Disable mandatory ECP support for attestion

This commit is contained in:
Andreas Steffen 2014-03-07 21:54:51 +01:00
parent ac17ca1ad7
commit 342bc6e545
24 changed files with 347 additions and 9 deletions

View File

@ -7,6 +7,9 @@ charon.plugins.imc-attestation.aik_cert =
charon.plugins.imc-attestation.aik_key =
AIK public key file.
charon.plugins.imc-attestation.mandatory_dh_groups = yes
Enforce mandatory Diffie-Hellman groups.
charon.plugins.imc-attestation.nonce_len = 20
DH nonce length.

View File

@ -1,6 +1,9 @@
charon.plugins.imv-attestation.cadir =
Path to directory with AIK cacerts.
charon.plugins.imv-attestation.mandatory_dh_groups = yes
Enforce mandatory Diffie-Hellman groups.
charon.plugins.imv-attestation.dh_group = ecp256
Preferred Diffie-Hellman group.

View File

@ -66,6 +66,8 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
TNC_Version max_version,
TNC_Version *actual_version)
{
bool mandatory_dh_groups;
if (imc_attestation)
{
DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
@ -78,8 +80,11 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
return TNC_RESULT_FATAL;
}
mandatory_dh_groups = lib->settings->get_bool(lib->settings,
"%s.plugins.imc-attestation.mandatory_dh_groups", TRUE, lib->ns);
if (!pts_meas_algo_probe(&supported_algorithms) ||
!pts_dh_group_probe(&supported_dh_groups))
!pts_dh_group_probe(&supported_dh_groups, mandatory_dh_groups))
{
imc_attestation->destroy(imc_attestation);
imc_attestation = NULL;

View File

@ -706,6 +706,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
private_imv_attestation_agent_t *this;
imv_agent_t *agent;
char *hash_alg, *dh_group, *cadir;
bool mandatory_dh_groups;
agent = imv_agent_create(name, msg_types, countof(msg_types), id,
actual_version);
@ -718,6 +719,8 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
"%s.plugins.imv-attestation.hash_algorithm", "sha256", lib->ns);
dh_group = lib->settings->get_str(lib->settings,
"%s.plugins.imv-attestation.dh_group", "ecp256", lib->ns);
mandatory_dh_groups = lib->settings->get_bool(lib->settings,
"%s.plugins.imv-attestation.mandatory_dh_groups", TRUE, lib->ns);
cadir = lib->settings->get_str(lib->settings,
"%s.plugins.imv-attestation.cadir", NULL, lib->ns);
@ -742,7 +745,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
libpts_init();
if (!pts_meas_algo_probe(&this->supported_algorithms) ||
!pts_dh_group_probe(&this->supported_dh_groups) ||
!pts_dh_group_probe(&this->supported_dh_groups, mandatory_dh_groups) ||
!pts_meas_algo_update(hash_alg, &this->supported_algorithms) ||
!pts_dh_group_update(dh_group, &this->supported_dh_groups))
{

View File

@ -20,7 +20,7 @@
/**
* Described in header.
*/
bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups)
{
enumerator_t *enumerator;
diffie_hellman_group_t dh_group;
@ -68,14 +68,23 @@ bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
if (*dh_groups & PTS_DH_GROUP_IKE19)
{
/* mandatory PTS DH group is available */
return TRUE;
}
else
if (*dh_groups == PTS_DH_GROUP_NONE)
{
DBG1(DBG_PTS, "no PTS DH group available");
return FALSE;
}
if (mandatory_dh_groups)
{
DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names,
ECP_256_BIT);
}
return FALSE;
}
/* at least one optional PTS DH group is available */
return TRUE;
}
/**

View File

@ -60,9 +60,12 @@ enum pts_dh_group_t {
* Probe available PTS Diffie-Hellman groups
*
* @param dh_groups returns set of available DH groups
* @param mandatory_dh_groups if TRUE enforce mandatory PTS DH groups
* @return TRUE if mandatory DH groups are available
* or at least one optional DH group if
* mandatory_dh_groups is set to FALSE.
*/
bool pts_dh_group_probe(pts_dh_group_t *dh_groups);
bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups);
/**
* Update supported Diffie-Hellman groups according to configuration

