1515 Commits

Author SHA1 Message Date
Andreas Steffen
d2577aa3c5 Version bump to 5.5.1dr2 2016-08-26 22:55:41 +02:00
Andreas Steffen
ce20979ce2 testing: Virtual IPs went missing 2016-08-16 17:18:17 +02:00
Andreas Steffen
5afaf0dba2 Version bump to 5.5.1dr1 2016-08-10 18:11:53 +02:00
Andreas Steffen
c1a1f9f548 testing: Added swanctl/rw-newhope-bliss scenario 2016-08-10 15:14:26 +02:00
Andreas Steffen
1e0dc2c329 testing: Add chapoly, ntru and newhope plugins to crypto and integrity tests 2016-08-10 14:34:27 +02:00
Andreas Steffen
277ef8c2fa testing: Added ikev2/rw-newhope-bliss scenario 2016-08-10 14:22:00 +02:00
Andreas Steffen
74de8c3727 Version bump to 5.5.0 2016-07-13 13:26:16 +02:00
Tobias Brunner
5e5dee36b6 testing: Remove obsolete openssl-fips recipe
This was only required when we initially started and OpenSSL was built
from sources, which was changed with b97dd59ba841 ("install FIPS-aware
OpenSSL Debian packages").
2016-07-04 12:18:51 +02:00
Tobias Brunner
7b879874d7 Revert "testing: Only load selected plugins in swanctl"
This reverts commit dee01d019ba9743b2784b417155601d10c173a66.

Thanks to 505c31870162 ("leak-detective: Try to properly free
allocations after deinitialization") this is not required anymore.
2016-07-01 17:35:52 +02:00
Andreas Steffen
ee2644dd3f testing: Version bump to 4.6.3 kernel and strongSwan 5.5.0 2016-06-30 16:20:10 +02:00
Tobias Brunner
c3e5109c37 testing: Add ikev1/net2net-esn scenario 2016-06-29 11:16:48 +02:00
Tobias Brunner
c01df20ebf testing: Ignore tests/local directory
This could be used for experimental test scenarios that should not get
tracked in the repository.
2016-06-29 10:36:10 +02:00
Tobias Brunner
5a09734c2c testing: Start charon before Apache in tnc/tnccs-20-pdp-pt-tls
The change in c423d0e8a124 ("testing: Fix race in tnc/tnccs-20-pdp-pt-tls
scenario") is not really ideal as now the vici plugin might not yet be
ready when `swanctl --load-creds` is called.  Perhaps starting charon
before Apache causes enough delay.

Once we switch to charon-systemd this isn't a problem anymore as starting the
unit will block until everything is up and ready.  Also, the individual
swanctl calls will be redundant as the default service unit calls --load-all.
But start scripts do run before charon-systemd signals that the daemon is
ready, so using these would work too then.
2016-06-21 17:24:43 +02:00
Tobias Brunner
dee01d019b testing: Only load selected plugins in swanctl
The main issue is that the ldap and curl plugins, or rather the libraries
they use, initialize GnuTLS (curl, strangely, even when it is, by its own
account, linked against OpenSSL).  Some of these allocations are only freed
once the libraries are unloaded.  This means that the leak detective causes
invalid frees when swanctl is terminated and libraries are unloaded after the
leak detective is already deinitialized.
2016-06-20 18:23:45 +02:00
Tobias Brunner
c423d0e8a1 testing: Fix race in tnc/tnccs-20-pdp-pt-tls scenario
aacf84d837e7 ("testing: Add expect-connection calls for all tests and
hosts") removed the expect-connection call for the non-existing aaa
connection.  However, because the credentials were loaded asynchronously
via start-script the clients might have been connecting when the secrets
were not yet loaded.  As `swanctl --load-creds` is a synchronous call
this change avoids that issue without having to add a sleep or failing
expect-connection call.
2016-06-17 18:43:36 +02:00
Tobias Brunner
44e83f76f3 testing: Use TLS 1.2 in RADIUS test cases
This took a while as in the OpenSSL package shipped with Debian and on which
our FIPS-enabled package is based, the function SSL_export_keying_material(),
which is used by FreeRADIUS to derive the MSK, did not use the correct digest
to calculate the result when TLS 1.2 was used.  This caused IKE to fail with
"verification of AUTH payload with EAP MSK failed".  The fix was only
backported to jessie recently.
2016-06-17 15:53:12 +02:00
Tobias Brunner
545e529190 testing: Update FreeRADIUS to 2.2.8
While this is not the latest 2.x release it is the latest in /old.

