From 20c47af319c014aa1ebedbe14b278f8e3f859e21 Mon Sep 17 00:00:00 2001
From: Andreas Steffen
Date: Sun, 21 Feb 2021 09:48:34 +0100
Subject: [PATCH] testing: Use TLS 1.3 in TNC PT-TLS tests
---
 testing/tests/tnc/tnccs-20-ev-pt-tls/description.txt | 2 +-
 .../tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf | 4 +++-
 .../tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/strongswan.conf | 4 +++-
 .../tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/strongswan.conf | 4 +++-
 testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt | 2 +-
 .../tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf | 4 +++-
 .../tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf | 4 +++-
 testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt | 2 +-
 .../tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf | 3 ++-
 .../tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf | 3 ++-
 .../tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf | 3 ++-
 11 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-ev-pt-tls/description.txt
index a4d9b4cf40..730d0781bf 100644
--- a/testing/tests/tnc/tnccs-20-ev-pt-tls/description.txt
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/description.txt
@@ -1,7 +1,7 @@
 The PT-TLS (RFC 6876) clients carol and dave set up a connection each to the policy decision point (PDP) alice. Endpoint carol uses password-based SASL PLAIN client authentication during the PT-TLS negotiation phase whereas endpoint dave uses certificate-based TLS client authentication
-during the TLS setup phase.
+during the TLS setup phase. In both connections TLS 1.3 is used.

During the ensuing PT-TLS data transport phase the OS and SWIMA IMC/IMV pairs loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf
index 04d7dbacc7..51ae13e3de 100644
--- a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/strongswan.conf
@@ -24,7 +24,9 @@ charon-systemd {
 }
 libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
+ ke_group = curve25519, curve448
+ version_max = 1.3
 }
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/strongswan.conf
index 87c3745a31..389a68a575 100644
--- a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
+ ke_group = curve25519, curve448
+ version_max = 1.3
 }
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/strongswan.conf
index 93cbb7101b..d91c3837fa 100644
--- a/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/dave/etc/strongswan.conf
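Review bot: The `version_max = 1.3` added to the alice libtls block only caps the protocol version; the minimum is left at the library default, so the description's claim that TLS 1.3 is used rests only on the listed suites being TLS 1.3-only names. Pinning the lower bound too, `version_min = 1.3` next to `version_max = 1.3`, states the fixture's intent directly and makes a handshake at a lower version fail for the declared reason rather than for lack of a common suite. The same applies to the carol and dave hunks of tnccs-20-ev-pt-tls, the moon and sun hunks of tnccs-20-mutual-pt-tls and the alice, carol and dave hunks of tnccs-20-pdp-pt-tls. Whether the tests' expected output also checks the negotiated version is not visible in this patch. The surrounding libtls blocks begin and end inside the hunks, but the enclosing files continue outside them.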
@@ -12,7 +12,9 @@ libimcv {
 }
 libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
+ ke_group = curve25519, curve448
+ version_max = 1.3
 }
 pt-tls-client {
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt
index 09ab8e9f17..dba6fc5e58 100644
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/description.txt
@@ -1,3 +1,3 @@
 The hosts moon and sun do mutual TNC measurements using the PA-TNC, PB-TNC and PT-TLS protocols. The authentication is based on
-X.509 certificates.
+X.509 certificates and transport on TLS 1.3.
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
index a476878ac3..f0291d5d59 100644
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/moon/etc/strongswan.conf
@@ -5,7 +5,9 @@ pt-tls-client {
 }
 libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256
+ ke_group = curve25519
 }
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
index b596dbc1bf..d7e33f52e6 100644
--- a/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-mutual-pt-tls/hosts/sun/etc/strongswan.conf
@@ -24,7 +24,9 @@ charon-systemd {
 }
 libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256
+ ke_group = curve25519
 }
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt
index 90e85485cb..9da98de2a9 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt
@@ -1,7 +1,7 @@
 The PT-TLS (RFC 6876) clients carol and dave set up a connection each to the policy decision point (PDP) alice. Endpoint carol uses password-based SASL PLAIN client authentication during the PT-TLS negotiation phase whereas endpoint dave uses certificate-based TLS client authentication
-during the TLS setup phase.
+during the TLS setup phase. In both connections TLS 1.3 is used.

During the ensuing PT-TLS data transport phase the OS and SWIMA IMC/IMV pairs loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
index 04d7dbacc7..df8750c5a1 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
@@ -24,7 +24,8 @@ charon-systemd {
 }
 libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
 }
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf
index 5aad089057..c9bc663ffa 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,8 @@
 # /etc/strongswan.conf - strongSwan configuration file
 libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
 }
 libimcv {
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf
index cf08b969d4..408c35091a 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf
@@ -19,7 +19,8 @@ libimcv {
 }
 libtls {
- suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+ version_max = 1.3
+ suites = TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
 }
 pt-tls-client {
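Review bot: The three tnccs-20-pdp-pt-tls libtls blocks (alice, carol and dave) set `version_max = 1.3` and TLS 1.3 suites but, unlike the ev and mutual fixtures in this same patch, do not pin `ke_group`, so the key-exchange group for these hosts is whatever the library default is. If that difference is intentional, a one-line comment in the fixture saying so would stop the next reader from "fixing" it; otherwise adding `ke_group = curve25519, curve448` to the three blocks keeps the PT-TLS fixtures consistent with each other. Ordering is also mixed across the patch, with `version_max` placed last in the ev hunks and first here and in the mutual hunks; one order throughout would make the blocks easier to compare.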