From: Andreas Steffen Date: Thu, 3 Jun 2021 08:22:59 +0000 (+0200) Subject: testing: Test wolfssl plugin X-Git-Tag: 5.9.3dr3~4 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=de5ca4021ae350fc9ff790f4ea3bf1488f774005;p=thirdparty%2Fstrongswan.git testing: Test wolfssl plugin --- diff --git a/testing/scripts/build-certs-chroot b/testing/scripts/build-certs-chroot index 8e096b0bbb..f21835c04a 100755 --- a/testing/scripts/build-certs-chroot +++ b/testing/scripts/build-certs-chroot @@ -415,10 +415,13 @@ KEY_PWD="nH5ZQEWtku0RJEZ6" openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \ 2> /dev/null -# Put a copy into the ikev2/rw-cert scenario -TEST="${TEST_DIR}/ikev2/rw-cert" -mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa -cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa +# Put a copy into the ikev2, botan and wolfssl rw-cert scenarios +for d in ikev2 botan wolfssl +do + TEST="${TEST_DIR}/${d}/rw-cert" + mkdir -p ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa + cp ${HOST_KEY} ${TEST}/hosts/carol/${SWANCTL_DIR}/rsa +done # Generate another carol certificate and revoke it TEST="${TEST_DIR}/ikev2/crl-revoked" @@ -1413,18 +1416,21 @@ pki --issue --cakey ${SHA3_RSA_KEY} --cacert ${SHA3_RSA_CERT} --type rsa \ --crl ${SHA3_RSA_CDP} --digest sha3_256 --outform pem > ${MOON_CERT} cp ${MOON_CERT} ${SHA3_RSA_DIR}/certs/${SERIAL}.pem -# Put a copy in the botan/net2net-sha3-rsa-cert scenario -TEST="${TEST_DIR}/botan/net2net-sha3-rsa-cert" -cd ${TEST}/hosts/moon/${SWANCTL_DIR} -mkdir -p rsa x509 x509ca -cp ${MOON_KEY} rsa -cp ${MOON_CERT} x509 -cp ${SHA3_RSA_CERT} x509ca -cd ${TEST}/hosts/sun/${SWANCTL_DIR} -mkdir -p rsa x509 x509ca -cp ${SUN_KEY} rsa -cp ${SUN_CERT} x509 -cp ${SHA3_RSA_CERT} x509ca +# Put a copy in the botan and wolfssl net2net-sha3-rsa-cert scenarios +for d in botan wolfssl +do + TEST="${TEST_DIR}/${d}/net2net-sha3-rsa-cert" + cd ${TEST}/hosts/moon/${SWANCTL_DIR} + mkdir -p rsa x509 x509ca + cp ${MOON_KEY} rsa + cp ${MOON_CERT} x509 + cp ${SHA3_RSA_CERT} x509ca + cd ${TEST}/hosts/sun/${SWANCTL_DIR} + mkdir -p rsa x509 x509ca + cp ${SUN_KEY} rsa + cp ${SUN_CERT} x509 + cp ${SHA3_RSA_CERT} x509ca +done # Put a copy in the ikev2/rw-eap-tls-sha3-rsa scenario TEST="${TEST_DIR}/ikev2/rw-eap-tls-sha3-rsa" @@ -1519,18 +1525,21 @@ pki --issue --cakey ${ED25519_KEY} --cacert ${ED25519_CERT} --type ed25519 \ --crl ${ED25519_CDP} --outform pem > ${MOON_CERT} cp ${MOON_CERT} ${ED25519_DIR}/certs/${SERIAL}.pem -# Put a copy in the botan/net2net-ed25519 scenario -TEST="${TEST_DIR}/botan/net2net-ed25519" -cd ${TEST}/hosts/moon/${SWANCTL_DIR} -mkdir -p pkcs8 x509 x509ca -cp ${MOON_KEY} pkcs8 -cp ${MOON_CERT} x509 -cp ${ED25519_CERT} x509ca -cd ${TEST}/hosts/sun/${SWANCTL_DIR} -mkdir -p pkcs8 x509 x509ca -cp ${SUN_KEY} pkcs8 -cp ${SUN_CERT} x509 -cp ${ED25519_CERT} x509ca +# Put a copy in the botan and wolfssl net2net-ed25519 scenarios +for d in botan wolfssl +do + TEST="${TEST_DIR}/${d}/net2net-ed25519" + cd ${TEST}/hosts/moon/${SWANCTL_DIR} + mkdir -p pkcs8 x509 x509ca + cp ${MOON_KEY} pkcs8 + cp ${MOON_CERT} x509 + cp ${ED25519_CERT} x509ca + cd ${TEST}/hosts/sun/${SWANCTL_DIR} + mkdir -p pkcs8 x509 x509ca + cp ${SUN_KEY} pkcs8 + cp ${SUN_CERT} x509 + cp ${ED25519_CERT} x509ca +done # Put a copy in the ikev2/rw-ed25519-certpol scenario TEST="${TEST_DIR}/ikev2/rw-ed25519-certpol" diff --git a/testing/scripts/recipes/012_wolfssl.mk b/testing/scripts/recipes/012_wolfssl.mk new file mode 100644 index 0000000000..ca7f02f198 --- /dev/null +++ b/testing/scripts/recipes/012_wolfssl.mk @@ -0,0 +1,56 @@ +#!