140463b83ddcf7a59135819d316b27994775b6fd
[strongswan.git] / src / libimcv / pa_tnc / pa_tnc_msg.c
1 /*
2 * Copyright (C) 2011-2012 Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imcv.h"
17 #include "pa_tnc_msg.h"
18 #include "ietf/ietf_attr_pa_tnc_error.h"
19
20 #include <bio/bio_writer.h>
21 #include <bio/bio_reader.h>
22 #include <collections/linked_list.h>
23 #include <pen/pen.h>
24 #include <utils/debug.h>
25
26
27 typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
28
29 /**
30 * PA-TNC message header
31 *
32 * 1 2 3
33 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
34 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
35 * | Version | Reserved |
36 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
37 * | Message Identifier |
38 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
39 */
40
41 #define PA_TNC_HEADER_SIZE 8
42 #define PA_TNC_RESERVED 0x000000
43
44 /**
45 * PA-TNC attribute
46 *
47 * 1 2 3
48 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
49 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
50 * | Flags | PA-TNC Attribute Vendor ID |
51 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
52 * | PA-TNC Attribute Type |
53 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
54 * | PA-TNC Attribute Length |
55 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
56 * | Attribute Value (Variable Length) |
57 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
58 */
59
60 #define PA_TNC_ATTR_FLAG_NONE 0x00
61 #define PA_TNC_ATTR_FLAG_NOSKIP (1<<7)
62 #define PA_TNC_ATTR_HEADER_SIZE 12
63 #define PA_TNC_ATTR_INFO_SIZE 8
64
65 /**
66 * Private data of a pa_tnc_msg_t object.
67 *
68 */
69 struct private_pa_tnc_msg_t {
70
71 /**
72 * Public pa_tnc_msg_t interface.
73 */
74 pa_tnc_msg_t public;
75
76 /**
77 * List of PA-TNC attributes
78 */
79 linked_list_t *attributes;
80
81 /**
82 * linked list of PA-TNC error messages
83 */
84 linked_list_t *errors;
85
86 /**
87 * Message identifier
88 */
89 u_int32_t identifier;
90
91 /**
92 * Current PA-TNC Message size
93 */
94 size_t msg_len;
95
96 /**
97 * Maximum PA-TNC Message size
98 */
99 size_t max_msg_len;
100
101 /**
102 * Encoded message
103 */
104 chunk_t encoding;
105 };
106
107 METHOD(pa_tnc_msg_t, get_encoding, chunk_t,
108 private_pa_tnc_msg_t *this)
109 {
110 return this->encoding;
111 }
112
113 METHOD(pa_tnc_msg_t, add_attribute, bool,
114 private_pa_tnc_msg_t *this, pa_tnc_attr_t *attr)
115 {
116 chunk_t attr_value;
117 size_t attr_len;
118
119 attr->build(attr);
120 attr_value = attr->get_value(attr);
121 attr_len = PA_TNC_ATTR_HEADER_SIZE + attr_value.len;
122
123 if (this->max_msg_len && this->msg_len + attr_len > this->max_msg_len)
124 {
125 /* attribute just does not fit into this message */
126 return FALSE;
127 }
128 this->msg_len += attr_len;
129
130 this->attributes->insert_last(this->attributes, attr);
131 return TRUE;
132 }
133
134 METHOD(pa_tnc_msg_t, build, bool,
135 private_pa_tnc_msg_t *this)
136 {
137 bio_writer_t *writer;
138 enumerator_t *enumerator;
139 pa_tnc_attr_t *attr;
140 enum_name_t *pa_attr_names;
141 pen_type_t type;
142 u_int8_t flags;
143 chunk_t value;
144 nonce_gen_t *ng;
145
146 /* generate a nonce as a message identifier */
147 ng = lib->crypto->create_nonce_gen(lib->crypto);
148 if (!ng || !ng->get_nonce(ng, 4, (u_int8_t*)&this->identifier))
