Andreas Steffen
1e0dc2c329
testing: Add chapoly, ntru and newhope plugins to crypto and integrity tests
2016-08-10 14:34:27 +02:00
Andreas Steffen
277ef8c2fa
testing: Added ikev2/rw-newhope-bliss scenario
2016-08-10 14:22:00 +02:00
Tobias Brunner
c3e5109c37
testing: Add ikev1/net2net-esn scenario
2016-06-29 11:16:48 +02:00
Tobias Brunner
5a09734c2c
testing: Start charon before Apache in tnc/tnccs-20-pdp-pt-tls
...
The change in c423d0e8a1 ("testing: Fix race in tnc/tnccs-20-pdp-pt-tls
scenario") is not really ideal as now the vici plugin might not yet be
ready when `swanctl --load-creds` is called. Perhaps starting charon
before Apache causes enough delay.
Once we switch to charon-systemd this isn't a problem anymore as starting the
unit will block until everything is up and ready. Also, the individual
swanctl calls will be redundant as the default service unit calls --load-all.
But start scripts do run before charon-systemd signals that the daemon is
ready, so using these would work too then.
2016-06-21 17:24:43 +02:00
Tobias Brunner
c423d0e8a1
testing: Fix race in tnc/tnccs-20-pdp-pt-tls scenario
...
aacf84d837 ("testing: Add expect-connection calls for all tests and
hosts") removed the expect-connection call for the non-existing aaa
connection. However, because the credentials were loaded asynchronously
via start-script the clients might have been connecting when the secrets
were not yet loaded. As `swanctl --load-creds` is a synchronous call
this change avoids that issue without having to add a sleep or failing
expect-connection call.
2016-06-17 18:43:36 +02:00
Tobias Brunner
44e83f76f3
testing: Use TLS 1.2 in RADIUS test cases
...
This took a while as in the OpenSSL package shipped with Debian and on which
our FIPS-enabled package is based, the function SSL_export_keying_material(),
which is used by FreeRADIUS to derive the MSK, did not use the correct digest
to calculate the result when TLS 1.2 was used. This caused IKE to fail with
"verification of AUTH payload with EAP MSK failed". The fix was only
backported to jessie recently.
2016-06-17 15:53:12 +02:00
Tobias Brunner
67b9e151fa
testing: Fix firewall rule on alice in tnc/tnccs-20-pdp-pt-tls scenario
2016-06-17 10:22:03 +02:00
Tobias Brunner
aacf84d837
testing: Add expect-connection calls for all tests and hosts
...
There are some exceptions (e.g. those that use auto=start or p2pnat).
2016-06-16 14:35:18 +02:00
Tobias Brunner
8f56bbc82b
testing: Update test scenarios for Debian jessie
...
The main difference is that ping now reports icmp_seq instead of
icmp_req, so we match for icmp_.eq, which works with both releases.
tcpdump now also reports port 4500 as ipsec-nat-t.
2016-06-16 14:04:11 +02:00
Tobias Brunner
b71104a3df
testing: Fix posttest.dat for ikev2/rw-dnssec scenario
2016-06-16 14:01:47 +02:00
Tobias Brunner
1c616eccae
testing: Update Apache config for newer Debian releases
...
It is still compatible with the current release as the config in
sites-available will be ignored, while conf-enabled does not exist and
is not included in the main config.
