c2d6ac1124
Version bump to 5.8.2rc1
2019-12-07 23:06:22 +01:00
f95d512251
testing: Use identity based CA restrictions in rw-hash-and-url-multi-level
...
This is a prominent example where the identity based CA constraint is
benefical. While the description of the test claims a strict binding
of the client to the intermediate CA, this is not fully true if CA operators
are not fully trusted: A rogue OU=Sales intermediate may issue certificates
containing a OU=Research.
By binding the connection to the CA, we can avoid this, and using the identity
based constraint still allows moon to receive the intermediate over IKE
or hash-and-url.
2019-12-06 10:07:47 +01:00
ccaedf8761
Version bump to 5.8.2dr2
2019-11-26 22:36:55 +01:00
91dabace11
testing: Add scenario with hash-and-URL encoding for intermediate CA certificates
2019-11-26 11:12:26 +01:00
29b4b2e8e2
testing: Import sys in Python updown script
2019-11-21 16:57:25 +01:00
662574386a
testing: Accept LANG and LC_* env variables via SSH on guests
...
The client config already includes SendEnv for them. Without that these
variables currently default to POSIX.
2019-11-14 16:11:03 +01:00
a5b3c62091
testing: Remove unused connection definition in ikev2/force-udp-encaps
2019-11-07 11:35:43 +01:00
9d8d85f23c
testing: Fix SHA description in ikev*/esp-alg-null scenarios
2019-11-07 11:33:09 +01:00
4f4e026d3b
Version bump to 5.8.2dr1
2019-10-18 16:26:41 +02:00
f05e9eebb0
testing: Added drbg plugin where required
2019-10-18 16:24:39 +02:00
9cc24ca39e
Use Botan 2.12.1 for tests
2019-10-14 11:43:58 +02:00
0736882678
Use Botan 2.12.0 for tests
2019-10-07 14:31:40 +02:00
1e38151b30
Version bump to 5.8.1
2019-09-02 14:39:16 +02:00
7cfe85cc85
Version bump to 5.8.1rc2
2019-08-29 11:15:18 +02:00
d2b771203f
Version bump to 5.8.1rc1
2019-08-28 16:38:40 +02:00
17c9972252
Fixed some typos, courtesy of codespell
2019-08-28 14:03:41 +02:00
b9949e98c2
Some whitespace fixes
...
Didn't change some of the larger testing scripts that use an inconsistent
indentation style.
2019-08-22 15:18:06 +02:00
de07b77442
Use Botan 2.11.0 for tests
2019-07-02 11:35:21 +02:00
ab1aa03bf5
Version bump to 5.8.1dr1
2019-06-26 17:32:33 +02:00
55dd0361b8
Version bump to 5.8.0
2019-05-20 12:31:08 +02:00
74ac0c9efd
Version bump to 5.8.0rc1
2019-05-10 12:55:48 +02:00
47879ca638
testing: Use strongswan systemd service
2019-05-10 12:55:09 +02:00
6d8e6ec61b
testing: Load PEM keys in ikev2/net2-net-rsa scenario
2019-05-10 12:54:28 +02:00
c9d898c9f4
testing: Copy keys and certs to swanctl/rw-newhope-bliss scenario
2019-05-10 12:53:33 +02:00
27f6d37544
testing: Return an error if any command in the certificate build script fails
2019-05-08 14:56:48 +02:00
d3f678c08f
testing: Build certificates before guests after building strongSwan
...
If the script is run on a clean working copy, building the guests will
fail if the certificates don't exist.
2019-05-08 14:56:48 +02:00
287149cbf9
testing: Automatically build guest images after generating certificates
...
This (re-)generates the CRLs on winnetou.
2019-05-08 14:56:48 +02:00
ac66ca25f9
testing: Use custom plugin configuration to build SHA-3 CA
2019-05-08 14:56:48 +02:00
21280da9f5
testing: Fix ikev2/net2net-rsa scenario
2019-05-08 14:56:48 +02:00
da8e33f3ca
testing: Add wrapper script to build certificates in root image
...
