Merge branch 'cache-crls'

conf/options/charon.opt

@@ -30,6 +30,12 @@ charon.cert_cache = yes
 	Whether relations in validated certificate chains should be cached in
 	memory.
 
+charon.cache_crls = no
+	Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP should
+	be saved under a unique file name derived from the public key of the
+	Certification Authority (CA) to **/etc/ipsec.d/crls** (stroke) or
+	**/etc/swanctl/x509crl** (vici), respectively.
+
 charon.cisco_unity = no
 	Send Cisco Unity vendor ID payload (IKEv1 only).
 

src/libcharon/plugins/stroke/stroke_cred.c

@@ -562,7 +562,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
 	}
 }
 
-METHOD(stroke_cred_t, cache_cert, void,
+METHOD(credential_set_t, cache_cert, void,
 	private_stroke_cred_t *this, certificate_t *cert)
 {
 	if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
@@ -575,10 +575,14 @@ METHOD(stroke_cred_t, cache_cert, void,
 		{
 			char buf[BUF_LEN];
 			chunk_t chunk, hex;
+			bool is_delta_crl;
+
+			is_delta_crl = crl->is_delta_crl(crl, NULL);
 
 			chunk = crl->get_authKeyIdentifier(crl);
 			hex = chunk_to_hex(chunk, NULL, FALSE);
-			snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex.ptr);
+			snprintf(buf, sizeof(buf), "%s/%s%s.crl", CRL_DIR, hex.ptr,
+										is_delta_crl ? "_delta" : "");
 			free(hex.ptr);
 
 			if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
@@ -1497,6 +1501,10 @@ stroke_cred_t *stroke_cred_create(stroke_ca_t *ca)
 		.ca = ca,
 	);
 
+	if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns))
+	{
+		cachecrl(this, TRUE);
+	}
 	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 	lib->credmgr->add_set(lib->credmgr, &this->aacerts->set);
 

src/libcharon/plugins/stroke/stroke_socket.c

@@ -1,7 +1,7 @@
 /*
  * Copyright (C) 2011-2013 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the

src/libcharon/plugins/vici/Makefile.am

@@ -2,6 +2,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
 	-I$(top_srcdir)/src/libstrongswan/plugins/pubkey \
 	-I$(top_srcdir)/src/libcharon \
+	-DSWANCTLDIR=\""${swanctldir}\"" \
 	-DIPSEC_PIDDIR=\"${piddir}\"
 
 AM_CFLAGS = \

src/libcharon/plugins/vici/vici_cred.c

@@ -2,7 +2,7 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -25,8 +25,15 @@
 #include <credentials/certificates/crl.h>
 #include <credentials/certificates/x509.h>
 
+#include <errno.h>
+
 typedef struct private_vici_cred_t private_vici_cred_t;
 
+/**
+ * Directory for saved X.509 CRLs
+ */
+#define CRL_DIR SWANCTLDIR "/x509crl"
+
 /**
  * Private data of an vici_cred_t object.
  */
@@ -46,8 +53,54 @@ struct private_vici_cred_t {
 	 * credentials
 	 */
 	mem_cred_t *creds;
+
+	/**
+	 * cache CRLs to disk?
+	 */
+	bool cachecrl;
+
 };
 
