From: Andreas Steffen
Date: Mon, 9 Jan 2023 18:49:43 +0000 (+0100)
Subject: wolfssl: RSA-PSS with SHA3 is not supported by wolfSSL
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb75bb5ffee1f191ed98d05d7d276919ea555718;p=thirdparty%2Fstrongswan.git

wolfssl: RSA-PSS with SHA3 is not supported by wolfSSL
---
diff --git a/testing/scripts/build-certs-chroot b/testing/scripts/build-certs-chroot
index 928461d1ce..aecb62bce7 100755
--- a/testing/scripts/build-certs-chroot
+++ b/testing/scripts/build-certs-chroot
@@ -1388,8 +1388,8 @@ pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \
 --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT}
 cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem
-# Put a copy in the botan and wolfssl net2net-sha3-rsa-cert scenarios
-for d in botan wolfssl
+# Put a copy in the botan net2net-sha3-rsa-cert scenarios
+for d in botan
 do
     TEST="${TEST_DIR}/${d}/net2net-sha3-rsa-cert"
 cd ${TEST}/hosts/moon/${SWANCTL_DIR}
diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/description.txt b/testing/tests/wolfssl/net2net-sha3-rsa-cert/description.txt
deleted file mode 100755
index 2db82a9413..0000000000
--- a/testing/tests/wolfssl/net2net-sha3-rsa-cert/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-A connection between the subnets behind the gateways moon and sun is set up.
-The authentication is based on X.509 certificates with signatures consisting of
-RSA-encrypted SHA-3 hashes.
-
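Review bot: The new comment `# Put a copy in the botan net2net-sha3-rsa-cert scenarios` still uses the plural although only one scenario remains after wolfssl is dropped; `# Put a copy in the botan net2net-sha3-rsa-cert scenario` reads correctly. Keeping a `for d in botan` loop over a single literal is reasonable as an extension point for other crypto backends, but it is worth stating that intent in the comment so the next reader does not simplify it away. The loop body continues outside the hunk; its last visible line, `cd ${TEST}/hosts/moon/${SWANCTL_DIR}`, is unquoted and unchecked, so unless the script runs under `set -e` (not visible here) a failed cd would let the following copy run in whatever directory the script was in — `cd "${TEST}/hosts/moon/${SWANCTL_DIR}" || exit 1` would make the loop fail closed.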

-Upon the successful establishment of the IPsec tunnel, the updown script automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, client alice behind gateway moon
-pings client bob located behind gateway sun.
diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/evaltest.dat b/testing/tests/wolfssl/net2net-sha3-rsa-cert/evaltest.dat
deleted file mode 100755
index 4c56d5299b..0000000000
--- a/testing/tests/wolfssl/net2net-sha3-rsa-cert/evaltest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES
-sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES
-alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES
-sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
-sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
deleted file mode 100755
index c18b002fd2..0000000000
--- a/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem wolfssl pkcs1 x509 revocation constraints pubkeyrandom
-}
-
-charon-systemd {
- load = random nonce pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
deleted file mode 100755
index bcc2742f78..0000000000
--- a/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-connections {
-
- gw-gw {
- local_addrs = 192.168.0.1
- remote_addrs = 192.168.0.2
-
- local {
- auth = pubkey
- certs = moonCert.pem
- id = moon.strongswan.org
- }
- remote {
- auth = pubkey
- id = sun.strongswan.org
- }
- children {
- net-net {
- local_ts = 10.1.0.0/16
- remote_ts = 10.2.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- rekey_time = 5400
- rekey_bytes = 500000000
- rekey_packets = 1000000
- esp_proposals = aes128gcm128-x25519
- }
- }
- version = 2
- mobike = no
- reauth_time = 10800
- proposals = aes128-sha256-x25519
- }
-}
diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
deleted file mode 100755
index ea977a3916..0000000000
--- a/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-swanctl {
- load = pem wolfssl pkcs1 x509 revocation constraints pubkey random
-}
-
-charon-systemd {
- load = random nonce pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici
-}
diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
deleted file mode 100755
index 12cee0fc6d..0000000000
--- a/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf
+++ /dev/null
@@ -1,33 +0,0 @@
-connections {
-
- gw-gw {
- local_addrs = 192.168.0.2
- remote_addrs = 192.168.0.1
-
- local {
- auth = pubkey
- certs = sunCert.pem
- id = sun.strongswan.org
- }
- remote {
- auth = pubkey
- id = moon.strongswan.org
- }
- children {
- net-net {
- local_ts = 10.2.0.0/16
- remote_ts = 10.1.0.0/16
-
- updown = /usr/local/libexec/ipsec/_updown iptables
- rekey_time = 5400
- rekey_bytes = 500000000
- rekey_packets = 1000000
- esp_proposals = aes128gcm128-x25519
- }
- }
- version = 2
- mobike = no
- reauth_time = 10800
- proposals = aes128-sha256-x25519
- }
-}
diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/posttest.dat b/testing/tests/wolfssl/net2net-sha3-rsa-cert/posttest.dat
deleted file mode 100755
index cc6a5bff73..0000000000
--- a/testing/tests/wolfssl/net2net-sha3-rsa-cert/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::swanctl --terminate --ike gw-gw 2> /dev/null
-moon::systemctl stop strongswan
-sun::systemctl stop strongswan
-moon::iptables-restore < /etc/iptables.flush
-sun::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/pretest.dat b/testing/tests/wolfssl/net2net-sha3-rsa-cert/pretest.dat
deleted file mode 100755
index 2d3c8c1e20..0000000000
--- a/testing/tests/wolfssl/net2net-sha3-rsa-cert/pretest.dat
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-sun::iptables-restore < /etc/iptables.rules
-moon::systemctl start strongswan
-sun::systemctl start strongswan
-moon::expect-connection gw-gw
-sun::expect-connection gw-gw
-moon::swanctl --initiate --child net-net 2> /dev/null
diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/test.conf b/testing/tests/wolfssl/net2net-sha3-rsa-cert/test.conf
deleted file mode 100755
index 07a3b247a1..0000000000
--- a/testing/tests/wolfssl/net2net-sha3-rsa-cert/test.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
-
-# charon controlled by swanctl
-#
-SWANCTL=1