projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
log PA-TNC attribute names
[strongswan.git] / src / libimcv / pa_tnc / pa_tnc_msg.c
1 /*
2 * Copyright (C) 2011 Andreas Steffen
3 *
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "pa_tnc_msg.h"
18 #include "ietf/ietf_attr.h"
19 #include "ietf/ietf_attr_pa_tnc_error.h"
20 #include "tcg/tcg_attr.h"
21 #include "ita/ita_attr.h"
22
23 #include <bio/bio_writer.h>
24 #include <bio/bio_reader.h>
25 #include <utils/linked_list.h>
26 #include <pen/pen.h>
27 #include <debug.h>
28
29
30 typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
31
32 /**
33 * PA-TNC message header
34 *
35 * 1 2 3
36 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
37 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
38 * | Version | Reserved |
39 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
40 * | Message Identifier |
41 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
42 */
43
44 #define PA_TNC_HEADER_SIZE 8
45 #define PA_TNC_RESERVED 0x000000
46
47 /**
48 * PA-TNC attribute
49 *
50 * 1 2 3
51 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
52 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
53 * | Flags | PA-TNC Attribute Vendor ID |
54 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
55 * | PA-TNC Attribute Type |
56 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
57 * | PA-TNC Attribute Length |
58 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
59 * | Attribute Value (Variable Length) |
60 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
61 */
62
63 #define PA_TNC_ATTR_FLAG_NONE 0x00
64 #define PA_TNC_ATTR_FLAG_NOSKIP (1<<7)
65 #define PA_TNC_ATTR_HEADER_SIZE 12
66 #define PA_TNC_ATTR_INFO_SIZE 8
67
68 /**
69 * Private data of a pa_tnc_msg_t object.
70 *
71 */
72 struct private_pa_tnc_msg_t {
73
74 /**
75 * Public pa_tnc_msg_t interface.
76 */
77 pa_tnc_msg_t public;
78
79 /**
80 * List of PA-TNC attributes
81 */
82 linked_list_t *attributes;
83
84 /**
85 * linked list of PA-TNC error messages
86 */
87 linked_list_t *errors;
88
89 /**
90 * Message identifier
91 */
92 u_int32_t identifier;
93
94 /**
95 * Encoded message
96 */
97 chunk_t encoding;
98 };
99
100 METHOD(pa_tnc_msg_t, get_encoding, chunk_t,
101 private_pa_tnc_msg_t *this)
102 {
103 return this->encoding;
104 }
105
106 METHOD(pa_tnc_msg_t, add_attribute, void,
107 private_pa_tnc_msg_t *this, pa_tnc_attr_t *attr)
108 {
109 this->attributes->insert_last(this->attributes, attr);
110 }
111
112 METHOD(pa_tnc_msg_t, build, void,
113 private_pa_tnc_msg_t *this)
114 {
115 bio_writer_t *writer;
116 enumerator_t *enumerator;
117 pa_tnc_attr_t *attr;
118 enum_name_t *pa_attr_names;
119 pen_t vendor_id;
120 u_int32_t type;
121 u_int8_t flags;
122 chunk_t value;
123 rng_t *rng;
124
125 /* create a random message identifier */
126 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
127 rng->get_bytes(rng, sizeof(this->identifier), (u_int8_t*)&this->identifier);
128 rng->destroy(rng);
129 DBG2(DBG_TNC, "creating PA-TNC message with ID 0x%08x", this->identifier);
130
131 /* build message header */
132 writer = bio_writer_create(PA_TNC_HEADER_SIZE);
133 writer->write_uint8 (writer, PA_TNC_VERSION);
134 writer->write_uint24(writer, PA_TNC_RESERVED);
135 writer->write_uint32(writer, this->identifier);
136
137 /* build and append encoding of PA-TNC attributes */
138 enumerator = this->attributes->create_enumerator(this->attributes);
139 while (enumerator->enumerate(enumerator, &attr))