2016-06-15 16:24:44 +02:00
Tobias Brunner
796c36ade1
testing: Fix scenarios that check /etc/resolv.conf
2016-06-13 16:18:38 +02:00
Andreas Steffen
78adb5a7b1
testing: Changed gcrypt-ikev1 scenarios to swanctl
2016-05-15 19:02:57 +02:00
Andreas Steffen
141ac4df8f
testing: wait until connections are loaded
2016-05-15 19:02:57 +02:00
Andreas Steffen
b9522f9d64
swanctl: Do not display rekey times for shunts
2016-05-05 14:53:22 +02:00
Andreas Steffen
ff4e01dab5
testing: Use reauthentication and set CHILD_SA rekey time, bytes and packets limits
2016-05-04 18:13:52 +02:00
Andreas Steffen
87381a55a9
testing: uses xauth_id in swanctl/xauth-rsa scenario
2016-05-04 18:13:52 +02:00
Andreas Steffen
278497f2ba
testing: Use absolute path of imv_policy_manager
2016-04-26 17:15:37 +02:00
Andreas Steffen
0ff486f507
testing: Added swanctl/rw-multi-ciphers-ikev1 scenario
2016-04-12 18:50:58 +02:00
Andreas Steffen
d3edc8aa0f
testing: Added swanctl/manual_prio scenario
2016-04-09 16:51:02 +02:00
Tobias Brunner
638b4638e3
testing: Add swanctl/net2net-gw scenario
2016-04-09 16:51:00 +02:00
Tobias Brunner
ea3a4d3f72
testing: List conntrack table on sun in ikev2/host2host-transport-connmark scenario
2016-04-06 14:01:18 +02:00
Tobias Brunner
a9f9598ed0
testing: Updated updown scripts in libipsec scenarios to latest version
2016-03-23 14:13:07 +01:00
Andreas Steffen
90ef7e8af6
Updated swanctl/rw-psk-ikev1 scenario
2016-03-10 13:59:37 +01:00
Tobias Brunner
dc57c1b817
testing: Add ikev2/reauth-mbb-revoked scenario
2016-03-10 11:07:15 +01:00
Andreas Steffen
c2523355a4
testing: Added swanctl/mult-auth-rsa-eap-sim-id scenario
2016-03-06 19:09:03 +01:00
Andreas Steffen
70ff382e41
testing: Added swanctl/xauth-rsa scenario
2016-03-06 12:28:55 +01:00
Andreas Steffen
07b0eac4b1
testing: attr-sql is a charon plugin
2016-03-05 15:53:22 +01:00
Andreas Steffen
26d2011b14
testing: Added swanctl/rw-psk-ikev1 scenario
2016-03-05 13:50:41 +01:00
Andreas Steffen
1989c7a381
testing: Include IKE port information in evaltests
2016-03-05 13:44:06 +01:00
Tobias Brunner
f80e910cce
testing: Add ikev2/redirect-active scenario
2016-03-04 16:03:00 +01:00
Andreas Steffen
ba919f393d
testing: Added swanctl/protoport-range scenario
2016-03-04 09:52:34 +01:00
Tobias Brunner
28649f6d91
libhydra: Remove empty unused library
2016-03-03 17:36:11 +01:00
Andreas Steffen
efefa0c6a1
testing: Added swanctl/shunt-policies-nat-rw
2016-02-28 22:25:50 +01:00
Andreas Steffen
13891e2a4f
testing: Some minor fixes in test scenarios
2016-02-28 22:25:21 +01:00
Andreas Steffen
68c9f0bb80
testing: Added swanctl/protoport-dual scenario
2016-02-28 14:33:48 +01:00
Andreas Steffen
ddf1fc7692
testing: converted af-alg scenarios to swanctl
2016-02-26 13:31:36 +01:00
Tobias Brunner
4625113b1a
testing: Use absolute path to the _updown script in SQL scenarios
...
/usr/local/sbin is not included in PATH set by the charon init script and
since the ipsec script is obsolete when using swanctl it makes sense to
change this anyway.
2016-02-17 12:00:20 +01:00
Andreas Steffen
963b080810
testing: Increased ping interval in ikev2/trap-any scenario
2016-02-16 18:21:19 +01:00
Andreas Steffen
726a45b2f2
Corrected the description of the swanctl/dhcp-dynamic scenario
2016-02-16 18:17:17 +01:00
Andreas Steffen
4d83c5b4a6
Fix of the mutual TNC measurement use case
...
If the IKEv2 initiator acting as a TNC server receives invalid TNC measurements
from the IKEv2 responder acting as a TNC client, the exchange of PB-TNC batches
is continued until the IKEv2 responder acting as a TNC server has also finished
its TNC measurements.
In the past if these measurements in the other direction were correct
the IKEv2 responder acting as EAP server declared the IKEv2 EAP authentication
successful and the IPsec connection was established even though the TNC
measurement verification on the EAP peer side failed.
The fix adds an "allow" group membership on each endpoint if the corresponding
TNC measurements of the peer are successful. By requiring an "allow" group
membership in the IKEv2 connection definition the IPsec connection succeeds
only if the TNC measurements on both sides are valid.
2016-02-16 18:00:27 +01:00
Andreas Steffen
ac134b470a
testing: Added swanctl/dhcp-dynamic scenario
2016-02-03 12:10:59 +01:00
Thomas Egerer
beb4a07ea8
ikev1: Log successful authentication with signature scheme
...
Output is now identical to that of the IKEv2 pubkey authenticator.
Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
2016-02-01 15:58:53 +01:00
Tobias Brunner
4cfcbe97a4
testing: Don't attempt to start the daemon twice in ha/active-passive scenario
2016-02-01 10:51:12 +01:00
Andreas Steffen
67a38ac6f1
testing: Added swanctl/config-payload scenario
2016-01-14 06:31:28 +01:00
Andreas Steffen
e7b5171e43
testing: Use include statement in swanctl/rw-pubkey-keyid scenario
2016-01-14 01:44:17 +01:00
Andreas Steffen
2aa2b17d41
testing: swanctl/rw-pubkey-anon uses anonymous public keys in remote access scenario
2016-01-09 07:23:30 +01:00
Andreas Steffen
b83cef2412
testing: added swanctl scenarios net2net-pubkey, rw-pubkey-keyid and rw-dnssec
2016-01-09 07:23:30 +01:00
Andreas Steffen
bffbf2f5fd
testing: Fixed description of swanctl/frags-iv4 scenario
2016-01-09 00:17:31 +01:00
Andreas Steffen
9db530493f
testing: Change sql scenarios to swanctl
2016-01-03 06:28:48 +01:00
Tobias Brunner
1a79525559
testing: Fix some IKEv1 scenarios after listing DH groups for CHILD_SAs
2015-12-21 12:14:12 +01:00
Andreas Steffen
490ba67682
testing: Fixed description in swanctl/rw-ntru-bliss scenario
2015-12-18 15:24:59 +01:00
Andreas Steffen
76cbf1df34
testing: Added swanctl/rw-ntru-bliss scenario
2015-12-17 17:49:48 +01:00
Andreas Steffen
5e2b740a00
128 bit default security strength requires 3072 bit prime DH group
2015-12-14 10:39:40 +01:00
Andreas Steffen
36b6d400d2
testing: swanctl/rw-cert scenario tests password-protected RSA key
2015-12-12 17:12:44 +01:00
Andreas Steffen
4f7f2538c4
Upgraded IKE and ESP proposals in swanctl scenarios to consistent 128 bit security
2015-12-12 15:54:48 +01:00
Andreas Steffen
fad851e2d3
Use VICI 2.0 protocol version for certificate queries
2015-12-11 18:26:54 +01:00
Andreas Steffen
6aa7703122
testing: Converted tnc scenarios to swanctl
2015-12-11 18:26:54 +01:00
Tobias Brunner
ae37090e65
testing: Use expect-connection in swanctl scenarios
...
Only in net2net-start do we have to use `sleep` to ensure the SA is
up when the tests are running.
2015-12-11 18:26:53 +01:00
Andreas Steffen
cbc43f1b43
testing: Some more timing fixes
2015-12-01 14:51:23 +01:00
Andreas Steffen
dddb32329c
testing: Updated expired mars.strongswan.org certificate
2015-11-26 09:55:28 +01:00
Andreas Steffen
1c1f713431
testing: Error messages of curl plugin have changed
2015-11-13 14:02:45 +01:00
Andreas Steffen
c4b9b7ef2c
testing: Fixed another timing issue
2015-11-13 14:02:06 +01:00
Andreas Steffen
019c7c2310
testing: Check for leases in swanctl/ip-pool scenario
2015-11-11 08:43:43 +01:00
Andreas Steffen
946bc3a3f5
testing: Fixed some more timing issues
2015-11-10 16:54:38 +01:00
Tobias Brunner
10051b01e9
testing: Reduce runtime of all tests that use SQLite databases by storing them in ramfs
2015-11-09 15:18:39 +01:00
Tobias Brunner
3102da20a7
testing: tnc/tnccs-20-hcd-eap scenario does not use SWID IMV/strongTNC
2015-11-09 15:18:38 +01:00
Tobias Brunner
10fa70ee5c
testing: Improve runtime of TNC tests by storing the SQLite DB in ramfs
...
This saves about 50%-70% of the time needed for scenarios that use a DB.
2015-11-09 15:18:38 +01:00
Tobias Brunner
f24ec20ebb
testing: Fix test constraints in ikev2/rw-ntru-bliss scenario
...
Changed with a88d958933 ("Explicitly mention SHA2 algorithm in BLISS
OIDs and signature schemes").
2015-11-09 15:18:38 +01:00
Andreas Steffen
529357f09a
testing: Use sha3 plugin in ikev2/rw-cert scenario
2015-11-09 15:18:38 +01:00
Tobias Brunner
bde9fb6fa1
testing: Don't run redundant crypto tests in sql/rw-cert scenario
...
They run in all other rw-cert scenarios but in the SQL version there is
no change in the loaded crypto plugins.