This does not modify the root image but uses the strongSwan version
installed there (avoids build dependencies on version installed on the
host to use pki to generate all the keys and certificates).
2019-05-08 14:56:48 +02:00
a89ad28b89
testing: Upgrade to Linux 5.1 kernel
2019-05-08 14:56:48 +02:00
b213204b3b
testing: Updated build-certs script
2019-05-08 14:56:48 +02:00
cfeae14b06
testing: Deleting dynamic test keys and certificates
2019-05-08 14:56:48 +02:00
2a72056cee
testing: Exclude files that are ignored in Git from the distribution
...
Since the complete hosts and tests directories are part of the tarball
this would include generated certificates and keys.
2019-05-08 14:56:48 +02:00
92c001f766
testing: Remove dynamic keys and certs from repository
2019-05-08 14:56:48 +02:00
00f1d09729
testing: Build data.sql files for SQL test cases
2019-05-08 14:56:48 +02:00
05275905ef
testing: Build CERT and IPSECKEY RRs for strongswan.org zone
...
Also copy generated keys to DNSSEC test cases.
2019-05-08 14:56:48 +02:00
1e059c837b
testing: Rename public keys in DNSSEC scenarios
...
We will generate PEM-encoded public keys with the script.
2019-05-08 14:56:48 +02:00
326bb5f2c5
testing: Convert keys and certificates for all TKM scenarios
2019-05-08 14:56:48 +02:00
0136852f19
testing: Disable leak detective in build-certs script
2019-05-08 14:56:48 +02:00
8db01c6a3f
testing: Script building fresh certificates
2019-05-08 14:56:48 +02:00
bc0a01ff2e
testing: Update documentation in headers of all updown scripts
2019-04-29 17:43:04 +02:00
012221a867
testing: Add swanctl/net2net-childless scenario
2019-04-25 15:23:19 +02:00
35392aa869
testing: Use renamed systemd unit
...
While the alias is available after enabling the unit, we don't
actually do that in our testing environment (adding a symlink manually
would work too, then again, why not just use the proper name?).
2019-04-24 13:57:48 +02:00
e601b89c00
testing: Use latest tkm-rpc and x509-ada versions
...
Includes fixes for larger signatures, critical extensions and
utf8Strings in DNs.
2019-04-15 18:31:12 +02:00
cfac7305ab
testing: Create new files in mounted strongSwan sources as regular user
2019-04-15 14:01:02 +02:00
072de7c150
testing: Add scenario that uses IKE-specific interface IDs
2019-04-04 09:36:38 +02:00
14e999c8d5
testing: Install python-daemon with strongSwan for use in updown scripts
2019-04-04 09:36:38 +02:00
181801317b
testing: Add /etc/resolv.conf when building strongSwan
2019-04-04 09:36:38 +02:00
ceca26c88e
testing: Enable Python eggs in testing environment (i.e. vici's Python bindings)
2019-04-04 09:36:38 +02:00
760d7c9b4f
testing: Add scenarios that use XFRM interfaces
...
The network namespace scenario requires a kernel patch in 4.19 and 4.20
kernels (the fix is included in 5.0 kernels).
2019-04-04 09:31:38 +02:00
5b2078ad09
testing: Enable XFRM interfaces and network namespaces in 4.19 and 5.0 kernel
2019-04-04 09:31:38 +02:00
f43302dc10
Use Botan 2.10.0 for tests
2019-04-01 11:01:46 +02:00
7b5eee65a0
Version bump to 5.8.0dr2
2019-03-30 17:11:34 +01:00
195ee25dba
testing: Updated expired certificates
2019-03-30 17:10:51 +01:00
d93532553c
Testing: Removed tnc/tnccs-20-server-retry scenario
2019-03-29 17:04:43 +01:00
35b82000f1
testing: Disable gcrypt plugin for swanctl
...
