path: root/testing/tests/tnc
Commit message | Author | Age | Files | Lines
* imv-os: Updated security update evaluation | Andreas Steffen | 2017-09-01 | 3 | -3/+3
|
* imv-attestation: Fixed file hash measurements | Andreas Steffen | 2017-09-01 | 5 | -12/+12
|   The introduction of file versions broke file hash measurements. This has been fixed by using a generic product versions having an empty package name.
* testing: Move collector.db in tnc/tnccs-20-ev-pt-tls scenario to /etc/db.d | Tobias Brunner | 2017-08-07 | 3 | -2/+3
|   Also move initialization to the pretest script (it's way faster in the in-memory database).
* testing: Added tnc/tnccs-20-ev-pt-tls scenario | Andreas Steffen | 2017-08-04 | 31 | -0/+484
|
* testing: Fixed the path of pt-tls-client | Andreas Steffen | 2017-07-18 | 3 | -5/+5
|
* testing: Added tnc/tnccs-20-nea-pt-tls scenario | Andreas Steffen | 2017-07-08 | 29 | -0/+455
|
* testing: Adaptation to ISO 19770-2:2015 SWID standard | Andreas Steffen | 2017-07-08 | 1 | -1/+1
|
* testing: Fix ALLOWED_HOSTS in strongTNC settings.ini | Tobias Brunner | 2017-02-16 | 2 | -2/+2
|
* testing: strongTNC does not come with django.db any more | Andreas Steffen | 2016-12-17 | 2 | -2/+2
|
* testing: Start charon before Apache in tnc/tnccs-20-pdp-pt-tls | Tobias Brunner | 2016-06-21 | 1 | -1/+1
|   The change in c423d0e8a124 ("testing: Fix race in tnc/tnccs-20-pdp-pt-tls scenario") is not really ideal as now the vici plugin might not yet be ready when `swanctl --load-creds` is called. Perhaps starting charon before Apache causes enough delay. Once we switch to charon-systemd this isn't a problem anymore as starting the unit will block until everything is up and ready. Also, the individual swanctl calls will be redundant as the default service unit calls --load-all. But start scripts do run before charon-systemd signals that the daemon is ready, so using these would work too then.
* testing: Fix race in tnc/tnccs-20-pdp-pt-tls scenario | Tobias Brunner | 2016-06-17 | 2 | -3/+1
|   aacf84d837e7 ("testing: Add expect-connection calls for all tests and hosts") removed the expect-connection call for the non-existing aaa connection. However, because the credentials were loaded asynchronously via start-script the clients might have been connecting when the secrets were not yet loaded. As `swanctl --load-creds` is a synchronous call this change avoids that issue without having to add a sleep or failing expect-connection call.
* testing: Use TLS 1.2 in RADIUS test cases | Tobias Brunner | 2016-06-17 | 1 | -0/+3
|   This took a while as in the OpenSSL package shipped with Debian and on which our FIPS-enabled package is based, the function SSL_export_keying_material(), which is used by FreeRADIUS to derive the MSK, did not use the correct digest to calculate the result when TLS 1.2 was used. This caused IKE to fail with "verification of AUTH payload with EAP MSK failed". The fix was only backported to jessie recently.
* testing: Fix firewall rule on alice in tnc/tnccs-20-pdp-pt-tls scenario | Tobias Brunner | 2016-06-17 | 1 | -2/+2
|
* testing: Add expect-connection calls for all tests and hosts | Tobias Brunner | 2016-06-16 | 21 | -5/+40
|   There are some exceptions (e.g. those that use auto=start or p2pnat).
* testing: Update test scenarios for Debian jessie | Tobias Brunner | 2016-06-16 | 19 | -66/+66
|   The main difference is that ping now reports icmp_seq instead of icmp_req, so we match for icmp_.eq, which works with both releases. tcpdump now also reports port 4500 as ipsec-nat-t.
* testing: Update Apache config for newer Debian releases | Tobias Brunner | 2016-06-15 | 4 | -52/+64
|   It is still compatible with the current release as the config in sites-available will be ignored, while conf-enabled does not exist and is not included in the main config.
* testing: Use absolute path of imv_policy_manager | Andreas Steffen | 2016-04-26 | 8 | -8/+9
|
* testing: Include IKE port information in evaltests | Andreas Steffen | 2016-03-05 | 19 | -68/+68
|
* testing: Some minor fixes in test scenarios | Andreas Steffen | 2016-02-28 | 1 | -0/+2
|
* Fix of the mutual TNC measurement use case | Andreas Steffen | 2016-02-16 | 15 | -8/+214
|   If the IKEv2 initiator acting as a TNC server receives invalid TNC measurements from the IKEv2 responder acting as a TNC client, the exchange of PB-TNC batches is continued until the IKEv2 responder acting as a TNC server has also finished its TNC measurements. In the past if these measurements in the other direction were correct the IKEv2 responder acting as EAP server declared the IKEv2 EAP authentication successful and the IPsec connection was established even though the TNC measurement verification on the EAP peer side failed. The fix adds an "allow" group membership on each endpoint if the corresponding TNC measurements of the peer are successful. By requiring an "allow" group membership in the IKEv2 connection definition the IPsec connection succeeds only if the TNC measurements on both sides are valid.