/usr/bin/make + +PKG = wolfssl +REV = 4.7.1r +DIR = $(PKG)-$(REV) +TAR = v$(REV).tar.gz +SRC = https://github.com/wolfSSL/$(PKG)/archive/refs/tags/$(TAR) + +NUM_CPUS := $(shell getconf _NPROCESSORS_ONLN) + +CFLAGS = \ + -DWOLFSSL_PUBLIC_MP \ + -DWOLFSSL_DES_ECB \ + -DHAVE_AES_ECB \ + -DHAVE_ECC_BRAINPOOL \ + -DWOLFSSL_MIN_AUTH_TAG_SZ=8 \ + -DHAVE_EX_DATA + +CONFIG_OPTS = \ + --disable-crypttests \ + --disable-examples \ + --enable-silent-rules \ + --enable-aesccm \ + --enable-aesctr \ + --enable-ecccustcurves \ + --enable-curve25519 \ + --enable-ed25519 \ + --enable-curve448 \ + --enable-ed448 \ + --enable-rsapss \ + --enable-des3 \ + --enable-sha3 \ + --enable-shake256 \ + --enable-md4 \ + --enable-camellia \ + --enable-keygen \ + --enable-certgen \ + --enable-certreq \ + --enable-certext \ + --enable-sessioncerts + +all: install + +$(TAR): + wget $(SRC) + +.$(PKG)-unpacked-$(REV): $(TAR) + [ -d $(DIR) ] || tar xf $(TAR) + @touch $@ + +.$(PKG)-built-$(REV): .$(PKG)-unpacked-$(REV) + cd $(DIR) && ./autogen.sh && ./configure C_FLAGS="$(CFLAGS)" $(CONFIG_OPTS) && make -j $(NUM_CPUS) + @rm -f .$(PKG)-built-* && touch $@ + +install: .$(PKG)-built-$(REV) + cd $(DIR) && make install && ldconfig diff --git a/testing/scripts/recipes/013_strongswan.mk b/testing/scripts/recipes/013_strongswan.mk index efd0b1c3cf..b4c7d3629d 100644 --- a/testing/scripts/recipes/013_strongswan.mk +++ b/testing/scripts/recipes/013_strongswan.mk @@ -107,7 +107,8 @@ CONFIG_OPTS = \ --enable-systemd \ --enable-counters \ --enable-save-keys \ - --enable-python-eggs + --enable-python-eggs \ + --enable-wolfssl export ADA_PROJECT_PATH=/usr/local/ada/lib/gnat diff --git a/testing/tests/wolfssl/.gitignore b/testing/tests/wolfssl/.gitignore new file mode 100644 index 0000000000..c67f9a2786 --- /dev/null +++ b/testing/tests/wolfssl/.gitignore @@ -0,0 +1,2 @@ +*.pem +*.p12 diff --git a/testing/tests/wolfssl/net2net-ed25519/description.txt b/testing/tests/wolfssl/net2net-ed25519/description.txt new file mode 100755 index 0000000000..f50109769b --- /dev/null +++ b/testing/tests/wolfssl/net2net-ed25519/description.txt @@ -0,0 +1,10 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates containing Ed25519 keys. +moon uses the wolfssl plugin based on the wolfCrypt library for all +cryptographical functions whereas sun uses the default strongSwan +cryptographical plugins. +

+Upon the successful establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/wolfssl/net2net-ed25519/evaltest.dat b/testing/tests/wolfssl/net2net-ed25519/evaltest.dat new file mode 100755 index 0000000000..ebbb8ae753 --- /dev/null +++ b/testing/tests/wolfssl/net2net-ed25519/evaltest.dat @@ -0,0 +1,7 @@ +moon::cat /var/log/daemon.log::authentication of.*sun.strongswan.org.*with ED25519 successful::YES +sun:: cat /var/log/daemon.log::authentication of.*moon.strongswan.org.*with ED25519 successful::YES +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/wolfssl/net2net-ed25519/hosts/moon/etc/strongswan.conf b/testing/tests/wolfssl/net2net-ed25519/hosts/moon/etc/strongswan.conf new file mode 100755 index 0000000000..b32eaf53a6 --- /dev/null +++ b/testing/tests/wolfssl/net2net-ed25519/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = random pem wolfssl pkcs1 pkcs8 x509 revocation constraints +} + +charon-systemd { + load = random nonce pem wolfssl pkcs1 pkcs8 x509 revocation curl kernel-netlink socket-default updown vici + syslog { + daemon { + lib = 2 + } + } +} diff --git a/testing/tests/wolfssl/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..bcc2742f78 --- /dev/null +++ b/testing/tests/wolfssl/net2net-ed25519/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/wolfssl/net2net-ed25519/hosts/sun/etc/strongswan.conf b/testing/tests/wolfssl/net2net-ed25519/hosts/sun/etc/strongswan.conf new file mode 100755 index 0000000000..a35aea01cc --- /dev/null +++ b/testing/tests/wolfssl/net2net-ed25519/hosts/sun/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 pkcs8 curve25519 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce aes sha1 sha2 hmac pem pkcs1 pkcs8 x509 revocation curve25519 curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/wolfssl/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..12cee0fc6d --- /dev/null +++ b/testing/tests/wolfssl/net2net-ed25519/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/wolfssl/net2net-ed25519/posttest.dat b/testing/tests/wolfssl/net2net-ed25519/posttest.dat new file mode 100755 index 0000000000..321fd34e2b --- /dev/null +++ b/testing/tests/wolfssl/net2net-ed25519/posttest.dat @@ -0,0 +1,7 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan +sun::systemctl stop strongswan +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush +moon::rm /etc/swanctl/pkcs8/* +sun::rm /etc/swanctl/pkcs8/* diff --git a/testing/tests/wolfssl/net2net-ed25519/pretest.dat b/testing/tests/wolfssl/net2net-ed25519/pretest.dat new file mode 100755 index 0000000000..1ab4f5f459 --- /dev/null +++ b/testing/tests/wolfssl/net2net-ed25519/pretest.dat @@ -0,0 +1,9 @@ +moon::rm /etc/swanctl/rsa/moonKey.pem +sun::rm /etc/swanctl/rsa/sunKey.pem +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan +sun::systemctl start strongswan +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/wolfssl/net2net-ed25519/test.conf b/testing/tests/wolfssl/net2net-ed25519/test.conf new file mode 100755 index 0000000000..07a3b247a1 --- /dev/null +++ b/testing/tests/wolfssl/net2net-ed25519/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/description.txt b/testing/tests/wolfssl/net2net-sha3-rsa-cert/description.txt new file mode 100755 index 0000000000..2db82a9413 --- /dev/null +++ b/testing/tests/wolfssl/net2net-sha3-rsa-cert/description.txt @@ -0,0 +1,8 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates with signatures consisting of +RSA-encrypted SHA-3 hashes. +

+Upon the successful establishment of the IPsec tunnel, the updown script automatically +inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, client alice behind gateway moon +pings client bob located behind gateway sun. diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/evaltest.dat b/testing/tests/wolfssl/net2net-sha3-rsa-cert/evaltest.dat new file mode 100755 index 0000000000..4c56d5299b --- /dev/null +++ b/testing/tests/wolfssl/net2net-sha3-rsa-cert/evaltest.dat @@ -0,0 +1,5 @@ +moon::swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[10.2.0.0/16]::YES +sun:: swanctl --list-sas --raw 2> /dev/null::gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net-net.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/16] remote-ts=\[10.1.0.0/16]::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_.eq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf b/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf new file mode 100755 index 0000000000..c18b002fd2 --- /dev/null +++ b/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem wolfssl pkcs1 x509 revocation constraints pubkeyrandom +} + +charon-systemd { + load = random nonce pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..bcc2742f78 --- /dev/null +++ b/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.1 + remote_addrs = 192.168.0.2 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + id = sun.strongswan.org + } + children { + net-net { + local_ts = 10.1.0.0/16 + remote_ts = 10.2.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf b/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf new file mode 100755 index 0000000000..ea977a3916 --- /dev/null +++ b/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/sun/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem wolfssl pkcs1 x509 revocation constraints pubkey random +} + +charon-systemd { + load = random nonce pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici +} diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..12cee0fc6d --- /dev/null +++ b/testing/tests/wolfssl/net2net-sha3-rsa-cert/hosts/sun/etc/swanctl/swanctl.conf @@ -0,0 +1,33 @@ +connections { + + gw-gw { + local_addrs = 192.168.0.2 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = sunCert.pem + id = sun.strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + net-net { + local_ts = 10.2.0.0/16 + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + rekey_time = 5400 + rekey_bytes = 500000000 + rekey_packets = 1000000 + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + mobike = no + reauth_time = 10800 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/posttest.dat b/testing/tests/wolfssl/net2net-sha3-rsa-cert/posttest.dat new file mode 100755 index 0000000000..cc6a5bff73 --- /dev/null +++ b/testing/tests/wolfssl/net2net-sha3-rsa-cert/posttest.dat @@ -0,0 +1,5 @@ +moon::swanctl --terminate --ike gw-gw 2> /dev/null +moon::systemctl stop strongswan +sun::systemctl stop strongswan +moon::iptables-restore < /etc/iptables.flush +sun::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/pretest.dat b/testing/tests/wolfssl/net2net-sha3-rsa-cert/pretest.dat new file mode 100755 index 0000000000..2d3c8c1e20 --- /dev/null +++ b/testing/tests/wolfssl/net2net-sha3-rsa-cert/pretest.dat @@ -0,0 +1,7 @@ +moon::iptables-restore < /etc/iptables.rules +sun::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan +sun::systemctl start strongswan +moon::expect-connection gw-gw +sun::expect-connection gw-gw +moon::swanctl --initiate --child net-net 2> /dev/null diff --git a/testing/tests/wolfssl/net2net-sha3-rsa-cert/test.conf b/testing/tests/wolfssl/net2net-sha3-rsa-cert/test.conf new file mode 100755 index 0000000000..07a3b247a1 --- /dev/null +++ b/testing/tests/wolfssl/net2net-sha3-rsa-cert/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/wolfssl/rw-cert/description.txt b/testing/tests/wolfssl/rw-cert/description.txt new file mode 100755 index 0000000000..9006bcb513 --- /dev/null +++ b/testing/tests/wolfssl/rw-cert/description.txt @@ -0,0 +1,10 @@ +The roadwarrior carol and the gateway moon use the wolfssl +plugin based on the wolfSSL library for all cryptographical functions whereas +roadwarrior dave uses the default strongSwan cryptographical +plugins. The authentication is based on X.509 certificates and the key exchange +on x25519. +

+Upon the successful establishment of the IPsec tunnels, the updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. diff --git a/testing/tests/wolfssl/rw-cert/evaltest.dat b/testing/tests/wolfssl/rw-cert/evaltest.dat new file mode 100755 index 0000000000..8a8a95f7ec --- /dev/null +++ b/testing/tests/wolfssl/rw-cert/evaltest.dat @@ -0,0 +1,10 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/wolfssl/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/wolfssl/rw-cert/hosts/carol/etc/strongswan.conf new file mode 100755 index 0000000000..eccb2d37ab --- /dev/null +++ b/testing/tests/wolfssl/rw-cert/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem wolfssl x509 revocation constraints pkcs1 pubkey +} + +charon-systemd { + load = nonce pem wolfssl x509 revocation constraints pkcs1 pubkey curl kernel-netlink socket-default updown vici + + rsa_pss = yes +} diff --git a/testing/tests/wolfssl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..c9ffac8485 --- /dev/null +++ b/testing/tests/wolfssl/rw-cert/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} + +secrets { + + rsa-carol { + file = carolKey.pem + secret = "nH5ZQEWtku0RJEZ6" + } +} diff --git a/testing/tests/wolfssl/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/wolfssl/rw-cert/hosts/dave/etc/strongswan.conf new file mode 100755 index 0000000000..f4441217cf --- /dev/null +++ b/testing/tests/wolfssl/rw-cert/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pkcs1 pem openssl x509 revocation constraints +} + +charon-systemd { + load = random nonce sha1 sha2 sha3 aes curve25519 hmac mgf1 pem pkcs1 x509 revocation constraints gmp curl kernel-netlink socket-default updown vici + + rsa_pss = yes +} diff --git a/testing/tests/wolfssl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..7fcdea8349 --- /dev/null +++ b/testing/tests/wolfssl/rw-cert/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/wolfssl/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/wolfssl/rw-cert/hosts/moon/etc/strongswan.conf