0ff486f507
testing: Added swanctl/rw-multi-ciphers-ikev1 scenario
2016-04-12 18:50:58 +02:00
d3edc8aa0f
testing: Added swanctl/manual_prio scenario
2016-04-09 16:51:02 +02:00
638b4638e3
testing: Add swanctl/net2net-gw scenario
2016-04-09 16:51:00 +02:00
ea3a4d3f72
testing: List conntrack table on sun in ikev2/host2host-transport-connmark scenario
2016-04-06 14:01:18 +02:00
aa65b8c147
testing: Version bump to 5.4.0
...
References #1382 .
2016-04-06 11:17:40 +02:00
76397efa21
testing: Disable leak detective when generating CRLs
...
GnuTLS, which can get loaded by the curl plugin, does not properly cleanup
some allocated memory when deinitializing. This causes invalid frees if
leak detective is active. Other invalid frees are related to time
conversions (tzset).
References #1382 .
2016-04-06 11:16:59 +02:00
a9f9598ed0
testing: Updated updown scripts in libipsec scenarios to latest version
2016-03-23 14:13:07 +01:00
90ef7e8af6
Updated swanctl/rw-psk-ikev1 scenario
2016-03-10 13:59:37 +01:00
dc57c1b817
testing: Add ikev2/reauth-mbb-revoked scenario
2016-03-10 11:07:15 +01:00
d163aa5eaf
testing: Generate a CRL that has moon's actual certificate revoked
2016-03-10 11:07:15 +01:00
c2523355a4
testing: Added swanctl/mult-auth-rsa-eap-sim-id scenario
2016-03-06 19:09:03 +01:00
70ff382e41
testing: Added swanctl/xauth-rsa scenario
2016-03-06 12:28:55 +01:00
07b0eac4b1
testing: attr-sql is a charon plugin
2016-03-05 15:53:22 +01:00
26d2011b14
testing: Added swanctl/rw-psk-ikev1 scenario
2016-03-05 13:50:41 +01:00
1989c7a381
testing: Include IKE port information in evaltests
2016-03-05 13:44:06 +01:00
f80e910cce
testing: Add ikev2/redirect-active scenario
2016-03-04 16:03:00 +01:00
ba919f393d
testing: Added swanctl/protoport-range scenario
2016-03-04 09:52:34 +01:00
28649f6d91
libhydra: Remove empty unused library
2016-03-03 17:36:11 +01:00
efefa0c6a1
testing: Added swanctl/shunt-policies-nat-rw
2016-02-28 22:25:50 +01:00
13891e2a4f
testing: Some minor fixes in test scenarios
2016-02-28 22:25:21 +01:00
68c9f0bb80
testing: Added swanctl/protoport-dual scenario
2016-02-28 14:33:48 +01:00
ddf1fc7692
testing: converted af-alg scenarios to swanctl
2016-02-26 13:31:36 +01:00
4625113b1a
testing: Use absolute path to the _updown script in SQL scenarios
...
/usr/local/sbin is not included in PATH set by the charon init script and
since the ipsec script is obsolete when using swanctl it makes sense to
change this anyway.
2016-02-17 12:00:20 +01:00
963b080810
testing: Increased ping interval in ikev2/trap-any scenario
2016-02-16 18:21:19 +01:00
726a45b2f2
Corrected the description of the swanctl/dhcp-dynamic scenario
2016-02-16 18:17:17 +01:00
4d83c5b4a6
Fix of the mutual TNC measurement use case
...
If the IKEv2 initiator acting as a TNC server receives invalid TNC measurements
from the IKEv2 responder acting as a TNC clienti, the exchange of PB-TNC batches
is continued until the IKEv2 responder acting as a TNC server has also finished
its TNC measurements.
In the past if these measurements in the other direction were correct
the IKEv2 responder acting as EAP server declared the IKEv2 EAP authentication
successful and the IPsec connection was established even though the TNC
measurement verification on the EAP peer side failed.