+METHOD(credential_set_t, cache_cert, void,
+	private_vici_cred_t *this, certificate_t *cert)
+{
+	if (cert->get_type(cert) == CERT_X509_CRL && this->cachecrl)
+	{
+		/* CRLs get written to /etc/swanctl/x509crl/<authkeyId>.crl */
+		crl_t *crl = (crl_t*)cert;
+
+		cert->get_ref(cert);
+		if (this->creds->add_crl(this->creds, crl))
+		{
+			char buf[BUF_LEN];
+			chunk_t chunk, hex;
+			bool is_delta_crl;
+
+			is_delta_crl = crl->is_delta_crl(crl, NULL);
+			chunk = crl->get_authKeyIdentifier(crl);
+			hex = chunk_to_hex(chunk, NULL, FALSE);
+			snprintf(buf, sizeof(buf), "%s/%s%s.crl", CRL_DIR, hex.ptr,
+										is_delta_crl ? "_delta" : "");
+			free(hex.ptr);
+
+			if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk))
+			{
+				if (chunk_write(chunk, buf, 022, TRUE))
+				{
+					DBG1(DBG_CFG, "  written crl file '%s' (%d bytes)",
+						 buf, chunk.len);
+				}
+				else
+				{
+					DBG1(DBG_CFG, "  writing crl file '%s' failed: %s",
+						 buf, strerror(errno));
+				}
+				free(chunk.ptr);
+			}
+		}
+	}
+}
+
 /**
  * Create a (error) reply message
  */
@@ -349,6 +402,13 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
 
 	INIT(this,
 		.public = {
+			.set = {
+				.create_private_enumerator = (void*)return_null,
+				.create_cert_enumerator = (void*)return_null,
+				.create_shared_enumerator = (void*)return_null,
+				.create_cdp_enumerator = (void*)return_null,
+				.cache_cert = (void*)_cache_cert,
+			},
 			.add_cert = _add_cert,
 			.destroy = _destroy,
 		},
@@ -356,6 +416,11 @@ vici_cred_t *vici_cred_create(vici_dispatcher_t *dispatcher)
 		.creds = mem_cred_create(),
 	);
 
+	if (lib->settings->get_bool(lib->settings, "%s.cache_crls", FALSE, lib->ns))
+	{
+		this->cachecrl = TRUE;
+		DBG1(DBG_CFG, "crl caching to %s enabled", CRL_DIR);
+	}
 	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 
 	manage_commands(this, TRUE);

src/libcharon/plugins/vici/vici_cred.h

@@ -2,6 +2,9 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
+ * Copyright (C) 2016 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
  * Free Software Foundation; either version 2 of the License, or (at your
@@ -23,6 +26,8 @@
 
 #include "vici_dispatcher.h"
 
+#include <credentials/credential_set.h>
+
 typedef struct vici_cred_t vici_cred_t;
 
 /**
@@ -30,6 +35,11 @@ typedef struct vici_cred_t vici_cred_t;
  */
 struct vici_cred_t {
 
+	/**
+	 * Implements credential_set_t
+	 */
+	credential_set_t set;
+
 	/**
 	 * Add a certificate to the certificate store
 	 *

src/libcharon/plugins/vici/vici_plugin.c

@@ -2,7 +2,7 @@
  * Copyright (C) 2014 Martin Willi
  * Copyright (C) 2014 revosec AG
  *
- * Copyright (C) 2015 Andreas Steffen
+ * Copyright (C) 2015-2016 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -130,6 +130,7 @@ static bool register_vici(private_vici_plugin_t *this,
 			this->cred = vici_cred_create(this->dispatcher);
 			this->authority = vici_authority_create(this->dispatcher,
 													this->cred);
+			lib->credmgr->add_set(lib->credmgr, &this->cred->set);
 			lib->credmgr->add_set(lib->credmgr, &this->authority->set);
 			this->config = vici_config_create(this->dispatcher, this->authority,
 											  this->cred);
@@ -158,6 +159,7 @@ static bool register_vici(private_vici_plugin_t *this,
 		this->logger->destroy(this->logger);
 		this->attrs->destroy(this->attrs);
 		this->config->destroy(this->config);
+		lib->credmgr->remove_set(lib->credmgr, &this->cred->set);
 		lib->credmgr->remove_set(lib->credmgr, &this->authority->set);
 		this->authority->destroy(this->authority);
 		this->cred->destroy(this->cred);

