#!/bin/bash
###############################################################################
# (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of version 2 the GNU General Public License as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
###############################################################################
#
# PURPOSE:
# Test all the allowed ciphers for ipsec
# Load the test-harness helpers (presumably where exit_fail/exit_pass used
# below are defined).  Abort with status 2 if the file cannot be loaded so a
# missing harness is never reported as a test result.
. tp_selinux_functions.bash || exit 2
# DH groups, cycled in order: the test loop below pairs the i-th encryption
# algorithm with dh_groups[i mod ${#dh_groups[@]}].
# NOTE(review): modp1024 (and 3des in enc_algos) are weak by today's standards;
# they are presumably listed because this test tracks the *allowed* set
# (see PURPOSE above), not a recommended one.
declare -a dh_groups=(
  modp1024 modp1536 modp2048 modp3072 modp4096 modp6144 modp8192
  ecp256 ecp384 ecp521
  modp1024s160 modp2048s224 modp2048s256
  ecp224bp ecp256bp ecp384bp ecp512bp
)

# Encryption algorithms under test: CBC, CTR, then the CCM and GCM variants
# with their 8/12/16 suffixes.
declare -a enc_algos=(
  3des aes128 aes192 aes256
  aes128ctr aes192ctr aes256ctr
  aes128ccm8 aes192ccm8 aes256ccm8
  aes128ccm12 aes192ccm12 aes256ccm12
  aes128ccm16 aes192ccm16 aes256ccm16
  aes128gcm8 aes192gcm8 aes256gcm8
  aes128gcm12 aes192gcm12 aes256gcm12
  aes128gcm16 aes192gcm16 aes256gcm16
)

# Maps each "<enc>-sha512-<dh>!" ESP proposal string to the algorithm name the
# test expects to find in `ipsec statusall` for the resulting SA.  The CCM/GCM
# entries list only the cipher (no "/HMAC_..." part), the CBC/CTR entries list
# cipher and integrity algorithm.
declare -A algos_to_sas=(
  ['3des-sha512-modp1024!']='3DES_CBC/HMAC_SHA2_512_256'
  ['aes128-sha512-modp1536!']='AES_CBC_128/HMAC_SHA2_512_256'
  ['aes192-sha512-modp2048!']='AES_CBC_192/HMAC_SHA2_512_256'
  ['aes256-sha512-modp3072!']='AES_CBC_256/HMAC_SHA2_512_256'
  ['aes128ctr-sha512-modp4096!']='AES_CTR_128/HMAC_SHA2_512_256'
  ['aes192ctr-sha512-modp6144!']='AES_CTR_192/HMAC_SHA2_512_256'
  ['aes256ctr-sha512-modp8192!']='AES_CTR_256/HMAC_SHA2_512_256'
  ['aes128ccm8-sha512-ecp256!']='AES_CCM_8_128'
  ['aes192ccm8-sha512-ecp384!']='AES_CCM_8_192'
  ['aes256ccm8-sha512-ecp521!']='AES_CCM_8_256'
  ['aes128ccm12-sha512-modp1024s160!']='AES_CCM_12_128'
  ['aes192ccm12-sha512-modp2048s224!']='AES_CCM_12_192'
  ['aes256ccm12-sha512-modp2048s256!']='AES_CCM_12_256'
  ['aes128ccm16-sha512-ecp224bp!']='AES_CCM_16_128'
  ['aes192ccm16-sha512-ecp256bp!']='AES_CCM_16_192'
  ['aes256ccm16-sha512-ecp384bp!']='AES_CCM_16_256'
  ['aes128gcm8-sha512-ecp512bp!']='AES_GCM_8_128'
  ['aes192gcm8-sha512-modp1024!']='AES_GCM_8_192'
  ['aes256gcm8-sha512-modp1536!']='AES_GCM_8_256'
  ['aes128gcm12-sha512-modp2048!']='AES_GCM_12_128'
  ['aes192gcm12-sha512-modp3072!']='AES_GCM_12_192'
  ['aes256gcm12-sha512-modp4096!']='AES_GCM_12_256'
  ['aes128gcm16-sha512-modp6144!']='AES_GCM_16_128'
  ['aes192gcm16-sha512-modp8192!']='AES_GCM_16_192'
  ['aes256gcm16-sha512-ecp256!']='AES_GCM_16_256'
)
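#######################################
# Exercise every allowed ESP proposal once.  enc_algos[i] is paired with
# dh_groups[i mod #dh_groups], the proposal "<enc>-sha512-<dh>!" is written
# into /etc/ipsec.conf, strongswan is restarted, traffic is pushed through the
# tunnel and `ipsec statusall` is searched for the SA name from algos_to_sas.
# Globals:   dh_groups, enc_algos, algos_to_sas (read); counter (written)
# Outputs:   progress lines on stdout
# Returns:   exit_fail on the first failing combination, exit_pass otherwise
#######################################
counter=0
for alg in "${enc_algos[@]}"; do
  dh=${dh_groups[$((counter % ${#dh_groups[@]}))]}
  combination="${alg}-sha512-${dh}!"
  echo "Testing ${combination}"

  expected_sa="${algos_to_sas[$combination]}"
  # A proposal missing from algos_to_sas leaves expected_sa empty, and
  # grep '' matches every line: the SA check further down would then pass
  # without having verified the cipher at all.  Fail loudly instead.
  if [ -z "$expected_sa" ]; then
    exit_fail "no expected SA known for ${combination}"
  fi
  echo "$expected_sa"

  # Swap only the esp= proposal; the rest of the connection is kept.
  sed -i -e "s/esp=.*/esp=${combination}/" /etc/ipsec.conf

  # Clear cached OCSP/CRL/cert/IKE state so the new proposal is negotiated
  # from scratch after the restart.
  ipsec purgeocsp
  ipsec purgecrls
  ipsec purgecerts
  ipsec purgeike
  systemctl stop strongswan
  systemctl start strongswan
  sleep 5

  # first ping might fail, triggers ipsec
  ping -c 1 192.168.0.1 > /dev/null
  sleep 5

  # this ping must not fail
  if ! ping -c 1 192.168.0.1 > /dev/null; then
    exit_fail "couldn't send data packet"
  fi

  # check if the SA is for the configured ciphers -- fixed-string match so the
  # '/' and '_' in the SA name can never be read as a pattern.  Only the 5
  # lines after the "Security Associations" header are inspected, which
  # presumably assumes a single connection -- TODO confirm.
  ipsec_sa_state=$(ipsec statusall | grep 'Security Associations' -A 5 | grep -F -- "$expected_sa")
  if [ -z "$ipsec_sa_state" ]; then
    exit_fail "test failed, didn't find expected SA"
  fi

  counter=$((counter + 1))
done

exit_pass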