Test SWID REST API ins tnc/tnccs-20-pdp scenarios
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 31 May 2014 18:23:15 +0000 (20:23 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 31 May 2014 19:25:46 +0000 (21:25 +0200)
83 files changed:
testing/do-tests
testing/hosts/default/etc/hosts
testing/scripts/build-baseimage
testing/scripts/build-guestimages
testing/scripts/recipes/015_strongTNC.mk [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/django.db [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat
testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat
testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/django.db [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat
testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
testing/tnccs-20-pdp-eap/description.txt [new file with mode: 0644]
testing/tnccs-20-pdp-eap/evaltest.dat [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/django.db [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules [new file with mode: 0644]
testing/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tnccs-20-pdp-eap/posttest.dat [new file with mode: 0644]
testing/tnccs-20-pdp-eap/pretest.dat [new file with mode: 0644]
testing/tnccs-20-pdp-eap/test.conf [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/description.txt [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/evaltest.dat [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/django.db [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/posttest.dat [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/pretest.dat [new file with mode: 0644]
testing/tnccs-20-pdp-pt-tls/test.conf [new file with mode: 0644]

index becb7f1..cf1bd2d 100755 (executable)
@@ -653,7 +653,7 @@ do
        for host in $IPSECHOSTS
        do
            eval HOSTLOGIN=root@\$ipv4_${host}
-           ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv' \
+           ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv|pt-tls-client' \
                /var/log/auth.log" >> $TESTRESULTDIR/${host}.auth.log
        done
 
index 75a8fdd..bcb766a 100644 (file)
@@ -12,7 +12,7 @@
 10.1.0.254     uml1.strongswan.org     uml1
 10.2.0.254     uml1.strongswan.org     uml2
 
-10.1.0.10      alice.strongswan.org    alice aaa.strongswan.org
+10.1.0.10      alice.strongswan.org    alice aaa.strongswan.org tnc.strongswan.org
 10.1.0.20      venus.strongswan.org    venus
 10.1.0.30      carol2.strongswan.org   carol2
 10.1.0.40      dave2.strongswan.org    dave2
index 549bbc7..956fc93 100755 (executable)
@@ -18,7 +18,8 @@ INC=$INC,liblog4cxx10-dev,libboost-thread-dev,libboost-system-dev,git-core
 INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils,screen
 INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev
 INC=$INC,libalog0.4.1-base-dev,hostapd,libsoup2.4-dev,ca-certificates,unzip
-INC=$INC,python,python-setuptools
+INC=$INC,python,python-setuptools,python-dev,python-pip
+INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi
 SERVICES="apache2 dbus isc-dhcp-server slapd bind9"
 INC=$INC,${SERVICES// /,}
 
index f7fb1f8..b84536a 100755 (executable)
@@ -48,7 +48,17 @@ do
        execute "cp -rf $HOSTSDIR/default/* $LOOPDIR" 0
        execute_chroot "ldconfig" 0
 
-       if [ "$host" = "winnetou" ]
+       if [ "$host" = "alice" ]
+       then
+               execute "mkdir $LOOPDIR/var/log/apache2/tnc" 0
+               execute "mkdir $LOOPDIR/etc/strongTNC" 0
+               execute "mkdir $LOOPDIR/etc/pts" 0
+               execute_chroot "chgrp www-data /etc/strongTNC" 0
+               execute_chroot "chmod g+w /etc/strongTNC" 0
+               execute_chroot "chgrp www-data /etc/pts" 0
+               execute_chroot "chmod g+w /etc/pts" 0
+       fi
+    if [ "$host" = "winnetou" ]
        then
                execute "mkdir $LOOPDIR/var/log/apache2/ocsp" 0
                execute "cp -rf $DIR/../images $LOOPDIR/var/www/" 0
diff --git a/testing/scripts/recipes/015_strongTNC.mk b/testing/scripts/recipes/015_strongTNC.mk
new file mode 100644 (file)
index 0000000..6746b91
--- /dev/null
@@ -0,0 +1,17 @@
+#!/usr/bin/make
+
+PKG = strongTNC
+ZIP = $(PKG)-master.zip
+SRC = https://github.com/strongswan/$(PKG)/archive/master.zip
+
+all: install
+
+$(ZIP):
+       wget --ca-directory=/usr/share/ca-certificates/mozilla/ $(SRC) -O $(ZIP)
+
+$(PKG)-master: $(ZIP)
+       unzip -u $(ZIP)
+
+install: $(PKG)-master
+       cd $(PKG)-master && pip install -r requirements.txt
+       cp -r $(PKG)-master /var/www/tnc && chgrp -R www-data /var/www/tnc
index 505a4d0..9a477bd 100644 (file)
@@ -1,21 +1,28 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
-carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
 dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
+dave:: cat /var/log/daemon.log::collected 372 SWID tags::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
-moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
+carol::cat /var/log/daemon.log::collected 373 SWID tag IDs::YES
+carol::cat /var/log/daemon.log::collected 1 SWID tag::YES
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by password::YES
+alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and 372 SWID tags::YES
+alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
+alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 9: allow - received inventory of 373 SWID tag IDs and 1 SWID tag::YES
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES
 moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
-moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
 moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
 dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default
new file mode 100644 (file)
index 0000000..f6bf635
--- /dev/null
@@ -0,0 +1,24 @@
+WSGIPythonPath /var/www/tnc
+
+<VirtualHost *:80>
+    ServerName tnc.strongswan.org
+    ServerAlias tnc
+    ServerAdmin webmaster@localhost
+
+    DocumentRoot /var/www/tnc
+
+    <Directory /var/www/tnc/config>
+        <Files wsgi.py>
+            Order deny,allow
+            Allow from all
+        </Files>
+    </Directory>
+
+    WSGIScriptAlias / /var/www/tnc/config/wsgi.py
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+
+    ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
+    LogLevel warn
+    CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
+</VirtualHost>
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/django.db b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/django.db
new file mode 100644 (file)
index 0000000..3866bfa
Binary files /dev/null and b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/django.db differ
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini
new file mode 100644 (file)
index 0000000..5d12736
--- /dev/null
@@ -0,0 +1,19 @@
+[debug]
+DEBUG=1
+TEMPLATE_DEBUG=1
+DEBUG_TOOLBAR=0
+
+[db]
+DJANGO_DB_URL=sqlite:////etc/strongTNC/django.db
+STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
+
+[localization]
+LANGUAGE_CODE=en-us
+TIME_ZONE=Europe/Zurich
+
+[admins]
+Your Name: alice@strongswan.org
+
+[security]
+SECRET_KEY=strongSwan
+
index 1237d23..a60f1de 100644 (file)
@@ -11,7 +11,7 @@ charon {
       max_message_count = 0
     }
     eap-tnc {
-      max_message_count = 20
+      max_message_count = 0
     }
     tnc-pdp {
       server = aaa.strongswan.org
@@ -26,4 +26,10 @@ libimcv {
   debug_level = 3 
   database = sqlite:///etc/pts/config.db
   policy_script = ipsec imv_policy_manager
+
+  plugins {
+    imv-swid {
+      rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
+    }
+  }
 }
index eeb8e42..c040f09 100644 (file)
@@ -8,7 +8,7 @@ charon {
       max_message_count = 0
     }
     eap-tnc {
-      max_message_count = 20
+      max_message_count = 0
     }
     tnccs-20 {
       max_batch_size = 32754
@@ -16,4 +16,3 @@ charon {
     }
   }
 }
-
index c9cbad9..cd9efee 100644 (file)
@@ -8,7 +8,7 @@ charon {
       max_message_count = 0
     }
     eap-tnc {
-      max_message_count = 20
+      max_message_count = 0
     }
     tnccs-20 {
       max_batch_size = 32754
@@ -23,6 +23,7 @@ libimcv {
      push_info = no
     }
     imc-swid {
+      swid_directory = /usr/share
       swid_pretty = no
     }
   }
index 916e433..1e5c3f8 100644 (file)
@@ -2,6 +2,7 @@ moon::ipsec stop
 carol::ipsec stop
 dave::ipsec stop
 alice::ipsec stop
+alice::service apache2 stop
 alice::rm /etc/pts/config.db
 moon::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
index 6709b89..6c74777 100644 (file)
@@ -8,11 +8,13 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward
 dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
 alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
 alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db
+alice::service apache2 start
 alice::ipsec start
 moon::ipsec start
-carol::ipsec start
 dave::ipsec start
+carol::ipsec start
 carol::sleep 1
-carol::ipsec up home
 dave::ipsec up home
-dave::sleep 1
+carol::ipsec up home
+carol::sleep 1
index 4be71af..9327f51 100644 (file)
@@ -1,12 +1,19 @@
-alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
-alice:: cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
-alice:: cat /var/log/daemon.log::SASL client identity is.*carol::YES
-alice:: cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
-alice:: cat /var/log/daemon.log::received SWID tag ID inventory for request 6 at eid 1 of epoch::YES
-alice:: cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES
-alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
-alice:: cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
-alice:: cat /var/log/daemon.log::certificate status is good::YES
