Andreas Steffen
2aa2b17d41
testing: swanctl/rw-pubkey-anon uses anonymous public keys in remote access scenario
2016-01-09 07:23:30 +01:00
Andreas Steffen
b83cef2412
testing: added swanctl scenarios net2net-pubkey, rw-pubkey-keyid and rw-dnssec
2016-01-09 07:23:30 +01:00
Andreas Steffen
bffbf2f5fd
testing: Fixed description of swanctl/frags-iv4 scenario
2016-01-09 00:17:31 +01:00
Andreas Steffen
9db530493f
testing: Change sql scenarios to swanctl
2016-01-03 06:28:48 +01:00
Tobias Brunner
1a79525559
testing: Fix some IKEv1 scenarios after listing DH groups for CHILD_SAs
2015-12-21 12:14:12 +01:00
Andreas Steffen
490ba67682
testing: Fixed description in swanctl/rw-ntru-bliss scenario
2015-12-18 15:24:59 +01:00
Andreas Steffen
9463350943
testing: swanctl is enabled by default
2015-12-18 15:22:29 +01:00
Andreas Steffen
76cbf1df34
testing: Added swanctl/rw-ntru-bliss scenario
2015-12-17 17:49:48 +01:00
Andreas Steffen
5e2b740a00
128 bit default security strength requires 3072 bit prime DH group
2015-12-14 10:39:40 +01:00
Andreas Steffen
36b6d400d2
testing: swanctl/rw-cert scenario tests password-protected RSA key
2015-12-12 17:12:44 +01:00
Andreas Steffen
4f7f2538c4
Upgraded IKE and ESP proposals in swanctl scenarios to consistent 128 bit security
2015-12-12 15:54:48 +01:00
Andreas Steffen
fad851e2d3
Use VICI 2.0 protocol version for certificate queries
2015-12-11 18:26:54 +01:00
Andreas Steffen
6789d79d46
testing: Added swanctl --list-algs output
2015-12-11 18:26:54 +01:00
Andreas Steffen
6aa7703122
testing: Converted tnc scenarios to swanctl
2015-12-11 18:26:54 +01:00
Tobias Brunner
74270c8c86
vici: Don't report memory usage via leak-detective
This slowed down the `swanctl --stats` calls in the test scenarios
significantly, with not much added value.
2015-12-11 18:26:53 +01:00
Tobias Brunner
ae37090e65
testing: Use expect-connection in swanctl scenarios
Only in net2net-start do we have to use `sleep` to ensure the SA is
up when the tests are running.
2015-12-11 18:26:53 +01:00
Tobias Brunner
b77e25c381
testing: The expect-connection helper may use swanctl to check for connections
Depending on the plugin configuration in the test scenario either
`ipsec statusall` or `swanctl --list-conns` is used to check for a named
connection.
2015-12-11 18:26:53 +01:00
Andreas Steffen
cbc43f1b43
testing: Some more timing fixes
2015-12-01 14:51:23 +01:00
Andreas Steffen
dddb32329c
testing: Updated expired mars.strongswan.org certificate
2015-11-26 09:55:28 +01:00
Andreas Steffen
1c1f713431
testing: Error messages of curl plugin have changed
2015-11-13 14:02:45 +01:00
Andreas Steffen
c4b9b7ef2c
testing: Fixed another timing issue
2015-11-13 14:02:06 +01:00
Andreas Steffen
019c7c2310
testing: Check for leases in swanctl/ip-pool scenario
2015-11-11 08:43:43 +01:00
Andreas Steffen
946bc3a3f5
testing: Fixed some more timing issues
2015-11-10 16:54:38 +01:00
Tobias Brunner
10051b01e9
testing: Reduce runtime of all tests that use SQLite databases by storing them in ramfs
2015-11-09 15:18:39 +01:00
Tobias Brunner
3102da20a7
testing: tnc/tnccs-20-hcd-eap scenario does not use SWID IMV/strongTNC
2015-11-09 15:18:38 +01:00
Tobias Brunner
e873cb5a28
testing: Add test config to create and remove a directory for DBs stored in ramfs
2015-11-09 15:18:38 +01:00
Tobias Brunner
10fa70ee5c
testing: Improve runtime of TNC tests by storing the SQLite DB in ramfs
This saves about 50%-70% of the time needed for scenarios that use a DB.
2015-11-09 15:18:38 +01:00
Tobias Brunner
f24ec20ebb
testing: Fix test constraints in ikev2/rw-ntru-bliss scenario
Changed with a88d958933ef ("Explicitly mention SHA2 algorithm in BLISS
OIDs and signature schemes").
