final cosmetics in PB-TNC debug output
[strongswan.git] / src / libcharon / plugins / tnccs_20 / batch / pb_tnc_batch.c
1 /*
2 * Copyright (C) 2010 Sansar Choinyanbuu
3 * Copyright (C) 2010 Andreas Steffen
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "pb_tnc_batch.h"
18 #include "messages/pb_error_msg.h"
19 #include "state_machine/pb_tnc_state_machine.h"
20
21 #include <debug.h>
22 #include <utils/linked_list.h>
23 #include <tls_writer.h>
24 #include <tls_reader.h>
25 #include <tnc/tnccs/tnccs.h>
26
27 ENUM(pb_tnc_batch_type_names, PB_BATCH_CDATA, PB_BATCH_CLOSE,
28 "CDATA",
29 "SDATA",
30 "RESULT",
31 "CRETRY",
32 "SRETRY",
33 "CLOSE"
34 );
35
36 typedef struct private_pb_tnc_batch_t private_pb_tnc_batch_t;
37
38 /**
39 * PB-Batch Header (see section 4.1 of RFC 5793)
40 *
41 * 0 1 2 3
42 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
43 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
44 * | Version |D| Reserved | B-Type|
45 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
46 * | Batch Length |
47 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
48 */
49
50 #define PB_TNC_BATCH_FLAG_NONE 0x00
51 #define PB_TNC_BATCH_FLAG_D (1<<7)
52 #define PB_TNC_BATCH_HEADER_SIZE 8
53
54 /**
55 * PB-TNC Message (see section 4.2 of RFC 5793)
56 *
57 * 0 1 2 3
58 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
59 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
60 * | Flags | PB-TNC Vendor ID |
61 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
62 * | PB-TNC Message Type |
63 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
64 * | PB-TNC Message Length |
65 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
66 * | PB-TNC Message Value (Variable Length) |
67 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
68 */
69
70 #define PB_TNC_FLAG_NONE 0x00
71 #define PB_TNC_FLAG_NOSKIP (1<<7)
72 #define PB_TNC_HEADER_SIZE 12
73
74 #define PB_TNC_RESERVED_MSG_TYPE 0xffffffff
75
76 /**
77 * Private data of a pb_tnc_batch_t object.
78 *
79 */
80 struct private_pb_tnc_batch_t {
81 /**
82 * Public pb_pa_msg_t interface.
83 */
84 pb_tnc_batch_t public;
85
86 /**
87 * TNCC if TRUE, TNCS if FALSE
88 */
89 bool is_server;
90
91 /**
92 * PB-TNC Batch type
93 */
94 pb_tnc_batch_type_t type;
95
96 /**
97 * linked list of PB-TNC messages
98 */
99 linked_list_t *messages;
100
101 /**
102 * linked list of PB-TNC error messages
103 */
104 linked_list_t *errors;
105
106 /**
107 * Encoded message
108 */
109 chunk_t encoding;
110
111 /**
112 * Offset into encoding (used for error reporting)
113 */
114 u_int32_t offset;
115 };
116
117 METHOD(pb_tnc_batch_t, get_type, pb_tnc_batch_type_t,
118 private_pb_tnc_batch_t *this)
119 {
120 return this->type;
121 }
122
123 METHOD(pb_tnc_batch_t, get_encoding, chunk_t,
124 private_pb_tnc_batch_t *this)
125 {
126 return this->encoding;
127 }
128
129 METHOD(pb_tnc_batch_t, add_msg, void,
130 private_pb_tnc_batch_t *this, pb_tnc_msg_t* msg)
131 {
132 DBG2(DBG_TNC, "adding %N message", pb_tnc_msg_type_names,
133 msg->get_type(msg));
134 this->messages->insert_last(this->messages, msg);
135 }
136
137 METHOD(pb_tnc_batch_t, build, void,
138 private_pb_tnc_batch_t *this)
139 {
140 u_int32_t batch_len, msg_len;
141 chunk_t msg_value;
142 enumerator_t *enumerator;
143 pb_tnc_msg_type_t msg_type;
144 pb_tnc_msg_t *msg;
145 tls_writer_t *writer;
146
147 /* compute total PB-TNC batch size by summing over all messages */
148 batch_len = PB_TNC_BATCH_HEADER_SIZE;
149 enumerator = this->messages->create_enumerator(this->messages);
150 while (enumerator->enumerate(enumerator, &msg))
151 {
152 msg->build(msg);
153 msg_value = msg->get_encoding(msg);
154 batch_len += PB_TNC_HEADER_SIZE + msg_value.len;
155 }
156 enumerator->destroy(enumerator);
157
158 /* build PB-TNC batch header */
159 writer = tls_writer_create(batch_len);
160 writer->write_uint8 (writer, PB_TNC_VERSION);
161 writer->write_uint8 (writer, this->is_server ?
