From: Andreas Steffen Date: Wed, 5 Feb 2025 14:48:02 +0000 (+0100) Subject: testing: rw-ml-kem-dsa scenarios X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=028e7d1f877e240a1217ad5f97ae40552fd26c09;p=thirdparty%2Fstrongswan.git testing: rw-ml-kem-dsa scenarios
---
diff --git a/testing/hosts/winnetou/etc/ca/generate-crl b/testing/hosts/winnetou/etc/ca/generate-crl
index 2c4067a84a..a29b5be479 100755
--- a/testing/hosts/winnetou/etc/ca/generate-crl
+++ b/testing/hosts/winnetou/etc/ca/generate-crl
@@ -131,6 +131,14 @@ cd /etc/ca/ed25519
 pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
 > ${ROOT}/strongswan_ed25519.crl
+##
+# strongSwan ML-DSA Root CA
+cd /etc/ca/ml_dsa
+
+# generate CRL for strongSwan ML-DSA Root CA
+pki --signcrl --cakey strongswanKey.pem --cacert strongswanCert.pem \
+ > ${ROOT}/strongswan_ml_dsa.crl
+
 ##
 # strongSwan Monster Root CA
 cd /etc/ca/monster
diff --git a/testing/hosts/winnetou/etc/strongswan.conf b/testing/hosts/winnetou/etc/strongswan.conf
index aec8d76ce4..e99e14d0be 100644
--- a/testing/hosts/winnetou/etc/strongswan.conf
+++ b/testing/hosts/winnetou/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # strongswan.conf - strongSwan configuration file
 
 pki {
- load = random drbg pem sha1 sha2 sha3 pkcs1 pkcs8 pem gmp mgf1 curve25519 x509 openssl
+ load = random drbg pem sha1 sha2 sha3 pkcs1 pkcs8 pem gmp mgf1 curve25519 x509 ml openssl
 }
diff --git a/testing/scripts/build-certs-chroot b/testing/scripts/build-certs-chroot
index 0cafb99ce5..91de11d580 100755
--- a/testing/scripts/build-certs-chroot
+++ b/testing/scripts/build-certs-chroot
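Review bot: The new `cd /etc/ca/ml_dsa` is unchecked, so if that directory is absent the following `pki --signcrl` still runs — in `/etc/ca/ed25519`, where the preceding block left the shell — and writes a CRL signed by the Ed25519 CA key to `${ROOT}/strongswan_ml_dsa.crl`, i.e. the ML-DSA distribution point would serve a CRL from the wrong issuer. Unless the script runs under `set -e` (not visible in this hunk) make it `cd /etc/ca/ml_dsa || exit 1`; the existing `cd` lines have the same weakness. `${ROOT}` is unquoted as on the surrounding lines; harmless for this fixed path, but worth quoting when the line is touched again.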
@@ -85,6 +85,11 @@ ED25519_KEY="${ED25519_DIR}/strongswanKey.pem"
 ED25519_CERT="${ED25519_DIR}/strongswanCert.pem"
 ED25519_CDP="http://crl.strongswan.org/strongswan_ed25519.crl"
 #
+ML_DSA_DIR="${CA_DIR}/ml_dsa"
+ML_DSA_KEY="${ML_DSA_DIR}/strongswanKey.pem"
+ML_DSA_CERT="${ML_DSA_DIR}/strongswanCert.pem"
+ML_DSA_CDP="http://crl.strongswan.org/strongswan_ml_dsa.crl"
+#
 MONSTER_DIR="${CA_DIR}/monster"
 MONSTER_KEY="${MONSTER_DIR}/strongswanKey.pem"
 MONSTER_CERT="${MONSTER_DIR}/strongswanCert.pem"
@@ -112,6 +117,7 @@ mkdir -p ${ECDSA_DIR}/certs
 mkdir -p ${RFC3779_DIR}/certs
 mkdir -p ${SHA3_RSA_DIR}/certs
 mkdir -p ${ED25519_DIR}/certs
+mkdir -p ${ML_DSA_DIR}/certs
 mkdir -p ${MONSTER_DIR}/certs
 
 ################################################################################
@@ -1573,6 +1579,89 @@ pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \
 --crl ${ED25519_CDP} --outform pem > ${TEST_CERT}
 cp ${TEST_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem
 
+################################################################################
+# strongSwan ML-DSA Root CA #
+################################################################################
+
+# Generate strongSwan ML-DSA Root CA
+pki --gen --type mldsa87 --outform pem > ${ML_DSA_KEY}
+pki --self --type priv --in ${ML_DSA_KEY} \
+ --not-before "${START}" --not-after "${CA_END}" --ca \
+ --dn "C=CH, O=${PROJECT}, CN=strongSwan ML-DSA Root CA" \
+ --outform pem > ${ML_DSA_CERT}
+
+# Put a copy in the ikev2/rw-ml-kem-dsa scenario
+TEST="${TEST_DIR}/ikev2/rw-ml-kem-dsa"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+cp ${ML_DSA_CERT} ${TEST}/hosts/moon/${SWANCTL_DIR}/x509ca
+cp ${ML_DSA_CERT} ${TEST}/hosts/carol/${SWANCTL_DIR}/x509ca
+cp ${ML_DSA_CERT} ${TEST}/hosts/dave/${SWANCTL_DIR}/x509ca
+
+# Generate a moon ML-DSA certificate
+MOON_KEY="${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8/moonKey.pem"
+MOON_CERT="${TEST}/hosts/moon/${SWANCTL_DIR}/x509/moonCert.pem"
+CN="moon.strongswan.org"
+SERIAL="01"
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/pkcs8
+mkdir -p ${TEST}/hosts/moon/${SWANCTL_DIR}/x509
+pki --gen --type mldsa65 --outform pem > ${MOON_KEY}
+pki --issue --cakey ${ML_DSA_KEY} --cacert ${ML_DSA_CERT} --type priv \
+ --in ${MOON_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ML-DSA, CN=${CN}" \
+ --flag "serverAuth" --crl ${ML_DSA_CDP} --outform pem > ${MOON_CERT}
+cp ${MOON_CERT} ${ML_DSA_DIR}/certs/${SERIAL}.pem
+
+# Generate a carol ML-DSA certificate
+CAROL_KEY="${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8/carolKey.pem"
+CAROL_CERT="${TEST}/hosts/carol/${SWANCTL_DIR}/x509/carolCert.pem"
+CN="carol@strongswan.org"
+SERIAL="02"
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/pkcs8
+mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/x509
+pki --gen --type mldsa44 --outform pem > ${CAROL_KEY}
+pki --issue --cakey ${ML_DSA_KEY} --cacert ${ML_DSA_CERT} --type priv \
+ --in ${CAROL_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ML-DSA, CN=${CN}" \
+ --flag "clientAuth" --crl ${ML_DSA_CDP} --outform pem > ${CAROL_CERT}
+cp ${CAROL_CERT} ${ML_DSA_DIR}/certs/${SERIAL}.pem
+
+# Generate a dave ML-DSA certificate
+DAVE_KEY="${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8/daveKey.pem"
+DAVE_CERT="${TEST}/hosts/dave/${SWANCTL_DIR}/x509/daveCert.pem"
+CN="dave@strongswan.org"
+SERIAL="03"
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/pkcs8
+mkdir -p ${TEST}/hosts/dave/${SWANCTL_DIR}/x509
+pki --gen --type mldsa44 --outform pem > ${DAVE_KEY}
+pki --issue --cakey ${ML_DSA_KEY} --cacert ${ML_DSA_CERT} --type priv \
+ --in ${DAVE_KEY} --not-before "${START}" --not-after "${EE_END}" --san ${CN} \
+ --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=ML-DSA, CN=${CN}" \
+ --flag "clientAuth" --crl ${ML_DSA_CDP} --outform pem > ${DAVE_CERT}
+cp ${DAVE_CERT} ${ML_DSA_DIR}/certs/${SERIAL}.pem
+
+# Put a copy in the botan and wolfssl rw-ml-kem scenarios
+for d in botan wolfssl
+do
+ TEST="${TEST_DIR}/${d}/rw-ml-kem-dsa"
+ cd ${TEST}/hosts/moon/${SWANCTL_DIR}
+ mkdir -p pkcs8 x509 x509ca
+ cp ${MOON_KEY} pkcs8
+ cp ${MOON_CERT} x509
+ cp ${ML_DSA_CERT} x509ca
+ cd ${TEST}/hosts/carol/${SWANCTL_DIR}
+ mkdir -p pkcs8 x509 x509ca
+ cp ${CAROL_KEY} pkcs8
+ cp ${CAROL_CERT} x509
+ cp ${ML_DSA_CERT} x509ca
+ cd ${TEST}/hosts/dave/${SWANCTL_DIR}
+ mkdir -p pkcs8 x509 x509ca
+ cp ${DAVE_KEY} pkcs8
+ cp ${DAVE_CERT} x509
+ cp ${ML_DSA_CERT} x509ca
+done
+
 ################################################################################
 # strongSwan Monster Root CA #
 ################################################################################
diff --git a/testing/scripts/recipes/012_wolfssl.mk b/testing/scripts/recipes/012_wolfssl.mk
index 1d4c8c8d6d..9bcee5708e 100644
--- a/testing/scripts/recipes/012_wolfssl.mk
+++ b/testing/scripts/recipes/012_wolfssl.mk
@@ -31,6 +31,7 @@ CONFIG_OPTS = \
 --enable-rsapss \
 --enable-sha3 \
 --enable-shake256 \
+ --enable-dilithium \
 --with-max-rsa-bits=8192
 
 all: install
diff --git a/testing/tests/botan/rw-ml-kem-dsa/description.txt b/testing/tests/botan/rw-ml-kem-dsa/description.txt
new file mode 100755
index 0000000000..1849ae2e28
--- /dev/null
+++ b/testing/tests/botan/rw-ml-kem-dsa/description.txt
@@ -0,0 +1,11 @@
+The roadwarrior carol and the gateway moon use the botan
+plugin based on the Botan library for all cryptographical functions whereas
+roadwarrior dave uses the openssl and ml plugins. The
+authentication is based on ML-DSA-type X.509 certificates and the key
+exchange on x25519-ke1_mlkem512 for carol and ecp384-ke1_mlkem786
+for dave.
+
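Review bot: The three `cd ${TEST}/hosts/.../${SWANCTL_DIR}` lines inside the `for d in botan wolfssl` loop are unchecked, so if one scenario directory does not exist the subsequent `mkdir -p pkcs8 x509 x509ca` and the `cp` of the freshly generated ML-DSA private keys run in whatever directory the previous step left behind, silently planting moon's, carol's or dave's key in the wrong scenario; `cd ... || exit 1` on each of the three closes that, or keep the absolute-path style the ikev2 block above uses and drop the `cd` altogether. The loop also leaves the working directory changed when it finishes; whether the Monster Root CA block that follows depends on the cwd is not visible here, so worth checking. The comment `# Put a copy in the botan and wolfssl rw-ml-kem scenarios` names the wrong scenario, the paths below it are `rw-ml-kem-dsa`; suggest `# Put a copy in the botan and wolfssl rw-ml-kem-dsa scenarios`. This is a flat script, so no function is cut by the hunk.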

+Upon the successful establishment of the IPsec tunnels, the updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. diff --git a/testing/tests/botan/rw-mlkem/evaltest.dat b/testing/tests/botan/rw-ml-kem-dsa/evaltest.dat similarity index 100% rename from testing/tests/botan/rw-mlkem/evaltest.dat rename to testing/tests/botan/rw-ml-kem-dsa/evaltest.dat diff --git a/testing/tests/botan/rw-ml-kem-dsa/hosts/carol/etc/strongswan.conf b/testing/tests/botan/rw-ml-kem-dsa/hosts/carol/etc/strongswan.conf new file mode 100755 index 0000000000..60a1b331d2 --- /dev/null +++ b/testing/tests/botan/rw-ml-kem-dsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = botan pem x509 revocation constraints pubkey +} + +charon-systemd { + load = nonce botan pem x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici + + retransmit_timeout = 4 + max_packet = 12000 +} diff --git a/testing/tests/botan/rw-mlkem/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/botan/rw-ml-kem-dsa/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/botan/rw-mlkem/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/botan/rw-ml-kem-dsa/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/botan/rw-ml-kem-dsa/hosts/dave/etc/strongswan.conf b/testing/tests/botan/rw-ml-kem-dsa/hosts/dave/etc/strongswan.conf new file mode 100755 index 0000000000..352eac127a --- /dev/null +++ b/testing/tests/botan/rw-ml-kem-dsa/hosts/dave/etc/strongswan.conf 
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem ml x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = nonce pkcs8 ml x509 openssl pem revocation constraints pubkey curl kernel-netlink socket-default updown vici
+
+ retransmit_timeout = 4
+ max_packet = 12000
+}
diff --git a/testing/tests/botan/rw-mlkem/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/botan/rw-ml-kem-dsa/hosts/dave/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/botan/rw-mlkem/hosts/dave/etc/swanctl/swanctl.conf
rename to testing/tests/botan/rw-ml-kem-dsa/hosts/dave/etc/swanctl/swanctl.conf
diff --git a/testing/tests/botan/rw-ml-kem-dsa/hosts/moon/etc/strongswan.conf b/testing/tests/botan/rw-ml-kem-dsa/hosts/moon/etc/strongswan.conf
new file mode 100755
index 0000000000..06e8bf6d53
--- /dev/null
+++ b/testing/tests/botan/rw-ml-kem-dsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem botan x509 revocation constraints pubkey
+}
+
+charon-systemd {
+ load = nonce test-vectors botan pem x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici
+
+ retransmit_timeout = 4
+ max_packet = 12000
+}
diff --git a/testing/tests/botan/rw-mlkem/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/rw-ml-kem-dsa/hosts/moon/etc/swanctl/swanctl.conf
similarity index 100%
rename from testing/tests/botan/rw-mlkem/hosts/moon/etc/swanctl/swanctl.conf
rename to testing/tests/botan/rw-ml-kem-dsa/hosts/moon/etc/swanctl/swanctl.conf
diff --git a/testing/tests/botan/rw-ml-kem-dsa/posttest.dat b/testing/tests/botan/rw-ml-kem-dsa/posttest.dat
new file mode 100755
index 0000000000..f3b4dc9995
--- /dev/null
+++ b/testing/tests/botan/rw-ml-kem-dsa/posttest.dat
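Review bot: In dave's `swanctl { load = ... }` list `pkcs8` is missing while the `charon-systemd` list a few lines below includes it, and the ikev2 variant of this file loads `pem pkcs8 ml x509 openssl ...` in both sections; dave's credential is an ML-DSA key that build-certs-chroot installs under pkcs8/ (`cp ${DAVE_KEY} pkcs8`). If swanctl parses the key itself before handing it to charon — I have not confirmed that here — the missing plugin would make the key load fail, so either align the two lists or add a comment explaining why `pkcs8` (and the extra `random`) differ between them. The same blob (352eac127a) is used for dave in wolfssl/rw-ml-kem-dsa.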
@@ -0,0 +1,11 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan +moon::rm /etc/swanctl/pkcs8/* +carol::rm /etc/swanctl/pkcs8/* +dave::rm /etc/swanctl/pkcs8/* +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/botan/rw-ml-kem-dsa/pretest.dat b/testing/tests/botan/rw-ml-kem-dsa/pretest.dat new file mode 100755 index 0000000000..85426cbb49 --- /dev/null +++ b/testing/tests/botan/rw-ml-kem-dsa/pretest.dat @@ -0,0 +1,14 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/botan/rw-mlkem/test.conf b/testing/tests/botan/rw-ml-kem-dsa/test.conf similarity index 100% rename from testing/tests/botan/rw-mlkem/test.conf rename to testing/tests/botan/rw-ml-kem-dsa/test.conf diff --git a/testing/tests/botan/rw-mlkem/description.txt b/testing/tests/botan/rw-ml-kem/description.txt similarity index 100% rename from testing/tests/botan/rw-mlkem/description.txt rename to testing/tests/botan/rw-ml-kem/description.txt diff --git a/testing/tests/wolfssl/rw-mlkem/evaltest.dat b/testing/tests/botan/rw-ml-kem/evaltest.dat similarity index 100% rename from testing/tests/wolfssl/rw-mlkem/evaltest.dat rename to testing/tests/botan/rw-ml-kem/evaltest.dat 
diff --git a/testing/tests/botan/rw-mlkem/hosts/carol/etc/strongswan.conf b/testing/tests/botan/rw-ml-kem/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/botan/rw-mlkem/hosts/carol/etc/strongswan.conf rename to testing/tests/botan/rw-ml-kem/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/wolfssl/rw-mlkem/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/botan/rw-ml-kem/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/wolfssl/rw-mlkem/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/botan/rw-ml-kem/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/botan/rw-mlkem/hosts/dave/etc/strongswan.conf b/testing/tests/botan/rw-ml-kem/hosts/dave/etc/strongswan.conf similarity index 100% rename from testing/tests/botan/rw-mlkem/hosts/dave/etc/strongswan.conf rename to testing/tests/botan/rw-ml-kem/hosts/dave/etc/strongswan.conf diff --git a/testing/tests/wolfssl/rw-mlkem/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/botan/rw-ml-kem/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/wolfssl/rw-mlkem/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/botan/rw-ml-kem/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/botan/rw-mlkem/hosts/moon/etc/strongswan.conf b/testing/tests/botan/rw-ml-kem/hosts/moon/etc/strongswan.conf similarity index 100% rename from testing/tests/botan/rw-mlkem/hosts/moon/etc/strongswan.conf rename to testing/tests/botan/rw-ml-kem/hosts/moon/etc/strongswan.conf diff --git a/testing/tests/wolfssl/rw-mlkem/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/botan/rw-ml-kem/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/wolfssl/rw-mlkem/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/botan/rw-ml-kem/hosts/moon/etc/swanctl/swanctl.conf 
diff --git a/testing/tests/botan/rw-mlkem/posttest.dat b/testing/tests/botan/rw-ml-kem/posttest.dat similarity index 100% rename from testing/tests/botan/rw-mlkem/posttest.dat rename to testing/tests/botan/rw-ml-kem/posttest.dat diff --git a/testing/tests/botan/rw-mlkem/pretest.dat b/testing/tests/botan/rw-ml-kem/pretest.dat similarity index 100% rename from testing/tests/botan/rw-mlkem/pretest.dat rename to testing/tests/botan/rw-ml-kem/pretest.dat diff --git a/testing/tests/ikev2/rw-mlkem/test.conf b/testing/tests/botan/rw-ml-kem/test.conf similarity index 100% rename from testing/tests/ikev2/rw-mlkem/test.conf rename to testing/tests/botan/rw-ml-kem/test.conf diff --git a/testing/tests/ikev2/rw-ml-kem-dsa/description.txt b/testing/tests/ikev2/rw-ml-kem-dsa/description.txt new file mode 100755 index 0000000000..bc7da0c8a7 --- /dev/null +++ b/testing/tests/ikev2/rw-ml-kem-dsa/description.txt @@ -0,0 +1,12 @@ +The roadwarriors carol and dave as well as the gateway moon use +openssl plugin based on the OpenSSL library for all cryptographical +functions plus the ml plugin for the post-quantum ML-KEM key exchange and +ML-DSA signature algorithms. +The authentication is based on ML-DSA-type X.509 certificates and the key +exchange on x25519-ke1_mlkem512 for carol and ecp384-ke1_mlkem786 +for dave. +

+Upon the successful establishment of the IPsec tunnels, the updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. diff --git a/testing/tests/ikev2/rw-mlkem/evaltest.dat b/testing/tests/ikev2/rw-ml-kem-dsa/evaltest.dat similarity index 100% rename from testing/tests/ikev2/rw-mlkem/evaltest.dat rename to testing/tests/ikev2/rw-ml-kem-dsa/evaltest.dat diff --git a/testing/tests/ikev2/rw-ml-kem-dsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ml-kem-dsa/hosts/carol/etc/strongswan.conf new file mode 100755 index 0000000000..64dd220bd1 --- /dev/null +++ b/testing/tests/ikev2/rw-ml-kem-dsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs8 ml x509 openssl revocation constraints pubkey +} + +charon-systemd { + load = nonce pem pkcs8 ml x509 openssl revocation constraints pubkey curl kernel-netlink socket-default updown vici + + retransmit_timeout = 4 + max_packet = 12000 +} diff --git a/testing/tests/ikev2/rw-mlkem/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ml-kem-dsa/hosts/carol/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/ikev2/rw-mlkem/hosts/carol/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-ml-kem-dsa/hosts/carol/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-ml-kem-dsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ml-kem-dsa/hosts/dave/etc/strongswan.conf new file mode 100755 index 0000000000..64dd220bd1 --- /dev/null +++ b/testing/tests/ikev2/rw-ml-kem-dsa/hosts/dave/etc/strongswan.conf 
@@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs8 ml x509 openssl revocation constraints pubkey +} + +charon-systemd { + load = nonce pem pkcs8 ml x509 openssl revocation constraints pubkey curl kernel-netlink socket-default updown vici + + retransmit_timeout = 4 + max_packet = 12000 +} diff --git a/testing/tests/ikev2/rw-mlkem/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ml-kem-dsa/hosts/dave/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/ikev2/rw-mlkem/hosts/dave/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-ml-kem-dsa/hosts/dave/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-ml-kem-dsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ml-kem-dsa/hosts/moon/etc/strongswan.conf new file mode 100755 index 0000000000..64dd220bd1 --- /dev/null +++ b/testing/tests/ikev2/rw-ml-kem-dsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs8 ml x509 openssl revocation constraints pubkey +} + +charon-systemd { + load = nonce pem pkcs8 ml x509 openssl revocation constraints pubkey curl kernel-netlink socket-default updown vici + + retransmit_timeout = 4 + max_packet = 12000 +} diff --git a/testing/tests/ikev2/rw-mlkem/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ml-kem-dsa/hosts/moon/etc/swanctl/swanctl.conf similarity index 100% rename from testing/tests/ikev2/rw-mlkem/hosts/moon/etc/swanctl/swanctl.conf rename to testing/tests/ikev2/rw-ml-kem-dsa/hosts/moon/etc/swanctl/swanctl.conf diff --git a/testing/tests/ikev2/rw-ml-kem-dsa/posttest.dat b/testing/tests/ikev2/rw-ml-kem-dsa/posttest.dat new file mode 100755 index 0000000000..f3b4dc9995 --- /dev/null +++ b/testing/tests/ikev2/rw-ml-kem-dsa/posttest.dat 
@@ -0,0 +1,11 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan +moon::rm /etc/swanctl/pkcs8/* +carol::rm /etc/swanctl/pkcs8/* +dave::rm /etc/swanctl/pkcs8/* +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/ikev2/rw-ml-kem-dsa/pretest.dat b/testing/tests/ikev2/rw-ml-kem-dsa/pretest.dat new file mode 100755 index 0000000000..85426cbb49 --- /dev/null +++ b/testing/tests/ikev2/rw-ml-kem-dsa/pretest.dat @@ -0,0 +1,14 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::rm /etc/swanctl/rsa/* +carol::rm /etc/swanctl/rsa/* +dave::rm /etc/swanctl/rsa/* +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/wolfssl/rw-mlkem/test.conf b/testing/tests/ikev2/rw-ml-kem-dsa/test.conf similarity index 100% rename from testing/tests/wolfssl/rw-mlkem/test.conf rename to testing/tests/ikev2/rw-ml-kem-dsa/test.conf diff --git a/testing/tests/ikev2/rw-mlkem/description.txt b/testing/tests/ikev2/rw-ml-kem/description.txt similarity index 100% rename from testing/tests/ikev2/rw-mlkem/description.txt rename to testing/tests/ikev2/rw-ml-kem/description.txt diff --git a/testing/tests/ikev2/rw-ml-kem/evaltest.dat b/testing/tests/ikev2/rw-ml-kem/evaltest.dat new file mode 100755 index 0000000000..14a94d647c --- /dev/null +++ b/testing/tests/ikev2/rw-ml-kem/evaltest.dat 
@@ -0,0 +1,10 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ake1=ML_KEM_512.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384 ake1=ML_KEM_768.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 ake1=ML_KEM_512.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384 ake1=ML_KEM_768.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 
encr-keysize=256.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/ikev2/rw-mlkem/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-ml-kem/hosts/carol/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/rw-mlkem/hosts/carol/etc/strongswan.conf rename to testing/tests/ikev2/rw-ml-kem/hosts/carol/etc/strongswan.conf diff --git a/testing/tests/ikev2/rw-ml-kem/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ml-kem/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..0ddd655ef1 --- /dev/null +++ b/testing/tests/ikev2/rw-ml-kem/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519-ke1_mlkem512 + } + } + version = 2 + proposals = aes128-sha256-x25519-ke1_mlkem512 + } +} + +secrets { + + rsa-carol { + file = carolKey.pem + secret = "nH5ZQEWtku0RJEZ6" + } +} diff --git a/testing/tests/ikev2/rw-mlkem/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-ml-kem/hosts/dave/etc/strongswan.conf similarity index 100% rename from testing/tests/ikev2/rw-mlkem/hosts/dave/etc/strongswan.conf rename to testing/tests/ikev2/rw-ml-kem/hosts/dave/etc/strongswan.conf 
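Review bot: The `dave::` entry and both `moon::` entries carry a space after the `::` separator (`dave:: swanctl --list-sas --raw ...`) while the `carol::` entry does not; whether the harness trims the command is not visible here, and the inconsistency makes the four otherwise parallel lines harder to compare. Suggest `dave::swanctl --list-sas --raw 2> /dev/null::...` and the same for the two `moon::swanctl --list-sas --ike-id ...` lines. The new wolfssl/rw-ml-kem-dsa/evaltest.dat has the identical pattern.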
diff --git a/testing/tests/ikev2/rw-ml-kem/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ml-kem/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..fa5b719fd3
--- /dev/null
+++ b/testing/tests/ikev2/rw-ml-kem/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128-ecp384-ke1_mlkem768
+ }
+ }
+ version = 2
+ proposals = aes256-sha384-ecp384-ke1_mlkem768
+ }
+}
diff --git a/testing/tests/ikev2/rw-mlkem/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-ml-kem/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/ikev2/rw-mlkem/hosts/moon/etc/strongswan.conf
rename to testing/tests/ikev2/rw-ml-kem/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/ikev2/rw-ml-kem/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/ikev2/rw-ml-kem/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..2730ba08a8
--- /dev/null
+++ b/testing/tests/ikev2/rw-ml-kem/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes256gcm128-aes128gcm128-ecp384-x25519-ke1_mlkem768-ke1_mlkem1024-ke1_mlkem512-ke1_none
+ }
+ }
+ version = 2
+ proposals = aes256-aes128-sha384-sha256-ecp384-x25519-ke1_mlkem768-ke1_mlkem1024-ke1_mlkem512-ke1_none
+ }
+}
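Review bot: moon's `proposals` and `esp_proposals` both end in `ke1_none`, so the gateway also accepts an initiator that offers no additional key exchange at all; the hybrid ML-KEM exchange the scenario is named for is then enforced only by what carol and dave propose and by the `ake1=ML_KEM_*` patterns in evaltest.dat, not by the responder configuration. If accepting classical-only peers on the gateway side is intended, a one-line comment above the proposals such as `# ke1_none: also accept peers that offer no additional (post-quantum) key exchange` would make that explicit; otherwise drop `ke1_none` from both lines. The wolfssl/rw-ml-kem-dsa moon configuration in this commit has the same trailing `ke1_none`.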
diff --git a/testing/tests/ikev2/rw-mlkem/posttest.dat b/testing/tests/ikev2/rw-ml-kem/posttest.dat similarity index 100% rename from testing/tests/ikev2/rw-mlkem/posttest.dat rename to testing/tests/ikev2/rw-ml-kem/posttest.dat diff --git a/testing/tests/ikev2/rw-mlkem/pretest.dat b/testing/tests/ikev2/rw-ml-kem/pretest.dat similarity index 100% rename from testing/tests/ikev2/rw-mlkem/pretest.dat rename to testing/tests/ikev2/rw-ml-kem/pretest.dat diff --git a/testing/tests/ikev2/rw-ml-kem/test.conf b/testing/tests/ikev2/rw-ml-kem/test.conf new file mode 100755 index 0000000000..1227b9d1c0 --- /dev/null +++ b/testing/tests/ikev2/rw-ml-kem/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/wolfssl/rw-ml-kem-dsa/description.txt b/testing/tests/wolfssl/rw-ml-kem-dsa/description.txt new file mode 100755 index 0000000000..e052bdc511 --- /dev/null +++ b/testing/tests/wolfssl/rw-ml-kem-dsa/description.txt @@ -0,0 +1,11 @@ +The roadwarrior carol and the gateway moon use the wolfssl +plugin based on the wolfSSL library for all cryptographical functions whereas +roadwarrior dave uses the openssl and ml plugins. The +authentication is based on ML-DSA-type X.509 certificates and the key +exchange on x25519-ke1_mlkem512 for carol and ecp384-ke1_mlkem786 +for dave. +

+Upon the successful establishment of the IPsec tunnels, the updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. diff --git a/testing/tests/wolfssl/rw-ml-kem-dsa/evaltest.dat b/testing/tests/wolfssl/rw-ml-kem-dsa/evaltest.dat new file mode 100755 index 0000000000..dec4073670 --- /dev/null +++ b/testing/tests/wolfssl/rw-ml-kem-dsa/evaltest.dat 
@@ -0,0 +1,10 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_384 ake1=ML_KEM_768.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_521 ake1=ML_KEM_1024.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_384 ake1=ML_KEM_768.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_521 ake1=ML_KEM_1024.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 
encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/carol/etc/strongswan.conf b/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/carol/etc/strongswan.conf new file mode 100755 index 0000000000..f2cdbe918c --- /dev/null +++ b/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem x509 wolfssl revocation constraints pubkey +} + +charon-systemd { + load = nonce pem pkcs8 x509 wolfssl revocation constraints pubkey curl kernel-netlink socket-default updown vici + + retransmit_timeout = 4 + max_packet = 12000 +} diff --git a/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..248b57e9fd --- /dev/null +++ b/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/carol/etc/swanctl/swanctl.conf 
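Review bot: The expected key-exchange values asserted here — `dh-group=ECP_384 ake1=ML_KEM_768` for carol and `dh-group=ECP_521 ake1=ML_KEM_1024` for dave — agree with the wolfssl swanctl.conf proposals in this commit but contradict the scenario's new description.txt, which says `x25519-ke1_mlkem512 for carol and ecp384-ke1_mlkem786 for dave` (and `mlkem786` is a typo for mlkem768); that paragraph looks copied from the botan variant. Update the wolfssl description to `ecp384-ke1_mlkem768 for carol and ecp521-ke1_mlkem1024 for dave`. The botan and ikev2 description files carry the same `mlkem786` spelling.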
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-ecp384-ke1_mlkem768
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp384-ke1_mlkem768
+ }
+}
+
+secrets {
+
+ rsa-carol {
+ file = carolKey.pem
+ secret = "nH5ZQEWtku0RJEZ6"
+ }
+}
diff --git a/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/dave/etc/strongswan.conf b/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/dave/etc/strongswan.conf
new file mode 100755
index 0000000000..352eac127a
--- /dev/null
+++ b/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem ml x509 revocation constraints pubkey openssl random
+}
+
+charon-systemd {
+ load = nonce pkcs8 ml x509 openssl pem revocation constraints pubkey curl kernel-netlink socket-default updown vici
+
+ retransmit_timeout = 4
+ max_packet = 12000
+}
diff --git a/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..a06a2bfdd4
--- /dev/null
+++ b/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-ecp521-ke1_mlkem1024
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp521-ke1_mlkem1024
+ }
+}
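Review bot: The `secrets { rsa-carol { file = carolKey.pem ... } }` block looks stale in this scenario: pretest.dat deletes /etc/swanctl/rsa/* before charon starts and posttest.dat cleans /etc/swanctl/pkcs8/*, so the carolKey.pem actually used here presumably lives under pkcs8/ and is not an RSA key. As written the section either points at a file that no longer exists or declares the wrong key type; if the PKCS#8 key is passphrase-protected the section should be `pkcs8-carol { file = carolKey.pem secret = "..." }`, otherwise drop the block entirely. dave's swanctl.conf in this same commit carries no secrets block at all, so the two initiators are also inconsistent with each other.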
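Review bot: dave's plugin list (`ml` plus `openssl`) deliberately differs from carol's and moon's (`wolfssl`), which is what makes this the cross-implementation leg of the scenario, but nothing in the file says so and a later cleanup could easily "harmonise" the three configs. A comment such as `# dave uses the native ml plugin with openssl; moon and carol use wolfssl (interop check)` at the top of the file would preserve that intent. The purpose is inferred from the three load lines only — confirm it matches what the scenario is meant to prove.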
diff --git a/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/moon/etc/strongswan.conf b/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/moon/etc/strongswan.conf
new file mode 100755
index 0000000000..f2cdbe918c
--- /dev/null
+++ b/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+swanctl {
+ load = pem x509 wolfssl revocation constraints pubkey
+}
+
+charon-systemd {
+ load = nonce pem pkcs8 x509 wolfssl revocation constraints pubkey curl kernel-netlink socket-default updown vici
+
+ retransmit_timeout = 4
+ max_packet = 12000
+}
diff --git a/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..a806a3661e
--- /dev/null
+++ b/testing/tests/wolfssl/rw-ml-kem-dsa/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-ecp384-ecp521-ke1_mlkem768-ke1_mlkem1024-ke1_mlkem512-ke1_none
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp384-ecp521-ke1_mlkem768-ke1_mlkem1024-ke1_mlkem512-ke1_none
+ }
+}
diff --git a/testing/tests/wolfssl/rw-ml-kem-dsa/posttest.dat b/testing/tests/wolfssl/rw-ml-kem-dsa/posttest.dat
new file mode 100755
index 0000000000..f3b4dc9995
--- /dev/null
+++ b/testing/tests/wolfssl/rw-ml-kem-dsa/posttest.dat
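Review bot: moon's `proposals` and `esp_proposals` both end in `ke1_none`, so the responder also accepts a peer that offers no additional key exchange and will negotiate a purely classical ECP SA; the evaltest only observes ML-KEM for carol and dave because their own configs insist on it, not because moon enforces it. If this scenario is meant to show a gateway that requires a hybrid post-quantum exchange, drop `-ke1_none` (and probably `-ke1_mlkem512`) from both lines; if it is meant to show graceful fallback for classical-only clients, say so with a comment such as `# ke1_none keeps classical-only clients connectable` above the proposals. `remote { auth = pubkey }` without an `id` or `cacerts` constraint follows the other test scenarios and needs no change.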
@@ -0,0 +1,11 @@
+carol::swanctl --terminate --ike home
+dave::swanctl --terminate --ike home
+carol::systemctl stop strongswan
+dave::systemctl stop strongswan
+moon::systemctl stop strongswan
+moon::rm /etc/swanctl/pkcs8/*
+carol::rm /etc/swanctl/pkcs8/*
+dave::rm /etc/swanctl/pkcs8/*
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/wolfssl/rw-ml-kem-dsa/pretest.dat b/testing/tests/wolfssl/rw-ml-kem-dsa/pretest.dat
new file mode 100755
index 0000000000..85426cbb49
--- /dev/null
+++ b/testing/tests/wolfssl/rw-ml-kem-dsa/pretest.dat
@@ -0,0 +1,14 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::rm /etc/swanctl/rsa/*
+carol::rm /etc/swanctl/rsa/*
+dave::rm /etc/swanctl/rsa/*
+moon::systemctl start strongswan
+carol::systemctl start strongswan
+dave::systemctl start strongswan
+moon::expect-connection rw
+carol::expect-connection home
+carol::swanctl --initiate --child home 2> /dev/null
+dave::expect-connection home
+dave::swanctl --initiate --child home 2> /dev/null
diff --git a/testing/tests/wolfssl/rw-ml-kem-dsa/test.conf b/testing/tests/wolfssl/rw-ml-kem-dsa/test.conf
new file mode 100755
index 0000000000..1227b9d1c0
--- /dev/null
+++ b/testing/tests/wolfssl/rw-ml-kem-dsa/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/wolfssl/rw-mlkem/description.txt b/testing/tests/wolfssl/rw-ml-kem/description.txt
similarity index 100%
rename from testing/tests/wolfssl/rw-mlkem/description.txt
rename to testing/tests/wolfssl/rw-ml-kem/description.txt
diff --git a/testing/tests/wolfssl/rw-ml-kem/evaltest.dat b/testing/tests/wolfssl/rw-ml-kem/evaltest.dat
new file mode 100755
index 0000000000..dec4073670
--- /dev/null
+++ b/testing/tests/wolfssl/rw-ml-kem/evaltest.dat
@@ -0,0 +1,10 @@
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_384 ake1=ML_KEM_768.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_521 ake1=ML_KEM_1024.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_384 ake1=ML_KEM_768.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_521 ake1=ML_KEM_1024.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
+alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES
+alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/wolfssl/rw-mlkem/hosts/carol/etc/strongswan.conf b/testing/tests/wolfssl/rw-ml-kem/hosts/carol/etc/strongswan.conf
similarity index 100%
rename from testing/tests/wolfssl/rw-mlkem/hosts/carol/etc/strongswan.conf
rename to testing/tests/wolfssl/rw-ml-kem/hosts/carol/etc/strongswan.conf
diff --git a/testing/tests/wolfssl/rw-ml-kem/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-ml-kem/hosts/carol/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..248b57e9fd
--- /dev/null
+++ b/testing/tests/wolfssl/rw-ml-kem/hosts/carol/etc/swanctl/swanctl.conf
@@ -0,0 +1,35 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-ecp384-ke1_mlkem768
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp384-ke1_mlkem768
+ }
+}
+
+secrets {
+
+ rsa-carol {
+ file = carolKey.pem
+ secret = "nH5ZQEWtku0RJEZ6"
+ }
+}
diff --git a/testing/tests/wolfssl/rw-mlkem/hosts/dave/etc/strongswan.conf b/testing/tests/wolfssl/rw-ml-kem/hosts/dave/etc/strongswan.conf
similarity index 100%
rename from testing/tests/wolfssl/rw-mlkem/hosts/dave/etc/strongswan.conf
rename to testing/tests/wolfssl/rw-ml-kem/hosts/dave/etc/strongswan.conf
diff --git a/testing/tests/wolfssl/rw-ml-kem/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-ml-kem/hosts/dave/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..a06a2bfdd4
--- /dev/null
+++ b/testing/tests/wolfssl/rw-ml-kem/hosts/dave/etc/swanctl/swanctl.conf
@@ -0,0 +1,27 @@
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-ecp521-ke1_mlkem1024
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp521-ke1_mlkem1024
+ }
+}
diff --git a/testing/tests/wolfssl/rw-mlkem/hosts/moon/etc/strongswan.conf b/testing/tests/wolfssl/rw-ml-kem/hosts/moon/etc/strongswan.conf
similarity index 100%
rename from testing/tests/wolfssl/rw-mlkem/hosts/moon/etc/strongswan.conf
rename to testing/tests/wolfssl/rw-ml-kem/hosts/moon/etc/strongswan.conf
diff --git a/testing/tests/wolfssl/rw-ml-kem/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-ml-kem/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100755
index 0000000000..a806a3661e
--- /dev/null
+++ b/testing/tests/wolfssl/rw-ml-kem/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = aes128gcm128-ecp384-ecp521-ke1_mlkem768-ke1_mlkem1024-ke1_mlkem512-ke1_none
+ }
+ }
+ version = 2
+ proposals = aes128-sha256-ecp384-ecp521-ke1_mlkem768-ke1_mlkem1024-ke1_mlkem512-ke1_none
+ }
+}
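Review bot: As in the rw-ml-kem-dsa variant, moon's `proposals` and `esp_proposals` here include `ke1_none`, so a client that offers no additional key exchange is given a classical-only ECP SA and only carol's and dave's own proposals make this test exercise ML-KEM at all. Either remove `-ke1_none` so the gateway itself requires a hybrid exchange, or document the fallback intent with a comment such as `# ke1_none keeps classical-only clients connectable` above the two proposal lines, so the choice is visibly deliberate.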
diff --git a/testing/tests/wolfssl/rw-mlkem/posttest.dat b/testing/tests/wolfssl/rw-ml-kem/posttest.dat
similarity index 100%
rename from testing/tests/wolfssl/rw-mlkem/posttest.dat
rename to testing/tests/wolfssl/rw-ml-kem/posttest.dat
diff --git a/testing/tests/wolfssl/rw-mlkem/pretest.dat b/testing/tests/wolfssl/rw-ml-kem/pretest.dat
similarity index 100%
rename from testing/tests/wolfssl/rw-mlkem/pretest.dat
rename to testing/tests/wolfssl/rw-ml-kem/pretest.dat
diff --git a/testing/tests/wolfssl/rw-ml-kem/test.conf b/testing/tests/wolfssl/rw-ml-kem/test.conf
new file mode 100755
index 0000000000..1227b9d1c0
--- /dev/null
+++ b/testing/tests/wolfssl/rw-ml-kem/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
diff --git a/testing/tests/wolfssl/rw-modp3072/hosts/carol/etc/strongswan.conf b/testing/tests/wolfssl/rw-modp3072/hosts/carol/etc/strongswan.conf
index 72624afbf1..b71a1f21ab 100755
--- a/testing/tests/wolfssl/rw-modp3072/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/wolfssl/rw-modp3072/hosts/carol/etc/strongswan.conf
@@ -1,11 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem wolfssl pkcs1 x509 revocation constraints pubkey + load = pem pkcs1 wolfssl x509 revocation constraints pubkey } charon-systemd { - load = nonce pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici + load = nonce pem pkcs1 pkcs8 wolfssl x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici rsa_pss = yes } diff --git a/testing/tests/wolfssl/rw-modp3072/hosts/dave/etc/strongswan.conf b/testing/tests/wolfssl/rw-modp3072/hosts/dave/etc/strongswan.conf index 033ea6b297..0004af68d7 100755 --- a/testing/tests/wolfssl/rw-modp3072/hosts/dave/etc/strongswan.conf +++ b/testing/tests/wolfssl/rw-modp3072/hosts/dave/etc/strongswan.conf @@ -1,11 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem pkcs1 revocation constraints pubkey openssl random + load = pem revocation constraints pubkey openssl random } charon-systemd { - load = random nonce openssl pem pkcs1 revocation constraints pubkey curl kernel-netlink socket-default updown vici + load = random nonce openssl pem revocation constraints pubkey curl kernel-netlink socket-default updown vici rsa_pss = yes } diff --git a/testing/tests/wolfssl/rw-modp3072/hosts/moon/etc/strongswan.conf b/testing/tests/wolfssl/rw-modp3072/hosts/moon/etc/strongswan.conf index 87af233ea7..0e91e88f04 100755 --- a/testing/tests/wolfssl/rw-modp3072/hosts/moon/etc/strongswan.conf +++ b/testing/tests/wolfssl/rw-modp3072/hosts/moon/etc/strongswan.conf 
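Review bot: Moving `pkcs1` ahead of `wolfssl` in both `load` lines changes which plugin gets first pick for RSA key decoding (as far as I recall, strongSwan prefers earlier-loaded providers for the same feature), and the newly added `pkcs8` appears only in charon's list, not swanctl's; neither change is mentioned in the commit message, which names only the rw-ml-kem-dsa scenarios. A short comment above the swanctl `load` line such as `# pkcs1 before wolfssl: prefer the native decoder for the RSA test keys` would record the intent, if that is the reason. If swanctl also decodes the key file itself, consider adding `pkcs8` to its `load` list as well, for symmetry with charon's and with the new ML-KEM scenarios.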
@@ -1,11 +1,11 @@ # /etc/strongswan.conf - strongSwan configuration file swanctl { - load = pem wolfssl pkcs1 x509 revocation constraints pubkey + load = pem pkcs1 wolfssl x509 revocation constraints pubkey } charon-systemd { - load = nonce test-vectors pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici + load = nonce test-vectors pem pkcs1 wolfssl x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici rsa_pss = yes }