-alice:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
-alice:: cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
-alice:: cat /var/log/daemon.log::received SWID tag inventory for request 11 at eid 1 of epoch::YES
+dave:: cat /var/log/auth.log::sending TLS CertificateVerify handshake::YES
+dave:: cat /var/log/auth.log::collected 372 SWID tags::YES
+carol::cat /var/log/auth.log::received SASL Success result::YES
+carol::cat /var/log/auth.log::collected 373 SWID tag IDs::YES
+carol::cat /var/log/auth.log::collected 1 SWID tag::YES
+alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
+alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
+alice::cat /var/log/daemon.log::certificate status is good::YES
+alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
+alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
+alice::cat /var/log/daemon.log::received SWID tag inventory with 372 items for request 3 at eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
+alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
+alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES
+alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
+alice::cat /var/log/daemon.log::received SWID tag ID inventory with 373 items for request 9 at eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::1 SWID tag target::YES
+alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default
new file mode 100644 (file)
index 0000000..f6bf635
--- /dev/null
@@ -0,0 +1,24 @@
+WSGIPythonPath /var/www/tnc
+
+<VirtualHost *:80>
+    ServerName tnc.strongswan.org
+    ServerAlias tnc
+    ServerAdmin webmaster@localhost
+
+    DocumentRoot /var/www/tnc
+
+    <Directory /var/www/tnc/config>
+        <Files wsgi.py>
+            Order deny,allow
+            Allow from all
+        </Files>
+    </Directory>
+
+    WSGIScriptAlias / /var/www/tnc/config/wsgi.py
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+
+    ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
+    LogLevel warn
+    CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
+</VirtualHost>
index 5b27539..1586214 100644 (file)
@@ -5,6 +5,10 @@
 -P OUTPUT DROP
 -P FORWARD DROP
 
+# open loopback interface
+-A INPUT  -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
 # allow PT-TLS 
 -A INPUT  -i eth0 -p tcp --dport 271 -j ACCEPT
 -A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/django.db b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/django.db
new file mode 100644 (file)
index 0000000..3866bfa
Binary files /dev/null and b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/django.db differ
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini
new file mode 100644 (file)
index 0000000..5d12736
--- /dev/null
@@ -0,0 +1,19 @@
+[debug]
+DEBUG=1
+TEMPLATE_DEBUG=1
+DEBUG_TOOLBAR=0
+
+[db]
+DJANGO_DB_URL=sqlite:////etc/strongTNC/django.db
+STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
+
+[localization]
+LANGUAGE_CODE=en-us
+TIME_ZONE=Europe/Zurich
+
+[admins]
+Your Name: alice@strongswan.org
+
+[security]
+SECRET_KEY=strongSwan
+
index 21961d4..eb807b1 100644 (file)
@@ -13,16 +13,17 @@ charon {
   }
 }
 
-libtnccs {
-  plugins {
-    tnccs-20 {
-      max_batch_size = 131056
-      max_message_size = 131024
-    }
-  }
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 }
 
 libimcv {
   database = sqlite:///etc/pts/config.db
   policy_script = ipsec imv_policy_manager
+
+  plugins {
+    imv-swid {
+      rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
+    }
+  }
 }
index 685a652..29fdf02 100644 (file)
@@ -1,25 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
-libimcv {
-  plugins {
-    imc-os {
-      push_info = yes 
-    }
-    imc-swid {
-      #swid_directory = /usr/share
-    }
-  }
-}
-
-libtnccs {
-  plugins {
-    tnccs-20 {
-      max_batch_size   = 131056
-      max_message_size = 131024
-    }
-  }
-}
-
 libtls {
   suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 }
index 46821ec..ca3ca3a 100644 (file)
@@ -3,4 +3,5 @@
 --key  /etc/ipsec.d/private/daveKey.pem
 --cert /etc/ipsec.d/certs/daveCert.pem
 --cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--quiet
 --debug 2
index 4996d03..0a7f048 100644 (file)
@@ -6,20 +6,12 @@ libimcv {
       push_info = no
     }
     imc-swid {
+      swid_directory = /usr/share
       swid_pretty = yes
     }
   }
 }
 
-libtnccs {
-  plugins {
-    tnccs-20 {
-      max_batch_size   = 131056
-      max_message_size = 131024
-    }
-  }
-}
-
 libtls {
   suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 }
index c98df86..b7da857 100644 (file)
@@ -2,6 +2,7 @@ carol::ip route del 10.1.0.0/16 via 192.168.0.1
 dave::ip route del 10.1.0.0/16 via 192.168.0.1
 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
 alice::ipsec stop
+alice::service apache2 stop
 alice::rm /etc/pts/config.db
