Added tnc/tnccs-20-fail-init and tnc/tnccs-20-fail-resp scenarios

author: Andreas Steffen <andreas.steffen@strongswan.org> 2015-03-27 20:56:34 +0100
committer: Andreas Steffen <andreas.steffen@strongswan.org> 2015-03-27 20:56:44 +0100
commit: 883c11caa03ea37e449ed839893f24cccf79badb (patch)
tree: 71e42ced24a6d74c0e46787f29bd486075a0ee9a
parent: ef5f96366ec28eb0f0dc168c19dd839369735084 (diff)
download: strongswan-883c11caa03ea37e449ed839893f24cccf79badb.tar.bz2
strongswan-883c11caa03ea37e449ed839893f24cccf79badb.tar.xz
38 files changed, 582 insertions, 8 deletions
diff --git a/src/libtnccs/plugins/tnccs_20/Makefile.am b/src/libtnccs/plugins/tnccs_20/Makefile.am
index 8321e85eb..7d1cdded1 100644
--- a/src/libtnccs/plugins/tnccs_20/Makefile.am
+++ b/src/libtnccs/plugins/tnccs_20/Makefile.am
@@ -31,6 +31,7 @@ libstrongswan_tnccs_20_la_SOURCES = \
 	messages/ietf/pb_reason_string_msg.h messages/ietf/pb_reason_string_msg.c \
 	messages/ietf/pb_remediation_parameters_msg.h messages/ietf/pb_remediation_parameters_msg.c \
 	messages/ita/pb_mutual_capability_msg.h messages/ita/pb_mutual_capability_msg.c \
+	messages/ita/pb_noskip_test_msg.h messages/ita/pb_noskip_test_msg.c \
 	messages/tcg/pb_pdp_referral_msg.h messages/tcg/pb_pdp_referral_msg.c \
 	state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c
 
diff --git a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c
index 2d02bf6e0..faad02b9b 100644
--- a/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c
+++ b/src/libtnccs/plugins/tnccs_20/batch/pb_tnc_batch.c
@@ -179,6 +179,7 @@ METHOD(pb_tnc_batch_t, add_msg, bool,
 METHOD(pb_tnc_batch_t, build, void,
 	private_pb_tnc_batch_t *this)
 {
+	u_int8_t version;
 	u_int32_t msg_len;
 	chunk_t msg_value;
 	enumerator_t *enumerator;
@@ -187,9 +188,14 @@ METHOD(pb_tnc_batch_t, build, void,
 	pb_tnc_msg_info_t *msg_infos;
 	bio_writer_t *writer;
 
+	/* Set wrong PB-TNC version for testing purposes to force a PB-TNC error */
+	version = lib->settings->get_int(lib->settings,
+						"%s.plugins.tnccs-20.tests.pb_tnc_version",
+						 PB_TNC_VERSION, lib->ns);
+
 	/* build PB-TNC batch header */
 	writer = bio_writer_create(this->batch_len);
-	writer->write_uint8 (writer, PB_TNC_VERSION);
+	writer->write_uint8 (writer, version);
 	writer->write_uint8 (writer, this->is_server ?
 								 PB_TNC_BATCH_FLAG_D : PB_TNC_BATCH_FLAG_NONE);
 	writer->write_uint16(writer, this->type);
@@ -310,7 +316,7 @@ METHOD(pb_tnc_batch_t, process_header, status_t,
 
 fatal:
 	this->errors->insert_last(this->errors, msg);
-	return VERIFY_ERROR;
+	return FAILED;
 }
 
 static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
@@ -385,12 +391,14 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
 		msg_type_names = pb_tnc_msg_type_names;
 		msg_infos = pb_tnc_msg_infos;
 	}
-	else if (vendor_id == PEN_TCG && msg_type <= PB_TCG_MSG_ROOF)
+	else if (vendor_id == PEN_TCG && msg_type <= PB_TCG_MSG_ROOF &&
+									 msg_type >  PB_TCG_MSG_RESERVED)
 	{
 		msg_type_names = pb_tnc_tcg_msg_type_names;
 		msg_infos = pb_tnc_tcg_msg_infos;
 	}
-	else if (vendor_id == PEN_ITA && msg_type <= PB_ITA_MSG_ROOF)
+	else if (vendor_id == PEN_ITA && msg_type <= PB_ITA_MSG_ROOF &&
+									 msg_type >  PB_ITA_MSG_NOSKIP_TEST)
 	{
 		msg_type_names = pb_tnc_ita_msg_type_names;
 		msg_infos = pb_tnc_ita_msg_infos;
@@ -408,7 +416,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
 
