diff options
Diffstat (limited to 'testing/tests/tnc/tnccs-20-pdp-pt-tls')
8 files changed, 41 insertions, 19 deletions
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt index 45a77e900..90e85485c 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt @@ -1,9 +1,9 @@ The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision -point (PDP) <b>alice</b>. <b>carol</b> uses password-based SASL PLAIN client authentication during the -<b>PT-TLS negotiation phase</b> and <b>dave</b> uses certificate-based TLS client authentication during the -<b>TLS setup phase</b>. +point (PDP) <b>alice</b>. Endpoint <b>carol</b> uses password-based SASL PLAIN client authentication during the +<b>PT-TLS negotiation phase</b> whereas endpoint <b>dave</b> uses certificate-based TLS client authentication +during the <b>TLS setup phase</b>. <p/> -During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWID</b> IMC/IMV pairs +During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWIMA</b> IMC/IMV pairs loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages -embedded in PB-TNC (RFC 5793) batches. The <b>SWID</b> IMC on <b>carol</b> is requested to deliver -a concise <b>SWID Tag ID Inventory</b> whereas <b>dave</b> must send a full <b>SWID Tag Inventory</b>. +embedded in PB-TNC (RFC 5793) batches. The <b>SWIMA</b> IMC on <b>carol</b> is requested to deliver +a concise <b>Software ID Inventory</b> whereas <b>dave</b> must send a full <b>Software Inventory</b>. diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat index bf4191618..bded669da 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat @@ -1,23 +1,25 @@ dave:: cat /var/log/auth.log::sending TLS CertificateVerify handshake::YES -dave:: cat /var/log/auth.log::collected ... SWID tags::YES +dave:: cat /var/log/auth.log::collected ... SW records::YES carol::cat /var/log/auth.log::received SASL Success result::YES -carol::cat /var/log/auth.log::collected ... SWID tag IDs::YES -carol::cat /var/log/auth.log::collected 1 SWID tag::YES +carol::cat /var/log/auth.log::collected ... SW ID records::YES +carol::cat /var/log/auth.log::strongswan.org__strongSwan.*swidtag::YES +carol::cat /var/log/auth.log::collected 1 SW record::YES alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES alice::cat /var/log/daemon.log::certificate status is good::YES alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES -alice::cat /var/log/daemon.log::received SWID tag inventory with ... items for request 3 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::received software inventory with ... items for request 3 at last eid 1 of epoch::YES alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES -alice::cat /var/log/daemon.log::received SWID tag ID inventory with ... items for request 9 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::failed to collect SW ID events, fallback to SW ID inventory::YES +alice::cat /var/log/daemon.log::received software ID inventory with ... items for request 9 at last eid 1 of epoch::YES alice::cat /var/log/daemon.log::1 SWID tag target::YES -alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES -alice::cat /var/log/daemon.log::strongswan.org__strongSwan-::YES +alice::cat /var/log/daemon.log::received software inventory with 1 item for request 9 at last eid 1 of epoch::YES +alice::cat /var/log/daemon.log::strongswan.org__strongSwan.*@ file:///usr/local/share/strongswan::YES alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon-systemd -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf index 944a5928d..04d7dbacc 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf @@ -17,6 +17,9 @@ charon-systemd { secret = gv6URkSs } } + tnc-imv { + dlclose = no + } } } @@ -29,8 +32,10 @@ libimcv { policy_script = /usr/local/libexec/ipsec/imv_policy_manager plugins { - imv-swid { - rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/ + imv-swima { + rest_api { + uri = http://admin-user:strongSwan@tnc.strongswan.org/api/ + } } } } diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config index ebe88bc99..1499dfc90 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config @@ -1,4 +1,4 @@ #IMV configuration file for strongSwan client IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so -IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so +IMV "SWIMA" /usr/local/lib/ipsec/imcvs/imv-swima.so diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf index c83805aae..5aad08905 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf @@ -4,6 +4,15 @@ libtls { suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 } +libimcv { + swid_gen { + tag_creator { + name = Debian Project + regid = debian.org + } + } +} + pt-tls-client { load = revocation constraints pem openssl curl nonce tnc-tnccs tnc-imc tnccs-20 } diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config index f40174e57..3975056ca 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config @@ -1,4 +1,4 @@ #IMC configuration file for strongSwan client IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so -IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so +IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf index 2e2fccd10..cf08b969d 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf @@ -1,11 +1,17 @@ # /etc/strongswan.conf - strongSwan configuration file libimcv { + swid_gen { + tag_creator { + name = Debian Project + regid = debian.org + } + } plugins { imc-os { push_info = no } - imc-swid { + imc-swima { swid_directory = /usr/share swid_pretty = yes } diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config index f40174e57..3975056ca 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config @@ -1,4 +1,4 @@ #IMC configuration file for strongSwan client IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so -IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so +IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so |