* testing: Converted tnc scenarios to swanctl | Andreas Steffen | 2015-12-11 | 386 | -2383/+5091
|
* testing: Fixed some more timing issues | Andreas Steffen | 2015-11-10 | 1 | -0/+1
|
* testing: Reduce runtime of all tests that use SQLite databases by storing them in ramfs | Tobias Brunner | 2015-11-09 | 30 | -66/+38
|
* testing: tnc/tnccs-20-hcd-eap scenario does not use SWID IMV/strongTNC | Tobias Brunner | 2015-11-09 | 4 | -114/+1
|
* testing: Improve runtime of TNC tests by storing the SQLite DB in ramfs | Tobias Brunner | 2015-11-09 | 14 | -9/+30
|   This saves about 50%-70% of the time needed for scenarios that use a DB.
* testing: Avoid delays with ping by using -W and -i options | Tobias Brunner | 2015-11-09 | 17 | -32/+32
|   With -W we reduce timeouts when we don't expect a response. With -i the interval between pings is reduced (mostly in case of auto=route where the first ping yields no reply).
* testing: Remove nearly all sleep calls from pretest and posttest scripts | Tobias Brunner | 2015-11-09 | 23 | -51/+53
|   By consistently using the `expect-connection` helper we can avoid pretty much all previously needed calls to sleep.
* testing: Adapt tests to retransmission settings and reduce DPD delay/timeout | Tobias Brunner | 2015-11-09 | 7 | -1/+15
|
* Extend HCD attribute data for tnc/tnccs-20-hcd-eap scenario | Andreas Steffen | 2015-08-18 | 2 | -16/+45
|
* Added reason string support to HCD IMV | Andreas Steffen | 2015-08-18 | 1 | -7/+10
|
* Fixed patches format delimited by CR/LF | Andreas Steffen | 2015-08-18 | 4 | -50/+50
|
* testing: Added tnc/tnccs-20-hcd-eap scenario | Andreas Steffen | 2015-08-18 | 24 | -0/+674
|
* testing: Updated expired AAA server certificate | Andreas Steffen | 2015-08-04 | 4 | -84/+84
|
* testing: Fix URL to TNC@FHH project in scenario descriptions | Tobias Brunner | 2015-05-05 | 6 | -8/+8
|
* imv_policy_manager: Added capability to execute an allow or block shell command string | Andreas Steffen | 2015-04-26 | 7 | -2/+24
|
* Added tnc/tnccs-20-fail-init and tnc/tnccs-20-fail-resp scenarios | Andreas Steffen | 2015-03-27 | 30 | -0/+404
|
* Added tnc/tnccs-20-pt-tls scenario | Andreas Steffen | 2015-03-27 | 24 | -5/+114
|
* testing: added tnc/tnccs-20-mutual scenario | Andreas Steffen | 2015-03-23 | 11 | -0/+151
|
* testing: Update test conditions because signature schemes are now logged | Tobias Brunner | 2015-03-04 | 4 | -8/+8
|   RFC 7427 signature authentication is now used between strongSwan hosts by default, which causes the actual signature schemes to get logged.
* testing: Lower batch size to demonstrate segmentation of TCG/SWID Tag ID Inventory attribute (tag: 5.2.1rc1) | Andreas Steffen | 2014-10-11 | 1 | -2/+2
|
* testing: Don't check for the actual number of SWID tags in PDP scenarios | Tobias Brunner | 2014-10-07 | 2 | -8/+8
|   The number of SWID tags varies depending on the base image, but let's assume the number is in the hundreds.
* testing: Make TNC scenarios agnostic to the actual Debian version | Tobias Brunner | 2014-10-07 | 18 | -45/+52
|   The scenarios will work with new or old base images as long as the version in use is included as product in the master data (src/libimcv/imv/data.sql).
* configure: Load fetcher plugins after crypto base plugins | Martin Willi | 2014-09-24 | 56 | -60/+57
|   Some fetcher plugins (such as curl) might build upon OpenSSL to implement HTTPS fetching. As we set (and can't unset) threading callbacks in our openssl plugin, we must ensure that OpenSSL functions don't get called after openssl plugin unloading. We achieve that by loading curl and all other fetcher plugins after the base crypto plugins, including openssl.
* Updated description of TNC scenarios concerning RFC 7171 PT-EAP support | Andreas Steffen | 2014-06-26 | 6 | -24/+30
|
* Removed django.db from swid scenarios | Andreas Steffen | 2014-06-26 | 2 | -0/+0
|
* Updated strongTNC configuration | Andreas Steffen | 2014-06-11 | 6 | -8/+14
|
* Test SWID REST API in tnc/tnccs-20-pdp scenarios | Andreas Steffen | 2014-05-31 | 21 | -69/+161
|
* Migration from Debian 7.4 to 7.5 | Andreas Steffen | 2014-05-31 | 11 | -18/+18
|
* Minor changes in the test environment (tag: 5.2.0dr4) | Andreas Steffen | 2014-05-15 | 2 | -0/+10
|
* Implemented PT-EAP protocol (RFC 7171) | Andreas Steffen | 2014-05-12 | 46 | -156/+163
|