Upgrading to 3.0 might be possible, not sure if the TNC-FHH patches could
be easily updated, though.  Upgrading to 3.1 will definitely not be possible
directly as that version removes the EAP-TNC module.  So we'd first have to
get rid of the TNC-FHH stuff.
2016-06-17 15:53:12 +02:00
Tobias Brunner
67b9e151fa testing: Fix firewall rule on alice in tnc/tnccs-20-pdp-pt-tls scenario 2016-06-17 10:22:03 +02:00
Tobias Brunner
1f98c38283 testing: Build hostapd from sources
There is a bug (fix at [1]) in hostapd 2.1-2.3 that let it crash when used
with the wired driver.  The package in jessie (and sid) is affected, so we
build it from sources (same, older, version as wpa_supplicant).

[1] http://w1.fi/cgit/hostap/commit/?id=e9b783d58c23a7bb50b2f25bce7157f1f3
2016-06-16 14:36:15 +02:00
Tobias Brunner
63d9370249 testing: Update download URL for wpa_supplicant 2016-06-16 14:36:15 +02:00
Tobias Brunner
63acd803f0 testing: Wait for packets to be processed by tcpdump
Sometimes tcpdump fails to process all packets during the short running
time of a scenario:

0 packets captured
18 packets received by filter
0 packets dropped by kernel

So 18 packets were captured by libpcap but tcpdump did not yet process
and print them.

This tries to use --immediate-mode if supported by tcpdump (the one
currently in jessie or wheezy does not, but the one in jessie-backports
does), which disables the buffering in libpcap.

However, even with immediate mode there are cases where it takes a while
longer for all packets to get processed.  And without it we also need a
workaround (even though the version in wheezy actually works fine).
That's why there now is a loop checking for differences in captured vs.
received packets.  There are actually cases where these numbers are not
equal but we still captured all packets we're interested in, so we abort
after 1s of retrying.  But sometimes it could still happen that packets
we expected got lost somewhere ("packets dropped by kernel" is not
always 0 either).
2016-06-16 14:36:15 +02:00
Tobias Brunner
eb25b1a73d testing: Fix expect-connection for tkm tests
We don't use swanctl there but there is no load statement either.
2016-06-16 14:35:26 +02:00
Tobias Brunner
aacf84d837 testing: Add expect-connection calls for all tests and hosts
There are some exceptions (e.g. those that use auto=start or p2pnat).
2016-06-16 14:35:18 +02:00
Tobias Brunner
8f56bbc82b testing: Update test scenarios for Debian jessie
The main difference is that ping now reports icmp_seq instead of
icmp_req, so we match for icmp_.eq, which works with both releases.

tcpdump now also reports port 4500 as ipsec-nat-t.
2016-06-16 14:04:11 +02:00
Tobias Brunner
b71104a3df testing: Fix posttest.dat for ikev2/rw-dnssec scenario 2016-06-16 14:01:47 +02:00
Tobias Brunner
71424a2f85 testing: Make sure tcpdump is actually terminated before analyzing/collecting logs 2016-06-16 14:01:47 +02:00
Tobias Brunner
654343d942 testing: Correctly dis-/enable services with systemd 2016-06-16 14:01:47 +02:00
Tobias Brunner
f565f954a7 testing: Install packages like the FIPS-enabled OpenSSL from a custom apt repo 2016-06-16 14:01:47 +02:00
Tobias Brunner
257e5db0d0 testing: Update base image to Debian jessie
Several packages got renamed/updated, libgcrypt was apparently installed
by default previously.

