4d83c5b4a6
If the IKEv2 initiator acting as a TNC server receives invalid TNC measurements from the IKEv2 responder acting as a TNC clienti, the exchange of PB-TNC batches is continued until the IKEv2 responder acting as a TNC server has also finished its TNC measurements. In the past if these measurements in the other direction were correct the IKEv2 responder acting as EAP server declared the IKEv2 EAP authentication successful and the IPsec connection was established even though the TNC measurement verification on the EAP peer side failed. The fix adds an "allow" group membership on each endpoint if the corresponding TNC measurements of the peer are successful. By requiring a "allow" group membership in the IKEv2 connection definition the IPsec connection succeeds only if the TNC measurements on both sides are valid. |
||
|---|---|---|
| .. | ||
| batch | ||
| messages | ||
| state_machine | ||
| Makefile.am | ||
| tnccs_20.c | ||
| tnccs_20.h | ||
| tnccs_20_client.c | ||
| tnccs_20_client.h | ||
| tnccs_20_handler.h | ||
| tnccs_20_plugin.c | ||
| tnccs_20_plugin.h | ||
| tnccs_20_server.c | ||
| tnccs_20_server.h | ||