Sometimes swanctl hangs when initializing the plugin and it apparently
gathers entropy.
2019-03-28 18:16:56 +01:00
fa1f4d199e
testing: Prolonged Duck end entity certificate
2019-03-13 19:02:42 +01:00
08a7326181
Version bump to 5.8.0dr1
2019-03-13 19:02:42 +01:00
6639288b1a
Use Botan 2.9.0 for tests
2019-01-16 17:11:46 +01:00
eb16352232
Version bump to 5.7.2
2018-12-27 12:11:49 +01:00
023b9c0edc
Version bump to 5.7.2rc1
2018-12-19 13:21:48 +01:00
7cf3f97e56
Version bump to 5.7.2dr4
2018-12-09 19:53:31 +01:00
030de21b7b
testing: Migrated ikev2 scenarios to swanctl
2018-12-09 13:16:41 +01:00
48afa6b783
testing: Switch to Debian stretch base images
2018-11-21 14:34:16 +01:00
7511a6fd9c
testing: Install a package via apt-get to get a second SWIMA software event
...
This installs tmux and its two dependencies libevent-2.0-5 and libutempter0.
For the tnc/tnccs-20-ev-pt-tls test scenario older, apparently replaced
versions of these packages are entered to the collector.db database, so that
dummy SWID tags for these packages can be requested via SWIMA.
2018-11-21 14:33:29 +01:00
b217bdf75f
testing: Add additional memory to alice
...
strongTNC seems to require a lot more memory than we assign by default,
not sure this increase is enough.
2018-11-21 14:32:25 +01:00
b3d9ada385
testing: Generate some UTF-8 locales
2018-11-21 14:32:25 +01:00
1741d1ac07
testing: Disable systemd's NTP service
...
This produces a lot of useless traffic as no NTP servers are reachable (or
even resolvable via winnetou).
2018-11-21 14:32:25 +01:00
c7a74fd3e5
testing: Allow enabling only timestamps without verbose command output
...
-t enables only the timestamps, -v additionally logs command output
(includes -t).
2018-11-21 14:32:25 +01:00
2132031d0e
testing: Show config files of FreeRADIUS 3.0 in test results
2018-11-21 14:32:25 +01:00
231828f810
testing: Config changes for FreeRADIUS 3.0
...
Also includes some changes for jessie's version of FreeRADIUS 2 (was
previously a custom version).
Besides the move to a subdir the config files were adapted for 3.0.
The rlm_sim_files module was removed with FreeRADIUS 3 and Debian's
package of FreeRADIUS 2 does not ship it, so we now replicate it using
the files module (via users file, which is actually a symlink to
mods-config/files/authorize in the default installation of FreeRADIUS 3).
Another approach was tried using rlm_passwd, however, that module does
not read binary/hex data, only printable strings, which would require
changing the triplets.
For 2.x a hack in the site config is necessary to make the attributes
available to the EAP-SIM module.
2018-11-21 14:32:25 +01:00
a8112cc174
testing: Use freeradius instead of the removed radiusd to start FreeRADIUS
2018-11-21 14:32:25 +01:00
2e39b1db0a
testing: Remove unused/inexistent DSA key from sshd config
2018-11-21 14:32:25 +01:00
30e68c80d2
testing: Only run DHCPv4 by setting an listening interface explicitly
...
Debian stretch's init script for isc-dhcp-server uses the INTERFACESv4|6
variables to decide whether to start the v4 and/or v6 DHCP server.
If they are not empty, the daemon is started for the respective version,
however, if both are empty (the default), to listen on all interfaces, the
daemon is started for both versions. The latter would require a subnet
config for IPv6 as the daemon otherwise exits, letting the init script fail,
while keeping the successfully started v4 version running, which, in turn,
can't be stopped anymore with the init script because it thinks the daemon
is not running.
