Implemented PT-EAP protocol (RFC 7171)
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 11 May 2014 18:49:21 +0000 (20:49 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 12 May 2014 04:59:21 +0000 (06:59 +0200)
56 files changed:
conf/plugins/eap-tnc.opt
conf/plugins/eap-ttls.opt
src/libcharon/plugins/eap_tnc/eap_tnc.c
src/libcharon/plugins/eap_tnc/eap_tnc.h
src/libcharon/plugins/eap_tnc/eap_tnc_plugin.c
src/libcharon/plugins/eap_ttls/eap_ttls_server.c
src/libstrongswan/eap/eap.c
src/libstrongswan/eap/eap.h
src/libtls/tls_eap.c
src/libtls/tls_eap.h
testing/tests/tnc/tnccs-11-fhh/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-11-fhh/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-11-fhh/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius-block/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius-block/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius-pts/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius-pts/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-11-radius/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-11/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-11/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-11/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-block/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-block/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-block/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-client-retry/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-client-retry/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-client-retry/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-fhh/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-fhh/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-fhh/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-os-pts/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-os-pts/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-os/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-os/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-os/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-server-retry/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-server-retry/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-server-retry/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20-tls/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20-tls/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20-tls/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-20/hosts/carol/etc/strongswan.conf
testing/tests/tnc/tnccs-20/hosts/dave/etc/strongswan.conf
testing/tests/tnc/tnccs-20/hosts/moon/etc/strongswan.conf
testing/tests/tnc/tnccs-dynamic/hosts/moon/etc/strongswan.conf

index 8e060ce..5593152 100644 (file)
@@ -1,6 +1,6 @@
 charon.plugins.eap-tnc.max_message_count = 10
        Maximum number of processed EAP-TNC packets (0 = no limit).
 
-charon.plugins.eap-tnc.protocol = tnccs-1.1
+charon.plugins.eap-tnc.protocol = tnccs-2.0
        IF-TNCCS protocol version to be used (_tnccs-1.1_, _tnccs-2.0_,
        _tnccs-dynamic_).
index 21a6cb6..7dcee82 100644 (file)
@@ -16,5 +16,8 @@ charon.plugins.eap-ttls.phase2_piggyback = no
 charon.plugins.eap-ttls.phase2_tnc = no
        Start phase2 EAP TNC protocol after successful client authentication.
 
+charon.plugins.eap-ttls.phase2_tnc_method = pt
+       Phase2 EAP TNC transport protocol (_pt_ as IETF standard or legacy _tnc_)
+
 charon.plugins.eap-ttls.request_peer_auth = no
        Request peer authentication based on a client certificate.
index 2147c04..62d23d0 100644 (file)
@@ -47,6 +47,11 @@ struct private_eap_tnc_t {
        eap_tnc_t public;
 
        /**
+        * Inner EAP authentication type
+        */
+       eap_type_t type;
+
+       /**
         * Outer EAP authentication type
         */
        eap_type_t auth_type;
@@ -124,7 +129,7 @@ METHOD(eap_method_t, initiate, status_t,
        private_eap_tnc_t *this, eap_payload_t **out)
 {
        chunk_t data;
-       u_int32_t auth_type;
+       uint32_t auth_type;
 
        /* Determine TNC Client Authentication Type */
        switch (this->auth_type)
@@ -175,10 +180,10 @@ METHOD(eap_method_t, process, status_t,
 }
 
 METHOD(eap_method_t, get_type, eap_type_t,
-       private_eap_tnc_t *this, u_int32_t *vendor)
+       private_eap_tnc_t *this, uint32_t *vendor)
 {
        *vendor = 0;
-       return EAP_TNC;
+       return this->type;
 }
 
 METHOD(eap_method_t, get_msk, status_t,
@@ -192,14 +197,14 @@ METHOD(eap_method_t, get_msk, status_t,
        return FAILED;
 }
 
-METHOD(eap_method_t, get_identifier, u_int8_t,
+METHOD(eap_method_t, get_identifier, uint8_t,
        private_eap_tnc_t *this)
 {
        return this->tls_eap->get_identifier(this->tls_eap);
 }
 
 METHOD(eap_method_t, set_identifier, void,
-       private_eap_tnc_t *this, u_int8_t identifier)
+       private_eap_tnc_t *this, uint8_t identifier)
 {
        this->tls_eap->set_identifier(this->tls_eap, identifier);
 }
@@ -214,7 +219,7 @@ METHOD(eap_method_t, destroy, void,
        private_eap_tnc_t *this)
 {
        chunk_t pdp_server;
-       u_int16_t pdp_port;
+       uint16_t pdp_port;
        tls_t *tls;
 
        pdp_server = this->tnccs->get_pdp_server(this->tnccs, &pdp_port);
@@ -245,13 +250,14 @@ METHOD(eap_inner_method_t, set_auth_type, void,
  * Generic private constructor
  */
 static eap_tnc_t *eap_tnc_create(identification_t *server,
-                                                                identification_t *peer, bool is_server)
+                                                                identification_t *peer, bool is_server,
+                                                                eap_type_t type)
 {
        private_eap_tnc_t *this;
        int max_msg_count;
        char* protocol;
        tnccs_t *tnccs;
-       tnccs_type_t type;
+       tnccs_type_t tnccs_type;
 
        INIT(this,
                .public = {
@@ -270,24 +276,25 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
                                .set_auth_type = _set_auth_type,
                        },
                },
+               .type = type,
        );
 
        max_msg_count = lib->settings->get_int(lib->settings,
                                                "%s.plugins.eap-tnc.max_message_count",
                                                EAP_TNC_MAX_MESSAGE_COUNT, lib->ns);
        protocol = lib->settings->get_str(lib->settings,
-                                               "%s.plugins.eap-tnc.protocol", "tnccs-1.1", lib->ns);
+                                               "%s.plugins.eap-tnc.protocol", "tnccs-2.0", lib->ns);
        if (strcaseeq(protocol, "tnccs-2.0"))
        {
-               type = TNCCS_2_0;
+               tnccs_type = TNCCS_2_0;
        }
        else if (strcaseeq(protocol, "tnccs-1.1"))
        {
-               type = TNCCS_1_1;
+               tnccs_type = TNCCS_1_1;
        }
        else if (strcaseeq(protocol, "tnccs-dynamic") && is_server)
        {
-               type = TNCCS_DYNAMIC;
+               tnccs_type = TNCCS_DYNAMIC;
        }
        else
        {
@@ -295,8 +302,9 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
                free(this);
                return NULL;
        }
-       tnccs = tnc->tnccs->create_instance(tnc->tnccs, type,
-                                               is_server, server, peer, TNC_IFT_EAP_1_1,
+       tnccs = tnc->tnccs->create_instance(tnc->tnccs, tnccs_type,
+                                               is_server, server, peer,
+                                               (type == EAP_TNC) ? TNC_IFT_EAP_1_1 : TNC_IFT_EAP_2_0,
                                                is_server ? enforce_recommendation : NULL);
        if (!tnccs)
        {
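Review bot: The IF-T transport is now chosen from `type` (`TNC_IFT_EAP_2_0` for PT-EAP), but `tnccs_type` is still taken from the shared `eap-tnc.protocol` setting in the previous hunk regardless of `type`, so a PT-EAP method with `protocol = tnccs-1.1` configured will pair an IF-T EAP 2.0 transport with a TNCCS 1.1 instance. If PT-EAP is expected to carry PB-TNC only (the tnccs-2.0 protocol), this combination should be rejected or overridden here rather than silently created; something like `if (type == EAP_PT_EAP && tnccs_type == TNCCS_1_1) { DBG1(DBG_TNC, "PT-EAP requires tnccs-2.0"); free(this); return NULL; }` before the `create_instance` call. The constructor `eap_tnc_create` starts and ends outside this hunk.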
@@ -305,7 +313,7 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
                return NULL;
        }
        this->tnccs = tnccs->get_ref(tnccs);
-       this->tls_eap = tls_eap_create(EAP_TNC, &tnccs->tls,
+       this->tls_eap = tls_eap_create(type, &tnccs->tls,
                                                                   EAP_TNC_MAX_MESSAGE_LEN,
                                                                   max_msg_count, FALSE);
        if (!this->tls_eap)
@@ -319,11 +327,23 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 eap_tnc_t *eap_tnc_create_server(identification_t *server,
                                                                 identification_t *peer)
 {
-       return eap_tnc_create(server, peer, TRUE);
+       return eap_tnc_create(server, peer, TRUE, EAP_TNC);
 }
 
 eap_tnc_t *eap_tnc_create_peer(identification_t *server,
                                                           identification_t *peer)
 {
-       return eap_tnc_create(server, peer, FALSE);
+       return eap_tnc_create(server, peer, FALSE, EAP_TNC);
+}
+
+eap_tnc_t *eap_tnc_pt_create_server(identification_t *server,
+                                                                identification_t *peer)
+{
+       return eap_tnc_create(server, peer, TRUE, EAP_PT_EAP);
+}
+
+eap_tnc_t *eap_tnc_pt_create_peer(identification_t *server,
+                                                          identification_t *peer)
+{
+       return eap_tnc_create(server, peer, FALSE, EAP_PT_EAP);
 }
index 8c881f6..d7ea9f4 100644 (file)
@@ -26,7 +26,7 @@ typedef struct eap_tnc_t eap_tnc_t;
 #include <sa/eap/eap_inner_method.h>
 
 /**
- * Implementation of the eap_method_t interface using EAP-TNC.
+ * Implementation of the eap_method_t interface using EAP-TNC or PT-EAP.
  */
 struct eap_tnc_t {
 
@@ -43,7 +43,8 @@ struct eap_tnc_t {
  * @param peer         ID of the EAP client
  * @return                     eap_tnc_t object
  */
-eap_tnc_t *eap_tnc_create_server(identification_t *server, identification_t *peer);
+eap_tnc_t *eap_tnc_create_server(identification_t *server,
+                                                                identification_t *peer);
 
 /**
  * Creates the EAP method EAP-TNC acting as peer.
@@ -52,6 +53,27 @@ eap_tnc_t *eap_tnc_create_server(identification_t *server, identification_t *pee
  * @param peer         ID of the EAP client
  * @return                     eap_tnc_t object
  */
-eap_tnc_t *eap_tnc_create_peer(identification_t *server, identification_t *peer);
+eap_tnc_t *eap_tnc_create_peer(identification_t *server,
+                                                          identification_t *peer);
+
+/**
+ * Creates the EAP method PT-EAP acting as server.
+ *
+ * @param server       ID of the EAP server
+ * @param peer         ID of the EAP client
+ * @return                     eap_tnc_t object
+ */
+eap_tnc_t *eap_tnc_pt_create_server(identification_t *server,
+                                                                       identification_t *peer);
+
+/**
+ * Creates the EAP method PT-EAP acting as peer.
+ *
+ * @param server       ID of the EAP server
+ * @param peer         ID of the EAP client
+ * @return                     eap_tnc_t object
+ */
+eap_tnc_t *eap_tnc_pt_create_peer(identification_t *server,
+                                                                 identification_t *peer);
 
 #endif /** EAP_TNC_H_ @}*/
index 813a75f..d0f79fa 100644 (file)
@@ -36,6 +36,14 @@ METHOD(plugin_t, get_features, int,
                        PLUGIN_PROVIDE(EAP_PEER, EAP_TNC),
                                PLUGIN_DEPENDS(EAP_PEER, EAP_TTLS),
                                PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
+               PLUGIN_CALLBACK(eap_method_register, eap_tnc_pt_create_server),
+                       PLUGIN_PROVIDE(EAP_SERVER, EAP_PT_EAP),
+                               PLUGIN_DEPENDS(EAP_SERVER, EAP_TTLS),
+                               PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
+               PLUGIN_CALLBACK(eap_method_register, eap_tnc_pt_create_peer),
+                       PLUGIN_PROVIDE(EAP_PEER, EAP_PT_EAP),
+                               PLUGIN_DEPENDS(EAP_PEER, EAP_TTLS),
+                               PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
        };
        *features = f;
        return countof(f);
index 88c2b88..9d145ea 100644 (file)
@@ -1,6 +1,6 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
- * Copyright (C) 2010 HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2010-2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -107,22 +107,34 @@ static status_t start_phase2_auth(private_eap_ttls_server_t *this)
 }
 
 /**
- * If configured, start EAP-TNC protocol
+ * If configured, start PT-EAP or legacy EAP-TNC protocol
  */
 static status_t start_phase2_tnc(private_eap_ttls_server_t *this,
                                                                 eap_type_t auth_type)
 {
        eap_inner_method_t *inner_method;
+       eap_type_t type;
+       char *eap_type_str;
 
        if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
                                                        "%s.plugins.eap-ttls.phase2_tnc", FALSE, lib->ns))
        {
-               DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, EAP_TNC);
-               this->method = charon->eap->create_instance(charon->eap, EAP_TNC,
+               eap_type_str = lib->settings->get_str(lib->settings,
+                                                       "%s.plugins.eap-ttls.phase2_tnc_method", "pt",
+                                                       lib->ns);
+               type = eap_type_from_string(eap_type_str);
+               if (type == 0)
+               {
+                       DBG1(DBG_IKE, "unrecognized phase2 EAP TNC method \"%s\"",
+                                                  eap_type_str);
+                       return FAILED;
+               }
+               DBG1(DBG_IKE, "phase2 method %N selected", eap_type_names, type);
+               this->method = charon->eap->create_instance(charon->eap, type,
                                                                        0, EAP_SERVER, this->server, this->peer);
                if (this->method == NULL)
                {
-                       DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC);
+                       DBG1(DBG_IKE, "%N method not available", eap_type_names, type);
                        return FAILED;
                }
                inner_method = (eap_inner_method_t *)this->method;
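Review bot: The new `if (type == 0)` check only rejects names `eap_type_from_string` does not know; any other EAP type name ("md5", "peap", ...) passes, a method of that type is created, and the last line of the hunk then casts it to `eap_inner_method_t *`, which presumably only the EAP-TNC and PT-EAP methods implement. Restrict the setting to the two transports this code is written for, e.g. `if (type != EAP_TNC && type != EAP_PT_EAP)` with a message such as `"unsupported phase2 EAP TNC method \"%s\""`, so a misconfiguration fails cleanly instead of reaching the cast. `start_phase2_tnc` continues past the end of this hunk.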
@@ -135,7 +147,7 @@ static status_t start_phase2_tnc(private_eap_ttls_server_t *this,
                }
                else
                {
-                       DBG1(DBG_IKE, "%N method failed", eap_type_names, EAP_TNC);
+                       DBG1(DBG_IKE, "%N method failed", eap_type_names, type);
                        return FAILED;
                }
        }
@@ -151,7 +163,7 @@ METHOD(tls_application_t, process, status_t,
        eap_payload_t *in;
        eap_code_t code;
        eap_type_t type = EAP_NAK, received_type;
-       u_int32_t vendor, received_vendor;
+       uint32_t vendor, received_vendor;
 
        status = this->avp->process(this->avp, reader, &data);
        switch (status)
@@ -297,7 +309,7 @@ METHOD(tls_application_t, build, status_t,
        chunk_t data;
        eap_code_t code;
        eap_type_t type;
-       u_int32_t vendor;
+       uint32_t vendor;
 
        if (this->method == NULL && this->start_phase2 &&
                lib->settings->get_bool(lib->settings,
index c181c5d..64b5dbe 100644 (file)
@@ -57,7 +57,9 @@ ENUM_NEXT(eap_type_names, EAP_MSTLV, EAP_MSTLV, EAP_MSCHAPV2,
        "EAP_MSTLV");
 ENUM_NEXT(eap_type_names, EAP_TNC, EAP_TNC, EAP_MSTLV,
        "EAP_TNC");
-ENUM_NEXT(eap_type_names, EAP_EXPANDED, EAP_DYNAMIC, EAP_TNC,
+ENUM_NEXT(eap_type_names, EAP_PT_EAP, EAP_PT_EAP, EAP_TNC,
+       "EAP_PT_EAP");
+ENUM_NEXT(eap_type_names, EAP_EXPANDED, EAP_DYNAMIC, EAP_PT_EAP,
        "EAP_EXPANDED",
        "EAP_EXPERIMENTAL",
        "EAP_RADIUS",
@@ -86,7 +88,9 @@ ENUM_NEXT(eap_type_short_names, EAP_MSTLV, EAP_MSTLV, EAP_MSCHAPV2,
        "MSTLV");
 ENUM_NEXT(eap_type_short_names, EAP_TNC, EAP_TNC, EAP_MSTLV,
        "TNC");
-ENUM_NEXT(eap_type_short_names, EAP_EXPANDED, EAP_DYNAMIC, EAP_TNC,
+ENUM_NEXT(eap_type_short_names, EAP_PT_EAP, EAP_PT_EAP, EAP_TNC,
+       "PT");
+ENUM_NEXT(eap_type_short_names, EAP_EXPANDED, EAP_DYNAMIC, EAP_PT_EAP,
        "EXP",
        "XP",
        "RAD",
@@ -114,6 +118,7 @@ eap_type_t eap_type_from_string(char *name)
                {"peap",                EAP_PEAP},
                {"mschapv2",    EAP_MSCHAPV2},
                {"tnc",                 EAP_TNC},
+               {"pt",                  EAP_PT_EAP},
                {"dynamic",             EAP_DYNAMIC},
                {"radius",              EAP_RADIUS},
        };
@@ -136,7 +141,7 @@ eap_vendor_type_t *eap_vendor_type_from_string(char *str)
        enumerator_t *enumerator;
        eap_vendor_type_t *result = NULL;
        eap_type_t type = 0;
-       u_int32_t vendor = 0;
+       uint32_t vendor = 0;
        char *part, *end;
 
        /* parse EAP method string of the form: [eap-]type[-vendor] */
index 0e144b1..08d88ba 100644 (file)
@@ -67,6 +67,7 @@ enum eap_type_t {
        EAP_MSCHAPV2 = 26,
        EAP_MSTLV = 33,
        EAP_TNC = 38,
+       EAP_PT_EAP = 54,
        EAP_EXPANDED = 254,
        EAP_EXPERIMENTAL = 255,
        /** not a method, but an implementation providing different methods */
index 68cebb9..ebe5bc3 100644 (file)
@@ -47,7 +47,7 @@ struct private_tls_eap_t {
        /**
         * Current value of EAP identifier
         */
-       u_int8_t identifier;
+       uint8_t identifier;
 
        /**
         * TLS stack
@@ -60,6 +60,11 @@ struct private_tls_eap_t {
        bool is_server;
 
        /**
+        * Supported version of the EAP tunnel protocol
+        */
+       uint8_t supported_version;
+
+       /**
         * If FALSE include the total length of an EAP message
         * in the first fragment of fragmented messages only.
         * If TRUE also include the length in non-fragmented messages.
@@ -94,22 +99,24 @@ typedef enum {
        EAP_TLS_LENGTH = (1<<7),                /* shared with EAP-TTLS/TNC/PEAP */
        EAP_TLS_MORE_FRAGS = (1<<6),    /* shared with EAP-TTLS/TNC/PEAP */
        EAP_TLS_START = (1<<5),                 /* shared with EAP-TTLS/TNC/PEAP */
-       EAP_TTLS_VERSION = (0x07),              /* shared with EAP-TNC/PEAP      */
+       EAP_TTLS_VERSION = (0x07),              /* shared with EAP-TNC/PEAP/PT-EAP */
+       EAP_PT_START = (1<<7)                   /* PT-EAP only */
 } eap_tls_flags_t;
 
-#define EAP_TTLS_SUPPORTED_VERSION     0
-#define EAP_TNC_SUPPORTED_VERSION      1
-#define EAP_PEAP_SUPPORTED_VERSION     0
+#define EAP_TTLS_SUPPORTED_VERSION             0
+#define EAP_TNC_SUPPORTED_VERSION              1
+#define EAP_PEAP_SUPPORTED_VERSION             0
+#define EAP_PT_EAP_SUPPORTED_VERSION   1
 
 /**
  * EAP-TLS/TTLS packet format
  */
 typedef struct __attribute__((packed)) {
-       u_int8_t code;
-       u_int8_t identifier;
-       u_int16_t length;
-       u_int8_t type;
-       u_int8_t flags;
+       uint8_t code;
+       uint8_t identifier;
+       uint16_t length;
+       uint8_t type;
+       uint8_t flags;
 } eap_tls_packet_t;
 
 METHOD(tls_eap_t, initiate, status_t,
@@ -120,18 +127,18 @@ METHOD(tls_eap_t, initiate, status_t,
                eap_tls_packet_t pkt = {
                        .type = this->type,
                        .code = EAP_REQUEST,
-                       .flags = EAP_TLS_START,
+                       .flags = this->supported_version
                };
                switch (this->type)
                {
+                       case EAP_TLS:
                        case EAP_TTLS:
-                               pkt.flags |= EAP_TTLS_SUPPORTED_VERSION;
-                               break;
                        case EAP_TNC:
-                               pkt.flags |= EAP_TNC_SUPPORTED_VERSION;
-                               break;
                        case EAP_PEAP:
-                               pkt.flags |= EAP_PEAP_SUPPORTED_VERSION;
+                               pkt.flags |= EAP_TLS_START;
+                               break;
+                       case EAP_PT_EAP:
+                               pkt.flags |= EAP_PT_START;
                                break;
                        default:
                                break;
@@ -153,13 +160,25 @@ METHOD(tls_eap_t, initiate, status_t,
  */
 static status_t process_pkt(private_tls_eap_t *this, eap_tls_packet_t *pkt)
 {
-       u_int16_t pkt_len;
-       u_int32_t msg_len;
+       uint8_t version;
+       uint16_t pkt_len;
+       uint32_t msg_len;
        size_t msg_len_offset = 0;
 
+       /* EAP-TLS doesn't have a version field */
+       if (this->type != EAP_TLS)
+       {
+               version = pkt->flags & EAP_TTLS_VERSION;
+               if (version != this->supported_version)
+               {
+                       DBG1(DBG_TLS, "received %N packet with unsupported version v%u",
+                       eap_type_names, this->type, version);
+                       return FAILED;
+               }
+       }
        pkt_len = untoh16(&pkt->length);
 
-       if (pkt->flags & EAP_TLS_LENGTH)
+       if (this->type != EAP_PT_EAP && (pkt->flags & EAP_TLS_LENGTH))
        {
                if (pkt_len < sizeof(eap_tls_packet_t) + sizeof(msg_len))
                {
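Review bot: The version check is a good addition, but the `DBG1` continuation on the second line of the new block (`eap_type_names, this->type, version);`) sits at the same column as the `DBG1` itself, unlike every other multi-line log call in this file, which indents the continued arguments; align it with the others. As a small robustness point, the check compares the received version with the single `supported_version` the instance was created with, so a peer offering a lower version is rejected rather than negotiated down; if that is intended for all four tunnel types it is worth a one-line comment above the `if`, such as `/* only the single configured version is accepted, no downgrade */`. `process_pkt` continues past the end of this hunk.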
@@ -200,27 +219,12 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
        pkt->code = this->is_server ? EAP_REQUEST : EAP_RESPONSE;
        pkt->identifier = this->identifier;
        pkt->type = this->type;
-       pkt->flags = 0;
-
-       switch (this->type)
-       {
-               case EAP_TTLS:
-                       pkt->flags |= EAP_TTLS_SUPPORTED_VERSION;
-                       break;
-               case EAP_TNC:
-                       pkt->flags |= EAP_TNC_SUPPORTED_VERSION;
-                       break;
-               case EAP_PEAP:
-                       pkt->flags |= EAP_PEAP_SUPPORTED_VERSION;
-                       break;
-               default:
-                       break;
-       }
+       pkt->flags = this->supported_version;
 
        if (this->first_fragment)
        {
-               len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(u_int32_t);
-               msg_len_offset = sizeof(u_int32_t);
+               len = sizeof(buf) - sizeof(eap_tls_packet_t) - sizeof(uint32_t);
+               msg_len_offset = sizeof(uint32_t);
        }
        else
        {
@@ -251,7 +255,7 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
                                }
                                kind = "packet";
                        }
-                       else if (this->type != EAP_TNC)
+                       else if (this->type != EAP_TNC && this->type != EAP_PT_EAP)
                        {
                                this->first_fragment = TRUE;
                                kind = "final fragment";
@@ -269,14 +273,14 @@ static status_t build_pkt(private_tls_eap_t *this, chunk_t *out)
                if (pkt->flags & EAP_TLS_LENGTH)
                {
                        htoun32(pkt + 1, reclen);
-                       len += sizeof(u_int32_t);
+                       len += sizeof(uint32_t);
                        pkt->flags |= EAP_TLS_LENGTH;
                }
                else
                {
                        /* get rid of the reserved length field */
                        memmove(buf + sizeof(eap_tls_packet_t),
-                                       buf + sizeof(eap_tls_packet_t) + sizeof(u_int32_t), len);
+                                       buf + sizeof(eap_tls_packet_t) + sizeof(uint32_t), len);
                }
        }
        len += sizeof(eap_tls_packet_t);
@@ -352,10 +356,11 @@ METHOD(tls_eap_t, process, status_t,
        }
        DBG3(DBG_TLS, "%N payload %B", eap_type_names, this->type, &in);
 
-       if (pkt->flags & EAP_TLS_START)
+       if ((this->type == EAP_PT_EAP && (pkt->flags & EAP_PT_START)) ||
+        (pkt->flags & EAP_TLS_START))
        {
                if (this->type == EAP_TTLS || this->type == EAP_TNC ||
-                       this->type == EAP_PEAP)
+                       this->type == EAP_PEAP || this->type == EAP_PT_EAP)
                {
                        DBG1(DBG_TLS, "%N version is v%u", eap_type_names, this->type,
                                 pkt->flags & EAP_TTLS_VERSION);
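Review bot: The new condition still evaluates `pkt->flags & EAP_TLS_START` for PT-EAP, so a PT-EAP packet with bit 5 set is treated as a Start packet even though the PT-EAP branch was just given its own start bit; if bit 5 is a reserved bit in PT-EAP that must be ignored on receipt, this lets a malformed or hostile packet re-enter the Start path. Make the two cases exclusive, e.g. `if (this->type == EAP_PT_EAP ? (pkt->flags & EAP_PT_START) : (pkt->flags & EAP_TLS_START))`. The same question applies to the `EAP_TLS_MORE_FRAGS` bit handled elsewhere in `process`, which is outside this hunk.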
@@ -409,14 +414,14 @@ METHOD(tls_eap_t, get_msk, chunk_t,
        return this->tls->get_eap_msk(this->tls);
 }
 
-METHOD(tls_eap_t, get_identifier, u_int8_t,
+METHOD(tls_eap_t, get_identifier, uint8_t,
        private_tls_eap_t *this)
 {
        return this->identifier;
 }
 
 METHOD(tls_eap_t, set_identifier, void,
-       private_tls_eap_t *this, u_int8_t identifier)
+       private_tls_eap_t *this, uint8_t identifier)
 {
        this->identifier = identifier;
 }
@@ -452,13 +457,31 @@ tls_eap_t *tls_eap_create(eap_type_t type, tls_t *tls, size_t frag_size,
                },
                .type = type,
                .is_server = tls->is_server(tls),
-               .first_fragment = (type != EAP_TNC),
+               .first_fragment = (type != EAP_TNC && type != EAP_PT_EAP),
                .frag_size = frag_size,
                .max_msg_count = max_msg_count,
                .include_length = include_length,
                .tls = tls,
        );
 
+       switch (type)
+       {
+               case EAP_TTLS:
+                       this->supported_version = EAP_TTLS_SUPPORTED_VERSION;
+                       break;
+               case EAP_TNC:
+                       this->supported_version = EAP_TNC_SUPPORTED_VERSION;
+                       break;
+               case EAP_PEAP:
+                       this->supported_version = EAP_PEAP_SUPPORTED_VERSION;
+                       break;
+               case EAP_PT_EAP:
+                       this->supported_version = EAP_PT_EAP_SUPPORTED_VERSION;
+                       break;
+               default:
+                       break;
+       }
+
        if (this->is_server)
        {
                do
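Review bot: `EAP_TLS` is not listed in the new `switch`, so for EAP-TLS `supported_version` keeps whatever `INIT` left in it, and the `initiate` hunk now relies on that being 0 when it builds `.flags = this->supported_version`; this is presumably true if `INIT` zero-fills unnamed members, but the dependency is invisible here. Either add an explicit `case EAP_TLS: this->supported_version = 0; break;` or put a comment on the `default:` branch such as `/* EAP-TLS has no version field; supported_version stays 0 */`. `tls_eap_create` starts before and ends after this hunk.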
index c7da832..f3fbba0 100644 (file)
@@ -66,7 +66,7 @@ struct tls_eap_t {
         *
         * @return                              identifier
         */
-       u_int8_t (*get_identifier)(tls_eap_t *this);
+       uint8_t (*get_identifier)(tls_eap_t *this);
 
        /**
         * Set the EAP identifier to a deterministic value, overwriting
@@ -74,7 +74,7 @@ struct tls_eap_t {
         *
         * @param identifier    EAP identifier
         */
-       void (*set_identifier) (tls_eap_t *this, u_int8_t identifier);
+       void (*set_identifier) (tls_eap_t *this, uint8_t identifier);
 
        /**
         * Destroy a tls_eap_t.
index 73646f8..2f104f5 100644 (file)
@@ -2,5 +2,12 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
   multiple_authentication=no
+
+  plugins {
+    eap-tnc {
+      protocol = tnccs-1.1
+    }
+  }
 }
index 73646f8..2f104f5 100644 (file)
@@ -2,5 +2,12 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
   multiple_authentication=no
+
+  plugins {
+    eap-tnc {
+      protocol = tnccs-1.1
+    }
+  }
 }
index 3975f09..51425ac 100644 (file)
@@ -2,12 +2,18 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
     eap-ttls {
       phase2_method = md5
       phase2_piggyback = yes
       phase2_tnc = yes
+      phase2_tnc_method = tnc
+    }
+    eap-tnc {
+      protocol = tnccs-1.1
     }
   }
 }
index 4cc205c..4c77038 100644 (file)
@@ -2,7 +2,14 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
   multiple_authentication=no
+
+  plugins {
+    eap-tnc {
+      protocol = tnccs-1.1
+    }
+  }
 }
 
 libimcv {
index ac46959..df385d5 100644 (file)
@@ -2,7 +2,14 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
   multiple_authentication=no
+
+  plugins {
+    eap-tnc {
+      protocol = tnccs-1.1
+    }
+  }
 }
 
 libimcv {
index 56c6b9f..4eeff49 100644 (file)
@@ -2,7 +2,14 @@
 
 charon {
   load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
   multiple_authentication=no
+
+  plugins {
+    eap-tnc {
+      protocol = tnccs-1.1
+    }
+  }
 }
 
 libimcv {
index 145ad9d..7c27dbd 100644 (file)
@@ -2,7 +2,14 @@
 
 charon {
   load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
   multiple_authentication=no
+
+  plugins {
+    eap-tnc {
+      protocol = tnccs-1.1
+    }
+  }
 }
 
 libimcv {
index 4cc205c..4c77038 100644 (file)
@@ -2,7 +2,14 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
   multiple_authentication=no
+
+  plugins {
+    eap-tnc {
+      protocol = tnccs-1.1
+    }
+  }
 }
 
 libimcv {
index 5dbee55..5424f4c 100644 (file)
@@ -2,7 +2,14 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
   multiple_authentication=no
+
+  plugins {
+    eap-tnc {
+      protocol = tnccs-1.1
+    }
+  }
 }
 
 libimcv {
index 4cc205c..4c77038 100644 (file)
@@ -2,7 +2,14 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
   multiple_authentication=no
+
+  plugins {
+    eap-tnc {
+      protocol = tnccs-1.1
+    }
+  }
 }
 
 libimcv {
index 5dbee55..5424f4c 100644 (file)
@@ -2,7 +2,14 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-11 updown
+
   multiple_authentication=no
+
+  plugins {
+    eap-tnc {
+      protocol = tnccs-1.1
+    }
+  }
 }
 
 libimcv {
index 2fe4cf0..3037d00 100644 (file)
@@ -2,12 +2,18 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-11 tnc-imv updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
     eap-ttls {
       phase2_method = md5
       phase2_piggyback = yes
       phase2_tnc = yes
+      phase2_tnc_method = tnc
+    }
+    eap-tnc {
+      protocol = tnccs-1.1
     }
   }
 }
index ced332c..20c0928 100644 (file)
@@ -2,11 +2,10 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
     tnc-imc {
       preferred_language = de, en
     }
index 70a1b07..64a25b4 100644 (file)
@@ -2,11 +2,10 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
   multiple_authentication=no
+
   plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
     tnc-imc {
       preferred_language = ru, fr, en
     }
index 59dce18..7ee2ead 100644 (file)
@@ -2,16 +2,15 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
     eap-ttls {
       phase2_method = md5
       phase2_piggyback = yes
       phase2_tnc = yes
     }
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
     tnc-imv {
       recommendation_policy = all
     }
index f202bbf..c0e5e94 100644 (file)
@@ -2,12 +2,8 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
-  plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
+
+  multiple_authentication = no
 }
 
 libimcv {
index 996169a..4c31a78 100644 (file)
@@ -2,11 +2,10 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
     tnc-imc {
       preferred_language = ru , de, en
     }
index 3e6bc65..46c7367 100644 (file)
@@ -2,16 +2,15 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
     eap-ttls {
       phase2_method = md5
       phase2_piggyback = yes
       phase2_tnc = yes
     }
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
   }
 }
 
index 18e7157..d71893a 100644 (file)
@@ -2,10 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
-  plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
+
+  multiple_authentication = no
 }
index 18e7157..d71893a 100644 (file)
@@ -2,10 +2,6 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
-  plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
+
+  multiple_authentication = no
 }
index 602979c..7681388 100644 (file)
@@ -2,15 +2,14 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
     eap-ttls {
       phase2_method = md5
       phase2_piggyback = yes
       phase2_tnc = yes
     }
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
   }
 }
index e604683..f64fe6a 100644 (file)
@@ -2,12 +2,8 @@
 
 charon {
   load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
-  multiple_authentication=no
-  plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
+
+  multiple_authentication = no
 }
 
 libimcv {
index 3236a18..075919a 100644 (file)
@@ -2,11 +2,10 @@
 
 charon {
   load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
     tnc-imc {
       preferred_language = de
     }
index 0298a51..e81908f 100644 (file)
@@ -2,16 +2,15 @@
 
 charon {
   load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
     eap-ttls {
       phase2_method = md5
       phase2_piggyback = yes
       phase2_tnc = yes
     }
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
   }
 }
 
index 34941e5..4f5993e 100644 (file)
@@ -2,12 +2,8 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
-  multiple_authentication=no
-  plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
+
+  multiple_authentication = no
 }
 
 libimcv {
index 49f778f..4ed358d 100644 (file)
@@ -2,11 +2,10 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
     tnc-imc {
       preferred_language = de
     }
index 3e017e9..ed81c17 100644 (file)
@@ -2,16 +2,15 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
     eap-ttls {
       phase2_method = md5
       phase2_piggyback = yes
       phase2_tnc = yes
     }
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
   }
 }
 
index 61bf86f..1237d23 100644 (file)
@@ -2,6 +2,7 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+
   plugins {
     eap-ttls {
       phase2_method = md5
@@ -10,7 +11,6 @@ charon {
       max_message_count = 0
     }
     eap-tnc {
-      protocol = tnccs-2.0
       max_message_count = 20
     }
     tnc-pdp {
index be6c0ad..eeb8e42 100644 (file)
@@ -8,7 +8,6 @@ charon {
       max_message_count = 0
     }
     eap-tnc {
-      protocol = tnccs-2.0
       max_message_count = 20
     }
     tnccs-20 {
index aefbfde..c9cbad9 100644 (file)
@@ -8,7 +8,6 @@ charon {
       max_message_count = 0
     }
     eap-tnc {
-      protocol = tnccs-2.0
       max_message_count = 20
     }
     tnccs-20 {
index 72bf2c7..53bb9df 100644 (file)
@@ -2,12 +2,8 @@
 
 charon {
   load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
-  multiple_authentication=no
-  plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
+
+  multiple_authentication = no
 }
 
 libimcv {
index 6f71994..25c27be 100644 (file)
@@ -2,11 +2,10 @@
 
 charon {
   load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
     tnc-imc {
       preferred_language = de
     }
index e76598b..07d620c 100644 (file)
@@ -2,16 +2,15 @@
 
 charon {
   load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
     eap-ttls {
       phase2_method = md5
       phase2_piggyback = yes
       phase2_tnc = yes
     }
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
   }
 }
 
index e604683..f64fe6a 100644 (file)
@@ -2,12 +2,8 @@
 
 charon {
   load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
-  multiple_authentication=no
-  plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
+
+  multiple_authentication = no
 }
 
 libimcv {
index 3236a18..79c79b8 100644 (file)
@@ -2,11 +2,9 @@
 
 charon {
   load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
+
+  multiple_authentication = no
   plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
     tnc-imc {
       preferred_language = de
     }
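Review bot: In this file `multiple_authentication = no` is immediately followed by `plugins {`, whereas the otherwise identical config patched earlier in this commit from the same pre-image (index 3236a18..075919a) gains a blank line between the two, as does every other host config in this series. Both files start from the same blob, so the differing result (79c79b8 here) looks like an oversight rather than intent; inserting the blank line after `  multiple_authentication = no` keeps the host configs byte-identical where they are meant to be. The `charon {` block continues past the end of the hunk.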
index 0298a51..e81908f 100644 (file)
@@ -2,16 +2,15 @@
 
 charon {
   load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
     eap-ttls {
       phase2_method = md5
       phase2_piggyback = yes
       phase2_tnc = yes
     }
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
   }
 }
 
index 6f145ab..5e661c3 100644 (file)
@@ -2,12 +2,8 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
-  plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
+
+  multiple_authentication = no
 }
 
 libimcv {
index fce9499..6b86fe8 100644 (file)
@@ -2,11 +2,10 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
     tnc-imc {
       preferred_language = ru , de, en
     }
index 3e6bc65..46c7367 100644 (file)
@@ -2,16 +2,15 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
     eap-ttls {
       phase2_method = md5
       phase2_piggyback = yes
       phase2_tnc = yes
     }
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
   }
 }
 
index ada13a3..1cf2f0e 100644 (file)
@@ -2,12 +2,8 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
-  plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
+
+  multiple_authentication = no
 }
 
 libimcv {
index 0870ca6..0e63eab 100644 (file)
@@ -2,12 +2,8 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
-  plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
+
+  multiple_authentication = no
 }
 
 libimcv {
index bc1d421..1a4dc85 100644 (file)
@@ -2,25 +2,14 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-tnccs tnccs-20 tnc-imv updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
     eap-ttls {
       request_peer_auth = yes
       phase2_piggyback = yes
       phase2_tnc = yes
     }
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
-}
-
-libimcv {
-  plugins {
-    imv-scanner {
-      closed_port_policy = no
-      tcp_ports = 80 443
-      udp_ports =
-    }
   }
 }
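Review bot: Besides dropping the now-implicit `protocol = tnccs-2.0`, this hunk also deletes the entire `libimcv { plugins { imv-scanner { ... } } }` section with its `closed_port_policy = no`, `tcp_ports = 80 443` and `udp_ports =` settings, which is not covered by the PT-EAP scope described in the commit message. If the scanner IMV policy is genuinely no longer needed for this scenario, the commit message should say so; otherwise the section should be kept, since without it the scanner IMV presumably reverts to its built-in port policy and the recommendation the test expects may change. The hunk runs to the end of the file, so no further content depends on it.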
index 6d8c10e..292bfa5 100644 (file)
@@ -2,12 +2,8 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
-  multiple_authentication=no
-  plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
-  }
+
+  multiple_authentication = no
 }
 
 libimcv {
index 1e5f50b..75f6d73 100644 (file)
@@ -2,11 +2,10 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
     tnc-imc {
       preferred_language = ru, pl  , de
     }
index 1a0cc20..94e1ee9 100644 (file)
@@ -2,16 +2,15 @@
 
 charon {
   load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
-  multiple_authentication=no
+
+  multiple_authentication = no
+
   plugins {
     eap-ttls {
       phase2_method = md5
       phase2_piggyback = yes
       phase2_tnc = yes
     }
-    eap-tnc {
-      protocol = tnccs-2.0
-    }
   }
 }
 
index 0b1cf10..0d547cb 100644 (file)
@@ -11,6 +11,7 @@ charon {
       phase2_method = md5
       phase2_piggyback = yes
       phase2_tnc = yes
+      phase2_tnc_method = tnc
     }
     eap-tnc {
       protocol = tnccs-dynamic