ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

Make Attestation IMV independent of OS IMV

This commit is contained in:
Andreas Steffen 2014-04-05 15:38:06 +02:00
parent 4894bfa227
commit 48f37c448c
27 changed files with 446 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
src/libimcv/plugins/imv_os/imv_os_agent.c
View File

@ -118,24 +118,25 @@ METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
case TNC_CONNECTION_STATE_ACCESS_NONE:
if (imcv_db && this->agent->get_state(this->agent, id, &state))
if (this->agent->get_state(this->agent, id, &state) && imcv_db)
{
switch (new_state)
{
case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
break;
case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE;
break;
case TNC_CONNECTION_STATE_ACCESS_NONE:
default:
rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS;
}
session = state->get_session(state);
imcv_db->add_recommendation(imcv_db, session, rec);
if (session->get_policy_started(session))
{
switch (new_state)
{
case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
break;
case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE;
break;
case TNC_CONNECTION_STATE_ACCESS_NONE:
default:
rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS;
}
imcv_db->add_recommendation(imcv_db, session, rec);
if (!imcv_db->policy_script(imcv_db, session, FALSE))
{
DBG1(DBG_IMV, "error in policy script stop");
@ -233,7 +234,7 @@ static TNC_Result receive_msg(private_imv_os_agent_t *this, imv_state_t *state,
case IETF_ATTR_NUMERIC_VERSION:
{
ietf_attr_numeric_version_t *attr_cast;
u_int32_t major, minor;
uint32_t major, minor;
state->set_action_flags(state,
IMV_OS_ATTR_NUMERIC_VERSION);
@ -452,7 +453,7 @@ METHOD(imv_agent_if_t, receive_message_long, TNC_Result,
/**
* Build an IETF Attribute Request attribute for missing attributes
*/
static pa_tnc_attr_t* build_attr_request(u_int32_t received)
static pa_tnc_attr_t* build_attr_request(uint32_t received)
{
pa_tnc_attr_t *attr;
ietf_attr_attr_request_t *attr_cast;
@ -505,7 +506,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
TNC_Result result = TNC_RESULT_SUCCESS;
bool no_workitems = TRUE;
enumerator_t *enumerator;
u_int32_t received;
uint32_t received;
if (!this->agent->get_state(this->agent, id, &state))
{
@ -568,6 +569,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
state->set_recommendation(state,
TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
session->set_policy_started(session, TRUE);
}
handshake_state = IMV_OS_STATE_POLICY_START;
}