So it's not possible with this init script to start DHCPv4 on all interfaces
without having to configure and run DHCPv6 also.
2018-11-21 14:32:25 +01:00
c2742f9bf5
testing: Remove unused dhcpd config on moon
2018-11-21 14:32:25 +01:00
9083ccd05c
testing: Accept ping6 output with IP address after hostname
...
Newer versions of ping6 add the IP address after the FQDN in the output.
2018-11-21 14:32:25 +01:00
f9a42f828a
testing: Install traceroute utility in base image
...
It seems this was previously installed automatically.
2018-11-21 14:32:24 +01:00
99f6457e53
testing: Only attempt to copy patches if there are any
2018-11-21 14:32:24 +01:00
2fbe44bef3
testing: Remove TNC@FHH dependencies and scenarios that rely on them
...
While we could continue to use FreeRADIUS 2.x that branch is officially EOL.
So instead of investing time and effort in updating/migrating the patches to
FreeRADIUS 3.x (the module changed quite significantly as it relies solely on
the naeap library in that release), for a protocol that is superseded anyway,
we just remove these scenarios and the dependencies. Actually, the
complete rlm_eap_tnc module will be removed with FreeRADIUS 4.0.
2018-11-21 14:32:24 +01:00
d3a59022dd
testing: Remove Apache config hacks for Debian wheezy
2018-11-21 14:32:24 +01:00
af6e26ec08
testing: Support build with Debian stretch base image
...
Remove support for wheezy.
2018-11-21 14:32:24 +01:00
ff3f09af45
Version bump to 5.7.2dr3
2018-11-12 16:24:53 +01:00
b5747192bd
testing: Added botan/net2net-pkcs12 scenario
2018-11-12 13:51:01 +01:00
440e6a03c1
testing: Migrated openssl-ikev2/net2net-pkcs12 scenario to swanctl
2018-11-12 13:46:16 +01:00
836e870912
testing: Removed openssl-ikev2/rw-eap-tls-only scenario
2018-11-12 12:41:11 +01:00
280cf56411
testing: Removed openssl-ikev2/net2net-pgp-v3 scenario
2018-11-12 12:35:37 +01:00
e259ff3979
testing: migrated openssl-ikev2/critical-extension to swanctl
2018-11-12 11:50:05 +01:00
97493cbe17
testing: Migrated openssl/rw-cert scenario to swanctl
2018-11-09 21:45:12 +01:00
6617341390
testing: Migrated openssl-ikev2/ecdsa-pkcs8 scenario to swanctl
2018-11-09 16:38:33 +01:00
6ea531d926
testing: Migrated openssl brainpool scenarios to swanctl
2018-11-09 15:00:26 +01:00
1cab8ed5f8
testing: Migrated openssl alg-ecp-low scenarios to swanctl
2018-11-09 12:42:14 +01:00
21735750df
testing: Migrated openssl alg-ecp-high scenarios
2018-11-09 11:52:59 +01:00
a4c085978c
testing: Migrated openssl alg-camellia scenarios to swanctl
2018-11-09 10:02:26 +01:00
873a6ab0ef
testing: Removed openssl alg-aes-gcm and alg-blowfish scenarios
2018-11-08 21:28:19 +01:00
fcaa081825
testing: Removed openssl suite B scenarios
2018-11-08 21:23:10 +01:00
99b66151fd
testing: Moved openssl ecdsa-certs scenarios to swanctl
2018-11-08 21:16:32 +01:00
0e80eb235d
Version bump to 5.7.2dr2
2018-10-31 14:22:03 +01:00
9be6dee6a4
botan: SHA-3 support
2018-10-30 16:06:15 +01:00
ae271810dc
Use Botan 2.8.0 for tests
2018-10-30 15:08:31 +01:00
a29f70e4fb
testing: Use AES-GCM for SSH connections
...