 alice::iptables-restore < /etc/iptables.flush
 carol::iptables-restore < /etc/iptables.flush
index 97ff0c1..0918909 100644 (file)
@@ -8,12 +8,15 @@ dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
 dave::cat /etc/tnc_config
 alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
 alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db
+alice::service apache2 start
 alice::ipsec start
+alice::sleep 1
 winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
-carol::ip route add 10.1.0.0/16 via 192.168.0.1
-carol::cat /etc/pts/options
-carol::ipsec pt-tls-client --optionsfrom /etc/pts/options
 dave::ip route add 10.1.0.0/16 via 192.168.0.1
 dave::cat /etc/pts/options
 dave::ipsec pt-tls-client --optionsfrom /etc/pts/options
-dave::sleep 1
+carol::ip route add 10.1.0.0/16 via 192.168.0.1
+carol::cat /etc/pts/options
+carol::ipsec pt-tls-client --optionsfrom /etc/pts/options
+carol::sleep 1
diff --git a/testing/tnccs-20-pdp-eap/description.txt b/testing/tnccs-20-pdp-eap/description.txt
new file mode 100644 (file)
index 0000000..a178211
--- /dev/null
@@ -0,0 +1,12 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to the policy enforcement
+point <b>moon</b>. At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate. <b>carol</b> and <b>dave</b> then set up an
+<b>EAP-TTLS</b> tunnel each via gateway <b>moon</b> to the policy decision point <b>alice</b>
+authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak
+client authentication based on <b>EAP-MD5</b>. In a next step the EAP-TNC protocol is used within
+the EAP-TTLS tunnel to determine the health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0</b>
+client-server interface defined by <b>RFC 5793 PB-TNC</b>. The communication between IMCs and IMVs
+is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
+are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tnccs-20-pdp-eap/evaltest.dat b/testing/tnccs-20-pdp-eap/evaltest.dat
new file mode 100644 (file)
index 0000000..9a477bd
--- /dev/null
@@ -0,0 +1,29 @@
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
+dave:: cat /var/log/daemon.log::collected 372 SWID tags::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
+carol::cat /var/log/daemon.log::collected 373 SWID tag IDs::YES
+carol::cat /var/log/daemon.log::collected 1 SWID tag::YES
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by password::YES
+alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and 372 SWID tags::YES
+alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
+alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 9: allow - received inventory of 373 SWID tag IDs and 1 SWID tag::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default
new file mode 100644 (file)
index 0000000..f6bf635
--- /dev/null
@@ -0,0 +1,24 @@
+WSGIPythonPath /var/www/tnc
+
+<VirtualHost *:80>
+    ServerName tnc.strongswan.org
+    ServerAlias tnc
+    ServerAdmin webmaster@localhost
+
+    DocumentRoot /var/www/tnc
+
+    <Directory /var/www/tnc/config>
+        <Files wsgi.py>
+            Order deny,allow
+            Allow from all
+        </Files>
+    </Directory>
+
+    WSGIScriptAlias / /var/www/tnc/config/wsgi.py
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+
+    ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
+    LogLevel warn
+    CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
+</VirtualHost>
diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf b/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..f2e6119
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="tnc 2, imv 3"
+
+conn aaa
+       leftcert=aaaCert.pem
+       leftid=aaa.strongswan.org
+       auto=add
diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
new file mode 100644 (file)
index 0000000..6aeb0c0
--- /dev/null
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R
+RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm
+Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W
+Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF
+AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni
+wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg
+EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa
+yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp
+iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2
+bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d
+HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr
+EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4
+v42sww==
+-----END CERTIFICATE-----
diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem
new file mode 100644 (file)
index 0000000..da8cdb0
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx
+bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh
+9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ
+/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp
+NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR
+BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds
+Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi
+NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV
+IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3
+Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI
+aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X
+YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq
+b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If
+/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN
+P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X
+V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t
+cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c
+PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m
+a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo
+NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b
+xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/
+J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5
+YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ
+SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu
+EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets b/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..11d45cd
--- /dev/null
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA aaaKey.pem
+
+carol : EAP "Ar3etTnp"
+dave  : EAP "W7R0g3do"
diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql b/testing/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql
new file mode 100644 (file)
index 0000000..8adc459
--- /dev/null
@@ -0,0 +1,61 @@
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 42, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+/* Identities */
+
+INSERT INTO identities (
+  type, value
+) VALUES ( /* dave@strongswan.org */
+  5, X'64617665'
+);
+
+/* Sessions */
+
+INSERT INTO sessions (
+  time, connection, identity, device, product, rec
+) VALUES (
+  NOW, 1, 1, 1, 42, 0
+);
+
+/* Results */
+
+INSERT INTO results (
+  session, policy, rec, result
+) VALUES (
+  1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  17, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  18, 10, 86400
+);
+
+DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/django.db b/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/django.db
new file mode 100644 (file)
index 0000000..3866bfa
Binary files /dev/null and b/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/django.db differ
diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini
new file mode 100644 (file)
index 0000000..5d12736
--- /dev/null
@@ -0,0 +1,19 @@
+[debug]
+DEBUG=1
+TEMPLATE_DEBUG=1
+DEBUG_TOOLBAR=0
+
+[db]
+DJANGO_DB_URL=sqlite:////etc/strongTNC/django.db
+STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
+
+[localization]
+LANGUAGE_CODE=en-us
+TIME_ZONE=Europe/Zurich
+
+[admins]
+Your Name: alice@strongswan.org
+
+[security]
+SECRET_KEY=strongSwan
+
diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..a60f1de
--- /dev/null
@@ -0,0 +1,35 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+      max_message_count = 0
+    }
+    eap-tnc {
+      max_message_count = 0
+    }
+    tnc-pdp {
+      server = aaa.strongswan.org
+      radius {
+        secret = gv6URkSs
+      }
+    }
+  }
+}
+
+libimcv {
+  debug_level = 3 
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+
+  plugins {
+    imv-swid {
+      rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
+    }
+  }
+}
diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config b/testing/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config
new file mode 100644 (file)
index 0000000..ebe88bc
--- /dev/null
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS"       /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "SWID"     /usr/local/lib/ipsec/imcvs/imv-swid.so
diff --git a/testing/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf b/testing/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..6e6430e
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="tnc 2, imc 3"
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn home
+       left=PH_IP_CAROL
+       leftauth=eap
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightsubnet=10.1.0.0/16
+       rightauth=pubkey
+       eap_identity=carol
+       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+       auto=add
diff --git a/testing/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets b/testing/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..23d79cf
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp"
diff --git a/testing/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..c040f09
--- /dev/null
@@ -0,0 +1,18 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
+  plugins {
+    eap-ttls {
+      max_message_count = 0
+    }
+    eap-tnc {
+      max_message_count = 0