115
src/libpts/plugins/imv_attestation/imv_attestation_agent.c
View File

@ -32,6 +32,8 @@
#include <ietf/ietf_attr_pa_tnc_error.h>
#include <ietf/ietf_attr_product_info.h>
#include <ietf/ietf_attr_string_version.h>
#include <ita/ita_attr.h>
#include <ita/ita_attr_device_id.h>
#include <libpts.h>
@ -113,7 +115,9 @@ METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
private_imv_attestation_agent_t *this, TNC_ConnectionID id,
TNC_ConnectionState new_state)
{
TNC_IMV_Action_Recommendation rec;
imv_state_t *state;
imv_session_t *session;
switch (new_state)
{
@ -122,6 +126,35 @@ METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
return this->agent->create_state(this->agent, state);
case TNC_CONNECTION_STATE_DELETE:
return this->agent->delete_state(this->agent, id);
case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
case TNC_CONNECTION_STATE_ACCESS_NONE:
if (this->agent->get_state(this->agent, id, &state) && imcv_db)
{
session = state->get_session(state);
if (session->get_policy_started(session))
{
switch (new_state)
{
case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
break;
case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE;
break;
case TNC_CONNECTION_STATE_ACCESS_NONE:
default:
rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS;
}
imcv_db->add_recommendation(imcv_db, session, rec);
if (!imcv_db->policy_script(imcv_db, session, FALSE))
{
DBG1(DBG_IMV, "error in policy script stop");
}
}
}
/* fall through to default state */
default:
return this->agent->change_state(this->agent, id, new_state, NULL);
}
@ -135,7 +168,7 @@ static TNC_Result receive_msg(private_imv_attestation_agent_t *this,
{
imv_msg_t *out_msg;
imv_session_t *session;
imv_os_info_t *os_info = NULL;
imv_os_info_t *os_info;
enumerator_t *enumerator;
pa_tnc_attr_t *attr;
pen_type_t type;
@ -189,12 +222,27 @@ static TNC_Result receive_msg(private_imv_attestation_agent_t *this,
case IETF_ATTR_PRODUCT_INFORMATION:
{
ietf_attr_product_info_t *attr_cast;
pen_t vendor_id;
state->set_action_flags(state,
IMV_ATTESTATION_ATTR_PRODUCT_INFO);
attr_cast = (ietf_attr_product_info_t*)attr;
os_name = attr_cast->get_info(attr_cast, NULL, NULL);
os_name = attr_cast->get_info(attr_cast, &vendor_id, NULL);
os_info->set_name(os_info, os_name);
if (vendor_id != PEN_IETF)
{
DBG1(DBG_IMV, "operating system name is '%.*s' "
"from vendor %N", os_name.len, os_name.ptr,
pen_names, vendor_id);
}
else
{
DBG1(DBG_IMV, "operating system name is '%.*s'",
os_name.len, os_name.ptr);
}
break;
break;
}
case IETF_ATTR_STRING_VERSION:
@ -206,6 +254,32 @@ static TNC_Result receive_msg(private_imv_attestation_agent_t *this,
attr_cast = (ietf_attr_string_version_t*)attr;
os_version = attr_cast->get_version(attr_cast, NULL, NULL);
os_info->set_version(os_info, os_version);
if (os_version.len)
{
DBG1(DBG_IMV, "operating system version is '%.*s'",
os_version.len, os_version.ptr);
}
break;
}
default:
break;
}
}
else if (type.vendor_id == PEN_ITA)
{
switch (type.type)
{
case ITA_ATTR_DEVICE_ID:
{
chunk_t value;
state->set_action_flags(state,
IMV_ATTESTATION_ATTR_DEVICE_ID);
value = attr->get_value(attr);
DBG1(DBG_IMV, "device ID is %.*s", value.len, value.ptr);
session->set_device_id(session, value);
break;
}
default:
@ -289,7 +363,7 @@ METHOD(imv_agent_if_t, receive_message_long, TNC_Result,
/**
* Build an IETF Attribute Request attribute for missing attributes
*/
static pa_tnc_attr_t* build_attr_request(u_int32_t received)
static pa_tnc_attr_t* build_attr_request(uint32_t received)
{
pa_tnc_attr_t *attr;
ietf_attr_attr_request_t *attr_cast;
@ -303,12 +377,11 @@ static pa_tnc_attr_t* build_attr_request(u_int32_t received)
attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_PRODUCT_INFORMATION);
attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_STRING_VERSION);
}
/*
if (!(received & IMV_ATTESTATION_ATTR_DEVICE_ID))
{
attr_cast->add(attr_cast, PEN_ITA, ITA_ATTR_DEVICE_ID);
}
*/
return attr;
}
@ -327,7 +400,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
TNC_IMVID imv_id;
TNC_Result result = TNC_RESULT_SUCCESS;
pts_t *pts;
u_int32_t actions;
uint32_t actions;
enumerator_t *enumerator;
if (!this->agent->get_state(this->agent, id, &state))
@ -369,6 +442,29 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
state->set_action_flags(state, IMV_ATTESTATION_ATTR_REQ);
}
if (!session->get_policy_started(session) &&
(actions & IMV_ATTESTATION_ATTR_PRODUCT_INFO) &&
(actions & IMV_ATTESTATION_ATTR_STRING_VERSION) &&
(actions & IMV_ATTESTATION_ATTR_DEVICE_ID))
{
if (imcv_db)
{
/* start the policy script */
if (!imcv_db->policy_script(imcv_db, session, TRUE))
{
DBG1(DBG_IMV, "error in policy script start");
}
}
else
{
DBG2(DBG_IMV, "no workitems available - no evaluation possible");
state->set_recommendation(state,
TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
session->set_policy_started(session, TRUE);
}
}
if (handshake_state == IMV_ATTESTATION_STATE_INIT)
{
pa_tnc_attr_t *attr;
@ -399,10 +495,11 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
}
/* exit if we are not ready yet for PTS measurements */
if (!session->get_policy_started(session) || !(actions & IMV_ATTESTATION_ALGO))
if (!(actions & IMV_ATTESTATION_ALGO))
{
return TNC_RESULT_SUCCESS;
}
os_info = session->get_os_info(session);
pts->set_platform_info(pts, os_info->get_info(os_info));
@ -414,8 +511,8 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
if (!(actions & IMV_ATTESTATION_FILE_MEAS))
{
bool is_dir, no_workitems = TRUE;
u_int32_t delimiter = SOLIDUS_UTF;
u_int16_t request_id;
uint32_t delimiter = SOLIDUS_UTF;
uint16_t request_id;
pa_tnc_attr_t *attr;
char *pathname;

