From: Andreas Steffen Date: Wed, 4 Nov 2009 22:37:15 +0000 (+0100) Subject: implemented path length constraint checkinf for IKEv2 X-Git-Tag: 4.3.6~262 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4c68a85a75f23a33623687847dcc5dcd2d761ff5;p=thirdparty%2Fstrongswan.git implemented path length constraint checkinf for IKEv2 --- diff --git a/NEWS b/NEWS index 4fae8cf22a..2cd4a54716 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,9 @@ +strongswan-4.3.6 +---------------- + +- The IKEv1 and IKEV2 daemons now check certificate path length constraints. + + strongswan-4.3.5 ---------------- diff --git a/src/charon/credentials/credential_manager.c b/src/charon/credentials/credential_manager.c index 7bd724a661..875b62d80e 100644 --- a/src/charon/credentials/credential_manager.c +++ b/src/charon/credentials/credential_manager.c @@ -28,8 +28,6 @@ #include #include -#define MAX_CA_LEVELS 6 - typedef struct private_credential_manager_t private_credential_manager_t; /** @@ -1067,12 +1065,14 @@ static bool verify_trust_chain(private_credential_manager_t *this, bool trusted, bool crl, bool ocsp) { certificate_t *current, *issuer; + x509_t *x509; auth_cfg_t *auth; - u_int level = 0; + int pathlen, pathlen_constraint; auth = auth_cfg_create(); current = subject->get_ref(subject); - while (level++ < MAX_CA_LEVELS) + + for (pathlen = 0; pathlen <= X509_MAX_PATH_LEN; pathlen++) { issuer = get_issuer_cert(this, current, TRUE); if (issuer) @@ -1082,7 +1082,7 @@ static bool verify_trust_chain(private_credential_manager_t *this, { auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer)); DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"", - issuer->get_subject(issuer)); + issuer->get_subject(issuer)); trusted = TRUE; } else 
@@ -1122,17 +1122,32 @@ static bool verify_trust_chain(private_credential_manager_t *this, issuer->destroy(issuer); break; } + + /* check path length constraint */ + x509 = (x509_t*)issuer; + pathlen_constraint = x509->get_pathLenConstraint(x509); + if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && + pathlen > pathlen_constraint) + { + DBG1(DBG_CFG, "path length of %d violates constraint of %d", + pathlen, pathlen_constraint); + trusted = FALSE; + issuer->destroy(issuer); + break; + } current->destroy(current); current = issuer; if (trusted) { + DBG1(DBG_CFG, " reached self-signed root ca with a path length of %d", + pathlen); break; } } current->destroy(current); - if (level > MAX_CA_LEVELS) + if (pathlen > X509_MAX_PATH_LEN) { - DBG1(DBG_CFG, "maximum ca path length of %d levels reached", level); + DBG1(DBG_CFG, "maximum path length of %d exceeded", X509_MAX_PATH_LEN); } if (trusted) { @@ -1377,7 +1392,7 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this, { certificate_t *issuer, *current; auth_cfg_t *trustchain; - u_int level = 0; + int pathlen = 0; trustchain = auth_cfg_create(); @@ -1406,13 +1421,14 @@ static auth_cfg_t *build_trustchain(private_credential_manager_t *this, trustchain->add(trustchain, AUTH_RULE_IM_CERT, current); } issuer = get_issuer_cert(this, current, FALSE); - if (!issuer || issuer->equals(issuer, current) || level > MAX_CA_LEVELS) + if (!issuer || issuer->equals(issuer, current) || + pathlen > X509_MAX_PATH_LEN) { DESTROY_IF(issuer); break; } current = issuer; - level++; + pathlen++; } trustchain->destroy(trustchain); return NULL; diff --git a/src/charon/plugins/stroke/stroke_list.c b/src/charon/plugins/stroke/stroke_list.c index 5cffa4298c..93942441fe 100644 --- a/src/charon/plugins/stroke/stroke_list.c +++ b/src/charon/plugins/stroke/stroke_list.c 
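Review bot: The new constraint check casts `issuer` to `x509_t *` unconditionally before calling `get_pathLenConstraint`; if `get_issuer_cert` can return a `certificate_t` of another type (charon's credential sets also hold trusted raw public keys as certificates), the call goes through the wrong vtable. Wrapping the block in `if (issuer->get_type(issuer) == CERT_X509)` before the cast limits the check to X.509 issuers, which is the only type that carries the extension. A second point on the same lines: `pathlen` counts every issuer found, so a self-issued CA certificate (key rollover) is charged against the superior CA's constraint, which RFC 5280 section 6.1.4 (l) excludes; if that stricter behaviour is intended, say so with a comment such as `/* pathlen counts every CA cert, self-issued ones included (stricter than RFC 5280 6.1.4 l) */`. verify_trust_chain begins outside this hunk.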
@@ -746,7 +746,7 @@ static void stroke_list_certs(linked_list_t *list, char *label, /* list optional pathLenConstraint */ pathlen = x509->get_pathLenConstraint(x509); - if (pathlen != NO_PATH_LEN_CONSTRAINT) + if (pathlen != X509_NO_PATH_LEN_CONSTRAINT) { fprintf(out, " pathlen: %d\n", pathlen); } diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index 6d34195462..a671ce220b 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -24,7 +24,8 @@ #include #include -#define NO_PATH_LEN_CONSTRAINT -1 +#define X509_NO_PATH_LEN_CONSTRAINT -1 +#define X509_MAX_PATH_LEN 7 typedef struct x509_t x509_t; typedef enum x509_flag_t x509_flag_t; diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 0147e78c6d..bc1afad33a 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -1238,7 +1238,7 @@ static private_x509_cert_t* create_empty(void) this->subjectKeyIdentifier = chunk_empty; this->authKeyIdentifier = chunk_empty; this->authKeySerialNumber = chunk_empty; - this->pathLenConstraint = NO_PATH_LEN_CONSTRAINT; + this->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT; this->algorithm = 0; this->signature = chunk_empty; this->flags = 0; diff --git a/src/pluto/ca.c b/src/pluto/ca.c index 2f59a90141..583ef8b901 100644 --- a/src/pluto/ca.c +++ b/src/pluto/ca.c @@ -21,6 +21,7 @@ #include #include +#include #include @@ -52,14 +53,14 @@ bool trusted_ca(identification_t *a, identification_t *b, int *pathlen) /* no CA b specified -> any CA a is accepted */ if (b == NULL) { - *pathlen = (a == NULL) ? 0 : MAX_CA_PATH_LEN; + *pathlen = (a == NULL) ? 0 : X509_MAX_PATH_LEN; return TRUE; } /* no CA a specified -> trust cannot be established */ if (a == NULL) { - *pathlen = MAX_CA_PATH_LEN; + *pathlen = X509_MAX_PATH_LEN; return FALSE; } 
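Review bot: `X509_MAX_PATH_LEN` and `X509_NO_PATH_LEN_CONSTRAINT` are now shared by libstrongswan, charon and pluto but carry no comment stating what they count, and the callers in this patch apply the limit with different conventions: verify_trust_chain iterates `pathlen <= X509_MAX_PATH_LEN` from 0, verify_x509cert and valid_ocsp_response from -1, while trusted_ca and trust_authcert_candidate keep `< X509_MAX_PATH_LEN` from 0. A one-line doc comment on each define would pin the intended meaning, for example `/** returned by get_pathLenConstraint() when the extension is absent */` and `/** maximum number of CA certificates accepted between an end entity and its root */` (adjust to the convention actually meant), after which the loop bounds can be aligned in a follow-up.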
@@ -74,7 +75,7 @@ bool trusted_ca(identification_t *a, identification_t *b, int *pathlen) /* CA a might be a subordinate CA of b */ lock_authcert_list("trusted_ca"); - while ((*pathlen)++ < MAX_CA_PATH_LEN) + while ((*pathlen)++ < X509_MAX_PATH_LEN) { certificate_t *certificate; identification_t *issuer; @@ -130,7 +131,7 @@ bool match_requested_ca(linked_list_t *requested_ca, identification_t *our_ca, return TRUE; } - *our_pathlen = MAX_CA_PATH_LEN + 1; + *our_pathlen = X509_MAX_PATH_LEN + 1; enumerator = requested_ca->create_enumerator(requested_ca); while (enumerator->enumerate(enumerator, &ca)) @@ -144,9 +145,9 @@ bool match_requested_ca(linked_list_t *requested_ca, identification_t *our_ca, } enumerator->destroy(enumerator); - if (*our_pathlen > MAX_CA_PATH_LEN) + if (*our_pathlen > X509_MAX_PATH_LEN) { - *our_pathlen = MAX_CA_PATH_LEN; + *our_pathlen = X509_MAX_PATH_LEN; return FALSE; } else @@ -374,7 +375,7 @@ bool trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chai lock_authcert_list("trust_authcert_candidate"); - for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++) + for (pathlen = 0; pathlen < X509_MAX_PATH_LEN; pathlen++) { certificate_t *certificate = cert->cert; x509_t *x509 = (x509_t*)certificate; @@ -443,7 +444,7 @@ bool trust_authcert_candidate(const x509cert_t *cert, const x509cert_t *alt_chai /* go up one step in the trust chain */ cert = authcert; } - plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN); + plog("maximum ca path length of %d levels exceeded", X509_MAX_PATH_LEN); unlock_authcert_list("trust_authcert_candidate"); return FALSE; } diff --git a/src/pluto/ca.h b/src/pluto/ca.h index 77dfe33274..7b016f9437 100644 --- a/src/pluto/ca.h +++ b/src/pluto/ca.h @@ -21,8 +21,6 @@ #include "x509.h" #include "whack.h" -#define MAX_CA_PATH_LEN 7 - /* CA info structures */ typedef struct ca_info ca_info_t; diff --git a/src/pluto/connections.c b/src/pluto/connections.c index 528e408977..45d88a350c 100644 
--- a/src/pluto/connections.c +++ b/src/pluto/connections.c @@ -3391,8 +3391,8 @@ connection_t *refine_host_connection(const struct state *st, int prio = (ID_MATCH_PERFECT) * !matching_request + ID_MATCH_PERFECT - match_level; - prio = (MAX_CA_PATH_LEN + 1) * prio + peer_pathlen; - prio = (MAX_CA_PATH_LEN + 1) * prio + our_pathlen; + prio = (X509_MAX_PATH_LEN + 1) * prio + peer_pathlen; + prio = (X509_MAX_PATH_LEN + 1) * prio + our_pathlen; DBG(DBG_CONTROLMORE, DBG_log("%s: %s match (id: %s, auth: %s, trust: %s, request: %s, prio: %4d)" @@ -3560,7 +3560,7 @@ static bool is_virtual_net_used(const ip_subnet *peer_net, */ #define PATH_WEIGHT 1 -#define WILD_WEIGHT (MAX_CA_PATH_LEN+1) +#define WILD_WEIGHT (X509_MAX_PATH_LEN+1) #define PRIO_WEIGHT (ID_MATCH_PERFECT+1) * WILD_WEIGHT /* fc_try: a helper function for find_client_connection */ @@ -3691,7 +3691,7 @@ static connection_t *fc_try(const connection_t *c, struct host_pair *hp, */ prio = PRIO_WEIGHT * routed(sr->routing) + WILD_WEIGHT * match_level - + PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen) + + PATH_WEIGHT * (X509_MAX_PATH_LEN - pathlen) + 1; if (prio > best_prio) { @@ -3797,7 +3797,7 @@ static connection_t *fc_try_oppo(const connection_t *c, */ prio = PRIO_WEIGHT * (d->prio + routed(sr->routing)) + WILD_WEIGHT * match_level - + PATH_WEIGHT * (MAX_CA_PATH_LEN - pathlen); + + PATH_WEIGHT * (X509_MAX_PATH_LEN - pathlen); if (prio > best_prio) { best = d; diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c index 10ebcda144..2674aa2ab4 100644 --- a/src/pluto/ocsp.c +++ b/src/pluto/ocsp.c @@ -961,7 +961,7 @@ chunk_t build_ocsp_request(ocsp_location_t *location) */ static bool valid_ocsp_response(response_t *res) { - int pathlen; + int pathlen, pathlen_constraint; x509cert_t *authcert; lock_authcert_list("valid_ocsp_response"); 
@@ -990,7 +990,7 @@ static bool valid_ocsp_response(response_t *res) ) - for (pathlen = 0; pathlen < MAX_CA_PATH_LEN; pathlen++) + for (pathlen = -1; pathlen <= X509_MAX_PATH_LEN; pathlen++) { x509cert_t *cert = authcert; certificate_t *certificate = cert->cert; @@ -1038,17 +1038,28 @@ static bool valid_ocsp_response(response_t *res) DBG_log("certificate signature is valid") ) + /* check path length constraint */ + pathlen_constraint = x509->get_pathLenConstraint(x509); + if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && + pathlen > pathlen_constraint) + { + plog("path length of %d violates constraint of %d", + pathlen, pathlen_constraint); + return FALSE; + } + /* check if cert is self-signed */ if (x509->get_flags(x509) & X509_SELF_SIGNED) { DBG(DBG_CONTROL, - DBG_log("reached self-signed root ca") + DBG_log("reached self-signed root ca with a path length of %d", + pathlen) ) unlock_authcert_list("valid_ocsp_response"); return TRUE; } } - plog("maximum ca path length of %d levels exceeded", MAX_CA_PATH_LEN); + plog("maximum path length of %d exceeded", X509_MAX_PATH_LEN); unlock_authcert_list("valid_ocsp_response"); return FALSE; } diff --git a/src/pluto/x509.c b/src/pluto/x509.c index 37d0b016a2..a612a70edc 100644 --- a/src/pluto/x509.c +++ b/src/pluto/x509.c @@ -348,7 +348,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until) *until = 0; - for (pathlen = -1; pathlen < MAX_CA_PATH_LEN; pathlen++) + for (pathlen = -1; pathlen <= X509_MAX_PATH_LEN; pathlen++) { certificate_t *certificate = cert->cert; identification_t *subject = certificate->get_subject(certificate); 
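Review bot: The new path-length violation branch in valid_ocsp_response returns FALSE while the lock taken by `lock_authcert_list("valid_ocsp_response")` at the top of the function is still held; both other exits visible in this hunk call `unlock_authcert_list("valid_ocsp_response")` first. A single OCSP response whose signer chain violates a constraint would thus leave the authcert list locked and stall every later certificate lookup, so add `unlock_authcert_list("valid_ocsp_response");` immediately before that `return FALSE;`. The loop start also moved from 0 to -1 to match verify_x509cert; that is only equivalent if `x509` on the first iteration refers to the responder certificate itself, which is assigned outside the hunk and worth confirming. valid_ocsp_response starts outside this hunk.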
@@ -409,7 +409,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until) /* check path length constraint */ pathlen_constraint = x509->get_pathLenConstraint(x509); - if (pathlen_constraint != NO_PATH_LEN_CONSTRAINT && + if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && pathlen > pathlen_constraint) { plog("path length of %d violates constraint of %d", @@ -490,7 +490,7 @@ bool verify_x509cert(const x509cert_t *cert, bool strict, time_t *until) /* go up one step in the trust chain */ cert = issuer_cert; } - plog("maximum path length of %d exceeded", MAX_CA_PATH_LEN); + plog("maximum path length of %d exceeded", X509_MAX_PATH_LEN); return FALSE; } @@ -603,7 +603,7 @@ void list_x509cert_chain(const char *caption, x509cert_t* cert, /* list optional pathLenConstraint */ pathlen = x509->get_pathLenConstraint(x509); - if (pathlen != NO_PATH_LEN_CONSTRAINT) + if (pathlen != X509_NO_PATH_LEN_CONSTRAINT) { whack_log(RC_COMMENT, " pathlen: %d", pathlen); } diff --git a/testing/tests/ikev2/multi-level-ca/evaltest.dat b/testing/tests/ikev2/multi-level-ca/evaltest.dat index b0814556dd..6b77a81616 100644 --- a/testing/tests/ikev2/multi-level-ca/evaltest.dat +++ b/testing/tests/ikev2/multi-level-ca/evaltest.dat 
@@ -1,19 +1,4 @@
-moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
-moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
-moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
-carol::ipsec status::alice.*INSTALLED::YES
-moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::YES
-carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-carol::ipsec status::venus.*INSTALLED::NO
-moon::ipsec status::venus.*ESTABLISHED.*carol@strongswan.org::NO
-moon::cat /var/log/daemon.log::constraint check failed: peer not authenticated by.*Research CA::YES
-moon::cat /var/log/daemon.log::selected peer config.*alice.*inacceptable::YES
-moon::cat /var/log/daemon.log::switching to peer config.*venus::YES
-dave::ipsec status::venus.*INSTALLED::YES
-moon::ipsec status::venus.*ESTABLISHED.*dave@strongswan.org::YES
-dave::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
-dave::ipsec status::alice.*INSTALLED::NO
-moon::ipsec status::alice.*ESTABLISHED.*dave@strongswan.org::NO
+moon::cat /var/log/daemon.log::maximum path length of 7 exceeded::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+carol::ipsec status::alice.*INSTALLED::NO
+moon::ipsec status::alice.*ESTABLISHED.*carol@strongswan.org::NO
diff --git a/testing/tests/multi-level-ca-pathlen/description.txt b/testing/tests/multi-level-ca-pathlen/description.txt
new file mode 100644
index 0000000000..1852f71575
--- /dev/null
+++ b/testing/tests/multi-level-ca-pathlen/description.txt
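Review bot: The entire expectation set of the existing ikev2/multi-level-ca test (CRL fetching, the Research and Sales CA constraint checks, the alice/venus connection outcomes) is replaced by four lines expecting `maximum path length of 7 exceeded` and an authentication failure, although the commit adds a dedicated multi-level-ca-pathlen test for the new behaviour. Unless that test's CA hierarchy was deepened elsewhere to more than seven levels, its two-level chain cannot produce this message, so this looks like a debugging state committed by accident; the previous lines should probably be restored and the new checks kept in the new test.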
@@ -0,0 +1,5 @@
+The strongSwan Root CA constrains the path length to one intermediate CA
+but the Research CA creates a subsidiary Duck Research CA which in turn
+issues an end entity certificate to roadwarrior carol so that the total
+path length becomes two. This is detected by gateway moon which aborts
+the negotiation.
diff --git a/testing/tests/multi-level-ca-pathlen/evaltest.dat b/testing/tests/multi-level-ca-pathlen/evaltest.dat
new file mode 100644
index 0000000000..266f0d0daa
--- /dev/null
+++ b/testing/tests/multi-level-ca-pathlen/evaltest.dat
@@ -0,0 +1,4 @@
+moon::cat /var/log/daemon.log::path length of 2 violates constraint of 1::YES
+carol::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+carol::ipsec status::home.*INSTALLED::NO
+moon::ipsec status::duck.*INSTALLED::NO
diff --git a/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
new file mode 100755
index 0000000000..64539ccc2c
--- /dev/null
+++ b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftsendcert=ifasked
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
+
diff --git a/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
new file mode 100644
index 0000000000..4e13b52d02
--- /dev/null
+++ b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/certs/carolCert.pem
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEBzCCAu+gAwIBAgIBATANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxGTAX +BgNVBAMTEER1Y2sgUmVzZWFyY2ggQ0EwHhcNMDkxMTA0MTYyMzM1WhcNMTQxMTAz +MTYyMzM1WjBfMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXggc3Ryb25nU3dh +bjEWMBQGA1UECxMNRHVjayBSZXNlYXJjaDEdMBsGA1UEAxQUY2Fyb2xAc3Ryb25n +c3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6LueCi67Y +IGRDKP5bkysGWZHrFrztq7elIFCPPSUxyIOYo4Upzr5WsvO0dIfcZY3agV2NcAI2 +30sATlfTUp+obedZMHbzE3VBvQuLjgK42ox2XIXDj23Vy496mVqlwUQulhBcAhMb +jnBb4T0aR7WCnJvfzyckEyWrTN0ajRyQhJEmTn+spYNQX/2lg6hEn/K1T/3Py7sG +veeF6BRenHR5L60NSK7qV7AU+hM4R0UIvgwYqzxSStgGS9G6Bwj9QTOWwSV1tuii +ABiRdZSBoON0uMMpRjgEzuVe0f4VbOCIEXO8MtdpCu7Rwa9tc8OwneLcGCYVomr5 +7KKRJdvC5As3AgMBAAGjgdYwgdMwCQYDVR0TBAIwADALBgNVHQ8EBAMCA6gwHQYD +VR0OBBYEFFSYDz2TYOMxfyrIx20NhPPHTCOIMHkGA1UdIwRyMHCAFHYqqKQxp8Zx +jzAlvAJmm8sXVI0goVWkUzBRMQswCQYDVQQGEwJDSDEZMBcGA1UEChMQTGludXgg +c3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDASBgNVBAMTC1Jlc2VhcmNo +IENBggEFMB8GA1UdEQQYMBaBFGNhcm9sQHN0cm9uZ3N3YW4ub3JnMA0GCSqGSIb3 +DQEBCwUAA4IBAQBIpl8SH4Nytgr6KvmXzns80u615WnDmP6oJrnwIZUkunVns8HH +TFUVjvDKoQ+8CvuaH9Ifo2dokGjtGObeO4Y38y0xBIkUO+JpwfTa3SeCEhdOZb3G +4e9WxHhV9IGfRyPsXQG+3JpAMaHYH+PNKiv7RBTq6rGaHzvgUEXRMTbv/bJI+Fs6 +Yfd/XxIur/ftVh4dZocyC74MUyXy5tyZJkHe1aBszOa0iT1852fq93lNUQPQqw0O +3q3Lg7CvbNSdWqeAMqUgeBqh6oQItY9Exrwh0tfuCsjZ0oWXUBghsuiV+GTmZ6ok +BiGmSmtX5OD4UtKcicuMRqnK2MYJHp1z1goE +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem new file mode 100644 index 0000000000..48727ed9d5 --- /dev/null +++ b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.d/private/carolKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAui7ngouu2CBkQyj+W5MrBlmR6xa87au3pSBQjz0lMciDmKOF +Kc6+VrLztHSH3GWN2oFdjXACNt9LAE5X01KfqG3nWTB28xN1Qb0Li44CuNqMdlyF +w49t1cuPeplapcFELpYQXAITG45wW+E9Gke1gpyb388nJBMlq0zdGo0ckISRJk5/ +rKWDUF/9pYOoRJ/ytU/9z8u7Br3nhegUXpx0eS+tDUiu6lewFPoTOEdFCL4MGKs8 +UkrYBkvRugcI/UEzlsEldbboogAYkXWUgaDjdLjDKUY4BM7lXtH+FWzgiBFzvDLX +aQru0cGvbXPDsJ3i3BgmFaJq+eyikSXbwuQLNwIDAQABAoIBAGK7cOXXsTbHpqO+ +33QsjQpnAWyLuFDJWS/l/RKYuFq4HKEbRgivrFxJtdciXNHRwPH43GWe2m3C6AEX +ipd0H1qwPZkcjFfHH81mtPKismrY6tfxpLXaH8LamhHHtTxlSwTxa2d/aiaY2JjA +zyhakrTa3AZJ0lXdGYLH1hC4eEdiPghIqwL8YNB0V2ldq+bMdtQ1i3dcmseV9TI2 +DEAKWzjc7oIcuY9HtfEEAIPzSSqwrM7wUWd9dk70o7b05eK9pnTF59Lnk5U1J1Ag +QnXBHBZfLVDnTYd+dFWM8wUIpO0n6ccUToINppwSejyOs726jUuWGZCthxLBsFZp +5Pj9B6ECgYEA3lRxGRJsAfMoyOc4kLfDmlDtrP88knRlqRW7mVYjclhMbVtrtaTP +44VqmxKIVNQt1p5hB/Gn4kbhC7OnUja/FVHdosEjFhYNh+QCisyaS2V7RNyEidJX +Q61V8v0Z7MxHxxDljVvWfSdAUDRrFwWYxRXZJWwStEmtdAbiZa6aydkCgYEA1mEV +2D+gaR+oBouqcZMiSAjV/qHbnfw4EC2XFCw84JMPerBwl4noWCgvgf0lRirbI+Ar +PDOfoclLnDQRgnqkK4okSIW0SddxttbKdDhhZ2c2CoyKxUqN7/NEyy/tZ2WZRcmX +LILTLXzi/9qq8lF9odjIl5KKsRpXhqMsf5b1w48CgYEAqDT8yDo+yw7b6Xu+OQc/ +Ds5xs3P7sNYtX8qYfz9DXCxfzlDfYbMKsZlr+V0BFiTddUWoJal4GeMEOqU2TyYq +VYf1hkBXOkt++zPPlJGNnsNtisDH6bng2cwXfdpttdEr8Pjgo5063r9GkifGacmL +Nnj8K6rjT9F6UJEw0jtS0qkCgYAi3RMSYfaSYgWPWvNTGRyAHn++s0/l93iemOty +6mbUFtZzm3IUEudoPtDLEQIY0StmQDSHy9VwGC5lrsoSMCO2uPaBnMzfHVxu4at3 +Dxw4Fr7hJE4FG8TNewB7EsZHBGzSvqAJKxVw1liMR2F5musVgQ3OKJTJjIEjcjHw +Zfp93QKBgQCPp6SH510qK9Rf+HjeWXJpOB2ByruC5rBgqrxE4rbIB3/fAl86a3Kq +Q1VqdGb+CW0FlkPshDmmdi3IoCliXywadSaXi/unPfPTel0pQAC8NM7WpPoaUfnS +QgL5iNXshicKoE8U6PRhYvn81zVpt4bFn3DZRgIlau2GQnijLkGvQw== +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets new file mode 100644 index 0000000000..fac55d63be --- /dev/null 
+++ b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem
diff --git a/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..572cf39cbc
--- /dev/null
+++ b/testing/tests/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink
+}
diff --git a/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf b/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
new file mode 100755
index 0000000000..528dda39ba
--- /dev/null
+++ b/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn duck
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftsendcert=ifasked
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ right=%any
+ rightca="C=CH, O=Linux strongSwan, OU=Research, CN=Duck Research CA"
+ auto=add
diff --git a/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem b/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
new file mode 100644
index 0000000000..bb205a0fdc
--- /dev/null
+++ b/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/duckCert.pem
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID0jCCArqgAwIBAgIBBTANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA5MTEwNDE2MTUwM1oXDTE1MTEwMzE2MTUw +M1owVjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAP +BgNVBAsTCFJlc2VhcmNoMRkwFwYDVQQDExBEdWNrIFJlc2VhcmNoIENBMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApIBRSgHCxHhMjsVZo4PtFnENkHNu +MfyRDsc7m1KRDVt8N4h/EcbduU7xeq/RjxZSmlc1q6EWEgDv3KwDYY0sX+qrpQKa +ub5AgsRa2fOOR9xfyf0Q7Nc3oR3keWqQUiigCuaw9NQRtdMm/JFdXLNY3r60tBsO +UHOJAPZNoGPey5UL9ZjjsN6ROUVTh0NAkFwkmnTRwmUvY5bi/T7ulsSkO9BrfqKD +h/pliP7uZANd0ZpPcrIc68WwrelpI1zu0kYGqu/y8HZpuPuAXtGqS2jctrjSieeY +i9wFLnS2tgV3ID4LzEEICSeqVqOvYgGKbarqLkARdxmdRKM9QYpu+5J+YQIDAQAB +o4GvMIGsMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBR2 +KqikMafGcY8wJbwCZpvLF1SNIDBtBgNVHSMEZjBkgBTndfCg8q0gzc1gI8zHyA8p +891UIKFJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3 +YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIBDzANBgkqhkiG9w0BAQsF +AAOCAQEAsHR1vDlz2sPQpD9xnt1PL4qX7XWSSM6d+QG3cjdiKCjH8t78ecEm1duv +YozLg6SYHGUF9qYuPz2SAZjQjmIWLlkQpBfQm8/orG+jbsQl5HkXFYX0UWAKZFGx +rjHnOzmQxnmIWHky4uMDT/UmhmWy6kuCmZbKeeOqkBR2gVxfLyzelTSbF4ntEm1C +1XqqtM4OfTOD5QUPD+6rZ5RoIPId9+2A8pJ2NyCUCf47FbkmYzU5+oiChhcGzsC5 +wDlgP32NA88kSiSJ2p2ZveYveRqcyZXZDAiTxRaIwJY0bt2Dk4wKicvy6vPdLA5v +DSlBqDpnqK8tEI9V9YeroihTcygrEg== +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem b/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem new file mode 100644 index 0000000000..154cff654a --- /dev/null +++ b/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/ipsec.d/cacerts/researchCert.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIIDwTCCAqmgAwIBAgIBDzANBgkqhkiG9w0BAQQFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTA1MDYyMTE5NTgwNloXDTEwMDYyMDE5NTgwNlowUTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh +cmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEP +ADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHfrxnGsvmD +FCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9IDBxzQaQyU +zsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx4PKJ54FO +/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5qm+0iNKy0 +C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha/m0Ug494 ++wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOBrzCBrDAPBgNVHRMBAf8E +BTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPMx8gPKfPd +VCAwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOouTe+hSaRHMEUxCzAJBgNV +BAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQDExJzdHJv +bmdTd2FuIFJvb3QgQ0GCAQAwDQYJKoZIhvcNAQEEBQADggEBAHArS2trQnBoMVcg +Br3HV78wYsa1MNAQCBAPhKMMd6EziO4FTwgNgecbKXpObX6ErFDgjtVTcLOMTvNX +fvZoNuPpdcitlgcWjfxZafNbj6j9ClE/rMbGDO64NLhdXuPVkbmic6yXRwGZpTuq +3CKgTguLvhzIEM47yfonXKaaJcKVPI7nYRZdlJmD4VflYrSUpzB361dCaPpl0AYa +0zz1+jfBBvlyic/tf+cCngV3f+GlJ4ntZ3gvRjyysHRmYpWBD7xcA8mJzgUiMyi1 +IKeNzydp+tnLfxwetfA/8ptc346me7RktAaASqO9vpS/N78eXyJRthZTKEf/OqVW +Tfcyi+M= +-----END CERTIFICATE----- diff --git a/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf new file mode 100644 index 0000000000..572cf39cbc --- /dev/null +++ b/testing/tests/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink +} 
diff --git a/testing/tests/multi-level-ca-pathlen/posttest.dat b/testing/tests/multi-level-ca-pathlen/posttest.dat
new file mode 100644
index 0000000000..f84b7e37ba
--- /dev/null
+++ b/testing/tests/multi-level-ca-pathlen/posttest.dat
@@ -0,0 +1,3 @@
+moon::ipsec stop
+carol::ipsec stop
+moon::rm /etc/ipsec.d/cacerts/*
diff --git a/testing/tests/multi-level-ca-pathlen/pretest.dat b/testing/tests/multi-level-ca-pathlen/pretest.dat
new file mode 100644
index 0000000000..9f0232a7b4
--- /dev/null
+++ b/testing/tests/multi-level-ca-pathlen/pretest.dat
@@ -0,0 +1,5 @@
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+carol::ipsec start
+moon::ipsec start
+carol::sleep 2
+carol::ipsec up home
diff --git a/testing/tests/multi-level-ca-pathlen/test.conf b/testing/tests/multi-level-ca-pathlen/test.conf
new file mode 100644
index 0000000000..b118cb7dc1
--- /dev/null
+++ b/testing/tests/multi-level-ca-pathlen/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"