new file mode 100755 index 0000000000..d88319dee6 --- /dev/null +++ b/testing/tests/wolfssl/rw-cert/hosts/moon/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem wolfssl x509 revocation constraints pkcs1 pubkey +} + +charon-systemd { + load = nonce test-vectors pem wolfssl x509 revocation constraints pkcs1 pubkey curl kernel-netlink socket-default updown vici + + rsa_pss = yes + integrity_test = yes + crypto_test { + on_add = yes + } +} diff --git a/testing/tests/wolfssl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..4ba02ad6c6 --- /dev/null +++ b/testing/tests/wolfssl/rw-cert/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-x25519 + } + } + version = 2 + proposals = aes128-sha256-x25519 + } +} diff --git a/testing/tests/wolfssl/rw-cert/posttest.dat b/testing/tests/wolfssl/rw-cert/posttest.dat new file mode 100755 index 0000000000..eb21008563 --- /dev/null +++ b/testing/tests/wolfssl/rw-cert/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/wolfssl/rw-cert/pretest.dat b/testing/tests/wolfssl/rw-cert/pretest.dat new file mode 100755 index 0000000000..3d37a86e52 --- /dev/null +++ b/testing/tests/wolfssl/rw-cert/pretest.dat @@ -0,0 +1,11 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/wolfssl/rw-cert/test.conf b/testing/tests/wolfssl/rw-cert/test.conf new file mode 100755 index 0000000000..1227b9d1c0 --- /dev/null +++ b/testing/tests/wolfssl/rw-cert/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/wolfssl/rw-ecp256/description.txt b/testing/tests/wolfssl/rw-ecp256/description.txt new file mode 100755 index 0000000000..84656caf8f --- /dev/null +++ b/testing/tests/wolfssl/rw-ecp256/description.txt @@ -0,0 +1,9 @@ +The roadwarrior carol and the gateway moon use the wolfssl +plugin based on the wolfCrypt library for all cryptographical functions whereas +roadwarrior dave uses the openssl plugin. The authentication is based +on X.509 certificates and the key exchange on ecp256. +

+Upon the successful establishment of the IPsec tunnels, the updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. diff --git a/testing/tests/wolfssl/rw-ecp256/evaltest.dat b/testing/tests/wolfssl/rw-ecp256/evaltest.dat new file mode 100755 index 0000000000..dc67b2d20b --- /dev/null +++ b/testing/tests/wolfssl/rw-ecp256/evaltest.dat @@ -0,0 +1,10 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/wolfssl/rw-ecp256/hosts/carol/etc/strongswan.conf b/testing/tests/wolfssl/rw-ecp256/hosts/carol/etc/strongswan.conf new file mode 100755 index 0000000000..72624afbf1 --- /dev/null +++ b/testing/tests/wolfssl/rw-ecp256/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem wolfssl pkcs1 x509 revocation constraints pubkey +} + +charon-systemd { + load = nonce pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici + + rsa_pss = yes +} diff --git a/testing/tests/wolfssl/rw-ecp256/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-ecp256/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..a50497eed9 --- /dev/null +++ b/testing/tests/wolfssl/rw-ecp256/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} + +secrets { + + rsa-carol { + file = carolKey.pem + secret = "nH5ZQEWtku0RJEZ6" + } +} diff --git a/testing/tests/wolfssl/rw-ecp256/hosts/dave/etc/strongswan.conf b/testing/tests/wolfssl/rw-ecp256/hosts/dave/etc/strongswan.conf new file mode 100755 index 0000000000..3ee76327ce --- /dev/null +++ b/testing/tests/wolfssl/rw-ecp256/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = nonce openssl pem revocation constraints pubkey curl kernel-netlink socket-default updown vici + + rsa_pss = yes +} diff --git a/testing/tests/wolfssl/rw-ecp256/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-ecp256/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..66c6cd1c9f --- /dev/null +++ b/testing/tests/wolfssl/rw-ecp256/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/wolfssl/rw-ecp256/hosts/moon/etc/strongswan.conf