The fix adds an "allow" group membership on each endpoint if the corresponding
TNC measurements of the peer are successful. By requiring a "allow" group
membership in the IKEv2 connection definition the IPsec connection succeeds
only if the TNC measurements on both sides are valid.
2016-02-16 18:00:27 +01:00
ac134b470a
testing: Added swanctl/dhcp-dynamic scenario
2016-02-03 12:10:59 +01:00
beb4a07ea8
ikev1: Log successful authentication with signature scheme
...
Output is now identical to that of the IKEv2 pubkey authenticator.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2016-02-01 15:58:53 +01:00
4cfcbe97a4
testing: Don't attempt to start the daemon twice in ha/active-passive scenario
2016-02-01 10:51:12 +01:00
67a38ac6f1
testing: Added swanctl/config-payload scenario
2016-01-14 06:31:28 +01:00
e7b5171e43
testing: Use include statement in swanctl/rw-pubkey-keyid scenario
2016-01-14 01:44:17 +01:00
2aa2b17d41
testing: swanctl/rw-pubkey-anon uses anonymous public keys in remote access scenario
2016-01-09 07:23:30 +01:00
b83cef2412
testing: added swanctl scenarios net2net-pubkey, rw-pubkey-keyid and rw-dnssec
2016-01-09 07:23:30 +01:00
bffbf2f5fd
testing: Fixed description of swanctl/frags-iv4 scenario
2016-01-09 00:17:31 +01:00
9db530493f
testing: Change sql scenarios to swanctl
2016-01-03 06:28:48 +01:00
1a79525559
testing: Fix some IKEv1 scenarios after listing DH groups for CHILD_SAs
2015-12-21 12:14:12 +01:00
490ba67682
testing: Fixed description in swanctl/rw-ntru-bliss scenario
2015-12-18 15:24:59 +01:00
9463350943
testing: swanctl is enabled by default
2015-12-18 15:22:29 +01:00
76cbf1df34
testing: Added swanctl/rw-ntru-bliss scenario
2015-12-17 17:49:48 +01:00
5e2b740a00
128 bit default security strength requires 3072 bit prime DH group
2015-12-14 10:39:40 +01:00
36b6d400d2
testing: swanctl/rw-cert scenario tests password-protected RSA key
2015-12-12 17:12:44 +01:00
4f7f2538c4
Upgraded IKE and ESP proposals in swanctl scenarios to consistent 128 bit security
2015-12-12 15:54:48 +01:00
fad851e2d3
Use VICI 2.0 protocol version for certificate queries
2015-12-11 18:26:54 +01:00
6789d79d46
testing: Added swanctl --list-algs output
2015-12-11 18:26:54 +01:00
6aa7703122
testing: Converted tnc scenarios to swanctl
2015-12-11 18:26:54 +01:00
74270c8c86
vici: Don't report memory usage via leak-detective
...
This slowed down the `swanctl --stats` calls in the test scenarios
significantly, with not much added value.
2015-12-11 18:26:53 +01:00
ae37090e65
testing: Use expect-connection in swanctl scenarios
...
Only in net2net-start do we have to use `sleep` to ensure the SA is
up when the tests are running.
2015-12-11 18:26:53 +01:00
b77e25c381
testing: The expect-connection helper may use swanctl to check for connections
...
Depending on the plugin configuration in the test scenario either
`ipsec statusall` or `swanctl --list-conns` is used to check for a named
connection.
