diff options
Diffstat (limited to 'testing')
83 files changed, 1113 insertions, 73 deletions
diff --git a/testing/do-tests b/testing/do-tests index becb7f181..cf1bd2d84 100755 --- a/testing/do-tests +++ b/testing/do-tests @@ -653,7 +653,7 @@ do for host in $IPSECHOSTS do eval HOSTLOGIN=root@\$ipv4_${host} - ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv' \ + ssh $SSHCONF $HOSTLOGIN "grep -E 'charon|last message repeated|imcv|pt-tls-client' \ /var/log/auth.log" >> $TESTRESULTDIR/${host}.auth.log done diff --git a/testing/hosts/default/etc/hosts b/testing/hosts/default/etc/hosts index 75a8fdd2a..bcb766aa1 100644 --- a/testing/hosts/default/etc/hosts +++ b/testing/hosts/default/etc/hosts @@ -12,7 +12,7 @@ 10.1.0.254 uml1.strongswan.org uml1 10.2.0.254 uml1.strongswan.org uml2 -10.1.0.10 alice.strongswan.org alice aaa.strongswan.org +10.1.0.10 alice.strongswan.org alice aaa.strongswan.org tnc.strongswan.org 10.1.0.20 venus.strongswan.org venus 10.1.0.30 carol2.strongswan.org carol2 10.1.0.40 dave2.strongswan.org dave2 diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage index 549bbc77b..956fc93ca 100755 --- a/testing/scripts/build-baseimage +++ b/testing/scripts/build-baseimage @@ -18,7 +18,8 @@ INC=$INC,liblog4cxx10-dev,libboost-thread-dev,libboost-system-dev,git-core INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils,screen INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev INC=$INC,libalog0.4.1-base-dev,hostapd,libsoup2.4-dev,ca-certificates,unzip -INC=$INC,python,python-setuptools +INC=$INC,python,python-setuptools,python-dev,python-pip +INC=$INC,libjson0-dev,libxslt1-dev,libapache2-mod-wsgi SERVICES="apache2 dbus isc-dhcp-server slapd bind9" INC=$INC,${SERVICES// /,} diff --git a/testing/scripts/build-guestimages b/testing/scripts/build-guestimages index f7fb1f85c..b84536adf 100755 --- a/testing/scripts/build-guestimages +++ b/testing/scripts/build-guestimages @@ -48,7 +48,17 @@ do execute "cp -rf $HOSTSDIR/default/* $LOOPDIR" 0 execute_chroot "ldconfig" 0 - if [ "$host" = "winnetou" ] + if [ "$host" = "alice" ] + then + execute "mkdir $LOOPDIR/var/log/apache2/tnc" 0 + execute "mkdir $LOOPDIR/etc/strongTNC" 0 + execute "mkdir $LOOPDIR/etc/pts" 0 + execute_chroot "chgrp www-data /etc/strongTNC" 0 + execute_chroot "chmod g+w /etc/strongTNC" 0 + execute_chroot "chgrp www-data /etc/pts" 0 + execute_chroot "chmod g+w /etc/pts" 0 + fi + if [ "$host" = "winnetou" ] then execute "mkdir $LOOPDIR/var/log/apache2/ocsp" 0 execute "cp -rf $DIR/../images $LOOPDIR/var/www/" 0 diff --git a/testing/scripts/recipes/015_strongTNC.mk b/testing/scripts/recipes/015_strongTNC.mk new file mode 100644 index 000000000..6746b9145 --- /dev/null +++ b/testing/scripts/recipes/015_strongTNC.mk @@ -0,0 +1,17 @@ +#!/usr/bin/make + +PKG = strongTNC +ZIP = $(PKG)-master.zip +SRC = https://github.com/strongswan/$(PKG)/archive/master.zip + +all: install + +$(ZIP): + wget --ca-directory=/usr/share/ca-certificates/mozilla/ $(SRC) -O $(ZIP) + +$(PKG)-master: $(ZIP) + unzip -u $(ZIP) + +install: $(PKG)-master + cd $(PKG)-master && pip install -r requirements.txt + cp -r $(PKG)-master /var/www/tnc && chgrp -R www-data /var/www/tnc diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat index 505a4d079..9a477bd04 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat @@ -1,21 +1,28 @@ -carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES -carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES -carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES -carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES -carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES +dave:: cat /var/log/daemon.log::collected 372 SWID tags::YES dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES -moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES -moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES +carol::cat /var/log/daemon.log::collected 373 SWID tag IDs::YES +carol::cat /var/log/daemon.log::collected 1 SWID tag::YES +carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by password::YES +alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and 372 SWID tags::YES +alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES +alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 9: allow - received inventory of 373 SWID tag IDs and 1 SWID tag::YES moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES -moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES +moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default new file mode 100644 index 000000000..f6bf635f4 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default @@ -0,0 +1,24 @@ +WSGIPythonPath /var/www/tnc + +<VirtualHost *:80> + ServerName tnc.strongswan.org + ServerAlias tnc + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/tnc + + <Directory /var/www/tnc/config> + <Files wsgi.py> + Order deny,allow + Allow from all + </Files> + </Directory> + + WSGIScriptAlias / /var/www/tnc/config/wsgi.py + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + + ErrorLog ${APACHE_LOG_DIR}/tnc/error.log + LogLevel warn + CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined +</VirtualHost> diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/django.db b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/django.db Binary files differnew file mode 100644 index 000000000..3866bfab0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/django.db diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini new file mode 100644 index 000000000..5d12736eb --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini @@ -0,0 +1,19 @@ +[debug] +DEBUG=1 +TEMPLATE_DEBUG=1 +DEBUG_TOOLBAR=0 + +[db] +DJANGO_DB_URL=sqlite:////etc/strongTNC/django.db +STRONGTNC_DB_URL = sqlite:////etc/pts/config.db + +[localization] +LANGUAGE_CODE=en-us +TIME_ZONE=Europe/Zurich + +[admins] +Your Name: alice@strongswan.org + +[security] +SECRET_KEY=strongSwan + diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf index 1237d233b..a60f1dead 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf @@ -11,7 +11,7 @@ charon { max_message_count = 0 } eap-tnc { - max_message_count = 20 + max_message_count = 0 } tnc-pdp { server = aaa.strongswan.org @@ -26,4 +26,10 @@ libimcv { debug_level = 3 database = sqlite:///etc/pts/config.db policy_script = ipsec imv_policy_manager + + plugins { + imv-swid { + rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/ + } + } } diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf index eeb8e42ab..c040f0997 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf @@ -8,7 +8,7 @@ charon { max_message_count = 0 } eap-tnc { - max_message_count = 20 + max_message_count = 0 } tnccs-20 { max_batch_size = 32754 @@ -16,4 +16,3 @@ charon { } } } - diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf index c9cbad966..cd9efeecb 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf @@ -8,7 +8,7 @@ charon { max_message_count = 0 } eap-tnc { - max_message_count = 20 + max_message_count = 0 } tnccs-20 { max_batch_size = 32754 @@ -23,6 +23,7 @@ libimcv { push_info = no } imc-swid { + swid_directory = /usr/share swid_pretty = no } } diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat index 916e433c0..1e5c3f8cd 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/posttest.dat @@ -2,6 +2,7 @@ moon::ipsec stop carol::ipsec stop dave::ipsec stop alice::ipsec stop +alice::service apache2 stop alice::rm /etc/pts/config.db moon::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat index 6709b8905..6c7477786 100644 --- a/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-eap/pretest.dat @@ -8,11 +8,13 @@ carol::echo 0 > /proc/sys/net/ipv4/ip_forward dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db +alice::service apache2 start alice::ipsec start moon::ipsec start -carol::ipsec start dave::ipsec start +carol::ipsec start carol::sleep 1 -carol::ipsec up home dave::ipsec up home -dave::sleep 1 +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat index 4be71afb0..9327f51bf 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat @@ -1,12 +1,19 @@ -alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES -alice:: cat /var/log/daemon.log::SASL PLAIN authentication successful::YES -alice:: cat /var/log/daemon.log::SASL client identity is.*carol::YES -alice:: cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES -alice:: cat /var/log/daemon.log::received SWID tag ID inventory for request 6 at eid 1 of epoch::YES -alice:: cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES -alice:: cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES -alice:: cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES -alice:: cat /var/log/daemon.log::certificate status is good::YES -alice:: cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES -alice:: cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES -alice:: cat /var/log/daemon.log::received SWID tag inventory for request 11 at eid 1 of epoch::YES +dave:: cat /var/log/auth.log::sending TLS CertificateVerify handshake::YES +dave:: cat /var/log/auth.log::collected 372 SWID tags::YES +carol::cat /var/log/auth.log::received SASL Success result::YES +carol::cat /var/log/auth.log::collected 373 SWID tag IDs::YES +carol::cat /var/log/auth.log::collected 1 SWID tag::YES +alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES +alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES +alice::cat /var/log/daemon.log::certificate status is good::YES +alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES +alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES +alice::cat /var/log/daemon.log::received SWID tag inventory with 372 items for request 3 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES +alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES +alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES +alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES +alice::cat /var/log/daemon.log::received SWID tag ID inventory with 373 items for request 9 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::1 SWID tag target::YES +alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default new file mode 100644 index 000000000..f6bf635f4 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default @@ -0,0 +1,24 @@ +WSGIPythonPath /var/www/tnc + +<VirtualHost *:80> + ServerName tnc.strongswan.org + ServerAlias tnc + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/tnc + + <Directory /var/www/tnc/config> + <Files wsgi.py> + Order deny,allow + Allow from all + </Files> + </Directory> + + WSGIScriptAlias / /var/www/tnc/config/wsgi.py + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + + ErrorLog ${APACHE_LOG_DIR}/tnc/error.log + LogLevel warn + CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined +</VirtualHost> diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules index 5b275392b..1586214d8 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules @@ -5,6 +5,10 @@ -P OUTPUT DROP -P FORWARD DROP +# open loopback interface +-A INPUT -i lo -j ACCEPT +-A OUTPUT -o lo -j ACCEPT + # allow PT-TLS -A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT -A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/django.db b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/django.db Binary files differnew file mode 100644 index 000000000..3866bfab0 --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/django.db diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini new file mode 100644 index 000000000..5d12736eb --- /dev/null +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini @@ -0,0 +1,19 @@ +[debug] +DEBUG=1 +TEMPLATE_DEBUG=1 +DEBUG_TOOLBAR=0 + +[db] +DJANGO_DB_URL=sqlite:////etc/strongTNC/django.db +STRONGTNC_DB_URL = sqlite:////etc/pts/config.db + +[localization] +LANGUAGE_CODE=en-us +TIME_ZONE=Europe/Zurich + +[admins] +Your Name: alice@strongswan.org + +[security] +SECRET_KEY=strongSwan + diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf index 21961d4b1..eb807b189 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf @@ -13,16 +13,17 @@ charon { } } -libtnccs { - plugins { - tnccs-20 { - max_batch_size = 131056 - max_message_size = 131024 - } - } +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 } libimcv { database = sqlite:///etc/pts/config.db policy_script = ipsec imv_policy_manager + + plugins { + imv-swid { + rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/ + } + } } diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options index f04e9472a..d485e9bf7 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options @@ -2,4 +2,5 @@ --client carol --secret "Ar3etTnp" --cert /etc/ipsec.d/cacerts/strongswanCert.pem ---debug 2 +--quiet +--debug 2 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf index 685a65250..29fdf0235 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf @@ -1,25 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file -libimcv { - plugins { - imc-os { - push_info = yes - } - imc-swid { - #swid_directory = /usr/share - } - } -} - -libtnccs { - plugins { - tnccs-20 { - max_batch_size = 131056 - max_message_size = 131024 - } - } -} - libtls { suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 } diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options index 46821ec73..ca3ca3aa1 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options @@ -3,4 +3,5 @@ --key /etc/ipsec.d/private/daveKey.pem --cert /etc/ipsec.d/certs/daveCert.pem --cert /etc/ipsec.d/cacerts/strongswanCert.pem +--quiet --debug 2 diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf index 4996d0307..0a7f048bf 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf @@ -6,20 +6,12 @@ libimcv { push_info = no } imc-swid { + swid_directory = /usr/share swid_pretty = yes } } } -libtnccs { - plugins { - tnccs-20 { - max_batch_size = 131056 - max_message_size = 131024 - } - } -} - libtls { suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 } diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat index c98df8671..b7da857a7 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/posttest.dat @@ -2,6 +2,7 @@ carol::ip route del 10.1.0.0/16 via 192.168.0.1 dave::ip route del 10.1.0.0/16 via 192.168.0.1 winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 alice::ipsec stop +alice::service apache2 stop alice::rm /etc/pts/config.db alice::iptables-restore < /etc/iptables.flush carol::iptables-restore < /etc/iptables.flush diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat index 97ff0c1ec..0918909fa 100644 --- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat +++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/pretest.dat @@ -8,12 +8,15 @@ dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id dave::cat /etc/tnc_config alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db +alice::service apache2 start alice::ipsec start +alice::sleep 1 winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 -carol::ip route add 10.1.0.0/16 via 192.168.0.1 -carol::cat /etc/pts/options -carol::ipsec pt-tls-client --optionsfrom /etc/pts/options dave::ip route add 10.1.0.0/16 via 192.168.0.1 dave::cat /etc/pts/options dave::ipsec pt-tls-client --optionsfrom /etc/pts/options -dave::sleep 1 +carol::ip route add 10.1.0.0/16 via 192.168.0.1 +carol::cat /etc/pts/options +carol::ipsec pt-tls-client --optionsfrom /etc/pts/options +carol::sleep 1 diff --git a/testing/tnccs-20-pdp-eap/description.txt b/testing/tnccs-20-pdp-eap/description.txt new file mode 100644 index 000000000..a178211e1 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/description.txt @@ -0,0 +1,12 @@ +The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to the policy enforcement +point <b>moon</b>. At the outset the gateway authenticates itself to the clients by sending an IKEv2 +<b>RSA signature</b> accompanied by a certificate. <b>carol</b> and <b>dave</b> then set up an +<b>EAP-TTLS</b> tunnel each via gateway <b>moon</b> to the policy decision point <b>alice</b> +authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak +client authentication based on <b>EAP-MD5</b>. In a next step the EAP-TNC protocol is used within +the EAP-TTLS tunnel to determine the health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0</b> +client-server interface defined by <b>RFC 5793 PB-TNC</b>. The communication between IMCs and IMVs +is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>. +<p> +<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the clients +are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively. diff --git a/testing/tnccs-20-pdp-eap/evaltest.dat b/testing/tnccs-20-pdp-eap/evaltest.dat new file mode 100644 index 000000000..9a477bd04 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/evaltest.dat @@ -0,0 +1,29 @@ +dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES +dave:: cat /var/log/daemon.log::collected 372 SWID tags::YES +dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES +dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES +carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES +carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES +carol::cat /var/log/daemon.log::collected 373 SWID tag IDs::YES +carol::cat /var/log/daemon.log::collected 1 SWID tag::YES +carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES +carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES +carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES +alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by password::YES +alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and 372 SWID tags::YES +alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES +alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 9: allow - received inventory of 373 SWID tag IDs and 1 SWID tag::YES +moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES +moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES +moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES +moon:: cat /var/log/daemon.log::RADIUS authentication of 'carol' successful::YES +moon:: cat /var/log/daemon.log::authentication of '192.168.0.100' with EAP successful::YES +moon:: ipsec statusall 2>/dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES +moon:: ipsec statusall 2>/dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES +carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO +dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES +dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default b/testing/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default new file mode 100644 index 000000000..f6bf635f4 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/default @@ -0,0 +1,24 @@ +WSGIPythonPath /var/www/tnc + +<VirtualHost *:80> + ServerName tnc.strongswan.org + ServerAlias tnc + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/tnc + + <Directory /var/www/tnc/config> + <Files wsgi.py> + Order deny,allow + Allow from all + </Files> + </Directory> + + WSGIScriptAlias / /var/www/tnc/config/wsgi.py + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + + ErrorLog ${APACHE_LOG_DIR}/tnc/error.log + LogLevel warn + CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined +</VirtualHost> diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf b/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..f2e611952 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.conf @@ -0,0 +1,9 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imv 3" + +conn aaa + leftcert=aaaCert.pem + leftid=aaa.strongswan.org + auto=add diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem new file mode 100644 index 000000000..6aeb0c0b1 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R +RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm +Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W +Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF +AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni +wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg +EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y +Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa +yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp +iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2 +bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d +HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr +EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4 +v42sww== +-----END CERTIFICATE----- diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem new file mode 100644 index 000000000..da8cdb051 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx +bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh +9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ +/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp +NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR +BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds +Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi +NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV +IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3 +Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI +aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X +YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq +b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If +/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN +P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X +V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t +cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c +PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m +a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo +NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b +xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/ +J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5 +YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ +SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu +EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b +-----END RSA PRIVATE KEY----- diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets b/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..11d45cd14 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/alice/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA aaaKey.pem + +carol : EAP "Ar3etTnp" +dave : EAP "W7R0g3do" diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql b/testing/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql new file mode 100644 index 000000000..8adc45915 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/alice/etc/pts/data1.sql @@ -0,0 +1,61 @@ +/* Devices */ + +INSERT INTO devices ( /* 1 */ + value, product, created +) VALUES ( + 'aabbccddeeff11223344556677889900', 42, 1372330615 +); + +/* Groups Members */ + +INSERT INTO groups_members ( + group_id, device_id +) VALUES ( + 10, 1 +); + +/* Identities */ + +INSERT INTO identities ( + type, value +) VALUES ( /* dave@strongswan.org */ + 5, X'64617665' +); + +/* Sessions */ + +INSERT INTO sessions ( + time, connection, identity, device, product, rec +) VALUES ( + NOW, 1, 1, 1, 42, 0 +); + +/* Results */ + +INSERT INTO results ( + session, policy, rec, result +) VALUES ( + 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found' +); + +/* Enforcements */ + +INSERT INTO enforcements ( + policy, group_id, max_age, rec_fail, rec_noresult +) VALUES ( + 3, 10, 0, 2, 2 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 17, 2, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 18, 10, 86400 +); + +DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/django.db b/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/django.db Binary files differnew file mode 100644 index 000000000..3866bfab0 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/django.db diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini b/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini new file mode 100644 index 000000000..5d12736eb --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongTNC/settings.ini @@ -0,0 +1,19 @@ +[debug] +DEBUG=1 +TEMPLATE_DEBUG=1 +DEBUG_TOOLBAR=0 + +[db] +DJANGO_DB_URL=sqlite:////etc/strongTNC/django.db +STRONGTNC_DB_URL = sqlite:////etc/pts/config.db + +[localization] +LANGUAGE_CODE=en-us +TIME_ZONE=Europe/Zurich + +[admins] +Your Name: alice@strongswan.org + +[security] +SECRET_KEY=strongSwan + diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..a60f1dead --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf @@ -0,0 +1,35 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite + + plugins { + eap-ttls { + phase2_method = md5 + phase2_piggyback = yes + phase2_tnc = yes + max_message_count = 0 + } + eap-tnc { + max_message_count = 0 + } + tnc-pdp { + server = aaa.strongswan.org + radius { + secret = gv6URkSs + } + } + } +} + +libimcv { + debug_level = 3 + database = sqlite:///etc/pts/config.db + policy_script = ipsec imv_policy_manager + + plugins { + imv-swid { + rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/ + } + } +} diff --git a/testing/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config b/testing/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..ebe88bc99 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan client + +IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so +IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so diff --git a/testing/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf b/testing/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..6e6430e4d --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_CAROL + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + eap_identity=carol + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets b/testing/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..23d79cf2e --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +carol : EAP "Ar3etTnp" diff --git a/testing/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf b/testing/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..c040f0997 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/carol/etc/strongswan.conf @@ -0,0 +1,18 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + + plugins { + eap-ttls { + max_message_count = 0 + } + eap-tnc { + max_message_count = 0 + } + tnccs-20 { + max_batch_size = 32754 + max_message_size = 32722 + } + } +} diff --git a/testing/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config b/testing/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..a954883a4 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so diff --git a/testing/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf b/testing/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..4846af279 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.conf @@ -0,0 +1,23 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tnc 2, imc 3" + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn home + left=PH_IP_DAVE + leftauth=eap + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + rightauth=pubkey + eap_identity=dave + aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" + auto=add diff --git a/testing/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets b/testing/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..02e0c9963 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +dave : EAP "W7R0g3do" diff --git a/testing/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..cd9efeecb --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf @@ -0,0 +1,30 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown + + plugins { + eap-ttls { + max_message_count = 0 + } + eap-tnc { + max_message_count = 0 + } + tnccs-20 { + max_batch_size = 32754 + max_message_size = 32722 + } + } +} + +libimcv { + plugins { + imc-os { + push_info = no + } + imc-swid { + swid_directory = /usr/share + swid_pretty = no + } + } +} diff --git a/testing/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config b/testing/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a954883a4 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so diff --git a/testing/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf b/testing/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..02ada5665 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.conf @@ -0,0 +1,33 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + +conn rw-allow + rightgroups=allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + rightgroups=isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + +conn rw-eap + left=PH_IP_MOON + leftcert=moonCert.pem + leftid=@moon.strongswan.org + leftauth=pubkey + leftfirewall=yes + rightauth=eap-radius + rightsendcert=never + right=%any + eap_identity=%any diff --git a/testing/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets b/testing/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..e86d6aa5c --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA moonKey.pem diff --git a/testing/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules b/testing/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules new file mode 100644 index 000000000..1eb755354 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/moon/etc/iptables.rules @@ -0,0 +1,32 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow esp +-A INPUT -i eth0 -p 50 -j ACCEPT +-A OUTPUT -o eth0 -p 50 -j ACCEPT + +# allow IKE +-A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT + +# allow MobIKE +-A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT +-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT + +# allow RADIUS protocol with alice +-A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT +-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT + +COMMIT diff --git a/testing/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf b/testing/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..d32951866 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/hosts/moon/etc/strongswan.conf @@ -0,0 +1,14 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown + multiple_authentication=no + plugins { + eap-radius { + secret = gv6URkSs + #server = PH_IP6_ALICE + server = PH_IP_ALICE + filter_id = yes + } + } +} diff --git a/testing/tnccs-20-pdp-eap/posttest.dat b/testing/tnccs-20-pdp-eap/posttest.dat new file mode 100644 index 000000000..1e5c3f8cd --- /dev/null +++ b/testing/tnccs-20-pdp-eap/posttest.dat @@ -0,0 +1,9 @@ +moon::ipsec stop +carol::ipsec stop +dave::ipsec stop +alice::ipsec stop +alice::service apache2 stop +alice::rm /etc/pts/config.db +moon::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tnccs-20-pdp-eap/pretest.dat b/testing/tnccs-20-pdp-eap/pretest.dat new file mode 100644 index 000000000..6c7477786 --- /dev/null +++ b/testing/tnccs-20-pdp-eap/pretest.dat @@ -0,0 +1,20 @@ +moon::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +dave::cat /etc/tnc_config +carol::echo 0 > /proc/sys/net/ipv4/ip_forward +dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id +alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql +alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db +alice::service apache2 start +alice::ipsec start +moon::ipsec start +dave::ipsec start +carol::ipsec start +carol::sleep 1 +dave::ipsec up home +carol::ipsec up home +carol::sleep 1 diff --git a/testing/tnccs-20-pdp-eap/test.conf b/testing/tnccs-20-pdp-eap/test.conf new file mode 100644 index 000000000..c4ca1a19f --- /dev/null +++ b/testing/tnccs-20-pdp-eap/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice venus moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave alice" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= + diff --git a/testing/tnccs-20-pdp-pt-tls/description.txt b/testing/tnccs-20-pdp-pt-tls/description.txt new file mode 100644 index 000000000..45a77e900 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/description.txt @@ -0,0 +1,9 @@ +The PT-TLS (RFC 6876) clients <b>carol</b> and <b>dave</b> set up a connection each to the policy decision +point (PDP) <b>alice</b>. <b>carol</b> uses password-based SASL PLAIN client authentication during the +<b>PT-TLS negotiation phase</b> and <b>dave</b> uses certificate-based TLS client authentication during the +<b>TLS setup phase</b>. +<p/> +During the ensuing <b>PT-TLS data transport phase</b> the <b>OS</b> and <b>SWID</b> IMC/IMV pairs +loaded by the PT-TLS clients and PDP, respectively, exchange PA-TNC (RFC 5792) messages +embedded in PB-TNC (RFC 5793) batches. The <b>SWID</b> IMC on <b>carol</b> is requested to deliver +a concise <b>SWID Tag ID Inventory</b> whereas <b>dave</b> must send a full <b>SWID Tag Inventory</b>. diff --git a/testing/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tnccs-20-pdp-pt-tls/evaltest.dat new file mode 100644 index 000000000..a9457ec2e --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/evaltest.dat @@ -0,0 +1,19 @@ +dave:: cat/var/log/auth.log::received SASL Success result::YES +dave:: cat /var/log/auth.log::collected 372 SWID tags::YES +carol::cat/var/log/auth.log::received SASL Success result::YES +carol::cat /var/log/auth.log::collected 373 SWID tag IDs::YES +carol::cat /var/log/auth.log::collected 1 SWID tag::YES +alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_DAVE::YES +alice::cat /var/log/daemon.log::checking certificate status of.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org::YES +alice::cat /var/log/daemon.log::certificate status is good::YES +alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES +alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES +alice::cat /var/log/daemon.log::received SWID tag inventory with 372 items for request 3 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES +alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES +alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES +alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES +alice::cat /var/log/daemon.log::received SWID tag ID inventory with 373 items for request 9 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::1 SWID tag target::YES +alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES +alice::cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default new file mode 100644 index 000000000..f6bf635f4 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/default @@ -0,0 +1,24 @@ +WSGIPythonPath /var/www/tnc + +<VirtualHost *:80> + ServerName tnc.strongswan.org + ServerAlias tnc + ServerAdmin webmaster@localhost + + DocumentRoot /var/www/tnc + + <Directory /var/www/tnc/config> + <Files wsgi.py> + Order deny,allow + Allow from all + </Files> + </Directory> + + WSGIScriptAlias / /var/www/tnc/config/wsgi.py + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + + ErrorLog ${APACHE_LOG_DIR}/tnc/error.log + LogLevel warn + CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined +</VirtualHost> diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf new file mode 100644 index 000000000..7b2118f7e --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.conf @@ -0,0 +1,9 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + charondebug="tls 2, tnc 2, imv 3" + +conn aaa + leftcert=aaaCert.pem + leftid=aaa.strongswan.org + auto=add diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem new file mode 100644 index 000000000..6aeb0c0b1 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/certs/aaaCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z +dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R +RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm +Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W +Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF +AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni +wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg +EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD +AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd +p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT +EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB +ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB +BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y +Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa +yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp +iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2 +bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d +HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr +EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4 +v42sww== +-----END CERTIFICATE----- diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem new file mode 100644 index 000000000..da8cdb051 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.d/private/aaaKey.