aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAndreas Steffen <andreas.steffen@strongswan.org>2015-03-27 20:56:34 +0100
committerAndreas Steffen <andreas.steffen@strongswan.org>2015-03-27 20:56:44 +0100
commit883c11caa03ea37e449ed839893f24cccf79badb (patch)
tree71e42ced24a6d74c0e46787f29bd486075a0ee9a
parentef5f96366ec28eb0f0dc168c19dd839369735084 (diff)
downloadstrongswan-883c11caa03ea37e449ed839893f24cccf79badb.tar.bz2
strongswan-883c11caa03ea37e449ed839893f24cccf79badb.tar.xz
Added tnc/tnccs-20-fail-init and tnc/tnccs-20-fail-resp scenarios
-rw-r--r--src/libtnccs/plugins/tnccs_20/Makefile.am1
-rw-r--r--src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c20
-rw-r--r--src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c92
-rw-r--r--src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h44
-rw-r--r--src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c5
-rw-r--r--src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h2
-rw-r--r--src/libtnccs/plugins/tnccs_20/tnccs_20_client.c11
-rw-r--r--src/libtnccs/plugins/tnccs_20/tnccs_20_server.c11
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/description.txt10
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/evaltest.dat10
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf34
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/posttest.dat6
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/pretest.dat12
-rw-r--r--testing/tests/tnc/tnccs-20-fail-init/test.conf26
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/description.txt9
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat5
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf23
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf15
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf34
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets6
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf28
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config3
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/posttest.dat4
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/pretest.dat8
-rw-r--r--testing/tests/tnc/tnccs-20-fail-resp/test.conf26
38 files changed, 582 insertions, 8 deletions
diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.am b/src/libtnccs/plugins/tnccs_20/Makefile.am
index 8321e85eb..7d1cdded1 100644
--- a/src/libtnccs/plugins/tnccs_20/Makefile.am
+++ b/src/libtnccs/plugins/tnccs_20/Makefile.am
@@ -31,6 +31,7 @@ libstrongswan_tnccs_20_la_SOURCES = \
messages/ietf/pb_reason_string_msg.h messages/ietf/pb_reason_string_msg.c \
messages/ietf/pb_remediation_parameters_msg.h messages/ietf/pb_remediation_parameters_msg.c \
messages/ita/pb_mutual_capability_msg.h messages/ita/pb_mutual_capability_msg.c \
+ messages/ita/pb_noskip_test_msg.h messages/ita/pb_noskip_test_msg.c \
messages/tcg/pb_pdp_referral_msg.h messages/tcg/pb_pdp_referral_msg.c \
state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c
diff --git a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c
index 2d02bf6e0..faad02b9b 100644
--- a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c
+++ b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c
@@ -179,6 +179,7 @@ METHOD(pb_tnc_batch_t, add_msg, bool,
METHOD(pb_tnc_batch_t, build, void,
private_pb_tnc_batch_t *this)
{
+ u_int8_t version;
u_int32_t msg_len;
chunk_t msg_value;
enumerator_t *enumerator;
@@ -187,9 +188,14 @@ METHOD(pb_tnc_batch_t, build, void,
pb_tnc_msg_info_t *msg_infos;
bio_writer_t *writer;
+ /* Set wrong PB-TNC version for testing purposes to force a PB-TNC error */
+ version = lib->settings->get_int(lib->settings,
+ "%s.plugins.tnccs-20.tests.pb_tnc_version",
+ PB_TNC_VERSION, lib->ns);
+
/* build PB-TNC batch header */
writer = bio_writer_create(this->batch_len);
- writer->write_uint8 (writer, PB_TNC_VERSION);
+ writer->write_uint8 (writer, version);
writer->write_uint8 (writer, this->is_server ?