2015-12-11 18:26:53 +01:00
cbc43f1b43
testing: Some more timing fixes
2015-12-01 14:51:23 +01:00
dddb32329c
testing: Updated expired mars.strongswan.org certificate
2015-11-26 09:55:28 +01:00
1c1f713431
testing: Error messages of curl plugin have changed
2015-11-13 14:02:45 +01:00
c4b9b7ef2c
testing: Fixed another timing issue
2015-11-13 14:02:06 +01:00
019c7c2310
testing: Check for leases in swanctl/ip-pool scenario
2015-11-11 08:43:43 +01:00
946bc3a3f5
testing: Fixed some more timing issues
2015-11-10 16:54:38 +01:00
10051b01e9
testing: Reduce runtime of all tests that use SQLite databases by storing them in ramfs
2015-11-09 15:18:39 +01:00
3102da20a7
testing: tnc/tnccs-20-hcd-eap scenario does not use SWID IMV/strongTNC
2015-11-09 15:18:38 +01:00
e873cb5a28
testing: Add test config to create and remove a directory for DBs stored in ramfs
2015-11-09 15:18:38 +01:00
10fa70ee5c
testing: Improve runtime of TNC tests by storing the SQLite DB in ramfs
...
This saves about 50%-70% of the time needed for scenarios that use a DB.
2015-11-09 15:18:38 +01:00
f24ec20ebb
testing: Fix test constraints in ikev2/rw-ntru-bliss scenario
...
Changed with a88d958933
2015-11-09 15:18:38 +01:00
529357f09a
testing: Use sha3 plugin in ikev2/rw-cert scenario
2015-11-09 15:18:38 +01:00
bcad0f761f
testing: Report the actual strongSwan and kernel versions
2015-11-09 15:18:37 +01:00
5a919312b3
testing: Record strongSwan version when building from tarball
2015-11-09 15:18:37 +01:00
aee35392d1
testing: Record strongSwan version when building from source tree
2015-11-09 15:18:37 +01:00
d4908c06c1
testing: Report time required for all scenarios on test overview page
2015-11-09 15:18:37 +01:00
f7234e5e9f
testing: Remove old SWID tags when building from repository
...
This fixes the TNC-PDP scenarios.
2015-11-09 15:18:36 +01:00
e22a663129
testing: Don't log anything to the console if auth.log or daemon.log do not exist
2015-11-09 15:18:36 +01:00
12f08e07e1
testing: Simplify fetching of swanctl --list-* output
2015-11-09 15:18:36 +01:00
bde9fb6fa1
testing: Don't run redundant crypto tests in sql/rw-cert scenario
...
They run in all other rw-cert scenarios but in the SQL version there is
no change in the loaded crypto plugins.
2015-11-09 15:18:36 +01:00
1091b3a636
testing: Fix CRL URIs in ipv6/net2net-ip4-in-ip6-ikev* scenarios
2015-11-09 15:18:36 +01:00
bb66b4d56b
testing: Speed up OCSP scenarios
...
Don't make clients wait for the TCP connections to timeout by dropping
packets. By rejecting them the OCSP requests fail immediately.
2015-11-09 15:18:35 +01:00
0ee4a333a8
testing: Speed up ifdown calls in ikev2/mobike scenarios
...
ifdown calls bind's rndc, which tries to access TCP port 953 on lo.
If these packets are dropped by the firewall we have to wait for the TCP
connections to time out, which takes quite a while.
2015-11-09 15:18:35 +01:00
cbaafa03c7
testing: Avoid delays with ping by using -W and -i options
...
With -W we reduce timeouts when we don't expect a response. With -i the
interval between pings is reduced (mostly in case of auto=route where
the first ping yields no reply).
2015-11-09 15:18:35 +01:00
f519acd42f
testing: Remove nearly all sleep calls from pretest and posttest scripts
...
By consistently using the `expect-connection` helper we can avoid pretty
much all previously needed calls to sleep.
2015-11-09 15:18:35 +01:00
f36b6d49af
testing: Adapt tests to retransmission settings and reduce DPD delay/timeout
2015-11-09 15:18:34 +01:00
8713e32435
testing: Only send two retransmits after 1 second each to fail negative tests earlier
2015-11-09 15:18:34 +01:00
9a0871ab94
testing: Add a base strongswan.conf file used by all hosts in all scenarios
...