162 PB_TNC_BATCH_FLAG_D : PB_TNC_BATCH_FLAG_NONE);
163 writer->write_uint16(writer, this->type);
164 writer->write_uint32(writer, batch_len);
165
166 /* build PB-TNC messages */
167 enumerator = this->messages->create_enumerator(this->messages);
168 while (enumerator->enumerate(enumerator, &msg))
169 {
170 u_int8_t flags = PB_TNC_FLAG_NONE;
171
172 /* build PB-TNC message */
173 msg_value = msg->get_encoding(msg);
174 msg_len = PB_TNC_HEADER_SIZE + msg_value.len;
175 msg_type = msg->get_type(msg);
176 if (pb_tnc_msg_infos[msg_type].has_noskip_flag)
177 {
178 flags |= PB_TNC_FLAG_NOSKIP;
179 }
180 writer->write_uint8 (writer, flags);
181 writer->write_uint24(writer, IETF_VENDOR_ID);
182 writer->write_uint32(writer, msg_type);
183 writer->write_uint32(writer, msg_len);
184 writer->write_data (writer, msg_value);
185 }
186 enumerator->destroy(enumerator);
187
188 this->encoding = chunk_clone(writer->get_buf(writer));
189 writer->destroy(writer);
190 }
191
192 static status_t process_batch_header(private_pb_tnc_batch_t *this,
193 pb_tnc_state_machine_t *state_machine)
194 {
195 tls_reader_t *reader;
196 pb_tnc_msg_t *msg;
197 pb_error_msg_t *err_msg;
198 u_int8_t version, flags, reserved, type;
199 u_int32_t batch_len;
200 bool directionality;
201
202 if (this->encoding.len < PB_TNC_BATCH_HEADER_SIZE)
203 {
204 DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC batch header",
205 this->encoding.len);
206 msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
207 PB_ERROR_INVALID_PARAMETER, 0);
208 goto fatal;
209 }
210
211 reader = tls_reader_create(this->encoding);
212 reader->read_uint8 (reader, &version);
213 reader->read_uint8 (reader, &flags);
214 reader->read_uint8 (reader, &reserved);
215 reader->read_uint8 (reader, &type);
216 reader->read_uint32(reader, &batch_len);
217 reader->destroy(reader);
218
219 /* Version */
220 if (version != PB_TNC_VERSION)
221 {
222 DBG1(DBG_TNC, "unsupported TNCCS batch version 0x%01x", version);
223 msg = pb_error_msg_create(TRUE, IETF_VENDOR_ID,
224 PB_ERROR_VERSION_NOT_SUPPORTED);
225 err_msg = (pb_error_msg_t*)msg;
226 err_msg->set_bad_version(err_msg, version);
227 goto fatal;
228 }
229
230 /* Directionality */
231 directionality = (flags & PB_TNC_BATCH_FLAG_D) != PB_TNC_BATCH_FLAG_NONE;
232 if (directionality == this->is_server)
233 {
234 DBG1(DBG_TNC, "wrong Directionality: batch is from a PB %s",
235 directionality ? "server" : "client");
236 msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
237 PB_ERROR_INVALID_PARAMETER, 1);
238 goto fatal;
239 }
240
241 /* Batch Type */
242 this->type = type & 0x0F;
243 if (this->type > PB_BATCH_ROOF)
244 {
245 DBG1(DBG_TNC, "unknown PB-TNC batch type: %d", this->type);
246 msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
247 PB_ERROR_INVALID_PARAMETER, 3);
248 goto fatal;
249 }
250
251 if (!state_machine->receive_batch(state_machine, this->type))
252 {
253 DBG1(DBG_TNC, "unexpected PB-TNC batch type: %N",
254 pb_tnc_batch_type_names, this->type);
255 msg = pb_error_msg_create(TRUE, IETF_VENDOR_ID,
256 PB_ERROR_UNEXPECTED_BATCH_TYPE);
257 goto fatal;
258 }
259
260 /* Batch Length */
261 if (this->encoding.len != batch_len)
262 {
263 DBG1(DBG_TNC, "%u bytes of data is not equal to batch length of %u bytes",
264 this->encoding.len, batch_len);
265 msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
266 PB_ERROR_INVALID_PARAMETER, 4);
267 goto fatal;
268 }
269
270 this->offset = PB_TNC_BATCH_HEADER_SIZE;
271 return SUCCESS;
272
273 fatal:
274 this->errors->insert_last(this->errors, msg);
275 return FAILED;
276 }
277
278 static status_t process_tnc_msg(private_pb_tnc_batch_t *this)
279 {
280 tls_reader_t *reader;