4
src/libpts/plugins/imv_attestation/imv_attestation_build.c
View File

@ -90,8 +90,8 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
enumerator_t *enumerator;
pts_comp_func_name_t *name;
chunk_t keyid;
u_int8_t flags;
u_int32_t depth;
uint8_t flags;
uint32_t depth;
bool first_component = TRUE;
attestation_state->set_handshake_state(attestation_state,

12
src/libpts/plugins/imv_attestation/imv_attestation_process.c
View File

@ -222,11 +222,10 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
TNC_IMV_Evaluation_Result eval;
TNC_IMV_Action_Recommendation rec;
tcg_pts_attr_file_meas_t *attr_cast;
u_int16_t request_id;
uint16_t request_id;
int arg_int, file_count;
pts_meas_algorithms_t algo;
pts_file_meas_t *measurements;
imv_session_t *session;
imv_workitem_t *workitem, *found = NULL;
imv_workitem_type_t type;
char result_str[BUF_LEN], *platform_info;
@ -234,7 +233,6 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
enumerator_t *enumerator;
eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
session = state->get_session(state);
algo = pts->get_meas_algorithm(pts);
platform_info = pts->get_platform_info(pts);
attr_cast = (tcg_pts_attr_file_meas_t*)attr;
@ -390,7 +388,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
pts_comp_func_name_t *name;
pts_comp_evidence_t *evidence;
pts_component_t *comp;
u_int32_t depth;
uint32_t depth;
status_t status;
attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
@ -415,11 +413,10 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
case TCG_PTS_SIMPLE_EVID_FINAL:
{
tcg_pts_attr_simple_evid_final_t *attr_cast;
u_int8_t flags;
uint8_t flags;
pts_meas_algorithms_t comp_hash_algorithm;
chunk_t pcr_comp, tpm_quote_sig, evid_sig;
chunk_t pcr_composite, quote_info;
imv_session_t *session;
imv_workitem_t *workitem;
enumerator_t *enumerator;
bool use_quote2, use_ver_info;
@ -470,7 +467,6 @@ quote_error:
*/
attestation_state->finalize_components(attestation_state);
session = state->get_session(state);
enumerator = session->create_workitem_enumerator(session);
while (enumerator->enumerate(enumerator, &workitem))
{
@ -479,7 +475,7 @@ quote_error:
TNC_IMV_Action_Recommendation rec;
TNC_IMV_Evaluation_Result eval;
char *result_str;
u_int32_t error;
uint32_t error;
error = attestation_state->get_measurement_error(
attestation_state);

2
src/libpts/plugins/imv_attestation/imv_attestation_state.c
View File

@ -409,7 +409,7 @@ METHOD(imv_attestation_state_t, create_component, pts_component_t*,
/**
* Enumerate file measurement entries
*/
static bool entry_filter(void *null, func_comp_t **entry, u_int8_t *flags,
static bool entry_filter(void *null, func_comp_t **entry, uint8_t *flags,
void *i2, uint32_t *depth,
void *i3, pts_comp_func_name_t **comp_name)
{

