From 81c63b0eed39432878f78727f60a1e7499645199 Mon Sep 17 00:00:00 2001 From: Yves-Alexis Perez Date: Fri, 11 Jul 2014 07:23:31 +0200 Subject: Imported Upstream version 5.2.0 --- .../tnccs-11-fhh/hosts/carol/etc/strongswan.conf | 7 +++ .../tnccs-11-fhh/hosts/dave/etc/strongswan.conf | 7 +++ .../tnccs-11-fhh/hosts/moon/etc/strongswan.conf | 8 ++- .../hosts/carol/etc/strongswan.conf | 7 +++ .../hosts/dave/etc/strongswan.conf | 7 +++ .../hosts/alice/etc/pts/data1.sql | 2 +- .../hosts/carol/etc/strongswan.conf | 7 +++ .../hosts/dave/etc/strongswan.conf | 7 +++ .../hosts/carol/etc/strongswan.conf | 7 +++ .../tnccs-11-radius/hosts/dave/etc/strongswan.conf | 7 +++ .../tnc/tnccs-11/hosts/carol/etc/strongswan.conf | 7 +++ .../tnc/tnccs-11/hosts/dave/etc/strongswan.conf | 7 +++ .../tnc/tnccs-11/hosts/moon/etc/strongswan.conf | 8 ++- .../tnccs-20-block/hosts/carol/etc/strongswan.conf | 7 ++- .../tnccs-20-block/hosts/dave/etc/strongswan.conf | 5 +- .../tnccs-20-block/hosts/moon/etc/strongswan.conf | 7 ++- .../hosts/carol/etc/strongswan.conf | 8 +-- .../hosts/dave/etc/strongswan.conf | 7 ++- .../hosts/moon/etc/strongswan.conf | 7 ++- .../tnccs-20-fhh/hosts/carol/etc/strongswan.conf | 8 +-- .../tnccs-20-fhh/hosts/dave/etc/strongswan.conf | 8 +-- .../tnccs-20-fhh/hosts/moon/etc/strongswan.conf | 7 ++- testing/tests/tnc/tnccs-20-os-pts/description.txt | 22 ++++++++ testing/tests/tnc/tnccs-20-os-pts/evaltest.dat | 20 +++++++ .../tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf | 23 ++++++++ .../tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets | 3 ++ .../hosts/carol/etc/strongswan.conf | 15 ++++++ .../tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config | 4 ++ .../tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf | 23 ++++++++ .../tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets | 3 ++ .../tnccs-20-os-pts/hosts/dave/etc/strongswan.conf | 21 ++++++++ .../tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config | 4 ++ .../tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf | 34 ++++++++++++ .../tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets | 6 +++ .../tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql | 29 ++++++++++ .../tnccs-20-os-pts/hosts/moon/etc/strongswan.conf | 31 +++++++++++ .../tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config | 4 ++ testing/tests/tnc/tnccs-20-os-pts/posttest.dat | 8 +++ testing/tests/tnc/tnccs-20-os-pts/pretest.dat | 18 +++++++ testing/tests/tnc/tnccs-20-os-pts/test.conf | 26 +++++++++ testing/tests/tnc/tnccs-20-os/description.txt | 13 ++--- testing/tests/tnc/tnccs-20-os/evaltest.dat | 4 +- .../tnccs-20-os/hosts/carol/etc/strongswan.conf | 8 +-- .../tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf | 7 ++- .../tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql | 4 +- .../tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf | 7 ++- testing/tests/tnc/tnccs-20-os/pretest.dat | 2 +- testing/tests/tnc/tnccs-20-pdp-eap/description.txt | 12 +++++ testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat | 29 ++++++++++ .../alice/etc/apache2/sites-available/default | 26 +++++++++ .../tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf | 9 ++++ .../hosts/alice/etc/ipsec.d/certs/aaaCert.pem | 25 +++++++++ .../hosts/alice/etc/ipsec.d/private/aaaKey.pem | 27 ++++++++++ .../tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets | 6 +++ .../tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql | 61 ++++++++++++++++++++++ .../hosts/alice/etc/strongTNC/settings.ini | 19 +++++++ .../hosts/alice/etc/strongswan.conf | 35 +++++++++++++ .../tnccs-20-pdp-eap/hosts/alice/etc/tnc_config | 4 ++ .../tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf | 23 ++++++++ .../tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets | 3 ++ .../hosts/carol/etc/strongswan.conf | 18 +++++++ .../tnccs-20-pdp-eap/hosts/carol/etc/tnc_config | 4 ++ .../tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf | 23 ++++++++ .../tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets | 3 ++ .../hosts/dave/etc/strongswan.conf | 30 +++++++++++ .../tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config | 4 ++ .../tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf | 33 ++++++++++++ .../tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets | 3 ++ .../tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules | 32 ++++++++++++ .../hosts/moon/etc/strongswan.conf | 14 +++++ testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat | 9 ++++ testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat | 21 ++++++++ testing/tests/tnc/tnccs-20-pdp-eap/test.conf | 26 +++++++++ .../tests/tnc/tnccs-20-pdp-pt-tls/description.txt | 9 ++++ testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat | 19 +++++++ .../alice/etc/apache2/sites-available/default | 26 +++++++++ .../tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf | 9 ++++ .../hosts/alice/etc/ipsec.d/certs/aaaCert.pem | 25 +++++++++ .../hosts/alice/etc/ipsec.d/private/aaaKey.pem | 27 ++++++++++ .../hosts/alice/etc/ipsec.secrets | 6 +++ .../hosts/alice/etc/iptables.rules | 24 +++++++++ .../hosts/alice/etc/pts/data1.sql | 61 ++++++++++++++++++++++ .../hosts/alice/etc/strongTNC/settings.ini | 19 +++++++ .../hosts/alice/etc/strongswan.conf | 29 ++++++++++ .../tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config | 4 ++ .../tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf | 3 ++ .../hosts/carol/etc/ipsec.secrets | 3 ++ .../tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql | 4 ++ .../hosts/carol/etc/iptables.rules | 20 +++++++ .../hosts/carol/etc/pts/options | 6 +++ .../hosts/carol/etc/strongswan.conf | 9 ++++ .../tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config | 4 ++ .../tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf | 3 ++ .../hosts/dave/etc/ipsec.secrets | 3 ++ .../tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql | 4 ++ .../hosts/dave/etc/iptables.rules | 20 +++++++ .../tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options | 7 +++ .../hosts/dave/etc/strongswan.conf | 21 ++++++++ .../tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config | 4 ++ testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat | 9 ++++ testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat | 23 ++++++++ testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf | 26 +++++++++ testing/tests/tnc/tnccs-20-pdp/description.txt | 12 ----- testing/tests/tnc/tnccs-20-pdp/evaltest.dat | 22 -------- .../tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf | 9 ---- .../hosts/alice/etc/ipsec.d/certs/aaaCert.pem | 25 --------- .../hosts/alice/etc/ipsec.d/private/aaaKey.pem | 27 ---------- .../tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets | 6 --- .../tnccs-20-pdp/hosts/alice/etc/strongswan.conf | 30 ----------- .../tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config | 4 -- .../tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf | 23 -------- .../tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets | 3 -- .../tnccs-20-pdp/hosts/carol/etc/strongswan.conf | 18 ------- .../tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config | 4 -- .../tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf | 23 -------- .../tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets | 3 -- .../tnccs-20-pdp/hosts/dave/etc/strongswan.conf | 21 -------- .../tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config | 4 -- .../tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf | 33 ------------ .../tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets | 3 -- .../tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules | 32 ------------ .../tnccs-20-pdp/hosts/moon/etc/strongswan.conf | 14 ----- testing/tests/tnc/tnccs-20-pdp/posttest.dat | 7 --- testing/tests/tnc/tnccs-20-pdp/pretest.dat | 14 ----- testing/tests/tnc/tnccs-20-pdp/test.conf | 26 --------- testing/tests/tnc/tnccs-20-pt-tls/description.txt | 9 ---- testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat | 12 ----- .../tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf | 9 ---- .../hosts/alice/etc/ipsec.d/certs/aaaCert.pem | 25 --------- .../hosts/alice/etc/ipsec.d/private/aaaKey.pem | 27 ---------- .../tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets | 6 --- .../tnccs-20-pt-tls/hosts/alice/etc/iptables.rules | 20 ------- .../tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql | 61 ---------------------- .../hosts/alice/etc/strongswan.conf | 28 ---------- .../tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config | 4 -- .../tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf | 3 -- .../tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets | 3 -- .../tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql | 4 -- .../tnccs-20-pt-tls/hosts/carol/etc/iptables.rules | 20 ------- .../tnccs-20-pt-tls/hosts/carol/etc/pts/options | 5 -- .../hosts/carol/etc/strongswan.conf | 25 --------- .../tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config | 4 -- .../tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf | 3 -- .../tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets | 3 -- .../tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql | 4 -- .../tnccs-20-pt-tls/hosts/dave/etc/iptables.rules | 20 ------- .../tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options | 6 --- .../tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf | 22 -------- .../tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config | 4 -- testing/tests/tnc/tnccs-20-pt-tls/posttest.dat | 8 --- testing/tests/tnc/tnccs-20-pt-tls/pretest.dat | 19 ------- testing/tests/tnc/tnccs-20-pt-tls/test.conf | 26 --------- .../tests/tnc/tnccs-20-pts-no-ecc/description.txt | 15 +++--- testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat | 4 +- .../hosts/carol/etc/strongswan.conf | 8 +-- .../hosts/dave/etc/strongswan.conf | 7 ++- .../hosts/moon/etc/pts/data1.sql | 2 +- .../hosts/moon/etc/strongswan.conf | 7 ++- testing/tests/tnc/tnccs-20-pts/description.txt | 13 ++--- testing/tests/tnc/tnccs-20-pts/evaltest.dat | 16 +++--- .../tnccs-20-pts/hosts/carol/etc/strongswan.conf | 8 +-- .../tnccs-20-pts/hosts/dave/etc/strongswan.conf | 6 +-- .../tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql | 2 +- .../tnccs-20-pts/hosts/moon/etc/strongswan.conf | 7 ++- .../tnc/tnccs-20-pts/hosts/moon/etc/tnc_config | 1 - .../tnc/tnccs-20-server-retry/description.txt | 9 ++-- .../hosts/carol/etc/strongswan.conf | 8 +-- .../hosts/dave/etc/strongswan.conf | 7 ++- .../hosts/moon/etc/strongswan.conf | 7 ++- testing/tests/tnc/tnccs-20-tls/description.txt | 9 ++-- .../tnccs-20-tls/hosts/carol/etc/strongswan.conf | 8 +-- .../tnccs-20-tls/hosts/dave/etc/strongswan.conf | 8 +-- .../tnccs-20-tls/hosts/moon/etc/strongswan.conf | 17 ++---- .../tnc/tnccs-20/hosts/carol/etc/strongswan.conf | 8 +-- .../tnc/tnccs-20/hosts/dave/etc/strongswan.conf | 7 ++- .../tnc/tnccs-20/hosts/moon/etc/strongswan.conf | 7 ++- testing/tests/tnc/tnccs-dynamic/description.txt | 1 + .../tnccs-dynamic/hosts/carol/etc/strongswan.conf | 5 ++ .../tnccs-dynamic/hosts/dave/etc/strongswan.conf | 5 ++ .../tnccs-dynamic/hosts/moon/etc/strongswan.conf | 1 + 180 files changed, 1435 insertions(+), 928 deletions(-) create mode 100644 testing/tests/tnc/tnccs-20-os-pts/description.txt create mode 100644 testing/tests/tnc/tnccs-20-os-pts/evaltest.dat create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-os-pts/posttest.dat create mode 100644 testing/tests/tnc/tnccs-20-os-pts/pretest.dat create mode 100644 testing/tests/tnc/tnccs-20-os-pts/test.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/description.txt create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat create mode 100644 testing/tests/tnc/tnccs-20-pdp-eap/test.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat create mode 100644 testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/description.txt delete mode 100644 testing/tests/tnc/tnccs-20-pdp/evaltest.dat delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules delete mode 100644 testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-pdp/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-20-pdp/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-20-pdp/test.conf delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/description.txt delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/posttest.dat delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/pretest.dat delete mode 100644 testing/tests/tnc/tnccs-20-pt-tls/test.conf (limited to 'testing/tests/tnc') diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf index 73646f8db..2f104f53a 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf @@ -2,5 +2,12 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf index 73646f8db..2f104f53a 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf @@ -2,5 +2,12 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } diff --git a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf index 3975f09a9..51425ac98 100644 --- a/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf @@ -2,12 +2,18 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes + phase2_tnc_method = tnc + } + eap-tnc { + protocol = tnccs-1.1 } } } diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf index 4cc205cf7..4c770388d 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf @@ -2,7 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf index ac469590c..df385d55b 100644 --- a/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf @@ -2,7 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql index 2bb7e7924..8b36df5e3 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql @@ -3,7 +3,7 @@ INSERT INTO devices ( /* 1 */ value, product, created ) VALUES ( - 'aabbccddeeff11223344556677889900', 28, 1372330615 + 'aabbccddeeff11223344556677889900', 42, 1372330615 ); /* Groups Members */ diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf index 56c6b9f57..4eeff496c 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf @@ -2,7 +2,14 @@ charon { load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf index 145ad9d2d..7c27dbd71 100644 --- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf @@ -2,7 +2,14 @@ charon { load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf index 4cc205cf7..4c770388d 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf @@ -2,7 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf index 5dbee558f..5424f4ca2 100644 --- a/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf @@ -2,7 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf index 4cc205cf7..4c770388d 100644 --- a/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf @@ -2,7 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf index 5dbee558f..5424f4ca2 100644 --- a/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf @@ -2,7 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown + multiple_authentication=no + + plugins { + eap-tnc { + protocol = tnccs-1.1 + } + } } libimcv { diff --git a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf index 2fe4cf001..3037d0082 100644 --- a/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf @@ -2,12 +2,18 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes + phase2_tnc_method = tnc + } + eap-tnc { + protocol = tnccs-1.1 } } } diff --git a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf index ced332cc4..20c0928b9 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = de, en } diff --git a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf index 70a1b07e6..64a25b405 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + multiple_authentication=no + plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = ru, fr, en } diff --git a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf index 59dce1874..7ee2ead8c 100644 --- a/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf @@ -2,16 +2,15 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } tnc-imv { recommendation_policy = all } diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf index f202bbfa8..c0e5e9476 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf index 996169add..4c31a78f6 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = ru , de, en } diff --git a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf index 3e6bc65a6..46c736700 100644 --- a/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf @@ -2,16 +2,15 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } } } diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf index 18e715785..d71893aad 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf @@ -2,10 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf index 18e715785..d71893aad 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf @@ -2,10 +2,6 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } diff --git a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf index 602979cf6..768138888 100644 --- a/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf @@ -2,15 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } } } diff --git a/testing/tests/tnc/tnccs-20-os-pts/description.txt b/testing/tests/tnc/tnccs-20-os-pts/description.txt new file mode 100644 index 000000000..0ade4ba30 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/description.txt @@ -0,0 +1,22 @@ +The roadwarriors carol and dave set up a connection each to gateway moon +using EAP-TTLS authentication only with the gateway presenting a server certificate and +the clients doing EAP-MD5 password-based authentication. +In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the +state of carol's and dave's operating system via the TNCCS 2.0 +client-server interface compliant with RFC 5793 PB-TNC. The OS and Attestation IMCs +exchange PA-TNC attributes with the OS and Attestation IMVs via the IF-M 1.0 measurement +protocol defined by RFC 5792 PA-TNC. +

