diff --git a/tests/console/firewalld.pm b/tests/console/firewalld.pm
index f35c919e0a9a..7630bbc8cdc3 100644
--- a/tests/console/firewalld.pm
+++ b/tests/console/firewalld.pm
@@ -361,6 +361,8 @@ sub test_default_backend {
 sub run {
 select_serial_terminal;
+ zypper_call('in iptables') if is_sle('>=16');
+
 # Check Service State, enable it if necessary, set default zone to public
 pre_test;
diff --git a/tests/console/mdadm.pm b/tests/console/mdadm.pm
index 1036c0384970..2b8142faafed 100644
--- a/tests/console/mdadm.pm
+++ b/tests/console/mdadm.pm
@@ -14,17 +14,21 @@ use base 'consoletest';
 use testapi;
 use Utils::Logging 'save_and_upload_log';
 use serial_terminal 'select_serial_terminal';
+use utils 'zypper_call';
 use version_utils 'is_sle';
 use strict;
 use warnings;
 sub run {
 select_serial_terminal;
- my $timeout = 360;
+
+ zypper_call('in mdadm');
 record_info("mdadm build", script_output("rpm -q --qf '%{version}-%{release}' mdadm"));
 assert_script_run 'wget ' . data_url('qam/mdadm.sh');
+
+ my $timeout = 360;
 if (is_sle('<15')) {
 if (script_run('bash mdadm.sh |& tee mdadm.log; if [ ${PIPESTATUS[0]} -ne 0 ]; then false; fi', $timeout)) {
 record_soft_failure 'bsc#1105628';
diff --git a/tests/fips/strongswan/strongswan_client.pm b/tests/fips/strongswan/strongswan_client.pm
index d30af0c76f5a..2bc4c9ac047d 100644
--- a/tests/fips/strongswan/strongswan_client.pm
+++ b/tests/fips/strongswan/strongswan_client.pm
@@ -58,15 +58,14 @@ sub run { mutex_create('STRONGSWAN_HOST2_UP'); mutex_wait('STRONGSWAN_HOST1_SERVER_START'); - # Start stronswan daemon - assert_script_run('rcstrongswan start'); + systemctl 'start strongswan'; # Establish the ipsec tunnel assert_script_run('ipsec up host-host'); mutex_create('STRONGSWAN_HOST2_START'); - validate_script_output('rcstrongswan status', sub { m/Active: active/ }); + systemctl 'is-active strongswan'; validate_script_output('ipsec status', sub { m/Routed Connections/ && m/host-host\{\d\}:\s+$local_ip\/32\s===\s$remote_ip\/32/ && m/Security Associations.*1 up/ }); diff --git a/tests/fips/strongswan/strongswan_server.pm b/tests/fips/strongswan/strongswan_server.pm index 22026afeba44..a2766333f5ce 100644 --- a/tests/fips/strongswan/strongswan_server.pm +++ b/tests/fips/strongswan/strongswan_server.pm @@ -17,12 +17,13 @@ use warnings; use utils; use lockapi; use mmapi qw(wait_for_children get_children); -use version_utils 'package_version_cmp'; +use version_utils qw(package_version_cmp is_sle); sub run { my $self = shift; select_console 'root-console'; zypper_call 'in strongswan strongswan-hmac tcpdump'; + zypper_call 'in strongswan-mysql strongswan-sqlite wget' if is_sle('>=16'); my $test_dir = '/root/strongswan'; my $ca_pem = 'ca.pem'; 
@@ -43,8 +44,8 @@ sub run {
 }
 # Integrate hkdf function test
- # POO: https://progress.opensuse.org/issues/111581
- validate_script_output('rpm -q strongswan --changelog', sub { m/bsc#1195919/ });
+ # on SLE >= 15 we have version 5.8.x or greater, which includes the fix.
+ validate_script_output('rpm -q strongswan --changelog', sub { m/bsc#1195919/ }) if is_sle('<15');
 assert_script_run('openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -hexdump');
 assert_script_run('openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -pkeyopt mode:EXTRACT_ONLY -hexdump');
 assert_script_run('openssl pkeyutl -kdf HKDF -kdflen 48 -pkeyopt md:SHA256 -pkeyopt key:ff -pkeyopt salt:ff -pkeyopt mode:EXTRACT_AND_EXPAND -hexdump');
@@ -100,18 +101,18 @@ sub run {
 # Edit /etc/ipsec.secrets
 assert_script_run('echo ": RSA host1.pem" >> /etc/ipsec.secrets');
- # Start stronswan daemon
- assert_script_run('rcstrongswan start');
+ systemctl 'start strongswan';
 mutex_create('STRONGSWAN_HOST1_SERVER_START');
 mutex_wait('STRONGSWAN_HOST2_START', (keys %$children)[0]);
- validate_script_output('rcstrongswan status', sub { m/Active: active/ });
+ systemctl 'is-active strongswan';
 # Check the tcpdump result
 my $tcpdump_log_file = '/tmp/tcpdump.log';
- my $pid = background_script_run("tcpdump -n -i eth0 -e \"esp\" -vv > $tcpdump_log_file 2>&1");
+ my $net_device = script_output("ip route | awk '/default/ {print \$5}'");
+ my $pid = background_script_run("tcpdump -n -i $net_device -e \"esp\" -vv > $tcpdump_log_file 2>&1");
 mutex_create('TCPDUMP_READY');
 mutex_wait('PING_DONE', (keys %$children)[0]);
 assert_script_run("kill -15 $pid");
diff --git a/tests/fips/stunnel.pm b/tests/fips/stunnel.pm
index 99c68b2be6a6..b3b6b00954ba 100644
--- a/tests/fips/stunnel.pm
+++ b/tests/fips/stunnel.pm
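Review bot: In strongswan_server.pm (hunk @@ -43,8 +44,8) the bsc#1195919 changelog check is now gated on `is_sle('<15')`, so on every newer product the fix is assumed from the distribution version rather than verified, and the ticket link is dropped from the comment. `package_version_cmp` is already imported in this file, so the guard could compare the installed strongswan version with the first fixed release instead of keying on the product. At minimum keep the reference in the new comment, e.g. `# POO: https://progress.opensuse.org/issues/111581 - changelog only checked on SLE < 15, newer products ship 5.8.x or later`. run() starts and ends outside the hunk.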
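Review bot: In strongswan_server.pm (hunk @@ -100,18 +101,18) `$net_device` goes into the tcpdump command line unchecked: with no default route the awk output is empty and tcpdump reads `-e` as the interface name, and with more than one default route the value spans several lines and splits the command. The capture then fails in the background and the error surfaces later, away from its cause. Take the first match and fail early, `my $net_device = script_output("ip route | awk '/default/ {print \$5; exit}'");` followed by `die 'no default-route interface found' unless $net_device =~ /\A[\w.-]+\z/;`. run() continues outside the hunk.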
@@ -20,17 +20,20 @@ use version_utils 'package_version_cmp'; my $hostname = get_var('HOSTNAME'); # Set vnc password my $message = 'Hello from the server'; +# Set stunnel dir +my $stunnel_chroot_dir = "/var/run/stunnel"; sub conf_stunnel_netcat { my $stunnel_config = < '5.62'}; - zypper_call("in " . join(' ', keys %$pkg_list)); - package_upgrade_check($pkg_list); + zypper_call("in stunnel netcat-openbsd"); if ($hostname =~ /server|master/) { # Generate a self-signed certificate assert_script_run('mkdir stunnel_fips; cd stunnel_fips'); @@ -62,6 +63,7 @@ q(openssl req -new -x509 -newkey rsa:2048 -keyout stunnel.key -days 356 -out stu assert_script_run('cat stunnel.key stunnel.crt > stunnel.pem'); # Copy the certificate to "/etc/stunnel" assert_script_run('cp stunnel.pem /etc/stunnel; cd'); + assert_script_run('chmod 600 /etc/stunnel/stunnel.pem'); # Configure stunnel file conf_stunnel_netcat; # Add lock for client @@ -70,8 +72,7 @@ q(openssl req -new -x509 -newkey rsa:2048 -keyout stunnel.key -days 356 -out stu assert_script_run("echo $message|nc -l 127.0.0.1 5905", timeout => 300); # Finish job wait_for_children; - } - else { + } else { mutex_wait('stunnel'); # Copy the certificate from server exec_and_insert_password('scp -o StrictHostKeyChecking=no root@10.0.2.101:/etc/stunnel/stunnel.pem /etc/stunnel'); diff --git a/tests/security/dm_crypt.pm b/tests/security/dm_crypt.pm index 4213f808e9bb..dbbef2bf5631 100644 --- a/tests/security/dm_crypt.pm +++ b/tests/security/dm_crypt.pm @@ -13,10 +13,13 @@ use base "consoletest"; use testapi; use serial_terminal 'select_serial_terminal'; use utils; +use version_utils 'is_sle'; sub run { select_serial_terminal; + zypper_call('in cryptsetup'); + my $crypt_pass = "dm#*crypt_iYBJY_rIekeV123"; my $crypt_tmp = "/tmp/foo"; my $crypt_dev = "foo"; 
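Review bot: In stunnel.pm (hunk @@ -62,6 +63,7) the combined key-and-certificate file is first copied with the default mode and only tightened by the added `chmod 600`, and the preceding `cp stunnel.pem /etc/stunnel; cd` reports only the exit status of `cd`. Creating the file with its final mode in one checked step covers both: `assert_script_run('install -m 600 stunnel.pem /etc/stunnel/stunnel.pem && cd');`. The copies of stunnel.key and stunnel.pem left in stunnel_fips keep whatever mode the umask gave them; if the change is only meant to satisfy stunnel's own permission check, a short comment saying so would make that clear.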
@@ -35,18 +38,16 @@ sub run {
 my $check = script_run "grep '$i' $bench_log | grep -E -v 'N\/A\\s+N\/A'";
 die "$i should not be supported anywhere!" if ($check eq 0);
 }
- }
- elsif ($ret) {
+ } elsif ($ret) {
 die "Benchmark failed with return value $ret";
 }
 # Here we check the ciphers in the practice with LUKS support, since
 # cryptsetup benchmark does not support cipher+hash combination as a
 # parameter
- assert_script_run "dd if=/dev/urandom of=$crypt_tmp bs=4M count=3";
+ assert_script_run "dd if=/dev/urandom of=$crypt_tmp bs=4M count=25";
 my @check_list = (
- {name => "aes", mode => "xts-plain64", hash => "sha1"},
 {name => "aes", mode => "xts-plain64", hash => "md5", no_support => 1},
 {name => "aes", mode => "xts-plain64", hash => "sha256"},
 {name => "aes", mode => "xts-plain", hash => "sha512"},
@@ -54,6 +55,7 @@ sub run {
 {name => "serpent", mode => "xts-plain64", hash => "sha256", no_fips => 1},
 {name => "twofish", mode => "cbc-plain64", hash => "sha1", no_fips => 1},
 ); # Not all the combinations will be checked here
+ push @check_list, {name => "aes", mode => "xts-plain64", hash => "sha1"} if is_sle('<16');
 foreach my $c (@check_list) {
 my $cipher = "@$c{name}-@$c{mode}";
@@ -64,20 +66,24 @@ sub run {
 die "$cipher with @$c{hash} verification failed";
 }
- validate_script_output "cryptsetup luksDump $crypt_tmp", sub {
- m/
- Cipher\sname:\s+@$c{name}.*
- Cipher\smode:\s+@$c{mode}.*
- Hash\sspec:\s+@$c{hash}/sxx
- };
+ if (is_sle('>=16')) {
+ validate_script_output "cryptsetup luksDump $crypt_tmp", sub {
+ m/
+ .*Cipher:\s+@$c{name}-@$c{mode}.*
+ .*AF\shash:\s+@$c{hash}/sxx
+ };
+ } else {
+ validate_script_output "cryptsetup luksDump $crypt_tmp", sub {
+ m/
+ Cipher\sname:\s+@$c{name}.*
+ Cipher\smode:\s+@$c{mode}.*
+ Hash\sspec:\s+@$c{hash}/sxx
+ };
+ }
 assert_script_run "echo -e $crypt_pass | cryptsetup -q luksOpen $crypt_tmp $crypt_dev";
 assert_script_run "cryptsetup luksClose $crypt_dev";
 }
 }
-sub test_flags {
- return {always_rollback => 1};
-}
-
 1;
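Review bot: In dm_crypt.pm (hunk @@ -35,18 +38,16) the backing file grows from `count=3` to `count=25` with no explanation, so the new value reads as a magic number. If the larger image is needed because the newer LUKS header and keyslot area no longer fit in 12M (the hunk does not say), state that next to the command, e.g. `# 100M image: LUKS2 metadata does not fit the old 12M file (confirm)`. run() starts and ends outside the hunk.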
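Review bot: The sha1 entry in dm_crypt.pm (hunk @@ -54,6 +55,7, `if is_sle('<16')`) and the choice of luksDump pattern in the following hunk (`if (is_sle('>=16'))`) both key on the product version instead of on the header format cryptsetup actually wrote. If `is_sle` returns false on non-SLE products, those runs lose the sha1 case and are always matched against the old `Cipher name:` / `Hash spec:` field names, whatever format the installed cryptsetup defaults to. Pinning the format on the luksFormat call (outside these hunks) with `--type luks1` or `--type luks2`, or branching on the `Version:` line of the dump, would remove the dependency on distribution defaults. A comment saying why sha1 is excluded on 16 would also help readers of the list.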
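Review bot: In dm_crypt.pm (hunk @@ -64,20 +66,24) the two branches repeat the whole `validate_script_output` call and interpolate `@$c{name}`, `@$c{mode}` and `@$c{hash}` into the pattern unescaped, although `$cipher` already holds the joined name. Choosing only the pattern per branch and matching `\Q$cipher\E` keeps a single call site and stops the `-` and any future metacharacters in a list entry from being read as regex syntax. The hunk also deletes `test_flags` with `always_rollback => 1`; together with the added package install this looks like it leaves state behind for later modules, so if the removal is intentional it deserves a sentence in the commit message.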
diff --git a/tests/security/vsftpd/vsftpd_setup.pm b/tests/security/vsftpd/vsftpd_setup.pm index f055e8fdea74..080788393d73 100644 --- a/tests/security/vsftpd/vsftpd_setup.pm +++ b/tests/security/vsftpd/vsftpd_setup.pm @@ -29,7 +29,7 @@ sub run { zypper_call("in vsftpd expect openssl wget"); # Create self-signed certificate - assert_script_run("mkdir $vsftpd_path && cd $vsftpd_path"); + assert_script_run("(test -d $vsftpd_path || mkdir $vsftpd_path) && cd $vsftpd_path"); assert_script_run "expect -c 'spawn openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout $key_file -out $cert_file; expect \"Country Name (2 letter code) \\[AU\\]\"; send \"DE\\r\"; expect \"State or Province Name (full name) \\[Some-State\\]:\"; send \"Nuremberg\\r\";