From: Andreas Steffen Date: Wed, 4 Jan 2023 17:28:13 +0000 (+0100) Subject: rsa_signatures: Enable rsa_pss by default X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ccf86b66d63a29a42558bbf128c1441df4a003ee;p=thirdparty%2Fstrongswan.git rsa_signatures: Enable rsa_pss by default --- diff --git a/conf/options/charon.opt b/conf/options/charon.opt index 72efd17de2..f18417fb87 100644 --- a/conf/options/charon.opt +++ b/conf/options/charon.opt @@ -408,8 +408,9 @@ charon.routing_table charon.routing_table_prio Priority of the routing table. -charon.rsa_pss = no - Whether to use RSA with PSS padding instead of PKCS#1 padding by default. +charon.rsa_pss = yes + Use RSA with PSS padding by default. Revert to legacy PKCS#1 padding by + setting the option to no. charon.rsa_pss_trailerfield = no Whether to encode an explicit trailerField value of 0x01 in the RSA-PSS diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c b/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c index 89868a710f..b7153b3490 100644 --- a/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c +++ b/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c @@ -2,6 +2,7 @@ * Copyright (C) 2012-2020 Tobias Brunner * Copyright (C) 2012 Giuliano Grassi * Copyright (C) 2012 Ralf Sager + * Copyright (C) 2023 Andreas Steffen, strongSec GmbH * * Copyright (C) secunet Security Networks AG * @@ -423,7 +424,7 @@ static void initiate(settings_t *settings) settings->get_bool(settings, "global.ocsp", TRUE)); lib->settings->set_bool(lib->settings, "charon.rsa_pss", - settings->get_bool(settings, "global.rsa_pss", FALSE)); + settings->get_bool(settings, "global.rsa_pss", TRUE)); /* this is actually the size of the complete IKE/IP packet, so if the MTU * for the TUN devices has to be reduced to pass traffic the IKE packets * will be a bit smaller than necessary as there is no IPsec overhead like 
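Review bot: The fallback for `global.rsa_pss` in `initiate()` is now a bare `TRUE`, and the same literal default is repeated at every other `rsa_pss` lookup this commit touches (`select_signature_schemes`, `add_pubkey_constraints`, and the `acert`, `issue`, `req`, `scep`, `self` and `sign_crl` commands), so nothing keeps those sites in agreement if the default changes again. A single shared definition, for example a hypothetical `#define RSA_PSS_DEFAULT TRUE` in a common header, would rule out a silent mismatch between scheme selection and constraint parsing. For this call in particular, a profile that does not carry the key now switches to PSS on upgrade; whether the app side always writes `global.rsa_pss` is not visible in the hunk, so a short comment such as `/* PSS unless the profile explicitly disables it */` would help. The body of `initiate()` continues outside the hunk.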
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 1570cc5926..e13264ade5 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c @@ -2,6 +2,7 @@ * Copyright (C) 2008-2018 Tobias Brunner * Copyright (C) 2005-2009 Martin Willi * Copyright (C) 2005 Jan Hutter + * Copyright (C) 2023 Andreas Steffen, strongSec GmbH * * Copyright (C) secunet Security Networks AG * @@ -227,7 +228,7 @@ static array_t *select_signature_schemes(keymat_v2_t *keymat, while (enumerator->enumerate(enumerator, &config)) { if (config->scheme == SIGN_RSA_EMSA_PSS && - !lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + !lib->settings->get_bool(lib->settings, "%s.rsa_pss", TRUE, lib->ns)) { continue; diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index d4178f97ba..ac4b9edea4 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2008-2017 Tobias Brunner * Copyright (C) 2007-2009 Martin Willi - * Copyright (C) 2016 Andreas Steffen + * Copyright (C) 2016-2023 Andreas Steffen * * Copyright (C) secunet Security Networks AG * @@ -571,7 +571,7 @@ METHOD(auth_cfg_t, add_pubkey_constraints, void, auth_rule_t type; void *value; - rsa_pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + rsa_pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", TRUE, lib->ns); enumerator = enumerator_create_token(constraints, "-", ""); diff --git a/src/libstrongswan/tests/suites/test_auth_cfg.c b/src/libstrongswan/tests/suites/test_auth_cfg.c index 78c5d1d496..3c9b18bfcb 100644 --- a/src/libstrongswan/tests/suites/test_auth_cfg.c +++ b/src/libstrongswan/tests/suites/test_auth_cfg.c 
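Review bot: The check in `select_signature_schemes()` that skips `SIGN_RSA_EMSA_PSS` now fires only when the option is explicitly set to no, and nothing next to the condition says so. How a peer limited to PKCS#1 v1.5 is handled after this change is not visible in the hunk, so an operator who sees authentication failures after an upgrade has no hint in the code that this default is the place to look. I would add a comment above the condition, `/* RSA-PSS is offered unless <ns>.rsa_pss is explicitly disabled */`, and the same one-line remark at the `rsa_pss` lookup in `add_pubkey_constraints`. Both functions start and end outside their hunks.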
@@ -1,5 +1,6 @@ /* * Copyright (C) 2016 Tobias Brunner + * Copyright (C) 2023 Andreas Steffen, strongSec GmbH * * Copyright (C) secunet Security Networks AG * @@ -68,6 +69,8 @@ START_TEST(test_sig_constraints) auth_cfg_t *cfg; signature_scheme_t none[] = {0}; + lib->settings->set_bool(lib->settings, "%s.rsa_pss", FALSE, lib->ns); + cfg = auth_cfg_create(); cfg->add_pubkey_constraints(cfg, sig_constraints_tests[_i].constraints, FALSE); check_sig_constraints(cfg, AUTH_RULE_SIGNATURE_SCHEME, sig_constraints_tests[_i].sig); @@ -89,6 +92,7 @@ START_TEST(test_ike_constraints_fallback) { auth_cfg_t *cfg; + lib->settings->set_bool(lib->settings, "%s.rsa_pss", FALSE, lib->ns); lib->settings->set_bool(lib->settings, "%s.signature_authentication_constraints", TRUE, lib->ns); @@ -168,6 +172,8 @@ START_TEST(test_sig_constraints_params) { auth_cfg_t *cfg; + lib->settings->set_bool(lib->settings, "%s.rsa_pss", FALSE, lib->ns); + cfg = auth_cfg_create(); cfg->add_pubkey_constraints(cfg, sig_constraints_params_tests[_i].constraints, TRUE); check_sig_constraints_params(cfg, AUTH_RULE_IKE_SIGNATURE_SCHEME, diff --git a/src/pki/commands/acert.c b/src/pki/commands/acert.c index 7f91bf9b1e..afee64ded5 100644 --- a/src/pki/commands/acert.c +++ b/src/pki/commands/acert.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2009 Martin Willi - * Copyright (C) 2015-2017 Andreas Steffen + * Copyright (C) 2015-2023 Andreas Steffen * * Copyright (C) secunet Security Networks AG * @@ -45,7 +45,7 @@ static int acert() time_t not_before, not_after, lifetime = 24 * 60 * 60; char *datenb = NULL, *datena = NULL, *dateform = NULL; char *arg; - bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", TRUE, lib->ns); groups = linked_list_create(); @@ -68,7 +68,11 @@ static int acert() { pss = TRUE; } - else if (!streq(arg, "pkcs1")) + else if (streq(arg, "pkcs1")) + { + pss = FALSE; + } + else { error = "invalid RSA padding"; goto usage; 
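Review bot: All three tests touched here (`test_sig_constraints`, `test_ike_constraints_fallback`, `test_sig_constraints_params`) now pin `rsa_pss` to `FALSE` before parsing, so within these hunks the suite exercises only the legacy path and the new default is left without coverage. The value is also written into the global `lib->settings` and is not reset in the visible lines, so later tests in the same process may inherit it. I would add a variant that runs the constraint tables with `lib->settings->set_bool(lib->settings, "%s.rsa_pss", TRUE, lib->ns);` against the expected PSS schemes, and restore the key at the end of each test. The test bodies continue outside the hunks.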
@@ -285,7 +289,7 @@ static void __attribute__ ((constructor))reg() " --issuercert file [--serial hex] [--lifetime hours]", " [--not-before datetime] [--not-after datetime] [--dateform form]", "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", - "[--rsa-padding pkcs1|pss]", + "[--rsa-padding pss|pkcs1]", "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, @@ -300,7 +304,7 @@ static void __attribute__ ((constructor))reg() {"not-after", 'T', 1, "date/time the validity of the AC ends"}, {"dateform", 'D', 1, "strptime(3) input format, default: %d.%m.%y %T"}, {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, - {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pss"}, {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index 9979f22633..7eefb743b9 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2009 Martin Willi - * Copyright (C) 2015-2022 Andreas Steffen + * Copyright (C) 2015-2023 Andreas Steffen * * Copyright (C) secunet Security Networks AG * @@ -118,7 +118,7 @@ static int issue() x509_cert_policy_t *policy = NULL; traffic_selector_t *ts; char *arg; - bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", TRUE, lib->ns); san = linked_list_create(); @@ -184,7 +184,11 @@ static int issue() { pss = TRUE; } - else if (!streq(arg, "pkcs1")) + else if (streq(arg, "pkcs1")) + { + pss = FALSE; + } + else { error = "invalid RSA padding"; goto usage; 
@@ -657,7 +661,7 @@ static void __attribute__ ((constructor))reg() "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+", "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", - "[--rsa-padding pkcs1|pss] [--critical oid]", + "[--rsa-padding pss|pkcs1] [--critical oid]", "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, @@ -690,7 +694,7 @@ static void __attribute__ ((constructor))reg() {"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"}, {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, - {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pss"}, {"critical", 'X', 1, "critical extension OID to include"}, {"outform", 'f', 1, "encoding of generated cert, default: der"}, } diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index fd11e76b9e..41a5c407cc 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2009 Martin Willi - * Copyright (C) 2009-2022 Andreas Steffen + * Copyright (C) 2009-2023 Andreas Steffen * * Copyright (C) secunet Security Networks AG * @@ -45,7 +45,7 @@ static int req() chunk_t cert_type_ext = chunk_empty; x509_flag_t flags = 0; char *arg; - bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", TRUE, lib->ns); san = linked_list_create(); @@ -105,7 +105,11 @@ static int req() { pss = TRUE; } - else if (!streq(arg, "pkcs1")) + else if (streq(arg, "pkcs1")) + { + pss = FALSE; + } + else { error = "invalid RSA padding"; goto usage; 
@@ -282,7 +286,7 @@ static void __attribute__ ((constructor))reg() "[--flag serverAuth|clientAuth|ocspSigning|msSmartcardLogon]+", "[--profile server|client|dual|ocsp] [--password challengePassword]", "[--digest sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", - "[--rsa-padding pkcs1|pss] [--outform der|pem]"}, + "[--rsa-padding pss|pkcs1] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "private key input file, default: stdin"}, @@ -295,7 +299,7 @@ static void __attribute__ ((constructor))reg() {"profile", 'P', 1, "certificate profile name to include in cert request"}, {"password", 'p', 1, "challengePassword to include in cert request"}, {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, - {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pss"}, {"outform", 'f', 1, "encoding of generated request, default: der"}, } }); diff --git a/src/pki/commands/scep.c b/src/pki/commands/scep.c index de36d0abd2..7e2e6cf6d9 100644 --- a/src/pki/commands/scep.c +++ b/src/pki/commands/scep.c @@ -1,7 +1,7 @@ /* * Copyright (C) 2005 Jan Hutter, Martin Willi * Copyright (C) 2012 Tobias Brunner - * Copyright (C) 2022 Andreas Steffen, strongSec GmbH + * Copyright (C) 2022-2023 Andreas Steffen, strongSec GmbH * * Copyright (C) secunet Security Networks AG * @@ -74,7 +74,7 @@ static int scep() bool ok, http_post = FALSE; bool pss = lib->settings->get_bool(lib->settings, - "%s.rsa_pss", FALSE, lib->ns); + "%s.rsa_pss", TRUE, lib->ns); bool renewal_via_pkcs_req = lib->settings->get_bool(lib->settings, "%s.scep.renewal_via_pkcs_req", FALSE, lib->ns); 
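Review bot: `scep()` receives the new `TRUE` default here, but unlike `acert()`, `issue()`, `req()`, `self()` and `sign_crl()` the diff contains no hunk for its `--rsa-padding` handling. If that code still follows the old pattern `else if (!streq(arg, "pkcs1"))`, then `--rsa-padding pkcs1` is accepted but never clears `pss`, and the request would be signed with PSS against the operator's explicit choice. The argument parsing lies outside the hunk, so this needs checking in the file; the fix would mirror the other commands, `else if (streq(arg, "pkcs1")) { pss = FALSE; }` followed by the `else` error branch.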
@@ -634,7 +634,7 @@ static void __attribute__ ((constructor))reg() "[--profile profile] [--password password]", " --cacert-enc file --cacert-sig file [--cacert file]+", " --oldcert file --oldkey file] [--cipher aes|des3]", - "[--digest sha256|sha384|sha512|sha224|sha1] [--rsa-padding pkcs1|pss]", + "[--digest sha256|sha384|sha512|sha224|sha1] [--rsa-padding pss|pkcs1]", "[--interval time] [--maxpolltime time] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, @@ -651,7 +651,7 @@ static void __attribute__ ((constructor))reg() {"key", 'k', 1, "Old RSA private key about to be replaced"}, {"cipher", 'E', 1, "encryption cipher, default: aes"}, {"digest", 'g', 1, "digest for signature creation, default: sha256"}, - {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pss"}, {"interval", 't', 1, "poll interval, default: 60s"}, {"maxpolltime", 'm', 1, "maximum poll time, default: 0 (no limit)"}, {"outform", 'f', 1, "encoding of stored certificates, default: der"}, diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index e76d3a14a2..c86d965506 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2009 Martin Willi - * Copyright (C) 2015-2019 Andreas Steffen + * Copyright (C) 2015-2023 Andreas Steffen * * Copyright (C) secunet Security Networks AG * @@ -73,7 +73,7 @@ static int self() x509_cert_policy_t *policy = NULL; traffic_selector_t *ts; char *arg; - bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", TRUE, lib->ns); san = linked_list_create(); @@ -129,7 +129,11 @@ static int self() { pss = TRUE; } - else if (!streq(arg, "pkcs1")) + else if (streq(arg, "pkcs1")) + { + pss = FALSE; + } + else { error = "invalid RSA padding"; goto usage; 
@@ -464,7 +468,7 @@ static void __attribute__ ((constructor))reg() "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--cert-policy oid [--cps-uri uri] [--user-notice text]]+", "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", - "[--rsa-padding pkcs1|pss] [--critical oid]", + "[--rsa-padding pss|pkcs1] [--critical oid]", "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, @@ -493,7 +497,7 @@ static void __attribute__ ((constructor))reg() {"flag", 'e', 1, "include extendedKeyUsage flag"}, {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, - {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pss"}, {"critical", 'X', 1, "critical extension OID to include for test purposes"}, {"outform", 'f', 1, "encoding of generated cert, default: der"}, } diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index 8df42220c1..2e5cf5b10b 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2017-2022 Andreas Steffen + * Copyright (C) 2017-2023 Andreas Steffen * Copyright (C) 2010 Martin Willi * * Copyright (C) secunet Security Networks AG @@ -126,7 +126,7 @@ static int sign_crl() chunk_t crl_serial = chunk_empty, baseCrlNumber = chunk_empty; chunk_t critical_extension_oid = chunk_empty; chunk_t encoding = chunk_empty; - bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", FALSE, + bool pss = lib->settings->get_bool(lib->settings, "%s.rsa_pss", TRUE, lib->ns); list = linked_list_create(); @@ -150,7 +150,11 @@ static int sign_crl() { pss = TRUE; } - else if (!streq(arg, "pkcs1")) + else if (streq(arg, "pkcs1")) + { + pss = FALSE; + } + else { error = "invalid RSA padding"; goto usage; 
@@ -469,7 +473,7 @@ static void __attribute__ ((constructor))reg() " superseded|cessation-of-operation|certificate-hold]", " [--date timestamp] --cert file|--serial hex]*", "[--digest md5|sha1|sha224|sha256|sha384|sha512|sha3_224|sha3_256|sha3_384|sha3_512]", - "[--rsa-padding pkcs1|pss] [--critical oid]", + "[--rsa-padding pss|pkcs1] [--critical oid]", "[--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, @@ -488,7 +492,7 @@ static void __attribute__ ((constructor))reg() {"reason", 'r', 1, "reason for certificate revocation"}, {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, {"digest", 'g', 1, "digest for signature creation, default: key-specific"}, - {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pkcs1"}, + {"rsa-padding", 'R', 1, "padding for RSA signatures, default: pss"}, {"critical", 'X', 1, "critical extension OID to include for test purposes"}, {"outform", 'f', 1, "encoding of generated crl, default: der"}, } diff --git a/src/pki/man/pki---acert.1.in b/src/pki/man/pki---acert.1.in index 6c574f2732..d45fcb46a6 100644 --- a/src/pki/man/pki---acert.1.in +++ b/src/pki/man/pki---acert.1.in @@ -105,8 +105,7 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, determined based on the type and size of the signature key. .TP .BI "\-R, \-\-rsa\-padding " padding -Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults -to \fIpkcs1\fR. +Padding to use for RSA signatures. Either \fIpss\fR (the default) or \fIpkcs1\fR. .TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or diff --git a/src/pki/man/pki---issue.1.in b/src/pki/man/pki---issue.1.in index e734d19649..febb41adfa 100644 --- a/src/pki/man/pki---issue.1.in +++ b/src/pki/man/pki---issue.1.in 
@@ -136,8 +136,7 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, determined based on the type and size of the signature key. .TP .BI "\-R, \-\-rsa\-padding " padding -Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults -to \fIpkcs1\fR. +Padding to use for RSA signatures. Either \fIpss\fR (the default) or \fIpkcs1\fR. .TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or diff --git a/src/pki/man/pki---req.1.in b/src/pki/man/pki---req.1.in index 55ad007e01..9ebd220350 100644 --- a/src/pki/man/pki---req.1.in +++ b/src/pki/man/pki---req.1.in @@ -116,8 +116,7 @@ Digest to use for signature creation. One of \fIsha1\fR, \fIsha224\fR, the type and size of the signature key. .TP .BI "\-R, \-\-rsa\-padding " padding -Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults -to \fIpkcs1\fR. +Padding to use for RSA signatures. Either \fIpss\fR (the default) or \fIpkcs1\fR. .TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or diff --git a/src/pki/man/pki---scep.1.in b/src/pki/man/pki---scep.1.in index 8817cffc11..a8ea8c5021 100644 --- a/src/pki/man/pki---scep.1.in +++ b/src/pki/man/pki---scep.1.in @@ -110,7 +110,7 @@ Digest to use for signature creation. One of \fIsha256\fR (the default), \fIsha384\fR, \fIsha512\fR, or \fIsha1\fR. .TP .BI "\-R, \-\-rsa\-padding " padding -Padding to use for RSA signatures. Either \fIpkcs1\fR (the default) or \fIpss\fR. +Padding to use for RSA signatures. Either \fIpss\fR (the default) or \fIpkcs1\fR. .TP .BI "\-t, \-\-interval " time Poll interval in seconds, defaults to \fI60s\fR. diff --git a/src/pki/man/pki---self.1.in b/src/pki/man/pki---self.1.in index cf25235b6c..f27eac58c0 100644 --- a/src/pki/man/pki---self.1.in +++ b/src/pki/man/pki---self.1.in 
@@ -118,8 +118,7 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, determined based on the type and size of the signature key. .TP .BI "\-R, \-\-rsa\-padding " padding -Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults -to \fIpkcs1\fR. +Padding to use for RSA signatures. Either \fIpss\fR (the default) or \fIpkcs1\fR. .TP .BI "\-f, \-\-outform " encoding Encoding of the created certificate file. Either \fIder\fR (ASN.1 DER) or diff --git a/src/pki/man/pki---signcrl.1.in b/src/pki/man/pki---signcrl.1.in index 781de8bfa3..cc622042f4 100644 --- a/src/pki/man/pki---signcrl.1.in +++ b/src/pki/man/pki---signcrl.1.in @@ -105,8 +105,7 @@ Digest to use for signature creation. One of \fImd5\fR, \fIsha1\fR, determined based on the type and size of the signature key. .TP .BI "\-R, \-\-rsa\-padding " padding -Padding to use for RSA signatures. Either \fIpkcs1\fR or \fIpss\fR, defaults -to \fIpkcs1\fR. +Padding to use for RSA signatures. Either \fIpss\fR (the default) or \fIpkcs1\fR. .TP .BI "\-X, \-\-critical " oid Add a critical extension with the given OID. diff --git a/testing/hosts/winnetou/etc/ca/generate-crl b/testing/hosts/winnetou/etc/ca/generate-crl index 2c4067a84a..35b59e5928 100755 --- a/testing/hosts/winnetou/etc/ca/generate-crl +++ b/testing/hosts/winnetou/etc/ca/generate-crl @@ -123,6 +123,14 @@ cd /etc/ca/sha3-rsa pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \ --digest sha3_256 > ${ROOT}/strongswan_sha3_rsa.crl +## +# strongSwan TKM-RSA Root CA +cd /etc/ca/tkm-rsa + +# generate CRL for strongSwan TKM-RSA Root CA +pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \ + --rsa-padding pkcs1 > ${ROOT}/strongswan_tkm_rsa.crl + ## # strongSwan Ed25519 Root CA cd /etc/ca/ed25519 diff --git a/testing/scripts/build-certs-chroot b/testing/scripts/build-certs-chroot index ea68dd16a8..928461d1ce 100755 --- a/testing/scripts/build-certs-chroot +++ b/testing/scripts/build-certs-chroot 
@@ -74,6 +74,12 @@ SHA3_RSA_KEY="${SHA3_RSA_DIR}/strongswanKey.pem" SHA3_RSA_CERT="${SHA3_RSA_DIR}/strongswanCert.pem" SHA3_RSA_CDP="http://crl.strongswan.org/strongswan_sha3_rsa.crl" # +TKM_RSA_DIR="${CA_DIR}/tkm-rsa" +TKM_RSA_KEY="${TKM_RSA_DIR}/strongswanKey.pem" +TKM_RSA_CERT="${TKM_RSA_DIR}/strongswanCert.pem" +TKM_RSA_CERT_DER="${TKM_RSA_DIR}/strongswanCert.der" +TKM_RSA_CDP="http://crl.strongswan.org/strongswan_tkm_rsa.crl" +# ED25519_DIR="${CA_DIR}/ed25519" ED25519_KEY="${ED25519_DIR}/strongswanKey.pem" ED25519_CERT="${ED25519_DIR}/strongswanCert.pem" @@ -105,6 +111,7 @@ mkdir -p ${DUCK_DIR}/certs mkdir -p ${ECDSA_DIR}/certs mkdir -p ${RFC3779_DIR}/certs mkdir -p ${SHA3_RSA_DIR}/certs +mkdir -p ${TKM_RSA_DIR}/certs mkdir -p ${ED25519_DIR}/certs mkdir -p ${MONSTER_DIR}/certs @@ -163,21 +170,6 @@ do 2> /dev/null done -# Put DER-encoded moon private key and Root CA certificate into tkm scenarios -for t in host2host-initiator host2host-responder host2host-xfrmproxy \ - multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \ - xfrmproxy-rekey -do - TEST="${TEST_DIR}/tkm/${t}" - mkdir -p ${TEST}/hosts/moon/${TKM_DIR} - cp ${CA_DIR}/keys/moonKey.der ${CA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR} -done - -# Put DER_encoded sun private key and Root CA certificate into tkm scenarios -TEST="${TEST_DIR}/tkm/multiple-clients" -mkdir -p ${TEST}/hosts/sun/${TKM_DIR} -cp ${CA_DIR}/keys/sunKey.der ${CA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR} - # Convert moon private key into unencrypted PKCS#8 format TEST="${TEST_DIR}/ikev2/rw-pkcs8" HOST_KEY="${DIR}/hosts/moon/${SWANCTL_DIR}/rsa/moonKey.pem" 
@@ -549,14 +541,14 @@ done openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER} ################################################################################ -# Multi-level CA Certificate Generation # +# Multi-level CA Certificate Generation with legacy RSA PKCS#1.5 padding # ################################################################################ # Generate Levels Root CA (pathlen is higher than the regular root) pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_KEY} pki --self --type rsa --in ${LEVELS_KEY} --not-before "${START}" --not-after "${CA_END}" \ --ca --pathlen 2 --dn "C=CH, O=${PROJECT}, CN=strongSwan Levels Root CA" \ - --outform pem > ${LEVELS_CERT} + --rsa-padding pkcs1 --outform pem > ${LEVELS_CERT} # For TKM's CA ID mapping LEVELS_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${LEVELS_KEY}` @@ -566,14 +558,14 @@ pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L2_KEY} pki --issue --cakey ${LEVELS_KEY} --cacert ${LEVELS_CERT} --crl ${LEVELS_CDP} \ --type rsa --in ${LEVELS_L2_KEY} --not-before "${START}" --not-after "${IM_END}" \ --ca --dn "C=CH, O=${PROJECT}, OU=L2, CN=Levels L2 CA" \ - --outform pem > ${LEVELS_L2_CERT} + --rsa-padding pkcs1 --outform pem > ${LEVELS_L2_CERT} # Generate Levels L3 CA signed by Levels L2 CA pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${LEVELS_L3_KEY} pki --issue --cakey ${LEVELS_L2_KEY} --cacert ${LEVELS_L2_CERT} --crl ${LEVELS_L2_CDP} \ --type rsa --in ${LEVELS_L3_KEY} --not-before "${START}" --not-after "${IM_END}" \ --ca --dn "C=CH, O=${PROJECT}, OU=L3, CN=Levels L3 CA" \ - --outform pem > ${LEVELS_L3_CERT} + --rsa-padding pkcs1 --outform pem > ${LEVELS_L3_CERT} for t in ikev2-multi-ca/crls-l3 tkm/multi-level-ca do 
@@ -1107,7 +1099,7 @@ pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY} pki --issue --cakey ${LEVELS_L3_KEY} --cacert ${LEVELS_L3_CERT} --type rsa \ --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=L3, CN=${CN}" \ - --crl ${LEVELS_L3_CDP} --outform pem > ${TEST_CERT} + --rsa-padding pkcs1 --crl ${LEVELS_L3_CDP} --outform pem > ${TEST_CERT} cp ${TEST_CERT} ${LEVELS_DIR}/certs/${SERIAL}.pem for t in tkm/multi-level-ca @@ -1349,7 +1341,7 @@ cp ${TEST_CERT} ${RFC3779_DIR}/certs/${SERIAL}.pem # Use specific plugin configuration to issue certificates with SHA-3 signatures # as not all crypto plugins support them. To avoid entropy issues use the # default plugins to generate the keys. -SHA3_PKI_PLUGINS="gmp pem pkcs1 random sha1 sha3 x509" +SHA3_PKI_PLUGINS="gmp pem pkcs1 random mgf1 sha1 sha3 x509" # Generate strongSwan SHA3-RSA Root CA pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SHA3_RSA_KEY} 
@@ -1455,6 +1447,142 @@ do cp ${SHA3_RSA_CERT} ${TEST}/hosts/${h}/${SWANCTL_DIR}/x509ca done +################################################################################ +# strongSwan TKM Root CA using legacy RSA PKCS#1.5 padding # +################################################################################ + +# Generate strongSwan TKM-RSA Root CA +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TKM_RSA_KEY} +pki --self --type rsa --in ${TKM_RSA_KEY} --rsa-padding pkcs1 \ + --not-before "${START}" --not-after "${CA_END}" --ca \ + --dn "C=CH, O=${PROJECT}, OU=TKM, CN=strongSwan Root CA" \ + --outform pem > ${TKM_RSA_CERT} + +# Put a copy in the following tkm scenarios +for t in multi-level-ca multiple-clients +do + TEST="${TEST_DIR}/tkm/${t}" + mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca + mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca + cp ${TKM_RSA_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca + cp ${TKM_RSA_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca +done + +# Convert strongSwan Root CA certificate into DER format +openssl x509 -in ${TKM_RSA_CERT} -outform der -out ${TKM_RSA_CERT_DER} + +TKM_RSA_SPK_HEX=`pki --keyid --type rsa --format hex --id spk --in ${TKM_RSA_KEY}` +TKM_RSA_SPKI_HEX=`pki --keyid --type rsa --format hex --id spki --in ${TKM_RSA_KEY}` + +# Generate a moon TKM-RSA certificate +TEST="${TEST_DIR}/tkm/host2host-initiator" +MOON_KEY="${TEST}/hosts/moon/${TKM_DIR}/moonKey.der" +MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem" +CN="moon.strongswan.org" +SERIAL="01" +mkdir -p ${TEST}/hosts/moon/${TKM_DIR} +mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509 +mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca +pki --gen --type rsa --size ${RSA_SIZE} > ${MOON_KEY} +pki --issue --cakey ${TKM_RSA_KEY} --cacert ${TKM_RSA_CERT} --type rsa \ + --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU= TKM, CN=${CN}" \ + --rsa-padding pkcs1 
--crl ${TKM_RSA_CDP} --outform pem > ${MOON_CERT} +cp ${TKM_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca +cp ${TKM_RSA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR} +cp ${MOON_CERT} ${TKM_RSA_DIR}/certs/${SERIAL}.pem + +# Generate a sun TKM-RSA certificate +SUN_KEY="${TEST}/hosts/sun/${SWANCTL_DIR}/rsa/sunKey.pem" +SUN_CERT="${TEST}/hosts/sun/${SWANCTL_DIR}/x509/sunCert.pem" +CN="sun.strongswan.org" +SERIAL="02" +mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa +mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509 +mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${SUN_KEY} +pki --issue --cakey ${TKM_RSA_KEY} --cacert ${TKM_RSA_CERT} --type rsa \ + --in ${SUN_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=TKM, CN=${CN}" \ + --rsa-padding pkcs1 --crl ${TKM_RSA_CDP} --outform pem > ${SUN_CERT} +cp ${SUN_CERT} ${TKM_RSA_DIR}/certs/${SERIAL}.pem +cp ${TKM_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca + + +# Put DER-encoded moon private key and Root CA certificate as well as PEM-encoded +# moon cert into the tkm/multi-level-ca +TEST="${TEST_DIR}/tkm/multi-level-ca" +mkdir -p ${TEST}/hosts/moon/${TKM_DIR} +mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509 +mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca +cp ${MOON_KEY} ${TKM_RSA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR} +cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509 +cp ${TKM_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca + +# Put key and certificate copies into the following tkm scenarios: +for t in host2host-responder host2host-xfrmproxy net2net-initiator \ + net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey +do + TEST="${TEST_DIR}/tkm/${t}" + mkdir -p ${TEST}/hosts/moon/${TKM_DIR} + mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509 + mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca + mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca + mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa + mkdir -p 
${TEST}/hosts/sun/${SWANCTL_DIR}/x509 + cp ${MOON_KEY} ${TKM_RSA_CERT_DER} ${TEST}/hosts/moon/${TKM_DIR} + cp ${MOON_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509 + cp ${TKM_RSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca + cp ${TKM_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca + cp ${SUN_KEY} ${TEST}/hosts/sun/${SWANCTL_DIR}/rsa + cp ${SUN_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509 +done + +# Generate a carol TKM-RSA certificate +TEST="${TEST_DIR}/tkm/multiple-clients" +TEST_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/rsa/carolKey.pem" +TEST_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem" +CN="carol@strongswan.org" +SERIAL="03" +mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa +mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509 +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY} +pki --issue --cakey ${TKM_RSA_KEY} --cacert ${TKM_RSA_CERT} --type rsa \ + --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=TKM, CN=${CN}" \ + --rsa-padding pkcs1 --crl ${TKM_RSA_CDP} --outform pem > ${TEST_CERT} +cp ${TEST_CERT} ${TKM_RSA_DIR}/certs/${SERIAL}.pem + +# Generate a dave TKM-RSA certificate +TEST_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/rsa/daveKey.pem" +TEST_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem" +CN="dave@strongswan.org" +SERIAL="04" +mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa +mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509 +pki --gen --type rsa --size ${RSA_SIZE} --outform pem > ${TEST_KEY} +pki --issue --cakey ${TKM_RSA_KEY} --cacert ${TKM_RSA_CERT} --type rsa \ + --in ${TEST_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \ + --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=TKM, CN=${CN}" \ + --rsa-padding pkcs1 --crl ${TKM_RSA_CDP} --outform pem > ${TEST_CERT} +cp ${TEST_CERT} ${TKM_RSA_DIR}/certs/${SERIAL}.pem + +# Put DER_encoded sun private key tkm/multiple-client scenario +mkdir -p ${TEST}/hosts/sun/${TKM_DIR} +mkdir 
-p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509 +mkdir -p ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca +openssl rsa -in ${SUN_KEY} -outform der -out ${TEST}/hosts/sun/${TKM_DIR}/sunKey.der +cp ${TKM_RSA_CERT_DER} ${TEST}/hosts/sun/${TKM_DIR} +cp ${SUN_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509 +cp ${TKM_RSA_CERT} ${TEST}/hosts/sun/${SWANCTL_DIR}/x509ca + +# Put dave private key and certificate in tkm/multi-level-ca scenario: +TEST="${TEST_DIR}/tkm/multi-level-ca" +mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa +mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509 +cp ${TEST_KEY} ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa +cp ${TEST_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509 + ################################################################################ # strongSwan Ed25519 Root CA # ################################################################################ @@ -1810,8 +1938,8 @@ do for h in moon do TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/moon/etc/strongswan.conf" - sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \ - -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \ + sed -e "s/CA_SPK_HEX/${TKM_RSA_SPK_HEX}/g" \ + -e "s/CA_SPKI_HEX/${TKM_RSA_SPKI_HEX}/g" \ -e "s/LEVELS_SPK_HEX/${LEVELS_SPK_HEX}/g" \ ${TEST_DATA}.in > ${TEST_DATA} done @@ -1822,8 +1950,8 @@ do for h in sun do TEST_DATA="${TEST_DIR}/tkm/${t}/hosts/${h}/etc/strongswan.conf" - sed -e "s/CA_SPK_HEX/${CA_SPK_HEX}/g" \ - -e "s/CA_SPKI_HEX/${CA_SPKI_HEX}/g" \ + sed -e "s/CA_SPK_HEX/${TKM_RSA_SPK_HEX}/g" \ + -e "s/CA_SPKI_HEX/${TKM_RSA_SPKI_HEX}/g" \ ${TEST_DATA}.in > ${TEST_DATA} done done diff --git a/testing/tests/ikev2-multi-ca/crls-l3/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/crls-l3/hosts/carol/etc/strongswan.conf index f3b571a1b4..5a809ce854 100644 --- a/testing/tests/ikev2-multi-ca/crls-l3/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2-multi-ca/crls-l3/hosts/carol/etc/strongswan.conf 
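Review bot: The subject DNs in the new TKM-RSA section (the hunk at `@@ -1455,6 +1447,142 @@`) are not consistent: the moon certificate is issued with `OU= TKM`, which has a stray space, the sun certificate with `O=TKM` and no `O=${PROJECT}`, while carol and dave use `O=${PROJECT}, OU=TKM`. Whether the tkm scenarios match on these identities is not visible here, but if the difference is unintended I would align moon and sun with `--dn "C=CH, O=${PROJECT}, OU=TKM, CN=${CN}"`. A one-line comment above the moon key generation noting that the missing `--outform pem` is deliberate (the key is stored as `moonKey.der`) would also save the next reader a second look.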
@@ -6,4 +6,6 @@ swanctl {
 charon-systemd {
 load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+
+ rsa_pss = no
 }
diff --git a/testing/tests/ikev2-multi-ca/crls-l3/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/crls-l3/hosts/dave/etc/strongswan.conf
index f3b571a1b4..5a809ce854 100644
--- a/testing/tests/ikev2-multi-ca/crls-l3/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2-multi-ca/crls-l3/hosts/dave/etc/strongswan.conf
@@ -6,4 +6,6 @@ swanctl {
 charon-systemd {
 load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+
+ rsa_pss = no
 }
diff --git a/testing/tests/ikev2-multi-ca/crls-l3/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2-multi-ca/crls-l3/hosts/moon/etc/strongswan.conf
index f3b571a1b4..5a809ce854 100644
--- a/testing/tests/ikev2-multi-ca/crls-l3/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2-multi-ca/crls-l3/hosts/moon/etc/strongswan.conf
@@ -6,4 +6,6 @@ swanctl {
 charon-systemd {
 load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+
+ rsa_pss = no
 }
diff --git a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
index a9abc6034f..06942024e6 100644
--- a/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
+++ b/testing/tests/ikev2/net2net-cert-sha2/evaltest.dat
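Review bot: The `rsa_pss = no` added to the crls-l3 carol config, and identically to the dave and moon configs in the next two hunks, carries no comment saying why this scenario opts out of the new PSS default. Without one a reader cannot tell a deliberate pin to legacy PKCS#1 padding from a leftover, and test configs tend to get copied into real deployments. A one-line comment above the setting would settle it, for example `# keep legacy PKCS#1 padding: <reason for this scenario>`. The same applies to the tkm/* host configs later in the commit, where the certificate script's `--rsa-padding pkcs1` suggests the reason but the configs do not state it.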
@@ -1,5 +1,5 @@ -moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA2_512 successful::YES -sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA2_384 successful::YES +moon:: cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with RSA_EMSA_PSS_SHA2_512_SALT_64 successful::YES +sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with RSA_EMSA_PSS_SHA2_384_SALT_48 successful::YES moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_MOON local-port=500 local-id=moon.strongswan.org remote-host=PH_IP_SUN remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=PH_IP_SUN local-port=500 local-id=sun.strongswan.org remote-host=PH_IP_MOON remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES diff --git a/testing/tests/ikev2/rw-sig-auth/description.txt b/testing/tests/ikev2/rw-sig-auth/description.txt index 6384f16aba..15ef8481c4 100755 --- a/testing/tests/ikev2/rw-sig-auth/description.txt +++ b/testing/tests/ikev2/rw-sig-auth/description.txt @@ -4,7 +4,7 @@ they use different hash algorithms. moon uses signature scheme constraint to only allow access to the research and accounting subnets if specific algorithms are used.

-Note: Because the client certificate's are signedwith SHA-256 we have to +Note: Because the client certificate's are signed with SHA-256 we have to accept that algorithm too because signature schemes in rightauth are also used as constraints for the whole certificate chain. Therefore, carol obtains access to the research subnet behind gateway diff --git a/testing/tests/ikev2/rw-sig-auth/evaltest.dat b/testing/tests/ikev2/rw-sig-auth/evaltest.dat index 0004f434f0..2038fb2b4b 100755 --- a/testing/tests/ikev2/rw-sig-auth/evaltest.dat +++ b/testing/tests/ikev2/rw-sig-auth/evaltest.dat 
@@ -2,10 +2,10 @@ carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED
 dave :: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
 moon :: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*alice-net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
 moon :: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::accounting.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*venus-net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES
-carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA_EMSA_PKCS1_SHA2_384 successful::YES
-dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA.* successful::YES
-moon ::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA_EMSA_PKCS1_SHA2_512 successful::YES
+carol::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA_EMSA_PSS_SHA2_256_SALT_32 successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*carol@strongswan.org.* with RSA_EMSA_PSS_SHA2_384_SALT_48 successful::YES
+dave ::cat /var/log/daemon.log::authentication of .*moon.strongswan.org.* with RSA_EMSA_PSS_SHA2_256_SALT_32 successful::YES
+moon ::cat /var/log/daemon.log::authentication of .*dave@strongswan.org.* with RSA_EMSA_PSS_SHA2_512_SALT_64 successful::YES
 moon ::cat /var/log/daemon.log::traffic selectors 10.1.0.20/32 === 192.168.0.100/32 unacceptable::YES
 moon ::cat /var/log/daemon.log::traffic selectors 10.1.0.10/32 === 192.168.0.200/32 unacceptable::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
diff --git a/testing/tests/tkm/.gitignore b/testing/tests/tkm/.gitignore
index 86d75283bb..0a2d28e00c 100644
--- a/testing/tests/tkm/.gitignore
+++ b/testing/tests/tkm/.gitignore
@@ -1,3 +1,2 @@
 *.der
 *.pem
-strongswan.conf
diff --git a/testing/tests/tkm/host2host-initiator/hosts/moon/.gitignore b/testing/tests/tkm/host2host-initiator/hosts/moon/.gitignore
new file mode 100644
index 0000000000..3796fd5279
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator/hosts/moon/.gitignore
@@ -0,0 +1 @@
+strongswan.conf
diff --git a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
index 6741344843..a7d4c47a57 100644
--- a/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tkm/host2host-initiator/hosts/sun/etc/strongswan.conf
@@ -6,4 +6,6 @@ swanctl {
 charon-systemd {
 load = pem pkcs1 random nonce openssl curl revocation xcbc vici kernel-netlink socket-default updown
+
+ rsa_pss = no
 }
diff --git a/testing/tests/tkm/host2host-responder/hosts/moon/.gitignore b/testing/tests/tkm/host2host-responder/hosts/moon/.gitignore
new file mode 100644
index 0000000000..3796fd5279
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder/hosts/moon/.gitignore
@@ -0,0 +1 @@
+strongswan.conf
diff --git a/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
index 6741344843..a7d4c47a57 100644
--- a/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tkm/host2host-responder/hosts/sun/etc/strongswan.conf
@@ -6,4 +6,6 @@ swanctl {
 charon-systemd {
 load = pem pkcs1 random nonce openssl curl revocation xcbc vici kernel-netlink socket-default updown
+
+ rsa_pss = no
 }
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/.gitignore b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/.gitignore
new file mode 100644
index 0000000000..3796fd5279
--- /dev/null
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/moon/.gitignore
@@ -0,0 +1 @@
+strongswan.conf
diff --git a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
index 6741344843..a7d4c47a57 100644
--- a/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tkm/host2host-xfrmproxy/hosts/sun/etc/strongswan.conf
@@ -6,4 +6,6 @@ swanctl {
 charon-systemd {
 load = pem pkcs1 random nonce openssl curl revocation xcbc vici kernel-netlink socket-default updown
+
+ rsa_pss = no
 }
diff --git a/testing/tests/tkm/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/tkm/multi-level-ca/hosts/carol/etc/strongswan.conf
new file mode 100644
index 0000000000..a7d4c47a57
--- /dev/null
+++ b/testing/tests/tkm/multi-level-ca/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 openssl revocation random
+}
+
+charon-systemd {
+ load = pem pkcs1 random nonce openssl curl revocation xcbc vici kernel-netlink socket-default updown
+
+ rsa_pss = no
+}
diff --git a/testing/tests/tkm/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/tkm/multi-level-ca/hosts/dave/etc/strongswan.conf
new file mode 100644
index 0000000000..a7d4c47a57
--- /dev/null
+++ b/testing/tests/tkm/multi-level-ca/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem pkcs1 openssl revocation random
+}
+
+charon-systemd {
+ load = pem pkcs1 random nonce openssl curl revocation xcbc vici kernel-netlink socket-default updown
+
+ rsa_pss = no
+}
diff --git a/testing/tests/tkm/multi-level-ca/hosts/moon/.gitignore b/testing/tests/tkm/multi-level-ca/hosts/moon/.gitignore
new file mode 100644
index 0000000000..3796fd5279
--- /dev/null
+++ b/testing/tests/tkm/multi-level-ca/hosts/moon/.gitignore
@@ -0,0 +1 @@
+strongswan.conf
diff --git a/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf b/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
index 6741344843..a7d4c47a57 100644
--- a/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tkm/multiple-clients/hosts/carol/etc/strongswan.conf
@@ -6,4 +6,6 @@ swanctl {
 charon-systemd {
 load = pem pkcs1 random nonce openssl curl revocation xcbc vici kernel-netlink socket-default updown
+
+ rsa_pss = no
 }
diff --git a/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf b/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
index 6741344843..a7d4c47a57 100644
--- a/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tkm/multiple-clients/hosts/dave/etc/strongswan.conf
@@ -6,4 +6,6 @@ swanctl {
 charon-systemd {
 load = pem pkcs1 random nonce openssl curl revocation xcbc vici kernel-netlink socket-default updown
+
+ rsa_pss = no
 }
diff --git a/testing/tests/tkm/multiple-clients/hosts/sun/.gitignore b/testing/tests/tkm/multiple-clients/hosts/sun/.gitignore
new file mode 100644
index 0000000000..3796fd5279
--- /dev/null
+++ b/testing/tests/tkm/multiple-clients/hosts/sun/.gitignore
@@ -0,0 +1 @@
+strongswan.conf
diff --git a/testing/tests/tkm/net2net-initiator/hosts/moon/.gitignore b/testing/tests/tkm/net2net-initiator/hosts/moon/.gitignore
new file mode 100644
index 0000000000..3796fd5279
--- /dev/null
+++ b/testing/tests/tkm/net2net-initiator/hosts/moon/.gitignore
@@ -0,0 +1 @@
+strongswan.conf
diff --git a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
index 6741344843..a7d4c47a57 100644
--- a/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tkm/net2net-initiator/hosts/sun/etc/strongswan.conf
@@ -6,4 +6,6 @@ swanctl {
 charon-systemd {
 load = pem pkcs1 random nonce openssl curl revocation xcbc vici kernel-netlink socket-default updown
+
+ rsa_pss = no
 }
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/.gitignore b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/.gitignore
new file mode 100644
index 0000000000..3796fd5279
--- /dev/null
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/moon/.gitignore
@@ -0,0 +1 @@
+strongswan.conf
diff --git a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
index 6741344843..5da9949874 100644
--- a/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tkm/net2net-xfrmproxy/hosts/sun/etc/strongswan.conf
@@ -6,4 +6,6 @@ swanctl {
 charon-systemd {
 load = pem pkcs1 random nonce openssl curl revocation xcbc vici kernel-netlink socket-default updown
+
+ rsa_pss = noS
 }
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/moon/.gitignore b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/.gitignore
new file mode 100644
index 0000000000..3796fd5279
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/moon/.gitignore
@@ -0,0 +1 @@
+strongswan.conf
diff --git a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf
index 6741344843..a7d4c47a57 100644
--- a/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tkm/xfrmproxy-expire/hosts/sun/etc/strongswan.conf
@@ -6,4 +6,6 @@ swanctl {
 charon-systemd {
 load = pem pkcs1 random nonce openssl curl revocation xcbc vici kernel-netlink socket-default updown
+
+ rsa_pss = no
 }
diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/.gitignore b/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/.gitignore
new file mode 100644
index 0000000000..3796fd5279
--- /dev/null
+++ b/testing/tests/tkm/xfrmproxy-rekey/hosts/moon/.gitignore
@@ -0,0 +1 @@
+strongswan.conf
diff --git a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf
index 6741344843..a7d4c47a57 100644
--- a/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tkm/xfrmproxy-rekey/hosts/sun/etc/strongswan.conf
@@ -6,4 +6,6 @@ swanctl {
 charon-systemd {
 load = pem pkcs1 random nonce openssl curl revocation xcbc vici kernel-netlink socket-default updown
+
+ rsa_pss = no
 }
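Review bot: The line added to net2net-xfrmproxy/hosts/sun/etc/strongswan.conf reads `rsa_pss = noS`, which looks like a typo for the `rsa_pss = no` used in every other sun, carol and dave config this commit touches. If the settings parser does not recognise `noS` as a boolean it presumably falls back to the caller's default, and this commit changes that default to TRUE in select_signature_schemes() and add_pubkey_constraints(). In that case sun would use RSA-PSS in this scenario instead of the intended legacy PKCS#1 padding, and the test would no longer exercise what it claims to. The line should be `rsa_pss = no`.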