diff options
Diffstat (limited to 'testing/tests')
176 files changed, 4606 insertions, 4315 deletions
diff --git a/testing/tests/ikev1/config-payload-push/description.txt b/testing/tests/ikev1/config-payload-push/description.txt new file mode 100644 index 000000000..36f47799e --- /dev/null +++ b/testing/tests/ikev1/config-payload-push/description.txt @@ -0,0 +1,8 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>. +The gateway pushes <b>virtual IP</b> addresses to <b>carol</b> and <b>dave</b>via the IKEv1 +Mode Config protocol in <b>push</b> mode. +<p/> +<b>leftfirewall=yes</b> automatically inserts iptables-based firewall rules that let pass the +tunneled traffic. In order to test the tunnels, <b>carol</b> and <b>dave</b> then ping the +client <b>alice</b> behind the gateway <b>moon</b>. The source IP addresses of the two pings +will be the virtual IPs <b>carol1</b> and <b>dave1</b>, respectively. diff --git a/testing/tests/ikev1/config-payload-push/evaltest.dat b/testing/tests/ikev1/config-payload-push/evaltest.dat new file mode 100644 index 000000000..b46dfddf6 --- /dev/null +++ b/testing/tests/ikev1/config-payload-push/evaltest.dat @@ -0,0 +1,26 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::installing new virtual IP PH_IP_CAROL1::YES +carol::ip addr list dev eth0::PH_IP_CAROL1::YES +carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES +carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES +carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: cat /var/log/daemon.log::installing new virtual IP PH_IP_DAVE1::YES +dave:: ip addr list dev eth0::PH_IP_DAVE1::YES +dave:: ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon:: ipsec status 2> /dev/null::rw-carol.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-dave.*ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-carol.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw-dave.*INSTALLED, TUNNEL::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES +alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES +alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES diff --git a/testing/tests/ikev1/config-payload-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/config-payload-push/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..e85a49e5a --- /dev/null +++ b/testing/tests/ikev1/config-payload-push/hosts/carol/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + modeconfig=push + +conn home + left=PH_IP_CAROL + leftsourceip=%config + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..0e4e57729 --- /dev/null +++ b/testing/tests/ikev1/config-payload-push/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve +} diff --git a/testing/tests/ikev1/config-payload-push/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/config-payload-push/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..c18221192 --- /dev/null +++ b/testing/tests/ikev1/config-payload-push/hosts/dave/etc/ipsec.conf @@ -0,0 +1,22 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + modeconfig=push + +conn home + left=PH_IP_DAVE + leftsourceip=%config + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightsubnet=10.1.0.0/16 + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..0e4e57729 --- /dev/null +++ b/testing/tests/ikev1/config-payload-push/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown resolve +} diff --git a/testing/tests/ikev1/config-payload-push/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..c144ae20e --- /dev/null +++ b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/ipsec.conf @@ -0,0 +1,28 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev1 + modeconfig=push + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + +conn rw-carol + right=%any + rightid=carol@strongswan.org + rightsourceip=PH_IP_CAROL1 + auto=add + +conn rw-dave + right=%any + rightid=dave@strongswan.org + rightsourceip=PH_IP_DAVE1 + auto=add diff --git a/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..002166a54 --- /dev/null +++ b/testing/tests/ikev1/config-payload-push/hosts/moon/etc/strongswan.conf @@ -0,0 +1,8 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default updown attr + + dns1 = PH_IP_WINNETOU + dns2 = PH_IP_VENUS +} diff --git a/testing/tests/ikev1/config-payload-push/posttest.dat b/testing/tests/ikev1/config-payload-push/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/ikev1/config-payload-push/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/config-payload-push/pretest.dat b/testing/tests/ikev1/config-payload-push/pretest.dat new file mode 100644 index 000000000..3864bdac3 --- /dev/null +++ b/testing/tests/ikev1/config-payload-push/pretest.dat @@ -0,0 +1,10 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::ipsec start +dave::ipsec start +moon::ipsec start +carol::sleep 2 +carol::ipsec up home +dave::ipsec up home +carol::sleep 1 diff --git a/testing/tests/ikev1/config-payload-push/test.conf b/testing/tests/ikev1/config-payload-push/test.conf new file mode 100644 index 000000000..164b07ff9 --- /dev/null +++ b/testing/tests/ikev1/config-payload-push/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon alice" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/host2host-ah/description.txt b/testing/tests/ikev1/host2host-ah/description.txt new file mode 100644 index 000000000..dccdd52a4 --- /dev/null +++ b/testing/tests/ikev1/host2host-ah/description.txt @@ -0,0 +1,5 @@ +An IPsec <b>AH transport-mode</b> connection using HMAC_SHA256 between the hosts +<b>moon</b> and <b>sun</b> is successfully set up using IKEv1. <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the decrypted +IP packets. In order to test the host-to-host connection <b>moon</b> pings +<b>sun</b>. diff --git a/testing/tests/ikev1/host2host-ah/evaltest.dat b/testing/tests/ikev1/host2host-ah/evaltest.dat new file mode 100644 index 000000000..92695477a --- /dev/null +++ b/testing/tests/ikev1/host2host-ah/evaltest.dat @@ -0,0 +1,7 @@ +moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES diff --git a/testing/tests/ikev1/host2host-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..a05e5d040 --- /dev/null +++ b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/ipsec.conf @@ -0,0 +1,17 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + keyexchange=ikev1 + +conn host-host + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + type=transport + ah=sha256! + auto=add diff --git a/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8e685c862 --- /dev/null +++ b/testing/tests/ikev1/host2host-ah/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev1/host2host-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..6851ffb5c --- /dev/null +++ b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/ipsec.conf @@ -0,0 +1,17 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + keyexchange=ikev1 + +conn host-host + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + type=transport + ah=sha256! + auto=add diff --git a/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..8e685c862 --- /dev/null +++ b/testing/tests/ikev1/host2host-ah/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev1/host2host-ah/posttest.dat b/testing/tests/ikev1/host2host-ah/posttest.dat new file mode 100644 index 000000000..1f7aa73a1 --- /dev/null +++ b/testing/tests/ikev1/host2host-ah/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/host2host-ah/pretest.dat b/testing/tests/ikev1/host2host-ah/pretest.dat new file mode 100644 index 000000000..99789b90f --- /dev/null +++ b/testing/tests/ikev1/host2host-ah/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up host-host diff --git a/testing/tests/ikev1/host2host-ah/test.conf b/testing/tests/ikev1/host2host-ah/test.conf new file mode 100644 index 000000000..9647dc6a2 --- /dev/null +++ b/testing/tests/ikev1/host2host-ah/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev1/net2net-ah/description.txt b/testing/tests/ikev1/net2net-ah/description.txt new file mode 100644 index 000000000..7ced7a551 --- /dev/null +++ b/testing/tests/ikev1/net2net-ah/description.txt @@ -0,0 +1,8 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> +is set up using the IKEv1 protocol. +With <b>ah=md5,sha1</b> gateway <b>moon</b> proposes the use of an +<b>AH proposal</b>. Gateway <b>sun</b> selects SHA1 for integrity protection +with its <b>ah=sha1!</b> configuration. +<p/> +Upon the successful establishment of the AH CHILD SA, client <b>alice</b> behind +gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev1/net2net-ah/evaltest.dat b/testing/tests/ikev1/net2net-ah/evaltest.dat new file mode 100644 index 000000000..bf6234b55 --- /dev/null +++ b/testing/tests/ikev1/net2net-ah/evaltest.dat @@ -0,0 +1,11 @@ +sun:: cat /var/log/daemon.log::received proposals: AH:HMAC_MD5_96/NO_EXT_SEQ, AH:HMAC_SHA1_96/NO_EXT_SEQ::YES +sun:: cat /var/log/daemon.log::selected proposal: AH:HMAC_SHA1_96/NO_EXT_SEQ::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES +moon::ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES +sun:: ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..d062dfe57 --- /dev/null +++ b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="cfg 2, knl 3" + +conn %default + keyexchange=ikev1 + ike=aes128-sha1-modp1536! + ah=md5,sha1 + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8e685c862 --- /dev/null +++ b/testing/tests/ikev1/net2net-ah/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..c374adfc4 --- /dev/null +++ b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="cfg 2, knl 3" + +conn %default + keyexchange=ikev1 + ike=aes128-sha1-modp1536! + ah=sha1! + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..8e685c862 --- /dev/null +++ b/testing/tests/ikev1/net2net-ah/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev1/net2net-ah/posttest.dat b/testing/tests/ikev1/net2net-ah/posttest.dat new file mode 100644 index 000000000..1f7aa73a1 --- /dev/null +++ b/testing/tests/ikev1/net2net-ah/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev1/net2net-ah/pretest.dat b/testing/tests/ikev1/net2net-ah/pretest.dat new file mode 100644 index 000000000..81a98fa41 --- /dev/null +++ b/testing/tests/ikev1/net2net-ah/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/ikev1/net2net-ah/test.conf b/testing/tests/ikev1/net2net-ah/test.conf new file mode 100644 index 000000000..afa2accbe --- /dev/null +++ b/testing/tests/ikev1/net2net-ah/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/host2host-ah/description.txt b/testing/tests/ikev2/host2host-ah/description.txt new file mode 100644 index 000000000..11d814f8c --- /dev/null +++ b/testing/tests/ikev2/host2host-ah/description.txt @@ -0,0 +1,5 @@ +An IPsec <b>AH transport-mode</b> connection using AES-XCBC between the hosts +<b>moon</b> and <b>sun</b> is successfully set up. <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the decrypted +IP packets. In order to test the host-to-host connection <b>moon</b> pings +<b>sun</b>. diff --git a/testing/tests/ikev2/host2host-ah/evaltest.dat b/testing/tests/ikev2/host2host-ah/evaltest.dat new file mode 100644 index 000000000..92695477a --- /dev/null +++ b/testing/tests/ikev2/host2host-ah/evaltest.dat @@ -0,0 +1,7 @@ +moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TRANSPORT::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES diff --git a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..535e3d491 --- /dev/null +++ b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/ipsec.conf @@ -0,0 +1,17 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + keyexchange=ikev2 + +conn host-host + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + type=transport + ah=aesxcbc + auto=add diff --git a/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8e685c862 --- /dev/null +++ b/testing/tests/ikev2/host2host-ah/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..9537c187b --- /dev/null +++ b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/ipsec.conf @@ -0,0 +1,17 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + keyexchange=ikev2 + +conn host-host + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + type=transport + ah=aesxcbc + auto=add diff --git a/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..8e685c862 --- /dev/null +++ b/testing/tests/ikev2/host2host-ah/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev2/host2host-ah/posttest.dat b/testing/tests/ikev2/host2host-ah/posttest.dat new file mode 100644 index 000000000..1f7aa73a1 --- /dev/null +++ b/testing/tests/ikev2/host2host-ah/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/host2host-ah/pretest.dat b/testing/tests/ikev2/host2host-ah/pretest.dat new file mode 100644 index 000000000..99789b90f --- /dev/null +++ b/testing/tests/ikev2/host2host-ah/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up host-host diff --git a/testing/tests/ikev2/host2host-ah/test.conf b/testing/tests/ikev2/host2host-ah/test.conf new file mode 100644 index 000000000..9647dc6a2 --- /dev/null +++ b/testing/tests/ikev2/host2host-ah/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-ah/description.txt b/testing/tests/ikev2/net2net-ah/description.txt new file mode 100644 index 000000000..a8ac7ee6b --- /dev/null +++ b/testing/tests/ikev2/net2net-ah/description.txt @@ -0,0 +1,7 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +With <b>ah=sha1-md5</b> gateway <b>moon</b> proposes the use of an +<b>AH proposal</b>. Gateway <b>sun</b> selects SHA1 for integrity protection +with its <b>ah=sha1!</b> configuration. +<p/> +Upon the successful establishment of the AH CHILD SA, client <b>alice</b> behind +gateway <b>moon</b> pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev2/net2net-ah/evaltest.dat b/testing/tests/ikev2/net2net-ah/evaltest.dat new file mode 100644 index 000000000..c5f2b1ecb --- /dev/null +++ b/testing/tests/ikev2/net2net-ah/evaltest.dat @@ -0,0 +1,11 @@ +sun:: cat /var/log/daemon.log::received proposals: AH:HMAC_SHA1_96/HMAC_MD5_96/NO_EXT_SEQ::YES +sun:: cat /var/log/daemon.log::selected proposal: AH:HMAC_SHA1_96/NO_EXT_SEQ::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: AH::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: AH::YES +moon::ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES +sun:: ipsec statusall 2> /dev/null::HMAC_SHA1_96::YES diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..602119553 --- /dev/null +++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="cfg 2, knl 2" + +conn %default + keyexchange=ikev2 + ike=aes128-sha1-modp1536! + ah=sha1-md5 + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add diff --git a/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..8e685c862 --- /dev/null +++ b/testing/tests/ikev2/net2net-ah/hosts/moon/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..3f1ee5991 --- /dev/null +++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="cfg 2, knl 2" + +conn %default + keyexchange=ikev2 + ike=aes128-sha1-modp1536! + ah=sha1! + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..8e685c862 --- /dev/null +++ b/testing/tests/ikev2/net2net-ah/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/ikev2/net2net-ah/posttest.dat b/testing/tests/ikev2/net2net-ah/posttest.dat new file mode 100644 index 000000000..1f7aa73a1 --- /dev/null +++ b/testing/tests/ikev2/net2net-ah/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/net2net-ah/pretest.dat b/testing/tests/ikev2/net2net-ah/pretest.dat new file mode 100644 index 000000000..81a98fa41 --- /dev/null +++ b/testing/tests/ikev2/net2net-ah/pretest.dat @@ -0,0 +1,6 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-ah/test.conf b/testing/tests/ikev2/net2net-ah/test.conf new file mode 100644 index 000000000..afa2accbe --- /dev/null +++ b/testing/tests/ikev2/net2net-ah/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-dnscert/description.txt b/testing/tests/ikev2/net2net-dnscert/description.txt new file mode 100644 index 000000000..40c112bc4 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/description.txt @@ -0,0 +1,8 @@ +A connection between the subnets behind the gateways <b>moon</b> and <b>sun</b> is set up. +The authentication is based on trustworthy public keys stored as <b>CERT</b> +resource records in the Domain Name System (DNS) and protected by <b>DNSSEC</b>. +<p/> +Upon the successful establishment of the IPsec tunnel, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client <b>alice</b> behind gateway <b>moon</b> +pings client <b>bob</b> located behind gateway <b>sun</b>. diff --git a/testing/tests/ikev2/net2net-dnscert/evaltest.dat b/testing/tests/ikev2/net2net-dnscert/evaltest.dat new file mode 100644 index 000000000..effc9bc1f --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/evaltest.dat @@ -0,0 +1,9 @@ +moon:: cat /var/log/daemon.log::performing a DNS query for CERT RRs of.*sun.strongswan.org::YES +sun:: cat /var/log/daemon.log::performing a DNS query for CERT RRs of.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::INSTALLED, TUNNEL::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3eaf60a1d --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftid=moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftcert=moonCert.pem + leftsendcert=never + leftauth=pubkey + leftfirewall=yes + right=sun.strongswan.org + rightid=sun.strongswan.org + rightsubnet=10.2.0.0/16 + rightsendcert=never + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/resolv.conf b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..e9c79b333 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound dnscert random nonce x509 curl kernel-netlink socket-default stroke updown + + plugins { + dnscert { + enable = yes + } + } +} + +libstrongswan { + plugins { + unbound { + # trust_anchors = /etc/ipsec.d/dnssec.keys + # resolv_conf = /etc/resolv.conf + } + } +} diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..75c4addda --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.conf @@ -0,0 +1,26 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftid=sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftcert=sunCert.pem + leftsendcert=never + leftauth=pubkey + leftfirewall=yes + right=moon.strongswan.org + rightid=moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightsendcert=never + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys new file mode 100644 index 000000000..d059d8476 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/ipsec.d/dnssec.keys @@ -0,0 +1,10 @@ +; This is a key-signing key, keyid 32329, for . +. IN DNSKEY 257 3 8 ( + AwEAAbcskaratFgvgvXl0bNq4I43ZBzd9jYnoPqsIcA0ahqXlUTUa+c2 + XzN2mS7DGcI4Z5Gn+8v/Ih4lQJQrlf9I/c2HjooCAsK1bA5cRS2DiU+b + L6Ge0nLtvNOf4C0MHGLrWcDONg5QoL0OcFvMXuUtOvDkoIMdtfDYDScx + E9vSokc98Sx553/MTxpssXeM9i+OauGqohIZU+MVRdWwvJPieCL7Ma4b + AttgG+KSbQy7x/qXPISoqzwGQvCxsL93fvD/cpp+KziqA0oH+Dfryvc5 + nWdCdra4gYz7WCFFwcY1PW6PbL5ie4jnjl3WWxopuzT46HKROxDhE+FO + O9fOgGnjzAk= + ) diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules new file mode 100644 index 000000000..b2c425289 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/iptables.rules @@ -0,0 +1,28 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow DNSSEC fetch from winnetou +-A INPUT -i eth0 -p udp --sport 53 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 53 -d PH_IP_WINNETOU -j ACCEPT + +COMMIT diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/resolv.conf b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/resolv.conf new file mode 100644 index 000000000..73d926def --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/resolv.conf @@ -0,0 +1 @@ +nameserver PH_IP_WINNETOU diff --git a/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..e9c79b333 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/hosts/sun/etc/strongswan.conf @@ -0,0 +1,20 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = sha1 sha2 md5 aes des hmac gmp dnskey pem pkcs1 pubkey unbound dnscert random nonce x509 curl kernel-netlink socket-default stroke updown + + plugins { + dnscert { + enable = yes + } + } +} + +libstrongswan { + plugins { + unbound { + # trust_anchors = /etc/ipsec.d/dnssec.keys + # resolv_conf = /etc/resolv.conf + } + } +} diff --git a/testing/tests/ikev2/net2net-dnscert/posttest.dat b/testing/tests/ikev2/net2net-dnscert/posttest.dat new file mode 100644 index 000000000..c594c4dc8 --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::rm /etc/resolv.conf +sun::rm /etc/resolv.conf +moon::rm /etc/ipsec.d/dnssec.keys +sun::rm /etc/ipsec.d/dnssec.keys diff --git a/testing/tests/ikev2/net2net-dnscert/pretest.dat b/testing/tests/ikev2/net2net-dnscert/pretest.dat new file mode 100644 index 000000000..0f4ae0f4f --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/pretest.dat @@ -0,0 +1,8 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::rm /etc/ipsec.d/cacerts/* +sun::rm /etc/ipsec.d/cacerts/* +moon::ipsec start +sun::ipsec start +moon::sleep 2 +moon::ipsec up net-net diff --git a/testing/tests/ikev2/net2net-dnscert/test.conf b/testing/tests/ikev2/net2net-dnscert/test.conf new file mode 100644 index 000000000..afa2accbe --- /dev/null +++ b/testing/tests/ikev2/net2net-dnscert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/libipsec/host2host-cert/description.txt b/testing/tests/libipsec/host2host-cert/description.txt new file mode 100644 index 000000000..b240515fb --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/description.txt @@ -0,0 +1,10 @@ +A connection between the hosts <b>moon</b> and <b>sun</b> is set up. +The authentication is based on <b>X.509 certificates</b> and the <b>kernel-libipsec</b> +plugin is used for userland IPsec ESP encryption. <b>Firewall marks</b> are used to make +the direct ESP connection possible and still allow IKE traffic to flow freely between +the two hosts. +<p/> +Upon the successful establishment of the IPsec tunnel, an updown script automatically +inserts iptables-based firewall rules that let pass the traffic tunneled via the +<b>ipsec0</b> tun interface. In order to test both host-to-host tunnel and firewall, +<b>moon</b> pings <b>sun</b>. diff --git a/testing/tests/libipsec/host2host-cert/evaltest.dat b/testing/tests/libipsec/host2host-cert/evaltest.dat new file mode 100644 index 000000000..105c2a4ed --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/evaltest.dat @@ -0,0 +1,7 @@ +moon::ipsec status 2> /dev/null::host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES +sun:: ipsec status 2> /dev/null::host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES +moon::ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +sun:: ipsec status 2> /dev/null::host-host.