ARG_ENABL_SET([systime-fix], [enable plugin to handle cert lifetimes with invalid system time gracefully.])
ARG_ENABL_SET([test-vectors], [enable plugin providing crypto test vectors.])
ARG_DISBL_SET([updown], [disable updown firewall script plugin.])
+ARG_ENABL_SET([demo], [enable demo plugin.])
# programs/components
ARG_ENABL_SET([aikgen], [enable AIK generator for TPM 1.2.])
ARG_DISBL_SET([charon], [disable the IKEv1/IKEv2 keying daemon charon.])
ADD_PLUGIN([addrblock], [c charon])
ADD_PLUGIN([unity], [c charon])
ADD_PLUGIN([counters], [c charon])
+ADD_PLUGIN([demo], [c charon])
AC_SUBST(charon_plugins)
AC_SUBST(starter_plugins)
AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue)
AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue)
AM_CONDITIONAL(USE_COUNTERS, test x$counters = xtrue)
+AM_CONDITIONAL(USE_DEMO, test x$demo = xtrue)
# other options
# ---------------
src/libcharon/plugins/resolve/Makefile
src/libcharon/plugins/attr/Makefile
src/libcharon/plugins/attr_sql/Makefile
+ src/libcharon/plugins/demo/Makefile
src/libcharon/tests/Makefile
src/libtpmtss/Makefile
src/libtpmtss/plugins/tpm/Makefile
endif
endif
+if USE_DEMO
+ SUBDIRS += plugins/demo
+if MONOLITHIC
+ libcharon_la_LIBADD += plugins/demo/libstrongswan-demo.la
+endif
+endif
+
if MONOLITHIC
SUBDIRS += .
endif
"ME_CONNECTAUTH",
"ME_RESPONSE",
"RADIUS_ATTRIBUTE");
-ENUM_END(notify_type_names, RADIUS_ATTRIBUTE);
+ENUM_NEXT(notify_type_names, DEMO_PAYLOAD, DEMO_PAYLOAD, RADIUS_ATTRIBUTE,
+ "DEMO_PAYLOAD");
+ENUM_END(notify_type_names, DEMO_PAYLOAD);
ENUM_BEGIN(notify_type_short_names, UNSUPPORTED_CRITICAL_PAYLOAD, UNSUPPORTED_CRITICAL_PAYLOAD,
"ME_CAUTH",
"ME_R",
"RADIUS");
-ENUM_END(notify_type_short_names, RADIUS_ATTRIBUTE);
+ENUM_NEXT(notify_type_short_names, DEMO_PAYLOAD, DEMO_PAYLOAD, RADIUS_ATTRIBUTE,
+ "DEMO");
+ENUM_END(notify_type_short_names, DEMO_PAYLOAD);
typedef struct private_notify_payload_t private_notify_payload_t;
ME_RESPONSE = 40968,
/* RADIUS attribute received/to send to a AAA backend */
RADIUS_ATTRIBUTE = 40969,
+ /* DEMO payload */
+ DEMO_PAYLOAD = 42000,
};
/**
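Review bot: `DEMO_PAYLOAD = 42000` is added with only `/* DEMO payload */`, which tells a reader neither where the number comes from nor how far it can be trusted; the value lies in the IKEv2 status-notify Private Use range (40960–65535, RFC 7296 §3.10.1) and is not IANA-registered, so a peer that does not run this plugin will simply ignore it, and the number must not be reused for another private notify. Suggest `/* DEMO status notify, IKEv2 Private Use range (RFC 7296), only meaningful between peers running the demo plugin */`. The enum this hunk extends begins outside the hunk.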
--- /dev/null
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libcharon
+
+AM_CFLAGS = \
+ $(PLUGIN_CFLAGS)
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-demo.la
+else
+plugin_LTLIBRARIES = libstrongswan-demo.la
+endif
+
+libstrongswan_demo_la_SOURCES = \
+ demo_plugin.h demo_plugin.c \
+ demo_listener.h demo_listener.c
+
+libstrongswan_demo_la_LDFLAGS = -module -avoid-version
--- /dev/null
+/*
+ * Copyright (C) 2015-2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "demo_listener.h"
+
+#include <crypto/hashers/hasher.h>
+#include <utils/debug.h>
+#include <daemon.h>
+
+typedef struct private_demo_listener_t private_demo_listener_t;
+
+/**
+ * Private data of a demo_listener_t object.
+ */
+struct private_demo_listener_t {
+
+ /**
+ * Public demo_listener_t interface.
+ */
+ demo_listener_t public;
+
+ /**
+ * SHA-1 hasher used to hash DEMO payload.
+ */
+ hasher_t *hasher;
+
+};
+
+METHOD(listener_t, message, bool,
+ private_demo_listener_t *this,
+ ike_sa_t *ike_sa, message_t *message, bool incoming, bool plain)
+{
+ enumerator_t *enumerator;
+ payload_t *payload;
+ notify_payload_t *notify;
+ ike_sa_id_t *ike_sa_id;
+ chunk_t data = chunk_empty;
+ char *demo_str;
+
+ if (plain && message->get_exchange_type(message) == CREATE_CHILD_SA)
+ {
+ ike_sa_id = ike_sa->get_id(ike_sa);
+
+ if (incoming)
+ {
+ enumerator = message->create_payload_enumerator(message);
+ while (enumerator->enumerate(enumerator, &payload))
+ {
+ if (payload->get_type(payload) == PLV2_NOTIFY)
+ {
+ notify = (notify_payload_t*)payload;
+ if (notify->get_notify_type(notify) == DEMO_PAYLOAD)
+ {
+ data = notify->get_notification_data(notify);
+ break;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (data.len)
+ {
+ DBG1(DBG_IKE, "received %.*s", data.len, data.ptr);
+ }
+ }
+ else
+ {
+ demo_str = ike_sa_id->is_initiator(ike_sa_id) ? "demo request" :
+ "demo response";
+ DBG1(DBG_IKE, "sending %s", demo_str);
+ data = chunk_from_str(demo_str);
+ message->add_notify(message, FALSE, DEMO_PAYLOAD, data);
+ }
+ }
+ return TRUE;
+}
+
+METHOD(demo_listener_t, destroy, void,
+ private_demo_listener_t *this)
+{
+ DESTROY_IF(this->hasher);
+ free(this);
+}
+
+/**
+ * See header
+ */
+demo_listener_t *demo_listener_create()
+{
+ private_demo_listener_t *this;
+
+ INIT(this,
+ .public = {
+ .listener = {
+ .message = _message,
+ },
+ .destroy = _destroy,
+ },
+ .hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1),
+ );
+
+ return &this->public;
+}
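Review bot: `DBG1(DBG_IKE, "received %.*s", data.len, data.ptr)` passes a `size_t` (`chunk_t.len`) where the `*` precision expects an `int`, and it writes whatever bytes the remote peer placed in the notify straight into the daemon log, so control characters or newlines chosen by the peer land there unescaped. At minimum cast the length, `DBG1(DBG_IKE, "received %.*s", (int)data.len, data.ptr);`, or better log the chunk through the hex-dump formatter (`%B`, if that is what the project's printf hooks register) so peer-controlled bytes are never printed verbatim. Separately, the SHA-1 `hasher` created in `demo_listener_create` and documented as "used to hash DEMO payload" is never touched by `message`; either hash the received data as the comment promises or drop the field together with the `PLUGIN_DEPENDS(HASHER, HASH_SHA1)` feature in demo_plugin.c, which currently forces the sha1 plugin to load for nothing.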
--- /dev/null
+/*
+ * Copyright (C) 2015-2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup demo_listener demo_listener
+ * @{ @ingroup demo
+ */
+
+#ifndef DEMO_LISTENER_H_
+#define DEMO_LISTENER_H_
+
+
+#include <bus/listeners/listener.h>
+
+typedef struct demo_listener_t demo_listener_t;
+
+/**
+ * Insert and process DEMO notify payload
+ */
+struct demo_listener_t {
+
+ /**
+ * Implements a listener.
+ */
+ listener_t listener;
+
+ /**
+ * Destroy a demo_listener_t.
+ */
+ void (*destroy)(demo_listener_t *this);
+};
+
+/**
+ * Create a demo_listener instance.
+ */
+demo_listener_t *demo_listener_create();
+
+#endif /** DEMO_LISTENER_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2015-2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+
+#include "demo_plugin.h"
+#include "demo_listener.h"
+
+#include <daemon.h>
+
+typedef struct private_demo_plugin_t private_demo_plugin_t;
+
+/**
+ * Private data of a demo_plugin_t object.
+ */
+struct private_demo_plugin_t {
+
+ /**
+ * Public radius_plugin_t interface.
+ */
+ demo_plugin_t public;
+
+ /**
+ * Message listener inserting and processing DEMO notify payload
+ */
+ demo_listener_t *demo;
+};
+
+METHOD(plugin_t, get_name, char*,
+ private_demo_plugin_t *this)
+{
+ return "demo";
+}
+
+/**
+ * Register listener
+ */
+static bool plugin_cb(private_demo_plugin_t *this,
+ plugin_feature_t *feature, bool reg, void *cb_data)
+{
+ if (reg)
+ {
+ this->demo = demo_listener_create();
+ if (this->demo)
+ {
+ charon->bus->add_listener(charon->bus, &this->demo->listener);
+ }
+ }
+ else
+ {
+ if (this->demo)
+ {
+ charon->bus->remove_listener(charon->bus, &this->demo->listener);
+ this->demo->destroy(this->demo);
+ }
+ }
+ return TRUE;
+}
+
+METHOD(plugin_t, get_features, int,
+ private_demo_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ PLUGIN_CALLBACK((plugin_feature_callback_t)plugin_cb, NULL),
+ PLUGIN_PROVIDE(CUSTOM, "demo"),
+ PLUGIN_DEPENDS(HASHER, HASH_SHA1),
+ };
+ *features = f;
+ return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+ private_demo_plugin_t *this)
+{
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *demo_plugin_create()
+{
+ private_demo_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ return &this->public.plugin;
+}
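Review bot: In `plugin_cb` the unregister branch calls `this->demo->destroy(this->demo)` but leaves the freed pointer in `this->demo`, so a repeated unregister or a later register/unregister cycle would dereference or double-free it; add `this->demo = NULL;` right after the destroy call. The comment on the `public` member reads `Public radius_plugin_t interface.`, a copy-paste leftover that should be `Public demo_plugin_t interface.`. Note also that `demo_listener_create()` always returns an allocated object (it uses `INIT`), so the `if (this->demo)` guard after it is purely defensive and could carry a comment saying so.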
--- /dev/null
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup demo demo
+ * @ingroup cplugins
+ *
+ * @defgroup demo_plugin demo_plugin
+ * @{ @ingroup demo
+ */
+
+#ifndef DEMO_PLUGIN_H_
+#define DEMO_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct demo_plugin_t demo_plugin_t;
+
+/**
+ * DEMO plugin.
+ *
+ * This plugin subscribes a listener to the IKE message hook and provides
+ * the sending and processing of a DEMO notify payload.
+ */
+struct demo_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** DEMO_PLUGIN_H_ @}*/
--enable-newhope \
--enable-systemd \
--enable-counters \
- --enable-save-keys
+ --enable-save-keys \
+ --enable-demo
export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat
--- /dev/null
+A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up.
+The authentication is based on <b>X.509 certificates</b>. Upon the successful
+establishment of the IPsec tunnel, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b>
+pings client <b>bob</b> located behind gateway <b>sun</b>.
--- /dev/null
+moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
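Review bot: The evaluation only checks the IKE/CHILD SAs and the ping, so it passes whether or not the DEMO notify is actually exchanged in the CREATE_CHILD_SA that the terminate/initiate sequence in pretest.dat provokes. Add log checks matching what demo_listener emits, e.g. `moon::cat /var/log/daemon.log::sending demo request::YES`, `moon::cat /var/log/daemon.log::received demo response::YES` and `sun::cat /var/log/daemon.log::received demo request::YES` (assuming the log path the other scenarios use). sun's strongswan.conf sets no syslog level, so confirm the default still records DBG1 messages there.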
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici demo
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+ syslog {
+ daemon {
+ default = 1
+ }
+ auth {
+ default = 0
+ }
+ }
+}
--- /dev/null
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.1
+ remote_addrs = 192.168.0.2
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = sun.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.1.0.0/16
+ remote_ts = 10.2.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-modp3072
+ }
+}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation constraints pubkey gmp random nonce curl kernel-netlink socket-default updown vici demo
+
+ start-scripts {
+ creds = /usr/local/sbin/swanctl --load-creds
+ conns = /usr/local/sbin/swanctl --load-conns
+ }
+}
--- /dev/null
+connections {
+
+ gw-gw {
+ local_addrs = 192.168.0.2
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ net-net {
+ local_ts = 10.2.0.0/16
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-modp3072
+ }
+ }
+ version = 2
+ mobike = no
+ proposals = aes128-sha256-modp3072
+ }
+}
--- /dev/null
+moon::swanctl --terminate --ike gw-gw 2> /dev/null
+moon::service charon stop 2> /dev/null
+sun::service charon stop 2> /dev/null
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
--- /dev/null
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::service charon start 2> /dev/null
+sun::service charon start 2> /dev/null
+moon::expect-connection gw-gw
+sun::expect-connection gw-gw
+moon::swanctl --initiate --child net-net 2> /dev/null
+moon::swanctl --terminate --child net-net 2> /dev/null
+moon::swanctl --initiate --child net-net 2> /dev/null
--- /dev/null
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1