2015-11-09 15:18:38 +01:00
Andreas Steffen
529357f09a
testing: Use sha3 plugin in ikev2/rw-cert scenario
2015-11-09 15:18:38 +01:00
Tobias Brunner
bcad0f761f
testing: Report the actual strongSwan and kernel versions
2015-11-09 15:18:37 +01:00
Tobias Brunner
5a919312b3
testing: Record strongSwan version when building from tarball
2015-11-09 15:18:37 +01:00
Tobias Brunner
aee35392d1
testing: Record strongSwan version when building from source tree
2015-11-09 15:18:37 +01:00
Tobias Brunner
d4908c06c1
testing: Report time required for all scenarios on test overview page
2015-11-09 15:18:37 +01:00
Tobias Brunner
f7234e5e9f
testing: Remove old SWID tags when building from repository
This fixes the TNC-PDP scenarios.
2015-11-09 15:18:36 +01:00
Tobias Brunner
e22a663129
testing: Don't log anything to the console if auth.log or daemon.log do not exist
2015-11-09 15:18:36 +01:00
Tobias Brunner
12f08e07e1
testing: Simplify fetching of swanctl --list-* output
2015-11-09 15:18:36 +01:00
Tobias Brunner
bde9fb6fa1
testing: Don't run redundant crypto tests in sql/rw-cert scenario
They run in all other rw-cert scenarios but in the SQL version there is
no change in the loaded crypto plugins.
2015-11-09 15:18:36 +01:00
Tobias Brunner
1091b3a636
testing: Fix CRL URIs in ipv6/net2net-ip4-in-ip6-ikev* scenarios
2015-11-09 15:18:36 +01:00
Tobias Brunner
bb66b4d56b
testing: Speed up OCSP scenarios
Don't make clients wait for the TCP connections to time out by dropping
packets. By rejecting them the OCSP requests fail immediately.
2015-11-09 15:18:35 +01:00
Tobias Brunner
0ee4a333a8
testing: Speed up ifdown calls in ikev2/mobike scenarios
ifdown calls bind's rndc, which tries to access TCP port 953 on lo.
If these packets are dropped by the firewall we have to wait for the TCP
connections to time out, which takes quite a while.
2015-11-09 15:18:35 +01:00
Tobias Brunner
cbaafa03c7
testing: Avoid delays with ping by using -W and -i options
With -W we reduce timeouts when we don't expect a response. With -i the
interval between pings is reduced (mostly in case of auto=route where
the first ping yields no reply).
2015-11-09 15:18:35 +01:00
Tobias Brunner
f519acd42f
testing: Remove nearly all sleep calls from pretest and posttest scripts
By consistently using the `expect-connection` helper we can avoid pretty
much all previously needed calls to sleep.
2015-11-09 15:18:35 +01:00
Tobias Brunner
f36b6d49af
testing: Adapt tests to retransmission settings and reduce DPD delay/timeout
2015-11-09 15:18:34 +01:00
Tobias Brunner
8713e32435
testing: Only send two retransmits after 1 second each to fail negative tests earlier
2015-11-09 15:18:34 +01:00
Tobias Brunner
9a0871ab94
testing: Add a base strongswan.conf file used by all hosts in all scenarios
We will use this to set some defaults (e.g. timeouts to make testing
negative tests quicker). We don't want these settings to show up in the
configs of the actual scenarios though.
2015-11-09 15:18:34 +01:00
Tobias Brunner
17816515d2
testing: Add libipsec/net2net-null scenario
2015-11-09 11:09:48 +01:00
Andreas Steffen
a98360a64c
testing: BLISS CA uses SHA-3 in its CRL
2015-11-03 21:35:09 +01:00
Tobias Brunner
92ef3c2f21
testing: Update tkm to version 0.1.3
Adds XFRM state/policy flush when terminating which caused tests to fail
due to the check added with 9086f060d35a ("testing: Let test scenarios
fail if IPsec SAs or policies are not removed").
2015-10-30 11:19:44 +01:00
Tobias Brunner
c6aa606a65
testing: Actually send an uncompressed packet in the ipv6/rw-compress-ikev2 scenario
The default of 56 bytes already exceeds the threshold of 90 bytes (8 bytes
ICMP + 40 bytes IPv6 = 104 bytes). By reducing the size we make sure the
packet is not compressed (40 + 8 + 40 = 88).
This also fixes a strange failure of this scenario due to the recently
added post-test `ip xfrm state` check. The kernel stores a reference to
the used SAs on the inbound skbuffs and since these are garbage collected
it could take a while until all references to an SA disappear and the SA
is finally destroyed. But while SAs might not get destroyed immediately
when we delete them, they are actually marked as dead and therefore won't
show up in `ip xfrm state`. However, that's not the case for the tunnel
SAs the kernel attaches to IPComp SAs, which we don't explicitly delete,
and which aren't modified by the kernel until the IPComp SA is destroyed.
So what happened when the last ping unintentionally got compressed is that
the skbuff had a reference to the IPComp SA and therefore the tunnel SA.
This skbuff often was destroyed after the `ip xfrm state` check ran and
because the tunnel SA would still get reported the test case failed.
2015-10-06 15:48:55 +02:00
Andreas Steffen
2b5c543051
testing: added ikev2/alg-chacha20poly1305 scenario
2015-09-01 17:30:15 +02:00