 		if (noskip_flag)
 		{
-			DBG1(DBG_TNC, "reject PB-TNC message 0x%06x/0x%08x)",
+			DBG1(DBG_TNC, "reject PB-TNC message (0x%06x/0x%08x)",
 						   vendor_id, msg_type);
 			msg = pb_error_msg_create_with_offset(TRUE, PEN_IETF,
 							PB_ERROR_UNSUPPORTED_MANDATORY_MSG, this->offset);
@@ -416,7 +424,7 @@ static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
 		}
 		else
 		{
-			DBG1(DBG_TNC, "ignore PB-TNC message 0x%06x/0x%08x)",
+			DBG1(DBG_TNC, "ignore PB-TNC message (0x%06x/0x%08x)",
 						   vendor_id, msg_type);
 			this->offset += msg_len;
 			return SUCCESS;
diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c
new file mode 100644
index 000000000..c95222e3a
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.c
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "pb_noskip_test_msg.h"
+
+typedef struct private_pb_noskip_test_msg_t private_pb_noskip_test_msg_t;
+
+/**
+ * Private data of a pb_noskip_test_msg_t object.
+ *
+ */
+struct private_pb_noskip_test_msg_t {
+	/**
+	 * Public pb_noskip_test_msg_t interface.
+	 */
+	pb_noskip_test_msg_t public;
+
+	/**
+	 * PB-TNC message type
+	 */
+	pen_type_t type;
+
+	/**
+	 * Encoded message
+	 */
+	chunk_t encoding;
+};
+
+METHOD(pb_tnc_msg_t, get_type, pen_type_t,
+	private_pb_noskip_test_msg_t *this)
+{
+	return this->type;
+}
+
+METHOD(pb_tnc_msg_t, get_encoding, chunk_t,
+	private_pb_noskip_test_msg_t *this)
+{
+	return this->encoding;
+}
+
+METHOD(pb_tnc_msg_t, build, void,
+	private_pb_noskip_test_msg_t *this)
+{
+	/* nothing to do since the message is empty */
+}
+
+METHOD(pb_tnc_msg_t, process, status_t,
+	private_pb_noskip_test_msg_t *this, u_int32_t *offset)
+{
+	return SUCCESS;
+}
+
+METHOD(pb_tnc_msg_t, destroy, void,
+	private_pb_noskip_test_msg_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+pb_tnc_msg_t *pb_noskip_test_msg_create(void)
+{
+	private_pb_noskip_test_msg_t *this;
+
+	INIT(this,
+		.public = {
+			.pb_interface = {
+				.get_type = _get_type,
+				.get_encoding = _get_encoding,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+		},
+		.type = { PEN_ITA, PB_ITA_MSG_NOSKIP_TEST },
+	);
+
+	return &this->public.pb_interface;
+}
diff --git a/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h
new file mode 100644
index 000000000..6325582da
--- /dev/null
+++ b/src/libtnccs/plugins/tnccs_20/messages/ita/pb_noskip_test_msg.h
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_noskip_test_msg pb_noskip_test_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_NOSKIP_TEST_MSG_H_
+#define PB_NOSKIP_TEST_MSG_H_
+
+typedef struct pb_noskip_test_msg_t pb_noskip_test_msg_t;
+
+#include "messages/pb_tnc_msg.h"
+
+/**
+ * Class representing the PB-Noskip-Test message type.
+ */
+struct pb_noskip_test_msg_t {
+
+	/**
+	 * PB-TNC Message interface
+	 */
+	pb_tnc_msg_t pb_interface;
+};
+
+/**
+ * Create a PB-Noskip-Test message from parameters
+ */
+pb_tnc_msg_t* pb_noskip_test_msg_create(void);
+
+#endif /** PB_NOSKIP_TEST_MSG_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c
index 9562dee92..b46c776e4 100644
--- a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c
+++ b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.c
@@ -43,8 +43,9 @@ ENUM(pb_tnc_tcg_msg_type_names, PB_TCG_MSG_PDP_REFERRAL,
 	"PB-PDP-Referral"
 );
 
-ENUM(pb_tnc_ita_msg_type_names, PB_ITA_MSG_MUTUAL_CAPABILITY,
+ENUM(pb_tnc_ita_msg_type_names, PB_ITA_MSG_NOSKIP_TEST,
 								PB_ITA_MSG_MUTUAL_CAPABILITY,
+	"PB-Noskip-Test",
 	"PB-Mutual-Capability"
 );
 
