implemented path length constraint checking for IKEv2
authorAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 4 Nov 2009 22:37:15 +0000 (23:37 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 4 Nov 2009 22:37:15 +0000 (23:37 +0100)
25 files changed:
NEWS
src/charon/credentials/credential_manager.c
src/charon/plugins/stroke/stroke_list.c
src/libstrongswan/credentials/certificates/x509.h
src/libstrongswan/plugins/x509/x509_cert.c
src/pluto/ca.c
src/pluto/ca.h
src/pluto/connections.c
src/pluto/ocsp.c
src/pluto/x509.c
testing/tests/ikev2/multi-level-ca/evaltest.dat
testing/tests/multi-level-ca-pathlen/description.txt [new file with mode: 0644]
testing/tests/multi-level-ca-pathlen/evaltest.dat [new file with mode: 0644]
testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf [new file with mode: 0755]
testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem [new file with mode: 0644]
testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem [new file with mode: 0644]
testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf [new file with mode: 0755]
testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem [new file with mode: 0644]
testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem [new file with mode: 0644]
testing/tests/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/multi-level-ca-pathlen/posttest.dat [new file with mode: 0644]
testing/tests/multi-level-ca-pathlen/pretest.dat [new file with mode: 0644]
testing/tests/multi-level-ca-pathlen/test.conf [new file with mode: 0644]

diff --git a/NEWS b/NEWS
index 4fae8cf22ad76ddc05b897abe89900df62c4294d..2cd4a54716337b69d9b2d3e56c2c8fde3640f8c4 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,9 @@
+strongswan-4.3.6
+----------------
+
+- The IKEv1 and IKEV2 daemons now check certificate path length constraints.
+
+
 strongswan-4.3.5
 ----------------
 
index 7bd724a661eb776a7126affaaf1c2c44d0b28885..875b62d80ef24f7430a6b15689039498a510376d 100644 (file)
@@ -28,8 +28,6 @@
 #include <credentials/certificates/ocsp_request.h>
 #include <credentials/certificates/ocsp_response.h>
 
-#define MAX_CA_LEVELS 6
-
 typedef struct private_credential_manager_t private_credential_manager_t;
 
 /**
@@ -1067,12 +1065,14 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                                                           bool trusted, bool crl, bool ocsp)
 {
        certificate_t *current, *issuer;
+       x509_t *x509;
        auth_cfg_t *auth;
-       u_int level = 0;
+       int pathlen, pathlen_constraint;
 
        auth = auth_cfg_create();
        current = subject->get_ref(subject);
-       while (level++ < MAX_CA_LEVELS)
+
+       for (pathlen = 0; pathlen <= X509_MAX_PATH_LEN; pathlen++)
        {
                issuer = get_issuer_cert(this, current, TRUE);
                if (issuer)
@@ -1082,7 +1082,7 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                        {
                                auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
                                DBG1(DBG_CFG, "  using trusted ca certificate \"%Y\"",
-                                        issuer->get_subject(issuer));
+                                                         issuer->get_subject(issuer));
                                trusted = TRUE;
                        }
                        else
@@ -1122,17 +1122,32 @@ static bool verify_trust_chain(private_credential_manager_t *this,
                        issuer->destroy(issuer);
                        break;
                }
+
+               /* check path length constraint */
+               x509 = (x509_t*)issuer;
+               pathlen_constraint = x509->get_pathLenConstraint(x509);
+               if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
+                       pathlen > pathlen_constraint)
+               {
+                       DBG1(DBG_CFG, "path length of %d violates constraint of %d",
+                                pathlen, pathlen_constraint);
+                       trusted = FALSE;
+                       issuer->destroy(issuer);
+                       break;
+               }
                current->destroy(current);
                current = issuer;
                if (trusted)
                {
+                       DBG1(DBG_CFG, "  reached self-signed root ca with a path length of %d",
+                                                 pathlen);
                        break;
                }
        }
        current->destroy(current);
-       if (level > MAX_CA_LEVELS)
+       if (pathlen > X509_MAX_PATH_LEN)
        {
-               DBG1(DBG_CFG, "maximum ca path length of %d levels reached", level);
+               DBG1(DBG_CFG, "maximum path length of %d exceeded", X509_MAX_PATH_LEN);
        }
        if (trusted)
        {
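Review bot: The cast `x509 = (x509_t*)issuer;` in front of the new constraint check assumes every certificate returned by get_issuer_cert() is X.509; the surrounding code works on `certificate_t` and the hunk shows no type check, so either guard it, `if (issuer->get_type(issuer) == CERT_X509)` around the check, or state the invariant in a comment if get_issuer_cert() guarantees it. Two caveats deserve a comment as well: `pathlen` is charged for every issuer, so self-issued CA certificates (key rollover) count against the constraint — stricter than RFC 5280 section 6.1.4, but failing safe; and the DBG1 `reached self-signed root ca` is emitted whenever `trusted` is set, which as far as the hunk shows happens for any trusted issuer, self-signed or not, so `reached trusted ca certificate` would be the accurate wording. verify_trust_chain starts and ends outside this hunk.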
@@ -1377,7 +1392,7 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
 {
        certificate_t *issuer, *current;
        auth_cfg_t *trustchain;
-       u_int level = 0;
+       int pathlen = 0;
 
        trustchain = auth_cfg_create();
 
@@ -1406,13 +1421,14 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
                        trustchain->add(trustchain, AUTH_RULE_IM_CERT, current);
                }
                issuer = get_issuer_cert(this, current, FALSE);
-               if (!issuer || issuer->equals(issuer, current) || level > MAX_CA_LEVELS)
+               if (!issuer || issuer->equals(issuer, current) ||
+                       pathlen > X509_MAX_PATH_LEN)
                {
                        DESTROY_IF(issuer);
                        break;
                }
                current = issuer;
-               level++;
+               pathlen++;
        }
        trustchain->destroy(trustchain);
        return NULL;
index 5cffa4298cf5484aab1d1904cb92ab8ce1f423ba..93942441fe76d4aa7e49fa706378fe8656cdc9ae 100644 (file)
@@ -746,7 +746,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
 
                        /* list optional pathLenConstraint */
                        pathlen = x509->get_pathLenConstraint(x509);
-                       if (pathlen != NO_PATH_LEN_CONSTRAINT)
+                       if (pathlen != X509_NO_PATH_LEN_CONSTRAINT)
                        {
                                fprintf(out, "  pathlen:   %d\n", pathlen);
                        }
index 6d34195462bdb9bbcfc1907edd62525d10307bce..a671ce220bedc6cbaa28e968442aeb0449a995d7 100644 (file)
@@ -24,7 +24,8 @@
 #include <utils/enumerator.h>
 #include <credentials/certificates/certificate.h>
 
-#define NO_PATH_LEN_CONSTRAINT -1
+#define X509_NO_PATH_LEN_CONSTRAINT            -1
+#define X509_MAX_PATH_LEN                               7
 
 typedef struct x509_t x509_t;
 typedef enum x509_flag_t x509_flag_t;
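Review bot: The two new constants carry no documentation although three chain walkers changed in this commit (credential_manager.c, x509.c, ocsp.c) now depend on their exact meaning. Add a doc comment to each, e.g. `/** returned by get_pathLenConstraint() when the certificate has no pathLenConstraint */` above X509_NO_PATH_LEN_CONSTRAINT and `/** upper bound on the pathlen counter of the trust chain walkers; longer chains are rejected */` above X509_MAX_PATH_LEN. It is also worth noting that the sentinel is negative on purpose, since a real pathLenConstraint is never negative and the walkers compare it against a signed `int`.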
index 0147e78c6dff7b1a50bf26f3bd31212e7247b5a8..bc1afad33accc7fdb33a17d308207e684eda77cf 100644 (file)
@@ -1238,7 +1238,7 @@ static private_x509_cert_t* create_empty(void)
        this->subjectKeyIdentifier = chunk_empty;
        this->authKeyIdentifier = chunk_empty;
        this->authKeySerialNumber = chunk_empty;
-       this->pathLenConstraint = NO_PATH_LEN_CONSTRAINT;
+       this->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT;
        this->algorithm = 0;
        this->signature = chunk_empty;
        this->flags = 0;
index 2f59a90141a13e731b3dc8f983cbc0cce63fce18..583ef8b901c31985664671cbe0d7a1bc92d9b603 100644 (file)
@@ -21,6 +21,7 @@
 
 #include <debug.h>
 #include <utils/enumerator.h>
+#include <credentials/certificates/x509.h>
 
 #include <freeswan.h>
 
@@ -52,14 +53,14 @@ bool trusted_ca(identification_t *a, identification_t *b, int *pathlen)
        /* no CA b specified -> any CA a is accepted */
        if (b == NULL)
        {
-               *pathlen = (a == NULL) ? 0 : MAX_CA_PATH_LEN;
+               *pathlen = (a == NULL) ? 0 : X509_MAX_PATH_LEN;
                return TRUE;
        }
 
        /* no CA a specified -> trust cannot be established */
        if (a == NULL)
        {
-               *pathlen = MAX_CA_PATH_LEN;
+               *pathlen = X509_MAX_PATH_LEN;
                return FALSE;
        }
 
@@ -74,7 +75,7 @@ bool trusted_ca(identification_t *a, identification_t *b, int *pathlen)
        /* CA a might be a subordinate CA of b */
        lock_authcert_list("trusted_ca");
 
-       while ((*pathlen)++ < MAX_CA_PATH_LEN)
+       while ((*pathlen)++ < X509_MAX_PATH_LEN)
        {
                certificate_t *certificate;
                identification_t *issuer;
@@ -130,7 +131,7 @@ bool match_requested_ca(linked_list_t *requested_ca, identification_t *our_ca,
                return TRUE;
        }
 
-       *our_pathlen = MAX_CA_PATH_LEN + 1;
+       *our_pathlen = X509_MAX_PATH_LEN + 1;
 
        enumerator = requested_ca->create_enumerator(requested_ca);
        while (enumerator->enumerate(enumerator, &ca))
@@ -144,9 +145,9 @@ bool match_requested_ca(linked_list_t *requested_ca, identification_t *our_ca,
        }
        enumerator->destroy(enumerator);
 
-       if (*our_pathlen > MAX_CA_PATH_LEN)
+       if (*our_pathlen > X509_MAX_PATH_LEN)
        {
-               *our_pathlen = MAX_CA_PATH_LEN;
+               *our_pathlen = X509_MAX_PATH_LEN;
                return FALSE;
        }
        else
@@ -374,7 +375,7 @@ bool trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chai
 
        lock_authcert_list("trust_authcert_candidate");
 
-       for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+       for (pathlen = 0; pathlen < X509_MAX_PATH_LEN; pathlen++)
        {
                certificate_t *certificate = cert->cert;
                x509_t *x509 = (x509_t*)certificate;
@@ -443,7 +444,7 @@ bool trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chai
                /* go up one step in the trust chain */
                cert = authcert;
        }
-       plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+       plog("maximum ca path length of %d levels exceeded", X509_MAX_PATH_LEN);
        unlock_authcert_list("trust_authcert_candidate");
        return FALSE;
 }
index 77dfe332747e16b354394478c6bb68ecb0428793..7b016f9437689168c504a015a54fb8286637c87c 100644 (file)
@@ -21,8 +21,6 @@
 #include "x509.h"
 #include "whack.h"
 
-#define MAX_CA_PATH_LEN         7
-
 /* CA info structures */
 
 typedef struct ca_info ca_info_t;
index 528e408977ec2a2c458f82ab110ccf648bbc9d48..45d88a350cc917a51562a6b0053a59f620e0c6ab 100644 (file)
@@ -3391,8 +3391,8 @@ connection_t *refine_host_connection(const struct state *st,
                        int prio = (ID_MATCH_PERFECT) * !matching_request +
                                                ID_MATCH_PERFECT - match_level;
 
-                       prio = (MAX_CA_PATH_LEN + 1) * prio + peer_pathlen;
-                       prio = (MAX_CA_PATH_LEN + 1) * prio + our_pathlen;
+                       prio = (X509_MAX_PATH_LEN + 1) * prio + peer_pathlen;
+                       prio = (X509_MAX_PATH_LEN + 1) * prio + our_pathlen;
 
                        DBG(DBG_CONTROLMORE,
                                DBG_log("%s: %s match (id: %s, auth: %s, trust: %s, request: %s, prio: %4d)"
@@ -3560,7 +3560,7 @@ static bool is_virtual_net_used(const ip_subnet *peer_net,
  */
 
 #define PATH_WEIGHT     1
-#define WILD_WEIGHT     (MAX_CA_PATH_LEN+1)
+#define WILD_WEIGHT     (X509_MAX_PATH_LEN+1)
 #define PRIO_WEIGHT     (ID_MATCH_PERFECT+1) * WILD_WEIGHT
 
 /* fc_try: a helper function for find_client_connection */
@@ -3691,7 +3691,7 @@ static connection_t *fc_try(const connection_t *c, struct host_pair *hp,
                         */
                        prio = PRIO_WEIGHT * routed(sr->routing)
                                 + WILD_WEIGHT * match_level
-                                + PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen)
+                                + PATH_WEIGHT * (X509_MAX_PATH_LEN - pathlen)
                                 + 1;
                        if (prio > best_prio)
                        {
@@ -3797,7 +3797,7 @@ static connection_t *fc_try_oppo(const connection_t *c,
                         */
                        prio = PRIO_WEIGHT * (d->prio + routed(sr->routing))
                                 + WILD_WEIGHT * match_level
-                                + PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen);
+                                + PATH_WEIGHT * (X509_MAX_PATH_LEN - pathlen);
                        if (prio > best_prio)
                        {
                                best = d;
index 10ebcda144a8bc05381a0ddf7255a1d77b0c54f0..2674aa2ab44c1b454d10f8d19e7229cd76157a04 100644 (file)
@@ -961,7 +961,7 @@ chunk_t build_ocsp_request(ocsp_location_t *location)
  */
 static bool valid_ocsp_response(response_t *res)
 {
-       int pathlen;
+       int pathlen, pathlen_constraint;
        x509cert_t *authcert;
 
        lock_authcert_list("valid_ocsp_response");
@@ -990,7 +990,7 @@ static bool valid_ocsp_response(response_t *res)
        )
 
 
-       for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++)
+       for (pathlen = -1; pathlen <= X509_MAX_PATH_LEN; pathlen++)
        {
                x509cert_t *cert = authcert;
                certificate_t *certificate = cert->cert;
@@ -1038,17 +1038,28 @@ static bool valid_ocsp_response(response_t *res)
                        DBG_log("certificate signature is valid")
                )
 
+               /* check path length constraint */
+               pathlen_constraint = x509->get_pathLenConstraint(x509);
+               if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
+                       pathlen > pathlen_constraint)
+               {
+                       plog("path length of %d violates constraint of %d",
+                                pathlen, pathlen_constraint);
+                       return FALSE;
+               }
+
                /* check if cert is self-signed */
                if (x509->get_flags(x509) & X509_SELF_SIGNED)
                {
                        DBG(DBG_CONTROL,
-                               DBG_log("reached self-signed root ca")
+                               DBG_log("reached self-signed root ca with a path length of %d",
+                                               pathlen)
                        )
                        unlock_authcert_list("valid_ocsp_response");
                        return TRUE;
                }
        }
-       plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN);
+       plog("maximum path length of %d exceeded", X509_MAX_PATH_LEN);
        unlock_authcert_list("valid_ocsp_response");
        return FALSE;
 }
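Review bot: The new `return FALSE;` in the path length check leaves the authcert list locked: `lock_authcert_list("valid_ocsp_response")` is taken at the top of the function (visible in the first ocsp.c hunk) and both other exits of this loop — the self-signed return and the fall-through after the loop — call `unlock_authcert_list("valid_ocsp_response")` first. Insert `unlock_authcert_list("valid_ocsp_response");` before that `return FALSE;`, otherwise a fetched OCSP response whose signer chain violates a pathLenConstraint leaves the list locked for every later caller. valid_ocsp_response begins outside this hunk.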
index 37d0b016a2d8a558675fe1e0eff90e0391e29c36..a612a70edcc6c209a52413abb9ea695acec9d92b 100644 (file)
@@ -348,7 +348,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
 
        *until = 0;
 
-       for (pathlen = -1; pathlen < MAX_CA_PATH_LEN; pathlen++)
+       for (pathlen = -1; pathlen <= X509_MAX_PATH_LEN; pathlen++)
        {
                certificate_t *certificate = cert->cert;
                identification_t *subject = certificate->get_subject(certificate);
@@ -409,7 +409,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
 
                /* check path length constraint */
                pathlen_constraint = x509->get_pathLenConstraint(x509);
-               if (pathlen_constraint != NO_PATH_LEN_CONSTRAINT &&
+               if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
                        pathlen > pathlen_constraint)
                {
                        plog("path length of %d violates constraint of %d",
@@ -490,7 +490,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until)
                /* go up one step in the trust chain */
                cert = issuer_cert;
        }
-       plog("maximum path length of %d exceeded", MAX_CA_PATH_LEN);
+       plog("maximum path length of %d exceeded", X509_MAX_PATH_LEN);
        return FALSE;
 }
 
@@ -603,7 +603,7 @@ void list_x509cert_chain(const char *caption, x509cert_t* cert,
 
                        /* list optional pathLenConstraint */
                        pathlen = x509->get_pathLenConstraint(x509);
-                       if (pathlen != NO_PATH_LEN_CONSTRAINT)
+                       if (pathlen != X509_NO_PATH_LEN_CONSTRAINT)
                        {
                                whack_log(RC_COMMENT, "  pathlen:   %d", pathlen);
                        }
index b0814556dd598903eea036e9ed3260e0faed7ffa..6b77a81616aeba2101593f61e4b6593429c8beb9 100644 (file)
@@ -1,19 +1,4 @@
-moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status::alice.*INSTALLED::YES
-moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
-carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-carol::ipsec status::venus.*INSTALLED::NO
-moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
-moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
-moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
-moon::cat /var/log/daemon.log::switching to peer config.*venus::YES
-dave::ipsec status::venus.*INSTALLED::YES
-moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
-dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-dave::ipsec status::alice.*INSTALLED::NO
-moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
+moon::cat /var/log/daemon.log::maximum path length of 7 exceeded::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+carol::ipsec status::alice.*INSTALLED::NO
+moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::NO
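Review bot: The regression coverage of the existing ikev2/multi-level-ca scenario is lost here: the CRL fetch and signature checks and the alice/venus connection outcomes for carol and dave are replaced by four lines expecting `maximum path length of 7 exceeded` and a failed authentication, while the new multi-level-ca-pathlen scenario added by the same commit has its own evaltest expecting `path length of 2 violates constraint of 1`. Nothing else in the commit reconfigures the multi-level-ca hosts to build a chain longer than X509_MAX_PATH_LEN, so this looks like a debugging leftover; unless the scenario was intentionally repurposed, restore the removed expectations so the positive path stays tested.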
diff --git a/testing/tests/multi-level-ca-pathlen/description.txt b/testing/tests/multi-level-ca-pathlen/description.txt
new file mode 100644 (file)
index 0000000..1852f71
--- /dev/null
@@ -0,0 +1,5 @@
+The <b>strongSwan Root CA</b> constrains the path length to <b>one</b> intermediate CA
+but the <b>Research CA</b> creates a subsidiary <b>Duck Research CA</b> which in turn
+issues an end entity certificate to roadwarrior <b>carol</b> so that the total
+path length becomes <b>two</b>. This is detected by gateway <b>moon</b> which aborts
+the negotiation.
diff --git a/testing/tests/multi-level-ca-pathlen/evaltest.dat b/testing/tests/multi-level-ca-pathlen/evaltest.dat
new file mode 100644 (file)
index 0000000..266f0d0
--- /dev/null
@@ -0,0 +1,4 @@
+moon::cat /var/log/daemon.log::path length of 2 violates constraint of 1::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+carol::ipsec status::home.*INSTALLED::NO
+moon::ipsec status::duck.*INSTALLED::NO
diff --git a/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..64539cc
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       strictcrlpolicy=no
+       plutostart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn home
+       left=PH_IP_CAROL
+       leftcert=carolCert.pem
+       leftid=carol@strongswan.org
+       leftsendcert=ifasked
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightsubnet=10.1.0.0/16
+       auto=add
+
diff --git a/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644 (file)
index 0000000..4e13b52
--- /dev/null
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem
new file mode 100644 (file)
index 0000000..48727ed
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..fac55d6
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..572cf39
--- /dev/null
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
new file mode 100755 (executable)
index 0000000..528dda3
--- /dev/null
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       strictcrlpolicy=no
+       plutostart=no
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn duck 
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftsendcert=ifasked
+       leftid=@moon.strongswan.org
+       leftsubnet=10.1.0.0/16
+       right=%any
+       rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Duck Research CA"
+       auto=add
diff --git a/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem b/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
new file mode 100644 (file)
index 0000000..bb205a0
--- /dev/null
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS
+BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw
+M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP
+BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu
+MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa
+ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO
+UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD
+h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY
+i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB
+o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2
+KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p
+891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3
+YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF
+AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv
+YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx
+rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C
+1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5
+wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v
+DSlBqDpnqK8tEI9V9YeroihTcygrEg==
+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem
new file mode 100644 (file)
index 0000000..154cff6
--- /dev/null
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..572cf39
--- /dev/null
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/multi-level-ca-pathlen/posttest.dat b/testing/tests/multi-level-ca-pathlen/posttest.dat
new file mode 100644 (file)
index 0000000..f84b7e3
--- /dev/null
@@ -0,0 +1,3 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/multi-level-ca-pathlen/pretest.dat b/testing/tests/multi-level-ca-pathlen/pretest.dat
new file mode 100644 (file)
index 0000000..9f0232a
--- /dev/null
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home 
diff --git a/testing/tests/multi-level-ca-pathlen/test.conf b/testing/tests/multi-level-ca-pathlen/test.conf
new file mode 100644 (file)
index 0000000..b118cb7
--- /dev/null
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"