Merge branch 'hash-url-multi-level'

Adds support to send intermediate CA certificates in hash-and-URL
encoding.  For that it moves the generation of URLs from the config
backends to the ike-cert-post task.

Fixes #3234.

src/libcharon/plugins/stroke/stroke_ca.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2015 Tobias Brunner
+ * Copyright (C) 2008-2019 Tobias Brunner
  * Copyright (C) 2008 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -89,11 +89,6 @@ struct ca_section_t {
 	 */
 	linked_list_t *ocsp;
 
-	/**
-	 * Hashes of certificates issued by this CA
-	 */
-	linked_list_t *hashes;
-
 	/**
 	 * Base URI used for certificates from this CA
 	 */
@@ -132,7 +127,6 @@ static ca_section_t *ca_section_create(char *name, char *path)
 	ca->path = strdup(path);
 	ca->crl = linked_list_create();
 	ca->ocsp = linked_list_create();
-	ca->hashes = linked_list_create();
 	ca->certuribase = NULL;
 	return ca;
 }
@@ -144,7 +138,6 @@ static void ca_section_destroy(ca_section_t *this)
 {
 	this->crl->destroy_function(this->crl, free);
 	this->ocsp->destroy_function(this->ocsp, free);
-	this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy));
 	this->cert->destroy(this->cert);
 	free(this->certuribase);
 	free(this->path);
@@ -308,32 +301,18 @@ static enumerator_t *create_inner_cdp(ca_section_t *section, cdp_data_t *data)
  */
 static enumerator_t *create_inner_cdp_hashandurl(ca_section_t *section, cdp_data_t *data)
 {
-	enumerator_t *enumerator = NULL, *hash_enum;
-	identification_t *current;
+	enumerator_t *enumerator = NULL;
 
 	if (!data->id || !section->certuribase)
 	{
 		return NULL;
 	}
 
-	hash_enum = section->hashes->create_enumerator(section->hashes);
-	while (hash_enum->enumerate(hash_enum, &current))
+	if (section->cert->has_subject(section->cert, data->id) != ID_MATCH_NONE)
 	{
-		if (current->matches(current, data->id))
-		{
-			char *url, *hash;
-
-			url = malloc(strlen(section->certuribase) + 40 + 1);
-			strcpy(url, section->certuribase);
-			hash = chunk_to_hex(current->get_encoding(current), NULL, FALSE).ptr;
-			strncat(url, hash, 40);
-			free(hash);
-
-			enumerator = enumerator_create_single(url, free);
-			break;
-		}
+		enumerator = enumerator_create_single(strdup(section->certuribase),
+											  free);
 	}
-	hash_enum->destroy(hash_enum);
 	return enumerator;
 }
 
@@ -621,46 +600,6 @@ static void list_uris(linked_list_t *list, char *label, FILE *out)
 	enumerator->destroy(enumerator);
 }
 
-METHOD(stroke_ca_t, check_for_hash_and_url, void,
-	private_stroke_ca_t *this, certificate_t* cert)
-{
-	ca_section_t *section;
-	enumerator_t *enumerator;
-
-	hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
-		return;
-	}
-
-	this->lock->write_lock(this->lock);
-	enumerator = this->sections->create_enumerator(this->sections);
-	while (enumerator->enumerate(enumerator, (void**)&section))
-	{
-		if (section->certuribase && cert->issued_by(cert, section->cert, NULL))
-		{
-			chunk_t hash, encoded;
-
-			if (cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
-			{
-				if (hasher->allocate_hash(hasher, encoded, &hash))
-				{
-					section->hashes->insert_last(section->hashes,
-						identification_create_from_encoding(ID_KEY_ID, hash));
-					chunk_free(&hash);
-				}
-				chunk_free(&encoded);
-			}
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-
-	hasher->destroy(hasher);
-}
-
 METHOD(stroke_ca_t, list, void,
 	private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 {
@@ -740,7 +679,6 @@ stroke_ca_t *stroke_ca_create()
 			.get_cert_ref = _get_cert_ref,
 			.reload_certs = _reload_certs,
 			.replace_certs = _replace_certs,
-			.check_for_hash_and_url = _check_for_hash_and_url,
 			.destroy = _destroy,
 		},
 		.sections = linked_list_create(),

src/libcharon/plugins/stroke/stroke_ca.h

@@ -58,13 +58,6 @@ struct stroke_ca_t {
 	 */
 	void (*list)(stroke_ca_t *this, stroke_msg_t *msg, FILE *out);
 
