Fix of the mutual TNC measurement use case
author    Andreas Steffen <andreas.steffen@strongswan.org>
          Tue, 16 Feb 2016 17:00:27 +0000 (18:00 +0100)
committer Andreas Steffen <andreas.steffen@strongswan.org>
          Tue, 16 Feb 2016 17:00:27 +0000 (18:00 +0100)
commit    4d83c5b4a6bcbf6a6426d7ba79fac4494ab36329
tree      89f4416c6942a8fe9b6b2fde4555a8684feab1e4
parent    70934d94367d485cb599071671941b5d0c5c19fb
Fix of the mutual TNC measurement use case

If the IKEv2 initiator acting as a TNC server receives invalid TNC measurements
from the IKEv2 responder acting as a TNC client, the exchange of PB-TNC batches
is continued until the IKEv2 responder acting as a TNC server has also finished
its TNC measurements.

In the past, if these measurements in the other direction were correct,
the IKEv2 responder acting as EAP server declared the IKEv2 EAP authentication
successful and the IPsec connection was established even though the TNC
measurement verification on the EAP peer side had failed.

The fix adds an "allow" group membership on each endpoint if the corresponding
TNC measurements of the peer are successful. By requiring an "allow" group
membership in the IKEv2 connection definition, the IPsec connection succeeds
only if the TNC measurements on both sides are valid.
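As an added illustration (not one of the swanctl.conf files changed by this commit), this is how the requirement described in the commit message is expressed in a swanctl.conf connection definition. Only the `groups = allow` line reflects the fix itself; the connection name, addresses, identities, traffic selectors and the EAP-TTLS authentication method are assumptions made for the example:

```conf
connections {
   # connection name, addresses and identities below are constructed examples
   tnc-mutual {
      local_addrs  = 192.0.2.1
      remote_addrs = 192.0.2.2
      local {
         auth = eap-ttls
         id = moon.example.org
      }
      remote {
         auth = eap-ttls
         eap_id = %any
         # Require the "allow" group. Per the commit message, the endpoint
         # grants this membership only when the peer's TNC measurements
         # verified successfully, so a peer with failed measurements never
         # matches this connection and the IKE_SA is rejected.
         groups = allow
      }
      children {
         net {
            local_ts  = 10.1.0.0/16
            remote_ts = 10.2.0.0/16
         }
      }
   }
}
```

Because the group is granted independently on each endpoint, placing `groups = allow` in the `remote` section of both peers' definitions is what makes the mutual case fail closed: a successful measurement in one direction no longer compensates for a failed one in the other.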
17 files changed:
src/libcharon/plugins/eap_tnc/eap_tnc.c
src/libtnccs/plugins/tnccs_20/tnccs_20.c
testing/tests/tnc/tnccs-20-mutual-eap-fail/description.txt [new file with mode: 0644]
testing/tests/tnc/tnccs-20-mutual-eap-fail/evaltest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/moon/etc/tnc_config [new file with mode: 0644]
testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/swanctl/swanctl.conf [new file with mode: 0755]
testing/tests/tnc/tnccs-20-mutual-eap-fail/hosts/sun/etc/tnc_config [new file with mode: 0644]
testing/tests/tnc/tnccs-20-mutual-eap-fail/posttest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-mutual-eap-fail/pretest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-mutual-eap-fail/test.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-mutual-eap/description.txt
testing/tests/tnc/tnccs-20-mutual-eap/evaltest.dat
testing/tests/tnc/tnccs-20-mutual-eap/hosts/moon/etc/swanctl/swanctl.conf
testing/tests/tnc/tnccs-20-mutual-eap/hosts/sun/etc/swanctl/swanctl.conf