+carol sends information on her operating system consisting of the PA-TNC attributes +Product Information, String Version, and Device ID up-front +to the Attestation IMV, whereas dave must be prompted by the IMV to do so via an +Attribute Request PA-TNC attribute. dave is instructed to do a reference +measurement on all files in the /bin directory. carol is then prompted to +measure a couple of individual files and the files in the /bin directory as +well as to get metadata on the /etc/tnc_confg configuration file. +

+carol passes the health test and dave fails because IP forwarding is +enabled. Based on these assessments which are communicated to the IMCs using the +Assessment Result PA-TNC attribute, the clients are connected by gateway moon +to the "rw-allow" and "rw-isolate" subnets, respectively. +

diff --git a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat new file mode 100644 index 000000000..f9bb03357 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat @@ -0,0 +1,20 @@ +carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES +dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES +dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*carol@strongswan.org - allow::YES +moon:: cat /var/log/daemon.log::added group membership 'allow'::YES +moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*dave@strongswan.org - isolate::YES +moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES +moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES +moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..d17473db1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imc 3, pts 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftid=carol@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=any + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..74942afda --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol@strongswan.org : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..f64fe6a0c --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf @@ -0,0 +1,15 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown + + multiple_authentication = no +} + +libimcv { + plugins { + imc-os { + push_info = yes + } + } +} diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..15dc93a0a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..d459bfc6c --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imc 3, pts 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftid=dave@strongswan.org + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightauth=any + rightsendcert=never + rightsubnet=10.1.0.0/16 + auto=add diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..5496df7ad --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..075919aec --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf @@ -0,0 +1,21 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + + multiple_authentication = no + + plugins { + tnc-imc { + preferred_language = de + } + } +} + +libimcv { + plugins { + imc-os { + push_info = no + } + } +} diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..15dc93a0a --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..bc8b2d8f9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf @@ -0,0 +1,34 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 3, imv 3, pts 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=eap-ttls + leftfirewall=yes + rightauth=eap-ttls + rightid=*@strongswan.org + rightsendcert=never + right=%any diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..2e277ccb0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem + +carol@strongswan.org : EAP "Ar3etTnp" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql new file mode 100644 index 000000000..8b36df5e3 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql @@ -0,0 +1,29 @@ +/* Devices */ + +INSERT INTO devices ( /* 1 */ + value, product, created +) VALUES ( + 'aabbccddeeff11223344556677889900', 42, 1372330615 +); + +/* Groups Members */ + +INSERT INTO groups_members ( + group_id, device_id +) VALUES ( + 10, 1 +); + +INSERT INTO enforcements ( + policy, group_id, max_age, rec_fail, rec_noresult +) VALUES ( + 3, 10, 0, 2, 2 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 16, 2, 0 +); + +DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..e81908f31 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf @@ -0,0 +1,31 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite + + multiple_authentication = no + + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + } + } +} + +libimcv { + database = sqlite:///etc/pts/config.db + policy_script = ipsec imv_policy_manager + plugins { + imv-attestation { + hash_algorithm = sha1 + } + } +} + +attest { + load = random nonce openssl sqlite + database = sqlite:///etc/pts/config.db +} + diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config new file mode 100644 index 000000000..6507baaa1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan client + +IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so +IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so diff --git a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat new file mode 100644 index 000000000..48514d6e0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat @@ -0,0 +1,8 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush +carol::echo 1 > /proc/sys/net/ipv4/ip_forward +moon::rm /etc/pts/config.db diff --git a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat new file mode 100644 index 000000000..49ea0416e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat @@ -0,0 +1,18 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +carol::echo 0 > /proc/sys/net/ipv4/ip_forward +dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id +moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +moon::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +moon::ipsec start +dave::ipsec start +carol::ipsec start +dave::sleep 1 +dave::ipsec up home +carol::ipsec up home +carol::sleep 1 +moon::ipsec attest --sessions +moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-os-pts/test.conf b/testing/tests/tnc/tnccs-20-os-pts/test.conf new file mode 100644 index 000000000..a8a05af19 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-os-pts/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/tnc/tnccs-20-os/description.txt b/testing/tests/tnc/tnccs-20-os/description.txt index 941113434..c4a2c90c4 100644 --- a/testing/tests/tnc/tnccs-20-os/description.txt +++ b/testing/tests/tnc/tnccs-20-os/description.txt @@ -1,12 +1,13 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -state of carol's and dave's operating system via the TNCCS 2.0 -client-server interface compliant with RFC 5793 PB-TNC. The OS IMC and OS IMV pair -is using the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC to -exchange PA-TNC attributes. -

+

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS tunnel +to determine the state of carol's and dave's operating system via the IF-TNCCS 2.0 +client-server interface compliant with RFC 5793 PB-TNC. The OS and Attestation IMCs +exchange PA-TNC attributes with the OS IMV via the IF-M 1.0 measurement protocol +defined by RFC 5792 PA-TNC. +

carol sends information on her operating system consisting of the PA-TNC attributes Product Information, String Version, Numeric Version, Operational Status, Forwarding Enabled, Factory Default Password Enabled diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat index 21a7278d7..b9f094ffd 100644 --- a/testing/tests/tnc/tnccs-20-os/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat @@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon:: ipsec attest --sessions 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES +moon:: ipsec attest --sessions 2> /dev/null::Debian 7.5 x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec attest --sessions 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES +moon:: ipsec attest --sessions 2> /dev/null::Debian 7.5 x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES diff --git a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf index 34941e52c..4f5993e07 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf index 49f778f5b..4ed358dee 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = de } diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql index 6682a5a1c..6e7e10feb 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql +++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql @@ -3,7 +3,7 @@ INSERT INTO devices ( /* 1 */ value, product, created ) VALUES ( - 'aabbccddeeff11223344556677889900', 28, 1372330615 + 'aabbccddeeff11223344556677889900', 42, 1372330615 ); /* Groups Members */ @@ -27,7 +27,7 @@ INSERT INTO identities ( INSERT INTO sessions ( time, connection, identity, device, product, rec ) VALUES ( - NOW, 1, 1, 1, 28, 0 + NOW, 1, 1, 1, 42, 0 ); /* Results */ diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf index 3e017e905..ed81c1778 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf @@ -2,16 +2,15 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } } } diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat index 0ac88dd8d..d991ee325 100644 --- a/testing/tests/tnc/tnccs-20-os/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os/pretest.dat @@ -15,6 +15,6 @@ carol::sleep 1 carol::ipsec up home dave::ipsec up home dave::sleep 1 -moon::ipsec attest --packages --product 'Debian 7.2 x86_64' +moon::ipsec attest --packages --product 'Debian 7.4 x86_64' moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/description.txt b/testing/tests/tnc/tnccs-20-pdp-eap/description.txt new file mode 100644 index 000000000..a178211e1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/description.txt @@ -0,0 +1,12 @@ +The roadwarriors carol and dave set up a connection each to the policy enforcement +point moon. At the outset the gateway authenticates itself to the clients by sending an IKEv2 +RSA signature accompanied by a certificate. carol and dave then set up an +EAP-TTLS tunnel each via gateway moon to the policy decision point alice +authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak +client authentication based on EAP-MD5. In a next step the EAP-TNC protocol is used within +the EAP-TTLS tunnel to determine the health of carol and dave via the IF-TNCCS 2.0 +client-server interface defined by RFC 5793 PB-TNC. The communication between IMCs and IMVs +is based on the IF-M protocol defined by RFC 5792 PA-TNC. +