@@ -65,7 +66,7 @@ pb_tnc_msg_info_t pb_tnc_tcg_msg_infos[] = {
 };
 
 pb_tnc_msg_info_t pb_tnc_ita_msg_infos[] = {
-	{ 0 }, /* dummy entry because pb_tnc_ita_msg_type_t starts with 1 */
+	{ 12, TRUE,  FALSE,  TRUE  },
 	{ 16, FALSE, FALSE,  FALSE },
 };
 
diff --git a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h
index 9a53b5e50..35b0b7c26 100644
--- a/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h
+++ b/src/libtnccs/plugins/tnccs_20/messages/pb_tnc_msg.h
@@ -54,6 +54,7 @@ extern enum_name_t *pb_tnc_msg_type_names;
  * PB-TNC Message Type defined in the TCG namespace
  */
 enum pb_tnc_tcg_msg_type_t {
+	PB_TCG_MSG_RESERVED =				0,
 	PB_TCG_MSG_PDP_REFERRAL =			1,
 	PB_TCG_MSG_ROOF =					1
 };
@@ -67,6 +68,7 @@ extern enum_name_t *pb_tnc_tcg_msg_type_names;
  * PB-TNC Message Type defined in the ITA namespace
  */
 enum pb_tnc_ita_msg_type_t {
+	PB_ITA_MSG_NOSKIP_TEST =			0,
 	PB_ITA_MSG_MUTUAL_CAPABILITY =		1,
 	PB_ITA_MSG_ROOF =					1
 };
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c
index 80ae4b64e..4ba8221d0 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_client.c
@@ -23,6 +23,7 @@
 #include "messages/ietf/pb_reason_string_msg.h"
 #include "messages/ietf/pb_language_preference_msg.h"
 #include "messages/ita/pb_mutual_capability_msg.h"
+#include "messages/ita/pb_noskip_test_msg.h"
 #include "messages/tcg/pb_pdp_referral_msg.h"
 #include "state_machine/pb_tnc_state_machine.h"
 
@@ -674,6 +675,16 @@ METHOD(tnccs_20_handler_t, begin_handshake, void,
 	this->send_msg = TRUE;
 	tnc->imcs->begin_handshake(tnc->imcs, this->connection_id);
 	this->send_msg = FALSE;
+
+	/* Send a PB-Noskip-Test message for testing purposes */
+	if (lib->settings->get_bool(lib->settings,
+				"%s.plugins.tnccs-20.tests.pb_tnc_noskip", FALSE, lib->ns))
+	{
+		msg = pb_noskip_test_msg_create();
+		this->mutex->lock(this->mutex);
+		this->messages->insert_last(this->messages, msg);
+		this->mutex->unlock(this->mutex);
+	}
 }
 
 METHOD(tnccs_20_handler_t, get_send_flag, bool,
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c
index e6ac21ac1..038fc178b 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20_server.c
@@ -23,6 +23,7 @@
 #include "messages/ietf/pb_reason_string_msg.h"
 #include "messages/ietf/pb_language_preference_msg.h"
 #include "messages/ita/pb_mutual_capability_msg.h"
+#include "messages/ita/pb_noskip_test_msg.h"
 #include "messages/tcg/pb_pdp_referral_msg.h"
 #include "state_machine/pb_tnc_state_machine.h"
 
@@ -547,6 +548,16 @@ METHOD(tnccs_20_handler_t, begin_handshake, void,
 		this->messages->insert_last(this->messages, msg);
 		this->mutex->unlock(this->mutex);
 	}
+
+	/* Send a PB-Noskip-Test message for testing purposes */
+	if (lib->settings->get_bool(lib->settings,
+				"%s.plugins.tnccs-20.tests.pb_tnc_noskip", FALSE, lib->ns))
+	{
+		msg = pb_noskip_test_msg_create();
+		this->mutex->lock(this->mutex);
+		this->messages->insert_last(this->messages, msg);
+		this->mutex->unlock(this->mutex);
+	}
 }
 