b/testing/tests/wolfssl/rw-ecp256/hosts/moon/etc/strongswan.conf new file mode 100755 index 0000000000..87af233ea7 --- /dev/null +++ b/testing/tests/wolfssl/rw-ecp256/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem wolfssl pkcs1 x509 revocation constraints pubkey +} + +charon-systemd { + load = nonce test-vectors pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici + + rsa_pss = yes +} diff --git a/testing/tests/wolfssl/rw-ecp256/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-ecp256/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..240cccf443 --- /dev/null +++ b/testing/tests/wolfssl/rw-ecp256/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-ecp256 + } + } + version = 2 + proposals = aes128-sha256-ecp256 + } +} diff --git a/testing/tests/wolfssl/rw-ecp256/posttest.dat b/testing/tests/wolfssl/rw-ecp256/posttest.dat new file mode 100755 index 0000000000..eb21008563 --- /dev/null +++ b/testing/tests/wolfssl/rw-ecp256/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/wolfssl/rw-ecp256/pretest.dat b/testing/tests/wolfssl/rw-ecp256/pretest.dat new file mode 100755 index 0000000000..3d37a86e52 --- /dev/null +++ b/testing/tests/wolfssl/rw-ecp256/pretest.dat @@ -0,0 +1,11 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/wolfssl/rw-ecp256/test.conf b/testing/tests/wolfssl/rw-ecp256/test.conf new file mode 100755 index 0000000000..1227b9d1c0 --- /dev/null +++ b/testing/tests/wolfssl/rw-ecp256/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1 diff --git a/testing/tests/wolfssl/rw-modp3072/description.txt b/testing/tests/wolfssl/rw-modp3072/description.txt new file mode 100755 index 0000000000..a847d2652d --- /dev/null +++ b/testing/tests/wolfssl/rw-modp3072/description.txt @@ -0,0 +1,10 @@ +The roadwarrior carol and the gateway moon use the wolfssl +plugin based on the wolfCrypt library for all cryptographical functions whereas +roadwarrior dave uses the default strongSwan cryptographical +plugins. The authentication is based on X.509 certificates and the key exchange +on modp3072. +

+Upon the successful establishment of the IPsec tunnels, the updown script +automatically inserts iptables-based firewall rules that let pass the tunneled traffic. +In order to test both tunnel and firewall, both carol and dave ping +the client alice behind the gateway moon. diff --git a/testing/tests/wolfssl/rw-modp3072/evaltest.dat b/testing/tests/wolfssl/rw-modp3072/evaltest.dat new file mode 100755 index 0000000000..51bf8c1ba0 --- /dev/null +++ b/testing/tests/wolfssl/rw-modp3072/evaltest.dat @@ -0,0 +1,10 @@ +carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES +dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES +moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES +moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES +alice::ping -c 1 192.168.0.100::64 bytes from 192.168.0.100: icmp_.eq=1::YES +alice::ping -c 1 192.168.0.200::64 bytes from 192.168.0.200: icmp_.eq=1::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/wolfssl/rw-modp3072/hosts/carol/etc/strongswan.conf b/testing/tests/wolfssl/rw-modp3072/hosts/carol/etc/strongswan.conf new file mode 100755 index 0000000000..72624afbf1 --- /dev/null +++ b/testing/tests/wolfssl/rw-modp3072/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem wolfssl pkcs1 x509 revocation constraints pubkey +} + +charon-systemd { + load = nonce pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici + + rsa_pss = yes +} diff --git a/testing/tests/wolfssl/rw-modp3072/hosts/carol/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-modp3072/hosts/carol/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..8485bc3fb7 --- /dev/null +++ b/testing/tests/wolfssl/rw-modp3072/hosts/carol/etc/swanctl/swanctl.conf @@ -0,0 +1,35 @@ +connections { + + home { + local_addrs = 192.168.0.100 