From c5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 Mon Sep 17 00:00:00 2001 
From: Romain Francoise Date: Tue, 15 Apr 2014 19:34:32 +0200 Subject: Import upstream version 5.1.3 --- .../hosts/moon/etc/strongswan.conf | 2 -- .../openssl-ikev2/net2net-pgp-v3/description.txt | 6 ++++++ .../tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat | 7 +++++++ .../net2net-pgp-v3/hosts/moon/etc/ipsec.conf | 21 +++++++++++++++++++++ .../net2net-pgp-v3/hosts/moon/etc/ipsec.secrets | 3 +++ .../net2net-pgp-v3/hosts/moon/etc/strongswan.conf | 6 ++++++ .../net2net-pgp-v3/hosts/sun/etc/ipsec.conf | 21 +++++++++++++++++++++ .../net2net-pgp-v3/hosts/sun/etc/ipsec.secrets | 3 +++ .../net2net-pgp-v3/hosts/sun/etc/strongswan.conf | 6 ++++++ .../tests/openssl-ikev2/net2net-pgp-v3/posttest.dat | 8 ++++++++ .../tests/openssl-ikev2/net2net-pgp-v3/pretest.dat | 8 ++++++++ .../tests/openssl-ikev2/net2net-pgp-v3/test.conf | 21 +++++++++++++++++++++ .../rw-cert/hosts/carol/etc/strongswan.conf | 2 -- .../rw-cert/hosts/dave/etc/strongswan.conf | 2 -- .../rw-cert/hosts/moon/etc/strongswan.conf | 2 -- .../openssl-ikev2/rw-eap-tls-only/evaltest.dat | 2 +- .../rw-eap-tls-only/hosts/carol/etc/strongswan.conf | 2 +- .../rw-eap-tls-only/hosts/moon/etc/strongswan.conf | 6 ++---- .../rw-suite-b-128/hosts/carol/etc/strongswan.conf | 5 ++--- .../rw-suite-b-128/hosts/dave/etc/strongswan.conf | 5 ++--- .../rw-suite-b-128/hosts/moon/etc/strongswan.conf | 4 ++-- .../rw-suite-b-192/hosts/carol/etc/strongswan.conf | 5 ++--- .../rw-suite-b-192/hosts/dave/etc/strongswan.conf | 5 ++--- .../rw-suite-b-192/hosts/moon/etc/strongswan.conf | 4 ++-- 24 files changed, 126 insertions(+), 30 deletions(-) create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets create mode 100644 
testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat create mode 100644 testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf (limited to 'testing/tests/openssl-ikev2') diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf index 628476313..490146249 100644 --- a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf @@ -3,9 +3,7 @@ charon { load = curl pem pkcs1 random nonce openssl revocation hmac stroke kernel-netlink socket-default updown multiple_authentication = no -} -libstrongswan { x509 { enforce_critical = no } diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt b/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt new file mode 100644 index 000000000..bd680b57a --- /dev/null +++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/description.txt @@ -0,0 +1,6 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on OpenPGP V3 keys. Upon the successful +establishment of the IPsec tunnel, leftfirewall=yes automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. 
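Review bot: In the critical-extension strongswan.conf hunk the `-}` and `-libstrongswan {` removals leave `x509 { enforce_critical = no` nested directly under `charon {`, but the brace that formerly closed the libstrongswan section lies past the end of the hunk, so neither brace balance nor the fact that the daemon now reads `charon.x509.enforce_critical` rather than the old `libstrongswan.x509.enforce_critical` can be confirmed from what is shown. Because `enforce_critical = no` relaxes the rejection of certificates that carry unknown critical extensions, a silently ignored key would change what this test exercises without an obvious error. A comment on that line such as `# moved from the libstrongswan section; unknown critical extensions are accepted deliberately for this test` would make the intent and the relocation explicit. The same section merge appears in the rw-cert and rw-suite-b strongswan.conf hunks further down and the same check applies there.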
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat
new file mode 100644
index 000000000..460c659d9
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/evaltest.dat
@@ -0,0 +1,7 @@
+moon:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed.*sun ::YES
+sun:: ipsec status 2> /dev/null::net-net.*ESTABLISHED.*sun .*71:27:04:32:cd:76:3a:18:02:0a:c9:88:c0:e7:5a:ed::YES
+moon:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+sun:: ipsec status 2> /dev/null::net-net.*INSTALLED, TUNNEL::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_req=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..7601113ab
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn net-net
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.asc
+ leftid=@#71270432cd763a18020ac988c0e75aed
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightsubnet=10.2.0.0/16
+ rightcert=sunCert.asc
+ auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..afb1ff927
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.asc
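Review bot: In the moon ipsec.conf hunk, `leftid=@#71270432cd763a18020ac988c0e75aed` is moon's OpenPGP V3 key identifier and the same value is matched literally by the two ESTABLISHED lines of the evaltest.dat hunk above and by sun's `rightid`, so regenerating moonKey.asc silently breaks three files at once. A one-line comment above it, e.g. `# OpenPGP V3 key fingerprint of moonCert.asc; keep in sync with evaltest.dat and sun's rightid`, would make that coupling visible. Since V3 OpenPGP fingerprints are MD5-based, it is also worth stating in the same comment that this test deliberately covers legacy key material rather than a recommended deployment.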
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..aea93d234
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown
+}
+
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
new file mode 100644
index 000000000..641c3d929
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,21 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn net-net
+ left=PH_IP_SUN
+ leftsubnet=10.2.0.0/16
+ leftcert=sunCert.asc
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightcert=moonCert.asc
+ rightid=@#71270432cd763a18020ac988c0e75aed
+ auto=add
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..ee98b1611
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA sunKey.asc
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..aea93d234
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = openssl pem pkcs1 pgp random nonce stroke kernel-netlink socket-default updown
+}
+
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat
new file mode 100644
index 000000000..9a9513dc3
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+sun::iptables-restore < /etc/iptables.flush
+moon::rm /etc/ipsec.d/certs/*
+moon::rm /etc/ipsec.d/private/*
+sun::rm /etc/ipsec.d/certs/*
+sun::rm /etc/ipsec.d/private/*
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
new file mode 100644
index 000000000..0f4ae0f4f
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+sun::iptables-restore < /etc/iptables.rules
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+sun::ipsec start
+moon::sleep 2
+moon::ipsec up net-net
diff --git a/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf b/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf
new file mode 100644
index 000000000..afa2accbe
--- /dev/null
+++ b/testing/tests/openssl-ikev2/net2net-pgp-v3/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 9f31821cd..a952c8189 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors pem pkcs1 openssl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index 5708510ef..d9d650c8b 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac xcbc cmac ctr ccm gcm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { required = yes diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index f065861dc..065050d5b 100644 --- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -2,9 +2,7 @@ charon { load = curl test-vectors pem pkcs1 openssl revocation nonce xcbc cmac ctr ccm stroke kernel-netlink socket-default updown -} -libstrongswan { integrity_test = yes crypto_test { on_add = yes diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat index a2c02f630..7d32c11c3 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/evaltest.dat 
@@ -1,7 +1,7 @@ carol::ipsec status 2> /dev/null::home.*ESTABLISHED::YES moon:: ipsec status 2> /dev/null::rw-eap.*ESTABLISHED::YES carol::cat /var/log/daemon.log::server requested EAP_TLS authentication::YES -carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256::YES +carol::cat /var/log/daemon.log::negotiated TLS 1.2 using suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256::YES carol::cat /var/log/daemon.log::allow mutual EAP-only authentication::YES carol::cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECSA 521 bit, CN=moon.strongswan.org' with EAP successful::YES moon:: cat /var/log/daemon.log::authentication of 'C=CH, O=Linux strongSwan, OU=ECDSA 256 bit, CN=carol@strongswan.org' with EAP successful::YES diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf index 6072bb335..c55b0a9b6 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/carol/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown + load = curl pem pkcs1 random nonce openssl revocation stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no } diff --git a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf index 5660f4376..af4737fbe 100644 --- a/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-eap-tls-only/hosts/moon/etc/strongswan.conf 
@@ -1,13 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 random nonce openssl revocation hmac xcbc stroke kernel-netlink socket-default eap-tls updown + load = curl pem pkcs1 random nonce openssl revocation stroke kernel-netlink socket-default eap-tls updown multiple_authentication=no } libtls { - key_exchange = ecdhe-ecdsa - cipher = aes128 - mac = sha256 + suites = TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 } diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf index 128d4f2d9..8a8e08e22 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/carol/etc/strongswan.conf @@ -4,14 +4,13 @@ charon { load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default initiator_only = yes -} - -libstrongswan { integrity_test = yes + crypto_test { required = yes on_add = yes } + plugins { openssl { fips_mode = 2 diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf index 958a502c2..c97a52088 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/dave/etc/strongswan.conf @@ -7,14 +7,13 @@ charon { retransmit_base = 1.5 retransmit_tries = 3 initiator_only = yes -} - -libstrongswan { integrity_test = yes + crypto_test { required = yes on_add = yes } + plugins { openssl { fips_mode = 2 diff --git a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf index fc49f9fd2..a234b6cca 100644 
--- a/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-128/hosts/moon/etc/strongswan.conf @@ -2,14 +2,14 @@ charon { load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default -} -libstrongswan { integrity_test = yes + crypto_test { required = yes on_add = yes } + plugins { openssl { fips_mode = 2 diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf index 128d4f2d9..8a8e08e22 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/carol/etc/strongswan.conf @@ -4,14 +4,13 @@ charon { load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default initiator_only = yes -} - -libstrongswan { integrity_test = yes + crypto_test { required = yes on_add = yes } + plugins { openssl { fips_mode = 2 diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf index 958a502c2..c97a52088 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/dave/etc/strongswan.conf @@ -7,14 +7,13 @@ charon { retransmit_base = 1.5 retransmit_tries = 3 initiator_only = yes -} - -libstrongswan { integrity_test = yes + crypto_test { required = yes on_add = yes } + plugins { openssl { fips_mode = 2 diff --git a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf index fc49f9fd2..a234b6cca 100644 --- a/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf 
+++ b/testing/tests/openssl-ikev2/rw-suite-b-192/hosts/moon/etc/strongswan.conf @@ -2,14 +2,14 @@ charon { load = test-vectors soup pem pkcs1 pkcs8 random nonce x509 revocation openssl stroke kernel-netlink socket-default -} -libstrongswan { integrity_test = yes + crypto_test { required = yes on_add = yes } + plugins { openssl { fips_mode = 2 -- cgit v1.2.3