149 {
150 DBG1(DBG_TNC, "failed to generate random PA-TNC message identifier");
151 DESTROY_IF(ng);
152 return FALSE;
153 }
154 ng->destroy(ng);
155 DBG1(DBG_TNC, "creating PA-TNC message with ID 0x%08x", this->identifier);
156
157 /* build message header */
158 writer = bio_writer_create(this->msg_len);
159 writer->write_uint8 (writer, PA_TNC_VERSION);
160 writer->write_uint24(writer, PA_TNC_RESERVED);
161 writer->write_uint32(writer, this->identifier);
162
163 /* append encoded value of PA-TNC attributes */
164 enumerator = this->attributes->create_enumerator(this->attributes);
165 while (enumerator->enumerate(enumerator, &attr))
166 {
167 type = attr->get_type(attr);
168 value = attr->get_value(attr);
169 flags = attr->get_noskip_flag(attr) ? PA_TNC_ATTR_FLAG_NOSKIP :
170 PA_TNC_ATTR_FLAG_NONE;
171
172 pa_attr_names = imcv_pa_tnc_attributes->get_names(imcv_pa_tnc_attributes,
173 type.vendor_id);
174 if (pa_attr_names)
175 {
176 DBG2(DBG_TNC, "creating PA-TNC attribute type '%N/%N' "
177 "0x%06x/0x%08x", pen_names, type.vendor_id,
178 pa_attr_names, type.type, type.vendor_id, type.type);
179 }
180 else
181 {
182 DBG2(DBG_TNC, "creating PA-TNC attribute type '%N' "
183 "0x%06x/0x%08x", pen_names, type.vendor_id,
184 type.vendor_id, type.type);
185 }
186 DBG3(DBG_TNC, "%B", &value);
187
188 writer->write_uint8 (writer, flags);
189 writer->write_uint24(writer, type.vendor_id);
190 writer->write_uint32(writer, type.type);
191 writer->write_uint32(writer, PA_TNC_ATTR_HEADER_SIZE + value.len);
192 writer->write_data (writer, value);
193 }
194 enumerator->destroy(enumerator);
195
196 free(this->encoding.ptr);
197 this->encoding = writer->extract_buf(writer);
198 writer->destroy(writer);
199
200 return TRUE;
201 }
202
203 METHOD(pa_tnc_msg_t, process, status_t,
204 private_pa_tnc_msg_t *this)
205 {
206 bio_reader_t *reader;
207 pa_tnc_attr_t *error;
208 u_int8_t version;
209 u_int32_t reserved, offset, attr_offset;
210 pen_type_t error_code = { PEN_IETF, PA_ERROR_INVALID_PARAMETER };
211
212 /* process message header */
213 if (this->encoding.len < PA_TNC_HEADER_SIZE)
214 {
215 DBG1(DBG_TNC, "%u bytes insufficient to parse PA-TNC message header",
216 this->encoding.len);
217 return FAILED;
218 }
219 reader = bio_reader_create(this->encoding);
220 reader->read_uint8 (reader, &version);
221 reader->read_uint24(reader, &reserved);
222 reader->read_uint32(reader, &this->identifier);
223 DBG1(DBG_TNC, "processing PA-TNC message with ID 0x%08x", this->identifier);
224
225 if (version != PA_TNC_VERSION)
226 {
227 DBG1(DBG_TNC, "PA-TNC version %u not supported", version);
228 error_code = pen_type_create(PEN_IETF, PA_ERROR_VERSION_NOT_SUPPORTED);
229 error = ietf_attr_pa_tnc_error_create(error_code, this->encoding);
230 goto err;
231 }
232
233 /* offset of the first PA-TNC attribute in the PA-TNC message */
234 offset = PA_TNC_HEADER_SIZE;
235
236 /* pre-process PA-TNC attributes */
237 while (reader->remaining(reader) >= PA_TNC_ATTR_HEADER_SIZE)
238 {
239 pen_t vendor_id;
240 u_int8_t flags;
241 u_int32_t type, length;
242 chunk_t value, attr_info;
243 pa_tnc_attr_t *attr;
244 enum_name_t *pa_attr_names;
245 ietf_attr_pa_tnc_error_t *error_attr;
246
247 attr_info = reader->peek(reader);
248 attr_info.len = PA_TNC_ATTR_INFO_SIZE;
249 reader->read_uint8 (reader, &flags);