140 {
141 attr->build(attr);
142 vendor_id = attr->get_vendor_id(attr);
143 type = attr->get_type(attr);
144 value = attr->get_value(attr);
145 flags = attr->get_noskip_flag(attr) ? PA_TNC_ATTR_FLAG_NOSKIP :
146 PA_TNC_ATTR_FLAG_NONE;
147
148 pa_attr_names = get_pa_attr_names(vendor_id);
149 if (pa_attr_names)
150 {
151 DBG2(DBG_TNC, "creating PA-TNC attribute type '%N/%N' "
152 "0x%06x/0x%08x", pen_names, vendor_id,
153 pa_attr_names, type, vendor_id, type);
154 }
155 else
156 {
157 DBG2(DBG_TNC, "creating PA-TNC attribute type '%N' "
158 "0x%06x/0x%08x", pen_names, vendor_id,
159 vendor_id, type);
160 }
161 DBG3(DBG_TNC, "%B", &value);
162
163 writer->write_uint8 (writer, flags);
164 writer->write_uint24(writer, vendor_id);
165 writer->write_uint32(writer, type);
166 writer->write_uint32(writer, PA_TNC_ATTR_HEADER_SIZE + value.len);
167 writer->write_data (writer, value);
168 }
169 enumerator->destroy(enumerator);
170
171 free(this->encoding.ptr);
172 this->encoding = chunk_clone(writer->get_buf(writer));
173 writer->destroy(writer);
174 }
175
176 METHOD(pa_tnc_msg_t, process, status_t,
177 private_pa_tnc_msg_t *this)
178 {
179 bio_reader_t *reader;
180 pa_tnc_attr_t *error;
181 u_int8_t version;
182 u_int32_t reserved, offset, attr_offset;
183
184 /* process message header */
185 if (this->encoding.len < PA_TNC_HEADER_SIZE)
186 {
187 DBG1(DBG_TNC, "%u bytes insufficient to parse PA-TNC message header",
188 this->encoding.len);
189 return FAILED;
190 }
191 reader = bio_reader_create(this->encoding);
192 reader->read_uint8 (reader, &version);
193 reader->read_uint24(reader, &reserved);
194 reader->read_uint32(reader, &this->identifier);
195 DBG2(DBG_TNC, "processing PA-TNC message with ID 0x%08x", this->identifier);
196
197 if (version != PA_TNC_VERSION)
198 {
199 DBG1(DBG_TNC, "PA-TNC version %u not supported", version);
200 error = ietf_attr_pa_tnc_error_create(PEN_IETF,
201 PA_ERROR_VERSION_NOT_SUPPORTED, this->encoding);
202 goto err;
203 }
204
205 /* offset of the first PA-TNC attribute in the PA-TNC message */
206 offset = PA_TNC_HEADER_SIZE;
207
208 /* pre-process PA-TNC attributes */
209 while (reader->remaining(reader) >= PA_TNC_ATTR_HEADER_SIZE)
210 {
211 pen_t vendor_id;
212 u_int8_t flags;
213 u_int32_t type, length;
214 chunk_t value, attr_info;
215 pa_tnc_attr_t *attr;
216 enum_name_t *pa_attr_names;
217 ietf_attr_pa_tnc_error_t *error_attr;
218
219 attr_info = reader->peek(reader);
220 attr_info.len = PA_TNC_ATTR_INFO_SIZE;
221 reader->read_uint8 (reader, &flags);
222 reader->read_uint24(reader, &vendor_id);
223 reader->read_uint32(reader, &type);
224 reader->read_uint32(reader, &length);
225
226 pa_attr_names = get_pa_attr_names(vendor_id);
227 if (pa_attr_names)
228 {
229 DBG2(DBG_TNC, "processing PA-TNC attribute type '%N/%N' "
230 "0x%06x/0x%08x", pen_names, vendor_id,
231 pa_attr_names, type, vendor_id, type);
232 }
233 else
234 {
235 DBG2(DBG_TNC, "processing PA-TNC attribute type '%N' "
236 "0x%06x/0x%08x", pen_names, vendor_id,
237 vendor_id, type);
238 }
239
240 if (length < PA_TNC_ATTR_HEADER_SIZE)
241 {
242 DBG1(DBG_TNC, "%u bytes too small for PA-TNC attribute length",
243 length);
244 error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
245 PA_ERROR_INVALID_PARAMETER, this->encoding,
246 offset + PA_TNC_ATTR_INFO_SIZE);
247 goto err;
248 }
249
250 if (!reader->read_data(reader, length - PA_TNC_ATTR_HEADER_SIZE, &value))
251 {
