Disable mandatory ECP support for attestion
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 7 Mar 2014 20:54:51 +0000 (21:54 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 7 Mar 2014 20:56:34 +0000 (21:56 +0100)
24 files changed:
conf/plugins/imc-attestation.opt
conf/plugins/imv-attestation.opt
src/libpts/plugins/imc_attestation/imc_attestation.c
src/libpts/plugins/imv_attestation/imv_attestation_agent.c
src/libpts/pts/pts_dh_group.c
src/libpts/pts/pts_dh_group.h
testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf [new file with mode: 0644]

index 9c10805..aaac4c2 100644 (file)
@@ -7,6 +7,9 @@ charon.plugins.imc-attestation.aik_cert =
 charon.plugins.imc-attestation.aik_key =
        AIK public key file.
 
+charon.plugins.imc-attestation.mandatory_dh_groups = yes
+       Enforce mandatory Diffie-Hellman groups.
+
 charon.plugins.imc-attestation.nonce_len = 20
        DH nonce length.
 
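Review bot: The help text `Enforce mandatory Diffie-Hellman groups.` added here, and again in conf/plugins/imv-attestation.opt, does not say what switching the option off permits, although this string is what an administrator reads next to a security-relevant setting. Judging from pts_dh_group_probe() in this commit, `no` lets the plugin initialise without ecp256 as long as at least one other PTS DH group is available. I would spell that out, e.g. `Enforce the mandatory PTS Diffie-Hellman group (ecp256). If set to no, any available optional DH group is accepted.`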
@@ -14,4 +17,4 @@ charon.plugins.imc-attestation.use_quote2 = yes
        Use Quote2 AIK signature instead of Quote signature.
 
 charon.plugins.imc-attestation.pcr_info = yes
-       Whether to send pcr_before and pcr_after info.
\ No newline at end of file
+       Whether to send pcr_before and pcr_after info.
index c0ae204..f266281 100644 (file)
@@ -1,6 +1,9 @@
 charon.plugins.imv-attestation.cadir =
        Path to directory with AIK cacerts.
 
+charon.plugins.imv-attestation.mandatory_dh_groups = yes
+       Enforce mandatory Diffie-Hellman groups.
+
 charon.plugins.imv-attestation.dh_group = ecp256
        Preferred Diffie-Hellman group.
 
index 467b998..c71b216 100644 (file)
@@ -66,6 +66,8 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
                                                          TNC_Version max_version,
                                                          TNC_Version *actual_version)
 {
+       bool mandatory_dh_groups;
+
        if (imc_attestation)
        {
                DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
@@ -78,8 +80,11 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
                return TNC_RESULT_FATAL;
        }
 
+       mandatory_dh_groups = lib->settings->get_bool(lib->settings,
+                       "%s.plugins.imc-attestation.mandatory_dh_groups", TRUE, lib->ns);
+
        if (!pts_meas_algo_probe(&supported_algorithms) ||
-               !pts_dh_group_probe(&supported_dh_groups))
+               !pts_dh_group_probe(&supported_dh_groups, mandatory_dh_groups))
        {
                imc_attestation->destroy(imc_attestation);
                imc_attestation = NULL;
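Review bot: The key read here is `%s.plugins.imc-attestation.mandatory_dh_groups` under `lib->ns`, the .opt file documents it as `charon.plugins.imc-attestation.mandatory_dh_groups`, and the test configs added by this commit set it under `libimcv { plugins { imc-attestation { ... } } }`. Presumably a settings fallback maps the libimcv section onto the namespace, but that is not visible in this hunk. If it does not, `get_bool` quietly returns the `TRUE` default and the relaxed mode never takes effect. A comment above the call would make the lookup path explicit, e.g. `/* resolved via <ns>.plugins; libimcv.plugins only through the settings fallback */`, and the same applies to the imv-attestation lookup in imv_attestation_agent.c. TNC_IMC_Initialize continues outside the hunk.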
index e8c3c5e..03e82db 100644 (file)
@@ -706,6 +706,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
        private_imv_attestation_agent_t *this;
        imv_agent_t *agent;
        char *hash_alg, *dh_group, *cadir;
+       bool mandatory_dh_groups;
 
        agent = imv_agent_create(name, msg_types, countof(msg_types), id,
                                                         actual_version);
@@ -718,6 +719,8 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
                                "%s.plugins.imv-attestation.hash_algorithm", "sha256", lib->ns);
        dh_group = lib->settings->get_str(lib->settings,
                                "%s.plugins.imv-attestation.dh_group", "ecp256", lib->ns);
+       mandatory_dh_groups = lib->settings->get_bool(lib->settings,
+                               "%s.plugins.imv-attestation.mandatory_dh_groups", TRUE, lib->ns);
        cadir = lib->settings->get_str(lib->settings,
                                "%s.plugins.imv-attestation.cadir", NULL, lib->ns);
 
@@ -742,7 +745,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
        libpts_init();
 
        if (!pts_meas_algo_probe(&this->supported_algorithms) ||
-               !pts_dh_group_probe(&this->supported_dh_groups) ||
+               !pts_dh_group_probe(&this->supported_dh_groups, mandatory_dh_groups) ||
                !pts_meas_algo_update(hash_alg, &this->supported_algorithms) ||
                !pts_dh_group_update(dh_group, &this->supported_dh_groups))
        {
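Review bot: With `mandatory_dh_groups` off, the probe in this condition can now succeed on a host without ECP, but `dh_group` still defaults to `"ecp256"` in the `get_str` call earlier in this function. The following `pts_dh_group_update(dh_group, ...)` therefore presumably still rejects the configuration unless the administrator also sets `dh_group`, as the moon test config does with `modp2048`. That coupling is not documented anywhere in the commit; a comment at the `mandatory_dh_groups` lookup such as `/* dh_group must name an available group when this is FALSE */` would make it discoverable. The function body starts and ends outside the hunk.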
index 41a4360..305b4ec 100644 (file)
@@ -20,7 +20,7 @@
 /**
  * Described in header.
  */
-bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
+bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups)
 {
        enumerator_t *enumerator;
        diffie_hellman_group_t dh_group;
@@ -68,14 +68,23 @@ bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
 
        if (*dh_groups & PTS_DH_GROUP_IKE19)
        {
+               /* mandatory PTS DH group is available */
                return TRUE;
        }
-       else
+       if (*dh_groups == PTS_DH_GROUP_NONE)
+       {
+               DBG1(DBG_PTS, "no PTS DH group available");
+               return FALSE;
+       }
+       if (mandatory_dh_groups)
        {
                DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names,
                                                                                        ECP_256_BIT);
+               return FALSE;
        }
-       return FALSE;
+
+       /* at least one optional PTS DH group is available */
+       return TRUE;
 }
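Review bot: The relaxed path at the end of this hunk returns TRUE for any non-empty group set without logging that the mandatory group (ECP_256_BIT, per the DBG1 call just above) is missing. A host running with `mandatory_dh_groups = no` therefore leaves no trace in its log that attestation will negotiate from optional groups only. I would log it before the final return, e.g. `DBG1(DBG_PTS, "mandatory PTS DH group not available, using optional groups only");`. The test is also purely "non-empty": if the probing code outside this hunk can leave only a short MODP group set, that alone now satisfies it, so a minimum-strength floor may be worth considering. The function body begins outside the hunk.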
 
 /**
index 2aab902..f5d951e 100644 (file)
@@ -59,10 +59,13 @@ enum pts_dh_group_t {
 /**
  * Probe available PTS Diffie-Hellman groups
  *
- * @param dh_groups                    returns set of available DH groups
- * @return                                     TRUE if mandatory DH groups are available
+ * @param dh_groups                            returns set of available DH groups
+ * @param mandatory_dh_groups  if TRUE enforce mandatory PTS DH groups
+ * @return                                             TRUE if mandatory DH groups are available
+ *                                                             or at least one optional DH group if 
+ *                                                             mandatory_dh_groups is set to FALSE.
  */
-bool pts_dh_group_probe(pts_dh_group_t *dh_groups);
+bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups);
 
 /**
  * Update supported Diffie-Hellman groups according to configuration
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt
new file mode 100644 (file)
index 0000000..2997650
--- /dev/null
@@ -0,0 +1,26 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
+is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
+exchange PA-TNC attributes.
+<p>
+<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
+<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
+to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
+<em>Attribute Request</em> PA-TNC attribute. <b>dave</b> is instructed to do a reference
+measurement on all files in the <b>/bin</b> directory. <b>carol</b> is then prompted to
+measure a couple of individual files and the files in the <b>/bin</b> directory as
+well as to get metadata on the <b>/etc/tnc_confg</b> configuration file.
+<p>
+Since the Attestation IMV negotiates a Diffie-Hellman group for TPM-based measurements,
+the mandatory default being <b>ecp256</b>, with the strongswan.conf option
+<b>mandatory_dh_groups = no</b> no ECC support is required.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails because IP forwarding is
+enabled. Based on these assessments which are communicated to the IMCs using the
+<em>Assessment Result</em> PA-TNC attribute, the clients are connected by gateway <b>moon</b>
+to the "rw-allow" and "rw-isolate" subnets, respectively.
+</p>
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat
new file mode 100644 (file)
index 0000000..5eb9440
--- /dev/null
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
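Review bot: None of the checks in this file looks for evidence that a non-ECP Diffie-Hellman group was actually negotiated; every pattern here would match just as well in a run that used ecp256. Since the purpose of the scenario is the `mandatory_dh_groups = no` path, I would add a line such as `moon:: cat /var/log/daemon.log::<DH group selection log message>::YES`. The placeholder stands for the message the IMV logs when it selects the group, whose text is not visible in this commit.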
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..d17473d
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn home
+       left=PH_IP_CAROL
+       leftid=carol@strongswan.org
+       leftauth=eap
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightauth=any
+       rightsendcert=never
+       rightsubnet=10.1.0.0/16
+       auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..74942af
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..72bf2c7
--- /dev/null
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = yes
+    }
+    imc-attestation {
+      mandatory_dh_groups = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/tnc_config
new file mode 100644 (file)
index 0000000..15dc93a
--- /dev/null
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..d459bfc
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn home
+       left=PH_IP_DAVE
+       leftid=dave@strongswan.org
+       leftauth=eap
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightauth=any
+       rightsendcert=never
+       rightsubnet=10.1.0.0/16
+       auto=add
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..5496df7
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..6f71994
--- /dev/null
@@ -0,0 +1,25 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = de
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = no
+    }
+    imc-attestation {
+      mandatory_dh_groups = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/tnc_config
new file mode 100644 (file)
index 0000000..15dc93a
--- /dev/null
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..bc8b2d8
--- /dev/null
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="tnc 3, imv 3, pts 3"
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn rw-allow
+       rightgroups=allow
+       leftsubnet=10.1.0.0/28
+       also=rw-eap
+       auto=add
+
+conn rw-isolate
+       rightgroups=isolate
+       leftsubnet=10.1.0.16/28
+       also=rw-eap
+       auto=add
+
+conn rw-eap
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftauth=eap-ttls
+       leftfirewall=yes
+       rightauth=eap-ttls
+       rightid=*@strongswan.org
+       rightsendcert=never
+       right=%any
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..2e277cc
--- /dev/null
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql
new file mode 100644 (file)
index 0000000..2bb7e79
--- /dev/null
@@ -0,0 +1,29 @@
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 28, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  16, 2, 0
+);
+
+DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..e76598b
--- /dev/null
@@ -0,0 +1,34 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+  plugins {
+    imv-attestation {
+      hash_algorithm = sha1
+      dh_group = modp2048
+      mandatory_dh_groups = no
+    }
+  }
+}
+
+attest {
+  load = random nonce openssl sqlite
+  database = sqlite:///etc/pts/config.db
+}
+
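Review bot: The imv-attestation section sets `hash_algorithm = sha1` together with the two DH options, although the default read in imv_attestation_agent.c is `sha256` and `sha2` is in the `load` list above. If SHA-1 is not needed for the no-ECC scenario, leaving it at the default keeps the test focused on the DH-group change. If it is needed, a `# ...` comment stating why would stop the weaker digest from being copied into real configurations along with `mandatory_dh_groups = no`.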
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/tnc_config
new file mode 100644 (file)
index 0000000..6507baa
--- /dev/null
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS"          /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/posttest.dat
new file mode 100644 (file)
index 0000000..48514d6
--- /dev/null
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/pretest.dat
new file mode 100644 (file)
index 0000000..49ea041
--- /dev/null
@@ -0,0 +1,18 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+dave::ipsec start
+carol::ipsec start
+dave::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
+moon::ipsec attest --sessions
+moon::ipsec attest --devices
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf b/testing/tests/tnc/tnccs-20-pts-no-ecc/test.conf
new file mode 100644 (file)
index 0000000..a8a05af
--- /dev/null
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+