From 342bc6e545b7f952a288ff7791cc2450e44e3fd6 Mon Sep 17 00:00:00 2001 
From: Andreas Steffen Date: Fri, 7 Mar 2014 21:54:51 +0100 Subject: [PATCH] Disable mandatory ECP support for attestation --- conf/plugins/imc-attestation.opt | 5 ++- conf/plugins/imv-attestation.opt | 3 ++ .../plugins/imc_attestation/imc_attestation.c | 7 +++- .../imv_attestation/imv_attestation_agent.c | 5 ++- src/libpts/pts/pts_dh_group.c | 15 ++++++-- src/libpts/pts/pts_dh_group.h | 9 +++-- .../tnc/tnccs-20-pts-no-ecc/description.txt | 26 ++++++++++++++ .../tnc/tnccs-20-pts-no-ecc/evaltest.dat | 20 +++++++++++ .../hosts/carol/etc/ipsec.conf | 23 +++++++++++++ .../hosts/carol/etc/ipsec.secrets | 3 ++ .../hosts/carol/etc/strongswan.conf | 22 ++++++++++++ .../hosts/carol/etc/tnc_config | 4 +++ .../hosts/dave/etc/ipsec.conf | 23 +++++++++++++ .../hosts/dave/etc/ipsec.secrets | 3 ++ .../hosts/dave/etc/strongswan.conf | 25 ++++++++++++++ .../hosts/dave/etc/tnc_config | 4 +++ .../hosts/moon/etc/ipsec.conf | 34 +++++++++++++++++++ .../hosts/moon/etc/ipsec.secrets | 6 ++++ .../hosts/moon/etc/pts/data1.sql | 29 ++++++++++++++++ .../hosts/moon/etc/strongswan.conf | 34 +++++++++++++++++++ .../hosts/moon/etc/tnc_config | 4 +++ .../tnc/tnccs-20-pts-no-ecc/posttest.dat | 8 +++++ .../tests/tnc/tnccs-20-pts-no-ecc/pretest.dat | 18 ++++++++++ .../tests/tnc/tnccs-20-pts-no-ecc/test.conf | 26 ++++++++++++++ 24 files changed, 347 insertions(+), 9 deletions(-) create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf create mode 100644 
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat create mode 100644 testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf diff --git a/conf/plugins/imc-attestation.opt b/conf/plugins/imc-attestation.opt index 9c108053b..aaac4c2c1 100644 --- a/conf/plugins/imc-attestation.opt +++ b/conf/plugins/imc-attestation.opt @@ -7,6 +7,9 @@ charon.plugins.imc-attestation.aik_cert = charon.plugins.imc-attestation.aik_key = AIK public key file. +charon.plugins.imc-attestation.mandatory_dh_groups = yes + Enforce mandatory Diffie-Hellman groups. + charon.plugins.imc-attestation.nonce_len = 20 DH nonce length. @@ -14,4 +17,4 @@ charon.plugins.imc-attestation.use_quote2 = yes Use Quote2 AIK signature instead of Quote signature. charon.plugins.imc-attestation.pcr_info = yes - Whether to send pcr_before and pcr_after info. \ No newline at end of file + Whether to send pcr_before and pcr_after info. diff --git a/conf/plugins/imv-attestation.opt b/conf/plugins/imv-attestation.opt index c0ae20488..f266281e6 100644 --- a/conf/plugins/imv-attestation.opt +++ b/conf/plugins/imv-attestation.opt 
@@ -1,6 +1,9 @@ charon.plugins.imv-attestation.cadir = Path to directory with AIK cacerts. +charon.plugins.imv-attestation.mandatory_dh_groups = yes + Enforce mandatory Diffie-Hellman groups. + charon.plugins.imv-attestation.dh_group = ecp256 Preferred Diffie-Hellman group. diff --git a/src/libpts/plugins/imc_attestation/imc_attestation.c b/src/libpts/plugins/imc_attestation/imc_attestation.c index 467b998c8..c71b21666 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation.c +++ b/src/libpts/plugins/imc_attestation/imc_attestation.c @@ -66,6 +66,8 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id, TNC_Version max_version, TNC_Version *actual_version) { + bool mandatory_dh_groups; + if (imc_attestation) { DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name); @@ -78,8 +80,11 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id, return TNC_RESULT_FATAL; } + mandatory_dh_groups = lib->settings->get_bool(lib->settings, + "%s.plugins.imc-attestation.mandatory_dh_groups", TRUE, lib->ns); + if (!pts_meas_algo_probe(&supported_algorithms) || - !pts_dh_group_probe(&supported_dh_groups)) + !pts_dh_group_probe(&supported_dh_groups, mandatory_dh_groups)) { imc_attestation->destroy(imc_attestation); imc_attestation = NULL; diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c index e8c3c5e40..03e82db70 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c @@ -706,6 +706,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id, private_imv_attestation_agent_t *this; imv_agent_t *agent; char *hash_alg, *dh_group, *cadir; + bool mandatory_dh_groups; agent = imv_agent_create(name, msg_types, countof(msg_types), id, actual_version); 
@@ -718,6 +719,8 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id, "%s.plugins.imv-attestation.hash_algorithm", "sha256", lib->ns); dh_group = lib->settings->get_str(lib->settings, "%s.plugins.imv-attestation.dh_group", "ecp256", lib->ns); + mandatory_dh_groups = lib->settings->get_bool(lib->settings, + "%s.plugins.imv-attestation.mandatory_dh_groups", TRUE, lib->ns); cadir = lib->settings->get_str(lib->settings, "%s.plugins.imv-attestation.cadir", NULL, lib->ns); @@ -742,7 +745,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id, libpts_init(); if (!pts_meas_algo_probe(&this->supported_algorithms) || - !pts_dh_group_probe(&this->supported_dh_groups) || + !pts_dh_group_probe(&this->supported_dh_groups, mandatory_dh_groups) || !pts_meas_algo_update(hash_alg, &this->supported_algorithms) || !pts_dh_group_update(dh_group, &this->supported_dh_groups)) { diff --git a/src/libpts/pts/pts_dh_group.c b/src/libpts/pts/pts_dh_group.c index 41a436036..305b4ec4f 100644 --- a/src/libpts/pts/pts_dh_group.c +++ b/src/libpts/pts/pts_dh_group.c @@ -20,7 +20,7 @@ /** * Described in header. */ -bool pts_dh_group_probe(pts_dh_group_t *dh_groups) +bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups) { enumerator_t *enumerator; diffie_hellman_group_t dh_group; @@ -68,14 +68,23 @@ bool pts_dh_group_probe(pts_dh_group_t *dh_groups) if (*dh_groups & PTS_DH_GROUP_IKE19) { + /* mandatory PTS DH group is available */ return TRUE; } - else + if (*dh_groups == PTS_DH_GROUP_NONE) + { + DBG1(DBG_PTS, "no PTS DH group available"); + return FALSE; + } + if (mandatory_dh_groups) { DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names, ECP_256_BIT); + return FALSE; } - return FALSE; + + /* at least one optional PTS DH group is available */ + return TRUE; } /** diff --git a/src/libpts/pts/pts_dh_group.h b/src/libpts/pts/pts_dh_group.h index 2aab90263..f5d951e9a 100644 --- a/src/libpts/pts/pts_dh_group.h 
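Review bot: With `mandatory_dh_groups = no` the @@ -742 hunk still hands the unchanged default `dh_group` of `"ecp256"` (read in the @@ -718 hunk) to `pts_dh_group_update()`, so on a build without ECC the probe now succeeds but agent creation presumably still fails unless `dh_group` is reconfigured as well; the new test does exactly that with `dh_group = modp2048` in moon's strongswan.conf, but nothing in the code or the option text says so. Consider either picking the default preferred group from the probed `this->supported_dh_groups` when enforcement is off, or documenting in `conf/plugins/imv-attestation.opt` under `mandatory_dh_groups` that `dh_group` must then name a group available in the build, e.g. `modp2048`. How `pts_dh_group_update()` treats a group that is absent from the supported set is not visible in this diff, so this is inferred from the test configuration. `imv_attestation_agent_create`'s body continues outside the hunk.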
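Review bot: When `mandatory_dh_groups` is FALSE and `PTS_DH_GROUP_IKE19` is absent, the @@ -68 hunk of `pts_dh_group_probe()` now returns TRUE without emitting any log line, so an operator cannot tell from the logs that attestation is running without the PTS-mandatory ECP-256 group and will negotiate only the optional (MODP) groups; the existing `format2` message is reached only in the enforcing branch. A notice before the final return makes the degraded mode visible, e.g. `DBG1(DBG_PTS, "mandatory PTS DH group %N not available, using optional groups only", diffie_hellman_group_names, ECP_256_BIT);` (the `%N` enum-name specifier is what the surrounding `DBG1` calls appear to rely on). The same silent-success path is what the IMC and IMV callers in imc_attestation.c and imv_attestation_agent.c now depend on, so logging it here covers both. `pts_dh_group_probe`'s body starts before this hunk.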
+++ b/src/libpts/pts/pts_dh_group.h @@ -59,10 +59,13 @@ enum pts_dh_group_t { /** * Probe available PTS Diffie-Hellman groups * - * @param dh_groups returns set of available DH groups - * @return TRUE if mandatory DH groups are available + * @param dh_groups returns set of available DH groups + * @param mandatory_dh_groups if TRUE enforce mandatory PTS DH groups + * @return TRUE if mandatory DH groups are available + * or at least one optional DH group if + * mandatory_dh_groups is set to FALSE. */ -bool pts_dh_group_probe(pts_dh_group_t *dh_groups); +bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups); /** * Update supported Diffie-Hellman groups according to configuration diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt new file mode 100644 index 000000000..29976509a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt @@ -0,0 +1,26 @@ +The roadwarriors carol and dave set up a connection each to gateway moon +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +state of carol's and dave's operating system via the TNCCS 2.0 +client-server interface compliant with RFC 5793 PB-TNC. The OS IMC and OS IMV pair +is using the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC to +exchange PA-TNC attributes. +

+carol sends information on her operating system consisting of the PA-TNC attributes +Product Information, String Version, and Device ID up-front +to the Attestation IMV, whereas dave must be prompted by the IMV to do so via an +Attribute Request PA-TNC attribute. dave is instructed to do a reference +measurement on all files in the /bin directory. carol is then prompted to +measure a couple of individual files and the files in the /bin directory as +well as to get metadata on the /etc/tnc_confg configuration file. +

+Since the Attestation IMV negotiates a Diffie-Hellman group for TPM-based measurements, +the mandatory default being ecp256, with the strongswan.conf option +mandatory_dh_groups = no no ECC support is required. +

+carol passes the health test and dave fails because IP forwarding is +enabled. Based on these assessments which are communicated to the IMCs using the +Assessment Result PA-TNC attribute, the clients are connected by gateway moon +to the "rw-allow" and "rw-isolate" subnets, respectively. +

diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat new file mode 100644 index 000000000..5eb944055 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat 
@@ -0,0 +1,20 @@ +carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES +dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES +moon:: cat /var/log/daemon.log::added group membership 'allow'::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES +moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES +moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..d17473db1 --- /dev/null 
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imc 3, pts 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=any + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..72bf2c7c9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf @@ -0,0 +1,22 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + } +} + +libimcv { + plugins { + imc-os { + push_info = yes + } + imc-attestation { + mandatory_dh_groups = no + } + } +} diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..15dc93a0a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config 
@@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..d459bfc6c --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imc 3, pts 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=any + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..6f71994ae --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf 
@@ -0,0 +1,25 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + multiple_authentication=no + plugins { + eap-tnc { + protocol = tnccs-2.0 + } + tnc-imc { + preferred_language = de + } + } +} + +libimcv { + plugins { + imc-os { + push_info = no + } + imc-attestation { + mandatory_dh_groups = no + } + } +} diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..15dc93a0a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..bc8b2d8f9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf @@ -0,0 +1,34 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imv 3, pts 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any 
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql new file mode 100644 index 000000000..2bb7e7924 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql @@ -0,0 +1,29 @@ +/* Devices */ + +INSERT INTO devices ( /* 1 */ + value, product, created +) VALUES ( + 'aabbccddeeff11223344556677889900', 28, 1372330615 +); + +/* Groups Members */ + +INSERT INTO groups_members ( + group_id, device_id +) VALUES ( + 10, 1 +); + +INSERT INTO enforcements ( + policy, group_id, max_age, rec_fail, rec_noresult +) VALUES ( + 3, 10, 0, 2, 2 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 16, 2, 0 +); + +DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..e76598b9a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,34 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite + multiple_authentication=no + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + eap-tnc { + protocol = tnccs-2.0 + } + } +} + +libimcv { + database = sqlite:///etc/pts/config.db + policy_script = ipsec imv_policy_manager + plugins { + imv-attestation { + hash_algorithm = sha1 + dh_group = modp2048 + mandatory_dh_groups = no + } + } +} + +attest { + load = random nonce openssl sqlite + database = sqlite:///etc/pts/config.db +} + diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..6507baaa1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan client + +IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so +IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat new file mode 100644 index 000000000..48514d6e0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +carol::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::rm /etc/pts/config.db diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat new file mode 100644 index 000000000..49ea0416e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat 
@@ -0,0 +1,18 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::echo 0 > /proc/sys/net/ipv4/ip_forward +dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id +moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +moon::ipsec start +dave::ipsec start +carol::ipsec start +dave::sleep 1 +dave::ipsec up home +carol::ipsec up home +carol::sleep 1 +moon::ipsec attest --sessions +moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf new file mode 100644 index 000000000..a8a05af19 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= +