Disable mandatory ECP support for attestion
parent
ac17ca1ad7
commit
342bc6e545
|
@ -7,6 +7,9 @@ charon.plugins.imc-attestation.aik_cert =
|
|||
charon.plugins.imc-attestation.aik_key =
|
||||
AIK public key file.
|
||||
|
||||
charon.plugins.imc-attestation.mandatory_dh_groups = yes
|
||||
Enforce mandatory Diffie-Hellman groups.
|
||||
|
||||
charon.plugins.imc-attestation.nonce_len = 20
|
||||
DH nonce length.
|
||||
|
||||
|
@ -14,4 +17,4 @@ charon.plugins.imc-attestation.use_quote2 = yes
|
|||
Use Quote2 AIK signature instead of Quote signature.
|
||||
|
||||
charon.plugins.imc-attestation.pcr_info = yes
|
||||
Whether to send pcr_before and pcr_after info.
|
||||
Whether to send pcr_before and pcr_after info.
|
||||
|
|
|
@ -1,6 +1,9 @@
|
|||
charon.plugins.imv-attestation.cadir =
|
||||
Path to directory with AIK cacerts.
|
||||
|
||||
charon.plugins.imv-attestation.mandatory_dh_groups = yes
|
||||
Enforce mandatory Diffie-Hellman groups.
|
||||
|
||||
charon.plugins.imv-attestation.dh_group = ecp256
|
||||
Preferred Diffie-Hellman group.
|
||||
|
||||
|
|
|
@ -66,6 +66,8 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
|
|||
TNC_Version max_version,
|
||||
TNC_Version *actual_version)
|
||||
{
|
||||
bool mandatory_dh_groups;
|
||||
|
||||
if (imc_attestation)
|
||||
{
|
||||
DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
|
||||
|
@ -78,8 +80,11 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
|
|||
return TNC_RESULT_FATAL;
|
||||
}
|
||||
|
||||
mandatory_dh_groups = lib->settings->get_bool(lib->settings,
|
||||
"%s.plugins.imc-attestation.mandatory_dh_groups", TRUE, lib->ns);
|
||||
|
||||
if (!pts_meas_algo_probe(&supported_algorithms) ||
|
||||
!pts_dh_group_probe(&supported_dh_groups))
|
||||
!pts_dh_group_probe(&supported_dh_groups, mandatory_dh_groups))
|
||||
{
|
||||
imc_attestation->destroy(imc_attestation);
|
||||
imc_attestation = NULL;
|
||||
|
|
|
@ -706,6 +706,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
|
|||
private_imv_attestation_agent_t *this;
|
||||
imv_agent_t *agent;
|
||||
char *hash_alg, *dh_group, *cadir;
|
||||
bool mandatory_dh_groups;
|
||||
|
||||
agent = imv_agent_create(name, msg_types, countof(msg_types), id,
|
||||
actual_version);
|
||||
|
@ -718,6 +719,8 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
|
|||
"%s.plugins.imv-attestation.hash_algorithm", "sha256", lib->ns);
|
||||
dh_group = lib->settings->get_str(lib->settings,
|
||||
"%s.plugins.imv-attestation.dh_group", "ecp256", lib->ns);
|
||||
mandatory_dh_groups = lib->settings->get_bool(lib->settings,
|
||||
"%s.plugins.imv-attestation.mandatory_dh_groups", TRUE, lib->ns);
|
||||
cadir = lib->settings->get_str(lib->settings,
|
||||
"%s.plugins.imv-attestation.cadir", NULL, lib->ns);
|
||||
|
||||
|
@ -742,7 +745,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
|
|||
libpts_init();
|
||||
|
||||
if (!pts_meas_algo_probe(&this->supported_algorithms) ||
|
||||
!pts_dh_group_probe(&this->supported_dh_groups) ||
|
||||
!pts_dh_group_probe(&this->supported_dh_groups, mandatory_dh_groups) ||
|
||||
!pts_meas_algo_update(hash_alg, &this->supported_algorithms) ||
|
||||
!pts_dh_group_update(dh_group, &this->supported_dh_groups))
|
||||
{
|
||||
|
|
|
@ -20,7 +20,7 @@
|
|||
/**
|
||||
* Described in header.