2015-11-09 15:18:36 +01:00
Tobias Brunner
1091b3a636
testing: Fix CRL URIs in ipv6/net2net-ip4-in-ip6-ikev* scenarios
2015-11-09 15:18:36 +01:00
Tobias Brunner
bb66b4d56b
testing: Speed up OCSP scenarios
...
Don't make clients wait for the TCP connections to timeout by dropping
packets. By rejecting them the OCSP requests fail immediately.
2015-11-09 15:18:35 +01:00
Tobias Brunner
0ee4a333a8
testing: Speed up ifdown calls in ikev2/mobike scenarios
...
ifdown calls bind's rndc, which tries to access TCP port 953 on lo.
If these packets are dropped by the firewall we have to wait for the TCP
connections to time out, which takes quite a while.
2015-11-09 15:18:35 +01:00
Tobias Brunner
cbaafa03c7
testing: Avoid delays with ping by using -W and -i options
...
With -W we reduce timeouts when we don't expect a response. With -i the
interval between pings is reduced (mostly in case of auto=route where
the first ping yields no reply).
2015-11-09 15:18:35 +01:00
Tobias Brunner
f519acd42f
testing: Remove nearly all sleep calls from pretest and posttest scripts
...
By consistently using the `expect-connection` helper we can avoid pretty
much all previously needed calls to sleep.
2015-11-09 15:18:35 +01:00
Tobias Brunner
f36b6d49af
testing: Adapt tests to retransmission settings and reduce DPD delay/timeout
2015-11-09 15:18:34 +01:00
Tobias Brunner
17816515d2
testing: Add libipsec/net2net-null scenario
2015-11-09 11:09:48 +01:00
Andreas Steffen
a98360a64c
testing: BLISS CA uses SHA-3 in its CRL
2015-11-03 21:35:09 +01:00
Tobias Brunner
c6aa606a65
testing: Actually send an uncompressed packet in the ipv6/rw-compress-ikev2 scenario
...
The default of 56 bytes already exceeds the threshold of 90 bytes (8 bytes
ICMP + 40 bytes IPv6 = 104 bytes). By reducing the size we make sure the
packet is not compressed (40 + 8 + 40 = 88).
This also fixes a strange failure of this scenario due to the recently
added post-test `ip xfrm state` check. The kernel stores a reference to
the used SAs on the inbound skbuffs and since these are garbage collected
it could take a while until all references to an SA disappear and the SA
is finally destroyed. But while SAs might not get destroyed immediately
when we delete them, they are actually marked as dead and therefore won't
show up in `ip xfrm state`. However, that's not the case for the tunnel
SAs the kernel attaches to IPComp SAs, which we don't explicitly delete,
and which aren't modified by the kernel until the IPComp SA is destroyed.
So what happened when the last ping unintentionally got compressed is that
the skbuff had a reference to the IPComp SA and therefore the tunnel SA.
This skbuff often was destroyed after the `ip xfrm state` check ran and
because the tunnel SA would still get reported the test case failed.
2015-10-06 15:48:55 +02:00
Andreas Steffen
2b5c543051
testing: added ikev2/alg-chacha20poly1305 scenario
2015-09-01 17:30:15 +02:00
Tobias Brunner
e9ea7e6fb7
testing: Updated environment variable documentation in updown scripts
2015-08-31 11:00:05 +02:00
Andreas Steffen
cdb61c3e88
Added some spaces in swanctl.conf
2015-08-25 15:10:13 +02:00
Tobias Brunner
8923621280
testing: Fix typo in p2pnat/behind-same-nat scenario
2015-08-21 17:48:37 +02:00
Tobias Brunner
efb4b9440a
testing: Add missing sim_files file to ikev2/rw-eap-sim-radius scenario
2015-08-21 11:37:23 +02:00
Tobias Brunner
161d75f403
testing: alice is RADIUS server in the ikev2/rw-eap-sim-radius scenario
2015-08-21 11:17:25 +02:00
Tobias Brunner
18943c1f1b
testing: Print triplets.dat files of clients in EAP-SIM scenarios
...
References #1078.