-	/**
-	 * Check if a certificate can be made available through hash and URL.
-	 *
-	 * @param cert		peer certificate
-	 */
-	void (*check_for_hash_and_url)(stroke_ca_t *this, certificate_t* cert);
-
 	/**
 	 * Get a reference to a CA certificate if it is already stored,
 	 * otherwise returns the same certificate.

src/libcharon/plugins/stroke/stroke_config.c

@@ -425,10 +425,6 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 			certificate = this->cred->load_peer(this->cred, cert);
 			if (certificate)
 			{
-				if (local)
-				{
-					this->ca->check_for_hash_and_url(this->ca, certificate);
-				}
 				cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
 				if (!first)
 				{

src/libcharon/plugins/vici/vici_authority.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2016 Tobias Brunner
+ * Copyright (C) 2016-2019 Tobias Brunner
  * Copyright (C) 2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -87,11 +87,6 @@ struct authority_t {
 	 */
 	linked_list_t *ocsp_uris;
 
-	/**
-	 * Hashes of certificates issued by this CA
-	 */
-	linked_list_t *hashes;
-
 	/**
 	 * Base URI used for certificates from this CA
 	 */
@@ -109,7 +104,6 @@ static authority_t *authority_create(char *name)
 		.name = strdup(name),
 		.crl_uris = linked_list_create(),
 		.ocsp_uris = linked_list_create(),
-		.hashes = linked_list_create(),
 	);
 
 	return authority;
@@ -122,7 +116,6 @@ static void authority_destroy(authority_t *this)
 {
 	this->crl_uris->destroy_function(this->crl_uris, free);
 	this->ocsp_uris->destroy_function(this->ocsp_uris, free);
-	this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy));
 	DESTROY_IF(this->cert);
 	free(this->cert_uri_base);
 	free(this->name);
@@ -694,32 +687,18 @@ static enumerator_t *create_inner_cdp(authority_t *authority, cdp_data_t *data)
 static enumerator_t *create_inner_cdp_hashandurl(authority_t *authority,
 												 cdp_data_t *data)
 {
-	enumerator_t *enumerator = NULL, *hash_enum;
-	identification_t *current;
+	enumerator_t *enumerator = NULL;
 
 	if (!data->id || !authority->cert_uri_base)
 	{
 		return NULL;
 	}
 
-	hash_enum = authority->hashes->create_enumerator(authority->hashes);
-	while (hash_enum->enumerate(hash_enum, &current))
+	if (authority->cert->has_subject(authority->cert, data->id) != ID_MATCH_NONE)
 	{
-		if (current->matches(current, data->id))
-		{
-			char *url, *hash;
-
-			url = malloc(strlen(authority->cert_uri_base) + 40 + 1);
-			strcpy(url, authority->cert_uri_base);
-			hash = chunk_to_hex(current->get_encoding(current), NULL, FALSE).ptr;
-			strncat(url, hash, 40);
-			free(hash);
-
-			enumerator = enumerator_create_single(url, free);
-			break;
-		}
+		enumerator = enumerator_create_single(strdup(authority->cert_uri_base),
+											  free);
 	}
-	hash_enum->destroy(hash_enum);
 	return enumerator;
 }
 
@@ -752,48 +731,6 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
 			(void*)create_inner_cdp, data, (void*)cdp_data_destroy);
 }
 
-METHOD(vici_authority_t, check_for_hash_and_url, void,
-	private_vici_authority_t *this, certificate_t* cert)
-{
-	authority_t *authority;
-	enumerator_t *enumerator;
-	hasher_t *hasher;
-
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		DBG1(DBG_CFG, "unable to use hash-and-url: sha1 not supported");
-		return;
-	}
-
-	this->lock->write_lock(this->lock);
-	enumerator = this->authorities->create_enumerator(this->authorities);
-	while (enumerator->enumerate(enumerator, &authority))
-	{
-		if (authority->cert_uri_base &&
-			cert->issued_by(cert, authority->cert, NULL))
-		{
-			chunk_t hash, encoded;
-
-			if (cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
-			{
-				if (hasher->allocate_hash(hasher, encoded, &hash))
-				{
-					authority->hashes->insert_last(authority->hashes,
-						identification_create_from_encoding(ID_KEY_ID, hash));
-					chunk_free(&hash);
-				}
-				chunk_free(&encoded);
-			}
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-
-	hasher->destroy(hasher);
-}
-
 METHOD(vici_authority_t, destroy, void,
 	private_vici_authority_t *this)
 {
@@ -822,7 +759,6 @@ vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher,
 				.create_cdp_enumerator = _create_cdp_enumerator,
 				.cache_cert = (void*)nop,
 			},
-			.check_for_hash_and_url = _check_for_hash_and_url,
 			.destroy = _destroy,
 		},
 		.dispatcher = dispatcher,