src/libstrongswan/credentials/sets/mem_cred.c

@@ -1,6 +1,7 @@
 /*
- * Copyright (C) 2010-2015 Tobias Brunner
- * Hochschule fuer Technik Rapperwsil
+ * Copyright (C) 2010-2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperwsil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -223,6 +224,7 @@ METHOD(mem_cred_t, add_crl, bool,
 	{
 		if (current->get_type(current) == CERT_X509_CRL)
 		{
+			chunk_t base;
 			bool found = FALSE;
 			crl_t *crl_c = (crl_t*)current;
 			chunk_t authkey = crl->get_authKeyIdentifier(crl);
@@ -246,17 +248,37 @@ METHOD(mem_cred_t, add_crl, bool,
 			}
 			if (found)
 			{
-				new = crl_is_newer(crl, crl_c);
-				if (new)
+				/* we keep at most one delta CRL for each base CRL */
+				if (crl->is_delta_crl(crl, &base))
 				{
-					this->untrusted->remove_at(this->untrusted, enumerator);
-					current->destroy(current);
+					if (!crl_c->is_delta_crl(crl_c, NULL))
+					{
+						if (chunk_equals(base, crl_c->get_serial(crl_c)))
+						{	/* keep the added delta and the existing base CRL
+							 * but check if this is the newest delta CRL for
+							 * the same base */
+							continue;
+						}
+					}
 				}
-				else
+				else if (crl_c->is_delta_crl(crl_c, &base))
+				{
+					if (chunk_equals(base, crl->get_serial(crl)))
+					{	/* keep the existing delta and the added base CRL,
+						 * but check if we don't store it already */
+						continue;
+					}
+				}
+				new = crl_is_newer(crl, crl_c);
+				if (!new)
 				{
 					cert->destroy(cert);
+					break;
 				}
-				break;
+				/* we remove the existing older CRL but there might be other
+				 * delta or base CRLs we can replace */
+				this->untrusted->remove_at(this->untrusted, enumerator);
+				current->destroy(current);
 			}
 		}
 	}

src/libstrongswan/plugins/revocation/revocation_validator.c

@@ -403,6 +403,26 @@ static bool verify_crl(certificate_t *crl)
 	return verified;
 }
 
+/**
+ * Report the given CRL's validity and cache it if valid and requested
+ */
+static bool is_crl_valid(certificate_t *crl, bool cache)
+{
+	time_t valid_until;
+
+	if (crl->get_validity(crl, NULL, NULL, &valid_until))
+	{
+		DBG1(DBG_CFG, "  crl is valid: until %T", &valid_until, FALSE);
+		if (cache)
+		{
+			lib->credmgr->cache_cert(lib->credmgr, crl);
+		}
+		return TRUE;
+	}
+	DBG1(DBG_CFG, "  crl is stale: since %T", &valid_until, FALSE);
+	return FALSE;
+}
+
 /**
  * Get the better of two CRLs, and check for usable CRL info
  */
@@ -411,7 +431,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
 					bool cache, crl_t *base)
 {
 	enumerator_t *enumerator;
-	time_t revocation, valid_until;
+	time_t revocation;
 	crl_reason_t reason;
 	chunk_t serial;
 	crl_t *crl = (crl_t*)cand;
@@ -447,8 +467,6 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
 	{
 		if (chunk_equals(serial, subject->get_serial(subject)))
 		{
-			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
-				 &revocation, TRUE, crl_reason_names, reason);
 			if (reason != CRL_REASON_CERTIFICATE_HOLD)
 			{
 				*valid = VALIDATION_REVOKED;
@@ -458,6 +476,9 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
 				/* if the cert is on hold, a newer CRL might not contain it */
 				*valid = VALIDATION_ON_HOLD;
 			}
+			is_crl_valid(cand, cache);
+			DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
+				 &revocation, TRUE, crl_reason_names, reason);
 			enumerator->destroy(enumerator);
 			DESTROY_IF(best);
 			return cand;
@@ -470,18 +491,12 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
 	{
 		DESTROY_IF(best);
 		best = cand;
-		if (best->get_validity(best, NULL, NULL, &valid_until))
+		if (is_crl_valid(best, cache))
 		{
-			DBG1(DBG_CFG, "  crl is valid: until %T", &valid_until, FALSE);
 			*valid = VALIDATION_GOOD;
-			if (cache)
-			{	/* we cache non-stale crls only, as a stale crls are refetched */
-				lib->credmgr->cache_cert(lib->credmgr, best);
-			}
 		}
 		else
 		{
-			DBG1(DBG_CFG, "  crl is stale: since %T", &valid_until, FALSE);
 			*valid = VALIDATION_STALE;
 		}
 	}