2015-08-21 11:16:56 +02:00
Tobias Brunner
bb1d9e454d
testing: Add ikev2/trap-any scenario
2015-08-19 11:34:25 +02:00
Andreas Steffen
5f60c55919
Extend HCD attribute data for tnc/tnccs-20-hcd-eap scenario
2015-08-18 21:25:39 +02:00
Andreas Steffen
b19ef52d51
Added reason string support to HCD IMV
2015-08-18 21:25:39 +02:00
Andreas Steffen
627e4b9659
Fixed patches format delimited by CR/LF
2015-08-18 21:25:39 +02:00
Andreas Steffen
ac28daac38
testing: Added tnc/tnccs-20-hcd-eap scenario
2015-08-18 21:25:39 +02:00
Andreas Steffen
9b1eaf083f
testing: Updated expired AAA server certificate
2015-08-04 21:50:01 +02:00
Andreas Steffen
493ad293b7
testing: Adapted ha/both-active scenario to new jhash values
2015-07-31 14:43:40 +02:00
Andreas Steffen
fbcac07043
testing: Regenerated BLISS certificates due to oracle changes
2015-07-27 22:09:08 +02:00
Andreas Steffen
aaeb524cea
testing: Updated loop ca certificates
2015-07-22 17:11:00 +02:00
Andreas Steffen
73cbd5c7f8
testing: Updated all swanctl scenarios and added some new ones
2015-07-22 13:27:08 +02:00
Andreas Steffen
db69295d2e
tests: Introduced IPV6 flag in tests.conf
2015-07-21 23:17:14 +02:00
Andreas Steffen
6b265c5e5c
tests: Introduced SWANCTL flag in test.conf
2015-07-21 23:17:14 +02:00
Andreas Steffen
3d9bfb607c
tests: fixed evaltest of swanctl/rw-cert scenario
2015-07-21 23:17:13 +02:00
Andreas Steffen
f335e2f848
tests: fixed description of swanctl ip-pool scenarios
2015-07-21 23:17:13 +02:00
Andreas Steffen
b8399a2edc
testing: use a decent PSK
2015-05-30 16:56:41 +02:00
Andreas Steffen
1047d44b57
testing: Added ha/active-passive scenario
2015-05-30 16:48:17 +02:00
Tobias Brunner
966efbc10d
testing: Fix URL to TNC@FHH project in scenario descriptions
2015-05-05 11:48:56 +02:00
Reto Buerki
41e9a261ac
testing: Update TKM assert strings
2015-05-05 10:55:14 +02:00
Andreas Steffen
362e87e3e0
testing: Updated carol's certificate from research CA and dave's certificate from sales CA
2015-04-26 16:52:06 +02:00
Andreas Steffen
d04e47a9eb
testing: Wait for DH crypto tests to complete
2015-04-26 11:51:49 +02:00
Andreas Steffen
79b5a33c11
imv_policy_manager: Added capability to execute an allow or block shell command string
2015-04-26 10:55:24 +02:00
Andreas Steffen
883c11caa0
Added tnc/tnccs-20-fail-init and tnc/tnccs-20-fail-resp scenarios
2015-03-27 20:56:44 +01:00
Andreas Steffen
85aa509e84
Added tnc/tnccs-20-pt-tls scenario
2015-03-27 20:56:43 +01:00
Andreas Steffen
be04f90815
testing: added tnc/tnccs-20-mutual scenario
2015-03-23 23:01:13 +01:00
Tobias Brunner
3d964213f5
testing: Remove obsolete leftnexthop option from configs
2015-03-12 15:51:25 +01:00
Martin Willi
2b0f34a2ef
testing: Don't check for exact IKEv1 fragment size
...
Similar to 7a9c0d51, the exact packet size depends on many factors we don't
want to consider in this test case.
2015-03-10 10:21:16 +01:00
Martin Willi
58c3e09918
testing: Fix active/passive role description in ha/both-active test case
2015-03-10 10:02:21 +01:00
Tobias Brunner
8b2af616ac
testing: Update modified updown scripts to the latest template
...
This avoids confusion and makes identifying the changes needed for each
scenario easier.
2015-03-06 16:51:50 +01:00
Andreas Steffen
3fcb59b62a
use SHA512 for moon's BLISS signature
2015-03-04 14:08:37 +01:00
Tobias Brunner
26ebe5fea8
testing: Test classic public key authentication in ikev2/net2net-cert scenario
2015-03-04 13:54:12 +01:00
Tobias Brunner
53217d70b0
testing: Disable signature authentication on dave in openssl-ikev2/ecdsa-certs scenario
2015-03-04 13:54:12 +01:00
Tobias Brunner
7a9c0d51f4
testing: Don't check for exact IKEv2 fragment size
...
Because SHA-256 is now used for signatures the size of the two IKE_AUTH
messages changed.
2015-03-04 13:54:10 +01:00
Tobias Brunner
4aa24d4c13
testing: Update test conditions because signature schemes are now logged
...
RFC 7427 signature authentication is now used between strongSwan hosts
by default, which causes the actual signature schemes to get logged.