View File

@ -0,0 +1,26 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
using EAP-TTLS authentication only with the gateway presenting a server certificate and
the clients doing EAP-MD5 password-based authentication.
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
exchange PA-TNC attributes.
<p>
<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
<em>Attribute Request</em> PA-TNC attribute. <b>dave</b> is instructed to do a reference
measurement on all files in the <b>/bin</b> directory. <b>carol</b> is then prompted to
measure a couple of individual files and the files in the <b>/bin</b> directory as
well as to get metadata on the <b>/etc/tnc_confg</b> configuration file.
<p>
Since the Attestation IMV negotiates a Diffie-Hellman group for TPM-based measurements,
the mandatory default being <b>ecp256</b>, with the strongswan.conf option
<b>mandatory_dh_groups = no</b> no ECC support is required.
<p>
<b>carol</b> passes the health test and <b>dave</b> fails because IP forwarding is
enabled. Based on these assessments which are communicated to the IMCs using the
<em>Assessment Result</em> PA-TNC attribute, the clients are connected by gateway <b>moon</b>
to the "rw-allow" and "rw-isolate" subnets, respectively.
</p>

View File

@ -0,0 +1,20 @@
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO

View File

@ -0,0 +1,23 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3, pts 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_CAROL
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightauth=any
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=add

View File

@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : EAP "Ar3etTnp"

View File

@ -0,0 +1,22 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
}
libimcv {
plugins {
imc-os {
push_info = yes
}
imc-attestation {
mandatory_dh_groups = no
}
}
}

View File

@ -0,0 +1,4 @@
#IMC configuration file for strongSwan client
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so

View File

@ -0,0 +1,23 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3, pts 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_DAVE
leftid=dave@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightauth=any
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=add

View File

@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
dave@strongswan.org : EAP "W7R0g3do"

View File

@ -0,0 +1,25 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
tnc-imc {
preferred_language = de
}
}
}
libimcv {
plugins {
imc-os {
push_info = no
}
imc-attestation {
mandatory_dh_groups = no
}
}
}

View File

@ -0,0 +1,4 @@
#IMC configuration file for strongSwan client
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so

View File

@ -0,0 +1,34 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imv 3, pts 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=eap-ttls
leftfirewall=yes
rightauth=eap-ttls
rightid=*@strongswan.org
rightsendcert=never
right=%any

View File

@ -0,0 +1,6 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem
carol@strongswan.org : EAP "Ar3etTnp"
dave@strongswan.org : EAP "W7R0g3do"

View File

@ -0,0 +1,29 @@
/* Devices */
INSERT INTO devices ( /* 1 */
value, product, created
) VALUES (
'aabbccddeeff11223344556677889900', 28, 1372330615
);
/* Groups Members */
INSERT INTO groups_members (
group_id, device_id
) VALUES (
10, 1
);
INSERT INTO enforcements (
policy, group_id, max_age, rec_fail, rec_noresult
) VALUES (
3, 10, 0, 2, 2
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
16, 2, 0
);
DELETE FROM enforcements WHERE id = 1;

View File

@ -0,0 +1,34 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
multiple_authentication=no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
}
}
libimcv {
database = sqlite:///etc/pts/config.db
policy_script = ipsec imv_policy_manager
plugins {
imv-attestation {
hash_algorithm = sha1
dh_group = modp2048
mandatory_dh_groups = no
}
}
}
attest {
load = random nonce openssl sqlite
database = sqlite:///etc/pts/config.db
}

View File

@ -0,0 +1,4 @@
#IMV configuration file for strongSwan client
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so

View File

@ -0,0 +1,8 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
carol::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::rm /etc/pts/config.db

View File

@ -0,0 +1,18 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
carol::echo 0 > /proc/sys/net/ipv4/ip_forward
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
moon::ipsec start
dave::ipsec start
carol::ipsec start
dave::sleep 1
dave::ipsec up home
carol::ipsec up home
carol::sleep 1
moon::ipsec attest --sessions
moon::ipsec attest --devices

View File

@ -0,0 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
# guest instances used for this test
# All guest instances that are required for this test
#
VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=