+carol passes the health test and dave fails. Based on these measurements the clients +are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat new file mode 100644 index 000000000..9a477bd04 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat @@ -0,0 +1,29 @@ +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES +dave:: cat /var/log/daemon.log::collected 372 SWID tags::YES +dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES +dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES +carol::cat /var/log/daemon.log::collected 373 SWID tag IDs::YES +carol::cat /var/log/daemon.log::collected 1 SWID tag::YES +carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by password::YES +alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and 372 SWID tags::YES +alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES +alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 9: allow - received inventory of 373 SWID tag IDs and 1 SWID tag::YES +moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES +moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES +moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES +moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES +moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default new file mode 100644 index 000000000..626000612 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default @@ -0,0 +1,26 @@ +WSGIPythonPath /var/www/tnc + + + ServerName tnc.strongswan.org + ServerAlias tnc + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/tnc + + + + Order deny,allow + Allow from all + + + + WSGIScriptAlias / /var/www/tnc/config/wsgi.py + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + + Alias /static/ /var/www/tnc/static/ + + ErrorLog ${APACHE_LOG_DIR}/tnc/error.log + LogLevel warn + CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined + diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..f2e611952 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf @@ -0,0 +1,9 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imv 3" + +conn aaa + leftcert=aaaCert.pem + leftid=aaa.strongswan.org + auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem new file mode 100644 index 000000000..6aeb0c0b1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R +RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm +Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W +Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF +AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni +wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg +EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y +Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa +yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp +iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2 +bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d +HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr +EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4 +v42sww== +-----END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem new file mode 100644 index 000000000..da8cdb051 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx +bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh +9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ +/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp +NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR +BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds +Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi +NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV +IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3 +Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI +aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X +YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq +b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If +/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN +P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X +V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t +cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c +PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m +a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo +NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b +xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/ +J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5 +YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ +SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu +EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..11d45cd14 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA aaaKey.pem + +carol : EAP "Ar3etTnp" +dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql new file mode 100644 index 000000000..8adc45915 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql @@ -0,0 +1,61 @@ +/* Devices */ + +INSERT INTO devices ( /* 1 */ + value, product, created +) VALUES ( + 'aabbccddeeff11223344556677889900', 42, 1372330615 +); + +/* Groups Members */ + +INSERT INTO groups_members ( + group_id, device_id +) VALUES ( + 10, 1 +); + +/* Identities */ + +INSERT INTO identities ( + type, value +) VALUES ( /* dave@strongswan.org */ + 5, X'64617665' +); + +/* Sessions */ + +INSERT INTO sessions ( + time, connection, identity, device, product, rec +) VALUES ( + NOW, 1, 1, 1, 42, 0 +); + +/* Results */ + +INSERT INTO results ( + session, policy, rec, result +) VALUES ( + 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found' +); + +/* Enforcements */ + +INSERT INTO enforcements ( + policy, group_id, max_age, rec_fail, rec_noresult +) VALUES ( + 3, 10, 0, 2, 2 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 17, 2, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 18, 10, 86400 +); + +DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini new file mode 100644 index 000000000..5e7b7b556 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini @@ -0,0 +1,19 @@ +[debug] +DEBUG=0 +TEMPLATE_DEBUG=0 +DEBUG_TOOLBAR=0 + +[db] +DJANGO_DB_URL=sqlite:////var/www/tnc/django.db +STRONGTNC_DB_URL = sqlite:////etc/pts/config.db + +[localization] +LANGUAGE_CODE=en-us +TIME_ZONE=Europe/Zurich + +[admins] +Your Name: alice@strongswan.org + +[security] +SECRET_KEY=strongSwan +ALLOWED_HOSTS=127.0.0.1,10.10.0.1,tnc.strongswan.org,tnc diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..a60f1dead --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf @@ -0,0 +1,35 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite + + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + max_message_count = 0 + } + eap-tnc { + max_message_count = 0 + } + tnc-pdp { + server = aaa.strongswan.org + radius { + secret = gv6URkSs + } + } + } +} + +libimcv { + debug_level = 3 + database = sqlite:///etc/pts/config.db + policy_script = ipsec imv_policy_manager + + plugins { + imv-swid { + rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/ + } + } +} diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..ebe88bc99 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan client + +IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so +IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..6e6430e4d --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + eap_identity=carol + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..23d79cf2e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c040f0997 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf @@ -0,0 +1,18 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + + plugins { + eap-ttls { + max_message_count = 0 + } + eap-tnc { + max_message_count = 0 + } + tnccs-20 { + max_batch_size = 32754 + max_message_size = 32722 + } + } +} diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a954883a4 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..4846af279 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + eap_identity=dave + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..02e0c9963 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..cd9efeecb --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf @@ -0,0 +1,30 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + + plugins { + eap-ttls { + max_message_count = 0 + } + eap-tnc { + max_message_count = 0 + } + tnccs-20 { + max_batch_size = 32754 + max_message_size = 32722 + } + } +} + +libimcv { + plugins { + imc-os { + push_info = no + } + imc-swid { + swid_directory = /usr/share + swid_pretty = no + } + } +} diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a954883a4 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..02ada5665 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=pubkey + leftfirewall=yes + rightauth=eap-radius + rightsendcert=never + right=%any + eap_identity=%any diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..d32951866 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + #server = PH_IP6_ALICE + server = PH_IP_ALICE + filter_id = yes + } + } +} diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat new file mode 100644 index 000000000..1e5c3f8cd --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat @@ -0,0 +1,9 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::ipsec stop +alice::service apache2 stop +alice::rm /etc/pts/config.db +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat new file mode 100644 index 000000000..4ba63d1c5 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat @@ -0,0 +1,21 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::echo 0 > /proc/sys/net/ipv4/ip_forward +dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id +alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql +alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db +alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan +alice::service apache2 start +alice::ipsec start +moon::ipsec start +dave::ipsec start +carol::ipsec start +carol::sleep 1 +dave::ipsec up home +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/test.conf b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf new file mode 100644 index 000000000..c4ca1a19f --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave alice" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt new file mode 100644 index 000000000..45a77e900 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt @@ -0,0 +1,9 @@ +The PT-TLS (RFC 6876) clients carol and dave set up a connection each to the policy decision +point (PDP) alice. carol uses password-based SASL PLAIN client authentication during the +PT-TLS negotiation phase and dave uses certificate-based TLS client authentication during the +TLS setup phase. +