2015-03-04 13:54:10 +01:00
Tobias Brunner
2f1b2d9183
testing: Add ikev2/rw-sig-auth scenario
2015-03-04 13:54:10 +01:00
Tobias Brunner
3b31245a0f
testing: Add ikev2/net2net-cert-sha2 scenario
2015-03-04 13:54:10 +01:00
Andreas Steffen
c2aca9eed2
Implemented improved BLISS-B signature algorithm
2015-02-25 21:45:34 +01:00
Martin Willi
c10b2be967
testing: Add a forecast test case
2015-02-20 16:34:55 +01:00
Martin Willi
9ed09d5f77
testing: Add a connmark plugin test
...
In this test two hosts establish a transport mode connection from behind
moon. sun uses the connmark plugin to distinguish the flows.
This is an example that shows how one can terminate L2TP/IPsec connections
from two hosts behind the same NAT. For simplification of the test, we use
an SSH connection instead, but this works for any connection initiated flow
that conntrack can track.
2015-02-20 16:34:54 +01:00
Martin Willi
f27fb58ae0
testing: Update description and test evaluation of host2host-transport-nat
...
As we now reuse the reqid for identical SAs, the behavior changes for
transport connections to multiple peers behind the same NAT. Instead of
rejecting the SA, we now have two valid SAs active. For the reverse path,
however, sun sends traffic always over the newer SA, resembling the behavior
before we introduced explicit SA conflicts for different reqids.
2015-02-20 13:34:58 +01:00
Martin Willi
050556bf59
testing: Be a little more flexible in testing for established CHILD_SA modes
...
As we now print the reqid parameter in the CHILD_SA details, adapt the grep
to still match the CHILD_SA mode and protocol.
2015-02-20 13:34:58 +01:00
Martin Willi
b1ff437bbc
testing: Add a test scenario for make-before-break reauth using a virtual IP
2015-02-20 13:34:58 +01:00
Martin Willi
ae3fdf2603
testing: Add a test scenario for make-before-break reauth without a virtual IP
2015-02-20 13:34:57 +01:00
Reto Buerki
65566c37ca
testing: Add tkm xfrmproxy-expire test
...
This test asserts that XFRM expire messages from the kernel are handled
correctly by the xfrm-proxy and the Esa Event Service (EES) in charon-tkm.
2015-02-20 13:34:54 +01:00
Reto Buerki
03409ac7a0
testing: Assert ees acquire messages in xfrmproxy tests
2015-02-20 13:34:54 +01:00
Reto Buerki
8fce649d9a
testing: Assert proper ESA deletion
...
Extend the tkm/host2host-initiator testcase by asserting proper ESA
deletion after connection shutdown.
2015-02-20 13:34:52 +01:00
Andreas Steffen
5028644943
Updated RFC3779 certificates
2014-12-28 12:53:16 +01:00
Andreas Steffen
ac0cb2d363
Updated BLISS CA certificate in ikev2/rw-ntru-bliss scenario
2014-12-12 13:55:03 +01:00
Andreas Steffen
c44f481ae0
Updated BLISS scenario keys and certificates to new format
2014-12-12 12:00:20 +01:00
Andreas Steffen
9b01a061ec
Increased check size due to INITIAL_CONTACT notify
2014-11-29 14:57:41 +01:00
Andreas Steffen
c02ebf1ecd
Renewed expired certificates
2014-11-29 14:51:18 +01:00
Andreas Steffen
43d9247599
Created ikev2/rw-ntru-bliss scenario
2014-11-29 14:51:18 +01:00
Reto Buerki
0de4ba58ce
testing: Update tkm/multiple-clients/evaltest.dat
...
Since the CC context is now properly reset in the bus listener plugin,
the second connection from host dave re-uses the first CC ID. Adjust
the expect string on gateway sun accordingly.
2014-10-31 13:49:40 +01:00
Andreas Steffen
a521ef3b8e
Increased fragment size to 1400 in ipv6/net2net-ikev1 scenario
2014-10-18 14:05:53 +02:00
Andreas Steffen
09b46cdb6a
Enabled IKEv2 fragmentation in ipv6/net2net-ikev2 scenario
2014-10-18 14:05:18 +02:00
Andreas Steffen
cb5ad2ba3d
testing: Lower batch size to demonstrate segmentation of TCG/SWID Tag ID Inventory attribute
2014-10-11 15:01:21 +02:00
Tobias Brunner
1836c1845b
testing: Add ikev2/net2net-fragmentation scenario
2014-10-10 09:33:23 +02:00
Tobias Brunner
144b40e07c
testing: Update ikev1/net2net-fragmentation scenario
2014-10-10 09:32:42 +02:00
Tobias Brunner
89e953797d
testing: Don't check for the actual number of SWID tags in PDP scenarios
...
