added ikev2/rw-pkcs8 scenario

testing/scripts/build-umlrootfs

@@ -352,6 +352,11 @@ then
     echo -n " --enable-whitelist" >> $INSTALLSHELL
 fi
 
+if [ "$USE_PKCS8" = "yes" ]
+then
+    echo -n " --enable-pkcs8" >> $INSTALLSHELL
+fi
+
 if [ "$USE_IFMAP" = "yes" ]
 then
     echo -n " --enable-tnc-ifmap" >> $INSTALLSHELL

testing/testing.conf

@@ -78,6 +78,7 @@ USE_GCM="yes"
 USE_HA="yes"
 USE_AF_ALG="yes"
 USE_WHITELIST="yes"
+USE_PKCS8="yes"
 USE_IFMAP="no"
 USE_CISCO_QUIRKS="no"
 

testing/tests/ikev2/rw-pkcs8/description.txt

@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each 
+to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>
+and matching RSA private keys stored in the <b>PKCS#8</b> format. <b>moon</b>'s key
+is unencrypted, <b>carol</b>'s key is encrypted with the default PKCS#5 v1.5
+DES algorithm and <b>dave</b>'s key with the PKCS#5 v2.0 3DES algorithm.
+<p/>
+Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
+automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
+the client <b>alice</b> behind the gateway <b>moon</b>.

testing/tests/ikev2/rw-pkcs8/evaltest.dat

@@ -0,0 +1,10 @@
+moon::ipsec statusall::rw.*ESTABLISHED::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+

testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.conf

@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add

testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.d/private/carolKey.pem

@@ -0,0 +1,29 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIE6TAbBgkqhkiG9w0BBQMwDgQI+eazNjQUVoACAggABIIEyMUe2rc1ZsQgFwUm
+MiU+qAl2g7uzI1Pz6XzgvjZrV5n62XXAbIbG4WP08slkD2VXA5iVTnfI7nj0HEtD
+d2eaLU0GKNwmW7eSAXmhwBiUA623Xo0Y/X4eAY9VUfSlVshnNKOsgETQxQhUsKK1
+NXSpXfAjSgd+HDwQ+uvFQQD9WgibO3rIxfuO9+QqwnYXWz/p2bmc128mBibaFxwa
+SdVlYhR9l1hhFHN5cdD5AXFsflbLzGVR6gJpArU1m1soOEYp6q314L75KALYAVaY
+tQTC6gcPtXRZZvNsg9iRttPKsky0XJF7t5YGIqM4NNu5b534iXATm5Lt9jkrNKqm
+3SGD+KDLrk2aIaU9jCgY73Um1MJOls8AzUU0ZqwmAQAYoaZOwMDZ/P0Uw/du3Oaz
+O9FbzfPoS46muRZHMDVXEB0Zt8laSjwryeIU26MNye1xEU0aJJRaQQP2Vq8FTGtM
+Gi4gR9vdjyBhRE51z0kd5vPc7YkpqJNGB59KHRlHVmozo3v7zjkY/ROsiy1a0Vy/
+6ZkwtS0cnFzFhUBvUefzCsRKSiWWULqGIn3Qb7o+JQYc8vxuEua8DGnEmQEUBRgE
+j/YeI8wtObYm+u6eE0lbTopdSkfHu5UzTDYpnYDhW5nwv5ZOKeRBdXyX4BOrITnR
+xEsmp34/ql3/C9W1MXkjStaSRiWfbHt35gVlFaJNXZJXtKVOlFgxFxuslrawGI0c
+DLhPu1aMfHNc8LlD8cN5W2OQ/jsYlQDDd+n1WPpn+9VuBqSlnDl/mn4/0R7Yy53m
++lgruhfA7S26NG+SxHPXBq8PE052ohDLylKRGEqBTJp2aXNEKKZLrK8I1zbdIx1h
+0YAAtERtvqPu2xSvJ7lGuHD+87TlWa54p3H+0UM803RBQUcH5lsNUzQ4lAN/eFgg
+7TK2BqRTqWTVm8he0tVY8XJ4dLPLsXxUKb/tiFvtjBdQM7bq0UlTxign8VGZro7v
+dKkGqdsEEiFzCnOvDwyjOEG7wUVmO/ejWkuI510U80x/APuOUH0zQOTBhMSrz1Eh
+AdWWeSvNuyWyRPNNzlQ4DJd3UKnu4BZu4zobe4imhwCCrkGkfE5FhnyXExA8FppT
+2BNe5AmIfI1joEQyRgXm/nAvwvN9pawKfDxg8gmhBLjVfk50tAydWurhrhF6CnBL
+4h/hhb+C6HZBbNpmY+O12bDk81unZ8Vvtbkix5n7/371XbaAQN1WYxNaH6SDeT1J
+qDRWAZhGPBn7VLVaQ6ZmLB73U8vkcju8r6atWasZTPsZQl2eng9J/5UoL/0Ubri2
+Jlmj/fScAhlK7yM62dVYVwezYtKV8QUcaDmcqO8qhuVCnYlaqu6SO5ApYWkOMzMW
+EpvY0SqD6QkfKvT8bVU9GOaNSMaEKUR7NPPgettVcEkg50TeyBRvXvOAexD6qcE0
+NO/sYx9do0WpY4u85DZt3Toper0hchbEmXVHlxh8CKPgUTFVsDQ6AVyrVWrtoY1k
+VpJutwWV5sPIxq17bFLTJ7pP2NIvNBvwnDedn5WKNDFu9E2U8vAujVdzlQd/gsJi
+JLCreDt+rcmJVBJHMxZC+SpLbR4kNMAe5vwwESVo6wBsxMuyn1b+82C8rum5qbJ9
+RGF8RGrZzrPWbBITPw==
+-----END ENCRYPTED PRIVATE KEY-----

testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/ipsec.secrets

@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"

testing/tests/ikev2/rw-pkcs8/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}

testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.conf

@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn home
+	left=PH_IP_DAVE
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	keyexchange=ikev2
+	auto=add

testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.d/private/daveKey.pem

@@ -0,0 +1,30 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIRwFyB7jCGskCAggA
+MBQGCCqGSIb3DQMHBAjDqug87twvJwSCBMiBb1Y4B1FxGPGQwAgZd6aE8J6xH4VZ
+MNpkm4+MPCVYBvpG1q3I1YcvIw0GcAlLQASGLXEytuVEH5xCUaGdCsa5zVpf+6Ex
+i8Oyqf0dbRRafzN+K+jVLBa+higxXESE6jYxBP/auH4v5pcEy+fbljwDauyEP0bF
+EgURF5nTsa5c+MTmWho+OMy/1pAuP92XmwLeeBXWuRWs+s3wkBOIe3SerW5MOyMN
+mwqqu/6J4RU9VL7kooVE/B0oWJblvBTjeJoKDy5iX/iE2oRqXjihWPXYIhWqeCEB
+2QCpZ1/9hEN7FLX87GBD7yivhhQMF/uBnTRIjmgbKmNtwY1+rybz0MUJrXVfS1iE
+JYHlo4/cqudjsMjtjhTV9n4FJd9IsuSmZjMHVk3enIyhZ1oliugS25OpWKHnybzj
+65cgxVGPTW31o21w/fEqRRR/KzrEaMZiPyO2EEMcKlB7xmEX9cIdvD99OvLMPEuQ
+UA2hzRKO+A4roidNUT7yp8yy3BkQGLAr4JYaFINreeD+9BrIFx1jRbG3z8xqxtwh
+8P+uR2pyLYaDxeyxkjM7zDV4ax/iV1+L+z3GiC5GnPZEKkpm89MdI7fzeChttVVk
+CtpnxR3vxK2HqfcQFrTG5HNldzpAJk/tBrHRcyAnXrKs+XZhpOQ3gYoNY4fGeGYM
+c9NyeAUZkqJ1nCfHBAR9bmmCEwZSmhSt5voqZ+zS3DWKG30WtNpYMNEEchtWq8Op
+IEimZ341pZOjWqJ396zJ8qJ1XncffC/yAnRsb0xvhS149dwkDyH+17qVyF+V/pyb
+5unjg6V9g0yZ9TKyH858sRG8acVXo6NhuxCg0w8mJ4LCxcJSTgDA0lXFQcuTBLlZ
+YaXfD/dr60HfyH2ll4b5hlkww9jrg1uNW++FcsCHsZu5DV5QbhyVIYdhyp4dTV/7
+9SJJPmeMacQCNJqg783bpUyVaEecHAg8H/u+Zir0vWdRdpeekO28NLVqgQuPEqzs
+Y53RCbjlbilzHud50HHUAqN3fKJK51I1GrjrSeV9xSVnB5psjmOjPvEagGu4kv+s
+fu/fEge0HPx9FUA2xJR9u1/8swYsiAugoWxXFJVBSDJh2a4759ftd7b2mid0aX86
+OeJcY164mlLbu3d905Ez5mgVBHXDuk/LRwrvdprw48tqMB0Tv77egKbSeQzyQLD0
+ZhUQFIJ1cBlmFIw2ZdXUVlV2MJcK6XMlFkdyHRBTfiHI1V/Q2QFFLkTb64X3iTHC
+Ckow0ibsT76pDCP+Buotfk7gho6WgiojC0URzZPG/KDHUHO173S6Nr23NBpVzxun
+lKf5LiAC5LDoJmAx/XouYjh77LZLsi+jhuG3/DnIULZt8aSm5RKGZ6A3VgaaCXhp
+tG3kSSCD6gKrYt7FrKHQ1dwPakPaDdOrBtd13823sPth7GMKmbhrC/x4Q768ml/i
+Gk7DQoYbRkqi7t66aiYuJASxpYpsUWwO7MYOz2vGxDdskp/AukwnNJTA8e2rL0ki
+seqJ2l7+snUXZ4SFJ/D+wfMK2WeQRTJB4hgu7AQyp543mQ+EYZaNMtKIdgQL86q7
+MZVAx5ad82GNtAMgGLyf72bE1mkTK44poT6dob25z7MxFsM7zjadNDzcgBiYdEHq
+/8U=
+-----END ENCRYPTED PRIVATE KEY-----

testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/ipsec.secrets

@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA daveKey.pem "OJlNZBx+80dLh4wC6fw5LmBd"

testing/tests/ikev2/rw-pkcs8/hosts/dave/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}

testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.conf

@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+        crlcheckinterval=180
+	strictcrlpolicy=no
+	plutostart=no
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+
+conn rw
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftsubnet=10.1.0.0/16
+	leftfirewall=yes
+	right=%any
+	keyexchange=ikev2
+	auto=add

testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/ipsec.d/private/moonKey.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDKL2M91Lu6BYYh
+WxWgMS9z9TMSTwszm5rhO7ZIsCtMRo4PAeYw+++SGXt3CPXb/+p+SWKGlm11rPE7
+1eQ3ehgh2C3hAurfmWO0iQQaCw+fdreeIVCqOQIOP6UqZ327h5yYYpHk8VQv4vBJ
+TpxclU1PqnWheqe1ZlLxsW773LRml/fQt/UgvJkCBTZZONLNMfK+7TDnYaVsAtnc
+gvDN78nUNEe2qY92KK7SrBJ6SpUEg49m51F+XgsGcsgWVHS85on3Om/G48crLEVJ
+jdu8CxewSRVgb+lPJWzHd8QsU0Vg/7vlqs3ZRMyNtNKrr4opSvVbA6agGlTXhDCr
+eDiXU8KHAgMBAAECggEAIEUH9epqO/p9uf0rqnGvPTa5fAaZpxcC1UgOg/N6NaZd
+LhADiXXseskOZ6VKeF6UMqvLyedgeROtPPuafTBDgcNbLzqj+iQlQb9MpEt3pt/v
+1pFCqqiGp3eJCQeTjcbLO5cf6gaKhUoXR9wAINbDjB+MvsUw10cJngHP0Osc7/Kw
+d70Hqu9JibdVlGFLFqd4iRouSQNp0qlXHd9c0WUzFjioo8lhhKglnrWIyqs7v6uc
+D3e2bIMOzw8pTcG2el82t14+CV4keGTxmrIS/b804JJTFsoTw0K0ukZOz5PSqOOe
+7iTdY93dk4EBqfS48N6Qdl4cH9pcYuFhzHEnlK6uoQKBgQD4XWCmmQRHkm2hq523
+8JSl1DWxH3DF/vlUGongWJgAEZDP3GUbiiPMv+jnvazSJXdvAWmdBr5a5avEaQ/p
+m4H9nzaelzQ3+8ui79vh3G+Difsr5444R/TwUyOyx7a2pMhcoKpyZCdHQ09DWPC6
+8Qqxc/nD8k6WdFcBed3iPGwkjQKBgQDQZpPrXJK21Rb2MLebG5jqORDLxMRCpHec
+4W9bCYJchY6k38xNM+6z5N6XGn+l0qFT6ag+ZfdSfKd7k+/CV5YOrdjOW1flkNkY
+nlQmUq42d8YjNDo5wdFtvvMGlAbqpJE+66BuCjrzyFOdvUvn2crzzNZUrjl65/qn
+K6gj5LAgYwKBgQDvK8TySfKEFe97O6/TPVt4YeYenn9UPBjQNApIQCiIEGJauQuo
+vJuDBd/8onx1llzwSfTxoVfYYsnJh78qIHXKzfKkQEmqC9FrI/6j/0pn6o01F3Su
+oCSw9e8vsAE023STNqlNJUNp7di7qz+PVqYMgvmoB4REgN50bm4M+lDN1QKBgHsy
+2Ok/rcAGEu/xdulsFCcLG0HLDdbz0X5dyu2/nmBB2EThxK4zMD8K4wfi82k9LoAj
+1oEk2GPcK0qj9w4lpyEAZvX/C+Q7kAu8tbR+Fl0+y1ROcMlqKfu98X+HDNuz8+WF
+eC71P0qUt9G9cV0b5J3iDya6ZGKjNwuShHDLpc9PAoGAMk/6z3BeZ0b3QdJP9qoL
+sUqtVcukHrd1jmzA1R9A/qxrSkWc43SvQkKH9gKwYUUgB5tDa46QzeDd/2eTBOnv
+3XSi/7/m5OG9EjbDYEE/LSZW4As+PLIXVnZxv3OnIqIi5ehdEJ/ix3yvWVH1ufQX
+HHRK+nF/5+kwZIjmq4c0Epg=
+-----END PRIVATE KEY-----

testing/tests/ikev2/rw-pkcs8/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 pkcs8 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}

testing/tests/ikev2/rw-pkcs8/posttest.dat

@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null

testing/tests/ikev2/rw-pkcs8/pretest.dat

@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home

testing/tests/ikev2/rw-pkcs8/test.conf

@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"