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = carolCert.pem + id = carol@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} + +secrets { + + rsa-carol { + file = carolKey.pem + secret = "nH5ZQEWtku0RJEZ6" + } +} diff --git a/testing/tests/wolfssl/rw-modp3072/hosts/dave/etc/strongswan.conf b/testing/tests/wolfssl/rw-modp3072/hosts/dave/etc/strongswan.conf new file mode 100755 index 0000000000..b682bc054a --- /dev/null +++ b/testing/tests/wolfssl/rw-modp3072/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem pkcs1 x509 revocation constraints pubkey openssl random +} + +charon-systemd { + load = random nonce sha1 sha2 aes hmac mgf1 pem pkcs1 x509 revocation constraints pubkey gmp curl kernel-netlink socket-default updown vici + + rsa_pss = yes +} diff --git a/testing/tests/wolfssl/rw-modp3072/hosts/dave/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-modp3072/hosts/dave/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..27c6f12ba8 --- /dev/null +++ b/testing/tests/wolfssl/rw-modp3072/hosts/dave/etc/swanctl/swanctl.conf @@ -0,0 +1,27 @@ +connections { + + home { + local_addrs = 192.168.0.200 + remote_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = daveCert.pem + id = dave@strongswan.org + } + remote { + auth = pubkey + id = moon.strongswan.org + } + children { + home { + remote_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/wolfssl/rw-modp3072/hosts/moon/etc/strongswan.conf b/testing/tests/wolfssl/rw-modp3072/hosts/moon/etc/strongswan.conf new file mode 100755 index 0000000000..87af233ea7 --- /dev/null +++ b/testing/tests/wolfssl/rw-modp3072/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +swanctl { + load = pem wolfssl pkcs1 x509 revocation constraints pubkey +} + +charon-systemd { + load = nonce test-vectors pem wolfssl pkcs1 x509 revocation constraints pubkey curl kernel-netlink socket-default updown vici + + rsa_pss = yes +} diff --git a/testing/tests/wolfssl/rw-modp3072/hosts/moon/etc/swanctl/swanctl.conf b/testing/tests/wolfssl/rw-modp3072/hosts/moon/etc/swanctl/swanctl.conf new file mode 100755 index 0000000000..75c21c663a --- /dev/null +++ b/testing/tests/wolfssl/rw-modp3072/hosts/moon/etc/swanctl/swanctl.conf @@ -0,0 +1,25 @@ +connections { + + rw { + local_addrs = 192.168.0.1 + + local { + auth = pubkey + certs = moonCert.pem + id = moon.strongswan.org + } + remote { + auth = pubkey + } + children { + net { + local_ts = 10.1.0.0/16 + + updown = /usr/local/libexec/ipsec/_updown iptables + esp_proposals = aes128gcm128-modp3072 + } + } + version = 2 + proposals = aes128-sha256-modp3072 + } +} diff --git a/testing/tests/wolfssl/rw-modp3072/posttest.dat b/testing/tests/wolfssl/rw-modp3072/posttest.dat new file mode 100755 index 0000000000..eb21008563 --- /dev/null +++ b/testing/tests/wolfssl/rw-modp3072/posttest.dat @@ -0,0 +1,8 @@ +carol::swanctl --terminate --ike home +dave::swanctl --terminate --ike home +carol::systemctl stop strongswan +dave::systemctl stop strongswan +moon::systemctl stop strongswan +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/wolfssl/rw-modp3072/pretest.dat b/testing/tests/wolfssl/rw-modp3072/pretest.dat new file mode 100755 index 0000000000..3d37a86e52 --- /dev/null +++ b/testing/tests/wolfssl/rw-modp3072/pretest.dat @@ -0,0 +1,11 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +moon::systemctl start strongswan +carol::systemctl start strongswan +dave::systemctl start strongswan +moon::expect-connection rw +carol::expect-connection home +carol::swanctl --initiate --child home 2> /dev/null +dave::expect-connection home +dave::swanctl --initiate --child home 2> /dev/null diff --git a/testing/tests/wolfssl/rw-modp3072/test.conf b/testing/tests/wolfssl/rw-modp3072/test.conf new file mode 100755 index 0000000000..1227b9d1c0 --- /dev/null +++ b/testing/tests/wolfssl/rw-modp3072/test.conf @@ -0,0 +1,25 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# charon controlled by swanctl +# +SWANCTL=1