Commit message | Author | Age | Files | Lines | ||
---|---|---|---|---|---|---|
... | ||||||
* | testing: Update test conditions because signature schemes are now logged | Tobias Brunner | 2015-03-04 | 22 | -35/+35 | |
| | | | | | RFC 7427 signature authentication is now used between strongSwan hosts by default, which causes the actual signature schemes to get logged. | |||||
* | testing: Add ikev2/rw-sig-auth scenario | Tobias Brunner | 2015-03-04 | 12 | -0/+180 | |
| | ||||||
* | testing: Add ikev2/net2net-cert-sha2 scenario | Tobias Brunner | 2015-03-04 | 9 | -0/+104 | |
| | ||||||
* | Implemented improved BLISS-B signature algorithm | Andreas Steffen | 2015-02-25 | 3 | -0/+0 | |
| | ||||||
* | testing: Add a forecast test case | Martin Willi | 2015-02-20 | 11 | -0/+152 | |
| | ||||||
* | testing: Add a connmark plugin test | Martin Willi | 2015-02-20 | 9 | -0/+109 | |
| | | | | | | | | | | In this test two hosts establish a transport mode connection from behind moon. sun uses the connmark plugin to distinguish the flows. This is an example that shows how one can terminate L2TP/IPsec connections from two hosts behind the same NAT. For simplification of the test, we use an SSH connection instead, but this works for any connection initiated flow that conntrack can track. | |||||
* | testing: Update description and test evaluation of host2host-transport-nat | Martin Willi | 2015-02-20 | 3 | -9/+8 | |
| | | | | | | | | As we now reuse the reqid for identical SAs, the behavior changes for transport connections to multiple peers behind the same NAT. Instead of rejecting the SA, we now have two valid SAs active. For the reverse path, however, sun sends traffic always over the newer SA, resembling the behavior before we introduced explicit SA conflicts for different reqids. | |||||
* | testing: Be a little more flexible in testing for established CHILD_SA modes | Martin Willi | 2015-02-20 | 5 | -13/+13 | |
| | | | | | As we now print the reqid parameter in the CHILD_SA details, adapt the grep to still match the CHILD_SA mode and protocol. | |||||
* | testing: Add a test scenario for make-before-break reauth using a virtual IP | Martin Willi | 2015-02-20 | 9 | -0/+100 | |
| | ||||||
* | testing: Add a test scenario for make-before-break reauth without a virtual IP | Martin Willi | 2015-02-20 | 9 | -0/+97 | |
| | ||||||
* | Updated RFC3779 certificates [5.2.2] | Andreas Steffen | 2014-12-28 | 4 | -86/+86 | |
| | ||||||
* | Updated BLISS CA certificate in ikev2/rw-ntru-bliss scenario [5.2.2rc1] | Andreas Steffen | 2014-12-12 | 3 | -0/+0 | |
| | ||||||
* | Updated BLISS scenario keys and certificates to new format | Andreas Steffen | 2014-12-12 | 6 | -0/+0 | |
| | ||||||
* | Renewed expired certificates | Andreas Steffen | 2014-11-29 | 3 | -61/+61 | |
| | ||||||
* | Created ikev2/rw-ntru-bliss scenario | Andreas Steffen | 2014-11-29 | 23 | -0/+188 | |
| | ||||||
* | testing: Add ikev2/net2net-fragmentation scenario | Tobias Brunner | 2014-10-10 | 9 | -0/+116 | |
| | ||||||
* | Updated revoked certificate in ikev2/ocsp-revoked scenario | Andreas Steffen | 2014-10-05 | 2 | -42/+42 | |
| | ||||||
* | The critical-extension scenarios need the old private keys | Andreas Steffen | 2014-10-05 | 2 | -0/+54 | |
| | ||||||
* | testing: Make sure the whitelist plugin is ready before configuring it | Tobias Brunner | 2014-10-03 | 1 | -1/+3 | |
| | ||||||
* | testing: Update PKCS#12 containers | Tobias Brunner | 2014-10-03 | 2 | -0/+0 | |
| | ||||||
* | testing: Update PKCS#8 keys | Tobias Brunner | 2014-10-03 | 3 | -81/+81 | |
| | ||||||
* | testing: Update public keys in DNSSEC scenarios | Tobias Brunner | 2014-10-03 | 3 | -0/+0 | |
| | | | | | The tests are successful even if the public keys are not stored locally, but an additional DNS query is required to fetch them. | |||||
* | testing: Update carol's certificate in several test cases | Tobias Brunner | 2014-10-03 | 2 | -43/+43 | |
| | ||||||
* | testing: Add some notes about how to reissue attribute certificates | Martin Willi | 2014-10-03 | 3 | -0/+61 | |
| | ||||||
* | testing: Reissue attribute certificates for the new holder certificates | Martin Willi | 2014-10-03 | 8 | -72/+72 | |