281 pb_tnc_msg_t *pb_tnc_msg, *msg;
282 u_int8_t flags;
283 u_int32_t vendor_id, msg_type, msg_len, offset;
284 chunk_t data, msg_value;
285 bool noskip_flag;
286 status_t status;
287
288 data = chunk_skip(this->encoding, this->offset);
289
290 if (data.len < PB_TNC_HEADER_SIZE)
291 {
292 DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC message header",
293 data.len);
294 msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
295 PB_ERROR_INVALID_PARAMETER, this->offset);
296 goto fatal;
297 }
298
299 reader = tls_reader_create(data);
300 reader->read_uint8 (reader, &flags);
301 reader->read_uint24(reader, &vendor_id);
302 reader->read_uint32(reader, &msg_type);
303 reader->read_uint32(reader, &msg_len);
304 reader->destroy(reader);
305
306 noskip_flag = (flags & PB_TNC_FLAG_NOSKIP) != PB_TNC_FLAG_NONE;
307
308 if (msg_len > data.len)
309 {
310 DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC message", data.len);
311 msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
312 PB_ERROR_INVALID_PARAMETER, this->offset + 8);
313 goto fatal;
314 }
315
316 if (vendor_id == RESERVED_VENDOR_ID)
317 {
318 DBG1(DBG_TNC, "Vendor ID 0x%06x is reserved", RESERVED_VENDOR_ID);
319 msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
320 PB_ERROR_INVALID_PARAMETER, this->offset + 1);
321 goto fatal;
322
323 }
324
325 if (msg_type == PB_TNC_RESERVED_MSG_TYPE)
326 {
327 DBG1(DBG_TNC, "PB-TNC message Type 0x%08x is reserved",
328 PB_TNC_RESERVED_MSG_TYPE);
329 msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
330 PB_ERROR_INVALID_PARAMETER, this->offset + 4);
331 goto fatal;
332 }
333
334
335 if (vendor_id != IETF_VENDOR_ID || msg_type > PB_MSG_ROOF)
336 {
337 if (msg_len < PB_TNC_HEADER_SIZE)
338 {
339 DBG1(DBG_TNC, "%u bytes too small for PB-TNC message length",
340 msg_len);
341 msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
342 PB_ERROR_INVALID_PARAMETER, this->offset + 8);
343 goto fatal;
344 }
345
346 if (noskip_flag)
347 {
348 DBG1(DBG_TNC, "reject PB-TNC message (Vendor ID 0x%06x / "
349 "Type 0x%08x)", vendor_id, msg_type);
350 msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
351 PB_ERROR_UNSUPPORTED_MANDATORY_MSG, this->offset);
352 goto fatal;
353 }
354 else
355 {
356 DBG1(DBG_TNC, "ignore PB-TNC message (Vendor ID 0x%06x / "
357 "Type 0x%08x)", vendor_id, msg_type);
358 this->offset += msg_len;
359 return SUCCESS;
360 }
361 }
362 else
363 {
364 if (pb_tnc_msg_infos[msg_type].has_noskip_flag != TRUE_OR_FALSE &&
365 pb_tnc_msg_infos[msg_type].has_noskip_flag != noskip_flag)
366 {
367 DBG1(DBG_TNC, "%N message must%s have NOSKIP flag set",
368 pb_tnc_msg_type_names, msg_type,
369 pb_tnc_msg_infos[msg_type].has_noskip_flag ? "" : " not");
370 msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
371 PB_ERROR_INVALID_PARAMETER, this->offset);
372 goto fatal;
373 }
374
375 if (msg_len < pb_tnc_msg_infos[msg_type].min_size ||
376 (pb_tnc_msg_infos[msg_type].exact_size &&
377 msg_len != pb_tnc_msg_infos[msg_type].min_size))
378 {
379 DBG1(DBG_TNC, "%N message length must be %s %u bytes but is %u bytes",
380 pb_tnc_msg_type_names, msg_type,
381 pb_tnc_msg_infos[msg_type].exact_size ? "exactly" : "at least",
382 pb_tnc_msg_infos[msg_type].min_size, msg_len);
383 msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
384 PB_ERROR_INVALID_PARAMETER, this->offset);
385 goto fatal;
386 }
387 }
388
389 if (pb_tnc_msg_infos[msg_type].in_result_batch &&
390 this->type != PB_BATCH_RESULT)
391 {
392 if (this->is_server)
393 {
394 DBG1(DBG_TNC,"reject %N message received from a PB-TNC client",
395 pb_tnc_msg_type_names, msg_type);
396 msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
