Implemented PT-EAP protocol (RFC 7171)

This commit is contained in:
Andreas Steffen 2014-05-11 20:49:21 +02:00
parent ab21875f50
commit 8d59090349
56 changed files with 337 additions and 236 deletions


@ -1,6 +1,6 @@
charon.plugins.eap-tnc.max_message_count = 10
Maximum number of processed EAP-TNC packets (0 = no limit).
charon.plugins.eap-tnc.protocol = tnccs-1.1
charon.plugins.eap-tnc.protocol = tnccs-2.0
IF-TNCCS protocol version to be used (_tnccs-1.1_, _tnccs-2.0_,
_tnccs-dynamic_).


@ -16,5 +16,8 @@ charon.plugins.eap-ttls.phase2_piggyback = no
charon.plugins.eap-ttls.phase2_tnc = no
Start phase2 EAP TNC protocol after successful client authentication.
charon.plugins.eap-ttls.phase2_tnc_method = pt
Phase2 EAP TNC transport protocol (_pt_ as IETF standard or legacy _tnc_)
charon.plugins.eap-ttls.request_peer_auth = no
Request peer authentication based on a client certificate.


@ -46,6 +46,11 @@ struct private_eap_tnc_t {
*/
eap_tnc_t public;
/**
* Inner EAP authentication type
*/
eap_type_t type;
/**
* Outer EAP authentication type
*/
@ -124,7 +129,7 @@ METHOD(eap_method_t, initiate, status_t,
private_eap_tnc_t *this, eap_payload_t **out)
{
chunk_t data;
u_int32_t auth_type;
uint32_t auth_type;
/* Determine TNC Client Authentication Type */
switch (this->auth_type)
@ -175,10 +180,10 @@ METHOD(eap_method_t, process, status_t,
}
METHOD(eap_method_t, get_type, eap_type_t,
private_eap_tnc_t *this, u_int32_t *vendor)
private_eap_tnc_t *this, uint32_t *vendor)
{
*vendor = 0;
return EAP_TNC;
return this->type;
}
METHOD(eap_method_t, get_msk, status_t,
@ -192,14 +197,14 @@ METHOD(eap_method_t, get_msk, status_t,
return FAILED;
}
METHOD(eap_method_t, get_identifier, u_int8_t,
METHOD(eap_method_t, get_identifier, uint8_t,
private_eap_tnc_t *this)
{
return this->tls_eap->get_identifier(this->tls_eap);
}
METHOD(eap_method_t, set_identifier, void,
private_eap_tnc_t *this, u_int8_t identifier)
private_eap_tnc_t *this, uint8_t identifier)
{
this->tls_eap->set_identifier(this->tls_eap, identifier);
}
@ -214,7 +219,7 @@ METHOD(eap_method_t, destroy, void,
private_eap_tnc_t *this)
{
chunk_t pdp_server;
u_int16_t pdp_port;
uint16_t pdp_port;
tls_t *tls;
pdp_server = this->tnccs->get_pdp_server(this->tnccs, &pdp_port);
@ -245,13 +250,14 @@ METHOD(eap_inner_method_t, set_auth_type, void,
* Generic private constructor
*/
static eap_tnc_t *eap_tnc_create(identification_t *server,
identification_t *peer, bool is_server)
identification_t *peer, bool is_server,
eap_type_t type)
{
private_eap_tnc_t *this;
int max_msg_count;
char* protocol;
tnccs_t *tnccs;
tnccs_type_t type;
tnccs_type_t tnccs_type;
INIT(this,
.public = {
@ -270,24 +276,25 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
.set_auth_type = _set_auth_type,
},
},
.type = type,
);
max_msg_count = lib->settings->get_int(lib->settings,
"%s.plugins.eap-tnc.max_message_count",
EAP_TNC_MAX_MESSAGE_COUNT, lib->ns);
protocol = lib->settings->get_str(lib->settings,
"%s.plugins.eap-tnc.protocol", "tnccs-1.1", lib->ns);
"%s.plugins.eap-tnc.protocol", "tnccs-2.0", lib->ns);
if (strcaseeq(protocol, "tnccs-2.0"))
{
type = TNCCS_2_0;
tnccs_type = TNCCS_2_0;
}
else if (strcaseeq(protocol, "tnccs-1.1"))
{
type = TNCCS_1_1;
tnccs_type = TNCCS_1_1;
}
else if (strcaseeq(protocol, "tnccs-dynamic") && is_server)
{
type = TNCCS_DYNAMIC;
tnccs_type = TNCCS_DYNAMIC;
}
else
{
@ -295,8 +302,9 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
free(this);
return NULL;
}
tnccs = tnc->tnccs->create_instance(tnc->tnccs, type,
is_server, server, peer, TNC_IFT_EAP_1_1,
tnccs = tnc->tnccs->create_instance(tnc->tnccs, tnccs_type,
is_server, server, peer,
(type == EAP_TNC) ? TNC_IFT_EAP_1_1 : TNC_IFT_EAP_2_0,
is_server ? enforce_recommendation : NULL);
if (!tnccs)
{
@ -305,7 +313,7 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
return NULL;
}
this->tnccs = tnccs->get_ref(tnccs);
this->tls_eap = tls_eap_create(EAP_TNC, &tnccs->tls,
this->tls_eap = tls_eap_create(type, &tnccs->tls,
EAP_TNC_MAX_MESSAGE_LEN,
max_msg_count, FALSE);
if (!this->tls_eap)
@ -319,11 +327,23 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
eap_tnc_t *eap_tnc_create_server(identification_t *server,
identification_t *peer)
{
return eap_tnc_create(server, peer, TRUE);
return eap_tnc_create(server, peer, TRUE, EAP_TNC);
}
eap_tnc_t *eap_tnc_create_peer(identification_t *server,
identification_t *peer)
{
return eap_tnc_create(server, peer, FALSE);
return eap_tnc_create(server, peer, FALSE, EAP_TNC);
}
eap_tnc_t *eap_tnc_pt_create_server(identification_t *server,
identification_t *peer)
{
return eap_tnc_create(server, peer, TRUE, EAP_PT_EAP);
}
eap_tnc_t *eap_tnc_pt_create_peer(identification_t *server,
identification_t *peer)
{
return eap_tnc_create(server, peer, FALSE, EAP_PT_EAP);
}
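Review bot: `eap_tnc_create` lets a PT-EAP instance (`type == EAP_PT_EAP`) be combined with `protocol = tnccs-1.1`, although the transport handed to `create_instance` is then `TNC_IFT_EAP_2_0`; as far as I read RFC 7171, PT-EAP carries PB-TNC (IF-TNCCS 2.0), so that pairing looks unintended and would only surface as an obscure failure later in the exchange. Unless IF-TNCCS 1.1 over the 2.0 transport is meant to work, I would confine the branch to legacy EAP-TNC, e.g. `else if (strcaseeq(protocol, "tnccs-1.1") && type == EAP_TNC)`, so the combination lands in the existing `else` branch that frees `this` and returns NULL. It would also help to state on the new `type` parameter that only `EAP_TNC` and `EAP_PT_EAP` are meaningful, since any other value silently selects `TNC_IFT_EAP_2_0` and is passed straight to `tls_eap_create`. The body of `eap_tnc_create` starts before and continues past the visible hunks.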


@ -26,7 +26,7 @@ typedef struct eap_tnc_t eap_tnc_t;
#include <sa/eap/eap_inner_method.h>
/**
* Implementation of the eap_method_t interface using EAP-TNC.
* Implementation of the eap_method_t interface using EAP-TNC or PT-EAP.
*/
struct eap_tnc_t {
@ -43,7 +43,8 @@ struct eap_tnc_t {
* @param peer ID of the EAP client
* @return eap_tnc_t object
*/
eap_tnc_t *eap_tnc_create_server(identification_t *server, identification_t *peer);
eap_tnc_t *eap_tnc_create_server(identification_t *server,
identification_t *peer);
/**
* Creates the EAP method EAP-TNC acting as peer.
@ -52,6 +53,27 @@ eap_tnc_t *eap_tnc_create_server(identification_t *server, identification_t *pee
* @param peer ID of the EAP client
* @return eap_tnc_t object
*/
eap_tnc_t *eap_tnc_create_peer(identification_t *server, identification_t *peer);
eap_tnc_t *eap_tnc_create_peer(identification_t *server,
identification_t *peer);
/**
* Creates the EAP method PT-EAP acting as server.
*
* @param server ID of the EAP server
* @param peer ID of the EAP client
* @return eap_tnc_t object
*/
eap_tnc_t *eap_tnc_pt_create_server(identification_t *server,
identification_t *peer);
/**
* Creates the EAP method PT-EAP acting as peer.
*
* @param server ID of the EAP server
* @param peer ID of the EAP client
* @return eap_tnc_t object
*/
eap_tnc_t *eap_tnc_pt_create_peer(identification_t *server,
identification_t *peer);
#endif /** EAP_TNC_H_ @}*/


@ -36,6 +36,14 @@ METHOD(plugin_t, get_features, int,
PLUGIN_PROVIDE(EAP_PEER, EAP_TNC),
PLUGIN_DEPENDS(EAP_PEER, EAP_TTLS),
PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
PLUGIN_CALLBACK(eap_method_register, eap_tnc_pt_create_server),
PLUGIN_PROVIDE(EAP_SERVER, EAP_PT_EAP),
PLUGIN_DEPENDS(EAP_SERVER, EAP_TTLS),
PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
PLUGIN_CALLBACK(eap_method_register, eap_tnc_pt_create_peer),
PLUGIN_PROVIDE(EAP_PEER, EAP_PT_EAP),
PLUGIN_DEPENDS(EAP_PEER, EAP_TTLS),
PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
};
*features = f;
return countof(f);


@ -1,6 +1,6 @@
/*
* Copyright (C) 2010 Andreas Steffen
* Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
* Copyright (C) 2010-2014 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
@ -107,22 +107,34 @@ static status_t start_phase2_auth(private_eap_ttls_server_t *this)
}
/**
* If configured, start EAP-TNC protocol
* If configured, start PT-EAP or legacy EAP-TNC protocol
*/
static status_t start_phase2_tnc(private_eap_ttls_server_t *this,
eap_type_t auth_type)
{
eap_inner_method_t *inner_method;
eap_type_t type;
char *eap_type_str;
if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
"%s.plugins.eap-ttls.phase2_tnc", FALSE, lib->ns))
{
DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC);
this->method = charon->eap->create_instance(charon->eap, EAP_TNC,
eap_type_str = lib->settings->get_str(lib->settings,
"%s.plugins.eap-ttls.phase2_tnc_method", "pt",
lib->ns);
type = eap_type_from_string(eap_type_str);
if (type == 0)
{
DBG1(DBG_IKE, "unrecognized phase2 EAP TNC method \"%s\"",
eap_type_str);
return FAILED;
}
DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, type);
this->method = charon->eap->create_instance(charon->eap, type,
0, EAP_SERVER, this->server, this->peer);
if (this->method == NULL)
{
DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC);
DBG1(DBG_IKE, "%N method not available", eap_type_names, type);
return FAILED;
}
inner_method = (eap_inner_method_t *)this->method;
@ -135,7 +147,7 @@ static status_t start_phase2_tnc(private_eap_ttls_server_t *this,
}
else
{
DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_TNC);
DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
return FAILED;
}
}
@ -151,7 +163,7 @@ METHOD(tls_application_t, process, status_t,
eap_payload_t *in;
eap_code_t code;
eap_type_t type = EAP_NAK, received_type;
u_int32_t vendor, received_vendor;
uint32_t vendor, received_vendor;
status = this->avp->process(this->avp, reader, &data);
switch (status)
@ -297,7 +309,7 @@ METHOD(tls_application_t, build, status_t,
chunk_t data;
eap_code_t code;
eap_type_t type;
u_int32_t vendor;
uint32_t vendor;
if (this->method == NULL && this->start_phase2 &&
lib->settings->get_bool(lib->settings,
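Review bot: The new `phase2_tnc_method` lookup in `start_phase2_tnc` only rejects `type == 0`, so any name `eap_type_from_string` knows (the table touched in this commit also maps `md5`, `tnc`, `pt`, `dynamic`, `radius`) is accepted, instantiated via `charon->eap->create_instance`, and then cast to `eap_inner_method_t *` a few lines below the check; that cast is only valid for methods implementing the inner interface, which from this diff are EAP-TNC and PT-EAP. A misconfigured `phase2_tnc_method = md5` would therefore call through a mismatched method object rather than fail cleanly at configuration time. I would tighten the guard to the two methods the setting documents: `if (type != EAP_TNC && type != EAP_PT_EAP)` with the same `DBG1` and `return FAILED`. The rest of `start_phase2_tnc` lies outside the hunk.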


@ -57,7 +57,9 @@ ENUM_NEXT(eap_type_names, EAP_MSTLV, EAP_MSTLV, EAP_MSCHAPV2,
"EAP_MSTLV");
ENUM_NEXT(eap_type_names, EAP_TNC, EAP_TNC, EAP_MSTLV,
"EAP_TNC");
ENUM_NEXT(eap_type_names, EAP_EXPANDED, EAP_DYNAMIC, EAP_TNC,
ENUM_NEXT(eap_type_names, EAP_PT_EAP, EAP_PT_EAP, EAP_TNC,
"EAP_PT_EAP");
ENUM_NEXT(eap_type_names, EAP_EXPANDED, EAP_DYNAMIC, EAP_PT_EAP,
"EAP_EXPANDED",
"EAP_EXPERIMENTAL",
"EAP_RADIUS",
@ -86,7 +88,9 @@ ENUM_NEXT(eap_type_short_names, EAP_MSTLV, EAP_MSTLV, EAP_MSCHAPV2,
"MSTLV");
ENUM_NEXT(eap_type_short_names, EAP_TNC, EAP_TNC, EAP_MSTLV,
"TNC");
ENUM_NEXT(eap_type_short_names, EAP_EXPANDED, EAP_DYNAMIC, EAP_TNC,
ENUM_NEXT(eap_type_short_names, EAP_PT_EAP, EAP_PT_EAP, EAP_TNC,
"PT");
ENUM_NEXT(eap_type_short_names, EAP_EXPANDED, EAP_DYNAMIC, EAP_PT_EAP,
"EXP",
"XP",
"RAD",
@ -114,6 +118,7 @@ eap_type_t eap_type_from_string(char *name)
{"peap", EAP_PEAP},
{"mschapv2", EAP_MSCHAPV2},
{"tnc", EAP_TNC},
{"pt", EAP_PT_EAP},
{"dynamic", EAP_DYNAMIC},
{"radius", EAP_RADIUS},
};
@ -136,7 +141,7 @@ eap_vendor_type_t *eap_vendor_type_from_string(char *str)
enumerator_t *enumerator;
eap_vendor_type_t *result = NULL;
eap_type_t type = 0;
u_int32_t vendor = 0;
uint32_t vendor = 0;
char *part, *end;
/* parse EAP method string of the form: [eap-]type[-vendor] */


@ -67,6 +67,7 @@ enum eap_type_t {
EAP_MSCHAPV2 = 26,
EAP_MSTLV = 33,
EAP_TNC = 38,
EAP_PT_EAP = 54,
EAP_EXPANDED = 254,
EAP_EXPERIMENTAL = 255,
/** not a method, but an implementation providing different methods */


@ -47,7 +47,7 @@ struct private_tls_eap_t {
/**
* Current value of EAP identifier
*/
u_int8_t identifier;
uint8_t identifier;
/**
* TLS stack
@ -59,6 +59,11 @@ struct private_tls_eap_t {
*/
bool is_server;
/**
* Supported version of the EAP tunnel protocol
*/
uint8_t supported_version;
/**
* If FALSE include the total length of an EAP message
* in the first fragment of fragmented messages only.
@ -94,22 +99,24 @@ typedef enum {
EAP_TLS_LENGTH = (1<<7), /* shared with EAP-TTLS/TNC/PEAP */
EAP_TLS_MORE_FRAGS = (1<<6), /* shared with EAP-TTLS/TNC/PEAP */
EAP_TLS_START = (1<<5), /* shared with EAP-TTLS/TNC/PEAP */
EAP_TTLS_VERSION = (0x07), /* shared with EAP-TNC/PEAP */
EAP_TTLS_VERSION = (0x07), /* shared with EAP-TNC/PEAP/PT-EAP */
EAP_PT_START = (1<<7) /* PT-EAP only */
} eap_tls_flags_t;
#define EAP_TTLS_SUPPORTED_VERSION 0
#define EAP_TNC_SUPPORTED_VERSION 1
#define EAP_PEAP_SUPPORTED_VERSION 0
#define EAP_TTLS_SUPPORTED_VERSION 0
#define EAP_TNC_SUPPORTED_VERSION 1
#define EAP_PEAP_SUPPORTED_VERSION 0
#define EAP_PT_EAP_SUPPORTED_VERSION 1
/**
* EAP-TLS/TTLS packet format
*/
typedef struct __attribute__((packed)) {
u_int8_t code;
u_int8_t identifier;
u_int16_t length;
u_int8_t type;
u_int8_t flags;
uint8_t code;
uint8_t identifier;
uint16_t length;
uint8_t type;
uint8_t flags;
} eap_tls_packet_t;
METHOD(tls_eap_t, initiate, status_t,
@ -120,18 +127,18 @@ METHOD(tls_eap_t, initiate, status_t,
eap_tls_packet_t pkt = {
.type = this->type,
.code = EAP_REQUEST,
.flags = EAP_TLS_START,
.flags = this->supported_version
};
switch (this->type)
{
case EAP_TLS:
case EAP_TTLS:
pkt.flags |= EAP_TTLS_SUPPORTED_VERSION;
break;
case EAP_TNC:
pkt.flags |= EAP_TNC_SUPPORTED_VERSION;
break;
case EAP_PEAP:
pkt.flags |= EAP_PEAP_SUPPORTED_VERSION;
pkt.flags |= EAP_TLS_START;
break;
case EAP_PT_EAP:
pkt.flags |= EAP_PT_START;
break;
default:
break;
@ -153,13 +160,25 @@ METHOD(tls_eap_t, initiate, status_t,
*/
static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt)
{
u_int16_t pkt_len;
u_int32_t msg_len;
uint8_t version;
uint16_t pkt_len;
uint32_t msg_len;
size_t msg_len_offset = 0;
/* EAP-TLS doesn't have a version field */
if (this->type != EAP_TLS)
{
version = pkt->flags & EAP_TTLS_VERSION;
if (version != this->supported_version)
{
DBG1(DBG_TLS, "received %N packet with unsupported version v%u",
eap_type_names, this->type, version);
return FAILED;
}
}
pkt_len = untoh16(&pkt->length);
if (pkt->flags & EAP_TLS_LENGTH)
if (this->type != EAP_PT_EAP && (pkt->flags & EAP_TLS_LENGTH))
{
if (pkt_len < sizeof(eap_tls_packet_t) + sizeof(msg_len))
{
@ -200,27 +219,12 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
pkt->code = this->is_server ? EAP_REQUEST : EAP_RESPONSE;
pkt->identifier = this->identifier;
pkt->type = this->type;
pkt->flags = 0;
switch (this->type)
{
case EAP_TTLS:
pkt->flags |= EAP_TTLS_SUPPORTED_VERSION;
break;
case EAP_TNC:
pkt->flags |= EAP_TNC_SUPPORTED_VERSION;
break;
case EAP_PEAP:
pkt->flags |= EAP_PEAP_SUPPORTED_VERSION;
break;
default:
break;
}
pkt->flags = this->supported_version;
if (this->first_fragment)
{
len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(u_int32_t);
msg_len_offset = sizeof(u_int32_t);
len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(uint32_t);
msg_len_offset = sizeof(uint32_t);
}
else
{
@ -251,7 +255,7 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
}
kind = "packet";
}
else if (this->type != EAP_TNC)
else if (this->type != EAP_TNC && this->type != EAP_PT_EAP)
{
this->first_fragment = TRUE;
kind = "final fragment";
@ -269,14 +273,14 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
if (pkt->flags & EAP_TLS_LENGTH)
{
htoun32(pkt + 1, reclen);
len += sizeof(u_int32_t);
len += sizeof(uint32_t);
pkt->flags |= EAP_TLS_LENGTH;
}
else
{
/* get rid of the reserved length field */
memmove(buf + sizeof(eap_tls_packet_t),
buf + sizeof(eap_tls_packet_t) + sizeof(u_int32_t), len);
buf + sizeof(eap_tls_packet_t) + sizeof(uint32_t), len);
}
}
len += sizeof(eap_tls_packet_t);
@ -352,10 +356,11 @@ METHOD(tls_eap_t, process, status_t,
}
DBG3(DBG_TLS, "%N payload %B", eap_type_names, this->type, &in);
if (pkt->flags & EAP_TLS_START)
if ((this->type == EAP_PT_EAP && (pkt->flags & EAP_PT_START)) ||
(pkt->flags & EAP_TLS_START))
{
if (this->type == EAP_TTLS || this->type == EAP_TNC ||
this->type == EAP_PEAP)
this->type == EAP_PEAP || this->type == EAP_PT_EAP)
{
DBG1(DBG_TLS, "%N version is v%u", eap_type_names, this->type,
pkt->flags & EAP_TTLS_VERSION);
@ -409,14 +414,14 @@ METHOD(tls_eap_t, get_msk, chunk_t,
return this->tls->get_eap_msk(this->tls);
}
METHOD(tls_eap_t, get_identifier, u_int8_t,
METHOD(tls_eap_t, get_identifier, uint8_t,
private_tls_eap_t *this)
{
return this->identifier;
}
METHOD(tls_eap_t, set_identifier, void,
private_tls_eap_t *this, u_int8_t identifier)
private_tls_eap_t *this, uint8_t identifier)
{
this->identifier = identifier;
}
@ -452,13 +457,31 @@ tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
},
.type = type,
.is_server = tls->is_server(tls),
.first_fragment = (type != EAP_TNC),
.first_fragment = (type != EAP_TNC && type != EAP_PT_EAP),
.frag_size = frag_size,
.max_msg_count = max_msg_count,
.include_length = include_length,
.tls = tls,
);
switch (type)
{
case EAP_TTLS:
this->supported_version = EAP_TTLS_SUPPORTED_VERSION;
break;
case EAP_TNC:
this->supported_version = EAP_TNC_SUPPORTED_VERSION;
break;
case EAP_PEAP:
this->supported_version = EAP_PEAP_SUPPORTED_VERSION;
break;
case EAP_PT_EAP:
this->supported_version = EAP_PT_EAP_SUPPORTED_VERSION;
break;
default:
break;
}
if (this->is_server)
{
do
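Review bot: In `process`, the start-flag test `if ((this->type == EAP_PT_EAP && (pkt->flags & EAP_PT_START)) || (pkt->flags & EAP_TLS_START))` still applies the second disjunct to PT-EAP, so a PT-EAP packet with bit 5 set — a reserved bit in the RFC 7171 flags byte that a receiver is expected to ignore — is handled as a Start packet. Selecting the flag by type avoids that: `if (pkt->flags & (this->type == EAP_PT_EAP ? EAP_PT_START : EAP_TLS_START))`. Since `EAP_PT_START` reuses the bit of `EAP_TLS_LENGTH` and `process_pkt` now has to special-case PT-EAP for the length flag, a one-line comment on the enum such as `/* same bit as EAP_TLS_LENGTH; only test it when type is EAP_PT_EAP */` would make that aliasing explicit for the next reader. The bodies of `process` and `build_pkt` extend beyond the visible hunks.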


@ -66,7 +66,7 @@ struct tls_eap_t {
*
* @return identifier
*/
u_int8_t (*get_identifier)(tls_eap_t *this);
uint8_t (*get_identifier)(tls_eap_t *this);
/**
* Set the EAP identifier to a deterministic value, overwriting
@ -74,7 +74,7 @@ struct tls_eap_t {
*
* @param identifier EAP identifier
*/
void (*set_identifier) (tls_eap_t *this, u_int8_t identifier);
void (*set_identifier) (tls_eap_t *this, uint8_t identifier);
/**
* Destroy a tls_eap_t.


@ -2,5 +2,12 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}


@ -2,5 +2,12 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}


@ -2,12 +2,18 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
phase2_tnc_method = tnc
}
eap-tnc {
protocol = tnccs-1.1
}
}
}


@ -2,7 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
libimcv {


@ -2,7 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
libimcv {


@ -2,7 +2,14 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
libimcv {


@ -2,7 +2,14 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
libimcv {


@ -2,7 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
libimcv {


@ -2,7 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
libimcv {


@ -2,7 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
libimcv {


@ -2,7 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-1.1
}
}
}
libimcv {


@ -2,12 +2,18 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
phase2_tnc_method = tnc
}
eap-tnc {
protocol = tnccs-1.1
}
}
}


@ -2,11 +2,10 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
tnc-imc {
preferred_language = de, en
}


@ -2,11 +2,10 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
tnc-imc {
preferred_language = ru, fr, en
}


@ -2,16 +2,15 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
tnc-imv {
recommendation_policy = all
}


@ -2,12 +2,8 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
multiple_authentication = no
}
libimcv {


@ -2,11 +2,10 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
tnc-imc {
preferred_language = ru , de, en
}


@ -2,16 +2,15 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
}
}


@ -2,10 +2,6 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
multiple_authentication = no
}


@ -2,10 +2,6 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
multiple_authentication = no
}


@ -2,15 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
}
}


@ -2,12 +2,8 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
multiple_authentication = no
}
libimcv {


@ -2,11 +2,10 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
tnc-imc {
preferred_language = de
}


@ -2,16 +2,15 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
multiple_authentication=no
multiple_authentication = no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
}
}


@ -2,12 +2,8 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
multiple_authentication = no
}
libimcv {


@ -2,11 +2,10 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
tnc-imc {
preferred_language = de
}


@ -2,16 +2,15 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
multiple_authentication=no
multiple_authentication = no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
}
}


@ -2,6 +2,7 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
plugins {
eap-ttls {
phase2_method = md5
@ -10,7 +11,6 @@ charon {
max_message_count = 0
}
eap-tnc {
protocol = tnccs-2.0
max_message_count = 20
}
tnc-pdp {


@ -8,7 +8,6 @@ charon {
max_message_count = 0
}
eap-tnc {
protocol = tnccs-2.0
max_message_count = 20
}
tnccs-20 {


@ -8,7 +8,6 @@ charon {
max_message_count = 0
}
eap-tnc {
protocol = tnccs-2.0
max_message_count = 20
}
tnccs-20 {


@ -2,12 +2,8 @@
charon {
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
multiple_authentication = no
}
libimcv {


@ -2,11 +2,10 @@
charon {
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
tnc-imc {
preferred_language = de
}


@ -2,16 +2,15 @@
charon {
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
multiple_authentication=no
multiple_authentication = no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
}
}


@ -2,12 +2,8 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
multiple_authentication = no
}
libimcv {


@ -2,11 +2,9 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
tnc-imc {
preferred_language = de
}


@ -2,16 +2,15 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
multiple_authentication=no
multiple_authentication = no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
}
}


@ -2,12 +2,8 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
multiple_authentication = no
}
libimcv {


@ -2,11 +2,10 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
tnc-imc {
preferred_language = ru , de, en
}


@ -2,16 +2,15 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
}
}


@ -2,12 +2,8 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
multiple_authentication = no
}
libimcv {


@ -2,12 +2,8 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
multiple_authentication = no
}
libimcv {


@ -2,25 +2,14 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-ttls {
request_peer_auth = yes
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
}
}
libimcv {
plugins {
imv-scanner {
closed_port_policy = no
tcp_ports = 80 443
udp_ports =
}
}
}


@ -2,12 +2,8 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
multiple_authentication=no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
}
multiple_authentication = no
}
libimcv {


@ -2,11 +2,10 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-tnc {
protocol = tnccs-2.0
}
tnc-imc {
preferred_language = ru, pl , de
}


@ -2,16 +2,15 @@
charon {
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
multiple_authentication=no
multiple_authentication = no
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
eap-tnc {
protocol = tnccs-2.0
}
}
}


@ -11,6 +11,7 @@ charon {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
phase2_tnc_method = tnc
}
eap-tnc {
protocol = tnccs-dynamic