+During the ensuing PT-TLS data transport phase the OS and SWID IMC/IMV pairs +loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages +embedded in PB-TNC (RFC 5793) batches. The SWID IMC on carol is requested to deliver +a concise SWID Tag ID Inventory whereas dave must send a full SWID Tag Inventory. diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat new file mode 100644 index 000000000..9327f51bf --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat @@ -0,0 +1,19 @@ +dave:: cat /var/log/auth.log::sending TLS CertificateVerify handshake::YES +dave:: cat /var/log/auth.log::collected 372 SWID tags::YES +carol::cat /var/log/auth.log::received SASL Success result::YES +carol::cat /var/log/auth.log::collected 373 SWID tag IDs::YES +carol::cat /var/log/auth.log::collected 1 SWID tag::YES +alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES +alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES +alice::cat /var/log/daemon.log::certificate status is good::YES +alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES +alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES +alice::cat /var/log/daemon.log::received SWID tag inventory with 372 items for request 3 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES +alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES +alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES +alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES +alice::cat /var/log/daemon.log::received SWID tag ID inventory with 373 items for request 9 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::1 SWID tag target::YES +alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default new file mode 100644 index 000000000..626000612 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default @@ -0,0 +1,26 @@ +WSGIPythonPath /var/www/tnc + + + ServerName tnc.strongswan.org + ServerAlias tnc + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/tnc + + + + Order deny,allow + Allow from all + + + + WSGIScriptAlias / /var/www/tnc/config/wsgi.py + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + + Alias /static/ /var/www/tnc/static/ + + ErrorLog ${APACHE_LOG_DIR}/tnc/error.log + LogLevel warn + CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined + diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..7b2118f7e --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf @@ -0,0 +1,9 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tls 2, tnc 2, imv 3" + +conn aaa + leftcert=aaaCert.pem + leftid=aaa.strongswan.org + auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem new file mode 100644 index 000000000..6aeb0c0b1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R +RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm +Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W +Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF +AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni +wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg +EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y +Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa +yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp +iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2 +bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d +HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr +EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4 +v42sww== +-----END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem new file mode 100644 index 000000000..da8cdb051 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx +bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh +9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ +/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp +NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR +BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds +Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi +NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV +IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3 +Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI +aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X +YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq +b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If +/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN +P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X +V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t +cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c +PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m +a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo +NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b +xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/ +J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5 +YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ +SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu +EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..11d45cd14 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA aaaKey.pem + +carol : EAP "Ar3etTnp" +dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules new file mode 100644 index 000000000..1586214d8 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# open loopback interface +-A INPUT -i lo -j ACCEPT +-A OUTPUT -o lo -j ACCEPT + +# allow PT-TLS +-A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +COMMIT diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql new file mode 100644 index 000000000..14f9d7de6 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql @@ -0,0 +1,61 @@ +/* Devices */ + +INSERT INTO devices ( /* 1 */ + value, product, created +) VALUES ( + 'aabbccddeeff11223344556677889900', 42, 1372330615 +); + +/* Groups Members */ + +INSERT INTO groups_members ( + group_id, device_id +) VALUES ( + 10, 1 +); + +/* Identities */ + +INSERT INTO identities ( + type, value +) VALUES ( /* dave@strongswan.org */ + 4, X'64617665407374726f6e677377616e2e6f7267' +); + +/* Sessions */ + +INSERT INTO sessions ( + time, connection, identity, device, product, rec +) VALUES ( + NOW, 1, 1, 1, 42, 0 +); + +/* Results */ + +INSERT INTO results ( + session, policy, rec, result +) VALUES ( + 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found' +); + +/* Enforcements */ + +INSERT INTO enforcements ( + policy, group_id, max_age, rec_fail, rec_noresult +) VALUES ( + 3, 10, 0, 2, 2 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 17, 2, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 18, 10, 86400 +); + +DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini new file mode 100644 index 000000000..5e7b7b556 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini @@ -0,0 +1,19 @@ +[debug] +DEBUG=0 +TEMPLATE_DEBUG=0 +DEBUG_TOOLBAR=0 + +[db] +DJANGO_DB_URL=sqlite:////var/www/tnc/django.db +STRONGTNC_DB_URL = sqlite:////etc/pts/config.db + +[localization] +LANGUAGE_CODE=en-us +TIME_ZONE=Europe/Zurich + +[admins] +Your Name: alice@strongswan.org + +[security] +SECRET_KEY=strongSwan +ALLOWED_HOSTS=127.0.0.1,10.10.0.1,tnc.strongswan.org,tnc diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..eb807b189 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf @@ -0,0 +1,29 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 nonce x509 revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite + + plugins { + tnc-pdp { + server = aaa.strongswan.org + radius { + secret = gv6URkSs + } + } + } +} + +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +} + +libimcv { + database = sqlite:///etc/pts/config.db + policy_script = ipsec imv_policy_manager + + plugins { + imv-swid { + rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/ + } + } +} diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..ebe88bc99 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan client + +IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so +IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..4a41e7ed9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf @@ -0,0 +1,3 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +# the PT-TLS client reads its configuration via the command line diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..d2f6378b8 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# the PT-TLS client loads its secrets via the command line diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql new file mode 100644 index 000000000..805c8bfd9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql @@ -0,0 +1,4 @@ +/* strongSwan SQLite database */ + +/* configuration is read from the command line */ +/* credentials are read from the command line */ diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules new file mode 100644 index 000000000..d01d0a3c9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow PT-TLS +-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT +-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +COMMIT diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options new file mode 100644 index 000000000..d485e9bf7 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options @@ -0,0 +1,6 @@ +--connect aaa.strongswan.org +--client carol +--secret "Ar3etTnp" +--cert /etc/ipsec.d/cacerts/strongswanCert.pem +--quiet +--debug 2 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..29fdf0235 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +} + +pt-tls-client { + load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20 +} diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..f40174e57 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..4a41e7ed9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf @@ -0,0 +1,3 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +# the PT-TLS client reads its configuration via the command line diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..d2f6378b8 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# the PT-TLS client loads its secrets via the command line diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql new file mode 100644 index 000000000..805c8bfd9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql @@ -0,0 +1,4 @@ +/* strongSwan SQLite database */ + +/* configuration is read from the command line */ +/* credentials are read from the command line */ diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules new file mode 100644 index 000000000..d01d0a3c9 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow PT-TLS +-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT +-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +COMMIT diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options new file mode 100644 index 000000000..ca3ca3aa1 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options @@ -0,0 +1,7 @@ +--connect aaa.strongswan.org +--client dave@strongswan.org +--key /etc/ipsec.d/private/daveKey.pem +--cert /etc/ipsec.d/certs/daveCert.pem +--cert /etc/ipsec.d/cacerts/strongswanCert.pem +--quiet +--debug 2 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..0a7f048bf --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf @@ -0,0 +1,21 @@ +# /etc/strongswan.conf - strongSwan configuration file + +libimcv { + plugins { + imc-os { + push_info = no + } + imc-swid { + swid_directory = /usr/share + swid_pretty = yes + } + } +} + +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +} + +pt-tls-client { + load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20 +} diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..f40174e57 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat new file mode 100644 index 000000000..b7da857a7 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat @@ -0,0 +1,9 @@ +carol::ip route del 10.1.0.0/16 via 192.168.0.1 +dave::ip route del 10.1.0.0/16 via 192.168.0.1 +winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 +alice::ipsec stop +alice::service apache2 stop +alice::rm /etc/pts/config.db +alice::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat new file mode 100644 index 000000000..ca8f47db0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat @@ -0,0 +1,23 @@ +alice::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +carol::echo 0 > /proc/sys/net/ipv4/ip_forward +dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id +dave::cat /etc/tnc_config +alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql +alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db +alice::/var/www/tnc/manage.py setpassword strongSwan strongSwan +alice::service apache2 start +alice::ipsec start +alice::sleep 1 +winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 +dave::ip route add 10.1.0.0/16 via 192.168.0.1 +dave::cat /etc/pts/options +dave::ipsec pt-tls-client --optionsfrom /etc/pts/options +carol::ip route add 10.1.0.0/16 via 192.168.0.1 +carol::cat /etc/pts/options +carol::ipsec pt-tls-client --optionsfrom /etc/pts/options +carol::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf new file mode 100644 index 000000000..0887e4d09 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="carol dave alice" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tests/tnc/tnccs-20-pdp/description.txt b/testing/tests/tnc/tnccs-20-pdp/description.txt deleted file mode 100644 index a178211e1..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/description.txt +++ /dev/null @@ -1,12 +0,0 @@ -The roadwarriors carol and dave set up a connection each to the policy enforcement -point moon. At the outset the gateway authenticates itself to the clients by sending an IKEv2 -RSA signature accompanied by a certificate. carol and dave then set up an -EAP-TTLS tunnel each via gateway moon to the policy decision point alice -authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak -client authentication based on EAP-MD5. In a next step the EAP-TNC protocol is used within -the EAP-TTLS tunnel to determine the health of carol and dave via the IF-TNCCS 2.0 -client-server interface defined by RFC 5793 PB-TNC. The communication between IMCs and IMVs -is based on the IF-M protocol defined by RFC 5792 PA-TNC. -