RC4, which was previously used for performance reasons, is not supported
anymore with newer versions of SSH (stretch still supports it, but it
requires explicit configuration on the guests when they act as clients
too - the version in Ubuntu 18.04 apparently doesn't support it anymore
at all).
AES-GCM should actually be faster (at least for larger amounts of data and
in particular with hardware acceleration).
2018-10-30 15:06:57 +01:00
67fd36e884
testing: Avoid unnecessary rebuilds of components built from Git repos
...
Installing apparently changes the timestamp on the repo dir triggering make
to checkout and build the whole thing again.
2018-10-30 15:06:47 +01:00
3a4372c1eb
testing: Disable predictable network interface names assigned by systemd/udev
2018-10-30 15:06:33 +01:00
3fbeeef908
testing: Remove unused custom OIDs from openssl.cnf files
...
ClientAuthentication is known in OpenSSL 1.1 and the redefinition, therefore,
causes an error. These two OIDs are not used anyway in these config
files.
2018-10-30 15:03:34 +01:00
e660f4579b
testing: Fixed evaluation in swanctl/rw-cert-pss scenario
2018-10-27 08:47:57 +02:00
f5565683b9
Version bump to 5.7.2dr1
2018-10-26 18:47:48 +02:00
534ab34df6
testing: Added botan/net2net-ed25519 scenario
2018-10-26 18:46:59 +02:00
04ef28b4df
Version bump to 5.7.1
2018-10-01 17:46:17 +02:00
2a327d438c
Version bump to 5.7.0
2018-09-24 11:10:12 +02:00
1dd382b888
Version bump to 5.7.0rc2
2018-09-18 16:03:23 +02:00
11b4a87050
Version bump to 5.7.0rc1
2018-09-16 09:30:18 +02:00
9a4b47ef96
testing: Extended Botan scenarios
2018-09-16 09:30:18 +02:00
72a6831e7c
testing: Added botan/rw-cert scenario
2018-09-12 16:25:00 +02:00
a5c682e87d
testing: Enable Botan and the plugin
...
ldconfig is required, otherwise the library won't be found by
strongSwan in the same session.
Should later be changed to 2.8.0 or a newer stable release.
2018-09-12 16:25:00 +02:00
d1c5e6816d
testing: Add some PPK scenarios
2018-09-10 18:04:23 +02:00
a019c95b72
Version bump to 5.7.0dr8
2018-08-02 07:30:05 +02:00
041efa6ed3
Version bump to 5.7.0dr6
2018-07-21 09:30:53 +02:00
9a7a962348
Version bump to 5.7.0dr5
2018-07-19 14:57:18 +02:00
75214fabd8
testing: Optionally build/install strongSwan only on a specific guest
...
This may be used to test different strongSwan versions against each
other.
2018-07-11 18:38:09 +02:00
47ec761674
testing: Fix checks after changing fragmentation log messages
2018-07-09 17:15:07 +02:00
df411bfa30
testing: The dhcp plugin uses the DHCP client port again by default
...
This reverts parts of commit becf027cd9707b70725a
2018-07-05 18:14:54 +02:00
1ecac75f37
testing: Fix IKE proposal in swanctl/net2net-gw scenario
...
Also simplify config by using references.
2018-06-28 18:46:42 +02:00
2ad1df9571
Replace 'inacceptable' with the more common 'unacceptable'
2018-06-28 18:46:42 +02:00
80c9ae4521
testing: Add wrapper for systemctl to collect leaks from charon-systemd
...
Similar to the wrapper around `service` added with 71d59af58a
2018-06-28 16:45:54 +02:00
5b91e8c03c
Version bump to 5.7.0dr4
2018-06-22 11:21:02 +02:00
424de401b4
testing: Added swanctl/rw-ed25519-certpol scenario
2018-06-22 10:39:40 +02:00
711e0bdbe4
Version bumpt to 5.7.0dr3
2018-06-14 17:07:59 +02:00
5cfd7311d0
testing: Print command output if test fails
...
