BYTE)));
+	return asn1_wrap(ASN1_SEQUENCE, "mm", from, to);
+}
+
 /**
  * Generate and sign a new certificate
  */
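Review bot: generate_ts() is added without a header comment, unlike generate() right below it, and its bit arithmetic is not obvious on first read. A comment such as `/** Encode a traffic selector as an RFC 3779 IPAddressOrRange: a single BIT STRING prefix if it maps exactly to a subnet, otherwise a SEQUENCE of min and max BIT STRINGs */` would help. Each loop also deserves one line saying that trailing zero bits are stripped from the lower bound and trailing one bits from the upper bound. The two loops differ only in the byte and bit value they skip, so a small static helper taking that value would remove the duplication.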
@@ -2008,6 +2074,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
 	chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
 	chunk_t ikeIntermediate = chunk_empty, msSmartcardLogon = chunk_empty;
+	chunk_t ipAddrBlocks = chunk_empty;
 	identification_t *issuer, *subject;
 	chunk_t key_info;
 	signature_scheme_t scheme;
@@ -2184,6 +2251,52 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 		}
 	}
 
+	if (cert->ipAddrBlocks->get_count(cert->ipAddrBlocks))
+	{
+		chunk_t v4blocks = chunk_empty, v6blocks = chunk_empty, block;
+		traffic_selector_t *ts;
+
+		enumerator = cert->ipAddrBlocks->create_enumerator(cert->ipAddrBlocks);
+		while (enumerator->enumerate(enumerator, &ts))
+		{
+			switch (ts->get_type(ts))
+			{
+				case TS_IPV4_ADDR_RANGE:
+					block = generate_ts(ts);
+					v4blocks = chunk_cat("mm", v4blocks, block);
+					break;
+				case TS_IPV6_ADDR_RANGE:
+					block = generate_ts(ts);
+					v6blocks = chunk_cat("mm", v6blocks, block);
+					break;
+				default:
+					break;
+			}
+		}
+		enumerator->destroy(enumerator);
+
+		if (v4blocks.ptr)
+		{
+			v4blocks = asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_wrap(ASN1_OCTET_STRING, "c",
+							chunk_from_chars(0x00,0x01)),
+						asn1_wrap(ASN1_SEQUENCE, "m", v4blocks));
+		}
+		if (v6blocks.ptr)
+		{
+			v6blocks = asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_wrap(ASN1_OCTET_STRING, "c",
+							chunk_from_chars(0x00,0x02)),
+						asn1_wrap(ASN1_SEQUENCE, "m", v6blocks));
+		}
+		ipAddrBlocks = asn1_wrap(ASN1_SEQUENCE, "mm",
+						asn1_build_known_oid(OID_IP_ADDR_BLOCKS),
+						asn1_wrap(ASN1_OCTET_STRING, "m",
+							asn1_wrap(ASN1_SEQUENCE, "mm",
+								v4blocks, v6blocks)));
+		cert->flags |= X509_IP_ADDR_BLOCKS;
+	}
+
 	if (cert->permitted_names->get_count(cert->permitted_names) ||
 		cert->excluded_names->get_count(cert->excluded_names))
 	{
@@ -2321,15 +2434,16 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	}
 
 	if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr ||
-		crlDistributionPoints.ptr || nameConstraints.ptr)
+		crlDistributionPoints.ptr || nameConstraints.ptr || ipAddrBlocks.ptr)
 	{
 		extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m",
-						asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmm",
+						asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmmm",
 							basicConstraints, keyUsage, subjectKeyIdentifier,
 							authKeyIdentifier, subjectAltNames,
 							extendedKeyUsage, crlDistributionPoints,
 							authorityInfoAccess, nameConstraints, certPolicies,
-							policyMappings, policyConstraints, inhibitAnyPolicy));
+							policyMappings, policyConstraints, inhibitAnyPolicy,
+							ipAddrBlocks));
 	}
 
 	cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm",
@@ -2492,6 +2606,22 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
 				cert->pathLenConstraint = (constraint < 128) ?
 										   constraint : X509_NO_CONSTRAINT;
 				continue;
+			case BUILD_ADDRBLOCKS:
+			{
+				enumerator_t *enumerator;
+				traffic_selector_t *ts;
+				linked_list_t *list;
+
+				list = va_arg(args, linked_list_t*);
+				enumerator = list->create_enumerator(list);
+				while (enumerator->enumerate(enumerator, &ts))
+				{
+					cert->ipAddrBlocks->insert_last(cert->ipAddrBlocks,
+													ts->clone(ts));
+				}
+				enumerator->destroy(enumerator);
+				continue;
+			}
 			case BUILD_PERMITTED_NAME_CONSTRAINTS:
 			{
 				enumerator_t *enumerator;
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index 44021e4..78f9268 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c
index da3ba97..0653b95 100644
--- a/src/libstrongswan/selectors/traffic_selector.c
+++ b/src/libstrongswan/selectors/traffic_selector.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2013 Tobias Brunner
+ * Copyright (C) 2007-2017 Tobias Brunner
  * Copyright (C) 2005-2007 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -550,26 +550,23 @@ METHOD(traffic_selector_t, is_dynamic, bool,
 METHOD(traffic_selector_t, set_address, void,
 	private_traffic_selector_t *this, host_t *host)
 {
-	if (is_host(this, NULL))
-	{
-		this->type = host->get_family(host) == AF_INET ?
-				TS_IPV4_ADDR_RANGE : TS_IPV6_ADDR_RANGE;
+	this->type = host->get_family(host) == AF_INET ? TS_IPV4_ADDR_RANGE
+												   : TS_IPV6_ADDR_RANGE;
 
-		if (host->is_anyaddr(host))
-		{
-			memset(this->from6, 0x00, sizeof(this->from6));
-			memset(this->to6, 0xFF, sizeof(this->to6));
-			this->netbits = 0;
-		}
-		else
-		{
-			chunk_t from = host->get_address(host);
-			memcpy(this->from, from.ptr, from.len);
-			memcpy(this->to, from.ptr, from.len);
-			this->netbits = from.len * 8;
-		}
-		this->dynamic = FALSE;
+	if (host->is_anyaddr(host))
+	{
+		memset(this->from6, 0x00, sizeof(this->from6));
+		memset(this->to6, 0xFF, sizeof(this->to6));
+		this->netbits = 0;
+	}
+	else
+	{
+		chunk_t from = host->get_address(host);
+		memcpy(this->from, from.ptr, from.len);
+		memcpy(this->to, from.ptr, from.len);
+		this->netbits = from.len * 8;
 	}
+	this->dynamic = FALSE;
 }
 
 METHOD(traffic_selector_t, is_contained_in, bool,
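Review bot: With the is_host() guard gone, set_address() overwrites any selector, so the non-%any branch can now run on a selector that previously held an address of the other family. It copies only `from.len` bytes into `this->from` and `this->to`, so if that storage is shared with `from6`/`to6` (as the memset in the other branch suggests) the bytes beyond `from.len` keep their old value. That is harmless only as long as every reader limits itself to the length implied by `this->type`. A short comment stating the assumption, e.g. `/* bytes beyond from.len are left as is, readers must use the length for this->type */`, would make it explicit.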
diff --git a/src/libstrongswan/selectors/traffic_selector.h b/src/libstrongswan/selectors/traffic_selector.h
index cc66c34..a9f7830 100644
--- a/src/libstrongswan/selectors/traffic_selector.h
+++ b/src/libstrongswan/selectors/traffic_selector.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2007-2013 Tobias Brunner
+ * Copyright (C) 2007-2017 Tobias Brunner
  * Copyright (C) 2005-2006 Martin Willi
  * Copyright (C) 2005 Jan Hutter
  * Hochschule fuer Technik Rapperswil
@@ -82,15 +82,15 @@ struct traffic_selector_t {
 	 *					- created subset of them
 	 *					- or NULL if no match between this and other
 	 */
-	traffic_selector_t *(*get_subset)  (traffic_selector_t *this,
-										traffic_selector_t *other);
+	traffic_selector_t *(*get_subset)(traffic_selector_t *this,
+									  traffic_selector_t *other);
 
 	/**
 	 * Clone a traffic selector.
 	 *
 	 * @return			clone of it
 	 */
-	traffic_selector_t *(*clone) (traffic_selector_t *this);
+	traffic_selector_t *(*clone)(traffic_selector_t *this);
 
 	/**
 	 * Get starting address of this ts as a chunk.
@@ -99,7 +99,7 @@ struct traffic_selector_t {
 	 *
 	 * @return			chunk containing the address
 	 */
-	chunk_t (*get_from_address) (traffic_selector_t *this);
+	chunk_t (*get_from_address)(traffic_selector_t *this);
 
 	/**
 	 * Get ending address of this ts as a chunk.
@@ -108,7 +108,7 @@ struct traffic_selector_t {
 	 *
 	 * @return			chunk containing the address
 	 */
-	chunk_t (*get_to_address) (traffic_selector_t *this);
+	chunk_t (*get_to_address)(traffic_selector_t *this);
 
 	/**
 	 * Get starting port of this ts.
@@ -122,7 +122,7 @@ struct traffic_selector_t {
 	 *
 	 * @return			port
 	 */
-	uint16_t (*get_from_port) (traffic_selector_t *this);
+	uint16_t (*get_from_port)(traffic_selector_t *this);
 
 	/**
 	 * Get ending port of this ts.
@@ -136,21 +136,21 @@ struct traffic_selector_t {
 	 *
 	 * @return			port
 	 */
-	uint16_t (*get_to_port) (traffic_selector_t *this);
+	uint16_t (*get_to_port)(traffic_selector_t *this);
 
 	/**
 	 * Get the type of the traffic selector.
 	 *
 	 * @return			ts_type_t specifying the type
 	 */
-	ts_type_t (*get_type) (traffic_selector_t *this);
+	ts_type_t (*get_type)(traffic_selector_t *this);
 
 	/**
 	 * Get the protocol id of this ts.
 	 *
 	 * @return			protocol id
 	 */
-	uint8_t (*get_protocol) (traffic_selector_t *this);
+	uint8_t (*get_protocol)(traffic_selector_t *this);
 
 	/**
 	 * Check if the traffic selector is for a single host.
@@ -158,29 +158,39 @@ struct traffic_selector_t {
 	 * Traffic selector may describe the end of *-to-host tunnel. In this
 	 * case, the address range is a single address equal to the hosts
 	 * peer address.
-	 * If host is NULL, the traffic selector is checked if it is a single host,
-	 * but not a specific one.
 	 *
-	 * @param host		host_t specifying the address range
+	 * If host is specified, the traffic selector must equal that specific
+	 * IP address.  If it is not specified, TRUE is also returned for dynamic
+	 * traffic selectors.
+	 *
+	 * @param host		IP address to check for, or NULL
+	 * @return			TRUE if TS is for a single host
 	 */
-	bool (*is_host) (traffic_selector_t *this, host_t* host);
+	bool (*is_host)(traffic_selector_t *this, host_t* host);
 
 	/**
-	 * Check if a traffic selector has been created by create_dynamic().
+	 * Check if this traffic selector was created by
+	 * traffic_selector_create_dynamic() but no address has yet been set with
+	 * set_address().
 	 *
 	 * @return			TRUE if TS is dynamic
 	 */
 	bool (*is_dynamic)(traffic_selector_t *this);
 
 	/**
-	 * Update the address of a traffic selector.
+	 * Set the traffic selector to the given IP address.
+	 *
+	 * If host is %any or %any6 the traffic selector gets set to 0.0.0.0/0 or
+	 * ::/0, respectively.
+	 *
+	 * Checking is_host(), is_dynamic() or includes() might be appropriate
+	 * before calling this.
 	 *
-	 * Update the address range of a traffic selector, if it is
-	 * constructed with the traffic_selector_create_dynamic().
+	 * is_dynamic() will return FALSE after calling this.
 	 *
-	 * @param host		host_t specifying the address
+	 * @param host		target IP address
 	 */
-	void (*set_address) (traffic_selector_t *this, host_t* host);
+	void (*set_address)(traffic_selector_t *this, host_t* host);
 
 	/**
 	 * Compare two traffic selectors for equality.
@@ -188,17 +198,17 @@ struct traffic_selector_t {
 	 * @param other		ts to compare with this
 	 * @return			TRUE if equal, FALSE otherwise
 	 */
-	bool (*equals) (traffic_selector_t *this, traffic_selector_t *other);
+	bool (*equals)(traffic_selector_t *this, traffic_selector_t *other);
 
 	/**
-	 * Check if a traffic selector is contained completly in another.
+	 * Check if a traffic selector is contained completely in another.
 	 *
 	 * contains() allows to check if multiple traffic selectors are redundant.
 	 *
 	 * @param other		ts that contains this
-	 * @return			TRUE if other contains this completly, FALSE otherwise
+	 * @return			TRUE if other contains this completely, FALSE otherwise
 	 */
-	bool (*is_contained_in) (traffic_selector_t *this, traffic_selector_t *other);
+	bool (*is_contained_in)(traffic_selector_t *this, traffic_selector_t *other);
 
 	/**
 	 * Check if a specific host is included in the address range of
@@ -206,7 +216,7 @@ struct traffic_selector_t {
 	 *
 	 * @param host		the host to check
 	 */
-	bool (*includes) (traffic_selector_t *this, host_t *host);
+	bool (*includes)(traffic_selector_t *this, host_t *host);
 
 	/**
 	 * Convert a traffic selector address range to a subnet
@@ -218,7 +228,7 @@ struct traffic_selector_t {
 	 * @param mask		converted net mask
 	 * @return			TRUE if traffic selector matches exactly to the subnet
 	 */
-	bool (*to_subnet) (traffic_selector_t *this, host_t **net, uint8_t *mask);
+	bool (*to_subnet)(traffic_selector_t *this, host_t **net, uint8_t *mask);
 
 	/**
 	 * Create a hash value for the traffic selector.
@@ -231,7 +241,7 @@ struct traffic_selector_t {
 	/**
 	 * Destroys the ts object
 	 */
-	void (*destroy) (traffic_selector_t *this);
+	void (*destroy)(traffic_selector_t *this);
 };
 
 /**
diff --git a/src/libstrongswan/settings/settings.c b/src/libstrongswan/settings/settings.c
index 829e784..b00e819 100644
--- a/src/libstrongswan/settings/settings.c
+++ b/src/libstrongswan/settings/settings.c
@@ -512,11 +512,16 @@ inline int settings_value_as_int(char *value, int def)
 {
 	int intval;
 	char *end;
+	int base = 10;
 
 	if (value)
 	{
 		errno = 0;
-		intval = strtol(value, &end, 10);
+		if (value[0] == '0' && value[1] == 'x')
+		{	/* manually detect 0x prefix as we want to avoid octal encoding */
+			base = 16;
+		}
+		intval = strtol(value, &end, base);
 		if (errno == 0 && *end == 0 && end != value)
 		{
 			return intval;
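Review bot: The result of strtol() is stored in `int intval`, so on platforms where long is wider than int a value such as 0xffffffff parses without error and is silently truncated on assignment. Accepting hex makes this more likely, since masks and marks are typically written that way. Parsing into a `long` and adding `val >= INT_MIN && val <= INT_MAX` to the existing `errno == 0 && *end == 0 && end != value` condition would fall back to `def` instead (this needs <limits.h>). The prefix test also matches only lowercase `0x`, so `0X10` or `-0x10` are still parsed as base 10 and rejected. settings_value_as_int() continues outside this hunk.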
diff --git a/src/libstrongswan/settings/settings_types.c b/src/libstrongswan/settings/settings_types.c
index 1256762..d753720 100644
--- a/src/libstrongswan/settings/settings_types.c
+++ b/src/libstrongswan/settings/settings_types.c
@@ -177,7 +177,7 @@ static bool section_purge(section_t *this, array_t *contents)
 	 * having any such subsections) are not removed */
 	for (i = array_count(this->sections_order) - 1; i >= 0; i--)
 	{
-		array_get(this->sections, i, &current);
+		array_get(this->sections_order, i, &current);
 		if (section_purge(current, contents))
 		{
 			array_remove(this->sections_order, i, NULL);
diff --git a/src/libstrongswan/tests/Makefile.am b/src/libstrongswan/tests/Makefile.am
index caa9d3a..0231c1c 100644
--- a/src/libstrongswan/tests/Makefile.am
+++ b/src/libstrongswan/tests/Makefile.am
@@ -55,7 +55,8 @@ tests_SOURCES = tests.h tests.c \
   suites/test_printf.c \
   suites/test_test_rng.c \
   suites/test_mgf1.c \
-  suites/test_ntru.c
+  suites/test_ntru.c \
+  suites/test_ed25519.c
 
 tests_CFLAGS = \
   -I$(top_srcdir)/src/libstrongswan \
diff --git a/src/libstrongswan/tests/Makefile.in b/src/libstrongswan/tests/Makefile.in
index 51ba9c0..f4c607c 100644
--- a/src/libstrongswan/tests/Makefile.in
+++ b/src/libstrongswan/tests/Makefile.in
@@ -160,7 +160,8 @@ am_tests_OBJECTS = tests-tests.$(OBJEXT) \
 	suites/tests-test_printf.$(OBJEXT) \
 	suites/tests-test_test_rng.$(OBJEXT) \
 	suites/tests-test_mgf1.$(OBJEXT) \
-	suites/tests-test_ntru.$(OBJEXT)
+	suites/tests-test_ntru.$(OBJEXT) \
+	suites/tests-test_ed25519.$(OBJEXT)
 tests_OBJECTS = $(am_tests_OBJECTS)
 tests_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la libtest.la
@@ -397,7 +398,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -432,6 +432,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -532,7 +533,8 @@ tests_SOURCES = tests.h tests.c \
   suites/test_printf.c \
   suites/test_test_rng.c \
   suites/test_mgf1.c \
-  suites/test_ntru.c
+  suites/test_ntru.c \
+  suites/test_ed25519.c
 
 tests_CFLAGS = \
   -I$(top_srcdir)/src/libstrongswan \
@@ -688,6 +690,8 @@ suites/tests-test_mgf1.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
 suites/tests-test_ntru.$(OBJEXT): suites/$(am__dirstamp) \
 	suites/$(DEPDIR)/$(am__dirstamp)
+suites/tests-test_ed25519.$(OBJEXT): suites/$(am__dirstamp) \
+	suites/$(DEPDIR)/$(am__dirstamp)
 
 tests$(EXEEXT): $(tests_OBJECTS) $(tests_DEPENDENCIES) $(EXTRA_tests_DEPENDENCIES) 
 	@rm -f tests$(EXEEXT)
@@ -717,6 +721,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/tests-test_crypter.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/tests-test_crypto_factory.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/tests-test_ecdsa.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/tests-test_ed25519.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/tests-test_enum.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/tests-test_enumerator.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at suites/$(DEPDIR)/tests-test_fetch_http.Po at am__quote@
@@ -1306,6 +1311,20 @@ suites/tests-test_ntru.obj: suites/test_ntru.c
 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
 @am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ntru.obj `if test -f 'suites/test_ntru.c'; then $(CYGPATH_W) 'suites/test_ntru.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ntru.c'; fi`
 
+suites/tests-test_ed25519.o: suites/test_ed25519.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ed25519.o -MD -MP -MF suites/$(DEPDIR)/tests-test_ed25519.Tpo -c -o suites/tests-test_ed25519.o `test -f 'suites/test_ed25519.c' || echo '$(srcdir)/'`suites/test_ed25519.c
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ed25519.Tpo suites/$(DEPDIR)/tests-test_ed25519.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_ed25519.c' object='suites/tests-test_ed25519.o' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ed25519.o `test -f 'suites/test_ed25519.c' || echo '$(srcdir)/'`suites/test_ed25519.c
+
+suites/tests-test_ed25519.obj: suites/test_ed25519.c
+ at am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -MT suites/tests-test_ed25519.obj -MD -MP -MF suites/$(DEPDIR)/tests-test_ed25519.Tpo -c -o suites/tests-test_ed25519.obj `if test -f 'suites/test_ed25519.c'; then $(CYGPATH_W) 'suites/test_ed25519.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed25519.c'; fi`
+ at am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) suites/$(DEPDIR)/tests-test_ed25519.Tpo suites/$(DEPDIR)/tests-test_ed25519.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='suites/test_ed25519.c' object='suites/tests-test_ed25519.obj' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(tests_CFLAGS) $(CFLAGS) -c -o suites/tests-test_ed25519.obj `if test -f 'suites/test_ed25519.c'; then $(CYGPATH_W) 'suites/test_ed25519.c'; else $(CYGPATH_W) '$(srcdir)/suites/test_ed25519.c'; fi`
+
 mostlyclean-libtool:
 	-rm -f *.lo
 
diff --git a/src/libstrongswan/tests/suites/test_chunk.c b/src/libstrongswan/tests/suites/test_chunk.c
index b82b143..9b2e48b 100644
--- a/src/libstrongswan/tests/suites/test_chunk.c
+++ b/src/libstrongswan/tests/suites/test_chunk.c
@@ -397,15 +397,15 @@ START_TEST(test_base16)
 		{FALSE, "fooba", "666f6f6261"},
 		{FALSE, "foobar", "666f6f626172"},
 	};
-	testdata_t test_colon[] = {
-		{TRUE,  "", ""},
-		{TRUE,  "f", "66"},
+	testdata_t test_prefix_colon[] = {
+		{TRUE,  "", "0x"},
+		{TRUE,  "f", "0x66"},
 		{TRUE,  "fo", "66:6F"},
-		{TRUE,  "foo", "66:6F:6F"},
+		{TRUE,  "foo", "0x66:6F:6F"},
 		{FALSE, "foob", "66:6f:6f:62"},
-		{FALSE, "fooba", "66:6f:6f:62:61"},
+		{FALSE, "fooba", "0x66:6f:6f:62:61"},
 		{FALSE, "foobar", "66:6f:6f:62:61:72"},
-		{FALSE, "foobar", "66:6f6f:6261:72"},
+		{FALSE, "foobar", "0x66:6f6f:6261:72"},
 	};
 	int i;
 
@@ -430,14 +430,15 @@ START_TEST(test_base16)
 		free(out.ptr);
 	}
 
-	for (i = 0; i < countof(test_colon); i++)
+	for (i = 0; i < countof(test_prefix_colon); i++)
 	{
 		chunk_t out;
 
-		out = chunk_from_hex(chunk_create(test_colon[i].out, strlen(test_colon[i].out)), NULL);
-		fail_unless(strneq(out.ptr, test_colon[i].in, out.len),
+		out = chunk_from_hex(chunk_create(test_prefix_colon[i].out,
+							 strlen(test_prefix_colon[i].out)), NULL);
+		fail_unless(strneq(out.ptr, test_prefix_colon[i].in, out.len),
 					"base16 conversion error - should '%s', is %#B",
-					test_colon[i].in, &out);
+					test_prefix_colon[i].in, &out);
 		free(out.ptr);
 	}
 }
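Review bot: The comparison `strneq(out.ptr, test_prefix_colon[i].in, out.len)` looks only at `out.len` bytes, so a decoder that returns an empty or shortened chunk for the new `0x`-prefixed inputs still passes; with a zero length the comparison cannot fail at all. Assert the length before the content check, e.g. `ck_assert_int_eq(out.len, strlen(test_prefix_colon[i].in));`. The table in the previous hunk has no negative case either, such as a prefix that is not at the start of the string, so the tests do not show what happens to a misplaced prefix. test_base16 begins outside the hunk.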
diff --git a/src/libstrongswan/tests/suites/test_crypter.c b/src/libstrongswan/tests/suites/test_crypter.c
index 4e7550a..321feed 100644
--- a/src/libstrongswan/tests/suites/test_crypter.c
+++ b/src/libstrongswan/tests/suites/test_crypter.c
@@ -36,7 +36,8 @@ static crypter_oid_t oids[] = {
 	{ OID_AES256_CBC, ENCR_AES_CBC, 256 },
 	{ OID_CAMELLIA128_CBC, ENCR_CAMELLIA_CBC, 128 },
 	{ OID_CAMELLIA192_CBC, ENCR_CAMELLIA_CBC, 192 },
-	{ OID_CAMELLIA256_CBC, ENCR_CAMELLIA_CBC, 256 }
+	{ OID_CAMELLIA256_CBC, ENCR_CAMELLIA_CBC, 256 },
+	{ OID_BLOWFISH_CBC, ENCR_BLOWFISH, 0 }
 };
 
 START_TEST(test_crypter_from_oid)
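Review bot: The key size `0` in the new `OID_BLOWFISH_CBC` row is the only value among the visible rows that is not a real key length, and it is not explained. A trailing comment such as `/* no key size implied by the OID */` would tell the reader that the zero is the expected result and not a placeholder. That is presumably the reason, to be confirmed against the OID mapping. The start of the `oids` table is outside the hunk.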
diff --git a/src/libstrongswan/tests/suites/test_ed25519.c b/src/libstrongswan/tests/suites/test_ed25519.c
new file mode 100644
index 0000000..0084262
--- /dev/null
+++ b/src/libstrongswan/tests/suites/test_ed25519.c
@@ -0,0 +1,527 @@
+/*
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "test_suite.h"
+
+#include <time.h>
+
+typedef struct sig_test_t sig_test_t;
+
+struct sig_test_t {
+	chunk_t key;
+	chunk_t pubkey;
+	chunk_t msg;
+	chunk_t sig;
+};
+
+/**
+ * Ed25519 Test Vectors from draft-irtf-cfrg-eddsa
+ */
+static sig_test_t sig_tests[] = {
+	/* Test 1 */
+	{ chunk_from_chars(
+		0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b,
+		0x65, 0x70, 0x04, 0x22, 0x04, 0x20, 0x9d, 0x61, 0xb1, 0x9d,
+		0xef, 0xfd, 0x5a, 0x60, 0xba, 0x84, 0x4a, 0xf4, 0x92, 0xec,
+		0x2c, 0xc4, 0x44, 0x49, 0xc5, 0x69, 0x7b, 0x32, 0x69, 0x19,
+		0x70, 0x3b, 0xac, 0x03, 0x1c, 0xae, 0x7f, 0x60),
+	  chunk_from_chars(
+		0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03,
+		0x21, 0x00, 0xd7, 0x5a, 0x98, 0x01, 0x82, 0xb1, 0x0a, 0xb7,
+		0xd5, 0x4b, 0xfe, 0xd3, 0xc9, 0x64, 0x07, 0x3a, 0x0e, 0xe1,
+		0x72, 0xf3, 0xda, 0xa6, 0x23, 0x25, 0xaf, 0x02, 0x1a, 0x68,
+		0xf7, 0x07, 0x51, 0x1a),
+	  { NULL, 0 },
+	  chunk_from_chars(
+		0xe5, 0x56, 0x43, 0x00, 0xc3, 0x60, 0xac, 0x72, 0x90, 0x86,
+		0xe2, 0xcc, 0x80, 0x6e, 0x82, 0x8a, 0x84, 0x87, 0x7f, 0x1e,
+		0xb8, 0xe5, 0xd9, 0x74, 0xd8, 0x73, 0xe0, 0x65, 0x22, 0x49,
+		0x01, 0x55, 0x5f, 0xb8, 0x82, 0x15, 0x90, 0xa3, 0x3b, 0xac,
+		0xc6, 0x1e, 0x39, 0x70, 0x1c, 0xf9, 0xb4, 0x6b, 0xd2, 0x5b,
+		0xf5, 0xf0, 0x59, 0x5b, 0xbe, 0x24, 0x65, 0x51, 0x41, 0x43,
+		0x8e, 0x7a, 0x10, 0x0b)
+	},
+	/* Test 2 */
+	{ chunk_from_chars(
+		0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b,
+		0x65, 0x70, 0x04, 0x22, 0x04, 0x20, 0x4c, 0xcd, 0x08, 0x9b,
+		0x28, 0xff, 0x96, 0xda, 0x9d, 0xb6, 0xc3, 0x46, 0xec, 0x11,
+		0x4e, 0x0f, 0x5b, 0x8a, 0x31, 0x9f, 0x35, 0xab, 0xa6, 0x24,
+		0xda, 0x8c, 0xf6, 0xed, 0x4f, 0xb8, 0xa6, 0xfb),
+	  chunk_from_chars(
+		0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03,
+		0x21, 0x00, 0x3d, 0x40, 0x17, 0xc3, 0xe8, 0x43, 0x89, 0x5a,
+		0x92, 0xb7, 0x0a, 0xa7, 0x4d, 0x1b, 0x7e, 0xbc, 0x9c, 0x98,
+		0x2c, 0xcf, 0x2e, 0xc4, 0x96, 0x8c, 0xc0, 0xcd, 0x55, 0xf1,
+		0x2a, 0xf4, 0x66, 0x0c),
+	  chunk_from_chars(
+		0x72),
+	  chunk_from_chars(
+		0x92, 0xa0, 0x09, 0xa9, 0xf0, 0xd4, 0xca, 0xb8, 0x72, 0x0e,
+		0x82, 0x0b, 0x5f, 0x64, 0x25, 0x40, 0xa2, 0xb2, 0x7b, 0x54,
+		0x16, 0x50, 0x3f, 0x8f, 0xb3, 0x76, 0x22, 0x23, 0xeb, 0xdb,
+		0x69, 0xda, 0x08, 0x5a, 0xc1, 0xe4, 0x3e, 0x15, 0x99, 0x6e,
+		0x45, 0x8f, 0x36, 0x13, 0xd0, 0xf1, 0x1d, 0x8c, 0x38, 0x7b,
+		0x2e, 0xae, 0xb4, 0x30, 0x2a, 0xee, 0xb0, 0x0d, 0x29, 0x16,
+		0x12, 0xbb, 0x0c, 0x00)
+	},
+	/* Test 3 */
+	{ chunk_from_chars(
+		0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b,
+		0x65, 0x70, 0x04, 0x22, 0x04, 0x20, 0xc5, 0xaa, 0x8d, 0xf4,
+		0x3f, 0x9f, 0x83, 0x7b, 0xed, 0xb7, 0x44, 0x2f, 0x31, 0xdc,
+		0xb7, 0xb1, 0x66, 0xd3, 0x85, 0x35,0x07, 0x6f, 0x09, 0x4b,
+		0x85, 0xce, 0x3a, 0x2e, 0x0b, 0x44, 0x58, 0xf7),
+	  chunk_from_chars(
+		0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03,
+		0x21, 0x00, 0xfc, 0x51, 0xcd, 0x8e, 0x62, 0x18, 0xa1, 0xa3,
+		0x8d, 0xa4, 0x7e, 0xd0, 0x02, 0x30, 0xf0, 0x58, 0x08, 0x16,
+		0xed, 0x13, 0xba, 0x33, 0x03, 0xac, 0x5d, 0xeb, 0x91, 0x15,
+		0x48, 0x90, 0x80, 0x25),
+	  chunk_from_chars(
+		0xaf, 0x82),
+	  chunk_from_chars(
+		0x62, 0x91, 0xd6, 0x57, 0xde, 0xec, 0x24, 0x02, 0x48, 0x27,
+		0xe6, 0x9c, 0x3a, 0xbe, 0x01, 0xa3, 0x0c, 0xe5, 0x48, 0xa2,
+		0x84, 0x74, 0x3a, 0x44, 0x5e, 0x36, 0x80, 0xd7, 0xdb, 0x5a,
+		0xc3, 0xac, 0x18, 0xff, 0x9b, 0x53, 0x8d, 0x16, 0xf2, 0x90,
+		0xae, 0x67, 0xf7, 0x60, 0x98, 0x4d, 0xc6, 0x59, 0x4a, 0x7c,
+		0x15, 0xe9, 0x71, 0x6e, 0xd2, 0x8d, 0xc0, 0x27, 0xbe, 0xce,
+		0xea, 0x1e, 0xc4, 0x0a)
+	},
+	/* Test 1024 */
+	{ chunk_from_chars(
+		0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b,
+		0x65, 0x70, 0x04, 0x22, 0x04, 0x20, 0xf5, 0xe5, 0x76, 0x7c,
+		0xf1, 0x53, 0x31, 0x95, 0x17, 0x63, 0x0f, 0x22, 0x68, 0x76,
+		0xb8, 0x6c, 0x81, 0x60, 0xcc, 0x58, 0x3b, 0xc0, 0x13, 0x74,
+		0x4c, 0x6b, 0xf2, 0x55, 0xf5, 0xcc, 0x0e, 0xe5),
+	  chunk_from_chars(
+		0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03,
+		0x21, 0x00, 0x27, 0x81, 0x17, 0xfc, 0x14, 0x4c, 0x72, 0x34,
+		0x0f, 0x67, 0xd0, 0xf2, 0x31, 0x6e, 0x83, 0x86, 0xce, 0xff,
+		0xbf, 0x2b, 0x24, 0x28, 0xc9, 0xc5, 0x1f, 0xef, 0x7c, 0x59,
+		0x7f, 0x1d, 0x42, 0x6e),
+	  chunk_from_chars(
+		0x08, 0xb8, 0xb2, 0xb7, 0x33, 0x42, 0x42, 0x43, 0x76, 0x0f,
+		0xe4, 0x26, 0xa4, 0xb5, 0x49, 0x08, 0x63, 0x21, 0x10, 0xa6,
+		0x6c, 0x2f, 0x65, 0x91, 0xea, 0xbd, 0x33, 0x45, 0xe3, 0xe4,
+		0xeb, 0x98, 0xfa, 0x6e, 0x26, 0x4b, 0xf0, 0x9e, 0xfe, 0x12,
+		0xee, 0x50, 0xf8, 0xf5, 0x4e, 0x9f, 0x77, 0xb1, 0xe3, 0x55,
+		0xf6, 0xc5, 0x05, 0x44, 0xe2, 0x3f, 0xb1, 0x43, 0x3d, 0xdf,
+		0x73, 0xbe, 0x84, 0xd8, 0x79, 0xde, 0x7c, 0x00, 0x46, 0xdc,
+		0x49, 0x96, 0xd9, 0xe7, 0x73, 0xf4, 0xbc, 0x9e, 0xfe, 0x57,
+		0x38, 0x82, 0x9a, 0xdb, 0x26, 0xc8, 0x1b, 0x37, 0xc9, 0x3a,
+		0x1b, 0x27, 0x0b, 0x20, 0x32, 0x9d, 0x65, 0x86, 0x75, 0xfc,
+
+		0x6e, 0xa5, 0x34, 0xe0, 0x81, 0x0a, 0x44, 0x32, 0x82, 0x6b,
+		0xf5, 0x8c, 0x94, 0x1e, 0xfb, 0x65, 0xd5, 0x7a, 0x33, 0x8b,
+		0xbd, 0x2e, 0x26, 0x64, 0x0f, 0x89, 0xff, 0xbc, 0x1a, 0x85,
+		0x8e, 0xfc, 0xb8, 0x55, 0x0e, 0xe3, 0xa5, 0xe1, 0x99, 0x8b,
+		0xd1, 0x77, 0xe9, 0x3a, 0x73, 0x63, 0xc3, 0x44, 0xfe, 0x6b,
+		0x19, 0x9e, 0xe5, 0xd0, 0x2e, 0x82, 0xd5, 0x22, 0xc4, 0xfe,
+		0xba, 0x15, 0x45, 0x2f, 0x80, 0x28, 0x8a, 0x82, 0x1a, 0x57,
+		0x91, 0x16, 0xec, 0x6d, 0xad, 0x2b, 0x3b, 0x31, 0x0d, 0xa9,
+		0x03, 0x40, 0x1a, 0xa6, 0x21, 0x00, 0xab, 0x5d, 0x1a, 0x36,
+		0x55, 0x3e, 0x06, 0x20, 0x3b, 0x33, 0x89, 0x0c, 0xc9, 0xb8,
+
+		0x32, 0xf7, 0x9e, 0xf8, 0x05, 0x60, 0xcc, 0xb9, 0xa3, 0x9c,
+		0xe7, 0x67, 0x96, 0x7e, 0xd6, 0x28, 0xc6, 0xad, 0x57, 0x3c,
+		0xb1, 0x16, 0xdb, 0xef, 0xef, 0xd7, 0x54, 0x99, 0xda, 0x96,
+		0xbd, 0x68, 0xa8, 0xa9, 0x7b, 0x92, 0x8a, 0x8b, 0xbc, 0x10,
+		0x3b, 0x66, 0x21, 0xfc, 0xde, 0x2b, 0xec, 0xa1, 0x23, 0x1d,
+		0x20, 0x6b, 0xe6, 0xcd, 0x9e, 0xc7, 0xaf, 0xf6, 0xf6, 0xc9,
+		0x4f, 0xcd, 0x72, 0x04, 0xed, 0x34, 0x55, 0xc6, 0x8c, 0x83,
+		0xf4, 0xa4, 0x1d, 0xa4, 0xaf, 0x2b, 0x74, 0xef, 0x5c, 0x53,
+		0xf1, 0xd8, 0xac, 0x70, 0xbd, 0xcb, 0x7e, 0xd1, 0x85, 0xce,
+		0x81, 0xbd, 0x84, 0x35, 0x9d, 0x44, 0x25, 0x4d, 0x95, 0x62,
+
+		0x9e, 0x98, 0x55, 0xa9, 0x4a, 0x7c, 0x19, 0x58, 0xd1, 0xf8,
+		0xad, 0xa5, 0xd0, 0x53, 0x2e, 0xd8, 0xa5, 0xaa, 0x3f, 0xb2,
+		0xd1, 0x7b, 0xa7, 0x0e, 0xb6, 0x24, 0x8e, 0x59, 0x4e, 0x1a,
+		0x22, 0x97, 0xac, 0xbb, 0xb3, 0x9d, 0x50, 0x2f, 0x1a, 0x8c,
+		0x6e, 0xb6, 0xf1, 0xce, 0x22, 0xb3, 0xde, 0x1a, 0x1f, 0x40,
+		0xcc, 0x24, 0x55, 0x41, 0x19, 0xa8, 0x31, 0xa9, 0xaa, 0xd6,
+		0x07, 0x9c, 0xad, 0x88, 0x42, 0x5d, 0xe6, 0xbd, 0xe1, 0xa9,
+		0x18, 0x7e, 0xbb, 0x60, 0x92, 0xcf, 0x67, 0xbf, 0x2b, 0x13,
+		0xfd, 0x65, 0xf2, 0x70, 0x88, 0xd7, 0x8b, 0x7e, 0x88, 0x3c,
+		0x87, 0x59, 0xd2, 0xc4, 0xf5, 0xc6, 0x5a, 0xdb, 0x75, 0x53,
+
+		0x87, 0x8a, 0xd5, 0x75, 0xf9, 0xfa, 0xd8, 0x78, 0xe8, 0x0a,
+		0x0c, 0x9b, 0xa6, 0x3b, 0xcb, 0xcc, 0x27, 0x32, 0xe6, 0x94,
+		0x85, 0xbb, 0xc9, 0xc9, 0x0b, 0xfb, 0xd6, 0x24, 0x81, 0xd9,
+		0x08, 0x9b, 0xec, 0xcf, 0x80, 0xcf, 0xe2, 0xdf, 0x16, 0xa2,
+		0xcf, 0x65, 0xbd, 0x92, 0xdd, 0x59, 0x7b, 0x07, 0x07, 0xe0,
+		0x91, 0x7a, 0xf4, 0x8b, 0xbb, 0x75, 0xfe, 0xd4, 0x13, 0xd2,
+		0x38, 0xf5, 0x55, 0x5a, 0x7a, 0x56, 0x9d, 0x80, 0xc3, 0x41,
+		0x4a, 0x8d, 0x08, 0x59, 0xdc, 0x65, 0xa4, 0x61, 0x28, 0xba,
+		0xb2, 0x7a, 0xf8, 0x7a, 0x71, 0x31, 0x4f, 0x31, 0x8c, 0x78,
+		0x2b, 0x23, 0xeb, 0xfe, 0x80, 0x8b, 0x82, 0xb0, 0xce, 0x26,
+
+		0x40, 0x1d, 0x2e, 0x22, 0xf0, 0x4d, 0x83, 0xd1, 0x25, 0x5d,
+		0xc5, 0x1a, 0xdd, 0xd3, 0xb7, 0x5a, 0x2b, 0x1a, 0xe0, 0x78,
+		0x45, 0x04, 0xdf, 0x54, 0x3a, 0xf8, 0x96, 0x9b, 0xe3, 0xea,
+		0x70, 0x82, 0xff, 0x7f, 0xc9, 0x88, 0x8c, 0x14, 0x4d, 0xa2,
+		0xaf, 0x58, 0x42, 0x9e, 0xc9, 0x60, 0x31, 0xdb, 0xca, 0xd3,
+		0xda, 0xd9, 0xaf, 0x0d, 0xcb, 0xaa, 0xaf, 0x26, 0x8c, 0xb8,
+		0xfc, 0xff, 0xea, 0xd9, 0x4f, 0x3c, 0x7c, 0xa4, 0x95, 0xe0,
+		0x56, 0xa9, 0xb4, 0x7a, 0xcd, 0xb7, 0x51, 0xfb, 0x73, 0xe6,
+		0x66, 0xc6, 0xc6, 0x55, 0xad, 0xe8, 0x29, 0x72, 0x97, 0xd0,
+		0x7a, 0xd1, 0xba, 0x5e, 0x43, 0xf1, 0xbc, 0xa3, 0x23, 0x01,
+
+		0x65, 0x13, 0x39, 0xe2, 0x29, 0x04, 0xcc, 0x8c, 0x42, 0xf5,
+		0x8c, 0x30, 0xc0, 0x4a, 0xaf, 0xdb, 0x03, 0x8d, 0xda, 0x08,
+		0x47, 0xdd, 0x98, 0x8d, 0xcd, 0xa6, 0xf3, 0xbf, 0xd1, 0x5c,
+		0x4b, 0x4c, 0x45, 0x25, 0x00, 0x4a, 0xa0, 0x6e, 0xef, 0xf8,
+		0xca, 0x61, 0x78, 0x3a, 0xac, 0xec, 0x57, 0xfb, 0x3d, 0x1f,
+		0x92, 0xb0, 0xfe, 0x2f, 0xd1, 0xa8, 0x5f, 0x67, 0x24, 0x51,
+		0x7b, 0x65, 0xe6, 0x14, 0xad, 0x68, 0x08, 0xd6, 0xf6, 0xee,
+		0x34, 0xdf, 0xf7, 0x31, 0x0f, 0xdc, 0x82, 0xae, 0xbf, 0xd9,
+		0x04, 0xb0, 0x1e, 0x1d, 0xc5, 0x4b, 0x29, 0x27, 0x09, 0x4b,
+		0x2d, 0xb6, 0x8d, 0x6f, 0x90, 0x3b, 0x68, 0x40, 0x1a, 0xde,
+
+		0xbf, 0x5a, 0x7e, 0x08, 0xd7, 0x8f, 0xf4, 0xef, 0x5d, 0x63,
+		0x65, 0x3a, 0x65, 0x04, 0x0c, 0xf9, 0xbf, 0xd4, 0xac, 0xa7,
+		0x98, 0x4a, 0x74, 0xd3, 0x71, 0x45, 0x98, 0x67, 0x80, 0xfc,
+		0x0b, 0x16, 0xac, 0x45, 0x16, 0x49, 0xde, 0x61, 0x88, 0xa7,
+		0xdb, 0xdf, 0x19, 0x1f, 0x64, 0xb5, 0xfc, 0x5e, 0x2a, 0xb4,
+		0x7b, 0x57, 0xf7, 0xf7, 0x27, 0x6c, 0xd4, 0x19, 0xc1, 0x7a,
+		0x3c, 0xa8, 0xe1, 0xb9, 0x39, 0xae, 0x49, 0xe4, 0x88, 0xac,
+		0xba, 0x6b, 0x96, 0x56, 0x10, 0xb5, 0x48, 0x01, 0x09, 0xc8,
+		0xb1, 0x7b, 0x80, 0xe1, 0xb7, 0xb7, 0x50, 0xdf, 0xc7, 0x59,
+		0x8d, 0x5d, 0x50, 0x11, 0xfd, 0x2d, 0xcc, 0x56, 0x00, 0xa3,
+
+		0x2e, 0xf5, 0xb5, 0x2a, 0x1e, 0xcc, 0x82, 0x0e, 0x30, 0x8a,
+		0xa3, 0x42, 0x72, 0x1a, 0xac, 0x09, 0x43, 0xbf, 0x66, 0x86,
+		0xb6, 0x4b, 0x25, 0x79, 0x37, 0x65, 0x04, 0xcc, 0xc4, 0x93,
+		0xd9, 0x7e, 0x6a, 0xed, 0x3f, 0xb0, 0xf9, 0xcd, 0x71, 0xa4,
+		0x3d, 0xd4, 0x97, 0xf0, 0x1f, 0x17, 0xc0, 0xe2, 0xcb, 0x37,
+		0x97, 0xaa, 0x2a, 0x2f, 0x25, 0x66, 0x56, 0x16, 0x8e, 0x6c,
+		0x49, 0x6a, 0xfc, 0x5f, 0xb9, 0x32, 0x46, 0xf6, 0xb1, 0x11,
+		0x63, 0x98, 0xa3, 0x46, 0xf1, 0xa6, 0x41, 0xf3, 0xb0, 0x41,
+		0xe9, 0x89, 0xf7, 0x91, 0x4f, 0x90, 0xcc, 0x2c, 0x7f, 0xff,
+		0x35, 0x78, 0x76, 0xe5, 0x06, 0xb5, 0x0d, 0x33, 0x4b, 0xa7,
+
+		0x7c, 0x22, 0x5b, 0xc3, 0x07, 0xba, 0x53, 0x71, 0x52, 0xf3,
+		0xf1, 0x61, 0x0e, 0x4e, 0xaf, 0xe5, 0x95, 0xf6, 0xd9, 0xd9,
+		0x0d, 0x11, 0xfa, 0xa9, 0x33, 0xa1, 0x5e, 0xf1, 0x36, 0x95,
+		0x46, 0x86, 0x8a, 0x7f, 0x3a, 0x45, 0xa9, 0x67, 0x68, 0xd4,
+		0x0f, 0xd9, 0xd0, 0x34, 0x12, 0xc0, 0x91, 0xc6, 0x31, 0x5c,
+		0xf4, 0xfd, 0xe7, 0xcb, 0x68, 0x60, 0x69, 0x37, 0x38, 0x0d,
+		0xb2, 0xea, 0xaa, 0x70, 0x7b, 0x4c, 0x41, 0x85, 0xc3, 0x2e,
+		0xdd, 0xcd, 0xd3, 0x06, 0x70, 0x5e, 0x4d, 0xc1, 0xff, 0xc8,
+		0x72, 0xee, 0xee, 0x47, 0x5a, 0x64, 0xdf, 0xac, 0x86, 0xab,
+		0xa4, 0x1c, 0x06, 0x18, 0x98, 0x3f, 0x87, 0x41, 0xc5, 0xef,
+
+		0x68, 0xd3, 0xa1, 0x01, 0xe8, 0xa3, 0xb8, 0xca, 0xc6, 0x0c,
+		0x90, 0x5c, 0x15, 0xfc, 0x91, 0x08, 0x40, 0xb9, 0x4c, 0x00,
+		0xa0, 0xb9, 0xd0),
+	  chunk_from_chars(
+		0x0a, 0xab, 0x4c, 0x90, 0x05, 0x01, 0xb3, 0xe2, 0x4d, 0x7c,
+		0xdf, 0x46, 0x63, 0x32, 0x6a, 0x3a, 0x87, 0xdf, 0x5e, 0x48,
+		0x43, 0xb2, 0xcb, 0xdb, 0x67, 0xcb, 0xf6, 0xe4, 0x60, 0xfe,
+		0xc3, 0x50, 0xaa, 0x53, 0x71, 0xb1, 0x50, 0x8f, 0x9f, 0x45,
+		0x28, 0xec, 0xea, 0x23, 0xc4, 0x36, 0xd9, 0x4b, 0x5e, 0x8f,
+		0xcd, 0x4f, 0x68, 0x1e, 0x30, 0xa6, 0xac, 0x00, 0xa9, 0x70,
+		0x4a, 0x18, 0x8a, 0x03)
+	},
+	/* Test SHA(abc) */
+	{ chunk_from_chars(
+		0x30, 0x2e, 0x02, 0x01, 0x00, 0x30, 0x05, 0x06, 0x03, 0x2b,
+		0x65, 0x70, 0x04, 0x22, 0x04, 0x20, 0x83, 0x3f, 0xe6, 0x24,
+		0x09, 0x23, 0x7b, 0x9d, 0x62, 0xec, 0x77, 0x58, 0x75, 0x20,
+		0x91, 0x1e, 0x9a, 0x75, 0x9c, 0xec, 0x1d, 0x19, 0x75, 0x5b,
+		0x7d, 0xa9, 0x01, 0xb9, 0x6d, 0xca, 0x3d, 0x42),
+	  chunk_from_chars(
+		0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03,
+		0x21, 0x00, 0xec, 0x17, 0x2b, 0x93, 0xad, 0x5e, 0x56, 0x3b,
+		0xf4, 0x93, 0x2c, 0x70, 0xe1, 0x24, 0x50, 0x34, 0xc3, 0x54,
+		0x67, 0xef, 0x2e, 0xfd, 0x4d, 0x64, 0xeb, 0xf8, 0x19, 0x68,
+		0x34, 0x67, 0xe2, 0xbf),
+	  chunk_from_chars(
+		0xdd, 0xaf, 0x35, 0xa1, 0x93, 0x61, 0x7a, 0xba, 0xcc, 0x41,
+		0x73, 0x49, 0xae, 0x20, 0x41, 0x31, 0x12, 0xe6, 0xfa, 0x4e,
+		0x89, 0xa9, 0x7e, 0xa2, 0x0a, 0x9e, 0xee, 0xe6, 0x4b, 0x55,
+		0xd3, 0x9a, 0x21, 0x92, 0x99, 0x2a, 0x27, 0x4f, 0xc1, 0xa8,
+		0x36, 0xba, 0x3c, 0x23, 0xa3, 0xfe, 0xeb, 0xbd, 0x45, 0x4d,
+		0x44, 0x23, 0x64, 0x3c, 0xe8, 0x0e, 0x2a, 0x9a, 0xc9, 0x4f,
+		0xa5, 0x4c, 0xa4, 0x9f),
+	  chunk_from_chars(
+		0xdc, 0x2a, 0x44, 0x59, 0xe7, 0x36, 0x96, 0x33, 0xa5, 0x2b,
+		0x1b, 0xf2, 0x77, 0x83, 0x9a, 0x00, 0x20, 0x10, 0x09, 0xa3,
+		0xef, 0xbf, 0x3e, 0xcb, 0x69, 0xbe, 0xa2, 0x18, 0x6c, 0x26,
+		0xb5, 0x89, 0x09, 0x35, 0x1f, 0xc9, 0xac, 0x90, 0xb3, 0xec,
+		0xfd, 0xfb, 0xc7, 0xc6, 0x64, 0x31, 0xe0, 0x30, 0x3d, 0xca,
+		0x17, 0x9c, 0x13, 0x8a, 0xc1, 0x7a, 0xd9, 0xbe, 0xf1, 0x17,
+		0x73, 0x31, 0xa7, 0x04)
+	}
+};
+
+START_TEST(test_ed25519_sign)
+{
+	private_key_t *key;
+	public_key_t *pubkey, *public;
+	chunk_t sig, encoding;
+
+	/* load private key */
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED25519,
+					BUILD_BLOB_ASN1_DER, sig_tests[_i].key, BUILD_END);
+	ck_assert(key != NULL);
+	ck_assert(key->get_encoding(key, PRIVKEY_ASN1_DER, &encoding));
+	ck_assert(chunk_equals(encoding, sig_tests[_i].key));
+	chunk_free(&encoding);
+
+	/* load public key */
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
+					BUILD_BLOB_ASN1_DER, sig_tests[_i].pubkey, BUILD_END);
+	ck_assert(pubkey != NULL);
+	ck_assert(pubkey->get_encoding(pubkey, PUBKEY_SPKI_ASN1_DER, &encoding));
+	ck_assert(chunk_equals(encoding, sig_tests[_i].pubkey));
+	chunk_free(&encoding);
+
+	/* compare public keys */
+	public = key->get_public_key(key);
+	ck_assert(public != NULL);
+	ck_assert(public->equals(public, pubkey));
+
+	/* sign */
+	ck_assert(key->sign(key, SIGN_ED25519, sig_tests[_i].msg, &sig));
+	ck_assert(sig.len == 64);
+	ck_assert(chunk_equals(sig, sig_tests[_i].sig));
+
+	/* verify */
+	ck_assert(pubkey->verify(pubkey, SIGN_ED25519, sig_tests[_i].msg,
+												   sig_tests[_i].sig));
+
+	/* cleanup */
+	key->destroy(key);
+	pubkey->destroy(pubkey);
+	public->destroy(public);
+	chunk_free(&sig);
+}
+END_TEST
+
+START_TEST(test_ed25519_gen)
+{
+	private_key_t *key, *key2;
+	public_key_t *pubkey, *pubkey2;
+	chunk_t msg = chunk_from_str("Ed25519"), sig, encoding, fp_priv, fp_pub;
+
+	/* generate private key */
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED25519,
+							 BUILD_KEY_SIZE, 256, BUILD_END);
+	ck_assert(key != NULL);
+	ck_assert(key->get_type(key) == KEY_ED25519);
+	ck_assert(key->get_keysize(key) == 256);
+	ck_assert(!key->get_encoding(key, PRIVKEY_PGP, &encoding));
+	ck_assert(key->get_encoding(key, PRIVKEY_PEM, &encoding));
+	ck_assert(encoding.ptr != NULL);
+	ck_assert(strstr(encoding.ptr, "PRIVATE KEY"));
+	chunk_free(&encoding);
+
+	/* clone private key */
+	key2 = key->get_ref(key);
+	ck_assert(key2);
+	key2->destroy(key2);
+
+	/* decryption not supported */
+	ck_assert(!key->decrypt(key, ENCRYPT_UNKNOWN, msg, NULL));
+
+	/* wrong signature scheme */
+	ck_assert(!key->sign(key, SIGN_ED448, msg, &sig));
+
+	/* correct signature scheme*/
+	ck_assert(key->sign(key, SIGN_ED25519, msg, &sig));
+
+	/* export public key */
+	pubkey = key->get_public_key(key);
+	ck_assert(pubkey != NULL);
+	ck_assert(pubkey->get_type(pubkey) == KEY_ED25519);
+	ck_assert(pubkey->get_keysize(pubkey) == 256);
+	ck_assert(pubkey->get_encoding(pubkey, PUBKEY_PEM, &encoding));
+	ck_assert(encoding.ptr != NULL);
+	ck_assert(strstr(encoding.ptr, "PUBLIC KEY"));
+	chunk_free(&encoding);
+
+	/* generate and compare public and private key fingerprints */
+	ck_assert(!key->get_fingerprint(key, KEYID_PGPV4, &fp_priv));
+	ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp_priv));
+	ck_assert(key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fp_priv));
+	ck_assert(fp_priv.ptr != NULL);
+	ck_assert(!pubkey->get_fingerprint(pubkey, KEYID_PGPV4, &fp_pub));
+	ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub));
+	ck_assert(pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_SHA1, &fp_pub));
+	ck_assert(fp_pub.ptr != NULL);
+	ck_assert(chunk_equals(fp_pub, fp_priv));
+
+	/* clone public key */
+	pubkey2 = pubkey->get_ref(pubkey);
+	ck_assert(pubkey2 != NULL);
+	pubkey2->destroy(pubkey2);
+
+	/* encryption not supported */
+	ck_assert(!pubkey->encrypt(pubkey, ENCRYPT_UNKNOWN, msg, NULL));
+
+	/* verify with wrong signature scheme */
+	ck_assert(!pubkey->verify(pubkey, SIGN_ED448, msg, sig));
+
+	/* verify with correct signature scheme */
+	ck_assert(pubkey->verify(pubkey, SIGN_ED25519, msg, sig));
+
+	/* cleanup */
+	key->destroy(key);
+	pubkey->destroy(pubkey);
+	chunk_free(&sig);
+}
+END_TEST
+
+START_TEST(test_ed25519_speed)
+{
+	private_key_t *key;
+	public_key_t *pubkey;
+	chunk_t msg = chunk_from_str("Hello Ed25519"), sig;
+	int i, count = 1000;
+
+#ifdef HAVE_CLOCK_GETTIME
+	struct timespec start, stop;
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &start);
+#endif
+
+	for (i = 0; i < count; i++)
+	{
+		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED25519,
+								 BUILD_KEY_SIZE, 256, BUILD_END);
+		ck_assert(key != NULL);
+		ck_assert(key->sign(key, SIGN_ED25519, msg, &sig));
+		pubkey = key->get_public_key(key);
+		ck_assert(pubkey != NULL);
+		ck_assert(pubkey->verify(pubkey, SIGN_ED25519, msg, sig));
+		key->destroy(key);
+		pubkey->destroy(pubkey);
+		chunk_free(&sig);
+	}
+
+#ifdef HAVE_CLOCK_GETTIME
+	clock_gettime(CLOCK_THREAD_CPUTIME_ID, &stop);
+	DBG0(DBG_LIB, "%d Ed25519 keys and signatures in %d ms\n", count,
+				  (stop.tv_nsec - start.tv_nsec) / 1000000 +
+				  (stop.tv_sec - start.tv_sec) * 1000);
+#endif
+}
+END_TEST
+
+static chunk_t zero_pk = chunk_from_chars(
+	0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03,
+	0x21, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+	0x00, 0x00, 0x00, 0x00);
+
+START_TEST(test_ed25519_fail)
+{
+	private_key_t *key;
+	public_key_t *pubkey;
+	chunk_t blob, sig;
+	uint8_t sig1[64];
+
+	/* Invalid private key format */
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED25519,
+					BUILD_BLOB_ASN1_DER, chunk_empty, BUILD_END);
+	ck_assert(key == NULL);
+
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED25519,
+					BUILD_EDDSA_PRIV_ASN1_DER, chunk_empty, BUILD_END);
+	ck_assert(key == NULL);
+
+	blob = chunk_from_chars(0x04, 0x01, 0x9d);
+	key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ED25519,
+					BUILD_EDDSA_PRIV_ASN1_DER, blob, BUILD_END);
+	ck_assert(key == NULL);
+
+	/* Invalid public key format */
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
+					BUILD_BLOB_ASN1_DER, chunk_empty, BUILD_END);
+	ck_assert(pubkey == NULL);
+
+	blob = chunk_from_chars(0x30, 0x0b, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65,
+							0x70, 0x03, 0x02, 0x00, 0xd7);
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
+					BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+	ck_assert(pubkey == NULL);
+
+	blob = chunk_from_chars(0x30, 0x0b, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x00,
+							0x70, 0x03, 0x02, 0x00, 0xd7);
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
+					BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+	ck_assert(pubkey == NULL);
+
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
+					BUILD_KEY_SIZE, 256, BUILD_BLOB_ASN1_DER, blob, BUILD_END);
+	ck_assert(pubkey == NULL);
+
+	/* Invalid signature format */
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
+					BUILD_BLOB_ASN1_DER, sig_tests[0].pubkey, BUILD_END);
+	ck_assert(pubkey != NULL);
+
+	ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, chunk_empty, chunk_empty));
+
+	/* malformed signature */
+	sig = chunk_create(sig1, 64);
+	memcpy(sig1, sig_tests[0].sig.ptr, 64);
+	sig1[63] |= 0xe0;
+	ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, sig_tests[0].msg, sig));
+
+	/* wrong signature */
+	memcpy(sig1, sig_tests[0].sig.ptr, 64);
+	sig1[0] = 0xe4;
+	ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, sig_tests[0].msg, sig));
+
+	/* detect all-zeroes public key */
+	pubkey->destroy(pubkey);
+	pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ED25519,
+					BUILD_BLOB_ASN1_DER, zero_pk, BUILD_END);
+	ck_assert(pubkey != NULL);
+	ck_assert(!pubkey->verify(pubkey, SIGN_ED25519, sig_tests[0].msg, sig));
+	pubkey->destroy(pubkey);
+}
+END_TEST
+
+Suite *ed25519_suite_create()
+{
+	Suite *s;
+	TCase *tc;
+
+	s = suite_create("ed25519");
+
+	tc = tcase_create("ed25519_sign");
+	tcase_add_loop_test(tc, test_ed25519_sign, 0, countof(sig_tests));
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("ed25519_gen");
+	tcase_add_test(tc, test_ed25519_gen);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("ed25519_fail");
+	tcase_add_test(tc, test_ed25519_fail);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("ed25519_speed");
+	test_case_set_timeout(tc, 10);
+	tcase_add_test(tc, test_ed25519_speed);
+	suite_add_tcase(s, tc);
+
+	return s;
+}
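Review bot: The "detect all-zeroes public key" check at the end of test_ed25519_fail reuses `sig`, which at that point still holds the copy corrupted by `sig1[0] = 0xe4`, so `verify()` would be expected to fail for any key and the assertion passes whether or not the implementation examines the key at all. Restore the valid vector first with `memcpy(sig1, sig_tests[0].sig.ptr, 64);` and add a comment naming the rejection under test; a test that truly isolates the key check needs a case that only that check rejects. The same function covers an out-of-range S only by setting the top three bits (`sig1[63] |= 0xe0`), so a vector whose S is not reduced but has those bits clear would show whether the full range check is done. In test_ed25519_speed the `DBG0` call passes an expression built from `tv_nsec` and `tv_sec` for the second `%d`, which is wider than `int` on LP64 platforms; cast it to `int` or use `%ld`.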
diff --git a/src/libstrongswan/tests/suites/test_hasher.c b/src/libstrongswan/tests/suites/test_hasher.c
index de285ca..6a83fe7 100644
--- a/src/libstrongswan/tests/suites/test_hasher.c
+++ b/src/libstrongswan/tests/suites/test_hasher.c
@@ -28,38 +28,47 @@ typedef struct {
 }hasher_oid_t;
 
 static hasher_oid_t oids[] = {
-	{ OID_MD2, HASH_MD2, KEY_ANY },                         /*  0 */
-	{ OID_MD5, HASH_MD5, KEY_ANY },                         /*  1 */
-	{ OID_SHA1, HASH_SHA1, KEY_ANY },                       /*  2 */
-	{ OID_SHA224, HASH_SHA224, KEY_ANY },                   /*  3 */
-	{ OID_SHA256, HASH_SHA256, KEY_ANY },                   /*  4 */
-	{ OID_SHA384, HASH_SHA384, KEY_ANY },                   /*  5 */
-	{ OID_SHA512, HASH_SHA512, KEY_ANY },                   /*  6 */
-	{ OID_SHA3_224, HASH_SHA3_224, KEY_ANY },               /*  7 */
-	{ OID_SHA3_256, HASH_SHA3_256, KEY_ANY },               /*  8 */
-	{ OID_SHA3_384, HASH_SHA3_384, KEY_ANY },               /*  9 */
-	{ OID_SHA3_512, HASH_SHA3_512, KEY_ANY },               /* 10 */
-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY },                 /* 11 */
-	{ OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA },                /* 12 */
-	{ OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA },                /* 13 */
-	{ OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA },              /* 14 */
-	{ OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA },          /* 15 */
-	{ OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA },          /* 16 */
-	{ OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA },          /* 17 */
-	{ OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA },          /* 18 */
-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA },                 /* 19 */
-	{ OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA },          /* 20 */
-	{ OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },      /* 21 */
-	{ OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },      /* 22 */
-	{ OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },      /* 23 */
-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA },               /* 24 */
-	{ OID_BLISS_WITH_SHA2_256, HASH_SHA256, KEY_BLISS },    /* 25 */
-	{ OID_BLISS_WITH_SHA2_384, HASH_SHA384, KEY_BLISS },    /* 26 */
-	{ OID_BLISS_WITH_SHA2_512, HASH_SHA512, KEY_BLISS },    /* 27 */
-	{ OID_BLISS_WITH_SHA3_256, HASH_SHA3_256, KEY_BLISS },  /* 28 */
-	{ OID_BLISS_WITH_SHA3_384, HASH_SHA3_384, KEY_BLISS },  /* 29 */
-	{ OID_BLISS_WITH_SHA3_512, HASH_SHA3_512, KEY_BLISS },  /* 30 */
-	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_BLISS }                /* 31 */
+	{ OID_MD2, HASH_MD2, KEY_ANY },                                /*  0 */
+	{ OID_MD5, HASH_MD5, KEY_ANY },                                /*  1 */
+	{ OID_SHA1, HASH_SHA1, KEY_ANY },                              /*  2 */
+	{ OID_SHA224, HASH_SHA224, KEY_ANY },                          /*  3 */
+	{ OID_SHA256, HASH_SHA256, KEY_ANY },                          /*  4 */
+	{ OID_SHA384, HASH_SHA384, KEY_ANY },                          /*  5 */
+	{ OID_SHA512, HASH_SHA512, KEY_ANY },                          /*  6 */
+	{ OID_SHA3_224, HASH_SHA3_224, KEY_ANY },                      /*  7 */
+	{ OID_SHA3_256, HASH_SHA3_256, KEY_ANY },                      /*  8 */
+	{ OID_SHA3_384, HASH_SHA3_384, KEY_ANY },                      /*  9 */
+	{ OID_SHA3_512, HASH_SHA3_512, KEY_ANY },                      /* 10 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ANY },                        /* 11 */
+	{ OID_MD2_WITH_RSA, HASH_MD2, KEY_RSA },                       /* 12 */
+	{ OID_MD5_WITH_RSA, HASH_MD5, KEY_RSA },                       /* 13 */
+	{ OID_SHA1_WITH_RSA, HASH_SHA1, KEY_RSA },                     /* 14 */
+	{ OID_SHA224_WITH_RSA, HASH_SHA224, KEY_RSA },                 /* 15 */
+	{ OID_SHA256_WITH_RSA, HASH_SHA256, KEY_RSA },                 /* 16 */
+	{ OID_SHA384_WITH_RSA, HASH_SHA384, KEY_RSA },                 /* 17 */
+	{ OID_SHA512_WITH_RSA, HASH_SHA512, KEY_RSA },                 /* 18 */
+	{ OID_RSASSA_PKCS1V15_WITH_SHA3_224, HASH_SHA3_224, KEY_RSA }, /* 19 */
+	{ OID_RSASSA_PKCS1V15_WITH_SHA3_256, HASH_SHA3_256, KEY_RSA }, /* 20 */
+	{ OID_RSASSA_PKCS1V15_WITH_SHA3_384, HASH_SHA3_384, KEY_RSA }, /* 21 */
+	{ OID_RSASSA_PKCS1V15_WITH_SHA3_512, HASH_SHA3_512, KEY_RSA }, /* 22 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_RSA },                        /* 23 */
+	{ OID_ED25519, HASH_IDENTITY, KEY_ED25519 },                   /* 24 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ED25519 },                    /* 25 */
+	{ OID_ED448, HASH_IDENTITY, KEY_ED448 },                       /* 26 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ED448 },                      /* 27 */
+	{ OID_ECDSA_WITH_SHA1, HASH_SHA1, KEY_ECDSA },                 /* 28 */
+	{ OID_ECDSA_WITH_SHA256, HASH_SHA256, KEY_ECDSA },             /* 29 */
+	{ OID_ECDSA_WITH_SHA384, HASH_SHA384, KEY_ECDSA },             /* 30 */
+	{ OID_ECDSA_WITH_SHA512, HASH_SHA512, KEY_ECDSA },             /* 31 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_ECDSA },                      /* 32 */
+	{ OID_BLISS_WITH_SHA2_256, HASH_SHA256, KEY_BLISS },           /* 33 */
+	{ OID_BLISS_WITH_SHA2_384, HASH_SHA384, KEY_BLISS },           /* 34 */
+	{ OID_BLISS_WITH_SHA2_512, HASH_SHA512, KEY_BLISS },           /* 35 */
+	{ OID_BLISS_WITH_SHA3_256, HASH_SHA3_256, KEY_BLISS },         /* 36 */
+	{ OID_BLISS_WITH_SHA3_384, HASH_SHA3_384, KEY_BLISS },         /* 37 */
+	{ OID_BLISS_WITH_SHA3_512, HASH_SHA3_512, KEY_BLISS },         /* 38 */
+	{ OID_UNKNOWN, HASH_UNKNOWN, KEY_BLISS },                      /* 39 */
+
 };
 
 START_TEST(test_hasher_from_oid)
@@ -113,6 +122,8 @@ static hasher_sig_scheme_t sig_schemes[] = {
 	{ SIGN_BLISS_WITH_SHA3_256,   HASH_SHA3_256   },
 	{ SIGN_BLISS_WITH_SHA3_384,   HASH_SHA3_384   },
 	{ SIGN_BLISS_WITH_SHA3_512,   HASH_SHA3_512   },
+	{ SIGN_ED25519,               HASH_IDENTITY   },
+	{ SIGN_ED448,                 HASH_IDENTITY   },
 	{ 30,						  HASH_UNKNOWN    }
 };
 
@@ -214,6 +225,7 @@ typedef struct {
 }hasher_ikev2_t;
 
 static hasher_ikev2_t ikev2[] = {
+	{ HASH_IDENTITY, TRUE  },
 	{ HASH_SHA1,     TRUE  },
 	{ HASH_SHA256,   TRUE  },
 	{ HASH_SHA384,   TRUE  },
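Review bot: The added row `{ HASH_IDENTITY, TRUE  }` carries no comment saying why an identity "hash" is accepted in the `ikev2[]` table, so a reader could take it for a digest-less algorithm allowed by mistake. The `sig_schemes[]` hunk above maps `SIGN_ED25519` and `SIGN_ED448` to `HASH_IDENTITY`, so it presumably stands for schemes that hash the message internally. A comment on the row, e.g. `/* EdDSA signs the message itself, no separate pre-hash */`, would record that. The test that consumes the table is outside the hunk.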
@@ -244,7 +256,7 @@ Suite *hasher_suite_create()
 	s = suite_create("hasher");
 
 	tc = tcase_create("from_oid");
-	tcase_add_loop_test(tc, test_hasher_from_oid, 0, 15);
+	tcase_add_loop_test(tc, test_hasher_from_oid, 0, 28);
 	suite_add_tcase(s, tc);
 
 	tc = tcase_create("to_oid");
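Review bot: The end index `28` in `tcase_add_loop_test(tc, test_hasher_from_oid, 0, 28);` is a bare number that has to be kept in step by hand with the `/* NN */` position comments in `oids[]`. With the rows inserted in the first hunk, it now stops just before `OID_ECDSA_WITH_SHA1` at index 28. A comment on the call such as `/* rows 0..27: plain hashes, RSA, Ed25519, Ed448; ECDSA starts at 28 */`, or a named constant next to the table, would keep the next insertion from silently shifting what from_oid covers. hasher_suite_create() starts and ends outside the hunk.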
diff --git a/src/libstrongswan/tests/suites/test_host.c b/src/libstrongswan/tests/suites/test_host.c
index 5d05457..63f0eb2 100644
--- a/src/libstrongswan/tests/suites/test_host.c
+++ b/src/libstrongswan/tests/suites/test_host.c
@@ -657,18 +657,18 @@ END_TEST
 static struct {
 	char *addr;
 	uint16_t port;
-	/* results for %H, %+H, %#H (falls back to [0]) */
+	/* results for %H, %+H, %#H (falls back to the first entry) */
 	char *result[3];
 } printf_data[] = {
 	{NULL,          0, { "(null)" }},
 	{NULL,        500, { "(null)" }},
-	{"%any",        0, { "%any", "0.0.0.0", "0.0.0.0[0]" }},
+	{"%any",        0, { "%any", "0.0.0.0", "0.0.0.0" }},
 	{"%any",      500, { "%any", "0.0.0.0", "0.0.0.0[500]" }},
-	{"%any6",       0, { "%any6", "::", "::[0]" }},
+	{"%any6",       0, { "%any6", "::", "::" }},
 	{"%any6",     500, { "%any6", "::", "::[500]" }},
-	{"192.168.0.1",   0, { "192.168.0.1", "192.168.0.1", "192.168.0.1[0]" }},
+	{"192.168.0.1",   0, { "192.168.0.1" }},
 	{"192.168.0.1", 500, { "192.168.0.1", "192.168.0.1", "192.168.0.1[500]" }},
-	{"fec1::1",     0, { "fec1::1", "fec1::1", "fec1::1[0]" }},
+	{"fec1::1",     0, { "fec1::1" }},
 	{"fec1::1",   500, { "fec1::1", "fec1::1", "fec1::1[500]" }},
 };
 
diff --git a/src/libstrongswan/tests/suites/test_traffic_selector.c b/src/libstrongswan/tests/suites/test_traffic_selector.c
index 0d5d877..a5f30d2 100644
--- a/src/libstrongswan/tests/suites/test_traffic_selector.c
+++ b/src/libstrongswan/tests/suites/test_traffic_selector.c
@@ -511,16 +511,24 @@ struct {
 	char *host;
 	char *after;
 } set_address_tests[] = {
-	{ "0.0.0.0/0",		"192.168.1.2",	"0.0.0.0/0" },
-	{ "::/0",			"fec2::1",		"::/0" },
+	{ "0.0.0.0/0",		"192.168.1.2",	"192.168.1.2/32" },
+	{ "::/0",			"fec2::1",		"fec2::1/128" },
 	{ "192.168.1.2/32",	"192.168.1.1",	"192.168.1.1/32" },
+	{ "192.168.1.0/24",	"192.168.1.1",	"192.168.1.1/32" },
 	{ "192.168.1.2/32",	"fec2::1",		"fec2::1/128" },
+	{ "192.168.1.0/24",	"fec2::1",		"fec2::1/128" },
 	{ "192.168.1.2/32",	"%any",			"0.0.0.0/0" },
+	{ "192.168.1.0/24",	"%any",			"0.0.0.0/0" },
 	{ "192.168.1.2/32",	"%any6",		"::/0" },
+	{ "192.168.1.0/24",	"%any6",		"::/0" },
 	{ "fec2::1/128",	"192.168.1.1",	"192.168.1.1/32" },
+	{ "fec2::/64",		"192.168.1.1",	"192.168.1.1/32" },
 	{ "fec2::1/128",	"fec2::2",		"fec2::2/128" },
+	{ "fec2::/64",		"fec2::2",		"fec2::2/128" },
 	{ "fec2::1/128",	"%any",			"0.0.0.0/0" },
+	{ "fec2::/64",		"%any",			"0.0.0.0/0" },
 	{ "fec2::1/128",	"%any6",		"::/0" },
+	{ "fec2::/64",		"%any6",		"::/0" },
 	{ NULL,				"192.168.1.1",	"192.168.1.1/32" },
 	{ NULL,				"fec2::1",		"fec2::1/128" },
 	{ NULL,				"%any",			"0.0.0.0/0" },
diff --git a/src/libstrongswan/tests/test_suite.h b/src/libstrongswan/tests/test_suite.h
index aedd8c0..66c6846 100644
--- a/src/libstrongswan/tests/test_suite.h
+++ b/src/libstrongswan/tests/test_suite.h
@@ -39,7 +39,9 @@ typedef struct test_fixture_t test_fixture_t;
 /**
  * Default timeout for a single test function
  */
+#ifndef TEST_FUNCTION_DEFAULT_TIMEOUT
 #define TEST_FUNCTION_DEFAULT_TIMEOUT 2
+#endif
 
 /**
  * Test function implementation
diff --git a/src/libstrongswan/tests/tests.h b/src/libstrongswan/tests/tests.h
index fabfaa8..79a88e2 100644
--- a/src/libstrongswan/tests/tests.h
+++ b/src/libstrongswan/tests/tests.h
@@ -50,3 +50,5 @@ TEST_SUITE_DEPEND(mgf1_sha1_suite_create, XOF, XOF_MGF1_SHA1)
 TEST_SUITE_DEPEND(mgf1_sha256_suite_create, XOF, XOF_MGF1_SHA256)
 TEST_SUITE_DEPEND(ntru_suite_create, DH, NTRU_112_BIT)
 TEST_SUITE_DEPEND(fetch_http_suite_create, FETCHER, "http://")
+TEST_SUITE_DEPEND(ed25519_suite_create, PRIVKEY_GEN, KEY_ED25519)
+
diff --git a/src/libstrongswan/utils/chunk.c b/src/libstrongswan/utils/chunk.c
index 2f824a2..0c50ab7 100644
--- a/src/libstrongswan/utils/chunk.c
+++ b/src/libstrongswan/utils/chunk.c
@@ -504,7 +504,13 @@ chunk_t chunk_from_hex(chunk_t hex, char *buf)
 	u_char *ptr;
 	bool odd = FALSE;
 
-   /* subtract the number of optional ':' separation characters */
+	/* skip an optional 0x prefix */
+	if (hex.len > 1 && hex.ptr[1] == 'x' && hex.ptr[0] == '0')
+	{
+		hex = chunk_skip(hex, 2);
+	}
+
+	/* subtract the number of optional ':' separation characters */
 	len = hex.len;
 	ptr = hex.ptr;
 	for (i = 0; i < hex.len; i++)
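Review bot: The new prefix check in chunk_from_hex() recognises only a lower-case `0x`, so an input starting with `0X` is not stripped and both characters go on to the digit conversion. That conversion is further down, outside this hunk, so how it treats the `X` cannot be confirmed from here. Either accept both spellings, `if (hex.len > 1 && hex.ptr[0] == '0' && (hex.ptr[1] == 'x' || hex.ptr[1] == 'X'))`, or say in the function's documentation that only the lower-case prefix is skipped. Stripping before `len = hex.len` is the right order, because the computed output length can then only shrink relative to the original input. The function body starts and ends outside the hunk.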
diff --git a/src/libstrongswan/utils/compat/windows.h b/src/libstrongswan/utils/compat/windows.h
index f7e6207..68e1dca 100644
--- a/src/libstrongswan/utils/compat/windows.h
+++ b/src/libstrongswan/utils/compat/windows.h
@@ -114,6 +114,13 @@ static inline char* strdup_windows(const char *src)
 char* strndup(const char *s, size_t n);
 
 /**
+ * From winsock2.h
+ */
+#ifndef IPPROTO_IPIP
+#define IPPROTO_IPIP IPPROTO_IPV4
+#endif
+
+/**
  * Provided via ws2_32
  */
 #ifndef InetNtop
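Review bot: The comment `From winsock2.h` on the new block reads as if `IPPROTO_IPIP` itself came from that header, while the block defines it only when it is missing and maps it to `IPPROTO_IPV4`. Wording it as `/** IPPROTO_IPIP may be missing on Windows, alias it to IPPROTO_IPV4 from winsock2.h */` would say what the fallback does and where the target constant comes from.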
diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in
index ca49a0a..197ffc4 100644
--- a/src/libtls/Makefile.in
+++ b/src/libtls/Makefile.in
@@ -410,7 +410,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -445,6 +444,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtls/tests/Makefile.in b/src/libtls/tests/Makefile.in
index 7d8975a..22eb099 100644
--- a/src/libtls/tests/Makefile.in
+++ b/src/libtls/tests/Makefile.in
@@ -354,7 +354,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -389,6 +388,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtls/tests/suites/test_socket.c b/src/libtls/tests/suites/test_socket.c
index d105dd3..fce9b9e 100644
--- a/src/libtls/tests/suites/test_socket.c
+++ b/src/libtls/tests/suites/test_socket.c
@@ -128,73 +128,73 @@ static char ecdsa[] = {
 
 /**
  * TLS certificate for RSA key
+ * pki --self --in rsa.key --dn "C=CH, O=strongSwan, CN=tls-rsa" --san 127.0.0.1
  */
 static char rsa_crt[] = {
-	0x30,0x82,0x03,0x1f,0x30,0x82,0x02,0x07,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00,
-	0xf0,0xbb,0xac,0xc3,0xa1,0x6b,0xf3,0x1c,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,
-	0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x30,0x34,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,
-	0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,
-	0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x10,0x30,0x0e,0x06,
-	0x03,0x55,0x04,0x03,0x13,0x07,0x74,0x6c,0x73,0x2d,0x72,0x73,0x61,0x30,0x1e,0x17,
-	0x0d,0x31,0x34,0x30,0x33,0x32,0x34,0x31,0x36,0x32,0x37,0x32,0x36,0x5a,0x17,0x0d,
-	0x31,0x37,0x30,0x33,0x32,0x33,0x31,0x36,0x32,0x37,0x32,0x36,0x5a,0x30,0x34,0x31,
-	0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,
-	0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,
-	0x6e,0x31,0x10,0x30,0x0e,0x06,0x03,0x55,0x04,0x03,0x13,0x07,0x74,0x6c,0x73,0x2d,
-	0x72,0x73,0x61,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,
-	0x0d,0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,
-	0x82,0x01,0x01,0x00,0xee,0xa3,0x28,0xcc,0x48,0xca,0x37,0xfc,0xb6,0xfa,0xfc,0x18,
-	0x0d,0xa2,0x28,0x44,0xb4,0x16,0x56,0xf7,0x97,0x5f,0x38,0x83,0xfc,0xd4,0x30,0xea,
-	0xf7,0x5e,0xaa,0xd4,0x21,0x0e,0x71,0x49,0x13,0x39,0xaf,0x89,0xa1,0x1d,0x1b,0x9a,
-	0x08,0x44,0xff,0x0b,0xeb,0x4b,0xad,0x8e,0xc4,0x6d,0x1e,0x0c,0x02,0xbb,0x17,0x59,
-	0xc7,0x66,0xc7,0xff,0x4c,0x3c,0x11,0x40,0x1a,0xe3,0xca,0x34,0xf8,0x41,0xe0,0x39,
-	0x3e,0xce,0x72,0x9f,0x56,0x9e,0x69,0xad,0x98,0x43,0x5f,0x35,0xc2,0xd0,0xd9,0xbc,
-	0x8b,0xed,0xc6,0xc7,0x74,0x73,0x74,0x30,0x92,0x86,0x39,0x26,0x3d,0xf1,0xd5,0x16,
-	0x45,0x7d,0xcc,0x90,0x54,0xff,0x44,0x74,0xf3,0xba,0x41,0x5c,0x58,0xa4,0x66,0xe6,
-	0x9d,0x58,0xbe,0x7e,0x89,0xe1,0x7c,0xf7,0x28,0xb0,0xde,0xe2,0x01,0x0a,0x89,0xc7,
-	0x63,0x3f,0xef,0x2b,0xcb,0xef,0x65,0x89,0x82,0x23,0x32,0xa7,0xa3,0x1c,0x0d,0xc6,
-	0x8f,0x76,0x59,0x8b,0x55,0x65,0x9c,0x91,0xd4,0x93,0x89,0xad,0x37,0x47,0x23,0x25,
-	0xb3,0x53,0xea,0xef,0x73,0xeb,0x97,0xd3,0xd7,0x74,0x38,0x73,0x8d,0x16,0x0d,0x6f,
-	0xae,0x59,0x33,0x4e,0x24,0xe9,0x52,0xf6,0x6f,0x8c,0x5c,0x13,0xcf,0x1d,0x0a,0xcc,
-	0xb7,0x6a,0x88,0xce,0x91,0xe2,0xe0,0xcb,0xc6,0xd2,0xfb,0x81,0xf6,0xd2,0x9f,0x0a,
-	0x82,0x70,0x80,0xbf,0x93,0x70,0xc0,0x57,0x23,0x6e,0x97,0x1c,0x9d,0x7d,0xf0,0xa3,
-	0x54,0x86,0xec,0x40,0xae,0x09,0x20,0xed,0x02,0x43,0xa3,0xf8,0x7e,0x0e,0x5b,0xd0,
-	0x22,0x7b,0x74,0x39,0x02,0x03,0x01,0x00,0x01,0xa3,0x34,0x30,0x32,0x30,0x1f,0x06,
-	0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x96,0x0e,0xc8,0xd3,0xb3,0x3f,
-	0xd1,0x11,0xb6,0x36,0x70,0xdb,0x37,0x98,0x3c,0xab,0x69,0x03,0x69,0x56,0x30,0x0f,
-	0x06,0x03,0x55,0x1d,0x11,0x04,0x08,0x30,0x06,0x87,0x04,0x7f,0x00,0x00,0x01,0x30,
-	0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x05,0x05,0x00,0x03,0x82,
-	0x01,0x01,0x00,0x94,0x1d,0x08,0xda,0x7b,0xc4,0xa3,0xf4,0x40,0x54,0xae,0x45,0x6a,
-	0xb3,0x62,0xb6,0x0b,0x35,0xc7,0x5f,0xed,0xb9,0x42,0x33,0xd5,0x32,0x80,0x23,0x76,
-	0x87,0xae,0x59,0xbb,0x77,0x00,0xc4,0xbf,0x60,0x3b,0x9b,0x04,0x46,0x52,0xde,0x9f,
-	0x16,0xc6,0x96,0x5e,0x7a,0xb5,0xbb,0x49,0x6a,0x89,0x4a,0x60,0x0b,0x85,0x15,0xec,
-	0xbb,0x83,0x79,0x01,0xfa,0x3c,0xd5,0x1e,0x6a,0x75,0xe7,0x93,0xc9,0xc4,0xbb,0xea,
-	0xad,0xa2,0x23,0x32,0xc5,0x57,0x4c,0x41,0xb2,0x41,0x91,0x53,0x5e,0xaf,0x98,0x83,
-	0xcb,0x6b,0xa8,0x2f,0xc8,0x06,0x16,0x18,0x5a,0x75,0xe1,0xee,0xac,0xc0,0x28,0x08,
-	0x0a,0x09,0xd1,0x03,0xba,0x65,0xf1,0x89,0xcc,0x63,0x6f,0xb2,0x70,0xdc,0x46,0x2b,
-	0x62,0x5b,0x64,0xd4,0x7a,0xc4,0x12,0xe2,0x88,0x3a,0x54,0x0a,0xf5,0x1e,0x1c,0x9e,
-	0x9a,0xb2,0x62,0xf9,0xd3,0x02,0xf0,0xc1,0xf0,0x7b,0x4d,0xf3,0x44,0xd8,0x3c,0x13,
-	0x1d,0xfc,0x78,0xa3,0x54,0x68,0xce,0x43,0x31,0x78,0x58,0x2f,0x5d,0xb8,0xa7,0xff,
-	0x54,0xae,0x6e,0x25,0xd7,0x40,0x6c,0x59,0x7b,0x5f,0x18,0x31,0xe9,0xfc,0x53,0x34,
-	0xb2,0xb0,0x18,0xd4,0x2c,0x85,0x9d,0xad,0x2d,0xd2,0x05,0x5d,0x2e,0x47,0xee,0x09,
-	0x3d,0x05,0x2e,0x46,0x66,0xea,0x09,0xb2,0x81,0xd3,0x9b,0x28,0xbf,0xf9,0x9c,0x54,
-	0x98,0xb7,0x2d,0x38,0xd8,0xae,0x03,0x70,0xae,0x1e,0xd4,0xa9,0xb7,0x2e,0xdb,0x02,
-	0x6a,0x84,0x0f,0x6c,0xe8,0xb8,0x25,0x73,0x84,0x13,0x9f,0x34,0x24,0xb8,0xfc,0x96,
-	0x4c,0x91,0xfa,
+	0x30,0x82,0x02,0xfd,0x30,0x82,0x01,0xe5,0xa0,0x03,0x02,0x01,0x02,0x02,0x08,0x49,
+	0xbd,0xfd,0x4a,0xe8,0xa9,0xb8,0x40,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,
+	0x0d,0x01,0x01,0x0b,0x05,0x00,0x30,0x34,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,
+	0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,
+	0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x10,0x30,0x0e,0x06,0x03,
+	0x55,0x04,0x03,0x13,0x07,0x74,0x6c,0x73,0x2d,0x72,0x73,0x61,0x30,0x1e,0x17,0x0d,
+	0x31,0x37,0x30,0x33,0x32,0x34,0x30,0x39,0x31,0x31,0x31,0x39,0x5a,0x17,0x0d,0x32,
+	0x30,0x30,0x33,0x32,0x33,0x30,0x39,0x31,0x31,0x31,0x39,0x5a,0x30,0x34,0x31,0x0b,
+	0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,
+	0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,
+	0x31,0x10,0x30,0x0e,0x06,0x03,0x55,0x04,0x03,0x13,0x07,0x74,0x6c,0x73,0x2d,0x72,
+	0x73,0x61,0x30,0x82,0x01,0x22,0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,
+	0x01,0x01,0x01,0x05,0x00,0x03,0x82,0x01,0x0f,0x00,0x30,0x82,0x01,0x0a,0x02,0x82,
+	0x01,0x01,0x00,0xee,0xa3,0x28,0xcc,0x48,0xca,0x37,0xfc,0xb6,0xfa,0xfc,0x18,0x0d,
+	0xa2,0x28,0x44,0xb4,0x16,0x56,0xf7,0x97,0x5f,0x38,0x83,0xfc,0xd4,0x30,0xea,0xf7,
+	0x5e,0xaa,0xd4,0x21,0x0e,0x71,0x49,0x13,0x39,0xaf,0x89,0xa1,0x1d,0x1b,0x9a,0x08,
+	0x44,0xff,0x0b,0xeb,0x4b,0xad,0x8e,0xc4,0x6d,0x1e,0x0c,0x02,0xbb,0x17,0x59,0xc7,
+	0x66,0xc7,0xff,0x4c,0x3c,0x11,0x40,0x1a,0xe3,0xca,0x34,0xf8,0x41,0xe0,0x39,0x3e,
+	0xce,0x72,0x9f,0x56,0x9e,0x69,0xad,0x98,0x43,0x5f,0x35,0xc2,0xd0,0xd9,0xbc,0x8b,
+	0xed,0xc6,0xc7,0x74,0x73,0x74,0x30,0x92,0x86,0x39,0x26,0x3d,0xf1,0xd5,0x16,0x45,
+	0x7d,0xcc,0x90,0x54,0xff,0x44,0x74,0xf3,0xba,0x41,0x5c,0x58,0xa4,0x66,0xe6,0x9d,
+	0x58,0xbe,0x7e,0x89,0xe1,0x7c,0xf7,0x28,0xb0,0xde,0xe2,0x01,0x0a,0x89,0xc7,0x63,
+	0x3f,0xef,0x2b,0xcb,0xef,0x65,0x89,0x82,0x23,0x32,0xa7,0xa3,0x1c,0x0d,0xc6,0x8f,
+	0x76,0x59,0x8b,0x55,0x65,0x9c,0x91,0xd4,0x93,0x89,0xad,0x37,0x47,0x23,0x25,0xb3,
+	0x53,0xea,0xef,0x73,0xeb,0x97,0xd3,0xd7,0x74,0x38,0x73,0x8d,0x16,0x0d,0x6f,0xae,
+	0x59,0x33,0x4e,0x24,0xe9,0x52,0xf6,0x6f,0x8c,0x5c,0x13,0xcf,0x1d,0x0a,0xcc,0xb7,
+	0x6a,0x88,0xce,0x91,0xe2,0xe0,0xcb,0xc6,0xd2,0xfb,0x81,0xf6,0xd2,0x9f,0x0a,0x82,
+	0x70,0x80,0xbf,0x93,0x70,0xc0,0x57,0x23,0x6e,0x97,0x1c,0x9d,0x7d,0xf0,0xa3,0x54,
+	0x86,0xec,0x40,0xae,0x09,0x20,0xed,0x02,0x43,0xa3,0xf8,0x7e,0x0e,0x5b,0xd0,0x22,
+	0x7b,0x74,0x39,0x02,0x03,0x01,0x00,0x01,0xa3,0x13,0x30,0x11,0x30,0x0f,0x06,0x03,
+	0x55,0x1d,0x11,0x04,0x08,0x30,0x06,0x87,0x04,0x7f,0x00,0x00,0x01,0x30,0x0d,0x06,
+	0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00,0x03,0x82,0x01,0x01,
+	0x00,0x34,0xe5,0x9d,0x90,0xe4,0xc1,0x0b,0x82,0xea,0x48,0x29,0xfd,0x50,0x8c,0x6b,
+	0xf3,0xc8,0x4d,0x7a,0xb1,0xdb,0x5b,0x1f,0x67,0x22,0x55,0xaa,0xf4,0x11,0xf9,0x1b,
+	0x1c,0x9f,0x30,0xfa,0x71,0x6b,0xc5,0x9e,0x1d,0x4d,0xd2,0x8c,0x48,0x5a,0xe8,0x76,
+	0xa4,0x1a,0xe8,0x6a,0xf5,0x1c,0x3d,0x55,0x7f,0x23,0x0b,0x67,0xe6,0x0b,0xef,0xad,
+	0x75,0x17,0x3f,0xa7,0x18,0x18,0x25,0xdc,0x73,0x99,0xc1,0x2b,0x76,0x54,0xcf,0x9a,
+	0x4c,0x33,0xbe,0xab,0xda,0xe7,0xa3,0xf8,0xc3,0x66,0x29,0x20,0x1f,0x04,0x88,0xfd,
+	0xfe,0x62,0x67,0xc0,0x62,0xd8,0x46,0xfb,0x47,0x17,0x35,0x38,0x5c,0x58,0xd9,0x51,
+	0x10,0x5b,0x44,0xc6,0x16,0x96,0x84,0x31,0x37,0xd9,0xef,0xd4,0xc8,0x15,0x2e,0x8b,
+	0x90,0xf8,0x18,0x0d,0x63,0xbe,0xa4,0x0f,0xd6,0x4a,0xfd,0xea,0x87,0xe2,0xb2,0xd1,
+	0x05,0x07,0x01,0x44,0x84,0xdf,0x29,0xf9,0x2c,0x6b,0x9a,0x82,0xe4,0x50,0xdf,0x6c,
+	0xac,0xf8,0x54,0x5f,0x78,0x03,0xc2,0x1c,0x77,0x8f,0x7f,0x52,0xce,0x83,0x97,0x94,
+	0x42,0xe3,0x87,0x42,0xd4,0x16,0xf5,0xed,0x54,0xc9,0xa8,0x3a,0x0f,0x81,0xe1,0x4b,
+	0x62,0xcd,0x99,0xcc,0xab,0x55,0x89,0x69,0x90,0x31,0x63,0x7b,0x18,0x34,0xd6,0x9a,
+	0x20,0x12,0x91,0x2a,0x49,0x56,0x4c,0x69,0xa4,0x77,0x8f,0xf5,0x7d,0x60,0xb9,0x1c,
+	0x87,0xfd,0xcc,0x36,0xdd,0x18,0x44,0x2e,0x06,0x35,0x8e,0x70,0xf2,0x07,0x79,0x94,
+	0x72,0xc9,0x47,0x57,0x9a,0xe0,0xef,0x38,0x27,0x79,0x20,0xda,0x03,0xe2,0x9c,0xd9,
+	0x06,
 };
 
 /**
  * TLS certificate for ECDSA key
+ * pki --self --in ecdsa.key --dn "C=CH, O=strongSwan, CN=tls-ecdsa" --san 127.0.0.1
  */
 static char ecdsa_crt[] = {
-	0x30,0x82,0x01,0xd3,0x30,0x82,0x01,0x59,0xa0,0x03,0x02,0x01,0x02,0x02,0x09,0x00,
-	0xaa,0x92,0xf5,0x39,0x85,0xf5,0xd5,0xa3,0x30,0x09,0x06,0x07,0x2a,0x86,0x48,0xce,
-	0x3d,0x04,0x01,0x30,0x36,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,
+	0x30,0x82,0x01,0xb2,0x30,0x82,0x01,0x38,0xa0,0x03,0x02,0x01,0x02,0x02,0x08,0x6f,
+	0xaa,0xe0,0x88,0x46,0x8c,0x57,0x0d,0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,
+	0x04,0x03,0x03,0x30,0x36,0x31,0x0b,0x30,0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,
 	0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,
 	0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03,
 	0x13,0x09,0x74,0x6c,0x73,0x2d,0x65,0x63,0x64,0x73,0x61,0x30,0x1e,0x17,0x0d,0x31,
-	0x34,0x30,0x33,0x32,0x34,0x31,0x36,0x32,0x39,0x33,0x34,0x5a,0x17,0x0d,0x31,0x37,
-	0x30,0x33,0x32,0x33,0x31,0x36,0x32,0x39,0x33,0x34,0x5a,0x30,0x36,0x31,0x0b,0x30,
+	0x37,0x30,0x33,0x32,0x34,0x30,0x39,0x31,0x31,0x32,0x31,0x5a,0x17,0x0d,0x32,0x30,
+	0x30,0x33,0x32,0x33,0x30,0x39,0x31,0x31,0x32,0x31,0x5a,0x30,0x36,0x31,0x0b,0x30,
 	0x09,0x06,0x03,0x55,0x04,0x06,0x13,0x02,0x43,0x48,0x31,0x13,0x30,0x11,0x06,0x03,
 	0x55,0x04,0x0a,0x13,0x0a,0x73,0x74,0x72,0x6f,0x6e,0x67,0x53,0x77,0x61,0x6e,0x31,
 	0x12,0x30,0x10,0x06,0x03,0x55,0x04,0x03,0x13,0x09,0x74,0x6c,0x73,0x2d,0x65,0x63,
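Review bot: The regenerated `rsa_crt` still has a fixed three-year validity window: the UTCTime fields in the new bytes decode to 170324091119Z and 200323091119Z, and the certificate it replaces ended at 170323162726Z. `ecdsa_crt`, whose array continues into the next hunk, has the same window (notAfter 200323091121Z). If the socket tests check certificate lifetime, which cannot be seen from this hunk, they will start failing on that date. The command documented in the new comments could pass an explicit lifetime, e.g. `pki --self --in rsa.key --lifetime <days> --dn "C=CH, O=strongSwan, CN=tls-rsa" --san 127.0.0.1`, so a regenerated fixture outlives the release.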
@@ -205,18 +205,16 @@ static char ecdsa_crt[] = {
 	0x4e,0xe3,0xdd,0xf4,0xa6,0xc3,0xba,0x77,0x53,0xb8,0x28,0x5f,0xd2,0x97,0x05,0xa3,
 	0x5b,0xe6,0xde,0x0a,0xce,0x11,0xa8,0xaf,0x02,0xbd,0xfa,0x17,0xf9,0xa7,0x38,0x3e,
 	0x5b,0x57,0xb0,0x01,0xb3,0xc6,0x09,0x29,0x65,0xae,0xfb,0x87,0x92,0xa3,0xd7,0x3d,
-	0x9a,0x1c,0x52,0x09,0xb1,0x47,0xc8,0xf6,0x18,0xbb,0x97,0xa3,0x34,0x30,0x32,0x30,
-	0x1f,0x06,0x03,0x55,0x1d,0x23,0x04,0x18,0x30,0x16,0x80,0x14,0x4f,0x1e,0x5d,0x94,
-	0x85,0xe2,0xbc,0x86,0x0e,0x80,0xce,0x17,0x92,0x42,0xb4,0xb8,0x19,0x67,0xb8,0xfe,
-	0x30,0x0f,0x06,0x03,0x55,0x1d,0x11,0x04,0x08,0x30,0x06,0x87,0x04,0x7f,0x00,0x00,
-	0x01,0x30,0x09,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x04,0x01,0x03,0x69,0x00,0x30,
-	0x66,0x02,0x31,0x00,0xdc,0x6e,0x3b,0xe4,0x9f,0x36,0xa5,0xa8,0x88,0x8d,0xcf,0x2d,
-	0xa1,0x6e,0x33,0x68,0x73,0xd6,0x6a,0xd6,0x1d,0x00,0xe5,0x5c,0x76,0x09,0x5e,0xe9,
-	0x7a,0x3a,0x00,0x5e,0xbc,0xef,0x0d,0x8d,0x95,0x5c,0x2b,0xfc,0xa4,0xe3,0xe3,0xcf,
-	0x74,0x95,0x00,0x21,0x02,0x31,0x00,0x8f,0x40,0x3e,0xfc,0xe9,0xae,0x17,0x9b,0x36,
-	0x39,0xe2,0x79,0xa5,0x7b,0x5d,0xe3,0xe0,0x84,0x68,0x7e,0x00,0x57,0xbe,0x4d,0xe3,
-	0x0e,0xff,0x20,0x9c,0xce,0xd1,0x43,0x76,0x00,0x6e,0x59,0x7b,0xac,0x94,0x05,0xef,
-	0xed,0xca,0x8b,0xe5,0x7f,0xa5,0xd7,
+	0x9a,0x1c,0x52,0x09,0xb1,0x47,0xc8,0xf6,0x18,0xbb,0x97,0xa3,0x13,0x30,0x11,0x30,
+	0x0f,0x06,0x03,0x55,0x1d,0x11,0x04,0x08,0x30,0x06,0x87,0x04,0x7f,0x00,0x00,0x01,
+	0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x03,0x03,0x68,0x00,0x30,
+	0x65,0x02,0x31,0x00,0xdf,0x9e,0x92,0xcf,0x95,0xe1,0x6b,0xe4,0x89,0xf7,0x16,0xc7,
+	0xf8,0x6b,0xcb,0x5d,0x15,0xb4,0xb3,0x71,0xcd,0x34,0x4b,0x08,0x79,0xa2,0x7a,0x9d,
+	0xbe,0xc1,0xb0,0xc5,0x8d,0xcd,0x87,0x72,0xcf,0xa2,0x69,0xc9,0x50,0x60,0x02,0x23,
+	0xd4,0xc0,0xd7,0x80,0x02,0x30,0x7d,0xa1,0xf3,0x1c,0x1f,0x51,0xd4,0x07,0xc0,0xce,
+	0xa5,0x1a,0x28,0x5c,0x26,0x67,0x2f,0xfb,0x2e,0x35,0x23,0xa8,0xbb,0x6d,0x9f,0xd8,
+	0x13,0xd7,0xb0,0x30,0x1e,0x4b,0x11,0x6b,0xe8,0x5a,0x17,0x23,0x51,0xe6,0x63,0xcf,
+	0x3d,0xbb,0x21,0xff,0xe0,0x8b,
 };
 
 START_SETUP(setup_creds)
diff --git a/src/libtls/tls_fragmentation.c b/src/libtls/tls_fragmentation.c
index 3607aa3..7a96302 100644
--- a/src/libtls/tls_fragmentation.c
+++ b/src/libtls/tls_fragmentation.c
@@ -329,7 +329,7 @@ static bool check_alerts(private_tls_fragmentation_t *this, chunk_t *data)
 }
 
 /**
- * Build hanshake message
+ * Build handshake message
  */
 static status_t build_handshake(private_tls_fragmentation_t *this)
 {
diff --git a/src/libtnccs/Makefile.in b/src/libtnccs/Makefile.in
index 1f4f22f..a22a631 100644
--- a/src/libtnccs/Makefile.in
+++ b/src/libtnccs/Makefile.in
@@ -414,7 +414,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -449,6 +448,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnc_imc/Makefile.in b/src/libtnccs/plugins/tnc_imc/Makefile.in
index f8797f3..2d04cc1 100644
--- a/src/libtnccs/plugins/tnc_imc/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imc/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnc_imv/Makefile.in b/src/libtnccs/plugins/tnc_imv/Makefile.in
index 811dd0a..cfdd73c 100644
--- a/src/libtnccs/plugins/tnc_imv/Makefile.in
+++ b/src/libtnccs/plugins/tnc_imv/Makefile.in
@@ -363,7 +363,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -398,6 +397,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnc_tnccs/Makefile.in b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
index 048c7cd..094d3be 100644
--- a/src/libtnccs/plugins/tnc_tnccs/Makefile.in
+++ b/src/libtnccs/plugins/tnc_tnccs/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnccs_11/Makefile.in b/src/libtnccs/plugins/tnccs_11/Makefile.in
index 2580d2f..d816d6b 100644
--- a/src/libtnccs/plugins/tnccs_11/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_11/Makefile.in
@@ -372,7 +372,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -407,6 +406,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.in b/src/libtnccs/plugins/tnccs_20/Makefile.in
index 43ab69a..a64288f 100644
--- a/src/libtnccs/plugins/tnccs_20/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_20/Makefile.in
@@ -375,7 +375,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -410,6 +409,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
index 0d9a641..043e64d 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
+++ b/src/libtnccs/plugins/tnccs_dynamic/Makefile.in
@@ -362,7 +362,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -397,6 +396,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtncif/Makefile.in b/src/libtncif/Makefile.in
index d3c74a2..77c950a 100644
--- a/src/libtncif/Makefile.in
+++ b/src/libtncif/Makefile.in
@@ -324,7 +324,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -359,6 +358,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libtpmtss/Makefile.am b/src/libtpmtss/Makefile.am
index e2c1597..c7ac39a 100644
--- a/src/libtpmtss/Makefile.am
+++ b/src/libtpmtss/Makefile.am
@@ -8,12 +8,6 @@ AM_LDFLAGS = \
 	-no-undefined
 
 ipseclib_LTLIBRARIES = libtpmtss.la
-libtpmtss_la_SOURCES = \
-	tpm_tss.h tpm_tss.c \
-	tpm_tss_quote_info.h tpm_tss_quote_info.c \
-	tpm_tss_trousers.h tpm_tss_trousers.c \
-	tpm_tss_tss2.h tpm_tss_tss2.c \
-	tpm_tss_tss2_names.h tpm_tss_tss2_names.c
 
 libtpmtss_la_LIBADD = \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la
@@ -26,3 +20,24 @@ if USE_TROUSERS
 libtpmtss_la_LIBADD += -ltspi
 endif
 
+libtpmtss_la_SOURCES = \
+	tpm_tss.h tpm_tss.c \
+	tpm_tss_quote_info.h tpm_tss_quote_info.c \
+	tpm_tss_trousers.h tpm_tss_trousers.c \
+	tpm_tss_tss2.h tpm_tss_tss2.c \
+	tpm_tss_tss2_names.h tpm_tss_tss2_names.c
+
+if MONOLITHIC
+SUBDIRS =
+else
+SUBDIRS = .
+endif
+
+if USE_TPM
+  SUBDIRS += plugins/tpm
+if MONOLITHIC
+  libtpmtss_la_LIBADD += plugins/tpm/libstrongswan-tpm.la
+endif
+endif
+
+
diff --git a/src/libtpmtss/Makefile.in b/src/libtpmtss/Makefile.in
index 46d8cf6..1a19fb5 100644
--- a/src/libtpmtss/Makefile.in
+++ b/src/libtpmtss/Makefile.in
@@ -90,6 +90,8 @@ build_triplet = @build@
 host_triplet = @host@
 @USE_TSS2_TRUE at am__append_1 = $(tss2_LIBS)
 @USE_TROUSERS_TRUE at am__append_2 = -ltspi
+ at USE_TPM_TRUE@am__append_3 = plugins/tpm
+ at MONOLITHIC_TRUE@@USE_TPM_TRUE at am__append_4 = plugins/tpm/libstrongswan-tpm.la
 subdir = src/libtpmtss
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
@@ -142,7 +144,7 @@ am__DEPENDENCIES_1 =
 @USE_TSS2_TRUE at am__DEPENDENCIES_2 = $(am__DEPENDENCIES_1)
 libtpmtss_la_DEPENDENCIES =  \
 	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1)
+	$(am__DEPENDENCIES_2) $(am__DEPENDENCIES_1) $(am__append_4)
 am_libtpmtss_la_OBJECTS = tpm_tss.lo tpm_tss_quote_info.lo \
 	tpm_tss_trousers.lo tpm_tss_tss2.lo tpm_tss_tss2_names.lo
 libtpmtss_la_OBJECTS = $(am_libtpmtss_la_OBJECTS)
@@ -186,11 +188,27 @@ am__v_CCLD_0 = @echo "  CCLD    " $@;
 am__v_CCLD_1 = 
 SOURCES = $(libtpmtss_la_SOURCES)
 DIST_SOURCES = $(libtpmtss_la_SOURCES)
+RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
+	ctags-recursive dvi-recursive html-recursive info-recursive \
+	install-data-recursive install-dvi-recursive \
+	install-exec-recursive install-html-recursive \
+	install-info-recursive install-pdf-recursive \
+	install-ps-recursive install-recursive installcheck-recursive \
+	installdirs-recursive pdf-recursive ps-recursive \
+	tags-recursive uninstall-recursive
 am__can_run_installinfo = \
   case $$AM_UPDATE_INFO_DIR in \
     n|no|NO) false;; \
     *) (install-info --version) >/dev/null 2>&1;; \
   esac
+RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive	\
+  distclean-recursive maintainer-clean-recursive
+am__recursive_targets = \
+  $(RECURSIVE_TARGETS) \
+  $(RECURSIVE_CLEAN_TARGETS) \
+  $(am__extra_recursive_targets)
+AM_RECURSIVE_TARGETS = $(am__recursive_targets:-recursive=) TAGS CTAGS \
+	distdir
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
 # Read a list of newline-separated strings from the standard input,
 # and print each of them once, without duplicates.  Input order is
@@ -210,8 +228,34 @@ am__define_uniq_tagged_files = \
   done | $(am__uniquify_input)`
 ETAGS = etags
 CTAGS = ctags
+DIST_SUBDIRS = . plugins/tpm
 am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+am__relativize = \
+  dir0=`pwd`; \
+  sed_first='s,^\([^/]*\)/.*$$,\1,'; \
+  sed_rest='s,^[^/]*/*,,'; \
+  sed_last='s,^.*/\([^/]*\)$$,\1,'; \
+  sed_butlast='s,/*[^/]*$$,,'; \
+  while test -n "$$dir1"; do \
+    first=`echo "$$dir1" | sed -e "$$sed_first"`; \
+    if test "$$first" != "."; then \
+      if test "$$first" = ".."; then \
+        dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \
+        dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \
+      else \
+        first2=`echo "$$dir2" | sed -e "$$sed_first"`; \
+        if test "$$first2" = "$$first"; then \
+          dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \
+        else \
+          dir2="../$$dir2"; \
+        fi; \
+        dir0="$$dir0"/"$$first"; \
+      fi; \
+    fi; \
+    dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \
+  done; \
+  reldir="$$dir2"
 ACLOCAL = @ACLOCAL@
 ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
@@ -358,7 +402,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -393,6 +436,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -452,6 +496,9 @@ AM_LDFLAGS = \
 	-no-undefined
 
 ipseclib_LTLIBRARIES = libtpmtss.la
+libtpmtss_la_LIBADD =  \
+	$(top_builddir)/src/libstrongswan/libstrongswan.la \
+	$(am__append_1) $(am__append_2) $(am__append_4)
 libtpmtss_la_SOURCES = \
 	tpm_tss.h tpm_tss.c \
 	tpm_tss_quote_info.h tpm_tss_quote_info.c \
@@ -459,10 +506,9 @@ libtpmtss_la_SOURCES = \
 	tpm_tss_tss2.h tpm_tss_tss2.c \
 	tpm_tss_tss2_names.h tpm_tss_tss2_names.c
 
-libtpmtss_la_LIBADD =  \
-	$(top_builddir)/src/libstrongswan/libstrongswan.la \
-	$(am__append_1) $(am__append_2)
-all: all-am
+ at MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3)
+ at MONOLITHIC_TRUE@SUBDIRS = $(am__append_3)
+all: all-recursive
 
 .SUFFIXES:
 .SUFFIXES: .c .lo .o .obj
@@ -576,14 +622,61 @@ mostlyclean-libtool:
 clean-libtool:
 	-rm -rf .libs _libs
 
+# This directory's subdirectories are mostly independent; you can cd
+# into them and run 'make' without going through this Makefile.
+# To change the values of 'make' variables: instead of editing Makefiles,
+# (1) if the variable is set in 'config.status', edit 'config.status'
+#     (which will cause the Makefiles to be regenerated when you run 'make');
+# (2) otherwise, pass the desired values on the 'make' command line.
+$(am__recursive_targets):
+	@fail=; \
+	if $(am__make_keepgoing); then \
+	  failcom='fail=yes'; \
+	else \
+	  failcom='exit 1'; \
+	fi; \
+	dot_seen=no; \
+	target=`echo $@ | sed s/-recursive//`; \
+	case "$@" in \
+	  distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \
+	  *) list='$(SUBDIRS)' ;; \
+	esac; \
+	for subdir in $$list; do \
+	  echo "Making $$target in $$subdir"; \
+	  if test "$$subdir" = "."; then \
+	    dot_seen=yes; \
+	    local_target="$$target-am"; \
+	  else \
+	    local_target="$$target"; \
+	  fi; \
+	  ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \
+	  || eval $$failcom; \
+	done; \
+	if test "$$dot_seen" = "no"; then \
+	  $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \
+	fi; test -z "$$fail"
+
 ID: $(am__tagged_files)
 	$(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-am
+tags: tags-recursive
 TAGS: tags
 
 tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
 	set x; \
 	here=`pwd`; \
+	if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \
+	  include_option=--etags-include; \
+	  empty_fix=.; \
+	else \
+	  include_option=--include; \
+	  empty_fix=; \
+	fi; \
+	list='$(SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    test ! -f $$subdir/TAGS || \
+	      set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \
+	  fi; \
+	done; \
 	$(am__define_uniq_tagged_files); \
 	shift; \
 	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
@@ -596,7 +689,7 @@ tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
 	      $$unique; \
 	  fi; \
 	fi
-ctags: ctags-am
+ctags: ctags-recursive
 
 CTAGS: ctags
 ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
@@ -609,7 +702,7 @@ GTAGS:
 	here=`$(am__cd) $(top_builddir) && pwd` \
 	  && $(am__cd) $(top_srcdir) \
 	  && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-am
+cscopelist: cscopelist-recursive
 
 cscopelist-am: $(am__tagged_files)
 	list='$(am__tagged_files)'; \
@@ -658,22 +751,48 @@ distdir: $(DISTFILES)
 	    || exit 1; \
 	  fi; \
 	done
+	@list='$(DIST_SUBDIRS)'; for subdir in $$list; do \
+	  if test "$$subdir" = .; then :; else \
+	    $(am__make_dryrun) \
+	      || test -d "$(distdir)/$$subdir" \
+	      || $(MKDIR_P) "$(distdir)/$$subdir" \
+	      || exit 1; \
+	    dir1=$$subdir; dir2="$(distdir)/$$subdir"; \
+	    $(am__relativize); \
+	    new_distdir=$$reldir; \
+	    dir1=$$subdir; dir2="$(top_distdir)"; \
+	    $(am__relativize); \
+	    new_top_distdir=$$reldir; \
+	    echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \
+	    echo "     am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \
+	    ($(am__cd) $$subdir && \
+	      $(MAKE) $(AM_MAKEFLAGS) \
+	        top_distdir="$$new_top_distdir" \
+	        distdir="$$new_distdir" \
+		am__remove_distdir=: \
+		am__skip_length_check=: \
+		am__skip_mode_fix=: \
+	        distdir) \
+	      || exit 1; \
+	  fi; \
+	done
 check-am: all-am
-check: check-am
+check: check-recursive
 all-am: Makefile $(LTLIBRARIES)
-installdirs:
+installdirs: installdirs-recursive
+installdirs-am:
 	for dir in "$(DESTDIR)$(ipseclibdir)"; do \
 	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
 	done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
+install: install-recursive
+install-exec: install-exec-recursive
+install-data: install-data-recursive
+uninstall: uninstall-recursive
 
 install-am: all-am
 	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
 
-installcheck: installcheck-am
+installcheck: installcheck-recursive
 install-strip:
 	if test -z '$(STRIP)'; then \
 	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
@@ -695,89 +814,90 @@ distclean-generic:
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
 	@echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
+clean: clean-recursive
 
 clean-am: clean-generic clean-ipseclibLTLIBRARIES clean-libtool \
 	mostlyclean-am
 
-distclean: distclean-am
+distclean: distclean-recursive
 	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 distclean-am: clean-am distclean-compile distclean-generic \
 	distclean-tags
 
-dvi: dvi-am
+dvi: dvi-recursive
 
 dvi-am:
 
-html: html-am
+html: html-recursive
 
 html-am:
 
-info: info-am
+info: info-recursive
 
 info-am:
 
 install-data-am: install-ipseclibLTLIBRARIES
 
-install-dvi: install-dvi-am
+install-dvi: install-dvi-recursive
 
 install-dvi-am:
 
 install-exec-am:
 
-install-html: install-html-am
+install-html: install-html-recursive
 
 install-html-am:
 
-install-info: install-info-am
+install-info: install-info-recursive
 
 install-info-am:
 
 install-man:
 
-install-pdf: install-pdf-am
+install-pdf: install-pdf-recursive
 
 install-pdf-am:
 
-install-ps: install-ps-am
+install-ps: install-ps-recursive
 
 install-ps-am:
 
 installcheck-am:
 
-maintainer-clean: maintainer-clean-am
+maintainer-clean: maintainer-clean-recursive
 	-rm -rf ./$(DEPDIR)
 	-rm -f Makefile
 maintainer-clean-am: distclean-am maintainer-clean-generic
 
-mostlyclean: mostlyclean-am
+mostlyclean: mostlyclean-recursive
 
 mostlyclean-am: mostlyclean-compile mostlyclean-generic \
 	mostlyclean-libtool
 
-pdf: pdf-am
+pdf: pdf-recursive
 
 pdf-am:
 
-ps: ps-am
+ps: ps-recursive
 
 ps-am:
 
 uninstall-am: uninstall-ipseclibLTLIBRARIES
 
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
-	clean-ipseclibLTLIBRARIES clean-libtool cscopelist-am ctags \
-	ctags-am distclean distclean-compile distclean-generic \
-	distclean-libtool distclean-tags distdir dvi dvi-am html \
-	html-am info info-am install install-am install-data \
-	install-data-am install-dvi install-dvi-am install-exec \
-	install-exec-am install-html install-html-am install-info \
-	install-info-am install-ipseclibLTLIBRARIES install-man \
-	install-pdf install-pdf-am install-ps install-ps-am \
-	install-strip installcheck installcheck-am installdirs \
+.MAKE: $(am__recursive_targets) install-am install-strip
+
+.PHONY: $(am__recursive_targets) CTAGS GTAGS TAGS all all-am check \
+	check-am clean clean-generic clean-ipseclibLTLIBRARIES \
+	clean-libtool cscopelist-am ctags ctags-am distclean \
+	distclean-compile distclean-generic distclean-libtool \
+	distclean-tags distdir dvi dvi-am html html-am info info-am \
+	install install-am install-data install-data-am install-dvi \
+	install-dvi-am install-exec install-exec-am install-html \
+	install-html-am install-info install-info-am \
+	install-ipseclibLTLIBRARIES install-man install-pdf \
+	install-pdf-am install-ps install-ps-am install-strip \
+	installcheck installcheck-am installdirs installdirs-am \
 	maintainer-clean maintainer-clean-generic mostlyclean \
 	mostlyclean-compile mostlyclean-generic mostlyclean-libtool \
 	pdf pdf-am ps ps-am tags tags-am uninstall uninstall-am \
diff --git a/src/libtpmtss/plugins/tpm/Makefile.am b/src/libtpmtss/plugins/tpm/Makefile.am
new file mode 100644
index 0000000..2812810
--- /dev/null
+++ b/src/libtpmtss/plugins/tpm/Makefile.am
@@ -0,0 +1,21 @@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtpmtss
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tpm.la
+else
+plugin_LTLIBRARIES = libstrongswan-tpm.la
+libstrongswan_tpm_la_LIBADD = \
+	$(top_builddir)/src/libtpmtss/libtpmtss.la
+endif
+
+libstrongswan_tpm_la_SOURCES = \
+	tpm_plugin.h tpm_plugin.c \
+	tpm_private_key.h tpm_private_key.c \
+	tpm_rng.h tpm_rng.c
+
+libstrongswan_tpm_la_LDFLAGS = -module -avoid-version
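Review bot: The `if MONOLITHIC` branch sets no `libstrongswan_tpm_la_LIBADD`, while the `else` branch links `$(top_builddir)/src/libtpmtss/libtpmtss.la`, and nothing in the file says why the two differ. Per src/libtpmtss/Makefile.am in this commit, the monolithic build adds `plugins/tpm/libstrongswan-tpm.la` to `libtpmtss_la_LIBADD`, so a LIBADD here would be circular. A one-line comment would stop a later cleanup from making the branches match, e.g. `# monolithic: convenience library linked into libtpmtss.la by the parent Makefile.am, so it must not link libtpmtss.la itself`. Because this plugin carries the TPM private-key and RNG backends (`tpm_private_key.c`, `tpm_rng.c`), it is worth confirming that both build modes are exercised by the build tests; that cannot be seen from this hunk.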
diff --git a/src/libtpmtss/plugins/tpm/Makefile.in b/src/libtpmtss/plugins/tpm/Makefile.in
new file mode 100644
index 0000000..9e2641b
--- /dev/null
+++ b/src/libtpmtss/plugins/tpm/Makefile.in
@@ -0,0 +1,799 @@
+# Makefile.in generated by automake 1.15 from Makefile.am.
+# @configure_input@
+
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+
+# This Makefile.in is free software; the Free Software Foundation
+# gives unlimited permission to copy and/or distribute it,
+# with or without modifications, as long as this notice is preserved.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
+# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
+# PARTICULAR PURPOSE.
+
+ at SET_MAKE@
+
+VPATH = @srcdir@
+am__is_gnu_make = { \
+  if test -z '$(MAKELEVEL)'; then \
+    false; \
+  elif test -n '$(MAKE_HOST)'; then \
+    true; \
+  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+    true; \
+  else \
+    false; \
+  fi; \
+}
+am__make_running_with_option = \
+  case $${target_option-} in \
+      ?) ;; \
+      *) echo "am__make_running_with_option: internal error: invalid" \
+              "target option '$${target_option-}' specified" >&2; \
+         exit 1;; \
+  esac; \
+  has_opt=no; \
+  sane_makeflags=$$MAKEFLAGS; \
+  if $(am__is_gnu_make); then \
+    sane_makeflags=$$MFLAGS; \
+  else \
+    case $$MAKEFLAGS in \
+      *\\[\ \	]*) \
+        bs=\\; \
+        sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
+          | sed "s/$$bs$$bs[$$bs $$bs	]*//g"`;; \
+    esac; \
+  fi; \
+  skip_next=no; \
+  strip_trailopt () \
+  { \
+    flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
+  }; \
+  for flg in $$sane_makeflags; do \
+    test $$skip_next = yes && { skip_next=no; continue; }; \
+    case $$flg in \
+      *=*|--*) continue;; \
+        -*I) strip_trailopt 'I'; skip_next=yes;; \
+      -*I?*) strip_trailopt 'I';; \
+        -*O) strip_trailopt 'O'; skip_next=yes;; \
+      -*O?*) strip_trailopt 'O';; \
+        -*l) strip_trailopt 'l'; skip_next=yes;; \
+      -*l?*) strip_trailopt 'l';; \
+      -[dEDm]) skip_next=yes;; \
+      -[JT]) skip_next=yes;; \
+    esac; \
+    case $$flg in \
+      *$$target_option*) has_opt=yes; break;; \
+    esac; \
+  done; \
+  test $$has_opt = yes
+am__make_dryrun = (target_option=n; $(am__make_running_with_option))
+am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+pkgdatadir = $(datadir)/@PACKAGE@
+pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
+am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
+install_sh_DATA = $(install_sh) -c -m 644
+install_sh_PROGRAM = $(install_sh) -c
+install_sh_SCRIPT = $(install_sh) -c
+INSTALL_HEADER = $(INSTALL_DATA)
+transform = $(program_transform_name)
+NORMAL_INSTALL = :
+PRE_INSTALL = :
+POST_INSTALL = :
+NORMAL_UNINSTALL = :
+PRE_UNINSTALL = :
+POST_UNINSTALL = :
+build_triplet = @build@
+host_triplet = @host@
+subdir = src/libtpmtss/plugins/tpm
+ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
+am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
+	$(top_srcdir)/m4/config/ltoptions.m4 \
+	$(top_srcdir)/m4/config/ltsugar.m4 \
+	$(top_srcdir)/m4/config/ltversion.m4 \
+	$(top_srcdir)/m4/config/lt~obsolete.m4 \
+	$(top_srcdir)/m4/macros/split-package-version.m4 \
+	$(top_srcdir)/m4/macros/with.m4 \
+	$(top_srcdir)/m4/macros/enable-disable.m4 \
+	$(top_srcdir)/m4/macros/add-plugin.m4 \
+	$(top_srcdir)/configure.ac
+am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
+	$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
+mkinstalldirs = $(install_sh) -d
+CONFIG_HEADER = $(top_builddir)/config.h
+CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
+am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
+am__vpath_adj = case $$p in \
+    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
+    *) f=$$p;; \
+  esac;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+  for p in $$list; do echo "$$p $$p"; done | \
+  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+    if (++n[$$2] == $(am__install_max)) \
+      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+    END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
+am__uninstall_files_from_dir = { \
+  test -z "$$files" \
+    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+         $(am__cd) "$$dir" && rm -f $$files; }; \
+  }
+am__installdirs = "$(DESTDIR)$(plugindir)"
+LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
+ at MONOLITHIC_FALSE@libstrongswan_tpm_la_DEPENDENCIES =  \
+ at MONOLITHIC_FALSE@	$(top_builddir)/src/libtpmtss/libtpmtss.la
+am_libstrongswan_tpm_la_OBJECTS = tpm_plugin.lo tpm_private_key.lo \
+	tpm_rng.lo
+libstrongswan_tpm_la_OBJECTS = $(am_libstrongswan_tpm_la_OBJECTS)
+AM_V_lt = $(am__v_lt_ at AM_V@)
+am__v_lt_ = $(am__v_lt_ at AM_DEFAULT_V@)
+am__v_lt_0 = --silent
+am__v_lt_1 = 
+libstrongswan_tpm_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
+	$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
+	$(AM_CFLAGS) $(CFLAGS) $(libstrongswan_tpm_la_LDFLAGS) \
+	$(LDFLAGS) -o $@
+ at MONOLITHIC_FALSE@am_libstrongswan_tpm_la_rpath = -rpath $(plugindir)
+ at MONOLITHIC_TRUE@am_libstrongswan_tpm_la_rpath =
+AM_V_P = $(am__v_P_ at AM_V@)
+am__v_P_ = $(am__v_P_ at AM_DEFAULT_V@)
+am__v_P_0 = false
+am__v_P_1 = :
+AM_V_GEN = $(am__v_GEN_ at AM_V@)
+am__v_GEN_ = $(am__v_GEN_ at AM_DEFAULT_V@)
+am__v_GEN_0 = @echo "  GEN     " $@;
+am__v_GEN_1 = 
+AM_V_at = $(am__v_at_ at AM_V@)
+am__v_at_ = $(am__v_at_ at AM_DEFAULT_V@)
+am__v_at_0 = @
+am__v_at_1 = 
+DEFAULT_INCLUDES = -I. at am__isrc@ -I$(top_builddir)
+depcomp = $(SHELL) $(top_srcdir)/depcomp
+am__depfiles_maybe = depfiles
+am__mv = mv -f
+COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
+	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
+LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
+	$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+	$(AM_CFLAGS) $(CFLAGS)
+AM_V_CC = $(am__v_CC_ at AM_V@)
+am__v_CC_ = $(am__v_CC_ at AM_DEFAULT_V@)
+am__v_CC_0 = @echo "  CC      " $@;
+am__v_CC_1 = 
+CCLD = $(CC)
+LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+	$(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+	$(AM_LDFLAGS) $(LDFLAGS) -o $@
+AM_V_CCLD = $(am__v_CCLD_ at AM_V@)
+am__v_CCLD_ = $(am__v_CCLD_ at AM_DEFAULT_V@)
+am__v_CCLD_0 = @echo "  CCLD    " $@;
+am__v_CCLD_1 = 
+SOURCES = $(libstrongswan_tpm_la_SOURCES)
+DIST_SOURCES = $(libstrongswan_tpm_la_SOURCES)
+am__can_run_installinfo = \
+  case $$AM_UPDATE_INFO_DIR in \
+    n|no|NO) false;; \
+    *) (install-info --version) >/dev/null 2>&1;; \
+  esac
+am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
+# Read a list of newline-separated strings from the standard input,
+# and print each of them once, without duplicates.  Input order is
+# *not* preserved.
+am__uniquify_input = $(AWK) '\
+  BEGIN { nonempty = 0; } \
+  { items[$$0] = 1; nonempty = 1; } \
+  END { if (nonempty) { for (i in items) print i; }; } \
+'
+# Make sure the list of sources is unique.  This is necessary because,
+# e.g., the same source file might be shared among _SOURCES variables
+# for different programs/libraries.
+am__define_uniq_tagged_files = \
+  list='$(am__tagged_files)'; \
+  unique=`for i in $$list; do \
+    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
+  done | $(am__uniquify_input)`
+ETAGS = etags
+CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
+DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
+ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
+AMTAR = @AMTAR@
+AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
+AR = @AR@
+ATOMICLIB = @ATOMICLIB@
+AUTOCONF = @AUTOCONF@
+AUTOHEADER = @AUTOHEADER@
+AUTOMAKE = @AUTOMAKE@
+AWK = @AWK@
+BFDLIB = @BFDLIB@
+BTLIB = @BTLIB@
+CC = @CC@
+CCDEPMODE = @CCDEPMODE@
+CFLAGS = @CFLAGS@
+COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
+COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
+CPP = @CPP@
+CPPFLAGS = @CPPFLAGS@
+CYGPATH_W = @CYGPATH_W@
+DEFS = @DEFS@
+DEPDIR = @DEPDIR@
+DLLIB = @DLLIB@
+DLLTOOL = @DLLTOOL@
+DSYMUTIL = @DSYMUTIL@
+DUMPBIN = @DUMPBIN@
+EASY_INSTALL = @EASY_INSTALL@
+ECHO_C = @ECHO_C@
+ECHO_N = @ECHO_N@
+ECHO_T = @ECHO_T@
+EGREP = @EGREP@
+EXEEXT = @EXEEXT@
+FGREP = @FGREP@
+GEM = @GEM@
+GENHTML = @GENHTML@
+GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
+GREP = @GREP@
+INSTALL = @INSTALL@
+INSTALL_DATA = @INSTALL_DATA@
+INSTALL_PROGRAM = @INSTALL_PROGRAM@
+INSTALL_SCRIPT = @INSTALL_SCRIPT@
+INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+LCOV = @LCOV@
+LD = @LD@
+LDFLAGS = @LDFLAGS@
+LEX = @LEX@
+LEXLIB = @LEXLIB@
+LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
+LIBOBJS = @LIBOBJS@
+LIBS = @LIBS@
+LIBTOOL = @LIBTOOL@
+LIPO = @LIPO@
+LN_S = @LN_S@
+LTLIBOBJS = @LTLIBOBJS@
+LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@
+MAKEINFO = @MAKEINFO@
+MANIFEST_TOOL = @MANIFEST_TOOL@
+MKDIR_P = @MKDIR_P@
+MYSQLCFLAG = @MYSQLCFLAG@
+MYSQLCONFIG = @MYSQLCONFIG@
+MYSQLLIB = @MYSQLLIB@
+NM = @NM@
+NMEDIT = @NMEDIT@
+OBJDUMP = @OBJDUMP@
+OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
+OTOOL = @OTOOL@
+OTOOL64 = @OTOOL64@
+PACKAGE = @PACKAGE@
+PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
+PACKAGE_NAME = @PACKAGE_NAME@
+PACKAGE_STRING = @PACKAGE_STRING@
+PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
+PACKAGE_VERSION = @PACKAGE_VERSION@
+PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
+PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
+PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
+PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
+PATH_SEPARATOR = @PATH_SEPARATOR@
+PERL = @PERL@
+PKG_CONFIG = @PKG_CONFIG@
+PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
+PTHREADLIB = @PTHREADLIB@
+PYTHON = @PYTHON@
+PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@
+PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
+PYTHON_PACKAGE_VERSION = @PYTHON_PACKAGE_VERSION@
+PYTHON_PLATFORM = @PYTHON_PLATFORM@
+PYTHON_PREFIX = @PYTHON_PREFIX@
+PYTHON_VERSION = @PYTHON_VERSION@
+PY_TEST = @PY_TEST@
+RANLIB = @RANLIB@
+RTLIB = @RTLIB@
+RUBY = @RUBY@
+RUBYGEMDIR = @RUBYGEMDIR@
+RUBYINCLUDE = @RUBYINCLUDE@
+RUBYLIB = @RUBYLIB@
+SED = @SED@
+SET_MAKE = @SET_MAKE@
+SHELL = @SHELL@
+SOCKLIB = @SOCKLIB@
+STRIP = @STRIP@
+UNWINDLIB = @UNWINDLIB@
+VERSION = @VERSION@
+YACC = @YACC@
+YFLAGS = @YFLAGS@
+abs_builddir = @abs_builddir@
+abs_srcdir = @abs_srcdir@
+abs_top_builddir = @abs_top_builddir@
+abs_top_srcdir = @abs_top_srcdir@
+ac_ct_AR = @ac_ct_AR@
+ac_ct_CC = @ac_ct_CC@
+ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
+am__include = @am__include@
+am__leading_dot = @am__leading_dot@
+am__quote = @am__quote@
+am__tar = @am__tar@
+am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+bindir = @bindir@
+build = @build@
+build_alias = @build_alias@
+build_cpu = @build_cpu@
+build_os = @build_os@
+build_vendor = @build_vendor@
+builddir = @builddir@
+c_plugins = @c_plugins@
+charon_natt_port = @charon_natt_port@
+charon_plugins = @charon_plugins@
+charon_udp_port = @charon_udp_port@
+clearsilver_LIBS = @clearsilver_LIBS@
+cmd_plugins = @cmd_plugins@
+datadir = @datadir@
+datarootdir = @datarootdir@
+dev_headers = @dev_headers@
+docdir = @docdir@
+dvidir = @dvidir@
+exec_prefix = @exec_prefix@
+fips_mode = @fips_mode@
+gtk_CFLAGS = @gtk_CFLAGS@
+gtk_LIBS = @gtk_LIBS@
+host = @host@
+host_alias = @host_alias@
+host_cpu = @host_cpu@
+host_os = @host_os@
+host_vendor = @host_vendor@
+htmldir = @htmldir@
+imcvdir = @imcvdir@
+includedir = @includedir@
+infodir = @infodir@
+install_sh = @install_sh@
+ipsec_script = @ipsec_script@
+ipsec_script_upper = @ipsec_script_upper@
+ipsecdir = @ipsecdir@
+ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
+ipsecuser = @ipsecuser@
+json_CFLAGS = @json_CFLAGS@
+json_LIBS = @json_LIBS@
+libdir = @libdir@
+libexecdir = @libexecdir@
+libiptc_CFLAGS = @libiptc_CFLAGS@
+libiptc_LIBS = @libiptc_LIBS@
+linux_headers = @linux_headers@
+localedir = @localedir@
+localstatedir = @localstatedir@
+manager_plugins = @manager_plugins@
+mandir = @mandir@
+medsrv_plugins = @medsrv_plugins@
+mkdir_p = @mkdir_p@
+nm_CFLAGS = @nm_CFLAGS@
+nm_LIBS = @nm_LIBS@
+nm_ca_dir = @nm_ca_dir@
+nm_plugins = @nm_plugins@
+oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
+pdfdir = @pdfdir@
+piddir = @piddir@
+pkgpyexecdir = @pkgpyexecdir@
+pkgpythondir = @pkgpythondir@
+pki_plugins = @pki_plugins@
+plugindir = @plugindir@
+pool_plugins = @pool_plugins@
+prefix = @prefix@
+program_transform_name = @program_transform_name@
+psdir = @psdir@
+pyexecdir = @pyexecdir@
+pythondir = @pythondir@
+random_device = @random_device@
+resolv_conf = @resolv_conf@
+routing_table = @routing_table@
+routing_table_prio = @routing_table_prio@
+runstatedir = @runstatedir@
+s_plugins = @s_plugins@
+sbindir = @sbindir@
+scepclient_plugins = @scepclient_plugins@
+scripts_plugins = @scripts_plugins@
+sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
+srcdir = @srcdir@
+starter_plugins = @starter_plugins@
+strongswan_conf = @strongswan_conf@
+strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
+sysconfdir = @sysconfdir@
+systemd_CFLAGS = @systemd_CFLAGS@
+systemd_LIBS = @systemd_LIBS@
+systemd_daemon_CFLAGS = @systemd_daemon_CFLAGS@
+systemd_daemon_LIBS = @systemd_daemon_LIBS@
+systemd_journal_CFLAGS = @systemd_journal_CFLAGS@
+systemd_journal_LIBS = @systemd_journal_LIBS@
+systemdsystemunitdir = @systemdsystemunitdir@
+t_plugins = @t_plugins@
+target_alias = @target_alias@
+top_build_prefix = @top_build_prefix@
+top_builddir = @top_builddir@
+top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
+urandom_device = @urandom_device@
+xml_CFLAGS = @xml_CFLAGS@
+xml_LIBS = @xml_LIBS@
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/src/libstrongswan \
+	-I$(top_srcdir)/src/libtpmtss
+
+AM_CFLAGS = \
+	$(PLUGIN_CFLAGS)
+
+ at MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tpm.la
+ at MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tpm.la
+ at MONOLITHIC_FALSE@libstrongswan_tpm_la_LIBADD = \
+ at MONOLITHIC_FALSE@	$(top_builddir)/src/libtpmtss/libtpmtss.la
+
+libstrongswan_tpm_la_SOURCES = \
+	tpm_plugin.h tpm_plugin.c \
+	tpm_private_key.h tpm_private_key.c \
+	tpm_rng.h tpm_rng.c
+
+libstrongswan_tpm_la_LDFLAGS = -module -avoid-version
+all: all-am
+
+.SUFFIXES:
+.SUFFIXES: .c .lo .o .obj
+$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps)
+	@for dep in $?; do \
+	  case '$(am__configure_deps)' in \
+	    *$$dep*) \
+	      ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+	        && { if test -f $@; then exit 0; else break; fi; }; \
+	      exit 1;; \
+	  esac; \
+	done; \
+	echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libtpmtss/plugins/tpm/Makefile'; \
+	$(am__cd) $(top_srcdir) && \
+	  $(AUTOMAKE) --gnu src/libtpmtss/plugins/tpm/Makefile
+Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+	@case '$?' in \
+	  *config.status*) \
+	    cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
+	  *) \
+	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
+	    cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
+	esac;
+
+$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+
+$(top_srcdir)/configure:  $(am__configure_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(ACLOCAL_M4):  $(am__aclocal_m4_deps)
+	cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
+
+clean-noinstLTLIBRARIES:
+	-test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES)
+	@list='$(noinst_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES)
+	@$(NORMAL_INSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	list2=; for p in $$list; do \
+	  if test -f $$p; then \
+	    list2="$$list2 $$p"; \
+	  else :; fi; \
+	done; \
+	test -z "$$list2" || { \
+	  echo " $(MKDIR_P) '$(DESTDIR)$(plugindir)'"; \
+	  $(MKDIR_P) "$(DESTDIR)$(plugindir)" || exit 1; \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \
+	}
+
+uninstall-pluginLTLIBRARIES:
+	@$(NORMAL_UNINSTALL)
+	@list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \
+	for p in $$list; do \
+	  $(am__strip_dir) \
+	  echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \
+	  $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \
+	done
+
+clean-pluginLTLIBRARIES:
+	-test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES)
+	@list='$(plugin_LTLIBRARIES)'; \
+	locs=`for p in $$list; do echo $$p; done | \
+	      sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
+	      sort -u`; \
+	test -z "$$locs" || { \
+	  echo rm -f $${locs}; \
+	  rm -f $${locs}; \
+	}
+
+libstrongswan-tpm.la: $(libstrongswan_tpm_la_OBJECTS) $(libstrongswan_tpm_la_DEPENDENCIES) $(EXTRA_libstrongswan_tpm_la_DEPENDENCIES) 
+	$(AM_V_CCLD)$(libstrongswan_tpm_la_LINK) $(am_libstrongswan_tpm_la_rpath) $(libstrongswan_tpm_la_OBJECTS) $(libstrongswan_tpm_la_LIBADD) $(LIBS)
+
+mostlyclean-compile:
+	-rm -f *.$(OBJEXT)
+
+distclean-compile:
+	-rm -f *.tab.c
+
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tpm_plugin.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tpm_private_key.Plo at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at ./$(DEPDIR)/tpm_rng.Plo at am__quote@
+
+.c.o:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ $<
+
+.c.obj:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
+ at am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Po
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
+
+.c.lo:
+ at am__fastdepCC_TRUE@	$(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
+ at am__fastdepCC_TRUE@	$(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
+ at am__fastdepCC_TRUE@	$(am__mv) $$depbase.Tpo $$depbase.Plo
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
+ at AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
+ at am__fastdepCC_FALSE@	$(AM_V_CC at am__nodep@)$(LTCOMPILE) -c -o $@ $<
+
+mostlyclean-libtool:
+	-rm -f *.lo
+
+clean-libtool:
+	-rm -rf .libs _libs
+
+ID: $(am__tagged_files)
+	$(am__define_uniq_tagged_files); mkid -fID $$unique
+tags: tags-am
+TAGS: tags
+
+tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	set x; \
+	here=`pwd`; \
+	$(am__define_uniq_tagged_files); \
+	shift; \
+	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
+	  test -n "$$unique" || unique=$$empty_fix; \
+	  if test $$# -gt 0; then \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      "$$@" $$unique; \
+	  else \
+	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+	      $$unique; \
+	  fi; \
+	fi
+ctags: ctags-am
+
+CTAGS: ctags
+ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
+	$(am__define_uniq_tagged_files); \
+	test -z "$(CTAGS_ARGS)$$unique" \
+	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
+	     $$unique
+
+GTAGS:
+	here=`$(am__cd) $(top_builddir) && pwd` \
+	  && $(am__cd) $(top_srcdir) \
+	  && gtags -i $(GTAGS_ARGS) "$$here"
+cscopelist: cscopelist-am
+
+cscopelist-am: $(am__tagged_files)
+	list='$(am__tagged_files)'; \
+	case "$(srcdir)" in \
+	  [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
+	  *) sdir=$(subdir)/$(srcdir) ;; \
+	esac; \
+	for i in $$list; do \
+	  if test -f "$$i"; then \
+	    echo "$(subdir)/$$i"; \
+	  else \
+	    echo "$$sdir/$$i"; \
+	  fi; \
+	done >> $(top_builddir)/cscope.files
+
+distclean-tags:
+	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
+
+distdir: $(DISTFILES)
+	@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
+	list='$(DISTFILES)'; \
+	  dist_files=`for file in $$list; do echo $$file; done | \
+	  sed -e "s|^$$srcdirstrip/||;t" \
+	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
+	case $$dist_files in \
+	  */*) $(MKDIR_P) `echo "$$dist_files" | \
+			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
+			   sort -u` ;; \
+	esac; \
+	for file in $$dist_files; do \
+	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
+	  if test -d $$d/$$file; then \
+	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+	    if test -d "$(distdir)/$$file"; then \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
+	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+	    fi; \
+	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
+	  else \
+	    test -f "$(distdir)/$$file" \
+	    || cp -p $$d/$$file "$(distdir)/$$file" \
+	    || exit 1; \
+	  fi; \
+	done
+check-am: all-am
+check: check-am
+all-am: Makefile $(LTLIBRARIES)
+installdirs:
+	for dir in "$(DESTDIR)$(plugindir)"; do \
+	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \
+	done
+install: install-am
+install-exec: install-exec-am
+install-data: install-data-am
+uninstall: uninstall-am
+
+install-am: all-am
+	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
+
+installcheck: installcheck-am
+install-strip:
+	if test -z '$(STRIP)'; then \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	      install; \
+	else \
+	  $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
+	    install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
+	    "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
+	fi
+mostlyclean-generic:
+
+clean-generic:
+
+distclean-generic:
+	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+
+maintainer-clean-generic:
+	@echo "This command is intended for maintainers to use"
+	@echo "it deletes files that may require special tools to rebuild."
+clean: clean-am
+
+clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \
+	clean-pluginLTLIBRARIES mostlyclean-am
+
+distclean: distclean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+distclean-am: clean-am distclean-compile distclean-generic \
+	distclean-tags
+
+dvi: dvi-am
+
+dvi-am:
+
+html: html-am
+
+html-am:
+
+info: info-am
+
+info-am:
+
+install-data-am: install-pluginLTLIBRARIES
+
+install-dvi: install-dvi-am
+
+install-dvi-am:
+
+install-exec-am:
+
+install-html: install-html-am
+
+install-html-am:
+
+install-info: install-info-am
+
+install-info-am:
+
+install-man:
+
+install-pdf: install-pdf-am
+
+install-pdf-am:
+
+install-ps: install-ps-am
+
+install-ps-am:
+
+installcheck-am:
+
+maintainer-clean: maintainer-clean-am
+	-rm -rf ./$(DEPDIR)
+	-rm -f Makefile
+maintainer-clean-am: distclean-am maintainer-clean-generic
+
+mostlyclean: mostlyclean-am
+
+mostlyclean-am: mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool
+
+pdf: pdf-am
+
+pdf-am:
+
+ps: ps-am
+
+ps-am:
+
+uninstall-am: uninstall-pluginLTLIBRARIES
+
+.MAKE: install-am install-strip
+
+.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
+	clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \
+	cscopelist-am ctags ctags-am distclean distclean-compile \
+	distclean-generic distclean-libtool distclean-tags distdir dvi \
+	dvi-am html html-am info info-am install install-am \
+	install-data install-data-am install-dvi install-dvi-am \
+	install-exec install-exec-am install-html install-html-am \
+	install-info install-info-am install-man install-pdf \
+	install-pdf-am install-pluginLTLIBRARIES install-ps \
+	install-ps-am install-strip installcheck installcheck-am \
+	installdirs maintainer-clean maintainer-clean-generic \
+	mostlyclean mostlyclean-compile mostlyclean-generic \
+	mostlyclean-libtool pdf pdf-am ps ps-am tags tags-am uninstall \
+	uninstall-am uninstall-pluginLTLIBRARIES
+
+.PRECIOUS: Makefile
+
+
+# Tell versions [3.59,3.63) of GNU make to not export all variables.
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libtpmtss/plugins/tpm/tpm_plugin.c b/src/libtpmtss/plugins/tpm/tpm_plugin.c
new file mode 100644
index 0000000..b9a4c12
--- /dev/null
+++ b/src/libtpmtss/plugins/tpm/tpm_plugin.c
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tpm_plugin.h"
+#include "tpm_private_key.h"
+#include "tpm_rng.h"
+
+#include <library.h>
+
+typedef struct private_tpm_plugin_t private_tpm_plugin_t;
+
+/**
+ * private data of tpm_plugin
+ */
+struct private_tpm_plugin_t {
+
+	/**
+	 * public functions
+	 */
+	tpm_plugin_t public;
+};
+
+METHOD(plugin_t, get_name, char*,
+	private_tpm_plugin_t *this)
+{
+	return "tpm";
+}
+
+METHOD(plugin_t, get_features, int,
+	private_tpm_plugin_t *this, plugin_feature_t *features[])
+{
+	static plugin_feature_t f_rng[] = {
+		PLUGIN_REGISTER(RNG, tpm_rng_create),
+			PLUGIN_PROVIDE(RNG, RNG_STRONG),
+			PLUGIN_PROVIDE(RNG, RNG_TRUE),
+	};
+	static plugin_feature_t f_privkey[] = {
+		PLUGIN_REGISTER(PRIVKEY, tpm_private_key_connect, FALSE),
+			PLUGIN_PROVIDE(PRIVKEY, KEY_ANY),
+	};
+	static plugin_feature_t f[countof(f_rng) + countof(f_privkey)] = {};
+
+	static int count = 0;
+
+	if (!count)
+	{
+		plugin_features_add(f, f_privkey, countof(f_privkey), &count);
+
+		if (lib->settings->get_bool(lib->settings,
+								"%s.plugins.tpm.use_rng", FALSE, lib->ns))
+		{
+			plugin_features_add(f, f_rng, countof(f_rng), &count);
+		}
+	}
+	*features = f;
+
+	return count;
+}
+
+METHOD(plugin_t, destroy, void,
+	private_tpm_plugin_t *this)
+{
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *tpm_plugin_create()
+{
+	private_tpm_plugin_t *this;
+
+	INIT(this,
+		.public = {
+			.plugin = {
+				.get_name = _get_name,
+				.get_features = _get_features,
+				.destroy = _destroy,
+			},
+		},
+	);
+
+	return &this->public.plugin;
+}
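Review bot: `get_features` assembles its list once into function-static storage, so `%s.plugins.tpm.use_rng` is read only on the first call, inside `if (!count)`. A later settings reload cannot switch the TPM RNG on or off for the lifetime of the process. A comment above `static int count = 0;` would make that explicit, for example `/* features are assembled on the first call only; use_rng is not re-read afterwards */`. With the option set, the plugin offers both RNG_STRONG and RNG_TRUE from the TPM, which the option's documentation should state if it does not already.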
diff --git a/src/libtpmtss/plugins/tpm/tpm_plugin.h b/src/libtpmtss/plugins/tpm/tpm_plugin.h
new file mode 100644
index 0000000..bf419b3
--- /dev/null
+++ b/src/libtpmtss/plugins/tpm/tpm_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tpm tpm
+ * @ingroup plugins
+ *
+ * @defgroup tpm_plugin tpm_plugin
+ * @{ @ingroup tpm
+ */
+
+#ifndef TPM_PLUGIN_H_
+#define TPM_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct tpm_plugin_t tpm_plugin_t;
+
+/**
+ * Plugin providing TPM token support.
+ */
+struct tpm_plugin_t {
+
+	/**
+	 * Implements plugin interface,
+	 */
+	plugin_t plugin;
+};
+
+#endif /** TPM_PLUGIN_H_ @}*/
diff --git a/src/libtpmtss/plugins/tpm/tpm_private_key.c b/src/libtpmtss/plugins/tpm/tpm_private_key.c
new file mode 100644
index 0000000..bd5a8ba
--- /dev/null
+++ b/src/libtpmtss/plugins/tpm/tpm_private_key.c
@@ -0,0 +1,239 @@
+/*
+ * Copyright (C) 2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tpm_private_key.h"
+
+#include <tpm_tss.h>
+#include <utils/debug.h>
+
+typedef struct private_tpm_private_key_t private_tpm_private_key_t;
+
+/**
+ * Private data of an tpm_private_key_t object.
+ */
+struct private_tpm_private_key_t {
+
+	/**
+	 * Public tpm_private_key_t interface.
+	 */
+	tpm_private_key_t public;
+
+	/**
+	 * Token keyid used to reference optional PIN for TPM key
+	 */
+	identification_t *keyid;
+
+	/**
+	 * Trusted Platform Module
+	 */
+	tpm_tss_t *tpm;
+
+	/**
+	 * TPM key object handle
+	 */
+	uint32_t handle;
+
+	/**
+	 * Hierarchy the TPM key object is attached to
+	 */
+	uint32_t hierarchy;
+
+	/**
+	 * Associated public key
+	 */
+	public_key_t *pubkey;
+
+	/**
+	 * References to this key
+	 */
+	refcount_t ref;
+
+};
+
+
+METHOD(private_key_t, get_type, key_type_t,
+	private_tpm_private_key_t *this)
+{
+	return this->pubkey->get_type(this->pubkey);
+}
+
+METHOD(private_key_t, get_keysize, int,
+	private_tpm_private_key_t *this)
+{
+	return this->pubkey->get_keysize(this->pubkey);
+}
+
+METHOD(private_key_t, sign, bool,
+	private_tpm_private_key_t *this, signature_scheme_t scheme,
+	chunk_t data, chunk_t *signature)
+{
+	chunk_t pin = chunk_empty;
+	shared_key_t *shared;
+	enumerator_t *enumerator;
+
+	/* check for optional PIN */
+	enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr,
+										SHARED_PIN, this->keyid, NULL);
+	if (enumerator->enumerate(enumerator, &shared, NULL, NULL))
+	{
+		pin = shared->get_key(shared);
+	}
+	enumerator->destroy(enumerator);
+
+	return this->tpm->sign(this->tpm, this->hierarchy, this->handle, scheme,
+						   data, pin, signature);
+}
+
+METHOD(private_key_t, decrypt, bool,
+	private_tpm_private_key_t *this, encryption_scheme_t scheme,
+	chunk_t crypt, chunk_t *plain)
+{
+	return FALSE;
+}
+
+METHOD(private_key_t, get_public_key, public_key_t*,
+	private_tpm_private_key_t *this)
+{
+	return this->pubkey->get_ref(this->pubkey);
+}
+
+METHOD(private_key_t, get_fingerprint, bool,
+	private_tpm_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *fingerprint)
+{
+	return this->pubkey->get_fingerprint(this->pubkey, type, fingerprint);
+}
+
+METHOD(private_key_t, get_encoding, bool,
+	private_tpm_private_key_t *this, cred_encoding_type_t type,
+	chunk_t *encoding)
+{
+	return FALSE;
+}
+
+METHOD(private_key_t, get_ref, private_key_t*,
+	private_tpm_private_key_t *this)
+{
+	ref_get(&this->ref);
+	return &this->public.key;
+}
+
+METHOD(private_key_t, destroy, void,
+	private_tpm_private_key_t *this)
+{
+	if (ref_put(&this->ref))
+	{
+		DESTROY_IF(this->pubkey);
+		this->tpm->destroy(this->tpm);
+		this->keyid->destroy(this->keyid);
+		free(this);
+	}
+}
+
+/**
+ * See header.
+ */
+tpm_private_key_t *tpm_private_key_connect(key_type_t type, va_list args)
+{
+	private_tpm_private_key_t *this;
+	tpm_tss_t *tpm;
+	chunk_t keyid = chunk_empty, pubkey_blob = chunk_empty;
+	char handle_str[4];
+	size_t len;
+	uint32_t hierarchy = 0x4000000B;  /* TPM_RH_ENDORSEMENT */
+	uint32_t handle;
+
+	while (TRUE)
+	{
+		switch (va_arg(args, builder_part_t))
+		{
+			case BUILD_PKCS11_KEYID:
+				keyid = va_arg(args, chunk_t);
+				continue;
+			case BUILD_PKCS11_SLOT:
+				hierarchy = va_arg(args, int);
+				continue;
+			case BUILD_PKCS11_MODULE:
+				va_arg(args, char*);
+				continue;
+			case BUILD_END:
+				break;
+			default:
+				return NULL;
+		}
+		break;
+	}
+
+	/* convert keyid into 32 bit TPM key object handle */
+	if (!keyid.len)
+	{
+		return NULL;
+	}
+	len = min(keyid.len, 4);
+	memset(handle_str, 0x00, 4);
+	memcpy(handle_str + 4 - len, keyid.ptr + keyid.len - len, len);
+	handle = untoh32(handle_str);
+
+	/* try to find a TPM 2.0 */
+	tpm = tpm_tss_probe(TPM_VERSION_2_0);
+	if (!tpm)
+	{
+		DBG1(DBG_LIB, "no TPM 2.0 found");
+		return NULL;	
+	}
+
+	INIT(this,
+		.public = {
+			.key = {
+				.get_type = _get_type,
+				.sign = _sign,
+				.decrypt = _decrypt,
+				.get_keysize = _get_keysize,
+				.get_public_key = _get_public_key,
+				.equals = private_key_equals,
+				.belongs_to = private_key_belongs_to,
+				.get_fingerprint = _get_fingerprint,
+				.has_fingerprint = private_key_has_fingerprint,
+				.get_encoding = _get_encoding,
+				.get_ref = _get_ref,
+				.destroy = _destroy,
+			},
+		},
+		.tpm = tpm,
+		.keyid = identification_create_from_encoding(ID_KEY_ID, keyid),
+		.handle = handle,
+		.hierarchy = hierarchy,
+		.ref = 1,
+	);
+
+	/* get public key from TPM */
+	pubkey_blob = tpm->get_public(tpm, handle);
+	if (!pubkey_blob.len)
+	{
+		destroy(this);
+		return NULL;
+	}
+	this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
+								BUILD_BLOB_ASN1_DER, pubkey_blob, BUILD_END);
+	chunk_free(&pubkey_blob);
+
+	if (!this->pubkey)
+	{
+		destroy(this);
+		return NULL;
+	}
+
+	return &this->public;
+}
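Review bot: `tpm_private_key_connect` silently truncates a key id longer than four bytes, because `len = min(keyid.len, 4)` keeps only the trailing four bytes as the TPM object handle. The full `keyid` is still stored and used for the PIN lookup in `sign`, so a mistyped or over-long id resolves to whatever object lives at the low 32 bits instead of failing. Rejecting it is a one-line change, `if (!keyid.len || keyid.len > 4) return NULL;`, ideally with a DBG1 message naming the bad length. In `sign`, `pin` still points into the shared key after `enumerator->destroy(enumerator)`; whether the credential is guaranteed to outlive the enumerator is not visible here and should be confirmed.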
diff --git a/src/libtpmtss/plugins/tpm/tpm_private_key.h b/src/libtpmtss/plugins/tpm/tpm_private_key.h
new file mode 100644
index 0000000..d3745e2
--- /dev/null
+++ b/src/libtpmtss/plugins/tpm/tpm_private_key.h
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tpm_private_key tpm_private_key
+ * @{ @ingroup tpm
+ */
+
+#ifndef TPM_PRIVATE_KEY_H_
+#define TPM_PRIVATE_KEY_H_
+
+typedef struct tpm_private_key_t tpm_private_key_t;
+
+#include <credentials/builder.h>
+#include <credentials/keys/private_key.h>
+
+/**
+ * Private Key implementation for the TPM 2.0 Trusted Platform Module
+ */
+struct tpm_private_key_t {
+
+	/**
+	 * Implements private_key_t interface.
+	 */
+	private_key_t key;
+};
+
+/**
+ * Connect to a private key bound to the TPM
+ *
+ * @param type		type of the key
+ * @param args		builder_part_t argument list
+ * @return			loaded key, NULL on failure
+ */
+tpm_private_key_t *tpm_private_key_connect(key_type_t type, va_list args);
+
+#endif /** tpm_PRIVATE_KEY_H_ @}*/
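Review bot: The doc comment on `tpm_private_key_connect` does not say which builder parts the function accepts, and the mapping is not obvious from the names. Going by tpm_private_key.c in this commit, `BUILD_PKCS11_KEYID` carries the TPM object handle, `BUILD_PKCS11_SLOT` carries the hierarchy, `BUILD_PKCS11_MODULE` is read and discarded, and any other part makes the call return NULL. I would list these under `@param args` and note that `type` is not consulted. The closing guard comment also reads `tpm_PRIVATE_KEY_H_` where the macro is `TPM_PRIVATE_KEY_H_`.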
diff --git a/src/libtpmtss/plugins/tpm/tpm_rng.c b/src/libtpmtss/plugins/tpm/tpm_rng.c
new file mode 100644
index 0000000..d96bc49
--- /dev/null
+++ b/src/libtpmtss/plugins/tpm/tpm_rng.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tpm_rng.h"
+
+#include <tpm_tss.h>
+#include <utils/debug.h>
+
+typedef struct private_tpm_rng_t private_tpm_rng_t;
+
+/**
+ * Private data of an tpm_rng_t object.
+ */
+struct private_tpm_rng_t {
+
+	/**
+	 * Public interface.
+	 */
+	tpm_rng_t public;
+
+	/**
+	 * Trusted Platform Module
+	 */
+	tpm_tss_t *tpm;
+
+};
+
+METHOD(rng_t, get_bytes, bool,
+	private_tpm_rng_t *this, size_t bytes, uint8_t *buffer)
+{
+	return this->tpm->get_random(this->tpm, bytes, buffer);
+}
+
+METHOD(rng_t, allocate_bytes, bool,
+	private_tpm_rng_t *this, size_t bytes, chunk_t *chunk)
+{
+	*chunk = chunk_alloc(bytes);
+	if (!get_bytes(this, chunk->len, chunk->ptr))
+	{
+		chunk_clear(chunk);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(rng_t, destroy, void,
+	private_tpm_rng_t *this)
+{
+	this->tpm->destroy(this->tpm);
+	free(this);
+}
+
+/*
+ * Described in header.
+ */
+tpm_rng_t *tpm_rng_create(rng_quality_t quality)
+{
+	private_tpm_rng_t *this;
+	tpm_tss_t *tpm;
+
+	/* try to find a TPM 2.0 */
+	tpm = tpm_tss_probe(TPM_VERSION_2_0);
+	if (!tpm)
+	{
+		DBG1(DBG_LIB, "no TPM 2.0 found");
+		return NULL;	
+	}
+
+	INIT(this,
+		.public = {
+			.rng = {
+				.get_bytes = _get_bytes,
+				.allocate_bytes = _allocate_bytes,
+				.destroy = _destroy,
+			},
+		},
+		.tpm = tpm,
+	);
+
+	return &this->public;
+}
+
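Review bot: `tpm_rng_create` never reads its `quality` argument, so every instance is served by the TPM regardless of what the caller asked for. That matches the registration in tpm_plugin.c, which only provides RNG_STRONG and RNG_TRUE, but nothing here says so. I would replace the "Described in header." comment's neighbour with a short remark such as `/* quality is ignored: all requests are answered by the TPM */`. The two `return NULL;` lines after "no TPM 2.0 found" in this commit also carry a trailing tab.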
diff --git a/src/libtpmtss/plugins/tpm/tpm_rng.h b/src/libtpmtss/plugins/tpm/tpm_rng.h
new file mode 100644
index 0000000..de96816
--- /dev/null
+++ b/src/libtpmtss/plugins/tpm/tpm_rng.h
@@ -0,0 +1,47 @@
+/*
+ * Copyright (C) 2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tpm_rng tpm_rng
+ * @{ @ingroup tpm
+ */
+
+#ifndef TPM_RNG_H_
+#define TPM_RNG_H_
+
+typedef struct tpm_rng_t tpm_rng_t;
+
+#include <library.h>
+
+/**
+ * rng_t implementation via TSS 2.0
+ */
+struct tpm_rng_t {
+
+	/**
+	 * Implements rng_t.
+	 */
+	rng_t rng;
+};
+
+/**
+ * Creates a tpm_rng_t instance.
+ *
+ * @param quality	required quality of randomness
+ * @return			created tpm_rng_t
+ */
+tpm_rng_t *tpm_rng_create(rng_quality_t quality);
+
+#endif /** TPM_RNG_H_ @} */
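Review bot: The `@return` line for `tpm_rng_create` promises a created object, but the implementation in tpm_rng.c returns NULL when `tpm_tss_probe(TPM_VERSION_2_0)` finds no TPM. Callers that trust the header could dereference the result unchecked. I would change the line to `@return created tpm_rng_t, NULL if no TPM 2.0 is available`.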
diff --git a/src/libtpmtss/tpm_tss.h b/src/libtpmtss/tpm_tss.h
index 4f4b9e2..f408d04 100644
--- a/src/libtpmtss/tpm_tss.h
+++ b/src/libtpmtss/tpm_tss.h
@@ -120,6 +120,30 @@ struct tpm_tss_t {
 				  tpm_tss_quote_info_t **quote_info, chunk_t *quote_sig);
 
 	/**
+	 * Do a signature over a data hash using a TPM key handle (TPM 2.0 only)
+	 *
+	 * @param handle		object handle of TPM key to be used for signature
+	 * @param hierarchy		hierarchy the TPM key object is attached to
+	 * @param scheme		scheme to be used for signature
+	 * @param data			data to be hashed and signed
+	 * @param pin			PIN code or empty chunk
+	 * @param signature		returns signature
+	 * @return				TRUE if signature succeeded
+	 */
+	bool (*sign)(tpm_tss_t *this, uint32_t hierarchy, uint32_t handle,
+				 signature_scheme_t scheme, chunk_t data, chunk_t pin,
+				 chunk_t *signature);
+
+	/**
+	 * Get random bytes from the TPM
+	 *
+	 * @param bytes			number of random bytes requested
+	 * @param buffer		buffer where the random bytes are written into
+	 * @return				TRUE if random bytes could be delivered
+	 */
+	bool (*get_random)(tpm_tss_t *this, size_t bytes, uint8_t *buffer);
+
+	/**
 	 * Destroy a tpm_tss_t.
 	 */
 	void (*destroy)(tpm_tss_t *this);
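Review bot: The doc block for `sign` lists `@param handle` before `@param hierarchy`, while the prototype takes `hierarchy` first and `handle` second. Both are `uint32_t`, so a caller who follows the documented order passes them swapped and the compiler stays silent. I would reorder the two `@param` lines to match the signature. `get_random` carries no "(TPM 2.0 only)" remark although the TrouSerS backend in this commit always returns FALSE for it; the same remark as on `sign` would help. The enclosing `struct tpm_tss_t` starts outside this hunk.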
diff --git a/src/libtpmtss/tpm_tss_trousers.c b/src/libtpmtss/tpm_tss_trousers.c
index 8be3ad8..d5bc2b8 100644
--- a/src/libtpmtss/tpm_tss_trousers.c
+++ b/src/libtpmtss/tpm_tss_trousers.c
@@ -582,6 +582,19 @@ err1:
 	return success;
 }
 
+METHOD(tpm_tss_t, sign, bool,
+	private_tpm_tss_trousers_t *this, uint32_t hierarchy, uint32_t handle,
+	signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature)
+{
+	return FALSE;
+}
+
+METHOD(tpm_tss_t, get_random, bool,
+	private_tpm_tss_trousers_t *this, size_t bytes, uint8_t *buffer)
+{
+	return FALSE;
+}
+
 METHOD(tpm_tss_t, destroy, void,
 	private_tpm_tss_trousers_t *this)
 {
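Review bot: The new `sign` and `get_random` stubs return FALSE with no comment and no log line, so a caller cannot tell "not implemented in this backend" from a TPM error. A one-line comment in each body, such as `/* not implemented for the TrouSerS backend */`, would document the intent. A debug message in the file's existing DBG1 style would also make a misconfigured setup diagnosable. The `destroy` method that follows continues outside this hunk.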
@@ -622,8 +635,10 @@ tpm_tss_t *tpm_tss_trousers_create()
 				.generate_aik = _generate_aik,
 				.get_public = _get_public,
 				.read_pcr = _read_pcr,
-				.quote = _quote,
 				.extend_pcr = _extend_pcr,
+				.quote = _quote,
+				.sign = _sign,
+				.get_random = _get_random,
 				.destroy = _destroy,
 			},
 			.load_aik = _load_aik,
diff --git a/src/libtpmtss/tpm_tss_tss2.c b/src/libtpmtss/tpm_tss_tss2.c
index d0f76ac..9a4b9a4 100644
--- a/src/libtpmtss/tpm_tss_tss2.c
+++ b/src/libtpmtss/tpm_tss_tss2.c
@@ -317,16 +317,9 @@ bool read_public(private_tpm_tss_tss2_t *this, TPMI_DH_OBJECT handle,
 	sessions_data.rspAuths = &session_data_array[0];
 	sessions_data.rspAuthsCount = 1;
 
-	/* always send simulator platform command, ignored by true RM */
-	PlatformCommand(this->tcti_context ,MS_SIM_POWER_ON );
-	PlatformCommand(this->tcti_context, MS_SIM_NV_ON );
-
 	/* read public key for a given object handle from TPM 2.0 NVRAM */
 	rval = Tss2_Sys_ReadPublic(this->sys_context, handle, 0, public, &name,
 							   &qualified_name, &sessions_data);
-
-	PlatformCommand(this->tcti_context, MS_SIM_POWER_OFF);
-
 	if (rval != TPM_RC_SUCCESS)
 	{
 		DBG1(DBG_PTS, "%s could not read public key from handle 0x%08x: 0x%06x",
@@ -646,6 +639,222 @@ METHOD(tpm_tss_t, quote, bool,
 	return TRUE;
 }
 
+METHOD(tpm_tss_t, sign, bool,
+	private_tpm_tss_tss2_t *this, uint32_t hierarchy, uint32_t handle,
+	signature_scheme_t scheme, chunk_t data, chunk_t pin, chunk_t *signature)
+{
+	key_type_t key_type;
+	hash_algorithm_t hash_alg;
+	uint32_t rval;
+
+	TPM_ALG_ID alg_id;
+	TPM2B_MAX_BUFFER buffer;
+	TPM2B_DIGEST hash = { { sizeof(TPM2B_DIGEST)-2, } };
+	TPMT_TK_HASHCHECK validation;
+	TPM2B_PUBLIC public = { { 0, } };
+	TPMT_SIG_SCHEME sig_scheme;
+	TPMT_SIGNATURE sig;
+	TPMS_AUTH_COMMAND  session_data_cmd;
+	TPMS_AUTH_RESPONSE session_data_rsp;
+	TSS2_SYS_CMD_AUTHS sessions_data_cmd;
+	TSS2_SYS_RSP_AUTHS sessions_data_rsp;
+	TPMS_AUTH_COMMAND  *session_data_cmd_array[1];
+	TPMS_AUTH_RESPONSE *session_data_rsp_array[1];
+
+	session_data_cmd_array[0] = &session_data_cmd;
+	session_data_rsp_array[0] = &session_data_rsp;
+
+	sessions_data_cmd.cmdAuths = &session_data_cmd_array[0];
+	sessions_data_rsp.rspAuths = &session_data_rsp_array[0];
+
+	sessions_data_cmd.cmdAuthsCount = 1;
+	sessions_data_rsp.rspAuthsCount = 1;
+
+	session_data_cmd.sessionHandle = TPM_RS_PW;
+	session_data_cmd.nonce.t.size = 0;
+	session_data_cmd.hmac.t.size = 0;
+
+	if (pin.len > 0)
+	{
+		session_data_cmd.hmac.t.size = min(sizeof(session_data_cmd.hmac.t) - 2,
+										   pin.len);
+		memcpy(session_data_cmd.hmac.t.buffer, pin.ptr,
+			   session_data_cmd.hmac.t.size);
+	}
+	*( (uint8_t *)((void *)&session_data_cmd.sessionAttributes ) ) = 0;
+
+	key_type = key_type_from_signature_scheme(scheme);
+	hash_alg = hasher_from_signature_scheme(scheme);
+
+	/* Check if hash algorithm is supported by TPM */
+	alg_id = hash_alg_to_tpm_alg_id(hash_alg);
+	if (!is_supported_alg(this, alg_id))
+	{
+		DBG1(DBG_PTS, "%s %N hash algorithm not supported by TPM",
+			 LABEL, hash_algorithm_short_names, hash_alg);
+		return FALSE;
+	}
+
+	/* Get public key */
+	if (!read_public(this, handle, &public))
+	{
+		return FALSE;
+	}
+
+	if (key_type == KEY_RSA && public.t.publicArea.type == TPM_ALG_RSA)
+	{
+		sig_scheme.scheme = TPM_ALG_RSASSA;
+		sig_scheme.details.rsassa.hashAlg = alg_id;
+	}
+	else if (key_type == KEY_ECDSA && public.t.publicArea.type == TPM_ALG_ECC)
+	{
+		sig_scheme.scheme = TPM_ALG_ECDSA;
+		sig_scheme.details.ecdsa.hashAlg = alg_id;
+
+	}
+	else
+	{
+		DBG1(DBG_PTS, "%s signature scheme %N not supported by TPM key",
+			 LABEL, signature_scheme_names, scheme);
+		return FALSE;
+	}
+
+	if (data.len <= MAX_DIGEST_BUFFER)
+	{
+		memcpy(buffer.t.buffer, data.ptr, data.len);
+		buffer.t.size = data.len;
+
+		rval = Tss2_Sys_Hash(this->sys_context, 0, &buffer, alg_id, hierarchy,
+							 &hash, &validation, 0);
+		if (rval != TPM_RC_SUCCESS)
+		{
+			DBG1(DBG_PTS,"%s Tss2_Sys_Hash failed: 0x%06x", LABEL, rval);
+			return FALSE;
+		}
+	}
+	else
+	{
+	    TPMI_DH_OBJECT sequence_handle;
+	    TPM2B_AUTH null_auth;
+
+		null_auth.t.size = 0;
+		rval = Tss2_Sys_HashSequenceStart(this->sys_context, 0, &null_auth,
+										  alg_id, &sequence_handle, 0);
+		if (rval != TPM_RC_SUCCESS)
+		{
+			DBG1(DBG_PTS,"%s Tss2_Sys_HashSequenceStart failed: 0x%06x",
+				 LABEL, rval);
+			return FALSE;
+		}
+
+		while (data.len > 0)
+		{
+			buffer.t.size = min(data.len, MAX_DIGEST_BUFFER);
+			memcpy(buffer.t.buffer, data.ptr, buffer.t.size);
+			data.ptr += buffer.t.size;
+			data.len -= buffer.t.size;
+
+			rval = Tss2_Sys_SequenceUpdate(this->sys_context, sequence_handle,
+										   &sessions_data_cmd, &buffer, 0);
+			if (rval != TPM_RC_SUCCESS)
+			{
+				DBG1(DBG_PTS,"%s Tss2_Sys_SequenceUpdate failed: 0x%06x",
+					 LABEL, rval);
+				return FALSE;
+			}
+		}
+		buffer.t.size = 0;
+
+		rval = Tss2_Sys_SequenceComplete(this->sys_context, sequence_handle,
+										 &sessions_data_cmd, &buffer, hierarchy,
+										 &hash, &validation, 0);
+		if (rval != TPM_RC_SUCCESS)
+		{
+			DBG1(DBG_PTS,"%s Tss2_Sys_SequenceComplete failed: 0x%06x",
+				 LABEL, rval);
+			return FALSE;
+		}
+	}
+
+	rval = Tss2_Sys_Sign(this->sys_context, handle, &sessions_data_cmd, &hash,
+						 &sig_scheme, &validation, &sig, &sessions_data_rsp);
+	if (rval != TPM_RC_SUCCESS)
+	{
+		DBG1(DBG_PTS,"%s Tss2_Sys_Sign failed: 0x%06x", LABEL, rval);
+		return FALSE;
+	}
+
+	/* extract signature */
+	switch (scheme)
+	{
+		case SIGN_RSA_EMSA_PKCS1_SHA1:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_256:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_384:
+		case SIGN_RSA_EMSA_PKCS1_SHA2_512:
+			*signature = chunk_clone(
+							chunk_create(
+								sig.signature.rsassa.sig.t.buffer,
+								sig.signature.rsassa.sig.t.size));
+			break;
+		case SIGN_ECDSA_256:
+		case SIGN_ECDSA_384:
+		case SIGN_ECDSA_521:
+			*signature = chunk_cat("cc",
+							chunk_create(
+								sig.signature.ecdsa.signatureR.t.buffer,
+								sig.signature.ecdsa.signatureR.t.size),
+							chunk_create(
+								sig.signature.ecdsa.signatureS.t.buffer,
+								sig.signature.ecdsa.signatureS.t.size));
+			break;
+		case SIGN_ECDSA_WITH_SHA256_DER:
+		case SIGN_ECDSA_WITH_SHA384_DER:
+		case SIGN_ECDSA_WITH_SHA512_DER:
+			*signature = asn1_wrap(ASN1_SEQUENCE, "mm",
+							asn1_integer("c",
+								chunk_create(
+									sig.signature.ecdsa.signatureR.t.buffer,
+									sig.signature.ecdsa.signatureR.t.size)),
+							asn1_integer("c",
+								chunk_create(
+									sig.signature.ecdsa.signatureS.t.buffer,
+									sig.signature.ecdsa.signatureS.t.size)));
+			break;
+		default:
+			DBG1(DBG_PTS, "%s unsupported %N signature scheme",
+						   LABEL, signature_scheme_names, scheme);
+			return FALSE;
+	};
+
+	return TRUE;
+}
+
+METHOD(tpm_tss_t, get_random, bool,
+	private_tpm_tss_tss2_t *this, size_t bytes, uint8_t *buffer)
+{
+	size_t len, random_len= sizeof(TPM2B_DIGEST)-2;
+	TPM2B_DIGEST random = { { random_len, } };
+	uint8_t *pos = buffer;
+	uint32_t rval;
+
+	while (bytes > 0)
+	{
+		len = min(bytes, random_len);
+
+		rval = Tss2_Sys_GetRandom(this->sys_context, NULL, len, &random, NULL);
+		if (rval != TSS2_RC_SUCCESS)
+		{
+			DBG1(DBG_PTS,"%s Tss2_Sys_GetRandom failed: 0x%06x", LABEL, rval);
+			return FALSE;
+	    }
+		memcpy(pos, random.t.buffer, random.t.size);
+		pos   += random.t.size;
+		bytes -= random.t.size;
+	}
+
+	return TRUE;
+}
+
 METHOD(tpm_tss_t, destroy, void,
 	private_tpm_tss_tss2_t *this)
 {
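Review bot: In `get_random`, the size returned by `Tss2_Sys_GetRandom` is used unchecked in `memcpy(pos, random.t.buffer, random.t.size)` and `bytes -= random.t.size`. A reply of zero bytes makes the loop spin forever, and a reply larger than the requested `len` would write past the caller's buffer and wrap `bytes`. A guard before the copy closes both cases: `if (random.t.size == 0 || random.t.size > len) return FALSE;`. Separately, in `sign` the PIN is copied into the stack-resident `session_data_cmd.hmac` and silently cut to the buffer size. None of the return paths clears it, so a `memwipe(&session_data_cmd.hmac, sizeof(session_data_cmd.hmac));` on exit and a rejection of over-long PINs would be worth adding.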
@@ -670,6 +879,8 @@ tpm_tss_t *tpm_tss_tss2_create()
 			.read_pcr = _read_pcr,
 			.extend_pcr = _extend_pcr,
 			.quote = _quote,
+			.sign = _sign,
+			.get_random = _get_random,
 			.destroy = _destroy,
 		},
 	);
diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in
index 90e2d5e..8b0a402 100644
--- a/src/manager/Makefile.in
+++ b/src/manager/Makefile.in
@@ -376,7 +376,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -411,6 +410,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in
index bd88b0d..249728b 100644
--- a/src/medsrv/Makefile.in
+++ b/src/medsrv/Makefile.in
@@ -365,7 +365,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -400,6 +399,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index d9ffbf8..72d554a 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -378,7 +378,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -413,6 +412,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c
index 4f850d6..9e6e809 100644
--- a/src/pki/commands/acert.c
+++ b/src/pki/commands/acert.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -286,7 +286,7 @@ static void __attribute__ ((constructor))reg()
 			{"group",			'm', 1, "group membership string to include"},
 			{"issuercert",		'c', 1, "issuer certificate file"},
 			{"issuerkey",		'k', 1, "issuer private key file"},
-			{"issuerkeyid",		'x', 1, "keyid on smartcard of issuer private key"},
+			{"issuerkeyid",		'x', 1, "smartcard or TPM issuer private key object handle"},
 			{"serial",			's', 1, "serial number in hex, default: random"},
 			{"lifetime",		'l', 1, "hours the acert is valid, default: 24"},
 			{"not-before",		'F', 1, "date/time the validity of the AC starts"},
diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c
index 8b11854..6f14b52 100644
--- a/src/pki/commands/gen.c
+++ b/src/pki/commands/gen.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2014-2015 Andreas Steffen
+ * Copyright (C) 2014-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -44,6 +44,10 @@ static int gen()
 				{
 					type = KEY_ECDSA;
 				}
+				else if (streq(arg, "ed25519"))
+				{
+					type = KEY_ED25519;
+				}
 				else if (streq(arg, "bliss"))
 				{
 					type = KEY_BLISS;
@@ -101,6 +105,9 @@ static int gen()
 			case KEY_ECDSA:
 				size = 384;
 				break;
+			case KEY_ED25519:
+				size = 256;
+				break;
 			case KEY_BLISS:
 				size = 1;
 				break;
@@ -159,7 +166,7 @@ static void __attribute__ ((constructor))reg()
 {
 	command_register((command_t) {
 		gen, 'g', "gen", "generate a new private key",
-		{"  [--type rsa|ecdsa|bliss] [--size bits] [--safe-primes]",
+		{"  [--type rsa|ecdsa|ed25519|bliss] [--size bits] [--safe-primes]",
 		 "[--shares n] [--threshold l] [--outform der|pem]"},
 		{
 			{"help",		'h', 0, "show usage information"},
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index b15f901..b0399c7 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -71,6 +71,7 @@ static int issue()
 	char *error = NULL, *keyid = NULL;
 	identification_t *id = NULL;
 	linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings;
+	linked_list_t *addrblocks;
 	int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
 	int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
 	chunk_t serial = chunk_empty;
@@ -81,6 +82,7 @@ static int issue()
 	x509_t *x509;
 	x509_cdp_t *cdp = NULL;
 	x509_cert_policy_t *policy = NULL;
+	traffic_selector_t *ts;
 	char *arg;
 
 	san = linked_list_create();
@@ -90,6 +92,7 @@ static int issue()
 	excluded = linked_list_create();
 	policies = linked_list_create();
 	mappings = linked_list_create();
+	addrblocks = linked_list_create();
 
 	while (TRUE)
 	{
@@ -112,6 +115,11 @@ static int issue()
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_ECDSA;
 				}
+				else if (streq(arg, "ed25519"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ED25519;
+				}
 				else if (streq(arg, "bliss"))
 				{
 					type = CRED_PRIVATE_KEY;
@@ -179,6 +187,15 @@ static int issue()
 			case 'p':
 				pathlen = atoi(arg);
 				continue;
+			case 'B':
+				ts = parse_ts(arg);
+				if (!ts)
+				{
+					error = "invalid addressBlock";
+					goto usage;
+				}
+				addrblocks->insert_last(addrblocks, ts);
+				continue;
 			case 'n':
 				permitted->insert_last(permitted,
 									   identification_create_from_string(arg));
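Review bot: The new `case 'B':` branch appends each parsed block to `addrblocks` in command-line order with no sorting or merging, and the man page text added in this commit confirms that the blocks go into the certificate as given. A short comment at the insert would make that contract visible to maintainers, for example `/* encoded as supplied: caller must pass blocks sorted and with adjacent ranges merged (RFC 3779) */`. The same applies to the identical branch added to `self()` in src/pki/commands/self.c. `issue()` begins and ends outside this hunk.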
@@ -514,7 +531,7 @@ static int issue()
 					BUILD_NOT_BEFORE_TIME, not_before, BUILD_DIGEST_ALG, digest,
 					BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
 					BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags,
-					BUILD_PATHLEN, pathlen,
+					BUILD_PATHLEN, pathlen, BUILD_ADDRBLOCKS, addrblocks,
 					BUILD_CRL_DISTRIBUTION_POINTS, cdps,
 					BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
 					BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
@@ -552,6 +569,7 @@ end:
 	san->destroy_offset(san, offsetof(identification_t, destroy));
 	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
 	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+	addrblocks->destroy_offset(addrblocks, offsetof(traffic_selector_t, destroy));
 	policies->destroy_function(policies, (void*)destroy_cert_policy);
 	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
 	cdps->destroy_function(cdps, (void*)destroy_cdp);
@@ -570,6 +588,7 @@ usage:
 	san->destroy_offset(san, offsetof(identification_t, destroy));
 	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
 	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+	addrblocks->destroy_offset(addrblocks, offsetof(traffic_selector_t, destroy));
 	policies->destroy_function(policies, (void*)destroy_cert_policy);
 	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
 	cdps->destroy_function(cdps, (void*)destroy_cdp);
@@ -585,7 +604,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		issue, 'i', "issue",
 		"issue a certificate using a CA certificate and key",
-		{"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|bliss] --cakey file|--cakeyid hex",
+		{"[--in file] [--type pub|pkcs10|priv|rsa|ecdsa|ed25519|bliss] --cakey file|--cakeyid hex",
 		 " --cacert file [--dn subject-dn] [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--pathlen len]",
 		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
@@ -601,7 +620,7 @@ static void __attribute__ ((constructor))reg()
 			{"type",			't', 1, "type of input, default: pub"},
 			{"cacert",			'c', 1, "CA certificate file"},
 			{"cakey",			'k', 1, "CA private key file"},
-			{"cakeyid",			'x', 1, "keyid on smartcard of CA private key"},
+			{"cakeyid",			'x', 1, "smartcard or TPM CA private key object handle"},
 			{"dn",				'd', 1, "distinguished name to include as subject"},
 			{"san",				'a', 1, "subjectAltName to include in certificate"},
 			{"lifetime",		'l', 1, "days the certificate is valid, default: 1095"},
@@ -611,6 +630,7 @@ static void __attribute__ ((constructor))reg()
 			{"serial",			's', 1, "serial number in hex, default: random"},
 			{"ca",				'b', 0, "include CA basicConstraint, default: no"},
 			{"pathlen",			'p', 1, "set path length constraint"},
+			{"addrblock",		'B', 1, "RFC 3779 addrBlock to include"},
 			{"nc-permitted",	'n', 1, "add permitted NameConstraint"},
 			{"nc-excluded",		'N', 1, "add excluded NameConstraint"},
 			{"cert-policy",		'P', 1, "certificatePolicy OID to include"},
diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c
index f79120b..001b9ff 100644
--- a/src/pki/commands/keyid.c
+++ b/src/pki/commands/keyid.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -30,7 +31,7 @@ static int keyid()
 	certificate_t *cert;
 	private_key_t *private;
 	public_key_t *public;
-	char *file = NULL;
+	char *file = NULL, *keyid = NULL;
 	void *cred;
 	chunk_t id;
 	char *arg;
@@ -88,6 +89,9 @@ static int keyid()
 			case 'i':
 				file = arg;
 				continue;
+			case 'x':
+				keyid = arg;
+				continue;
 			case EOF:
 				break;
 			default:
@@ -100,6 +104,15 @@ static int keyid()
 		cred = lib->creds->create(lib->creds, type, subtype,
 								  BUILD_FROM_FILE, file, BUILD_END);
 	}
+	else if (keyid)
+	{
+		chunk_t chunk;
+
+		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+		cred = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+								  BUILD_PKCS11_KEYID, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
 	else
 	{
 		chunk_t chunk;
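Review bot: The `else if (keyid)` branch is only reached when `file` is NULL, so `--in` silently wins if both options are given, although the usage string changed in this commit presents `--in file|--keyid hex` as alternatives. Rejecting the combination before loading, e.g. `if (file && keyid) { return command_usage("--in and --keyid are mutually exclusive"); }`, keeps the tool from fingerprinting a different key than the one the operator named. The result of `chunk_from_hex()` is also passed on unchecked; a guard on `chunk.len` before `lib->creds->create()` would catch an empty handle early. The same branch is added to `req()` in src/pki/commands/req.c, and `keyid()` starts and ends outside this hunk.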
@@ -177,10 +190,11 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ keyid, 'k', "keyid",
 		"calculate key identifiers of a key/certificate",
-		{"[--in file] [--type priv|rsa|ecdsa|bliss|pub|pkcs10|x509]"},
+		{"[--in file|--keyid hex] [--type priv|rsa|ecdsa|bliss|pub|pkcs10|x509]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
+			{"keyid",	'x', 1, "smartcard or TPM private key object handle"},
 			{"type",	't', 1, "type of key, default: priv"},
 		}
 	});
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index 8cb0a7b..8021016 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -2,7 +2,7 @@
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -106,6 +106,12 @@ static int print()
 					type = CRED_PRIVATE_KEY;
 					subtype = KEY_ECDSA;
 				}
+				else if (streq(arg, "ed25519") ||
+						 streq(arg, "ed25519-priv"))
+				{
+					type = CRED_PRIVATE_KEY;
+					subtype = KEY_ED25519;
+				}
 				else if (streq(arg, "bliss") ||
 						 streq(arg, "bliss-priv"))
 				{
@@ -181,7 +187,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t)
 		{ print, 'a', "print",
 		"print a credential in a human readable form",
-		{"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|bliss]"},
+		{"[--in file] [--type x509|crl|ac|pub|priv|rsa|ecdsa|ed25519|bliss]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c
index 1d876f6..1f9f3e0 100644
--- a/src/pki/commands/pub.c
+++ b/src/pki/commands/pub.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -199,7 +199,7 @@ static void __attribute__ ((constructor))reg()
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "input file, default: stdin"},
-			{"keyid",	'x', 1, "keyid on smartcard of private key"},
+			{"keyid",	'x', 1, "smartcard or TPM private key object handle"},
 			{"type",	't', 1, "type of credential, default: priv"},
 			{"outform",	'f', 1, "encoding of extracted public key, default: der"},
 		}
diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c
index 23d07a2..7b87e6c 100644
--- a/src/pki/commands/req.c
+++ b/src/pki/commands/req.c
@@ -1,8 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2009-2015 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
+ * Copyright (C) 2009-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -34,7 +32,7 @@ static int req()
 	hash_algorithm_t digest = HASH_UNKNOWN;
 	certificate_t *cert = NULL;
 	private_key_t *private = NULL;
-	char *file = NULL, *dn = NULL, *error = NULL;
+	char *file = NULL, *keyid = NULL, *dn = NULL, *error = NULL;
 	identification_t *id = NULL;
 	linked_list_t *san;
 	chunk_t encoding = chunk_empty;
@@ -98,6 +96,9 @@ static int req()
 					goto usage;
 				}
 				continue;
+			case 'x':
+				keyid = arg;
+				continue;
 			case EOF:
 				break;
 			default:
@@ -123,6 +124,15 @@ static int req()
 		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
 									 BUILD_FROM_FILE, file, BUILD_END);
 	}
+	else if (keyid)
+	{
+		chunk_t chunk;
+
+		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
+		private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
+									  BUILD_PKCS11_KEYID, chunk, BUILD_END);
+		free(chunk.ptr);
+	}
 	else
 	{
 		chunk_t chunk;
@@ -198,13 +208,14 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		req, 'r', "req",
 		"create a PKCS#10 certificate request",
-		{"  [--in file] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
+		{"  [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv] --dn distinguished-name",
 		 "[--san subjectAltName]+ [--password challengePassword]",
 		 "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]",
 		 "[--outform der|pem]"},
 		{
 			{"help",	'h', 0, "show usage information"},
 			{"in",		'i', 1, "private key input file, default: stdin"},
+			{"keyid",	'x', 1, "smartcard or TPM private key object handle"},
 			{"type",	't', 1, "type of input key, default: priv"},
 			{"dn",		'd', 1, "subject distinguished name"},
 			{"san",		'a', 1, "subjectAltName to include in cert request"},
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index 6fb7b75..bdb2246 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2009 Martin Willi
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2017 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -22,6 +22,7 @@
 #include <collections/linked_list.h>
 #include <credentials/certificates/certificate.h>
 #include <credentials/certificates/x509.h>
+#include <selectors/traffic_selector.h>
 #include <asn1/asn1.h>
 
 /**
@@ -49,7 +50,7 @@ static void destroy_policy_mapping(x509_policy_mapping_t *mapping)
 static int self()
 {
 	cred_encoding_type_t form = CERT_ASN1_DER;
-	key_type_t type = KEY_RSA;
+	key_type_t type = KEY_ANY;
 	hash_algorithm_t digest = HASH_UNKNOWN;
 	certificate_t *cert = NULL;
 	private_key_t *private = NULL;
@@ -57,6 +58,7 @@ static int self()
 	char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL;
 	identification_t *id = NULL;
 	linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings;
+	linked_list_t *addrblocks;
 	int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
 	int inhibit_mapping = X509_NO_CONSTRAINT;
 	int require_explicit = X509_NO_CONSTRAINT;
@@ -66,6 +68,7 @@ static int self()
 	char *datenb = NULL, *datena = NULL, *dateform = NULL;
 	x509_flag_t flags = 0;
 	x509_cert_policy_t *policy = NULL;
+	traffic_selector_t *ts;
 	char *arg;
 
 	san = linked_list_create();
@@ -74,6 +77,7 @@ static int self()
 	excluded = linked_list_create();
 	policies = linked_list_create();
 	mappings = linked_list_create();
+	addrblocks = linked_list_create();
 
 	while (TRUE)
 	{
@@ -90,6 +94,10 @@ static int self()
 				{
 					type = KEY_ECDSA;
 				}
+				else if (streq(arg, "ed25519"))
+				{
+					type = KEY_ED25519;
+				}
 				else if (streq(arg, "bliss"))
 				{
 					type = KEY_BLISS;
@@ -149,6 +157,15 @@ static int self()
 			case 'p':
 				pathlen = atoi(arg);
 				continue;
+			case 'B':
+				ts = parse_ts(arg);
+				if (!ts)
+				{
+					error = "invalid addressBlock";
+					goto usage;
+				}
+				addrblocks->insert_last(addrblocks, ts);
+				continue;
 			case 'n':
 				permitted->insert_last(permitted,
 									   identification_create_from_string(arg));
@@ -356,6 +373,7 @@ static int self()
 						BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial,
 						BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags,
 						BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san,
+						BUILD_ADDRBLOCKS, addrblocks,
 						BUILD_OCSP_ACCESS_LOCATIONS, ocsp,
 						BUILD_PERMITTED_NAME_CONSTRAINTS, permitted,
 						BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded,
@@ -390,6 +408,7 @@ end:
 	san->destroy_offset(san, offsetof(identification_t, destroy));
 	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
 	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+	addrblocks->destroy_offset(addrblocks, offsetof(traffic_selector_t, destroy));
 	policies->destroy_function(policies, (void*)destroy_cert_policy);
 	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
 	ocsp->destroy(ocsp);
@@ -407,6 +426,7 @@ usage:
 	san->destroy_offset(san, offsetof(identification_t, destroy));
 	permitted->destroy_offset(permitted, offsetof(identification_t, destroy));
 	excluded->destroy_offset(excluded, offsetof(identification_t, destroy));
+	addrblocks->destroy_offset(addrblocks, offsetof(traffic_selector_t, destroy));
 	policies->destroy_function(policies, (void*)destroy_cert_policy);
 	mappings->destroy_function(mappings, (void*)destroy_policy_mapping);
 	ocsp->destroy(ocsp);
@@ -421,7 +441,7 @@ static void __attribute__ ((constructor))reg()
 	command_register((command_t) {
 		self, 's', "self",
 		"create a self signed certificate",
-		{" [--in file|--keyid hex] [--type rsa|ecdsa|bliss|priv]",
+		{" [--in file|--keyid hex] [--type rsa|ecdsa|ed25519|bliss|priv]",
 		 " --dn distinguished-name [--san subjectAltName]+",
 		 "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+",
 		 "[--flag serverAuth|clientAuth|crlSign|ocspSigning|msSmartcardLogon]+",
@@ -434,7 +454,7 @@ static void __attribute__ ((constructor))reg()
 		{
 			{"help",			'h', 0, "show usage information"},
 			{"in",				'i', 1, "private key input file, default: stdin"},
-			{"keyid",			'x', 1, "keyid on smartcard of private key"},
+			{"keyid",			'x', 1, "smartcard or TPM private key object handle"},
 			{"type",			't', 1, "type of input key, default: priv"},
 			{"dn",				'd', 1, "subject and issuer distinguished name"},
 			{"san",				'a', 1, "subjectAltName to include in certificate"},
@@ -445,6 +465,7 @@ static void __attribute__ ((constructor))reg()
 			{"serial",			's', 1, "serial number in hex, default: random"},
 			{"ca",				'b', 0, "include CA basicConstraint, default: no"},
 			{"pathlen",			'p', 1, "set path length constraint"},
+			{"addrblock",		'B', 1, "RFC 3779 addrBlock to include"},
 			{"nc-permitted",	'n', 1, "add permitted NameConstraint"},
 			{"nc-excluded",		'N', 1, "add excluded NameConstraint"},
 			{"cert-policy",		'P', 1, "certificatePolicy OID to include"},
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index b9cf9c4..6bccf1b 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -2,6 +2,9 @@
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
+ * Copyright (C) 2017 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -461,7 +464,7 @@ static void __attribute__ ((constructor))reg()
 			{"help",		'h', 0, "show usage information"},
 			{"cacert",		'c', 1, "CA certificate file"},
 			{"cakey",		'k', 1, "CA private key file"},
-			{"cakeyid",		'x', 1, "keyid on smartcard of CA private key"},
+			{"cakeyid",		'x', 1, "smartcard or TPM CA private key object handle"},
 			{"lifetime",	'l', 1, "days the CRL gets a nextUpdate, default: 15"},
 			{"this-update",	'F', 1, "date/time the validity of the CRL starts"},
 			{"next-update",	'T', 1, "date/time the validity of the CRL ends"},
diff --git a/src/pki/man/Makefile.in b/src/pki/man/Makefile.in
index 030d6be..e40aca3 100644
--- a/src/pki/man/Makefile.in
+++ b/src/pki/man/Makefile.in
@@ -315,7 +315,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -350,6 +349,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/pki/man/pki---acert.1.in b/src/pki/man/pki---acert.1.in
index d7460fd..c6ecbb9 100644
--- a/src/pki/man/pki---acert.1.in
+++ b/src/pki/man/pki---acert.1.in
@@ -63,7 +63,8 @@ Issuer private key file. Either this or
 is required.
 .TP
 .BI "\-x, \-\-issuerkeyid " hex
-Key ID of a issuer private key on a smartcard. Either this or
+Smartcard or TPM issuer private key object handle in hex format with an optional
+h0x prefix. Either this or
 .B \-\-issuerkey
 is required.
 .TP
diff --git a/src/pki/man/pki---gen.1.in b/src/pki/man/pki---gen.1.in
index 138ab61..4c61ead 100644
--- a/src/pki/man/pki---gen.1.in
+++ b/src/pki/man/pki---gen.1.in
@@ -1,4 +1,4 @@
-.TH "PKI \-\-GEN" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-GEN" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
@@ -45,7 +45,8 @@ Set debug level, default: 1.
 Read command line options from \fIfile\fR.
 .TP
 .BI "\-t, \-\-type " type
-Type of key to generate. Either \fIrsa\fR or \fIecdsa\fR, defaults to \fIrsa\fR.
+Type of key to generate. Either \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR or
+\fIbliss\fR, defaults to \fIrsa\fR.
 .TP
 .BI "\-s, \-\-size " bits
 Key length in bits. Defaults to 2048 for \fIrsa\fR and 384 for \fIecdsa\fR.
diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in
index bfc7bb1..99cc64f 100644
--- a/src/pki/man/pki---issue.1.in
+++ b/src/pki/man/pki---issue.1.in
@@ -1,4 +1,4 @@
-.TH "PKI \-\-ISSUE" 1 "2013-08-12" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-ISSUE" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
@@ -24,6 +24,7 @@ pki \-\-issue \- Issue a certificate using a CA certificate and key
 .OP \-\-ocsp uri
 .OP \-\-pathlen len
 .OP \-\-nc-permitted name
+.OP \-\-addrblock block
 .OP \-\-nc-excluded name
 .OP \-\-policy\-mapping mapping
 .OP \-\-policy\-explicit len
@@ -68,9 +69,9 @@ key/request is read from \fISTDIN\fR.
 .TP
 .BI "\-t, \-\-type " type
 Type of the input. One of \fIpub\fR (public key), \fIpriv\fR (private key),
-\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS
-private key) or \fIpkcs10\fR (PKCS#10 certificate request), defaults to
-\fIpub\fR.
+\fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private key),
+\fIed25519\fR (Ed25519 private key) \fIbliss\fR (BLISS private key) or
+\fIpkcs10\fR (PKCS#10 certificate request), defaults to \fIpub\fR.
 .TP
 .BI "\-k, \-\-cakey " file
 CA private key file. Either this or
@@ -78,7 +79,8 @@ CA private key file. Either this or
 is required.
 .TP
 .BI "\-x, \-\-cakeyid " hex
-Key ID of a CA private key on a smartcard. Either this or
+Smartcard or TPM CA private key object handle in hex format with an optional
+0x prefix. Either this or
 .B \-\-cakey
 is required.
 .TP
@@ -148,6 +150,14 @@ times.
 .BI "\-p, \-\-pathlen " len
 Set path length constraint.
 .TP
+.BI "\-B, \-\-addrblock " block
+RFC 3779 address block to include in certificate. \fIblock\fR is either a
+CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range
+(\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks.
+Please note that the supplied blocks are included in the certificate as is,
+so for standards compliance, multiple blocks must be supplied in correct
+order and adjacent blocks must be combined. Refer to RFC 3779 for details.
+.TP
 .BI "\-n, \-\-nc-permitted " name
 Add permitted NameConstraint extension to certificate. For DNS or email
 constraints, the identity type is not always detectable by the given name. Use
diff --git a/src/pki/man/pki---keyid.1.in b/src/pki/man/pki---keyid.1.in
index c69f7cb..148b95e 100644
--- a/src/pki/man/pki---keyid.1.in
+++ b/src/pki/man/pki---keyid.1.in
@@ -7,7 +7,9 @@ pki \-\-keyid \- Calculate key identifiers of a key or certificate
 .SH "SYNOPSIS"
 .
 .SY pki\ \-\-keyid
-.OP \-\-in file
+.RB [ \-\-in
+.IR file | \fB\-\-keyid\fR
+.IR hex ]
 .OP \-\-type type
 .OP \-\-debug level
 .YS
@@ -43,6 +45,10 @@ Read command line options from \fIfile\fR.
 .BI "\-i, \-\-in " file
 Input file. If not given the input is read from \fISTDIN\fR.
 .TP
+.BI "\-x, \-\-keyid " hex
+Smartcard or TPM private key object handle in hex format with an optional
+0x prefix.
+.TP
 .BI "\-t, \-\-type " type
 Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key),
 \fIecdsa\fR (ECDSA private key), \fIbliss\fR (BLISS private key),
@@ -70,4 +76,4 @@ Calculate key identifiers of an X.509 certificate:
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---print.1.in b/src/pki/man/pki---print.1.in
index 09f81cd..65fb8bc 100644
--- a/src/pki/man/pki---print.1.in
+++ b/src/pki/man/pki---print.1.in
@@ -1,4 +1,4 @@
-.TH "PKI \-\-PRINT" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-PRINT" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
@@ -47,8 +47,8 @@ Input file. If not given the input is read from \fISTDIN\fR.
 Type of input. One of \fIx509\fR (X.509 certificate), \fIcrl\fR (Certificate
 Revocation List, CRL), \fIac\fR (Attribute Certificate), \fIpub\fR (public key),
 \fpriv\fR (private key), \fIrsa\fR (RSA private key), \fIecdsa\fR (ECDSA private
-key), \fIbliss\fR (BLISS private key), \fIpriv\fR (private key), defaults to
-\fIx509\fR.
+key), \fIed25519\fR (Ed25519 private key), \fIbliss\fR (BLISS private key),
+\fIpriv\fR (private key), defaults to \fIx509\fR.
 .
 .SH "SEE ALSO"
 .
diff --git a/src/pki/man/pki---pub.1.in b/src/pki/man/pki---pub.1.in
index fe6c520..006b7ae 100644
--- a/src/pki/man/pki---pub.1.in
+++ b/src/pki/man/pki---pub.1.in
@@ -46,6 +46,10 @@ Read command line options from \fIfile\fR.
 .BI "\-i, \-\-in " file
 Input file. If not given the input is read from \fISTDIN\fR.
 .TP
+.BI "\-x, \-\-keyid " hex
+Smartcard or TPM private key object handle in hex format with an optional
+0x prefix.
+.TP
 .BI "\-t, \-\-type " type
 Type of input. One of \fIpriv\fR (private key), \fIrsa\fR (RSA private key),
 \fIecdsa\fR (ECDSA private key), \fIpub\fR (public key), \fIpkcs10\fR (PKCS#10
diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in
index 4a39c5c..09ef086 100644
--- a/src/pki/man/pki---req.1.in
+++ b/src/pki/man/pki---req.1.in
@@ -7,7 +7,9 @@ pki \-\-req \- Create a PKCS#10 certificate request
 .SH "SYNOPSIS"
 .
 .SY pki\ \-\-req
-.OP \-\-in file
+.RB [ \-\-in
+.IR file | \fB\-\-keyid\fR
+.IR hex ]
 .OP \-\-type type
 .BI \-\-dn\~ distinguished-name
 .OP \-\-san subjectAltName
@@ -48,6 +50,10 @@ Read command line options from \fIfile\fR.
 .BI "\-i, \-\-in " file
 Private key input file. If not given the key is read from \fISTDIN\fR.
 .TP
+.BI "\-x, \-\-keyid " hex
+Smartcard or TPM private key object handle in hex format with an optional
+0x prefix.
+.TP
 .BI "\-t, \-\-type " type
 Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
 defaults to \fIpriv\fR.
@@ -89,4 +95,4 @@ Generate a certificate request for an ECDSA key and a different digest:
 .
 .SH "SEE ALSO"
 .
-.BR pki (1)
\ No newline at end of file
+.BR pki (1)
diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in
index 9461e3e..aa7e6fa 100644
--- a/src/pki/man/pki---self.1.in
+++ b/src/pki/man/pki---self.1.in
@@ -1,4 +1,4 @@
-.TH "PKI \-\-SELF" 1 "2013-07-31" "@PACKAGE_VERSION@" "strongSwan"
+.TH "PKI \-\-SELF" 1 "2016-12-13" "@PACKAGE_VERSION@" "strongSwan"
 .
 .SH "NAME"
 .
@@ -22,6 +22,7 @@ pki \-\-self \- Create a self-signed certificate
 .OP \-\-ca
 .OP \-\-ocsp uri
 .OP \-\-pathlen len
+.OP \-\-addrblock block
 .OP \-\-nc-permitted name
 .OP \-\-nc-excluded name
 .OP \-\-policy\-mapping mapping
@@ -65,11 +66,12 @@ Read command line options from \fIfile\fR.
 Private key input file. If not given the key is read from \fISTDIN\fR.
 .TP
 .BI "\-x, \-\-keyid " hex
-Key ID of a private key on a smartcard.
+Smartcard or TPM private key object handle in hex format with an optional
+0x prefix.
 .TP
 .BI "\-t, \-\-type " type
-Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR or \fIbliss\fR,
-defaults to \fIpriv\fR.
+Type of the input key. Either \fIpriv\fR, \fIrsa\fR, \fIecdsa\fR, \fIed25519\fR
+or \fIbliss\fR, defaults to \fIpriv\fR.
 .TP
 .BI "\-d, \-\-dn " distinguished-name
 Subject and issuer distinguished name (DN). Required.
@@ -127,6 +129,14 @@ times.
 .BI "\-p, \-\-pathlen " len
 Set path length constraint.
 .TP
+.BI "\-B, \-\-addrblock " block
+RFC 3779 address block to include in certificate. \fIblock\fR is either a
+CIDR subnet (such as \fI10.0.0.0/8\fR) or an arbitrary address range
+(\fI192.168.1.7-192.168.1.13\fR). Can be repeated to include multiple blocks.
+Please note that the supplied blocks are included in the certificate as is,
+so for standards compliance, multiple blocks must be supplied in correct
+order and adjacent blocks must be combined. Refer to RFC 3779 for details.
+.TP
 .BI "\-n, \-\-nc-permitted " name
 Add permitted NameConstraint extension to certificate. For DNS or email
 constraints, the identity type is not always detectable by the given name. Use
diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in
index b930bfa..b901ad0 100644
--- a/src/pki/man/pki---signcrl.1.in
+++ b/src/pki/man/pki---signcrl.1.in
@@ -56,7 +56,8 @@ CA private key file. Either this or
 is required.
 .TP
 .BI "\-x, \-\-cakeyid " hex
-Key ID of a CA private key on a smartcard. Either this or
+Smartcard or TPM CA private key object handle in hex format with an optional
+0x prefix. Either this or
 .B \-\-cakey
 is required.
 .TP
diff --git a/src/pki/pki.c b/src/pki/pki.c
index 4727049..0fdab2a 100644
--- a/src/pki/pki.c
+++ b/src/pki/pki.c
@@ -258,6 +258,28 @@ hash_algorithm_t get_default_digest(private_key_t *private)
 	return alg == HASH_UNKNOWN ? HASH_SHA256 : alg;
 }
 
+/*
+ * Described in header
+ */
+traffic_selector_t* parse_ts(char *str)
+{
+	ts_type_t type = TS_IPV4_ADDR_RANGE;
+	char *to, from[64];
+
+	if (strchr(str, ':'))
+	{
+		type = TS_IPV6_ADDR_RANGE;
+	}
+	to = strchr(str, '-');
+	if (to)
+	{
+		snprintf(from, sizeof(from), "%.*s", (int)(to - str), str);
+		to++;
+		return traffic_selector_create_from_string(0, type, from, 0, to, 65535);
+	}
+	return traffic_selector_create_from_cidr(str, 0, 0, 65535);
+}
+
 /**
  * Callback credential set pki uses
  */
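Review bot: In the range branch of `parse_ts()` the start address is copied with `snprintf(from, sizeof(from), "%.*s", ...)`, which silently truncates anything longer than 63 bytes and then relies on the address parser to reject what is left. Making the limit explicit before the copy, `if ((size_t)(to - str) >= sizeof(from)) return NULL;`, turns that into a defined error path matching the header's "NULL on error". Nothing visible here checks that the start address is not above the end address; unless `traffic_selector_create_from_string()` rejects that (not shown), a reversed range would reach the certificate builder. The header comment in pki.h lists only the IPv4 forms although the code also selects `TS_IPV6_ADDR_RANGE`; it could read `input string, CIDR subnet or from-to range, IPv4 or IPv6`.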
diff --git a/src/pki/pki.h b/src/pki/pki.h
index 017e61d..54be59f 100644
--- a/src/pki/pki.h
+++ b/src/pki/pki.h
@@ -26,6 +26,7 @@
 #include "command.h"
 
 #include <library.h>
+#include <selectors/traffic_selector.h>
 #include <credentials/keys/private_key.h>
 
 /**
@@ -63,4 +64,12 @@ void set_file_mode(FILE *stream, cred_encoding_type_t enc);
  */
 hash_algorithm_t get_default_digest(private_key_t *private);
 
+/**
+ * Create a traffic selector from a CIDR or range string.
+ *
+ * @param str		input string, either a.b.c.d/e or a.b.c.d-e.f.g.h
+ * @return			traffic selector, NULL on error
+ */
+traffic_selector_t* parse_ts(char *str);
+
 #endif /** PKI_H_ @}*/
diff --git a/src/pool/Makefile.in b/src/pool/Makefile.in
index 9ad2445..d67830e 100644
--- a/src/pool/Makefile.in
+++ b/src/pool/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/pt-tls-client/Makefile.in b/src/pt-tls-client/Makefile.in
index 3a8ffb8..2c87f5f 100644
--- a/src/pt-tls-client/Makefile.in
+++ b/src/pt-tls-client/Makefile.in
@@ -329,7 +329,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -364,6 +363,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index 1b36b91..47b0c8c 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -357,7 +357,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -392,6 +391,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in
index 4cc0ab5..3c89b0c 100644
--- a/src/starter/Makefile.in
+++ b/src/starter/Makefile.in
@@ -402,7 +402,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -437,6 +436,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 3fb750e..f98fc89 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -40,7 +40,7 @@
 #define SA_REPLACEMENT_RETRIES_DEFAULT   3
 #define SA_REPLAY_WINDOW_DEFAULT        -1 /* use charon.replay_window */
 
-static const char ike_defaults[] = "aes128-sha256-modp3072";
+static const char ike_defaults[] = "aes128-sha256-curve25519";
 static const char esp_defaults[] = "aes128-sha256";
 
 static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables";
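Review bot: The new `ike_defaults` value names curve25519 as the only key-exchange group, and nothing next to it documents what that requires. A comment such as `/* curve25519 (DH group 31) needs a plugin providing it and a peer that supports it */` would make the dependency explicit. How this string is consumed is outside the hunk, so whether a build without curve25519 support, or a peer limited to MODP groups, can still negotiate with an unconfigured `ike=` should be confirmed. If it cannot, the default should keep a MODP fallback proposal alongside the new one.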
diff --git a/src/starter/tests/Makefile.in b/src/starter/tests/Makefile.in
index 46d200f..8e9028a 100644
--- a/src/starter/tests/Makefile.in
+++ b/src/starter/tests/Makefile.in
@@ -354,7 +354,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -389,6 +388,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index 39ca9fd..fff0a5e 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -328,7 +328,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -363,6 +362,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/swanctl/Makefile.am b/src/swanctl/Makefile.am
index 9ca759e..2fc9982 100644
--- a/src/swanctl/Makefile.am
+++ b/src/swanctl/Makefile.am
@@ -4,6 +4,7 @@ swanctl_SOURCES = \
 	command.c command.h \
 	commands/initiate.c \
 	commands/terminate.c \
+	commands/rekey.c \
 	commands/redirect.c \
 	commands/install.c \
 	commands/list_sas.c \
diff --git a/src/swanctl/Makefile.in b/src/swanctl/Makefile.in
index ff9dca0..7e2a1da 100644
--- a/src/swanctl/Makefile.in
+++ b/src/swanctl/Makefile.in
@@ -113,9 +113,9 @@ am__installdirs = "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man5dir)" \
 PROGRAMS = $(sbin_PROGRAMS)
 am__dirstamp = $(am__leading_dot)dirstamp
 am_swanctl_OBJECTS = command.$(OBJEXT) commands/initiate.$(OBJEXT) \
-	commands/terminate.$(OBJEXT) commands/redirect.$(OBJEXT) \
-	commands/install.$(OBJEXT) commands/list_sas.$(OBJEXT) \
-	commands/list_pols.$(OBJEXT) \
+	commands/terminate.$(OBJEXT) commands/rekey.$(OBJEXT) \
+	commands/redirect.$(OBJEXT) commands/install.$(OBJEXT) \
+	commands/list_sas.$(OBJEXT) commands/list_pols.$(OBJEXT) \
 	commands/list_authorities.$(OBJEXT) \
 	commands/list_conns.$(OBJEXT) commands/list_certs.$(OBJEXT) \
 	commands/list_pools.$(OBJEXT) commands/list_algs.$(OBJEXT) \
@@ -377,7 +377,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -412,6 +411,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
@@ -465,6 +465,7 @@ swanctl_SOURCES = \
 	command.c command.h \
 	commands/initiate.c \
 	commands/terminate.c \
+	commands/rekey.c \
 	commands/redirect.c \
 	commands/install.c \
 	commands/list_sas.c \
@@ -603,6 +604,8 @@ commands/initiate.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/terminate.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
+commands/rekey.$(OBJEXT): commands/$(am__dirstamp) \
+	commands/$(DEPDIR)/$(am__dirstamp)
 commands/redirect.$(OBJEXT): commands/$(am__dirstamp) \
 	commands/$(DEPDIR)/$(am__dirstamp)
 commands/install.$(OBJEXT): commands/$(am__dirstamp) \
@@ -672,6 +675,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/load_pools.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/log.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/redirect.Po at am__quote@
+ at AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/rekey.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/reload_settings.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/stats.Po at am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote at commands/$(DEPDIR)/terminate.Po at am__quote@
diff --git a/src/swanctl/command.h b/src/swanctl/command.h
index 7b92ae9..c178114 100644
--- a/src/swanctl/command.h
+++ b/src/swanctl/command.h
@@ -27,7 +27,7 @@
 /**
  * Maximum number of commands (+1).
  */
-#define MAX_COMMANDS 24
+#define MAX_COMMANDS 25
 
 /**
  * Maximum number of options in a command (+3)
diff --git a/src/swanctl/commands/initiate.c b/src/swanctl/commands/initiate.c
index eb7b6ad..8e452a6 100644
--- a/src/swanctl/commands/initiate.c
+++ b/src/swanctl/commands/initiate.c
@@ -37,7 +37,7 @@ static int initiate(vici_conn_t *conn)
 	vici_req_t *req;
 	vici_res_t *res;
 	command_format_options_t format = COMMAND_FORMAT_NONE;
-	char *arg, *child = NULL;
+	char *arg, *child = NULL, *ike = NULL;
 	int ret = 0, timeout = 0, level = 1;
 
 	while (TRUE)
@@ -55,6 +55,9 @@ static int initiate(vici_conn_t *conn)
 			case 'c':
 				child = arg;
 				continue;
+			case 'i':
+				ike = arg;
+				continue;
 			case 't':
 				timeout = atoi(arg);
 				continue;
@@ -80,6 +83,10 @@ static int initiate(vici_conn_t *conn)
 	{
 		vici_add_key_valuef(req, "child", "%s", child);
 	}
+	if (ike)
+	{
+		vici_add_key_valuef(req, "ike", "%s", ike);
+	}
 	if (timeout)
 	{
 		vici_add_key_valuef(req, "timeout", "%d", timeout * 1000);
@@ -121,10 +128,11 @@ static void __attribute__ ((constructor))reg()
 {
 	command_register((command_t) {
 		initiate, 'i', "initiate", "initiate a connection",
-		{"--child <name> [--timeout <s>] [--raw|--pretty]"},
+		{"--child <name> [--ike <name>] [--timeout <s>] [--raw|--pretty]"},
 		{
 			{"help",		'h', 0, "show usage information"},
 			{"child",		'c', 1, "initate a CHILD_SA configuration"},
+			{"ike",			'i', 1, "name of the connection to which the child belongs"},
 			{"timeout",		't', 1, "timeout in seconds before detaching"},
 			{"raw",			'r', 0, "dump raw response message"},
 			{"pretty",		'P', 0, "dump raw response message in pretty print"},
diff --git a/src/swanctl/commands/install.c b/src/swanctl/commands/install.c
index 59c5c24..24a397b 100644
--- a/src/swanctl/commands/install.c
+++ b/src/swanctl/commands/install.c
@@ -22,7 +22,7 @@ static int manage_policy(vici_conn_t *conn, char *label)
 	vici_req_t *req;
 	vici_res_t *res;
 	command_format_options_t format = COMMAND_FORMAT_NONE;
-	char *arg, *child = NULL;
+	char *arg, *child = NULL, *ike = NULL;
 	int ret = 0;
 
 	while (TRUE)
@@ -40,6 +40,9 @@ static int manage_policy(vici_conn_t *conn, char *label)
 			case 'c':
 				child = arg;
 				continue;
+			case 'i':
+				ike = arg;
+				continue;
 			case EOF:
 				break;
 			default:
@@ -52,6 +55,10 @@ static int manage_policy(vici_conn_t *conn, char *label)
 	{
 		vici_add_key_valuef(req, "child", "%s", child);
 	}
+	if (ike)
+	{
+		vici_add_key_valuef(req, "ike", "%s", ike);
+	}
 	res = vici_submit(req, conn);
 	if (!res)
 	{
@@ -98,10 +105,11 @@ static void __attribute__ ((constructor))reg_uninstall()
 {
 	command_register((command_t) {
 		uninstall, 'u', "uninstall", "uninstall a trap or shunt policy",
-		{"--child <name> [--raw|--pretty]"},
+		{"--child <name> [--ike <name>] [--raw|--pretty]"},
 		{
 			{"help",		'h', 0, "show usage information"},
 			{"child",		'c', 1, "CHILD_SA configuration to uninstall"},
+			{"ike",			'i', 1, "name of the connection to which the child belongs"},
 			{"raw",			'r', 0, "dump raw response message"},
 			{"pretty",		'P', 0, "dump raw response message in pretty print"},
 		}
@@ -115,10 +123,11 @@ static void __attribute__ ((constructor))reg_install()
 {
 	command_register((command_t) {
 		install, 'p', "install", "install a trap or shunt policy",
-		{"--child <name> [--raw|--pretty]"},
+		{"--child <name> [--ike <name>] [--raw|--pretty]"},
 		{
 			{"help",		'h', 0, "show usage information"},
 			{"child",		'c', 1, "CHILD_SA configuration to install"},
+			{"ike",			'i', 1, "name of the connection to which the child belongs"},
 			{"raw",			'r', 0, "dump raw response message"},
 			{"pretty",		'P', 0, "dump raw response message in pretty print"},
 		}
diff --git a/src/swanctl/commands/list_pools.c b/src/swanctl/commands/list_pools.c
index 429107e..a170ade 100644
--- a/src/swanctl/commands/list_pools.c
+++ b/src/swanctl/commands/list_pools.c
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2015 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2015-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
@@ -58,7 +58,7 @@ static int list_pools(vici_conn_t *conn)
 	vici_req_t *req;
 	vici_res_t *res;
 	command_format_options_t format = COMMAND_FORMAT_NONE;
-	char *arg;
+	char *arg, *name = NULL;
 	int ret = 0;
 	bool leases = FALSE;
 
@@ -77,6 +77,9 @@ static int list_pools(vici_conn_t *conn)
 			case 'l':
 				leases = TRUE;
 				continue;
+			case 'n':
+				name = arg;
+				continue;
 			case EOF:
 				break;
 			default:
@@ -90,6 +93,10 @@ static int list_pools(vici_conn_t *conn)
 	{
 		vici_add_key_valuef(req, "leases", "yes");
 	}
+	if (name)
+	{
+		vici_add_key_valuef(req, "name", "%s", name);
+	}
 	res = vici_submit(req, conn);
 	if (!res)
 	{
@@ -123,6 +130,7 @@ static void __attribute__ ((constructor))reg()
 			{"raw",			'r', 0, "dump raw response message"},
 			{"pretty",		'P', 0, "dump raw response message in pretty print"},
 			{"leases",		'l', 0, "list leases of each pool"},
+			{"name",		'n', 1, "filter pools by name"},
 		}
 	});
 }
diff --git a/src/swanctl/commands/list_sas.c b/src/swanctl/commands/list_sas.c
index e5f251d..28602fc 100644
--- a/src/swanctl/commands/list_sas.c
+++ b/src/swanctl/commands/list_sas.c
@@ -112,8 +112,9 @@ CALLBACK(child_sas, int,
 	if (ret == 0)
 	{
 		printf("  %s: #%s, reqid %s, %s, %s%s, %s:",
-			name, child->get(child, "uniqueid"), child->get(child, "reqid"),
-			child->get(child, "state"), child->get(child, "mode"),
+			child->get(child, "name"), child->get(child, "uniqueid"),
+			child->get(child, "reqid"), child->get(child, "state"),
+			child->get(child, "mode"),
 			child->get(child, "encap") ? "-in-UDP" : "",
 			child->get(child, "protocol"));
 
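Review bot: The first `%s` argument is now `child->get(child, "name")` with no fallback, so a response that lacks a "name" key passes NULL to printf. That can happen with a daemon older than this client, though the callback signature and the daemon side are outside the hunk. The file already uses the `?:` idiom for optional keys, so if `name` from the removed line is still in scope the argument could be `child->get(child, "name") ?: name`.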
@@ -165,6 +166,15 @@ CALLBACK(child_sas, int,
 		printf("    in  %s%s%s", child->get(child, "spi-in"),
 			child->get(child, "cpi-in") ? "/" : "",
 			child->get(child, "cpi-in") ?: "");
+		if (child->get(child, "mark-in"))
+		{
+			printf(" (0x%s", child->get(child, "mark-in"));
+			if (child->get(child, "mark-mask-in"))
+			{
+				printf("/0x%s", child->get(child, "mark-mask-in"));
+			}
+			printf(")");
+		}
 		printf(", %6s bytes, %5s packets",
 			child->get(child, "bytes-in"), child->get(child, "packets-in"));
 		if (child->get(child, "use-in"))
@@ -176,6 +186,15 @@ CALLBACK(child_sas, int,
 		printf("    out %s%s%s", child->get(child, "spi-out"),
 			child->get(child, "cpi-out") ? "/" : "",
 			child->get(child, "cpi-out") ?: "");
+		if (child->get(child, "mark-out"))
+		{
+			printf(" (0x%s", child->get(child, "mark-out"));
+			if (child->get(child, "mark-mask-out"))
+			{
+				printf("/0x%s", child->get(child, "mark-mask-out"));
+			}
+			printf(")");
+		}
 		printf(", %6s bytes, %5s packets",
 			child->get(child, "bytes-out"), child->get(child, "packets-out"));
 		if (child->get(child, "use-out"))
diff --git a/src/swanctl/commands/load_authorities.c b/src/swanctl/commands/load_authorities.c
index 352a185..8947866 100644
--- a/src/swanctl/commands/load_authorities.c
+++ b/src/swanctl/commands/load_authorities.c
@@ -86,18 +86,18 @@ static bool add_key_values(vici_req_t *req, settings_t *cfg, char *section)
 	enumerator = cfg->create_key_value_enumerator(cfg, section);
 	while (enumerator->enumerate(enumerator, &key, &value))
 	{
-		/* pool subnet is encoded as key/value, all other attributes as list */
 		if (streq(key, "cacert"))
 		{
 			ret = add_file_key_value(req, key, value);
 		}
-		else if (streq(key, "cert_uri_base"))
+		else if (streq(key, "crl_uris") ||
+				 streq(key, "ocsp_uris"))
 		{
-			vici_add_key_valuef(req, key, "%s", value);
+			add_list_key(req, key, value);
 		}
 		else
 		{
-			add_list_key(req, key, value);
+			vici_add_key_valuef(req, key, "%s", value);
 		}
 		if (!ret)
 		{
diff --git a/src/swanctl/commands/load_conns.c b/src/swanctl/commands/load_conns.c
index 2e443a9..0518ef5 100644
--- a/src/swanctl/commands/load_conns.c
+++ b/src/swanctl/commands/load_conns.c
@@ -38,6 +38,7 @@ static bool is_list_key(char *key)
 		"vips",
 		"pools",
 		"groups",
+		"cert_policy",
 	};
 	int i;
 
@@ -97,7 +98,7 @@ static void add_list_key(vici_req_t *req, char *key, char *value)
 static bool add_file_list_key(vici_req_t *req, char *key, char *value)
 {
 	enumerator_t *enumerator;
-	chunk_t *map;
+	chunk_t *map, blob;
 	char *token, buf[PATH_MAX];
 	bool ret = TRUE;
 
@@ -105,41 +106,51 @@ static bool add_file_list_key(vici_req_t *req, char *key, char *value)
 	enumerator = enumerator_create_token(value, ",", " ");
 	while (enumerator->enumerate(enumerator, &token))
 	{
-		if (!path_absolute(token))
+		if (strcasepfx(token, "0x") || strcasepfx(token, "0s"))
 		{
-			if (streq(key, "certs"))
+			blob = chunk_from_str(token + 2);
+			blob = strcasepfx(token, "0x") ? chunk_from_hex(blob, NULL)
+										   : chunk_from_base64(blob, NULL);
+			vici_add_list_item(req, blob.ptr, blob.len);
+			chunk_free(&blob);
+		}
+		else
+		{
+			if (!path_absolute(token))
 			{
-				snprintf(buf, sizeof(buf), "%s%s%s",
-						 SWANCTL_X509DIR, DIRECTORY_SEPARATOR, token);
-				token = buf;
+				if (streq(key, "certs"))
+				{
+					snprintf(buf, sizeof(buf), "%s%s%s",
+							 SWANCTL_X509DIR, DIRECTORY_SEPARATOR, token);
+					token = buf;
+				}
+				else if (streq(key, "cacerts"))
+				{
+					snprintf(buf, sizeof(buf), "%s%s%s",
+							 SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, token);
+					token = buf;
+				}
+				else if (streq(key, "pubkeys"))
+				{
+					snprintf(buf, sizeof(buf), "%s%s%s",
+							 SWANCTL_PUBKEYDIR, DIRECTORY_SEPARATOR, token);
+					token = buf;
+				}
 			}
-			else if (streq(key, "cacerts"))
+			map = chunk_map(token, FALSE);
+			if (map)
 			{
-				snprintf(buf, sizeof(buf), "%s%s%s",
-						 SWANCTL_X509CADIR, DIRECTORY_SEPARATOR, token);
-				token = buf;
+				vici_add_list_item(req, map->ptr, map->len);
+				chunk_unmap(map);
 			}
-			else if (streq(key, "pubkeys"))
+			else
 			{
-				snprintf(buf, sizeof(buf), "%s%s%s",
-						 SWANCTL_PUBKEYDIR, DIRECTORY_SEPARATOR, token);
-				token = buf;
+				fprintf(stderr, "loading %s certificate '%s' failed: %s\n",
+						key, token, strerror(errno));
+				ret = FALSE;
+				break;
 			}
 		}
-
-		map = chunk_map(token, FALSE);
-		if (map)
-		{
-			vici_add_list_item(req, map->ptr, map->len);
-			chunk_unmap(map);
-		}
-		else
-		{
-			fprintf(stderr, "loading %s certificate '%s' failed: %s\n",
-					key, token, strerror(errno));
-			ret = FALSE;
-			break;
-		}
 	}
 	enumerator->destroy(enumerator);
 	vici_end_list(req);
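Review bot: The new `0x`/`0s` branch in add_file_list_key adds whatever chunk_from_hex or chunk_from_base64 returns to the request without any check, whereas the file branch reports an error and sets `ret = FALSE` when loading fails. An empty value such as a bare `0x` is therefore sent to the daemon as an empty certificate item, and the user gets no diagnostic from swanctl. Checking the decoded length, as below, gives the inline form the same failure path. How the decoders treat invalid digits is not visible here, so malformed input may need a separate check. The function starts and ends outside this hunk.

```c
			blob = strcasepfx(token, "0x") ? chunk_from_hex(blob, NULL)
										   : chunk_from_base64(blob, NULL);
			if (!blob.len)
			{
				fprintf(stderr, "decoding inline %s value '%s' failed\n",
						key, token);
				chunk_free(&blob);
				ret = FALSE;
				break;
			}
			vici_add_list_item(req, blob.ptr, blob.len);
			/* … unchanged: chunk_free(&blob) and the file-path branch … */
```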
diff --git a/src/swanctl/commands/load_creds.c b/src/swanctl/commands/load_creds.c
index 6278f66..848d851 100644
--- a/src/swanctl/commands/load_creds.c
+++ b/src/swanctl/commands/load_creds.c
@@ -1,11 +1,11 @@
 /*
- * Copyright (C) 2014 Martin Willi
- * Copyright (C) 2014 revosec AG
- *
  * Copyright (C) 2016 Tobias Brunner
  * Copyright (C) 2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
+ * Copyright (C) 2014 Martin Willi
+ * Copyright (C) 2014 revosec AG
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -30,15 +30,35 @@
 #include <credentials/sets/mem_cred.h>
 #include <credentials/sets/callback_cred.h>
 #include <credentials/containers/pkcs12.h>
+#include <collections/hashtable.h>
 
 #include <vici_cert_info.h>
 
+#define HASH_SIZE_SHA1_HEX (2 * HASH_SIZE_SHA1)
+
+/**
+ * Context used to track loaded secrets
+ */
+typedef struct {
+	/** vici connection */
+	vici_conn_t *conn;
+	/** format options */
+	command_format_options_t format;
+	/** read setting */
+	settings_t *cfg;
+	/** don't prompt user for password */
+	bool noprompt;
+	/** list of key ids of loaded private keys */
+	hashtable_t *keys;
+	/** list of unique ids of loaded shared keys */
+	hashtable_t *shared;
+} load_ctx_t;
+
 /**
  * Load a single certificate over vici
  */
-static bool load_cert(vici_conn_t *conn, command_format_options_t format,
-					  char *dir, certificate_type_t type, x509_flag_t flag,
-					  chunk_t data)
+static bool load_cert(load_ctx_t *ctx, char *dir, certificate_type_t type,
+					  x509_flag_t flag, chunk_t data)
 {
 	vici_req_t *req;
 	vici_res_t *res;
@@ -53,15 +73,15 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
 	}
 	vici_add_key_value(req, "data", data.ptr, data.len);
 
-	res = vici_submit(req, conn);
+	res = vici_submit(req, ctx->conn);
 	if (!res)
 	{
 		fprintf(stderr, "load-cert request failed: %s\n", strerror(errno));
 		return FALSE;
 	}
-	if (format & COMMAND_FORMAT_RAW)
+	if (ctx->format & COMMAND_FORMAT_RAW)
 	{
-		vici_dump(res, "load-cert reply", format & COMMAND_FORMAT_PRETTY,
+		vici_dump(res, "load-cert reply", ctx->format & COMMAND_FORMAT_PRETTY,
 				  stdout);
 	}
 	else if (!streq(vici_find_str(res, "no", "success"), "yes"))
@@ -81,8 +101,7 @@ static bool load_cert(vici_conn_t *conn, command_format_options_t format,
 /**
  * Load certficiates from a directory
  */
-static void load_certs(vici_conn_t *conn, command_format_options_t format,
-					   char *type_str, char *dir)
+static void load_certs(load_ctx_t *ctx, char *type_str, char *dir)
 {
 	enumerator_t *enumerator;
 	certificate_type_t type;
@@ -103,7 +122,7 @@ static void load_certs(vici_conn_t *conn, command_format_options_t format,
 				map = chunk_map(path, FALSE);
 				if (map)
 				{
-					load_cert(conn, format, path, type, flag, *map);
+					load_cert(ctx, path, type, flag, *map);
 					chunk_unmap(map);
 				}
 				else
@@ -120,8 +139,7 @@ static void load_certs(vici_conn_t *conn, command_format_options_t format,
 /**
  * Load a single private key over vici
  */
-static bool load_key(vici_conn_t *conn, command_format_options_t format,
-					 char *dir, char *type, chunk_t data)
+static bool load_key(load_ctx_t *ctx, char *dir, char *type, chunk_t data)
 {
 	vici_req_t *req;
 	vici_res_t *res;
@@ -140,15 +158,15 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format,
 	}
 	vici_add_key_value(req, "data", data.ptr, data.len);
 
-	res = vici_submit(req, conn);
+	res = vici_submit(req, ctx->conn);
 	if (!res)
 	{
 		fprintf(stderr, "load-key request failed: %s\n", strerror(errno));
 		return FALSE;
 	}
-	if (format & COMMAND_FORMAT_RAW)
+	if (ctx->format & COMMAND_FORMAT_RAW)
 	{
-		vici_dump(res, "load-key reply", format & COMMAND_FORMAT_PRETTY,
+		vici_dump(res, "load-key reply", ctx->format & COMMAND_FORMAT_PRETTY,
 				  stdout);
 	}
 	else if (!streq(vici_find_str(res, "no", "success"), "yes"))
@@ -168,11 +186,12 @@ static bool load_key(vici_conn_t *conn, command_format_options_t format,
 /**
  * Load a private key of any type to vici
  */
-static bool load_key_anytype(vici_conn_t *conn, command_format_options_t format,
-							 char *path, private_key_t *private)
+static bool load_key_anytype(load_ctx_t *ctx, char *path,
+							 private_key_t *private)
 {
 	bool loaded = FALSE;
-	chunk_t encoding;
+	chunk_t encoding, keyid;
+	char hex[HASH_SIZE_SHA1_HEX + 1];
 
 	if (!private->get_encoding(private, PRIVKEY_ASN1_DER, &encoding))
 	{
@@ -182,18 +201,25 @@ static bool load_key_anytype(vici_conn_t *conn, command_format_options_t format,
 	switch (private->get_type(private))
 	{
 		case KEY_RSA:
-			loaded = load_key(conn, format, path, "rsa", encoding);
+			loaded = load_key(ctx, path, "rsa", encoding);
 			break;
 		case KEY_ECDSA:
-			loaded = load_key(conn, format, path, "ecdsa", encoding);
+			loaded = load_key(ctx, path, "ecdsa", encoding);
 			break;
 		case KEY_BLISS:
-			loaded = load_key(conn, format, path, "bliss", encoding);
+			loaded = load_key(ctx, path, "bliss", encoding);
 			break;
 		default:
 			fprintf(stderr, "unsupported key type in '%s'\n", path);
 			break;
 	}
+
+	if (loaded &&
+		private->get_fingerprint(private, KEYID_PUBKEY_SHA1, &keyid) &&
+		snprintf(hex, sizeof(hex), "%+B", &keyid) == HASH_SIZE_SHA1_HEX)
+	{
+		free(ctx->keys->remove(ctx->keys, hex));
+	}
 	chunk_clear(&encoding);
 	return loaded;
 }
@@ -312,7 +338,7 @@ static void* decrypt(char *name, char *type, chunk_t encoding)
 /**
  * Try to parse a potentially encrypted credential using configured secret
  */
-static void* decrypt_with_config(settings_t *cfg, char *name, char *type,
+static void* decrypt_with_config(load_ctx_t *ctx, char *name, char *type,
 								 chunk_t encoding)
 {
 	credential_type_t credtype;
@@ -329,16 +355,16 @@ static void* decrypt_with_config(settings_t *cfg, char *name, char *type,
 	}
 
 	/* load all secrets for this key type */
-	enumerator = cfg->create_section_enumerator(cfg, "secrets");
+	enumerator = ctx->cfg->create_section_enumerator(ctx->cfg, "secrets");
 	while (enumerator->enumerate(enumerator, &section))
 	{
 		if (strpfx(section, type))
 		{
-			file = cfg->get_str(cfg, "secrets.%s.file", NULL, section);
+			file = ctx->cfg->get_str(ctx->cfg, "secrets.%s.file", NULL, section);
 			if (file && strcaseeq(file, name))
 			{
 				snprintf(buf, sizeof(buf), "secrets.%s", section);
-				secrets = cfg->create_key_value_enumerator(cfg, buf);
+				secrets = ctx->cfg->create_key_value_enumerator(ctx->cfg, buf);
 				while (secrets->enumerate(secrets, &key, &value))
 				{
 					if (strpfx(key, "secret"))
@@ -382,22 +408,20 @@ static void* decrypt_with_config(settings_t *cfg, char *name, char *type,
 /**
  * Try to decrypt and load a private key
  */
-static bool load_encrypted_key(vici_conn_t *conn,
-							   command_format_options_t format, settings_t *cfg,
-							   char *rel, char *path, char *type, bool noprompt,
-							   chunk_t data)
+static bool load_encrypted_key(load_ctx_t *ctx,  char *rel, char *path,
+							   char *type, chunk_t data)
 {
 	private_key_t *private;
 	bool loaded = FALSE;
 
-	private = decrypt_with_config(cfg, rel, type, data);
-	if (!private && !noprompt)
+	private = decrypt_with_config(ctx, rel, type, data);
+	if (!private && !ctx->noprompt)
 	{
 		private = decrypt(rel, type, data);
 	}
 	if (private)
 	{
-		loaded = load_key_anytype(conn, format, path, private);
+		loaded = load_key_anytype(ctx, path, private);
 		private->destroy(private);
 	}
 	return loaded;
@@ -406,8 +430,7 @@ static bool load_encrypted_key(vici_conn_t *conn,
 /**
  * Load private keys from a directory
  */
-static void load_keys(vici_conn_t *conn, command_format_options_t format,
-					  bool noprompt, settings_t *cfg, char *type, char *dir)
+static void load_keys(load_ctx_t *ctx, char *type, char *dir)
 {
 	enumerator_t *enumerator;
 	struct stat st;
@@ -424,10 +447,9 @@ static void load_keys(vici_conn_t *conn, command_format_options_t format,
 				map = chunk_map(path, FALSE);
 				if (map)
 				{
-					if (!load_encrypted_key(conn, format, cfg, rel, path, type,
-											noprompt, *map))
+					if (!load_encrypted_key(ctx, rel, path, type, *map))
 					{
-						load_key(conn, format, path, type, *map);
+						load_key(ctx, path, type, *map);
 					}
 					chunk_unmap(map);
 				}
@@ -445,8 +467,7 @@ static void load_keys(vici_conn_t *conn, command_format_options_t format,
 /**
  * Load credentials from a PKCS#12 container over vici
  */
-static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format,
-						char *path, pkcs12_t *p12)
+static bool load_pkcs12(load_ctx_t *ctx, char *path, pkcs12_t *p12)
 {
 	enumerator_t *enumerator;
 	certificate_t *cert;
@@ -460,8 +481,7 @@ static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format,
 		loaded = FALSE;
 		if (cert->get_encoding(cert, CERT_ASN1_DER, &encoding))
 		{
-			loaded = load_cert(conn, format, path, CERT_X509, X509_NONE,
-							   encoding);
+			loaded = load_cert(ctx, path, CERT_X509, X509_NONE, encoding);
 			if (loaded)
 			{
 				fprintf(stderr, "  %Y\n", cert->get_subject(cert));
@@ -478,7 +498,7 @@ static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format,
 	enumerator = p12->create_key_enumerator(p12);
 	while (loaded && enumerator->enumerate(enumerator, &private))
 	{
-		loaded = load_key_anytype(conn, format, path, private);
+		loaded = load_key_anytype(ctx, path, private);
 	}
 	enumerator->destroy(enumerator);
 
@@ -488,15 +508,14 @@ static bool load_pkcs12(vici_conn_t *conn, command_format_options_t format,
 /**
  * Try to decrypt and load credentials from a container
  */
-static bool load_encrypted_container(vici_conn_t *conn,
-					command_format_options_t format, settings_t *cfg, char *rel,
-					char *path, char *type, bool noprompt, chunk_t data)
+static bool load_encrypted_container(load_ctx_t *ctx, char *rel, char *path,
+									 char *type, chunk_t data)
 {
 	container_t *container;
 	bool loaded = FALSE;
 
-	container = decrypt_with_config(cfg, rel, type, data);
-	if (!container && !noprompt)
+	container = decrypt_with_config(ctx, rel, type, data);
+	if (!container && !ctx->noprompt)
 	{
 		container = decrypt(rel, type, data);
 	}
@@ -505,7 +524,7 @@ static bool load_encrypted_container(vici_conn_t *conn,
 		switch (container->get_type(container))
 		{
 			case CONTAINER_PKCS12:
-				loaded = load_pkcs12(conn, format, path, (pkcs12_t*)container);
+				loaded = load_pkcs12(ctx, path, (pkcs12_t*)container);
 				break;
 			default:
 				break;
@@ -518,8 +537,7 @@ static bool load_encrypted_container(vici_conn_t *conn,
 /**
  * Load credential containers from a directory
  */
-static void load_containers(vici_conn_t *conn, command_format_options_t format,
-						bool noprompt, settings_t *cfg, char *type, char *dir)
+static void load_containers(load_ctx_t *ctx, char *type, char *dir)
 {
 	enumerator_t *enumerator;
 	struct stat st;
@@ -536,8 +554,7 @@ static void load_containers(vici_conn_t *conn, command_format_options_t format,
 				map = chunk_map(path, FALSE);
 				if (map)
 				{
-					load_encrypted_container(conn, format, cfg, rel, path,
-											 type, noprompt, *map);
+					load_encrypted_container(ctx, rel, path, type, *map);
 					chunk_unmap(map);
 				}
 				else
@@ -552,10 +569,96 @@ static void load_containers(vici_conn_t *conn, command_format_options_t format,
 }
 
 /**
+ * Load a single private key on a token over vici
+ */
+static bool load_token(load_ctx_t *ctx, char *name, char *pin)
+{
+	vici_req_t *req;
+	vici_res_t *res;
+	enumerator_t *enumerator;
+	char *key, *value, *id;
+	bool ret = TRUE;
+
+	req = vici_begin("load-token");
+
+	enumerator = ctx->cfg->create_key_value_enumerator(ctx->cfg, "secrets.%s",
+													   name);
+	while (enumerator->enumerate(enumerator, &key, &value))
+	{
+		vici_add_key_valuef(req, key, "%s", value);
+	}
+	enumerator->destroy(enumerator);
+
+	if (pin)
+	{
+		vici_add_key_valuef(req, "pin", "%s", pin);
+	}
+	res = vici_submit(req, ctx->conn);
+	if (!res)
+	{
+		fprintf(stderr, "load-token request failed: %s\n", strerror(errno));
+		return FALSE;
+	}
+	if (ctx->format & COMMAND_FORMAT_RAW)
+	{
+		vici_dump(res, "load-token reply", ctx->format & COMMAND_FORMAT_PRETTY,
+				  stdout);
+	}
+	else if (!streq(vici_find_str(res, "no", "success"), "yes"))
+	{
+		fprintf(stderr, "loading '%s' failed: %s\n",
+				name, vici_find_str(res, "", "errmsg"));
+		ret = FALSE;
+	}
+	else
+	{
+		id = vici_find_str(res, "", "id");
+		printf("loaded key %s from token [keyid: %s]\n", name, id);
+		free(ctx->keys->remove(ctx->keys, id));
+	}
+	vici_free_res(res);
+	return ret;
+}
+
+/**
+ * Load keys from tokens
+ */
+static void load_tokens(load_ctx_t *ctx)
+{
+	enumerator_t *enumerator;
+	char *section, *pin = NULL, prompt[128];
+
+	enumerator = ctx->cfg->create_section_enumerator(ctx->cfg, "secrets");
+	while (enumerator->enumerate(enumerator, &section))
+	{
+		if (strpfx(section, "token"))
+		{
+			if (!ctx->noprompt &&
+				!ctx->cfg->get_str(ctx->cfg, "secrets.%s.pin", NULL, section))
+			{
+#ifdef HAVE_GETPASS
+				snprintf(prompt, sizeof(prompt), "PIN for %s: ", section);
+				pin = strdupnull(getpass(prompt));
+#endif
+			}
+			load_token(ctx, section, pin);
+			if (pin)
+			{
+				memwipe(pin, strlen(pin));
+				free(pin);
+				pin = NULL;
+			}
+		}
+	}
+	enumerator->destroy(enumerator);
+}
+
+
+
+/**
  * Load a single secret over VICI
  */
-static bool load_secret(vici_conn_t *conn, settings_t *cfg,
-						char *section, command_format_options_t format)
+static bool load_secret(load_ctx_t *ctx, char *section)
 {
 	enumerator_t *enumerator;
 	vici_req_t *req;
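Review bot: In load_tokens the PIN read with getpass() is duplicated and only the copy is wiped after load_token returns. getpass() returns a pointer to a static buffer, so the PIN remains in process memory there. Wiping the source right after copying closes that gap: `char *entered = getpass(prompt); pin = strdupnull(entered);` followed by `if (entered) memwipe(entered, strlen(entered));`. load_token also formats the PIN into the vici request with vici_add_key_valuef, and whether that request buffer is cleared when freed is not visible in this hunk, so it is worth confirming. The result of load_token is ignored at the call site, so a failed token load is reported on stderr only.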
@@ -567,6 +670,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
 	char *types[] = {
 		"eap",
 		"xauth",
+		"ntlm",
 		"ike",
 		"private",
 		"rsa",
@@ -574,6 +678,7 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
 		"bliss",
 		"pkcs8",
 		"pkcs12",
+		"token",
 	};
 
 	for (i = 0; i < countof(types); i++)
@@ -589,12 +694,13 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
 		fprintf(stderr, "ignoring unsupported secret '%s'\n", section);
 		return FALSE;
 	}
-	if (!streq(type, "eap") && !streq(type, "xauth") && !streq(type, "ike"))
+	if (!streq(type, "eap") && !streq(type, "xauth") && !streq(type, "ntlm") &&
+		!streq(type, "ike"))
 	{	/* skip non-shared secrets */
 		return TRUE;
 	}
 
-	value = cfg->get_str(cfg, "secrets.%s.secret", NULL, section);
+	value = ctx->cfg->get_str(ctx->cfg, "secrets.%s.secret", NULL, section);
 	if (!value)
 	{
 		fprintf(stderr, "missing secret in '%s', ignored\n", section);
@@ -615,13 +721,14 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
 
 	req = vici_begin("load-shared");
 
+	vici_add_key_valuef(req, "id", "%s", section);
 	vici_add_key_valuef(req, "type", "%s", type);
 	vici_add_key_value(req, "data", data.ptr, data.len);
 	chunk_clear(&data);
 
 	vici_begin_list(req, "owners");
 	snprintf(buf, sizeof(buf), "secrets.%s", section);
-	enumerator = cfg->create_key_value_enumerator(cfg, buf);
+	enumerator = ctx->cfg->create_key_value_enumerator(ctx->cfg, buf);
 	while (enumerator->enumerate(enumerator, &key, &value))
 	{
 		if (strpfx(key, "id"))
@@ -632,15 +739,15 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
 	enumerator->destroy(enumerator);
 	vici_end_list(req);
 
-	res = vici_submit(req, conn);
+	res = vici_submit(req, ctx->conn);
 	if (!res)
 	{
 		fprintf(stderr, "load-shared request failed: %s\n", strerror(errno));
 		return FALSE;
 	}
-	if (format & COMMAND_FORMAT_RAW)
+	if (ctx->format & COMMAND_FORMAT_RAW)
 	{
-		vici_dump(res, "load-shared reply", format & COMMAND_FORMAT_PRETTY,
+		vici_dump(res, "load-shared reply", ctx->format & COMMAND_FORMAT_PRETTY,
 				  stdout);
 	}
 	else if (!streq(vici_find_str(res, "no", "success"), "yes"))
@@ -653,10 +760,111 @@ static bool load_secret(vici_conn_t *conn, settings_t *cfg,
 	{
 		printf("loaded %s secret '%s'\n", type, section);
 	}
+	if (ret)
+	{
+		free(ctx->shared->remove(ctx->shared, section));
+	}
 	vici_free_res(res);
 	return ret;
 }
 
+CALLBACK(get_id, int,
+	hashtable_t *ht, vici_res_t *res, char *name, void *value, int len)
+{
+	if (streq(name, "keys"))
+	{
+		char *str;
+
+		if (asprintf(&str, "%.*s", len, value) != -1)
+		{
+			free(ht->put(ht, str, str));
+		}
+	}
+	return 0;
+}
+
+/**
+ * Get a list of currently loaded private and shared keys
+ */
+static void get_creds(load_ctx_t *ctx)
+{
+	vici_res_t *res;
+
+	res = vici_submit(vici_begin("get-keys"), ctx->conn);
+	if (res)
+	{
+		if (ctx->format & COMMAND_FORMAT_RAW)
+		{
+			vici_dump(res, "get-keys reply", ctx->format & COMMAND_FORMAT_PRETTY,
+					  stdout);
+		}
+		vici_parse_cb(res, NULL, NULL, get_id, ctx->keys);
+		vici_free_res(res);
+	}
+	res = vici_submit(vici_begin("get-shared"), ctx->conn);
+	if (res)
+	{
+		if (ctx->format & COMMAND_FORMAT_RAW)
+		{
+			vici_dump(res, "get-shared reply", ctx->format & COMMAND_FORMAT_PRETTY,
+					  stdout);
+		}
+		vici_parse_cb(res, NULL, NULL, get_id, ctx->shared);
+		vici_free_res(res);
+	}
+}
+
+/**
+ * Remove a given key
+ */
+static bool unload_key(load_ctx_t *ctx, char *command, char *id)
+{
+	vici_req_t *req;
+	vici_res_t *res;
+	char buf[BUF_LEN];
+	bool ret = TRUE;
+
+	req = vici_begin(command);
+
+	vici_add_key_valuef(req, "id", "%s", id);
+
+	res = vici_submit(req, ctx->conn);
+	if (!res)
+	{
+		fprintf(stderr, "%s request failed: %s\n", command, strerror(errno));
+		return FALSE;
+	}
+	if (ctx->format & COMMAND_FORMAT_RAW)
+	{
+		snprintf(buf, sizeof(buf), "%s reply", command);
+		vici_dump(res, buf, ctx->format & COMMAND_FORMAT_PRETTY, stdout);
+	}
+	else if (!streq(vici_find_str(res, "no", "success"), "yes"))
+	{
+		fprintf(stderr, "unloading key '%s' failed: %s\n",
+				id, vici_find_str(res, "", "errmsg"));
+		ret = FALSE;
+	}
+	vici_free_res(res);
+	return ret;
+}
+
+/**
+ * Remove all keys in the given hashtable using the given command
+ */
+static void unload_keys(load_ctx_t *ctx, hashtable_t *ht, char *command)
+{
+	enumerator_t *enumerator;
+	char *id;
+
+	enumerator = ht->create_enumerator(ht);
+	while (enumerator->enumerate(enumerator, &id, NULL))
+	{
+		unload_key(ctx, command, id);
+	}
+	enumerator->destroy(enumerator);
+}
+
 /**
  * Clear all currently loaded credentials
  */
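Review bot: A failed step in the new stale-credential cleanup is not reflected in any result: `unload_keys()` discards the `bool` returned by `unload_key()`, and `get_creds()` skips a failed `get-keys` or `get-shared` request without a message. A key or secret that was removed from swanctl.conf can therefore stay loaded in the daemon, with at most a line on stderr. The later hunk in `load_creds_cfg()` still ends in `return 0;` after both `unload_keys()` calls, so a script checking the exit status cannot detect this. I would have `unload_keys()` accumulate a result, e.g. `success = unload_key(ctx, command, id) && success;`, and let `load_creds_cfg()` return non-zero when it is false. In raw mode `unload_key()` also never inspects the reply's `success` field, so `ret` stays `TRUE` there.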
@@ -687,6 +895,14 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
 {
 	enumerator_t *enumerator;
 	char *section;
+	load_ctx_t ctx = {
+		.conn = conn,
+		.format = format,
+		.noprompt = noprompt,
+		.cfg = cfg,
+		.keys = hashtable_create(hashtable_hash_str, hashtable_equals_str, 8),
+		.shared = hashtable_create(hashtable_hash_str, hashtable_equals_str, 8),
+	};
 
 	if (clear)
 	{
@@ -696,29 +912,38 @@ int load_creds_cfg(vici_conn_t *conn, command_format_options_t format,
 		}
 	}
 
-	load_certs(conn, format, "x509",     SWANCTL_X509DIR);
-	load_certs(conn, format, "x509ca",   SWANCTL_X509CADIR);
-	load_certs(conn, format, "x509ocsp", SWANCTL_X509OCSPDIR);
-	load_certs(conn, format, "x509aa",   SWANCTL_X509AADIR);
-	load_certs(conn, format, "x509ac",   SWANCTL_X509ACDIR);
-	load_certs(conn, format, "x509crl",  SWANCTL_X509CRLDIR);
-	load_certs(conn, format, "pubkey",   SWANCTL_PUBKEYDIR);
+	get_creds(&ctx);
+
+	load_certs(&ctx, "x509",     SWANCTL_X509DIR);
+	load_certs(&ctx, "x509ca",   SWANCTL_X509CADIR);
+	load_certs(&ctx, "x509ocsp", SWANCTL_X509OCSPDIR);
+	load_certs(&ctx, "x509aa",   SWANCTL_X509AADIR);
+	load_certs(&ctx, "x509ac",   SWANCTL_X509ACDIR);
+	load_certs(&ctx, "x509crl",  SWANCTL_X509CRLDIR);
+	load_certs(&ctx, "pubkey",   SWANCTL_PUBKEYDIR);
 
-	load_keys(conn, format, noprompt, cfg, "private", SWANCTL_PRIVATEDIR);
-	load_keys(conn, format, noprompt, cfg, "rsa",     SWANCTL_RSADIR);
-	load_keys(conn, format, noprompt, cfg, "ecdsa",   SWANCTL_ECDSADIR);
-	load_keys(conn, format, noprompt, cfg, "bliss",   SWANCTL_BLISSDIR);
-	load_keys(conn, format, noprompt, cfg, "pkcs8",   SWANCTL_PKCS8DIR);
+	load_keys(&ctx, "private", SWANCTL_PRIVATEDIR);
+	load_keys(&ctx, "rsa",     SWANCTL_RSADIR);
+	load_keys(&ctx, "ecdsa",   SWANCTL_ECDSADIR);
+	load_keys(&ctx, "bliss",   SWANCTL_BLISSDIR);
+	load_keys(&ctx, "pkcs8",   SWANCTL_PKCS8DIR);
 
-	load_containers(conn, format, noprompt, cfg, "pkcs12", SWANCTL_PKCS12DIR);
+	load_containers(&ctx, "pkcs12", SWANCTL_PKCS12DIR);
+
+	load_tokens(&ctx);
 
 	enumerator = cfg->create_section_enumerator(cfg, "secrets");
 	while (enumerator->enumerate(enumerator, &section))
 	{
-		load_secret(conn, cfg, section, format);
+		load_secret(&ctx, section);
 	}
 	enumerator->destroy(enumerator);
 
+	unload_keys(&ctx, ctx.keys, "unload-key");
+	unload_keys(&ctx, ctx.shared, "unload-shared");
+
+	ctx.keys->destroy_function(ctx.keys, (void*)free);
+	ctx.shared->destroy_function(ctx.shared, (void*)free);
 	return 0;
 }
 
diff --git a/src/swanctl/commands/rekey.c b/src/swanctl/commands/rekey.c
new file mode 100644
index 0000000..47a3136
--- /dev/null
+++ b/src/swanctl/commands/rekey.c
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2017 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "command.h"
+
+#include <errno.h>
+
+static int rekey(vici_conn_t *conn)
+{
+	vici_req_t *req;
+	vici_res_t *res;
+	command_format_options_t format = COMMAND_FORMAT_NONE;
+	char *arg, *child = NULL, *ike = NULL;
+	int ret = 0, child_id = 0, ike_id = 0;
+
+	while (TRUE)
+	{
+		switch (command_getopt(&arg))
+		{
+			case 'h':
+				return command_usage(NULL);
+			case 'P':
+				format |= COMMAND_FORMAT_PRETTY;
+				/* fall through to raw */
+			case 'r':
+				format |= COMMAND_FORMAT_RAW;
+				continue;
+			case 'c':
+				child = arg;
+				continue;
+			case 'i':
+				ike = arg;
+				continue;
+			case 'C':
+				child_id = atoi(arg);
+				continue;
+			case 'I':
+				ike_id = atoi(arg);
+				continue;
+			case EOF:
+				break;
+			default:
+				return command_usage("invalid --rekey option");
+		}
+		break;
+	}
+
+	req = vici_begin("rekey");
+	if (child)
+	{
+		vici_add_key_valuef(req, "child", "%s", child);
+	}
+	if (ike)
+	{
+		vici_add_key_valuef(req, "ike", "%s", ike);
+	}
+	if (child_id)
+	{
+		vici_add_key_valuef(req, "child-id", "%d", child_id);
+	}
+	if (ike_id)
+	{
+		vici_add_key_valuef(req, "ike-id", "%d", ike_id);
+	}
+	res = vici_submit(req, conn);
+	if (!res)
+	{
+		ret = errno;
+		fprintf(stderr, "rekey request failed: %s\n", strerror(errno));
+		return ret;
+	}
+	if (format & COMMAND_FORMAT_RAW)
+	{
+		vici_dump(res, "rekey reply", format & COMMAND_FORMAT_PRETTY,
+				  stdout);
+	}
+	else
+	{
+		if (streq(vici_find_str(res, "no", "success"), "yes"))
+		{
+			printf("rekey completed successfully\n");
+		}
+		else
+		{
+			fprintf(stderr, "rekey failed: %s\n",
+					vici_find_str(res, "", "errmsg"));
+			ret = 1;
+		}
+	}
+	vici_free_res(res);
+	return ret;
+}
+
+/**
+ * Register the command.
+ */
+static void __attribute__ ((constructor))reg()
+{
+	command_register((command_t) {
+		rekey, 'R', "rekey", "rekey an SA",
+		{"--child <name> | --ike <name | --child-id <id> | --ike-id <id>",
+		 "[--raw|--pretty]"},
+		{
+			{"help",		'h', 0, "show usage information"},
+			{"child",		'c', 1, "rekey by CHILD_SA name"},
+			{"ike",			'i', 1, "rekey by IKE_SA name"},
+			{"child-id",	'C', 1, "rekey by CHILD_SA unique identifier"},
+			{"ike-id",		'I', 1, "rekey by IKE_SA unique identifier"},
+			{"raw",			'r', 0, "dump raw response message"},
+			{"pretty",		'P', 0, "dump raw response message in pretty print"},
+		}
+	});
+}
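Review bot: The `'C'` and `'I'` cases parse the identifier with `atoi(arg)` and never validate it, so a non-numeric or zero value becomes 0 and the later `if (child_id)` / `if (ike_id)` checks drop that selector without any message. When a name is given together with a mistyped id, the request goes out keyed on the name alone, which presumably matches more SAs than the operator intended (the daemon-side handling is not visible here). I would parse with `strtol()` plus an end-pointer check and reject bad input, e.g. `return command_usage("invalid --ike-id value");`, and also refuse to submit when no selector was given at all. The usage string has an unbalanced `--ike <name` as well.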
diff --git a/src/swanctl/swanctl.8.in b/src/swanctl/swanctl.8.in
index 9c5a5a0..391fe48 100644
--- a/src/swanctl/swanctl.8.in
+++ b/src/swanctl/swanctl.8.in
@@ -40,6 +40,9 @@ initiate a connection
 .B "\-t, \-\-terminate"
 terminate a connection
 .TP
+.B "\-R, \-\-rekey"
+rekey an SA
+.TP
 .B "\-d, \-\-redirect"
 redirect an IKE_SA
 .TP
diff --git a/src/swanctl/swanctl.conf b/src/swanctl/swanctl.conf
index eb46005..789b128 100644
--- a/src/swanctl/swanctl.conf
+++ b/src/swanctl/swanctl.conf
@@ -31,6 +31,10 @@
         # Set the Mode Config mode to use.
         # pull = yes
 
+        # Differentiated Services Field Codepoint to set on outgoing IKE packets
+        # (six binary digits).
+        # dscp = 000000
+
         # Enforce UDP encapsulation by faking NAT-D payloads.
         # encap = no
 
@@ -73,6 +77,15 @@
         # Comma separated list of named IP pools.
         # pools =
 
+        # Whether this connection is a mediation connection.
+        # mediation = no
+
+        # The name of the connection to mediate this connection through.
+        # mediated_by =
+
+        # Identity under which the peer is registered at the mediation server.
+        # mediation_peer =
+
         # Section for a local authentication round.
         # local<suffix> {
 
@@ -85,6 +98,9 @@
             # authentication.
             # certs =
 
+            # Section for a certificate candidate to use for authentication.
+            # cert<suffix> =
+
             # Comma separated list of raw public key candidates to use for
             # authentication.
             # pubkeys =
@@ -106,6 +122,22 @@
             # Client XAuth username used in the XAuth exchange.
             # xauth_id = id
 
+            # cert<suffix> {
+
+                # Absolute path to the certificate to load.
+                # file =
+
+                # Hex-encoded CKA_ID of the certificate on a token.
+                # handle =
+
+                # Optional slot number of the token that stores the certificate.
+                # slot =
+
+                # Optional PKCS#11 module name.
+                # module =
+
+            # }
+
         # }
 
         # Section for a remote authentication round.
@@ -122,13 +154,22 @@
             # Authorization group memberships to require.
             # groups =
 
+            # Certificate policy OIDs the peer's certificate must have.
+            # cert_policy =
+
             # Comma separated list of certificate to accept for authentication.
             # certs =
 
+            # Section for a certificate to accept for authentication.
+            # cert<suffix> =
+
             # Comma separated list of CA certificates to accept for
             # authentication.
             # cacerts =
 
+            # Section for a CA certificate to accept for authentication.
+            # cacert<suffix> =
+
             # Comma separated list of raw public keys to accept for
             # authentication.
             # pubkeys =
@@ -140,6 +181,39 @@
             # or eap[-method]).
             # auth = pubkey
 
+            # cert<suffix> {
+
+                # Absolute path to the certificate to load.
+                # file =
+
+                # Hex-encoded CKA_ID of the certificate on a token.
+                # handle =
+
+                # Optional slot number of the token that stores the certificate.
+                # slot =
+
+                # Optional PKCS#11 module name.
+                # module =
+
+            # }
+
+            # cacert<suffix> {
+
+                # Absolute path to the certificate to load.
+                # file =
+
+                # Hex-encoded CKA_ID of the CA certificate on a token.
+                # handle =
+
+                # Optional slot number of the token that stores the CA
+                # certificate.
+                # slot =
+
+                # Optional PKCS#11 module name.
+                # module =
+
+            # }
+
         # }
 
         # children {
@@ -194,8 +268,8 @@
                 # Hostaccess variable to pass to updown script.
                 # hostaccess = yes
 
-                # IPsec Mode to establish (tunnel, transport, beet, pass or
-                # drop).
+                # IPsec Mode to establish (tunnel, transport, transport_proxy,
+                # beet, pass or drop).
                 # mode = tunnel
 
                 # Whether to install IPsec policies or not.
@@ -270,6 +344,17 @@
 
     # }
 
+    # NTLM secret section for a specific secret.
+    # ntlm<suffix> {
+
+        # Value of the NTLM secret.
+        # secret =
+
+        # Identity the NTLM secret belongs to.
+        # id<suffix> =
+
+    # }
+
     # IKE preshared secret section for a specific secret.
     # ike<suffix> {
 
@@ -340,6 +425,24 @@
 
     # }
 
+    # Definition for a private key that's stored on a token/smartcard.
+    # token<suffix> {
+
+        # Hex-encoded CKA_ID of the private key on the token.
+        # handle =
+
+        # Optional slot number to access the token.
+        # slot =
+
+        # Optional PKCS#11 module name to access the token.
+        # module =
+
+        # Optional PIN required to access the key on the token. If none is
+        # provided the user is prompted during an interactive --load-creds call.
+        # pin =
+
+    # }
+
 # }
 
 # Section defining named pools.
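Review bot: The comment for `pin` in the new `token<suffix>` section does not mention that a PIN configured here sits in cleartext in swanctl.conf. The same text already explains that leaving it unset makes an interactive `--load-creds` call prompt for it, so I would add a line such as `# A PIN configured here is stored in cleartext; restrict read access to this file.` to make that trade-off explicit for unattended setups. The same caveat would fit the `secret` comment of the `ntlm<suffix>` section in the previous hunk, since the man page hunk describes that value as the NT hash of the actual secret.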
@@ -367,10 +470,22 @@
         # CA certificate belonging to the certification authority.
         # cacert =
 
-        # Comma-separated list of CRL distribution points
+        # Absolute path to the certificate to load.
+        # file =
+
+        # Hex-encoded CKA_ID of the CA certificate on a token.
+        # handle =
+
+        # Optional slot number of the token that stores the CA certificate.
+        # slot =
+
+        # Optional PKCS#11 module name.
+        # module =
+
+        # Comma-separated list of CRL distribution points.
         # crl_uris =
 
-        # Comma-separated list of OCSP URIs
+        # Comma-separated list of OCSP URIs.
         # ocsp_uris =
 
         # Defines the base URI for the Hash and URL feature supported by IKEv2.
diff --git a/src/swanctl/swanctl.conf.5.head.in b/src/swanctl/swanctl.conf.5.head.in
index 84f734e..5742d25 100644
--- a/src/swanctl/swanctl.conf.5.head.in
+++ b/src/swanctl/swanctl.conf.5.head.in
@@ -6,7 +6,8 @@ swanctl.conf is the configuration file used by the
 .BR swanctl (8)
 tool to load configurations and credentials into the strongSwan IKE daemon.
 
-For a description of the basic file syntax refer to
+For a description of the basic file syntax, including how to split the
+configuration in multiple files by including other files, refer to
 .BR strongswan.conf (5).
 
 .SH TIME FORMATS
diff --git a/src/swanctl/swanctl.conf.5.main b/src/swanctl/swanctl.conf.5.main
index 697bd40..6e1e9ad 100644
--- a/src/swanctl/swanctl.conf.5.main
+++ b/src/swanctl/swanctl.conf.5.main
@@ -35,6 +35,9 @@ As initiator, the first non\-range/non\-subnet is used to initiate the connectio
 from. As responder, the local destination address must match at least to one of
 the specified addresses, subnets or ranges.
 
+If FQDNs are assigned they are resolved every time a configuration lookup is
+done. If DNS resolution times out, the lookup is delayed for that time.
+
 .TP
 .BR connections.<conn>.remote_addrs " [%any]"
 Remote address(es) to use for IKE communication, comma separated. Takes single
@@ -44,6 +47,9 @@ As initiator, the first non\-range/non\-subnet is used to initiate the connectio
 to. As responder, the initiator source address must match at least to one of the
 specified addresses, subnets or ranges.
 
+If FQDNs are assigned they are resolved every time a configuration lookup is
+done. If DNS resolution times out, the lookup is delayed for that time.
+
 To initiate a connection, at least one specific address or DNS name must be
 specified.
 
@@ -118,6 +124,12 @@ Push mode is currently supported for IKEv1, but not in IKEv2. It is used by a
 few implementations only, pull mode is recommended.
 
 .TP
+.BR connections.<conn>.dscp " [000000]"
+Differentiated Services Field Codepoint to set on outgoing IKE packets for this
+connection. The value is a six digit binary encoded string specifying the
+Codepoint to set, as defined in RFC 2474.
+
+.TP
 .BR connections.<conn>.encap " [no]"
 To enforce UDP encapsulation of ESP packets, the IKE daemon can fake the NAT
 detection payloads. This makes the peer believe that NAT takes place on the
@@ -303,6 +315,30 @@ either the
 section or an external pool.
 
 .TP
+.BR connections.<conn>.mediation " [no]"
+Whether this connection is a mediation connection, that is, whether this
+connection is used to mediate other connections using the IKEv2 Mediation
+Extension.  Mediation connections create no CHILD_SA.
+
+.TP
+.BR connections.<conn>.mediated_by " []"
+The name of the connection to mediate this connection through. If given, the
+connection will be mediated through the named mediation connection. The
+mediation connection must have
+.RB "" "mediation" ""
+enabled.
+
+.TP
+.BR connections.<conn>.mediation_peer " []"
+Identity under which the peer is registered at the mediation server, that is,
+the IKE identity the other end of this connection uses as its local identity on
+its connection to the mediation server. This is the identity we request the
+mediation server to mediate us with. Only relevant on connections that set
+.RB "" "mediated_by" "."
+If it is not given, the remote IKE identity of the first
+authentication round of this connection will be used.
+
+.TP
 .B connections.<conn>.local<suffix>
 .br
 Section for a local authentication round. A local authentication round defines
@@ -334,6 +370,37 @@ certificate request payloads. If no appropriate CA can be located, the first
 certificate is used.
 
 .TP
+.BR connections.<conn>.local<suffix>.cert<suffix> " []"
+Section for a certificate candidate to use for authentication. Certificates in
+.RI "" "certs" ""
+are transmitted as binary blobs, these sections offer more flexibility.
+
+.TP
+.BR connections.<conn>.local<suffix>.cert<suffix>.file " []"
+Absolute path to the certificate to load. Passed as\-is to the daemon, so it must
+be readable by it.
+
+Configure either this or
+.RI "" "handle" ","
+but not both, in one section.
+
+.TP
+.BR connections.<conn>.local<suffix>.cert<suffix>.handle " []"
+Hex\-encoded CKA_ID of the certificate on a token.
+
+Configure either this or
+.RI "" "file" ","
+but not both, in one section.
+
+.TP
+.BR connections.<conn>.local<suffix>.cert<suffix>.slot " []"
+Optional slot number of the token that stores the certificate.
+
+.TP
+.BR connections.<conn>.local<suffix>.cert<suffix>.module " []"
+Optional PKCS#11 module name.
+
+.TP
 .BR connections.<conn>.local<suffix>.pubkeys " []"
 Comma separated list of raw public key candidates to use for authentication. The
 public keys may use a relative path from the
@@ -498,6 +565,11 @@ certified by different means, for example by appropriate Attribute Certificates
 or by an AAA backend involved in the authentication.
 
 .TP
+.BR connections.<conn>.remote<suffix>.cert_policy " []"
+Comma separated list of certificate policy OIDs the peer's certificate must
+have. OIDs are specified using the numerical dotted representation.
+
+.TP
 .BR connections.<conn>.remote<suffix>.certs " []"
 Comma separated list of certificates to accept for authentication. The
 certificates may use a relative path from the
@@ -507,6 +579,37 @@ directory or an
 absolute path.
 
 .TP
+.BR connections.<conn>.remote<suffix>.cert<suffix> " []"
+Section for a certificate to accept for authentication. Certificates in
+.RI "" "certs" ""
+are transmitted as binary blobs, these sections offer more flexibility.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cert<suffix>.file " []"
+Absolute path to the certificate to load. Passed as\-is to the daemon, so it must
+be readable by it.
+
+Configure either this or
+.RI "" "handle" ","
+but not both, in one section.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cert<suffix>.handle " []"
+Hex\-encoded CKA_ID of the certificate on a token.
+
+Configure either this or
+.RI "" "file" ","
+but not both, in one section.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cert<suffix>.slot " []"
+Optional slot number of the token that stores the certificate.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cert<suffix>.module " []"
+Optional PKCS#11 module name.
+
+.TP
 .BR connections.<conn>.remote<suffix>.cacerts " []"
 Comma separated list of CA certificates to accept for authentication. The
 certificates may use a relative path from the
@@ -516,6 +619,38 @@ directory or
 an absolute path.
 
 .TP
+.BR connections.<conn>.remote<suffix>.cacert<suffix> " []"
+Section for a CA certificate to accept for authentication. Certificates in
+.RI "" "cacerts" ""
+are transmitted as binary blobs, these sections offer more
+flexibility.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cacert<suffix>.file " []"
+Absolute path to the certificate to load. Passed as\-is to the daemon, so it must
+be readable by it.
+
+Configure either this or
+.RI "" "handle" ","
+but not both, in one section.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cacert<suffix>.handle " []"
+Hex\-encoded CKA_ID of the CA certificate on a token.
+
+Configure either this or
+.RI "" "file" ","
+but not both, in one section.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cacert<suffix>.slot " []"
+Optional slot number of the token that stores the CA certificate.
+
+.TP
+.BR connections.<conn>.remote<suffix>.cacert<suffix>.module " []"
+Optional PKCS#11 module name.
+
+.TP
 .BR connections.<conn>.remote<suffix>.pubkeys " []"
 Comma separated list of raw public keys to accept for authentication. The public
 keys may use a relative path from the
@@ -673,9 +808,16 @@ for RFC 4301
 OPAQUE selectors. Port ranges may be specified as well, none of the kernel
 backends currently support port ranges, though.
 
-Unless the Unity extension is used, IKEv1 supports the first specified selector
-only. IKEv1 uses very similar traffic selector narrowing as it is supported in
-the IKEv2 protocol.
+When IKEv1 is used only the first selector is interpreted, except if the Cisco
+Unity extension plugin is used. This is due to a limitation of the IKEv1
+protocol, which only allows a single pair of selectors per CHILD_SA. So to
+tunnel traffic matched by several pairs of selectors when using IKEv1 several
+children (CHILD_SAs) have to be defined that cover the selectors.
+
+The IKE daemon uses traffic selector narrowing for IKEv1, the same way it is
+standardized and implemented for IKEv2. However, this may lead to problems with
+other implementations. To avoid that, configure identical selectors in such
+scenarios.
 
 .TP
 .BR connections.<conn>.children.<child>.remote_ts " [dynamic]"
@@ -803,10 +945,12 @@ negotiates the CHILD_SA in IPsec
 Tunnel Mode, whereas
 .RI "" "transport" ""
 uses IPsec Transport Mode.
+.RI "" "transport_proxy" ""
+signifying the special Mobile IPv6 Transport Proxy Mode.
 .RI "" "beet" ""
-is the Bound
-End to End Tunnel mixture mode, working with fixed inner addresses without the
-need to include them in each packet.
+is the Bound End
+to End Tunnel mixture mode, working with fixed inner addresses without the need
+to include them in each packet.
 
 Both
 .RI "" "transport" ""
@@ -1011,6 +1155,33 @@ secrets under both section prefixes are used for both EAP and XAuth
 authentication.
 
 .TP
+.B secrets.ntlm<suffix>
+.br
+NTLM secret section for a specific secret. Each NTLM secret is defined in a
+unique section having the
+.RI "" "ntlm" ""
+prefix. NTLM secrets may only be used for
+EAP\-MSCHAPv2 authentication.
+
+.TP
+.BR secrets.ntlm<suffix>.secret " []"
+Value of the NTLM secret, which is the NT Hash of the actual secret, that is,
+MD4(UTF\-16LE(secret)). The resulting 16\-byte value may either be given as a hex
+encoded string with a
+.RI "" "0x" ""
+prefix or as a Base64 encoded string with a
+.RI "" "0s" ""
+prefix.
+
+.TP
+.BR secrets.ntlm<suffix>.id<suffix> " []"
+Identity the NTLM secret belongs to. Multiple unique identities may be
+specified, each having an
+.RI "" "id" ""
+prefix, if a secret is shared between multiple
+users.
+
+.TP
 .B secrets.ike<suffix>
 .br
 IKE preshared secret section for a specific secret. Each IKE PSK is defined in a
@@ -1121,6 +1292,28 @@ folder for which this passphrase should be used.
 Value of decryption passphrase for PKCS#12 container.
 
 .TP
+.B secrets.token<suffix>
+.br
+Definition for a private key that's stored on a token/smartcard.
+
+.TP
+.BR secrets.token<suffix>.handle " []"
+Hex\-encoded CKA_ID of the private key on the token.
+
+.TP
+.BR secrets.token<suffix>.slot " []"
+Optional slot number to access the token.
+
+.TP
+.BR secrets.token<suffix>.module " []"
+Optional PKCS#11 module name to access the token.
+
+.TP
+.BR secrets.token<suffix>.pin " []"
+Optional PIN required to access the key on the token. If none is provided the
+user is prompted during an interactive \-\-load\-creds call.
+
+.TP
 .B pools
 .br
 Section defining named pools. Named pools may be referenced by connections with
@@ -1172,19 +1365,57 @@ Section defining a certification authority with a unique name.
 
 .TP
 .BR authorities.<name>.cacert " []"
-The certificates may use a relative path from the
+CA certificate belonging to the certification authority. The certificates may
+use a relative path from the
 .RB "" "swanctl" ""
 .RI "" "x509ca" ""
-directory
-or an absolute path.
+directory or an absolute path.
+
+Configure one of
+.RI "" "cacert" ","
+.RI "" "file" ","
+or
+.RI "" "handle" ""
+per section.
+
+.TP
+.BR authorities.<name>.file " []"
+Absolute path to the certificate to load. Passed as\-is to the daemon, so it must
+be readable by it.
+
+Configure one of
+.RI "" "cacert" ","
+.RI "" "file" ","
+or
+.RI "" "handle" ""
+per section.
+
+.TP
+.BR authorities.<name>.handle " []"
+Hex\-encoded CKA_ID of the CA certificate on a token.
+
+Configure one of
+.RI "" "cacert" ","
+.RI "" "file" ","
+or
+.RI "" "handle" ""
+per section.
+
+.TP
+.BR authorities.<name>.slot " []"
+Optional slot number of the token that stores the CA certificate.
+
+.TP
+.BR authorities.<name>.module " []"
+Optional PKCS#11 module name.
 
 .TP
 .BR authorities.<name>.crl_uris " []"
-Comma\-separated list of CRL distribution points (ldap, http, or file URI)
+Comma\-separated list of CRL distribution points (ldap, http, or file URI).
 
 .TP
 .BR authorities.<name>.ocsp_uris " []"
-Comma\-separated list of OCSP URIs
+Comma\-separated list of OCSP URIs.
 
 .TP
 .BR authorities.<name>.cert_uri_base " []"
diff --git a/src/swanctl/swanctl.opt b/src/swanctl/swanctl.opt
index a7d6d9f..bdd9217 100644
--- a/src/swanctl/swanctl.opt
+++ b/src/swanctl/swanctl.opt
@@ -28,6 +28,9 @@ connections.<conn>.local_addrs = %any
 	connection from. As responder, the local destination address must match at
 	least to one of the specified addresses, subnets or ranges.
 
+	If FQDNs are assigned they are resolved every time a configuration lookup
+	is done. If DNS resolution times out, the lookup is delayed for that time.
+
 connections.<conn>.remote_addrs = %any
 	Remote address(es) to use for IKE communication, comma separated.
 
@@ -38,6 +41,9 @@ connections.<conn>.remote_addrs = %any
 	connection to. As responder, the initiator source address must match at
 	least to one of the specified addresses, subnets or ranges.
 
+	If FQDNs are assigned they are resolved every time a configuration lookup
+	is done. If DNS resolution times out, the lookup is delayed for that time.
+
 	To initiate a connection, at least one specific address or DNS name must
 	be specified.
 
@@ -102,6 +108,14 @@ connections.<conn>.pull = yes
 	Push mode is currently supported for IKEv1, but not in IKEv2. It is used
 	by a few implementations only, pull mode is recommended.
 
+connections.<conn>.dscp = 000000
+	Differentiated Services Field Codepoint to set on outgoing IKE packets (six
+	binary digits).
+
+	Differentiated Services Field Codepoint to set on outgoing IKE packets for
+	this connection. The value is a six digit binary encoded string specifying
+	the Codepoint to set, as defined in RFC 2474.
+
 connections.<conn>.encap = no
 	Enforce UDP encapsulation by faking NAT-D payloads.
 
@@ -256,6 +270,30 @@ connections.<conn>.pools =
 	other configuration attributes from. Each name references a pool by name
 	from either the **pools** section or an external pool.
 
+connections.<conn>.mediation = no
+	Whether this connection is a mediation connection.
+
+	Whether this connection is a mediation connection, that is, whether this
+	connection is used to mediate other connections using the IKEv2 Mediation
+	Extension.  Mediation connections create no CHILD_SA.
+
+connections.<conn>.mediated_by =
+	The name of the connection to mediate this connection through.
+
+	The name of the connection to mediate this connection through. If given, the
+	connection will be mediated through the named mediation connection.
+	The	mediation connection must have **mediation** enabled.
+
+connections.<conn>.mediation_peer =
+	Identity under which the peer is registered at the mediation server.
+
+	Identity under which the peer is registered at the mediation server, that
+	is, the IKE identity the other end of this connection uses as its local
+	identity on its connection to the mediation server. This is the identity we
+	request the mediation server to mediate us with. Only relevant on
+	connections that set **mediated_by**. If it is not given, the remote IKE
+	identity of the first authentication round of this connection will be used.
+
 connections.<conn>.local<suffix> {}
 	Section for a local authentication round.
 
@@ -284,6 +322,34 @@ connections.<conn>.local<suffix>.certs =
 	certificate request payloads. If no appropriate CA can be located, the
 	first certificate is used.
 
+connections.<conn>.local<suffix>.cert<suffix> =
+	Section for a certificate candidate to use for authentication.
+
+	Section for a certificate candidate to use for authentication. Certificates
+	in _certs_ are transmitted as binary blobs, these sections offer more
+	flexibility.
+
+connections.<conn>.local<suffix>.cert<suffix>.file =
+	Absolute path to the certificate to load.
+
+	Absolute path to the certificate to load. Passed as-is to the daemon, so it
+	must be readable by it.
+
+	Configure either this or _handle_, but not both, in one section.
+
+connections.<conn>.local<suffix>.cert<suffix>.handle =
+	Hex-encoded CKA_ID of the certificate on a token.
+
+	Hex-encoded CKA_ID of the certificate on a token.
+
+	Configure either this or _file_, but not both, in one section.
+
+connections.<conn>.local<suffix>.cert<suffix>.slot =
+	Optional slot number of the token that stores the certificate.
+
+connections.<conn>.local<suffix>.cert<suffix>.module =
+	Optional PKCS#11 module name.
+
 connections.<conn>.local<suffix>.pubkeys =
 	Comma separated list of raw public key candidates to use for authentication.
 
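Review bot: `connections.<conn>.local<suffix>.cert<suffix> =` is described as a section but declared with ` =`, while the neighbouring `connections.<conn>.local<suffix> {}` uses the section form. If the generator keys on that suffix the entry will be rendered as a plain option, so `connections.<conn>.local<suffix>.cert<suffix> {}` looks intended. The same applies to `remote<suffix>.cert<suffix> =` and `remote<suffix>.cacert<suffix> =` in the two later hunks. The sentence "Certificates in _certs_ are transmitted as binary blobs, these sections offer more flexibility." is a comma splice and does not say who transmits what to whom. If the intended meaning is the one the _file_ and _handle_ texts suggest, `Certificates listed in _certs_ are sent to the daemon as binary blobs; these sections instead let the daemon load the certificate from a file or token itself.` would be clearer.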
@@ -398,6 +464,12 @@ connections.<conn>.remote<suffix>.groups =
 	can be certified by different means, for example by appropriate Attribute
 	Certificates or by an AAA backend involved in the authentication.
 
+connections.<conn>.remote<suffix>.cert_policy =
+	Certificate policy OIDs the peer's certificate must have.
+
+	Comma separated list of certificate policy OIDs the peer's certificate must
+	have. OIDs are specified using the numerical dotted representation.
+
 connections.<conn>.remote<suffix>.certs =
 	Comma separated list of certificate to accept for authentication.
 
@@ -405,6 +477,34 @@ connections.<conn>.remote<suffix>.certs =
 	The certificates may use a relative path from the **swanctl** _x509_
 	directory or an absolute path.
 
+connections.<conn>.remote<suffix>.cert<suffix> =
+	Section for a certificate to accept for authentication.
+
+	Section for a certificate to accept for authentication. Certificates
+	in _certs_ are transmitted as binary blobs, these sections offer more
+	flexibility.
+
+connections.<conn>.remote<suffix>.cert<suffix>.file =
+	Absolute path to the certificate to load.
+
+	Absolute path to the certificate to load. Passed as-is to the daemon, so it
+	must be readable by it.
+
+	Configure either this or _handle_, but not both, in one section.
+
+connections.<conn>.remote<suffix>.cert<suffix>.handle =
+	Hex-encoded CKA_ID of the certificate on a token.
+
+	Hex-encoded CKA_ID of the certificate on a token.
+
+	Configure either this or _file_, but not both, in one section.
+
+connections.<conn>.remote<suffix>.cert<suffix>.slot =
+	Optional slot number of the token that stores the certificate.
+
+connections.<conn>.remote<suffix>.cert<suffix>.module =
+	Optional PKCS#11 module name.
+
 connections.<conn>.remote<suffix>.cacerts =
 	Comma separated list of CA certificates to accept for authentication.
 
@@ -412,6 +512,34 @@ connections.<conn>.remote<suffix>.cacerts =
 	The certificates may use a relative path from the **swanctl** _x509ca_
 	directory or an absolute path.
 
+connections.<conn>.remote<suffix>.cacert<suffix> =
+	Section for a CA certificate to accept for authentication.
+
+	Section for a CA certificate to accept for authentication. Certificates
+	in _cacerts_ are transmitted as binary blobs, these sections offer more
+	flexibility.
+
+connections.<conn>.remote<suffix>.cacert<suffix>.file =
+	Absolute path to the certificate to load.
+
+	Absolute path to the certificate to load. Passed as-is to the daemon, so it
+	must be readable by it.
+
+	Configure either this or _handle_, but not both, in one section.
+
+connections.<conn>.remote<suffix>.cacert<suffix>.handle =
+	Hex-encoded CKA_ID of the CA certificate on a token.
+
+	Hex-encoded CKA_ID of the CA certificate on a token.
+
+	Configure either this or _file_, but not both, in one section.
+
+connections.<conn>.remote<suffix>.cacert<suffix>.slot =
+	Optional slot number of the token that stores the CA certificate.
+
+connections.<conn>.remote<suffix>.cacert<suffix>.module =
+	Optional PKCS#11 module name.
+
 connections.<conn>.remote<suffix>.pubkeys =
 	Comma separated list of raw public keys to accept for authentication.
 
@@ -536,9 +664,16 @@ connections.<conn>.children.<child>.local_ts = dynamic
 	value _opaque_ for RFC 4301 OPAQUE selectors. Port ranges may be specified
 	as well, none of the kernel backends currently support port ranges, though.
 
-	Unless the Unity extension is used, IKEv1 supports the first specified
-	selector only. IKEv1 uses very similar traffic selector narrowing as it is
-	supported in the IKEv2 protocol.
+	When IKEv1 is used only the first selector is interpreted, except if
+	the Cisco Unity extension plugin is used. This is due to a limitation of the
+	IKEv1 protocol, which only allows a single pair of selectors per CHILD_SA.
+	So to tunnel traffic matched by several pairs of selectors when using IKEv1
+	several children (CHILD_SAs) have to be defined that cover the selectors.
+
+	The IKE daemon uses traffic selector narrowing for IKEv1, the same way it is
+	standardized and implemented for IKEv2. However, this may lead to problems
+	with other implementations. To avoid that, configure identical selectors in
+	such scenarios.
 
 connections.<conn>.children.<child>.remote_ts = dynamic
 	Remote selectors to include in CHILD_SA.
@@ -640,11 +775,13 @@ connections.<conn>.children.<child>.hostaccess = yes
 	Hostaccess variable to pass to **updown** script.
 
 connections.<conn>.children.<child>.mode = tunnel
-	IPsec Mode to establish (_tunnel_, _transport_, _beet_, _pass_ or _drop_).
+	IPsec Mode to establish (_tunnel_, _transport_, _transport_proxy_, _beet_,
+	_pass_ or _drop_).
 
 	IPsec Mode to establish CHILD_SA with. _tunnel_ negotiates the CHILD_SA
-	in IPsec Tunnel Mode, whereas _transport_ uses IPsec Transport Mode. _beet_
-	is the Bound End to End Tunnel mixture mode, working with fixed inner
+	in IPsec Tunnel Mode, whereas _transport_ uses IPsec Transport Mode.
+	_transport_proxy_ signifying the special Mobile IPv6 Transport Proxy Mode.
+	_beet_ is the Bound End to End Tunnel mixture mode, working with fixed inner
 	addresses without the need to include them in each packet.
 
 	Both _transport_ and _beet_ modes are subject to mode negotiation; _tunnel_
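Review bot: The added sentence `_transport_proxy_ signifying the special Mobile IPv6 Transport Proxy Mode.` has no finite verb; `_transport_proxy_ signifies the special Mobile IPv6 Transport Proxy Mode.` reads correctly. The paragraph that starts on the hunk's last line and continues outside it says _transport_ and _beet_ are subject to mode negotiation, but it is not updated for the new value. A reader therefore cannot tell whether _transport_proxy_ may be negotiated down to another mode, and a clause covering it would close that gap.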
@@ -815,6 +952,28 @@ secrets.eap<suffix>.id<suffix> =
 	be specified, each having an _id_ prefix, if a secret is shared between
 	multiple users.
 
+secrets.ntlm<suffix> { # }
+	NTLM secret section for a specific secret.
+
+	NTLM secret section for a specific secret. Each NTLM secret is defined in
+	a unique section having the _ntlm_ prefix. NTLM secrets may only be used for
+	EAP-MSCHAPv2 authentication.
+
+secrets.ntlm<suffix>.secret =
+	Value of the NTLM secret.
+
+	Value of the NTLM secret, which is the NT Hash of the actual secret, that
+	is, MD4(UTF-16LE(secret)). The resulting 16-byte value may either be given
+	as a hex encoded string with a _0x_ prefix or as a Base64 encoded string
+	with a _0s_ prefix.
+
+secrets.ntlm<suffix>.id<suffix> =
+	Identity the NTLM secret belongs to.
+
+	Identity the NTLM secret belongs to. Multiple unique identities may
+	be specified, each having an _id_ prefix, if a secret is shared between
+	multiple users.
+
 secrets.ike<suffix> { # }
 	IKE preshared secret section for a specific secret.
 
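Review bot: The long description of `secrets.ntlm<suffix>.secret` should state that the NT hash is password-equivalent for EAP-MSCHAPv2. The value is the unsalted digest MD4(UTF-16LE(secret)) and is all the protocol needs from the password, so anyone who can read it can authenticate as the listed identities. As written, "the NT Hash of the actual secret" can be read as a protective encoding of the password. I would append `The hash is equivalent to the password for this purpose, so protect this file like one containing plaintext secrets.` to the long description.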
@@ -880,6 +1039,22 @@ secrets.pkcs12<suffix>.file =
 secrets.pkcs12<suffix>.secret
 	Value of decryption passphrase for PKCS#12 container.
 
+secrets.token<suffix> { # }
+	Definition for a private key that's stored on a token/smartcard.
+
+secrets.token<suffix>.handle =
+	Hex-encoded CKA_ID of the private key on the token.
+
+secrets.token<suffix>.slot =
+	Optional slot number to access the token.
+
+secrets.token<suffix>.module =
+	Optional PKCS#11 module name to access the token.
+
+secrets.token<suffix>.pin =
+	Optional PIN required to access the key on the token. If none is provided
+	the user is prompted during an interactive --load-creds call.
+
 pools { # }
 	Section defining named pools.
 
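Review bot: The description of `secrets.token<suffix>.pin` does not mention that a PIN configured here sits in clear text in the configuration file, next to the handle, slot and module that identify the key it unlocks. The text already says the user is prompted during an interactive --load-creds call when no PIN is given, so it could present that as the preferred path. For unattended setups it could add `If a PIN is configured, restrict read access to this file.`.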
@@ -916,18 +1091,40 @@ authorities.<name> { # }
 authorities.<name>.cacert =
 	CA certificate belonging to the certification authority.
 
-	The certificates may use a relative path from the **swanctl** _x509ca_
-	directory or an absolute path.
+	CA certificate belonging to the certification authority. The certificates
+	may use a relative path from the **swanctl** _x509ca_ directory or an
+	absolute path.
+
+	Configure one of _cacert_, _file_, or _handle_ per section.
+
+authorities.<name>.file =
+	Absolute path to the certificate to load.
+
+	Absolute path to the certificate to load. Passed as-is to the daemon, so it
+	must be readable by it.
+
+	Configure one of _cacert_, _file_, or _handle_ per section.
+
+authorities.<name>.handle =
+	Hex-encoded CKA_ID of the CA certificate on a token.
+
+	Hex-encoded CKA_ID of the CA certificate on a token.
+
+	Configure one of _cacert_, _file_, or _handle_ per section.
+
+authorities.<name>.slot =
+	Optional slot number of the token that stores the CA certificate.
+
+authorities.<name>.module =
+	Optional PKCS#11 module name.
 
 authorities.<name>.crl_uris =
-	Comma-separated list of CRL distribution points
+	Comma-separated list of CRL distribution points.
 
-	Comma-separated list of CRL distribution points (ldap, http, or file URI)
+	Comma-separated list of CRL distribution points (ldap, http, or file URI).
 
 authorities.<name>.ocsp_uris =
-	Comma-separated list of OCSP URIs
-
-	Comma-separated list of OCSP URIs
+	Comma-separated list of OCSP URIs.
 
 authorities.<name>.cert_uri_base =
 	Defines the base URI for the Hash and URL feature supported by IKEv2.
diff --git a/testing/Makefile.in b/testing/Makefile.in
index 58fd2eb..495fbeb 100644
--- a/testing/Makefile.in
+++ b/testing/Makefile.in
@@ -274,7 +274,6 @@ exec_prefix = @exec_prefix@
 fips_mode = @fips_mode@
 gtk_CFLAGS = @gtk_CFLAGS@
 gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
 host = @host@
 host_alias = @host_alias@
 host_cpu = @host_cpu@
@@ -309,6 +308,7 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/testing/config/kernel/config-4.10 b/testing/config/kernel/config-4.10
new file mode 100644
index 0000000..1795dfd
--- /dev/null
+++ b/testing/config/kernel/config-4.10
@@ -0,0 +1,2524 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 4.10.0 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_ARCH_MMAP_RND_BITS_MIN=28
+CONFIG_ARCH_MMAP_RND_BITS_MAX=32
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_DEBUG_RODATA=y
+CONFIG_PGTABLE_LEVELS=4
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+CONFIG_THREAD_INFO_IN_TASK=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_FHANDLE=y
+CONFIG_USELIB=y
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_DOMAIN=y
+CONFIG_IRQ_DOMAIN_HIERARCHY=y
+CONFIG_GENERIC_MSI_IRQ=y
+CONFIG_GENERIC_MSI_IRQ_DOMAIN=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_RCU_EXPERT is not set
+CONFIG_SRCU=y
+# CONFIG_TASKS_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+# CONFIG_RCU_EXPEDITE_BOOT is not set
+CONFIG_BUILD_BIN2C=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_NMI_LOG_BUF_SHIFT=13
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+CONFIG_CGROUPS=y
+CONFIG_PAGE_COUNTER=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_SWAP_ENABLED=y
+CONFIG_BLK_CGROUP=y
+# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_CGROUP_WRITEBACK=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_CFS_BANDWIDTH=y
+# CONFIG_RT_GROUP_SCHED is not set
+CONFIG_CGROUP_PIDS=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CPUSETS=y
+CONFIG_PROC_PID_CPUSET=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
+# CONFIG_CGROUP_DEBUG is not set
+CONFIG_SOCK_CGROUP_DATA=y
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BPF=y
+# CONFIG_EXPERT is not set
+CONFIG_MULTIUSER=y
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_POSIX_TIMERS=y
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+# CONFIG_KALLSYMS_ABSOLUTE_PERCPU is not set
+CONFIG_KALLSYMS_BASE_RELATIVE=y
+CONFIG_PRINTK=y
+CONFIG_PRINTK_NMI=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+# CONFIG_BPF_SYSCALL is not set
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_ADVISE_SYSCALLS=y
+# CONFIG_USERFAULTFD is not set
+CONFIG_PCI_QUIRKS=y
+CONFIG_MEMBARRIER=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_SLAB_FREELIST_RANDOM is not set
+# CONFIG_SYSTEM_DATA_VERIFICATION is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_UPROBES is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_NMI=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGINS is not set
+CONFIG_HAVE_CC_STACKPROTECTOR=y
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+# CONFIG_CC_STACKPROTECTOR_STRONG is not set
+CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_HUGE_VMAP=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
+CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
+CONFIG_HAVE_EXIT_THREAD=y
+CONFIG_ARCH_MMAP_RND_BITS=28
+CONFIG_HAVE_COPY_THREAD_TLS=y
+CONFIG_HAVE_STACK_VALIDATION=y
+# CONFIG_HAVE_ARCH_HASH is not set
+# CONFIG_ISA_BUS_API is not set
+# CONFIG_CPU_NO_EFFICIENT_FFS is not set
+CONFIG_HAVE_ARCH_VMAP_STACK=y
+CONFIG_VMAP_STACK=y
+
+#
+# GCOV-based kernel profiling
+#
+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_MODULES_TREE_LOOKUP=y
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_DEV_ZONED is not set
+# CONFIG_BLK_DEV_THROTTLING is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+# CONFIG_BLK_WBT is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+CONFIG_BLK_MQ_PCI=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_CFQ_GROUP_IOSCHED is not set
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y
+CONFIG_ARCH_USE_QUEUED_RWLOCKS=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_FAST_FEATURE_TESTS=y
+CONFIG_X86_MPPARSE=y
+# CONFIG_GOLDFISH is not set
+# CONFIG_INTEL_RDT_A is not set
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_GOLDFISH is not set
+# CONFIG_X86_INTEL_MID is not set
+# CONFIG_X86_INTEL_LPSS is not set
+# CONFIG_X86_AMD_PLATFORM_DEVICE is not set
+CONFIG_IOSF_MBI=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_UP_LATE_INIT=y
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+
+#
+# Performance monitoring
+#
+CONFIG_PERF_EVENTS_INTEL_UNCORE=y
+CONFIG_PERF_EVENTS_INTEL_RAPL=y
+CONFIG_PERF_EVENTS_INTEL_CSTATE=y
+# CONFIG_PERF_EVENTS_AMD_POWER is not set
+# CONFIG_VM86 is not set
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+CONFIG_X86_VSYSCALL_EMULATION=y
+# CONFIG_I8K is not set
+CONFIG_MICROCODE=y
+CONFIG_MICROCODE_INTEL=y
+# CONFIG_MICROCODE_AMD is not set
+CONFIG_MICROCODE_OLD_INTERFACE=y
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_X86_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+CONFIG_MEMORY_BALLOON=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZPOOL is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSMALLOC is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y
+# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
+# CONFIG_IDLE_PAGE_TRACKING is not set
+# CONFIG_ZONE_DEVICE is not set
+CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
+CONFIG_ARCH_HAS_PKEYS=y
+# CONFIG_X86_PMEM_LEGACY is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_X86_INTEL_MPX is not set
+CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_KEXEC_FILE is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_LEGACY_VSYSCALL_NATIVE is not set
+CONFIG_LEGACY_VSYSCALL_EMULATE=y
+# CONFIG_LEGACY_VSYSCALL_NONE is not set
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_MODIFY_LDT_SYSCALL=y
+CONFIG_HAVE_LIVEPATCH=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
+# CONFIG_ACPI_DEBUGGER is not set
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_CPU_FREQ_PSS=y
+CONFIG_ACPI_PROCESSOR_CSTATE=y
+CONFIG_ACPI_PROCESSOR_IDLE=y
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+CONFIG_ACPI_HOTPLUG_IOAPIC=y
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
+# CONFIG_ACPI_NFIT is not set
+CONFIG_HAVE_ACPI_APEI=y
+CONFIG_HAVE_ACPI_APEI_NMI=y
+# CONFIG_ACPI_APEI is not set
+# CONFIG_DPTF_POWER is not set
+# CONFIG_PMIC_OPREGION is not set
+# CONFIG_ACPI_CONFIGFS is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_BUS_ADDR_T_64BIT=y
+CONFIG_PCI_MSI=y
+CONFIG_PCI_MSI_IRQ_DOMAIN=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+CONFIG_PCI_LABEL=y
+# CONFIG_HOTPLUG_PCI is not set
+
+#
+# PCI host controller drivers
+#
+# CONFIG_PCIE_DW_PLAT is not set
+# CONFIG_VMD is not set
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ELFCORE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+# CONFIG_X86_X32 is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_PMC_ATOM=y
+CONFIG_NET=y
+CONFIG_NET_INGRESS=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_NET_UDP_TUNNEL=y
+# CONFIG_NET_FOU is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_INET_RAW_DIAG is not set
+# CONFIG_INET_DIAG_DESTROY is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+# CONFIG_IPV6_ILA is not set
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_VTI is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+# CONFIG_IPV6_FOU is not set
+# CONFIG_IPV6_FOU_TUNNEL is not set
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_IPV6_SEG6_LWTUNNEL is not set
+# CONFIG_IPV6_SEG6_HMAC is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NET_PTP_CLASSIFY is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_INGRESS=y
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+# CONFIG_NF_LOG_NETDEV is not set
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+CONFIG_NF_NAT_REDIRECT=y
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_IPMAC is not set
+# CONFIG_IP_SET_HASH_MAC is not set
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+# CONFIG_NF_SOCKET_IPV4 is not set
+# CONFIG_NF_DUP_IPV4 is not set
+# CONFIG_NF_LOG_ARP is not set
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NF_NAT_MASQUERADE_IPV4=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+# CONFIG_NF_SOCKET_IPV6 is not set
+# CONFIG_NF_DUP_IPV6 is not set
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_NF_NAT_MASQUERADE_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP6_NF_NAT is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_6LOWPAN is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_MPLS is not set
+# CONFIG_HSR is not set
+# CONFIG_NET_SWITCHDEV is not set
+# CONFIG_NET_L3_MASTER_DEV is not set
+# CONFIG_NET_NCSI is not set
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_NET_CLASSID=y
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+# CONFIG_AF_KCM is not set
+# CONFIG_STREAM_PARSER is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+# CONFIG_LWTUNNEL is not set
+CONFIG_DST_CACHE=y
+# CONFIG_NET_DEVLINK is not set
+CONFIG_MAY_USE_DEVLINK=y
+CONFIG_HAVE_EBPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set
+CONFIG_ALLOW_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_OF is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+# CONFIG_BLK_DEV_NVME is not set
+# CONFIG_NVME_FC is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_INTEL_MEI is not set
+# CONFIG_INTEL_MEI_ME is not set
+# CONFIG_INTEL_MEI_TXE is not set
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC Bus Driver
+#
+# CONFIG_INTEL_MIC_BUS is not set
+
+#
+# SCIF Bus Driver
+#
+# CONFIG_SCIF_BUS is not set
+
+#
+# VOP Bus Driver
+#
+# CONFIG_VOP_BUS is not set
+
+#
+# Intel MIC Host Driver
+#
+
+#
+# Intel MIC Card Driver
+#
+
+#
+# SCIF Driver
+#
+
+#
+# Intel MIC Coprocessor State Management (COSM) Drivers
+#
+
+#
+# VOP Driver
+#
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_CXL_BASE is not set
+# CONFIG_CXL_AFU_DRIVER_OPS is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_GENEVE is not set
+# CONFIG_GTP is not set
+CONFIG_MACSEC=y
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_TUN_VNET_CROSS_LE is not set
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+
+#
+# Distributed Switch Architecture drivers
+#
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_AGERE=y
+# CONFIG_ET131X is not set
+CONFIG_NET_VENDOR_ALACRITECH=y
+# CONFIG_SLICOSS is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMAZON=y
+# CONFIG_ENA_ETHERNET is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_AMD_XGBE is not set
+# CONFIG_AMD_XGBE_HAVE_ECC is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+# CONFIG_NET_VENDOR_AURORA is not set
+CONFIG_NET_CADENCE=y
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BCMGENET is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+# CONFIG_BNXT is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_VENDOR_CAVIUM=y
+# CONFIG_THUNDER_NIC_PF is not set
+# CONFIG_THUNDER_NIC_VF is not set
+# CONFIG_THUNDER_NIC_BGX is not set
+# CONFIG_THUNDER_NIC_RGX is not set
+# CONFIG_LIQUIDIO is not set
+# CONFIG_LIQUIDIO_VF is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EZCHIP=y
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+# CONFIG_FM10K is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+# CONFIG_MLXSW_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_NETRONOME=y
+# CONFIG_NFP_NETVF is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+# CONFIG_QED is not set
+CONFIG_NET_VENDOR_QUALCOMM=y
+# CONFIG_QCOM_EMAC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RENESAS=y
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_ROCKER=y
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+CONFIG_NET_VENDOR_SOLARFLARE=y
+# CONFIG_SFC is not set
+# CONFIG_SFC_FALCON is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_SYNOPSYS=y
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TI_CPSW_ALE is not set
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_WLAN=y
+CONFIG_WLAN_VENDOR_ADMTEK=y
+CONFIG_WLAN_VENDOR_ATH=y
+# CONFIG_ATH_DEBUG is not set
+# CONFIG_ATH5K_PCI is not set
+CONFIG_WLAN_VENDOR_ATMEL=y
+CONFIG_WLAN_VENDOR_BROADCOM=y
+CONFIG_WLAN_VENDOR_CISCO=y
+CONFIG_WLAN_VENDOR_INTEL=y
+CONFIG_WLAN_VENDOR_INTERSIL=y
+# CONFIG_HOSTAP is not set
+# CONFIG_PRISM54 is not set
+CONFIG_WLAN_VENDOR_MARVELL=y
+CONFIG_WLAN_VENDOR_MEDIATEK=y
+CONFIG_WLAN_VENDOR_RALINK=y
+CONFIG_WLAN_VENDOR_REALTEK=y
+CONFIG_WLAN_VENDOR_RSI=y
+CONFIG_WLAN_VENDOR_ST=y
+CONFIG_WLAN_VENDOR_TI=y
+CONFIG_WLAN_VENDOR_ZYDAS=y
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_FUJITSU_ES is not set
+# CONFIG_ISDN is not set
+# CONFIG_NVM is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_BYD=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+CONFIG_MOUSE_PS2_FOCALTECH=y
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+# CONFIG_RMI4_CORE is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_USERIO is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVMEM=y
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_UARTLITE is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_XILLYBUS is not set
+
+#
+# I2C support
+#
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+# CONFIG_POWER_AVS is not set
+# CONFIG_POWER_RESET is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27XXX is not set
+# CONFIG_CHARGER_MAX8903 is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_DELL_SMM is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_I5500 is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6683 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+# CONFIG_THERMAL_WRITABLE_TRIPS is not set
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_BANG_BANG is not set
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_INTEL_SOC_DTS_THERMAL is not set
+
+#
+# ACPI INT340X thermal drivers
+#
+# CONFIG_INT340X_THERMAL is not set
+# CONFIG_INTEL_PCH_THERMAL is not set
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_INTEL_LPSS_ACPI is not set
+# CONFIG_MFD_INTEL_LPSS_PCI is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_MT6397 is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+
+#
+# ACP (Audio CoProcessor) Configuration
+#
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+# CONFIG_VGASTATE is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_DUMMY_CONSOLE_COLUMNS=80
+CONFIG_DUMMY_CONSOLE_ROWS=25
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+# CONFIG_HID_CMEDIA is not set
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_GEMBIRD is not set
+# CONFIG_HID_GFRM is not set
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_HIDPP is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+# CONFIG_HID_MAYFLASH is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+CONFIG_HID_PLANTRONICS=y
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_RMI is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_UDRAW_PS3 is not set
+# CONFIG_HID_WACOM is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+# CONFIG_HID_ALPS is not set
+
+#
+# Intel ISH HID support
+#
+# CONFIG_INTEL_ISH_HID is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_USB_ULPI_BUS is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+CONFIG_EDAC_ATOMIC_SCRUB=y
+CONFIG_EDAC_SUPPORT=y
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+CONFIG_RTC_MC146818_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+
+#
+# DMABUF options
+#
+# CONFIG_SYNC_FILE is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_PCI_LEGACY=y
+CONFIG_VIRTIO_BALLOON=y
+# CONFIG_VIRTIO_INPUT is not set
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_DELL_SMO8800 is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ASUS_WIRELESS is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_TOSHIBA_HAPS is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_HID_EVENT is not set
+# CONFIG_INTEL_VBTN is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_INTEL_PMC_CORE is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_INTEL_PMC_IPC is not set
+# CONFIG_SURFACE_PRO3_BUTTON is not set
+# CONFIG_INTEL_PUNIT_IPC is not set
+# CONFIG_MLX_PLATFORM is not set
+# CONFIG_MLX_CPLD_PLATFORM is not set
+# CONFIG_CHROME_PLATFORMS is not set
+
+#
+# Hardware Spinlock drivers
+#
+
+#
+# Clock Source drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_ATMEL_PIT is not set
+# CONFIG_SH_TIMER_CMT is not set
+# CONFIG_SH_TIMER_MTU2 is not set
+# CONFIG_SH_TIMER_TMU is not set
+# CONFIG_EM_TIMER_STI is not set
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+
+#
+# Generic IOMMU Pagetable Support
+#
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_REMOTEPROC is not set
+
+#
+# Rpmsg drivers
+#
+
+#
+# SOC (System On Chip) specific Drivers
+#
+
+#
+# Broadcom SoC drivers
+#
+# CONFIG_SUNXI_SRAM is not set
+# CONFIG_SOC_TI is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+CONFIG_ARM_GIC_MAX_NR=1
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_PHY_PXA_28NM_HSIC is not set
+# CONFIG_PHY_PXA_28NM_USB2 is not set
+# CONFIG_BCM_KONA_USB2_PHY is not set
+# CONFIG_POWERCAP is not set
+# CONFIG_MCB is not set
+
+#
+# Performance monitor support
+#
+# CONFIG_RAS is not set
+# CONFIG_THUNDERBOLT is not set
+
+#
+# Android
+#
+# CONFIG_ANDROID is not set
+# CONFIG_LIBNVDIMM is not set
+# CONFIG_NVMEM is not set
+# CONFIG_STM is not set
+# CONFIG_INTEL_TH is not set
+
+#
+# FPGA Configuration Support
+#
+# CONFIG_FPGA is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_FW_CFG_SYSFS is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+# CONFIG_EFI_DEV_PATH_PARSER is not set
+
+#
+# Tegra firmware driver
+#
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_FS_POSIX_ACL is not set
+# CONFIG_EXT3_FS_SECURITY is not set
+CONFIG_EXT4_FS=y
+# CONFIG_EXT4_FS_POSIX_ACL is not set
+# CONFIG_EXT4_FS_SECURITY is not set
+# CONFIG_EXT4_ENCRYPTION is not set
+# CONFIG_EXT4_DEBUG is not set
+CONFIG_JBD2=y
+# CONFIG_JBD2_DEBUG is not set
+CONFIG_FS_MBCACHE=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+# CONFIG_F2FS_FS is not set
+# CONFIG_FS_DAX is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_EXPORTFS=y
+# CONFIG_EXPORTFS_BLOCK_OPS is not set
+CONFIG_FILE_LOCKING=y
+CONFIG_MANDATORY_FILE_LOCKING=y
+# CONFIG_FS_ENCRYPTION is not set
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+# CONFIG_OVERLAY_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+# CONFIG_PROC_CHILDREN is not set
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ORANGEFS_FS is not set
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_CONSOLE_LOGLEVEL_DEFAULT=7
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_INFO_SPLIT is not set
+# CONFIG_DEBUG_INFO_DWARF4 is not set
+# CONFIG_GDB_SCRIPTS is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_PAGE_OWNER is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_SECTION_MISMATCH_WARN_ONLY=y
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_STACK_VALIDATION is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_PAGE_EXTENSION is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_PAGE_POISONING is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+CONFIG_HAVE_ARCH_KASAN=y
+# CONFIG_KASAN is not set
+CONFIG_ARCH_HAS_KCOV=y
+# CONFIG_KCOV is not set
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_WQ_WATCHDOG is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHED_INFO is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_SCHED_STACK_END_CHECK is not set
+# CONFIG_DEBUG_TIMEKEEPING is not set
+# CONFIG_TIMER_STATS is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_STACKTRACE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_PROVE_RCU is not set
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_TORTURE_TEST is not set
+# CONFIG_RCU_PERF_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_RCU_EQS_DEBUG is not set
+# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_HWLAT_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_HIST_TRIGGERS is not set
+# CONFIG_TRACEPOINT_BENCHMARK is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_HEXDUMP is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_TEST_PRINTF is not set
+# CONFIG_TEST_BITMAP is not set
+# CONFIG_TEST_UUID is not set
+# CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_TEST_HASH is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_UDELAY is not set
+# CONFIG_MEMTEST is not set
+# CONFIG_BUG_ON_DATA_CORRUPTION is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
+# CONFIG_ARCH_WANTS_UBSAN_NO_NULL is not set
+# CONFIG_UBSAN is not set
+CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_X86_PTDUMP_CORE is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_WX is not set
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_ENTRY is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+CONFIG_X86_DEBUG_FPU=y
+# CONFIG_PUNIT_ATOM_DEBUG is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
+CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
+# CONFIG_HARDENED_USERCOPY is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_RNG_DEFAULT=y
+CONFIG_CRYPTO_AKCIPHER2=y
+CONFIG_CRYPTO_KPP2=y
+CONFIG_CRYPTO_KPP=y
+CONFIG_CRYPTO_ACOMP2=y
+# CONFIG_CRYPTO_RSA is not set
+CONFIG_CRYPTO_DH=y
+CONFIG_CRYPTO_ECDH=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_NULL2=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_MCRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER=y
+CONFIG_CRYPTO_SIMD=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_SEQIV=y
+CONFIG_CRYPTO_ECHAINIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+# CONFIG_CRYPTO_KEYWRAP is not set
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_POLY1305=y
+CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+# CONFIG_CRYPTO_SHA1_MB is not set
+CONFIG_CRYPTO_SHA256_MB=y
+CONFIG_CRYPTO_SHA512_MB=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_SHA3=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_CHACHA20=y
+CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_842=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_DRBG_MENU=y
+CONFIG_CRYPTO_DRBG_HMAC=y
+CONFIG_CRYPTO_DRBG_HASH=y
+CONFIG_CRYPTO_DRBG_CTR=y
+CONFIG_CRYPTO_DRBG=y
+CONFIG_CRYPTO_JITTERENTROPY=y
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_USER_API_RNG is not set
+CONFIG_CRYPTO_USER_API_AEAD=y
+# CONFIG_CRYPTO_HW is not set
+
+#
+# Certificates for signature checking
+#
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+# CONFIG_HAVE_ARCH_BITREVERSE is not set
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_842_COMPRESS=y
+CONFIG_842_DECOMPRESS=y
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_CLZ_TAB=y
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
+# CONFIG_IRQ_POLL is not set
+CONFIG_MPILIB=y
+# CONFIG_SG_SPLIT is not set
+# CONFIG_SG_POOL is not set
+CONFIG_ARCH_HAS_SG_CHAIN=y
+CONFIG_ARCH_HAS_PMEM_API=y
+CONFIG_ARCH_HAS_MMIO_FLUSH=y
+CONFIG_SBITMAP=y
diff --git a/testing/config/kernel/config-4.9 b/testing/config/kernel/config-4.9
new file mode 100644
index 0000000..95a5f8c
--- /dev/null
+++ b/testing/config/kernel/config-4.9
@@ -0,0 +1,2502 @@
+#
+# Automatically generated file; DO NOT EDIT.
+# Linux/x86 4.9.0 Kernel Configuration
+#
+CONFIG_64BIT=y
+CONFIG_X86_64=y
+CONFIG_X86=y
+CONFIG_INSTRUCTION_DECODER=y
+CONFIG_OUTPUT_FORMAT="elf64-x86-64"
+CONFIG_ARCH_DEFCONFIG="arch/x86/configs/x86_64_defconfig"
+CONFIG_LOCKDEP_SUPPORT=y
+CONFIG_STACKTRACE_SUPPORT=y
+CONFIG_MMU=y
+CONFIG_ARCH_MMAP_RND_BITS_MIN=28
+CONFIG_ARCH_MMAP_RND_BITS_MAX=32
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MIN=8
+CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=16
+CONFIG_NEED_DMA_MAP_STATE=y
+CONFIG_NEED_SG_DMA_LENGTH=y
+CONFIG_GENERIC_ISA_DMA=y
+CONFIG_GENERIC_BUG=y
+CONFIG_GENERIC_BUG_RELATIVE_POINTERS=y
+CONFIG_GENERIC_HWEIGHT=y
+CONFIG_ARCH_MAY_HAVE_PC_FDC=y
+CONFIG_RWSEM_XCHGADD_ALGORITHM=y
+CONFIG_GENERIC_CALIBRATE_DELAY=y
+CONFIG_ARCH_HAS_CPU_RELAX=y
+CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
+CONFIG_HAVE_SETUP_PER_CPU_AREA=y
+CONFIG_NEED_PER_CPU_EMBED_FIRST_CHUNK=y
+CONFIG_NEED_PER_CPU_PAGE_FIRST_CHUNK=y
+CONFIG_ARCH_HIBERNATION_POSSIBLE=y
+CONFIG_ARCH_SUSPEND_POSSIBLE=y
+CONFIG_ARCH_WANT_HUGE_PMD_SHARE=y
+CONFIG_ARCH_WANT_GENERAL_HUGETLB=y
+CONFIG_ZONE_DMA32=y
+CONFIG_AUDIT_ARCH=y
+CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
+CONFIG_ARCH_SUPPORTS_DEBUG_PAGEALLOC=y
+CONFIG_ARCH_SUPPORTS_UPROBES=y
+CONFIG_FIX_EARLYCON_MEM=y
+CONFIG_DEBUG_RODATA=y
+CONFIG_PGTABLE_LEVELS=4
+CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"
+CONFIG_IRQ_WORK=y
+CONFIG_BUILDTIME_EXTABLE_SORT=y
+CONFIG_THREAD_INFO_IN_TASK=y
+
+#
+# General setup
+#
+CONFIG_BROKEN_ON_SMP=y
+CONFIG_INIT_ENV_ARG_LIMIT=32
+CONFIG_CROSS_COMPILE=""
+# CONFIG_COMPILE_TEST is not set
+CONFIG_LOCALVERSION=""
+CONFIG_LOCALVERSION_AUTO=y
+CONFIG_HAVE_KERNEL_GZIP=y
+CONFIG_HAVE_KERNEL_BZIP2=y
+CONFIG_HAVE_KERNEL_LZMA=y
+CONFIG_HAVE_KERNEL_XZ=y
+CONFIG_HAVE_KERNEL_LZO=y
+CONFIG_HAVE_KERNEL_LZ4=y
+CONFIG_KERNEL_GZIP=y
+# CONFIG_KERNEL_BZIP2 is not set
+# CONFIG_KERNEL_LZMA is not set
+# CONFIG_KERNEL_XZ is not set
+# CONFIG_KERNEL_LZO is not set
+# CONFIG_KERNEL_LZ4 is not set
+CONFIG_DEFAULT_HOSTNAME="(none)"
+CONFIG_SWAP=y
+CONFIG_SYSVIPC=y
+CONFIG_SYSVIPC_SYSCTL=y
+CONFIG_POSIX_MQUEUE=y
+CONFIG_POSIX_MQUEUE_SYSCTL=y
+CONFIG_CROSS_MEMORY_ATTACH=y
+CONFIG_FHANDLE=y
+CONFIG_USELIB=y
+# CONFIG_AUDIT is not set
+CONFIG_HAVE_ARCH_AUDITSYSCALL=y
+
+#
+# IRQ subsystem
+#
+CONFIG_GENERIC_IRQ_PROBE=y
+CONFIG_GENERIC_IRQ_SHOW=y
+CONFIG_IRQ_DOMAIN=y
+CONFIG_IRQ_DOMAIN_HIERARCHY=y
+CONFIG_GENERIC_MSI_IRQ=y
+CONFIG_GENERIC_MSI_IRQ_DOMAIN=y
+CONFIG_IRQ_FORCED_THREADING=y
+CONFIG_SPARSE_IRQ=y
+CONFIG_CLOCKSOURCE_WATCHDOG=y
+CONFIG_ARCH_CLOCKSOURCE_DATA=y
+CONFIG_CLOCKSOURCE_VALIDATE_LAST_CYCLE=y
+CONFIG_GENERIC_TIME_VSYSCALL=y
+CONFIG_GENERIC_CLOCKEVENTS=y
+CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
+CONFIG_GENERIC_CLOCKEVENTS_MIN_ADJUST=y
+CONFIG_GENERIC_CMOS_UPDATE=y
+
+#
+# Timers subsystem
+#
+CONFIG_TICK_ONESHOT=y
+CONFIG_NO_HZ_COMMON=y
+# CONFIG_HZ_PERIODIC is not set
+CONFIG_NO_HZ_IDLE=y
+CONFIG_NO_HZ=y
+CONFIG_HIGH_RES_TIMERS=y
+
+#
+# CPU/Task time and stats accounting
+#
+CONFIG_TICK_CPU_ACCOUNTING=y
+# CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
+# CONFIG_IRQ_TIME_ACCOUNTING is not set
+CONFIG_BSD_PROCESS_ACCT=y
+# CONFIG_BSD_PROCESS_ACCT_V3 is not set
+# CONFIG_TASKSTATS is not set
+
+#
+# RCU Subsystem
+#
+CONFIG_TINY_RCU=y
+# CONFIG_RCU_EXPERT is not set
+CONFIG_SRCU=y
+# CONFIG_TASKS_RCU is not set
+# CONFIG_RCU_STALL_COMMON is not set
+# CONFIG_TREE_RCU_TRACE is not set
+# CONFIG_RCU_EXPEDITE_BOOT is not set
+CONFIG_BUILD_BIN2C=y
+CONFIG_IKCONFIG=y
+CONFIG_IKCONFIG_PROC=y
+CONFIG_LOG_BUF_SHIFT=14
+CONFIG_NMI_LOG_BUF_SHIFT=13
+CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
+CONFIG_ARCH_SUPPORTS_NUMA_BALANCING=y
+CONFIG_ARCH_SUPPORTS_INT128=y
+CONFIG_CGROUPS=y
+CONFIG_PAGE_COUNTER=y
+CONFIG_MEMCG=y
+CONFIG_MEMCG_SWAP=y
+CONFIG_MEMCG_SWAP_ENABLED=y
+CONFIG_BLK_CGROUP=y
+# CONFIG_DEBUG_BLK_CGROUP is not set
+CONFIG_CGROUP_WRITEBACK=y
+CONFIG_CGROUP_SCHED=y
+CONFIG_FAIR_GROUP_SCHED=y
+CONFIG_CFS_BANDWIDTH=y
+# CONFIG_RT_GROUP_SCHED is not set
+CONFIG_CGROUP_PIDS=y
+CONFIG_CGROUP_FREEZER=y
+CONFIG_CPUSETS=y
+CONFIG_PROC_PID_CPUSET=y
+CONFIG_CGROUP_DEVICE=y
+CONFIG_CGROUP_CPUACCT=y
+CONFIG_CGROUP_PERF=y
+# CONFIG_CGROUP_DEBUG is not set
+# CONFIG_CHECKPOINT_RESTORE is not set
+CONFIG_NAMESPACES=y
+# CONFIG_UTS_NS is not set
+# CONFIG_IPC_NS is not set
+# CONFIG_USER_NS is not set
+# CONFIG_PID_NS is not set
+# CONFIG_NET_NS is not set
+# CONFIG_SCHED_AUTOGROUP is not set
+# CONFIG_SYSFS_DEPRECATED is not set
+# CONFIG_RELAY is not set
+# CONFIG_BLK_DEV_INITRD is not set
+# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set
+CONFIG_CC_OPTIMIZE_FOR_SIZE=y
+CONFIG_SYSCTL=y
+CONFIG_ANON_INODES=y
+CONFIG_SYSCTL_EXCEPTION_TRACE=y
+CONFIG_HAVE_PCSPKR_PLATFORM=y
+CONFIG_BPF=y
+# CONFIG_EXPERT is not set
+CONFIG_MULTIUSER=y
+CONFIG_SGETMASK_SYSCALL=y
+CONFIG_SYSFS_SYSCALL=y
+# CONFIG_SYSCTL_SYSCALL is not set
+CONFIG_KALLSYMS=y
+# CONFIG_KALLSYMS_ALL is not set
+# CONFIG_KALLSYMS_ABSOLUTE_PERCPU is not set
+CONFIG_KALLSYMS_BASE_RELATIVE=y
+CONFIG_PRINTK=y
+CONFIG_PRINTK_NMI=y
+CONFIG_BUG=y
+CONFIG_ELF_CORE=y
+CONFIG_PCSPKR_PLATFORM=y
+CONFIG_BASE_FULL=y
+CONFIG_FUTEX=y
+CONFIG_EPOLL=y
+CONFIG_SIGNALFD=y
+CONFIG_TIMERFD=y
+CONFIG_EVENTFD=y
+# CONFIG_BPF_SYSCALL is not set
+CONFIG_SHMEM=y
+CONFIG_AIO=y
+CONFIG_ADVISE_SYSCALLS=y
+# CONFIG_USERFAULTFD is not set
+CONFIG_PCI_QUIRKS=y
+CONFIG_MEMBARRIER=y
+# CONFIG_EMBEDDED is not set
+CONFIG_HAVE_PERF_EVENTS=y
+
+#
+# Kernel Performance Events And Counters
+#
+CONFIG_PERF_EVENTS=y
+# CONFIG_DEBUG_PERF_USE_VMALLOC is not set
+CONFIG_VM_EVENT_COUNTERS=y
+CONFIG_COMPAT_BRK=y
+CONFIG_SLAB=y
+# CONFIG_SLUB is not set
+# CONFIG_SLAB_FREELIST_RANDOM is not set
+# CONFIG_SYSTEM_DATA_VERIFICATION is not set
+# CONFIG_PROFILING is not set
+CONFIG_HAVE_OPROFILE=y
+CONFIG_OPROFILE_NMI_TIMER=y
+# CONFIG_JUMP_LABEL is not set
+# CONFIG_UPROBES is not set
+# CONFIG_HAVE_64BIT_ALIGNED_ACCESS is not set
+CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
+CONFIG_ARCH_USE_BUILTIN_BSWAP=y
+CONFIG_HAVE_IOREMAP_PROT=y
+CONFIG_HAVE_KPROBES=y
+CONFIG_HAVE_KRETPROBES=y
+CONFIG_HAVE_OPTPROBES=y
+CONFIG_HAVE_KPROBES_ON_FTRACE=y
+CONFIG_HAVE_NMI=y
+CONFIG_HAVE_ARCH_TRACEHOOK=y
+CONFIG_HAVE_DMA_CONTIGUOUS=y
+CONFIG_GENERIC_SMP_IDLE_THREAD=y
+CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y
+CONFIG_HAVE_REGS_AND_STACK_ACCESS_API=y
+CONFIG_HAVE_DMA_API_DEBUG=y
+CONFIG_HAVE_HW_BREAKPOINT=y
+CONFIG_HAVE_MIXED_BREAKPOINTS_REGS=y
+CONFIG_HAVE_USER_RETURN_NOTIFIER=y
+CONFIG_HAVE_PERF_EVENTS_NMI=y
+CONFIG_HAVE_PERF_REGS=y
+CONFIG_HAVE_PERF_USER_STACK_DUMP=y
+CONFIG_HAVE_ARCH_JUMP_LABEL=y
+CONFIG_ARCH_HAVE_NMI_SAFE_CMPXCHG=y
+CONFIG_HAVE_CMPXCHG_LOCAL=y
+CONFIG_HAVE_CMPXCHG_DOUBLE=y
+CONFIG_HAVE_ARCH_SECCOMP_FILTER=y
+CONFIG_SECCOMP_FILTER=y
+CONFIG_HAVE_GCC_PLUGINS=y
+# CONFIG_GCC_PLUGINS is not set
+CONFIG_HAVE_CC_STACKPROTECTOR=y
+CONFIG_CC_STACKPROTECTOR=y
+# CONFIG_CC_STACKPROTECTOR_NONE is not set
+CONFIG_CC_STACKPROTECTOR_REGULAR=y
+# CONFIG_CC_STACKPROTECTOR_STRONG is not set
+CONFIG_HAVE_ARCH_WITHIN_STACK_FRAMES=y
+CONFIG_HAVE_CONTEXT_TRACKING=y
+CONFIG_HAVE_VIRT_CPU_ACCOUNTING_GEN=y
+CONFIG_HAVE_IRQ_TIME_ACCOUNTING=y
+CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y
+CONFIG_HAVE_ARCH_HUGE_VMAP=y
+CONFIG_HAVE_ARCH_SOFT_DIRTY=y
+CONFIG_MODULES_USE_ELF_RELA=y
+CONFIG_HAVE_IRQ_EXIT_ON_IRQ_STACK=y
+CONFIG_ARCH_HAS_ELF_RANDOMIZE=y
+CONFIG_HAVE_ARCH_MMAP_RND_BITS=y
+CONFIG_HAVE_EXIT_THREAD=y
+CONFIG_ARCH_MMAP_RND_BITS=28
+CONFIG_HAVE_COPY_THREAD_TLS=y
+CONFIG_HAVE_STACK_VALIDATION=y
+# CONFIG_HAVE_ARCH_HASH is not set
+# CONFIG_ISA_BUS_API is not set
+# CONFIG_CPU_NO_EFFICIENT_FFS is not set
+CONFIG_HAVE_ARCH_VMAP_STACK=y
+CONFIG_VMAP_STACK=y
+
+#
+# GCOV-based kernel profiling
+#
+CONFIG_ARCH_HAS_GCOV_PROFILE_ALL=y
+# CONFIG_HAVE_GENERIC_DMA_COHERENT is not set
+CONFIG_SLABINFO=y
+CONFIG_RT_MUTEXES=y
+CONFIG_BASE_SMALL=0
+# CONFIG_MODULES is not set
+CONFIG_MODULES_TREE_LOOKUP=y
+CONFIG_BLOCK=y
+# CONFIG_BLK_DEV_BSG is not set
+# CONFIG_BLK_DEV_BSGLIB is not set
+# CONFIG_BLK_DEV_INTEGRITY is not set
+# CONFIG_BLK_DEV_THROTTLING is not set
+# CONFIG_BLK_CMDLINE_PARSER is not set
+
+#
+# Partition Types
+#
+# CONFIG_PARTITION_ADVANCED is not set
+CONFIG_MSDOS_PARTITION=y
+CONFIG_EFI_PARTITION=y
+CONFIG_BLK_MQ_PCI=y
+
+#
+# IO Schedulers
+#
+CONFIG_IOSCHED_NOOP=y
+CONFIG_IOSCHED_DEADLINE=y
+CONFIG_IOSCHED_CFQ=y
+# CONFIG_CFQ_GROUP_IOSCHED is not set
+# CONFIG_DEFAULT_DEADLINE is not set
+CONFIG_DEFAULT_CFQ=y
+# CONFIG_DEFAULT_NOOP is not set
+CONFIG_DEFAULT_IOSCHED="cfq"
+CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
+CONFIG_INLINE_READ_UNLOCK=y
+CONFIG_INLINE_READ_UNLOCK_IRQ=y
+CONFIG_INLINE_WRITE_UNLOCK=y
+CONFIG_INLINE_WRITE_UNLOCK_IRQ=y
+CONFIG_ARCH_SUPPORTS_ATOMIC_RMW=y
+CONFIG_ARCH_USE_QUEUED_SPINLOCKS=y
+CONFIG_ARCH_USE_QUEUED_RWLOCKS=y
+CONFIG_FREEZER=y
+
+#
+# Processor type and features
+#
+CONFIG_ZONE_DMA=y
+# CONFIG_SMP is not set
+CONFIG_X86_FEATURE_NAMES=y
+CONFIG_X86_FAST_FEATURE_TESTS=y
+CONFIG_X86_MPPARSE=y
+# CONFIG_GOLDFISH is not set
+CONFIG_X86_EXTENDED_PLATFORM=y
+# CONFIG_X86_GOLDFISH is not set
+# CONFIG_X86_INTEL_MID is not set
+# CONFIG_MLX_PLATFORM is not set
+# CONFIG_X86_INTEL_LPSS is not set
+# CONFIG_X86_AMD_PLATFORM_DEVICE is not set
+CONFIG_IOSF_MBI=y
+CONFIG_SCHED_OMIT_FRAME_POINTER=y
+# CONFIG_HYPERVISOR_GUEST is not set
+CONFIG_NO_BOOTMEM=y
+# CONFIG_MK8 is not set
+# CONFIG_MPSC is not set
+CONFIG_MCORE2=y
+# CONFIG_MATOM is not set
+# CONFIG_GENERIC_CPU is not set
+CONFIG_X86_INTERNODE_CACHE_SHIFT=6
+CONFIG_X86_L1_CACHE_SHIFT=6
+CONFIG_X86_INTEL_USERCOPY=y
+CONFIG_X86_USE_PPRO_CHECKSUM=y
+CONFIG_X86_P6_NOP=y
+CONFIG_X86_TSC=y
+CONFIG_X86_CMPXCHG64=y
+CONFIG_X86_CMOV=y
+CONFIG_X86_MINIMUM_CPU_FAMILY=64
+CONFIG_X86_DEBUGCTLMSR=y
+CONFIG_CPU_SUP_INTEL=y
+CONFIG_CPU_SUP_AMD=y
+CONFIG_CPU_SUP_CENTAUR=y
+CONFIG_HPET_TIMER=y
+CONFIG_DMI=y
+CONFIG_GART_IOMMU=y
+# CONFIG_CALGARY_IOMMU is not set
+CONFIG_SWIOTLB=y
+CONFIG_IOMMU_HELPER=y
+CONFIG_NR_CPUS=1
+CONFIG_PREEMPT_NONE=y
+# CONFIG_PREEMPT_VOLUNTARY is not set
+# CONFIG_PREEMPT is not set
+CONFIG_UP_LATE_INIT=y
+CONFIG_X86_LOCAL_APIC=y
+CONFIG_X86_IO_APIC=y
+# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
+# CONFIG_X86_MCE is not set
+
+#
+# Performance monitoring
+#
+CONFIG_PERF_EVENTS_INTEL_UNCORE=y
+CONFIG_PERF_EVENTS_INTEL_RAPL=y
+CONFIG_PERF_EVENTS_INTEL_CSTATE=y
+# CONFIG_PERF_EVENTS_AMD_POWER is not set
+# CONFIG_VM86 is not set
+CONFIG_X86_16BIT=y
+CONFIG_X86_ESPFIX64=y
+CONFIG_X86_VSYSCALL_EMULATION=y
+# CONFIG_I8K is not set
+CONFIG_MICROCODE=y
+CONFIG_MICROCODE_INTEL=y
+# CONFIG_MICROCODE_AMD is not set
+CONFIG_MICROCODE_OLD_INTERFACE=y
+# CONFIG_X86_MSR is not set
+# CONFIG_X86_CPUID is not set
+CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
+CONFIG_ARCH_DMA_ADDR_T_64BIT=y
+CONFIG_X86_DIRECT_GBPAGES=y
+CONFIG_ARCH_SPARSEMEM_ENABLE=y
+CONFIG_ARCH_SPARSEMEM_DEFAULT=y
+CONFIG_ARCH_SELECT_MEMORY_MODEL=y
+CONFIG_ARCH_MEMORY_PROBE=y
+CONFIG_ARCH_PROC_KCORE_TEXT=y
+CONFIG_ILLEGAL_POINTER_VALUE=0xdead000000000000
+CONFIG_SELECT_MEMORY_MODEL=y
+CONFIG_SPARSEMEM_MANUAL=y
+CONFIG_SPARSEMEM=y
+CONFIG_HAVE_MEMORY_PRESENT=y
+CONFIG_SPARSEMEM_EXTREME=y
+CONFIG_SPARSEMEM_VMEMMAP_ENABLE=y
+CONFIG_SPARSEMEM_ALLOC_MEM_MAP_TOGETHER=y
+CONFIG_SPARSEMEM_VMEMMAP=y
+CONFIG_HAVE_MEMBLOCK=y
+CONFIG_HAVE_MEMBLOCK_NODE_MAP=y
+CONFIG_ARCH_DISCARD_MEMBLOCK=y
+CONFIG_MEMORY_ISOLATION=y
+CONFIG_HAVE_BOOTMEM_INFO_NODE=y
+CONFIG_MEMORY_HOTPLUG=y
+CONFIG_MEMORY_HOTPLUG_SPARSE=y
+# CONFIG_MEMORY_HOTPLUG_DEFAULT_ONLINE is not set
+CONFIG_MEMORY_HOTREMOVE=y
+CONFIG_SPLIT_PTLOCK_CPUS=4
+CONFIG_ARCH_ENABLE_SPLIT_PMD_PTLOCK=y
+CONFIG_MEMORY_BALLOON=y
+# CONFIG_COMPACTION is not set
+CONFIG_MIGRATION=y
+CONFIG_PHYS_ADDR_T_64BIT=y
+CONFIG_BOUNCE=y
+CONFIG_VIRT_TO_BUS=y
+# CONFIG_KSM is not set
+CONFIG_DEFAULT_MMAP_MIN_ADDR=4096
+# CONFIG_TRANSPARENT_HUGEPAGE is not set
+CONFIG_NEED_PER_CPU_KM=y
+# CONFIG_CLEANCACHE is not set
+# CONFIG_FRONTSWAP is not set
+# CONFIG_CMA is not set
+# CONFIG_ZPOOL is not set
+# CONFIG_ZBUD is not set
+# CONFIG_ZSMALLOC is not set
+CONFIG_GENERIC_EARLY_IOREMAP=y
+CONFIG_ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT=y
+# CONFIG_DEFERRED_STRUCT_PAGE_INIT is not set
+# CONFIG_IDLE_PAGE_TRACKING is not set
+# CONFIG_ZONE_DEVICE is not set
+CONFIG_ARCH_USES_HIGH_VMA_FLAGS=y
+CONFIG_ARCH_HAS_PKEYS=y
+# CONFIG_X86_PMEM_LEGACY is not set
+# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
+CONFIG_X86_RESERVE_LOW=64
+CONFIG_MTRR=y
+CONFIG_MTRR_SANITIZER=y
+CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
+CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
+CONFIG_X86_PAT=y
+CONFIG_ARCH_USES_PG_UNCACHED=y
+CONFIG_ARCH_RANDOM=y
+CONFIG_X86_SMAP=y
+# CONFIG_X86_INTEL_MPX is not set
+CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS=y
+# CONFIG_EFI is not set
+CONFIG_SECCOMP=y
+# CONFIG_HZ_100 is not set
+CONFIG_HZ_250=y
+# CONFIG_HZ_300 is not set
+# CONFIG_HZ_1000 is not set
+CONFIG_HZ=250
+CONFIG_SCHED_HRTICK=y
+# CONFIG_KEXEC is not set
+# CONFIG_KEXEC_FILE is not set
+# CONFIG_CRASH_DUMP is not set
+CONFIG_PHYSICAL_START=0x1000000
+CONFIG_RELOCATABLE=y
+# CONFIG_RANDOMIZE_BASE is not set
+CONFIG_PHYSICAL_ALIGN=0x1000000
+# CONFIG_LEGACY_VSYSCALL_NATIVE is not set
+CONFIG_LEGACY_VSYSCALL_EMULATE=y
+# CONFIG_LEGACY_VSYSCALL_NONE is not set
+# CONFIG_CMDLINE_BOOL is not set
+CONFIG_MODIFY_LDT_SYSCALL=y
+CONFIG_HAVE_LIVEPATCH=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTPLUG=y
+CONFIG_ARCH_ENABLE_MEMORY_HOTREMOVE=y
+
+#
+# Power management and ACPI options
+#
+CONFIG_SUSPEND=y
+CONFIG_SUSPEND_FREEZER=y
+# CONFIG_HIBERNATION is not set
+CONFIG_PM_SLEEP=y
+# CONFIG_PM_AUTOSLEEP is not set
+# CONFIG_PM_WAKELOCKS is not set
+CONFIG_PM=y
+# CONFIG_PM_DEBUG is not set
+# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set
+CONFIG_ACPI=y
+CONFIG_ACPI_LEGACY_TABLES_LOOKUP=y
+CONFIG_ARCH_MIGHT_HAVE_ACPI_PDC=y
+CONFIG_ACPI_SYSTEM_POWER_STATES_SUPPORT=y
+# CONFIG_ACPI_DEBUGGER is not set
+CONFIG_ACPI_SLEEP=y
+# CONFIG_ACPI_PROCFS_POWER is not set
+CONFIG_ACPI_REV_OVERRIDE_POSSIBLE=y
+# CONFIG_ACPI_EC_DEBUGFS is not set
+CONFIG_ACPI_AC=y
+CONFIG_ACPI_BATTERY=y
+CONFIG_ACPI_BUTTON=y
+CONFIG_ACPI_FAN=y
+# CONFIG_ACPI_DOCK is not set
+CONFIG_ACPI_CPU_FREQ_PSS=y
+CONFIG_ACPI_PROCESSOR_CSTATE=y
+CONFIG_ACPI_PROCESSOR_IDLE=y
+CONFIG_ACPI_PROCESSOR=y
+# CONFIG_ACPI_PROCESSOR_AGGREGATOR is not set
+CONFIG_ACPI_THERMAL=y
+# CONFIG_ACPI_CUSTOM_DSDT is not set
+CONFIG_ARCH_HAS_ACPI_TABLE_UPGRADE=y
+# CONFIG_ACPI_DEBUG is not set
+# CONFIG_ACPI_PCI_SLOT is not set
+CONFIG_X86_PM_TIMER=y
+# CONFIG_ACPI_CONTAINER is not set
+# CONFIG_ACPI_HOTPLUG_MEMORY is not set
+CONFIG_ACPI_HOTPLUG_IOAPIC=y
+# CONFIG_ACPI_SBS is not set
+# CONFIG_ACPI_HED is not set
+# CONFIG_ACPI_REDUCED_HARDWARE_ONLY is not set
+# CONFIG_ACPI_NFIT is not set
+CONFIG_HAVE_ACPI_APEI=y
+CONFIG_HAVE_ACPI_APEI_NMI=y
+# CONFIG_ACPI_APEI is not set
+# CONFIG_DPTF_POWER is not set
+# CONFIG_PMIC_OPREGION is not set
+# CONFIG_ACPI_CONFIGFS is not set
+# CONFIG_SFI is not set
+
+#
+# CPU Frequency scaling
+#
+# CONFIG_CPU_FREQ is not set
+
+#
+# CPU Idle
+#
+CONFIG_CPU_IDLE=y
+CONFIG_CPU_IDLE_GOV_LADDER=y
+CONFIG_CPU_IDLE_GOV_MENU=y
+# CONFIG_ARCH_NEEDS_CPU_IDLE_COUPLED is not set
+# CONFIG_INTEL_IDLE is not set
+
+#
+# Memory power savings
+#
+# CONFIG_I7300_IDLE is not set
+
+#
+# Bus options (PCI etc.)
+#
+CONFIG_PCI=y
+CONFIG_PCI_DIRECT=y
+# CONFIG_PCI_MMCONFIG is not set
+CONFIG_PCI_DOMAINS=y
+# CONFIG_PCIEPORTBUS is not set
+CONFIG_PCI_BUS_ADDR_T_64BIT=y
+CONFIG_PCI_MSI=y
+CONFIG_PCI_MSI_IRQ_DOMAIN=y
+# CONFIG_PCI_DEBUG is not set
+# CONFIG_PCI_REALLOC_ENABLE_AUTO is not set
+# CONFIG_PCI_STUB is not set
+CONFIG_HT_IRQ=y
+# CONFIG_PCI_IOV is not set
+# CONFIG_PCI_PRI is not set
+# CONFIG_PCI_PASID is not set
+CONFIG_PCI_LABEL=y
+# CONFIG_HOTPLUG_PCI is not set
+
+#
+# PCI host controller drivers
+#
+# CONFIG_PCIE_DW_PLAT is not set
+# CONFIG_VMD is not set
+CONFIG_ISA_DMA_API=y
+CONFIG_AMD_NB=y
+# CONFIG_PCCARD is not set
+# CONFIG_RAPIDIO is not set
+# CONFIG_X86_SYSFB is not set
+
+#
+# Executable file formats / Emulations
+#
+CONFIG_BINFMT_ELF=y
+CONFIG_ELFCORE=y
+# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
+CONFIG_BINFMT_SCRIPT=y
+# CONFIG_HAVE_AOUT is not set
+# CONFIG_BINFMT_MISC is not set
+CONFIG_COREDUMP=y
+# CONFIG_IA32_EMULATION is not set
+# CONFIG_X86_X32 is not set
+CONFIG_X86_DEV_DMA_OPS=y
+CONFIG_PMC_ATOM=y
+CONFIG_NET=y
+CONFIG_NET_INGRESS=y
+
+#
+# Networking options
+#
+CONFIG_PACKET=y
+# CONFIG_PACKET_DIAG is not set
+CONFIG_UNIX=y
+# CONFIG_UNIX_DIAG is not set
+CONFIG_XFRM=y
+CONFIG_XFRM_ALGO=y
+CONFIG_XFRM_USER=y
+CONFIG_XFRM_SUB_POLICY=y
+CONFIG_XFRM_MIGRATE=y
+CONFIG_XFRM_STATISTICS=y
+CONFIG_XFRM_IPCOMP=y
+CONFIG_NET_KEY=y
+CONFIG_NET_KEY_MIGRATE=y
+CONFIG_INET=y
+# CONFIG_IP_MULTICAST is not set
+CONFIG_IP_ADVANCED_ROUTER=y
+# CONFIG_IP_FIB_TRIE_STATS is not set
+CONFIG_IP_MULTIPLE_TABLES=y
+# CONFIG_IP_ROUTE_MULTIPATH is not set
+# CONFIG_IP_ROUTE_VERBOSE is not set
+CONFIG_IP_ROUTE_CLASSID=y
+# CONFIG_IP_PNP is not set
+# CONFIG_NET_IPIP is not set
+# CONFIG_NET_IPGRE_DEMUX is not set
+CONFIG_NET_IP_TUNNEL=y
+# CONFIG_SYN_COOKIES is not set
+# CONFIG_NET_IPVTI is not set
+CONFIG_NET_UDP_TUNNEL=y
+# CONFIG_NET_FOU is not set
+CONFIG_INET_AH=y
+CONFIG_INET_ESP=y
+CONFIG_INET_IPCOMP=y
+CONFIG_INET_XFRM_TUNNEL=y
+CONFIG_INET_TUNNEL=y
+CONFIG_INET_XFRM_MODE_TRANSPORT=y
+CONFIG_INET_XFRM_MODE_TUNNEL=y
+CONFIG_INET_XFRM_MODE_BEET=y
+CONFIG_INET_DIAG=y
+CONFIG_INET_TCP_DIAG=y
+# CONFIG_INET_UDP_DIAG is not set
+# CONFIG_INET_DIAG_DESTROY is not set
+# CONFIG_TCP_CONG_ADVANCED is not set
+CONFIG_TCP_CONG_CUBIC=y
+CONFIG_DEFAULT_TCP_CONG="cubic"
+# CONFIG_TCP_MD5SIG is not set
+CONFIG_IPV6=y
+# CONFIG_IPV6_ROUTER_PREF is not set
+CONFIG_IPV6_OPTIMISTIC_DAD=y
+CONFIG_INET6_AH=y
+CONFIG_INET6_ESP=y
+CONFIG_INET6_IPCOMP=y
+CONFIG_IPV6_MIP6=y
+# CONFIG_IPV6_ILA is not set
+CONFIG_INET6_XFRM_TUNNEL=y
+CONFIG_INET6_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_TRANSPORT=y
+CONFIG_INET6_XFRM_MODE_TUNNEL=y
+CONFIG_INET6_XFRM_MODE_BEET=y
+# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
+# CONFIG_IPV6_VTI is not set
+# CONFIG_IPV6_SIT is not set
+CONFIG_IPV6_TUNNEL=y
+# CONFIG_IPV6_FOU is not set
+# CONFIG_IPV6_FOU_TUNNEL is not set
+CONFIG_IPV6_MULTIPLE_TABLES=y
+CONFIG_IPV6_SUBTREES=y
+# CONFIG_IPV6_MROUTE is not set
+# CONFIG_NETWORK_SECMARK is not set
+# CONFIG_NET_PTP_CLASSIFY is not set
+# CONFIG_NETWORK_PHY_TIMESTAMPING is not set
+CONFIG_NETFILTER=y
+# CONFIG_NETFILTER_DEBUG is not set
+CONFIG_NETFILTER_ADVANCED=y
+
+#
+# Core Netfilter Configuration
+#
+CONFIG_NETFILTER_INGRESS=y
+CONFIG_NETFILTER_NETLINK=y
+# CONFIG_NETFILTER_NETLINK_ACCT is not set
+CONFIG_NETFILTER_NETLINK_QUEUE=y
+CONFIG_NETFILTER_NETLINK_LOG=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_LOG_COMMON=y
+CONFIG_NF_CONNTRACK_MARK=y
+# CONFIG_NF_CONNTRACK_ZONES is not set
+CONFIG_NF_CONNTRACK_PROCFS=y
+CONFIG_NF_CONNTRACK_EVENTS=y
+# CONFIG_NF_CONNTRACK_TIMEOUT is not set
+# CONFIG_NF_CONNTRACK_TIMESTAMP is not set
+# CONFIG_NF_CT_PROTO_DCCP is not set
+# CONFIG_NF_CT_PROTO_SCTP is not set
+CONFIG_NF_CT_PROTO_UDPLITE=y
+# CONFIG_NF_CONNTRACK_AMANDA is not set
+# CONFIG_NF_CONNTRACK_FTP is not set
+# CONFIG_NF_CONNTRACK_H323 is not set
+# CONFIG_NF_CONNTRACK_IRC is not set
+# CONFIG_NF_CONNTRACK_NETBIOS_NS is not set
+# CONFIG_NF_CONNTRACK_SNMP is not set
+# CONFIG_NF_CONNTRACK_PPTP is not set
+CONFIG_NF_CONNTRACK_SANE=y
+# CONFIG_NF_CONNTRACK_SIP is not set
+# CONFIG_NF_CONNTRACK_TFTP is not set
+CONFIG_NF_CT_NETLINK=y
+# CONFIG_NF_CT_NETLINK_TIMEOUT is not set
+# CONFIG_NETFILTER_NETLINK_GLUE_CT is not set
+CONFIG_NF_NAT=y
+CONFIG_NF_NAT_NEEDED=y
+CONFIG_NF_NAT_PROTO_UDPLITE=y
+# CONFIG_NF_NAT_AMANDA is not set
+# CONFIG_NF_NAT_FTP is not set
+# CONFIG_NF_NAT_IRC is not set
+# CONFIG_NF_NAT_SIP is not set
+# CONFIG_NF_NAT_TFTP is not set
+CONFIG_NF_NAT_REDIRECT=y
+# CONFIG_NF_TABLES is not set
+CONFIG_NETFILTER_XTABLES=y
+
+#
+# Xtables combined modules
+#
+CONFIG_NETFILTER_XT_MARK=y
+CONFIG_NETFILTER_XT_CONNMARK=y
+CONFIG_NETFILTER_XT_SET=y
+
+#
+# Xtables targets
+#
+# CONFIG_NETFILTER_XT_TARGET_CHECKSUM is not set
+CONFIG_NETFILTER_XT_TARGET_CLASSIFY=y
+CONFIG_NETFILTER_XT_TARGET_CONNMARK=y
+CONFIG_NETFILTER_XT_TARGET_CT=y
+CONFIG_NETFILTER_XT_TARGET_DSCP=y
+CONFIG_NETFILTER_XT_TARGET_HL=y
+# CONFIG_NETFILTER_XT_TARGET_HMARK is not set
+# CONFIG_NETFILTER_XT_TARGET_IDLETIMER is not set
+CONFIG_NETFILTER_XT_TARGET_LOG=y
+CONFIG_NETFILTER_XT_TARGET_MARK=y
+CONFIG_NETFILTER_XT_NAT=y
+CONFIG_NETFILTER_XT_TARGET_NETMAP=y
+CONFIG_NETFILTER_XT_TARGET_NFLOG=y
+CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y
+CONFIG_NETFILTER_XT_TARGET_NOTRACK=y
+# CONFIG_NETFILTER_XT_TARGET_RATEEST is not set
+CONFIG_NETFILTER_XT_TARGET_REDIRECT=y
+# CONFIG_NETFILTER_XT_TARGET_TEE is not set
+# CONFIG_NETFILTER_XT_TARGET_TPROXY is not set
+CONFIG_NETFILTER_XT_TARGET_TRACE=y
+CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
+# CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP is not set
+
+#
+# Xtables matches
+#
+CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=y
+# CONFIG_NETFILTER_XT_MATCH_BPF is not set
+# CONFIG_NETFILTER_XT_MATCH_CGROUP is not set
+CONFIG_NETFILTER_XT_MATCH_CLUSTER=y
+CONFIG_NETFILTER_XT_MATCH_COMMENT=y
+CONFIG_NETFILTER_XT_MATCH_CONNBYTES=y
+# CONFIG_NETFILTER_XT_MATCH_CONNLABEL is not set
+CONFIG_NETFILTER_XT_MATCH_CONNLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_CONNMARK=y
+CONFIG_NETFILTER_XT_MATCH_CONNTRACK=y
+# CONFIG_NETFILTER_XT_MATCH_CPU is not set
+CONFIG_NETFILTER_XT_MATCH_DCCP=y
+CONFIG_NETFILTER_XT_MATCH_DEVGROUP=y
+CONFIG_NETFILTER_XT_MATCH_DSCP=y
+CONFIG_NETFILTER_XT_MATCH_ECN=y
+CONFIG_NETFILTER_XT_MATCH_ESP=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_NETFILTER_XT_MATCH_HELPER=y
+CONFIG_NETFILTER_XT_MATCH_HL=y
+# CONFIG_NETFILTER_XT_MATCH_IPCOMP is not set
+# CONFIG_NETFILTER_XT_MATCH_IPRANGE is not set
+CONFIG_NETFILTER_XT_MATCH_L2TP=y
+CONFIG_NETFILTER_XT_MATCH_LENGTH=y
+CONFIG_NETFILTER_XT_MATCH_LIMIT=y
+CONFIG_NETFILTER_XT_MATCH_MAC=y
+CONFIG_NETFILTER_XT_MATCH_MARK=y
+CONFIG_NETFILTER_XT_MATCH_MULTIPORT=y
+# CONFIG_NETFILTER_XT_MATCH_NFACCT is not set
+# CONFIG_NETFILTER_XT_MATCH_OSF is not set
+# CONFIG_NETFILTER_XT_MATCH_OWNER is not set
+CONFIG_NETFILTER_XT_MATCH_POLICY=y
+CONFIG_NETFILTER_XT_MATCH_PKTTYPE=y
+CONFIG_NETFILTER_XT_MATCH_QUOTA=y
+# CONFIG_NETFILTER_XT_MATCH_RATEEST is not set
+CONFIG_NETFILTER_XT_MATCH_REALM=y
+# CONFIG_NETFILTER_XT_MATCH_RECENT is not set
+CONFIG_NETFILTER_XT_MATCH_SCTP=y
+# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
+CONFIG_NETFILTER_XT_MATCH_STATE=y
+CONFIG_NETFILTER_XT_MATCH_STATISTIC=y
+CONFIG_NETFILTER_XT_MATCH_STRING=y
+CONFIG_NETFILTER_XT_MATCH_TCPMSS=y
+# CONFIG_NETFILTER_XT_MATCH_TIME is not set
+CONFIG_NETFILTER_XT_MATCH_U32=y
+CONFIG_IP_SET=y
+CONFIG_IP_SET_MAX=256
+CONFIG_IP_SET_BITMAP_IP=y
+CONFIG_IP_SET_BITMAP_IPMAC=y
+CONFIG_IP_SET_BITMAP_PORT=y
+CONFIG_IP_SET_HASH_IP=y
+# CONFIG_IP_SET_HASH_IPMARK is not set
+CONFIG_IP_SET_HASH_IPPORT=y
+CONFIG_IP_SET_HASH_IPPORTIP=y
+CONFIG_IP_SET_HASH_IPPORTNET=y
+# CONFIG_IP_SET_HASH_MAC is not set
+# CONFIG_IP_SET_HASH_NETPORTNET is not set
+CONFIG_IP_SET_HASH_NET=y
+# CONFIG_IP_SET_HASH_NETNET is not set
+CONFIG_IP_SET_HASH_NETPORT=y
+# CONFIG_IP_SET_HASH_NETIFACE is not set
+CONFIG_IP_SET_LIST_SET=y
+# CONFIG_IP_VS is not set
+
+#
+# IP: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV4=y
+CONFIG_NF_CONNTRACK_IPV4=y
+# CONFIG_NF_DUP_IPV4 is not set
+# CONFIG_NF_LOG_ARP is not set
+CONFIG_NF_LOG_IPV4=y
+CONFIG_NF_REJECT_IPV4=y
+CONFIG_NF_NAT_IPV4=y
+CONFIG_NF_NAT_MASQUERADE_IPV4=y
+# CONFIG_NF_NAT_PPTP is not set
+# CONFIG_NF_NAT_H323 is not set
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_MATCH_AH=y
+CONFIG_IP_NF_MATCH_ECN=y
+# CONFIG_IP_NF_MATCH_RPFILTER is not set
+CONFIG_IP_NF_MATCH_TTL=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_TARGET_REJECT=y
+# CONFIG_IP_NF_TARGET_SYNPROXY is not set
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+CONFIG_IP_NF_TARGET_NETMAP=y
+CONFIG_IP_NF_TARGET_REDIRECT=y
+CONFIG_IP_NF_MANGLE=y
+CONFIG_IP_NF_TARGET_CLUSTERIP=y
+CONFIG_IP_NF_TARGET_ECN=y
+CONFIG_IP_NF_TARGET_TTL=y
+CONFIG_IP_NF_RAW=y
+CONFIG_IP_NF_ARPTABLES=y
+CONFIG_IP_NF_ARPFILTER=y
+CONFIG_IP_NF_ARP_MANGLE=y
+
+#
+# IPv6: Netfilter Configuration
+#
+CONFIG_NF_DEFRAG_IPV6=y
+CONFIG_NF_CONNTRACK_IPV6=y
+# CONFIG_NF_DUP_IPV6 is not set
+CONFIG_NF_REJECT_IPV6=y
+CONFIG_NF_LOG_IPV6=y
+CONFIG_NF_NAT_IPV6=y
+CONFIG_NF_NAT_MASQUERADE_IPV6=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IP6_NF_MATCH_AH=y
+CONFIG_IP6_NF_MATCH_EUI64=y
+CONFIG_IP6_NF_MATCH_FRAG=y
+CONFIG_IP6_NF_MATCH_OPTS=y
+CONFIG_IP6_NF_MATCH_HL=y
+CONFIG_IP6_NF_MATCH_IPV6HEADER=y
+CONFIG_IP6_NF_MATCH_MH=y
+# CONFIG_IP6_NF_MATCH_RPFILTER is not set
+CONFIG_IP6_NF_MATCH_RT=y
+CONFIG_IP6_NF_TARGET_HL=y
+CONFIG_IP6_NF_FILTER=y
+CONFIG_IP6_NF_TARGET_REJECT=y
+# CONFIG_IP6_NF_TARGET_SYNPROXY is not set
+CONFIG_IP6_NF_MANGLE=y
+CONFIG_IP6_NF_RAW=y
+# CONFIG_IP6_NF_NAT is not set
+# CONFIG_IP_DCCP is not set
+# CONFIG_IP_SCTP is not set
+# CONFIG_RDS is not set
+# CONFIG_TIPC is not set
+# CONFIG_ATM is not set
+CONFIG_L2TP=y
+# CONFIG_L2TP_V3 is not set
+# CONFIG_BRIDGE is not set
+CONFIG_HAVE_NET_DSA=y
+# CONFIG_VLAN_8021Q is not set
+# CONFIG_DECNET is not set
+# CONFIG_LLC2 is not set
+# CONFIG_IPX is not set
+# CONFIG_ATALK is not set
+# CONFIG_X25 is not set
+# CONFIG_LAPB is not set
+# CONFIG_PHONET is not set
+# CONFIG_6LOWPAN is not set
+# CONFIG_IEEE802154 is not set
+# CONFIG_NET_SCHED is not set
+# CONFIG_DCB is not set
+# CONFIG_BATMAN_ADV is not set
+# CONFIG_OPENVSWITCH is not set
+# CONFIG_VSOCKETS is not set
+# CONFIG_NETLINK_DIAG is not set
+# CONFIG_MPLS is not set
+# CONFIG_HSR is not set
+# CONFIG_NET_SWITCHDEV is not set
+# CONFIG_NET_L3_MASTER_DEV is not set
+# CONFIG_NET_NCSI is not set
+CONFIG_SOCK_CGROUP_DATA=y
+CONFIG_CGROUP_NET_PRIO=y
+CONFIG_CGROUP_NET_CLASSID=y
+CONFIG_NET_RX_BUSY_POLL=y
+CONFIG_BQL=y
+
+#
+# Network testing
+#
+# CONFIG_NET_PKTGEN is not set
+# CONFIG_HAMRADIO is not set
+# CONFIG_CAN is not set
+# CONFIG_IRDA is not set
+# CONFIG_BT is not set
+# CONFIG_AF_RXRPC is not set
+# CONFIG_AF_KCM is not set
+# CONFIG_STREAM_PARSER is not set
+CONFIG_FIB_RULES=y
+CONFIG_WIRELESS=y
+# CONFIG_CFG80211 is not set
+# CONFIG_LIB80211 is not set
+
+#
+# CFG80211 needs to be enabled for MAC80211
+#
+CONFIG_MAC80211_STA_HASH_MAX_SIZE=0
+# CONFIG_WIMAX is not set
+# CONFIG_RFKILL is not set
+CONFIG_NET_9P=y
+CONFIG_NET_9P_VIRTIO=y
+# CONFIG_NET_9P_DEBUG is not set
+# CONFIG_CAIF is not set
+# CONFIG_CEPH_LIB is not set
+# CONFIG_NFC is not set
+# CONFIG_LWTUNNEL is not set
+CONFIG_DST_CACHE=y
+# CONFIG_NET_DEVLINK is not set
+CONFIG_MAY_USE_DEVLINK=y
+CONFIG_HAVE_EBPF_JIT=y
+
+#
+# Device Drivers
+#
+
+#
+# Generic Driver Options
+#
+CONFIG_UEVENT_HELPER=y
+CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
+CONFIG_DEVTMPFS=y
+CONFIG_DEVTMPFS_MOUNT=y
+CONFIG_STANDALONE=y
+CONFIG_PREVENT_FIRMWARE_BUILD=y
+CONFIG_FW_LOADER=y
+CONFIG_FIRMWARE_IN_KERNEL=y
+CONFIG_EXTRA_FIRMWARE=""
+# CONFIG_FW_LOADER_USER_HELPER_FALLBACK is not set
+CONFIG_ALLOW_DEV_COREDUMP=y
+# CONFIG_DEBUG_DRIVER is not set
+# CONFIG_DEBUG_DEVRES is not set
+# CONFIG_DEBUG_TEST_DRIVER_REMOVE is not set
+# CONFIG_SYS_HYPERVISOR is not set
+# CONFIG_GENERIC_CPU_DEVICES is not set
+CONFIG_GENERIC_CPU_AUTOPROBE=y
+# CONFIG_DMA_SHARED_BUFFER is not set
+
+#
+# Bus devices
+#
+# CONFIG_CONNECTOR is not set
+# CONFIG_MTD is not set
+# CONFIG_OF is not set
+CONFIG_ARCH_MIGHT_HAVE_PC_PARPORT=y
+# CONFIG_PARPORT is not set
+CONFIG_PNP=y
+CONFIG_PNP_DEBUG_MESSAGES=y
+
+#
+# Protocols
+#
+CONFIG_PNPACPI=y
+CONFIG_BLK_DEV=y
+# CONFIG_BLK_DEV_NULL_BLK is not set
+# CONFIG_BLK_DEV_FD is not set
+# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set
+# CONFIG_BLK_CPQ_CISS_DA is not set
+# CONFIG_BLK_DEV_DAC960 is not set
+# CONFIG_BLK_DEV_UMEM is not set
+# CONFIG_BLK_DEV_COW_COMMON is not set
+CONFIG_BLK_DEV_LOOP=y
+CONFIG_BLK_DEV_LOOP_MIN_COUNT=8
+# CONFIG_BLK_DEV_CRYPTOLOOP is not set
+# CONFIG_BLK_DEV_DRBD is not set
+CONFIG_BLK_DEV_NBD=y
+# CONFIG_BLK_DEV_SKD is not set
+# CONFIG_BLK_DEV_SX8 is not set
+# CONFIG_BLK_DEV_RAM is not set
+# CONFIG_CDROM_PKTCDVD is not set
+# CONFIG_ATA_OVER_ETH is not set
+CONFIG_VIRTIO_BLK=y
+# CONFIG_BLK_DEV_HD is not set
+# CONFIG_BLK_DEV_RBD is not set
+# CONFIG_BLK_DEV_RSXX is not set
+# CONFIG_BLK_DEV_NVME is not set
+
+#
+# Misc devices
+#
+# CONFIG_SENSORS_LIS3LV02D is not set
+# CONFIG_DUMMY_IRQ is not set
+# CONFIG_IBM_ASM is not set
+# CONFIG_PHANTOM is not set
+# CONFIG_SGI_IOC4 is not set
+# CONFIG_TIFM_CORE is not set
+# CONFIG_ENCLOSURE_SERVICES is not set
+# CONFIG_HP_ILO is not set
+# CONFIG_SRAM is not set
+# CONFIG_C2PORT is not set
+
+#
+# EEPROM support
+#
+# CONFIG_EEPROM_93CX6 is not set
+# CONFIG_CB710_CORE is not set
+
+#
+# Texas Instruments shared transport line discipline
+#
+
+#
+# Altera FPGA firmware download module
+#
+# CONFIG_INTEL_MEI is not set
+# CONFIG_INTEL_MEI_ME is not set
+# CONFIG_INTEL_MEI_TXE is not set
+# CONFIG_VMWARE_VMCI is not set
+
+#
+# Intel MIC Bus Driver
+#
+# CONFIG_INTEL_MIC_BUS is not set
+
+#
+# SCIF Bus Driver
+#
+# CONFIG_SCIF_BUS is not set
+
+#
+# VOP Bus Driver
+#
+# CONFIG_VOP_BUS is not set
+
+#
+# Intel MIC Host Driver
+#
+
+#
+# Intel MIC Card Driver
+#
+
+#
+# SCIF Driver
+#
+
+#
+# Intel MIC Coprocessor State Management (COSM) Drivers
+#
+
+#
+# VOP Driver
+#
+# CONFIG_GENWQE is not set
+# CONFIG_ECHO is not set
+# CONFIG_CXL_BASE is not set
+# CONFIG_CXL_AFU_DRIVER_OPS is not set
+CONFIG_HAVE_IDE=y
+# CONFIG_IDE is not set
+
+#
+# SCSI device support
+#
+CONFIG_SCSI_MOD=y
+# CONFIG_RAID_ATTRS is not set
+# CONFIG_SCSI is not set
+# CONFIG_SCSI_DMA is not set
+# CONFIG_SCSI_NETLINK is not set
+# CONFIG_ATA is not set
+# CONFIG_MD is not set
+# CONFIG_FUSION is not set
+
+#
+# IEEE 1394 (FireWire) support
+#
+# CONFIG_FIREWIRE is not set
+# CONFIG_FIREWIRE_NOSY is not set
+# CONFIG_MACINTOSH_DRIVERS is not set
+CONFIG_NETDEVICES=y
+CONFIG_NET_CORE=y
+# CONFIG_BONDING is not set
+CONFIG_DUMMY=y
+# CONFIG_EQUALIZER is not set
+# CONFIG_NET_TEAM is not set
+# CONFIG_MACVLAN is not set
+# CONFIG_VXLAN is not set
+# CONFIG_GENEVE is not set
+# CONFIG_GTP is not set
+CONFIG_MACSEC=y
+# CONFIG_NETCONSOLE is not set
+# CONFIG_NETPOLL is not set
+# CONFIG_NET_POLL_CONTROLLER is not set
+CONFIG_TUN=y
+# CONFIG_TUN_VNET_CROSS_LE is not set
+# CONFIG_VETH is not set
+CONFIG_VIRTIO_NET=y
+# CONFIG_NLMON is not set
+# CONFIG_ARCNET is not set
+
+#
+# CAIF transport drivers
+#
+
+#
+# Distributed Switch Architecture drivers
+#
+CONFIG_ETHERNET=y
+CONFIG_NET_VENDOR_3COM=y
+# CONFIG_VORTEX is not set
+# CONFIG_TYPHOON is not set
+CONFIG_NET_VENDOR_ADAPTEC=y
+# CONFIG_ADAPTEC_STARFIRE is not set
+CONFIG_NET_VENDOR_AGERE=y
+# CONFIG_ET131X is not set
+CONFIG_NET_VENDOR_ALTEON=y
+# CONFIG_ACENIC is not set
+# CONFIG_ALTERA_TSE is not set
+CONFIG_NET_VENDOR_AMAZON=y
+# CONFIG_ENA_ETHERNET is not set
+CONFIG_NET_VENDOR_AMD=y
+# CONFIG_AMD8111_ETH is not set
+# CONFIG_PCNET32 is not set
+# CONFIG_NET_VENDOR_ARC is not set
+CONFIG_NET_VENDOR_ATHEROS=y
+# CONFIG_ATL2 is not set
+# CONFIG_ATL1 is not set
+# CONFIG_ATL1E is not set
+# CONFIG_ATL1C is not set
+# CONFIG_ALX is not set
+# CONFIG_NET_VENDOR_AURORA is not set
+CONFIG_NET_CADENCE=y
+# CONFIG_MACB is not set
+CONFIG_NET_VENDOR_BROADCOM=y
+# CONFIG_B44 is not set
+# CONFIG_BCMGENET is not set
+# CONFIG_BNX2 is not set
+# CONFIG_CNIC is not set
+# CONFIG_TIGON3 is not set
+# CONFIG_BNX2X is not set
+# CONFIG_BNXT is not set
+CONFIG_NET_VENDOR_BROCADE=y
+# CONFIG_BNA is not set
+CONFIG_NET_VENDOR_CAVIUM=y
+# CONFIG_THUNDER_NIC_PF is not set
+# CONFIG_THUNDER_NIC_VF is not set
+# CONFIG_THUNDER_NIC_BGX is not set
+# CONFIG_THUNDER_NIC_RGX is not set
+# CONFIG_LIQUIDIO is not set
+CONFIG_NET_VENDOR_CHELSIO=y
+# CONFIG_CHELSIO_T1 is not set
+# CONFIG_CHELSIO_T3 is not set
+# CONFIG_CHELSIO_T4 is not set
+# CONFIG_CHELSIO_T4VF is not set
+CONFIG_NET_VENDOR_CISCO=y
+# CONFIG_ENIC is not set
+# CONFIG_CX_ECAT is not set
+# CONFIG_DNET is not set
+CONFIG_NET_VENDOR_DEC=y
+# CONFIG_NET_TULIP is not set
+CONFIG_NET_VENDOR_DLINK=y
+# CONFIG_DL2K is not set
+# CONFIG_SUNDANCE is not set
+CONFIG_NET_VENDOR_EMULEX=y
+# CONFIG_BE2NET is not set
+CONFIG_NET_VENDOR_EZCHIP=y
+CONFIG_NET_VENDOR_EXAR=y
+# CONFIG_S2IO is not set
+# CONFIG_VXGE is not set
+CONFIG_NET_VENDOR_HP=y
+# CONFIG_HP100 is not set
+CONFIG_NET_VENDOR_INTEL=y
+# CONFIG_E100 is not set
+# CONFIG_E1000 is not set
+# CONFIG_E1000E is not set
+# CONFIG_IGB is not set
+# CONFIG_IGBVF is not set
+# CONFIG_IXGB is not set
+# CONFIG_IXGBE is not set
+# CONFIG_IXGBEVF is not set
+# CONFIG_I40E is not set
+# CONFIG_I40EVF is not set
+# CONFIG_FM10K is not set
+CONFIG_NET_VENDOR_I825XX=y
+# CONFIG_JME is not set
+CONFIG_NET_VENDOR_MARVELL=y
+# CONFIG_MVMDIO is not set
+# CONFIG_MVNETA_BM is not set
+# CONFIG_SKGE is not set
+# CONFIG_SKY2 is not set
+CONFIG_NET_VENDOR_MELLANOX=y
+# CONFIG_MLX4_EN is not set
+# CONFIG_MLX4_CORE is not set
+# CONFIG_MLX5_CORE is not set
+# CONFIG_MLXSW_CORE is not set
+CONFIG_NET_VENDOR_MICREL=y
+# CONFIG_KS8851_MLL is not set
+# CONFIG_KSZ884X_PCI is not set
+CONFIG_NET_VENDOR_MYRI=y
+# CONFIG_MYRI10GE is not set
+# CONFIG_FEALNX is not set
+CONFIG_NET_VENDOR_NATSEMI=y
+# CONFIG_NATSEMI is not set
+# CONFIG_NS83820 is not set
+CONFIG_NET_VENDOR_NETRONOME=y
+# CONFIG_NFP_NETVF is not set
+CONFIG_NET_VENDOR_8390=y
+# CONFIG_NE2K_PCI is not set
+CONFIG_NET_VENDOR_NVIDIA=y
+# CONFIG_FORCEDETH is not set
+CONFIG_NET_VENDOR_OKI=y
+# CONFIG_ETHOC is not set
+CONFIG_NET_PACKET_ENGINE=y
+# CONFIG_HAMACHI is not set
+# CONFIG_YELLOWFIN is not set
+CONFIG_NET_VENDOR_QLOGIC=y
+# CONFIG_QLA3XXX is not set
+# CONFIG_QLCNIC is not set
+# CONFIG_QLGE is not set
+# CONFIG_NETXEN_NIC is not set
+# CONFIG_QED is not set
+CONFIG_NET_VENDOR_QUALCOMM=y
+# CONFIG_QCOM_EMAC is not set
+CONFIG_NET_VENDOR_REALTEK=y
+# CONFIG_8139CP is not set
+# CONFIG_8139TOO is not set
+# CONFIG_R8169 is not set
+CONFIG_NET_VENDOR_RENESAS=y
+CONFIG_NET_VENDOR_RDC=y
+# CONFIG_R6040 is not set
+CONFIG_NET_VENDOR_ROCKER=y
+CONFIG_NET_VENDOR_SAMSUNG=y
+# CONFIG_SXGBE_ETH is not set
+CONFIG_NET_VENDOR_SEEQ=y
+CONFIG_NET_VENDOR_SILAN=y
+# CONFIG_SC92031 is not set
+CONFIG_NET_VENDOR_SIS=y
+# CONFIG_SIS900 is not set
+# CONFIG_SIS190 is not set
+# CONFIG_SFC is not set
+CONFIG_NET_VENDOR_SMSC=y
+# CONFIG_EPIC100 is not set
+# CONFIG_SMSC911X is not set
+# CONFIG_SMSC9420 is not set
+CONFIG_NET_VENDOR_STMICRO=y
+# CONFIG_STMMAC_ETH is not set
+CONFIG_NET_VENDOR_SUN=y
+# CONFIG_HAPPYMEAL is not set
+# CONFIG_SUNGEM is not set
+# CONFIG_CASSINI is not set
+# CONFIG_NIU is not set
+CONFIG_NET_VENDOR_SYNOPSYS=y
+CONFIG_NET_VENDOR_TEHUTI=y
+# CONFIG_TEHUTI is not set
+CONFIG_NET_VENDOR_TI=y
+# CONFIG_TI_CPSW_ALE is not set
+# CONFIG_TLAN is not set
+CONFIG_NET_VENDOR_VIA=y
+# CONFIG_VIA_RHINE is not set
+# CONFIG_VIA_VELOCITY is not set
+CONFIG_NET_VENDOR_WIZNET=y
+# CONFIG_WIZNET_W5100 is not set
+# CONFIG_WIZNET_W5300 is not set
+# CONFIG_FDDI is not set
+# CONFIG_HIPPI is not set
+# CONFIG_NET_SB1000 is not set
+# CONFIG_PHYLIB is not set
+# CONFIG_PPP is not set
+# CONFIG_SLIP is not set
+
+#
+# Host-side USB support is needed for USB Network Adapter support
+#
+CONFIG_WLAN=y
+CONFIG_WLAN_VENDOR_ADMTEK=y
+CONFIG_WLAN_VENDOR_ATH=y
+# CONFIG_ATH_DEBUG is not set
+# CONFIG_ATH5K_PCI is not set
+CONFIG_WLAN_VENDOR_ATMEL=y
+CONFIG_WLAN_VENDOR_BROADCOM=y
+CONFIG_WLAN_VENDOR_CISCO=y
+CONFIG_WLAN_VENDOR_INTEL=y
+CONFIG_WLAN_VENDOR_INTERSIL=y
+# CONFIG_HOSTAP is not set
+# CONFIG_PRISM54 is not set
+CONFIG_WLAN_VENDOR_MARVELL=y
+CONFIG_WLAN_VENDOR_MEDIATEK=y
+CONFIG_WLAN_VENDOR_RALINK=y
+CONFIG_WLAN_VENDOR_REALTEK=y
+CONFIG_WLAN_VENDOR_RSI=y
+CONFIG_WLAN_VENDOR_ST=y
+CONFIG_WLAN_VENDOR_TI=y
+CONFIG_WLAN_VENDOR_ZYDAS=y
+
+#
+# Enable WiMAX (Networking options) to see the WiMAX drivers
+#
+# CONFIG_WAN is not set
+# CONFIG_VMXNET3 is not set
+# CONFIG_FUJITSU_ES is not set
+# CONFIG_ISDN is not set
+# CONFIG_NVM is not set
+
+#
+# Input device support
+#
+CONFIG_INPUT=y
+# CONFIG_INPUT_FF_MEMLESS is not set
+# CONFIG_INPUT_POLLDEV is not set
+# CONFIG_INPUT_SPARSEKMAP is not set
+# CONFIG_INPUT_MATRIXKMAP is not set
+
+#
+# Userland interfaces
+#
+CONFIG_INPUT_MOUSEDEV=y
+CONFIG_INPUT_MOUSEDEV_PSAUX=y
+CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
+CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
+# CONFIG_INPUT_JOYDEV is not set
+CONFIG_INPUT_EVDEV=y
+# CONFIG_INPUT_EVBUG is not set
+
+#
+# Input Device Drivers
+#
+CONFIG_INPUT_KEYBOARD=y
+CONFIG_KEYBOARD_ATKBD=y
+# CONFIG_KEYBOARD_LKKBD is not set
+# CONFIG_KEYBOARD_NEWTON is not set
+# CONFIG_KEYBOARD_OPENCORES is not set
+# CONFIG_KEYBOARD_STOWAWAY is not set
+# CONFIG_KEYBOARD_SUNKBD is not set
+# CONFIG_KEYBOARD_XTKBD is not set
+CONFIG_INPUT_MOUSE=y
+CONFIG_MOUSE_PS2=y
+CONFIG_MOUSE_PS2_ALPS=y
+CONFIG_MOUSE_PS2_BYD=y
+CONFIG_MOUSE_PS2_LOGIPS2PP=y
+CONFIG_MOUSE_PS2_SYNAPTICS=y
+CONFIG_MOUSE_PS2_CYPRESS=y
+CONFIG_MOUSE_PS2_LIFEBOOK=y
+CONFIG_MOUSE_PS2_TRACKPOINT=y
+# CONFIG_MOUSE_PS2_ELANTECH is not set
+# CONFIG_MOUSE_PS2_SENTELIC is not set
+# CONFIG_MOUSE_PS2_TOUCHKIT is not set
+CONFIG_MOUSE_PS2_FOCALTECH=y
+# CONFIG_MOUSE_SERIAL is not set
+# CONFIG_MOUSE_APPLETOUCH is not set
+# CONFIG_MOUSE_BCM5974 is not set
+# CONFIG_MOUSE_VSXXXAA is not set
+# CONFIG_MOUSE_SYNAPTICS_USB is not set
+# CONFIG_INPUT_JOYSTICK is not set
+# CONFIG_INPUT_TABLET is not set
+# CONFIG_INPUT_TOUCHSCREEN is not set
+# CONFIG_INPUT_MISC is not set
+# CONFIG_RMI4_CORE is not set
+
+#
+# Hardware I/O ports
+#
+CONFIG_SERIO=y
+CONFIG_ARCH_MIGHT_HAVE_PC_SERIO=y
+CONFIG_SERIO_I8042=y
+CONFIG_SERIO_SERPORT=y
+# CONFIG_SERIO_CT82C710 is not set
+# CONFIG_SERIO_PCIPS2 is not set
+CONFIG_SERIO_LIBPS2=y
+# CONFIG_SERIO_RAW is not set
+# CONFIG_SERIO_ALTERA_PS2 is not set
+# CONFIG_SERIO_PS2MULT is not set
+# CONFIG_SERIO_ARC_PS2 is not set
+# CONFIG_USERIO is not set
+# CONFIG_GAMEPORT is not set
+
+#
+# Character devices
+#
+CONFIG_TTY=y
+CONFIG_VT=y
+CONFIG_CONSOLE_TRANSLATIONS=y
+CONFIG_VT_CONSOLE=y
+CONFIG_VT_CONSOLE_SLEEP=y
+CONFIG_HW_CONSOLE=y
+# CONFIG_VT_HW_CONSOLE_BINDING is not set
+CONFIG_UNIX98_PTYS=y
+CONFIG_LEGACY_PTYS=y
+CONFIG_LEGACY_PTY_COUNT=256
+# CONFIG_SERIAL_NONSTANDARD is not set
+# CONFIG_NOZOMI is not set
+# CONFIG_N_GSM is not set
+# CONFIG_TRACE_SINK is not set
+CONFIG_DEVMEM=y
+CONFIG_DEVKMEM=y
+
+#
+# Serial drivers
+#
+# CONFIG_SERIAL_8250 is not set
+
+#
+# Non-8250 serial port support
+#
+# CONFIG_SERIAL_UARTLITE is not set
+# CONFIG_SERIAL_JSM is not set
+# CONFIG_SERIAL_SCCNXP is not set
+# CONFIG_SERIAL_ALTERA_JTAGUART is not set
+# CONFIG_SERIAL_ALTERA_UART is not set
+# CONFIG_SERIAL_ARC is not set
+# CONFIG_SERIAL_RP2 is not set
+# CONFIG_SERIAL_FSL_LPUART is not set
+CONFIG_HVC_DRIVER=y
+CONFIG_VIRTIO_CONSOLE=y
+# CONFIG_IPMI_HANDLER is not set
+# CONFIG_HW_RANDOM is not set
+# CONFIG_NVRAM is not set
+# CONFIG_R3964 is not set
+# CONFIG_APPLICOM is not set
+# CONFIG_MWAVE is not set
+# CONFIG_RAW_DRIVER is not set
+# CONFIG_HPET is not set
+# CONFIG_HANGCHECK_TIMER is not set
+# CONFIG_TCG_TPM is not set
+# CONFIG_TELCLOCK is not set
+CONFIG_DEVPORT=y
+# CONFIG_XILLYBUS is not set
+
+#
+# I2C support
+#
+# CONFIG_I2C is not set
+# CONFIG_SPI is not set
+# CONFIG_SPMI is not set
+# CONFIG_HSI is not set
+
+#
+# PPS support
+#
+# CONFIG_PPS is not set
+
+#
+# PPS generators support
+#
+
+#
+# PTP clock support
+#
+# CONFIG_PTP_1588_CLOCK is not set
+
+#
+# Enable PHYLIB and NETWORK_PHY_TIMESTAMPING to see the additional clocks.
+#
+# CONFIG_GPIOLIB is not set
+# CONFIG_W1 is not set
+# CONFIG_POWER_AVS is not set
+# CONFIG_POWER_RESET is not set
+CONFIG_POWER_SUPPLY=y
+# CONFIG_POWER_SUPPLY_DEBUG is not set
+# CONFIG_PDA_POWER is not set
+# CONFIG_TEST_POWER is not set
+# CONFIG_BATTERY_DS2780 is not set
+# CONFIG_BATTERY_DS2781 is not set
+# CONFIG_BATTERY_BQ27XXX is not set
+# CONFIG_CHARGER_MAX8903 is not set
+CONFIG_HWMON=y
+# CONFIG_HWMON_VID is not set
+# CONFIG_HWMON_DEBUG_CHIP is not set
+
+#
+# Native drivers
+#
+# CONFIG_SENSORS_ABITUGURU is not set
+# CONFIG_SENSORS_ABITUGURU3 is not set
+# CONFIG_SENSORS_K8TEMP is not set
+# CONFIG_SENSORS_K10TEMP is not set
+# CONFIG_SENSORS_FAM15H_POWER is not set
+# CONFIG_SENSORS_APPLESMC is not set
+# CONFIG_SENSORS_DELL_SMM is not set
+# CONFIG_SENSORS_I5K_AMB is not set
+# CONFIG_SENSORS_F71805F is not set
+# CONFIG_SENSORS_F71882FG is not set
+# CONFIG_SENSORS_I5500 is not set
+# CONFIG_SENSORS_CORETEMP is not set
+# CONFIG_SENSORS_IT87 is not set
+# CONFIG_SENSORS_MAX197 is not set
+# CONFIG_SENSORS_PC87360 is not set
+# CONFIG_SENSORS_PC87427 is not set
+# CONFIG_SENSORS_NTC_THERMISTOR is not set
+# CONFIG_SENSORS_NCT6683 is not set
+# CONFIG_SENSORS_NCT6775 is not set
+# CONFIG_SENSORS_SIS5595 is not set
+# CONFIG_SENSORS_SMSC47M1 is not set
+# CONFIG_SENSORS_SMSC47B397 is not set
+# CONFIG_SENSORS_SCH56XX_COMMON is not set
+# CONFIG_SENSORS_VIA_CPUTEMP is not set
+# CONFIG_SENSORS_VIA686A is not set
+# CONFIG_SENSORS_VT1211 is not set
+# CONFIG_SENSORS_VT8231 is not set
+# CONFIG_SENSORS_W83627HF is not set
+# CONFIG_SENSORS_W83627EHF is not set
+
+#
+# ACPI drivers
+#
+# CONFIG_SENSORS_ACPI_POWER is not set
+# CONFIG_SENSORS_ATK0110 is not set
+CONFIG_THERMAL=y
+CONFIG_THERMAL_HWMON=y
+# CONFIG_THERMAL_WRITABLE_TRIPS is not set
+CONFIG_THERMAL_DEFAULT_GOV_STEP_WISE=y
+# CONFIG_THERMAL_DEFAULT_GOV_FAIR_SHARE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_DEFAULT_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_GOV_FAIR_SHARE is not set
+CONFIG_THERMAL_GOV_STEP_WISE=y
+# CONFIG_THERMAL_GOV_BANG_BANG is not set
+# CONFIG_THERMAL_GOV_USER_SPACE is not set
+# CONFIG_THERMAL_GOV_POWER_ALLOCATOR is not set
+# CONFIG_THERMAL_EMULATION is not set
+# CONFIG_INTEL_POWERCLAMP is not set
+# CONFIG_INTEL_SOC_DTS_THERMAL is not set
+
+#
+# ACPI INT340X thermal drivers
+#
+# CONFIG_INT340X_THERMAL is not set
+# CONFIG_INTEL_PCH_THERMAL is not set
+# CONFIG_WATCHDOG is not set
+CONFIG_SSB_POSSIBLE=y
+
+#
+# Sonics Silicon Backplane
+#
+# CONFIG_SSB is not set
+CONFIG_BCMA_POSSIBLE=y
+
+#
+# Broadcom specific AMBA
+#
+# CONFIG_BCMA is not set
+
+#
+# Multifunction device drivers
+#
+# CONFIG_MFD_CORE is not set
+# CONFIG_MFD_CROS_EC is not set
+# CONFIG_MFD_EXYNOS_LPASS is not set
+# CONFIG_HTC_PASIC3 is not set
+# CONFIG_LPC_ICH is not set
+# CONFIG_LPC_SCH is not set
+# CONFIG_MFD_INTEL_LPSS_ACPI is not set
+# CONFIG_MFD_INTEL_LPSS_PCI is not set
+# CONFIG_MFD_JANZ_CMODIO is not set
+# CONFIG_MFD_KEMPLD is not set
+# CONFIG_MFD_MT6397 is not set
+# CONFIG_MFD_RDC321X is not set
+# CONFIG_MFD_RTSX_PCI is not set
+# CONFIG_MFD_SM501 is not set
+# CONFIG_ABX500_CORE is not set
+# CONFIG_MFD_SYSCON is not set
+# CONFIG_MFD_TI_AM335X_TSCADC is not set
+# CONFIG_MFD_TMIO is not set
+# CONFIG_MFD_VX855 is not set
+# CONFIG_REGULATOR is not set
+# CONFIG_MEDIA_SUPPORT is not set
+
+#
+# Graphics support
+#
+# CONFIG_AGP is not set
+CONFIG_VGA_ARB=y
+CONFIG_VGA_ARB_MAX_GPUS=16
+# CONFIG_VGA_SWITCHEROO is not set
+# CONFIG_DRM is not set
+
+#
+# ACP (Audio CoProcessor) Configuration
+#
+
+#
+# Frame buffer Devices
+#
+# CONFIG_FB is not set
+# CONFIG_BACKLIGHT_LCD_SUPPORT is not set
+# CONFIG_VGASTATE is not set
+
+#
+# Console display driver support
+#
+CONFIG_VGA_CONSOLE=y
+# CONFIG_VGACON_SOFT_SCROLLBACK is not set
+CONFIG_DUMMY_CONSOLE=y
+CONFIG_DUMMY_CONSOLE_COLUMNS=80
+CONFIG_DUMMY_CONSOLE_ROWS=25
+CONFIG_SOUND=y
+# CONFIG_SOUND_OSS_CORE is not set
+# CONFIG_SND is not set
+# CONFIG_SOUND_PRIME is not set
+
+#
+# HID support
+#
+CONFIG_HID=y
+# CONFIG_HID_BATTERY_STRENGTH is not set
+# CONFIG_HIDRAW is not set
+# CONFIG_UHID is not set
+CONFIG_HID_GENERIC=y
+
+#
+# Special HID drivers
+#
+CONFIG_HID_A4TECH=y
+# CONFIG_HID_ACRUX is not set
+CONFIG_HID_APPLE=y
+# CONFIG_HID_AUREAL is not set
+CONFIG_HID_BELKIN=y
+CONFIG_HID_CHERRY=y
+CONFIG_HID_CHICONY=y
+# CONFIG_HID_CMEDIA is not set
+CONFIG_HID_CYPRESS=y
+# CONFIG_HID_DRAGONRISE is not set
+# CONFIG_HID_EMS_FF is not set
+# CONFIG_HID_ELECOM is not set
+CONFIG_HID_EZKEY=y
+# CONFIG_HID_GEMBIRD is not set
+# CONFIG_HID_GFRM is not set
+# CONFIG_HID_KEYTOUCH is not set
+# CONFIG_HID_KYE is not set
+# CONFIG_HID_WALTOP is not set
+# CONFIG_HID_GYRATION is not set
+# CONFIG_HID_ICADE is not set
+# CONFIG_HID_TWINHAN is not set
+CONFIG_HID_KENSINGTON=y
+# CONFIG_HID_LCPOWER is not set
+# CONFIG_HID_LENOVO is not set
+CONFIG_HID_LOGITECH=y
+# CONFIG_HID_LOGITECH_HIDPP is not set
+# CONFIG_LOGITECH_FF is not set
+# CONFIG_LOGIRUMBLEPAD2_FF is not set
+# CONFIG_LOGIG940_FF is not set
+# CONFIG_LOGIWHEELS_FF is not set
+# CONFIG_HID_MAGICMOUSE is not set
+CONFIG_HID_MICROSOFT=y
+CONFIG_HID_MONTEREY=y
+# CONFIG_HID_MULTITOUCH is not set
+# CONFIG_HID_ORTEK is not set
+# CONFIG_HID_PANTHERLORD is not set
+# CONFIG_HID_PETALYNX is not set
+# CONFIG_HID_PICOLCD is not set
+CONFIG_HID_PLANTRONICS=y
+# CONFIG_HID_PRIMAX is not set
+# CONFIG_HID_SAITEK is not set
+# CONFIG_HID_SAMSUNG is not set
+# CONFIG_HID_SPEEDLINK is not set
+# CONFIG_HID_STEELSERIES is not set
+# CONFIG_HID_SUNPLUS is not set
+# CONFIG_HID_RMI is not set
+# CONFIG_HID_GREENASIA is not set
+# CONFIG_HID_SMARTJOYPLUS is not set
+# CONFIG_HID_TIVO is not set
+# CONFIG_HID_TOPSEED is not set
+# CONFIG_HID_THRUSTMASTER is not set
+# CONFIG_HID_WACOM is not set
+# CONFIG_HID_XINMO is not set
+# CONFIG_HID_ZEROPLUS is not set
+# CONFIG_HID_ZYDACRON is not set
+# CONFIG_HID_SENSOR_HUB is not set
+# CONFIG_HID_ALPS is not set
+
+#
+# Intel ISH HID support
+#
+# CONFIG_INTEL_ISH_HID is not set
+CONFIG_USB_OHCI_LITTLE_ENDIAN=y
+CONFIG_USB_SUPPORT=y
+CONFIG_USB_ARCH_HAS_HCD=y
+# CONFIG_USB is not set
+
+#
+# USB port drivers
+#
+
+#
+# USB Physical Layer drivers
+#
+# CONFIG_USB_PHY is not set
+# CONFIG_NOP_USB_XCEIV is not set
+# CONFIG_USB_GADGET is not set
+# CONFIG_USB_ULPI_BUS is not set
+# CONFIG_UWB is not set
+# CONFIG_MMC is not set
+# CONFIG_MEMSTICK is not set
+# CONFIG_NEW_LEDS is not set
+# CONFIG_ACCESSIBILITY is not set
+# CONFIG_INFINIBAND is not set
+CONFIG_EDAC_ATOMIC_SCRUB=y
+CONFIG_EDAC_SUPPORT=y
+# CONFIG_EDAC is not set
+CONFIG_RTC_LIB=y
+CONFIG_RTC_MC146818_LIB=y
+# CONFIG_RTC_CLASS is not set
+# CONFIG_DMADEVICES is not set
+
+#
+# DMABUF options
+#
+# CONFIG_SYNC_FILE is not set
+# CONFIG_AUXDISPLAY is not set
+# CONFIG_UIO is not set
+# CONFIG_VIRT_DRIVERS is not set
+CONFIG_VIRTIO=y
+
+#
+# Virtio drivers
+#
+CONFIG_VIRTIO_PCI=y
+CONFIG_VIRTIO_PCI_LEGACY=y
+CONFIG_VIRTIO_BALLOON=y
+# CONFIG_VIRTIO_INPUT is not set
+CONFIG_VIRTIO_MMIO=y
+# CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set
+
+#
+# Microsoft Hyper-V guest support
+#
+# CONFIG_STAGING is not set
+CONFIG_X86_PLATFORM_DEVICES=y
+# CONFIG_ACERHDF is not set
+# CONFIG_DELL_SMO8800 is not set
+# CONFIG_FUJITSU_TABLET is not set
+# CONFIG_HP_ACCEL is not set
+# CONFIG_HP_WIRELESS is not set
+# CONFIG_SENSORS_HDAPS is not set
+# CONFIG_INTEL_MENLOW is not set
+# CONFIG_ASUS_WIRELESS is not set
+# CONFIG_ACPI_WMI is not set
+# CONFIG_TOPSTAR_LAPTOP is not set
+# CONFIG_TOSHIBA_BT_RFKILL is not set
+# CONFIG_TOSHIBA_HAPS is not set
+# CONFIG_ACPI_CMPC is not set
+# CONFIG_INTEL_HID_EVENT is not set
+# CONFIG_INTEL_VBTN is not set
+# CONFIG_INTEL_IPS is not set
+# CONFIG_INTEL_PMC_CORE is not set
+# CONFIG_IBM_RTL is not set
+# CONFIG_SAMSUNG_Q10 is not set
+# CONFIG_INTEL_RST is not set
+# CONFIG_INTEL_SMARTCONNECT is not set
+# CONFIG_PVPANIC is not set
+# CONFIG_INTEL_PMC_IPC is not set
+# CONFIG_SURFACE_PRO3_BUTTON is not set
+# CONFIG_INTEL_PUNIT_IPC is not set
+# CONFIG_CHROME_PLATFORMS is not set
+
+#
+# Hardware Spinlock drivers
+#
+
+#
+# Clock Source drivers
+#
+CONFIG_CLKEVT_I8253=y
+CONFIG_I8253_LOCK=y
+CONFIG_CLKBLD_I8253=y
+# CONFIG_ATMEL_PIT is not set
+# CONFIG_SH_TIMER_CMT is not set
+# CONFIG_SH_TIMER_MTU2 is not set
+# CONFIG_SH_TIMER_TMU is not set
+# CONFIG_EM_TIMER_STI is not set
+# CONFIG_MAILBOX is not set
+CONFIG_IOMMU_SUPPORT=y
+
+#
+# Generic IOMMU Pagetable Support
+#
+# CONFIG_AMD_IOMMU is not set
+# CONFIG_INTEL_IOMMU is not set
+# CONFIG_IRQ_REMAP is not set
+
+#
+# Remoteproc drivers
+#
+# CONFIG_STE_MODEM_RPROC is not set
+
+#
+# Rpmsg drivers
+#
+
+#
+# SOC (System On Chip) specific Drivers
+#
+
+#
+# Broadcom SoC drivers
+#
+# CONFIG_SUNXI_SRAM is not set
+# CONFIG_SOC_TI is not set
+# CONFIG_PM_DEVFREQ is not set
+# CONFIG_EXTCON is not set
+# CONFIG_MEMORY is not set
+# CONFIG_IIO is not set
+# CONFIG_NTB is not set
+# CONFIG_VME_BUS is not set
+# CONFIG_PWM is not set
+CONFIG_ARM_GIC_MAX_NR=1
+# CONFIG_IPACK_BUS is not set
+# CONFIG_RESET_CONTROLLER is not set
+# CONFIG_FMC is not set
+
+#
+# PHY Subsystem
+#
+# CONFIG_GENERIC_PHY is not set
+# CONFIG_PHY_PXA_28NM_HSIC is not set
+# CONFIG_PHY_PXA_28NM_USB2 is not set
+# CONFIG_BCM_KONA_USB2_PHY is not set
+# CONFIG_POWERCAP is not set
+# CONFIG_MCB is not set
+
+#
+# Performance monitor support
+#
+# CONFIG_RAS is not set
+# CONFIG_THUNDERBOLT is not set
+
+#
+# Android
+#
+# CONFIG_ANDROID is not set
+# CONFIG_LIBNVDIMM is not set
+# CONFIG_NVMEM is not set
+# CONFIG_STM is not set
+# CONFIG_INTEL_TH is not set
+
+#
+# FPGA Configuration Support
+#
+# CONFIG_FPGA is not set
+
+#
+# Firmware Drivers
+#
+# CONFIG_EDD is not set
+CONFIG_FIRMWARE_MEMMAP=y
+# CONFIG_DELL_RBU is not set
+# CONFIG_DCDBAS is not set
+CONFIG_DMIID=y
+# CONFIG_DMI_SYSFS is not set
+CONFIG_DMI_SCAN_MACHINE_NON_EFI_FALLBACK=y
+# CONFIG_ISCSI_IBFT_FIND is not set
+# CONFIG_FW_CFG_SYSFS is not set
+# CONFIG_GOOGLE_FIRMWARE is not set
+
+#
+# File systems
+#
+CONFIG_DCACHE_WORD_ACCESS=y
+CONFIG_EXT2_FS=y
+# CONFIG_EXT2_FS_XATTR is not set
+CONFIG_EXT3_FS=y
+# CONFIG_EXT3_FS_POSIX_ACL is not set
+# CONFIG_EXT3_FS_SECURITY is not set
+CONFIG_EXT4_FS=y
+# CONFIG_EXT4_FS_POSIX_ACL is not set
+# CONFIG_EXT4_FS_SECURITY is not set
+# CONFIG_EXT4_ENCRYPTION is not set
+# CONFIG_EXT4_DEBUG is not set
+CONFIG_JBD2=y
+# CONFIG_JBD2_DEBUG is not set
+CONFIG_FS_MBCACHE=y
+CONFIG_REISERFS_FS=y
+# CONFIG_REISERFS_CHECK is not set
+# CONFIG_REISERFS_PROC_INFO is not set
+# CONFIG_REISERFS_FS_XATTR is not set
+# CONFIG_JFS_FS is not set
+# CONFIG_XFS_FS is not set
+# CONFIG_GFS2_FS is not set
+# CONFIG_BTRFS_FS is not set
+# CONFIG_NILFS2_FS is not set
+# CONFIG_F2FS_FS is not set
+# CONFIG_FS_DAX is not set
+CONFIG_FS_POSIX_ACL=y
+CONFIG_EXPORTFS=y
+# CONFIG_EXPORTFS_BLOCK_OPS is not set
+CONFIG_FILE_LOCKING=y
+CONFIG_MANDATORY_FILE_LOCKING=y
+# CONFIG_FS_ENCRYPTION is not set
+CONFIG_FSNOTIFY=y
+CONFIG_DNOTIFY=y
+CONFIG_INOTIFY_USER=y
+# CONFIG_FANOTIFY is not set
+CONFIG_QUOTA=y
+# CONFIG_QUOTA_NETLINK_INTERFACE is not set
+CONFIG_PRINT_QUOTA_WARNING=y
+# CONFIG_QUOTA_DEBUG is not set
+# CONFIG_QFMT_V1 is not set
+# CONFIG_QFMT_V2 is not set
+CONFIG_QUOTACTL=y
+CONFIG_AUTOFS4_FS=y
+# CONFIG_FUSE_FS is not set
+# CONFIG_OVERLAY_FS is not set
+
+#
+# Caches
+#
+# CONFIG_FSCACHE is not set
+
+#
+# CD-ROM/DVD Filesystems
+#
+CONFIG_ISO9660_FS=y
+CONFIG_JOLIET=y
+# CONFIG_ZISOFS is not set
+# CONFIG_UDF_FS is not set
+
+#
+# DOS/FAT/NT Filesystems
+#
+# CONFIG_MSDOS_FS is not set
+# CONFIG_VFAT_FS is not set
+# CONFIG_NTFS_FS is not set
+
+#
+# Pseudo filesystems
+#
+CONFIG_PROC_FS=y
+CONFIG_PROC_KCORE=y
+CONFIG_PROC_SYSCTL=y
+CONFIG_PROC_PAGE_MONITOR=y
+# CONFIG_PROC_CHILDREN is not set
+CONFIG_KERNFS=y
+CONFIG_SYSFS=y
+CONFIG_TMPFS=y
+# CONFIG_TMPFS_POSIX_ACL is not set
+# CONFIG_TMPFS_XATTR is not set
+# CONFIG_HUGETLBFS is not set
+# CONFIG_HUGETLB_PAGE is not set
+CONFIG_ARCH_HAS_GIGANTIC_PAGE=y
+# CONFIG_CONFIGFS_FS is not set
+CONFIG_MISC_FILESYSTEMS=y
+# CONFIG_ORANGEFS_FS is not set
+# CONFIG_ADFS_FS is not set
+# CONFIG_AFFS_FS is not set
+# CONFIG_HFS_FS is not set
+# CONFIG_HFSPLUS_FS is not set
+# CONFIG_BEFS_FS is not set
+# CONFIG_BFS_FS is not set
+# CONFIG_EFS_FS is not set
+# CONFIG_LOGFS is not set
+# CONFIG_CRAMFS is not set
+# CONFIG_SQUASHFS is not set
+# CONFIG_VXFS_FS is not set
+# CONFIG_MINIX_FS is not set
+# CONFIG_OMFS_FS is not set
+# CONFIG_HPFS_FS is not set
+# CONFIG_QNX4FS_FS is not set
+# CONFIG_QNX6FS_FS is not set
+# CONFIG_ROMFS_FS is not set
+# CONFIG_PSTORE is not set
+# CONFIG_SYSV_FS is not set
+# CONFIG_UFS_FS is not set
+CONFIG_NETWORK_FILESYSTEMS=y
+# CONFIG_NFS_FS is not set
+# CONFIG_NFSD is not set
+# CONFIG_CEPH_FS is not set
+# CONFIG_CIFS is not set
+# CONFIG_NCP_FS is not set
+# CONFIG_CODA_FS is not set
+# CONFIG_AFS_FS is not set
+CONFIG_9P_FS=y
+CONFIG_9P_FS_POSIX_ACL=y
+# CONFIG_9P_FS_SECURITY is not set
+CONFIG_NLS=y
+CONFIG_NLS_DEFAULT="iso8859-1"
+# CONFIG_NLS_CODEPAGE_437 is not set
+# CONFIG_NLS_CODEPAGE_737 is not set
+# CONFIG_NLS_CODEPAGE_775 is not set
+# CONFIG_NLS_CODEPAGE_850 is not set
+# CONFIG_NLS_CODEPAGE_852 is not set
+# CONFIG_NLS_CODEPAGE_855 is not set
+# CONFIG_NLS_CODEPAGE_857 is not set
+# CONFIG_NLS_CODEPAGE_860 is not set
+# CONFIG_NLS_CODEPAGE_861 is not set
+# CONFIG_NLS_CODEPAGE_862 is not set
+# CONFIG_NLS_CODEPAGE_863 is not set
+# CONFIG_NLS_CODEPAGE_864 is not set
+# CONFIG_NLS_CODEPAGE_865 is not set
+# CONFIG_NLS_CODEPAGE_866 is not set
+# CONFIG_NLS_CODEPAGE_869 is not set
+# CONFIG_NLS_CODEPAGE_936 is not set
+# CONFIG_NLS_CODEPAGE_950 is not set
+# CONFIG_NLS_CODEPAGE_932 is not set
+# CONFIG_NLS_CODEPAGE_949 is not set
+# CONFIG_NLS_CODEPAGE_874 is not set
+# CONFIG_NLS_ISO8859_8 is not set
+# CONFIG_NLS_CODEPAGE_1250 is not set
+# CONFIG_NLS_CODEPAGE_1251 is not set
+# CONFIG_NLS_ASCII is not set
+# CONFIG_NLS_ISO8859_1 is not set
+# CONFIG_NLS_ISO8859_2 is not set
+# CONFIG_NLS_ISO8859_3 is not set
+# CONFIG_NLS_ISO8859_4 is not set
+# CONFIG_NLS_ISO8859_5 is not set
+# CONFIG_NLS_ISO8859_6 is not set
+# CONFIG_NLS_ISO8859_7 is not set
+# CONFIG_NLS_ISO8859_9 is not set
+# CONFIG_NLS_ISO8859_13 is not set
+# CONFIG_NLS_ISO8859_14 is not set
+# CONFIG_NLS_ISO8859_15 is not set
+# CONFIG_NLS_KOI8_R is not set
+# CONFIG_NLS_KOI8_U is not set
+# CONFIG_NLS_MAC_ROMAN is not set
+# CONFIG_NLS_MAC_CELTIC is not set
+# CONFIG_NLS_MAC_CENTEURO is not set
+# CONFIG_NLS_MAC_CROATIAN is not set
+# CONFIG_NLS_MAC_CYRILLIC is not set
+# CONFIG_NLS_MAC_GAELIC is not set
+# CONFIG_NLS_MAC_GREEK is not set
+# CONFIG_NLS_MAC_ICELAND is not set
+# CONFIG_NLS_MAC_INUIT is not set
+# CONFIG_NLS_MAC_ROMANIAN is not set
+# CONFIG_NLS_MAC_TURKISH is not set
+# CONFIG_NLS_UTF8 is not set
+
+#
+# Kernel hacking
+#
+CONFIG_TRACE_IRQFLAGS_SUPPORT=y
+
+#
+# printk and dmesg options
+#
+# CONFIG_PRINTK_TIME is not set
+CONFIG_MESSAGE_LOGLEVEL_DEFAULT=4
+# CONFIG_BOOT_PRINTK_DELAY is not set
+
+#
+# Compile-time checks and compiler options
+#
+CONFIG_DEBUG_INFO=y
+# CONFIG_DEBUG_INFO_REDUCED is not set
+# CONFIG_DEBUG_INFO_SPLIT is not set
+# CONFIG_DEBUG_INFO_DWARF4 is not set
+# CONFIG_GDB_SCRIPTS is not set
+CONFIG_ENABLE_WARN_DEPRECATED=y
+CONFIG_ENABLE_MUST_CHECK=y
+CONFIG_FRAME_WARN=1024
+# CONFIG_STRIP_ASM_SYMS is not set
+# CONFIG_READABLE_ASM is not set
+# CONFIG_UNUSED_SYMBOLS is not set
+# CONFIG_PAGE_OWNER is not set
+# CONFIG_DEBUG_FS is not set
+# CONFIG_HEADERS_CHECK is not set
+# CONFIG_DEBUG_SECTION_MISMATCH is not set
+CONFIG_SECTION_MISMATCH_WARN_ONLY=y
+CONFIG_ARCH_WANT_FRAME_POINTERS=y
+CONFIG_FRAME_POINTER=y
+# CONFIG_STACK_VALIDATION is not set
+# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set
+# CONFIG_MAGIC_SYSRQ is not set
+CONFIG_DEBUG_KERNEL=y
+
+#
+# Memory Debugging
+#
+# CONFIG_PAGE_EXTENSION is not set
+# CONFIG_DEBUG_PAGEALLOC is not set
+# CONFIG_PAGE_POISONING is not set
+# CONFIG_DEBUG_OBJECTS is not set
+# CONFIG_DEBUG_SLAB is not set
+CONFIG_HAVE_DEBUG_KMEMLEAK=y
+# CONFIG_DEBUG_KMEMLEAK is not set
+# CONFIG_DEBUG_STACK_USAGE is not set
+# CONFIG_DEBUG_VM is not set
+# CONFIG_DEBUG_VIRTUAL is not set
+CONFIG_DEBUG_MEMORY_INIT=y
+CONFIG_HAVE_DEBUG_STACKOVERFLOW=y
+# CONFIG_DEBUG_STACKOVERFLOW is not set
+CONFIG_HAVE_ARCH_KMEMCHECK=y
+CONFIG_HAVE_ARCH_KASAN=y
+# CONFIG_KASAN is not set
+CONFIG_ARCH_HAS_KCOV=y
+# CONFIG_KCOV is not set
+# CONFIG_DEBUG_SHIRQ is not set
+
+#
+# Debug Lockups and Hangs
+#
+# CONFIG_LOCKUP_DETECTOR is not set
+CONFIG_DETECT_HUNG_TASK=y
+CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120
+# CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set
+CONFIG_BOOTPARAM_HUNG_TASK_PANIC_VALUE=0
+# CONFIG_WQ_WATCHDOG is not set
+# CONFIG_PANIC_ON_OOPS is not set
+CONFIG_PANIC_ON_OOPS_VALUE=0
+CONFIG_PANIC_TIMEOUT=0
+# CONFIG_SCHED_DEBUG is not set
+# CONFIG_SCHED_INFO is not set
+# CONFIG_SCHEDSTATS is not set
+# CONFIG_SCHED_STACK_END_CHECK is not set
+# CONFIG_DEBUG_TIMEKEEPING is not set
+# CONFIG_TIMER_STATS is not set
+
+#
+# Lock Debugging (spinlocks, mutexes, etc...)
+#
+# CONFIG_DEBUG_RT_MUTEXES is not set
+# CONFIG_DEBUG_SPINLOCK is not set
+# CONFIG_DEBUG_MUTEXES is not set
+# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set
+# CONFIG_DEBUG_LOCK_ALLOC is not set
+# CONFIG_PROVE_LOCKING is not set
+# CONFIG_LOCK_STAT is not set
+# CONFIG_DEBUG_ATOMIC_SLEEP is not set
+# CONFIG_DEBUG_LOCKING_API_SELFTESTS is not set
+# CONFIG_LOCK_TORTURE_TEST is not set
+# CONFIG_STACKTRACE is not set
+# CONFIG_DEBUG_KOBJECT is not set
+CONFIG_DEBUG_BUGVERBOSE=y
+# CONFIG_DEBUG_LIST is not set
+# CONFIG_DEBUG_PI_LIST is not set
+# CONFIG_DEBUG_SG is not set
+# CONFIG_DEBUG_NOTIFIERS is not set
+# CONFIG_DEBUG_CREDENTIALS is not set
+
+#
+# RCU Debugging
+#
+# CONFIG_PROVE_RCU is not set
+# CONFIG_SPARSE_RCU_POINTER is not set
+# CONFIG_TORTURE_TEST is not set
+# CONFIG_RCU_PERF_TEST is not set
+# CONFIG_RCU_TORTURE_TEST is not set
+# CONFIG_RCU_TRACE is not set
+# CONFIG_RCU_EQS_DEBUG is not set
+# CONFIG_DEBUG_WQ_FORCE_RR_CPU is not set
+# CONFIG_DEBUG_BLOCK_EXT_DEVT is not set
+# CONFIG_NOTIFIER_ERROR_INJECTION is not set
+# CONFIG_FAULT_INJECTION is not set
+# CONFIG_LATENCYTOP is not set
+CONFIG_USER_STACKTRACE_SUPPORT=y
+CONFIG_HAVE_FUNCTION_TRACER=y
+CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
+CONFIG_HAVE_DYNAMIC_FTRACE=y
+CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
+CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
+CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
+CONFIG_HAVE_FENTRY=y
+CONFIG_HAVE_C_RECORDMCOUNT=y
+CONFIG_TRACING_SUPPORT=y
+CONFIG_FTRACE=y
+# CONFIG_FUNCTION_TRACER is not set
+# CONFIG_IRQSOFF_TRACER is not set
+# CONFIG_SCHED_TRACER is not set
+# CONFIG_HWLAT_TRACER is not set
+# CONFIG_ENABLE_DEFAULT_TRACERS is not set
+# CONFIG_FTRACE_SYSCALLS is not set
+# CONFIG_TRACER_SNAPSHOT is not set
+CONFIG_BRANCH_PROFILE_NONE=y
+# CONFIG_PROFILE_ANNOTATED_BRANCHES is not set
+# CONFIG_PROFILE_ALL_BRANCHES is not set
+# CONFIG_STACK_TRACER is not set
+# CONFIG_BLK_DEV_IO_TRACE is not set
+# CONFIG_UPROBE_EVENT is not set
+# CONFIG_PROBE_EVENTS is not set
+# CONFIG_MMIOTRACE is not set
+# CONFIG_HIST_TRIGGERS is not set
+# CONFIG_TRACEPOINT_BENCHMARK is not set
+
+#
+# Runtime Testing
+#
+# CONFIG_TEST_LIST_SORT is not set
+# CONFIG_BACKTRACE_SELF_TEST is not set
+# CONFIG_RBTREE_TEST is not set
+# CONFIG_ATOMIC64_SELFTEST is not set
+# CONFIG_TEST_HEXDUMP is not set
+# CONFIG_TEST_STRING_HELPERS is not set
+# CONFIG_TEST_KSTRTOX is not set
+# CONFIG_TEST_PRINTF is not set
+# CONFIG_TEST_BITMAP is not set
+# CONFIG_TEST_UUID is not set
+# CONFIG_TEST_RHASHTABLE is not set
+# CONFIG_TEST_HASH is not set
+# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
+# CONFIG_DMA_API_DEBUG is not set
+# CONFIG_TEST_FIRMWARE is not set
+# CONFIG_TEST_UDELAY is not set
+# CONFIG_MEMTEST is not set
+# CONFIG_SAMPLES is not set
+CONFIG_HAVE_ARCH_KGDB=y
+# CONFIG_KGDB is not set
+CONFIG_ARCH_HAS_UBSAN_SANITIZE_ALL=y
+# CONFIG_ARCH_WANTS_UBSAN_NO_NULL is not set
+# CONFIG_UBSAN is not set
+CONFIG_ARCH_HAS_DEVMEM_IS_ALLOWED=y
+# CONFIG_STRICT_DEVMEM is not set
+CONFIG_X86_VERBOSE_BOOTUP=y
+CONFIG_EARLY_PRINTK=y
+# CONFIG_EARLY_PRINTK_DBGP is not set
+# CONFIG_X86_PTDUMP_CORE is not set
+# CONFIG_X86_PTDUMP is not set
+CONFIG_DEBUG_RODATA_TEST=y
+# CONFIG_DEBUG_WX is not set
+CONFIG_DOUBLEFAULT=y
+# CONFIG_DEBUG_TLBFLUSH is not set
+# CONFIG_IOMMU_DEBUG is not set
+# CONFIG_IOMMU_STRESS is not set
+CONFIG_HAVE_MMIOTRACE_SUPPORT=y
+CONFIG_IO_DELAY_TYPE_0X80=0
+CONFIG_IO_DELAY_TYPE_0XED=1
+CONFIG_IO_DELAY_TYPE_UDELAY=2
+CONFIG_IO_DELAY_TYPE_NONE=3
+CONFIG_IO_DELAY_0X80=y
+# CONFIG_IO_DELAY_0XED is not set
+# CONFIG_IO_DELAY_UDELAY is not set
+# CONFIG_IO_DELAY_NONE is not set
+CONFIG_DEFAULT_IO_DELAY_TYPE=0
+# CONFIG_CPA_DEBUG is not set
+# CONFIG_OPTIMIZE_INLINING is not set
+# CONFIG_DEBUG_ENTRY is not set
+# CONFIG_DEBUG_NMI_SELFTEST is not set
+CONFIG_X86_DEBUG_FPU=y
+# CONFIG_PUNIT_ATOM_DEBUG is not set
+
+#
+# Security options
+#
+# CONFIG_KEYS is not set
+# CONFIG_SECURITY_DMESG_RESTRICT is not set
+# CONFIG_SECURITY is not set
+# CONFIG_SECURITYFS is not set
+CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
+CONFIG_HAVE_ARCH_HARDENED_USERCOPY=y
+# CONFIG_HARDENED_USERCOPY is not set
+CONFIG_DEFAULT_SECURITY_DAC=y
+CONFIG_DEFAULT_SECURITY=""
+CONFIG_CRYPTO=y
+
+#
+# Crypto core or helper
+#
+CONFIG_CRYPTO_ALGAPI=y
+CONFIG_CRYPTO_ALGAPI2=y
+CONFIG_CRYPTO_AEAD=y
+CONFIG_CRYPTO_AEAD2=y
+CONFIG_CRYPTO_BLKCIPHER=y
+CONFIG_CRYPTO_BLKCIPHER2=y
+CONFIG_CRYPTO_HASH=y
+CONFIG_CRYPTO_HASH2=y
+CONFIG_CRYPTO_RNG=y
+CONFIG_CRYPTO_RNG2=y
+CONFIG_CRYPTO_RNG_DEFAULT=y
+CONFIG_CRYPTO_AKCIPHER2=y
+CONFIG_CRYPTO_KPP2=y
+CONFIG_CRYPTO_KPP=y
+# CONFIG_CRYPTO_RSA is not set
+CONFIG_CRYPTO_DH=y
+CONFIG_CRYPTO_ECDH=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_CRYPTO_MANAGER2=y
+CONFIG_CRYPTO_USER=y
+CONFIG_CRYPTO_MANAGER_DISABLE_TESTS=y
+CONFIG_CRYPTO_GF128MUL=y
+CONFIG_CRYPTO_NULL=y
+CONFIG_CRYPTO_NULL2=y
+CONFIG_CRYPTO_WORKQUEUE=y
+CONFIG_CRYPTO_CRYPTD=y
+CONFIG_CRYPTO_MCRYPTD=y
+CONFIG_CRYPTO_AUTHENC=y
+CONFIG_CRYPTO_ABLK_HELPER=y
+CONFIG_CRYPTO_GLUE_HELPER_X86=y
+
+#
+# Authenticated Encryption with Associated Data
+#
+CONFIG_CRYPTO_CCM=y
+CONFIG_CRYPTO_GCM=y
+CONFIG_CRYPTO_CHACHA20POLY1305=y
+CONFIG_CRYPTO_SEQIV=y
+CONFIG_CRYPTO_ECHAINIV=y
+
+#
+# Block modes
+#
+CONFIG_CRYPTO_CBC=y
+CONFIG_CRYPTO_CTR=y
+# CONFIG_CRYPTO_CTS is not set
+CONFIG_CRYPTO_ECB=y
+CONFIG_CRYPTO_LRW=y
+CONFIG_CRYPTO_PCBC=y
+CONFIG_CRYPTO_XTS=y
+# CONFIG_CRYPTO_KEYWRAP is not set
+
+#
+# Hash modes
+#
+CONFIG_CRYPTO_CMAC=y
+CONFIG_CRYPTO_HMAC=y
+CONFIG_CRYPTO_XCBC=y
+# CONFIG_CRYPTO_VMAC is not set
+
+#
+# Digest
+#
+CONFIG_CRYPTO_CRC32C=y
+# CONFIG_CRYPTO_CRC32C_INTEL is not set
+# CONFIG_CRYPTO_CRC32 is not set
+# CONFIG_CRYPTO_CRC32_PCLMUL is not set
+# CONFIG_CRYPTO_CRCT10DIF is not set
+CONFIG_CRYPTO_GHASH=y
+CONFIG_CRYPTO_POLY1305=y
+CONFIG_CRYPTO_POLY1305_X86_64=y
+CONFIG_CRYPTO_MD4=y
+CONFIG_CRYPTO_MD5=y
+CONFIG_CRYPTO_MICHAEL_MIC=y
+CONFIG_CRYPTO_RMD128=y
+CONFIG_CRYPTO_RMD160=y
+CONFIG_CRYPTO_RMD256=y
+CONFIG_CRYPTO_RMD320=y
+CONFIG_CRYPTO_SHA1=y
+# CONFIG_CRYPTO_SHA1_SSSE3 is not set
+CONFIG_CRYPTO_SHA256_SSSE3=y
+CONFIG_CRYPTO_SHA512_SSSE3=y
+# CONFIG_CRYPTO_SHA1_MB is not set
+CONFIG_CRYPTO_SHA256_MB=y
+CONFIG_CRYPTO_SHA512_MB=y
+CONFIG_CRYPTO_SHA256=y
+CONFIG_CRYPTO_SHA512=y
+CONFIG_CRYPTO_SHA3=y
+CONFIG_CRYPTO_TGR192=y
+CONFIG_CRYPTO_WP512=y
+# CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL is not set
+
+#
+# Ciphers
+#
+CONFIG_CRYPTO_AES=y
+CONFIG_CRYPTO_AES_X86_64=y
+CONFIG_CRYPTO_AES_NI_INTEL=y
+CONFIG_CRYPTO_ANUBIS=y
+CONFIG_CRYPTO_ARC4=y
+CONFIG_CRYPTO_BLOWFISH=y
+CONFIG_CRYPTO_BLOWFISH_COMMON=y
+CONFIG_CRYPTO_BLOWFISH_X86_64=y
+CONFIG_CRYPTO_CAMELLIA=y
+CONFIG_CRYPTO_CAMELLIA_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=y
+CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=y
+CONFIG_CRYPTO_CAST_COMMON=y
+CONFIG_CRYPTO_CAST5=y
+CONFIG_CRYPTO_CAST5_AVX_X86_64=y
+CONFIG_CRYPTO_CAST6=y
+CONFIG_CRYPTO_CAST6_AVX_X86_64=y
+CONFIG_CRYPTO_DES=y
+# CONFIG_CRYPTO_DES3_EDE_X86_64 is not set
+CONFIG_CRYPTO_FCRYPT=y
+CONFIG_CRYPTO_KHAZAD=y
+CONFIG_CRYPTO_SALSA20=y
+CONFIG_CRYPTO_SALSA20_X86_64=y
+CONFIG_CRYPTO_CHACHA20=y
+CONFIG_CRYPTO_CHACHA20_X86_64=y
+CONFIG_CRYPTO_SEED=y
+CONFIG_CRYPTO_SERPENT=y
+CONFIG_CRYPTO_SERPENT_SSE2_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX_X86_64=y
+CONFIG_CRYPTO_SERPENT_AVX2_X86_64=y
+CONFIG_CRYPTO_TEA=y
+CONFIG_CRYPTO_TWOFISH=y
+CONFIG_CRYPTO_TWOFISH_COMMON=y
+CONFIG_CRYPTO_TWOFISH_X86_64=y
+CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=y
+CONFIG_CRYPTO_TWOFISH_AVX_X86_64=y
+
+#
+# Compression
+#
+CONFIG_CRYPTO_DEFLATE=y
+CONFIG_CRYPTO_LZO=y
+CONFIG_CRYPTO_842=y
+CONFIG_CRYPTO_LZ4=y
+CONFIG_CRYPTO_LZ4HC=y
+
+#
+# Random Number Generation
+#
+# CONFIG_CRYPTO_ANSI_CPRNG is not set
+CONFIG_CRYPTO_DRBG_MENU=y
+CONFIG_CRYPTO_DRBG_HMAC=y
+CONFIG_CRYPTO_DRBG_HASH=y
+CONFIG_CRYPTO_DRBG_CTR=y
+CONFIG_CRYPTO_DRBG=y
+CONFIG_CRYPTO_JITTERENTROPY=y
+CONFIG_CRYPTO_USER_API=y
+CONFIG_CRYPTO_USER_API_HASH=y
+CONFIG_CRYPTO_USER_API_SKCIPHER=y
+# CONFIG_CRYPTO_USER_API_RNG is not set
+CONFIG_CRYPTO_USER_API_AEAD=y
+# CONFIG_CRYPTO_HW is not set
+
+#
+# Certificates for signature checking
+#
+CONFIG_HAVE_KVM=y
+CONFIG_VIRTUALIZATION=y
+# CONFIG_KVM is not set
+# CONFIG_VHOST_NET is not set
+# CONFIG_VHOST_CROSS_ENDIAN_LEGACY is not set
+# CONFIG_BINARY_PRINTF is not set
+
+#
+# Library routines
+#
+CONFIG_BITREVERSE=y
+# CONFIG_HAVE_ARCH_BITREVERSE is not set
+CONFIG_GENERIC_STRNCPY_FROM_USER=y
+CONFIG_GENERIC_STRNLEN_USER=y
+CONFIG_GENERIC_NET_UTILS=y
+CONFIG_GENERIC_FIND_FIRST_BIT=y
+CONFIG_GENERIC_PCI_IOMAP=y
+CONFIG_GENERIC_IOMAP=y
+CONFIG_GENERIC_IO=y
+CONFIG_ARCH_USE_CMPXCHG_LOCKREF=y
+CONFIG_ARCH_HAS_FAST_MULTIPLIER=y
+CONFIG_CRC_CCITT=y
+CONFIG_CRC16=y
+# CONFIG_CRC_T10DIF is not set
+CONFIG_CRC_ITU_T=y
+CONFIG_CRC32=y
+# CONFIG_CRC32_SELFTEST is not set
+CONFIG_CRC32_SLICEBY8=y
+# CONFIG_CRC32_SLICEBY4 is not set
+# CONFIG_CRC32_SARWATE is not set
+# CONFIG_CRC32_BIT is not set
+CONFIG_CRC7=y
+CONFIG_LIBCRC32C=y
+# CONFIG_CRC8 is not set
+# CONFIG_AUDIT_ARCH_COMPAT_GENERIC is not set
+# CONFIG_RANDOM32_SELFTEST is not set
+CONFIG_842_COMPRESS=y
+CONFIG_842_DECOMPRESS=y
+CONFIG_ZLIB_INFLATE=y
+CONFIG_ZLIB_DEFLATE=y
+CONFIG_LZO_COMPRESS=y
+CONFIG_LZO_DECOMPRESS=y
+CONFIG_LZ4_COMPRESS=y
+CONFIG_LZ4HC_COMPRESS=y
+CONFIG_LZ4_DECOMPRESS=y
+# CONFIG_XZ_DEC is not set
+# CONFIG_XZ_DEC_BCJ is not set
+CONFIG_TEXTSEARCH=y
+CONFIG_TEXTSEARCH_KMP=y
+CONFIG_TEXTSEARCH_BM=y
+CONFIG_TEXTSEARCH_FSM=y
+CONFIG_HAS_IOMEM=y
+CONFIG_HAS_IOPORT_MAP=y
+CONFIG_HAS_DMA=y
+CONFIG_DQL=y
+CONFIG_NLATTR=y
+CONFIG_CLZ_TAB=y
+# CONFIG_CORDIC is not set
+# CONFIG_DDR is not set
+# CONFIG_IRQ_POLL is not set
+CONFIG_MPILIB=y
+# CONFIG_SG_SPLIT is not set
+# CONFIG_SG_POOL is not set
+CONFIG_ARCH_HAS_SG_CHAIN=y
+CONFIG_ARCH_HAS_PMEM_API=y
+CONFIG_ARCH_HAS_MMIO_FLUSH=y
+CONFIG_SBITMAP=y
diff --git a/testing/do-tests b/testing/do-tests
index fd5cfe6..60c34c7 100755
--- a/testing/do-tests
+++ b/testing/do-tests
@@ -298,63 +298,6 @@ do
 	touch $CONSOLE_LOG
 
 	TESTDIR=$TESTSDIR/${testname}
-	rm -rf $TESTDIR
-	mkdir -p $TESTDIR
-	cp -rfp $DEFAULTTESTSDIR/${testname}/* $TESTDIR
-
-
-	##############################################################################
-	# replace IP wildcards with actual IPv4 and IPv6 addresses
-	#
-
-	for host in $STRONGSWANHOSTS
-	do
-	    case $host in
-	    moon)
-		searchandreplace PH_IP_MOON1     $ipv4_moon1 $TESTDIR
-		searchandreplace PH_IP_MOON      $ipv4_moon  $TESTDIR
-		searchandreplace PH_IP6_MOON1    $ipv6_moon1 $TESTDIR
-		searchandreplace PH_IP6_MOON     $ipv6_moon  $TESTDIR
-		;;
-	    sun)
-		searchandreplace PH_IP_SUN1      $ipv4_sun1 $TESTDIR
-		searchandreplace PH_IP_SUN       $ipv4_sun  $TESTDIR
-		searchandreplace PH_IP6_SUN1     $ipv6_sun1 $TESTDIR
-		searchandreplace PH_IP6_SUN      $ipv6_sun  $TESTDIR
-		;;
-	    alice)
-		searchandreplace PH_IP_ALICE1    $ipv4_alice1 $TESTDIR
-		searchandreplace PH_IP_ALICE     $ipv4_alice  $TESTDIR
-		searchandreplace PH_IP6_ALICE1   $ipv6_alice1 $TESTDIR
-		searchandreplace PH_IP6_ALICE    $ipv6_alice  $TESTDIR
-		;;
-	    venus)
-		searchandreplace PH_IP_VENUS     $ipv4_venus $TESTDIR
-		searchandreplace PH_IP6_VENUS    $ipv6_venus $TESTDIR
-		;;
-	    bob)
-		searchandreplace PH_IP_BOB       $ipv4_bob $TESTDIR
-		searchandreplace PH_IPV6_BOB     $ipv6_bob $TESTDIR
-		;;
-	    carol)
-		searchandreplace PH_IP_CAROL1    $ipv4_carol1 $TESTDIR
-		searchandreplace PH_IP_CAROL     $ipv4_carol  $TESTDIR
-		searchandreplace PH_IP6_CAROL1   $ipv6_carol1 $TESTDIR
-		searchandreplace PH_IP6_CAROL    $ipv6_carol  $TESTDIR
-		;;
-	    dave)
-		searchandreplace PH_IP_DAVE1     $ipv4_dave1 $TESTDIR
-		searchandreplace PH_IP_DAVE      $ipv4_dave  $TESTDIR
-		searchandreplace PH_IP6_DAVE1    $ipv6_dave1 $TESTDIR
-		searchandreplace PH_IP6_DAVE     $ipv6_dave  $TESTDIR
-		;;
-	    winnetou)
-		searchandreplace PH_IP_WINNETOU  $ipv4_winnetou $TESTDIR
-		searchandreplace PH_IP6_WINNETOU $ipv6_winnetou $TESTDIR
-		;;
-	    esac
-	done
-
 
 	##########################################################################
 	# copy test specific configurations to hosts and clear log files
diff --git a/testing/hosts/default/usr/local/bin/init_tnc b/testing/hosts/default/usr/local/bin/init_tnc
new file mode 100755
index 0000000..49084e4
--- /dev/null
+++ b/testing/hosts/default/usr/local/bin/init_tnc
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+cd /var/www/tnc
+
+if [ -f django.db ]
+then
+	exit 0 
+fi
+
+./manage.py migrate --database meta
+./manage.py setpassword strongSwan strongSwan
+./manage.py collectstatic --noinput
+
+chmod g+w django.db
+exit 0
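Review bot: The script reports success even when setup fails: `cd /var/www/tnc` is unchecked and none of the three `manage.py` calls is tested before the final `exit 0`. If a failed or partial migration leaves a `django.db` behind, the `[ -f django.db ]` guard will treat the next run as already initialised. I would write `cd /var/www/tnc || exit 1` and add `set -e` after the early-exit check. The `setpassword strongSwan strongSwan` line also puts fixed, guessable credentials into the image, so a comment such as `# test-only credentials, never reuse outside the testing environment` would make the intended scope explicit.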
diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/carolCert.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/carolCert.pem
new file mode 100644
index 0000000..132b5d5
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/carolCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/daveCert.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/daveCert.pem
new file mode 100644
index 0000000..18f0e08
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/daveCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/moonCert.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/moonCert.pem
new file mode 100644
index 0000000..e67b224
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/moonCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/sunCert.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/sunCert.pem
new file mode 100644
index 0000000..70af020
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ed25519/newcerts/sunCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/carolKey.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/carolKey.pem
new file mode 100644
index 0000000..5c3e262
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/carolKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIJk9u+XHU+E8YNCuj/bTDVRHbWDk2NzCyrTFqtzWRAv8
+-----END PRIVATE KEY-----
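Review bot: This PKCS#8 file holds an unencrypted private key (`BEGIN PRIVATE KEY`, not `ENCRYPTED PRIVATE KEY`), and the same is true of daveKey.pem, moonKey.pem, sunKey.pem and the CA key strongswan_ed25519Key.pem added further down. Anyone with the source tree can therefore issue certificates that chain to this Ed25519 CA. That is normal for a test PKI, but nothing in the commit says so. A short README next to the keys, along the lines of `Test-only keys: never install strongswan_ed25519Cert.pem as a trust anchor outside the testing environment`, would guard against accidental reuse.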
diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/daveKey.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/daveKey.pem
new file mode 100644
index 0000000..bf84ef3
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/daveKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIF17ReOyn64y7tmC11XyYzcALKmu9lkS0VnWSd0l54FX
+-----END PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/moonKey.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/moonKey.pem
new file mode 100644
index 0000000..491d364
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/moonKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIKF9TGaPwvVmqoqowy6y8anmPMKpSi9bKc310bbXBMtk
+-----END PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/sunKey.pem b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/sunKey.pem
new file mode 100644
index 0000000..b83f62c
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ed25519/newkeys/sunKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIF8vNpW9TVnEB+DzglbCjuZr+1u84dHRofgHoybGL9j0
+-----END PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519.crl b/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519.crl
new file mode 100644
index 0000000..b0320ad
Binary files /dev/null and b/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519.crl differ
diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519Cert.pem b/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519Cert.pem
new file mode 100644
index 0000000..9c5a069
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519Cert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519Key.pem b/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519Key.pem
new file mode 100644
index 0000000..ae82fb9
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/ed25519/strongswan_ed25519Key.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIHb+63Ppcfc9m/E9EyoojCDUz6KcUmwTquU7sgpmctz0
+-----END PRIVATE KEY-----
diff --git a/testing/hosts/winnetou/etc/openssl/generate-crl b/testing/hosts/winnetou/etc/openssl/generate-crl
index 1a375e0..1c62d64 100755
--- a/testing/hosts/winnetou/etc/openssl/generate-crl
+++ b/testing/hosts/winnetou/etc/openssl/generate-crl
@@ -63,3 +63,6 @@ cp strongswan_bliss.crl ${ROOT}
 cd /etc/openssl/sha3-rsa
 pki --signcrl --cacert strongswanCert.pem --cakey strongswanKey.pem --lifetime 30 --digest sha3_256 > strongswan-sha3-rsa.crl
 cp strongswan-sha3-rsa.crl ${ROOT}
+cd /etc/openssl/ed25519
+pki --signcrl --cacert strongswan_ed25519Cert.pem --cakey strongswan_ed25519Key.pem --lifetime 30 > strongswan_ed25519.crl
+cp strongswan_ed25519.crl ${ROOT}
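Review bot: The three added lines do not check for failure, so if `cd /etc/openssl/ed25519` or `pki --signcrl` fails, the `>` redirection has already created or truncated strongswan_ed25519.crl and the `cp` still copies it to `${ROOT}`. Revocation tests would then run against an empty or stale CRL, and the cause is easy to miss. Unless the part of the script outside this hunk enables `set -e`, I would write `cd /etc/openssl/ed25519 || exit 1` and chain the other two as `pki --signcrl ... > strongswan_ed25519.crl && cp strongswan_ed25519.crl ${ROOT}`. The sha3-rsa context lines above follow the same unchecked pattern.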
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index 586f9dd..057333f 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
@@ -36,7 +36,7 @@ R	151119165922Z	151126081658Z,superseded	23	unknown	/C=CH/O=Linux strongSwan/OU=
 R	161015124507Z	161018152707Z,superseded	24	unknown	/C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongswan.org
 R	161015124759Z	161018152711Z,superseded	25	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol at strongswan.org
 R	161015125030Z	161018152714Z,superseded	26	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave at strongswan.org
-V	170314064200Z		27	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol at strongswan.org
+R	170314064200Z	170320204507Z,superseded	27	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol at strongswan.org
 R	190321135622Z	140322135700Z,CACompromise	28	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	190413204655Z		29	unknown	/C=CH/O=Linux strongSwan/OU=Research/serialNumber=002/CN=carol at strongswan.org
 V	190826144245Z		2A	unknown	/C=CH/O=Linux strongSwan/CN=sun.strongswan.org
@@ -53,3 +53,4 @@ V	190906082453Z		34	unknown	/C=CH/O=Linux strongSwan/OU=Virtual VPN Gateway/CN=m
 V	190905153713Z		35	unknown	/C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongswan.org
 V	190905154104Z		36	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol at strongswan.org
 V	190905154224Z		37	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave at strongswan.org
+V	190906205244Z		38	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol at strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old
index 649ad9f..8e9729c 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt.old
+++ b/testing/hosts/winnetou/etc/openssl/index.txt.old
@@ -36,7 +36,7 @@ R	151119165922Z	151126081658Z,superseded	23	unknown	/C=CH/O=Linux strongSwan/OU=
 R	161015124507Z	161018152707Z,superseded	24	unknown	/C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongswan.org
 R	161015124759Z	161018152711Z,superseded	25	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol at strongswan.org
 R	161015125030Z	161018152714Z,superseded	26	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave at strongswan.org
-V	170314064200Z		27	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol at strongswan.org
+R	170314064200Z	170320204507Z,superseded	27	unknown	/C=CH/O=Linux strongSwan/OU=OCSP/CN=carol at strongswan.org
 R	190321135622Z	140322135700Z,CACompromise	28	unknown	/C=CH/O=Linux strongSwan/OU=Research/CN=Research CA
 V	190413204655Z		29	unknown	/C=CH/O=Linux strongSwan/OU=Research/serialNumber=002/CN=carol at strongswan.org
 V	190826144245Z		2A	unknown	/C=CH/O=Linux strongSwan/CN=sun.strongswan.org
@@ -52,3 +52,4 @@ V	190906145531Z		33	unknown	/C=CH/O=Linux strongSwan/CN=aaa.strongswan.org
 V	190906082453Z		34	unknown	/C=CH/O=Linux strongSwan/OU=Virtual VPN Gateway/CN=mars.strongswan.org
 V	190905153713Z		35	unknown	/C=CH/O=Linux strongSwan/OU=SHA-224/CN=moon.strongswan.org
 V	190905154104Z		36	unknown	/C=CH/O=Linux strongSwan/OU=SHA-384/CN=carol at strongswan.org
+V	190905154224Z		37	unknown	/C=CH/O=Linux strongSwan/OU=SHA-512/CN=dave at strongswan.org
diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/38.pem b/testing/hosts/winnetou/etc/openssl/newcerts/38.pem
new file mode 100644
index 0000000..d1e85db
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/newcerts/38.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial
index e522732..a272009 100644
--- a/testing/hosts/winnetou/etc/openssl/serial
+++ b/testing/hosts/winnetou/etc/openssl/serial
@@ -1 +1 @@
-38
+39
diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old
index 81b5c5d..e522732 100644
--- a/testing/hosts/winnetou/etc/openssl/serial.old
+++ b/testing/hosts/winnetou/etc/openssl/serial.old
@@ -1 +1 @@
-37
+38
diff --git a/testing/hosts/winnetou/etc/strongswan.conf b/testing/hosts/winnetou/etc/strongswan.conf
index dfb9dbc..a69df79 100644
--- a/testing/hosts/winnetou/etc/strongswan.conf
+++ b/testing/hosts/winnetou/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # strongswan.conf - strongSwan configuration file
 
 pki {
-  load = random pem sha1 sha2 sha3 pkcs1 pem gmp mgf1 bliss x509
+  load = random pem sha1 sha2 sha3 pkcs1 pkcs8 pem gmp mgf1 bliss curve25519 x509
 }
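Review bot: The `load` line still lists `pem` twice; the commit adds `pkcs8` and `curve25519` but carries the duplicate over. Assuming the repeated entry has no intended effect on plugin ordering, the line would read more clearly as `load = random pem sha1 sha2 sha3 pkcs1 pkcs8 gmp mgf1 bliss curve25519 x509`.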
diff --git a/testing/scripts/build-guestkernel b/testing/scripts/build-guestkernel
index a10fb83..c8f0178 100755
--- a/testing/scripts/build-guestkernel
+++ b/testing/scripts/build-guestkernel
@@ -14,7 +14,7 @@ cd $BUILDDIR
 
 if [ ! -f "$KERNELTARBALL" ]
 then
-	url=ftp://ftp.kernel.org/pub/linux/kernel/v${KERNELVERSION:0:1}.x/$KERNELTARBALL
+	url=https://cdn.kernel.org/pub/linux/kernel/v${KERNELVERSION:0:1}.x/$KERNELTARBALL
 	log_action "Downloading $url"
 	execute "wget -q $url"
 fi
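Review bot: No integrity check on the downloaded tarball is visible in this block. Switching to https protects the transfer, but not against a partial file left by an interrupted `wget`, which the `[ ! -f "$KERNELTARBALL" ]` test would then accept on the next run, nor against a wrong object served by the mirror. I would pin a digest beside KERNELVERSION in testing.conf and verify it after the `fi`, for example `echo "$KERNELSHA256  $KERNELTARBALL" | sha256sum -c - || exit 1`, where `KERNELSHA256` is a new variable this change would have to introduce. Verifying the detached signature published for the release would be stronger still. The script continues outside the hunk, so a later check cannot be ruled out from here.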
diff --git a/testing/scripts/load-testconfig b/testing/scripts/load-testconfig
index 5f35c12..a1a0f98 100755
--- a/testing/scripts/load-testconfig
+++ b/testing/scripts/load-testconfig
@@ -25,24 +25,123 @@ SSHCONF="-F $DIR/../ssh_config"
 
 testname=$1
 
+DEFAULTTESTSDIR=$DIR/../tests
+
+[ -d $DEFAULTTESTSDIR ] || die "Directory 'tests' not found"
+[ -d $DEFAULTTESTSDIR/$testname ] || die "Test '$testname' not found"
+[ -f $DEFAULTTESTSDIR/$testname/test.conf ] || die "File 'test.conf' is missing"
+
 TESTSDIR=$BUILDDIR/tests
+[ -d $TESTSDIR ] || mkdir $TESTSDIR
+
+TESTDIR=$TESTSDIR/${testname}
+rm -rf $TESTDIR
+mkdir -p $TESTDIR
+cp -rfp $DEFAULTTESTSDIR/${testname}/* $TESTDIR
+
+##############################################################################
+# assign IP for each host to hostname
+#
+
+for host in $STRONGSWANHOSTS
+do
+    eval ipv4_${host}="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+    eval ipv6_${host}="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
 
-[ -d $TESTSDIR ] || die "Directory '$TESTSDIR' not found"
-[ -d $TESTSDIR/$testname ] || die "Test '$testname' not found"
-[ -f $TESTSDIR/$testname/test.conf ] || die "File 'test.conf' is missing"
+    case $host in
+    moon)
+        eval ipv4_moon1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_moon1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        ;;
+    sun)
+        eval ipv4_sun1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_sun1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        ;;
+    alice)
+        eval ipv4_alice1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_alice1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        ;;
+    venus)
+        ;;
+    bob)
+        ;;
+    carol)
+        eval ipv4_carol1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_carol1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+         ;;
+    dave)
+        eval ipv4_dave1="`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        eval ipv6_dave1="`echo $HOSTNAMEIPV6 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $2 }' | awk '{ print $1 }'`"
+        ;;
+    winnetou)
+        ;;
+    esac
+done
+
+##############################################################################
+# replace IP wildcards with actual IPv4 and IPv6 addresses
+#
+
+for host in $STRONGSWANHOSTS
+do
+    case $host in
+    moon)
+    searchandreplace PH_IP_MOON1     $ipv4_moon1 $TESTDIR
+    searchandreplace PH_IP_MOON      $ipv4_moon  $TESTDIR
+    searchandreplace PH_IP6_MOON1    $ipv6_moon1 $TESTDIR
+    searchandreplace PH_IP6_MOON     $ipv6_moon  $TESTDIR
+    ;;
+    sun)
+    searchandreplace PH_IP_SUN1      $ipv4_sun1 $TESTDIR
+    searchandreplace PH_IP_SUN       $ipv4_sun  $TESTDIR
+    searchandreplace PH_IP6_SUN1     $ipv6_sun1 $TESTDIR
+    searchandreplace PH_IP6_SUN      $ipv6_sun  $TESTDIR
+    ;;
+    alice)
+    searchandreplace PH_IP_ALICE1    $ipv4_alice1 $TESTDIR
+    searchandreplace PH_IP_ALICE     $ipv4_alice  $TESTDIR
+    searchandreplace PH_IP6_ALICE1   $ipv6_alice1 $TESTDIR
+    searchandreplace PH_IP6_ALICE    $ipv6_alice  $TESTDIR
+    ;;
+    venus)
+    searchandreplace PH_IP_VENUS     $ipv4_venus $TESTDIR
+    searchandreplace PH_IP6_VENUS    $ipv6_venus $TESTDIR
+    ;;
+    bob)
+    searchandreplace PH_IP_BOB       $ipv4_bob $TESTDIR
+    searchandreplace PH_IPV6_BOB     $ipv6_bob $TESTDIR
+    ;;
+    carol)
+    searchandreplace PH_IP_CAROL1    $ipv4_carol1 $TESTDIR
+    searchandreplace PH_IP_CAROL     $ipv4_carol  $TESTDIR
+    searchandreplace PH_IP6_CAROL1   $ipv6_carol1 $TESTDIR
+    searchandreplace PH_IP6_CAROL    $ipv6_carol  $TESTDIR
+    ;;
+    dave)
+    searchandreplace PH_IP_DAVE1     $ipv4_dave1 $TESTDIR
+    searchandreplace PH_IP_DAVE      $ipv4_dave  $TESTDIR
+    searchandreplace PH_IP6_DAVE1    $ipv6_dave1 $TESTDIR
+    searchandreplace PH_IP6_DAVE     $ipv6_dave  $TESTDIR
+    ;;
+    winnetou)
+    searchandreplace PH_IP_WINNETOU  $ipv4_winnetou $TESTDIR
+    searchandreplace PH_IP6_WINNETOU $ipv6_winnetou $TESTDIR
+    ;;
+    esac
+done
 
-source $TESTSDIR/$testname/test.conf
+source $TESTDIR/test.conf
 
 ##########################################################################
 # copy test specific configurations to uml hosts
 #
 
-if [ -d $TESTSDIR/$testname/hosts ]
+if [ -d $TESTDIR/hosts ]
 then
-    for host in `ls $TESTSDIR/$testname/hosts`
+    for host in `ls $TESTDIR/hosts`
     do
-	eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-	scp $SSHCONF -r $TESTSDIR/$testname/hosts/$host/etc $HOSTLOGIN:/ > /dev/null 2>&1
+	eval HOSTLOGIN=root@\$ipv4_${host}
+	scp $SSHCONF -r $TESTDIR/hosts/$host/etc $HOSTLOGIN:/ > /dev/null 2>&1
     done
 fi
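Review bot: `rm -rf $TESTDIR` now runs on a path built from the unvalidated, unquoted command-line argument `$1`, and the three `die` checks above it only prove that the name resolves to a directory with a test.conf under `$DEFAULTTESTSDIR`. A name containing `..` can pass those checks while making `$TESTSDIR/${testname}` point outside the build tree, and a name with whitespace is word-split. I would reject such names before the copy with `case "$testname" in ''|*..*) die "Invalid test name '$testname'";; esac`, and quote the destructive commands as `rm -rf -- "$TESTDIR"` and `mkdir -p -- "$TESTDIR"`. The script begins before this hunk, so an earlier check on `$1` may exist outside the visible lines.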
 
@@ -53,7 +152,7 @@ fi
 
 for host in $IPSECHOSTS
 do
-    eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+    eval HOSTLOGIN=root@\$ipv4_${host}
     ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/auth.log /var/log/daemon.log; \
 		    kill -SIGHUP `cat /var/run/rsyslogd.pid`' > /dev/null 2>&1
 done
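Review bot: `eval HOSTLOGIN=root@\$ipv4_${host}` leaves HOSTLOGIN as the bare string `root@` whenever no `ipv4_<host>` variable exists for a name in $IPSECHOSTS (unless `set -u` is active, which is not visible here), and the `> /dev/null 2>&1` on the ssh line then hides the failure, so old logs could carry over into the next test without any message. The host name is also spliced into the eval unquoted, so an entry with characters that are not valid in a variable name is re-parsed by the shell; the names presumably come only from test.conf and the hosts directory, but a guard is cheap. I would check the result right after the eval, e.g. `[ "$HOSTLOGIN" != "root@" ] || { echo "no IPv4 address defined for $host" >&2; continue; }`. The same line appears in the $RADIUSHOSTS loop of the next hunk and in the hosts copy loop of the preceding hunk, which starts outside this view.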
@@ -65,7 +164,7 @@ done
 
 for host in $RADIUSHOSTS
 do
-    eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
+    eval HOSTLOGIN=root@\$ipv4_${host}
     ssh $SSHCONF $HOSTLOGIN 'rm -f /var/log/daemon.log /var/log/freeradius/radius.log; \
 		    kill -SIGHUP `cat /var/run/rsyslogd.pid`' > /dev/null 2>&1
 done
diff --git a/testing/scripts/recipes/015_strongTNC.mk b/testing/scripts/recipes/015_strongTNC.mk
index cc4a94a..419d60b 100644
--- a/testing/scripts/recipes/015_strongTNC.mk
+++ b/testing/scripts/recipes/015_strongTNC.mk
@@ -19,4 +19,4 @@ $(DEPS): $(PKG)-master
 
 install: $(DEPS)
 	pip install --no-index --find-links=file://`pwd`/$(DEPS) -r $(PKG)-master/requirements.txt
-	cp -r $(PKG)-master /var/www/tnc && chgrp -R www-data /var/www/tnc && chmod g+w /var/www/tnc /var/www/tnc/django.db
+	cp -r $(PKG)-master /var/www/tnc && chgrp -R www-data /var/www/tnc && chmod g+sw /var/www/tnc
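Review bot: The new `chmod g+sw /var/www/tnc` no longer touches django.db, so write access for www-data to the database now rests on two things this line does not guarantee. Setgid on the directory only passes the group to files created later, and the group-write bit on such a file comes from the creating process's umask. The chmod is also non-recursive, so subdirectories copied by `cp -r` get neither bit. If the database is created after install (not visible in this hunk), a comment such as `# django.db is created later; the setgid dir gives it group www-data, the creator needs umask 002` would record the assumption. If it can already exist in $(PKG)-master, keep an explicit `chmod g+w` on it.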
diff --git a/testing/testing.conf b/testing/testing.conf
index 5f85dd5..1a30977 100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -24,14 +24,14 @@ fi
 : ${TESTDIR=/srv/strongswan-testing}
 
 # Kernel configuration
-: ${KERNELVERSION=4.8.3}
+: ${KERNELVERSION=4.10.6}
 : ${KERNEL=linux-$KERNELVERSION}
 : ${KERNELTARBALL=$KERNEL.tar.xz}
-: ${KERNELCONFIG=$DIR/../config/kernel/config-4.8}
+: ${KERNELCONFIG=$DIR/../config/kernel/config-4.10}
 : ${KERNELPATCH=ha-4.4-abicompat.patch.bz2}
 
 # strongSwan version used in tests
-: ${SWANVERSION=5.5.1}
+: ${SWANVERSION=5.5.2}
 
 # Build directory where the guest kernel and images will be built
 : ${BUILDDIR=$TESTDIR/build}
diff --git a/testing/tests/ha/active-passive/hosts/alice/etc/strongswan.conf b/testing/tests/ha/active-passive/hosts/alice/etc/strongswan.conf
index d6d4539..5072d77 100644
--- a/testing/tests/ha/active-passive/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ha/active-passive/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default ha 
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default ha
+
   plugins {
     ha {
       local = PH_IP_ALICE
diff --git a/testing/tests/ha/active-passive/hosts/carol/etc/strongswan.conf b/testing/tests/ha/active-passive/hosts/carol/etc/strongswan.conf
index e58af9e..af5fa19 100644
--- a/testing/tests/ha/active-passive/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ha/active-passive/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ha/active-passive/hosts/dave/etc/strongswan.conf b/testing/tests/ha/active-passive/hosts/dave/etc/strongswan.conf
index ecbad66..16a0a8c 100644
--- a/testing/tests/ha/active-passive/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ha/active-passive/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ha/active-passive/hosts/moon/etc/strongswan.conf b/testing/tests/ha/active-passive/hosts/moon/etc/strongswan.conf
index 198f3a0..68d4414 100644
--- a/testing/tests/ha/active-passive/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ha/active-passive/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default ha
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default ha
+
   plugins {
     ha {
       local = PH_IP_MOON1
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
index e8be72a..0d10394 100644
--- a/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default ha 
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default ha
+
   plugins {
     ha {
       local = PH_IP_ALICE
diff --git a/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
index e58af9e..af5fa19 100644
--- a/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
index ecbad66..16a0a8c 100644
--- a/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
index 206fb21..17d5422 100644
--- a/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default ha
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default ha
+
   plugins {
     ha {
       local = PH_IP_MOON1
diff --git a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
index 0776fb1..48e8fc6 100644
--- a/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
index 0776fb1..7a64dce 100644
--- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
index 0776fb1..7a64dce 100644
--- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/strongswan.conf
index 9b248e8..ae0529e 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac x509 curl revocation stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp hmac x509 curl revocation stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
index 9b248e8..ab779fc 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac x509 curl revocation stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp hmac x509 curl revocation stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
index 9b248e8..ab779fc 100644
--- a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac x509 curl revocation stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp hmac x509 curl revocation stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf
index f585edf..2c4f3fc 100644
--- a/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-3des-md5/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf
index f585edf..66ff246 100644
--- a/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-3des-md5/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
index 1f0fd41..d69a7b8 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes blowfish md5 sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf
index 1f0fd41..a3c9999 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
index 1f0fd41..a3c9999 100644
--- a/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
index f585edf..3f13273 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
index f585edf..be00a11 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
index f585edf..be00a11 100644
--- a/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-sha256/description.txt b/testing/tests/ikev1/alg-sha256/description.txt
index 826a8f1..f7e5391 100644
--- a/testing/tests/ikev1/alg-sha256/description.txt
+++ b/testing/tests/ikev1/alg-sha256/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_128 / HMAC_SHA2_256_128</b> by defining <b>esp=aes128-sha256-modp2048!</b>
+<b>AES_CBC_128 / HMAC_SHA2_256_128</b> by defining <b>esp=aes128-sha256-curve25519!</b>
 in ipsec.conf. The same cipher suite is used for IKE.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha256/evaltest.dat b/testing/tests/ikev1/alg-sha256/evaltest.dat
index 8cbac4f..d9ff947 100644
--- a/testing/tests/ikev1/alg-sha256/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha256/evaltest.dat
@@ -2,11 +2,11 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol at st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol at strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128/MODP_3072,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/MODP_3072,::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128/CURVE_25519,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/CURVE_25519,::YES
 moon:: ip xfrm state::auth-trunc hmac(sha256)::YES
 carol::ip xfrm state::auth-trunc hmac(sha256)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 200::YES
diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
index 1c22797..25fce18 100644
--- a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha256-modp3072!
-	esp=aes128-sha256-modp3072!
+	ike=aes128-sha256-curve25519!
+	esp=aes128-sha256-curve25519!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
index 177aebf..b3e5df1 100644
--- a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha256-modp3072!
-	esp=aes128-sha256-modp3072!
+	ike=aes128-sha256-curve25519!
+	esp=aes128-sha256-curve25519!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-sha256/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-sha384/description.txt b/testing/tests/ikev1/alg-sha384/description.txt
index 2255fe8..f96ea5c 100644
--- a/testing/tests/ikev1/alg-sha384/description.txt
+++ b/testing/tests/ikev1/alg-sha384/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_192 / HMAC_SHA2_384_192</b> by defining <b>esp=aes192-sha384-modp3072!</b>
+<b>AES_CBC_192 / HMAC_SHA2_384_192</b> by defining <b>esp=aes192-sha384-curve25519!</b>
 in ipsec.conf. The same cipher suite is used for IKE.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/alg-sha384/evaltest.dat b/testing/tests/ikev1/alg-sha384/evaltest.dat
index 166aa81..3a53356 100644
--- a/testing/tests/ikev1/alg-sha384/evaltest.dat
+++ b/testing/tests/ikev1/alg-sha384/evaltest.dat
@@ -2,11 +2,11 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol at st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol at strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_25519::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_25519::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192/MODP_3072,::YES
-carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/MODP_3072,::YES
+moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192/CURVE_25519,::YES
+carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/CURVE_25519,::YES
 moon:: ip xfrm state::auth-trunc hmac(sha384)::YES
 carol::ip xfrm state::auth-trunc hmac(sha384)::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 208::YES
diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
index 6f1519f..9e7f488 100644
--- a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes192-sha384-modp3072!
-	esp=aes192-sha384-modp3072!
+	ike=aes192-sha384-curve25519!
+	esp=aes192-sha384-curve25519!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
index 919ee9b..d4c4a6f 100644
--- a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes192-sha384-modp3072!
-	esp=aes192-sha384-modp3072!
+	ike=aes192-sha384-curve25519!
+	esp=aes192-sha384-curve25519!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf
index f585edf..3f13273 100644
--- a/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf
index f585edf..be00a11 100644
--- a/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf
index 5d1c35c..0fbefa3 100644
--- a/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf
index 5d1c35c..729db45 100644
--- a/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf
index de6bda2..b8817fe 100644
--- a/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
 
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
diff --git a/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf
index 5d1c35c..0fbefa3 100644
--- a/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf
index 5d1c35c..729db45 100644
--- a/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/config-payload/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf
index de6bda2..b8817fe 100644
--- a/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/config-payload/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
 
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
diff --git a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev1/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/double-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev1/double-nat/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
index 4ccce1f..af5fa19 100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
index 4ccce1f..af5fa19 100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
index 4ccce1f..93f4345 100644
--- a/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-initiator/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
index 4ccce1f..af5fa19 100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
index 4ccce1f..af5fa19 100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
index 4ccce1f..93f4345 100644
--- a/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-responder/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf
index 4ccce1f..af5fa19 100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf
index 4ccce1f..93f4345 100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf
index 4ccce1f..93f4345 100644
--- a/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/dynamic-two-peers/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/description.txt b/testing/tests/ikev1/esp-alg-aes-ccm/description.txt
index 9fe03b0..40cc821 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/description.txt
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CCM_12_128</b> by defining <b>esp=aes128ccm12-modp2048</b> or alternatively
-<b>esp=aes128ccm96-modp2048</b> in ipsec.conf.
+<b>AES_CCM_12_128</b> by defining <b>esp=aes128ccm12-curve25519</b> or alternatively
+<b>esp=aes128ccm96-curve25519</b> in ipsec.conf.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
index 1cef8f8..35b96c1 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha256-modp2048!
-	esp=aes128ccm96-modp2048!
+	ike=aes128-sha256-curve25519!
+	esp=aes128ccm96-curve25519!
 
 conn home
 	left=PH_IP_CAROL
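Review bot: The strict proposals `ike=aes128-sha256-curve25519!` and `esp=aes128ccm96-curve25519!` sit under `keyexchange=ikev1`, and the file gives no hint that this DH group is a strongSwan-to-strongSwan choice for IKEv1. RFC 8031 specifies Curve25519 for IKEv2 and I am not aware of an IKEv1 group assignment for it, so a third-party peer would likely reject the proposal, and `!` leaves no fallback; please confirm. A comment such as `# curve25519 in IKEv1 is not widely implemented; tested here between strongSwan peers only` would help. The same applies to the other esp-alg-* ipsec.conf hunks on both hosts. The `conn %default` section these lines belong to starts above this hunk.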
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
index f295f15..9692b64 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac ccm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
index 72163ae..40251f7 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha256-modp2048!
-	esp=aes128ccm12-modp2048!
+	ike=aes128-sha256-curve25519!
+	esp=aes128ccm12-curve25519!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
index f295f15..cbfd676 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac ccm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/description.txt b/testing/tests/ikev1/esp-alg-aes-ctr/description.txt
index fbcc480..5858267 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/description.txt
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/description.txt
@@ -1,3 +1,3 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CTR_256 / AES_XCBC_96</b> by defining <b>esp=aes256ctr-aesxcbc-modp2048</b> in ipsec.conf.
+<b>AES_CTR_256 / AES_XCBC_96</b> by defining <b>esp=aes256ctr-aesxcbc-curve25519</b> in ipsec.conf.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
index 08ff7da..ac835d0 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha512-modp2048!
-	esp=aes256ctr-aesxcbc-modp2048!
+	ike=aes256-sha512-curve25519!
+	esp=aes256ctr-aesxcbc-curve25519!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
index cae7e00..913afb4 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac ctr stroke kernel-netlink socket-default updown
 }
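Review bot: `xcbc` is removed from the `load` line here and in moon's file for this test, although the test still negotiates `esp=aes256ctr-aesxcbc-curve25519!`. The esp-alg-aes-xcbc hosts, by contrast, keep `xcbc` for `esp=aes256-aesxcbc!`. Both tests use AES-XCBC only for ESP and a SHA-2 hash for IKE, so the plugin should be needed in both or in neither. If ESP integrity is left to the kernel, which the config alone does not show, drop `xcbc` from the esp-alg-aes-xcbc files as well; otherwise restore it here as `... revocation hmac xcbc ctr stroke ...`.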
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
index f712ed8..5c7bbf8 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha512-modp2048!
-	esp=aes256ctr-aesxcbc-modp2048!
+	ike=aes256-sha512-curve25519!
+	esp=aes256ctr-aesxcbc-curve25519!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
index cae7e00..8cbe58f 100644
--- a/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac ctr stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/description.txt b/testing/tests/ikev1/esp-alg-aes-gcm/description.txt
index bd9521e..f112af6 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/description.txt
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_GCM_16_256</b> by defining <b>esp=aes256gcm16-modp2048</b> or alternatively
-<b>esp=aes256gcm128-modp2048</b> in ipsec.conf.
+<b>AES_GCM_16_256</b> by defining <b>esp=aes256gcm16-curve25519</b> or alternatively
+<b>esp=aes256gcm128-curve25519</b> in ipsec.conf.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
index 125ce91..6dddc28 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha512-modp2048!
-	esp=aes256gcm128-modp2048!
+	ike=aes256-sha512-curve25519!
+	esp=aes256gcm128-curve25519!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
index e396bb1..1d1cd4e 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
index b5821cd..d98aaea 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha512-modp2048!
-	esp=aes256gcm16-modp2048!
+	ike=aes256-sha512-curve25519!
+	esp=aes256gcm16-curve25519!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
index e396bb1..369c294 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/description.txt b/testing/tests/ikev1/esp-alg-aes-gmac/description.txt
index 823ec25..0d5eb10 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/description.txt
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the authentication-only
-ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac-modp2048!</b>
+ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac-curve25519!</b>
 in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
 the established tunnel.
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
index 5ad6365..c6d77ca 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha256-modp2048!
-	esp=aes256gmac-modp2048!
+	ike=aes256-sha256-curve25519!
+	esp=aes256gmac-curve25519!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
index fba69ab..f42aad2 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha256-modp2048!
-	esp=aes256gmac-modp2048!
+	ike=aes256-sha256-curve25519!
+	esp=aes256gmac-curve25519!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf
index 94eb96f..a653bcd 100644
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/ipsec.conf
@@ -8,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha256-modp2048!
+	ike=aes256-sha256-curve25519!
 	esp=aes256-aesxcbc!
 
 conn home
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index f585edf..c5200b0 100644
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf
index dbc4685..3e37c3c 100644
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -8,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes256-sha256-modp2048!
+	ike=aes256-sha256-curve25519!
 	esp=aes256-aesxcbc!
 
 conn rw
diff --git a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index f585edf..e0561f3 100644
--- a/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/esp-alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/esp-alg-null/evaltest.dat b/testing/tests/ikev1/esp-alg-null/evaltest.dat
index d9888a1..b80e9f7 100644
--- a/testing/tests/ikev1/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-null/evaltest.dat
@@ -3,9 +3,9 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol at strongswan.org.*moon.
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
-carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA2_256_128::YES
+carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA2_256_128::YES
 moon:: ip xfrm state::enc ecb(cipher_null)::YES
 carol::ip xfrm state::enc ecb(cipher_null)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 172::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 172::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 176::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 176::YES
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
index cd93d79..d436291 100644
--- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha1-modp2048!
-	esp=null-sha1!
+	ike=aes128-sha256-curve25519!
+	esp=null-sha256!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
index 2e9b8de..c17c581 100644
--- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha1-modp2048!
-	esp=null-sha1!
+	ike=aes128-sha256-curve25519!
+	esp=null-sha256!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
index 7b81476..0fbefa3 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
index 7b81476..729db45 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
index 7d97dd2..c224059 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
 
   plugins {
     attr-sql {
diff --git a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf
index 0387fdf..9d07c88 100644
--- a/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-rw/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   keep_alive = 5
 }
diff --git a/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf
index 2127105..93f4345 100644
--- a/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf
index 0387fdf..9d07c88 100644
--- a/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-rw/hosts/venus/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   keep_alive = 5
 }
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/nat-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/net2net-ah/description.txt b/testing/tests/ikev1/net2net-ah/description.txt
index 7ced7a5..fbe4a77 100644
--- a/testing/tests/ikev1/net2net-ah/description.txt
+++ b/testing/tests/ikev1/net2net-ah/description.txt
@@ -1,8 +1,8 @@
 A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b>
 is set up using the IKEv1 protocol.
-With <b>ah=md5,sha1</b> gateway <b>moon</b> proposes the use of an
-<b>AH proposal</b>. Gateway <b>sun</b> selects SHA1 for integrity protection
-with its <b>ah=sha1!</b> configuration.
+With <b>ah=sha1,sha256!</b> gateway <b>moon</b> proposes the use of <b>AH</b>.
+Gateway <b>sun</b> selects SHA2_256_128 for integrity protection with its
+<b>ah=sha256!</b> configuration.
 <p/>
 Upon the successful establishment of the AH CHILD SA, client <b>alice</b> behind
 gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev1/net2net-ah/evaltest.dat b/testing/tests/ikev1/net2net-ah/evaltest.dat
index d13369f..34a1cde 100644
--- a/testing/tests/ikev1/net2net-ah/evaltest.dat
+++ b/testing/tests/ikev1/net2net-ah/evaltest.dat
@@ -1,5 +1,5 @@
-sun::  cat /var/log/daemon.log::received proposals: AH:HMAC_MD5_96/NO_EXT_SEQ, AH:HMAC_SHA1_96/NO_EXT_SEQ::YES
-sun::  cat /var/log/daemon.log::selected proposal: AH:HMAC_SHA1_96/NO_EXT_SEQ::YES
+sun::  cat /var/log/daemon.log::received proposals: AH:HMAC_SHA1_96/NO_EXT_SEQ, AH:HMAC_SHA2_256_128/NO_EXT_SEQ::YES
+sun::  cat /var/log/daemon.log::selected proposal: AH:HMAC_SHA2_256_128/NO_EXT_SEQ::YES
 moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
@@ -7,5 +7,5 @@ sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
-moon::ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES
-sun:: ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES
+moon::ipsec statusall 2> /dev/null::HMAC_SHA2_256_128::YES
+sun:: ipsec statusall 2> /dev/null::HMAC_SHA2_256_128::YES
diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf
index d062dfe..d6e251d 100644
--- a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf
@@ -5,8 +5,8 @@ config setup
 
 conn %default
 	keyexchange=ikev1
-	ike=aes128-sha1-modp1536!
-	ah=md5,sha1
+	ike=aes128-sha256-modp3072!
+	ah=sha1,sha256!
 
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf
index ddba8b1..02ae5af 100644
--- a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf
index c374adf..7c0490d 100644
--- a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf
@@ -5,8 +5,8 @@ config setup
 
 conn %default
 	keyexchange=ikev1
-	ike=aes128-sha1-modp1536!
-	ah=sha1!
+	ike=aes128-sha256-modp3072!
+	ah=sha256!
 
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf
index ddba8b1..02ae5af 100644
--- a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
index 4ccce1f..93f4345 100644
--- a/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
index 4ccce1f..93f4345 100644
--- a/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/net2net-esn/description.txt b/testing/tests/ikev1/net2net-esn/description.txt
index 13bb62b..6318c55 100644
--- a/testing/tests/ikev1/net2net-esn/description.txt
+++ b/testing/tests/ikev1/net2net-esn/description.txt
@@ -1,6 +1,6 @@
 A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-With <b>esp=aes128-sha1-esn!</b> gateway <b>moon</b> proposes the use of
-<b>Extended Sequence Numbers</b>. Gateway <b>sun</b> defines <b>esp=aes128-sha1-esn-noesn!</b>,
+With <b>esp=aes128-sha256-esn!</b> gateway <b>moon</b> proposes the use of
+<b>Extended Sequence Numbers</b>. Gateway <b>sun</b> defines <b>esp=aes128-sha256-esn-noesn!</b>,
 accepting proposals with and without ESN.
 <p/>
 Upon the successful establishment of the CHILD SA with ESN, client <b>alice</b> behind
diff --git a/testing/tests/ikev1/net2net-esn/evaltest.dat b/testing/tests/ikev1/net2net-esn/evaltest.dat
index d8d7cb4..8fa6893 100644
--- a/testing/tests/ikev1/net2net-esn/evaltest.dat
+++ b/testing/tests/ikev1/net2net-esn/evaltest.dat
@@ -1,6 +1,6 @@
-sun::  cat /var/log/daemon.log::received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ::YES
-sun::  cat /var/log/daemon.log::configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ/NO_EXT_SEQ::YES
-sun::  cat /var/log/daemon.log::selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ::YES
+sun::  cat /var/log/daemon.log::received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ::YES
+sun::  cat /var/log/daemon.log::configured proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ::YES
+sun::  cat /var/log/daemon.log::selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ::YES
 sun::  cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
 moon:: cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
 moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
@@ -12,6 +12,6 @@ moon:: ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
 alice::ping -c 10 -i 0 -f PH_IP_BOB::10 packets transmitted, 10 received, 0% packet loss::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-moon::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_96/ESN::YES
-sun:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_96/ESN::YES
+moon::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA2_256_128/ESN::YES
+sun:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA2_256_128/ESN::YES
 
diff --git a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf
index 8929072..4fcff4a 100644
--- a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/ipsec.conf
@@ -9,8 +9,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha1-modp1536!
-	esp=aes128-sha1-esn!
+	ike=aes128-sha256-modp3072!
+	esp=aes128-sha256-esn!
 
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf
index ddba8b1..02ae5af 100644
--- a/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-esn/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf
index 666e32d..2e81bfd 100644
--- a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/ipsec.conf
@@ -9,8 +9,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
-	ike=aes128-sha1-modp1536!
-	esp=aes128-sha1-esn-noesn!
+	ike=aes128-sha256-modp3072!
+	esp=aes128-sha256-esn-noesn!
 
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf
index ddba8b1..02ae5af 100644
--- a/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-esn/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
index e663014..14cd6e4 100644
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   fragment_size = 1024
-  dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
index e663014..14cd6e4 100644
--- a/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-fragmentation/hosts/sun/etc/strongswan.conf
@@ -1,8 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   fragment_size = 1024
-  dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
index 3925d92..38df6a9 100644
--- a/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
   send_vendor_id = yes
diff --git a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
index fafe267..7a578d2 100644
--- a/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
   send_vendor_id = yes
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
index 5db4358..1188d68 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
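Review bot: With `gmp` removed, `curve25519` is the only Diffie-Hellman provider left in this `load` line, so the scenario now depends on the `ike=` proposal in the matching ipsec.conf naming curve25519; that file is not part of this hunk. In a test that expects authentication to fail, a proposal or DH mismatch would also end without an established SA. The evaluation should therefore match the pre-shared-key failure message specifically rather than only the absence of `ESTABLISHED` (not verifiable from here). The same applies to the sun hunk of this test, and the `ike=` coupling also to both net2net-psk hunks. A comment such as `# only curve25519 DH is loaded; ike= must use curve25519` would record the dependency.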
diff --git a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
index 5db4358..1188d68 100644
--- a/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
index 2486425..9555143 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
index 2486425..9555143 100644
--- a/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev1/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
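Review bot: carol's new `load` line keeps `md5` while the moon hunk for the same scenario drops it, and the file gives no reason for the difference. Presumably carol still needs the hash to decrypt a passphrase-protected PEM private key (legacy PEM encryption derives its key with MD5); this should be confirmed against the scenario's key files, which are not visible here. If that is the reason, a comment such as `# md5: only needed to decrypt carol's passphrase-protected private key` would keep a later clean-up from removing it blindly or from reading it as an accepted IKE algorithm. The same carol/moon asymmetry recurs in rw-cert-aggressive, rw-cert-unity, rw-initiator-only, virtual-ip and the xauth-*rsa* scenarios.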
diff --git a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
index 33c50d1..af5fa19 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
index 33c50d1..93f4345 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
index 33c50d1..93f4345 100644
--- a/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-aggressive/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
index c43d34a..5df879c 100644
--- a/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/carol/etc/strongswan.conf
@@ -1,8 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default unity
-
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default unity
   cisco_unity = yes
-  dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
index cb696bd..b925166 100644
--- a/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert-unity/hosts/moon/etc/strongswan.conf
@@ -1,10 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default attr unity
-
+  load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default attr unity
   cisco_unity = yes
-  dh_exponent_ansi_x9_42 = no
 
   plugins {
     attr {
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index 86827b2..7e57927 100644
--- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 
-  dh_exponent_ansi_x9_42 = no
   integrity_test = yes
 
   crypto_test {
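Review bot: This scenario's new `load` line keeps the legacy algorithms (`des`, `md5`, `xcbc`) and adds `sha3`, `chapoly`, `newhope`, `mgf1` and `ntru`, while the sibling scenarios are trimmed to a minimal set, and the file does not say why. Judging by `integrity_test = yes` and the `crypto_test` section, the broad list presumably exists so the self-tests cover every algorithm; a comment like `# full algorithm set on purpose: exercised by crypto_test, not by the IKE proposal` would record that. `random` and `nonce` now precede `test-vectors`; if self-tests run when a plugin registers its algorithms, it is worth confirming that this ordering is intended. The charon block continues past the end of the hunk, and the dave and moon hunks for rw-cert are identical.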
diff --git a/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
index 86827b2..7e57927 100644
--- a/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,9 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 
-  dh_exponent_ansi_x9_42 = no
   integrity_test = yes
 
   crypto_test {
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 86827b2..7e57927 100644
--- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des md5 sha1 sha2 sha3 chapoly pem pkcs1 pkcs8 curve25519 gmp newhope mgf1 ntru x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
 
-  dh_exponent_ansi_x9_42 = no
   integrity_test = yes
 
   crypto_test {
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
index 73b0885..ff775e5 100644
--- a/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   initiator_only = yes
 }
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
index 094e0ef..c58fdbc 100644
--- a/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
index 094e0ef..c58fdbc 100644
--- a/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-initiator-only/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf
index d84cba2..9555143 100644
--- a/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf
index d84cba2..9555143 100644
--- a/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf
index 708a71c..bcafd86 100644
--- a/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-aggressive/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 
   i_dont_care_about_security_and_use_aggressive_mode_psk = yes
 }
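Review bot: `i_dont_care_about_security_and_use_aggressive_mode_psk = yes` stays in moon's file without a comment, and after this clean-up it is the only setting that distinguishes the file from the carol and dave ones. IKEv1 aggressive mode with a pre-shared key sends a PSK-derived hash before the peer is authenticated, which allows offline guessing of the key. The setting should be marked as scenario-only, for example `# test scenario only: aggressive mode PSK exposes a PSK-derived hash to offline guessing`, so the file is not copied as a template.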
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
index d84cba2..9555143 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
index d84cba2..9555143 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
index d84cba2..9555143 100644
--- a/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index d84cba2..9555143 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index d84cba2..9555143 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index d84cba2..9555143 100644
--- a/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
index c08fab8..d6dcd99 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic resolve kernel-netlink socket-default stroke updown
 }
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
index 66054d0..d6dcd99 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic resolve kernel-netlink socket-default stroke updown
-  
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic resolve kernel-netlink socket-default stroke updown
 }
diff --git a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
index 02e7618..4f0b4be 100644
--- a/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-psk-config/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic attr kernel-netlink socket-default stroke updown
+  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic attr kernel-netlink socket-default stroke updown
 
   dns1 = 192.168.0.150
   dns2 = 10.1.0.20
-  dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
index ca3372f..b635720 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
index ca3372f..e3bada0 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
index ca3372f..e3bada0 100644
--- a/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-aggressive/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
index ca3372f..b635720 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
index ca3372f..e3bada0 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
index ca3372f..e3bada0 100644
--- a/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-config/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
index ca3372f..b635720 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
index ca3372f..e3bada0 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
index ca3372f..e3bada0 100644
--- a/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-id-rsa-hybrid/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
index f65197b..73a4271 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
index f65197b..73a4271 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
index f65197b..73a4271 100644
--- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 hmac curve25519 xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
index ca3372f..b635720 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
index 09b9264..41fa522 100644
--- a/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius eap-md5 xauth-eap updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-md5 xauth-eap updown
 
   plugins {
     eap-radius {
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
index ca3372f..b635720 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
index a6e1ba4..2f8caca 100644
--- a/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa-radius/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
 
   plugins {
     eap-radius {
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
index ca3372f..b635720 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
 }
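Review bot: The new `load` line keeps `md5` on carol while the dave and moon configs of this same scenario drop it, and nothing in the file records why. Presumably carol's private key is a passphrase-protected PEM file whose key derivation needs MD5 (and `aes` in the alg-3des-md5 and alg-blowfish scenarios, where only carol keeps it); that is inferred from the asymmetry, not shown in the hunk. A one-line comment above the setting, e.g. `# md5 is loaded only to decrypt carol's PEM private key`, would keep a later cleanup from dropping it or from copying the weak hash back to the other hosts. The same applies to the other carol configs in this series (acert-*, after-2038-certs, alg-aes-*, alg-sha256-96).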
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
index ca3372f..e3bada0 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
index ca3372f..e3bada0 100644
--- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random nonce curl xauth-generic kernel-netlink socket-default updown stroke
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl xauth-generic kernel-netlink socket-default updown stroke
 }
diff --git a/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-cached/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-cached/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf
index bae8628..6276b14 100644
--- a/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-cached/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation acert hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation acert hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-fallback/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf
index bae8628..6276b14 100644
--- a/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-fallback/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation acert hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation acert hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-inline/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-inline/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf
index bae8628..6276b14 100644
--- a/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/acert-inline/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation acert hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation acert hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
index f585edf..2c4f3fc 100644
--- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
index f585edf..66ff246 100644
--- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-ccm/description.txt b/testing/tests/ikev2/alg-aes-ccm/description.txt
index 28e38ca..569504a 100644
--- a/testing/tests/ikev2/alg-aes-ccm/description.txt
+++ b/testing/tests/ikev2/alg-aes-ccm/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_CCM_12_128</b> both for IKE and ESP by defining <b>ike=aes128ccm12-aesxcbc-modp2048</b>
-(or alternatively <b>aes128ccm96</b>) and <b>esp=aes128ccm12-modp2048</b> in ipsec.conf, respectively.
+<b>AES_CCM_12_128</b> both for IKE and ESP by defining <b>ike=aes128ccm12-aesxcbc-curve25519</b>
+(or alternatively <b>aes128ccm96</b>) and <b>esp=aes128ccm12-curve25519</b> in ipsec.conf, respectively.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
index 03707f8..c7218e4 100644
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128ccm96-aesxcbc-modp2048!
-	esp=aes128ccm96-modp2048!
+	ike=aes128ccm96-aesxcbc-x25519!
+	esp=aes128ccm96-x25519!
 
 conn home
 	left=PH_IP_CAROL
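Review bot: The DH group is spelled `x25519` on the two changed lines, but this scenario's description.txt, updated in the same commit, quotes `ike=aes128ccm12-aesxcbc-curve25519` and `esp=aes128ccm12-curve25519`. If both spellings are accepted proposal keywords the test still passes, yet a reader searching the configs for the string from the description will not find it. The description should quote the config literally, e.g. `ike=aes128ccm12-aesxcbc-x25519`; the alg-aes-ctr, alg-aes-gcm, alg-aes-xcbc and alg-sha256-96 scenarios show the same mismatch. The `conn %default` section starts above this hunk.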
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
index f295f15..eb329f2 100644
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc ccm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
index d7ed92f..fdffa0f 100644
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128ccm12-aesxcbc-modp2048!
-	esp=aes128ccm12-modp2048!
+	ike=aes128ccm12-aesxcbc-x25519!
+	esp=aes128ccm12-x25519!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
index f295f15..ffe6974 100644
--- a/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ccm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc ccm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-ctr/description.txt b/testing/tests/ikev2/alg-aes-ctr/description.txt
index edb601b..1ac6b4c 100644
--- a/testing/tests/ikev2/alg-aes-ctr/description.txt
+++ b/testing/tests/ikev2/alg-aes-ctr/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_CTR_128</b> both for IKE and ESP by defining <b>ike=aes128ctr-aesxcbc-modp2048</b>
-and <b>esp=aes128ctr-aesxcbc-modp2048</b> in ipsec.conf, respectively.
+<b>AES_CTR_128</b> both for IKE and ESP by defining <b>ike=aes128ctr-aesxcbc-curve25519</b>
+and <b>esp=aes128ctr-aesxcbc-curve25519</b> in ipsec.conf, respectively.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
index 3be20c6..b5aabdd 100644
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128ctr-aesxcbc-modp2048!
-	esp=aes128ctr-aesxcbc-modp2048!
+	ike=aes128ctr-aesxcbc-x25519!
+	esp=aes128ctr-aesxcbc-x25519!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
index cae7e00..c6ef5d7 100644
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc ctr stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
index 1cf16ee..650b346 100644
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128ctr-aesxcbc-modp2048!
-	esp=aes128ctr-aesxcbc-modp2048!
+	ike=aes128ctr-aesxcbc-x25519!
+	esp=aes128ctr-aesxcbc-x25519!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
index cae7e00..3ec3f00 100644
--- a/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc ctr stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-gcm/description.txt b/testing/tests/ikev2/alg-aes-gcm/description.txt
index 2afcecd..ccf32fc 100644
--- a/testing/tests/ikev2/alg-aes-gcm/description.txt
+++ b/testing/tests/ikev2/alg-aes-gcm/description.txt
@@ -1,5 +1,5 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the cipher suite
-<b>AES_GCM_16_256</b> both for IKE and ESP by defining <b>ike=aes256gcm16-aesxcbc-modp2048</b>
-(or alternatively <b>aes256gcm128</b>) and <b>esp=aes256gcm16-modp2048</b> in ipsec.conf,
+<b>AES_GCM_16_256</b> both for IKE and ESP by defining <b>ike=aes256gcm16-aesxcbc-curve25519</b>
+(or alternatively <b>aes256gcm128</b>) and <b>esp=aes256gcm16-curve25519</b> in ipsec.conf,
 respectively.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
index 7a808ff..c6bc925 100644
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256gcm128-aesxcbc-modp2048!
-	esp=aes256gcm128-modp2048!
+	ike=aes256gcm128-aesxcbc-x25519!
+	esp=aes256gcm128-x25519!
 
 conn home
 	left=PH_IP_CAROL
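Review bot: On the changed `ike=` line the 256-bit AES-GCM key is derived through `aesxcbc` and `x25519`, both of which top out at roughly 128 bits, so the proposal does not deliver the strength its cipher name suggests. Assuming `aesxcbc` is taken as the PRF for this AEAD proposal (the hunk does not show how it is mapped), the old `modp2048` group was no stronger, so this is not a regression. Because test configs get copied into deployments, a comment such as `# test vector only: PRF and DH limit this suite to ~128-bit strength` above the line would help; moon's ipsec.conf in this scenario carries the same combination. The `conn %default` section starts above this hunk.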
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
index e396bb1..7cb4496 100644
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
index 12a35cb..1597aae 100644
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256gcm16-aesxcbc-modp2048!
-	esp=aes256gcm16-modp2048!
+	ike=aes256gcm16-aesxcbc-x25519!
+	esp=aes256gcm16-x25519!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
index e396bb1..35d3c19 100644
--- a/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc gcm stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/description.txt b/testing/tests/ikev2/alg-aes-xcbc/description.txt
index c71d749..d69d3d0 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/description.txt
+++ b/testing/tests/ikev2/alg-aes-xcbc/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes  to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_128 / AES_XCBC_96</b> by defining <b>esp=aes128-aesxcbc-modp2048!</b>
+<b>AES_CBC_128 / AES_XCBC_96</b> by defining <b>esp=aes128-aesxcbc-curve25519!</b>
 in ipsec.conf. The same cipher suite is used for IKE.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
index 4b85484..42bf076 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
+++ b/testing/tests/ikev2/alg-aes-xcbc/evaltest.dat
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol at st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol at strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/MODP_3072::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/CURVE_25519::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/AES_XCBC_96/PRF_AES128_XCBC/CURVE_25519::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/AES_XCBC_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/AES_XCBC_96,::YES
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
index c9e9e92..93bafce 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-aesxcbc-modp3072!
-	esp=aes128-aesxcbc-modp3072!
+	ike=aes128-aesxcbc-x25519!
+	esp=aes128-aesxcbc-x25519!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index f585edf..ce99647 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
index 4e4a932..13a1798 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-aesxcbc-modp3072!
-	esp=aes128-aesxcbc-modp3072!
+	ike=aes128-aesxcbc-x25519!
+	esp=aes128-aesxcbc-x25519!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index f585edf..69f188e 100644
--- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
index 1f0fd41..d69a7b8 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes blowfish md5 sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
index 1f0fd41..a3c9999 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
index 1f0fd41..a3c9999 100644
--- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  dh_exponent_ansi_x9_42 = no
-  load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce blowfish sha1 sha2 pem pkcs1 gmp curl x509 revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
index f585edf..3f13273 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
index f585edf..be00a11 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
index f585edf..be00a11 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha256-96/description.txt b/testing/tests/ikev2/alg-sha256-96/description.txt
index e1d5916..9e5321e 100644
--- a/testing/tests/ikev2/alg-sha256-96/description.txt
+++ b/testing/tests/ikev2/alg-sha256-96/description.txt
@@ -1,5 +1,5 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
 <b>AES_CBC_128 / HMAC_SHA2_256_96</b> which uses 96 bit instead of the 
 standard 128 bit truncation, allowing compatibility with Linux kernels older than 2.6.33 
-by defining <b>esp=aes128-sha256_96-modp2048!</b> in ipsec.conf.
+by defining <b>esp=aes128-sha256_96-curve25519!</b> in ipsec.conf.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-sha256-96/evaltest.dat b/testing/tests/ikev2/alg-sha256-96/evaltest.dat
index c5ea03f..42e7b93 100644
--- a/testing/tests/ikev2/alg-sha256-96/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha256-96/evaltest.dat
@@ -4,8 +4,8 @@ moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 moon:: cat /var/log/daemon.log::received strongSwan vendor ID::YES
 carol::cat /var/log/daemon.log::received strongSwan vendor ID::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_96,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_96,::YES
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
index 90a1436..6a1a1ad 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha256-modp3072!
-	esp=aes128-sha256_96-modp3072!
+	ike=aes128-sha256-x25519!
+	esp=aes128-sha256_96-x25519!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
index adc0ab9..a3837a4 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
index e0b2625..41919c8 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha256-modp3072!
-	esp=aes128-sha256_96-modp3072!
+	ike=aes128-sha256-x25519!
+	esp=aes128-sha256_96-x25519!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
index adc0ab9..55a6df1 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/alg-sha256/description.txt b/testing/tests/ikev2/alg-sha256/description.txt
index 826a8f1..f7e5391 100644
--- a/testing/tests/ikev2/alg-sha256/description.txt
+++ b/testing/tests/ikev2/alg-sha256/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_128 / HMAC_SHA2_256_128</b> by defining <b>esp=aes128-sha256-modp2048!</b>
+<b>AES_CBC_128 / HMAC_SHA2_256_128</b> by defining <b>esp=aes128-sha256-curve25519!</b>
 in ipsec.conf. The same cipher suite is used for IKE.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-sha256/evaltest.dat b/testing/tests/ikev2/alg-sha256/evaltest.dat
index 8bfcbc4..f47852b 100644
--- a/testing/tests/ikev2/alg-sha256/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha256/evaltest.dat
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol at st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol at strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_128/HMAC_SHA2_256_128,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128,::YES
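Review bot: The two updated `IKE proposal` patterns now pin `CURVE_25519`, but the unchanged ESP patterns below them stop at the comma after the integrity algorithm. Nothing in this file therefore asserts the `x25519` group that the same commit puts into `esp=`. As far as I can tell, the CHILD_SA created during IKE_AUTH takes its keys from the IKE SA, so the ESP group would only come into play on a rekey. If that is intended, a sentence in description.txt saying that the ESP DH group is not checked would keep readers from assuming it is. The evaltest.dat hunk for alg-sha384 has the same shape.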
diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
index 6890ea4..b3548db 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha256-modp3072!
-	esp=aes128-sha256-modp3072!
+	ike=aes128-sha256-x25519!
+	esp=aes128-sha256-x25519!
 
 conn home
 	left=PH_IP_CAROL
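Review bot: The new `ike=`/`esp=` values spell the group `x25519`, while the description.txt hunk of this same test documents `esp=aes128-sha256-curve25519!`. Both spellings appear in this commit, so presumably the proposal parser accepts either, but the description no longer quotes the line that is actually configured. I would settle on one spelling, e.g. `esp=aes128-sha256-x25519!` in description.txt. The moon ipsec.conf hunk and the alg-sha384 test show the same mismatch.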
diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
index 5831118..da8bff0 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha256-modp3072!
-	esp=aes128-sha256-modp3072!
+	ike=aes128-sha256-x25519!
+	esp=aes128-sha256-x25519!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha384/description.txt b/testing/tests/ikev2/alg-sha384/description.txt
index 2255fe8..f96ea5c 100644
--- a/testing/tests/ikev2/alg-sha384/description.txt
+++ b/testing/tests/ikev2/alg-sha384/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the ESP cipher suite
-<b>AES_CBC_192 / HMAC_SHA2_384_192</b> by defining <b>esp=aes192-sha384-modp3072!</b>
+<b>AES_CBC_192 / HMAC_SHA2_384_192</b> by defining <b>esp=aes192-sha384-curve25519!</b>
 in ipsec.conf. The same cipher suite is used for IKE.
 A ping from <b>carol</b> to <b>alice</b> successfully checks the established tunnel.
diff --git a/testing/tests/ikev2/alg-sha384/evaltest.dat b/testing/tests/ikev2/alg-sha384/evaltest.dat
index 1148a18..56d862e 100644
--- a/testing/tests/ikev2/alg-sha384/evaltest.dat
+++ b/testing/tests/ikev2/alg-sha384/evaltest.dat
@@ -2,8 +2,8 @@ moon:: ipsec status 2> /dev/null::rw.*ESTABLISHED.*moon.strongswan.org.*carol at st
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol at strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
-carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_3072::YES
+moon:: ipsec statusall 2> /dev/null::rw.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_25519::YES
+carol::ipsec statusall 2> /dev/null::home.*IKE proposal.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/CURVE_25519::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 moon:: ipsec statusall 2> /dev/null::rw.*AES_CBC_192/HMAC_SHA2_384_192,::YES
 carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192,::YES
diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf
index e02d90b..e9122d4 100644
--- a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes192-sha384-modp3072!
-	esp=aes192-sha384-modp3072!
+	ike=aes192-sha384-x25519!
+	esp=aes192-sha384-x25519!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf
index 990fce1..e4b5273 100644
--- a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes192-sha384-modp3072!
-	esp=aes192-sha384-modp3072!
+	ike=aes192-sha384-x25519!
+	esp=aes192-sha384-x25519!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
index f585edf..3f13273 100644
--- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
index f585edf..be00a11 100644
--- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
index fed33db..d4085e6 100644
--- a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
index fed33db..d4085e6 100644
--- a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
index fed33db..d4085e6 100644
--- a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
index fed33db..d4085e6 100644
--- a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress-nat/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress-nat/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
index 5d1c35c..0fbefa3 100644
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
index 5d1c35c..729db45 100644
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
index de6bda2..b8817fe 100644
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr
 
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
index 269e1a5..448093f 100644
--- a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
   
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
index a2bdf79..dbcb7a3 100644
--- a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
index ea1b905..82118b4 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 
   cache_crls = yes
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
index d0c3f8c..a9c6e8d 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
index d0c3f8c..a9c6e8d 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default updown
 }
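Review bot: moon's new `load` line in this test still contains `md5`, whereas the moon lines in the neighbouring CRL tests of this commit (crl-from-cache, crl-revoked, crl-to-cache) drop it. Both crl-ldap hosts end up on the same blob (`a9c6e8d`), so this may simply be one file shared between them. If moon does not need MD5 here, the line could read `load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default updown`. Leaving it out would keep the test from silently depending on MD5 being available on the gateway.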
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
index ea1b905..82118b4 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 
   cache_crls = yes
 }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
index 7b81476..0fbefa3 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
index 7b81476..729db45 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
index 1c7c270..c4a0ff8 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr farp dhcp
+
   plugins {
     dhcp {
       server = 10.1.255.255
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
index 7b81476..0fbefa3 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
index 7b81476..729db45 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
index 1c7c270..c4a0ff8 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr farp dhcp
+
   plugins {
     dhcp {
       server = 10.1.255.255
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
index 7b81476..0fbefa3 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
index 7b81476..729db45 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
index d96d1d7..0883bf0 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr farp dhcp
+
   plugins {
     dhcp {
       server = 10.1.255.255
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
index 4ccce1f..af5fa19 100644
--- a/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
index 4ccce1f..af5fa19 100644
--- a/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
index 4ccce1f..93f4345 100644
--- a/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-initiator/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf
index 4ccce1f..af5fa19 100644
--- a/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf
index 4ccce1f..93f4345 100644
--- a/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf
index 4ccce1f..93f4345 100644
--- a/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dynamic-two-peers/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
-
-  dh_exponent_ansi_x9_42 = no
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/description.txt b/testing/tests/ikev2/esp-alg-aes-gmac/description.txt
index 823ec25..0d5eb10 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/description.txt
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/description.txt
@@ -1,4 +1,4 @@
 Roadwarrior <b>carol</b> proposes to gateway <b>moon</b> the authentication-only
-ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac-modp2048!</b>
+ESP cipher suite <b>NULL_AES_GMAC_256</b> by defining <b>esp=aes256gmac-curve25519!</b>
 in ipsec.conf. A ping from <b>carol</b> to <b>alice</b> successfully checks
 the established tunnel.
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
index 8f5b77c..ebe0c27 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-aesxcbc-modp2048!
-	esp=aes256gmac-modp2048!
+	ike=aes256-aesxcbc-x25519!
+	esp=aes256gmac-x25519!
 
 conn home
 	left=PH_IP_CAROL
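Review bot: The group keyword here is spelled `x25519` (`esp=aes256gmac-x25519!`), but the description.txt updated in the same commit tells the reader the test defines `esp=aes256gmac-curve25519!`. The two spellings are presumably aliases for the same group, but someone comparing the description with the running config or grepping for the string will not find a match. Either write `esp=aes256gmac-curve25519!` and `ike=aes256-aesxcbc-curve25519!` here, or change the description to `x25519`; the same mismatch applies to the moon ipsec.conf hunk of this test. The `conn home` section continues outside the hunk.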
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
index f585edf..ce99647 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
index d41ba72..1fdb1bd 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes256-aesxcbc-modp2048!
-	esp=aes256gmac-modp2048!
+	ike=aes256-aesxcbc-x25519!
+	esp=aes256gmac-x25519!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
index f585edf..69f188e 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
index f585edf..2c4f3fc 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
index f585edf..2c4f3fc 100644
--- a/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-md5-128/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes des sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-null/evaltest.dat b/testing/tests/ikev2/esp-alg-null/evaltest.dat
index d9888a1..b80e9f7 100644
--- a/testing/tests/ikev2/esp-alg-null/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-null/evaltest.dat
@@ -3,9 +3,9 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol at strongswan.org.*moon.
 moon:: ipsec status 2> /dev/null::rw.*INSTALLED, TUNNEL::YES
 carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
-carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA1_96::YES
+moon:: ipsec statusall 2> /dev/null::NULL/HMAC_SHA2_256_128::YES
+carol::ipsec statusall 2> /dev/null::NULL/HMAC_SHA2_256_128::YES
 moon:: ip xfrm state::enc ecb(cipher_null)::YES
 carol::ip xfrm state::enc ecb(cipher_null)::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 172::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 172::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 176::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 176::YES
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf
index 1d85091..9991b0b 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha1-modp2048!
-	esp=null-sha1!
+	ike=aes128-sha256-x25519!
+	esp=null-sha256!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf
index 38f8bd6..2a2c4cb 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha1-modp2048!
-	esp=null-sha1!
+	ike=aes128-sha256-x25519!
+	esp=null-sha256!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf
index 5262987..043c3d7 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/ipsec.conf
@@ -8,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha1-modp1536!
+	ike=aes128-sha1-modp2048!
 	esp=aes128-sha1_160!
 
 conn home
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
index f585edf..3f13273 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf
index d4cc3fb..8681963 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/ipsec.conf
@@ -8,7 +8,7 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha1-modp1536!
+	ike=aes128-sha1-modp2048!
 	esp=aes128-sha1_160!
 
 conn rw
diff --git a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
index f585edf..be00a11 100644
--- a/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-sha1-160/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
index 7b81476..0fbefa3 100644
--- a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
index 7b81476..729db45 100644
--- a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
index eaaf8bd..e34ca9d 100644
--- a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr farp
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
index 7b81476..0fbefa3 100644
--- a/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/forecast/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
index 7b81476..729db45 100644
--- a/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/forecast/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
index 986ef32..9cd6f68 100644
--- a/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/forecast/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown attr forecast
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown attr forecast
+
   syslog {
     daemon {
       net = 2
diff --git a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/strongswan.conf
new file mode 100644
index 0000000..3738301
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation pubkey curve25519 gmp curl kernel-netlink socket-default updown stroke
+}
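Review bot: The new `load` line for alice includes the `pubkey` plugin, which neither the sun config of this host2host-transport-connmark scenario nor the new host2host-transport-nat configs load. If the scenario authenticates with X.509 certificates only, which this hunk does not show, `pubkey` can be dropped so each test host loads only the plugins it needs. Otherwise a one-line comment above `load`, such as `# pubkey: needed for <reason>`, would record why it is there. The same applies to the identical new venus file.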
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
index 1311e5b..e3fc4d7 100644
--- a/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default connmark
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default connmark
 }
diff --git a/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/strongswan.conf
new file mode 100644
index 0000000..3738301
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-connmark/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation pubkey curve25519 gmp curl kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf
new file mode 100644
index 0000000..281da12
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000..281da12
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf
new file mode 100644
index 0000000..281da12
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 curve25519 gmp x509 curl revocation kernel-netlink socket-default updown stroke
+}
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
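Review bot: `md5` stays in carol's `load` list here while the moon config of the same scenario drops it along with `des` and `xcbc`, and nothing in the file says why. If it is kept on purpose (presumably something carol-specific still depends on MD5, which is not visible in this hunk), add a comment above the line, e.g. `# md5 is still required for <reason>`. That keeps the weak hash from being copied into other configs or removed by mistake later. The same applies to the other carol configs in this patch that keep `md5`: ip-pool-db, ip-pool-wish, ip-pool, ip-split-pools-db, ip-two-pools-db, ip-two-pools-mixed, ip-two-pools-v4v6-db, ip-two-pools-v4v6, ip-two-pools, lookip and mult-auth-rsa-eap-sim-id.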
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
index 7b81476..0fbefa3 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
index 7b81476..729db45 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
index 7d97dd2..c224059 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
 
   plugins {
     attr-sql {
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index 7d97dd2..c224059 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite attr-sql updown
 
   plugins {
     attr-sql {
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
index 7b81476..729db45 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
index 7b81476..f0b74a7 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
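Review bot: `md5` is listed between `aes` and `sha1` on the new `load` line, whereas the other carol configs in this patch that retain it (for example ip-pool-db and ip-two-pools-mixed) place it after `sha2`. Using one order throughout, `load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve`, keeps the per-host lists easy to compare and makes a later removal of `md5` a uniform search-and-replace. The ip-two-pools and lookip carol hunks use the same `aes md5 sha1 sha2` order.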
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
index 7b81476..729db45 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
index b238646..1664d55 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke sqlite attr-sql kernel-netlink socket-default updown
 
   plugins {
     attr-sql {
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
index 7b81476..729db45 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
index b238646..1664d55 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke sqlite attr-sql kernel-netlink socket-default updown
 
   plugins {
     attr-sql {
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
index da157a5..db9ab46 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-v4v6-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite attr-sql
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown sqlite attr-sql
 
   plugins {
     attr-sql {
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-v4v6/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
index f585edf..952df5e 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf
index f585edf..952df5e 100644
--- a/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/lookip/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/lookip/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf
index af1bc18..cabe702 100644
--- a/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/lookip/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown lookip
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown lookip
 }
diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
index 414eeba..5615f44 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
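Review bot: The new load list for carol keeps `md5` while the list for dave in the next file drops it, although both files started from the same blob (`414eeba`) and carry otherwise identical plugin lists. Either carol's line should match dave's, `load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown`, or a comment should say why carol still needs the MD5 plugin. A legacy hash left loaded on one peer only makes it harder to tell which algorithms the test really depends on.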
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
index 414eeba..51614f7 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
index 710c38b..aab6993 100644
--- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+
   plugins {
     eap-radius {
       secret = gv6URkSs
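Review bot: `md5` is the one legacy hash that stays in this load list, and nothing in the file says why. It is presumably kept because the `eap-radius` plugin configured below relies on MD5 for the RADIUS authenticator fields. A comment above the `load` line, such as `# md5 is needed by eap-radius (RADIUS authenticators)`, would stop a later cleanup from removing it by mistake. The `plugins` section continues outside the hunk.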
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
index 91ded37..fa36317 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
index 91ded37..fa36317 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
index d0c3f8c..2881b73 100644
--- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 ldap revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
index 0431c5d..3038f52 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce constraints x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp constraints x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
index 8d3610b..0b6834b 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation constraints hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation constraints hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw-mark/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf
index 924fd47..f6cb39c 100644
--- a/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown
 }
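Review bot: With `gmp` removed, `curve25519` appears to be the only key-exchange provider left in this load list, so the test works only if every peer's IKE proposal offers that group; the same applies to the sun and venus files that follow. The ipsec.conf files of this test are not in the hunk, so this needs confirming: any `ike=` line there that pins a MODP group would no longer negotiate. `pem` and `pkcs1` also stay loaded although a PSK-only scenario presumably reads no key files; if they are unused the line could be `load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown`.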
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf
index 924fd47..f6cb39c 100644
--- a/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf
index 924fd47..f6cb39c 100644
--- a/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw-psk/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf
index 0387fdf..9d07c88 100644
--- a/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   keep_alive = 5
 }
diff --git a/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf
index 2127105..93f4345 100644
--- a/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf
index 0387fdf..9d07c88 100644
--- a/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-rw/hosts/venus/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   keep_alive = 5
 }
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-ah/description.txt b/testing/tests/ikev2/net2net-ah/description.txt
index a8ac7ee..7816aa2 100644
--- a/testing/tests/ikev2/net2net-ah/description.txt
+++ b/testing/tests/ikev2/net2net-ah/description.txt
@@ -1,7 +1,7 @@
 A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-With <b>ah=sha1-md5</b> gateway <b>moon</b> proposes the use of an
-<b>AH proposal</b>. Gateway <b>sun</b> selects SHA1 for integrity protection
-with its <b>ah=sha1!</b> configuration.
+With <b>ah=sha256-sha384!</b> gateway <b>moon</b> proposes the use of <b>AH</b>.
+Gateway <b>sun</b> selects SHA2_256_128 for integrity protection with its <b>ah=sha256!</b>
+configuration.
 <p/>
 Upon the successful establishment of the AH CHILD SA, client <b>alice</b> behind
 gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-ah/evaltest.dat b/testing/tests/ikev2/net2net-ah/evaltest.dat
index 1cfc450..69a7165 100644
--- a/testing/tests/ikev2/net2net-ah/evaltest.dat
+++ b/testing/tests/ikev2/net2net-ah/evaltest.dat
@@ -1,5 +1,5 @@
-sun::  cat /var/log/daemon.log::received proposals: AH:HMAC_SHA1_96/HMAC_MD5_96/NO_EXT_SEQ::YES
-sun::  cat /var/log/daemon.log::selected proposal: AH:HMAC_SHA1_96/NO_EXT_SEQ::YES
+sun::  cat /var/log/daemon.log::received proposals: AH:HMAC_SHA2_256_128/HMAC_SHA2_384_192/NO_EXT_SEQ::YES
+sun::  cat /var/log/daemon.log::selected proposal: AH:HMAC_SHA2_256_128/NO_EXT_SEQ::YES
 moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
 sun::  ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
@@ -7,5 +7,5 @@ sun::  ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES
-moon::ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES
-sun:: ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES
+moon::ipsec statusall 2> /dev/null::HMAC_SHA2_256_128::YES
+sun:: ipsec statusall 2> /dev/null::HMAC_SHA2_256_128::YES
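Review bot: The two `ipsec statusall` checks at the end match `HMAC_SHA2_256_128` anywhere in the output, and with `ike=aes128-sha256-modp3072!` set in this test's ipsec.conf the IKE proposal line is expected to contain the same token. They would therefore pass even if the AH SA used a different integrity algorithm. Anchoring the pattern to the CHILD_SA line would make the check specific, for example `moon::ipsec statusall 2> /dev/null::net-net{1}.*HMAC_SHA2_256_128::YES` and the same for sun; the exact line prefix should be confirmed against real statusall output. The daemon.log checks in the first hunk of this file name `AH:` explicitly and are not affected.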
diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf
index 6021195..7af65a5 100644
--- a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf
@@ -5,8 +5,8 @@ config setup
 
 conn %default
 	keyexchange=ikev2
-	ike=aes128-sha1-modp1536!
-	ah=sha1-md5
+	ike=aes128-sha256-modp3072!
+	ah=sha256-sha384!
 
 conn net-net
 	left=PH_IP_MOON
diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf
index ddba8b1..02ae5af 100644
--- a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
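Review bot: This load list does not gain `curve25519`, unlike the other strongswan.conf files touched by the commit, and the file does not say that this is deliberate. It is consistent with the strict `ike=aes128-sha256-modp3072!` proposal in this test's ipsec.conf, which only needs the MODP groups that `gmp` provides. A comment such as `# curve25519 omitted: IKE proposal is pinned to modp3072` would document that. The same applies to the sun file of this test.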
diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf
index 3f1ee59..82da6cb 100644
--- a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf
@@ -5,8 +5,8 @@ config setup
 
 conn %default
 	keyexchange=ikev2
-	ike=aes128-sha1-modp1536!
-	ah=sha1!
+	ike=aes128-sha256-modp3072!
+	ah=sha256!
 
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf
index ddba8b1..02ae5af 100644
--- a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
index 2127105..93f4345 100644
--- a/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
index 2127105..93f4345 100644
--- a/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert-sha2/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
index 6e5c240..2cb7f03 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
   signature_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
index 6e5c240..2cb7f03 100644
--- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
   signature_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf
index d5ac379..b73dd8a 100644
--- a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound dnscert random nonce x509 curl kernel-netlink socket-default stroke updown
+  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound dnscert x509 curl kernel-netlink socket-default stroke updown
 
   plugins {
     dnscert {
diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
index d5ac379..b73dd8a 100644
--- a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound dnscert random nonce x509 curl kernel-netlink socket-default stroke updown
+  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound dnscert x509 curl kernel-netlink socket-default stroke updown
 
   plugins {
     dnscert {
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
index 58deb25..d4c8c55 100644
--- a/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown
+  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound ipseckey curl kernel-netlink socket-default stroke updown
 
   plugins {
     ipseckey {
diff --git a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
index 58deb25..d4c8c55 100644
--- a/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-dnssec/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound ipseckey random nonce curl kernel-netlink socket-default stroke updown
+  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey unbound ipseckey curl kernel-netlink socket-default stroke updown
 
   plugins {
     ipseckey {
diff --git a/testing/tests/ikev2/net2net-ed25519/description.txt b/testing/tests/ikev2/net2net-ed25519/description.txt
new file mode 100644
index 0000000..07839e0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> containing <b>Ed25519</b> keys.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/ikev2/net2net-ed25519/evaltest.dat b/testing/tests/ikev2/net2net-ed25519/evaltest.dat
new file mode 100644
index 0000000..cb29fa6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/evaltest.dat
@@ -0,0 +1,9 @@
+moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES
+sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES
+moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
+moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.conf
new file mode 100644
index 0000000..e85ec33
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_MOON
+	leftauth=pubkey
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=PH_IP_SUN
+	rightauth=pubkey
+	rightid=@sun.strongswan.org
+	rightsubnet=10.2.0.0/16
+	auto=add
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 0000000..9c5a069
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.d/certs/moonCert.pem b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.d/certs/moonCert.pem
new file mode 100644
index 0000000..e67b224
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.d/certs/moonCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.d/private/moonKey.pem b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.d/private/moonKey.pem
new file mode 100644
index 0000000..491d364
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.d/private/moonKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIKF9TGaPwvVmqoqowy6y8anmPMKpSi9bKc310bbXBMtk
+-----END PRIVATE KEY-----
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 0000000..54790b6
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PKCS8 moonKey.pem
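Review bot: The `: PKCS8 moonKey.pem` entry loads a private key that this commit adds to the tree unencrypted (no passphrase follows the file name), and nothing in the file marks it as a fixture. The key material is public from the moment it is committed, so I would add a comment above the entry: `# test fixture only: this key is published in the source tree and must never be used outside the test environment`. The same applies to `: PKCS8 sunKey.pem` in the sun host's ipsec.secrets.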
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000..021f78e
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.conf
new file mode 100644
index 0000000..cfe9955
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+        keyingtries=1
+	keyexchange=ikev2
+	mobike=no
+
+conn net-net 
+	left=PH_IP_SUN
+	leftauth=pubkey
+	leftcert=sunCert.pem
+	leftid=@sun.strongswan.org
+	leftsubnet=10.2.0.0/16
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightauth=pubkey
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	auto=add
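Review bot: In `conn %default` the `keyingtries=1` line is indented with eight spaces while every other parameter in this new file uses a tab, and the `conn net-net ` header carries a trailing space (the moon file has the same trailing space). Both look carried over from the older test configs, since the context lines of the net2net-esn sun hunk show the same spacing. A new file is a cheap place to normalise it. The sun host's ipsec.secrets added in this commit also ends in five empty lines that could be dropped.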
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
new file mode 100644
index 0000000..9c5a069
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.d/cacerts/strongswanCert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBljCCAUigAwIBAgIIBrMLy9hl4GQwBQYDK2VwME8xCzAJBgNVBAYTAkNIMRsw
+GQYDVQQKExJzdHJvbmdTd2FuIFByb2plY3QxIzAhBgNVBAMTGnN0cm9uZ1N3YW4g
+RWQyNTUxOSBSb290IENBMB4XDTE2MTIwNDIyMzU1NloXDTI2MTIwNDIyMzU1Nlow
+TzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoTEnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEG
+A1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5IFJvb3QgQ0EwKjAFBgMrZXADIQAKMO0G
+lvjTLC7k8FoSp78rca3x++nvf9xPACSqnBg5UKNCMEAwDwYDVR0TAQH/BAUwAwEB
+/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFCNOkpAKSIb2BV3+ead2AzqOcNj4
+MAUGAytlcANBAEimNd3OTwM42KM0D+E6nJMHbrGSLA1XAukJDH9w30tzkbQHxTSv
+OPEN02ar1L30xfYVySJhV9i5cE8QkhThcAQ=
+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.d/certs/sunCert.pem b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.d/certs/sunCert.pem
new file mode 100644
index 0000000..70af020
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.d/certs/sunCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.d/private/sunKey.pem b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.d/private/sunKey.pem
new file mode 100644
index 0000000..b83f62c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.d/private/sunKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIF8vNpW9TVnEB+DzglbCjuZr+1u84dHRofgHoybGL9j0
+-----END PRIVATE KEY-----
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 0000000..e3850f0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,8 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PKCS8 sunKey.pem
+
+
+
+
+
diff --git a/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/strongswan.conf
new file mode 100644
index 0000000..021f78e
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-ed25519/posttest.dat b/testing/tests/ikev2/net2net-ed25519/posttest.dat
new file mode 100644
index 0000000..837738f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+
diff --git a/testing/tests/ikev2/net2net-ed25519/pretest.dat b/testing/tests/ikev2/net2net-ed25519/pretest.dat
new file mode 100644
index 0000000..bcc2cb0
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/pretest.dat
@@ -0,0 +1,7 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+sun::ipsec start
+moon::ipsec start
+sun::expect-connection net-net
+moon::expect-connection net-net
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-ed25519/test.conf b/testing/tests/ikev2/net2net-ed25519/test.conf
new file mode 100644
index 0000000..646b8b3
--- /dev/null
+++ b/testing/tests/ikev2/net2net-ed25519/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-esn/description.txt b/testing/tests/ikev2/net2net-esn/description.txt
index da847b6..c9da682 100644
--- a/testing/tests/ikev2/net2net-esn/description.txt
+++ b/testing/tests/ikev2/net2net-esn/description.txt
@@ -1,7 +1,7 @@
 A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
-With <b>esp=aes128-sha1-esn-noesn!</b> gateway <b>moon</b> proposes the use of
+With <b>esp=aes128-sha256-esn-noesn!</b> gateway <b>moon</b> proposes the use of
 <b>Extended Sequence Numbers</b> but can also live without them. Gateway <b>sun</b>
-defines <b>esp=aes128-sha1-esn!</b> and thus decides on the use of ESN.
+defines <b>esp=aes128-sha256-esn!</b> and thus decides on the use of ESN.
 <p/>
 Upon the successful establishment of the CHILD SA with ESN, client <b>alice</b> behind
 gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b> 10 times.
diff --git a/testing/tests/ikev2/net2net-esn/evaltest.dat b/testing/tests/ikev2/net2net-esn/evaltest.dat
index 63058eb..534ace9 100644
--- a/testing/tests/ikev2/net2net-esn/evaltest.dat
+++ b/testing/tests/ikev2/net2net-esn/evaltest.dat
@@ -1,5 +1,5 @@
-sun::  cat /var/log/daemon.log::received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ/NO_EXT_SEQ::YES
-sun::  cat /var/log/daemon.log::selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/EXT_SEQ::YES
+sun::  cat /var/log/daemon.log::received proposals: ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ/NO_EXT_SEQ::YES
+sun::  cat /var/log/daemon.log::selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/EXT_SEQ::YES
 sun::  cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
 moon:: cat /var/log/daemon.log::using extended sequence numbers (ESN)::YES
 moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES
@@ -11,6 +11,6 @@ moon:: ip -s xfrm state::flag af-unspec.*(0x10100000)::YES
 alice::ping -c 10 -i 0 -f PH_IP_BOB::10 packets transmitted, 10 received, 0% packet loss::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
-moon::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_96/ESN::YES
-sun:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA1_96/ESN::YES
+moon::ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA2_256_128/ESN::YES
+sun:: ipsec statusall 2> /dev/null::AES_CBC_128/HMAC_SHA2_256_128/ESN::YES
 
diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf
index 3418e63..8cce0c9 100644
--- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/ipsec.conf
@@ -9,8 +9,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha1-modp1536!
-	esp=aes128-sha1-esn-noesn!
+	ike=aes128-sha256-modp3072!
+	esp=aes128-sha256-esn-noesn!
 	mobike=no
 
 conn net-net 
diff --git a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
index ddba8b1..02ae5af 100644
--- a/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf
index f0b6c90..1fd5ddb 100644
--- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/ipsec.conf
@@ -9,8 +9,8 @@ conn %default
 	rekeymargin=3m
         keyingtries=1
 	keyexchange=ikev2
-	ike=aes128-sha1-modp1536!
-	esp=aes128-sha1-esn!
+	ike=aes128-sha256-modp3072!
+	esp=aes128-sha256-esn!
 	mobike=no
 
 conn net-net 
diff --git a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
index ddba8b1..02ae5af 100644
--- a/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-esn/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/strongswan.conf
index 8cc4192..02280ac 100644
--- a/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-fragmentation/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1024
-  dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/strongswan.conf
index 8cc4192..02280ac 100644
--- a/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-fragmentation/hosts/sun/etc/strongswan.conf
@@ -1,8 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1024
-  dh_exponent_ansi_x9_42 = no
 }
diff --git a/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf
index db2698d..904a5fa 100644
--- a/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-multicast/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default forecast
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default forecast
 
   multiple_authentication = no
   plugins {
diff --git a/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf
index db2698d..904a5fa 100644
--- a/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-multicast/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default forecast
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default forecast
 
   multiple_authentication = no
   plugins {
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
index 867949d..4907748 100644
--- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
   send_vendor_id = yes
diff --git a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
index e39c922..1dcbd6c 100644
--- a/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ntru-bandwidth/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
   send_vendor_id = yes
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
index 3925d92..38df6a9 100644
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
 
   multiple_authentication = no
   send_vendor_id = yes
diff --git a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
index a4cfc61..0b31f73 100644
--- a/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-ntru-cert/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl mgf1 ntru revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
   send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
index 8accff2..a76d601 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown
+  load = random nonce aes md5 sha1 sha2 hmac pem pkcs1 pgp curve25519 gmp stroke kernel-netlink socket-default updown
 }
 
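Review bot: The new `load` line drops `des` but keeps `md5`, while the otherwise matching net2net-pgp-v4 hunks drop both, and nothing in the file says why. Presumably MD5 stays because OpenPGP V3 key fingerprints are MD5-based. If so, a comment above the line such as `# md5 is needed only for OpenPGP V3 key fingerprints` would stop a later cleanup from removing it and breaking the test, or from copying the list into a config where MD5 is not wanted. The sun hunk for this test has the same line.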
diff --git a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
index 8accff2..a76d601 100644
--- a/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown
+  load = random nonce aes md5 sha1 sha2 hmac pem pkcs1 pgp curve25519 gmp stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
index 8accff2..7e53287 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 pgp curve25519 gmp stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
index 8accff2..7e53287 100644
--- a/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pgp-v4/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 pgp gmp random nonce stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 pgp curve25519 gmp stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
index 92e758d..4494dae 100644
--- a/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes des sha1 sha2 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
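Review bot: This `load` line removes `md5` but still loads `des` and `rc2`, unlike most of the other strongswan.conf hunks visible here, which drop `des`. That is presumably because the test's PKCS#12 container is protected with legacy RC2/3DES password-based encryption, but the file does not say so. A comment such as `# des and rc2 are required only to decrypt the legacy-encrypted PKCS#12 test container` would record the reason and make clear the list is not a template for production configs. The sun hunk is identical.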
diff --git a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
index 92e758d..4494dae 100644
--- a/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pkcs12/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes des sha1 sha2 rc2 pem pkcs1 pkcs7 pkcs8 pkcs12 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
index 5d04d3e..3cf8c88 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac xcbc curl stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac curl stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
index 5d04d3e..3cf8c88 100644
--- a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac xcbc curl stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac curl stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
index 5db4358..1188d68 100644
--- a/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
index 5db4358..1188d68 100644
--- a/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk-fail/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
index 5db4358..1188d68 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
index 5db4358..1188d68 100644
--- a/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-psk/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
index 3cd9004..4cc2e21 100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown
+  load = random nonce aes sha1 sha2 hmac curve25519 gmp pem pkcs1 pubkey curl kernel-netlink socket-default stroke updown
 }
diff --git a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf
index 3cd9004..4cc2e21 100644
--- a/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-pubkey/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown
+  load = random nonce aes sha1 sha2 hmac curve25519 gmp pem pkcs1 pubkey curl kernel-netlink socket-default stroke updown
 }
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
index f1b3fb7..18ed6a4 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
index f1b3fb7..18ed6a4 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf
index e1efec8..045e3a0 100644
--- a/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown
+  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey curl kernel-netlink socket-default stroke updown
 }
diff --git a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
index e1efec8..045e3a0 100644
--- a/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rsa/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey random nonce curl kernel-netlink socket-default stroke updown
+  load = random nonce aes sha1 sha2 hmac curve25519 gmp dnskey pem pkcs1 pubkey curl kernel-netlink socket-default stroke updown
 }
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
index ddba8b1..8d89cd0 100644
--- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
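Review bot: carol keeps `md5` in the new `load` line while the moon hunk for the same scenario drops it, and nothing in the file says why. The same asymmetry appears in the carol hunks of ocsp-no-signer-cert, ocsp-revoked, ocsp-root-cert, ocsp-signer-cert and ocsp-strict-ifuri, but not in ocsp-multi-level, where carol loses `md5` as well. Presumably the digest is still needed only to derive the decryption key for a passphrase-protected PEM private key on that host; that file is not part of this diff, so this should be confirmed. If so, state it next to the setting, e.g. `# md5 is loaded only to decrypt the passphrase-protected PEM key`, since a loaded hash plugin is otherwise also available to the rest of the daemon and the entry is easy to copy into other configurations.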
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
index a1c57b0..d1e85db 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
@@ -1,95 +1,26 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 39 (0x27)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=CH, O=Linux strongSwan, CN=strongSwan Root CA
-        Validity
-            Not Before: Mar 15 06:42:00 2012 GMT
-            Not After : Mar 14 06:42:00 2017 GMT
-        Subject: C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:b0:33:dd:ed:c0:d6:9d:01:de:eb:08:c4:f9:6a:
-                    e9:46:10:f6:a4:cd:7d:aa:79:4b:c2:33:1f:61:40:
-                    40:de:06:9f:b8:2a:b0:84:cd:a7:79:c8:ee:a7:24:
-                    69:08:04:89:f8:7b:62:7e:03:9e:0a:d9:df:ff:7c:
-                    20:3c:a7:b1:86:7f:cc:e6:ad:0c:7e:6f:c4:9b:31:
-                    55:57:92:df:7b:94:86:f1:27:3a:0e:fa:0b:92:58:
-                    ad:64:8a:40:46:5d:87:ca:11:20:03:ad:86:68:a5:
-                    0c:8a:19:ce:36:d0:55:bf:1f:00:47:c9:1a:af:c5:
-                    ad:14:3c:d7:0c:9e:28:d9:61:1b:a2:a8:b7:f1:56:
-                    a7:d9:3b:fa:09:08:2c:9b:75:e3:30:64:5e:93:80:
-                    48:94:35:0d:97:ca:ac:57:66:02:86:b6:1b:6b:f1:
-                    4a:86:30:74:48:38:46:1a:7d:07:61:30:15:33:b0:
-                    9d:50:fc:4d:8c:16:1e:30:13:9f:07:04:7a:3b:92:
-                    54:33:c7:3a:0b:67:e2:ba:46:b0:b3:0d:79:7f:e4:
-                    ed:81:bd:34:cb:e5:30:f3:af:d4:dd:52:3e:f5:13:
-                    0e:c0:79:f8:43:c7:f5:b9:b0:12:6a:46:38:db:61:
-                    44:c8:4a:68:7b:77:34:68:63:ef:88:16:be:ae:89:
-                    ff:89
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Key Encipherment, Key Agreement
-            X509v3 Subject Key Identifier: 
-                C5:E8:58:D7:63:B0:B8:D4:2E:22:04:E1:CB:35:34:95:DA:74:F0:E6
-            X509v3 Authority Key Identifier: 
-                keyid:5D:A7:DD:70:06:51:32:7E:E7:B6:6D:B3:B5:E5:E0:60:EA:2E:4D:EF
-                DirName:/C=CH/O=Linux strongSwan/CN=strongSwan Root CA
-                serial:00
-
-            X509v3 Subject Alternative Name: 
-                email:carol at strongswan.org
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.strongswan.org:8880
-
-            X509v3 CRL Distribution Points: 
-                URI:http://crl.strongswan.org/strongswan.crl
-
-    Signature Algorithm: sha256WithRSAEncryption
-        b6:2d:d8:bb:40:e9:cf:a9:33:31:6c:91:c7:40:79:8c:5f:89:
-        8e:26:d8:ef:91:67:da:71:75:f9:27:84:21:c3:6c:d1:a5:fb:
-        50:de:b2:02:ad:3c:a4:6b:40:58:30:41:c7:bd:31:ca:df:77:
-        00:c9:ac:5b:10:e3:66:71:6c:be:4a:49:7e:58:92:de:f4:16:
-        51:12:00:2c:33:e2:2c:b5:e5:d4:6e:36:a2:50:ba:86:e3:c6:
-        bb:50:a2:e5:11:69:c4:86:91:fc:4d:65:7e:09:49:bd:d2:ae:
-        cd:70:f8:98:5d:a8:b6:cf:38:c3:19:49:fd:8b:72:3b:1a:cc:
-        fc:19:c9:c1:36:b2:39:ba:ed:9a:cd:db:2d:27:15:b0:ba:8a:
-        64:4a:5c:8f:ff:db:78:7d:cd:78:c3:c6:13:ba:93:7b:b7:57:
-        da:a3:f2:16:9f:f7:24:95:57:df:f4:4f:c5:9f:d6:12:b1:69:
-        39:a7:5a:88:9c:74:be:f7:b0:f3:b4:89:82:46:57:de:7d:a1:
-        42:a2:c2:de:1c:37:19:66:60:2a:df:ed:25:e3:72:d3:f9:9b:
-        84:05:b6:97:6a:63:63:5c:30:5d:01:7a:15:c4:6e:2c:a0:21:
-        d2:31:30:98:60:94:26:44:9a:08:b4:85:8d:52:00:98:ef:cb:
-        07:4f:b7:8e
 -----BEGIN CERTIFICATE-----
-MIIEWzCCA0OgAwIBAgIBJzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEWzCCA0OgAwIBAgIBODANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTEyMDMxNTA2NDIwMFoXDTE3MDMxNDA2NDIwMFowVjELMAkGA1UE
+b290IENBMB4XDTE3MDMyMDIwNTI0NFoXDTE5MDkwNjIwNTI0NFowVjELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDTALBgNVBAsTBE9DU1Ax
 HTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAsDPd7cDWnQHe6wjE+WrpRhD2pM19qnlLwjMfYUBA3gaf
-uCqwhM2necjupyRpCASJ+HtifgOeCtnf/3wgPKexhn/M5q0Mfm/EmzFVV5Lfe5SG
-8Sc6DvoLklitZIpARl2HyhEgA62GaKUMihnONtBVvx8AR8kar8WtFDzXDJ4o2WEb
-oqi38Van2Tv6CQgsm3XjMGRek4BIlDUNl8qsV2YChrYba/FKhjB0SDhGGn0HYTAV
-M7CdUPxNjBYeMBOfBwR6O5JUM8c6C2fiukawsw15f+Ttgb00y+Uw86/U3VI+9RMO
-wHn4Q8f1ubASakY422FEyEpoe3c0aGPviBa+ron/iQIDAQABo4IBQzCCAT8wCQYD
-VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFMXoWNdjsLjULiIE4cs1NJXa
-dPDmMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD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 VQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ry
 b25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4u
 b3JnMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3Auc3Ry
 b25nc3dhbi5vcmc6ODg4MDA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0
-cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC2
-Ldi7QOnPqTMxbJHHQHmMX4mOJtjvkWfacXX5J4Qhw2zRpftQ3rICrTyka0BYMEHH
-vTHK33cAyaxbEONmcWy+Skl+WJLe9BZREgAsM+IsteXUbjaiULqG48a7UKLlEWnE
-hpH8TWV+CUm90q7NcPiYXai2zzjDGUn9i3I7Gsz8GcnBNrI5uu2azdstJxWwuopk
-SlyP/9t4fc14w8YTupN7t1fao/IWn/cklVff9E/Fn9YSsWk5p1qInHS+97DztImC
-RlfefaFCosLeHDcZZmAq3+0l43LT+ZuEBbaXamNjXDBdAXoVxG4soCHSMTCYYJQm
-RJoItIWNUgCY78sHT7eO
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCo
+tFCDUTmBfPjeaDQVCv7uBausS0sZCw+Pw7zypqo3vyRm0R2Ds2eymfVI4/Zc1NwW
+hYCy9D1f1r2gukI2jDWHdDwNMQPptyx0Kxr98SIlm9ms8jGT7GZ5l0SdkGe5GDMO
+vq7FscqQZX/KkdFk3ye/ONffFS/ukjVRHu8971BNODcRbG0OBhEI2TQsIyxf/iir
+taI23m8b9dclikqZx3FqoxfTHSN5T5KHntpH7KVIS00hrlavxkLLMn5oePRnkBWu
+feSmpfbOBbnEpElLtJM5K8AjArGOx8nxrtw/KNjMiOsyfCim1r0ff1tnZGtHhHCq
+ZCZKA5DsRXZVWasv1CIz
 -----END CERTIFICATE-----
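Review bot: The regenerated certificate is committed as bare base64 with the former human-readable dump removed, so its validity and extensions can no longer be read from the file itself. Decoding the visible `+` lines gives a validity of 20 March 2017 to 6 September 2019, about two and a half years against the five years of the certificate it replaces, so the OCSP scenarios that use it will start failing on expiry again. Consider keeping a short text header above `-----BEGIN CERTIFICATE-----` with at least the subject, serial and Not After date, and recording that date wherever the test PKI renewals are tracked. The ocsp-timeouts-good copy of carolCert-ocsp.pem receives the identical change; parts of this hunk's new side are missing from the page, so the new public key and signature were not reviewed.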
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
index d6a762b..2d7938a 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAsDPd7cDWnQHe6wjE+WrpRhD2pM19qnlLwjMfYUBA3gafuCqw
-hM2necjupyRpCASJ+HtifgOeCtnf/3wgPKexhn/M5q0Mfm/EmzFVV5Lfe5SG8Sc6
-DvoLklitZIpARl2HyhEgA62GaKUMihnONtBVvx8AR8kar8WtFDzXDJ4o2WEboqi3
-8Van2Tv6CQgsm3XjMGRek4BIlDUNl8qsV2YChrYba/FKhjB0SDhGGn0HYTAVM7Cd
-UPxNjBYeMBOfBwR6O5JUM8c6C2fiukawsw15f+Ttgb00y+Uw86/U3VI+9RMOwHn4
-Q8f1ubASakY422FEyEpoe3c0aGPviBa+ron/iQIDAQABAoIBAEEGwy5M7mb/G79t
-exP5CqHa/MsRMwFIxlai+z+usMG/fA5BYud/5gCh0MFKRKC63BghoNWUjCzA/1OQ
-AW2hDXjvjTTMREIdCVekuzQYdfVreOliaqDAUqjtpP/nrZTKS6Sc8U2qKmJQFvKY
-V2wPMrXXwQi9BOY9c4R2d36ml7iw6veYhPj0XHy3spJc3V6k7YmbApOQgWDqRwid
-GGnnvDpdD0gAGAOxadCCpV+N9NK+AMSk03Qpcc2ki4THEn2e8Rs1/dH1k5nics/E
-cG9VT9pZtvGXjEX7Wo06v0lXsTRWGWLKhHvzfhIb6uWnC/YUR+7Cv8JYRz+RZn98
-bv5lXokCgYEA1iRf3gH8qwvxQjLtaNKRyr8Bheo3tsOLh2tYriWaUTXqeKAd46zI
-KcWAKtYWJQenVyFvnsMwKNFvFq/HgJGhKTOvZRwsrTb2wXgxcAleOBO+Ts4Vhb9J
-xil8/WcWCKU+GPf8hQOkwVnhv4CxLscCXT2g9zxTpP/JCKmHaucQog8CgYEA0qUC
-NBRMh55bjiHaqsSRvr45iwxzNzd8KK5A/xKyScEl+A4HWdqDpZ+8w9YC4GUQClvH
-cHn5NpWfq9hrNAXPjBzVGXk+JqFcJM/yPImH+Vg8MupJprwVSHJ1mqQ/MPSpxxhy
-iNaWeJX6bhPAgQSOAYbH22uNOGePmMQ8kk3v/OcCgYA7ZzPA3kQ9Hr76Yi5Bmcgf
-ugSuJV73MB+QnVKoXH4GcTJt69zev5t3GvaG64SRGSJupTPVksfVSuPKI1DwdXWD
-fHb3UW2DT2/8E1+DeNXOMIvmSHzn8TyB4BhwIxyVoWEsg/5k17HogQqCmSyNkV8y
-hloUu4NojhwybvTFzvtqOQKBgDL0IVVRt7Vyk/kMrWVziUHXp/m/uDsaG9mHVUee
-USxQIYwgcJzGo+OzgSjqIuX+7GNlEhheGO+gP/CEuGHsKeldrBquXl9f1vc8qf8E
-0bR6KI20aL6BbrCIp3QR2QtRk6QKgOIi7mEa/moUMxPCc0thPAUSviVvv6eXiINn
-gO7vAoGAcvwVy9gDcGTL+4mMjZ07jc/TmQPmOpqosXuDTQZITuovpzY0Nf9KPNJs
-0dTuCaO+N5ZjttxIm6L9h/Ah0BN2Ir+JbplJ5uScWldz0MFJXm1wz7KJCRZQpVIO
-6SJCLSmh4nZ0TIL8V0ABhaFVQK0qq2z/ASljIF6iC68DBEDfuzY=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 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
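Review bot: `md5` stays in carol's `load` line in this scenario too, although the carolKey-ocsp.pem hunk above shows the key body starting directly after `-----BEGIN RSA PRIVATE KEY-----` and the hunk header keeps the file at 27 lines, which suggests a key stored without passphrase protection. If that is the key carol loads here, the digest has no obvious remaining use and the line could match moon's: `load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default`. Which key the scenario's secrets file references is not visible in this diff, so confirm that before dropping the plugin.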
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
index a1c57b0..d1e85db 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/certs/carolCert-ocsp.pem
@@ -1,95 +1,26 @@
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 39 (0x27)
-        Signature Algorithm: sha256WithRSAEncryption
-        Issuer: C=CH, O=Linux strongSwan, CN=strongSwan Root CA
-        Validity
-            Not Before: Mar 15 06:42:00 2012 GMT
-            Not After : Mar 14 06:42:00 2017 GMT
-        Subject: C=CH, O=Linux strongSwan, OU=OCSP, CN=carol at strongswan.org
-        Subject Public Key Info:
-            Public Key Algorithm: rsaEncryption
-            RSA Public Key: (2048 bit)
-                Modulus (2048 bit):
-                    00:b0:33:dd:ed:c0:d6:9d:01:de:eb:08:c4:f9:6a:
-                    e9:46:10:f6:a4:cd:7d:aa:79:4b:c2:33:1f:61:40:
-                    40:de:06:9f:b8:2a:b0:84:cd:a7:79:c8:ee:a7:24:
-                    69:08:04:89:f8:7b:62:7e:03:9e:0a:d9:df:ff:7c:
-                    20:3c:a7:b1:86:7f:cc:e6:ad:0c:7e:6f:c4:9b:31:
-                    55:57:92:df:7b:94:86:f1:27:3a:0e:fa:0b:92:58:
-                    ad:64:8a:40:46:5d:87:ca:11:20:03:ad:86:68:a5:
-                    0c:8a:19:ce:36:d0:55:bf:1f:00:47:c9:1a:af:c5:
-                    ad:14:3c:d7:0c:9e:28:d9:61:1b:a2:a8:b7:f1:56:
-                    a7:d9:3b:fa:09:08:2c:9b:75:e3:30:64:5e:93:80:
-                    48:94:35:0d:97:ca:ac:57:66:02:86:b6:1b:6b:f1:
-                    4a:86:30:74:48:38:46:1a:7d:07:61:30:15:33:b0:
-                    9d:50:fc:4d:8c:16:1e:30:13:9f:07:04:7a:3b:92:
-                    54:33:c7:3a:0b:67:e2:ba:46:b0:b3:0d:79:7f:e4:
-                    ed:81:bd:34:cb:e5:30:f3:af:d4:dd:52:3e:f5:13:
-                    0e:c0:79:f8:43:c7:f5:b9:b0:12:6a:46:38:db:61:
-                    44:c8:4a:68:7b:77:34:68:63:ef:88:16:be:ae:89:
-                    ff:89
-                Exponent: 65537 (0x10001)
-        X509v3 extensions:
-            X509v3 Basic Constraints: 
-                CA:FALSE
-            X509v3 Key Usage: 
-                Digital Signature, Key Encipherment, Key Agreement
-            X509v3 Subject Key Identifier: 
-                C5:E8:58:D7:63:B0:B8:D4:2E:22:04:E1:CB:35:34:95:DA:74:F0:E6
-            X509v3 Authority Key Identifier: 
-                keyid:5D:A7:DD:70:06:51:32:7E:E7:B6:6D:B3:B5:E5:E0:60:EA:2E:4D:EF
-                DirName:/C=CH/O=Linux strongSwan/CN=strongSwan Root CA
-                serial:00
-
-            X509v3 Subject Alternative Name: 
-                email:carol at strongswan.org
-            Authority Information Access: 
-                OCSP - URI:http://ocsp.strongswan.org:8880
-
-            X509v3 CRL Distribution Points: 
-                URI:http://crl.strongswan.org/strongswan.crl
-
-    Signature Algorithm: sha256WithRSAEncryption
-        b6:2d:d8:bb:40:e9:cf:a9:33:31:6c:91:c7:40:79:8c:5f:89:
-        8e:26:d8:ef:91:67:da:71:75:f9:27:84:21:c3:6c:d1:a5:fb:
-        50:de:b2:02:ad:3c:a4:6b:40:58:30:41:c7:bd:31:ca:df:77:
-        00:c9:ac:5b:10:e3:66:71:6c:be:4a:49:7e:58:92:de:f4:16:
-        51:12:00:2c:33:e2:2c:b5:e5:d4:6e:36:a2:50:ba:86:e3:c6:
-        bb:50:a2:e5:11:69:c4:86:91:fc:4d:65:7e:09:49:bd:d2:ae:
-        cd:70:f8:98:5d:a8:b6:cf:38:c3:19:49:fd:8b:72:3b:1a:cc:
-        fc:19:c9:c1:36:b2:39:ba:ed:9a:cd:db:2d:27:15:b0:ba:8a:
-        64:4a:5c:8f:ff:db:78:7d:cd:78:c3:c6:13:ba:93:7b:b7:57:
-        da:a3:f2:16:9f:f7:24:95:57:df:f4:4f:c5:9f:d6:12:b1:69:
-        39:a7:5a:88:9c:74:be:f7:b0:f3:b4:89:82:46:57:de:7d:a1:
-        42:a2:c2:de:1c:37:19:66:60:2a:df:ed:25:e3:72:d3:f9:9b:
-        84:05:b6:97:6a:63:63:5c:30:5d:01:7a:15:c4:6e:2c:a0:21:
-        d2:31:30:98:60:94:26:44:9a:08:b4:85:8d:52:00:98:ef:cb:
-        07:4f:b7:8e
 -----BEGIN CERTIFICATE-----
-MIIEWzCCA0OgAwIBAgIBJzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MIIEWzCCA0OgAwIBAgIBODANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
 MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTEyMDMxNTA2NDIwMFoXDTE3MDMxNDA2NDIwMFowVjELMAkGA1UE
+b290IENBMB4XDTE3MDMyMDIwNTI0NFoXDTE5MDkwNjIwNTI0NFowVjELMAkGA1UE
 BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDTALBgNVBAsTBE9DU1Ax
 HTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEF
-AAOCAQ8AMIIBCgKCAQEAsDPd7cDWnQHe6wjE+WrpRhD2pM19qnlLwjMfYUBA3gaf
-uCqwhM2necjupyRpCASJ+HtifgOeCtnf/3wgPKexhn/M5q0Mfm/EmzFVV5Lfe5SG
-8Sc6DvoLklitZIpARl2HyhEgA62GaKUMihnONtBVvx8AR8kar8WtFDzXDJ4o2WEb
-oqi38Van2Tv6CQgsm3XjMGRek4BIlDUNl8qsV2YChrYba/FKhjB0SDhGGn0HYTAV
-M7CdUPxNjBYeMBOfBwR6O5JUM8c6C2fiukawsw15f+Ttgb00y+Uw86/U3VI+9RMO
-wHn4Q8f1ubASakY422FEyEpoe3c0aGPviBa+ron/iQIDAQABo4IBQzCCAT8wCQYD
-VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFMXoWNdjsLjULiIE4cs1NJXa
-dPDmMG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD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 VQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ry
 b25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4u
 b3JnMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3Auc3Ry
 b25nc3dhbi5vcmc6ODg4MDA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0
-cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQC2
-Ldi7QOnPqTMxbJHHQHmMX4mOJtjvkWfacXX5J4Qhw2zRpftQ3rICrTyka0BYMEHH
-vTHK33cAyaxbEONmcWy+Skl+WJLe9BZREgAsM+IsteXUbjaiULqG48a7UKLlEWnE
-hpH8TWV+CUm90q7NcPiYXai2zzjDGUn9i3I7Gsz8GcnBNrI5uu2azdstJxWwuopk
-SlyP/9t4fc14w8YTupN7t1fao/IWn/cklVff9E/Fn9YSsWk5p1qInHS+97DztImC
-RlfefaFCosLeHDcZZmAq3+0l43LT+ZuEBbaXamNjXDBdAXoVxG4soCHSMTCYYJQm
-RJoItIWNUgCY78sHT7eO
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCo
+tFCDUTmBfPjeaDQVCv7uBausS0sZCw+Pw7zypqo3vyRm0R2Ds2eymfVI4/Zc1NwW
+hYCy9D1f1r2gukI2jDWHdDwNMQPptyx0Kxr98SIlm9ms8jGT7GZ5l0SdkGe5GDMO
+vq7FscqQZX/KkdFk3ye/ONffFS/ukjVRHu8971BNODcRbG0OBhEI2TQsIyxf/iir
+taI23m8b9dclikqZx3FqoxfTHSN5T5KHntpH7KVIS00hrlavxkLLMn5oePRnkBWu
+feSmpfbOBbnEpElLtJM5K8AjArGOx8nxrtw/KNjMiOsyfCim1r0ff1tnZGtHhHCq
+ZCZKA5DsRXZVWasv1CIz
 -----END CERTIFICATE-----
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
index d6a762b..2d7938a 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/ipsec.d/private/carolKey-ocsp.pem
@@ -1,27 +1,27 @@
 -----BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAsDPd7cDWnQHe6wjE+WrpRhD2pM19qnlLwjMfYUBA3gafuCqw
-hM2necjupyRpCASJ+HtifgOeCtnf/3wgPKexhn/M5q0Mfm/EmzFVV5Lfe5SG8Sc6
-DvoLklitZIpARl2HyhEgA62GaKUMihnONtBVvx8AR8kar8WtFDzXDJ4o2WEboqi3
-8Van2Tv6CQgsm3XjMGRek4BIlDUNl8qsV2YChrYba/FKhjB0SDhGGn0HYTAVM7Cd
-UPxNjBYeMBOfBwR6O5JUM8c6C2fiukawsw15f+Ttgb00y+Uw86/U3VI+9RMOwHn4
-Q8f1ubASakY422FEyEpoe3c0aGPviBa+ron/iQIDAQABAoIBAEEGwy5M7mb/G79t
-exP5CqHa/MsRMwFIxlai+z+usMG/fA5BYud/5gCh0MFKRKC63BghoNWUjCzA/1OQ
-AW2hDXjvjTTMREIdCVekuzQYdfVreOliaqDAUqjtpP/nrZTKS6Sc8U2qKmJQFvKY
-V2wPMrXXwQi9BOY9c4R2d36ml7iw6veYhPj0XHy3spJc3V6k7YmbApOQgWDqRwid
-GGnnvDpdD0gAGAOxadCCpV+N9NK+AMSk03Qpcc2ki4THEn2e8Rs1/dH1k5nics/E
-cG9VT9pZtvGXjEX7Wo06v0lXsTRWGWLKhHvzfhIb6uWnC/YUR+7Cv8JYRz+RZn98
-bv5lXokCgYEA1iRf3gH8qwvxQjLtaNKRyr8Bheo3tsOLh2tYriWaUTXqeKAd46zI
-KcWAKtYWJQenVyFvnsMwKNFvFq/HgJGhKTOvZRwsrTb2wXgxcAleOBO+Ts4Vhb9J
-xil8/WcWCKU+GPf8hQOkwVnhv4CxLscCXT2g9zxTpP/JCKmHaucQog8CgYEA0qUC
-NBRMh55bjiHaqsSRvr45iwxzNzd8KK5A/xKyScEl+A4HWdqDpZ+8w9YC4GUQClvH
-cHn5NpWfq9hrNAXPjBzVGXk+JqFcJM/yPImH+Vg8MupJprwVSHJ1mqQ/MPSpxxhy
-iNaWeJX6bhPAgQSOAYbH22uNOGePmMQ8kk3v/OcCgYA7ZzPA3kQ9Hr76Yi5Bmcgf
-ugSuJV73MB+QnVKoXH4GcTJt69zev5t3GvaG64SRGSJupTPVksfVSuPKI1DwdXWD
-fHb3UW2DT2/8E1+DeNXOMIvmSHzn8TyB4BhwIxyVoWEsg/5k17HogQqCmSyNkV8y
-hloUu4NojhwybvTFzvtqOQKBgDL0IVVRt7Vyk/kMrWVziUHXp/m/uDsaG9mHVUee
-USxQIYwgcJzGo+OzgSjqIuX+7GNlEhheGO+gP/CEuGHsKeldrBquXl9f1vc8qf8E
-0bR6KI20aL6BbrCIp3QR2QtRk6QKgOIi7mEa/moUMxPCc0thPAUSviVvv6eXiINn
-gO7vAoGAcvwVy9gDcGTL+4mMjZ07jc/TmQPmOpqosXuDTQZITuovpzY0Nf9KPNJs
-0dTuCaO+N5ZjttxIm6L9h/Ah0BN2Ir+JbplJ5uScWldz0MFJXm1wz7KJCRZQpVIO
-6SJCLSmh4nZ0TIL8V0ABhaFVQK0qq2z/ASljIF6iC68DBEDfuzY=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 -----END RSA PRIVATE KEY-----
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
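Review bot: The new `load` line for carol keeps `md5` while the matching moon config for this test drops it, and nothing in the file says what still depends on the hash. The carolKey-ocsp.pem fixture of this test is a plain `-----BEGIN RSA PRIVATE KEY-----` block with 27 lines on both sides of its hunk, so MD5-based decryption of an encrypted PEM key does not look like the reason here. If ipsec.secrets and the other fixtures (not visible in this hunk) do not need it either, the line can match moon: `load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default`. If it is needed, a one-line comment above `load` naming the consumer would keep the weak hash from being copied into new scenarios. The same carol/moon split appears in the ocsp-timeouts-unknown, ocsp-untrusted-cert, protoport-*, reauth-* and redirect-active hunks below.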
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
index 7014c36..48e8fc6 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
index f89437e..1f0c2fa 100644
--- a/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   make_before_break = yes
 }
diff --git a/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-mbb-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
index f89437e..1f0c2fa 100644
--- a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   make_before_break = yes
 }
diff --git a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-mbb-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
index f89437e..1f0c2fa 100644
--- a/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-mbb/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   make_before_break = yes
 }
diff --git a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-mbb/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf
index 6f7f4c4..db3b535 100644
--- a/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/redirect-active/hosts/alice/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown vici
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown vici
 }
 
diff --git a/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf
index e58af9e..af5fa19 100644
--- a/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/redirect-active/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf
index ecbad66..16a0a8c 100644
--- a/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/redirect-active/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf
index 7c415b1..16a0a8c 100644
--- a/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/redirect-active/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
 
diff --git a/testing/tests/ikev2/rw-cert/evaltest.dat b/testing/tests/ikev2/rw-cert/evaltest.dat
index be78c51..849d59a 100644
--- a/testing/tests/ikev2/rw-cert/evaltest.dat
+++ b/testing/tests/ikev2/rw-cert/evaltest.dat
@@ -12,4 +12,3 @@ moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index 6a6d398..520eb71 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 6a6d398..520eb71 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index 6a6d398..520eb71 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des sha1 sha2 sha3 md5 chapoly mgf1 curve25519 ntru newhope pem pkcs1 pkcs8 gmp x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
index 825af9d..29fa361 100644
--- a/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-dnssec/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve
 
   plugins {
     ipseckey {
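Review bot: The new `load` line for carol lists the hashes as `aes md5 sha1 sha2`, whereas the other configs in this commit that keep MD5 use `aes sha1 sha2 md5`, and dave and moon in this same test load no `md5` at all. Keeping one order makes the per-host lines comparable at a glance: `load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve`. If carol alone needs MD5 in this scenario, a short comment above `load` saying why would help; the `plugins` block continues outside the hunk, so the reason cannot be read from here.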
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
index 825af9d..0d3c7b7 100644
--- a/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-dnssec/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac stroke kernel-netlink socket-default updown resolve
 
   plugins {
     ipseckey {
diff --git a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
index 644ac3d..fa853d4 100644
--- a/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-dnssec/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 dnskey pubkey unbound ipseckey gmp random nonce hmac stroke kernel-netlink socket-default updown attr
+  load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey curve25519 gmp hmac stroke kernel-netlink socket-default updown attr
 
   dns1 = PH_IP_WINNETOU
   dns2 = PH_IP_VENUS
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
index 32446b8..364b8c0 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
index 32446b8..364b8c0 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index b3d3510..a919d68 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
 
   integrity_test = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index b3d3510..a919d68 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
 
   integrity_test = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
index c54efe5..f399dfb 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
index decdc7e..43e0ef3 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-tls updown
 }
diff --git a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
index 75c8ad3..407683a 100644
--- a/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-dynamic/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-md5 eap-tls eap-dynamic updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-tls eap-dynamic updown
 
   plugins {
     eap-dynamic {
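Review bot: The new `load` line on moon drops `eap-mschapv2` as well as `fips-prf` and `xcbc`, so this hunk removes an EAP method from the server and is not only a reorder. The `eap-dynamic` block that follows continues outside the hunk, so confirm that its method preferences no longer name mschapv2, since a listed method whose plugin is not loaded cannot be offered. A comment above `load`, for example `# only eap-md5 and eap-tls are offered in this scenario`, would record that the removal is intentional.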
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
index 2a5c62c..0250ce3 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
index 2a5c62c..0250ce3 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
index 6cdad0a..1479e30 100644
--- a/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-framed-ip-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
+
   plugins {
     eap-radius {
       class_group = yes
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
index 2a5c62c..0250ce3 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
index 2a5c62c..0250ce3 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
index 6cdad0a..1479e30 100644
--- a/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-class-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
+
   plugins {
     eap-radius {
       class_group = yes
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
index 2a5c62c..0250ce3 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
index 2a5c62c..0250ce3 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-prompt/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
index 2a5c62c..0250ce3 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
index 710c38b..3a8d5c2 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
+
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
index c54efe5..f399dfb 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
index 6de89b8..6d37fbb 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
index c54efe5..f399dfb 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
index c54efe5..f399dfb 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
index e48153b..51eaacb 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+  load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
 }
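Review bot: `fips-prf` is still in the new `load` line of this rw-eap-mschapv2-id-rsa hunk, although the same patch removes it from the eap-md5 and eap-radius lists and otherwise keeps it only where eap-sim is loaded. The rw-eap-peap-mschapv2 lists in this patch load `eap-mschapv2` without `fips-prf`, so it looks like a leftover here rather than a dependency. If nothing in this scenario's connection settings needs it, the line would read `load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-mschapv2 eap-identity updown`. The moon hunk for the same scenario carries the identical line and would get the same change.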
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
index e48153b..51eaacb 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+  load = random nonce aes des sha1 sha2 md4 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
index ccf3f2c..c8c3f85 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
index ccf3f2c..c8c3f85 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
index 5f9465d..48dcd30 100644
--- a/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-md5/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
+
   plugins {
     eap-peap {
       phase2_method = md5
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
index f97b28f..96b9ad0 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
index f97b28f..96b9ad0 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
index f2a9c37..e8f76d4 100644
--- a/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-mschapv2/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md4 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
+  load = random nonce aes des sha1 sha2 md4 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-mschapv2 eap-peap updown
   multiple_authentication=no
   plugins {
     eap-peap {
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
index d2989a8..c8c3f85 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
index d2989a8..c8c3f85 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-peap updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
index 3629454..9681551 100644
--- a/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-peap-radius/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
+
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
index 414eeba..51614f7 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
index 710c38b..3a8d5c2 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
+
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
index 1ea5962..195893a 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
index 1ea5962..195893a 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
index 6de89b8..6725cf8 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+  load = random nonce aes sha1 sha2 md5 curve25519 hmac stroke kernel-netlink socket-default eap-radius updown
+
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
index 960352c..9614686 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/pretest.dat
@@ -1,3 +1,6 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
 moon::iptables-restore < /etc/iptables.rules
 carol::iptables-restore < /etc/iptables.rules
 dave::iptables-restore < /etc/iptables.rules
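Review bot: The three added `rm /etc/ipsec.d/cacerts/*` lines delete the CA certificates on moon, carol and dave without saying why or where they are put back. The strongswan.conf hunks for this scenario drop `pem`, `pkcs1` and `x509` from the load lists, so the likely reason is that the daemons can no longer parse those files; that reason belongs in the scenario description so the deletion is not mistaken for an accident. Plain `rm` also returns an error when the glob matches nothing, so `moon::rm -f /etc/ipsec.d/cacerts/*` (and the same for carol and dave) would be safer if the pretest can run against an already cleaned host. Whether a posttest step or the framework restores the certificates for later scenarios cannot be seen from this hunk and should be confirmed.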
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
index 1ea5962..e78434f 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
index 1ea5962..e78434f 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
index 6de89b8..6d37fbb 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
index a2c3b71..e652c52 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 
   integrity_test = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
index 1716f91..0015835 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 
   integrity_test = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
index 2fc9f94..6b0ab0d 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl hmac gcm stroke kernel-netlink socket-default eap-tls updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl hmac gcm stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 
   plugins {
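Review bot: The new `load` line in this rw-eap-tls-fragments hunk keeps `curl` but, as before the change, leaves out `revocation`, whereas the rw-eap-tls-only and rw-eap-tls-radius lists in this patch load both. Without the revocation plugin no CRL or OCSP status is checked for the certificates used in the EAP-TLS exchange, and `curl` appears to have nothing to fetch. If that is deliberate for the fragmentation test, a comment such as `# revocation not loaded: certificate status is not checked in this scenario` above the `load` line would make it explicit; otherwise add `revocation` after `curl`. The moon hunk of the same scenario has the identical line, and the `charon` block continues past the end of the hunk.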
diff --git a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
index 2fc9f94..6b0ab0d 100644
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl hmac gcm stroke kernel-netlink socket-default eap-tls updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl hmac gcm stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 
   plugins {
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
index 1510176..2261fc3 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
 
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
index 35b6f39..8865bd5 100644
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
 
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
index 50f0389..84d5714 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,10 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-tls updown
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-tls updown
   multiple_authentication=no
 }
+
 libtls {
   suites = TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 }
diff --git a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
index fbf1617..783b4c8 100644
--- a/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-radius/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
+
   plugins {
     eap-radius {
       secret = gv6URkSs 
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
index e1a0cee..9510026 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
index e1a0cee..9510026 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
index 3f7b266..242329b 100644
--- a/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-only/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
+
   plugins {
     eap-ttls {
       phase2_method = md5
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
index d148c4e..9510026 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
index d148c4e..9510026 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
index 2d85e8c..20afebf 100644
--- a/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-phase2-piggyback/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
+
   plugins {
     eap-ttls {
       phase2_method = md5
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
index e1a0cee..1d380c4 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
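Review bot: The new `load` line orders the hash plugins as `aes md5 sha1 sha2`, while the moon hunk of this same scenario and the rw-eap-ttls-only and rw-eap-ttls-phase2-piggyback hunks write `aes sha1 sha2 md5`. The position of `md5` among the hashers presumably has no functional effect, but the commit is otherwise normalising these lists, and a single order makes them easier to diff and grep. Suggested: `load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac ...`. The same `aes md5 sha1 sha2` order appears in the dave hunk of this scenario and in the rw-initiator-only/carol and rw-radius-accounting hunks.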
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
index e1a0cee..1d380c4 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls updown
   multiple_authentication=no
 }
diff --git a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
index fbf1617..9681551 100644
--- a/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-ttls-radius/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown
   multiple_authentication=no
+
   plugins {
     eap-radius {
       secret = gv6URkSs 
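Review bot: The `eap-radius` section this hunk re-spaces still carries the RADIUS shared secret as a literal (`secret = gv6URkSs `, with a trailing space), and nothing in the file marks it as a fixture value. The line is unchanged context, so this is a documentation suggestion only: add `# test-only shared secret, must match the RADIUS server's entry for this host` above it and drop the trailing space. Whether the parser trims that space cannot be seen from here. The `plugins` block continues past the end of the hunk, and the rw-radius-accounting/moon hunk shows the same literal.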
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
index 7ea4d88..9c9714a 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
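Review bot: carol's new `load` line keeps `md5` while the dave and moon hunks of this scenario drop it, and the file gives no reason for the difference. If carol needs it for something host-specific (presumably an MD5-based key derivation for a passphrase-protected PEM key, which is not visible in this hunk), a one-line comment would stop a later cleanup from removing it, e.g. `# md5: required to decrypt carol's private key` once that is confirmed. The same carol-only `md5` appears in the rw-initiator-only, rw-psk-no-idr, rw-psk-rsa-mixed, rw-psk-rsa-split, rw-sig-auth, rw-whitelist and trap-any hunks.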
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
index 7ea4d88..3a52f0d 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
index 7ea4d88..3a52f0d 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
index 73b0885..54b68df 100644
--- a/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   initiator_only = yes
 }
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
index 094e0ef..93f4345 100644
--- a/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
index 094e0ef..93f4345 100644
--- a/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-initiator-only/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
index d35cb99..680785b 100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes des md5 sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
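Review bot: `des` is removed from almost every other list in this commit but kept here and in the dave hunk, while moon's list in the same scenario omits it; the file does not say why. Presumably the PKCS#8 private keys on carol and dave are protected with a 3DES-based scheme, which cannot be confirmed from the hunk. If so, a comment above the `load` line such as `# des: needed to decrypt the encrypted PKCS#8 private key` documents why a legacy cipher plugin stays enabled on these two hosts.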
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
index d35cb99..6fab712 100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes des sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
index 665ef65..c58fdbc 100644
--- a/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random nonce x509 curl revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 pkcs8 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
index d84cba2..9555143 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
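Review bot: With `gmp` removed, `curve25519` is the only Diffie-Hellman implementation left in this `load` list, so this host can no longer negotiate an IKE proposal that names a MODP group. The scenario's ipsec.conf is not part of this hunk, so it is worth checking that its `ike=` line was moved to curve25519 in the same commit. A short comment would make the dependency explicit: `# PSK only: curve25519 is the sole DH group, proposals must not use modp`. The dave and moon hunks of rw-psk-fqdn and the three rw-psk-ipv4 hunks make the same change.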
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
index d84cba2..9555143 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
index d84cba2..9555143 100644
--- a/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index d84cba2..9555143 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index d84cba2..9555143 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index d84cba2..9555143 100644
--- a/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
index 924fd47..b91dca9 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
index 924fd47..669e299 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
index 924fd47..669e299 100644
--- a/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-no-idr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
index 2a5c62c..445b100 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default  eap-md5 eap-identity updown
 }
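Review bot: Removing `fips-prf` left two spaces between `socket-default` and `eap-md5` in the new `load` line. The list is whitespace-separated, so this is presumably harmless, but the moon hunk of the same scenario uses a single space and exact-string comparisons of the plugin lists will differ. Suggested tail of the line: `kernel-netlink socket-default eap-md5 eap-identity updown`.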
diff --git a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
index a7937ed..75418b8 100644
--- a/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-radius-accounting/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius eap-identity updown
   plugins {
     eap-radius {
       secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
index 044d73a..af5fa19 100644
--- a/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
index 044d73a..93f4345 100644
--- a/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
index 044d73a..93f4345 100644
--- a/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-sig-auth/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default fips-prf updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
index 77edd57..6145a96 100644
--- a/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-whitelist/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc whitelist stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac whitelist stroke kernel-netlink socket-default updown
   plugins {
     whitelist {
       enable = yes
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
index 0387fdf..9d07c88 100644
--- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   keep_alive = 5
 }
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
index 2127105..93f4345 100644
--- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
index 0387fdf..9d07c88 100644
--- a/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   keep_alive = 5
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
index 8e685c8..dbcd7d8 100644
--- a/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/trap-any/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
index 8e685c8..8d89cd0 100644
--- a/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/trap-any/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
index 8e685c8..8d89cd0 100644
--- a/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/trap-any/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
index 8e685c8..8d89cd0 100644
--- a/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/trap-any/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
index 7014c36..714f868 100644
--- a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes md5 sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
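Review bot: In the added `load` line `md5` sits before `sha1 sha2`, while every other list in this patch that keeps it uses `sha1 sha2 md5`. These three plugins do not appear to provide overlapping algorithms, so the order should be cosmetic, but a uniform order keeps these near-identical files easy to diff and grep. I would write `load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default`.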
diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
index 7014c36..7a64dce 100644
--- a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf
index 818f7cd..6cb3ee2 100644
--- a/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/moon/etc/strongswan.conf
@@ -2,7 +2,7 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf
index 818f7cd..6cb3ee2 100644
--- a/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev1/hosts/sun/etc/strongswan.conf
@@ -2,7 +2,7 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
index 8269071..3a52f0d 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
index 8269071..3a52f0d 100644
--- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf
index a0f8344..00380cc 100644
--- a/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1400
 }
diff --git a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf
index a0f8344..00380cc 100644
--- a/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev1/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1400
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
index a0f8344..00380cc 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1400
 }
diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
index a0f8344..00380cc 100644
--- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1400
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
index 5f29f52..02280ac 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
index 1f39ade..7a39a8a 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev1/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size=1024
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
index 8269071..3a52f0d 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
index 8269071..3a52f0d 100644
--- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
index 268b708..0be55a7 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   install_routes = no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
index a1a6e74..812d52a 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev1/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   install_routes=no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
index 268b708..0be55a7 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   install_routes = no
 }
diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
index a1a6e74..812d52a 100644
--- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
   install_routes=no
 }
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
index ec70039..4fa0583 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
index ec70039..4fa0583 100644
--- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-compress-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf
index 5f29f52..0835a16 100644
--- a/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
index 5f29f52..02280ac 100644
--- a/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf
index 5f29f52..02280ac 100644
--- a/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev1/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
index 8269071..9c9714a 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
index 8269071..3a52f0d 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
index 8269071..3a52f0d 100644
--- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf
index 8269071..9c9714a 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf
index 8269071..3a52f0d 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
index 8269071..3a52f0d 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev1/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
index 8269071..9c9714a 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
index 8269071..3a52f0d 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
index 8269071..3a52f0d 100644
--- a/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
index 699d8fd..9555143 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
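Review bot: With `gmp` removed from the new `load` line, `curve25519` is the only plugin left in the list that supplies a Diffie-Hellman group, so this scenario can only negotiate proposals that use it. The matching ipsec.conf is not part of this hunk; if any peer there still names a MODP group, the exchange would presumably fail to agree on a proposal. A comment above `load` would make the dependency explicit, e.g. `# curve25519 is the only DH provider loaded here (gmp removed)`. The dave and moon hunks for ipv6/rw-psk-ikev1 and the carol, dave and moon hunks for ipv6/rw-psk-ikev2 carry the same list.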
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
index 699d8fd..9555143 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
index 699d8fd..9555143 100644
--- a/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
index 699d8fd..9555143 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
index 699d8fd..9555143 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
index 699d8fd..9555143 100644
--- a/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-psk-ikev2/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 curve25519 hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
index ec70039..da170cb 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
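Review bot: The new `load` line keeps `md5` on carol while the dave and moon hunks of this same test drop it, and nothing in the file says why the weak hash is still needed on this one host. The same split appears in the carol hunks under p2pnat/behind-same-nat, p2pnat/medsrv-psk and pfkey/* further down. If the plugin is only there to decrypt carol's passphrase-protected private key (an inference; the key file is not visible here), a comment above the line would record that, e.g. `# md5 is loaded only for PEM key decryption on this host - confirm`. Without one, a later clean-up may drop it and break the test, or copy it to hosts that do not need it.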
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
index bb9f822..4fa0583 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random x509 curl nonce revocation addrblock hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
index ec70039..4fa0583 100644
--- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation addrblock hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf
index 5f29f52..02280ac 100644
--- a/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
index 5f29f52..02280ac 100644
--- a/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev1/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 
   fragment_size = 1024
 }
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
index 8269071..3a52f0d 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
index 8269071..3a52f0d 100644
--- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
   hash_and_url = yes
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf
index 71180e0..c8897b0 100644
--- a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -1,8 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
   multiple_authentication = no
+
   plugins {
     kernel-netlink {
       fwmark = !0x42
diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf
index 71180e0..c8897b0 100644
--- a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -1,8 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
   multiple_authentication = no
+
   plugins {
     kernel-netlink {
       fwmark = !0x42
diff --git a/testing/tests/libipsec/net2net-3des/evaltest.dat b/testing/tests/libipsec/net2net-3des/evaltest.dat
index e71456e..9365a8f 100644
--- a/testing/tests/libipsec/net2net-3des/evaltest.dat
+++ b/testing/tests/libipsec/net2net-3des/evaltest.dat
@@ -2,8 +2,8 @@ moon::ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.
 sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES
 moon::ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
 sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
-moon::ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024::YES
-sun:: ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024::YES
+moon::ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048::YES
+sun:: ipsec statusall 2> /dev/null::net-net\[1].*3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 moon::ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES
 sun:: ipsec statusall 2> /dev/null::net-net[{]1}.*3DES_CBC/HMAC_SHA1_96::YES
diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf
index f1d328f..141b4a3 100644
--- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	ike=3des-sha1-modp1024!
-	esp=3des-sha1-modp1024!
+	ike=3des-sha1-modp2048!
+	esp=3des-sha1-modp2048!
 	mobike=no
 
 conn net-net 
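Review bot: The new `ike=3des-sha1-modp2048!` and `esp=3des-sha1-modp2048!` lines raise the DH group but still pin 3DES and SHA-1 with the strict flag, and the file carries no hint that this is deliberate legacy-cipher coverage. A comment above the pair, such as `# 3DES/SHA-1 are exercised on purpose by this test; not a recommended proposal`, would keep the fixture from being reused as a template. The `conn %default` section starts above the hunk, so a comment may already exist there.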
diff --git a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf
index 19d636b..467da3a 100644
--- a/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/libipsec/net2net-3des/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+  load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf
index 3bd31c6..0108a04 100644
--- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/ipsec.conf
@@ -8,8 +8,8 @@ conn %default
 	rekeymargin=3m
         keyingtries=1
 	keyexchange=ikev2
-        ike=3des-sha1-modp1024!
-        esp=3des-sha1-modp1024!
+        ike=3des-sha1-modp2048!
+        esp=3des-sha1-modp2048!
 	mobike=no
 
 conn net-net 
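Review bot: The added `ike=` and `esp=` lines are indented with eight spaces while `rekeymargin`, `keyexchange` and `mobike` in the same section use a tab. The net2net-pkcs12/sun hunk later in this commit normalises exactly this for `keyingtries`, so the same could be done here: `	ike=3des-sha1-modp2048!`, `	esp=3des-sha1-modp2048!` and the context line `	keyingtries=1`, each with a leading tab. The openssl-ikev2/critical-extension/sun hunk leaves a space-indented `keyingtries=1` next to its new tab-indented lines in the same way.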
diff --git a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf
index 19d636b..467da3a 100644
--- a/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/libipsec/net2net-3des/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+  load = random nonce des sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
index 19d636b..fa7c0ec 100644
--- a/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/libipsec/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
index 19d636b..fa7c0ec 100644
--- a/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/libipsec/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf
index c283474..2beff1b 100644
--- a/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/libipsec/net2net-null/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 random nonce revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf
index c283474..2beff1b 100644
--- a/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/libipsec/net2net-null/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 random nonce revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
   multiple_authentication = no
 }
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
index 8acfbbf..4ab9a61 100644
--- a/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/libipsec/rw-suite-b/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 pkcs8 random nonce x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
 
   initiator_only = yes
 
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
index 8acfbbf..4ab9a61 100644
--- a/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/libipsec/rw-suite-b/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 pkcs8 random nonce x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
 
   initiator_only = yes
 
diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
index 5f39be3..d68b6e5 100644
--- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = pem pkcs1 pkcs8 random nonce x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
+  load = random nonce pem pkcs1 pkcs8 x509 revocation openssl curl stroke kernel-libipsec kernel-netlink socket-default updown
 
   plugins {
     openssl {
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
index 5891439..1527867 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/ipsec.conf
@@ -8,6 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	ike=aes128-sha256-ecp256!
+	esp=aes128gcm16!
 
 conn home
 	left=PH_IP_CAROL
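Review bot: The added `esp=aes128gcm16!` names no DH group, so with the strict flag the CHILD_SA keys are always derived from the IKE SA keying material and a rekey never performs a fresh key exchange. The libipsec/net2net-3des hunks in this commit do put a group in the ESP proposal, so the omission looks like an oversight. The same line is added in every openssl-ikev1 and openssl-ikev2 `ipsec.conf` hunk in this part of the diff. If forward secrecy on rekey is meant to be covered, use `esp=aes128gcm16-ecp256!` here and `esp=aes128gcm16-modp3072!` in the net2net-pgp-v3 and net2net-pkcs12 files. Any evaltest expectation that matches the ESP proposal string would then need the same update, but those files are not visible in this part of the diff.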
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
index 150c63b..ed9410c 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/ipsec.conf
@@ -8,6 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	ike=aes128-sha256-ecp256!
+	esp=aes128gcm16!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
index 5cf82c6..359029d 100644
--- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/ipsec.conf
@@ -8,6 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev1
+	ike=aes128-sha256-ecp256!
+	esp=aes128gcm16!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf
index 3b06577..24beedd 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf
@@ -8,6 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=aes128-sha256-ecp256!
+	esp=aes128gcm16!
 	mobike=no
 
 conn net-net 
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf
index 2b4406d..f176bcd 100644
--- a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf
@@ -8,6 +8,8 @@ conn %default
 	rekeymargin=3m
         keyingtries=1
 	keyexchange=ikev2
+	ike=aes128-sha256-ecp256!
+	esp=aes128gcm16!
 	mobike=no
 
 conn net-net 
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
index dd2ceea..c562e35 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/ipsec.conf
@@ -8,6 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=aes128-sha256-ecp256!
+	esp=aes128gcm16!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
index 4c6e11f..62a62a4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/ipsec.conf
@@ -8,6 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=aes128-sha256-ecp256!
+	esp=aes128gcm16!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
index e67d9af..c5e5e61 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/ipsec.conf
@@ -8,6 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=aes128-sha256-ecp256!
+	esp=aes128gcm16!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
index dd2ceea..c562e35 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/carol/etc/ipsec.conf
@@ -8,6 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=aes128-sha256-ecp256!
+	esp=aes128gcm16!
 
 conn home
 	left=PH_IP_CAROL
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
index 4c6e11f..62a62a4 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/dave/etc/ipsec.conf
@@ -8,6 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=aes128-sha256-ecp256!
+	esp=aes128gcm16!
 
 conn home
 	left=PH_IP_DAVE
diff --git a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
index e67d9af..c5e5e61 100644
--- a/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-pkcs8/hosts/moon/etc/ipsec.conf
@@ -8,6 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=aes128-sha256-ecp256!
+	esp=aes128gcm16!
 
 conn rw
 	left=PH_IP_MOON
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
index 7601113..fcb9d83 100644
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
@@ -8,7 +8,10 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
-	
+	ike=aes128-sha256-modp3072!
+	esp=aes128gcm16!
+	mobike=no
+
 conn net-net
 	left=PH_IP_MOON
 	leftsubnet=10.1.0.0/16
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
index 641c3d9..91d6ef5 100644
--- a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
@@ -8,6 +8,9 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=aes128-sha256-modp3072!
+	esp=aes128gcm16!
+	mobike=no
 	
 conn net-net
 	left=PH_IP_SUN
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
index 0296e18..195710a 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/moon/etc/ipsec.conf
@@ -8,6 +8,8 @@ conn %default
 	rekeymargin=3m
 	keyingtries=1
 	keyexchange=ikev2
+	ike=aes128-sha256-modp3072!
+	esp=aes128gcm16!
 	mobike=no
 
 conn net-net 
diff --git a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
index 6dcedd0..292fbee 100644
--- a/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
+++ b/testing/tests/openssl-ikev2/net2net-pkcs12/hosts/sun/etc/ipsec.conf
@@ -6,8 +6,10 @@ conn %default
 	ikelifetime=60m
 	keylife=20m
 	rekeymargin=3m
-        keyingtries=1
+	keyingtries=1
 	keyexchange=ikev2
+	ike=aes128-sha256-modp3072!
+	esp=aes128gcm16!
 	mobike=no
 
 conn net-net 
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
index f585edf..93f4345 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
index f585edf..af5fa19 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index 5afc88f..45eef63 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index 5afc88f..da46bc2 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
index 5afc88f..fc5f418 100644
--- a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
index 5afc88f..43363ba 100644
--- a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
index 5afc88f..fc5f418 100644
--- a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
index 5afc88f..43363ba 100644
--- a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf
index 5afc88f..dcbd764 100644
--- a/testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf
index 5afc88f..0ecc2f8 100644
--- a/testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
index 5afc88f..dcbd764 100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
index 5afc88f..0ecc2f8 100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
index 5afc88f..0ecc2f8 100644
--- a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
index 5afc88f..0ecc2f8 100644
--- a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/nat-rw/hosts/alice/etc/strongswan.conf
index 5afc88f..0ecc2f8 100644
--- a/testing/tests/pfkey/nat-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-rw/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/nat-rw/hosts/sun/etc/strongswan.conf
index 5afc88f..0ecc2f8 100644
--- a/testing/tests/pfkey/nat-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/nat-rw/hosts/venus/etc/strongswan.conf
index 5afc88f..0ecc2f8 100644
--- a/testing/tests/pfkey/nat-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-rw/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
index 5afc88f..0ecc2f8 100644
--- a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
index 5afc88f..0ecc2f8 100644
--- a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
index 5afc88f..dcbd764 100644
--- a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
index 5afc88f..0ecc2f8 100644
--- a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
index 5afc88f..dcbd764 100644
--- a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
index 5afc88f..0ecc2f8 100644
--- a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
index a627f72..5c541e4 100644
--- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
index a627f72..5c541e4 100644
--- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
index a627f72..5c541e4 100644
--- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce test-vectors aes des sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 
   integrity_test = yes
   crypto_test {
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
index db61be2..138386b 100644
--- a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 
   keep_alive = 5
 }
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
index f8efdff..0ecc2f8 100644
--- a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
index db61be2..138386b 100644
--- a/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/pfkey/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-pfkey kernel-netlink socket-default updown
 
   keep_alive = 5
 }
diff --git a/testing/tests/swanctl/config-payload/evaltest.dat b/testing/tests/swanctl/config-payload/evaltest.dat
index 8115a9e..3827b65 100755
--- a/testing/tests/swanctl/config-payload/evaltest.dat
+++ b/testing/tests/swanctl/config-payload/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol at strongswan.org status=online::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave at strongswan.org status=online::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol at strongswan.org::YES
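Review bot: The two added `moon:: swanctl --list-sas --ike-id` lines end at `remote-ts=\[10.3.0.1/32]` and `remote-ts=\[10.3.0.2/32]` with no trailing `::YES`, unlike the carol and dave lines and the `--list-pools` lines in the same hunk. The removed lines have the same gap, so the commit carries it forward while updating only the `dh-group` value. How the evaluator treats a line without that last field is not visible here, so these two checks may not be asserting what they appear to. Appending `::YES` to both would make them consistent with the rest of the file.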
diff --git a/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf
index 7d7e5f9..1f367c2 100755
--- a/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/config-payload/hosts/carol/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
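Review bot: Besides dropping `md5` and `des`, the new `load` line also removes `constraints` and `pubkey`, which the dhcp-dynamic carol and dave hosts in this same commit keep. As far as I know, `constraints` is the plugin that applies the additional X.509 name, policy and path-length checks during chain validation, so certificates on this host are now validated with fewer checks than in the neighbouring scenario. If that is intended because the test PKI carries no such extensions, a short comment like `# constraints/pubkey not needed: <reason>` above the line would make it clear this is not a template for a hardened setup. The dave and moon strongswan.conf hunks of config-payload make the same removal.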
diff --git a/testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf
index f1a76db..3e71395 100755
--- a/testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/config-payload/hosts/carol/etc/swanctl/swanctl.conf
@@ -19,10 +19,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf
index 7d7e5f9..1f367c2 100755
--- a/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/config-payload/hosts/dave/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf
index 184185b..c9e3c2b 100755
--- a/testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/config-payload/hosts/dave/etc/swanctl/swanctl.conf
@@ -19,10 +19,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf
index cd161be..ff6e719 100755
--- a/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/config-payload/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
diff --git a/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf b/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf
index 08fa711..7819dbf 100755
--- a/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf
+++ b/testing/tests/swanctl/config-payload/hosts/moon/etc/swanctl/swanctl_base.conf
@@ -10,8 +10,8 @@
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-curve25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-curve25519
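Review bot: moon's `esp_proposals = aes128gcm128-curve25519` and `proposals = aes128-sha256-curve25519` spell the DH group differently from carol and dave in this scenario, and from moon in dhcp-dynamic, all of which use `x25519`. The two spellings appear to be aliases, since the evaltest expects `dh-group=CURVE_25519` on all three hosts, but mixing them within one scenario makes a text search for the configured group miss entries. I would write `aes128gcm128-x25519` and `aes128-sha256-x25519` here as well. The enclosing connection block starts and ends outside this hunk.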
diff --git a/testing/tests/swanctl/dhcp-dynamic/evaltest.dat b/testing/tests/swanctl/dhcp-dynamic/evaltest.dat
index bc85611..7b88c6d 100644
--- a/testing/tests/swanctl/dhcp-dynamic/evaltest.dat
+++ b/testing/tests/swanctl/dhcp-dynamic/evaltest.dat
@@ -2,10 +2,10 @@ alice::ping -c 1 10.1.0.50::64 bytes from 10.1.0.50: icmp_.eq=1::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 alice::ping -c 1 10.1.0.51::64 bytes from 10.1.0.51: icmp_.eq=1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.1.0.50] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.50/32] remote-ts [...]
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.1.0.51] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.51/32] remote-ts= [...]
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.1.0.50] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote- [...]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.1.0.51] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-t [...]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.50] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.50/32] remote- [...]
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.1.0.51] child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.51/32] remote-t [...]
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.50] child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remot [...]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.1.0.51] child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote [...]
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf
index 5b06b25..dda67e0 100755
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default resolve updown vici
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf
index f1a76db..3e71395 100755
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/carol/etc/swanctl/swanctl.conf
@@ -19,10 +19,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf
index 5b06b25..dda67e0 100755
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default resolve updown vici
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default resolve updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf
index 184185b..c9e3c2b 100755
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/dave/etc/swanctl/swanctl.conf
@@ -19,10 +19,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf
index 36e4e77..1f1e0a6 100755
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown attr farp dhcp
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
diff --git a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf
index e19568b..8b62b8d 100755
--- a/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/dhcp-dynamic/hosts/moon/etc/swanctl/swanctl.conf
@@ -17,10 +17,10 @@ connections {
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/ip-pool-db/evaltest.dat b/testing/tests/swanctl/ip-pool-db/evaltest.dat
index 5fa9dca..93983d8 100755
--- a/testing/tests/swanctl/ip-pool-db/evaltest.dat
+++ b/testing/tests/swanctl/ip-pool-db/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.1 to peer.*carol at strongswan.org::YES
 moon:: cat /var/log/daemon.log::assigning virtual IP 10.3.0.2 to peer.*dave at strongswan.org::YES
 moon:: ipsec pool --status 2> /dev/null::big_pool.*10.3.0.1.*10.3.3.232.*static.*2::YES
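Review bot: The two `moon::` `swanctl --list-sas --ike-id` lines added in this hunk end at `remote-ts=\[10.3.0.N/32]` without the trailing `::YES` field that the `carol::` and `dave::` lines above them and the log checks below them carry. The removed lines had the same gap, so the rewrite carries it over. The two `moon::` lines in the ip-pool/evaltest.dat hunk have the same gap, while the manual-prio/evaltest.dat lines do end in `::YES`. How the test harness treats a line with no expected-result field is not visible here; if it skips or mis-parses such a line, the gateway-side check for `dh-group=CURVE_25519` is never actually asserted. Appending `::YES` to each of those four lines would make the expectation explicit.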
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf
index 44384ca..11b1576 100755
--- a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default resolve updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
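Review bot: The new `load` line does more than add `curve25519` for the x25519 proposals: it also drops `md5`, `des`, `constraints` and `pubkey` and reorders the list, and nothing in the hunk explains why. Removing `md5` and `des` is sensible hygiene, but without `constraints` the daemon no longer performs the extended X.509 constraint checks, which matters if these scenario files are copied as configuration templates. The dhcp-dynamic dave config earlier in this diff keeps `constraints pubkey`, so the scenarios are now inconsistent. I would add a comment above `load`, for example `# constraints/pubkey omitted: scenario certificates carry no X.509 constraints (confirm)`, or restore the two plugins. The same applies to the other ip-pool-db, ip-pool and manual-prio strongswan.conf hunks; the `charon` block continues outside this hunk.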
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
index f1a76db..3e71395 100755
--- a/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ip-pool-db/hosts/carol/etc/swanctl/swanctl.conf
@@ -19,10 +19,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf
index 79bd963..be90bde 100755
--- a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default resolve updown vici
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default resolve updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
index 184185b..c9e3c2b 100755
--- a/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ip-pool-db/hosts/dave/etc/swanctl/swanctl.conf
@@ -19,10 +19,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
index 1eab75a..885d986 100755
--- a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown sqlite attr-sql vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown sqlite attr-sql vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
index 3975512..de22502 100755
--- a/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ip-pool-db/hosts/moon/etc/swanctl/swanctl.conf
@@ -17,10 +17,10 @@ connections {
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/ip-pool/evaltest.dat b/testing/tests/swanctl/ip-pool/evaltest.dat
index ee0b980..0be5dcf 100755
--- a/testing/tests/swanctl/ip-pool/evaltest.dat
+++ b/testing/tests/swanctl/ip-pool/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.1/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.3.0.2/32]
 moon:: swanctl --list-pools --raw 2> /dev/null::rw_pool.*base=10.3.0.0 size=14 online=2 offline=0::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.1 identity=carol at strongswan.org status=online::YES
 moon:: swanctl --list-pools --raw --leases 2> /dev/null::address=10.3.0.2 identity=dave at strongswan.org status=online::YES
diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf
index 7d7e5f9..9d7fa51 100755
--- a/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/ip-pool/hosts/carol/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
index f1a76db..3e71395 100755
--- a/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ip-pool/hosts/carol/etc/swanctl/swanctl.conf
@@ -19,10 +19,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf
index 7d7e5f9..9d7fa51 100755
--- a/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/ip-pool/hosts/dave/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
index 184185b..c9e3c2b 100755
--- a/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ip-pool/hosts/dave/etc/swanctl/swanctl.conf
@@ -19,10 +19,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf
index cd161be..67e5a61 100755
--- a/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/ip-pool/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
diff --git a/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
index 8d4dd6b..e700296 100755
--- a/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/ip-pool/hosts/moon/etc/swanctl/swanctl.conf
@@ -17,11 +17,11 @@ connections {
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
diff --git a/testing/tests/swanctl/manual-prio/evaltest.dat b/testing/tests/swanctl/manual-prio/evaltest.dat
index 8a03505..25e8192 100755
--- a/testing/tests/swanctl/manual-prio/evaltest.dat
+++ b/testing/tests/swanctl/manual-prio/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 carol::ping -c 1 10.1.0.1::64 bytes from 10.1.0.1: icmp_.eq=1::YES
 carol::ping -c 1 10.1.0.10::64 bytes from 10.1.0.10: icmp_.eq=1::YES
 dave:: ping -c 1 10.1.0.1::64 bytes from 10.1.0.1: icmp_.eq=1::YES
diff --git a/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf
index 7d7e5f9..9d7fa51 100755
--- a/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/manual-prio/hosts/carol/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/manual-prio/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/manual-prio/hosts/carol/etc/swanctl/swanctl.conf
index 1821c1c..810dfe9 100755
--- a/testing/tests/swanctl/manual-prio/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/manual-prio/hosts/carol/etc/swanctl/swanctl.conf
@@ -18,11 +18,11 @@ connections {
             remote_ts = 10.1.0.0/16 
             priority = 2
 
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 
    shunts {
diff --git a/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf
index 7d7e5f9..9d7fa51 100755
--- a/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/manual-prio/hosts/dave/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/manual-prio/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/manual-prio/hosts/dave/etc/swanctl/swanctl.conf
index ecdd585..c56a34c 100755
--- a/testing/tests/swanctl/manual-prio/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/manual-prio/hosts/dave/etc/swanctl/swanctl.conf
@@ -18,11 +18,11 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 
    shunts {
diff --git a/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf
index 7d7e5f9..9d7fa51 100755
--- a/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/manual-prio/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf
index 5fefdcd..0245fda 100755
--- a/testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/manual-prio/hosts/moon/etc/swanctl/swanctl.conf
@@ -18,11 +18,11 @@ connections {
             interface = eth0
             policies_fwd_out = yes
 
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 
    shunts {
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat
index ebaad54..a520e5c 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/evaltest.dat
@@ -5,8 +5,8 @@ carol::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
 moon:: cat /var/log/daemon.log::received EAP identity .*228060123456001::YES
 moon:: cat /var/log/daemon.log::authentication of .*228060123456001 at strongswan.org.* with EAP successful::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=228060123456001 at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\ [...]
-moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=228060123456001 at strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remo [...]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=228060123456001 at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts [...]
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=228060123456001 at strongswan.org remote-eap-id=228060123456001.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] re [...]
 moon::cat /var/log/daemon.log::authentication of .*dave at strongswan.org.* with RSA.* successful::YES
 dave::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
 dave::cat /var/log/daemon.log::server requested EAP_SIM authentication::YES
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
index bccbe5a..7e2ee00 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf
index 944e78e..4865330 100755
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/carol/etc/swanctl/swanctl.conf
@@ -23,10 +23,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
index bccbe5a..7e2ee00 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf
index bca5ad3..7aa09c2 100755
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/dave/etc/swanctl/swanctl.conf
@@ -23,10 +23,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
index 7f90207..40b0c59 100644
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 md5 pem pkcs1 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac xcbc vici kernel-netlink socket-default fips-prf eap-radius eap-identity updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf
index 396eff5..1b801e9 100755
--- a/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/mult-auth-rsa-eap-sim-id/hosts/moon/etc/swanctl/swanctl.conf
@@ -21,10 +21,10 @@ connections {
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/net2net-cert/evaltest.dat b/testing/tests/swanctl/net2net-cert/evaltest.dat
index 1d9bd64..4c56d52 100755
--- a/testing/tests/swanctl/net2net-cert/evaltest.dat
+++ b/testing/tests/swanctl/net2net-cert/evaltest.dat
@@ -1,5 +1,5 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf
index 7d7e5f9..9d7fa51 100755
--- a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
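Review bot: Dropping `constraints` from charon's `load` line takes the plugin that enforces X.509 path-length, name and policy constraints out of a certificate-authenticated scenario, which has nothing to do with adding `curve25519`. The same rewritten line appears in the net2net-cert sun hunk and in the net2net-gw carol, moon and sun hunks. Losing `md5` and `des` is welcome, but if `constraints` was not removed on purpose I would keep it: `load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation constraints curve25519 gmp curl kernel-netlink socket-default updown vici`. The charon block continues outside the hunk, and the swanctl section above it is only partly visible.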
diff --git a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
index 9034651..bcc2742 100755
--- a/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -22,12 +22,12 @@ connections {
             rekey_time = 5400
             rekey_bytes = 500000000
             rekey_packets = 1000000
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       mobike = no
       reauth_time = 10800
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf
index 7d7e5f9..9d7fa51 100755
--- a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
index 2b9ddcf..12cee0f 100755
--- a/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -22,12 +22,12 @@ connections {
             rekey_time = 5400
             rekey_bytes = 500000000
             rekey_packets = 1000000
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       mobike = no
       reauth_time = 10800
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/net2net-ed25519/description.txt b/testing/tests/swanctl/net2net-ed25519/description.txt
new file mode 100755
index 0000000..07839e0
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/description.txt
@@ -0,0 +1,6 @@
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b> containing <b>Ed25519</b> keys.
+Upon the successful establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
diff --git a/testing/tests/swanctl/net2net-ed25519/evaltest.dat b/testing/tests/swanctl/net2net-ed25519/evaltest.dat
new file mode 100755
index 0000000..ebbb8ae
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/evaltest.dat
@@ -0,0 +1,7 @@
+moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES
+sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf
new file mode 100755
index 0000000..d766a70
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      default = 1
+    }
+  }
+}
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem
new file mode 100644
index 0000000..491d364
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/pkcs8/moonKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIKF9TGaPwvVmqoqowy6y8anmPMKpSi9bKc310bbXBMtk
+-----END PRIVATE KEY-----
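Review bot: This PKCS#8 private key is added unencrypted with file mode 100644, and sunKey.pem later in the commit is added the same way. Because both keys are published with the test tree, the Ed25519 host certificates and the CA that issued them are only fit for the isolated test network. I would say so in description.txt, for example `The Ed25519 keys and certificates of this scenario are published test fixtures and must not be trusted outside the test environment.` If the harness copies files with their repository modes (not visible here), the pkcs8/ files should also be installed owner-readable only.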
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..bcc2742
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.1
+      remote_addrs = 192.168.0.2 
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = sun.strongswan.org 
+      }
+      children {
+         net-net {
+            local_ts  = 10.1.0.0/16 
+            remote_ts = 10.2.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
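Review bot: The `remote` block accepts the peer with `auth = pubkey` and sets no revocation policy, so a CRL that cannot be fetched or verified does not fail the connection and the scenario never proves that an Ed25519-signed CRL is checked. strongswan.conf loads `revocation` and `curl`, the host certificates appear to carry a CRL distribution point, and test.conf starts winnetou, so the pieces are there. I would add `revocation = strict` to the `remote` block here and in sun's swanctl.conf. I would also add a line to evaltest.dat matching the revocation result in daemon.log; the exact log text should be taken from a test run.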
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem
new file mode 100644
index 0000000..e67b224
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/x509/moonCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB9TCCAaegAwIBAgIBATAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT
+EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5
+IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDQyWhcNMjExMjA0MjI0MDQyWjBaMQswCQYD
+VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF
+ZDI1NTE5MRwwGgYDVQQDExNtb29uLnN0cm9uZ3N3YW4ub3JnMCowBQYDK2VwAyEA
+4X/jpRSEXr0/TmIHTOj7FqllkP+3e+ljkAU1FtYnX5ijgZwwgZkwHwYDVR0jBBgw
+FoAUI06SkApIhvYFXf55p3YDOo5w2PgwHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdz
+d2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATBBBgNVHR8EOjA4MDagNKAyhjBo
+dHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fZWQyNTUxOS5jcmww
+BQYDK2VwA0EAOjD6PXrI3R8Wj55gstR2FtT0Htu4vV2jCRekts8O0++GNVMn65BX
+8ohW9fH7Ie2JTSOb0wzX+TPuMUAkLutUBA==
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 0000000..9c5a069
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/hosts/moon/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf
new file mode 100755
index 0000000..d766a70
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici 
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  }
+  syslog {
+    auth {
+      default = 0
+    }
+    daemon {
+      default = 1
+    }
+  }
+}
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem
new file mode 100644
index 0000000..b83f62c
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/pkcs8/sunKey.pem
@@ -0,0 +1,3 @@
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEIF8vNpW9TVnEB+DzglbCjuZr+1u84dHRofgHoybGL9j0
+-----END PRIVATE KEY-----
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..12cee0f
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,33 @@
+connections {
+
+   gw-gw {
+      local_addrs  = 192.168.0.2
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = sunCert.pem
+         id = sun.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         net-net {
+            local_ts  = 10.2.0.0/16 
+            remote_ts = 10.1.0.0/16 
+
+            updown = /usr/local/libexec/ipsec/_updown iptables
+            rekey_time = 5400
+            rekey_bytes = 500000000
+            rekey_packets = 1000000
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      mobike = no
+      reauth_time = 10800
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem
new file mode 100644
index 0000000..70af020
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/x509/sunCert.pem
@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB8zCCAaWgAwIBAgIBAjAFBgMrZXAwTzELMAkGA1UEBhMCQ0gxGzAZBgNVBAoT
+EnN0cm9uZ1N3YW4gUHJvamVjdDEjMCEGA1UEAxMac3Ryb25nU3dhbiBFZDI1NTE5
+IFJvb3QgQ0EwHhcNMTYxMjA0MjI0MDAyWhcNMjExMjA0MjI0MDAyWjBZMQswCQYD
+VQQGEwJDSDEbMBkGA1UEChMSc3Ryb25nU3dhbiBQcm9qZWN0MRAwDgYDVQQLEwdF
+ZDI1NTE5MRswGQYDVQQDExJzdW4uc3Ryb25nc3dhbi5vcmcwKjAFBgMrZXADIQBn
+HgUv3QIepihJpxydVVtgTsIqminFnbGSER5ReAaQ+qOBmzCBmDAfBgNVHSMEGDAW
+gBQjTpKQCkiG9gVd/nmndgM6jnDY+DAdBgNVHREEFjAUghJzdW4uc3Ryb25nc3dh
+bi5vcmcwEwYDVR0lBAwwCgYIKwYBBQUHAwEwQQYDVR0fBDowODA2oDSgMoYwaHR0
+cDovL2NybC5zdHJvbmdzd2FuLm9yZy9zdHJvbmdzd2FuX2VkMjU1MTkuY3JsMAUG
+AytlcANBAC27Z6Q7/c21bPb3OfvbdnePhIpgGM3LVBL/0Pj9VOAtUec/Rv2rPNHq
+8C1xtc/jMCsI/NdpXSZCeN0lQgf0mgA=
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
new file mode 100644
index 0000000..9c5a069
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/hosts/sun/etc/swanctl/x509ca/strongswanCert.pem
@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/net2net-ed25519/posttest.dat b/testing/tests/swanctl/net2net-ed25519/posttest.dat
new file mode 100755
index 0000000..8d47767
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/posttest.dat
@@ -0,0 +1,7 @@
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::service charon stop 2> /dev/null
+sun::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/swanctl/pkcs8/*
+sun::rm /etc/swanctl/pkcs8/*
diff --git a/testing/tests/swanctl/net2net-ed25519/pretest.dat b/testing/tests/swanctl/net2net-ed25519/pretest.dat
new file mode 100755
index 0000000..f939b3a
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/pretest.dat
@@ -0,0 +1,9 @@
+moon::rm /etc/swanctl/rsa/moonKey.pem
+sun::rm /etc/swanctl/rsa/sunKey.pem
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+sun::service charon start 2> /dev/null
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
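Review bot: The two `rm /etc/swanctl/rsa/...` lines at the top are unexplained, and posttest.dat never puts those RSA keys back; it only clears `/etc/swanctl/pkcs8/*`. Presumably the RSA keys are removed so that only the Ed25519 key from pkcs8/ can be loaded, and the harness re-provisions the default host files between scenarios, but neither is visible here. I would document the intent in description.txt, for example `The default RSA keys are removed in pretest so that the gateways can only authenticate with their Ed25519 keys.` If the harness does not restore defaults, posttest.dat needs to reinstall the RSA keys so later RSA-based scenarios do not start without them.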
diff --git a/testing/tests/swanctl/net2net-ed25519/test.conf b/testing/tests/swanctl/net2net-ed25519/test.conf
new file mode 100755
index 0000000..07a3b24
--- /dev/null
+++ b/testing/tests/swanctl/net2net-ed25519/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+ 
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/net2net-gw/evaltest.dat b/testing/tests/swanctl/net2net-gw/evaltest.dat
index 4908d80..c104aae 100755
--- a/testing/tests/swanctl/net2net-gw/evaltest.dat
+++ b/testing/tests/swanctl/net2net-gw/evaltest.dat
@@ -1,5 +1,5 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol at strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol at strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP carol.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf
index febe9fa..4f54f61 100755
--- a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/net2net-gw/hosts/carol/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
diff --git a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-gw/hosts/carol/etc/swanctl/swanctl.conf
index d450053..cdf6bca 100755
--- a/testing/tests/swanctl/net2net-gw/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-gw/hosts/carol/etc/swanctl/swanctl.conf
@@ -16,12 +16,12 @@ connections {
             remote_ts = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       mobike = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
    gw-sun {
       local {
diff --git a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf
index febe9fa..4f54f61 100755
--- a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/net2net-gw/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
diff --git a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-gw/hosts/moon/etc/swanctl/swanctl.conf
index 348e532..404af8e 100755
--- a/testing/tests/swanctl/net2net-gw/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-gw/hosts/moon/etc/swanctl/swanctl.conf
@@ -18,11 +18,11 @@ connections {
             remote_ts = 10.2.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       mobike = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf
index febe9fa..4f54f61 100755
--- a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/swanctl/net2net-gw/hosts/sun/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
diff --git a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-gw/hosts/sun/etc/swanctl/swanctl.conf
index 68e70be..6f41f1f 100755
--- a/testing/tests/swanctl/net2net-gw/hosts/sun/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-gw/hosts/sun/etc/swanctl/swanctl.conf
@@ -18,11 +18,11 @@ connections {
             remote_ts = 10.1.0.0/16
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       mobike = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/net2net-multicast/evaltest.dat b/testing/tests/swanctl/net2net-multicast/evaltest.dat
index e29f312..6efa23a 100644
--- a/testing/tests/swanctl/net2net-multicast/evaltest.dat
+++ b/testing/tests/swanctl/net2net-multicast/evaltest.dat
@@ -2,8 +2,8 @@ alice::traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
 bob::  traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
 moon:: traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
 sun::  traceroute -p 5353 -w 1 -q 1 -m 1 224.0.0.251::traceroute::YES
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 224.0.0.251/32] remote-ts=\[10.2.0.0/1 [...]
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16 224.0.0.251/32] remote-ts=\[10.1.0.0/16 224.0.0.251/ [...]
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16 224.0.0.251/32] remote-ts=\[10.2.0.0 [...]
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16 224.0.0.251/32] remote-ts=\[10.1.0.0/16 224.0.0.25 [...]
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
 alice::tcpdump::IP bob.strongswan.org.*224.0.0.251::YES
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf
index bbd60d8..2ff6ac0 100644
--- a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf
index 89d616c..b27593d 100755
--- a/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-multicast/hosts/moon/etc/swanctl/swanctl.conf
@@ -24,12 +24,12 @@ connections {
             rekey_time = 5400
             rekey_bytes = 500000000
             rekey_packets = 1000000
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       mobike = no
       reauth_time = 10800
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf
index 48c4b83..b119e82 100644
--- a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac kernel-netlink socket-default forecast vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
diff --git a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf
index 68ba24a..4b578d0 100755
--- a/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-multicast/hosts/sun/etc/swanctl/swanctl.conf
@@ -24,12 +24,12 @@ connections {
             rekey_time = 5400
             rekey_bytes = 500000000
             rekey_packets = 1000000
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       mobike = no
       reauth_time = 10800
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/net2net-route/evaltest.dat b/testing/tests/swanctl/net2net-route/evaltest.dat
index a500b29..5a95371 100755
--- a/testing/tests/swanctl/net2net-route/evaltest.dat
+++ b/testing/tests/swanctl/net2net-route/evaltest.dat
@@ -1,7 +1,7 @@
 moon::swanctl --list-pols --raw 2> /dev/null::net-net.*mode=TUNNEL local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
 moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8] === 10.2.0.10/32\[icmp/8]::YES
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf
index 7d7e5f9..9d7fa51 100755
--- a/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/net2net-route/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf
index 3de6edc..2e1b765 100755
--- a/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-route/hosts/moon/etc/swanctl/swanctl.conf
@@ -20,11 +20,11 @@ connections {
 
             start_action = trap 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       mobike = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf
index 7d7e5f9..4ca179a 100755
--- a/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/swanctl/net2net-route/hosts/sun/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
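Review bot: The new `load` line for sun drops `curl` while still loading `revocation`; the moon hunk for this same scenario and both net2net-start hosts keep `curl`. Without a fetcher plugin the revocation plugin presumably cannot retrieve CRLs or OCSP responses over HTTP on sun, so moon's certificate would be accepted with unknown status unless strict revocation is configured, which sun's swanctl.conf hunk does not show. If the omission is not deliberate, restore it: `load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici`. The charon section continues outside the hunk.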
diff --git a/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf
index 5a9cd13..3a52335 100755
--- a/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-route/hosts/sun/etc/swanctl/swanctl.conf
@@ -20,11 +20,11 @@ connections {
 
             start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       mobike = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat b/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat
index 1d9bd64..4c56d52 100755
--- a/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/evaltest.dat
@@ -1,5 +1,5 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
index 5b67bf3..f102eee 100755
--- a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici 
+  load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
index 9034651..bcc2742 100755
--- a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -22,12 +22,12 @@ connections {
             rekey_time = 5400
             rekey_bytes = 500000000
             rekey_packets = 1000000
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       mobike = no
       reauth_time = 10800
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
index 5b67bf3..f102eee 100755
--- a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici 
+  load = random nonce sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
index 2b9ddcf..12cee0f 100755
--- a/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
@@ -22,12 +22,12 @@ connections {
             rekey_time = 5400
             rekey_bytes = 500000000
             rekey_packets = 1000000
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       mobike = no
       reauth_time = 10800
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/net2net-start/evaltest.dat b/testing/tests/swanctl/net2net-start/evaltest.dat
index 1d9bd64..4c56d52 100755
--- a/testing/tests/swanctl/net2net-start/evaltest.dat
+++ b/testing/tests/swanctl/net2net-start/evaltest.dat
@@ -1,5 +1,5 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
 alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
 sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf
index 7d7e5f9..1f367c2 100755
--- a/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/net2net-start/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf
index 0713e7d..a72957b 100755
--- a/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-start/hosts/moon/etc/swanctl/swanctl.conf
@@ -20,11 +20,11 @@ connections {
 
             start_action = start 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       mobike = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf
index 7d7e5f9..1f367c2 100755
--- a/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/swanctl/net2net-start/hosts/sun/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf
index 5a9cd13..3a52335 100755
--- a/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/net2net-start/hosts/sun/etc/swanctl/swanctl.conf
@@ -20,11 +20,11 @@ connections {
 
             start_action = none
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       mobike = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/ocsp-disabled/description.txt b/testing/tests/swanctl/ocsp-disabled/description.txt
new file mode 100644
index 0000000..4875229
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/description.txt
@@ -0,0 +1,10 @@
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. 
+Client <b>carol</b>'s certificate includes an <b>OCSP URI</b> in an authority information
+access extension pointing to <b>winnetou</b>. Gateway <b>moon</b>'s certificate doesn't 
+contain any such extensions but <b>carol</b>'s swanctl.conf contains a corresponding
+authorities section. With the directive <b>charon.plugins.revocation.enable_ocsp = no</b>
+in strongswan.conf all OCSP fetching is disabled and a fallback to CRL fetching occurs. 
+<p/>
+<b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
+the status of both certificates is <b>good</b>.
diff --git a/testing/tests/swanctl/ocsp-disabled/evaltest.dat b/testing/tests/swanctl/ocsp-disabled/evaltest.dat
new file mode 100644
index 0000000..01fc2bc
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/evaltest.dat
@@ -0,0 +1,8 @@
+moon:: cat /var/log/daemon.log::all OCSP validation disabled::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http://crl.strongswan.org/strongswan.crl::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::all OCSP validation disabled::YES
+carol::cat /var/log/daemon.log::fetching crl from.*http://crl.strongswan.org/strongswan.crl::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\ [...]
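Review bot: The added checks assert only positive log lines, so the test would still pass if an OCSP request were sent despite `enable_ocsp = no`, as long as the CRL fallback succeeds. Add a negative assertion per host, using the message the ocsp-signer-cert scenario matches: `moon:: cat /var/log/daemon.log::requesting ocsp status::NO` and `carol::cat /var/log/daemon.log::requesting ocsp status::NO`. Whether "all OCSP validation disabled" is logged once at plugin load or on every validation cannot be told from this hunk, which is a further reason to pin the absence of the request itself. The final carol line is truncated (`[...]`) in this archived copy, so its tail could not be reviewed.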
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000..e3eb4e3
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+    auths = /usr/local/sbin/swanctl --load-authorities
+  }
+  plugins {
+    revocation {
+      enable_ocsp = no
+    }
+  } 
+}
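Review bot: carol's `load` list includes `md5`, while moon's list in the same scenario does not, and the configured proposals (`aes128-sha256-x25519`, `aes128gcm128-x25519`) do not use it. The usual reason to load it would be a passphrase-protected PEM key, but carol's swanctl.conf in this commit has no secrets section, so it looks like a leftover; this cannot be confirmed because the key body is not visible here. If nothing needs it, drop it so both hosts run with the same minimal plugin set: `load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default`. The same applies to carol's strongswan.conf in ocsp-signer-cert.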
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/rsa/carolKey.pem
new file mode 100644
index 0000000..2d7938a
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/rsa/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000..6fd2297
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol at strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      ocsp_uris = http://ocsp.strongswan.org:8880
+   }
+}
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/x509/carolCert.pem
new file mode 100644
index 0000000..d1e85db
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/hosts/carol/etc/swanctl/x509/carolCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000..3912f5e
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+  plugins {
+    revocation {
+      enable_ocsp = no
+    }
+  }
+}
diff --git a/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..7103071
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         revocation = strict
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
diff --git a/testing/tests/swanctl/ocsp-disabled/posttest.dat b/testing/tests/swanctl/ocsp-disabled/posttest.dat
new file mode 100644
index 0000000..672f418
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/posttest.dat
@@ -0,0 +1,3 @@
+carol::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
diff --git a/testing/tests/swanctl/ocsp-disabled/pretest.dat b/testing/tests/swanctl/ocsp-disabled/pretest.dat
new file mode 100644
index 0000000..e6d6045
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/pretest.dat
@@ -0,0 +1,5 @@
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/swanctl/ocsp-disabled/test.conf b/testing/tests/swanctl/ocsp-disabled/test.conf
new file mode 100644
index 0000000..c5b3ecc
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-disabled/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/ocsp-signer-cert/description.txt b/testing/tests/swanctl/ocsp-signer-cert/description.txt
new file mode 100644
index 0000000..22496f1
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/description.txt
@@ -0,0 +1,10 @@
+By setting <b>strictcrlpolicy=yes</b>, a <b>strict</b> CRL policy is enforced on
+both roadwarrior <b>carol</b> and gateway <b>moon</b>. The online certificate status
+is checked via the OCSP server <b>winnetou</b> which possesses an OCSP signer certificate
+issued by the strongSwan CA. This certificate contains an <b>OCSPSigning</b>
+extended key usage flag. <b>carol</b>'s certificate includes an <b>OCSP URI</b>
+in an authority information access extension pointing to <b>winnetou</b>. 
+Therefore no special authorities section information is needed in moon's swanctl.conf.
+<p>
+<b>carol</b> can successfully initiate an IPsec connection to <b>moon</b> since
+the status of both certificates is <b>good</b>.
diff --git a/testing/tests/swanctl/ocsp-signer-cert/evaltest.dat b/testing/tests/swanctl/ocsp-signer-cert/evaltest.dat
new file mode 100644
index 0000000..4597216
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/evaltest.dat
@@ -0,0 +1,11 @@
+carol::swanctl --list-authorities 2> /dev/null::ocsp_uris: http://ocsp.strongswan.org:8880::YES
+moon:: cat /var/log/daemon.log::requesting ocsp status::YES
+moon:: cat /var/log/daemon.log::ocsp response correctly signed by::YES
+moon:: cat /var/log/daemon.log::ocsp response is valid::YES
+moon:: cat /var/log/daemon.log::certificate status is good::YES
+carol::cat /var/log/daemon.log::requesting ocsp status::YES
+carol::cat /var/log/daemon.log::ocsp response correctly signed by::YES
+carol::cat /var/log/daemon.log::ocsp response is valid::YES
+carol::cat /var/log/daemon.log::certificate status is good::YES
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\ [...]
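Review bot: The pattern `ocsp response correctly signed by` matches whichever certificate signed the response, so these checks do not show that the delegated OCSP signer certificate this scenario is named for was the one used. Extend both lines with the expected signer subject, e.g. `moon:: cat /var/log/daemon.log::ocsp response correctly signed by.*<OCSP signer subject DN>::YES` (placeholder; the DN is not visible on this page). The final carol line is truncated (`[...]`) in this archived copy, so its tail could not be reviewed.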
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000..9ea5160
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 md5 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+    auths = /usr/local/sbin/swanctl --load-authorities
+  } 
+}
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem
new file mode 100644
index 0000000..2d7938a
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/rsa/carolKey.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000..6fd2297
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol at strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      ocsp_uris = http://ocsp.strongswan.org:8880
+   }
+}
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/x509/carolCert.pem b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/x509/carolCert.pem
new file mode 100644
index 0000000..d1e85db
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/carol/etc/swanctl/x509/carolCert.pem
@@ -0,0 +1,26 @@
+-----BEGIN CERTIFICATE-----
+MIIEWzCCA0OgAwIBAgIBODANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE3MDMyMDIwNTI0NFoXDTE5MDkwNjIwNTI0NFowVjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDTALBgNVBAsTBE9DU1Ax
+HTAbBgNVBAMUFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAqlph7feSim5jou6cNCWB/6E+ptfLuEwtpNv4oRa6wHGu
+8qaOjRqaV/rsVJFPTMotGD9u0uHkI9j4hoRm6JgfKCrULQWHizE3mE8T5X9k2HNS
+6ngwOEkxGZgV7p3kq/GW654rfmHdmbRlNNBZa6cO9H3o7iOYibVLHk4Yd93lC5/5
+WRqVVDPdGFMUT71kIRh4MZhpmKgxNL8tftDs+FeFw1j5HDFzlapurWniawlXJFbR
+wjx2afYZ2wH1zFArQ2j8LvObEB4VSFrOy3B5J57hrslFP8609/jFeNuLOt0xc6Gj
+2uStn7TIvjF4KpcZv++VQ+B0bTQoRN33NAM7sSzXkwIDAQABo4IBQzCCAT8wCQYD
+VR0TBAIwADALBgNVHQ8EBAMCA6gwHQYDVR0OBBYEFJCYo8BXG9mSEkp2ag3HiT74
+TT+4MG0GA1UdIwRmMGSAFF2n3XAGUTJ+57Zts7Xl4GDqLk3voUmkRzBFMQswCQYD
+VQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ry
+b25nU3dhbiBSb290IENBggEAMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4u
+b3JnMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc3Auc3Ry
+b25nc3dhbi5vcmc6ODg4MDA5BgNVHR8EMjAwMC6gLKAqhihodHRwOi8vY3JsLnN0
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCo
+tFCDUTmBfPjeaDQVCv7uBausS0sZCw+Pw7zypqo3vyRm0R2Ds2eymfVI4/Zc1NwW
+hYCy9D1f1r2gukI2jDWHdDwNMQPptyx0Kxr98SIlm9ms8jGT7GZ5l0SdkGe5GDMO
+vq7FscqQZX/KkdFk3ye/ONffFS/ukjVRHu8971BNODcRbG0OBhEI2TQsIyxf/iir
+taI23m8b9dclikqZx3FqoxfTHSN5T5KHntpH7KVIS00hrlavxkLLMn5oePRnkBWu
+feSmpfbOBbnEpElLtJM5K8AjArGOx8nxrtw/KNjMiOsyfCim1r0ff1tnZGtHhHCq
+ZCZKA5DsRXZVWasv1CIz
+-----END CERTIFICATE-----
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
new file mode 100644
index 0000000..9ba617c
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+}
diff --git a/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000..7103071
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         revocation = strict
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+
+            esp_proposals = aes128gcm128-x25519
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-x25519
+   }
+}
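Review bot: The `revocation = strict` line in the `remote` section is the setting this scenario exists to exercise, yet the new file has no comment saying so. I would add above it `# strict: authentication fails unless OCSP/CRL status confirms the peer certificate is not revoked`. The `remote` section also sets no `id` or `cacerts`, so any peer whose certificate chains to a loaded CA is accepted. That is normal for a road-warrior test gateway, but a one-line comment such as `# test-only: no remote id/cacerts constraint` would keep it from being copied into a deployment unchanged.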
diff --git a/testing/tests/swanctl/ocsp-signer-cert/posttest.dat b/testing/tests/swanctl/ocsp-signer-cert/posttest.dat
new file mode 100644
index 0000000..672f418
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/posttest.dat
@@ -0,0 +1,3 @@
+carol::swanctl --terminate --ike home
+carol::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
diff --git a/testing/tests/swanctl/ocsp-signer-cert/pretest.dat b/testing/tests/swanctl/ocsp-signer-cert/pretest.dat
new file mode 100644
index 0000000..e6d6045
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/pretest.dat
@@ -0,0 +1,5 @@
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home
diff --git a/testing/tests/swanctl/ocsp-signer-cert/test.conf b/testing/tests/swanctl/ocsp-signer-cert/test.conf
new file mode 100644
index 0000000..c5b3ecc
--- /dev/null
+++ b/testing/tests/swanctl/ocsp-signer-cert/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/swanctl/protoport-dual/evaltest.dat b/testing/tests/swanctl/protoport-dual/evaltest.dat
index 74ba593..b5eec4b 100644
--- a/testing/tests/swanctl/protoport-dual/evaltest.dat
+++ b/testing/tests/swanctl/protoport-dual/evaltest.dat
@@ -1,7 +1,7 @@
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp]] remote-ts=\[10 [...]
-moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp]] remote-ts=\[192.168.0.100/32\[icmp]] [...]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp]] remote-ts=\[ [...]
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp]] remote-ts=\[192.168.0.100/32\[icmp [...]
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
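Review bot: The updated patterns pin `dh-group=CURVE_25519` only in the IKE_SA part of the output, before `child-sas`. Nothing in the visible part of the pattern checks the DH group of the CHILD_SA, so the `x25519` added to `esp_proposals` in the matching swanctl.conf hunks is not verified here. As far as I can tell the first CHILD_SA is keyed from the IKE_AUTH exchange without its own key exchange, so the ESP group would only appear after a CHILD_SA rekey. If it should be covered, rekey the child in the test and extend the pattern with `child-sas.*dh-group=CURVE_25519`. The same applies to the evaltest.dat hunks for protoport-range, rw-cert and rw-dnssec; several of these lines are truncated in this archive (`[...]`), so the tail of the patterns was not reviewed.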
diff --git a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf
index 5cf4d0c..383a242 100644
--- a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf
index c33f05c..e0cc292 100755
--- a/testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/protoport-dual/hosts/carol/etc/swanctl/swanctl.conf
@@ -19,17 +19,17 @@ connections {
             remote_ts = 10.1.0.0/16[icmp]
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
          ssh {
             local_ts  = dynamic[tcp]
             remote_ts = 10.1.0.0/16[tcp/ssh]
             
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf
index 1065d9a..383a242 100644
--- a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf
index 71d7099..7851f43 100755
--- a/testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/protoport-dual/hosts/moon/etc/swanctl/swanctl.conf
@@ -18,7 +18,7 @@ connections {
 
             hostaccess = yes
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
          ssh {
             local_ts  = 10.1.0.0/16[tcp/ssh]
@@ -26,10 +26,10 @@ connections {
 
             hostaccess = yes
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/protoport-range/evaltest.dat b/testing/tests/swanctl/protoport-range/evaltest.dat
index 45bf76f..c8d4c05 100644
--- a/testing/tests/swanctl/protoport-range/evaltest.dat
+++ b/testing/tests/swanctl/protoport-range/evaltest.dat
@@ -1,7 +1,7 @@
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 carol::ping -c 1 PH_IP_MOON1::64 bytes from PH_IP_MOON1: icmp_.eq=1::YES
 carol::ssh -o ConnectTimeout=5 PH_IP_ALICE hostname::alice::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp-req.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp/8]] remote-t [...]
-moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*icmp-req.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp/8]] remote-ts=\[192.168.0.100/32\[ [...]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp-req.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp/8]] remote [...]
+moon::swanctl --list-sas --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp-req.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp/8]] remote-ts=\[192.168.0.100/32 [...]
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf
index 5cf4d0c..383a242 100644
--- a/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/protoport-range/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf
index 4414172..a752c26 100755
--- a/testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/protoport-range/hosts/carol/etc/swanctl/swanctl.conf
@@ -19,24 +19,24 @@ connections {
             remote_ts = 10.1.0.0/16[icmp/2048]
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
          icmp-rep {
             local_ts  = dynamic[icmp/0]
             remote_ts = 10.1.0.0/16[icmp/0]
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
          ftp-ssh {
             local_ts  = dynamic[tcp/32768-65535]
             remote_ts = 10.1.0.0/16[tcp/21-22]
             
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf
index 1065d9a..383a242 100644
--- a/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/protoport-range/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp random nonce x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf
index c5a2a71..3d140a3 100755
--- a/testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/protoport-range/hosts/moon/etc/swanctl/swanctl.conf
@@ -18,7 +18,7 @@ connections {
 
             hostaccess = yes
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
          icmp-rep {
             local_ts  = 10.1.0.0/16[icmp/0]
@@ -26,7 +26,7 @@ connections {
 
             hostaccess = yes
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
          ftp-ssh {
             local_ts  = 10.1.0.0/16[tcp/21-22]
@@ -34,10 +34,10 @@ connections {
 
             hostaccess = yes
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/rw-cert/evaltest.dat b/testing/tests/swanctl/rw-cert/evaltest.dat
index 51bf8c1..8a8a95f 100755
--- a/testing/tests/swanctl/rw-cert/evaltest.dat
+++ b/testing/tests/swanctl/rw-cert/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf
index 7d7e5f9..909bca0 100755
--- a/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-cert/hosts/carol/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
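Review bot: Besides adding `curve25519`, the new `load` line drops `md5` and `des` and moves `random nonce` to the front of the list. Dropping the two legacy algorithms is a welcome reduction, but credential loading will break if anything in this scenario still depends on them, for example a private key stored in DES/3DES-encrypted PEM form or an MD5-signed object. That cannot be checked from this hunk. I would record the intent next to the list, e.g. `# md5 and des deliberately not loaded; no credential in this scenario needs them`. The dave and moon strongswan.conf hunks for rw-cert make the identical change, and the `charon` block continues past the end of the hunk.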
diff --git a/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
index 6cdc7bd..5484bc8 100755
--- a/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf
@@ -18,11 +18,11 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf
index 7d7e5f9..909bca0 100755
--- a/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-cert/hosts/dave/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
index e65ec7a..2c5c8f3 100755
--- a/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf
@@ -18,10 +18,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf
index 7d7e5f9..909bca0 100755
--- a/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-cert/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce sha1 sha2 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
index a3c51c8..b938f0d 100755
--- a/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf
@@ -16,10 +16,10 @@ connections {
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/rw-dnssec/evaltest.dat b/testing/tests/swanctl/rw-dnssec/evaltest.dat
index 6dafe78..73a2ff4 100644
--- a/testing/tests/swanctl/rw-dnssec/evaltest.dat
+++ b/testing/tests/swanctl/rw-dnssec/evaltest.dat
@@ -1,15 +1,15 @@
 carol::cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] rem [...]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.1/32] r [...]
 carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 dave:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*moon.strongswan.org::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] remo [...]
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.3.0.2/32] re [...]
 dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES
 dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
 moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*carol.strongswan.org::YES
 moon:: cat /var/log/daemon.log::performing a DNS query for IPSECKEY RRs of.*dave.strongswan.org::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-t [...]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts [...]
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote [...]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*net.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote- [...]
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf
index 7913daf..ec66253 100644
--- a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf
index 2d14b32..edb9710 100755
--- a/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-dnssec/hosts/carol/etc/swanctl/swanctl.conf
@@ -19,10 +19,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf
index 7913daf..ec66253 100644
--- a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp dnskey pubkey unbound ipseckey hmac vici kernel-netlink socket-default updown resolve
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf
index ba511a4..b894dc7 100755
--- a/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-dnssec/hosts/dave/etc/swanctl/swanctl.conf
@@ -19,10 +19,10 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf
index 9eafa0d..dcca175 100644
--- a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey gmp hmac vici kernel-netlink socket-default updown attr
+  load = random nonce aes sha1 sha2 pem pkcs1 dnskey pubkey unbound ipseckey curve25519 gmp hmac vici kernel-netlink socket-default updown attr
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
diff --git a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf
index 33c4170..6b1a2c2 100755
--- a/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-dnssec/hosts/moon/etc/swanctl/swanctl.conf
@@ -17,11 +17,11 @@ connections {
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat
index 51bf8c1..8a8a95f 100755
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
index 3b492f0..14afb43 100755
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl eap-tls kernel-netlink socket-default updown vici 
+  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf
index 229b602..173b7ff 100755
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/carol/etc/swanctl/swanctl.conf
@@ -18,11 +18,11 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       send_certreq = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf
index 3b492f0..14afb43 100755
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl eap-tls kernel-netlink socket-default updown vici 
+  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf
index adf9326..04042cd 100755
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/dave/etc/swanctl/swanctl.conf
@@ -18,11 +18,11 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       send_certreq = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
index 646ee0e..c090d68 100755
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey gmp curl eap-tls kernel-netlink socket-default updown vici 
+  load = random nonce md5 sha1 sha2 sha3 aes hmac pem pkcs1 x509 revocation constraints pubkey curve25519 gmp curl eap-tls kernel-netlink socket-default updown vici 
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf
index ec6b06b..9070fc3 100755
--- a/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-eap-tls-sha3-rsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -16,11 +16,11 @@ connections {
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
       send_certreq = no
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/rw-hash-and-url/evaltest.dat b/testing/tests/swanctl/rw-hash-and-url/evaltest.dat
index f0a25b1..a7f04b5 100755
--- a/testing/tests/swanctl/rw-hash-and-url/evaltest.dat
+++ b/testing/tests/swanctl/rw-hash-and-url/evaltest.dat
@@ -2,10 +2,10 @@ carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
 dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
 moon:: cat /var/log/daemon.log::fetched certificate.*carol at strongswan.org::YES
 moon:: cat /var/log/daemon.log::fetched certificate.*dave at strongswan.org::YES
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf
index 4b0e311..d58694c 100755
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
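Review bot: The new `load` line drops `constraints` and `pubkey` along with `md5` and `des`, which goes beyond adding `curve25519`. This scenario fetches peer certificates by hash-and-url, and without the `constraints` plugin the X.509 path-length, name and policy constraint checks are presumably no longer exercised here. If that is not intended, keep the plugin: `load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation constraints curve25519 gmp curl kernel-netlink socket-default updown vici`. If it is intended, a `#` comment above the line saying so would help. The same removal appears in the dave and moon copies of this file, in the three rw-multi-ciphers-ikev1 strongswan.conf files and in the charon list of rw-newhope-bliss dave.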
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf
index 401b9fa..f01ee12 100755
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-hash-and-url/hosts/carol/etc/swanctl/swanctl.conf
@@ -18,11 +18,11 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf
index 4b0e311..d58694c 100755
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf
index b1e734d..ac16338 100755
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-hash-and-url/hosts/dave/etc/swanctl/swanctl.conf
@@ -18,11 +18,11 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf
index 4b0e311..d58694c 100755
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf
index f893175..530abbd 100755
--- a/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-hash-and-url/hosts/moon/etc/swanctl/swanctl.conf
@@ -16,11 +16,11 @@ connections {
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/evaltest.dat b/testing/tests/swanctl/rw-multi-ciphers-ikev1/evaltest.dat
index e7bff2d..f91649b 100755
--- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/evaltest.dat
+++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/evaltest.dat
@@ -2,9 +2,9 @@ alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
 venus::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
 alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::NO
 venus::ping -c 1 -W 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::NO
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=MODP_3072.*local-ts [...]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*loca [...]
 dave::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 dh-group=MODP_2048.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.16/28]::YES
-moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-1.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=MODP_3072.*local-ts=\[ [...]
+moon::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-1.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 dh-group=CURVE_25519.*local-t [...]
 moon::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave at strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 prf-alg=PRF_HMAC_SHA1 dh-group=MODP_2048.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA1_96 dh-group=MODP_2048.*local-ts=\[10.1.0.16/28] remote-ts=\[192.168.0.200/32]::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf
index bbb6f6c..22b3184 100755
--- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce sha1 sha2 aes des hmac pkcs1 pem pubkey x509 revocation constraints gmp curl kernel-netlink socket-default updown vici 
+  load = random nonce aes sha1 sha2 hmac pkcs1 pem x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/swanctl/swanctl.conf
index 12f62cf..61d8150 100755
--- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/carol/etc/swanctl/swanctl.conf
@@ -17,10 +17,10 @@ connections {
             remote_ts = 10.1.0.0/28 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128-sha256-modp3072
+            esp_proposals = aes128-sha256-x25519
          }
       }
       version = 1
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf
index c5c1fc3..a55b90a 100755
--- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/dave/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce sha1 sha2 aes des hmac pkcs1 pem pubkey x509 revocation constraints gmp curl kernel-netlink socket-default updown vici
+  load = random nonce des sha1 sha2 hmac pkcs1 pem x509 revocation gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf
index 71ae251..e7b5caa 100755
--- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,7 @@ swanctl {
 }
 
 charon {
-  load = random nonce sha1 sha2 aes des hmac pkcs1 pem pubkey x509 revocation constraints gmp curl kernel-netlink socket-default updown vici 
+  load = random nonce aes des sha1 sha2 hmac pkcs1 pem x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/swanctl/swanctl.conf
index 8356c02..76a6c89 100755
--- a/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-multi-ciphers-ikev1/hosts/moon/etc/swanctl/swanctl.conf
@@ -15,11 +15,11 @@ connections {
             local_ts  = 10.1.0.0/28
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128-sha256-modp3072 
+            esp_proposals = aes128-sha256-x25519
          }
       }
       version = 1 
-      proposals = aes128-sha256-modp3072,3des-sha1-modp2048
+      proposals = aes128-sha256-x25519,3des-sha1-modp2048
    }
 
    rw-2 {
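Review bot: The `proposals` line of `rw-1` still accepts `3des-sha1-modp2048` next to the new x25519 suite, and the `rw-2` hunk below lists it first, so these IKEv1 connections keep a legacy suite negotiable. That looks deliberate for this multi-cipher scenario (the evaltest pattern for dave expects 3DES_CBC with MODP_2048), but nothing in the file says so. A comment above each line would keep the config from being copied as a template: `# 3des-sha1-modp2048 is offered only to test per-peer cipher selection; do not reuse`.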
@@ -40,6 +40,6 @@ connections {
          }
       }
       version = 1
-      proposals = 3des-sha1-modp2048,aes128-sha256-modp3072
+      proposals = 3des-sha1-modp2048,aes128-sha256-x25519
    }
 }
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
index 00576a8..6bfef3d 100755
--- a/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+  load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random 
 }
 
 charon {
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
index 83cfb4e..1d90adb 100755
--- a/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+  load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random 
 }
 
 charon {
-  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici 
+  load = random nonce sha1 sha2 sha3 aes chapoly newhope mgf1 bliss hmac pem pkcs1 x509 revocation pubkey gmp curl kernel-netlink socket-default updown vici 
 
   send_vendor_id = yes
   fragment_size = 1500
diff --git a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
index 98de2c9..d4e3ca2 100755
--- a/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-newhope-bliss/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+  load = pem pkcs1 x509 revocation constraints pubkey openssl mgf1 bliss random 
 }
 
 charon {
diff --git a/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat b/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat
index 41595b6..1a34a92 100755
--- a/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat
+++ b/testing/tests/swanctl/rw-psk-fqdn/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave at strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave at strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
index 68df22a..335f389 100755
--- a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+  load = random openssl
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf
index 9bf759e..cfa7f7e 100755
--- a/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/carol/etc/swanctl/swanctl.conf
@@ -17,11 +17,11 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
index 68df22a..335f389 100755
--- a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+  load = random openssl
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf
index 1f2beef..0a8499c 100755
--- a/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/dave/etc/swanctl/swanctl.conf
@@ -17,11 +17,11 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
index 68df22a..335f389 100755
--- a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+  load = random openssl
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf
index 7138b5d..1094172 100755
--- a/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-fqdn/hosts/moon/etc/swanctl/swanctl.conf
@@ -15,11 +15,11 @@ connections {
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
diff --git a/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat b/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat
index 097489d..3eacc39 100755
--- a/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat
+++ b/testing/tests/swanctl/rw-psk-ikev1/evaltest.dat
@@ -4,10 +4,10 @@ alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
 venus::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
 alice::ping -c 1 -W 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::NO
 venus::ping -c 1 -W 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::NO
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.17..10.1.0.20]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_2048.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_3072.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.17..10.1.0.20] remote-ts=\[192.168.0.200/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/28]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_4096.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.17..10.1.0.20]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw-1.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE25519.*child-sas.*net-1.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw-2.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=192 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=MODP_4096.*child-sas.*net-2.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=192.*local-ts=\[10.1.0.17..10.1.0.20] remote-ts=\[192.168.0.200/32]
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
 moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
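Review bot: The new expected pattern for `moon:: swanctl --list-sas --ike-id 1` spells the group `dh-group=CURVE25519`, while carol's line for the same IKE SA in this hunk, and the other updated evaltest files, use `dh-group=CURVE_25519`. Both ends of one SA report the same group name, so the moon pattern cannot match as written; change it to `dh-group=CURVE_25519`. As shown here, the two moon lines also end without the `::YES` result field that the carol and dave lines carry, which may let the mismatch pass unnoticed. If that field is missing in the file itself rather than lost in this mail rendering, appending `::YES` to both moon lines would make the check effective.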
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
index 8c0f03f..e539ea5 100755
--- a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+  load = random openssl
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf
index dcfcd0b..35fbfda 100755
--- a/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/carol/etc/swanctl/swanctl.conf
@@ -15,11 +15,11 @@ connections {
             remote_ts = 10.1.0.0/28 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 1
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-x25519
    }
 }
 
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
index df1424d..02f6c1b 100755
--- a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+  load = random openssl
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+  load = random nonce aes sha1 sha2 hmac gmp kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf
index 8cd79ea..cc6e936 100755
--- a/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/dave/etc/swanctl/swanctl.conf
@@ -15,11 +15,11 @@ connections {
             remote_ts = 10.1.0.17-10.1.0.20
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes192gcm128-modp3072
+            esp_proposals = aes192gcm128-modp4096
          }
       }
       version = 1 
-      proposals = aes192-sha384-modp3072
+      proposals = aes192-sha384-modp4096
    }
 }
 
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
index 5f21901..c429799 100755
--- a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+  load = random openssl
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+  load = random nonce aes sha1 sha2 hmac curve25519 gmp kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf
index be1bf8a..cd9c455 100755
--- a/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-ikev1/hosts/moon/etc/swanctl/swanctl.conf
@@ -15,11 +15,11 @@ connections {
             local_ts  = 10.1.0.0/28
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp2048
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 1 
-      proposals = aes128-sha256-modp2048
+      proposals = aes128-sha256-x25519
    }
 
    rw-2 {
@@ -37,11 +37,11 @@ connections {
             local_ts  = 10.1.0.17-10.1.0.20
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes192gcm128-modp3072
+            esp_proposals = aes192gcm128-modp4096
          }
       }
       version = 1
-      proposals = aes192-sha384-modp3072
+      proposals = aes192-sha384-modp4096
    }
 }
 
diff --git a/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat b/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat
index 1f9fb0e..c4d46e7 100755
--- a/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat
+++ b/testing/tests/swanctl/rw-psk-ipv4/evaltest.dat
@@ -1,7 +1,7 @@
-carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
-dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
-moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
-moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=192.168.0.100 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=192.168.0.200 remote-host=192.168.0.1 remote-port=4500 remote-id=192.168.0.1 initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.100 remote-port=4500 remote-id=192.168.0.100.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=192.168.0.1 remote-host=192.168.0.200 remote-port=4500 remote-id=192.168.0.200.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]
 alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
 alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
index c560a37..53973cf 100755
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+  load = random openssl
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
index 8b3863b..467a869 100755
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/carol/etc/swanctl/swanctl.conf
@@ -17,11 +17,11 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
index c560a37..53973cf 100755
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+  load = random openssl
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+  load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
index 83f3c0a..a9e866f 100755
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/dave/etc/swanctl/swanctl.conf
@@ -17,11 +17,11 @@ connections {
             remote_ts = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
index c560a37..5efaed6 100755
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/strongswan.conf
@@ -1,11 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 swanctl {
-  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+  load = random openssl
 }
 
 charon {
-  load = sha1 sha2 md5 aes des hmac gmp random nonce kernel-netlink socket-default updown vici
+  load = random nonce aes sha1 sha2 md5 hmac curve25519 kernel-netlink socket-default updown vici
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds
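Review bot: moon's new charon `load` line still lists `md5`, while the carol and dave files of the same scenario drop it and end up with `random nonce aes sha1 sha2 hmac curve25519 ...`. The proposals this commit sets for the test (`aes128-sha256-x25519`, `aes128gcm128-x25519`) do not use MD5, so the plugin looks like a leftover. Loading only what the scenario negotiates keeps a weak hash out of the responder's algorithm set. Unless something outside this hunk needs it, align moon with the other hosts: `load = random nonce aes sha1 sha2 hmac curve25519 kernel-netlink socket-default updown vici`.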
diff --git a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
index 9b4f7ce..cb36d6c 100755
--- a/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/rw-psk-ipv4/hosts/moon/etc/swanctl/swanctl.conf
@@ -14,11 +14,11 @@ connections {
             local_ts  = 10.1.0.0/16 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat b/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat
index 032cd68..dd0d8ec 100644
--- a/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/evaltest.dat
@@ -4,10 +4,10 @@ alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 alice::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_.eq=1::YES
 venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
 venus::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
-alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice at strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize [...]
-venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*local-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize [...]
-sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice at strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[ [...]
-sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*remote-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[ [...]
+alice::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.10 local-port=4500 local-id=alice at strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysi [...]
+venus::swanctl --list-sas --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=10.1.0.20 local-port=4500 local-id=venus.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-local=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*local-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysi [...]
+sun::swanctl --list-sas --ike-id 1 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=alice at strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.1] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts= [...]
+sun::swanctl --list-sas --ike-id 2 --raw 2> /dev/null::nat-t.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1.*remote-id=venus.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*remote-vips=\[10.3.0.2] child-sas.*nat-t.*state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts= [...]
 moon::tcpdump::IP moon.strongswan.org.* > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP::YES
 moon::tcpdump::IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.*: UDP-encap: ESP::YES
 alice::tcpdump::IP alice.strongswan.org > venus.strongswan.org: ICMP::YES
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
index 9622bb0..ee5b261 100644
--- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf
index 373f8a7..c5c67cf 100755
--- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/alice/etc/swanctl/swanctl.conf
@@ -18,11 +18,11 @@ connections {
             remote_ts = 0.0.0.0/0 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 
    local-net {
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
index 38794af..e5c0136 100644
--- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf
index 2f21d4a..1edbf33 100755
--- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/sun/etc/swanctl/swanctl.conf
@@ -17,11 +17,11 @@ connections {
             local_ts  = 0.0.0.0/0
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 }
 
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
index 9622bb0..ee5b261 100644
--- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
+  load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac vici kernel-netlink socket-default updown
 
   start-scripts {
     creds = /usr/local/sbin/swanctl --load-creds 
diff --git a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf
index bb9ca08..9f925e9 100755
--- a/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf
+++ b/testing/tests/swanctl/shunt-policies-nat-rw/hosts/venus/etc/swanctl/swanctl.conf
@@ -18,11 +18,11 @@ connections {
             remote_ts = 0.0.0.0/0 
 
             updown = /usr/local/libexec/ipsec/_updown iptables
-            esp_proposals = aes128gcm128-modp3072
+            esp_proposals = aes128gcm128-x25519
          }
       }
       version = 2
-      proposals = aes128-sha256-modp3072
+      proposals = aes128-sha256-x25519
    }
 
    local-net {
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini
index ea9cbbe..5ae53c4 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini
@@ -16,4 +16,4 @@ Your Name: alice at strongswan.org
 
 [security]
 SECRET_KEY=strongSwan
-ALLOWED_HOSTS=127.0.0.1,10.10.0.1,tnc.strongswan.org,tnc
+ALLOWED_HOSTS=127.0.0.1,10.1.0.10,tnc.strongswan.org,tnc
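Review bot: `SECRET_KEY=strongSwan` in the `[security]` section this hunk touches remains a fixed, publicly known value, and nothing in the file marks it as test-only. strongTNC appears to be a Django application (the removed `manage.py` call and `ALLOWED_HOSTS` point that way), where the secret key protects signed sessions and tokens, so a copy of this fixture used outside the test network would run with a guessable key. I would add a comment above the key, for example `# test fixture only - generate a unique SECRET_KEY for any real deployment`, assuming the parser accepts `#` comments. The same applies to the identical hunk for tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini.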
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat
index 36c7cc6..385cc30 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat
@@ -16,7 +16,7 @@ alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
 alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
 alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
 alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db
-alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan
+alice::/usr/local/bin/init_tnc
 alice::service apache2 start
 alice::service charon start
 moon::service charon start
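Review bot: The new line `alice::/usr/local/bin/init_tnc` no longer shows which strongTNC accounts and passwords the test sets up; the removed `manage.py setpassword` line stated them explicitly, and the script is not visible in this hunk. A sentence in the test's description saying what init_tnc initialises, and that the credentials are for the test environment only, would keep the fixture auditable. It is also not visible here whether a failing init_tnc stops the scenario before `service apache2 start`, which is worth confirming. The same change appears in tnccs-20-pdp-pt-tls/pretest.dat.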
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini
index ea9cbbe..5ae53c4 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini
@@ -16,4 +16,4 @@ Your Name: alice at strongswan.org
 
 [security]
 SECRET_KEY=strongSwan
-ALLOWED_HOSTS=127.0.0.1,10.10.0.1,tnc.strongswan.org,tnc
+ALLOWED_HOSTS=127.0.0.1,10.1.0.10,tnc.strongswan.org,tnc
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
index 860a6c3..17951e8 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
@@ -10,7 +10,7 @@ alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
 alice::sed -i "s:DEBIAN_VERSION:\`cat /etc/debian_version\`:" /etc/pts/data1.sql
 alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/db.d/config.db
 alice::chgrp -R www-data /etc/db.d/config.db; chmod -R g+w /etc/db.d/config.db
-alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan
+alice::/usr/local/bin/init_tnc
 alice::rm /etc/swanctl/x509/aliceCert.pem
 alice::rm /etc/swanctl/rsa/aliceKey.pem
 alice::service charon start

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-swan/strongswan.git