*INSTALLED, TUNNEL::YES +moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_req=1::YES +sun::tcpdump::IP moon.strongswan.org.4500 > sun.strongswan.org.4500: UDP-encap: ESP::YES +sun::tcpdump::IP sun.strongswan.org.4500 > moon.strongswan.org.4500: UDP-encap: ESP::YES diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..6e8329a44 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn host-host + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftupdown=/etc/updown + right=PH_IP_SUN + rightid=@sun.strongswan.org + auto=add diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..d5c4d2718 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,17 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no + plugins { + kernel-netlink { + fwmark = !0x42 + } + socket-default { + fwmark = 0x42 + } + kernel-libipsec { + allow_peer_ts = yes + } + } +} diff --git a/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown new file mode 100755 index 000000000..aea6d8555 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/hosts/moon/etc/updown @@ -0,0 +1,705 @@ +#! /bin/sh +# iproute2 version, default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org> +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the ESP policy +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# uncomment to log VPN connections +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# in order to use source IP routing the Linux kernel options +# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES +# must be enabled +# +# special routing table for sourceip routes +SOURCEIP_ROUTING_TABLE=220 +# +# priority of the sourceip routing table +SOURCEIP_ROUTING_TABLE_PRIO=220 + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete Pluto?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +# utility functions for route manipulation +# Meddling with this stuff should not be necessary and requires great care. +uproute() { + doroute add + ip route flush cache +} +downroute() { + doroute delete + ip route flush cache +} + +addsource() { + st=0 + if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local + then + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: addsource \`$it' failed ($oops)" >&2 + fi + fi + return $st +} + +doroute() { + st=0 + + if [ -z "$PLUTO_MY_SOURCEIP" ] + then + for dir in /etc/sysconfig /etc/conf.d; do + if [ -f "$dir/defaultsource" ] + then + . "$dir/defaultsource" + fi + done + + if [ -n "$DEFAULTSOURCE" ] + then + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE + fi + fi + + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # leave because no route entry is required + return $st + fi + + parms1="$PLUTO_PEER_CLIENT" + + if [ -n "$PLUTO_NEXT_HOP" ] + then + parms2="via $PLUTO_NEXT_HOP" + else + parms2="via $PLUTO_PEER" + fi + parms2="$parms2 dev $PLUTO_INTERFACE" + + parms3= + if [ -n "$PLUTO_MY_SOURCEIP" ] + then + if test "$1" = "add" + then + addsource + if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" + then + ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE + fi + fi + parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" + fi + + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # opportunistic encryption work around + # need to provide route that eclipses default, without + # replacing it. + it="ip route $1 0.0.0.0/1 $parms2 $parms3 && + ip route $1 128.0.0.0/1 $parms2 $parms3" + ;; + *) it="ip route $1 $parms1 $parms2 $parms3" + ;; + esac + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: doroute \`$it' failed ($oops)" >&2 + fi + return $st +} + +# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY +if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] +then + KLIPS=1 + IPSEC_POLICY_IN="" + IPSEC_POLICY_OUT="" +else + KLIPS= + IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" + IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" + IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" +fi + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +# the big choice +case "$PLUTO_VERB:$1" in +prepare-host:*|prepare-client:*) + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # exit because no route will be added, + # so that existing routes can stay + exit 0 + fi + + # delete possibly-existing route (preliminary to adding a route) + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # need to provide route that eclipses default, without + # replacing it. + parms1="0.0.0.0/1" + parms2="128.0.0.0/1" + it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" + oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" + ;; + *) + parms="$PLUTO_PEER_CLIENT" + it="ip route delete $parms 2>&1" + oops="`ip route delete $parms 2>&1`" + ;; + esac + status="$?" + if test " $oops" = " " -a " $status" != " 0" + then + oops="silent error, exit status $status" + fi + case "$oops" in + *'RTNETLINK answers: No such process'*) + # This is what route (currently -- not documented!) gives + # for "could not find such a route". + oops= + status=0 + ;; + esac + if test " $oops" != " " -o " $status" != " 0" + then + echo "$0: \`$it' failed ($oops)" >&2 + fi + exit $status + ;; +route-host:*|route-client:*) + # connection to me or my client subnet being routed + uproute + ;; +unroute-host:*|unroute-client:*) + # connection to me or my client subnet being unrouted + downroute + ;; +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +# +# IPv6 +# +prepare-host-v6:*|prepare-client-v6:*) + ;; +route-host-v6:*|route-client-v6:*) + # connection to me or my client subnet being routed + #uproute_v6 + ;; +unroute-host-v6:*|unroute-client-v6:*) + # connection to me or my client subnet being unrouted + #downroute_v6 + ;; +up-host-v6:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host-v6:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client-v6:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-client-v6:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf new file mode 100644 index 000000000..becb97e04 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/ipsec.conf @@ -0,0 +1,19 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn host-host + left=PH_IP_SUN + leftcert=sunCert.pem + leftid=@sun.strongswan.org + leftupdown=/etc/updown + right=PH_IP_MOON + rightid=@moon.strongswan.org + auto=add diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..d5c4d2718 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/strongswan.conf @@ -0,0 +1,17 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-libipsec kernel-netlink socket-default updown + multiple_authentication = no + plugins { + kernel-netlink { + fwmark = !0x42 + } + socket-default { + fwmark = 0x42 + } + kernel-libipsec { + allow_peer_ts = yes + } + } +} diff --git a/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown new file mode 100755 index 000000000..aea6d8555 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/hosts/sun/etc/updown @@ -0,0 +1,705 @@ +#! /bin/sh +# iproute2 version, default updown script +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2007 Andreas Steffen <andreas.steffen@strongswan.org> +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. +# +# PLUTO_REQID +# is the requid of the ESP policy +# +# PLUTO_UNIQUEID +# is the unique identifier of the associated IKE_SA +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# PLUTO_MY_SOURCEIP4_$i +# PLUTO_MY_SOURCEIP6_$i +# contains IPv4/IPv6 virtual IP received from a responder, +# $i enumerates from 1 to the number of IP per address family. +# PLUTO_MY_SOURCEIP is a legacy variable and equals to the first +# virtual IP, IPv4 or IPv6. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. +# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_UDP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# +# PLUTO_DNS4_$i +# PLUTO_DNS6_$i +# contains IPv4/IPv6 DNS server attribute received from a +# responder, $i enumerates from 1 to the number of servers per +# address family. +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# uncomment to log VPN connections +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# in order to use source IP routing the Linux kernel options +# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES +# must be enabled +# +# special routing table for sourceip routes +SOURCEIP_ROUTING_TABLE=220 +# +# priority of the sourceip routing table +SOURCEIP_ROUTING_TABLE_PRIO=220 + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete Pluto?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +# utility functions for route manipulation +# Meddling with this stuff should not be necessary and requires great care. +uproute() { + doroute add + ip route flush cache +} +downroute() { + doroute delete + ip route flush cache +} + +addsource() { + st=0 + if ! ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local + then + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: addsource \`$it' failed ($oops)" >&2 + fi + fi + return $st +} + +doroute() { + st=0 + + if [ -z "$PLUTO_MY_SOURCEIP" ] + then + for dir in /etc/sysconfig /etc/conf.d; do + if [ -f "$dir/defaultsource" ] + then + . "$dir/defaultsource" + fi + done + + if [ -n "$DEFAULTSOURCE" ] + then + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE + fi + fi + + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # leave because no route entry is required + return $st + fi + + parms1="$PLUTO_PEER_CLIENT" + + if [ -n "$PLUTO_NEXT_HOP" ] + then + parms2="via $PLUTO_NEXT_HOP" + else + parms2="via $PLUTO_PEER" + fi + parms2="$parms2 dev $PLUTO_INTERFACE" + + parms3= + if [ -n "$PLUTO_MY_SOURCEIP" ] + then + if test "$1" = "add" + then + addsource + if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" + then + ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE + fi + fi + parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" + fi + + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # opportunistic encryption work around + # need to provide route that eclipses default, without + # replacing it. + it="ip route $1 0.0.0.0/1 $parms2 $parms3 && + ip route $1 128.0.0.0/1 $parms2 $parms3" + ;; + *) it="ip route $1 $parms1 $parms2 $parms3" + ;; + esac + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: doroute \`$it' failed ($oops)" >&2 + fi + return $st +} + +# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY +if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] +then + KLIPS=1 + IPSEC_POLICY_IN="" + IPSEC_POLICY_OUT="" +else + KLIPS= + IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" + IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" + IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" +fi + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +# the big choice +case "$PLUTO_VERB:$1" in +prepare-host:*|prepare-client:*) + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # exit because no route will be added, + # so that existing routes can stay + exit 0 + fi + + # delete possibly-existing route (preliminary to adding a route) + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # need to provide route that eclipses default, without + # replacing it. + parms1="0.0.0.0/1" + parms2="128.0.0.0/1" + it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" + oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" + ;; + *) + parms="$PLUTO_PEER_CLIENT" + it="ip route delete $parms 2>&1" + oops="`ip route delete $parms 2>&1`" + ;; + esac + status="$?" + if test " $oops" = " " -a " $status" != " 0" + then + oops="silent error, exit status $status" + fi + case "$oops" in + *'RTNETLINK answers: No such process'*) + # This is what route (currently -- not documented!) gives + # for "could not find such a route". + oops= + status=0 + ;; + esac + if test " $oops" != " " -o " $status" != " 0" + then + echo "$0: \`$it' failed ($oops)" >&2 + fi + exit $status + ;; +route-host:*|route-client:*) + # connection to me or my client subnet being routed + uproute + ;; +unroute-host:*|unroute-client:*) + # connection to me or my client subnet being unrouted + downroute + ;; +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + PLUTO_INTERFACE=ipsec0 + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT -j ACCEPT + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +# +# IPv6 +# +prepare-host-v6:*|prepare-client-v6:*) + ;; +route-host-v6:*|route-client-v6:*) + # connection to me or my client subnet being routed + #uproute_v6 + ;; +unroute-host-v6:*|unroute-client-v6:*) + # connection to me or my client subnet being unrouted + #downroute_v6 + ;; +up-host-v6:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-host-v6:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. + ;; +up-client-v6:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + ;; +down-client-v6:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + ;; +up-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host-v6:iptables) + # connection to me, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, coming up + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + ip6tables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client-v6:iptables) + # connection to client subnet, with (left/right)firewall=yes, going down + # This is used only by the default updown script, not by your custom + # ones, so do not mess with it; see CAUTION comment up at top. + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/128" ] + then + ip6tables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + ip6tables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + ip6tables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + ip6tables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/128" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac diff --git a/testing/tests/libipsec/host2host-cert/posttest.dat b/testing/tests/libipsec/host2host-cert/posttest.dat new file mode 100644 index 000000000..8b6052f38 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +sun::ipsec stop +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::sysctl --pattern net.ipv4.conf.all.rp_filter --system +sun::sysctl --pattern net.ipv4.conf.all.rp_filter --system diff --git a/testing/tests/libipsec/host2host-cert/pretest.dat b/testing/tests/libipsec/host2host-cert/pretest.dat new file mode 100644 index 000000000..d8d30af02 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/pretest.dat @@ -0,0 +1,8 @@ +moon::sysctl -w net.ipv4.conf.all.rp_filter=2 +sun::sysctl -w net.ipv4.conf.all.rp_filter=2 +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up host-host diff --git a/testing/tests/libipsec/host2host-cert/test.conf b/testing/tests/libipsec/host2host-cert/test.conf new file mode 100644 index 000000000..9647dc6a2 --- /dev/null +++ b/testing/tests/libipsec/host2host-cert/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="moon winnetou sun" + +# Corresponding block diagram +# +DIAGRAM="m-w-s.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf index 733592087..abb34ac91 100644 --- a/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf +++ b/testing/tests/libipsec/rw-suite-b/hosts/moon/etc/ipsec.conf @@ -1,6 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup + charondebug="knl 3, esp 3" conn %default ikelifetime=60m diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt new file mode 100644 index 000000000..d0ae5a823 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/description.txt @@ -0,0 +1,17 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> +plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 +certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> +cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b> +plugin for the Elliptic Curve Diffie-Hellman groups only. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +<b>carol</b> proposes the <b>Brainpool</b> DH groups ECP_256_BP and ECP_384_BP whereas +<b>dave</b> proposes ECP_256_BP and ECP_512_B P. Since <b>moon</b> does not support +ECP_256_BP the roadwarriors fall back to ECP_384_BP and ECP_512_BP, respectively. +<p> +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat new file mode 100644 index 000000000..b7606a48d --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/evaltest.dat @@ -0,0 +1,19 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::ECP_256_BP.*ECP_384_BP::YES +dave:: cat /var/log/daemon.log::ECP_256_BP.*ECP_512_BP::YES +carol::ipsec statusall 2> /dev/null::home.*AES_CBC_192/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384_BP::YES +dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_512_BP::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..bfca8965f --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ecp256bp,aes192-sha384-ecp384bp! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..0bbf93a18 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..2b16165dc --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes128-sha256-ecp256bp,aes256-sha512-ecp512bp! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..785772254 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..8c02c9fea --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes192-sha384-ecp384bp,aes256-sha512-ecp512bp! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..0bbf93a18 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat new file mode 100644 index 000000000..8bbea1412 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-high/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt new file mode 100644 index 000000000..78eb0ffb3 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/description.txt @@ -0,0 +1,17 @@ +The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b> +plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509 +certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b> +cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b> +plugin for the Elliptic Curve Diffie-Hellman groups only. +<p> +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each +to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>. +<b>carol</b> proposes the <b>Brainpool</b> DH groups ECP_384_BP and ECP_224_BP whereas +<b>dave</b> proposes ECP_192_BP and ECP_256_BP. Since <b>moon</b> does not support +ECP_384_BP the roadwarriors fall back to ECP_224_BP and ECP_256_BP, respectively. +<p> +Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b> +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping +the client <b>alice</b> behind the gateway <b>moon</b>. + diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat new file mode 100644 index 000000000..5fb2073dd --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/evaltest.dat @@ -0,0 +1,19 @@ +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES +moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES +carol::cat /var/log/daemon.log::ECP_384_BP.*ECP_224_BP::YES +dave:: cat /var/log/daemon.log::ECP_384_BP.