-carol passes the health test and dave fails. Based on these measurements the clients -are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat deleted file mode 100644 index 505a4d079..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat +++ /dev/null @@ -1,22 +0,0 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES -carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES -dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES -dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES -moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES -moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES -moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES -moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES -moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES -moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES -carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES -carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO -dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf deleted file mode 100644 index 6f673dcc5..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,9 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imv 3" - -conn aaa - leftcert=aaaCert.pem - leftid=aaa.strongswan.org - auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem deleted file mode 100644 index 6aeb0c0b1..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z -dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R -RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm -Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W -Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF -AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni -wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg -EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD -AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd -p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT -EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB -ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB -BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y -Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa -yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp -iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2 -bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d -HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr -EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4 -v42sww== ------END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem deleted file mode 100644 index da8cdb051..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx -bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh -9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ -/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp -NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR -BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds -Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi -NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV -IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3 -Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI -aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X -YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq -b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If -/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN -P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X -V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t -cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c -PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m -a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo -NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b -xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/ -J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5 -YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ -SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu -EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b ------END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets deleted file mode 100644 index 11d45cd14..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA aaaKey.pem - -carol : EAP "Ar3etTnp" -dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf deleted file mode 100644 index ec4956c31..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,30 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 - plugins { - eap-ttls { - phase2_method = md5 - phase2_piggyback = yes - phase2_tnc = yes - } - eap-tnc { - protocol = tnccs-2.0 - } - tnc-pdp { - server = aaa.strongswan.org - radius { - secret = gv6URkSs - } - } - } -} - -libimcv { - debug_level = 3 - plugins { - imv-test { - rounds = 1 - } - } -} diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config deleted file mode 100644 index da732f68b..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMV configuration file for strongSwan client - -IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so -IMV "Scanner" /usr/local/lib/ipsec/imcvs/imv-scanner.so diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 59563730b..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_CAROL - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - eap_identity=carol - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index 23d79cf2e..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol : EAP "Ar3etTnp" diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 808f1d11a..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,18 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } -} - -libimcv { - plugins { - imc-test { - command = allow - } - } -} diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config deleted file mode 100644 index 6166552f5..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so -IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 8c27c78d2..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,23 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tnc 3, imc 3" - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn home - left=PH_IP_DAVE - leftauth=eap - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - rightauth=pubkey - eap_identity=dave - aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" - auto=add diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 02e0c9963..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 96ff63ab1..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,21 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } -} - -libimcv { - plugins { - imc-test { - command = isolate - } - imc-scannner { - push_info = no - } - } -} diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config deleted file mode 100644 index 6166552f5..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so -IMC "Scanner" /usr/local/lib/ipsec/imcvs/imc-scanner.so diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 02ada5665..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,33 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - keyexchange=ikev2 - -conn rw-allow - rightgroups=allow - leftsubnet=10.1.0.0/28 - also=rw-eap - auto=add - -conn rw-isolate - rightgroups=isolate - leftsubnet=10.1.0.16/28 - also=rw-eap - auto=add - -conn rw-eap - left=PH_IP_MOON - leftcert=moonCert.pem - leftid=@moon.strongswan.org - leftauth=pubkey - leftfirewall=yes - rightauth=eap-radius - rightsendcert=never - right=%any - eap_identity=%any diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index e86d6aa5c..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA moonKey.pem diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules deleted file mode 100644 index 1eb755354..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules +++ /dev/null @@ -1,32 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow esp --A INPUT -i eth0 -p 50 -j ACCEPT --A OUTPUT -o eth0 -p 50 -j ACCEPT - -# allow IKE --A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT - -# allow MobIKE --A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT --A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT - -# allow RADIUS protocol with alice --A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT --A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf deleted file mode 100644 index d32951866..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,14 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown - multiple_authentication=no - plugins { - eap-radius { - secret = gv6URkSs - #server = PH_IP6_ALICE - server = PH_IP_ALICE - filter_id = yes - } - } -} diff --git a/testing/tests/tnc/tnccs-20-pdp/posttest.dat b/testing/tests/tnc/tnccs-20-pdp/posttest.dat deleted file mode 100644 index e7eecd5f4..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/posttest.dat +++ /dev/null @@ -1,7 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -alice::ipsec stop -moon::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp/pretest.dat b/testing/tests/tnc/tnccs-20-pdp/pretest.dat deleted file mode 100644 index 32ed4d854..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/pretest.dat +++ /dev/null @@ -1,14 +0,0 @@ -moon::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -alice::cat /etc/tnc_config -carol::cat /etc/tnc_config -dave::cat /etc/tnc_config -alice::ipsec start -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 1 -carol::ipsec up home -dave::ipsec up home -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-pdp/test.conf b/testing/tests/tnc/tnccs-20-pdp/test.conf deleted file mode 100644 index c4ca1a19f..000000000 --- a/testing/tests/tnc/tnccs-20-pdp/test.conf +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice venus moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-v-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave alice" - -# Guest instances on which FreeRadius is started -# -RADIUSHOSTS= - diff --git a/testing/tests/tnc/tnccs-20-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-pt-tls/description.txt deleted file mode 100644 index 45a77e900..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/description.txt +++ /dev/null @@ -1,9 +0,0 @@ -The PT-TLS (RFC 6876) clients carol and dave set up a connection each to the policy decision -point (PDP) alice. carol uses password-based SASL PLAIN client authentication during the -PT-TLS negotiation phase and dave uses certificate-based TLS client authentication during the -TLS setup phase. -