250 reader->read_uint24(reader, &vendor_id);
251 reader->read_uint32(reader, &type);
252 reader->read_uint32(reader, &length);
253
254 pa_attr_names = imcv_pa_tnc_attributes->get_names(imcv_pa_tnc_attributes,
255 vendor_id);
256 if (pa_attr_names)
257 {
258 DBG2(DBG_TNC, "processing PA-TNC attribute type '%N/%N' "
259 "0x%06x/0x%08x", pen_names, vendor_id,
260 pa_attr_names, type, vendor_id, type);
261 }
262 else
263 {
264 DBG2(DBG_TNC, "processing PA-TNC attribute type '%N' "
265 "0x%06x/0x%08x", pen_names, vendor_id,
266 vendor_id, type);
267 }
268
269 if (length < PA_TNC_ATTR_HEADER_SIZE)
270 {
271 DBG1(DBG_TNC, "%u bytes too small for PA-TNC attribute length",
272 length);
273 error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
274 this->encoding, offset + PA_TNC_ATTR_INFO_SIZE);
275 goto err;
276 }
277
278 if (!reader->read_data(reader, length - PA_TNC_ATTR_HEADER_SIZE, &value))
279 {
280 DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute value");
281 error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
282 this->encoding, offset + PA_TNC_ATTR_INFO_SIZE);
283 goto err;
284 }
285 DBG3(DBG_TNC, "%B", &value);
286
287 if (vendor_id == PEN_RESERVED)
288 {
289 error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
290 this->encoding, offset + 1);
291 goto err;
292 }
293 if (type == IETF_ATTR_RESERVED)
294 {
295 error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
296 this->encoding, offset + 4);
297 goto err;
298 }
299 attr = imcv_pa_tnc_attributes->create(imcv_pa_tnc_attributes,
300 vendor_id, type, value);
301 if (!attr)
302 {
303 if (flags & PA_TNC_ATTR_FLAG_NOSKIP)
304 {
305 DBG1(DBG_TNC, "unsupported PA-TNC attribute with NOSKIP flag");
306 error_code = pen_type_create(PEN_IETF,
307 PA_ERROR_ATTR_TYPE_NOT_SUPPORTED);
308 error = ietf_attr_pa_tnc_error_create(error_code,
309 this->encoding);
310 error_attr = (ietf_attr_pa_tnc_error_t*)error;
311 error_attr->set_attr_info(error_attr, attr_info);
312 goto err;
313 }
314 else
315 {
316 DBG1(DBG_TNC, "skipping unsupported PA-TNC attribute");
317 offset += length;
318 continue;
319 }
320 }
321
322 if (attr->process(attr, &attr_offset) != SUCCESS)
323 {
324 attr->destroy(attr);
325 if (vendor_id == PEN_IETF && type == IETF_ATTR_PA_TNC_ERROR)
326 {
327 /* error while processing a PA-TNC error attribute - abort */
328 reader->destroy(reader);
329 return FAILED;
330 }
331 error_code = pen_type_create(PEN_IETF,
332 PA_ERROR_INVALID_PARAMETER);
333 error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
334 this->encoding,
335 offset + PA_TNC_ATTR_HEADER_SIZE + attr_offset);
336 goto err;
337 }
338 this->attributes->insert_last(this->attributes, attr);
339 offset += length;
340 }
341
342 if (reader->remaining(reader) == 0)
343 {
344 reader->destroy(reader);
345 return SUCCESS;
346 }
347 DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute header");
348 error = ietf_attr_pa_tnc_error_create_with_offset(error_code,
349 this->encoding, offset);
350
351 err:
352 reader->destroy(reader);
353 this->errors->insert_last(this->errors, error);
354 return VERIFY_ERROR;
355 }
356
357 METHOD(pa_tnc_msg_t, process_ietf_std_errors, bool,
358 private_pa_tnc_msg_t *this)
359 {
360 enumerator_t *enumerator;
361 pa_tnc_attr_t *attr;
362 pen_type_t type;
363 bool fatal_error = FALSE;
364
365 enumerator = this->attributes->create_enumerator(this->attributes);
