Test TLS AEAD cipher suites

2014-04-01 10:12:15 +02:00 · 2014-04-01 10:12:15 +02:00 · 96e3142c39
parent 37ef086ea7
commit 96e3142c39
10 changed files with 17 additions and 10 deletions
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/carol/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac gcm stroke kernel-netlink socket-default eap-tls updown
  multiple_authentication=no

  plugins {
--- a/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-fragments/hosts/moon/etc/strongswan.conf
@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 hmac gcm stroke kernel-netlink socket-default eap-tls updown
  multiple_authentication=no

  plugins {
--- a/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/ikev2/rw-eap-tls-only/evaltest.dat
@ -1,5 +1,6 @@
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' with EAP successful::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/ipsec.conf
@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file

 config setup
+	charondebug="tls 2"

 conn %default
 	ikelifetime=60m
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@ -1,6 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
+
  multiple_authentication=no
 }
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/ipsec.conf
@ -1,6 +1,7 @@
 # /etc/ipsec.conf - strongSwan IPsec configuration file

 config setup
+	charondebug="tls 2"

 conn %default
 	ikelifetime=60m
--- a/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@ -1,6 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-tls updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac gcm stroke kernel-netlink socket-default eap-tls updown
+
  multiple_authentication=no
 }
+
+libtls {
+  suites = TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+}
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat
@ -1,7 +1,7 @@
 carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES
 moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES
 carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES
-carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES
+carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::YES
 carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES
 carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES
 moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf
@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon {
-  load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  load = curl pem pkcs1 random nonce openssl revocation stroke kernel-netlink socket-default eap-tls updown
  multiple_authentication=no
 }
--- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf
@ -1,13 +1,11 @@
 # /etc/strongswan.conf - strongSwan configuration file

 charon {
-  load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown
+  load = curl pem pkcs1 random nonce openssl revocation stroke kernel-netlink socket-default eap-tls updown
  multiple_authentication=no
 }

 libtls {
-  key_exchange = ecdhe-ecdsa
-  cipher = aes128
-  mac = sha256
+  suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 }