-During the ensuing PT-TLS data transport phase the OS and SWID IMC/IMV pairs -loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages -embedded in PB-TNC (RFC 5793) batches. The SWID IMC on carol is requested to deliver -a concise SWID Tag ID Inventory whereas dave must send a full SWID Tag Inventory. diff --git a/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat deleted file mode 100644 index 3139ca082..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat +++ /dev/null @@ -1,12 +0,0 @@ -alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES -alice:: cat /var/log/daemon.log::SASL PLAIN authentication successful::YES -alice:: cat /var/log/daemon.log::SASL client identity is.*carol::YES -alice:: cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES -alice:: cat /var/log/daemon.log::received SWID tag ID inventory for request 6 at eid 1 of epoch::YES -alice:: cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-.*.swidtag::YES -alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES -alice:: cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES -alice:: cat /var/log/daemon.log::certificate status is good::YES -alice:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES -alice:: cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES -alice:: cat /var/log/daemon.log::received SWID tag inventory for request 11 at eid 1 of epoch::YES diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf deleted file mode 100644 index d8b84334a..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf +++ /dev/null @@ -1,9 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - charondebug="tls 2, tnc 3, imv 3" - -conn aaa - leftcert=aaaCert.pem - leftid=aaa.strongswan.org - auto=add diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem deleted file mode 100644 index 6aeb0c0b1..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem +++ /dev/null @@ -1,25 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ -MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS -b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE -BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z -dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R -RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm -Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W -Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF -AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni -wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg -EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD -AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd -p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT -EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB -ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB -BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y -Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa -yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp -iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2 -bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d -HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr -EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4 -v42sww== ------END CERTIFICATE----- diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem deleted file mode 100644 index da8cdb051..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx -bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh -9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ -/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp -NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR -BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds -Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi -NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV -IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3 -Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI -aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X -YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq -b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If -/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN -P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X -V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t -cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c -PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m -a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo -NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b -xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/ -J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5 -YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ -SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu -EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b ------END RSA PRIVATE KEY----- diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets deleted file mode 100644 index 11d45cd14..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets +++ /dev/null @@ -1,6 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: RSA aaaKey.pem - -carol : EAP "Ar3etTnp" -dave : EAP "W7R0g3do" diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules deleted file mode 100644 index 5b275392b..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules +++ /dev/null @@ -1,20 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow PT-TLS --A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT --A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql deleted file mode 100644 index 71592211b..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql +++ /dev/null @@ -1,61 +0,0 @@ -/* Devices */ - -INSERT INTO devices ( /* 1 */ - value, product, created -) VALUES ( - 'aabbccddeeff11223344556677889900', 28, 1372330615 -); - -/* Groups Members */ - -INSERT INTO groups_members ( - group_id, device_id -) VALUES ( - 10, 1 -); - -/* Identities */ - -INSERT INTO identities ( - type, value -) VALUES ( /* dave@strongswan.org */ - 4, X'64617665407374726f6e677377616e2e6f7267' -); - -/* Sessions */ - -INSERT INTO sessions ( - time, connection, identity, device, product, rec -) VALUES ( - NOW, 1, 1, 1, 28, 0 -); - -/* Results */ - -INSERT INTO results ( - session, policy, rec, result -) VALUES ( - 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found' -); - -/* Enforcements */ - -INSERT INTO enforcements ( - policy, group_id, max_age, rec_fail, rec_noresult -) VALUES ( - 3, 10, 0, 2, 2 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 17, 2, 86400 -); - -INSERT INTO enforcements ( - policy, group_id, max_age -) VALUES ( - 18, 10, 86400 -); - -DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf deleted file mode 100644 index 21961d4b1..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf +++ /dev/null @@ -1,28 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -charon { - load = curl pem pkcs1 nonce x509 revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite - - plugins { - tnc-pdp { - server = aaa.strongswan.org - radius { - secret = gv6URkSs - } - } - } -} - -libtnccs { - plugins { - tnccs-20 { - max_batch_size = 131056 - max_message_size = 131024 - } - } -} - -libimcv { - database = sqlite:///etc/pts/config.db - policy_script = ipsec imv_policy_manager -} diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config deleted file mode 100644 index ebe88bc99..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMV configuration file for strongSwan client - -IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so -IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 4a41e7ed9..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -# the PT-TLS client reads its configuration via the command line diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index d2f6378b8..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -# the PT-TLS client loads its secrets via the command line diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql deleted file mode 100644 index 805c8bfd9..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql +++ /dev/null @@ -1,4 +0,0 @@ -/* strongSwan SQLite database */ - -/* configuration is read from the command line */ -/* credentials are read from the command line */ diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules deleted file mode 100644 index d01d0a3c9..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules +++ /dev/null @@ -1,20 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow PT-TLS --A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT --A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options deleted file mode 100644 index f04e9472a..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options +++ /dev/null @@ -1,5 +0,0 @@ ---connect aaa.strongswan.org ---client carol ---secret "Ar3etTnp" ---cert /etc/ipsec.d/cacerts/strongswanCert.pem ---debug 2 diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf deleted file mode 100644 index de2fea244..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,25 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -libimcv { - plugins { - imc-os { - push_info = yes - } - imc-swid { - #swid_directory = /usr/share - } - } -} - -libtnccs { - plugins { - tnccs-20 { - max_batch_size = 131056 - max_message_size = 131024 - } - } -} - -pt-tls-client { - load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20 -} diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config deleted file mode 100644 index f40174e57..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so -IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 4a41e7ed9..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -# the PT-TLS client reads its configuration via the command line diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index d2f6378b8..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,3 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -# the PT-TLS client loads its secrets via the command line diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql deleted file mode 100644 index 805c8bfd9..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql +++ /dev/null @@ -1,4 +0,0 @@ -/* strongSwan SQLite database */ - -/* configuration is read from the command line */ -/* credentials are read from the command line */ diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules deleted file mode 100644 index d01d0a3c9..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules +++ /dev/null @@ -1,20 +0,0 @@ -*filter - -# default policy is DROP --P INPUT DROP --P OUTPUT DROP --P FORWARD DROP - -# allow PT-TLS --A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT --A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT - -# allow ssh --A INPUT -p tcp --dport 22 -j ACCEPT --A OUTPUT -p tcp --sport 22 -j ACCEPT - -# allow crl fetch from winnetou --A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT --A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT - -COMMIT diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options deleted file mode 100644 index 46821ec73..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options +++ /dev/null @@ -1,6 +0,0 @@ ---connect aaa.strongswan.org ---client dave@strongswan.org ---key /etc/ipsec.d/private/daveKey.pem ---cert /etc/ipsec.d/certs/daveCert.pem ---cert /etc/ipsec.d/cacerts/strongswanCert.pem ---debug 2 diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 39b2577ae..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,22 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -libimcv { - plugins { - imc-os { - push_info = no - } - } -} - -libtnccs { - plugins { - tnccs-20 { - max_batch_size = 131056 - max_message_size = 131024 - } - } -} - -pt-tls-client { - load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20 -} diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config deleted file mode 100644 index f40174e57..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config +++ /dev/null @@ -1,4 +0,0 @@ -#IMC configuration file for strongSwan client - -IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so -IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so diff --git a/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat deleted file mode 100644 index c98df8671..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat +++ /dev/null @@ -1,8 +0,0 @@ -carol::ip route del 10.1.0.0/16 via 192.168.0.1 -dave::ip route del 10.1.0.0/16 via 192.168.0.1 -winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 -alice::ipsec stop -alice::rm /etc/pts/config.db -alice::iptables-restore < /etc/iptables.flush -carol::iptables-restore < /etc/iptables.flush -dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat deleted file mode 100644 index 97ff0c1ec..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat +++ /dev/null @@ -1,19 +0,0 @@ -alice::iptables-restore < /etc/iptables.rules -carol::iptables-restore < /etc/iptables.rules -dave::iptables-restore < /etc/iptables.rules -alice::cat /etc/tnc_config -carol::cat /etc/tnc_config -carol::echo 0 > /proc/sys/net/ipv4/ip_forward -dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id -dave::cat /etc/tnc_config -alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql -alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db -alice::ipsec start -winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 -carol::ip route add 10.1.0.0/16 via 192.168.0.1 -carol::cat /etc/pts/options -carol::ipsec pt-tls-client --optionsfrom /etc/pts/options -dave::ip route add 10.1.0.0/16 via 192.168.0.1 -dave::cat /etc/pts/options -dave::ipsec pt-tls-client --optionsfrom /etc/pts/options -dave::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pt-tls/test.conf deleted file mode 100644 index 0887e4d09..000000000 --- a/testing/tests/tnc/tnccs-20-pt-tls/test.conf +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# guest instances used for this test - -# All guest instances that are required for this test -# -VIRTHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# Guest instances on which tcpdump is to be started -# -TCPDUMPHOSTS="moon" - -# Guest instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="carol dave alice" - -# Guest instances on which FreeRadius is started -# -RADIUSHOSTS= - diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt index 29976509a..febf07401 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt @@ -1,12 +1,13 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -state of carol's and dave's operating system via the TNCCS 2.0 -client-server interface compliant with RFC 5793 PB-TNC. The OS IMC and OS IMV pair -is using the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC to -exchange PA-TNC attributes. -

+

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS +tunnel to determine the state of carol's and dave's operating system via the +TNCCS 2.0 client-server interface compliant with RFC 5793 PB-TNC. The OS IMC +and OS IMV pair is using the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC +to exchange PA-TNC attributes. +

carol sends information on her operating system consisting of the PA-TNC attributes Product Information, String Version, and Device ID up-front to the Attestation IMV, whereas dave must be prompted by the IMV to do so via an @@ -14,7 +15,7 @@ to the Attestation IMV, whereas dave must be prompted by the IMV to do so measurement on all files in the /bin directory. carol is then prompted to measure a couple of individual files and the files in the /bin directory as well as to get metadata on the /etc/tnc_confg configuration file. -