We will use this to set some defaults (e.g. timeouts to make testing
negative tests quicker). We don't want these settings to show up in the
configs of the actual scenarios though.
2015-11-09 15:18:34 +01:00
17816515d2
testing: Add libipsec/net2net-null scenario
2015-11-09 11:09:48 +01:00
a98360a64c
testing: BLISS CA uses SHA-3 in its CRL
2015-11-03 21:35:09 +01:00
92ef3c2f21
testing: Update tkm to version 0.1.3
...
Adds XFRM state/policy flush when terminating which caused tests to fail
due to the check added with 9086f060d3
2015-10-30 11:19:44 +01:00
c6aa606a65
testing: Actually send an uncompressed packet in the ipv6/rw-compress-ikev2 scenario
...
The default of 56 bytes already exceeds the threshold of 90 bytes (8 bytes
ICMP + 40 bytes IPv6 = 104 bytes). By reducing the size we make sure the
packet is not compressed (40 + 8 + 40 = 88).
This also fixes a strange failure of this scenario due to the recently
added post-test `ip xfrm state` check. The kernel stores a reference to
the used SAs on the inbound skbuffs and since these are garbage collected
it could take a while until all references to an SA disappear and the SA
is finally destroyed. But while SAs might not get destroyed immediately
when we delete them, they are actually marked as dead and therefore won't
show up in `ip xfrm state`. However, that's not the case for the tunnel
SAs the kernel attaches to IPComp SAs, which we don't explicitly delete,
and which aren't modified by the kernel until the IPComp SA is destroyed.
So what happened when the last ping unintentionally got compressed is that
the skbuff had a reference to the IPComp SA and therefore the tunnel SA.
This skbuff often was destroyed after the `ip xfrm state` check ran and
because the tunnel SA would still get reported the test case failed.
2015-10-06 15:48:55 +02:00
2b5c543051
testing: added ikev2/alg-chacha20poly1305 scenario
2015-09-01 17:30:15 +02:00
57eb3b2b25
testing: update to Linux 4.2 kernel
2015-09-01 17:29:30 +02:00
e9ea7e6fb7
testing: Updated environment variable documentation in updown scripts
2015-08-31 11:00:05 +02:00
cdb61c3e88
Added some spaces in swanctl.conf
2015-08-25 15:10:13 +02:00
9086f060d3
testing: Let test scenarios fail if IPsec SAs or policies are not removed
...
The IKE daemon should delete all installed SAs and policies when
everything works properly, so we fail the test if that's not the case.
2015-08-21 18:27:06 +02:00
c91682d1b8
testing: Flush state and policies before every scenario
...
Similar to conntrack we make sure we are working on a clean slate.
2015-08-21 18:27:06 +02:00
8923621280
testing: Fix typo in p2pnat/behind-same-nat scenario
2015-08-21 17:48:37 +02:00
efb4b9440a
testing: Add missing sim_files file to ikev2/rw-eap-sim-radius scenario
2015-08-21 11:37:23 +02:00
161d75f403
testing: alice is RADIUS server in the ikev2/rw-eap-sim-radius scenario
2015-08-21 11:17:25 +02:00
18943c1f1b
testing: Print triplets.dat files of clients in EAP-SIM scenarios
...
References #1078 .