src/pki/commands/signcrl.c

@@ -369,18 +369,22 @@ static int sign_crl()
 	}
 	else
 	{
-		crl_serial = chunk_from_chars(0x00);
+		if (!crl_serial.ptr)
+		{
+			crl_serial = chunk_from_chars(0x00);
+		}
 		lastenum = enumerator_create_empty();
 	}
 
-	/* remove superfluous leading zeros */
-	while (crl_serial.len > 1 && crl_serial.ptr[0] == 0x00 &&
-		  (crl_serial.ptr[1] & 0x80) == 0x00)
-	{
-		crl_serial = chunk_skip_zero(crl_serial);
+	if (!crl_serial.len || crl_serial.ptr[0] & 0x80)
+	{	/* add leading 0x00 to handle potential overflow if serial is encoded
+		 * incorrectly */
+		crl_serial = chunk_cat("cc", chunk_from_chars(0x00), crl_serial);
+	}
+	else
+	{
+		crl_serial = chunk_clone(crl_serial);
 	}
-	crl_serial = chunk_clone(crl_serial);
-
 	/* increment the serial number by one */
 	chunk_increment(crl_serial);
 

testing/hosts/winnetou/etc/openssl/generate-crl

@@ -31,6 +31,12 @@ cp index.html         ${ROOT}
 # revoke moon's current CERT
 pki --signcrl --cacert strongswanCert.pem --cakey strongswanKey.pem --lifetime 30 --reason key-compromise --cert newcerts/2B.pem --lastcrl strongswan.crl > strongswan_moon_revoked.crl
 cp strongswan_moon_revoked.crl ${ROOT}
+# generate a base CRL
+pki --signcrl --lastcrl strongswan.crl --cacert strongswanCert.der --cakey strongswanKey.pem --lifetime 30 --crluri http://crl.strongswan.org/strongswan_delta.crl --digest sha256 > strongswan_base.crl
+cp strongswan_base.crl ${ROOT}
+# generate a delta CRL revoking moon's current cert
+pki --signcrl --basecrl strongswan_base.crl --reason key-compromise --cert newcerts/2B.pem --cacert strongswanCert.der --cakey strongswanKey.pem --lifetime 10 --digest sha256 > strongswan_delta.crl
+cp strongswan_delta.crl ${ROOT}
 cd /etc/openssl/research
 openssl ca -gencrl -crldays 15 -config /etc/openssl/research/openssl.cnf -out crl.pem
 openssl crl -in crl.pem -outform der -out research.crl

testing/tests/ikev2/crl-from-cache/hosts/moon/etc/ipsec.conf

@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=yes
-	cachecrls=yes
 
 conn %default
 	ikelifetime=60m

testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf

@@ -2,4 +2,6 @@
 
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+
+  cache_crls = yes
 }

testing/tests/ikev2/crl-to-cache/hosts/moon/etc/ipsec.conf

@@ -2,7 +2,6 @@
 
 config setup
 	strictcrlpolicy=yes
-	cachecrls=yes
 
 conn %default
 	ikelifetime=60m

testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf

@@ -2,4 +2,6 @@
 
 charon {
   load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac xcbc stroke kernel-netlink socket-default
+
+  cache_crls = yes
 }

testing/tests/swanctl/crl-to-cache/description.txt

@@ -0,0 +1,8 @@
+By setting <b>cache_crls = yes</b> in <b>/etc/strongswan.conf</b>, a copy of
+both the <b>base CRL</b> and the latest <b>delta CRL</b> fetched via http from
+the web server <b>winnetou</b> is saved locally in the directory
+<b>/etc/swanctl/x509crl</b> on both the roadwarrior <b>carol</b> and the
+gateway <b>moon</b> when the IPsec connection is set up.
+The <b>subjectKeyIdentifier</b> of the issuing CA plus the suffixes
+<b>.crl</b> and <b>_delta.crl</b> are used as unique filename for the
+cached <b>base CRL</b> and <b>delta CRL</b>, respectively.