|
||||
*/
|
||||
bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
|
||||
bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups)
|
||||
{
|
||||
enumerator_t *enumerator;
|
||||
diffie_hellman_group_t dh_group;
|
||||
|
@ -68,14 +68,23 @@ bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
|
|||
|
||||
if (*dh_groups & PTS_DH_GROUP_IKE19)
|
||||
{
|
||||
/* mandatory PTS DH group is available */
|
||||
return TRUE;
|
||||
}
|
||||
else
|
||||
if (*dh_groups == PTS_DH_GROUP_NONE)
|
||||
{
|
||||
DBG1(DBG_PTS, "no PTS DH group available");
|
||||
return FALSE;
|
||||
}
|
||||
if (mandatory_dh_groups)
|
||||
{
|
||||
DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names,
|
||||
ECP_256_BIT);
|
||||
return FALSE;
|
||||
}
|
||||
return FALSE;
|
||||
|
||||
/* at least one optional PTS DH group is available */
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
@ -59,10 +59,13 @@ enum pts_dh_group_t {
|
|||
/**
|
||||
* Probe available PTS Diffie-Hellman groups
|
||||
*
|
||||
* @param dh_groups returns set of available DH groups
|
||||
* @return TRUE if mandatory DH groups are available
|
||||
* @param dh_groups returns set of available DH groups
|
||||
* @param mandatory_dh_groups if TRUE enforce mandatory PTS DH groups
|
||||
* @return TRUE if mandatory DH groups are available
|
||||
* or at least one optional DH group if
|
||||
* mandatory_dh_groups is set to FALSE.
|
||||
*/
|
||||
bool pts_dh_group_probe(pts_dh_group_t *dh_groups);
|
||||
bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups);
|
||||
|
||||
/**
|
||||
* Update supported Diffie-Hellman groups according to configuration
|
||||
|
|
|
@ -0,0 +1,26 @@
|
|||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
|
||||
using EAP-TTLS authentication only with the gateway presenting a server certificate and
|
||||
the clients doing EAP-MD5 password-based authentication.
|
||||
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
|
||||
state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
|
||||
client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
|
||||
is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
|
||||
exchange PA-TNC attributes.
|
||||
<p>
|
||||
<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
|
||||
<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
|
||||
to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
|
||||
<em>Attribute Request</em> PA-TNC attribute. <b>dave</b> is instructed to do a reference
|
||||
measurement on all files in the <b>/bin</b> directory. <b>carol</b> is then prompted to
|
||||
measure a couple of individual files and the files in the <b>/bin</b> directory as
|
||||
well as to get metadata on the <b>/etc/tnc_confg</b> configuration file.
|
||||
<p>
|
||||
Since the Attestation IMV negotiates a Diffie-Hellman group for TPM-based measurements,
|
||||
the mandatory default being <b>ecp256</b>, with the strongswan.conf option
|
||||
<b>mandatory_dh_groups = no</b> no ECC support is required.
|
||||
<p>
|
||||
<b>carol</b> passes the health test and <b>dave</b> fails because IP forwarding is
|
||||
enabled. Based on these assessments which are communicated to the IMCs using the
|
||||
<em>Assessment Result</em> PA-TNC attribute, the clients are connected by gateway <b>moon</b>
|
||||
to the "rw-allow" and "rw-isolate" subnets, respectively.