PB_TNC_BATCH_FLAG_D : PB_TNC_BATCH_FLAG_NONE);
writer->write_uint16(writer, this->type);
@@ -310,7 +316,7 @@ METHOD(pb_tnc_batch_t, process_header, status_t,
fatal:
this->errors->insert_last(this->errors, msg);
- return VERIFY_ERROR;
+ return FAILED;
}
static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
@@ -385,12 +391,14 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
msg_type_names = pb_tnc_msg_type_names;
msg_infos = pb_tnc_msg_infos;
}
- else if (vendor_id == PEN_TCG && msg_type <= PB_TCG_MSG_ROOF)
+ else if (vendor_id == PEN_TCG && msg_type <= PB_TCG_MSG_ROOF &&
+ msg_type > PB_TCG_MSG_RESERVED)
{
msg_type_names = pb_tnc_tcg_msg_type_names;
msg_infos = pb_tnc_tcg_msg_infos;
}
- else if (vendor_id == PEN_ITA && msg_type <= PB_ITA_MSG_ROOF)
+ else if (vendor_id == PEN_ITA && msg_type <= PB_ITA_MSG_ROOF &&
+ msg_type > PB_ITA_MSG_NOSKIP_TEST)
{
msg_type_names = pb_tnc_ita_msg_type_names;
msg_infos = pb_tnc_ita_msg_infos;
@@ -408,7 +416,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
if (noskip_flag)
{
- DBG1(DBG_TNC, "reject PB-TNC message 0x%06x/0x%08x)",
+ DBG1(DBG_TNC, "reject PB-TNC message (0x%06x/0x%08x)",
vendor_id, msg_type);
msg = pb_error_msg_create_with_offset(TRUE, PEN_IETF,
PB_ERROR_UNSUPPORTED_MANDATORY_MSG, this->offset);
@@ -416,7 +424,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
}
else
{
- DBG1(DBG_TNC, "ignore PB-TNC message 0x%06x/0x%08x)",
+ DBG1(DBG_TNC, "ignore PB-TNC message (0x%06x/0x%08x)",
vendor_id, msg_type);
this->offset += msg_len;
return SUCCESS;
diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c
new file mode 100644
index 000000000..c95222e3a
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_noskip_test_msg.h"
+
+typedef struct private_pb_noskip_test_msg_t private_pb_noskip_test_msg_t;
+
+/**
+ * Private data of a pb_noskip_test_msg_t object.
+ *
+ */
+struct private_pb_noskip_test_msg_t {
+ /**
+ * Public pb_noskip_test_msg_t interface.
+ */
+ pb_noskip_test_msg_t public;
+
+ /**
+ * PB-TNC message type
+ */
+ pen_type_t type;
+
+ /**
+ * Encoded message
+ */
+ chunk_t encoding;
+};
+
+METHOD(pb_tnc_msg_t, get_type, pen_type_t,
+ private_pb_noskip_test_msg_t *this)
+{
+ return this->type;
+}
+
+METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
+ private_pb_noskip_test_msg_t *this)
+{
+ return this->encoding;
+}
+
+METHOD(pb_tnc_msg_t, build, void,
+ private_pb_noskip_test_msg_t *this)
+{
+ /* nothing to do since the message is empty */
+}
+
+METHOD(pb_tnc_msg_t, process, status_t,
+ private_pb_noskip_test_msg_t *this, u_int32_t *offset)
+{
+ return SUCCESS;
+}
+
+METHOD(pb_tnc_msg_t, destroy, void,
+ private_pb_noskip_test_msg_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_noskip_test_msg_create(void)
+{
+ private_pb_noskip_test_msg_t *this;
+
+ INIT(this,
+ .public = {
+ .pb_interface = {
+ .get_type = _get_type,
+ .get_encoding = _get_encoding,
+ .build = _build,
+ .process = _process,
+ .destroy = _destroy,
+ },
+ },
+ .type = { PEN_ITA, PB_ITA_MSG_NOSKIP_TEST },
+ );
+
+ return &this->public.pb_interface;
+}
diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h
new file mode 100644
index 000000000..6325582da
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_noskip_test_msg pb_noskip_test_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_NOSKIP_TEST_MSG_H_
+#define PB_NOSKIP_TEST_MSG_H_
+
+typedef struct pb_noskip_test_msg_t pb_noskip_test_msg_t;
+
+#include "messages/pb_tnc_msg.h"
+
+/**
+ * Class representing the PB-Noskip-Test message type.