testing/tests/swanctl/crl-to-cache/evaltest.dat

@@ -0,0 +1,8 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org::NO
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org::NO
+moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+moon:: cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def_delta.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def.crl::YES
+carol::cat /var/log/daemon.log::written crl .*/etc/swanctl/x509crl/5da7dd700651327ee7b66db3b5e5e060ea2e4def_delta.crl::YES
+carol::cat /var/log/daemon.log::certificate was revoked::YES
+carol::cat /var/log/daemon.log::no trusted RSA public key found for.*moon.strongswan.org::YES

testing/tests/swanctl/crl-to-cache/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+
+  cache_crls = yes
+}

testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/swanctl.conf

@@ -0,0 +1,23 @@
+connections {
+
+   home {
+      local_addrs  = 192.168.0.100
+      remote_addrs = 192.168.0.1 
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+         id = carol@strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org 
+      }
+      children {
+         home {
+            remote_ts = 10.1.0.0/16 
+         }
+      }
+      version = 2
+   }
+}

testing/tests/swanctl/crl-to-cache/hosts/carol/etc/swanctl/x509/carolCert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoDCCAoigAwIBAgIBMDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE0MDgyNzE1MDUzNloXDTE5MDgyNjE1MDUzNlowWjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsTCFJlc2Vh
+cmNoMR0wGwYDVQQDDBRjYXJvbEBzdHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcN
+AQEBBQADggEPADCCAQoCggEBALfz1DcXyt/sOALi1IZ/RcuPa5m+4fiSST2wVWWr
+lw3hUjeiwLfgoLrtKaGX4i+At82Zol2mdbEXFpO+9qxXliP2u0fexqP4mBuZus3E
+LA82EOL0lQ2ahAi8O3qafkDMBSgvoeJpEwNe00Ugh53g7hT7dw8tSgcPGqQkWutI
+IKT9T6e/HbHNjRtYlw9ZlHsp8gSYjg/Q6vV6ofttueMUD9NRv8w2Y76rnRRmUGf3
+GlNFFmgxZntCJRuYltnxV7VcCFoppyauYt/fPmjAxbPRuhHKacnzIzq83Ixf5fSj
+MTlluGCfWFX/NGENXamBqChkRLHmuCHNexxRp9s2F1S10hECAwEAAaOBhTCBgjAf
+BgNVHSMEGDAWgBRdp91wBlEyfue2bbO15eBg6i5N7zAfBgNVHREEGDAWgRRjYXJv
+bEBzdHJvbmdzd2FuLm9yZzA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vY3JsLnN0
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fYmFzZS5jcmwwDQYJKoZIhvcNAQELBQAD
+ggEBABxfR7BK9IlDFdycldmYVfL2W2U/2b5tEZx/n943wEhc+AM+J1bba3yTeo61
+6AOEhO7QeaNnsAY9ZIRHfH827Lk1dWjub88ze/rS7qmozStF23Rzs4BimeiMQ6xI
+f1hJA1OiNXja2/lLijprevBY824Cd2iEq8LdU+9PIstsYKoLaSD/Ohilk4PGHIqX
+unhdasBKogtvS/PxKWSq+qdEFgHjM70uaf1Tx6QnPS9sqo/qxAQqxKOLstRmXRd6
+ojkTNWRO1miG1rOQkMcc4L2nbsb8nYFrUFLw7PjeJ1ugPL6R+tVjp32OWqCwvWtP
+SGaAJ/regpHs89VLbTKz1ybcqhw=
+-----END CERTIFICATE-----