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx +bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh +9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ +/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp +NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR +BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds +Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi +NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV +IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3 +Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI +aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X +YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq +b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If +/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN +P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X +V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t +cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c +PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m +a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo +NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b +xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/ +J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5 +YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ +SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu +EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b +-----END RSA PRIVATE KEY----- diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..11d45cd14 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/ipsec.secrets @@ -0,0 +1,6 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +: RSA aaaKey.pem + +carol : EAP "Ar3etTnp" +dave : EAP "W7R0g3do" diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules new file mode 100644 index 000000000..1586214d8 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules @@ -0,0 +1,24 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# open loopback interface +-A INPUT -i lo -j ACCEPT +-A OUTPUT -o lo -j ACCEPT + +# allow PT-TLS +-A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +COMMIT diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql new file mode 100644 index 000000000..14f9d7de6 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/pts/data1.sql @@ -0,0 +1,61 @@ +/* Devices */ + +INSERT INTO devices ( /* 1 */ + value, product, created +) VALUES ( + 'aabbccddeeff11223344556677889900', 42, 1372330615 +); + +/* Groups Members */ + +INSERT INTO groups_members ( + group_id, device_id +) VALUES ( + 10, 1 +); + +/* Identities */ + +INSERT INTO identities ( + type, value +) VALUES ( /* dave@strongswan.org */ + 4, X'64617665407374726f6e677377616e2e6f7267' +); + +/* Sessions */ + +INSERT INTO sessions ( + time, connection, identity, device, product, rec +) VALUES ( + NOW, 1, 1, 1, 42, 0 +); + +/* Results */ + +INSERT INTO results ( + session, policy, rec, result +) VALUES ( + 1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found' +); + +/* Enforcements */ + +INSERT INTO enforcements ( + policy, group_id, max_age, rec_fail, rec_noresult +) VALUES ( + 3, 10, 0, 2, 2 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 17, 2, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 18, 10, 86400 +); + +DELETE FROM enforcements WHERE id = 1; diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/django.db b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/django.db Binary files differnew file mode 100644 index 000000000..3866bfab0 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/django.db diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini new file mode 100644 index 000000000..5d12736eb --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongTNC/settings.ini @@ -0,0 +1,19 @@ +[debug] +DEBUG=1 +TEMPLATE_DEBUG=1 +DEBUG_TOOLBAR=0 + +[db] +DJANGO_DB_URL=sqlite:////etc/strongTNC/django.db +STRONGTNC_DB_URL = sqlite:////etc/pts/config.db + +[localization] +LANGUAGE_CODE=en-us +TIME_ZONE=Europe/Zurich + +[admins] +Your Name: alice@strongswan.org + +[security] +SECRET_KEY=strongSwan + diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf new file mode 100644 index 000000000..eb807b189 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf @@ -0,0 +1,29 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 nonce x509 revocation constraints openssl socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite + + plugins { + tnc-pdp { + server = aaa.strongswan.org + radius { + secret = gv6URkSs + } + } + } +} + +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +} + +libimcv { + database = sqlite:///etc/pts/config.db + policy_script = ipsec imv_policy_manager + + plugins { + imv-swid { + rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/ + } + } +} diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config new file mode 100644 index 000000000..ebe88bc99 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/alice/etc/tnc_config @@ -0,0 +1,4 @@ +#IMV configuration file for strongSwan client + +IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so +IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf new file mode 100644 index 000000000..4a41e7ed9 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.conf @@ -0,0 +1,3 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +# the PT-TLS client reads its configuration via the command line diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..d2f6378b8 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# the PT-TLS client loads its secrets via the command line diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql new file mode 100644 index 000000000..805c8bfd9 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/ipsec.sql @@ -0,0 +1,4 @@ +/* strongSwan SQLite database */ + +/* configuration is read from the command line */ +/* credentials are read from the command line */ diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules new file mode 100644 index 000000000..d01d0a3c9 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/iptables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow PT-TLS +-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT +-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +COMMIT diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options new file mode 100644 index 000000000..d485e9bf7 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/pts/options @@ -0,0 +1,6 @@ +--connect aaa.strongswan.org +--client carol +--secret "Ar3etTnp" +--cert /etc/ipsec.d/cacerts/strongswanCert.pem +--quiet +--debug 2 diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..29fdf0235 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/strongswan.conf @@ -0,0 +1,9 @@ +# /etc/strongswan.conf - strongSwan configuration file + +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +} + +pt-tls-client { + load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20 +} diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config new file mode 100644 index 000000000..f40174e57 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/carol/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf new file mode 100644 index 000000000..4a41e7ed9 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.conf @@ -0,0 +1,3 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +# the PT-TLS client reads its configuration via the command line diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..d2f6378b8 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# the PT-TLS client loads its secrets via the command line diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql new file mode 100644 index 000000000..805c8bfd9 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/ipsec.sql @@ -0,0 +1,4 @@ +/* strongSwan SQLite database */ + +/* configuration is read from the command line */ +/* credentials are read from the command line */ diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules new file mode 100644 index 000000000..d01d0a3c9 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/iptables.rules @@ -0,0 +1,20 @@ +*filter + +# default policy is DROP +-P INPUT DROP +-P OUTPUT DROP +-P FORWARD DROP + +# allow PT-TLS +-A INPUT -i eth0 -s 10.1.0.10 -p tcp --sport 271 -j ACCEPT +-A OUTPUT -o eth0 -d 10.1.0.10 -p tcp --dport 271 -j ACCEPT + +# allow ssh +-A INPUT -p tcp --dport 22 -j ACCEPT +-A OUTPUT -p tcp --sport 22 -j ACCEPT + +# allow crl fetch from winnetou +-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT +-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT + +COMMIT diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options new file mode 100644 index 000000000..ca3ca3aa1 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/pts/options @@ -0,0 +1,7 @@ +--connect aaa.strongswan.org +--client dave@strongswan.org +--key /etc/ipsec.d/private/daveKey.pem +--cert /etc/ipsec.d/certs/daveCert.pem +--cert /etc/ipsec.d/cacerts/strongswanCert.pem +--quiet +--debug 2 diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..0a7f048bf --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/strongswan.conf @@ -0,0 +1,21 @@ +# /etc/strongswan.conf - strongSwan configuration file + +libimcv { + plugins { + imc-os { + push_info = no + } + imc-swid { + swid_directory = /usr/share + swid_pretty = yes + } + } +} + +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +} + +pt-tls-client { + load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20 +} diff --git a/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..f40174e57 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/hosts/dave/etc/tnc_config @@ -0,0 +1,4 @@ +#IMC configuration file for strongSwan client + +IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so +IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so diff --git a/testing/tnccs-20-pdp-pt-tls/posttest.dat b/testing/tnccs-20-pdp-pt-tls/posttest.dat new file mode 100644 index 000000000..b7da857a7 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/posttest.dat @@ -0,0 +1,9 @@ +carol::ip route del 10.1.0.0/16 via 192.168.0.1 +dave::ip route del 10.1.0.0/16 via 192.168.0.1 +winnetou::ip route del 10.1.0.0/16 via 192.168.0.1 +alice::ipsec stop +alice::service apache2 stop +alice::rm /etc/pts/config.db +alice::iptables-restore < /etc/iptables.flush +carol::iptables-restore < /etc/iptables.flush +dave::iptables-restore < /etc/iptables.flush diff --git a/testing/tnccs-20-pdp-pt-tls/pretest.dat b/testing/tnccs-20-pdp-pt-tls/pretest.dat new file mode 100644 index 000000000..0918909fa --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/pretest.dat @@ -0,0 +1,22 @@ +alice::iptables-restore < /etc/iptables.rules +carol::iptables-restore < /etc/iptables.rules +dave::iptables-restore < /etc/iptables.rules +alice::cat /etc/tnc_config +carol::cat /etc/tnc_config +carol::echo 0 > /proc/sys/net/ipv4/ip_forward +dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id +dave::cat /etc/tnc_config +alice::sed -i "s/NOW/`date +%s`/g" /etc/pts/data1.sql +alice::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db +alice::chgrp www-data /etc/pts/config.db; chmod g+w /etc/pts/config.db +alice::service apache2 start +alice::ipsec start +alice::sleep 1 +winnetou::ip route add 10.1.0.0/16 via 192.168.0.1 +dave::ip route add 10.1.0.0/16 via 192.168.0.1 +dave::cat /etc/pts/options +dave::ipsec pt-tls-client --optionsfrom /etc/pts/options +carol::ip route add 10.1.0.0/16 via 192.168.0.1 +carol::cat /etc/pts/options +carol::ipsec pt-tls-client --optionsfrom /etc/pts/options +carol::sleep 1 diff --git a/testing/tnccs-20-pdp-pt-tls/test.conf b/testing/tnccs-20-pdp-pt-tls/test.conf new file mode 100644 index 000000000..0887e4d09 --- /dev/null +++ b/testing/tnccs-20-pdp-pt-tls/test.conf @@ -0,0 +1,26 @@ +#!/bin/bash +# +# This configuration file provides information on the +# guest instances used for this test + +# All guest instances that are required for this test +# +VIRTHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# Guest instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# Guest instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="carol dave alice" + +# Guest instances on which FreeRadius is started +# +RADIUSHOSTS= + |