+ */
+struct pb_noskip_test_msg_t {
+
+ /**
+ * PB-TNC Message interface
+ */
+ pb_tnc_msg_t pb_interface;
+};
+
+/**
+ * Create a PB-Noskip-Test message from parameters
+ */
+pb_tnc_msg_t* pb_noskip_test_msg_create(void);
+
+#endif /** PB_NOSKIP_TEST_MSG_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c
index 9562dee92..b46c776e4 100644
--- a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c
+++ b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c
@@ -43,8 +43,9 @@ ENUM(pb_tnc_tcg_msg_type_names, PB_TCG_MSG_PDP_REFERRAL,
"PB-PDP-Referral"
);
-ENUM(pb_tnc_ita_msg_type_names, PB_ITA_MSG_MUTUAL_CAPABILITY,
+ENUM(pb_tnc_ita_msg_type_names, PB_ITA_MSG_NOSKIP_TEST,
PB_ITA_MSG_MUTUAL_CAPABILITY,
+ "PB-Noskip-Test",
"PB-Mutual-Capability"
);
@@ -65,7 +66,7 @@ pb_tnc_msg_info_t pb_tnc_tcg_msg_infos[] = {
};
pb_tnc_msg_info_t pb_tnc_ita_msg_infos[] = {
- { 0 }, /* dummy entry because pb_tnc_ita_msg_type_t starts with 1 */
+ { 12, TRUE, FALSE, TRUE },
{ 16, FALSE, FALSE, FALSE },
};
diff --git a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h
index 9a53b5e50..35b0b7c26 100644
--- a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h
+++ b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h
@@ -54,6 +54,7 @@ extern enum_name_t *pb_tnc_msg_type_names;
* PB-TNC Message Type defined in the TCG namespace
*/
enum pb_tnc_tcg_msg_type_t {
+ PB_TCG_MSG_RESERVED = 0,
PB_TCG_MSG_PDP_REFERRAL = 1,
PB_TCG_MSG_ROOF = 1
};
@@ -67,6 +68,7 @@ extern enum_name_t *pb_tnc_tcg_msg_type_names;
* PB-TNC Message Type defined in the ITA namespace
*/
enum pb_tnc_ita_msg_type_t {
+ PB_ITA_MSG_NOSKIP_TEST = 0,
PB_ITA_MSG_MUTUAL_CAPABILITY = 1,
PB_ITA_MSG_ROOF = 1
};
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c
index 80ae4b64e..4ba8221d0 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c
@@ -23,6 +23,7 @@
#include "messages/ietf/pb_reason_string_msg.h"
#include "messages/ietf/pb_language_preference_msg.h"
#include "messages/ita/pb_mutual_capability_msg.h"
+#include "messages/ita/pb_noskip_test_msg.h"
#include "messages/tcg/pb_pdp_referral_msg.h"
#include "state_machine/pb_tnc_state_machine.h"
@@ -674,6 +675,16 @@ METHOD(tnccs_20_handler_t, begin_handshake, void,
this->send_msg = TRUE;
tnc->imcs->begin_handshake(tnc->imcs, this->connection_id);
this->send_msg = FALSE;
+
+ /* Send a PB-Noskip-Test message for testing purposes */
+ if (lib->settings->get_bool(lib->settings,
+ "%s.plugins.tnccs-20.tests.pb_tnc_noskip", FALSE, lib->ns))
+ {
+ msg = pb_noskip_test_msg_create();
+ this->mutex->lock(this->mutex);
+ this->messages->insert_last(this->messages, msg);
+ this->mutex->unlock(this->mutex);
+ }
}
METHOD(tnccs_20_handler_t, get_send_flag, bool,
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c
index e6ac21ac1..038fc178b 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c
@@ -23,6 +23,7 @@
#include "messages/ietf/pb_reason_string_msg.h"
#include "messages/ietf/pb_language_preference_msg.h"
#include "messages/ita/pb_mutual_capability_msg.h"
+#include "messages/ita/pb_noskip_test_msg.h"
#include "messages/tcg/pb_pdp_referral_msg.h"
#include "state_machine/pb_tnc_state_machine.h"
@@ -547,6 +548,16 @@ METHOD(tnccs_20_handler_t, begin_handshake, void,
this->messages->insert_last(this->messages, msg);
this->mutex->unlock(this->mutex);
}
+
+ /* Send a PB-Noskip-Test message for testing purposes */
+ if (lib->settings->get_bool(lib->settings,
+ "%s.plugins.tnccs-20.tests.pb_tnc_noskip", FALSE, lib->ns))
+ {
+ msg = pb_noskip_test_msg_create();
+ this->mutex->lock(this->mutex);
+ this->messages->insert_last(this->messages, msg);
+ this->mutex->unlock(this->mutex);
+ }
}
METHOD(tnccs_20_handler_t, get_send_flag, bool,
diff --git a/testing/tests/tnc/tnccs-20-fail-init/description.txt b/testing/tests/tnc/tnccs-20-fail-init/description.txt
new file mode 100644
index 000000000..91fbbaad9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p/>
+Unfortunately <b>carol</b> sends her first PB-TNC batch with a wrong version number and
+<b>dave</b> sends a PB-TNC message not supported by <b>moon</b> with the NOSKIP flag set.