8
src/libpts/plugins/imv_attestation/imv_attestation_state.h
View File

@ -42,8 +42,8 @@ typedef enum imv_meas_error_t imv_meas_error_t;
enum imv_attestation_flag_t {
IMV_ATTESTATION_ATTR_PRODUCT_INFO = (1<<0),
IMV_ATTESTATION_ATTR_STRING_VERSION = (1<<1),
IMV_ATTESTATION_ATTR_MUST = (1<<2)-1,
IMV_ATTESTATION_ATTR_DEVICE_ID = (1<<2),
IMV_ATTESTATION_ATTR_MUST = (1<<3)-1,
IMV_ATTESTATION_ATTR_REQ = (1<<3),
IMV_ATTESTATION_ALGO = (1<<4),
IMV_ATTESTATION_FILE_MEAS = (1<<5),
@ -118,7 +118,7 @@ struct imv_attestation_state_t {
*/
pts_component_t* (*create_component)(imv_attestation_state_t *this,
pts_comp_func_name_t *name,
u_int32_t depth,
uint32_t depth,
pts_database_t *pts_db);
/**
@ -148,7 +148,7 @@ struct imv_attestation_state_t {
*
* @return Measurement error flags
*/
u_int32_t (*get_measurement_error)(imv_attestation_state_t *this);
uint32_t (*get_measurement_error)(imv_attestation_state_t *this);
/**
* Call if a measurement error is encountered
@ -156,7 +156,7 @@ struct imv_attestation_state_t {
* @param error Measurement error type
*/
void (*set_measurement_error)(imv_attestation_state_t *this,
u_int32_t error);
uint32_t error);
/**
* Returns a concatenation of File Measurement reason strings

22
testing/tests/tnc/tnccs-20-os-pts/description.txt Normal file
View File

@ -0,0 +1,22 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
using EAP-TTLS authentication only with the gateway presenting a server certificate and
the clients doing EAP-MD5 password-based authentication.
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS and Attestation IMCs
exchange PA-TNC attributes with the OS and Attestation IMVs via the <b>IF-M 1.0</b> measurement
protocol defined by <b>RFC 5792 PA-TNC</b>.
<p>
<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
<em>Attribute Request</em> PA-TNC attribute. <b>dave</b> is instructed to do a reference
measurement on all files in the <b>/bin</b> directory. <b>carol</b> is then prompted to
measure a couple of individual files and the files in the <b>/bin</b> directory as
well as to get metadata on the <b>/etc/tnc_confg</b> configuration file.
<p>
<b>carol</b> passes the health test and <b>dave</b> fails because IP forwarding is
enabled. Based on these assessments which are communicated to the IMCs using the
<em>Assessment Result</em> PA-TNC attribute, the clients are connected by gateway <b>moon</b>
to the "rw-allow" and "rw-isolate" subnets, respectively.
</p>

20
testing/tests/tnc/tnccs-20-os-pts/evaltest.dat Normal file
View File

@ -0,0 +1,20 @@
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO

23
testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf Normal file
View File

@ -0,0 +1,23 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3, pts 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_CAROL
leftid=carol@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightauth=any
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=add

3
testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets Normal file
View File

@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
carol@strongswan.org : EAP "Ar3etTnp"

19
testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf Normal file
View File

@ -0,0 +1,19 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
}
libimcv {
plugins {
imc-os {
push_info = yes
}
}
}

4
testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config Normal file
View File

@ -0,0 +1,4 @@
#IMC configuration file for strongSwan client
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so

23
testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf Normal file
View File

@ -0,0 +1,23 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imc 3, pts 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn home
left=PH_IP_DAVE
leftid=dave@strongswan.org
leftauth=eap
leftfirewall=yes
right=PH_IP_MOON
rightid=@moon.strongswan.org
rightauth=any
rightsendcert=never
rightsubnet=10.1.0.0/16
auto=add

3
testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets Normal file
View File

@ -0,0 +1,3 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
dave@strongswan.org : EAP "W7R0g3do"

22
testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf Normal file
View File

@ -0,0 +1,22 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
tnc-imc {
preferred_language = de
}
}
}
libimcv {
plugins {
imc-os {
push_info = no
}
}
}

4
testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config Normal file
View File

@ -0,0 +1,4 @@
#IMC configuration file for strongSwan client
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so