*ECP_256_BP::YES +carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224_BP::YES +dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256_BP::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..be85b6c1e --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes192-sha384-ecp384bp,3des-sha256-ecp224bp! + +conn home + left=PH_IP_CAROL + leftcert=carolCert.pem + leftid=carol@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..0bbf93a18 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/carol/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..1adedc048 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=aes192-sha384-ecp384bp,aes128-sha256-ecp256bp! + +conn home + left=PH_IP_DAVE + leftcert=daveCert.pem + leftid=dave@strongswan.org + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..785772254 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/dave/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..b4cd86c60 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/ipsec.conf @@ -0,0 +1,20 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + ike=3des-sha256-ecp224bp,aes128-sha256-ecp256bp! + +conn rw + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=%any + auto=add diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..0bbf93a18 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/hosts/moon/etc/strongswan.conf @@ -0,0 +1,5 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 openssl revocation random nonce hmac stroke kernel-netlink socket-default updown +} diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat new file mode 100644 index 000000000..1865a1c60 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/posttest.dat @@ -0,0 +1,6 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat new file mode 100644 index 000000000..8bbea1412 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::ipsec start +carol::ipsec start +dave::ipsec start +carol::sleep 1 +carol::ipsec up home +dave::ipsec up home diff --git a/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf new file mode 100644 index 000000000..f29298850 --- /dev/null +++ b/testing/tests/openssl-ikev2/alg-ecp-brainpool-low/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt index c1a3da88e..26e42c4b7 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/description.txt @@ -3,7 +3,7 @@ but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = she ignores the repeated IKE requests sent by <b>dave</b>. <p/> After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a -connection to gateway <b>moon</b>. The authentication is based on Suite B with 128 bit +connection to gateway <b>moon</b>. The authentication is based on Suite B with <b>128 bit</b> security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b> authenticated encryption. <p/> diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem index d29ddb9ee..522a29607 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,5 +1,6 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIMDstKxdv/vNBPfM8iHvn5g5/8T5aRSnlh27HHt6iTfGoAoGCCqGSM49 -AwEHoUQDQgAEwYQaBELkyAVAzNzWJr9LqoK8gdKDv+Ns6D+ZQSAjBuX3bs5ZIn7B -rRxYd+mbnpZ2in7FjXPWkcLkIK/cgay2nw== ------END EC PRIVATE KEY----- +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIGxMBwGCiqGSIb3DQEMAQMwDgQIMZeZ6WcLRQICAggABIGQVdFY4uNX+wTljx5B +maey2lQKGzR1uWujrlgrnV5XUllz5riVLBQ62guQv2TWkQmwaiT503Fki+Hc+VfJ +9CYAg9UjPuT/2H0e5wq0ZnWNJkpWY2LRpMeCkS4Tdww8PBINAoDraeLxtYLm2xsX +mQ7raVahMTmSIO0YTkT7DJmevJAh2zYP7B613tY0PSKxcIdI +-----END ENCRYPTED PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets index 3d6725162..4e53ef91a 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -: ECDSA carolKey.pem +: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt index 24bb2b3df..b8cb4fb8b 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/description.txt @@ -3,7 +3,7 @@ but because <b>carol</b> has set the strongswan.conf option <b>initiator_only = she ignores the repeated IKE requests sent by <b>dave</b>. <p/> After the failed connection attempt by <b>dave</b>, roadwarrior <b>carol</b> sets up a -connection to gateway <b>moon</b>. The authentication is based on Suite B with 192 bit +connection to gateway <b>moon</b>. The authentication is based on Suite B with <b>192 bit</b> security based on <b>X.509 ECDSA</b> certificates, <b>ECP Diffie-Hellman</b> groups and <b>AES-GCM</b> authenticated encryption. <p/> diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem index b94625718..52e044d5e 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.d/private/carolKey.pem @@ -1,6 +1,8 @@ ------BEGIN EC PRIVATE KEY----- -MIGkAgEBBDCkhn8iMx3xfYLzonabc5FVG700UU6WKdke251F8ncgj1sGd5HZCV+N -6pHODLMII96gBwYFK4EEACKhZANiAARGIOWH9s4UOrptJF0OraK85w1zFZIaU7l3 -LnIFG8CFNaU0lzL3ePGEMjMXmbE+maA1el2ZIFEpubfJ2TDwttYj7n+WN7TpiXqc -4sE7plvsaodcU74GomtTHNt0dfDFaq0= ------END EC PRIVATE KEY----- +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIBBTBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIBJ620rnDFmACAggA +MBQGCCqGSIb3DQMHBAh/kkTRYRcX+wSBwIWR0utZGuNjA73xHtLlpgEG+Bt3WfVk +f/C5nSAIov9F3x1BdJ6il25cdcZBsq8/I15kWU9M5CyAnoHFNLcyAHcRK6NONqlr +lFCrU0P5OBDbo6YbCVQKAufCCH1WIGdJvMKL5gaV4mytTrc0g8aYr+66lMKlMJb8 +43pzNGdEwLFfyrpKIFjysCIj30btCVzJWFDeBptmF9Vw0ST+x7x6FWjh2SRgnU10 +/0cs85hh6etFtXlUhzSw7P3abL/8zmWIHw== +-----END ENCRYPTED PRIVATE KEY----- diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets index 3d6725162..4e53ef91a 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -: ECDSA carolKey.pem +: ECDSA carolKey.pem "nH5ZQEWtku0RJEZ6" diff --git a/testing/tests/sql/net2net-route-pem/evaltest.dat b/testing/tests/sql/net2net-route-pem/evaltest.dat index 3fd32907c..2c85542e6 100644 --- a/testing/tests/sql/net2net-route-pem/evaltest.dat +++ b/testing/tests/sql/net2net-route-pem/evaltest.dat @@ -2,10 +2,10 @@ moon:: ipsec status 2> /dev/null::net-1.*ROUTED, TUNNEL::YES sun:: ipsec status 2> /dev/null::net-1.*ROUTED, TUNNEL::YES moon:: ipsec status 2> /dev/null::net-2.*ROUTED, TUNNEL::YES sun:: ipsec status 2> /dev/null::net-2.*ROUTED, TUNNEL::YES -moon:: cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8\] === 10.2.0.10/32\[icmp\] with reqid {1}::YES +moon:: cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8\] === 10.2.0.10/32\[icmp/8\] with reqid {1}::YES moon:: ipsec status 2> /dev/null::net-1.*INSTALLED, TUNNEL::YES sun:: ipsec status 2> /dev/null::net-1.*INSTALLED. TUNNEL::YES -sun:: cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8\] === 10.1.0.20/32\[icmp\] with reqid {2}::YES +sun:: cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8\] === 10.1.0.20/32\[icmp/8\] with reqid {2}::YES moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org::YES sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org::YES moon:: ipsec status 2> /dev/null::net-2.*INSTALLED, TUNNEL::YES diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql deleted file mode 100644 index 090eb47ff..000000000 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data.sql +++ /dev/null @@ -1,873 +0,0 @@ -/* Products */ - -INSERT INTO products ( /* 1 */ - name -) VALUES ( - 'Debian 6.0 i686' -); - -INSERT INTO products ( /* 2 */ - name -) VALUES ( - 'Debian 6.0 x86_64' -); - -INSERT INTO products ( /* 3 */ - name -) VALUES ( - 'Debian 7.0 i686' -); - -INSERT INTO products ( /* 4 */ - name -) VALUES ( - 'Debian 7.0 x86_64' -); - -INSERT INTO products ( /* 5 */ - name -) VALUES ( - 'Debian 8.0 i686' -); - -INSERT INTO products ( /* 6 */ - name -) VALUES ( - 'Debian 8.0 x86_64' -); - -INSERT INTO products ( /* 7 */ - name -) VALUES ( - 'Ubuntu 10.04 i686' -); - -INSERT INTO products ( /* 8 */ - name -) VALUES ( - 'Ubuntu 10.04 x86_64' -); - -INSERT INTO products ( /* 9 */ - name -) VALUES ( - 'Ubuntu 10.10 i686' -); - -INSERT INTO products ( /* 10 */ - name -) VALUES ( - 'Ubuntu 10.10 x86_64' -); - -INSERT INTO products ( /* 11 */ - name -) VALUES ( - 'Ubuntu 11.04 i686' -); - -INSERT INTO products ( /* 12 */ - name -) VALUES ( - 'Ubuntu 11.04 x86_64' -); - -INSERT INTO products ( /* 13 */ - name -) VALUES ( - 'Ubuntu 11.10 i686' -); - -INSERT INTO products ( /* 14 */ - name -) VALUES ( - 'Ubuntu 11.10 x86_64' -); - -INSERT INTO products ( /* 15 */ - name -) VALUES ( - 'Ubuntu 12.04 i686' -); - -INSERT INTO products ( /* 16 */ - name -) VALUES ( - 'Ubuntu 12.04 x86_64' -); - -INSERT INTO products ( /* 17 */ - name -) VALUES ( - 'Ubuntu 12.10 i686' -); - -INSERT INTO products ( /* 18 */ - name -) VALUES ( - 'Ubuntu 12.10 x86_64' -); - -INSERT INTO products ( /* 19 */ - name -) VALUES ( - 'Ubuntu 13.04 i686' -); - -INSERT INTO products ( /* 20 */ - name -) VALUES ( - 'Ubuntu 13.04 x86_64' -); - -INSERT INTO products ( /* 21 */ - name -) VALUES ( - 'Android 4.1.1' -); - -INSERT INTO products ( /* 22 */ - name -) VALUES ( - 'Android 4.2.1' -); - -/* Directories */ - -INSERT INTO directories ( /* 1 */ - path -) VALUES ( - '/bin' -); - -INSERT INTO directories ( /* 2 */ - path -) VALUES ( - '/etc' -); - -INSERT INTO directories ( /* 3 */ - path -) VALUES ( - '/lib' -); - -INSERT INTO directories ( /* 4 */ - path -) VALUES ( - '/lib/i386-linux-gnu' -); - -INSERT INTO directories ( /* 5 */ - path -) VALUES ( - '/lib/x86_64-linux-gnu' -); - -INSERT INTO directories ( /* 6 */ - path -) VALUES ( - '/lib/xtables' -); - -INSERT INTO directories ( /* 7 */ - path -) VALUES ( - '/sbin' -); - -INSERT INTO directories ( /* 8 */ - path -) VALUES ( - '/usr/bin' -); - -INSERT INTO directories ( /* 9 */ - path -) VALUES ( - '/usr/lib' -); - -INSERT INTO directories ( /* 10 */ - path -) VALUES ( - '/usr/lib/i386-linux-gnu' -); - -INSERT INTO directories ( /* 11 */ - path -) VALUES ( - '/usr/lib/x86_64-linux-gnu' -); - -INSERT INTO directories ( /* 12 */ - path -) VALUES ( - '/usr/sbin' -); - -INSERT INTO directories ( /* 13 */ - path -) VALUES ( - '/system/bin' -); - -INSERT INTO directories ( /* 14 */ - path -) VALUES ( - '/system/lib' -); - -/* Files */ - -INSERT INTO files ( /* 1 */ - name, dir -) VALUES ( - 'libcrypto.so.1.0.0', 5 -); - -INSERT INTO files ( /* 2 */ - name, dir -) VALUES ( - 'libcrypto.so.1.0.0', 11 -); - -INSERT INTO files ( /* 3 */ - name, dir -) VALUES ( - 'libssl.so.1.0.0', 5 -); - -INSERT INTO files ( /* 4 */ - name, dir -) VALUES ( - 'libssl.so.1.0.0', 11 -); - -INSERT INTO files ( /* 5 */ - name, dir -) VALUES ( - 'openssl', 8 -); - -INSERT INTO files ( /* 6 */ - name, dir -) VALUES ( - 'tnc_config', 2 -); - -/* Algorithms */ - -INSERT INTO algorithms ( - id, name -) VALUES ( - 65536, 'SHA1-IMA' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 32768, 'SHA1' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 16384, 'SHA256' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 8192, 'SHA384' -); - -/* File Hashes */ - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' -); - -/* Packages */ - -INSERT INTO packages ( /* 1 */ - name -) VALUES ( - 'libssl-dev' -); - -INSERT INTO packages ( /* 2 */ - name -) VALUES ( - 'libssl1.0.0' -); - -INSERT INTO packages ( /* 3 */ - name -) VALUES ( - 'libssl1.0.0-dbg' -); - -INSERT INTO packages ( /* 4 */ - name -) VALUES ( - 'openssl' -); - -/* Versions */ - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 1, 4, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 2, 4, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 3, 4, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 4, 4, '1.0.1e-2', 1366531494 -); - -/* Components */ - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 1, 33 /* ITA TGRUB */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 2, 33 /* ITA TBOOT */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 3, 33 /* ITA IMA - Trusted Platform */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 3, 34 /* ITA IMA - Operating System */ -); - -/* Groups */ - -INSERT INTO groups ( /* 1 */ - name -) VALUES ( - 'Default' -); - -INSERT INTO groups ( /* 2 */ - name, parent -) VALUES ( - 'Linux', 1 -); - -INSERT INTO groups ( /* 3 */ - name, parent -) VALUES ( - 'Android', 1 -); - -INSERT INTO groups ( /* 4 */ - name, parent -) VALUES ( - 'Debian i686', 2 -); - -INSERT INTO groups ( /* 5 */ - name, parent -) VALUES ( - 'Debian x86_64', 2 -); - -INSERT INTO groups ( /* 6 */ - name, parent -) VALUES ( - 'Ubuntu i686', 2 -); - -INSERT INTO groups ( /* 7 */ - name, parent -) VALUES ( - 'Ubuntu x86_64', 2 -); - -INSERT INTO groups ( /* 8 */ - name -) VALUES ( - 'Reference' -); - -INSERT INTO groups ( /* 9 */ - name, parent -) VALUES ( - 'Ref. Android', 8 -); - -INSERT INTO groups ( /* 10 */ - name, parent -) VALUES ( - 'Ref. Linux', 8 -); - -/* Default Product Groups */ - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 1 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 3 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 5 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 5, 2 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 5, 4 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 5, 6 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 7 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 9 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 11 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 13 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 15 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 17 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 19 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 8 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 10 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 12 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 14 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 16 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 18 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 20 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 21 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 22 -); - -/* Devices */ - -INSERT INTO devices ( /* 1 */ - value, product, created -) VALUES ( - 'aabbccddeeff11223344556677889900', 4, 1372330615 -); - -/* Groups Members */ - -INSERT INTO groups_members ( - group_id, device_id -) VALUES ( - 10, 1 -); - -/* Policies */ - -INSERT INTO policies ( /* 1 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 1, 'Installed Packages', 2, 2 -); - -INSERT INTO policies ( /* 2 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 2, 'Unknown Source', 2, 2 -); - -INSERT INTO policies ( /* 3 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 3, 'IP Forwarding Enabled', 1, 1 -); - -INSERT INTO policies ( /* 4 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 4, 'Default Factory Password Enabled', 1, 1 -); - -INSERT INTO policies ( /* 5 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2 -); - -INSERT INTO policies ( /* 6 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2 -); - -INSERT INTO policies ( /* 7 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/bin/openssl', 5, 2, 2 -); - -INSERT INTO policies ( /* 8 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 11, 'No Open TCP Ports', 1, 1 -); - -INSERT INTO policies ( /* 9 */ - type, name, argument, rec_fail, rec_noresult -) VALUES ( - 13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1 -); - -INSERT INTO policies ( /* 10 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 7, 'Metadata of /etc/tnc_config', 6, 0, 0 -); - -INSERT INTO policies ( /* 11 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 8, 'Get /bin', 1, 0, 0 -); - -INSERT INTO policies ( /* 12 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2 -); - -INSERT INTO policies ( /* 13 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2 -); - -INSERT INTO policies ( /* 14 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 8, 'Get /system/bin', 13, 0, 0 -); - -INSERT INTO policies ( /* 15 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 8, 'Get /system/lib', 14, 0, 0 -); - -INSERT INTO policies ( /* 16 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 9, 'Measure /bin', 1, 2, 2 -); - -/* Enforcements */ - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 2, 3, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age, rec_fail, rec_noresult -) VALUES ( - 3, 2, 0, 2, 2 -); - -INSERT INTO enforcements ( - policy, group_id, max_age, rec_fail, rec_noresult -) VALUES ( - 3, 10, 0, 2, 2 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 5, 7, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 6, 7, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 7, 2, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 8, 1, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 9, 1, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 10, 2, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 11, 10, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 12, 5, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 13, 5, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 14, 9, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 15, 9, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 16, 2, 0 -); diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql new file mode 100644 index 000000000..2bb7e7924 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql @@ -0,0 +1,29 @@ +/* Devices */ + +INSERT INTO devices ( /* 1 */ + value, product, created +) VALUES ( + 'aabbccddeeff11223344556677889900', 28, 1372330615 +); + +/* Groups Members */ + +INSERT INTO groups_members ( + group_id, device_id +) VALUES ( + 10, 1 +); + +INSERT INTO enforcements ( + policy, group_id, max_age, rec_fail, rec_noresult +) VALUES ( + 3, 10, 0, 2, 2 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 16, 2, 0 +); + +DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat index 5f94f8dbb..a991d05ea 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-11-radius-pts/pretest.dat @@ -5,7 +5,7 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second -alice::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db +alice::cd /etc/pts; cat tables.sql data.sql data1.sql | sqlite3 config.db alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd alice::cat /etc/tnc_config carol::cat /etc/tnc_config diff --git a/testing/tests/tnc/tnccs-11-supplicant/description.txt b/testing/tests/tnc/tnccs-11-supplicant/description.txt new file mode 100644 index 000000000..6505750b2 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/description.txt @@ -0,0 +1,12 @@ +The layer 2 supplicants <b>carol</b> and <b>dave</b> want to connect to a network +via switch <b>moon</b> which delegates the IEEE 802.1X authentication to the RADIUS +server <b>alice</b>. <b>carol</b> and <b>dave</b> set up an <b>EAP-TTLS</b> tunnel +each via <b>moon</b> to the <a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup"> <b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated +by an X.509 AAA certificate. +The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface. +The communication between IMCs and IMVs is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>. +<p> +<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients +are connected by switch <b>moon</b> to the "allow" and "isolate" VLANs, respectively. diff --git a/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat b/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat new file mode 100644 index 000000000..2d43b3c7b --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/evaltest.dat @@ -0,0 +1,2 @@ +carol::cat /var/log/daemon.log::IMC.*changed state.*Allowed::YES +dave:: cat /var/log/daemon.log::IMC.*changed state.*Isolate::YES diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf new file mode 100644 index 000000000..31556361e --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/eap.conf @@ -0,0 +1,25 @@ +eap { + md5 { + } + default_eap_type = ttls + tls { + private_key_file = /etc/raddb/certs/aaaKey.pem + certificate_file = /etc/raddb/certs/aaaCert.pem + CA_file = /etc/raddb/certs/strongswanCert.pem + cipher_list = "DEFAULT" + dh_file = /etc/raddb/certs/dh + random_file = /etc/raddb/certs/random + } + ttls { + default_eap_type = md5 + use_tunneled_reply = yes + virtual_server = "inner-tunnel" + tnc_virtual_server = "inner-tunnel-second" + } +} + +eap eap_tnc { + default_eap_type = tnc + tnc { + } +} diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf new file mode 100644 index 000000000..23cba8d11 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/proxy.conf @@ -0,0 +1,5 @@ +realm strongswan.org { + type = radius + authhost = LOCAL + accthost = LOCAL +} diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default new file mode 100644 index 000000000..dd0825858 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/default @@ -0,0 +1,43 @@ +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +preacct { + preprocess + acct_unique + suffix + files +} + +accounting { + detail + unix + radutmp + attr_filter.accounting_response +} + +session { + radutmp +} + +post-auth { + exec + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel new file mode 100644 index 000000000..e088fae14 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel @@ -0,0 +1,32 @@ +server inner-tunnel { + +authorize { + suffix + eap { + ok = return + } + files +} + +authenticate { + eap +} + +session { + radutmp +} + +post-auth { + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +pre-proxy { +} + +post-proxy { + eap +} + +} # inner-tunnel server block diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second new file mode 100644 index 000000000..c5bde6a9e --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/sites-available/inner-tunnel-second @@ -0,0 +1,36 @@ +server inner-tunnel-second { + +authorize { + eap_tnc { + ok = return + } +} + +authenticate { + eap_tnc +} + +session { + radutmp +} + +post-auth { + if (control:TNC-Status == "Access") { + update reply { + Tunnel-Type := ESP + Filter-Id := "allow" + } + } + elsif (control:TNC-Status == "Isolate") { + update reply { + Tunnel-Type := ESP + Filter-Id := "isolate" + } + } + + Post-Auth-Type REJECT { + attr_filter.access_reject + } +} + +} # inner-tunnel-second block diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users new file mode 100644 index 000000000..50ccf3e76 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/freeradius/users @@ -0,0 +1,2 @@ +carol Cleartext-Password := "Ar3etTnp" +dave Cleartext-Password := "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..45050f7e1 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +libimcv { + debug_level = 3 + assessment_result = no + plugins { + imv-test { + rounds = 1 + } + } +} diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties new file mode 100644 index 000000000..2bdc6e4de --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc/log4cxx.properties @@ -0,0 +1,15 @@ +# Set root logger level to DEBUG and its appenders to A1 and A2. +log4j.rootLogger=DEBUG, A1, A2 + +# A1 is set to be a ConsoleAppender. +log4j.appender.A1=org.apache.log4j.ConsoleAppender +log4j.appender.A1.layout=org.apache.log4j.PatternLayout +log4j.appender.A1.layout.ConversionPattern=[FHH] %m%n + +# A2 is set to be a SyslogAppender +log4j.appender.A2=org.apache.log4j.net.SyslogAppender +log4j.appender.A2.Facility=DAEMON +log4j.appender.A2.SyslogHost=localhost +log4j.appender.A2.Threshold=DEBUG +log4j.appender.A2.layout=org.apache.log4j.PatternLayout +log4j.appender.A2.layout.ConversionPattern=[FHH] %m%n diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..da732f68b --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/alice/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan client + +IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so +IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..f24455975 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.conf @@ -0,0 +1 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..ddd495699 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/ipsec.secrets @@ -0,0 +1 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..71fbae695 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +libimcv { + debug_level = 3 + plugins { + imc-test { + command = allow + } + } +} diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..b4288fd53 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf new file mode 100644 index 000000000..92d84f570 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/carol/etc/wpa_supplicant.conf @@ -0,0 +1,10 @@ + network={ + ssid="eap_ttls" + scan_ssid=0 + key_mgmt=IEEE8021X + eap=TTLS + identity="carol" + password="Ar3etTnp" + ca_cert="/etc/ipsec.d/cacerts/strongswanCert.pem" + id_str="" + } diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..f24455975 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.conf @@ -0,0 +1 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..ddd495699 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/ipsec.secrets @@ -0,0 +1 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..4ce2769f2 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +libimcv { + debug_level = 3 + plugins { + imc-test { + command = isolate + } + } +} diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..b4288fd53 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so +IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf new file mode 100644 index 000000000..37a343df6 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/dave/etc/wpa_supplicant.conf @@ -0,0 +1,10 @@ + network={ + ssid="eap_ttls" + scan_ssid=0 + key_mgmt=IEEE8021X + eap=TTLS + identity="dave" + password="W7R0g3do" + ca_cert="/etc/ipsec.d/cacerts/strongswanCert.pem" + id_str="" + } diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf new file mode 100644 index 000000000..c84fcbd91 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/hostapd/hostapd.conf @@ -0,0 +1,1127 @@ +##### hostapd configuration file ############################################## +# Empty lines and lines starting with # are ignored + +# AP netdevice name (without 'ap' postfix, i.e., wlan0 uses wlan0ap for +# management frames); ath0 for madwifi +interface=eth0 + +# In case of madwifi, atheros, and nl80211 driver interfaces, an additional +# configuration parameter, bridge, may be used to notify hostapd if the +# interface is included in a bridge. This parameter is not used with Host AP +# driver. If the bridge parameter is not set, the drivers will automatically +# figure out the bridge interface (assuming sysfs is enabled and mounted to +# /sys) and this parameter may not be needed. +# +# For nl80211, this parameter can be used to request the AP interface to be +# added to the bridge automatically (brctl may refuse to do this before hostapd +# has been started to change the interface mode). If needed, the bridge +# interface is also created. +#bridge=br0 + +# Driver interface type (hostap/wired/madwifi/test/none/nl80211/bsd); +# default: hostap). nl80211 is used with all Linux mac80211 drivers. +# Use driver=none if building hostapd as a standalone RADIUS server that does +# not control any wireless/wired driver. +driver=wired + +# hostapd event logger configuration +# +# Two output method: syslog and stdout (only usable if not forking to +# background). +# +# Module bitfield (ORed bitfield of modules that will be logged; -1 = all +# modules): +# bit 0 (1) = IEEE 802.11 +# bit 1 (2) = IEEE 802.1X +# bit 2 (4) = RADIUS +# bit 3 (8) = WPA +# bit 4 (16) = driver interface +# bit 5 (32) = IAPP +# bit 6 (64) = MLME +# +# Levels (minimum value for logged events): +# 0 = verbose debugging +# 1 = debugging +# 2 = informational messages +# 3 = notification +# 4 = warning +# +logger_syslog=-1 +logger_syslog_level=2 +logger_stdout=-1 +logger_stdout_level=0 + +# Dump file for state information (on SIGUSR1) +dump_file=/tmp/hostapd.dump + +# Interface for separate control program. If this is specified, hostapd +# will create this directory and a UNIX domain socket for listening to requests +# from external programs (CLI/GUI, etc.) for status information and +# configuration. The socket file will be named based on the interface name, so +# multiple hostapd processes/interfaces can be run at the same time if more +# than one interface is used. +# /var/run/hostapd is the recommended directory for sockets and by default, +# hostapd_cli will use it when trying to connect with hostapd. +ctrl_interface=/var/run/hostapd + +# Access control for the control interface can be configured by setting the +# directory to allow only members of a group to use sockets. This way, it is +# possible to run hostapd as root (since it needs to change network +# configuration and open raw sockets) and still allow GUI/CLI components to be +# run as non-root users. However, since the control interface can be used to +# change the network configuration, this access needs to be protected in many +# cases. By default, hostapd is configured to use gid 0 (root). If you +# want to allow non-root users to use the contron interface, add a new group +# and change this value to match with that group. Add users that should have +# control interface access to this group. +# +# This variable can be a group name or gid. +#ctrl_interface_group=wheel +ctrl_interface_group=0 + + +##### IEEE 802.11 related configuration ####################################### + +# SSID to be used in IEEE 802.11 management frames +#ssid=test + +# Country code (ISO/IEC 3166-1). Used to set regulatory domain. +# Set as needed to indicate country in which device is operating. +# This can limit available channels and transmit power. +#country_code=US + +# Enable IEEE 802.11d. This advertises the country_code and the set of allowed +# channels and transmit power levels based on the regulatory limits. The +# country_code setting must be configured with the correct country for +# IEEE 802.11d functions. +# (default: 0 = disabled) +#ieee80211d=1 + +# Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g, +# Default: IEEE 802.11b +hw_mode=g + +# Channel number (IEEE 802.11) +# (default: 0, i.e., not set) +# Please note that some drivers do not use this value from hostapd and the +# channel will need to be configured separately with iwconfig. +channel=1 + +# Beacon interval in kus (1.024 ms) (default: 100; range 15..65535) +beacon_int=100 + +# DTIM (delivery traffic information message) period (range 1..255): +# number of beacons between DTIMs (1 = every beacon includes DTIM element) +# (default: 2) +dtim_period=2 + +# Maximum number of stations allowed in station table. New stations will be +# rejected after the station table is full. IEEE 802.11 has a limit of 2007 +# different association IDs, so this number should not be larger than that. +# (default: 2007) +max_num_sta=255 + +# RTS/CTS threshold; 2347 = disabled (default); range 0..2347 +# If this field is not included in hostapd.conf, hostapd will not control +# RTS threshold and 'iwconfig wlan# rts <val>' can be used to set it. +rts_threshold=2347 + +# Fragmentation threshold; 2346 = disabled (default); range 256..2346 +# If this field is not included in hostapd.conf, hostapd will not control +# fragmentation threshold and 'iwconfig wlan# frag <val>' can be used to set +# it. +fragm_threshold=2346 + +# Rate configuration +# Default is to enable all rates supported by the hardware. This configuration +# item allows this list be filtered so that only the listed rates will be left +# in the list. If the list is empty, all rates are used. This list can have +# entries that are not in the list of rates the hardware supports (such entries +# are ignored). The entries in this list are in 100 kbps, i.e., 11 Mbps = 110. +# If this item is present, at least one rate have to be matching with the rates +# hardware supports. +# default: use the most common supported rate setting for the selected +# hw_mode (i.e., this line can be removed from configuration file in most +# cases) +#supported_rates=10 20 55 110 60 90 120 180 240 360 480 540 + +# Basic rate set configuration +# List of rates (in 100 kbps) that are included in the basic rate set. +# If this item is not included, usually reasonable default set is used. +#basic_rates=10 20 +#basic_rates=10 20 55 110 +#basic_rates=60 120 240 + +# Short Preamble +# This parameter can be used to enable optional use of short preamble for +# frames sent at 2 Mbps, 5.5 Mbps, and 11 Mbps to improve network performance. +# This applies only to IEEE 802.11b-compatible networks and this should only be +# enabled if the local hardware supports use of short preamble. If any of the +# associated STAs do not support short preamble, use of short preamble will be +# disabled (and enabled when such STAs disassociate) dynamically. +# 0 = do not allow use of short preamble (default) +# 1 = allow use of short preamble +#preamble=1 + +# Station MAC address -based authentication +# Please note that this kind of access control requires a driver that uses +# hostapd to take care of management frame processing and as such, this can be +# used with driver=hostap or driver=nl80211, but not with driver=madwifi. +# 0 = accept unless in deny list +# 1 = deny unless in accept list +# 2 = use external RADIUS server (accept/deny lists are searched first) +macaddr_acl=0 + +# Accept/deny lists are read from separate files (containing list of +# MAC addresses, one per line). Use absolute path name to make sure that the +# files can be read on SIGHUP configuration reloads. +#accept_mac_file=/etc/hostapd.accept +#deny_mac_file=/etc/hostapd.deny + +# IEEE 802.11 specifies two authentication algorithms. hostapd can be +# configured to allow both of these or only one. Open system authentication +# should be used with IEEE 802.1X. +# Bit fields of allowed authentication algorithms: +# bit 0 = Open System Authentication +# bit 1 = Shared Key Authentication (requires WEP) +auth_algs=3 + +# Send empty SSID in beacons and ignore probe request frames that do not +# specify full SSID, i.e., require stations to know SSID. +# default: disabled (0) +# 1 = send empty (length=0) SSID in beacon and ignore probe request for +# broadcast SSID +# 2 = clear SSID (ASCII 0), but keep the original length (this may be required +# with some clients that do not support empty SSID) and ignore probe +# requests for broadcast SSID +ignore_broadcast_ssid=0 + +# TX queue parameters (EDCF / bursting) +# tx_queue_<queue name>_<param> +# queues: data0, data1, data2, data3, after_beacon, beacon +# (data0 is the highest priority queue) +# parameters: +# aifs: AIFS (default 2) +# cwmin: cwMin (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023) +# cwmax: cwMax (1, 3, 7, 15, 31, 63, 127, 255, 511, 1023); cwMax >= cwMin +# burst: maximum length (in milliseconds with precision of up to 0.1 ms) for +# bursting +# +# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e): +# These parameters are used by the access point when transmitting frames +# to the clients. +# +# Low priority / AC_BK = background +#tx_queue_data3_aifs=7 +#tx_queue_data3_cwmin=15 +#tx_queue_data3_cwmax=1023 +#tx_queue_data3_burst=0 +# Note: for IEEE 802.11b mode: cWmin=31 cWmax=1023 burst=0 +# +# Normal priority / AC_BE = best effort +#tx_queue_data2_aifs=3 +#tx_queue_data2_cwmin=15 +#tx_queue_data2_cwmax=63 +#tx_queue_data2_burst=0 +# Note: for IEEE 802.11b mode: cWmin=31 cWmax=127 burst=0 +# +# High priority / AC_VI = video +#tx_queue_data1_aifs=1 +#tx_queue_data1_cwmin=7 +#tx_queue_data1_cwmax=15 +#tx_queue_data1_burst=3.0 +# Note: for IEEE 802.11b mode: cWmin=15 cWmax=31 burst=6.0 +# +# Highest priority / AC_VO = voice +#tx_queue_data0_aifs=1 +#tx_queue_data0_cwmin=3 +#tx_queue_data0_cwmax=7 +#tx_queue_data0_burst=1.5 +# Note: for IEEE 802.11b mode: cWmin=7 cWmax=15 burst=3.3 + +# 802.1D Tag (= UP) to AC mappings +# WMM specifies following mapping of data frames to different ACs. This mapping +# can be configured using Linux QoS/tc and sch_pktpri.o module. +# 802.1D Tag 802.1D Designation Access Category WMM Designation +# 1 BK AC_BK Background +# 2 - AC_BK Background +# 0 BE AC_BE Best Effort +# 3 EE AC_BE Best Effort +# 4 CL AC_VI Video +# 5 VI AC_VI Video +# 6 VO AC_VO Voice +# 7 NC AC_VO Voice +# Data frames with no priority information: AC_BE +# Management frames: AC_VO +# PS-Poll frames: AC_BE + +# Default WMM parameters (IEEE 802.11 draft; 11-03-0504-03-000e): +# for 802.11a or 802.11g networks +# These parameters are sent to WMM clients when they associate. +# The parameters will be used by WMM clients for frames transmitted to the +# access point. +# +# note - txop_limit is in units of 32microseconds +# note - acm is admission control mandatory flag. 0 = admission control not +# required, 1 = mandatory +# note - here cwMin and cmMax are in exponent form. the actual cw value used +# will be (2^n)-1 where n is the value given here +# +wmm_enabled=1 +# +# WMM-PS Unscheduled Automatic Power Save Delivery [U-APSD] +# Enable this flag if U-APSD supported outside hostapd (eg., Firmware/driver) +#uapsd_advertisement_enabled=1 +# +# Low priority / AC_BK = background +wmm_ac_bk_cwmin=4 +wmm_ac_bk_cwmax=10 +wmm_ac_bk_aifs=7 +wmm_ac_bk_txop_limit=0 +wmm_ac_bk_acm=0 +# Note: for IEEE 802.11b mode: cWmin=5 cWmax=10 +# +# Normal priority / AC_BE = best effort +wmm_ac_be_aifs=3 +wmm_ac_be_cwmin=4 +wmm_ac_be_cwmax=10 +wmm_ac_be_txop_limit=0 +wmm_ac_be_acm=0 +# Note: for IEEE 802.11b mode: cWmin=5 cWmax=7 +# +# High priority / AC_VI = video +wmm_ac_vi_aifs=2 +wmm_ac_vi_cwmin=3 +wmm_ac_vi_cwmax=4 +wmm_ac_vi_txop_limit=94 +wmm_ac_vi_acm=0 +# Note: for IEEE 802.11b mode: cWmin=4 cWmax=5 txop_limit=188 +# +# Highest priority / AC_VO = voice +wmm_ac_vo_aifs=2 +wmm_ac_vo_cwmin=2 +wmm_ac_vo_cwmax=3 +wmm_ac_vo_txop_limit=47 +wmm_ac_vo_acm=0 +# Note: for IEEE 802.11b mode: cWmin=3 cWmax=4 burst=102 + +# Static WEP key configuration +# +# The key number to use when transmitting. +# It must be between 0 and 3, and the corresponding key must be set. +# default: not set +#wep_default_key=0 +# The WEP keys to use. +# A key may be a quoted string or unquoted hexadecimal digits. +# The key length should be 5, 13, or 16 characters, or 10, 26, or 32 +# digits, depending on whether 40-bit (64-bit), 104-bit (128-bit), or +# 128-bit (152-bit) WEP is used. +# Only the default key must be supplied; the others are optional. +# default: not set +#wep_key0=123456789a +#wep_key1="vwxyz" +#wep_key2=0102030405060708090a0b0c0d +#wep_key3=".2.4.6.8.0.23" + +# Station inactivity limit +# +# If a station does not send anything in ap_max_inactivity seconds, an +# empty data frame is sent to it in order to verify whether it is +# still in range. If this frame is not ACKed, the station will be +# disassociated and then deauthenticated. This feature is used to +# clear station table of old entries when the STAs move out of the +# range. +# +# The station can associate again with the AP if it is still in range; +# this inactivity poll is just used as a nicer way of verifying +# inactivity; i.e., client will not report broken connection because +# disassociation frame is not sent immediately without first polling +# the STA with a data frame. +# default: 300 (i.e., 5 minutes) +ap_max_inactivity=30 + +# Disassociate stations based on excessive transmission failures or other +# indications of connection loss. This depends on the driver capabilities and +# may not be available with all drivers. +#disassoc_low_ack=1 + +# Maximum allowed Listen Interval (how many Beacon periods STAs are allowed to +# remain asleep). Default: 65535 (no limit apart from field size) +#max_listen_interval=100 + +# WDS (4-address frame) mode with per-station virtual interfaces +# (only supported with driver=nl80211) +# This mode allows associated stations to use 4-address frames to allow layer 2 +# bridging to be used. +#wds_sta=1 + +# If bridge parameter is set, the WDS STA interface will be added to the same +# bridge by default. This can be overridden with the wds_bridge parameter to +# use a separate bridge. +#wds_bridge=wds-br0 + +# Client isolation can be used to prevent low-level bridging of frames between +# associated stations in the BSS. By default, this bridging is allowed. +#ap_isolate=1 + +##### IEEE 802.11n related configuration ###################################### + +# ieee80211n: Whether IEEE 802.11n (HT) is enabled +# 0 = disabled (default) +# 1 = enabled +# Note: You will also need to enable WMM for full HT functionality. +#ieee80211n=1 + +# ht_capab: HT capabilities (list of flags) +# LDPC coding capability: [LDPC] = supported +# Supported channel width set: [HT40-] = both 20 MHz and 40 MHz with secondary +# channel below the primary channel; [HT40+] = both 20 MHz and 40 MHz +# with secondary channel below the primary channel +# (20 MHz only if neither is set) +# Note: There are limits on which channels can be used with HT40- and +# HT40+. Following table shows the channels that may be available for +# HT40- and HT40+ use per IEEE 802.11n Annex J: +# freq HT40- HT40+ +# 2.4 GHz 5-13 1-7 (1-9 in Europe/Japan) +# 5 GHz 40,48,56,64 36,44,52,60 +# (depending on the location, not all of these channels may be available +# for use) +# Please note that 40 MHz channels may switch their primary and secondary +# channels if needed or creation of 40 MHz channel maybe rejected based +# on overlapping BSSes. These changes are done automatically when hostapd +# is setting up the 40 MHz channel. +# Spatial Multiplexing (SM) Power Save: [SMPS-STATIC] or [SMPS-DYNAMIC] +# (SMPS disabled if neither is set) +# HT-greenfield: [GF] (disabled if not set) +# Short GI for 20 MHz: [SHORT-GI-20] (disabled if not set) +# Short GI for 40 MHz: [SHORT-GI-40] (disabled if not set) +# Tx STBC: [TX-STBC] (disabled if not set) +# Rx STBC: [RX-STBC1] (one spatial stream), [RX-STBC12] (one or two spatial +# streams), or [RX-STBC123] (one, two, or three spatial streams); Rx STBC +# disabled if none of these set +# HT-delayed Block Ack: [DELAYED-BA] (disabled if not set) +# Maximum A-MSDU length: [MAX-AMSDU-7935] for 7935 octets (3839 octets if not +# set) +# DSSS/CCK Mode in 40 MHz: [DSSS_CCK-40] = allowed (not allowed if not set) +# PSMP support: [PSMP] (disabled if not set) +# L-SIG TXOP protection support: [LSIG-TXOP-PROT] (disabled if not set) +#ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40] + +# Require stations to support HT PHY (reject association if they do not) +#require_ht=1 + +##### IEEE 802.1X-2004 related configuration ################################## + +# Require IEEE 802.1X authorization +ieee8021x=1 + +# IEEE 802.1X/EAPOL version +# hostapd is implemented based on IEEE Std 802.1X-2004 which defines EAPOL +# version 2. However, there are many client implementations that do not handle +# the new version number correctly (they seem to drop the frames completely). +# In order to make hostapd interoperate with these clients, the version number +# can be set to the older version (1) with this configuration value. +#eapol_version=2 + +# Optional displayable message sent with EAP Request-Identity. The first \0 +# in this string will be converted to ASCII-0 (nul). This can be used to +# separate network info (comma separated list of attribute=value pairs); see, +# e.g., RFC 4284. +#eap_message=hello +#eap_message=hello\0networkid=netw,nasid=foo,portid=0,NAIRealms=example.com + +# WEP rekeying (disabled if key lengths are not set or are set to 0) +# Key lengths for default/broadcast and individual/unicast keys: +# 5 = 40-bit WEP (also known as 64-bit WEP with 40 secret bits) +# 13 = 104-bit WEP (also known as 128-bit WEP with 104 secret bits) +#wep_key_len_broadcast=5 +#wep_key_len_unicast=5 +# Rekeying period in seconds. 