+    }
+    tnccs-20 {
+      max_batch_size = 32754
+      max_message_size = 32722
+    }
+  }
+}
diff --git a/testing/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config b/testing/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config
new file mode 100644 (file)
index 0000000..a954883
--- /dev/null
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"       /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID"     /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf b/testing/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..4846af2
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="tnc 2, imc 3"
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn home
+       left=PH_IP_DAVE
+       leftauth=eap
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightsubnet=10.1.0.0/16
+       rightauth=pubkey
+       eap_identity=dave
+       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+       auto=add
diff --git a/testing/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets b/testing/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..02e0c99
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave : EAP "W7R0g3do"
diff --git a/testing/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..cd9efee
--- /dev/null
@@ -0,0 +1,30 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
+  plugins {    
+   eap-ttls {
+      max_message_count = 0
+    }
+    eap-tnc {
+      max_message_count = 0
+    }
+    tnccs-20 {
+      max_batch_size = 32754
+      max_message_size = 32722
+    }
+  }
+}
+
+libimcv {
+  plugins {
+   imc-os {
+     push_info = no
+    }
+    imc-swid {
+      swid_directory = /usr/share
+      swid_pretty = no
+    }
+  }
+}
diff --git a/testing/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config b/testing/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config
new file mode 100644 (file)
index 0000000..a954883
--- /dev/null
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"       /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID"     /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf b/testing/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..02ada56
--- /dev/null
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn rw-allow
+       rightgroups=allow
+       leftsubnet=10.1.0.0/28
+       also=rw-eap
+       auto=add
+
+conn rw-isolate
+       rightgroups=isolate
+       leftsubnet=10.1.0.16/28
+       also=rw-eap
+       auto=add
+
+conn rw-eap
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftauth=pubkey
+       leftfirewall=yes
+       rightauth=eap-radius
+       rightsendcert=never
+       right=%any
+       eap_identity=%any
diff --git a/testing/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets b/testing/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..e86d6aa
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules b/testing/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules
new file mode 100644 (file)
index 0000000..1eb7553
--- /dev/null
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf b/testing/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..d329518
--- /dev/null
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      #server = PH_IP6_ALICE 
+      server = PH_IP_ALICE
+      filter_id = yes
+    }
+  }
+}
diff --git a/testing/tnccs-20-pdp-eap/posttest.dat b/testing/tnccs-20-pdp-eap/posttest.dat
new file mode 100644 (file)
index 0000000..1e5c3f8
--- /dev/null
@@ -0,0 +1,9 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::ipsec stop
+alice::service apache2 stop
+alice::rm /etc/pts/config.db
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tnccs-20-pdp-eap/pretest.dat b/testing/tnccs-20-pdp-eap/pretest.dat
new file mode 100644 (file)
index 0000000..6c74777
--- /dev/null
@@ -0,0 +1,20 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
+alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db
+alice::service apache2 start
+alice::ipsec start
+moon::ipsec start
+dave::ipsec start
+carol::ipsec start
+carol::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
diff --git a/testing/tnccs-20-pdp-eap/test.conf b/testing/tnccs-20-pdp-eap/test.conf
new file mode 100644 (file)
index 0000000..c4ca1a1
--- /dev/null
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave alice"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tnccs-20-pdp-pt-tls/description.txt b/testing/tnccs-20-pdp-pt-tls/description.txt
new file mode 100644 (file)
index 0000000..45a77e9
--- /dev/null
@@ -0,0 +1,9 @@
+The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision 
+point (PDP) <b>alice</b>. <b>carol</b> uses password-based SASL PLAIN client authentication during the
+<b>PT-TLS negotiation phase</b> and <b>dave</b> uses certificate-based TLS client authentication during the
+<b>TLS setup phase</b>.