+Therefore both connection setups fail due to fatal PB-TNC errors.
diff --git a/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat b/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat
new file mode 100644
index 000000000..4cbf60ff7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat
@@ -0,0 +1,10 @@
+moon:: cat /var/log/daemon.log::unsupported TNCCS batch version 0x03::YES
+carol::cat /var/log/daemon.log::received fatal PB-TNC error.*Version Not Supported.*caused by bad version 0x03::YES
+carol::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::reject PB-TNC message (0x00902a/0x00000000)::YES
+dave:: cat /var/log/daemon.log::received fatal PB-TNC error.*Unsupported Mandatory Message::YES
+dave::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e2bf349d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..fcd224651
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+
+ multiple_authentication = no
+
+ plugins {
+ tnccs-20 {
+ tests {
+ pb_tnc_version = 3
+ }
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..504408488
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..76f413722
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,26 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
+ multiple_authentication = no
+
+ plugins {
+ tnc-imc {
+ preferred_language = ru, pl , de
+ }
+ tnccs-20 {
+ tests {
+ pb_tnc_noskip = yes
+ }
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = isolate
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e21ef0d14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imv 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9c13fcb67
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+
+ multiple_authentication = no
+
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..61b141062
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client
+
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat
new file mode 100644
index 000000000..b757d8b15
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
new file mode 100644
index 000000000..38c651328
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-fail-init/test.conf b/testing/tests/tnc/tnccs-20-fail-init/test.conf
new file mode 100644
index 000000000..3c8e3996f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/description.txt b/testing/tests/tnc/tnccs-20-fail-resp/description.txt
new file mode 100644
index 000000000..0aa07193c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/description.txt
@@ -0,0 +1,9 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the client doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p/>
+Unfortunately <b>moon</b> sends his first PB-TNC batch with a wrong version number .
+Therefore the connection setup fails due to a fatal PB-TNC error.
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat b/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat
new file mode 100644
index 000000000..df4bdc857
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat
@@ -0,0 +1,5 @@
+carol:: cat /var/log/daemon.log::unsupported TNCCS batch version 0x03::YES
+moon::cat /var/log/daemon.log::received fatal PB-TNC error.*Version Not Supported.*caused by bad version 0x03::YES
+moon::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e2bf349d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightauth=any
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ed6d6f718
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+
+ multiple_authentication = no
+}
+
+libimcv {
+ plugins {
+ imc-test {
+ command = allow
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Test" /usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e21ef0d14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ charondebug="tnc 3, imv 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..626731f58
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,28 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+
+ multiple_authentication = no
+
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ tnccs-20 {
+ tests {
+ pb_tnc_version = 3
+ }
+ }
+ }
+}
+
+libimcv {
+ plugins {
+ imv-test {
+ rounds = 1
+ }
+ }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..61b141062
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client
+
+IMV "Test" /usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat
new file mode 100644
index 000000000..80ce1a125
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat
@@ -0,0 +1,4 @@
+carol::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
new file mode 100644
index 000000000..6947c4bdf
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/test.conf b/testing/tests/tnc/tnccs-20-fail-resp/test.conf
new file mode 100644
index 000000000..e8430743e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+