testing/tests/swanctl/crl-to-cache/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random 
+}
+
+charon {
+  load = random nonce aes sha1 sha2 pem pkcs1 gmp x509 curl revocation hmac kernel-netlink socket-default vici
+
+  start-scripts {
+    creds = /usr/local/sbin/swanctl --load-creds 
+    conns = /usr/local/sbin/swanctl --load-conns
+  } 
+
+  cache_crls = yes
+}

testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,21 @@
+connections {
+
+   rw {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+      }
+      children {
+         net {
+            local_ts  = 10.1.0.0/16 
+         }
+      }
+      version = 2
+   }
+}

testing/tests/swanctl/crl-to-cache/hosts/moon/etc/swanctl/x509/moonCert.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDoDCCAoigAwIBAgIBKzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTE0MDgyNzE0NDQ1NloXDTE5MDgyNjE0NDQ1NlowRjELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAMTE21vb24u
+c3Ryb25nc3dhbi5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCk
+fAX6xRdB0f5bBjN08zOmO7CEYa8eCyYFqHUhCw+x10v2BnKB6vOlMzW+9DiRtG68
+TdJlYt/24oRuJBX0gAGvzsv0kC9rnoQcgCJQy4bxaLNVsgoiFCVlzxLaYjABbQlz
+oSaegm/2PoX+1UP37rG8wlvAcuLSHsFQ720FUs/LvZh4Y0FjoKhvgKs64U4nIAJ7
+MnuL29n5fM5+dem7uovQOBg/+faZo8QkYSK9MW6eQkP+YnwN5zItNBxyGwKPbXXw
+Ey5/aqNWfhRY8IEG6HJgrnCwBMHUA14C2UV+Af7Cy4eNnC1Mmu7TmUYcFncXaFn0
+87ryFUdshlmPpIHxfjufAgMBAAGjgZkwgZYwHwYDVR0jBBgwFoAUXafdcAZRMn7n
+tm2zteXgYOouTe8wHgYDVR0RBBcwFYITbW9vbi5zdHJvbmdzd2FuLm9yZzATBgNV
+HSUEDDAKBggrBgEFBQcDATA+BgNVHR8ENzA1MDOgMaAvhi1odHRwOi8vY3JsLnN0
+cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW5fYmFzZS5jcmwwDQYJKoZIhvcNAQELBQAD
+ggEBAD7YFpbQoRC0nte5t/hpoaxiOwE4Wm+rKexOt8zbYhUc0Yrw6a89LELdqoa8
+vuSAxeHAUY4VmeWLOy7rSf/wURmjdMGO2su3Db+ZaOcrA8J5Oqxv3IAhdBcO4PUz
+e0Lu2+f8RyKhKUQGpkSJBIlHhv0APN6TBX0R8cvvZ5XnFKj+GNd7fT4RN5Qjp+9H
+f8kZboA3/Rg2+JcWOWgNu9sjqevoqjSJiDV8s3n5QO1VRZi32DAgSMAWWorDdKtd
+uMPizLDy7W1nSQGf/vhXDkE95g689Md04dul6vAerCdsf389ckjthCIUqAPoLWn7
+XZnkIiV5xba29D9dTq0QElCzU+M=
+-----END CERTIFICATE-----

testing/tests/swanctl/crl-to-cache/posttest.dat

@@ -0,0 +1,4 @@
+carol::service charon stop 2> /dev/null
+moon::service charon stop 2> /dev/null
+moon::rm /etc/swanctl/x509crl/*
+carol::rm /etc/swanctl/x509crl/*

testing/tests/swanctl/crl-to-cache/pretest.dat

@@ -0,0 +1,5 @@
+moon::service charon start 2> /dev/null
+carol::service charon start 2> /dev/null
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null

testing/tests/swanctl/crl-to-cache/test.conf

@@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# charon controlled by swanctl
+SWANCTL=1