src/libcharon/plugins/vici/vici_authority.h

@@ -36,13 +36,6 @@ struct vici_authority_t {
 	 */
 	credential_set_t set;
 
-	/**
-	 * Check if a certificate can be made available through hash and URL.
-	 *
-	 * @param cert		end entity certificate
-	 */
-	void (*check_for_hash_and_url)(vici_authority_t *this, certificate_t* cert);
-
 	/**
 	 * Destroy a vici_authority_t.
 	 */

src/libcharon/plugins/vici/vici_config.c

@@ -1417,14 +1417,8 @@ CALLBACK(parse_cert_policy, bool,
  */
 static bool add_cert(auth_data_t *auth, auth_rule_t rule, certificate_t *cert)
 {
-	vici_authority_t *authority;
 	vici_cred_t *cred;
 
-	if (rule == AUTH_RULE_SUBJECT_CERT)
-	{
-		authority = auth->request->this->authority;
-		authority->check_for_hash_and_url(authority, cert);
-	}
 	cred = auth->request->this->cred;
 	cert = cred->add_cert(cred, cert);
 	auth->cfg->add(auth->cfg, rule, cert);

src/libcharon/sa/ikev2/tasks/ike_cert_post.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2019 Tobias Brunner
  * Copyright (C) 2006-2009 Martin Willi
  * HSR Hochschule fuer Technik Rapperswil
  *
@@ -48,17 +48,58 @@ struct private_ike_cert_post_t {
 	bool initiator;
 };
 
+/**
+ * Generate the payload for a hash-and-URL encoded certificate
+ */
+static bool build_hash_url_payload(char *base, certificate_t *cert,
+								   cert_payload_t **payload)
+{
+	hasher_t *hasher;
+	chunk_t hash, encoded;
+	char *url, *hex_hash;
+
+	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+	if (!hasher)
+	{
+		DBG1(DBG_IKE, "unable to use hash-and-url: SHA-1 not supported");
+		return FALSE;
+	}
+
+	if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
+	{
+		hasher->destroy(hasher);
+		return FALSE;
+	}
+	if (!hasher->allocate_hash(hasher, encoded, &hash))
+	{
+		hasher->destroy(hasher);
+		chunk_free(&encoded);
+		return FALSE;
+	}
+	chunk_free(&encoded);
+	hasher->destroy(hasher);
+
+	url = malloc(strlen(base) + 40 + 1);
+	strcpy(url, base);
+	hex_hash = chunk_to_hex(hash, NULL, FALSE).ptr;
+	strncat(url, hex_hash, 40);
+	free(hex_hash);
+
+	DBG1(DBG_IKE, "sending hash-and-url \"%s\"", url);
+	*payload = cert_payload_create_from_hash_and_url(hash, url);
+	chunk_free(&hash);
+	free(url);
+	return TRUE;
+}
+
 /**
  * Generates the cert payload, if possible with "Hash and URL"
  */
 static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
 										 certificate_t *cert)
 {
-	hasher_t *hasher;
-	identification_t *id;
-	chunk_t hash, encoded ;
 	enumerator_t *enumerator;
-	char *url;
+	char *base;
 	cert_payload_t *payload = NULL;
 
 	if (!this->ike_sa->supports_extension(this->ike_sa, EXT_HASH_AND_URL))
@@ -66,42 +107,14 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this,
 		return cert_payload_create_from_cert(PLV2_CERTIFICATE, cert);
 	}
 
