Implemented segmented SWID tag attributes on IMV side
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 11 Apr 2014 14:30:55 +0000 (16:30 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 15 Apr 2014 07:21:06 +0000 (09:21 +0200)
105 files changed:
src/libimcv/plugins/imv_os/imv_os_agent.c
src/libpts/plugins/imc_swid/imc_swid.c
src/libpts/plugins/imv_swid/imv_swid_agent.c
src/libpts/plugins/imv_swid/imv_swid_state.h
testing/tests/tnc/tnccs-20-pdp-eap/description.txt [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-eap/test.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pdp/description.txt [deleted file]
testing/tests/tnc/tnccs-20-pdp/evaltest.dat [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules [deleted file]
testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf [deleted file]
testing/tests/tnc/tnccs-20-pdp/posttest.dat [deleted file]
testing/tests/tnc/tnccs-20-pdp/pretest.dat [deleted file]
testing/tests/tnc/tnccs-20-pdp/test.conf [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/description.txt [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/posttest.dat [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/pretest.dat [deleted file]
testing/tests/tnc/tnccs-20-pt-tls/test.conf [deleted file]

index 9dc0244..d186fb9 100644 (file)
@@ -671,7 +671,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
                                        int count, count_update, count_blacklist, count_ok;
 
                                        if (!(received & IMV_OS_ATTR_INSTALLED_PACKAGES) ||
-                                               os_state->get_angel_count(os_state))
+                                               os_state->get_angel_count(os_state) > 0)
                                        {
                                                continue;
                                        }
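Review bot: The new `> 0` test makes a negative angel count indistinguishable from zero, so a session in which the IMC sent more ITA Stop Angel than Start Angel attributes now proceeds to package evaluation without leaving any trace in the log. That is the safer of the two behaviours (the old truthiness test would have skipped such a session for good), but an underflowed counter is still a protocol violation worth surfacing, if the counter is signed as the increase/decrease wording in imv_swid_state.h suggests. A `DBG1(DBG_IMV, "ITA Angel count is negative, ignoring")` on the negative case, or clamping at zero inside `set_angel_count()`, would make it visible to whoever reads the IMV log. batch_ending starts and ends outside this hunk.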
index 265f467..4fad431 100644 (file)
@@ -273,6 +273,16 @@ static bool add_swid_inventory(imc_state_t *state, imc_msg_t *msg,
        msg->add_attribute(msg, attr);
        swid_inventory->destroy(swid_inventory);
 
+       if (!first)
+       {
+               /**
+                * If we sent an ITA Start Angel attribute in the first place,
+                * terminate by appending a matching ITA Stop Angel attribute.
+                */
+               attr_angel = ita_attr_angel_create(FALSE);
+               msg->add_attribute(msg, attr_angel);
+       }
+
        return TRUE;
 }
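Review bot: The Stop Angel appended at the end of add_swid_inventory is keyed on `!first`, while the matching Start Angel and the place where `first` is cleared are both outside this hunk; the pairing only holds if `first` is cleared on exactly the path that added the Start Angel, because an unmatched Stop drives the IMV's angel counter below zero and, with the `<= 0` test added to imv_swid_agent's batch_ending in this commit, releases the work item early. A one-line comment tying the flag to the Start Angel, e.g. `/* first is cleared once the Start Angel has been sent, see above */`, would make that invariant explicit at the point it is relied on. The new comment also uses the doxygen `/** */` opener inside a function body; a plain `/* */` block matches the in-body comment style used elsewhere in this commit (the "accumulate the swid tag [ID] count" comment in imv_swid_agent.c). The enclosing function starts before the hunk.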
 
index 70ff80e..fdf1dcf 100644 (file)
@@ -45,6 +45,14 @@ static pen_type_t msg_types[] = {
 };
 
 /**
+ * Flag set when corresponding attribute has been received
+ */
+enum imv_swid_attr_t {
+       IMV_SWID_ATTR_TAG_INV =    (1<<0),
+       IMV_SWID_ATTR_TAG_ID_INV = (1<<1)
+};
+
+/**
  * Private data of an imv_swid_agent_t object.
  */
 struct private_imv_swid_agent_t {
@@ -113,13 +121,11 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this,
        enumerator = in_msg->create_attribute_enumerator(in_msg);
        while (enumerator->enumerate(enumerator, &attr))
        {
-               TNC_IMV_Evaluation_Result eval;
-               TNC_IMV_Action_Recommendation rec;
                pen_type_t type;
                uint32_t request_id, last_eid, eid_epoch;
                swid_inventory_t *inventory;
                int tag_count;
-               char result_str[BUF_LEN], *tag_item;
+               char *tag_item;
                imv_workitem_t *workitem, *found = NULL;
                enumerator_t *et, *ew;
                
@@ -176,12 +182,12 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this,
                        {
                                case ITA_ATTR_START_ANGEL:
                                        swid_state->set_angel_count(swid_state, TRUE);
-                                       break;
+                                       continue;
                                case ITA_ATTR_STOP_ANGEL:
                                        swid_state->set_angel_count(swid_state, FALSE);
-                                       break;
+                                       continue;
                                default:
-                                       break;
+                                       continue;
                        }
                }
                else if (type.vendor_id != PEN_TCG)
@@ -197,6 +203,8 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this,
                                swid_tag_id_t *tag_id;
                                chunk_t tag_creator, unique_sw_id;
 
+                               state->set_action_flags(state, IMV_SWID_ATTR_TAG_ID_INV);
+
                                attr_cast = (tcg_swid_attr_tag_id_inv_t*)attr;
                                request_id = attr_cast->get_request_id(attr_cast);
                                last_eid = attr_cast->get_last_eid(attr_cast, &eid_epoch);
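Review bot: `state->set_action_flags(state, IMV_SWID_ATTR_TAG_ID_INV)` is recorded before the attribute's request ID has been matched against a work item, and the TAG_INV hunk that follows does the same; only the count accumulation was moved under `if (found)`. An inventory whose request ID matches no work item therefore still sets the received flag, and once the angel count is back at zero the new block in batch_ending finalizes the first IMV_WORKITEM_SWID_TAGS work item as COMPLIANT with whatever count the state currently holds (zero if nothing ever matched), even though receive_msg has just logged that no work item was found. Keeping the flag next to the count, i.e. setting a local such as `attr_flag = IMV_SWID_ATTR_TAG_ID_INV;` in each case and calling `state->set_action_flags(state, attr_flag);` right after `swid_state->set_count(swid_state, tag_count);` inside the `if (found)` branch, would prevent an unsolicited or mis-addressed inventory from closing a work item it was not an answer to. This assumes set_action_flags ORs into the existing flags, which is not visible here; receive_msg continues outside the hunk.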
@@ -230,6 +238,8 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this,
                                swid_tag_t *tag;
                                chunk_t tag_encoding;
 
+                               state->set_action_flags(state, IMV_SWID_ATTR_TAG_INV);
+
                                attr_cast = (tcg_swid_attr_tag_inv_t*)attr;
                                request_id = attr_cast->get_request_id(attr_cast);
                                last_eid = attr_cast->get_last_eid(attr_cast, &eid_epoch);
@@ -257,8 +267,6 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this,
                        default:
                                continue;
                 }
-               tag_count = inventory->get_count(inventory);
-               swid_state->set_count(swid_state, tag_count);
 
                ew = session->create_workitem_enumerator(session);
                while (ew->enumerate(ew, &workitem))
@@ -269,28 +277,18 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this,
                                break;
                        }
                }
-               if (!found)
+               if (found)
                {
-                       DBG1(DBG_IMV, "no workitem found for SWID %s inventory "
-                                                 "with request ID %d", tag_item, request_id);
-                       ew->destroy(ew);
-                       continue;
+                       /* accumulate the swid tag [ID] count */
+                       tag_count = inventory->get_count(inventory);
+                       swid_state->set_count(swid_state, tag_count);
                }
-
-               if (!swid_state->get_angel_count(swid_state))
+               else
                {
-                       swid_state->get_count(swid_state, &tag_count);
-                       snprintf(result_str, BUF_LEN, "received inventory of %d SWID %s%s",
-                                        tag_count, tag_item, (tag_count == 1) ? "" : "s");
-                       session->remove_workitem(session, ew);
-                       ew->destroy(ew);
-
-                       eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
-                       rec = found->set_result(found, result_str, eval);
-                       state->update_recommendation(state, rec, eval);
-                       imcv_db->finalize_workitem(imcv_db, found);
-                       found->destroy(found);
+                       DBG1(DBG_IMV, "no workitem found for SWID %s inventory "
+                                                 "with request ID %d", tag_item, request_id);
                }
+               ew->destroy(ew);
        }
        enumerator->destroy(enumerator);
 
@@ -366,7 +364,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
        TNC_IMVID imv_id;
        TNC_Result result = TNC_RESULT_SUCCESS;
        bool no_workitems = TRUE;
-       uint32_t request_id;
+       uint32_t request_id, received;
        uint8_t flags;
        enumerator_t *enumerator;
 
@@ -456,6 +454,40 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
                }
        }
 
+       received = state->get_action_flags(state);
+
+       if (handshake_state == IMV_SWID_STATE_WORKITEMS &&
+          (received & (IMV_SWID_ATTR_TAG_INV|IMV_SWID_ATTR_TAG_ID_INV)) &&
+               swid_state->get_angel_count(swid_state) <= 0)
+       {
+               TNC_IMV_Evaluation_Result eval;
+               TNC_IMV_Action_Recommendation rec;
+               char result_str[BUF_LEN], *tag_item;
+               int tag_count;
+
+               enumerator = session->create_workitem_enumerator(session);
+               while (enumerator->enumerate(enumerator, &workitem))
+               {
+                       if (workitem->get_type(workitem) == IMV_WORKITEM_SWID_TAGS)
+                       {
+                               swid_state->get_count(swid_state, &tag_count);
+                               tag_item = (received & IMV_SWID_ATTR_TAG_INV) ? "" : " ID";
+                               snprintf(result_str, BUF_LEN, "received inventory of %d "
+                                               "SWID tag%s%s", tag_count, tag_item,
+                                               (tag_count == 1) ? "" : "s");
+                               session->remove_workitem(session, enumerator);
+
+                               eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+                               rec = workitem->set_result(workitem, result_str, eval);
+                               state->update_recommendation(state, rec, eval);
+                               imcv_db->finalize_workitem(imcv_db, workitem);
+                               workitem->destroy(workitem);
+                               break;
+                       }
+               }
+               enumerator->destroy(enumerator);
+       }
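Review bot: The new finalization block carries no comment explaining why it waits for `swid_state->get_angel_count(swid_state) <= 0`, which is the mechanism this commit introduces; a header such as `/* the Start/Stop Angel count drops back to zero once all segments of a SWID inventory have arrived; finalize the pending SWID_TAGS work item with the accumulated count */` would spare the next reader a trip to imc_swid.c. Separately, `tag_item` is derived from IMV_SWID_ATTR_TAG_INV alone, so a session in which both a tag inventory and a tag-ID inventory were received reports the sum of both counts as "SWID tags"; if that mix is not expected, a DBG1 on `received` having both bits set would document the assumption. batch_ending continues outside the hunk.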
+
        /* finalized all workitems ? */
        if (handshake_state == IMV_SWID_STATE_WORKITEMS &&
                session->get_workitem_count(session, imv_id) == 0)
index 7263fe9..8e7cd61 100644 (file)
@@ -65,13 +65,6 @@ struct imv_swid_state_t {
        imv_swid_handshake_state_t (*get_handshake_state)(imv_swid_state_t *this);
 
        /**
-        * Increase/Decrease the ITA Angel count
-        *
-        * @param start                 TRUE increases and FALSE decreases count by one
-        */
-       void (*set_angel_count)(imv_swid_state_t *this, bool start);
-
-       /**
         * Set [or with multiple attributes increment] SWID Tag [ID] counters
         *
         * @param count                         Number of received SWID Tags or SWID Tag IDs
@@ -86,6 +79,13 @@ struct imv_swid_state_t {
        void (*get_count)(imv_swid_state_t *this, int *count);
 
        /**
+        * Increase/Decrease the ITA Angel count
+        *
+        * @param start                 TRUE increases and FALSE decreases count by one
+        */
+       void (*set_angel_count)(imv_swid_state_t *this, bool start);
+
+       /**
         * Get the ITA Angel count
         *
         * @return                              ITA Angel count
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/description.txt b/testing/tests/tnc/tnccs-20-pdp-eap/description.txt
new file mode 100644 (file)
index 0000000..a178211
--- /dev/null
@@ -0,0 +1,12 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to the policy enforcement
+point <b>moon</b>. At the outset the gateway authenticates itself to the clients by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate. <b>carol</b> and <b>dave</b> then set up an
+<b>EAP-TTLS</b> tunnel each via gateway <b>moon</b> to the policy decision point <b>alice</b>
+authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak
+client authentication based on <b>EAP-MD5</b>. In a next step the EAP-TNC protocol is used within
+the EAP-TTLS tunnel to determine the health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0</b>
+client-server interface defined by <b>RFC 5793 PB-TNC</b>. The communication between IMCs and IMVs
+is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
+are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
new file mode 100644 (file)
index 0000000..505a4d0
--- /dev/null
@@ -0,0 +1,22 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
+moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES
+moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
+moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..f2e6119
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="tnc 2, imv 3"
+
+conn aaa
+       leftcert=aaaCert.pem
+       leftid=aaa.strongswan.org
+       auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
new file mode 100644 (file)
index 0000000..6aeb0c0
--- /dev/null
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem
new file mode 100644 (file)
index 0000000..da8cdb0
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..11d45cd
--- /dev/null
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA aaaKey.pem
+
+carol : EAP "Ar3etTnp"
+dave  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql
new file mode 100644 (file)
index 0000000..60edb79
--- /dev/null
@@ -0,0 +1,61 @@
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 40, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+/* Identities */
+
+INSERT INTO identities (
+  type, value
+) VALUES ( /* dave@strongswan.org */
+  5, X'64617665'
+);
+
+/* Sessions */
+
+INSERT INTO sessions (
+  time, connection, identity, device, product, rec
+) VALUES (
+  NOW, 1, 1, 1, 40, 0
+);
+
+/* Results */
+
+INSERT INTO results (
+  session, policy, rec, result
+) VALUES (
+  1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  17, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  18, 10, 86400
+);
+
+DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..61bf86f
--- /dev/null
@@ -0,0 +1,29 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+      max_message_count = 0
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+      max_message_count = 20
+    }
+    tnc-pdp {
+      server = aaa.strongswan.org
+      radius {
+        secret = gv6URkSs
+      }
+    }
+  }
+}
+
+libimcv {
+  debug_level = 3 
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config
new file mode 100644 (file)
index 0000000..ebe88bc
--- /dev/null
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS"       /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "SWID"     /usr/local/lib/ipsec/imcvs/imv-swid.so
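Review bot: The header comment describes this as an IMV configuration file for a strongSwan client, but alice hosts the IMVs as the policy decision point in this scenario (see the test's description.txt), and the client-side IMC files on carol and dave use the same wording; `#IMV configuration file for strongSwan PDP server` would match the role. The line also carries a trailing blank.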
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..5956373
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="tnc 3, imc 3"
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn home
+       left=PH_IP_CAROL
+       leftauth=eap
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightsubnet=10.1.0.0/16
+       rightauth=pubkey
+       eap_identity=carol
+       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+       auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..23d79cf
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..be6c0ad
--- /dev/null
@@ -0,0 +1,20 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
+  plugins {
+    eap-ttls {
+      max_message_count = 0
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+      max_message_count = 20
+    }
+    tnccs-20 {
+      max_batch_size = 32754
+      max_message_size = 32722
+    }
+  }
+}
+
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config
new file mode 100644 (file)
index 0000000..a954883
--- /dev/null
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"       /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID"     /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..8c27c78
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="tnc 3, imc 3"
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn home
+       left=PH_IP_DAVE
+       leftauth=eap
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightsubnet=10.1.0.0/16
+       rightauth=pubkey
+       eap_identity=dave
+       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+       auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..02e0c99
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..c542b44
--- /dev/null
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
+  plugins {    
+   eap-ttls {
+      max_message_count = 0
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+      max_message_count = 20
+    }
+    tnccs-20 {
+      max_batch_size = 32754
+      max_message_size = 32722
+    }
+  }
+}
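Review bot: The `eap-ttls` block is indented by three spaces and the `plugins {` line carries trailing whitespace, unlike carol's otherwise identical strongswan.conf added in the same commit; `  plugins {` without trailing blanks and `    eap-ttls {` with four spaces would keep the two files aligned.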
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config
new file mode 100644 (file)
index 0000000..a954883
--- /dev/null
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"       /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID"     /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..02ada56
--- /dev/null
@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn rw-allow
+       rightgroups=allow
+       leftsubnet=10.1.0.0/28
+       also=rw-eap
+       auto=add
+
+conn rw-isolate
+       rightgroups=isolate
+       leftsubnet=10.1.0.16/28
+       also=rw-eap
+       auto=add
+
+conn rw-eap
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftauth=pubkey
+       leftfirewall=yes
+       rightauth=eap-radius
+       rightsendcert=never
+       right=%any
+       eap_identity=%any
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..e86d6aa
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules
new file mode 100644 (file)
index 0000000..1eb7553
--- /dev/null
@@ -0,0 +1,32 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..d329518
--- /dev/null
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      #server = PH_IP6_ALICE 
+      server = PH_IP_ALICE
+      filter_id = yes
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat
new file mode 100644 (file)
index 0000000..916e433
--- /dev/null
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::ipsec stop
+alice::rm /etc/pts/config.db
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat
new file mode 100644 (file)
index 0000000..6709b89
--- /dev/null
@@ -0,0 +1,18 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
+alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+alice::ipsec start
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
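Review bot: `alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql` rewrites the fixture in place on the guest, so the NOW token exists only on the first run; a second run against the same guest image would keep the stale session timestamp. That is harmless only if the harness re-copies hosts/alice/etc before every run, which this file does not establish. Writing to a temporary copy removes the dependency: `alice::sed "s/NOW/`date +%s`/g" /etc/pts/data1.sql > /tmp/data1.sql` and piping `/tmp/data1.sql` instead of `/etc/pts/data1.sql` into sqlite3 on the following line.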
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/test.conf b/testing/tests/tnc/tnccs-20-pdp-eap/test.conf
new file mode 100644 (file)
index 0000000..c4ca1a1
--- /dev/null
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave alice"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-pdp-pt-tls/description.txt
new file mode 100644 (file)
index 0000000..45a77e9
--- /dev/null
@@ -0,0 +1,9 @@
+The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision 
+point (PDP) <b>alice</b>. <b>carol</b> uses password-based SASL PLAIN client authentication during the
+<b>PT-TLS negotiation phase</b> and <b>dave</b> uses certificate-based TLS client authentication during the
+<b>TLS setup phase</b>.
+<p/>
+During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWID</b> IMC/IMV pairs
+loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
+embedded in PB-TNC (RFC 5793) batches. The <b>SWID</b> IMC on <b>carol</b> is requested to deliver
+a concise <b>SWID Tag ID Inventory</b> whereas <b>dave</b> must send a full <b>SWID Tag Inventory</b>.
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
new file mode 100644 (file)
index 0000000..3139ca0
--- /dev/null
@@ -0,0 +1,12 @@
+alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
+alice:: cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
+alice:: cat /var/log/daemon.log::SASL client identity is.*carol::YES
+alice:: cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
+alice:: cat /var/log/daemon.log::received SWID tag ID inventory for request 6 at eid 1 of epoch::YES
+alice:: cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-.*.swidtag::YES
+alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
+alice:: cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
+alice:: cat /var/log/daemon.log::certificate status is good::YES
+alice:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
+alice:: cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
+alice:: cat /var/log/daemon.log::received SWID tag inventory for request 11 at eid 1 of epoch::YES
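Review bot: The alice checks stop at receipt of the inventories (`received SWID tag ID inventory for request 6`, `received SWID tag inventory for request 11`); nothing asserts what the SWID IMV concluded or that either PT-TLS session ended with a recommendation, so a regression that receives the attribute but fails to evaluate it would still pass. The hard-coded request IDs 6 and 11 also bind the test to the exact number of attributes exchanged before the SWID request, so any change in the OS IMC/IMV exchange breaks these lines without indicating a real fault — `request [0-9]+` is equally strong for what is actually verified. Adding one line per client that matches the PDP's recommendation log entry (whatever text imv-swid emits for it, which this diff does not show) would close the first gap.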
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..d8b8433
--- /dev/null
@@ -0,0 +1,9 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="tls 2, tnc 3, imv 3"
+
+conn aaa
+       leftcert=aaaCert.pem
+       leftid=aaa.strongswan.org
+       auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
new file mode 100644 (file)
index 0000000..6aeb0c0
--- /dev/null
@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem
new file mode 100644 (file)
index 0000000..da8cdb0
--- /dev/null
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----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+-----END RSA PRIVATE KEY-----
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..11d45cd
--- /dev/null
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA aaaKey.pem
+
+carol : EAP "Ar3etTnp"
+dave  : EAP "W7R0g3do"
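Review bot: `dave  : EAP "W7R0g3do"` is dead in this test: the description and evaltest in the same commit have dave authenticate with a TLS client certificate and the PDP log `skipping SASL, client already authenticated by TLS certificate`, so only carol's PLAIN secret is ever looked up. Dropping the unused credential, or annotating it with `# dave authenticates by TLS client certificate; no SASL secret is consulted`, keeps the secrets file down to what the test needs.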
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules
new file mode 100644 (file)
index 0000000..5b27539
--- /dev/null
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow PT-TLS 
+-A INPUT  -i eth0 -p tcp --dport 271 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
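Review bot: The CRL-fetch rules hard-code `192.168.0.150` where moon's iptables.rules in this same commit use the `PH_IP_WINNETOU` placeholder, so this file silently diverges if the test network layout changes while the placeholder-based files follow. The PT-TLS accept on `--dport 271` is also unrestricted by source, which is reasonable for a PDP serving several clients but deserves a comment, since the client-side rules pin the peer to one address. Suggest `-s PH_IP_WINNETOU` / `-d PH_IP_WINNETOU` on the two CRL lines and `# PT-TLS from any client (carol and dave both connect)` above the 271 rules.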
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql
new file mode 100644 (file)
index 0000000..b70fb6a
--- /dev/null
@@ -0,0 +1,61 @@
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 40, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+/* Identities */
+
+INSERT INTO identities (
+  type, value
+) VALUES ( /* dave@strongswan.org */
+  4, X'64617665407374726f6e677377616e2e6f7267'
+);
+
+/* Sessions */
+
+INSERT INTO sessions (
+  time, connection, identity, device, product, rec
+) VALUES (
+  NOW, 1, 1, 1, 40, 0
+);
+
+/* Results */
+
+INSERT INTO results (
+  session, policy, rec, result
+) VALUES (
+  1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  17, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  18, 10, 86400
+);
+
+DELETE FROM enforcements WHERE id = 1;
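Review bot: The hard-coded foreign keys — product 40, group_id 10 and 2, policy 3/17/18 — and the trailing `DELETE FROM enforcements WHERE id = 1;` all refer to rows defined in the shared templates/database/imv/data.sql, which is not part of this diff, so a reader cannot tell which policy is enforced on which group or why an enforcement is removed. A comment per statement naming the referenced rows, e.g. `/* policy 17 (…) on group 2 (…), re-evaluate daily */`, and above the DELETE something like `/* drop the default enforcement shipped in data.sql so only the ones above apply */` (presumably its purpose; I cannot confirm from here), would make the fixture self-explanatory.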
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..21961d4
--- /dev/null
@@ -0,0 +1,28 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl pem pkcs1 nonce x509 revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+
+  plugins { 
+    tnc-pdp {
+      server = aaa.strongswan.org
+      radius {
+        secret = gv6URkSs
+      }
+    }
+  }
+}
+
+libtnccs {
+  plugins {
+    tnccs-20 {
+      max_batch_size = 131056
+      max_message_size = 131024
+    }
+  }
+}
+
+libimcv {
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+}
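Review bot: `tnc-pdp { radius { secret = gv6URkSs } }` configures a RADIUS side that nothing in this test can reach — alice's iptables.rules in this commit accept only TCP 271, 22 and 80, test.conf leaves RADIUSHOSTS empty, and both clients speak PT-TLS directly — so the shared secret is either dead configuration or something the plugin requires merely to start (I cannot tell which from this diff). A comment stating that, e.g. `# RADIUS is not exercised here (PT-TLS only); secret kept because tnc-pdp expects one`, or dropping the radius block if the plugin tolerates its absence, would stop readers from assuming a RADIUS path exists in this test.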
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config
new file mode 100644 (file)
index 0000000..ebe88bc
--- /dev/null
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS"       /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "SWID"     /usr/local/lib/ipsec/imcvs/imv-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..4a41e7e
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# the PT-TLS client reads its configuration via the command line
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..d2f6378
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# the PT-TLS client loads its secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql
new file mode 100644 (file)
index 0000000..805c8bf
--- /dev/null
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules
new file mode 100644 (file)
index 0000000..d01d0a3
--- /dev/null
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow PT-TLS 
+-A INPUT  -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
+-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
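Review bot: The PT-TLS rules pin the PDP to the literal `10.1.0.10` and the CRL rules to `192.168.0.150`, whereas moon's iptables.rules in this commit use `PH_IP_ALICE` / `PH_IP_WINNETOU` placeholders; dave's copy (same blob d01d0a3) carries the same literals. Using the placeholders keeps all the rule files consistent and lets the harness substitute addresses, presumably `-A INPUT  -i eth0 -s PH_IP_ALICE -p tcp --sport 271 -j ACCEPT` and `-A OUTPUT -o eth0 -d PH_IP_ALICE -p tcp --dport 271 -j ACCEPT` for the two PT-TLS lines.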
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options
new file mode 100644 (file)
index 0000000..f04e947
--- /dev/null
@@ -0,0 +1,5 @@
+--connect aaa.strongswan.org
+--client carol
+--secret "Ar3etTnp"
+--cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--debug 2 
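Review bot: `--secret "Ar3etTnp"` places the SASL PLAIN password in a mode-0644 options file that pretest.dat in this commit also `cat`s into the test log, so the credential is world-readable on the guest and reproduced in every test report. That is acceptable for a fixed test password, but the file should say so — if the optionsfrom parser accepts `#` comments as I believe it does, a first line `# test-only credentials; the PLAIN password is deliberately shown in the test log` prevents the pattern being copied into a real deployment.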
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..685a652
--- /dev/null
@@ -0,0 +1,29 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = yes 
+    }
+    imc-swid {
+      #swid_directory = /usr/share
+    }
+  }
+}
+
+libtnccs {
+  plugins {
+    tnccs-20 {
+      max_batch_size   = 131056
+      max_message_size = 131024
+    }
+  }
+}
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+}
+
+pt-tls-client {
+  load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20
+}
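Review bot: `#swid_directory = /usr/share` under imc-swid is left commented out without saying whether that is the plugin's default or merely an example, so a reader cannot tell where the IMC looks for .swidtag files in this test (the evaltest expects `regid.2004-03.org.strongswan_strongSwan-…swidtag` to be found). A comment such as `# search path for SWID tags; uncomment to override the compiled-in default` (adjusted to whatever the real default is) would resolve that. `push_info = yes ` also carries trailing whitespace.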
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config
new file mode 100644 (file)
index 0000000..f40174e
--- /dev/null
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"       /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID"     /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..4a41e7e
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# the PT-TLS client reads its configuration via the command line
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..d2f6378
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# the PT-TLS client loads its secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql
new file mode 100644 (file)
index 0000000..805c8bf
--- /dev/null
@@ -0,0 +1,4 @@
+/* strongSwan SQLite database */
+
+/* configuration is read from the command line */
+/* credentials are read from the command line */
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules
new file mode 100644 (file)
index 0000000..d01d0a3
--- /dev/null
@@ -0,0 +1,20 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow PT-TLS 
+-A INPUT  -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
+-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
+
+COMMIT
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options
new file mode 100644 (file)
index 0000000..46821ec
--- /dev/null
@@ -0,0 +1,6 @@
+--connect aaa.strongswan.org
+--client dave@strongswan.org
+--key  /etc/ipsec.d/private/daveKey.pem
+--cert /etc/ipsec.d/certs/daveCert.pem
+--cert /etc/ipsec.d/cacerts/strongswanCert.pem
+--debug 2
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..0fa2acb
--- /dev/null
@@ -0,0 +1,26 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = no
+    }
+  }
+}
+
+libtnccs {
+  plugins {
+    tnccs-20 {
+      max_batch_size   = 131056
+      max_message_size = 131024
+    }
+  }
+}
+
+libtls {
+  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+}
+
+pt-tls-client {
+  load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20
+}
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config
new file mode 100644 (file)
index 0000000..f40174e
--- /dev/null
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"       /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "SWID"     /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat
new file mode 100644 (file)
index 0000000..c98df86
--- /dev/null
@@ -0,0 +1,8 @@
+carol::ip route del 10.1.0.0/16 via 192.168.0.1
+dave::ip route del 10.1.0.0/16 via 192.168.0.1
+winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
+alice::ipsec stop
+alice::rm /etc/pts/config.db
+alice::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat
new file mode 100644 (file)
index 0000000..97ff0c1
--- /dev/null
@@ -0,0 +1,19 @@
+alice::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+dave::cat /etc/tnc_config
+alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
+alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+alice::ipsec start
+winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
+carol::ip route add 10.1.0.0/16 via 192.168.0.1
+carol::cat /etc/pts/options
+carol::ipsec pt-tls-client --optionsfrom /etc/pts/options
+dave::ip route add 10.1.0.0/16 via 192.168.0.1
+dave::cat /etc/pts/options
+dave::ipsec pt-tls-client --optionsfrom /etc/pts/options
+dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf
new file mode 100644 (file)
index 0000000..0887e4d
--- /dev/null
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="carol dave alice"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-pdp/description.txt b/testing/tests/tnc/tnccs-20-pdp/description.txt
deleted file mode 100644 (file)
index a178211..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to the policy enforcement
-point <b>moon</b>. At the outset the gateway authenticates itself to the clients by sending an IKEv2
-<b>RSA signature</b> accompanied by a certificate. <b>carol</b> and <b>dave</b> then set up an
-<b>EAP-TTLS</b> tunnel each via gateway <b>moon</b> to the policy decision point <b>alice</b>
-authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak
-client authentication based on <b>EAP-MD5</b>. In a next step the EAP-TNC protocol is used within
-the EAP-TTLS tunnel to determine the health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0</b>
-client-server interface defined by <b>RFC 5793 PB-TNC</b>. The communication between IMCs and IMVs
-is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
-<p>
-<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients
-are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/tnc/tnccs-20-pdp/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp/evaltest.dat
deleted file mode 100644 (file)
index 505a4d0..0000000
+++ /dev/null
@@ -1,22 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
-carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
-dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES
-moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES
-moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES
-moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
-moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.conf
deleted file mode 100644 (file)
index 6f673dc..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imv 3"
-
-conn aaa
-       leftcert=aaaCert.pem
-       leftid=aaa.strongswan.org
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
deleted file mode 100644 (file)
index 6aeb0c0..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
-dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R
-RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm
-Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W
-Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF
-AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni
-wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg
-EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd
-p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
-EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
-ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
-BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
-Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa
-yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp
-iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2
-bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d
-HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr
-EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4
-v42sww==
------END CERTIFICATE-----
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.d/private/aaaKey.pem
deleted file mode 100644 (file)
index da8cdb0..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx
-bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh
-9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ
-/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp
-NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR
-BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds
-Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi
-NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV
-IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3
-Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI
-aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X
-YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq
-b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If
-/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN
-P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X
-V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t
-cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c
-PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m
-a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo
-NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b
-xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/
-J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5
-YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ
-SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu
-EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/ipsec.secrets
deleted file mode 100644 (file)
index 11d45cd..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA aaaKey.pem
-
-carol : EAP "Ar3etTnp"
-dave  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/strongswan.conf
deleted file mode 100644 (file)
index ec4956c..0000000
+++ /dev/null
@@ -1,30 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20
-  plugins {
-    eap-ttls {
-      phase2_method = md5
-      phase2_piggyback = yes
-      phase2_tnc = yes
-    }
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-    tnc-pdp {
-      server = aaa.strongswan.org
-      radius {
-        secret = gv6URkSs
-      }
-    }
-  }
-}
-
-libimcv {
-  debug_level = 3 
-  plugins {
-    imv-test {
-      rounds = 1 
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/alice/etc/tnc_config
deleted file mode 100644 (file)
index da732f6..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client 
-
-IMV "Test"     /usr/local/lib/ipsec/imcvs/imv-test.so
-IMV "Scanner"  /usr/local/lib/ipsec/imcvs/imv-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index 5956373..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_CAROL
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightauth=pubkey
-       eap_identity=carol
-       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/ipsec.secrets
deleted file mode 100644 (file)
index 23d79cf..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/strongswan.conf
deleted file mode 100644 (file)
index 808f1d1..0000000
+++ /dev/null
@@ -1,18 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
-}
-
-libimcv {
-  plugins {
-    imc-test {
-      command = allow
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/carol/etc/tnc_config
deleted file mode 100644 (file)
index 6166552..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Test"     /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner"  /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.conf
deleted file mode 100644 (file)
index 8c27c78..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tnc 3, imc 3"
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn home
-       left=PH_IP_DAVE
-       leftauth=eap
-       leftfirewall=yes
-       right=PH_IP_MOON
-       rightid=@moon.strongswan.org
-       rightsubnet=10.1.0.0/16
-       rightauth=pubkey
-       eap_identity=dave
-       aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/ipsec.secrets
deleted file mode 100644 (file)
index 02e0c99..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/strongswan.conf
deleted file mode 100644 (file)
index 96ff63a..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  plugins {    
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
-}
-
-libimcv {
-  plugins {
-    imc-test {
-      command = isolate
-    }
-    imc-scannner {
-      push_info = no
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp/hosts/dave/etc/tnc_config
deleted file mode 100644 (file)
index 6166552..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "Test"     /usr/local/lib/ipsec/imcvs/imc-test.so
-IMC "Scanner"  /usr/local/lib/ipsec/imcvs/imc-scanner.so
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.conf
deleted file mode 100644 (file)
index 02ada56..0000000
+++ /dev/null
@@ -1,33 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
-       ikelifetime=60m
-       keylife=20m
-       rekeymargin=3m
-       keyingtries=1
-       keyexchange=ikev2
-
-conn rw-allow
-       rightgroups=allow
-       leftsubnet=10.1.0.0/28
-       also=rw-eap
-       auto=add
-
-conn rw-isolate
-       rightgroups=isolate
-       leftsubnet=10.1.0.16/28
-       also=rw-eap
-       auto=add
-
-conn rw-eap
-       left=PH_IP_MOON
-       leftcert=moonCert.pem
-       leftid=@moon.strongswan.org
-       leftauth=pubkey
-       leftfirewall=yes
-       rightauth=eap-radius
-       rightsendcert=never
-       right=%any
-       eap_identity=%any
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/ipsec.secrets
deleted file mode 100644 (file)
index e86d6aa..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/iptables.rules
deleted file mode 100644 (file)
index 1eb7553..0000000
+++ /dev/null
@@ -1,32 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow esp
--A INPUT  -i eth0 -p 50 -j ACCEPT
--A OUTPUT -o eth0 -p 50 -j ACCEPT
-
-# allow IKE
--A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
-# allow MobIKE
--A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
--A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
-# allow RADIUS protocol with alice
--A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
--A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp/hosts/moon/etc/strongswan.conf
deleted file mode 100644 (file)
index d329518..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
-  multiple_authentication=no
-  plugins {
-    eap-radius {
-      secret = gv6URkSs
-      #server = PH_IP6_ALICE 
-      server = PH_IP_ALICE
-      filter_id = yes
-    }
-  }
-}
diff --git a/testing/tests/tnc/tnccs-20-pdp/posttest.dat b/testing/tests/tnc/tnccs-20-pdp/posttest.dat
deleted file mode 100644 (file)
index e7eecd5..0000000
+++ /dev/null
@@ -1,7 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-alice::ipsec stop
-moon::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pdp/pretest.dat b/testing/tests/tnc/tnccs-20-pdp/pretest.dat
deleted file mode 100644 (file)
index 32ed4d8..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-moon::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-alice::ipsec start
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-pdp/test.conf b/testing/tests/tnc/tnccs-20-pdp/test.conf
deleted file mode 100644 (file)
index c4ca1a1..0000000
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave alice"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS=
-
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/description.txt b/testing/tests/tnc/tnccs-20-pt-tls/description.txt
deleted file mode 100644 (file)
index 45a77e9..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision 
-point (PDP) <b>alice</b>. <b>carol</b> uses password-based SASL PLAIN client authentication during the
-<b>PT-TLS negotiation phase</b> and <b>dave</b> uses certificate-based TLS client authentication during the
-<b>TLS setup phase</b>.
-<p/>
-During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWID</b> IMC/IMV pairs
-loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages
-embedded in PB-TNC (RFC 5793) batches. The <b>SWID</b> IMC on <b>carol</b> is requested to deliver
-a concise <b>SWID Tag ID Inventory</b> whereas <b>dave</b> must send a full <b>SWID Tag Inventory</b>.
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pt-tls/evaltest.dat
deleted file mode 100644 (file)
index 3139ca0..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
-alice:: cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
-alice:: cat /var/log/daemon.log::SASL client identity is.*carol::YES
-alice:: cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
-alice:: cat /var/log/daemon.log::received SWID tag ID inventory for request 6 at eid 1 of epoch::YES
-alice:: cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-.*.swidtag::YES
-alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES
-alice:: cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES
-alice:: cat /var/log/daemon.log::certificate status is good::YES
-alice:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
-alice:: cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
-alice:: cat /var/log/daemon.log::received SWID tag inventory for request 11 at eid 1 of epoch::YES
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.conf
deleted file mode 100644 (file)
index d8b8433..0000000
+++ /dev/null
@@ -1,9 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-       charondebug="tls 2, tnc 3, imv 3"
-
-conn aaa
-       leftcert=aaaCert.pem
-       leftid=aaa.strongswan.org
-       auto=add
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem
deleted file mode 100644 (file)
index 6aeb0c0..0000000
+++ /dev/null
@@ -1,25 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
-MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
-b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE
-BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
-dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R
-RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm
-Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W
-Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF
-AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni
-wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg
-EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
-AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd
-p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
-EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
-ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
-BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
-Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa
-yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp
-iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2
-bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d
-HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr
-EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4
-v42sww==
------END CERTIFICATE-----
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem
deleted file mode 100644 (file)
index da8cdb0..0000000
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx
-bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh
-9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ
-/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp
-NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR
-BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds
-Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi
-NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV
-IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3
-Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI
-aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X
-YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq
-b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If
-/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN
-P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X
-V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t
-cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c
-PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m
-a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo
-NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b
-xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/
-J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5
-YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ
-SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu
-EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b
------END RSA PRIVATE KEY-----
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/ipsec.secrets
deleted file mode 100644 (file)
index 11d45cd..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA aaaKey.pem
-
-carol : EAP "Ar3etTnp"
-dave  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/iptables.rules
deleted file mode 100644 (file)
index 5b27539..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow PT-TLS 
--A INPUT  -i eth0 -p tcp --dport 271 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql
deleted file mode 100644 (file)
index b70fb6a..0000000
+++ /dev/null
@@ -1,61 +0,0 @@
-/* Devices */
-
-INSERT INTO devices (                  /*  1 */
-  value, product, created  
-) VALUES (
-  'aabbccddeeff11223344556677889900', 40, 1372330615
-);
-
-/* Groups Members */
-
-INSERT INTO groups_members (
-  group_id, device_id
-) VALUES (
-  10, 1
-);
-
-/* Identities */
-
-INSERT INTO identities (
-  type, value
-) VALUES ( /* dave@strongswan.org */
-  4, X'64617665407374726f6e677377616e2e6f7267'
-);
-
-/* Sessions */
-
-INSERT INTO sessions (
-  time, connection, identity, device, product, rec
-) VALUES (
-  NOW, 1, 1, 1, 40, 0
-);
-
-/* Results */
-
-INSERT INTO results (
-  session, policy, rec, result
-) VALUES (
-  1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
-);
-
-/* Enforcements */
-
-INSERT INTO enforcements (
-  policy, group_id, max_age, rec_fail, rec_noresult
-) VALUES (
-  3, 10, 0, 2, 2
-);
-
-INSERT INTO enforcements (
-  policy, group_id, max_age
-) VALUES (
-  17, 2, 86400
-);
-
-INSERT INTO enforcements (
-  policy, group_id, max_age
-) VALUES (
-  18, 10, 86400
-);
-
-DELETE FROM enforcements WHERE id = 1;
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/strongswan.conf
deleted file mode 100644 (file)
index 21961d4..0000000
+++ /dev/null
@@ -1,28 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
-  load = curl pem pkcs1 nonce x509 revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
-
-  plugins { 
-    tnc-pdp {
-      server = aaa.strongswan.org
-      radius {
-        secret = gv6URkSs
-      }
-    }
-  }
-}
-
-libtnccs {
-  plugins {
-    tnccs-20 {
-      max_batch_size = 131056
-      max_message_size = 131024
-    }
-  }
-}
-
-libimcv {
-  database = sqlite:///etc/pts/config.db
-  policy_script = ipsec imv_policy_manager
-}
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/tnc_config
deleted file mode 100644 (file)
index ebe88bc..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMV configuration file for strongSwan client 
-
-IMV "OS"       /usr/local/lib/ipsec/imcvs/imv-os.so
-IMV "SWID"     /usr/local/lib/ipsec/imcvs/imv-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.conf
deleted file mode 100644 (file)
index 4a41e7e..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-# the PT-TLS client reads its configuration via the command line
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.secrets
deleted file mode 100644 (file)
index d2f6378..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# the PT-TLS client loads its secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/ipsec.sql
deleted file mode 100644 (file)
index 805c8bf..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-/* strongSwan SQLite database */
-
-/* configuration is read from the command line */
-/* credentials are read from the command line */
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/iptables.rules
deleted file mode 100644 (file)
index d01d0a3..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow PT-TLS 
--A INPUT  -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
--A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/pts/options
deleted file mode 100644 (file)
index f04e947..0000000
+++ /dev/null
@@ -1,5 +0,0 @@
---connect aaa.strongswan.org
---client carol
---secret "Ar3etTnp"
---cert /etc/ipsec.d/cacerts/strongswanCert.pem
---debug 2 
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf
deleted file mode 100644 (file)
index 685a652..0000000
+++ /dev/null
@@ -1,29 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
-  plugins {
-    imc-os {
-      push_info = yes 
-    }
-    imc-swid {
-      #swid_directory = /usr/share
-    }
-  }
-}
-
-libtnccs {
-  plugins {
-    tnccs-20 {
-      max_batch_size   = 131056
-      max_message_size = 131024
-    }
-  }
-}
-
-libtls {
-  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-}
-
-pt-tls-client {
-  load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20
-}
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/tnc_config
deleted file mode 100644 (file)
index f40174e..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "OS"       /usr/local/lib/ipsec/imcvs/imc-os.so
-IMC "SWID"     /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.conf
deleted file mode 100644 (file)
index 4a41e7e..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-# the PT-TLS client reads its configuration via the command line
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.secrets
deleted file mode 100644 (file)
index d2f6378..0000000
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-# the PT-TLS client loads its secrets via the command line
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/ipsec.sql
deleted file mode 100644 (file)
index 805c8bf..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-/* strongSwan SQLite database */
-
-/* configuration is read from the command line */
-/* credentials are read from the command line */
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/iptables.rules
deleted file mode 100644 (file)
index d01d0a3..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-*filter
-
-# default policy is DROP
--P INPUT DROP
--P OUTPUT DROP
--P FORWARD DROP
-
-# allow PT-TLS 
--A INPUT  -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT
--A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT
-
-# allow ssh
--A INPUT  -p tcp --dport 22 -j ACCEPT
--A OUTPUT -p tcp --sport 22 -j ACCEPT
-
-# allow crl fetch from winnetou
--A INPUT  -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
--A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
-
-COMMIT
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/pts/options
deleted file mode 100644 (file)
index 46821ec..0000000
+++ /dev/null
@@ -1,6 +0,0 @@
---connect aaa.strongswan.org
---client dave@strongswan.org
---key  /etc/ipsec.d/private/daveKey.pem
---cert /etc/ipsec.d/certs/daveCert.pem
---cert /etc/ipsec.d/cacerts/strongswanCert.pem
---debug 2
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf
deleted file mode 100644 (file)
index 0fa2acb..0000000
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-libimcv {
-  plugins {
-    imc-os {
-      push_info = no
-    }
-  }
-}
-
-libtnccs {
-  plugins {
-    tnccs-20 {
-      max_batch_size   = 131056
-      max_message_size = 131024
-    }
-  }
-}
-
-libtls {
-  suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-}
-
-pt-tls-client {
-  load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20
-}
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/tnc_config
deleted file mode 100644 (file)
index f40174e..0000000
+++ /dev/null
@@ -1,4 +0,0 @@
-#IMC configuration file for strongSwan client 
-
-IMC "OS"       /usr/local/lib/ipsec/imcvs/imc-os.so
-IMC "SWID"     /usr/local/lib/ipsec/imcvs/imc-swid.so
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pt-tls/posttest.dat
deleted file mode 100644 (file)
index c98df86..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-carol::ip route del 10.1.0.0/16 via 192.168.0.1
-dave::ip route del 10.1.0.0/16 via 192.168.0.1
-winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
-alice::ipsec stop
-alice::rm /etc/pts/config.db
-alice::iptables-restore < /etc/iptables.flush
-carol::iptables-restore < /etc/iptables.flush
-dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pt-tls/pretest.dat
deleted file mode 100644 (file)
index 97ff0c1..0000000
+++ /dev/null
@@ -1,19 +0,0 @@
-alice::iptables-restore < /etc/iptables.rules
-carol::iptables-restore < /etc/iptables.rules
-dave::iptables-restore < /etc/iptables.rules
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-carol::echo 0 > /proc/sys/net/ipv4/ip_forward
-dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
-dave::cat /etc/tnc_config
-alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql
-alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
-alice::ipsec start
-winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
-carol::ip route add 10.1.0.0/16 via 192.168.0.1
-carol::cat /etc/pts/options
-carol::ipsec pt-tls-client --optionsfrom /etc/pts/options
-dave::ip route add 10.1.0.0/16 via 192.168.0.1
-dave::cat /etc/pts/options
-dave::ipsec pt-tls-client --optionsfrom /etc/pts/options
-dave::sleep 1
diff --git a/testing/tests/tnc/tnccs-20-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pt-tls/test.conf
deleted file mode 100644 (file)
index 0887e4d..0000000
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# guest instances used for this test
-
-# All guest instances that are required for this test
-#
-VIRTHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# Guest instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# Guest instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="carol dave alice"
-
-# Guest instances on which FreeRadius is started
-#
-RADIUSHOSTS=
-