34
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf Normal file
View File

@ -0,0 +1,34 @@
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="tnc 3, imv 3, pts 3"
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
conn rw-allow
rightgroups=allow
leftsubnet=10.1.0.0/28
also=rw-eap
auto=add
conn rw-isolate
rightgroups=isolate
leftsubnet=10.1.0.16/28
also=rw-eap
auto=add
conn rw-eap
left=PH_IP_MOON
leftcert=moonCert.pem
leftid=@moon.strongswan.org
leftauth=eap-ttls
leftfirewall=yes
rightauth=eap-ttls
rightid=*@strongswan.org
rightsendcert=never
right=%any

6
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets Normal file
View File

@ -0,0 +1,6 @@
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem
carol@strongswan.org : EAP "Ar3etTnp"
dave@strongswan.org : EAP "W7R0g3do"

29
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql Normal file
View File

@ -0,0 +1,29 @@
/* Devices */
INSERT INTO devices ( /* 1 */
value, product, created
) VALUES (
'aabbccddeeff11223344556677889900', 28, 1372330615
);
/* Groups Members */
INSERT INTO groups_members (
group_id, device_id
) VALUES (
10, 1
);
INSERT INTO enforcements (
policy, group_id, max_age, rec_fail, rec_noresult
) VALUES (
3, 10, 0, 2, 2
);
INSERT INTO enforcements (
policy, group_id, max_age
) VALUES (
16, 2, 0
);
DELETE FROM enforcements WHERE id = 1;

32
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf Normal file
View File

@ -0,0 +1,32 @@
# /etc/strongswan.conf - strongSwan configuration file
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
multiple_authentication=no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
}
}
libimcv {
database = sqlite:///etc/pts/config.db
policy_script = ipsec imv_policy_manager
plugins {
imv-attestation {
hash_algorithm = sha1
}
}
}
attest {
load = random nonce openssl sqlite
database = sqlite:///etc/pts/config.db
}

4
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config Normal file
View File

@ -0,0 +1,4 @@
#IMV configuration file for strongSwan client
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so

8
testing/tests/tnc/tnccs-20-os-pts/posttest.dat Normal file
View File

@ -0,0 +1,8 @@
moon::ipsec stop
carol::ipsec stop
dave::ipsec stop
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
carol::echo 1 > /proc/sys/net/ipv4/ip_forward
moon::rm /etc/pts/config.db

18
testing/tests/tnc/tnccs-20-os-pts/pretest.dat Normal file
View File

@ -0,0 +1,18 @@
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
carol::echo 0 > /proc/sys/net/ipv4/ip_forward
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
moon::cat /etc/tnc_config
carol::cat /etc/tnc_config
dave::cat /etc/tnc_config
moon::ipsec start
dave::ipsec start
carol::ipsec start
dave::sleep 1
dave::ipsec up home
carol::ipsec up home
carol::sleep 1
moon::ipsec attest --sessions
moon::ipsec attest --devices

26
testing/tests/tnc/tnccs-20-os-pts/test.conf Normal file
View File

@ -0,0 +1,26 @@
#!/bin/bash
#
# This configuration file provides information on the
# guest instances used for this test
# All guest instances that are required for this test
#
VIRTHOSTS="alice venus moon carol winnetou dave"
# Corresponding block diagram
#
DIAGRAM="a-v-m-c-w-d.png"
# Guest instances on which tcpdump is to be started
#
TCPDUMPHOSTS="moon"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
# Guest instances on which FreeRadius is started
#
RADIUSHOSTS=

6
testing/tests/tnc/tnccs-20-pts/description.txt
View File

@ -3,9 +3,9 @@ using EAP-TTLS authentication only with the gateway presenting a server certific
the clients doing EAP-MD5 password-based authentication.
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
exchange PA-TNC attributes.
client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS and Attestation IMCs
exchange PA-TNC attributes with the OS IMV via the <b>IF-M 1.0</b> measurement protocol
defined by <b>RFC 5792 PA-TNC</b>.
<p>
<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front

14
testing/tests/tnc/tnccs-20-pts/evaltest.dat
View File

@ -2,19 +2,19 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/28::YES
moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.200/32::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO

1
testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config
View File

@ -1,4 +1,3 @@
#IMV configuration file for strongSwan client
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so