Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | imv-os: Updated security update evaluation | Andreas Steffen | 2017-09-01 | 3 | -3/+3 |
| | |||||
* | imv-attestation: Fixed file hash measurements | Andreas Steffen | 2017-09-01 | 5 | -12/+12 |
| | The introduction of file versions broke file hash measurements. This has been fixed by using a generic product versions having an empty package name. | ||||
* | testing: Move collector.db in tnc/tnccs-20-ev-pt-tls scenario to /etc/db.d | Tobias Brunner | 2017-08-07 | 3 | -2/+3 |
| | Also move initialization to the pretest script (it's way faster in the in-memory database). | ||||
* | testing: Added tnc/tnccs-20-ev-pt-tls scenario | Andreas Steffen | 2017-08-04 | 31 | -0/+484 |
| | |||||
* | testing: Fixed the path of pt-tls-client | Andreas Steffen | 2017-07-18 | 3 | -5/+5 |
| | |||||
* | testing: Added tnc/tnccs-20-nea-pt-tls scenario | Andreas Steffen | 2017-07-08 | 29 | -0/+455 |
| | |||||
* | testing: Adaptation to ISO 19770-2:2015 SWID standard | Andreas Steffen | 2017-07-08 | 1 | -1/+1 |
| | |||||
* | testing: Fix ALLOWED_HOSTS in strongTNC settings.ini | Tobias Brunner | 2017-02-16 | 2 | -2/+2 |
| | |||||
* | testing: strongTNC does not come with django.db any more | Andreas Steffen | 2016-12-17 | 2 | -2/+2 |
| | |||||
* | testing: Start charon before Apache in tnc/tnccs-20-pdp-pt-tls | Tobias Brunner | 2016-06-21 | 1 | -1/+1 |
| | The change in c423d0e8a124 ("testing: Fix race in tnc/tnccs-20-pdp-pt-tls scenario") is not really ideal as now the vici plugin might not yet be ready when `swanctl --load-creds` is called. Perhaps starting charon before Apache causes enough delay. Once we switch to charon-systemd this isn't a problem anymore as starting the unit will block until everything is up and ready. Also, the individual swanctl calls will be redundant as the default service unit calls --load-all. But start scripts do run before charon-systemd signals that the daemon is ready, so using these would work too then. | ||||
* | testing: Fix race in tnc/tnccs-20-pdp-pt-tls scenario | Tobias Brunner | 2016-06-17 | 2 | -3/+1 |
| | aacf84d837e7 ("testing: Add expect-connection calls for all tests and hosts") removed the expect-connection call for the non-existing aaa connection. However, because the credentials were loaded asynchronously via start-script the clients might have been connecting when the secrets were not yet loaded. As `swanctl --load-creds` is a synchronous call this change avoids that issue without having to add a sleep or failing expect-connection call. | ||||
* | testing: Use TLS 1.2 in RADIUS test cases | Tobias Brunner | 2016-06-17 | 1 | -0/+3 |
| | This took a while as in the OpenSSL package shipped with Debian and on which our FIPS-enabled package is based, the function SSL_export_keying_material(), which is used by FreeRADIUS to derive the MSK, did not use the correct digest to calculate the result when TLS 1.2 was used. This caused IKE to fail with "verification of AUTH payload with EAP MSK failed". The fix was only backported to jessie recently. | ||||
* | testing: Fix firewall rule on alice in tnc/tnccs-20-pdp-pt-tls scenario | Tobias Brunner | 2016-06-17 | 1 | -2/+2 |
| | |||||
* | testing: Add expect-connection calls for all tests and hosts | Tobias Brunner | 2016-06-16 | 21 | -5/+40 |
| | There are some exceptions (e.g. those that use auto=start or p2pnat). | ||||
* | testing: Update test scenarios for Debian jessie | Tobias Brunner | 2016-06-16 | 19 | -66/+66 |
| | The main difference is that ping now reports icmp_seq instead of icmp_req, so we match for icmp_.eq, which works with both releases. tcpdump now also reports port 4500 as ipsec-nat-t. | ||||
* | testing: Update Apache config for newer Debian releases | Tobias Brunner | 2016-06-15 | 4 | -52/+64 |
| | It is still compatible with the current release as the config in sites-available will be ignored, while conf-enabled does not exist and is not included in the main config. | ||||
* | testing: Use absolute path of imv_policy_manager | Andreas Steffen | 2016-04-26 | 8 | -8/+9 |
| | |||||
* | testing: Include IKE port information in evaltests | Andreas Steffen | 2016-03-05 | 19 | -68/+68 |
| | |||||
* | testing: Some minor fixes in test scenarios | Andreas Steffen | 2016-02-28 | 1 | -0/+2 |
| | |||||
* | Fix of the mutual TNC measurement use case | Andreas Steffen | 2016-02-16 | 15 | -8/+214 |
| | If the IKEv2 initiator acting as a TNC server receives invalid TNC measurements from the IKEv2 responder acting as a TNC client, the exchange of PB-TNC batches is continued until the IKEv2 responder acting as a TNC server has also finished its TNC measurements. In the past if these measurements in the other direction were correct the IKEv2 responder acting as EAP server declared the IKEv2 EAP authentication successful and the IPsec connection was established even though the TNC measurement verification on the EAP peer side failed. The fix adds an "allow" group membership on each endpoint if the corresponding TNC measurements of the peer are successful. By requiring an "allow" group membership in the IKEv2 connection definition the IPsec connection succeeds only if the TNC measurements on both sides are valid. | ||||