Since most libraries changed we have to completely rebuild all the tools
installed in the root image.  We currently don't provide a clean target in
the recipes, and even if we did we'd have to track which base image we
last built for.  It's easier to just use a different build directory for
each base image, at the cost of some additional disk space (if not manually
cleaned).  However, that's also the case when updating kernel or
software versions.
2016-06-15 17:58:24 +02:00
Tobias Brunner
0889628957 testing: Update 4.x kernel configs to be compatible with Debian 8/systemd 2016-06-15 16:24:44 +02:00
Tobias Brunner
5c71cbfa94 testing: Add root to fstab
This seems to be required for systemd to remount it.
2016-06-15 16:24:44 +02:00
Tobias Brunner
1c616eccae testing: Update Apache config for newer Debian releases
It is still compatible with the current release as the config in
sites-available will be ignored, while conf-enabled does not exist and
is not included in the main config.
2016-06-15 16:24:44 +02:00
Tobias Brunner
2b0a6811ab testing: Explicitly enable RC4 in SSH server config
Newer OpenSSH versions disable this by default because it's unsafe.
Since this is not relevant for our use case we enable it due to its
speed.
2016-06-15 16:24:44 +02:00
Tobias Brunner
6466546f81 testing: Add script to chroot into an image
If changes are made to the base or root image the images depending on
these have to be rebuilt.
2016-06-15 16:24:43 +02:00
Tobias Brunner
cac9051eed testing: Add a patch to tnc-fhh that avoids building the tncsim package
This sub-package does not build on Debian jessie.
2016-06-15 16:24:43 +02:00
Tobias Brunner
c857621e70 testing: Don't attempt to stop services when building base image
Unlike `apt-get install` in a chroot debootstrap does not seem to start
the services but stopping them might cause problems if they were running
outside the chroot.
2016-06-15 16:24:43 +02:00
Tobias Brunner
796c36ade1 testing: Fix scenarios that check /etc/resolv.conf 2016-06-13 16:18:38 +02:00
Andreas Steffen
78adb5a7b1 testing: Changed gcrypt-ikev1 scenarios to swanctl 2016-05-15 19:02:57 +02:00
Andreas Steffen
141ac4df8f testing: wait until connections are loaded 2016-05-15 19:02:57 +02:00
Andreas Steffen
b9522f9d64 swanctl: Do not display rekey times for shunts 2016-05-05 14:53:22 +02:00
Andreas Steffen
ff4e01dab5 testing: Use reauthentication and set CHILD_SA rekey time, bytes and packets limits 2016-05-04 18:13:52 +02:00
Andreas Steffen
87381a55a9 testing: uses xauth_id in swanctl/xauth-rsa scenario 2016-05-04 18:13:52 +02:00
Andreas Steffen
278497f2ba testing: Use absolute path of imv_policy_manager 2016-04-26 17:15:37 +02:00
Andreas Steffen
b85422b90c testing: -D and -u options in sfdisk are not supported any more 2016-04-26 17:15:37 +02:00
Andreas Steffen
029d3a0ce6 testing: updated testing.conf 2016-04-24 13:36:31 +02:00
Andreas Steffen
0ff486f507 testing: Added swanctl/rw-multi-ciphers-ikev1 scenario 2016-04-12 18:50:58 +02:00
Andreas Steffen
d3edc8aa0f testing: Added swanctl/manual_prio scenario 2016-04-09 16:51:02 +02:00
Tobias Brunner
638b4638e3 testing: Add swanctl/net2net-gw scenario 2016-04-09 16:51:00 +02:00
Tobias Brunner
ea3a4d3f72 testing: List conntrack table on sun in ikev2/host2host-transport-connmark scenario 2016-04-06 14:01:18 +02:00
Tobias Brunner
aa65b8c147 testing: Version bump to 5.4.0
References #1382.
2016-04-06 11:17:40 +02:00