Make Attestation IMV independent of OS IMV
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 5 Apr 2014 13:38:06 +0000 (15:38 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 15 Apr 2014 07:21:05 +0000 (09:21 +0200)
27 files changed:
src/libimcv/plugins/imv_os/imv_os_agent.c
src/libpts/plugins/imv_attestation/imv_attestation_agent.c
src/libpts/plugins/imv_attestation/imv_attestation_build.c
src/libpts/plugins/imv_attestation/imv_attestation_process.c
src/libpts/plugins/imv_attestation/imv_attestation_state.c
src/libpts/plugins/imv_attestation/imv_attestation_state.h
testing/tests/tnc/tnccs-20-os-pts/description.txt [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/evaltest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/posttest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/pretest.dat [new file with mode: 0644]
testing/tests/tnc/tnccs-20-os-pts/test.conf [new file with mode: 0644]
testing/tests/tnc/tnccs-20-pts/description.txt
testing/tests/tnc/tnccs-20-pts/evaltest.dat
testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config

index 874f0a5..9dc0244 100644 (file)
@@ -118,24 +118,25 @@ METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
                case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
                case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
                case TNC_CONNECTION_STATE_ACCESS_NONE:
-                       if (imcv_db && this->agent->get_state(this->agent, id, &state))
+                       if (this->agent->get_state(this->agent, id, &state) && imcv_db)
                        {
-                               switch (new_state)
-                               {
-                                       case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
-                                               rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
-                                               break;
-                                       case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
-                                               rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE;
-                                               break;
-                                       case TNC_CONNECTION_STATE_ACCESS_NONE:
-                                       default:
-                                               rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS;
-                               }
                                session = state->get_session(state);
-                               imcv_db->add_recommendation(imcv_db, session, rec);
+
                                if (session->get_policy_started(session))
                                {
+                                       switch (new_state)
+                                       {
+                                               case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
+                                                       rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
+                                                       break;
+                                               case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
+                                                       rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE;
+                                                       break;
+                                               case TNC_CONNECTION_STATE_ACCESS_NONE:
+                                               default:
+                                                       rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS;
+                                       }
+                                       imcv_db->add_recommendation(imcv_db, session, rec);
                                        if (!imcv_db->policy_script(imcv_db, session, FALSE))
                                        {
                                                DBG1(DBG_IMV, "error in policy script stop");
@@ -233,7 +234,7 @@ static TNC_Result receive_msg(private_imv_os_agent_t *this, imv_state_t *state,
                                case IETF_ATTR_NUMERIC_VERSION:
                                {
                                        ietf_attr_numeric_version_t *attr_cast;
-                                       u_int32_t major, minor;
+                                       uint32_t major, minor;
 
                                        state->set_action_flags(state,
                                                                                        IMV_OS_ATTR_NUMERIC_VERSION);
@@ -452,7 +453,7 @@ METHOD(imv_agent_if_t, receive_message_long, TNC_Result,
 /**
  * Build an IETF Attribute Request attribute for missing attributes
  */
-static pa_tnc_attr_t* build_attr_request(u_int32_t received)
+static pa_tnc_attr_t* build_attr_request(uint32_t received)
 {
        pa_tnc_attr_t *attr;
        ietf_attr_attr_request_t *attr_cast;
@@ -505,7 +506,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
        TNC_Result result = TNC_RESULT_SUCCESS;
        bool no_workitems = TRUE;
        enumerator_t *enumerator;
-       u_int32_t received;
+       uint32_t received;
 
        if (!this->agent->get_state(this->agent, id, &state))
        {
@@ -568,6 +569,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
                                        state->set_recommendation(state,
                                                                        TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
                                                                        TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+                                       session->set_policy_started(session, TRUE);
                                }
                                handshake_state = IMV_OS_STATE_POLICY_START;
                        }
index 1201319..2adb375 100644 (file)
@@ -32,6 +32,8 @@
 #include <ietf/ietf_attr_pa_tnc_error.h>
 #include <ietf/ietf_attr_product_info.h>
 #include <ietf/ietf_attr_string_version.h>
+#include <ita/ita_attr.h>
+#include <ita/ita_attr_device_id.h>
 
 #include <libpts.h>
 
@@ -113,7 +115,9 @@ METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
        private_imv_attestation_agent_t *this, TNC_ConnectionID id,
        TNC_ConnectionState new_state)
 {
+       TNC_IMV_Action_Recommendation rec;
        imv_state_t *state;
+       imv_session_t *session;
 
        switch (new_state)
        {
@@ -122,6 +126,35 @@ METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
                        return this->agent->create_state(this->agent, state);
                case TNC_CONNECTION_STATE_DELETE:
                        return this->agent->delete_state(this->agent, id);
+               case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
+               case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
+               case TNC_CONNECTION_STATE_ACCESS_NONE:
+                       if (this->agent->get_state(this->agent, id, &state) && imcv_db)
+                       {
+                               session = state->get_session(state);
+
+                               if (session->get_policy_started(session))
+                               {
+                                       switch (new_state)
+                                       {
+                                               case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
+                                                       rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
+                                                       break;
+                                               case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
+                                                       rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE;
+                                                       break;
+                                               case TNC_CONNECTION_STATE_ACCESS_NONE:
+                                               default:
+                                                       rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS;
+                                       }
+                                       imcv_db->add_recommendation(imcv_db, session, rec);
+                                       if (!imcv_db->policy_script(imcv_db, session, FALSE))
+                                       {
+                                               DBG1(DBG_IMV, "error in policy script stop");
+                                       }
+                               }
+                       }
+                       /* fall through to default state */
                default:
                        return this->agent->change_state(this->agent, id, new_state, NULL);
        }
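Review bot: The ACCESS_ALLOWED/ISOLATED/NONE block added to notify_connection_change here is a verbatim copy of the one this same commit reshapes in imv_os_agent.c: the same inner switch from connection state to recommendation, the same `imcv_db->add_recommendation()` and the same `policy_script(..., FALSE)` call. When both IMVs are loaded, as in the new tnccs-20-os-pts test, each runs this block for its own state on the same connection; if the two states resolve to one shared `imv_session_t` (not visible here), the stop script and the DB recommendation run twice per connection, which at least deserves a comment on the `policy_script` call. A shared helper in libimcv taking the session and `new_state` would keep the two agents from drifting apart. notify_connection_change's head is in the hunk above, where the `rec` and `session` locals are introduced, and its tail is below.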
@@ -135,7 +168,7 @@ static TNC_Result receive_msg(private_imv_attestation_agent_t *this,
 {
        imv_msg_t *out_msg;
        imv_session_t *session;
-       imv_os_info_t *os_info = NULL;
+       imv_os_info_t *os_info;
        enumerator_t *enumerator;
        pa_tnc_attr_t *attr;
        pen_type_t type;
@@ -189,12 +222,27 @@ static TNC_Result receive_msg(private_imv_attestation_agent_t *this,
                                case IETF_ATTR_PRODUCT_INFORMATION:
                                {
                                        ietf_attr_product_info_t *attr_cast;
+                                       pen_t vendor_id;
 
                                        state->set_action_flags(state,
                                                                                IMV_ATTESTATION_ATTR_PRODUCT_INFO);
                                        attr_cast = (ietf_attr_product_info_t*)attr;
-                                       os_name = attr_cast->get_info(attr_cast, NULL, NULL);
+                                       os_name = attr_cast->get_info(attr_cast, &vendor_id, NULL);
                                        os_info->set_name(os_info, os_name);
+
+                                       if (vendor_id != PEN_IETF)
+                                       {
+                                               DBG1(DBG_IMV, "operating system name is '%.*s' "
+                                                                         "from vendor %N", os_name.len, os_name.ptr,
+                                                                          pen_names, vendor_id);
+                                       }
+                                       else
+                                       {
+                                               DBG1(DBG_IMV, "operating system name is '%.*s'",
+                                                                          os_name.len, os_name.ptr);
+                                       }
+                                       break;
+
                                        break;
                                }
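Review bot: The `break;` left at the bottom of the IETF_ATTR_PRODUCT_INFORMATION case, after the blank line, is unreachable because the new branch already ends with `break;` right after the `else` block; drop the trailing blank line and the second `break;` so the case reads like the STRING_VERSION one. The same case dereferences `os_info` in `os_info->set_name(os_info, os_name)`, and the hunk above removed the `= NULL` initializer from that variable; this is only safe if `os_info` is assigned from the session before the attribute loop on every path, and that assignment lies outside the hunks shown, so it is worth confirming. `os_name` is peer-supplied and is printed bounded by its length, as before, so the new log lines do not add a format risk. receive_msg begins above this hunk.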
                                case IETF_ATTR_STRING_VERSION:
@@ -206,6 +254,32 @@ static TNC_Result receive_msg(private_imv_attestation_agent_t *this,
                                        attr_cast = (ietf_attr_string_version_t*)attr;
                                        os_version = attr_cast->get_version(attr_cast, NULL, NULL);
                                        os_info->set_version(os_info, os_version);
+
+                                       if (os_version.len)
+                                       {
+                                               DBG1(DBG_IMV, "operating system version is '%.*s'",
+                                                                          os_version.len, os_version.ptr);
+                                       }
+                                       break;
+                               }
+                               default:
+                                       break;
+                       }
+               }
+               else if (type.vendor_id == PEN_ITA)
+               {
+                       switch (type.type)
+                       {
+                               case ITA_ATTR_DEVICE_ID:
+                               {
+                                       chunk_t value;
+
+                                       state->set_action_flags(state,
+                                                                               IMV_ATTESTATION_ATTR_DEVICE_ID);
+
+                                       value = attr->get_value(attr);
+                                       DBG1(DBG_IMV, "device ID is %.*s", value.len, value.ptr);
+                                       session->set_device_id(session, value);
                                        break;
                                }
                                default:
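Review bot: The ITA_ATTR_DEVICE_ID case hands the raw attribute value straight to `session->set_device_id()` and marks IMV_ATTESTATION_ATTR_DEVICE_ID as received without any sanity check on the peer-supplied chunk, so an empty value satisfies the ATTR_MUST mask and lets the policy start with no usable identity. A minimal guard before the flag is set, e.g. `if (!value.len) { DBG1(DBG_IMV, "received empty device ID"); break; }`, keeps the flag honest; how `set_device_id` uses the value later (the new data1.sql fixture keys the devices table on a hex string) is outside this hunk, so a length or character-class check may belong there instead. The `%.*s` log prints whatever bytes the IMC sent, consistent with the existing os_name/os_version logs.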
@@ -289,7 +363,7 @@ METHOD(imv_agent_if_t, receive_message_long, TNC_Result,
 /**
  * Build an IETF Attribute Request attribute for missing attributes
  */
-static pa_tnc_attr_t* build_attr_request(u_int32_t received)
+static pa_tnc_attr_t* build_attr_request(uint32_t received)
 {
        pa_tnc_attr_t *attr;
        ietf_attr_attr_request_t *attr_cast;
@@ -303,12 +377,11 @@ static pa_tnc_attr_t* build_attr_request(u_int32_t received)
                attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_PRODUCT_INFORMATION);
                attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_STRING_VERSION);
        }
-/*
        if (!(received & IMV_ATTESTATION_ATTR_DEVICE_ID))
        {
                attr_cast->add(attr_cast, PEN_ITA,  ITA_ATTR_DEVICE_ID);
        }
-*/
+
        return attr;
 }
 
@@ -327,7 +400,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
        TNC_IMVID imv_id;
        TNC_Result result = TNC_RESULT_SUCCESS;
        pts_t *pts;
-       u_int32_t actions;
+       uint32_t actions;
        enumerator_t *enumerator;
 
        if (!this->agent->get_state(this->agent, id, &state))
@@ -369,6 +442,29 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
                state->set_action_flags(state, IMV_ATTESTATION_ATTR_REQ);
        }
 
+       if (!session->get_policy_started(session) &&
+               (actions & IMV_ATTESTATION_ATTR_PRODUCT_INFO) &&
+               (actions & IMV_ATTESTATION_ATTR_STRING_VERSION) &&
+               (actions & IMV_ATTESTATION_ATTR_DEVICE_ID))
+       {
+               if (imcv_db)
+               {
+                       /* start the policy script */
+                       if (!imcv_db->policy_script(imcv_db, session, TRUE))
+                       {
+                               DBG1(DBG_IMV, "error in policy script start");
+                       }
+               }
+               else
+               {
+                       DBG2(DBG_IMV, "no workitems available - no evaluation possible");
+                       state->set_recommendation(state,
+                                                                         TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+                                                                         TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+                       session->set_policy_started(session, TRUE);
+               }
+       }
+
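Review bot: The new policy-start block carries no comment saying why it waits for all three attributes, and its `else` branch logs "no workitems available" although the condition it sits in is the absence of `imcv_db`, not an empty workitem list. A header comment such as `/* start the policy once product info, version and device ID are known */` and a message like `DBG2(DBG_IMV, "no database - no evaluation possible");` would make the branch self-explaining (if the OS IMV's batch_ending uses the same wording, change both together). With IMV_ATTESTATION_ATTR_DEVICE_ID now required, a client whose IMC never answers the ITA Device ID request never reaches this block and never gets a policy run; what the rest of batch_ending does with an unstarted session is outside the hunk and worth confirming. batch_ending starts above this hunk.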
        if (handshake_state == IMV_ATTESTATION_STATE_INIT)
        {
                pa_tnc_attr_t *attr;
@@ -399,10 +495,11 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
        }
 
        /* exit if we are not ready yet for PTS measurements */
-       if (!session->get_policy_started(session) || !(actions & IMV_ATTESTATION_ALGO))
+       if (!(actions & IMV_ATTESTATION_ALGO))
        {
                return TNC_RESULT_SUCCESS;
        }
+
        os_info = session->get_os_info(session);
        pts->set_platform_info(pts, os_info->get_info(os_info));
 
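Review bot: Removing `!session->get_policy_started(session)` from the guard means `pts->set_platform_info()` and the measurement logic below now run as soon as the IMV_ATTESTATION_ALGO flag is set, whether or not the policy script has produced workitems yet. If the algorithm negotiation can complete in a batch before Product Information/Device ID have arrived (the IMC's message order is not guaranteed here), `os_info->get_info(os_info)` is passed an incomplete platform string and the file-measurement branch in the next hunk iterates an empty workitem list; what it does once `no_workitems` stays TRUE is outside the hunk. Either keep the policy-started check in this guard, or, once the ordering is confirmed, state it in a comment such as `/* ALGO is negotiated only after the policy has started, so workitems exist here */`. batch_ending continues on both sides of this hunk.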
@@ -414,8 +511,8 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
        if (!(actions & IMV_ATTESTATION_FILE_MEAS))
        {
                bool is_dir, no_workitems = TRUE;
-               u_int32_t delimiter = SOLIDUS_UTF;
-               u_int16_t request_id;
+               uint32_t delimiter = SOLIDUS_UTF;
+               uint16_t request_id;
                pa_tnc_attr_t *attr;
                char *pathname;
 
index 5688a7d..a2beeec 100644 (file)
@@ -90,8 +90,8 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
                        enumerator_t *enumerator;
                        pts_comp_func_name_t *name;
                        chunk_t keyid;
-                       u_int8_t flags;
-                       u_int32_t depth;
+                       uint8_t flags;
+                       uint32_t depth;
                        bool first_component = TRUE;
 
                        attestation_state->set_handshake_state(attestation_state,
index 9249058..e10a6c0 100644 (file)
@@ -222,11 +222,10 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
                        TNC_IMV_Evaluation_Result eval;
                        TNC_IMV_Action_Recommendation rec;
                        tcg_pts_attr_file_meas_t *attr_cast;
-                       u_int16_t request_id;
+                       uint16_t request_id;
                        int arg_int, file_count;
                        pts_meas_algorithms_t algo;
                        pts_file_meas_t *measurements;
-                       imv_session_t *session;
                        imv_workitem_t *workitem, *found = NULL;
                        imv_workitem_type_t type;
                        char result_str[BUF_LEN], *platform_info;
@@ -234,7 +233,6 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
                        enumerator_t *enumerator;
 
                        eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
-                       session = state->get_session(state);
                        algo = pts->get_meas_algorithm(pts);
                        platform_info = pts->get_platform_info(pts);
                        attr_cast = (tcg_pts_attr_file_meas_t*)attr;
@@ -390,7 +388,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
                        pts_comp_func_name_t *name;
                        pts_comp_evidence_t *evidence;
                        pts_component_t *comp;
-                       u_int32_t depth;
+                       uint32_t depth;
                        status_t status;
 
                        attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
@@ -415,11 +413,10 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
                case TCG_PTS_SIMPLE_EVID_FINAL:
                {
                        tcg_pts_attr_simple_evid_final_t *attr_cast;
-                       u_int8_t flags;
+                       uint8_t flags;
                        pts_meas_algorithms_t comp_hash_algorithm;
                        chunk_t pcr_comp, tpm_quote_sig, evid_sig;
                        chunk_t pcr_composite, quote_info;
-                       imv_session_t *session;
                        imv_workitem_t *workitem;
                        enumerator_t *enumerator;
                        bool use_quote2, use_ver_info;
@@ -470,7 +467,6 @@ quote_error:
                                 */
                                attestation_state->finalize_components(attestation_state);
 
-                               session = state->get_session(state);
                                enumerator = session->create_workitem_enumerator(session);
                                while (enumerator->enumerate(enumerator, &workitem))
                                {
@@ -479,7 +475,7 @@ quote_error:
                                                TNC_IMV_Action_Recommendation rec;
                                                TNC_IMV_Evaluation_Result eval;
                                                char *result_str;
-                                               u_int32_t error;
+                                               uint32_t error;
 
                                                error = attestation_state->get_measurement_error(
                                                                                                                attestation_state);
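Review bot: With the two inner `imv_session_t *session` declarations and their `state->get_session(state)` assignments removed, both the TCG_PTS_FILE_MEAS and the TCG_PTS_SIMPLE_EVID_FINAL cases now rely on a `session` defined somewhere above the first hunk of imv_attestation_process(). imv_attestation_process.h is not among the 27 changed files, so the signature presumably did not change and that must be a function-scope local; confirm it is assigned before any `case` that uses it, otherwise `session->create_workitem_enumerator(session)` reads an uninitialized pointer. A one-line comment at the outer declaration, e.g. `/* session is shared by all PTS attribute handlers below */`, would save the next reader the same search. imv_attestation_process begins and ends outside the hunks shown.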
index 28ad849..253b8f6 100644 (file)
@@ -409,7 +409,7 @@ METHOD(imv_attestation_state_t, create_component, pts_component_t*,
 /**
  * Enumerate file measurement entries
  */
-static bool entry_filter(void *null, func_comp_t **entry, u_int8_t *flags,
+static bool entry_filter(void *null, func_comp_t **entry, uint8_t *flags,
                                                 void *i2, uint32_t *depth,
                                                 void *i3, pts_comp_func_name_t **comp_name)
 {
index 2019a56..49cdee3 100644 (file)
@@ -42,8 +42,8 @@ typedef enum imv_meas_error_t imv_meas_error_t;
 enum imv_attestation_flag_t {
        IMV_ATTESTATION_ATTR_PRODUCT_INFO =   (1<<0),
        IMV_ATTESTATION_ATTR_STRING_VERSION = (1<<1),
-       IMV_ATTESTATION_ATTR_MUST =           (1<<2)-1,
        IMV_ATTESTATION_ATTR_DEVICE_ID =      (1<<2),
+       IMV_ATTESTATION_ATTR_MUST =           (1<<3)-1,
        IMV_ATTESTATION_ATTR_REQ =            (1<<3),
        IMV_ATTESTATION_ALGO =                (1<<4),
        IMV_ATTESTATION_FILE_MEAS =           (1<<5),
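Review bot: IMV_ATTESTATION_ATTR_MUST now masks in IMV_ATTESTATION_ATTR_DEVICE_ID, which makes the vendor-specific ITA Device ID attribute mandatory alongside the two IETF ones, but nothing in the enum says so. A comment on the mask, `/* attributes an IMC must deliver before the policy is started; Device ID is PEN_ITA, not IETF */`, would document the new contract, since an IMC that implements only the IETF attributes will presumably never satisfy it; the matching request and policy-start gate are in imv_attestation_agent.c. The enum is fully visible in the hunk, so the comment can go directly on that line.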
@@ -118,7 +118,7 @@ struct imv_attestation_state_t {
         */
        pts_component_t* (*create_component)(imv_attestation_state_t *this,
                                                                                 pts_comp_func_name_t *name,
-                                                                                u_int32_t depth,
+                                                                                uint32_t depth,
                                                                                 pts_database_t *pts_db);
 
        /**
@@ -148,7 +148,7 @@ struct imv_attestation_state_t {
         *
         * @return                                      Measurement error flags
         */
-       u_int32_t (*get_measurement_error)(imv_attestation_state_t *this);
+       uint32_t (*get_measurement_error)(imv_attestation_state_t *this);
 
        /**
         * Call if a measurement error is encountered
@@ -156,7 +156,7 @@ struct imv_attestation_state_t {
         * @param error                         Measurement error type
         */
        void (*set_measurement_error)(imv_attestation_state_t *this,
-                                                                 u_int32_t error);
+                                                                 uint32_t error);
 
        /**
         * Returns a concatenation of File Measurement reason strings
diff --git a/testing/tests/tnc/tnccs-20-os-pts/description.txt b/testing/tests/tnc/tnccs-20-os-pts/description.txt
new file mode 100644 (file)
index 0000000..0ade4ba
--- /dev/null
@@ -0,0 +1,22 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS and Attestation IMCs
+exchange PA-TNC attributes with the OS and Attestation IMVs via the <b>IF-M 1.0</b> measurement
+protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
+<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
+<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
+to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
+<em>Attribute Request</em> PA-TNC attribute. <b>dave</b> is instructed to do a reference
+measurement on all files in the <b>/bin</b> directory. <b>carol</b> is then prompted to
+measure a couple of individual files and the files in the <b>/bin</b> directory as
+well as to get metadata on the <b>/etc/tnc_confg</b> configuration file.
+<p>
+<b>carol</b> passes the health test and <b>dave</b> fails because IP forwarding is
+enabled. Based on these assessments which are communicated to the IMCs using the
+<em>Assessment Result</em> PA-TNC attribute, the clients are connected by gateway <b>moon</b>
+to the "rw-allow" and "rw-isolate" subnets, respectively.
+</p>
diff --git a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat
new file mode 100644 (file)
index 0000000..5eb9440
--- /dev/null
@@ -0,0 +1,20 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
+moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
+moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..d17473d
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn home
+       left=PH_IP_CAROL
+       leftid=carol@strongswan.org
+       leftauth=eap
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightauth=any
+       rightsendcert=never
+       rightsubnet=10.1.0.0/16
+       auto=add
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..74942af
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..e604683
--- /dev/null
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = yes
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/tnc_config
new file mode 100644 (file)
index 0000000..15dc93a
--- /dev/null
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..d459bfc
--- /dev/null
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="tnc 3, imc 3, pts 3"
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn home
+       left=PH_IP_DAVE
+       leftid=dave@strongswan.org
+       leftauth=eap
+       leftfirewall=yes
+       right=PH_IP_MOON
+       rightid=@moon.strongswan.org
+       rightauth=any
+       rightsendcert=never
+       rightsubnet=10.1.0.0/16
+       auto=add
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..5496df7
--- /dev/null
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..3236a18
--- /dev/null
@@ -0,0 +1,22 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+  multiple_authentication=no
+  plugins {
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+    tnc-imc {
+      preferred_language = de
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-os {
+      push_info = no
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/tnc_config
new file mode 100644 (file)
index 0000000..15dc93a
--- /dev/null
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"          /usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.conf
new file mode 100644 (file)
index 0000000..bc8b2d8
--- /dev/null
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+       charondebug="tnc 3, imv 3, pts 3"
+
+conn %default
+       ikelifetime=60m
+       keylife=20m
+       rekeymargin=3m
+       keyingtries=1
+       keyexchange=ikev2
+
+conn rw-allow
+       rightgroups=allow
+       leftsubnet=10.1.0.0/28
+       also=rw-eap
+       auto=add
+
+conn rw-isolate
+       rightgroups=isolate
+       leftsubnet=10.1.0.16/28
+       also=rw-eap
+       auto=add
+
+conn rw-eap
+       left=PH_IP_MOON
+       leftcert=moonCert.pem
+       leftid=@moon.strongswan.org
+       leftauth=eap-ttls
+       leftfirewall=yes
+       rightauth=eap-ttls
+       rightid=*@strongswan.org
+       rightsendcert=never
+       right=%any
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/ipsec.secrets
new file mode 100644 (file)
index 0000000..2e277cc
--- /dev/null
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql
new file mode 100644 (file)
index 0000000..2bb7e79
--- /dev/null
@@ -0,0 +1,29 @@
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created  
+) VALUES (
+  'aabbccddeeff11223344556677889900', 28, 1372330615
+);
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  16, 2, 0
+);
+
+DELETE FROM enforcements WHERE id = 1;
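Review bot: `DELETE FROM enforcements WHERE id = 1` depends on the autoincrement numbering produced by the template data.sql that pretest.dat concatenates in front of this file (inferred from its `cat tables.sql data.sql /etc/pts/data1.sql` line), so any edit to the template silently changes which enforcement is dropped. A comment such as `/* drop the default enforcement inherited from data.sql so only the two rules above apply */`, naming the policy it removes, would make the intent auditable, and deleting by policy and group_id instead of by id would be more robust. The bare numerals in the two INSERTs (policy 3 and 16, group 10 and 2, rec_fail/rec_noresult 2) deserve the same treatment: a short comment stating which policy and which recommendation they stand for lets a reader check them against the access decisions expected in evaltest.dat.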
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf
new file mode 100644 (file)
index 0000000..0298a51
--- /dev/null
@@ -0,0 +1,32 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
+  multiple_authentication=no
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    eap-tnc {
+      protocol = tnccs-2.0
+    }
+  }
+}
+
+libimcv {
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+  plugins {
+    imv-attestation {
+      hash_algorithm = sha1
+    }
+  }
+}
+
+attest {
+  load = random nonce openssl sqlite
+  database = sqlite:///etc/pts/config.db
+}
+
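Review bot: `hash_algorithm = sha1` in the imv-attestation section pins the file-measurement hash to SHA-1 without saying why, and SHA-1 is no longer a choice a reader would expect to see unexplained. If it is required to match the reference hashes shipped in the template database or for TPM 1.2 PCR compatibility, a one-line comment to that effect (`# SHA-1 required to match the reference measurements in data.sql`, adjusted to the real reason) keeps a later cleanup from changing it and breaking the test. The empty line at the end of the file can be dropped.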
diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/tnc_config
new file mode 100644 (file)
index 0000000..6507baa
--- /dev/null
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan client 
+
+IMV "OS"          /usr/local/lib/ipsec/imcvs/imv-os.so
+IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
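Review bot: The header comment says `#IMV configuration file for strongSwan client`, but this file sits under hosts/moon, the gateway that loads the IMVs (moon's strongswan.conf loads tnc-imv, while the hosts/dave tnc_config loads IMCs). Suggest `#IMV configuration file for strongSwan gateway` so the role is not mislabelled; the trailing space on that line can go as well.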
diff --git a/testing/tests/tnc/tnccs-20-os-pts/posttest.dat b/testing/tests/tnc/tnccs-20-os-pts/posttest.dat
new file mode 100644 (file)
index 0000000..48514d6
--- /dev/null
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
+carol::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::rm /etc/pts/config.db
diff --git a/testing/tests/tnc/tnccs-20-os-pts/pretest.dat b/testing/tests/tnc/tnccs-20-os-pts/pretest.dat
new file mode 100644 (file)
index 0000000..49ea041
--- /dev/null
@@ -0,0 +1,18 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+dave::ipsec start
+carol::ipsec start
+dave::sleep 1
+dave::ipsec up home
+carol::ipsec up home
+carol::sleep 1
+moon::ipsec attest --sessions
+moon::ipsec attest --devices
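Review bot: The `moon::cd ...; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db` line builds the policy database on top of whatever /etc/pts/config.db already contains; the file is only removed in posttest.dat, so a run that aborts before cleanup leaves a stale database and the next run appends duplicate devices and enforcements, which would change the access decisions under test. Adding `moon::rm -f /etc/pts/config.db` before the build line makes the setup idempotent, and the matching removal in posttest.dat should use `rm -f` so it does not fail when the file is already gone. It would also help to state, in description.txt, that the echo into /var/lib/dbus/machine-id deliberately gives dave the device id registered in data1.sql, since that coupling is not obvious from either file alone.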
diff --git a/testing/tests/tnc/tnccs-20-os-pts/test.conf b/testing/tests/tnc/tnccs-20-os-pts/test.conf
new file mode 100644 (file)
index 0000000..a8a05af
--- /dev/null
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
index e78a700..0a4716c 100644 (file)
@@ -3,9 +3,9 @@ using EAP-TTLS authentication only with the gateway presenting a server certific
 the clients doing EAP-MD5 password-based authentication.
 In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
 state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
-client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
-is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
-exchange PA-TNC attributes.
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS and Attestation IMCs
+exchange PA-TNC attributes with the OS IMV via the <b>IF-M 1.0</b> measurement protocol
+defined by <b>RFC 5792 PA-TNC</b>.
 <p>
 <b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
 <em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
index 5eb9440..fd8bba4 100644 (file)
@@ -2,19 +2,19 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/28::YES
 moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
-moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - allow::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.200/32::YES
 carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
 carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
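Review bot: The rewritten expectations for dave drop the only assertions that exercised the isolate path (`Quarantined`, `added group membership 'isolate'`, the rw-isolate CHILD_SA and the ping to venus), so after this change the test only shows that both clients are allowed and no longer demonstrates that a failing measurement leads to isolation. If the intent is that an attestation-only IMV now lets dave pass, that should be said in description.txt and the isolation case kept covered by another test. As far as visible here, the description hunk still states that the IMCs exchange attributes with the OS IMV, while the tnc_config hunk below removes imv-os.so, which looks inconsistent; the file headers for these three hunks are not visible, so this is inferred.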
index 6507baa..4865036 100644 (file)
@@ -1,4 +1,3 @@
 #IMV configuration file for strongSwan client 
 
-IMV "OS"          /usr/local/lib/ipsec/imcvs/imv-os.so
 IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so