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (!hasher)
-	{
-		DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
-		return cert_payload_create_from_cert(PLV2_CERTIFICATE, cert);
-	}
-
-	if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
-	{
-		DBG1(DBG_IKE, "encoding certificate for cert payload failed");
-		hasher->destroy(hasher);
-		return NULL;
-	}
-	if (!hasher->allocate_hash(hasher, encoded, &hash))
-	{
-		hasher->destroy(hasher);
-		chunk_free(&encoded);
-		return cert_payload_create_from_cert(PLV2_CERTIFICATE, cert);
-	}
-	chunk_free(&encoded);
-	hasher->destroy(hasher);
-	id = identification_create_from_encoding(ID_KEY_ID, hash);
-
-	enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, CERT_X509, id);
-	if (enumerator->enumerate(enumerator, &url))
-	{
-		payload = cert_payload_create_from_hash_and_url(hash, url);
-		DBG1(DBG_IKE, "sending hash-and-url \"%s\"", url);
-	}
-	else
+	enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, CERT_X509,
+													 cert->get_issuer(cert));
+	if (!enumerator->enumerate(enumerator, &base) ||
+		!build_hash_url_payload(base, cert, &payload))
 	{
 		payload = cert_payload_create_from_cert(PLV2_CERTIFICATE, cert);
 	}
 	enumerator->destroy(enumerator);
-	chunk_free(&hash);
-	id->destroy(id);
 	return payload;
 }
 
@@ -145,7 +158,7 @@ static void add_im_certs(private_ike_cert_post_t *this, auth_cfg_t *auth,
 	{
 		if (type == AUTH_RULE_IM_CERT)
 		{
-			payload = cert_payload_create_from_cert(PLV2_CERTIFICATE, cert);
+			payload = build_cert_payload(this, cert);
 			if (payload)
 			{
 				DBG1(DBG_IKE, "sending issuer cert \"%Y\"",

testing/scripts/build-certs-chroot

@@ -513,6 +513,13 @@ do
   cp ${RESEARCH_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
 done
 
+for t in rw-hash-and-url-multi-level
+do
+  TEST="${TEST_DIR}/swanctl/${t}"
+  mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+  cp ${RESEARCH_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+done
+
 # Convert Research CA certificate into DER format
 openssl x509 -in ${RESEARCH_CERT} -outform der -out ${RESEARCH_CERT_DER}
 
@@ -562,6 +569,13 @@ do
   cp ${SALES_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
 done
 
+for t in rw-hash-and-url-multi-level
+do
+  TEST="${TEST_DIR}/swanctl/${t}"
+  mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+  cp ${SALES_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+done
+
 # Convert Sales CA certificate into DER format
 openssl x509 -in ${SALES_CERT} -outform der -out ${SALES_CERT_DER}
 
@@ -936,7 +950,7 @@ do
   cp ${TEST_CERT} ${TEST}/hosts/carol/${IPSEC_DIR}/certs
 done
 
-for t in multi-level-ca ocsp-multi-level
+for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
 do
   TEST="${TEST_DIR}/swanctl/${t}"
   mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa
@@ -1051,7 +1065,7 @@ do
   cp ${TEST_CERT} ${TEST}/hosts/dave/${IPSEC_DIR}/certs
 done
 
-for t in multi-level-ca ocsp-multi-level
+for t in multi-level-ca rw-hash-and-url-multi-level ocsp-multi-level
 do
   TEST="${TEST_DIR}/swanctl/${t}"
   mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/rsa

testing/tests/swanctl/rw-hash-and-url-multi-level/description.txt

@@ -0,0 +1,12 @@
+The VPN gateway <b>moon</b> controls the access to the hosts <b>alice</b> and
+<b>venus</b> by means of two different Intermediate CAs. Access to
+<b>alice</b> is granted to users presenting a certificate issued by the Research CA
+whereas <b>venus</b> can only be reached with a certificate issued by the
+Sales CA. The roadwarriors <b>carol</b> and <b>dave</b> have certificates from
+the Research CA and Sales CA, respectively. Therefore <b>carol</b> can access
+<b>alice</b> and <b>dave</b> can reach <b>venus</b>.
+<p/>
+The gateway <b>moon</b> doesn't have the intermediate CA certificate installed
+and instead of sending the actual certificates, the two clients send "Hash and URL"
+certificate payloads. The gateway fetches the certificates via HTTP from server
+<b>winnetou</b>.