The number of SWID tags varies depending on the base image, but let's
assume the number is in the hundreds.
2014-10-07 12:18:36 +02:00
Tobias Brunner
8f9016b1e2
testing: Make TNC scenarios agnostic to the actual Debian version
...
The scenarios will work with new or old base images as long as the version
in use is included as product in the master data (src/libimcv/imv/data.sql).
2014-10-07 12:18:25 +02:00
Andreas Steffen
100c1a4bf1
testing: Updated certificates and keys in sql scenarios
2014-10-06 09:42:58 +02:00
Andreas Steffen
73af3a1b04
Updated revoked certificate in ikev2/ocsp-revoked scenario
2014-10-05 21:33:35 +02:00
Andreas Steffen
006518e859
The critical-extension scenarios need the old private keys
2014-10-05 20:58:03 +02:00
Tobias Brunner
12e9ed12ec
testing: Wait a bit in swanctl scenarios before interacting with the daemon
2014-10-03 12:44:14 +02:00
Tobias Brunner
722a8a177e
testing: Make sure the whitelist plugin is ready before configuring it
2014-10-03 12:44:14 +02:00
Tobias Brunner
09f1fb82f9
testing: Update PKCS#12 containers
2014-10-03 12:44:13 +02:00
Tobias Brunner
079c797421
testing: Update PKCS#8 keys
2014-10-03 12:44:13 +02:00
Tobias Brunner
9f5fd7899e
testing: Update public keys in DNSSEC scenarios
...
The tests are successful even if the public keys are not stored locally,
but an additional DNS query is required to fetch them.
2014-10-03 12:44:13 +02:00
Tobias Brunner
2c7ad260f9
testing: Update carol's certificate in several test cases
2014-10-03 12:44:13 +02:00
Martin Willi
7ab320def3
testing: Add some notes about how to reissue attribute certificates
2014-10-03 12:31:01 +02:00
Martin Willi
16469e8474
testing: Reissue attribute certificates for the new holder certificates
...
Due to the expired and reissued holder certificates of carol and dave, new
attribute certificates are required to match the holder certificates serial in
the ikev2/acert-{cached,fallback,inline} tests.
2014-10-03 12:28:11 +02:00
Martin Willi
44b6a34d43
configure: Load fetcher plugins after crypto base plugins
...
Some fetcher plugins (such as curl) might build upon OpenSSL to implement
HTTPS fetching. As we set (and can't unset) threading callbacks in our
openssl plugin, we must ensure that OpenSSL functions don't get called after
openssl plugin unloading.
We achieve that by loading curl and all other fetcher plugins after the base
crypto plugins, including openssl.
2014-09-24 17:34:54 +02:00
Reto Buerki
e0d59e10f8
testing: Update certs and keys in tkm tests
...
References #705.
2014-09-17 17:08:35 +02:00
Andreas Steffen
51da5b920b
Generated new test certificates
2014-08-28 21:34:40 +02:00
Tobias Brunner
be41910e19
testing: Add sql/shunt-policies-nat-rw scenario
2014-06-26 18:13:26 +02:00
Tobias Brunner
73211f9b74
testing: Add pfkey/shunt-policies-nat-rw scenario
2014-06-26 18:13:26 +02:00
Tobias Brunner
945e1df738
testing: Remove obsolete shunt-policies scenarios
2014-06-26 18:12:00 +02:00
Andreas Steffen
75598e5053
Updated description of TNC scenarios concerning RFC 7171 PT-EAP support
2014-06-26 09:47:03 +02:00
Andreas Steffen
21aebe3781
Removed django.db from swid scenarios
2014-06-26 09:45:54 +02:00
Tobias Brunner
2ef6f57456
testing: Add ikev2/shunt-policies-nat-rw scenario
2014-06-19 14:23:07 +02:00
Tobias Brunner
d93987ce24
testing: Remove ikev2/shunt-policies scenario
...
This scenario doesn't really apply anymore (especially its use of drop
policies).