|
||||
</p>
|
|
@ -0,0 +1,20 @@
|
|||
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
|
||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
|
||||
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
|
||||
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
||||
moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
|
||||
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||
moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
|
||||
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
|
@ -0,0 +1,23 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imc 3, pts 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftid=carol@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightauth=any
|
||||
rightsendcert=never
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
|
|
@ -0,0 +1,22 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
|
||||
multiple_authentication=no
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-2.0
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libimcv {
|
||||
plugins {
|
||||
imc-os {
|
||||
push_info = yes
|
||||
}
|
||||
imc-attestation {
|
||||
mandatory_dh_groups = no
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
#IMC configuration file for strongSwan client
|
||||
|
||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
||||
IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
|
|
@ -0,0 +1,23 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imc 3, pts 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftid=dave@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightauth=any
|
||||
rightsendcert=never
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
@ -0,0 +1,25 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
|
||||
multiple_authentication=no
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-2.0
|
||||
}
|
||||
tnc-imc {
|
||||
preferred_language = de
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libimcv {
|
||||
plugins {
|
||||
imc-os {
|
||||
push_info = no
|
||||
}
|
||||
imc-attestation {
|
||||
mandatory_dh_groups = no
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,4 @@
|
|||
#IMC configuration file for strongSwan client
|
||||
|
||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
||||
IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
|
|
@ -0,0 +1,34 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imv 3, pts 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw-allow
|
||||
rightgroups=allow
|
||||
leftsubnet=10.1.0.0/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-isolate
|
||||
rightgroups=isolate
|
||||
leftsubnet=10.1.0.16/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-eap
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftauth=eap-ttls
|
||||
leftfirewall=yes
|
||||
rightauth=eap-ttls
|
||||
rightid=*@strongswan.org
|
||||
rightsendcert=never
|
||||
right=%any
|
|
@ -0,0 +1,6 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
|
||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
@ -0,0 +1,29 @@
|
|||
/* Devices */
|
||||
|
||||
INSERT INTO devices ( /* 1 */
|
||||
value, product, created
|
||||
) VALUES (
|
||||
'aabbccddeeff11223344556677889900', 28, 1372330615
|
||||
);
|
||||
|
||||
/* Groups Members */
|
||||
|
||||
INSERT INTO groups_members (
|
||||
group_id, device_id
|
||||
) VALUES (
|
||||
10, 1
|
||||
);
|
||||
|
||||
INSERT INTO enforcements (
|
||||
policy, group_id, max_age, rec_fail, rec_noresult
|
||||
) VALUES (
|
||||
3, 10, 0, 2, 2
|
||||
);
|
||||
|
||||
INSERT INTO enforcements (
|
||||
policy, group_id, max_age
|
||||
) VALUES (
|
||||
16, 2, 0
|
||||
);
|
||||
|
||||
DELETE FROM enforcements WHERE id = 1;
|
|
@ -0,0 +1,34 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
|
||||
multiple_authentication=no
|
||||
plugins {
|
||||
eap-ttls {
|
||||
phase2_method = md5
|
||||
phase2_piggyback = yes
|
||||
phase2_tnc = yes
|
||||
}
|
||||
eap-tnc {
|
||||
protocol = tnccs-2.0
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libimcv {
|
||||
database = sqlite:///etc/pts/config.db
|
||||
policy_script = ipsec imv_policy_manager
|
||||
plugins {
|
||||
imv-attestation {
|
||||
hash_algorithm = sha1
|
||||
dh_group = modp2048
|
||||
mandatory_dh_groups = no
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
attest {
|
||||
load = random nonce openssl sqlite
|
||||
database = sqlite:///etc/pts/config.db
|
||||
}
|
||||
|
|
@ -0,0 +1,4 @@
|
|||
#IMV configuration file for strongSwan client
|
||||
|
||||
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
|
||||
IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
|
|
@ -0,0 +1,8 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
||||
carol::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
moon::rm /etc/pts/config.db
|
|
@ -0,0 +1,18 @@
|
|||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
carol::echo 0 > /proc/sys/net/ipv4/ip_forward
|
||||
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
|
||||
moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
|
||||
moon::cat /etc/tnc_config
|
||||
carol::cat /etc/tnc_config
|
||||
dave::cat /etc/tnc_config
|
||||
moon::ipsec start
|
||||
dave::ipsec start
|
||||
carol::ipsec start
|
||||
dave::sleep 1
|
||||
dave::ipsec up home
|
||||
carol::ipsec up home
|
||||
carol::sleep 1
|
||||
moon::ipsec attest --sessions
|
||||
moon::ipsec attest --devices
|
|
@ -0,0 +1,26 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice venus moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-v-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
|
||||
# Guest instances on which FreeRadius is started
|
||||
#
|
||||
RADIUSHOSTS=
|
||||
|
Loading…
Reference in New Issue