| | | | | | | Due to the expired and reissued holder certificates of carol and dave, new attribute certificates are required to match the holder certificates' serial in the ikev2/acert-{cached,fallback,inline} tests. | |||||
* | configure: Load fetcher plugins after crypto base plugins | Martin Willi | 2014-09-24 | 321 | -321/+321 | |
| | | | | | | | | | | Some fetcher plugins (such as curl) might build upon OpenSSL to implement HTTPS fetching. As we set (and can't unset) threading callbacks in our openssl plugin, we must ensure that OpenSSL functions don't get called after openssl plugin unloading. We achieve that by loading curl and all other fetcher plugins after the base crypto plugins, including openssl. | |||||
* | Generated new test certificates | Andreas Steffen | 2014-08-28 | 2 | -42/+42 | |
| | ||||||
* | testing: Add pfkey/shunt-policies-nat-rw scenario | Tobias Brunner | 2014-06-26 | 1 | -0/+2 | |
| | ||||||
* | testing: Add ikev2/shunt-policies-nat-rw scenario | Tobias Brunner | 2014-06-19 | 12 | -0/+171 | |
| | ||||||
* | testing: Remove ikev2/shunt-policies scenario | Tobias Brunner | 2014-06-19 | 10 | -166/+0 | |
| | | | | | This scenario doesn't really apply anymore (especially its use of drop policies). | |||||
* | Renewed expired user certificate | Andreas Steffen | 2014-04-15 | 2 | -42/+42 | |
| | ||||||
* | testing: Run 'conntrack -F' before all test scenarios | Tobias Brunner | 2014-04-02 | 18 | -27/+4 | |
| | | | | This prevents failures due to remaining conntrack entries. | |||||
* | Test TLS AEAD cipher suites | Andreas Steffen | 2014-04-01 | 7 | -4/+13 | |
| | ||||||
* | Slightly edited evaltest of ikev2/ocsp-untrusted-cert scenario | Andreas Steffen | 2014-03-31 | 1 | -1/+1 | |
| | ||||||
* | revocation: Restrict OCSP signing to specific certificates | Martin Willi | 2014-03-31 | 2 | -3/+2 | |
| | | | | | | | | | | | | | To avoid considering each cached OCSP response and evaluating its trustchain, we limit the certificates considered for OCSP signing to: - The issuing CA of the checked certificate - A directly delegated signer by the same CA, having the OCSP signer constraint - Any locally installed (trusted) certificate having the OCSP signer constraint The first two options cover the requirements from RFC 6960 2.6. For compatibility with non-conforming CAs, we allow the third option as exception, but require the installation of such certificates locally. | |||||
* | testing: Add an acert test that forces a fallback connection based on groups | Martin Willi | 2014-03-31 | 13 | -0/+199 | |
| | ||||||
* | testing: Add an acert test case sending attribute certificates inline | Martin Willi | 2014-03-31 | 18 | -0/+291 | |
| | ||||||
* | testing: Add an acert test using locally cached attribute certificates | Martin Willi | 2014-03-31 | 16 | -0/+239 | |
| | ||||||
* | Renewed self-signed OCSP signer certificate | Andreas Steffen | 2014-03-27 | 2 | -28/+28 | |
| | ||||||
* | Check that valid OCSP responses are received in the ikev2/ocsp-multi-level scenario | Andreas Steffen | 2014-03-24 | 1 | -0/+4 | |
| | ||||||
* | Updated expired certificates issued by the Research and Sales Intermediate CAs | Andreas Steffen | 2014-03-24 | 4 | -87/+87 | |
| | ||||||
* | Renewed revoked Research CA certificate [5.1.3dr1] | Andreas Steffen | 2014-03-22 | 1 | -9/+9 | |
| | ||||||
* | Completed integration of ntru_crypto library into ntru plugin | Andreas Steffen | 2014-03-22 | 9 | -0/+128 | |
| | ||||||
* | Merged libstrongswan options into charon section | Andreas Steffen | 2014-03-15 | 20 | -51/+4 | |
| | ||||||
* | Added ikev2/lookip scenario | Andreas Steffen | 2014-02-17 | 11 | -0/+149 | |
| | ||||||
* | testing: Use installed SQL schema instead of local copy | Tobias Brunner | 2014-02-12 | 5 | -11/+11 | |
| | ||||||
* | testing: Add ikev2/host2host-transport-nat scenario | Tobias Brunner | 2014-01-23 | 9 | -0/+146 | |
| | ||||||
* | testing: Add ikev2/compress-nat scenario | Tobias Brunner | 2014-01-23 | 12 | -0/+187 | |
| | ||||||
* | testing: Enable firewall for ikev2/compress scenario | Tobias Brunner | 2014-01-23 | 8 | -7/+14 | |
| | | | | | Additionally, send a regular (small) ping as the kernel does not compress small packets and handles those differently inbound. | |||||
* | Any of the four NTRU parameter sets can be selected | Andreas Steffen | 2013-11-27 | 1 | -0/+8 | |
| |