2014-06-19 14:23:07 +02:00
Andreas Steffen
d345f0b75d
Added swanctl/net2net-route scenario
2014-06-18 14:57:33 +02:00
Andreas Steffen
3f5f0b8940
Added swanctl/net2net-start scenario
2014-06-18 14:35:59 +02:00
Andreas Steffen
4402bae77d
Minor changes in swanctl scenarios
2014-06-18 14:35:36 +02:00
Andreas Steffen
39d6469d76
Added swanctl/rw-psk-fqdn and swanctl/rw-psk-ipv4 scenarios
2014-06-14 15:40:23 +02:00
Andreas Steffen
3eb22f1f00
Single-line --raw mode simplifies evaltest of swanctl scenarios
2014-06-14 15:40:23 +02:00
Andreas Steffen
12d618e280
Added swanctl/ip-pool-db scenario
2014-06-11 18:12:35 +02:00
Andreas Steffen
cda2a1e4dc
Updated strongTNC configuration
2014-06-11 18:12:34 +02:00
Andreas Steffen
d643f2cf91
Added swanctl/ip-pool scenario
2014-06-10 16:48:16 +02:00
Andreas Steffen
c621847395
Added swanctl/rw-cert scenario
2014-06-10 16:48:15 +02:00
Andreas Steffen
b09016377a
Define default swanctl credentials in hosts directory
2014-06-10 16:19:00 +02:00
Andreas Steffen
2721832a45
First swanctl scenario
2014-06-01 21:12:15 +02:00
Andreas Steffen
2382d45b1c
Test SWID REST API in tnc/tnccs-20-pdp scenarios
2014-05-31 21:25:46 +02:00
Andreas Steffen
2997077bae
Migration from Debian 7.4 to 7.5
2014-05-31 20:37:57 +02:00
Andreas Steffen
0f000cdd6c
Minor changes in the test environment
2014-05-15 21:30:42 +02:00
Andreas Steffen
8d59090349
Implemented PT-EAP protocol (RFC 7171)
2014-05-12 06:59:21 +02:00
Tobias Brunner
1dfd11fd92
testing: Added pfkey/compress test case
2014-04-24 17:36:17 +02:00
Andreas Steffen
fa6c5f3506
Handle tag separators
2014-04-15 09:28:38 +02:00
Andreas Steffen
edd2ed860f
Renewed expired user certificate
2014-04-15 09:28:37 +02:00
Andreas Steffen
9b7f9ab5d2
Updated SWID scenarios
2014-04-15 09:21:06 +02:00
Andreas Steffen
3e7044b45e
Implemented segmented SWID tag attributes on IMV side
2014-04-15 09:21:06 +02:00
Andreas Steffen
8c40609f96
Use python-based swidGenerator to generate SWID tags
2014-04-15 09:21:06 +02:00
Andreas Steffen
48f37c448c
Make Attestation IMV independent of OS IMV
2014-04-15 09:21:05 +02:00
Andreas Steffen
ab8ed95bfc
Fixed pretest script in tnc/tnccs-20-pt-tls scenario
2014-04-04 23:04:54 +02:00
Tobias Brunner
7a61bf9032
testing: Run 'conntrack -F' before all test scenarios
...
This prevents failures due to remaining conntrack entries.
2014-04-02 11:55:05 +02:00
Andreas Steffen
96e3142c39
Test TLS AEAD cipher suites
2014-04-01 10:12:15 +02:00
Andreas Steffen
05eb83e986
Slightly edited evaltest of ikev2/ocsp-untrusted-cert scenario
2014-03-31 22:22:58 +02:00
Martin Willi
91d71abb16
revocation: Restrict OCSP signing to specific certificates
...
To avoid considering each cached OCSP response and evaluating its trustchain,
we limit the certificates considered for OCSP signing to:
- The issuing CA of the checked certificate
- A directly delegated signer by the same CA, having the OCSP signer constraint
- Any locally installed (trusted) certificate having the OCSP signer constraint
The first two options cover the requirements from RFC 6960 2.6. For
compatibility with non-conforming CAs, we allow the third option as exception,
but require the installation of such certificates locally.
2014-03-31 14:40:33 +02:00
Martin Willi
babd848778
testing: Add an acert test that forces a fallback connection based on groups
2014-03-31 11:14:59 +02:00
Martin Willi
1a4d3222be
testing: Add an acert test case sending attribute certificates inline
2014-03-31 11:14:59 +02:00
Martin Willi
9f676321a9
testing: Add an acert test using locally cached attribute certificates
2014-03-31 11:14:59 +02:00
Andreas Steffen
959ef1a2e4
Added libipsec/net2net-3des scenario
2014-03-28 09:21:51 +01:00
Andreas Steffen
7afd217ff9
Renewed self-signed OCSP signer certificate
2014-03-27 22:52:11 +01:00
Andreas Steffen
c6d173a1f1
Check that valid OCSP responses are received in the ikev2/ocsp-multi-level scenario
2014-03-24 23:57:55 +01:00