397 PB_ERROR_INVALID_PARAMETER, this->offset);
398 goto fatal;
399 }
400 else
401 {
402 DBG1(DBG_TNC,"ignore %N message not received within RESULT batch",
403 pb_tnc_msg_type_names, msg_type);
404 this->offset += msg_len;
405 return SUCCESS;
406 }
407 }
408
409 DBG2(DBG_TNC, "processing %N message (%u bytes)", pb_tnc_msg_type_names,
410 msg_type, msg_len);
411 data.len = msg_len;
412 msg_value = chunk_skip(data, PB_TNC_HEADER_SIZE);
413 pb_tnc_msg = pb_tnc_msg_create_from_data(msg_type, msg_value);
414
415 status = pb_tnc_msg->process(pb_tnc_msg, &offset);
416 if (status == FAILED || status == VERIFY_ERROR)
417 {
418 msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID,
419 PB_ERROR_INVALID_PARAMETER, this->offset);
420 this->errors->insert_last(this->errors, msg);
421 }
422 if (status == FAILED)
423 {
424 pb_tnc_msg->destroy(pb_tnc_msg);
425 return FAILED;
426 }
427 this->messages->insert_last(this->messages, pb_tnc_msg);
428 this->offset += msg_len;
429 return status;
430
431 fatal:
432 this->errors->insert_last(this->errors, msg);
433 return FAILED;
434 }
435
436 METHOD(pb_tnc_batch_t, process, status_t,
437 private_pb_tnc_batch_t *this, pb_tnc_state_machine_t *state_machine)
438 {
439 status_t status;
440
441 status = process_batch_header(this, state_machine);
442 if (status != SUCCESS)
443 {
444 return FAILED;
445 }
446 DBG1(DBG_TNC, "processing PB-TNC %N batch", pb_tnc_batch_type_names,
447 this->type);
448 while (this->offset < this->encoding.len)
449 {
450 switch (process_tnc_msg(this))
451 {
452 case FAILED:
453 return FAILED;
454 case VERIFY_ERROR:
455 status = VERIFY_ERROR;
456 break;
457 case SUCCESS:
458 default:
459 break;
460 }
461 }
462 return status;
463 }
464
465 METHOD(pb_tnc_batch_t, create_msg_enumerator, enumerator_t*,
466 private_pb_tnc_batch_t *this)
467 {
468 return this->messages->create_enumerator(this->messages);
469 }
470
471 METHOD(pb_tnc_batch_t, create_error_enumerator, enumerator_t*,
472 private_pb_tnc_batch_t *this)
473 {
474 return this->errors->create_enumerator(this->errors);
475 }
476
477 METHOD(pb_tnc_batch_t, destroy, void,
478 private_pb_tnc_batch_t *this)
479 {
480 this->messages->destroy_offset(this->messages,
481 offsetof(pb_tnc_msg_t, destroy));
482 this->errors->destroy_offset(this->errors,
483 offsetof(pb_tnc_msg_t, destroy));
484 free(this->encoding.ptr);
485 free(this);
486 }
487
488 /**
489 * See header
490 */
491 pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type)
492 {
493 private_pb_tnc_batch_t *this;
494
495 INIT(this,
496 .public = {
497 .get_type = _get_type,
498 .get_encoding = _get_encoding,
499 .add_msg = _add_msg,
500 .build = _build,
501 .process = _process,
502 .create_msg_enumerator = _create_msg_enumerator,
503 .create_error_enumerator = _create_error_enumerator,
504 .destroy = _destroy,
505 },
506 .is_server = is_server,
507 .type = type,
508 .messages = linked_list_create(),
509 .errors = linked_list_create(),
510 );
511
512 DBG2(DBG_TNC, "creating PB-TNC %N batch", pb_tnc_batch_type_names, type);
513
514 return &this->public;
515 }
516
517 /**
518 * See header
519 */
520 pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data)
521 {
522 private_pb_tnc_batch_t *this;
523
524 INIT(this,
525 .public = {
526 .get_type = _get_type,
527 .get_encoding = _get_encoding,
528 .add_msg = _add_msg,
529 .build = _build,
530 .process = _process,
531 .create_msg_enumerator = _create_msg_enumerator,
532 .create_error_enumerator = _create_error_enumerator,
533 .destroy = _destroy,
534 },
535 .is_server = is_server,
536 .messages = linked_list_create(),
537 .errors = linked_list_create(),
538 .encoding = chunk_clone(data),
539 );
540
541 return &this->public;
542 }
543