366 while (enumerator->enumerate(enumerator, &attr))
367 {
368 type = attr->get_type(attr);
369
370 if (type.vendor_id == PEN_IETF && type.type == IETF_ATTR_PA_TNC_ERROR)
371 {
372 ietf_attr_pa_tnc_error_t *error_attr;
373 pen_type_t error_code;
374 chunk_t msg_info, attr_info;
375 u_int32_t offset;
376
377 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
378 error_code = error_attr->get_error_code(error_attr);
379 msg_info = error_attr->get_msg_info(error_attr);
380
381 /* skip errors from non-IETF namespaces */
382 if (error_code.vendor_id != PEN_IETF)
383 {
384 continue;
385 }
386 DBG1(DBG_TNC, "received PA-TNC error '%N' concerning message "
387 "0x%08x/0x%08x", pa_tnc_error_code_names, error_code.type,
388 untoh32(msg_info.ptr), untoh32(msg_info.ptr + 4));
389
390 switch (error_code.type)
391 {
392 case PA_ERROR_INVALID_PARAMETER:
393 offset = error_attr->get_offset(error_attr);
394 DBG1(DBG_TNC, " occurred at offset of %u bytes", offset);
395 break;
396 case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
397 attr_info = error_attr->get_attr_info(error_attr);
398 DBG1(DBG_TNC, " unsupported attribute %#B", &attr_info);
399 break;
400 default:
401 break;
402 }
403 fatal_error = TRUE;
404 }
405 }
406 enumerator->destroy(enumerator);
407
408 return fatal_error;
409 }
410
411 METHOD(pa_tnc_msg_t, create_attribute_enumerator, enumerator_t*,
412 private_pa_tnc_msg_t *this)
413 {
414 return this->attributes->create_enumerator(this->attributes);
415 }
416
417 METHOD(pa_tnc_msg_t, create_error_enumerator, enumerator_t*,
418 private_pa_tnc_msg_t *this)
419 {
420 return this->errors->create_enumerator(this->errors);
421 }
422
423 METHOD(pa_tnc_msg_t, destroy, void,
424 private_pa_tnc_msg_t *this)
425 {
426 this->attributes->destroy_offset(this->attributes,
427 offsetof(pa_tnc_attr_t, destroy));
428 this->errors->destroy_offset(this->errors,
429 offsetof(pa_tnc_attr_t, destroy));
430 free(this->encoding.ptr);
431 free(this);
432 }
433
434 /**
435 * See header
436 */
437 pa_tnc_msg_t *pa_tnc_msg_create(size_t max_msg_len)
438 {
439 private_pa_tnc_msg_t *this;
440
441 INIT(this,
442 .public = {
443 .get_encoding = _get_encoding,
444 .add_attribute = _add_attribute,
445 .build = _build,
446 .process = _process,
447 .process_ietf_std_errors = _process_ietf_std_errors,
448 .create_attribute_enumerator = _create_attribute_enumerator,
449 .create_error_enumerator = _create_error_enumerator,
450 .destroy = _destroy,
451 },
452 .attributes = linked_list_create(),
453 .errors = linked_list_create(),
454 .msg_len = PA_TNC_HEADER_SIZE,
455 .max_msg_len = max_msg_len,
456 );
457
458 return &this->public;
459 }
460
461 /**
462 * See header
463 */
464 pa_tnc_msg_t *pa_tnc_msg_create_from_data(chunk_t data)
465 {
466 private_pa_tnc_msg_t *this;
467
468 INIT(this,
469 .public = {
470 .get_encoding = _get_encoding,
471 .add_attribute = _add_attribute,
472 .build = _build,
473 .process = _process,
474 .process_ietf_std_errors = _process_ietf_std_errors,
475 .create_attribute_enumerator = _create_attribute_enumerator,
476 .create_error_enumerator = _create_error_enumerator,
477 .destroy = _destroy,
478 },
479 .encoding = chunk_clone(data),
480 .attributes = linked_list_create(),
481 .errors = linked_list_create(),
482 );
483
484 return &this->public;
485 }
486