This is quite helpful to debug why a pattern didn't match.
As it could produce quite a lot of output if something is not found in a
log file, the complete output is only printed in verbose mode, otherwise,
`head` is used to print the first 10 lines of output.
We only get stdout from SSH, so the stderr redirection is only really
for errors ssh itself produces.
2018-06-14 09:29:26 +02:00
60719e39bf
testing: Fixed evaltest of tnc/tnccs-20-pdp-pt-tls scenario
2018-06-13 17:57:10 +02:00
78584d7efc
Version bump to 5.7.0dr2
2018-06-13 17:07:58 +02:00
295493f46f
testing: Renewed ECDSA certificates
2018-06-13 17:07:25 +02:00
ce4b8f65d6
testing: Removed TCG SWID IMC/IMV scenarios
2018-06-12 21:47:39 +02:00
a31f9b7691
libimcv: Removed TCG SWID IMC/IMV support
2018-06-12 21:47:39 +02:00
3a8a9c7029
Version bump to 5.7.0dr1
2018-05-30 23:02:57 +02:00
b2ab0995c1
Version bump to 5.6.3
2018-05-28 15:38:58 +02:00
88205674e5
Version bump to 5.6.3rc1
2018-05-23 22:36:39 +02:00
89bd016ef4
Fixed some typos, courtesy of codespell
2018-05-23 16:33:02 +02:00
26b45beda9
Version bump to 5.6.3dr2
2018-05-22 21:58:32 +02:00
9746c308ff
testing: Add ikev2/multi-level-ca-skipped scenario
2018-05-22 09:50:47 +02:00
7b660944b6
dhcp: Only send client identifier if identity_lease is enabled
...
The client identifier serves as unique identifier just like a unique MAC
address would, so even with identity_leases disabled some DHCP servers
might assign unique leases per identity.
2018-05-18 18:04:01 +02:00
becf027cd9
dhcp: Bind server port when a specific server address is specified
...
DHCP servers will respond to port 67 if giaddr is non-zero, which we set
if we are not broadcasting. While such messages are received fine via
RAW socket the kernel will respond with an ICMP port unreachable if no
socket is bound to that port. Instead of opening a dummy socket on port
67 just to avoid the ICMPs we can also just operate with a single
socket, bind it to port 67 and send our requests from that port.
Since SO_REUSEADDR behaves on Linux like SO_REUSEPORT does on other
systems we can bind that port even if a DHCP server is running on the
same host as the daemon (this might have to be adapted to make this work
on other systems, but due to the raw socket the plugin is not that portable
anyway).
2018-05-18 18:04:01 +02:00
69ee158e2a
Version bump to 5.6.3dr1
2018-04-19 16:34:06 +02:00
51d5b35f51
testing: Fixed ikev2/alg-chacha20poly1305 scenario
2018-04-19 16:33:04 +02:00
c8f45e4573
testing: Fix typo in sysctl.conf file
...
Closes strongswan/strongswan#97 .
2018-04-03 09:55:05 +02:00
dc2dfedda9
testing: Use HA patch compatible with 4.15.6+
2018-03-08 10:07:33 +01:00
39e860ea34
testing: Use a HA patch that's actually compatible with 4.15 kernels
2018-03-07 17:16:54 +01:00
0f785f6be8
testing: Revert typo fix in FreeRADIUS patch
...
Fixes: 2db6d5b8b3Fixes #2582 .
2018-03-07 16:39:37 +01:00
68c00bc839
Version bump to 5.6.2
2018-02-19 12:59:37 +01:00
0bb4d2179d
Version bump to 5.6.2rc1
2018-02-16 13:37:00 +01:00
22157b8163
testing: Enable counters and save-keys plugins
2018-02-16 13:36:44 +01:00
Andreas Steffen