 METHOD(tnccs_20_handler_t, get_send_flag, bool,
diff --git a/testing/tests/tnc/tnccs-20-fail-init/description.txt b/testing/tests/tnc/tnccs-20-fail-init/description.txt
new file mode 100644
index 000000000..91fbbaad9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p/>
+Unfortunately <b>carol</b> sends her first PB-TNC batch with a wrong version number and
+<b>dave</b> sends a PB-TNC message not supported by <b>moon</b> with the NOSKIP flag set.
+Therefore both connection setups fail due to fatal PB-TNC errors.
diff --git a/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat b/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat
new file mode 100644
index 000000000..4cbf60ff7
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/evaltest.dat
@@ -0,0 +1,10 @@
+moon:: cat /var/log/daemon.log::unsupported TNCCS batch version 0x03::YES
+carol::cat /var/log/daemon.log::received fatal PB-TNC error.*Version Not Supported.*caused by bad version 0x03::YES
+carol::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+moon:: cat /var/log/daemon.log::reject PB-TNC message (0x00902a/0x00000000)::YES
+dave:: cat /var/log/daemon.log::received fatal PB-TNC error.*Unsupported Mandatory Message::YES
+dave::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e2bf349d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..fcd224651
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+
+  multiple_authentication = no
+
+  plugins {
+    tnccs-20 {
+      tests {
+        pb_tnc_version = 3
+      }
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..504408488
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftid=dave@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..76f413722
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,26 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
+  multiple_authentication = no
+
+  plugins {
+    tnc-imc {
+      preferred_language = ru, pl  , de
+    }
+    tnccs-20 {
+      tests {
+        pb_tnc_noskip = yes 
+      }
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = isolate
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e21ef0d14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imv 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..9c13fcb67
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,23 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+
+  multiple_authentication = no
+
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imv-test {
+      rounds = 1
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..61b141062
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client 
+
+IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-init/posttest.dat b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat
new file mode 100644
index 000000000..b757d8b15
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/posttest.dat
@@ -0,0 +1,6 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fail-init/pretest.dat b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
new file mode 100644
index 000000000..38c651328
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/pretest.dat
@@ -0,0 +1,12 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start 
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-fail-init/test.conf b/testing/tests/tnc/tnccs-20-fail-init/test.conf
new file mode 100644
index 000000000..3c8e3996f
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-init/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/description.txt b/testing/tests/tnc/tnccs-20-fail-resp/description.txt
new file mode 100644
index 000000000..0aa07193c
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/description.txt
@@ -0,0 +1,9 @@
+The roadwarrior <b>carol</b> sets up a connection to gateway <b>moon</b>
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the client doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of <b>carol</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p/>
+Unfortunately <b>moon</b> sends his first PB-TNC batch with a wrong version number .
+Therefore the connection setup fails due to a fatal PB-TNC error.
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat b/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat
new file mode 100644
index 000000000..df4bdc857
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/evaltest.dat
@@ -0,0 +1,5 @@
+carol:: cat /var/log/daemon.log::unsupported TNCCS batch version 0x03::YES
+moon::cat /var/log/daemon.log::received fatal PB-TNC error.*Version Not Supported.*caused by bad version 0x03::YES
+moon::cat /var/log/daemon.log::EAP_PT_EAP method failed::YES
+moon:: cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer carol@strongswan.org::YES
+carol::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..e2bf349d9
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightauth=any
+	rightsendcert=never
+	rightsubnet=10.1.0.0/16
+	auto=add
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..ed6d6f718
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
+
+  multiple_authentication = no
+}
+
+libimcv {
+  plugins {
+    imc-test {
+      command = allow
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..bfa666761
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client 
+
+IMC "Test"	/usr/local/lib/ipsec/imcvs/imc-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..e21ef0d14
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,34 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 3, imv 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=eap-ttls
+	leftfirewall=yes
+	rightauth=eap-ttls
+	rightid=*@strongswan.org
+	rightsendcert=never
+	right=%any
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org  : EAP "W7R0g3do"
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..626731f58
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,28 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown
+
+  multiple_authentication = no
+
+  plugins {
+    eap-ttls {
+      phase2_method = md5
+      phase2_piggyback = yes
+      phase2_tnc = yes
+    }
+    tnccs-20 {
+      tests {
+        pb_tnc_version = 3
+      }
+    }
+  }
+}
+
+libimcv {
+  plugins {
+    imv-test {
+      rounds = 1
+    }
+  }
+}
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..61b141062
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client 
+
+IMV "Test"	/usr/local/lib/ipsec/imcvs/imv-test.so
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat
new file mode 100644
index 000000000..80ce1a125
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/posttest.dat
@@ -0,0 +1,4 @@
+carol::ipsec stop
+moon::ipsec stop
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
new file mode 100644
index 000000000..6947c4bdf
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/pretest.dat
@@ -0,0 +1,8 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+moon::ipsec start
+carol::ipsec start 
+carol::sleep 1
+carol::ipsec up home
diff --git a/testing/tests/tnc/tnccs-20-fail-resp/test.conf b/testing/tests/tnc/tnccs-20-fail-resp/test.conf
new file mode 100644
index 000000000..e8430743e
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-fail-resp/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="moon carol winnetou"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
author	Andreas Steffen <andreas.steffen@strongswan.org>	2015-03-27 20:56:34 +0100
committer	Andreas Steffen <andreas.steffen@strongswan.org>	2015-03-27 20:56:44 +0100
commit	883c11caa03ea37e449ed839893f24cccf79badb (patch)
tree	71e42ced24a6d74c0e46787f29bd486075a0ee9a
parent	ef5f96366ec28eb0f0dc168c19dd839369735084 (diff)
download	strongswan-883c11caa03ea37e449ed839893f24cccf79badb.tar.bz2 strongswan-883c11caa03ea37e449ed839893f24cccf79badb.tar.xz