2015-08-21 11:16:56 +02:00
bb1d9e454d
testing: Add ikev2/trap-any scenario
2015-08-19 11:34:25 +02:00
5f60c55919
Extend HCD attribute data for tnc/tnccs-20-hcd-eap scenario
2015-08-18 21:25:39 +02:00
b19ef52d51
Added reason string support to HCD IMV
2015-08-18 21:25:39 +02:00
627e4b9659
Fixed patches format delimited by CR/LF
2015-08-18 21:25:39 +02:00
ac28daac38
testing: Added tnc/tnccs-20-hcd-eap scenario
2015-08-18 21:25:39 +02:00
ebed384887
testing: enable HCD IMC and IMV
2015-08-18 21:25:38 +02:00
626b2e85f0
testing: Update AAA certificate on Freeradius as well
2015-08-05 10:01:21 +02:00
9b1eaf083f
testing: Updated expired AAA server certificate
2015-08-04 21:50:01 +02:00
008a9ad12c
testing: Don't run do-tests when hosts are not running
...
running_any is satisfied if at least one host is running. We could
easily add a running_all() helper to check if all hosts are running if
it turns out that's not strong enough.
2015-08-03 13:34:05 +02:00
50dd7de226
testing: Suppress errors when checking for running hosts
...
If libvirt is not running virsh can't connect to it and will complain that
the socket does not exist.
2015-08-03 12:54:09 +02:00
493ad293b7
testing: Adapted ha/both-active scenario to new jhash values
2015-07-31 14:43:40 +02:00
1f406f3e6e
testing: Fix initial kernel build
...
The directory does not exist yet if the kernel was never built.
Fixes: a4a13d0be2
2015-07-31 12:34:44 +02:00
fbcac07043
testing: Regenerated BLISS certificates due to oracle changes
2015-07-27 22:09:08 +02:00
aaeb524cea
testing: Updated loop ca certificates
2015-07-22 17:11:00 +02:00
450c6e8dd9
testing: Added swanctl --list-authorities output to do-tests
2015-07-22 13:27:08 +02:00
73cbd5c7f8
testing: Updated all swanctl scenarios and added some new ones
2015-07-22 13:27:08 +02:00
db69295d2e
tests: Introduced IPV6 flag in tests.conf
2015-07-21 23:17:14 +02:00
6b265c5e5c
tests: Introduced SWANCTL flag in test.conf
2015-07-21 23:17:14 +02:00
3d9bfb607c
tests: fixed evaltest of swanctl/rw-cert scenario
2015-07-21 23:17:13 +02:00
f335e2f848
tests: fixed description of swanctl ip-pool scenarios
2015-07-21 23:17:13 +02:00
170e8d141c
testing: Do not attempt to start the test environment if hosts are still running
2015-07-15 16:53:37 +02:00
918dfce551
testing: Enable AESNI/PCLMULQD in moon/sun guests, if supported
2015-07-12 13:54:08 +02:00
2a75c6e487
testing: Do not overwrite kernel configuration if it already exists
...
This allows us to do changes to the kernel configuration using menuconfig
and friends, and update the kernel with make-testing.
2015-07-12 13:54:08 +02:00
a4a13d0be2
testing: Extract and patch each kernel version only once
...
This allows us to do modifications to the kernel tree and rebuild that kernel
using make-testing. We can even have a git kernel tree in a directory to
do kernel development.