0 = do not rekey (i.e., set keys only once) +#wep_rekey_period=300 + +# EAPOL-Key index workaround (set bit7) for WinXP Supplicant (needed only if +# only broadcast keys are used) +eapol_key_index_workaround=0 + +# EAP reauthentication period in seconds (default: 3600 seconds; 0 = disable +# reauthentication). +#eap_reauth_period=3600 + +# Use PAE group address (01:80:c2:00:00:03) instead of individual target +# address when sending EAPOL frames with driver=wired. This is the most common +# mechanism used in wired authentication, but it also requires that the port +# is only used by one station. +#use_pae_group_addr=1 + +##### Integrated EAP server ################################################### + +# Optionally, hostapd can be configured to use an integrated EAP server +# to process EAP authentication locally without need for an external RADIUS +# server. This functionality can be used both as a local authentication server +# for IEEE 802.1X/EAPOL and as a RADIUS server for other devices. + +# Use integrated EAP server instead of external RADIUS authentication +# server. This is also needed if hostapd is configured to act as a RADIUS +# authentication server. +eap_server=0 + +# Path for EAP server user database +#eap_user_file=/etc/hostapd.eap_user + +# CA certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS +#ca_cert=/etc/hostapd.ca.pem + +# Server certificate (PEM or DER file) for EAP-TLS/PEAP/TTLS +#server_cert=/etc/hostapd.server.pem + +# Private key matching with the server certificate for EAP-TLS/PEAP/TTLS +# This may point to the same file as server_cert if both certificate and key +# are included in a single file. PKCS#12 (PFX) file (.p12/.pfx) can also be +# used by commenting out server_cert and specifying the PFX file as the +# private_key. +#private_key=/etc/hostapd.server.prv + +# Passphrase for private key +#private_key_passwd=secret passphrase + +# Enable CRL verification. +# Note: hostapd does not yet support CRL downloading based on CDP. Thus, a +# valid CRL signed by the CA is required to be included in the ca_cert file. +# This can be done by using PEM format for CA certificate and CRL and +# concatenating these into one file. Whenever CRL changes, hostapd needs to be +# restarted to take the new CRL into use. +# 0 = do not verify CRLs (default) +# 1 = check the CRL of the user certificate +# 2 = check all CRLs in the certificate path +#check_crl=1 + +# dh_file: File path to DH/DSA parameters file (in PEM format) +# This is an optional configuration file for setting parameters for an +# ephemeral DH key exchange. In most cases, the default RSA authentication does +# not use this configuration. However, it is possible setup RSA to use +# ephemeral DH key exchange. In addition, ciphers with DSA keys always use +# ephemeral DH keys. This can be used to achieve forward secrecy. If the file +# is in DSA parameters format, it will be automatically converted into DH +# params. This parameter is required if anonymous EAP-FAST is used. +# You can generate DH parameters file with OpenSSL, e.g., +# "openssl dhparam -out /etc/hostapd.dh.pem 1024" +#dh_file=/etc/hostapd.dh.pem + +# Fragment size for EAP methods +#fragment_size=1400 + +# Configuration data for EAP-SIM database/authentication gateway interface. +# This is a text string in implementation specific format. The example +# implementation in eap_sim_db.c uses this as the UNIX domain socket name for +# the HLR/AuC gateway (e.g., hlr_auc_gw). In this case, the path uses "unix:" +# prefix. +#eap_sim_db=unix:/tmp/hlr_auc_gw.sock + +# Encryption key for EAP-FAST PAC-Opaque values. This key must be a secret, +# random value. It is configured as a 16-octet value in hex format. It can be +# generated, e.g., with the following command: +# od -tx1 -v -N16 /dev/random | colrm 1 8 | tr -d ' ' +#pac_opaque_encr_key=000102030405060708090a0b0c0d0e0f + +# EAP-FAST authority identity (A-ID) +# A-ID indicates the identity of the authority that issues PACs. The A-ID +# should be unique across all issuing servers. In theory, this is a variable +# length field, but due to some existing implementations requiring A-ID to be +# 16 octets in length, it is strongly recommended to use that length for the +# field to provid interoperability with deployed peer implementations. This +# field is configured in hex format. +#eap_fast_a_id=101112131415161718191a1b1c1d1e1f + +# EAP-FAST authority identifier information (A-ID-Info) +# This is a user-friendly name for the A-ID. For example, the enterprise name +# and server name in a human-readable format. This field is encoded as UTF-8. +#eap_fast_a_id_info=test server + +# Enable/disable different EAP-FAST provisioning modes: +#0 = provisioning disabled +#1 = only anonymous provisioning allowed +#2 = only authenticated provisioning allowed +#3 = both provisioning modes allowed (default) +#eap_fast_prov=3 + +# EAP-FAST PAC-Key lifetime in seconds (hard limit) +#pac_key_lifetime=604800 + +# EAP-FAST PAC-Key refresh time in seconds (soft limit on remaining hard +# limit). The server will generate a new PAC-Key when this number of seconds +# (or fewer) of the lifetime remains. +#pac_key_refresh_time=86400 + +# EAP-SIM and EAP-AKA protected success/failure indication using AT_RESULT_IND +# (default: 0 = disabled). +#eap_sim_aka_result_ind=1 + +# Trusted Network Connect (TNC) +# If enabled, TNC validation will be required before the peer is allowed to +# connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other +# EAP method is enabled, the peer will be allowed to connect without TNC. +#tnc=1 + + +##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) ####################### + +# Interface to be used for IAPP broadcast packets +#iapp_interface=eth0 + + +##### RADIUS client configuration ############################################# +# for IEEE 802.1X with external Authentication Server, IEEE 802.11 +# authentication with external ACL for MAC addresses, and accounting + +# The own IP address of the access point (used as NAS-IP-Address) +own_ip_addr=10.1.0.1 + +# Optional NAS-Identifier string for RADIUS messages. When used, this should be +# a unique to the NAS within the scope of the RADIUS server. For example, a +# fully qualified domain name can be used here. +# When using IEEE 802.11r, nas_identifier must be set and must be between 1 and +# 48 octets long. +#nas_identifier=ap.example.com + +# RADIUS authentication server +auth_server_addr=10.1.0.10 +#auth_server_port=1812 +auth_server_shared_secret=gv6URkSs + +# RADIUS accounting server +#acct_server_addr=127.0.0.1 +#acct_server_port=1813 +#acct_server_shared_secret=secret + +# Secondary RADIUS servers; to be used if primary one does not reply to +# RADIUS packets. These are optional and there can be more than one secondary +# server listed. +#auth_server_addr=127.0.0.2 +#auth_server_port=1812 +#auth_server_shared_secret=secret2 +# +#acct_server_addr=127.0.0.2 +#acct_server_port=1813 +#acct_server_shared_secret=secret2 + +# Retry interval for trying to return to the primary RADIUS server (in +# seconds). RADIUS client code will automatically try to use the next server +# when the current server is not replying to requests. If this interval is set, +# primary server will be retried after configured amount of time even if the +# currently used secondary server is still working. +#radius_retry_primary_interval=600 + + +# Interim accounting update interval +# If this is set (larger than 0) and acct_server is configured, hostapd will +# send interim accounting updates every N seconds. Note: if set, this overrides +# possible Acct-Interim-Interval attribute in Access-Accept message. Thus, this +# value should not be configured in hostapd.conf, if RADIUS server is used to +# control the interim interval. +# This value should not be less 600 (10 minutes) and must not be less than +# 60 (1 minute). +#radius_acct_interim_interval=600 + +# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN +# is used for the stations. This information is parsed from following RADIUS +# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN), +# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value +# VLANID as a string). vlan_file option below must be configured if dynamic +# VLANs are used. Optionally, the local MAC ACL list (accept_mac_file) can be +# used to set static client MAC address to VLAN ID mapping. +# 0 = disabled (default) +# 1 = option; use default interface if RADIUS server does not include VLAN ID +# 2 = required; reject authentication if RADIUS server does not include VLAN ID +#dynamic_vlan=0 + +# VLAN interface list for dynamic VLAN mode is read from a separate text file. +# This list is used to map VLAN ID from the RADIUS server to a network +# interface. Each station is bound to one interface in the same way as with +# multiple BSSIDs or SSIDs. Each line in this text file is defining a new +# interface and the line must include VLAN ID and interface name separated by +# white space (space or tab). +#vlan_file=/etc/hostapd.vlan + +# Interface where 802.1q tagged packets should appear when a RADIUS server is +# used to determine which VLAN a station is on. hostapd creates a bridge for +# each VLAN. Then hostapd adds a VLAN interface (associated with the interface +# indicated by 'vlan_tagged_interface') and the appropriate wireless interface +# to the bridge. +#vlan_tagged_interface=eth0 + + +##### RADIUS authentication server configuration ############################## + +# hostapd can be used as a RADIUS authentication server for other hosts. This +# requires that the integrated EAP server is also enabled and both +# authentication services are sharing the same configuration. + +# File name of the RADIUS clients configuration for the RADIUS server. If this +# commented out, RADIUS server is disabled. +#radius_server_clients=/etc/hostapd.radius_clients + +# The UDP port number for the RADIUS authentication server +#radius_server_auth_port=1812 + +# Use IPv6 with RADIUS server (IPv4 will also be supported using IPv6 API) +#radius_server_ipv6=1 + + +##### WPA/IEEE 802.11i configuration ########################################## + +# Enable WPA. Setting this variable configures the AP to require WPA (either +# WPA-PSK or WPA-RADIUS/EAP based on other configuration). For WPA-PSK, either +# wpa_psk or wpa_passphrase must be set and wpa_key_mgmt must include WPA-PSK. +# For WPA-RADIUS/EAP, ieee8021x must be set (but without dynamic WEP keys), +# RADIUS authentication server must be configured, and WPA-EAP must be included +# in wpa_key_mgmt. +# This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0) +# and/or WPA2 (full IEEE 802.11i/RSN): +# bit0 = WPA +# bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled) +#wpa=1 + +# WPA pre-shared keys for WPA-PSK. This can be either entered as a 256-bit +# secret in hex format (64 hex digits), wpa_psk, or as an ASCII passphrase +# (8..63 characters) that will be converted to PSK. This conversion uses SSID +# so the PSK changes when ASCII passphrase is used and the SSID is changed. +# wpa_psk (dot11RSNAConfigPSKValue) +# wpa_passphrase (dot11RSNAConfigPSKPassPhrase) +#wpa_psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef +#wpa_passphrase=secret passphrase + +# Optionally, WPA PSKs can be read from a separate text file (containing list +# of (PSK,MAC address) pairs. This allows more than one PSK to be configured. +# Use absolute path name to make sure that the files can be read on SIGHUP +# configuration reloads. +#wpa_psk_file=/etc/hostapd.wpa_psk + +# Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The +# entries are separated with a space. WPA-PSK-SHA256 and WPA-EAP-SHA256 can be +# added to enable SHA256-based stronger algorithms. +# (dot11RSNAConfigAuthenticationSuitesTable) +#wpa_key_mgmt=WPA-PSK WPA-EAP + +# Set of accepted cipher suites (encryption algorithms) for pairwise keys +# (unicast packets). This is a space separated list of algorithms: +# CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0] +# TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0] +# Group cipher suite (encryption algorithm for broadcast and multicast frames) +# is automatically selected based on this configuration. If only CCMP is +# allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise, +# TKIP will be used as the group cipher. +# (dot11RSNAConfigPairwiseCiphersTable) +# Pairwise cipher for WPA (v1) (default: TKIP) +#wpa_pairwise=TKIP CCMP +# Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value) +#rsn_pairwise=CCMP + +# Time interval for rekeying GTK (broadcast/multicast encryption keys) in +# seconds. (dot11RSNAConfigGroupRekeyTime) +#wpa_group_rekey=600 + +# Rekey GTK when any STA that possesses the current GTK is leaving the BSS. +# (dot11RSNAConfigGroupRekeyStrict) +#wpa_strict_rekey=1 + +# Time interval for rekeying GMK (master key used internally to generate GTKs +# (in seconds). +#wpa_gmk_rekey=86400 + +# Maximum lifetime for PTK in seconds. This can be used to enforce rekeying of +# PTK to mitigate some attacks against TKIP deficiencies. +#wpa_ptk_rekey=600 + +# Enable IEEE 802.11i/RSN/WPA2 pre-authentication. This is used to speed up +# roaming be pre-authenticating IEEE 802.1X/EAP part of the full RSN +# authentication and key handshake before actually associating with a new AP. +# (dot11RSNAPreauthenticationEnabled) +#rsn_preauth=1 +# +# Space separated list of interfaces from which pre-authentication frames are +# accepted (e.g., 'eth0' or 'eth0 wlan0wds0'. This list should include all +# interface that are used for connections to other APs. This could include +# wired interfaces and WDS links. The normal wireless data interface towards +# associated stations (e.g., wlan0) should not be added, since +# pre-authentication is only used with APs other than the currently associated +# one. +#rsn_preauth_interfaces=eth0 + +# peerkey: Whether PeerKey negotiation for direct links (IEEE 802.11e) is +# allowed. This is only used with RSN/WPA2. +# 0 = disabled (default) +# 1 = enabled +#peerkey=1 + +# ieee80211w: Whether management frame protection (MFP) is enabled +# 0 = disabled (default) +# 1 = optional +# 2 = required +#ieee80211w=0 + +# Association SA Query maximum timeout (in TU = 1.024 ms; for MFP) +# (maximum time to wait for a SA Query response) +# dot11AssociationSAQueryMaximumTimeout, 1...4294967295 +#assoc_sa_query_max_timeout=1000 + +# Association SA Query retry timeout (in TU = 1.024 ms; for MFP) +# (time between two subsequent SA Query requests) +# dot11AssociationSAQueryRetryTimeout, 1...4294967295 +#assoc_sa_query_retry_timeout=201 + +# disable_pmksa_caching: Disable PMKSA caching +# This parameter can be used to disable caching of PMKSA created through EAP +# authentication. RSN preauthentication may still end up using PMKSA caching if +# it is enabled (rsn_preauth=1). +# 0 = PMKSA caching enabled (default) +# 1 = PMKSA caching disabled +#disable_pmksa_caching=0 + +# okc: Opportunistic Key Caching (aka Proactive Key Caching) +# Allow PMK cache to be shared opportunistically among configured interfaces +# and BSSes (i.e., all configurations within a single hostapd process). +# 0 = disabled (default) +# 1 = enabled +#okc=1 + + +##### IEEE 802.11r configuration ############################################## + +# Mobility Domain identifier (dot11FTMobilityDomainID, MDID) +# MDID is used to indicate a group of APs (within an ESS, i.e., sharing the +# same SSID) between which a STA can use Fast BSS Transition. +# 2-octet identifier as a hex string. +#mobility_domain=a1b2 + +# PMK-R0 Key Holder identifier (dot11FTR0KeyHolderID) +# 1 to 48 octet identifier. +# This is configured with nas_identifier (see RADIUS client section above). + +# Default lifetime of the PMK-RO in minutes; range 1..65535 +# (dot11FTR0KeyLifetime) +#r0_key_lifetime=10000 + +# PMK-R1 Key Holder identifier (dot11FTR1KeyHolderID) +# 6-octet identifier as a hex string. +#r1_key_holder=000102030405 + +# Reassociation deadline in time units (TUs / 1.024 ms; range 1000..65535) +# (dot11FTReassociationDeadline) +#reassociation_deadline=1000 + +# List of R0KHs in the same Mobility Domain +# format: <MAC address> <NAS Identifier> <128-bit key as hex string> +# This list is used to map R0KH-ID (NAS Identifier) to a destination MAC +# address when requesting PMK-R1 key from the R0KH that the STA used during the +# Initial Mobility Domain Association. +#r0kh=02:01:02:03:04:05 r0kh-1.example.com 000102030405060708090a0b0c0d0e0f +#r0kh=02:01:02:03:04:06 r0kh-2.example.com 00112233445566778899aabbccddeeff +# And so on.. One line per R0KH. + +# List of R1KHs in the same Mobility Domain +# format: <MAC address> <R1KH-ID> <128-bit key as hex string> +# This list is used to map R1KH-ID to a destination MAC address when sending +# PMK-R1 key from the R0KH. This is also the list of authorized R1KHs in the MD +# that can request PMK-R1 keys. +#r1kh=02:01:02:03:04:05 02:11:22:33:44:55 000102030405060708090a0b0c0d0e0f +#r1kh=02:01:02:03:04:06 02:11:22:33:44:66 00112233445566778899aabbccddeeff +# And so on.. One line per R1KH. + +# Whether PMK-R1 push is enabled at R0KH +# 0 = do not push PMK-R1 to all configured R1KHs (default) +# 1 = push PMK-R1 to all configured R1KHs whenever a new PMK-R0 is derived +#pmk_r1_push=1 + +##### Neighbor table ########################################################## +# Maximum number of entries kept in AP table (either for neigbor table or for +# detecting Overlapping Legacy BSS Condition). The oldest entry will be +# removed when adding a new entry that would make the list grow over this +# limit. Note! WFA certification for IEEE 802.11g requires that OLBC is +# enabled, so this field should not be set to 0 when using IEEE 802.11g. +# default: 255 +#ap_table_max_size=255 + +# Number of seconds of no frames received after which entries may be deleted +# from the AP table. Since passive scanning is not usually performed frequently +# this should not be set to very small value. In addition, there is no +# guarantee that every scan cycle will receive beacon frames from the +# neighboring APs. +# default: 60 +#ap_table_expiration_time=3600 + + +##### Wi-Fi Protected Setup (WPS) ############################################# + +# WPS state +# 0 = WPS disabled (default) +# 1 = WPS enabled, not configured +# 2 = WPS enabled, configured +#wps_state=2 + +# AP can be configured into a locked state where new WPS Registrar are not +# accepted, but previously authorized Registrars (including the internal one) +# can continue to add new Enrollees. +#ap_setup_locked=1 + +# Universally Unique IDentifier (UUID; see RFC 4122) of the device +# This value is used as the UUID for the internal WPS Registrar. If the AP +# is also using UPnP, this value should be set to the device's UPnP UUID. +# If not configured, UUID will be generated based on the local MAC address. +#uuid=12345678-9abc-def0-1234-56789abcdef0 + +# Note: If wpa_psk_file is set, WPS is used to generate random, per-device PSKs +# that will be appended to the wpa_psk_file. If wpa_psk_file is not set, the +# default PSK (wpa_psk/wpa_passphrase) will be delivered to Enrollees. Use of +# per-device PSKs is recommended as the more secure option (i.e., make sure to +# set wpa_psk_file when using WPS with WPA-PSK). + +# When an Enrollee requests access to the network with PIN method, the Enrollee +# PIN will need to be entered for the Registrar. PIN request notifications are +# sent to hostapd ctrl_iface monitor. In addition, they can be written to a +# text file that could be used, e.g., to populate the AP administration UI with +# pending PIN requests. If the following variable is set, the PIN requests will +# be written to the configured file. +#wps_pin_requests=/var/run/hostapd_wps_pin_requests + +# Device Name +# User-friendly description of device; up to 32 octets encoded in UTF-8 +#device_name=Wireless AP + +# Manufacturer +# The manufacturer of the device (up to 64 ASCII characters) +#manufacturer=Company + +# Model Name +# Model of the device (up to 32 ASCII characters) +#model_name=WAP + +# Model Number +# Additional device description (up to 32 ASCII characters) +#model_number=123 + +# Serial Number +# Serial number of the device (up to 32 characters) +#serial_number=12345 + +# Primary Device Type +# Used format: <categ>-<OUI>-<subcateg> +# categ = Category as an integer value +# OUI = OUI and type octet as a 4-octet hex-encoded value; 0050F204 for +# default WPS OUI +# subcateg = OUI-specific Sub Category as an integer value +# Examples: +# 1-0050F204-1 (Computer / PC) +# 1-0050F204-2 (Computer / Server) +# 5-0050F204-1 (Storage / NAS) +# 6-0050F204-1 (Network Infrastructure / AP) +#device_type=6-0050F204-1 + +# OS Version +# 4-octet operating system version number (hex string) +#os_version=01020300 + +# Config Methods +# List of the supported configuration methods +# Available methods: usba ethernet label display ext_nfc_token int_nfc_token +# nfc_interface push_button keypad virtual_display physical_display +# virtual_push_button physical_push_button +#config_methods=label virtual_display virtual_push_button keypad + +# WPS capability discovery workaround for PBC with Windows 7 +# Windows 7 uses incorrect way of figuring out AP's WPS capabilities by acting +# as a Registrar and using M1 from the AP. The config methods attribute in that +# message is supposed to indicate only the configuration method supported by +# the AP in Enrollee role, i.e., to add an external Registrar. For that case, +# PBC shall not be used and as such, the PushButton config method is removed +# from M1 by default. If pbc_in_m1=1 is included in the configuration file, +# the PushButton config method is left in M1 (if included in config_methods +# parameter) to allow Windows 7 to use PBC instead of PIN (e.g., from a label +# in the AP). +#pbc_in_m1=1 + +# Static access point PIN for initial configuration and adding Registrars +# If not set, hostapd will not allow external WPS Registrars to control the +# access point. The AP PIN can also be set at runtime with hostapd_cli +# wps_ap_pin command. Use of temporary (enabled by user action) and random +# AP PIN is much more secure than configuring a static AP PIN here. As such, +# use of the ap_pin parameter is not recommended if the AP device has means for +# displaying a random PIN. +#ap_pin=12345670 + +# Skip building of automatic WPS credential +# This can be used to allow the automatically generated Credential attribute to +# be replaced with pre-configured Credential(s). +#skip_cred_build=1 + +# Additional Credential attribute(s) +# This option can be used to add pre-configured Credential attributes into M8 +# message when acting as a Registrar. If skip_cred_build=1, this data will also +# be able to override the Credential attribute that would have otherwise been +# automatically generated based on network configuration. This configuration +# option points to an external file that much contain the WPS Credential +# attribute(s) as binary data. +#extra_cred=hostapd.cred + +# Credential processing +# 0 = process received credentials internally (default) +# 1 = do not process received credentials; just pass them over ctrl_iface to +# external program(s) +# 2 = process received credentials internally and pass them over ctrl_iface +# to external program(s) +# Note: With wps_cred_processing=1, skip_cred_build should be set to 1 and +# extra_cred be used to provide the Credential data for Enrollees. +# +# wps_cred_processing=1 will disabled automatic updates of hostapd.conf file +# both for Credential processing and for marking AP Setup Locked based on +# validation failures of AP PIN. An external program is responsible on updating +# the configuration appropriately in this case. +#wps_cred_processing=0 + +# AP Settings Attributes for M7 +# By default, hostapd generates the AP Settings Attributes for M7 based on the +# current configuration. It is possible to override this by providing a file +# with pre-configured attributes. This is similar to extra_cred file format, +# but the AP Settings attributes are not encapsulated in a Credential +# attribute. +#ap_settings=hostapd.ap_settings + +# WPS UPnP interface +# If