252 DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute value");
253 error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
254 PA_ERROR_INVALID_PARAMETER, this->encoding,
255 offset + PA_TNC_ATTR_INFO_SIZE);
256 goto err;
257 }
258 DBG3(DBG_TNC, "%B", &value);
259
260 attr = pa_tnc_attr_create_from_data(vendor_id, type, value);
261 if (!attr)
262 {
263 if (flags & PA_TNC_ATTR_FLAG_NOSKIP)
264 {
265 DBG1(DBG_TNC, "unsupported PA-TNC attribute with NOSKIP flag");
266 error = ietf_attr_pa_tnc_error_create(PEN_IETF,
267 PA_ERROR_ATTR_TYPE_NOT_SUPPORTED, this->encoding);
268 error_attr = (ietf_attr_pa_tnc_error_t*)error;
269 error_attr->set_attr_info(error_attr, attr_info);
270 goto err;
271 }
272 else
273 {
274 DBG1(DBG_TNC, "skipping unsupported PA-TNC attribute");
275 offset += length;
276 continue;
277 }
278 }
279
280 if (attr->process(attr, &attr_offset) != SUCCESS)
281 {
282 attr->destroy(attr);
283 if (vendor_id == PEN_IETF && type == IETF_ATTR_PA_TNC_ERROR)
284 {
285 /* error while processing a PA-TNC error attribute - abort */
286 reader->destroy(reader);
287 return FAILED;
288 }
289 error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
290 PA_ERROR_INVALID_PARAMETER, this->encoding,
291 offset + PA_TNC_ATTR_HEADER_SIZE + attr_offset);
292 goto err;
293 }
294 add_attribute(this, attr);
295 offset += length;
296 }
297
298 if (reader->remaining(reader) == 0)
299 {
300 reader->destroy(reader);
301 return SUCCESS;
302 }
303 DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute header");
304 error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
305 PA_ERROR_INVALID_PARAMETER, this->encoding, offset);
306
307 err:
308 reader->destroy(reader);
309 this->errors->insert_last(this->errors, error);
310 return VERIFY_ERROR;
311 }
312
313 METHOD(pa_tnc_msg_t, create_attribute_enumerator, enumerator_t*,
314 private_pa_tnc_msg_t *this)
315 {
316 return this->attributes->create_enumerator(this->attributes);
317 }
318
319 METHOD(pa_tnc_msg_t, create_error_enumerator, enumerator_t*,
320 private_pa_tnc_msg_t *this)
321 {
322 return this->errors->create_enumerator(this->errors);
323 }
324
325 METHOD(pa_tnc_msg_t, destroy, void,
326 private_pa_tnc_msg_t *this)
327 {
328 this->attributes->destroy_offset(this->attributes,
329 offsetof(pa_tnc_attr_t, destroy));
330 this->errors->destroy_offset(this->errors,
331 offsetof(pa_tnc_attr_t, destroy));
332 free(this->encoding.ptr);
333 free(this);
334 }
335
336 /**
337 * See header
338 */
339 pa_tnc_msg_t *pa_tnc_msg_create_from_data(chunk_t data)
340 {
341 private_pa_tnc_msg_t *this;
342
343 INIT(this,
344 .public = {
345 .get_encoding = _get_encoding,
346 .add_attribute = _add_attribute,
347 .build = _build,
348 .process = _process,
349 .create_attribute_enumerator = _create_attribute_enumerator,
350 .create_error_enumerator = _create_error_enumerator,
351 .destroy = _destroy,
352 },
353 .encoding = chunk_clone(data),
354 .attributes = linked_list_create(),
355 .errors = linked_list_create(),
356 );
357
358 return &this->public;
359 }
360
361 /**
362 * See header
363 */
364 pa_tnc_msg_t *pa_tnc_msg_create(void)
365 {
366 return pa_tnc_msg_create_from_data(chunk_empty);
367 }
368
369 /**
370 * See header
371 */
372 enum_name_t* get_pa_attr_names(pen_t pen)
373 {
374 switch (pen)
375 {
376 case PEN_IETF:
377 return ietf_attr_names;
378 case PEN_TCG:
379 return tcg_attr_names;
380 case PEN_ITA:
381 return ita_attr_names;
382 default:
383 return NULL;
384 }
385 }
386
strongSwan - IPsec VPN