+<p/>
+During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWID</b> IMC/IMV pairs
+loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
+embedded in PB-TNC (RFC 5793) batches. The <b>SWID</b> IMC on <b>carol</b> is requested to deliver
+a concise <b>SWID Tag ID Inventory</b> whereas <b>dave</b> must send a full <b>SWID Tag Inventory</b>.
diff --git a/testing/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tnccs-20-pdp-pt-tls/evaltest.dat
new file mode 100644 (file)
index 0000000..a9457ec
--- /dev/null
@@ -0,0 +1,19 @@
+dave:: cat/var/log/auth.log::received SASL Success result::YES
+dave:: cat /var/log/auth.log::collected 372 SWID tags::YES
+carol::cat/var/log/auth.log::received SASL Success result::YES
+carol::cat /var/log/auth.log::collected 373 SWID tag IDs::YES
+carol::cat /var/log/auth.log::collected 1 SWID tag::YES
+alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
+alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
+alice::cat /var/log/daemon.log::certificate status is good::YES
+alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
+alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
+alice::cat /var/log/daemon.log::received SWID tag inventory with 372 items for request 3 at eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
+alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
+alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES
+alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
+alice::cat /var/log/daemon.log::received SWID tag ID inventory with 373 items for request 9 at eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::1 SWID tag target::YES
+alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default
new file mode 100644 (file)
index 0000000..f6bf635
--- /dev/null
@@ -0,0 +1,24 @@
+WSGIPythonPath /var/www/tnc
+
+<VirtualHost *:80>
+    ServerName tnc.strongswan.org
+    ServerAlias tnc
+    ServerAdmin webmaster@localhost
+
+    DocumentRoot /var/www/tnc
+
+    <Directory /var/www/tnc/config>
+        <Files wsgi.py>
+            Order deny,allow
+            Allow from all
+        </Files>
+    </Directory>
+
+    WSGIScriptAlias / /var/www/tnc/config/wsgi.py
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+
+    ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
+    LogLevel warn
+    CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
+</VirtualHost>
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..7b2118f
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="tls 2, tnc 2, imv 3"
+
+conn aaa
+       leftcert=aaaCert.pem
+       leftid=aaa.strongswan.org
+       auto=add
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
new file mode 100644 (file)
index 0000000..6aeb0c0
--- /dev/null
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R
+RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm
+Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W
+Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF
+AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni
+wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg
+EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa
+yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp
+iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2
+bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d
+HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr
+EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4
+v42sww==
+-----END CERTIFICATE-----
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem
new file mode 100644 (file)
index 0000000..da8cdb0
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx
+bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh
+9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ
+/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp
+NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR
+BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds
+Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi
+NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV
+IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3
+Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI
+aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X
+YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq
+b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If
+/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN
+P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X
+V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t
+cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c
+PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m
+a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo
+NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b
+xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/
+J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5
+YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ
+SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu
+EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b
+-----END RSA PRIVATE KEY-----
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..11d45cd
--- /dev/null
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA aaaKey.pem
+
+carol : EAP "Ar3etTnp"
+dave  : EAP "W7R0g3do"
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules
new file mode 100644 (file)
index 0000000..1586214
--- /dev/null
@@ -0,0 +1,24 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# open loopback interface
+-A INPUT  -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+
+# allow PT-TLS 
+-A INPUT  -i eth0 -p tcp --dport 271 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql
new file mode 100644 (file)
index 0000000..14f9d7d
--- /dev/null
@@ -0,0 +1,61 @@
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 42, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+/* Identities */
+
+INSERT INTO identities (
+  type, value
+) VALUES ( /* dave@strongswan.org */
+  4, X'64617665407374726f6e677377616e2e6f7267'
+);
+
+/* Sessions */
+
+INSERT INTO sessions (
+  time, connection, identity, device, product, rec
+) VALUES (
+  NOW, 1, 1, 1, 42, 0
+);
+
+/* Results */
+
+INSERT INTO results (
+  session, policy, rec, result
+) VALUES (
+  1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  17, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  18, 10, 86400
+);
+
+DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/django.db b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/django.db
new file mode 100644 (file)
index 0000000..3866bfa
Binary files /dev/null and b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/django.db differ
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini
new file mode 100644 (file)
index 0000000..5d12736
--- /dev/null
@@ -0,0 +1,19 @@
+[debug]
+DEBUG=1
+TEMPLATE_DEBUG=1
+DEBUG_TOOLBAR=0
+
+[db]
+DJANGO_DB_URL=sqlite:////etc/strongTNC/django.db
+STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
+
+[localization]
+LANGUAGE_CODE=en-us
+TIME_ZONE=Europe/Zurich
+
+[admins]
+Your Name: alice@strongswan.org
+
+[security]
+SECRET_KEY=strongSwan
+
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..eb807b1
--- /dev/null
@@ -0,0 +1,29 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 nonce x509 revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+
+  plugins { 
+    tnc-pdp {
+      server = aaa.strongswan.org
+      radius {
+        secret = gv6URkSs
+      }
+    }
+  }
+}
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+}
+
+libimcv {
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+
+  plugins {
+    imv-swid {
+      rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
+    }
+  }
+}
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config
new file mode 100644 (file)
index 0000000..ebe88bc
--- /dev/null
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS"       /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "SWID"     /usr/local/lib/ipsec/imcvs/imv-swid.so
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..4a41e7e
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# the PT-TLS client reads its configuration via the command line
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..d2f6378
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# the PT-TLS client loads its secrets via the command line
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql
new file mode 100644 (file)
index 0000000..805c8bf
--- /dev/null
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules
new file mode 100644 (file)
index 0000000..d01d0a3
--- /dev/null
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow PT-TLS 
+-A INPUT  -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
+-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options
new file mode 100644 (file)
index 0000000..d485e9b
--- /dev/null
@@ -0,0 +1,6 @@
+--connect aaa.strongswan.org
+--client carol
+--secret "Ar3etTnp"
+--cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--quiet
+--debug 2
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..29fdf02
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+}
+
+pt-tls-client {
+  load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20
+}
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config
new file mode 100644 (file)
index 0000000..f40174e
--- /dev/null
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"       /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID"     /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..4a41e7e
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# the PT-TLS client reads its configuration via the command line
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..d2f6378
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# the PT-TLS client loads its secrets via the command line
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql
new file mode 100644 (file)
index 0000000..805c8bf
--- /dev/null
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules
new file mode 100644 (file)
index 0000000..d01d0a3
--- /dev/null
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow PT-TLS 
+-A INPUT  -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
+-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options
new file mode 100644 (file)
index 0000000..ca3ca3a
--- /dev/null
@@ -0,0 +1,7 @@
+--connect aaa.strongswan.org
+--client dave@strongswan.org
+--key  /etc/ipsec.d/private/daveKey.pem
+--cert /etc/ipsec.d/certs/daveCert.pem
+--cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--quiet
+--debug 2
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..0a7f048
--- /dev/null
@@ -0,0 +1,21 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = no
+    }
+    imc-swid {
+      swid_directory = /usr/share
+      swid_pretty = yes
+    }
+  }
+}
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+}
+
+pt-tls-client {
+  load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20
+}
diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config
new file mode 100644 (file)
index 0000000..f40174e
--- /dev/null
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"       /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID"     /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tnccs-20-pdp-pt-tls/posttest.dat b/testing/tnccs-20-pdp-pt-tls/posttest.dat
new file mode 100644 (file)
index 0000000..b7da857
--- /dev/null
@@ -0,0 +1,9 @@
+carol::ip route del 10.1.0.0/16 via 192.168.0.1
+dave::ip route del 10.1.0.0/16 via 192.168.0.1
+winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
+alice::ipsec stop
+alice::service apache2 stop
+alice::rm /etc/pts/config.db
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tnccs-20-pdp-pt-tls/pretest.dat
new file mode 100644 (file)
index 0000000..0918909
--- /dev/null
@@ -0,0 +1,22 @@
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+dave::cat /etc/tnc_config
+alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
+alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db
+alice::service apache2 start
+alice::ipsec start
+alice::sleep 1
+winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
+dave::ip route add 10.1.0.0/16 via 192.168.0.1
+dave::cat /etc/pts/options
+dave::ipsec pt-tls-client --optionsfrom /etc/pts/options
+carol::ip route add 10.1.0.0/16 via 192.168.0.1
+carol::cat /etc/pts/options
+carol::ipsec pt-tls-client --optionsfrom /etc/pts/options
+carol::sleep 1
diff --git a/testing/tnccs-20-pdp-pt-tls/test.conf b/testing/tnccs-20-pdp-pt-tls/test.conf
new file mode 100644 (file)
index 0000000..0887e4d
--- /dev/null
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="carol dave alice"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+