set, support for external Registrars is enabled. +#upnp_iface=br0 + +# Friendly Name (required for UPnP) +# Short description for end use. Should be less than 64 characters. +#friendly_name=WPS Access Point + +# Manufacturer URL (optional for UPnP) +#manufacturer_url=http://www.example.com/ + +# Model Description (recommended for UPnP) +# Long description for end user. Should be less than 128 characters. +#model_description=Wireless Access Point + +# Model URL (optional for UPnP) +#model_url=http://www.example.com/model/ + +# Universal Product Code (optional for UPnP) +# 12-digit, all-numeric code that identifies the consumer package. +#upc=123456789012 + +##### Wi-Fi Direct (P2P) ###################################################### + +# Enable P2P Device management +#manage_p2p=1 + +# Allow cross connection +#allow_cross_connection=1 + +#### TDLS (IEEE 802.11z-2010) ################################################# + +# Prohibit use of TDLS in this BSS +#tdls_prohibit=1 + +# Prohibit use of TDLS Channel Switching in this BSS +#tdls_prohibit_chan_switch=1 + +##### IEEE 802.11v-2011 ####################################################### + +# Time advertisement +# 0 = disabled (default) +# 2 = UTC time at which the TSF timer is 0 +#time_advertisement=2 + +# Local time zone as specified in 8.3 of IEEE Std 1003.1-2004: +# stdoffset[dst[offset][,start[/time],end[/time]]] +#time_zone=EST5 + +##### IEEE 802.11u-2011 ####################################################### + +# Enable Interworking service +#interworking=1 + +# Access Network Type +# 0 = Private network +# 1 = Private network with guest access +# 2 = Chargeable public network +# 3 = Free public network +# 4 = Personal device network +# 5 = Emergency services only network +# 14 = Test or experimental +# 15 = Wildcard +#access_network_type=0 + +# Whether the network provides connectivity to the Internet +# 0 = Unspecified +# 1 = Network provides connectivity to the Internet +#internet=1 + +# Additional Step Required for Access +# Note: This is only used with open network, i.e., ASRA shall ne set to 0 if +# RSN is used. +#asra=0 + +# Emergency services reachable +#esr=0 + +# Unauthenticated emergency service accessible +#uesa=0 + +# Venue Info (optional) +# The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34. +# Example values (group,type): +# 0,0 = Unspecified +# 1,7 = Convention Center +# 1,13 = Coffee Shop +# 2,0 = Unspecified Business +# 7,1 Private Residence +#venue_group=7 +#venue_type=1 + +# Homogeneous ESS identifier (optional; dot11HESSID) +# If set, this shall be identifical to one of the BSSIDs in the homogeneous +# ESS and this shall be set to the same value across all BSSs in homogeneous +# ESS. +#hessid=02:03:04:05:06:07 + +# Roaming Consortium List +# Arbitrary number of Roaming Consortium OIs can be configured with each line +# adding a new OI to the list. The first three entries are available through +# Beacon and Probe Response frames. Any additional entry will be available only +# through ANQP queries. Each OI is between 3 and 15 octets and is configured a +# a hexstring. +#roaming_consortium=021122 +#roaming_consortium=2233445566 + +##### Multiple BSSID support ################################################## +# +# Above configuration is using the default interface (wlan#, or multi-SSID VLAN +# interfaces). Other BSSIDs can be added by using separator 'bss' with +# default interface name to be allocated for the data packets of the new BSS. +# +# hostapd will generate BSSID mask based on the BSSIDs that are +# configured. hostapd will verify that dev_addr & MASK == dev_addr. If this is +# not the case, the MAC address of the radio must be changed before starting +# hostapd (ifconfig wlan0 hw ether <MAC addr>). If a BSSID is configured for +# every secondary BSS, this limitation is not applied at hostapd and other +# masks may be used if the driver supports them (e.g., swap the locally +# administered bit) +# +# BSSIDs are assigned in order to each BSS, unless an explicit BSSID is +# specified using the 'bssid' parameter. +# If an explicit BSSID is specified, it must be chosen such that it: +# - results in a valid MASK that covers it and the dev_addr +# - is not the same as the MAC address of the radio +# - is not the same as any other explicitly specified BSSID +# +# Please note that hostapd uses some of the values configured for the first BSS +# as the defaults for the following BSSes. However, it is recommended that all +# BSSes include explicit configuration of all relevant configuration items. +# +#bss=wlan0_0 +#ssid=test2 +# most of the above items can be used here (apart from radio interface specific +# items, like channel) + +#bss=wlan0_1 +#bssid=00:13:10:95:fe:0b +# ... diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..294964fe7 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=pubkey + leftfirewall=yes + rightauth=eap-radius + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..390c42ccf --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/hosts/moon/etc/strongswan.conf @@ -0,0 +1,13 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + server = PH_IP_ALICE + filter_id = yes + } + } +} diff --git a/testing/tests/tnc/tnccs-11-supplicant/posttest.dat b/testing/tests/tnc/tnccs-11-supplicant/posttest.dat new file mode 100644 index 000000000..b55e0457c --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/posttest.dat @@ -0,0 +1,5 @@ +carol::killall wpa_supplicant +dave::killall wpa_supplicant +moon::killall hostapd +alice::killall radiusd +alice::rm /etc/freeradius/sites-enabled/inner-tunnel-second diff --git a/testing/tests/tnc/tnccs-11-supplicant/pretest.dat b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat new file mode 100644 index 000000000..ac03fedbb --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/pretest.dat @@ -0,0 +1,11 @@ +alice::ln -s /etc/freeradius/sites-available/inner-tunnel-second /etc/freeradius/sites-enabled/inner-tunnel-second +alice::cat /etc/freeradius/sites-enabled/inner-tunnel-second +alice::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties radiusd +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +moon::hostapd -B /etc/hostapd/hostapd.conf +carol::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0 +carol::sleep 4 +dave::LEAK_DETECTIVE_DISABLE=1 LOG4CXX_CONFIGURATION=/etc/tnc/log4cxx.properties wpa_supplicant -B -c /etc/wpa_supplicant.conf -D wired -i eth0 +dave::sleep 4 diff --git a/testing/tests/tnc/tnccs-11-supplicant/test.conf b/testing/tests/tnc/tnccs-11-supplicant/test.conf new file mode 100644 index 000000000..f23a19329 --- /dev/null +++ b/testing/tests/tnc/tnccs-11-supplicant/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS="alice" + diff --git a/testing/tests/tnc/tnccs-20-os/description.txt b/testing/tests/tnc/tnccs-20-os/description.txt index f660a0b63..941113434 100644 --- a/testing/tests/tnc/tnccs-20-os/description.txt +++ b/testing/tests/tnc/tnccs-20-os/description.txt @@ -10,7 +10,7 @@ exchange PA-TNC attributes. <b>carol</b> sends information on her operating system consisting of the PA-TNC attributes <em>Product Information</em>, <em>String Version</em>, <em>Numeric Version</em>, <em>Operational Status</em>, <em>Forwarding Enabled</em>, <em>Factory Default Password Enabled</em> -and <em>Device ID> up-front, whereas <b>dave</b> must be prompted by the IMV to do so via an +and <em>Device ID</em> up-front, whereas <b>dave</b> must be prompted by the IMV to do so via an <em>Attribute Request</em> PA-TNC attribute. <b>carol</b> is then prompted to send a list of installed packages using the <em>Installed Packages</em> PA-TNC attribute. Since <b>dave</b> successfully connected to the VPN gateway shortly before, no new list of installed packages is diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat index 0d3f55b45..21a7278d7 100644 --- a/testing/tests/tnc/tnccs-20-os/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat @@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon:: ipsec attest --sessions 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org - allow::YES +moon:: ipsec attest --sessions 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec attest --sessions 2> /dev/null::Debian 7.0 x86_64.*dave@strongswan.org - isolate::YES +moon:: ipsec attest --sessions 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql deleted file mode 100644 index d17aac15e..000000000 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql +++ /dev/null @@ -1,892 +0,0 @@ -/* Products */ - -INSERT INTO products ( /* 1 */ - name -) VALUES ( - 'Debian 6.0 i686' -); - -INSERT INTO products ( /* 2 */ - name -) VALUES ( - 'Debian 6.0 x86_64' -); - -INSERT INTO products ( /* 3 */ - name -) VALUES ( - 'Debian 7.0 i686' -); - -INSERT INTO products ( /* 4 */ - name -) VALUES ( - 'Debian 7.0 x86_64' -); - -INSERT INTO products ( /* 5 */ - name -) VALUES ( - 'Debian 8.0 i686' -); - -INSERT INTO products ( /* 6 */ - name -) VALUES ( - 'Debian 8.0 x86_64' -); - -INSERT INTO products ( /* 7 */ - name -) VALUES ( - 'Ubuntu 10.04 i686' -); - -INSERT INTO products ( /* 8 */ - name -) VALUES ( - 'Ubuntu 10.04 x86_64' -); - -INSERT INTO products ( /* 9 */ - name -) VALUES ( - 'Ubuntu 10.10 i686' -); - -INSERT INTO products ( /* 10 */ - name -) VALUES ( - 'Ubuntu 10.10 x86_64' -); - -INSERT INTO products ( /* 11 */ - name -) VALUES ( - 'Ubuntu 11.04 i686' -); - -INSERT INTO products ( /* 12 */ - name -) VALUES ( - 'Ubuntu 11.04 x86_64' -); - -INSERT INTO products ( /* 13 */ - name -) VALUES ( - 'Ubuntu 11.10 i686' -); - -INSERT INTO products ( /* 14 */ - name -) VALUES ( - 'Ubuntu 11.10 x86_64' -); - -INSERT INTO products ( /* 15 */ - name -) VALUES ( - 'Ubuntu 12.04 i686' -); - -INSERT INTO products ( /* 16 */ - name -) VALUES ( - 'Ubuntu 12.04 x86_64' -); - -INSERT INTO products ( /* 17 */ - name -) VALUES ( - 'Ubuntu 12.10 i686' -); - -INSERT INTO products ( /* 18 */ - name -) VALUES ( - 'Ubuntu 12.10 x86_64' -); - -INSERT INTO products ( /* 19 */ - name -) VALUES ( - 'Ubuntu 13.04 i686' -); - -INSERT INTO products ( /* 20 */ - name -) VALUES ( - 'Ubuntu 13.04 x86_64' -); - -INSERT INTO products ( /* 21 */ - name -) VALUES ( - 'Android 4.1.1' -); - -INSERT INTO products ( /* 22 */ - name -) VALUES ( - 'Android 4.2.1' -); - -/* Directories */ - -INSERT INTO directories ( /* 1 */ - path -) VALUES ( - '/bin' -); - -INSERT INTO directories ( /* 2 */ - path -) VALUES ( - '/etc' -); - -INSERT INTO directories ( /* 3 */ - path -) VALUES ( - '/lib' -); - -INSERT INTO directories ( /* 4 */ - path -) VALUES ( - '/lib/i386-linux-gnu' -); - -INSERT INTO directories ( /* 5 */ - path -) VALUES ( - '/lib/x86_64-linux-gnu' -); - -INSERT INTO directories ( /* 6 */ - path -) VALUES ( - '/lib/xtables' -); - -INSERT INTO directories ( /* 7 */ - path -) VALUES ( - '/sbin' -); - -INSERT INTO directories ( /* 8 */ - path -) VALUES ( - '/usr/bin' -); - -INSERT INTO directories ( /* 9 */ - path -) VALUES ( - '/usr/lib' -); - -INSERT INTO directories ( /* 10 */ - path -) VALUES ( - '/usr/lib/i386-linux-gnu' -); - -INSERT INTO directories ( /* 11 */ - path -) VALUES ( - '/usr/lib/x86_64-linux-gnu' -); - -INSERT INTO directories ( /* 12 */ - path -) VALUES ( - '/usr/sbin' -); - -INSERT INTO directories ( /* 13 */ - path -) VALUES ( - '/system/bin' -); - -INSERT INTO directories ( /* 14 */ - path -) VALUES ( - '/system/lib' -); - -/* Files */ - -INSERT INTO files ( /* 1 */ - name, dir -) VALUES ( - 'libcrypto.so.1.0.0', 5 -); - -INSERT INTO files ( /* 2 */ - name, dir -) VALUES ( - 'libcrypto.so.1.0.0', 11 -); - -INSERT INTO files ( /* 3 */ - name, dir -) VALUES ( - 'libssl.so.1.0.0', 5 -); - -INSERT INTO files ( /* 4 */ - name, dir -) VALUES ( - 'libssl.so.1.0.0', 11 -); - -INSERT INTO files ( /* 5 */ - name, dir -) VALUES ( - 'openssl', 8 -); - -INSERT INTO files ( /* 6 */ - name, dir -) VALUES ( - 'tnc_config', 2 -); - -/* Algorithms */ - -INSERT INTO algorithms ( - id, name -) VALUES ( - 65536, 'SHA1-IMA' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 32768, 'SHA1' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 16384, 'SHA256' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 8192, 'SHA384' -); - -/* File Hashes */ - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' -); - -/* Packages */ - -INSERT INTO packages ( /* 1 */ - name -) VALUES ( - 'libssl-dev' -); - -INSERT INTO packages ( /* 2 */ - name -) VALUES ( - 'libssl1.0.0' -); - -INSERT INTO packages ( /* 3 */ - name -) VALUES ( - 'libssl1.0.0-dbg' -); - -INSERT INTO packages ( /* 4 */ - name -) VALUES ( - 'openssl' -); - -/* Versions */ - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 1, 4, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 2, 4, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 3, 4, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 4, 4, '1.0.1e-2', 1366531494 -); - -/* Components */ - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 1, 33 /* ITA TGRUB */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 2, 33 /* ITA TBOOT */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 3, 33 /* ITA IMA - Trusted Platform */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 3, 34 /* ITA IMA - Operating System */ -); - -/* Groups */ - -INSERT INTO groups ( /* 1 */ - name -) VALUES ( - 'Default' -); - -INSERT INTO groups ( /* 2 */ - name, parent -) VALUES ( - 'Linux', 1 -); - -INSERT INTO groups ( /* 3 */ - name, parent -) VALUES ( - 'Android', 1 -); - -INSERT INTO groups ( /* 4 */ - name, parent -) VALUES ( - 'Debian i686', 2 -); - -INSERT INTO groups ( /* 5 */ - name, parent -) VALUES ( - 'Debian x86_64', 2 -); - -INSERT INTO groups ( /* 6 */ - name, parent -) VALUES ( - 'Ubuntu i686', 2 -); - -INSERT INTO groups ( /* 7 */ - name, parent -) VALUES ( - 'Ubuntu x86_64', 2 -); - -INSERT INTO groups ( /* 8 */ - name -) VALUES ( - 'Reference' -); - -INSERT INTO groups ( /* 9 */ - name, parent -) VALUES ( - 'Ref. Android', 8 -); - -INSERT INTO groups ( /* 10 */ - name, parent -) VALUES ( - 'Ref. Linux', 8 -); - -/* Default Product Groups */ - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 1 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 3 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 5 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 5, 2 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 5, 4 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 5, 6 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 7 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 9 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 11 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 13 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 15 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 17 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 19 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 8 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 10 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 12 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 14 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 16 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 18 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 20 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 21 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 22 -); - -/* Devices */ - -INSERT INTO devices ( /* 1 */ - value, product, created -) VALUES ( - 'aabbccddeeff11223344556677889900', 4, 1372330615 -); - -/* Groups Members */ - -INSERT INTO groups_members ( - group_id, device_id -) VALUES ( - 5, 1 -); - -/* Identities */ - -INSERT INTO identities ( - type, value -) VALUES ( /* dave@strongswan.org */ - 4, X'64617665407374726f6e677377616e2e6f7267' -); - -/* Sessions */ - -INSERT INTO sessions ( - time, connection, identity, device, product, rec -) VALUES ( - NOW, 1, 1, 1, 4, 0 -); - -/* Results */ - -INSERT INTO results ( - session, policy, rec, result -) VALUES ( - 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found' -); - -/* Policies */ - -INSERT INTO policies ( /* 1 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 1, 'Installed Packages', 2, 2 -); - -INSERT INTO policies ( /* 2 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 2, 'Unknown Source', 2, 2 -); - -INSERT INTO policies ( /* 3 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 3, 'IP Forwarding Enabled', 1, 1 -); - -INSERT INTO policies ( /* 4 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 4, 'Default Factory Password Enabled', 1, 1 -); - -INSERT INTO policies ( /* 5 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2 -); - -INSERT INTO policies ( /* 6 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2 -); - -INSERT INTO policies ( /* 7 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/bin/openssl', 5, 2, 2 -); - -INSERT INTO policies ( /* 8 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 11, 'No Open TCP Ports', 1, 1 -); - -INSERT INTO policies ( /* 9 */ - type, name, argument, rec_fail, rec_noresult -) VALUES ( - 13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1 -); - -INSERT INTO policies ( /* 10 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 7, 'Metadata of /etc/tnc_config', 6, 0, 0 -); - -INSERT INTO policies ( /* 11 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 8, 'Get /bin', 1, 0, 0 -); - -INSERT INTO policies ( /* 12 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2 -); - -INSERT INTO policies ( /* 13 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2 -); - -INSERT INTO policies ( /* 14 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 8, 'Get /system/bin', 13, 0, 0 -); - -INSERT INTO policies ( /* 15 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 8, 'Get /system/lib', 14, 0, 0 -); - -INSERT INTO policies ( /* 16 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 9, 'Measure /bin', 1, 2, 2 -); - -/* Enforcements */ - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 1, 1, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 2, 3, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age, rec_fail, rec_noresult -) VALUES ( - 3, 2, 0, 2, 2 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 5, 7, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 6, 7, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 7, 2, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 8, 1, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 9, 1, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 10, 2, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 11, 10, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 12, 5, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 13, 5, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 14, 9, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 15, 9, 0 -); - diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql~ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql~ deleted file mode 100644 index 7373dd4b6..000000000 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data.sql~ +++ /dev/null @@ -1,852 +0,0 @@ -/* Products */ - -INSERT INTO products ( /* 1 */ - name -) VALUES ( - 'Debian 6.0 i686' -); - -INSERT INTO products ( /* 2 */ - name -) VALUES ( - 'Debian 6.0 x86_64' -); - -INSERT INTO products ( /* 3 */ - name -) VALUES ( - 'Debian 7.0 i686' -); - -INSERT INTO products ( /* 4 */ - name -) VALUES ( - 'Debian 7.0 x86_64' -); - -INSERT INTO products ( /* 5 */ - name -) VALUES ( - 'Debian 8.0 i686' -); - -INSERT INTO products ( /* 6 */ - name -) VALUES ( - 'Debian 8.0 x86_64' -); - -INSERT INTO products ( /* 7 */ - name -) VALUES ( - 'Ubuntu 10.04 i686' -); - -INSERT INTO products ( /* 8 */ - name -) VALUES ( - 'Ubuntu 10.04 x86_64' -); - -INSERT INTO products ( /* 9 */ - name -) VALUES ( - 'Ubuntu 10.10 i686' -); - -INSERT INTO products ( /* 10 */ - name -) VALUES ( - 'Ubuntu 10.10 x86_64' -); - -INSERT INTO products ( /* 11 */ - name -) VALUES ( - 'Ubuntu 11.04 i686' -); - -INSERT INTO products ( /* 12 */ - name -) VALUES ( - 'Ubuntu 11.04 x86_64' -); - -INSERT INTO products ( /* 13 */ - name -) VALUES ( - 'Ubuntu 11.10 i686' -); - -INSERT INTO products ( /* 14 */ - name -) VALUES ( - 'Ubuntu 11.10 x86_64' -); - -INSERT INTO products ( /* 15 */ - name -) VALUES ( - 'Ubuntu 12.04 i686' -); - -INSERT INTO products ( /* 16 */ - name -) VALUES ( - 'Ubuntu 12.04 x86_64' -); - -INSERT INTO products ( /* 17 */ - name -) VALUES ( - 'Ubuntu 12.10 i686' -); - -INSERT INTO products ( /* 18 */ - name -) VALUES ( - 'Ubuntu 12.10 x86_64' -); - -INSERT INTO products ( /* 19 */ - name -) VALUES ( - 'Ubuntu 13.04 i686' -); - -INSERT INTO products ( /* 20 */ - name -) VALUES ( - 'Ubuntu 13.04 x86_64' -); - -INSERT INTO products ( /* 21 */ - name -) VALUES ( - 'Android 4.1.1' -); - -INSERT INTO products ( /* 22 */ - name -) VALUES ( - 'Android 4.2.1' -); - -/* Directories */ - -INSERT INTO directories ( /* 1 */ - path -) VALUES ( - '/bin' -); - -INSERT INTO directories ( /* 2 */ - path -) VALUES ( - '/etc' -); - -INSERT INTO directories ( /* 3 */ - path -) VALUES ( - '/lib' -); - -INSERT INTO directories ( /* 4 */ - path -) VALUES ( - '/lib/i386-linux-gnu' -); - -INSERT INTO directories ( /* 5 */ - path -) VALUES ( - '/lib/x86_64-linux-gnu' -); - -INSERT INTO directories ( /* 6 */ - path -) VALUES ( - '/lib/xtables' -); - -INSERT INTO directories ( /* 7 */ - path -) VALUES ( - '/sbin' -); - -INSERT INTO directories ( /* 8 */ - path -) VALUES ( - '/usr/bin' -); - -INSERT INTO directories ( /* 9 */ - path -) VALUES ( - '/usr/lib' -); - -INSERT INTO directories ( /* 10 */ - path -) VALUES ( - '/usr/lib/i386-linux-gnu' -); - -INSERT INTO directories ( /* 11 */ - path -) VALUES ( - '/usr/lib/x86_64-linux-gnu' -); - -INSERT INTO directories ( /* 12 */ - path -) VALUES ( - '/usr/sbin' -); - -INSERT INTO directories ( /* 13 */ - path -) VALUES ( - '/system/bin' -); - -INSERT INTO directories ( /* 14 */ - path -) VALUES ( - '/system/lib' -); - -/* Files */ - -INSERT INTO files ( /* 1 */ - name, dir -) VALUES ( - 'libcrypto.so.1.0.0', 5 -); - -INSERT INTO files ( /* 2 */ - name, dir -) VALUES ( - 'libcrypto.so.1.0.0', 11 -); - -INSERT INTO files ( /* 3 */ - name, dir -) VALUES ( - 'libssl.so.1.0.0', 5 -); - -INSERT INTO files ( /* 4 */ - name, dir -) VALUES ( - 'libssl.so.1.0.0', 11 -); - -INSERT INTO files ( /* 5 */ - name, dir -) VALUES ( - 'openssl', 8 -); - -INSERT INTO files ( /* 6 */ - name, dir -) VALUES ( - 'tnc_config', 2 -); - -/* Algorithms */ - -INSERT INTO algorithms ( - id, name -) VALUES ( - 65536, 'SHA1-IMA' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 32768, 'SHA1' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 16384, 'SHA256' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 8192, 'SHA384' -); - -/* File Hashes */ - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' -); - -/* Packages */ - -INSERT INTO packages ( /* 1 */ - name -) VALUES ( - 'libssl-dev' -); - -INSERT INTO packages ( /* 2 */ - name -) VALUES ( - 'libssl1.0.0' -); - -INSERT INTO packages ( /* 3 */ - name -) VALUES ( - 'libssl1.0.0-dbg' -); - -INSERT INTO packages ( /* 4 */ - name -) VALUES ( - 'openssl' -); - -/* Versions */ - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 1, 4, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 2, 4, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 3, 4, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 4, 4, '1.0.1e-2', 1366531494 -); - -/* Components */ - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 1, 33 /* ITA TGRUB */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 2, 33 /* ITA TBOOT */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 3, 33 /* ITA IMA - Trusted Platform */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 3, 34 /* ITA IMA - Operating System */ -); - -/* Groups */ - -INSERT INTO groups ( /* 1 */ - name -) VALUES ( - 'Default' -); - -INSERT INTO groups ( /* 2 */ - name, parent -) VALUES ( - 'Linux', 1 -); - -INSERT INTO groups ( /* 3 */ - name, parent -) VALUES ( - 'Android', 1 -); - -INSERT INTO groups ( /* 4 */ - name, parent -) VALUES ( - 'Debian i686', 2 -); - -INSERT INTO groups ( /* 5 */ - name, parent -) VALUES ( - 'Debian x86_64', 2 -); - -INSERT INTO groups ( /* 6 */ - name, parent -) VALUES ( - 'Ubuntu i686', 2 -); - -INSERT INTO groups ( /* 7 */ - name, parent -) VALUES ( - 'Ubuntu x86_64', 2 -); - -INSERT INTO groups ( /* 8 */ - name -) VALUES ( - 'Reference' -); - -INSERT INTO groups ( /* 9 */ - name, parent -) VALUES ( - 'Ref. Android', 8 -); - -INSERT INTO groups ( /* 10 */ - name, parent -) VALUES ( - 'Ref. Linux', 8 -); - -/* Default Product Groups */ - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 1 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 3 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 5 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 5, 2 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 5, 4 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 5, 6 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 7 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 9 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 11 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 13 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 15 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 17 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 19 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 8 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 10 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 12 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 14 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 16 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 18 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 20 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 21 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 22 -); - -/* Policies */ - -INSERT INTO policies ( /* 1 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 1, 'Installed Packages', 2, 2 -); - -INSERT INTO policies ( /* 2 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 2, 'Unknown Source', 2, 2 -); - -INSERT INTO policies ( /* 3 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 3, 'IP Forwarding Enabled', 1, 1 -); - -INSERT INTO policies ( /* 4 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 4, 'Default Factory Password Enabled', 1, 1 -); - -INSERT INTO policies ( /* 5 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2 -); - -INSERT INTO policies ( /* 6 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2 -); - -INSERT INTO policies ( /* 7 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/bin/openssl', 5, 2, 2 -); - -INSERT INTO policies ( /* 8 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 11, 'No Open TCP Ports', 1, 1 -); - -INSERT INTO policies ( /* 9 */ - type, name, argument, rec_fail, rec_noresult -) VALUES ( - 13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1 -); - -INSERT INTO policies ( /* 10 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 7, 'Metadata of /etc/tnc_config', 6, 0, 0 -); - -INSERT INTO policies ( /* 11 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 8, 'Get /bin', 1, 0, 0 -); - -INSERT INTO policies ( /* 12 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2 -); - -INSERT INTO policies ( /* 13 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2 -); - -INSERT INTO policies ( /* 14 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 8, 'Get /system/bin', 13, 0, 0 -); - -INSERT INTO policies ( /* 15 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 8, 'Get /system/lib', 14, 0, 0 -); - -INSERT INTO policies ( /* 16 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 9, 'Measure /bin', 1, 2, 2 -); - -/* Enforcements */ - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 1, 1, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 2, 3, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age, rec_fail, rec_noresult -) VALUES ( - 3, 2, 0, 2, 2 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 5, 7, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 6, 7, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 7, 2, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 8, 1, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 9, 1, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 10, 2, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 11, 10, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 12, 5, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 13, 5, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 14, 9, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 15, 9, 0 -); - diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql new file mode 100644 index 000000000..6682a5a1c --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql @@ -0,0 +1,45 @@ +/* Devices */ + +INSERT INTO devices ( /* 1 */ + value, product, created +) VALUES ( + 'aabbccddeeff11223344556677889900', 28, 1372330615 +); + +/* Groups Members */ + +INSERT INTO groups_members ( + group_id, device_id +) VALUES ( + 5, 1 +); + +/* Identities */ + +INSERT INTO identities ( + type, value +) VALUES ( /* dave@strongswan.org */ + 4, X'64617665407374726f6e677377616e2e6f7267' +); + +/* Sessions */ + +INSERT INTO sessions ( + time, connection, identity, device, product, rec +) VALUES ( + NOW, 1, 1, 1, 28, 0 +); + +/* Results */ + +INSERT INTO results ( + session, policy, rec, result +) VALUES ( + 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found' +); + +/* Enforcements */ + +UPDATE enforcements SET + rec_fail = 2, rec_noresult = 2 +WHERE id = 3; diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat index 333ac7462..e1434e481 100644 --- a/testing/tests/tnc/tnccs-20-os/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os/pretest.dat @@ -3,7 +3,8 @@ carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id -moon::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db +moon::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql +moon::cd /etc/pts; cat tables.sql data.sql data1.sql | sqlite3 config.db moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config @@ -14,6 +15,6 @@ carol::sleep 1 carol::ipsec up home dave::ipsec up home dave::sleep 1 -moon::ipsec attest --packages --product 'Debian 7.0 x86_64' +moon::ipsec attest --packages --product 'Debian 7.2 x86_64' moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat index f028ec609..505a4d079 100644 --- a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat @@ -1,8 +1,10 @@ carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf index 70da7766a..ec4956c31 100644 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf @@ -13,7 +13,9 @@ charon { } tnc-pdp { server = aaa.strongswan.org - secret = gv6URkSs + radius { + secret = gv6URkSs + } } } } diff --git a/testing/tests/tnc/tnccs-20-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-pt-tls/description.txt new file mode 100644 index 000000000..45a77e900 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/description.txt @@ -0,0 +1,9 @@ +The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision +point (PDP) <b>alice</b>. <b>carol</b> uses password-based SASL PLAIN client authentication during the +<b>PT-TLS negotiation phase</b> and <b>dave</b> uses certificate-based TLS client authentication during the +<b>TLS setup phase</b>. +<p/> +During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWID</b> IMC/IMV pairs +loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages +embedded in PB-TNC (RFC 5793) batches. The <b>SWID</b> IMC on <b>carol</b> is requested to deliver +a concise <b>SWID Tag ID Inventory</b> whereas <b>dave</b> must send a full <b>SWID Tag Inventory</b>. diff --git a/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat new file mode 100644 index 000000000..3139ca082 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat @@ -0,0 +1,12 @@ +alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES +alice:: cat /var/log/daemon.log::SASL PLAIN authentication successful::YES +alice:: cat /var/log/daemon.log::SASL client identity is.*carol::YES +alice:: cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES +alice:: cat /var/log/daemon.log::received SWID tag ID inventory for request 6 at eid 1 of epoch::YES +alice:: cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-.*.swidtag::YES +alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES +alice:: cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES +alice:: cat /var/log/daemon.log::certificate status is good::YES +alice:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES +alice:: cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES +alice:: cat /var/log/daemon.log::received SWID tag inventory for request 11 at eid 1 of epoch::YES diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..d8b84334a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf @@ -0,0 +1,9 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tls 2, tnc 3, imv 3" + +conn aaa + leftcert=aaaCert.pem + leftid=aaa.strongswan.org + auto=add diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem new file mode 100644 index 000000000..6aeb0c0b1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R +RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm +Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W +Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF +AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni +wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg +EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y +Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa +yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp +iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2 +bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d +HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr +EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4 +v42sww== +-----END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem new file mode 100644 index 000000000..da8cdb051 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx +bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh +9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ +/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp +NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR +BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds +Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi +NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV +IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3 +Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI +aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X +YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq +b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If +/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN +P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X +V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t +cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c +PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m +a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo +NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b +xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/ +J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5 +YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ +SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu +EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..11d45cd14 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA aaaKey.pem + +carol : EAP "Ar3etTnp" +dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules new file mode 100644 index 000000000..5b275392b --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow PT-TLS +-A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +COMMIT diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql new file mode 100644 index 000000000..71592211b --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql @@ -0,0 +1,61 @@ +/* Devices */ + +INSERT INTO devices ( /* 1 */ + value, product, created +) VALUES ( + 'aabbccddeeff11223344556677889900', 28, 1372330615 +); + +/* Groups Members */ + +INSERT INTO groups_members ( + group_id, device_id +) VALUES ( + 10, 1 +); + +/* Identities */ + +INSERT INTO identities ( + type, value +) VALUES ( /* dave@strongswan.org */ + 4, X'64617665407374726f6e677377616e2e6f7267' +); + +/* Sessions */ + +INSERT INTO sessions ( + time, connection, identity, device, product, rec +) VALUES ( + NOW, 1, 1, 1, 28, 0 +); + +/* Results */ + +INSERT INTO results ( + session, policy, rec, result +) VALUES ( + 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found' +); + +/* Enforcements */ + +INSERT INTO enforcements ( + policy, group_id, max_age, rec_fail, rec_noresult +) VALUES ( + 3, 10, 0, 2, 2 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 17, 2, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 18, 10, 86400 +); + +DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..21961d4b1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf @@ -0,0 +1,28 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 nonce x509 revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite + + plugins { + tnc-pdp { + server = aaa.strongswan.org + radius { + secret = gv6URkSs + } + } + } +} + +libtnccs { + plugins { + tnccs-20 { + max_batch_size = 131056 + max_message_size = 131024 + } + } +} + +libimcv { + database = sqlite:///etc/pts/config.db + policy_script = ipsec imv_policy_manager +} diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..ebe88bc99 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan client + +IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so +IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..4a41e7ed9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf @@ -0,0 +1,3 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +# the PT-TLS client reads its configuration via the command line diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..d2f6378b8 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# the PT-TLS client loads its secrets via the command line diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql new file mode 100644 index 000000000..805c8bfd9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql @@ -0,0 +1,4 @@ +/* strongSwan SQLite database */ + +/* configuration is read from the command line */ +/* credentials are read from the command line */ diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules new file mode 100644 index 000000000..d01d0a3c9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow PT-TLS +-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT +-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +COMMIT diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options new file mode 100644 index 000000000..f04e9472a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options @@ -0,0 +1,5 @@ +--connect aaa.strongswan.org +--client carol +--secret "Ar3etTnp" +--cert /etc/ipsec.d/cacerts/strongswanCert.pem +--debug 2 diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..de2fea244 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf @@ -0,0 +1,25 @@ +# /etc/strongswan.conf - strongSwan configuration file + +libimcv { + plugins { + imc-os { + push_info = yes + } + imc-swid { + #swid_directory = /usr/share + } + } +} + +libtnccs { + plugins { + tnccs-20 { + max_batch_size = 131056 + max_message_size = 131024 + } + } +} + +pt-tls-client { + load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20 +} diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..f40174e57 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..4a41e7ed9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf @@ -0,0 +1,3 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +# the PT-TLS client reads its configuration via the command line diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..d2f6378b8 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# the PT-TLS client loads its secrets via the command line diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql new file mode 100644 index 000000000..805c8bfd9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql @@ -0,0 +1,4 @@ +/* strongSwan SQLite database */ + +/* configuration is read from the command line */ +/* credentials are read from the command line */ diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules new file mode 100644 index 000000000..d01d0a3c9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow PT-TLS +-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT +-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +COMMIT diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options new file mode 100644 index 000000000..46821ec73 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options @@ -0,0 +1,6 @@ +--connect aaa.strongswan.org +--client dave@strongswan.org +--key /etc/ipsec.d/private/daveKey.pem +--cert /etc/ipsec.d/certs/daveCert.pem +--cert /etc/ipsec.d/cacerts/strongswanCert.pem +--debug 2 diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..39b2577ae --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf @@ -0,0 +1,22 @@ +# /etc/strongswan.conf - strongSwan configuration file + +libimcv { + plugins { + imc-os { + push_info = no + } + } +} + +libtnccs { + plugins { + tnccs-20 { + max_batch_size = 131056 + max_message_size = 131024 + } + } +} + +pt-tls-client { + load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20 +} diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..f40174e57 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so diff --git a/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat new file mode 100644 index 000000000..c98df8671 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat @@ -0,0 +1,8 @@ +carol::ip route del 10.1.0.0/16 via 192.168.0.1 +dave::ip route del 10.1.0.0/16 via 192.168.0.1 +winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 +alice::ipsec stop +alice::rm /etc/pts/config.db +alice::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat new file mode 100644 index 000000000..2a53977c0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat @@ -0,0 +1,19 @@ +alice::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +carol::echo 0 > /proc/sys/net/ipv4/ip_forward +dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id +dave::cat /etc/tnc_config +alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data.sql +alice::cd /etc/pts; cat tables.sql data.sql data1.sql | sqlite3 config.db +alice::ipsec start +winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 +carol::ip route add 10.1.0.0/16 via 192.168.0.1 +carol::cat /etc/pts/options +carol::ipsec pt-tls-client --optionsfrom /etc/pts/options +dave::ip route add 10.1.0.0/16 via 192.168.0.1 +dave::cat /etc/pts/options +dave::ipsec pt-tls-client --optionsfrom /etc/pts/options +dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pt-tls/test.conf new file mode 100644 index 000000000..0887e4d09 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pt-tls/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="carol dave alice" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat index 100754332..5eb944055 100644 --- a/testing/tests/tnc/tnccs-20-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat @@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon:: ipsec attest --session 2> /dev/null::Debian 7.0 x86_64.*carol@strongswan.org - allow::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec attest --session 2> /dev/null::Debian 7.0 x86_64.