2015-07-12 13:54:08 +02:00
6f913def3c
testing: Build with --enable-chapoly
2015-07-12 13:54:08 +02:00
b8399a2edc
testing: use a decent PSK
2015-05-30 16:56:41 +02:00
1047d44b57
testing: Added ha/active-passive scenario
2015-05-30 16:48:17 +02:00
13497e6cc1
testing: Include iperf and htop in base image
2015-05-22 13:30:10 +02:00
682aab205e
testing: Don't check parent dir (and subdirs) when downloading OpenSSL packages
2015-05-21 09:32:37 +02:00
c077642cbd
testing: Fix kernel download URL for kernel versions != 4.x
2015-05-19 17:00:06 +02:00
966efbc10d
testing: Fix URL to TNC@FHH project in scenario descriptions
2015-05-05 11:48:56 +02:00
41e9a261ac
testing: Update TKM assert strings
2015-05-05 10:55:14 +02:00
3ff0edd804
testing: Update alog to version 0.3.1
2015-05-05 10:55:14 +02:00
2fc53e76f8
testing: Update tkm to version 0.1.2
2015-05-05 10:55:14 +02:00
3c13ff0a97
testing: Update tkm-rpc to version 0.2
2015-05-05 10:55:14 +02:00
362e87e3e0
testing: Updated carol's certificate from research CA and dave's certificate from sales CA
2015-04-26 16:52:06 +02:00
d04e47a9eb
testing: Wait for DH crypto tests to complete
2015-04-26 11:51:49 +02:00
79b5a33c11
imv_policy_manager: Added capability to execute an allow or block shell command string
2015-04-26 10:55:24 +02:00
ce354443bf
testing: Migration of KVM framework to Linux 4.x kernel
2015-04-25 18:05:00 +02:00
883c11caa0
Added tnc/tnccs-20-fail-init and tnc/tnccs-20-fail-resp scenarios
2015-03-27 20:56:44 +01:00
193e057509
Added configurations for 3.18 and 3.19 KMV guest kernels
2015-03-27 20:56:44 +01:00
85aa509e84
Added tnc/tnccs-20-pt-tls scenario
2015-03-27 20:56:43 +01:00
be04f90815
testing: added tnc/tnccs-20-mutual scenario
2015-03-23 23:01:13 +01:00
3d964213f5
testing: Remove obsolete leftnexthop option from configs
2015-03-12 15:51:25 +01:00
2b0f34a2ef
testing: Don't check for exact IKEv1 fragment size
...
Similar to 7a9c0d51
2015-03-10 10:21:16 +01:00
58c3e09918
testing: Fix active/passive role description in ha/both-active test case
2015-03-10 10:02:21 +01:00
8b2af616ac
testing: Update modified updown scripts to the latest template
...
This avoids confusion and makes identifying the changes needed for each
scenario easier.
2015-03-06 16:51:50 +01:00
3fcb59b62a
use SHA512 for moon's BLISS signature
2015-03-04 14:08:37 +01:00
26ebe5fea8
testing: Test classic public key authentication in ikev2/net2net-cert scenario
2015-03-04 13:54:12 +01:00
53217d70b0
testing: Disable signature authentication on dave in openssl-ikev2/ecdsa-certs scenario
2015-03-04 13:54:12 +01:00
7a9c0d51f4
testing: Don't check for exact IKEv2 fragment size
...
Because SHA-256 is now used for signatures the size of the two IKE_AUTH
messages changed.
2015-03-04 13:54:10 +01:00
4aa24d4c13
testing: Update test conditions because signature schemes are now logged
...
RFC 7427 signature authentication is now used between strongSwan hosts
by default, which causes the actual signature schemes to get logged.
2015-03-04 13:54:10 +01:00
2f1b2d9183
testing: Add ikev2/rw-sig-auth scenario
2015-03-04 13:54:10 +01:00
3b31245a0f
testing: Add ikev2/net2net-cert-sha2 scenario
2015-03-04 13:54:10 +01:00
c2aca9eed2
Implemented improved BLISS-B signature algorithm
2015-02-25 21:45:34 +01:00
c10b2be967
testing: Add a forecast test case
2015-02-20 16:34:55 +01:00
3748fc70a7
testing: Build forecast plugin
2015-02-20 16:34:55 +01:00
9ed09d5f77
testing: Add a connmark plugin test
...
In this test two hosts establish a transport mode connection from behind
moon. sun uses the connmark plugin to distinguish the flows.
This is an example that shows how one can terminate L2TP/IPsec connections
from two hosts behind the same NAT. For simplification of the test, we use
an SSH connection instead, but this works for any connection initiated flow
that conntrack can track.
2015-02-20 16:34:54 +01:00
15f392d9ed
testing: Build strongSwan with the connmark plugin
2015-02-20 16:34:54 +01:00
f3a419e9c4
testing: Install iptables-dev to guest images
2015-02-20 16:34:54 +01:00
Andreas Steffen