From: Tobias Brunner Date: Wed, 17 Nov 2021 13:43:38 +0000 (+0100) Subject: testing: Add TKM scenarios with multiple key exchanges X-Git-Tag: 6.0.0rc1~46^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2b1885b8926fa372ca54cfbffd14d7639486db21;p=thirdparty%2Fstrongswan.git testing: Add TKM scenarios with multiple key exchanges
---
diff --git a/testing/scripts/build-certs-chroot b/testing/scripts/build-certs-chroot
index 4cd8d74bdb..5130a9b609 100755
--- a/testing/scripts/build-certs-chroot
+++ b/testing/scripts/build-certs-chroot
@@ -176,9 +176,9 @@ do
 done
 # Put DER-encoded moon private key and Root CA certificate into tkm scenarios
-for t in host2host-initiator host2host-responder host2host-xfrmproxy \
- multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
- xfrmproxy-rekey
+for t in host2host-initiator host2host-initiator-multi-ke host2host-responder \
+ host2host-responder-multi-ke host2host-xfrmproxy multi-level-ca \
+ net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
 do
 TEST="${TEST_DIR}/tkm/${t}"
 mkdir -p ${TEST}/hosts/moon/${TKM_DIR}
@@ -1919,9 +1919,9 @@ done
 # TKM CA ID mapping # ################################################################################
-for t in host2host-initiator host2host-responder host2host-xfrmproxy \
- multi-level-ca net2net-initiator net2net-xfrmproxy xfrmproxy-expire \
- xfrmproxy-rekey
+for t in host2host-initiator host2host-initiator-multi-ke host2host-responder \
+ host2host-responder-multi-ke host2host-xfrmproxy multi-level-ca \
+ net2net-initiator net2net-xfrmproxy xfrmproxy-expire xfrmproxy-rekey
 do
 for h in moon
 do
diff --git a/testing/tests/tkm/host2host-initiator-multi-ke/description.txt b/testing/tests/tkm/host2host-initiator-multi-ke/description.txt
new file mode 100644
index 0000000000..2458b6e4a5
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator-multi-ke/description.txt
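Review bot: The list of TKM scenarios is now duplicated verbatim in the two `for t in …` loops (the hunk at line 176 and the one at line 1919), so every new scenario has to be added in both places and the two lists can silently drift apart. Define the list once near the top of the script, e.g. `TKM_TESTS="host2host-initiator host2host-initiator-multi-ke host2host-responder \` followed by the remaining names, and iterate with `for t in ${TKM_TESTS}` in both loops. Both loop bodies continue past the end of their hunks.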
@@ -0,0 +1,5 @@
+A connection between the hosts moon and sun is set up using
+multiple key exchanges. The host moon uses the Trusted Key Manager (TKM)
+and is the initiator of the transport connection. The authentication is based
+on X.509 certificates. Rekeyings are initiated by moon for both the IKE
+and the ESP SA to test rekeying with multiple key exchanges.
diff --git a/testing/tests/tkm/host2host-initiator-multi-ke/evaltest.dat b/testing/tests/tkm/host2host-initiator-multi-ke/evaltest.dat
new file mode 100644
index 0000000000..81b737d157
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator-multi-ke/evaltest.dat
@@ -0,0 +1,24 @@
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072 ake1=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072 ake1=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --rekey --ike conn1
+moon::sleep 1
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+moon::swanctl --rekey --child conn1
+moon::sleep 1
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::3
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::3
+moon::cat /tmp/tkm.log::Updating ISA context with ID 1 (KE 1)::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Linked CC context 1 with CA certificate 1::YES
+moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+moon::cat /tmp/tkm.log::Creating new child ISA context with ID 2 (Parent Isa 1, KE 1 #1 / 2, nonce 1, spi_loc.*::YES
+moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 2, Sp 1, Ea 1, Ke_Id 1 #1 / 2, Nc_Loc_Id 1, Initiator TRUE, spi_loc.*::YES
+moon::swanctl --terminate --ike conn1 && sleep 1::no output expected::NO
+moon::cat /var/log/daemon.log::deleting child SA (esa: 1, spi:.*)::YES
+moon::cat /tmp/tkm.log::Resetting ESA context 1::YES
+moon::cat /tmp/tkm.log::Deleting ESA \[ 1, 192.168.0.1 <=> 192.168.0.2, SPI_in.*, SPI_out.* \]::YES
diff --git a/testing/tests/tkm/host2host-initiator-multi-ke/hosts/moon/etc/strongswan.conf.in b/testing/tests/tkm/host2host-initiator-multi-ke/hosts/moon/etc/strongswan.conf.in
new file mode 100644
index 0000000000..243fa98a13
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator-multi-ke/hosts/moon/etc/strongswan.conf.in
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-tkm {
+ ke_mapping {
+ 15 = 1
+ 16 = 2
+ }
+ ca_mapping {
+ strongswan_ca {
+ id = 1
+ fingerprint = CA_SPK_HEX
+ }
+ }
+ start-scripts {
+ swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+ }
+}
diff --git a/testing/tests/tkm/host2host-initiator-multi-ke/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tkm/host2host-initiator-multi-ke/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000000..9830e50871
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator-multi-ke/hosts/moon/etc/swanctl/swanctl.conf
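Review bot: The TKM-side log assertions only cover the first key exchange: `Updating ISA context with ID 1 (KE 1)` and the `KE 1 #1 / 2` / `Ke_Id 1 #1 / 2` patterns on the rekey lines, while the additional exchange (mapped to TKM KE id 2 by ke_mapping in strongswan.conf.in) is verified only through charon's `ake1=MODP_4096` in the `swanctl --list-sas` output. If tkm_keymanager logs the second exchange as well — the `#1 / 2` suffix suggests it counts them — add a matching assertion such as `moon::cat /tmp/tkm.log::<second-KE log line, e.g. containing "#2 / 2">::YES` so a regression that drops the additional exchange on the TKM side is caught rather than only on the charon side. The responder scenario's evaltest.dat has the same gap.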
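Review bot: The `ke_mapping` entries `15 = 1` and `16 = 2` are bare numbers with no hint of what either side means; the keys are the IKEv2 key-exchange transform identifiers (15 = MODP_3072, 16 = MODP_4096, matching the `modp3072-ke1_modp4096` proposals in the scenario's swanctl.conf files) and the values are the key-exchange ids on the TKM side. A comment above the block, `# IKEv2 KE transform ID (15 = modp3072, 16 = modp4096) -> TKM KE id`, would spare the next reader a lookup. The responder scenario's strongswan.conf.in carries the identical block.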
@@ -0,0 +1,26 @@
+# pre-generated and modified as tkm_cfgtool doesn't support multiple KEs yet
+
+connections {
+ conn1 {
+ local_addrs=192.168.0.1
+ remote_addrs=192.168.0.2
+ proposals=aes256-sha512-modp3072-ke1_modp4096
+ local {
+ id=moon.strongswan.org
+ certs=moonCert.pem
+ }
+ remote {
+ id=sun.strongswan.org
+ }
+ children {
+ conn1 {
+ reqid=1
+ life_time=60
+ rekey_time=30
+ mode=transport
+ esp_proposals=aes256-sha512-modp3072-ke1_modp4096
+ start_action=trap
+ }
+ }
+ }
+}
diff --git a/testing/tests/tkm/host2host-initiator-multi-ke/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/host2host-initiator-multi-ke/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 0000000000..2619c0089a
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator-multi-ke/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+
+
+ moon.strongswan.org
+ moonCert.pem
+
+
+ transport
+
+ 1
+ 192.168.0.1
+
+
+ sun.strongswan.org
+ 192.168.0.2
+
+
+ 30
+ 60
+
+
+
diff --git a/testing/tests/tkm/host2host-initiator-multi-ke/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/host2host-initiator-multi-ke/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000000..009d413983
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator-multi-ke/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,22 @@
+connections {
+
+ host-host {
+ proposals = aes256-sha512-modp3072-ke1_modp4096
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ mode = transport
+ esp_proposals = aes256-sha512-modp3072-ke1_modp4096
+ }
+ }
+ }
+}
diff --git a/testing/tests/tkm/host2host-initiator-multi-ke/posttest.dat b/testing/tests/tkm/host2host-initiator-multi-ke/posttest.dat
new file mode 100644
index 0000000000..5bfa138fe4
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator-multi-ke/posttest.dat
@@ -0,0 +1,4 @@
+moon::service charon-tkm stop
+moon::killall tkm_keymanager
+moon::rm -f /tmp/swanctl.conf /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+sun::systemctl stop strongswan
diff --git a/testing/tests/tkm/host2host-initiator-multi-ke/pretest.dat b/testing/tests/tkm/host2host-initiator-multi-ke/pretest.dat
new file mode 100644
index 0000000000..621478b4b8
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator-multi-ke/pretest.dat
@@ -0,0 +1,11 @@
+moon::rm /etc/swanctl/rsa/*
+# swanctl.conf is not generated as tkm_cfgtool doesn't support multiple KEs yet
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /tmp/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::service charon-tkm start
+sun::systemctl start strongswan
+sun::expect-connection host-host
+moon::expect-connection conn1
+moon::swanctl --initiate --child conn1 2> /dev/null
diff --git a/testing/tests/tkm/host2host-initiator-multi-ke/test.conf b/testing/tests/tkm/host2host-initiator-multi-ke/test.conf
new file mode 100644
index 0000000000..52d886dcce
--- /dev/null
+++ b/testing/tests/tkm/host2host-initiator-multi-ke/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
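Review bot: This posttest.dat deletes `/tmp/tkm.log` in the `rm -f` line without first dumping it, whereas the responder scenario's posttest.dat runs `moon::cat /tmp/tkm.log` before removing it; when one of the evaltest.dat assertions against that log fails, the initiator scenario leaves no copy of the keymanager output in the test report to diagnose it. Add `moon::cat /tmp/tkm.log` before the `rm -f` line so both new scenarios behave the same.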
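Review bot: The `:1` suffix in `-r /etc/tkm/strongswanCert.der:1` on the tkm_keymanager line appears to be the CA id that has to agree with `ca_mapping.strongswan_ca.id = 1` in strongswan.conf.in and with the `Linked CC context 1 with CA certificate 1` assertion in evaltest.dat, but nothing in the file says so; a comment `# CA id 1 must match ca_mapping in strongswan.conf.in` above that line would make the coupling explicit. Likewise `moon::rm /etc/swanctl/rsa/*` deserves a one-line comment stating that charon's copy of the RSA key is removed because the key is loaded into tkm_keymanager via `-k /etc/tkm/moonKey.der` instead. The responder scenario's pretest.dat is identical in both respects.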
diff --git a/testing/tests/tkm/host2host-responder-multi-ke/description.txt b/testing/tests/tkm/host2host-responder-multi-ke/description.txt
new file mode 100644
index 0000000000..270a9f7d14
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder-multi-ke/description.txt
@@ -0,0 +1,5 @@
+A connection between the hosts moon and sun is set up using
+multiple key exchanges. The host moon uses the Trusted Key Manager (TKM)
+and is the responder of the transport connection. The authentication is based
+on X.509 certificates. Rekeyings are initiated by sun for both the IKE
+and the ESP SA to test rekeying with multiple key exchanges.
diff --git a/testing/tests/tkm/host2host-responder-multi-ke/evaltest.dat b/testing/tests/tkm/host2host-responder-multi-ke/evaltest.dat
new file mode 100644
index 0000000000..04d80998f8
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder-multi-ke/evaltest.dat
@@ -0,0 +1,20 @@
+moon::swanctl --list-sas --raw 2> /dev/null::conn1.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072 ake1=MODP_4096.*child-sas.*conn1.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.1/32] remote-ts=\[192.168.0.2/32]::YES
+sun:: swanctl --list-sas --raw 2> /dev/null::host-host.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256 prf-alg=PRF_HMAC_SHA2_512 dh-group=MODP_3072 ake1=MODP_4096.*child-sas.*host-host.*state=INSTALLED mode=TRANSPORT.*ESP.*encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_512_256.*local-ts=\[192.168.0.2/32] remote-ts=\[192.168.0.1/32]::YES
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::swanctl --rekey --ike host-host
+sun::sleep 1
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::swanctl --rekey --child host-host
+sun::sleep 1
+moon::ping -c 1 PH_IP_SUN::64 bytes from PH_IP_SUN: icmp_.eq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::3
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::3
+moon::cat /tmp/tkm.log::Updating ISA context with ID 1 (KE 1)::YES
+moon::cat /tmp/tkm.log::RSA private key '/etc/tkm/moonKey.der' loaded::YES
+moon::cat /tmp/tkm.log::Adding policy \[ 1, 192.168.0.1 <-> 192.168.0.2 \]::YES
+moon::cat /tmp/tkm.log::Linked CC context 1 with CA certificate 1::YES
+moon::cat /tmp/tkm.log::Certificate chain of CC context 1 is valid::YES
+moon::cat /tmp/tkm.log::Authentication of ISA context 1 successful::YES
+moon::cat /tmp/tkm.log::Adding ESA \[ 1, 192.168.0.1 <-> 192.168.0.2, SPI_in.*, SPI_out.*, soft 30, hard 60 \]::YES
+moon::cat /tmp/tkm.log::Creating new child ISA context with ID 2 (Parent Isa 1, KE 1 #1 / 2, nonce 1, spi_loc.*::YES
+moon::cat /tmp/tkm.log::Creating ESA context with ID 2 (Isa 2, Sp 1, Ea 1, Ke_Id 1 #1 / 2, Nc_Loc_Id 1, Initiator FALSE, spi_loc.*::YES
diff --git a/testing/tests/tkm/host2host-responder-multi-ke/hosts/moon/etc/strongswan.conf.in b/testing/tests/tkm/host2host-responder-multi-ke/hosts/moon/etc/strongswan.conf.in
new file mode 100644
index 0000000000..243fa98a13
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder-multi-ke/hosts/moon/etc/strongswan.conf.in
@@ -0,0 +1,17 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon-tkm {
+ ke_mapping {
+ 15 = 1
+ 16 = 2
+ }
+ ca_mapping {
+ strongswan_ca {
+ id = 1
+ fingerprint = CA_SPK_HEX
+ }
+ }
+ start-scripts {
+ swanctl = /usr/local/sbin/swanctl --load-all --noprompt
+ }
+}
diff --git a/testing/tests/tkm/host2host-responder-multi-ke/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/tkm/host2host-responder-multi-ke/hosts/moon/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000000..9830e50871
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder-multi-ke/hosts/moon/etc/swanctl/swanctl.conf
@@ -0,0 +1,26 @@
+# pre-generated and modified as tkm_cfgtool doesn't support multiple KEs yet
+
+connections {
+ conn1 {
+ local_addrs=192.168.0.1
+ remote_addrs=192.168.0.2
+ proposals=aes256-sha512-modp3072-ke1_modp4096
+ local {
+ id=moon.strongswan.org
+ certs=moonCert.pem
+ }
+ remote {
+ id=sun.strongswan.org
+ }
+ children {
+ conn1 {
+ reqid=1
+ life_time=60
+ rekey_time=30
+ mode=transport
+ esp_proposals=aes256-sha512-modp3072-ke1_modp4096
+ start_action=trap
+ }
+ }
+ }
+}
diff --git a/testing/tests/tkm/host2host-responder-multi-ke/hosts/moon/etc/tkm/tkm.conf b/testing/tests/tkm/host2host-responder-multi-ke/hosts/moon/etc/tkm/tkm.conf
new file mode 100644
index 0000000000..2619c0089a
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder-multi-ke/hosts/moon/etc/tkm/tkm.conf
@@ -0,0 +1,21 @@
+
+
+ moon.strongswan.org
+ moonCert.pem
+
+
+ transport
+
+ 1
+ 192.168.0.1
+
+
+ sun.strongswan.org
+ 192.168.0.2
+
+
+ 30
+ 60
+
+
+
diff --git a/testing/tests/tkm/host2host-responder-multi-ke/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/tkm/host2host-responder-multi-ke/hosts/sun/etc/swanctl/swanctl.conf
new file mode 100644
index 0000000000..143796a4e8
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder-multi-ke/hosts/sun/etc/swanctl/swanctl.conf
@@ -0,0 +1,25 @@
+connections {
+
+ host-host {
+ local_addrs = PH_IP_SUN
+ remote_addrs = PH_IP_MOON
+
+ proposals = aes256-sha512-modp3072-ke1_modp4096
+
+ local {
+ auth = pubkey
+ certs = sunCert.pem
+ id = sun.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ host-host {
+ mode = transport
+ esp_proposals = aes256-sha512-modp3072-ke1_modp4096
+ }
+ }
+ }
+}
diff --git a/testing/tests/tkm/host2host-responder-multi-ke/posttest.dat b/testing/tests/tkm/host2host-responder-multi-ke/posttest.dat
new file mode 100644
index 0000000000..50ac9cb3c8
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder-multi-ke/posttest.dat
@@ -0,0 +1,5 @@
+moon::service charon-tkm stop
+moon::killall tkm_keymanager
+moon::cat /tmp/tkm.log
+moon::rm -f /tmp/swanctl.conf /tmp/tkm.rpc.ike /tmp/tkm.rpc.ees /tmp/tkm.log
+sun::systemctl stop strongswan
diff --git a/testing/tests/tkm/host2host-responder-multi-ke/pretest.dat b/testing/tests/tkm/host2host-responder-multi-ke/pretest.dat
new file mode 100644
index 0000000000..716484022f
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder-multi-ke/pretest.dat
@@ -0,0 +1,11 @@
+moon::rm /etc/swanctl/rsa/*
+# swanctl.conf is not generated as tkm_cfgtool doesn't support multiple KEs yet
+moon::tkm_cfgtool -c /etc/tkm/tkm.conf -i /tmp/swanctl.conf -t /etc/tkm/tkm.bin -s /usr/local/share/tkm/tkmconfig.xsd
+moon::cat /etc/swanctl/swanctl.conf
+moon::tkm_keymanager -c /etc/tkm/tkm.bin -k /etc/tkm/moonKey.der -r /etc/tkm/strongswanCert.der:1 >/tmp/tkm.log 2>&1 &
+moon::expect-file /tmp/tkm.rpc.ike
+moon::service charon-tkm start
+sun::systemctl start strongswan
+sun::expect-connection host-host
+moon::expect-connection conn1
+sun::swanctl --initiate --child host-host 2> /dev/null
diff --git a/testing/tests/tkm/host2host-responder-multi-ke/test.conf b/testing/tests/tkm/host2host-responder-multi-ke/test.conf
new file mode 100644
index 0000000000..52d886dcce
--- /dev/null
+++ b/testing/tests/tkm/host2host-responder-multi-ke/test.conf
@@ -0,0 +1,25 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon winnetou sun"
+
+# Corresponding block diagram
+#
+DIAGRAM="m-w-s.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
+
+# charon controlled by swanctl
+#
+SWANCTL=1