*dave@strongswan.org - isolate::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql deleted file mode 100644 index 090eb47ff..000000000 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data.sql +++ /dev/null @@ -1,873 +0,0 @@ -/* Products */ - -INSERT INTO products ( /* 1 */ - name -) VALUES ( - 'Debian 6.0 i686' -); - -INSERT INTO products ( /* 2 */ - name -) VALUES ( - 'Debian 6.0 x86_64' -); - -INSERT INTO products ( /* 3 */ - name -) VALUES ( - 'Debian 7.0 i686' -); - -INSERT INTO products ( /* 4 */ - name -) VALUES ( - 'Debian 7.0 x86_64' -); - -INSERT INTO products ( /* 5 */ - name -) VALUES ( - 'Debian 8.0 i686' -); - -INSERT INTO products ( /* 6 */ - name -) VALUES ( - 'Debian 8.0 x86_64' -); - -INSERT INTO products ( /* 7 */ - name -) VALUES ( - 'Ubuntu 10.04 i686' -); - -INSERT INTO products ( /* 8 */ - name -) VALUES ( - 'Ubuntu 10.04 x86_64' -); - -INSERT INTO products ( /* 9 */ - name -) VALUES ( - 'Ubuntu 10.10 i686' -); - -INSERT INTO products ( /* 10 */ - name -) VALUES ( - 'Ubuntu 10.10 x86_64' -); - -INSERT INTO products ( /* 11 */ - name -) VALUES ( - 'Ubuntu 11.04 i686' -); - -INSERT INTO products ( /* 12 */ - name -) VALUES ( - 'Ubuntu 11.04 x86_64' -); - -INSERT INTO products ( /* 13 */ - name -) VALUES ( - 'Ubuntu 11.10 i686' -); - -INSERT INTO products ( /* 14 */ - name -) VALUES ( - 'Ubuntu 11.10 x86_64' -); - -INSERT INTO products ( /* 15 */ - name -) VALUES ( - 'Ubuntu 12.04 i686' -); - -INSERT INTO products ( /* 16 */ - name -) VALUES ( - 'Ubuntu 12.04 x86_64' -); - -INSERT INTO products ( /* 17 */ - name -) VALUES ( - 'Ubuntu 12.10 i686' -); - -INSERT INTO products ( /* 18 */ - name -) VALUES ( - 'Ubuntu 12.10 x86_64' -); - -INSERT INTO products ( /* 19 */ - name -) VALUES ( - 'Ubuntu 13.04 i686' -); - -INSERT INTO products ( /* 20 */ - name -) VALUES ( - 'Ubuntu 13.04 x86_64' -); - -INSERT INTO products ( /* 21 */ - name -) VALUES ( - 'Android 4.1.1' -); - -INSERT INTO products ( /* 22 */ - name -) VALUES ( - 'Android 4.2.1' -); - -/* Directories */ - -INSERT INTO directories ( /* 1 */ - path -) VALUES ( - '/bin' -); - -INSERT INTO directories ( /* 2 */ - path -) VALUES ( - '/etc' -); - -INSERT INTO directories ( /* 3 */ - path -) VALUES ( - '/lib' -); - -INSERT INTO directories ( /* 4 */ - path -) VALUES ( - '/lib/i386-linux-gnu' -); - -INSERT INTO directories ( /* 5 */ - path -) VALUES ( - '/lib/x86_64-linux-gnu' -); - -INSERT INTO directories ( /* 6 */ - path -) VALUES ( - '/lib/xtables' -); - -INSERT INTO directories ( /* 7 */ - path -) VALUES ( - '/sbin' -); - -INSERT INTO directories ( /* 8 */ - path -) VALUES ( - '/usr/bin' -); - -INSERT INTO directories ( /* 9 */ - path -) VALUES ( - '/usr/lib' -); - -INSERT INTO directories ( /* 10 */ - path -) VALUES ( - '/usr/lib/i386-linux-gnu' -); - -INSERT INTO directories ( /* 11 */ - path -) VALUES ( - '/usr/lib/x86_64-linux-gnu' -); - -INSERT INTO directories ( /* 12 */ - path -) VALUES ( - '/usr/sbin' -); - -INSERT INTO directories ( /* 13 */ - path -) VALUES ( - '/system/bin' -); - -INSERT INTO directories ( /* 14 */ - path -) VALUES ( - '/system/lib' -); - -/* Files */ - -INSERT INTO files ( /* 1 */ - name, dir -) VALUES ( - 'libcrypto.so.1.0.0', 5 -); - -INSERT INTO files ( /* 2 */ - name, dir -) VALUES ( - 'libcrypto.so.1.0.0', 11 -); - -INSERT INTO files ( /* 3 */ - name, dir -) VALUES ( - 'libssl.so.1.0.0', 5 -); - -INSERT INTO files ( /* 4 */ - name, dir -) VALUES ( - 'libssl.so.1.0.0', 11 -); - -INSERT INTO files ( /* 5 */ - name, dir -) VALUES ( - 'openssl', 8 -); - -INSERT INTO files ( /* 6 */ - name, dir -) VALUES ( - 'tnc_config', 2 -); - -/* Algorithms */ - -INSERT INTO algorithms ( - id, name -) VALUES ( - 65536, 'SHA1-IMA' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 32768, 'SHA1' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 16384, 'SHA256' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 8192, 'SHA384' -); - -/* File Hashes */ - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' -); - -/* Packages */ - -INSERT INTO packages ( /* 1 */ - name -) VALUES ( - 'libssl-dev' -); - -INSERT INTO packages ( /* 2 */ - name -) VALUES ( - 'libssl1.0.0' -); - -INSERT INTO packages ( /* 3 */ - name -) VALUES ( - 'libssl1.0.0-dbg' -); - -INSERT INTO packages ( /* 4 */ - name -) VALUES ( - 'openssl' -); - -/* Versions */ - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 1, 4, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 2, 4, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 3, 4, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 4, 4, '1.0.1e-2', 1366531494 -); - -/* Components */ - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 1, 33 /* ITA TGRUB */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 2, 33 /* ITA TBOOT */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 3, 33 /* ITA IMA - Trusted Platform */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 3, 34 /* ITA IMA - Operating System */ -); - -/* Groups */ - -INSERT INTO groups ( /* 1 */ - name -) VALUES ( - 'Default' -); - -INSERT INTO groups ( /* 2 */ - name, parent -) VALUES ( - 'Linux', 1 -); - -INSERT INTO groups ( /* 3 */ - name, parent -) VALUES ( - 'Android', 1 -); - -INSERT INTO groups ( /* 4 */ - name, parent -) VALUES ( - 'Debian i686', 2 -); - -INSERT INTO groups ( /* 5 */ - name, parent -) VALUES ( - 'Debian x86_64', 2 -); - -INSERT INTO groups ( /* 6 */ - name, parent -) VALUES ( - 'Ubuntu i686', 2 -); - -INSERT INTO groups ( /* 7 */ - name, parent -) VALUES ( - 'Ubuntu x86_64', 2 -); - -INSERT INTO groups ( /* 8 */ - name -) VALUES ( - 'Reference' -); - -INSERT INTO groups ( /* 9 */ - name, parent -) VALUES ( - 'Ref. Android', 8 -); - -INSERT INTO groups ( /* 10 */ - name, parent -) VALUES ( - 'Ref. Linux', 8 -); - -/* Default Product Groups */ - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 1 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 3 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 5 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 5, 2 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 5, 4 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 5, 6 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 7 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 9 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 11 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 13 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 15 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 17 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 6, 19 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 8 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 10 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 12 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 14 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 16 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 18 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 7, 20 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 21 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 22 -); - -/* Devices */ - -INSERT INTO devices ( /* 1 */ - value, product, created -) VALUES ( - 'aabbccddeeff11223344556677889900', 4, 1372330615 -); - -/* Groups Members */ - -INSERT INTO groups_members ( - group_id, device_id -) VALUES ( - 10, 1 -); - -/* Policies */ - -INSERT INTO policies ( /* 1 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 1, 'Installed Packages', 2, 2 -); - -INSERT INTO policies ( /* 2 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 2, 'Unknown Source', 2, 2 -); - -INSERT INTO policies ( /* 3 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 3, 'IP Forwarding Enabled', 1, 1 -); - -INSERT INTO policies ( /* 4 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 4, 'Default Factory Password Enabled', 1, 1 -); - -INSERT INTO policies ( /* 5 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2 -); - -INSERT INTO policies ( /* 6 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2 -); - -INSERT INTO policies ( /* 7 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/bin/openssl', 5, 2, 2 -); - -INSERT INTO policies ( /* 8 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 11, 'No Open TCP Ports', 1, 1 -); - -INSERT INTO policies ( /* 9 */ - type, name, argument, rec_fail, rec_noresult -) VALUES ( - 13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1 -); - -INSERT INTO policies ( /* 10 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 7, 'Metadata of /etc/tnc_config', 6, 0, 0 -); - -INSERT INTO policies ( /* 11 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 8, 'Get /bin', 1, 0, 0 -); - -INSERT INTO policies ( /* 12 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2 -); - -INSERT INTO policies ( /* 13 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2 -); - -INSERT INTO policies ( /* 14 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 8, 'Get /system/bin', 13, 0, 0 -); - -INSERT INTO policies ( /* 15 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 8, 'Get /system/lib', 14, 0, 0 -); - -INSERT INTO policies ( /* 16 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 9, 'Measure /bin', 1, 2, 2 -); - -/* Enforcements */ - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 2, 3, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age, rec_fail, rec_noresult -) VALUES ( - 3, 2, 0, 2, 2 -); - -INSERT INTO enforcements ( - policy, group_id, max_age, rec_fail, rec_noresult -) VALUES ( - 3, 10, 0, 2, 2 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 5, 7, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 6, 7, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 7, 2, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 8, 1, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 9, 1, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 10, 2, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 11, 10, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 12, 5, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 13, 5, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 14, 9, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 15, 9, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 16, 2, 0 -); diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql new file mode 100644 index 000000000..2bb7e7924 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql @@ -0,0 +1,29 @@ +/* Devices */ + +INSERT INTO devices ( /* 1 */ + value, product, created +) VALUES ( + 'aabbccddeeff11223344556677889900', 28, 1372330615 +); + +/* Groups Members */ + +INSERT INTO groups_members ( + group_id, device_id +) VALUES ( + 10, 1 +); + +INSERT INTO enforcements ( + policy, group_id, max_age, rec_fail, rec_noresult +) VALUES ( + 3, 10, 0, 2, 2 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 16, 2, 0 +); + +DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-20-pts/pretest.dat b/testing/tests/tnc/tnccs-20-pts/pretest.dat index cb6c131ef..794aef9fb 100644 --- a/testing/tests/tnc/tnccs-20-pts/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pts/pretest.dat @@ -3,7 +3,7 @@ carol::iptables-restore < /etc/iptables.rules dave::iptables-restore < /etc/iptables.rules carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id -moon::cd /etc/pts; cat tables.sql data.sql | sqlite3 config.db +moon::cd /etc/pts; cat tables.sql data.sql data1.sql | sqlite3 config.db moon::cat /etc/tnc_config carol::cat /etc/tnc_config dave::cat /etc/tnc_config diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql b/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql deleted file mode 100644 index dcc4e75d1..000000000 --- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/pts/data.sql +++ /dev/null @@ -1,793 +0,0 @@ -/* Products */ - -INSERT INTO products ( /* 1 */ - name -) VALUES ( - 'Debian 7.0' -); - -INSERT INTO products ( /* 2 */ - name -) VALUES ( - 'Debian 7.0 i686' -); - -INSERT INTO products ( /* 3 */ - name -) VALUES ( - 'Debian 7.0 x86_64' -); - -INSERT INTO products ( /* 4 */ - name -) VALUES ( - 'Ubuntu 10.04' -); - -INSERT INTO products ( /* 5 */ - name -) VALUES ( - 'Ubuntu 10.04 i686' -); - -INSERT INTO products ( /* 6 */ - name -) VALUES ( - 'Ubuntu 10.04 x86_64' -); - -INSERT INTO products ( /* 7 */ - name -) VALUES ( - 'Ubuntu 10.10' -); - -INSERT INTO products ( /* 8 */ - name -) VALUES ( - 'Ubuntu 10.10 i686' -); - -INSERT INTO products ( /* 9 */ - name -) VALUES ( - 'Ubuntu 10.10 x86_64' -); - -INSERT INTO products ( /* 10 */ - name -) VALUES ( - 'Ubuntu 11.04' -); - -INSERT INTO products ( /* 11 */ - name -) VALUES ( - 'Ubuntu 11.04 i686' -); - -INSERT INTO products ( /* 12 */ - name -) VALUES ( - 'Ubuntu 11.04 x86_64' -); - -INSERT INTO products ( /* 13 */ - name -) VALUES ( - 'Ubuntu 11.10' -); - -INSERT INTO products ( /* 14 */ - name -) VALUES ( - 'Ubuntu 11.10 i686' -); - -INSERT INTO products ( /* 15 */ - name -) VALUES ( - 'Ubuntu 11.10 x86_64' -); - -INSERT INTO products ( /* 16 */ - name -) VALUES ( - 'Ubuntu 12.04' -); - -INSERT INTO products ( /* 17 */ - name -) VALUES ( - 'Ubuntu 12.04 i686' -); - -INSERT INTO products ( /* 18 */ - name -) VALUES ( - 'Ubuntu 12.04 x86_64' -); - -INSERT INTO products ( /* 19 */ - name -) VALUES ( - 'Ubuntu 12.10' -); - -INSERT INTO products ( /* 20 */ - name -) VALUES ( - 'Ubuntu 12.10 i686' -); - -INSERT INTO products ( /* 21 */ - name -) VALUES ( - 'Ubuntu 12.10 x86_64' -); - -INSERT INTO products ( /* 22 */ - name -) VALUES ( - 'Ubuntu 13.04' -); - -INSERT INTO products ( /* 23 */ - name -) VALUES ( - 'Ubuntu 13.04 i686' -); - -INSERT INTO products ( /* 24 */ - name -) VALUES ( - 'Ubuntu 13.04 x86_64' -); - -INSERT INTO products ( /* 25 */ - name -) VALUES ( - 'Android 4.1.1' -); - -INSERT INTO products ( /* 26 */ - name -) VALUES ( - 'Android 4.2.1' -); - -/* Directories */ - -INSERT INTO directories ( /* 1 */ - path -) VALUES ( - '/bin' -); - -INSERT INTO directories ( /* 2 */ - path -) VALUES ( - '/etc' -); - -INSERT INTO directories ( /* 3 */ - path -) VALUES ( - '/lib' -); - -INSERT INTO directories ( /* 4 */ - path -) VALUES ( - '/lib/i386-linux-gnu' -); - -INSERT INTO directories ( /* 5 */ - path -) VALUES ( - '/lib/x86_64-linux-gnu' -); - -INSERT INTO directories ( /* 6 */ - path -) VALUES ( - '/lib/xtables' -); - -INSERT INTO directories ( /* 7 */ - path -) VALUES ( - '/sbin' -); - -INSERT INTO directories ( /* 8 */ - path -) VALUES ( - '/usr/bin' -); - -INSERT INTO directories ( /* 9 */ - path -) VALUES ( - '/usr/lib' -); - -INSERT INTO directories ( /* 10 */ - path -) VALUES ( - '/usr/lib/i386-linux-gnu' -); - -INSERT INTO directories ( /* 11 */ - path -) VALUES ( - '/usr/lib/x86_64-linux-gnu' -); - -INSERT INTO directories ( /* 12 */ - path -) VALUES ( - '/usr/sbin' -); - -/* Files */ - -INSERT INTO files ( /* 1 */ - name, dir -) VALUES ( - 'libcrypto.so.1.0.0', 5 -); - -INSERT INTO files ( /* 2 */ - name, dir -) VALUES ( - 'libcrypto.so.1.0.0', 11 -); - -INSERT INTO files ( /* 3 */ - name, dir -) VALUES ( - 'libssl.so.1.0.0', 5 -); - -INSERT INTO files ( /* 4 */ - name, dir -) VALUES ( - 'libssl.so.1.0.0', 11 -); - -INSERT INTO files ( /* 5 */ - name, dir -) VALUES ( - 'openssl', 8 -); - -INSERT INTO files ( /* 6 */ - name, dir -) VALUES ( - 'tnc_config', 2 -); - -/* Algorithms */ - -INSERT INTO algorithms ( - id, name -) VALUES ( - 65536, 'SHA1-IMA' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 32768, 'SHA1' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 16384, 'SHA256' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( - 8192, 'SHA384' -); - -/* File Hashes */ - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 3, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 3, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 3, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 3, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 3, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 3, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 3, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 3, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 3, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 21, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 21, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 21, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 21, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 21, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 21, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 21, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 21, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' -); - -INSERT INTO file_hashes ( - product, file, algo, hash -) VALUES ( - 21, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' -); - -/* Packages */ - -INSERT INTO packages ( /* 1 */ - name -) VALUES ( - 'libssl-dev' -); - -INSERT INTO packages ( /* 2 */ - name -) VALUES ( - 'libssl1.0.0' -); - -INSERT INTO packages ( /* 3 */ - name -) VALUES ( - 'libssl1.0.0-dbg' -); - -INSERT INTO packages ( /* 4 */ - name -) VALUES ( - 'openssl' -); - -/* Versions */ - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 1, 1, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 2, 1, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 3, 1, '1.0.1e-2', 1366531494 -); - -INSERT INTO versions ( - package, product, release, time -) VALUES ( - 4, 1, '1.0.1e-2', 1366531494 -); - -/* Components */ - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 1, 33 /* ITA TGRUB */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 2, 33 /* ITA TBOOT */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 3, 33 /* ITA IMA - Trusted Platform */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 3, 34 /* ITA IMA - Operating System */ -); - -/* Groups */ - -INSERT INTO groups ( /* 1 */ - name, parent -) VALUES ( - 'Debian i686', 6 -); - -INSERT INTO groups ( /* 2 */ - name, parent -) VALUES ( - 'Debian x86_64', 6 -); - -INSERT INTO groups ( /* 3 */ - name, parent -) VALUES ( - 'Ubuntu i686', 6 -); - -INSERT INTO groups ( /* 4 */ - name, parent -) VALUES ( - 'Ubuntu x86_64', 6 -); - -INSERT INTO groups ( /* 5 */ - name, parent -) VALUES ( - 'Android', 7 -); - -INSERT INTO groups ( /* 6 */ - name, parent -) VALUES ( - 'Linux', 7 -); - -INSERT INTO groups ( /* 7 */ - name -) VALUES ( - 'Default' -); - -/* Default Product Groups */ - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 1, 2 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 2, 3 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 5 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 8 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 11 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 14 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 17 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 20 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 3, 23 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 6 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 9 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 12 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 15 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 18 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 21 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 4, 24 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 5, 25 -); - -INSERT INTO groups_product_defaults ( - group_id, product_id -) VALUES ( - 5, 26 -); - -/* Policies */ - -INSERT INTO policies ( /* 1 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 1, 'Installed Packages', 2, 2 -); - -INSERT INTO policies ( /* 2 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 2, 'Unknown Source', 2, 2 -); - -INSERT INTO policies ( /* 3 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 3, 'IP Forwarding Enabled', 1, 1 -); - -INSERT INTO policies ( /* 4 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 4, 'Default Factory Password Enabled', 1, 1 -); - -INSERT INTO policies ( /* 5 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2 -); - -INSERT INTO policies ( /* 6 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2 -); - -INSERT INTO policies ( /* 7 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/bin/openssl', 5, 2, 2 -); - -INSERT INTO policies ( /* 8 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 11, 'No Open TCP Ports', 1, 1 -); - -INSERT INTO policies ( /* 9 */ - type, name, rec_fail, rec_noresult -) VALUES ( - 13, 'No Open UDP Ports', 1, 1 -); - -INSERT INTO policies ( /* 10 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 7, 'Metadata of /etc/tnc_config', 6, 0, 0 -); - -INSERT INTO policies ( /* 11 */ - type, name, dir, rec_fail, rec_noresult -) VALUES ( - 8, 'Measure as reference /bin', 1, 0, 0 -); - -INSERT INTO policies ( /* 12 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2 -); - -INSERT INTO policies ( /* 13 */ - type, name, file, rec_fail, rec_noresult -) VALUES ( - 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2 -); - - -/* Enforcements */ - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 1, 7, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 2, 5, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 3, 6, 0 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 5, 4, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 6, 4, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 7, 6, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 8, 7, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 9, 7, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 10, 6, 60 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 11, 6, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 12, 2, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 13, 2, 86400 -); - diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf index 032ae7e91..1a0cc202e 100644 --- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf @@ -20,10 +20,5 @@ libimcv { imv-test { rounds = 1 } - imv-scanner { - closed_port_policy = yes - udp_ports = 500 4500 - tcp_ports = 22 - } } } |