testing/tests/swanctl/rw-hash-and-url-multi-level/evaltest.dat

@@ -0,0 +1,22 @@
+carol::cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
+dave:: cat /var/log/daemon.log::fetched certificate.*moon.strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*carol@strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*CN=Research CA::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*dave@strongswan.org::YES
+moon:: cat /var/log/daemon.log::fetched certificate.*CN=Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES
+moon:: cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES
+moon:: cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.10/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*alice.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.10/32] remote-ts=\[192.168.0.100/32]::YES
+carol::cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*venus.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*child-sas.*venus.*state=INSTALLED::NO
+dave:: cat /var/log/daemon.log::received TS_UNACCEPTABLE notify, no CHILD_SA built::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED::NO
+moon:: swanctl --list-sas --raw 2> /dev/null::research.*version=2 state=ESTABLISHED.*remote-host=192.168.0.100 remote-port=4500 remote-id=dave@strongswan.org.*child-sas.*alice.*state=INSTALLED::NO
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=C=CH, O=strongSwan Project, OU=Sales, CN=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.20/32]::YES
+moon:: swanctl --list-sas --raw 2> /dev/null::sales.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=C=CH, O=strongSwan Project, OU=Sales, CN=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*venus.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.20/32] remote-ts=\[192.168.0.200/32]::YES

testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+
+  hash_and_url = yes
+}

testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/carol/etc/swanctl/swanctl.conf

@@ -0,0 +1,41 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = carolCert.pem
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      cert_uri_base = http://winnetou.strongswan.org/certs/
+   }
+
+   research {
+      cacert = researchCert.pem
+      cert_uri_base = http://winnetou.strongswan.org/certs/research/
+   }
+}

testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/strongswan.conf

@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+
+  hash_and_url = yes
+}

testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/dave/etc/swanctl/swanctl.conf

@@ -0,0 +1,41 @@
+connections {
+
+   home {
+      remote_addrs = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = daveCert.pem
+      }
+      remote {
+         auth = pubkey
+         id = moon.strongswan.org
+         revocation = strict
+      }
+      children {
+         alice {
+            remote_ts = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+         venus {
+            remote_ts = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      cert_uri_base = http://winnetou.strongswan.org/certs/
+   }
+
+   sales {
+      cacert = salesCert.pem
+      cert_uri_base = http://winnetou.strongswan.org/certs/sales/
+   }
+}

testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+  load = pem pkcs1 x509 revocation constraints pubkey openssl random nonce curl kernel-netlink socket-default vici
+
+  hash_and_url = yes
+}

testing/tests/swanctl/rw-hash-and-url-multi-level/hosts/moon/etc/swanctl/swanctl.conf

@@ -0,0 +1,54 @@
+connections {
+
+   research {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = "C=CH, O=strongSwan Project, OU=Research, CN=*"
+      }
+      children {
+         alice {
+            local_ts  = 10.1.0.10/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+
+   sales {
+      local_addrs  = 192.168.0.1
+
+      local {
+         auth = pubkey
+         certs = moonCert.pem
+         id = moon.strongswan.org
+      }
+      remote {
+         auth = pubkey
+         id = "C=CH, O=strongSwan Project, OU=Sales, CN=*"
+      }
+      children {
+         venus {
+            local_ts  = 10.1.0.20/32
+            esp_proposals = aes128-sha256-ecp256
+         }
+      }
+      version = 2
+      proposals = aes128-sha256-ecp256
+   }
+}
+
+authorities {
+
+   strongswan {
+      cacert = strongswanCert.pem
+      cert_uri_base = http://winnetou.strongswan.org/certs/
+   }
+}

testing/tests/swanctl/rw-hash-and-url-multi-level/posttest.dat

@@ -0,0 +1,8 @@
+carol::swanctl --terminate --ike home 2> /dev/null
+dave::swanctl --terminate --ike home 2> /dev/null
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+carol::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+dave::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*
+moon::cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*

testing/tests/swanctl/rw-hash-and-url-multi-level/pretest.dat

@@ -0,0 +1,10 @@
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection research
+carol::expect-connection alice
+carol::swanctl --initiate --child alice 2> /dev/null
+carol::swanctl --initiate --child venus 2> /dev/null
+dave::expect-connection alice
+dave::swanctl --initiate --child alice 2> /dev/null
+dave::swanctl --initiate --child venus 2> /dev/null

testing/tests/swanctl/rw-hash-and-url-multi-level/test.conf

@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1