+

Since the Attestation IMV negotiates a Diffie-Hellman group for TPM-based measurements, the mandatory default being ecp256, with the strongswan.conf option mandatory_dh_groups = no no ECC support is required. diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat index 5eb944055..f9bb03357 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat @@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf index 72bf2c7c9..53bb9dfaa 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf index 6f71994ae..25c27be8b 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = de } diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql index 2bb7e7924..8b36df5e3 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql @@ -3,7 +3,7 @@ INSERT INTO devices ( /* 1 */ value, product, created ) VALUES ( - 'aabbccddeeff11223344556677889900', 28, 1372330615 + 'aabbccddeeff11223344556677889900', 42, 1372330615 ); /* Groups Members */ diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf index e76598b9a..07d620c0e 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf @@ -2,16 +2,15 @@ charon { load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } } } diff --git a/testing/tests/tnc/tnccs-20-pts/description.txt b/testing/tests/tnc/tnccs-20-pts/description.txt index e78a70091..e532ab2cf 100644 --- a/testing/tests/tnc/tnccs-20-pts/description.txt +++ b/testing/tests/tnc/tnccs-20-pts/description.txt @@ -1,12 +1,13 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -state of carol's and dave's operating system via the TNCCS 2.0 -client-server interface compliant with RFC 5793 PB-TNC. The OS IMC and OS IMV pair -is using the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC to -exchange PA-TNC attributes. -

+

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS tunnel +to determine the state of carol's and dave's operating system via the TNCCS 2.0 +client-server interface compliant with RFC 5793 PB-TNC. The OS and Attestation IMCs +exchange PA-TNC attributes with the OS IMV via the IF-M 1.0 measurement protocol +defined by RFC 5792 PA-TNC. +

carol sends information on her operating system consisting of the PA-TNC attributes Product Information, String Version, and Device ID up-front to the Attestation IMV, whereas dave must be prompted by the IMV to do so via an diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat index 5eb944055..2d18138e4 100644 --- a/testing/tests/tnc/tnccs-20-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat @@ -2,19 +2,19 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed' carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES -dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES +dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES -dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES +dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/28::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES -moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*dave@strongswan.org - allow::YES +moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES -moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.200/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO -dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES -dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf index e6046833c..f64fe6a0c 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf index 3236a18fa..79c79b87f 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf @@ -2,11 +2,9 @@ charon { load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = de } diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql index 2bb7e7924..8b36df5e3 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql +++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql @@ -3,7 +3,7 @@ INSERT INTO devices ( /* 1 */ value, product, created ) VALUES ( - 'aabbccddeeff11223344556677889900', 28, 1372330615 + 'aabbccddeeff11223344556677889900', 42, 1372330615 ); /* Groups Members */ diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf index 0298a5151..e81908f31 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf @@ -2,16 +2,15 @@ charon { load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } } } diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config index 6507baaa1..4865036f4 100644 --- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config +++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config @@ -1,4 +1,3 @@ #IMV configuration file for strongSwan client -IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so diff --git a/testing/tests/tnc/tnccs-20-server-retry/description.txt b/testing/tests/tnc/tnccs-20-server-retry/description.txt index b37fbd445..f9ee7b803 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/description.txt +++ b/testing/tests/tnc/tnccs-20-server-retry/description.txt @@ -1,10 +1,11 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the TNCCS 2.0 client-server interface -compliant with RFC 5793 PB-TNC. The IMC and IMV communicate are using the IF-M -protocol defined by RFC 5792 PA-TNC. +

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS +tunnel to determine the health of carol and dave via the IF-TNCCS 2.0 +client-server interface compliant with RFC 5793 PB-TNC. The IMCs and IMVs exchange +messages over the IF-M protocol defined by RFC 5792 PA-TNC.

The first time the TNC clients carol and dave send their measurements, TNC server moon requests a handshake retry. In the retry carol succeeds diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf index 6f145ab0b..5e661c36e 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf index fce949901..6b86fe897 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = ru , de, en } diff --git a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf index 3e6bc65a6..46c736700 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf @@ -2,16 +2,15 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } } } diff --git a/testing/tests/tnc/tnccs-20-tls/description.txt b/testing/tests/tnc/tnccs-20-tls/description.txt index a032d2d05..f193bd27b 100644 --- a/testing/tests/tnc/tnccs-20-tls/description.txt +++ b/testing/tests/tnc/tnccs-20-tls/description.txt @@ -1,9 +1,10 @@ The roadwarriors carol and dave set up a connection each to gateway moon, both ends doing certificate-based EAP-TLS authentication only. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 2.0 client-server interface -compliant with RFC 5793 PB-TNC. The IMC and IMV communicate are using the IF-M -protocol defined by RFC 5792 PA-TNC. +

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS +tunnel to determine the health of carol and dave via the IF-TNCCS 2.0 +client-server interface compliant with RFC 5793 PB-TNC. The IMCs and IMVs exchange +messages over the IF-M protocol defined by RFC 5792 PA-TNC.

carol passes the health test and dave fails. Based on these measurements the clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf index ada13a325..1cf2f0e72 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf index 0870ca667..0e63eaba4 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf index bc1d421c1..1a4dc8521 100644 --- a/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf @@ -2,25 +2,14 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { request_peer_auth = yes phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } - } -} - -libimcv { - plugins { - imv-scanner { - closed_port_policy = no - tcp_ports = 80 443 - udp_ports = - } } } diff --git a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf index 6d8c10eab..292bfa53f 100644 --- a/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf @@ -2,12 +2,8 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown - multiple_authentication=no - plugins { - eap-tnc { - protocol = tnccs-2.0 - } - } + + multiple_authentication = no } libimcv { diff --git a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf index 1e5f50b05..75f6d73da 100644 --- a/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf @@ -2,11 +2,10 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { - eap-tnc { - protocol = tnccs-2.0 - } tnc-imc { preferred_language = ru, pl , de } diff --git a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf index 1a0cc202e..94e1ee926 100644 --- a/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf @@ -2,16 +2,15 @@ charon { load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown - multiple_authentication=no + + multiple_authentication = no + plugins { eap-ttls { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes } - eap-tnc { - protocol = tnccs-2.0 - } } } diff --git a/testing/tests/tnc/tnccs-dynamic/description.txt b/testing/tests/tnc/tnccs-dynamic/description.txt index 21e9bc675..86f6323c3 100644 --- a/testing/tests/tnc/tnccs-dynamic/description.txt +++ b/testing/tests/tnc/tnccs-dynamic/description.txt @@ -1,6 +1,7 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. +

In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the health of TNC client carol via the TNCCS 1.1 client-server interface and of TNC client dave via the TNCCS 2.0 client-server interface. TNC server diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf index f4ea047ec..c8e5e8ad3 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/carol/etc/strongswan.conf @@ -10,6 +10,11 @@ charon { eap-tnc { protocol = tnccs-1.1 } + } +} + +libimcv { + plugins { imc-test { command = allow } diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf index 4c738ce42..9fc9cecee 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/dave/etc/strongswan.conf @@ -10,6 +10,11 @@ charon { eap-tnc { protocol = tnccs-2.0 } + } +} + +libimcv { + plugins { imc-test { command = isolate } diff --git a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf index 0b1cf10eb..0d547cbe0 100644 --- a/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf @@ -11,6 +11,7 @@ charon { phase2_method = md5 phase2_piggyback = yes phase2_tnc = yes + phase2_tnc_method = tnc } eap-tnc { protocol = tnccs-dynamic -- cgit v1.2.3