From bba25e2ff6c4a193acb54560ea4417537bd2954e Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Tue, 30 May 2017 20:59:31 +0200 Subject: New upstream version 5.5.3 --- .../tests/ikev2/rw-eap-aka-sql-rsa/description.txt | 9 +++++++++ .../tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat | 14 +++++++++++++ .../rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf | 21 ++++++++++++++++++++ .../hosts/carol/etc/ipsec.d/data.sql | 9 +++++++++ .../hosts/carol/etc/ipsec.d/tables.sql | 10 ++++++++++ .../hosts/carol/etc/ipsec.secrets | 1 + .../hosts/carol/etc/strongswan.conf | 11 +++++++++++ .../rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf | 23 ++++++++++++++++++++++ .../hosts/moon/etc/ipsec.d/data.sql | 9 +++++++++ .../hosts/moon/etc/ipsec.d/tables.sql | 10 ++++++++++ .../hosts/moon/etc/strongswan.conf | 11 +++++++++++ .../tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat | 4 ++++ testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat | 9 +++++++++ testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf | 21 ++++++++++++++++++++ testing/tests/ikev2/two-certs/evaltest.dat | 2 +- 15 files changed, 163 insertions(+), 1 deletion(-) create mode 100644 testing/tests/ikev2/rw-eap-aka-sql-rsa/description.txt create mode 100644 testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat create mode 100644 testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql create mode 100644 testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql create mode 100644 testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql create mode 100644 testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf (limited to 'testing/tests/ikev2') diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/description.txt b/testing/tests/ikev2/rw-eap-aka-sql-rsa/description.txt new file mode 100644 index 000000000..a7410c1b6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/description.txt @@ -0,0 +1,9 @@ +At the outset the gateway authenticates itself to the client by sending an +IKEv2 RSA signature accompanied by a certificate. +The roadwarrior carol sets up a connection to gateway moon. +carol uses the Extensible Authentication Protocol +in association with the Authentication and Key Agreement protocol +(EAP-AKA) to authenticate against the gateway. In this scenario, +quintuplets from the SQL database /etc/ipsec.d/ipsec.db are used instead +of a physical USIM card on the client carol. The USIM provider on +gateway moon also stores the quintuplets in an SQL database. diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat b/testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat new file mode 100644 index 000000000..b31a46809 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/evaltest.dat @@ -0,0 +1,14 @@ +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES +carol::cat /var/log/daemon.log::server requested EAP_AKA authentication::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +moon:: cat /var/log/daemon.log::EAP method EAP_AKA succeeded, MSK established +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES +carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES +moon:: ipsec status 2> /dev/null::rw-eap.*INSTALLED, TUNNEL::YES +carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES + + diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..ade0c7c36 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.conf @@ -0,0 +1,21 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftfirewall=yes + leftauth=eap + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + auto=add diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..038c454aa --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/data.sql @@ -0,0 +1,9 @@ +INSERT INTO quintuplets + (id, used, rand, autn, ck, ik, res) VALUES + ('carol@strongswan.org', 0, + X'00112233445566778899AABBCCDDEEFF', + X'112233445566778899AABBCCDDEEFF00', + X'2233445566778899AABBCCDDEEFF0011', + X'33445566778899AABBCCDDEEFF001122', + X'00112233445566778899' + ); diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql new file mode 100644 index 000000000..301f2bfd6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.d/tables.sql @@ -0,0 +1,10 @@ +DROP TABLE IF EXISTS quintuplets; +CREATE TABLE quintuplets ( + id TEXT NOT NULL, + used INTEGER NOT NULL, + rand BLOB NOT NULL, + autn BLOB NOT NULL, + ck BLOB NOT NULL, + ik BLOB NOT NULL, + res BLOB NOT NULL +); diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..ddd495699 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/ipsec.secrets @@ -0,0 +1 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..81d2c8e74 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown + + plugins { + eap-simaka-sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } +} diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..0875bed8b --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-eap + left=PH_IP_MOON + leftsubnet=10.1.0.0/16 + leftid=@moon.strongswan.org + leftcert=moonCert.pem + leftauth=pubkey + leftfirewall=yes + right=%any + rightid=*@strongswan.org + rightsendcert=never + rightauth=eap-aka + auto=add diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..038c454aa --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/data.sql @@ -0,0 +1,9 @@ +INSERT INTO quintuplets + (id, used, rand, autn, ck, ik, res) VALUES + ('carol@strongswan.org', 0, + X'00112233445566778899AABBCCDDEEFF', + X'112233445566778899AABBCCDDEEFF00', + X'2233445566778899AABBCCDDEEFF0011', + X'33445566778899AABBCCDDEEFF001122', + X'00112233445566778899' + ); diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql new file mode 100644 index 000000000..301f2bfd6 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/ipsec.d/tables.sql @@ -0,0 +1,10 @@ +DROP TABLE IF EXISTS quintuplets; +CREATE TABLE quintuplets ( + id TEXT NOT NULL, + used INTEGER NOT NULL, + rand BLOB NOT NULL, + autn BLOB NOT NULL, + ck BLOB NOT NULL, + ik BLOB NOT NULL, + res BLOB NOT NULL +); diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..81d2c8e74 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = random nonce aes sha1 sha2 pem pkcs1 curve25519 gmp x509 curl revocation hmac stroke kernel-netlink socket-default sqlite fips-prf eap-aka eap-simaka-sql updown + + plugins { + eap-simaka-sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } +} diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat b/testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat new file mode 100644 index 000000000..046d4cfdc --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/posttest.dat @@ -0,0 +1,4 @@ +moon::ipsec stop +carol::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat b/testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat new file mode 100644 index 000000000..e3d7998a9 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/pretest.dat @@ -0,0 +1,9 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +carol::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db +moon::cd /etc/ipsec.d; cat tables.sql data.sql > ipsec.sql; cat ipsec.sql | sqlite3 ipsec.db +moon::ipsec start +carol::ipsec start +moon::expect-connection rw-eap +carol::expect-connection home +carol::ipsec up home diff --git a/testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf b/testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf new file mode 100644 index 000000000..e093d43d8 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-aka-sql-rsa/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice carol moon" + +# Corresponding block diagram +# +DIAGRAM="a-m-c.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol" diff --git a/testing/tests/ikev2/two-certs/evaltest.dat b/testing/tests/ikev2/two-certs/evaltest.dat index 422c76e2e..41601102f 100644 --- a/testing/tests/ikev2/two-certs/evaltest.dat +++ b/testing/tests/ikev2/two-certs/evaltest.dat @@ -2,7 +2,7 @@ moon:: cat /var/log/daemon.log::using certificate.*OU=Research, CN=carol@strongs moon:: ipsec status 2> /dev/null::alice.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::alice.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES -moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::YES +moon:: cat /var/log/daemon.log::signature validation failed, looking for another key::NO moon:: cat /var/log/daemon.log::using certificate.*OU=Research, SN=002, CN=carol@strongswan.org::YES moon:: ipsec status 2> /dev/null::venus.*INSTALLED, TUNNEL::YES carol::ipsec status 2> /dev/null::venus.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES -- cgit v1.2.3