* | testing: Converted tnc scenarios to swanctl | Andreas Steffen | 2015-12-11 | 386 | -2383/+5091 |
| | |||||
* | testing: Fixed some more timing issues | Andreas Steffen | 2015-11-10 | 1 | -0/+1 |
| | |||||
* | testing: Reduce runtime of all tests that use SQLite databases by storing them in ramfs | Tobias Brunner | 2015-11-09 | 30 | -66/+38 |
| | |||||
* | testing: tnc/tnccs-20-hcd-eap scenario does not use SWID IMV/strongTNC | Tobias Brunner | 2015-11-09 | 4 | -114/+1 |
| | |||||
* | testing: Improve runtime of TNC tests by storing the SQLite DB in ramfs | Tobias Brunner | 2015-11-09 | 14 | -9/+30 |
| | This saves about 50%-70% of the time needed for scenarios that use a DB. | ||||
* | testing: Avoid delays with ping by using -W and -i options | Tobias Brunner | 2015-11-09 | 17 | -32/+32 |
| | With -W we reduce timeouts when we don't expect a response. With -i the interval between pings is reduced (mostly in case of auto=route where the first ping yields no reply). | ||||
* | testing: Remove nearly all sleep calls from pretest and posttest scripts | Tobias Brunner | 2015-11-09 | 23 | -51/+53 |
| | By consistently using the `expect-connection` helper we can avoid pretty much all previously needed calls to sleep. | ||||
* | testing: Adapt tests to retransmission settings and reduce DPD delay/timeout | Tobias Brunner | 2015-11-09 | 7 | -1/+15 |
| | |||||
* | Extend HCD attribute data for tnc/tnccs-20-hcd-eap scenario | Andreas Steffen | 2015-08-18 | 2 | -16/+45 |
| | |||||
* | Added reason string support to HCD IMV | Andreas Steffen | 2015-08-18 | 1 | -7/+10 |
| | |||||
* | Fixed patches format delimited by CR/LF | Andreas Steffen | 2015-08-18 | 4 | -50/+50 |
| | |||||
* | testing: Added tnc/tnccs-20-hcd-eap scenario | Andreas Steffen | 2015-08-18 | 24 | -0/+674 |
| | |||||
* | testing: Updated expired AAA server certificate | Andreas Steffen | 2015-08-04 | 4 | -84/+84 |
| | |||||
* | testing: Fix URL to TNC@FHH project in scenario descriptions | Tobias Brunner | 2015-05-05 | 6 | -8/+8 |
| | |||||
* | imv_policy_manager: Added capability to execute an allow or block shell command string | Andreas Steffen | 2015-04-26 | 7 | -2/+24 |
| | |||||
* | Added tnc/tnccs-20-fail-init and tnc/tnccs-20-fail-resp scenarios | Andreas Steffen | 2015-03-27 | 30 | -0/+404 |
| | |||||
* | Added tnc/tnccs-20-pt-tls scenario | Andreas Steffen | 2015-03-27 | 24 | -5/+114 |
| | |||||
* | testing: added tnc/tnccs-20-mutual scenario | Andreas Steffen | 2015-03-23 | 11 | -0/+151 |
| | |||||
* | testing: Update test conditions because signature schemes are now logged | Tobias Brunner | 2015-03-04 | 4 | -8/+8 |
| | RFC 7427 signature authentication is now used between strongSwan hosts by default, which causes the actual signature schemes to get logged. | ||||
* | testing: Lower batch size to demonstrate segmentation of TCG/SWID Tag ID Inventory attribute (5.2.1rc1) | Andreas Steffen | 2014-10-11 | 1 | -2/+2 |
| | |||||
* | testing: Don't check for the actual number of SWID tags in PDP scenarios | Tobias Brunner | 2014-10-07 | 2 | -8/+8 |
| | The number of SWID tags varies depending on the base image, but let's assume the number is in the hundreds. | ||||
* | testing: Make TNC scenarios agnostic to the actual Debian version | Tobias Brunner | 2014-10-07 | 18 | -45/+52 |
| | The scenarios will work with new or old base images as long as the version in use is included as product in the master data (src/libimcv/imv/data.sql). | ||||
* | configure: Load fetcher plugins after crypto base plugins | Martin Willi | 2014-09-24 | 56 | -60/+57 |
| | Some fetcher plugins (such as curl) might build upon OpenSSL to implement HTTPS fetching. As we set (and can't unset) threading callbacks in our openssl plugin, we must ensure that OpenSSL functions don't get called after openssl plugin unloading. We achieve that by loading curl and all other fetcher plugins after the base crypto plugins, including openssl. | ||||
* | Updated description of TNC scenarios concerning RFC 7171 PT-EAP support | Andreas Steffen | 2014-06-26 | 6 | -24/+30 |
| | |||||
* | Removed django.db from swid scenarios | Andreas Steffen | 2014-06-26 | 2 | -0/+0 |
| | |||||
* | Updated strongTNC configuration | Andreas Steffen | 2014-06-11 | 6 | -8/+14 |
| | |||||
* | Test SWID REST API in tnc/tnccs-20-pdp scenarios | Andreas Steffen | 2014-05-31 | 21 | -69/+161 |
| | |||||
* | Migration from Debian 7.4 to 7.5 | Andreas Steffen | 2014-05-31 | 11 | -18/+18 |
| | |||||
* | Minor changes in the test environment (5.2.0dr4) | Andreas Steffen | 2014-05-15 | 2 | -0/+10 |
| | |||||
* | Implemented PT-EAP protocol (RFC 7171) | Andreas Steffen | 2014-05-12 | 46 | -156/+163 |
| |