added IETF standard error handling method
[strongswan.git] / src / libimcv / pa_tnc / pa_tnc_msg.c
1 /*
2 * Copyright (C) 2011 Andreas Steffen
3 *
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "imcv.h"
18 #include "pa_tnc_msg.h"
19 #include "ietf/ietf_attr_pa_tnc_error.h"
20
21 #include <bio/bio_writer.h>
22 #include <bio/bio_reader.h>
23 #include <utils/linked_list.h>
24 #include <pen/pen.h>
25 #include <debug.h>
26
27
28 typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
29
30 /**
31 * PA-TNC message header
32 *
33 * 1 2 3
34 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
35 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
36 * | Version | Reserved |
37 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
38 * | Message Identifier |
39 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
40 */
41
42 #define PA_TNC_HEADER_SIZE 8
43 #define PA_TNC_RESERVED 0x000000
44
45 /**
46 * PA-TNC attribute
47 *
48 * 1 2 3
49 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
50 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
51 * | Flags | PA-TNC Attribute Vendor ID |
52 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
53 * | PA-TNC Attribute Type |
54 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
55 * | PA-TNC Attribute Length |
56 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
57 * | Attribute Value (Variable Length) |
58 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
59 */
60
61 #define PA_TNC_ATTR_FLAG_NONE 0x00
62 #define PA_TNC_ATTR_FLAG_NOSKIP (1<<7)
63 #define PA_TNC_ATTR_HEADER_SIZE 12
64 #define PA_TNC_ATTR_INFO_SIZE 8
65
66 /**
67 * Private data of a pa_tnc_msg_t object.
68 *
69 */
70 struct private_pa_tnc_msg_t {
71
72 /**
73 * Public pa_tnc_msg_t interface.
74 */
75 pa_tnc_msg_t public;
76
77 /**
78 * List of PA-TNC attributes
79 */
80 linked_list_t *attributes;
81
82 /**
83 * linked list of PA-TNC error messages
84 */
85 linked_list_t *errors;
86
87 /**
88 * Message identifier
89 */
90 u_int32_t identifier;
91
92 /**
93 * Encoded message
94 */
95 chunk_t encoding;
96 };
97
98 METHOD(pa_tnc_msg_t, get_encoding, chunk_t,
99 private_pa_tnc_msg_t *this)
100 {
101 return this->encoding;
102 }
103
104 METHOD(pa_tnc_msg_t, add_attribute, void,
105 private_pa_tnc_msg_t *this, pa_tnc_attr_t *attr)
106 {
107 this->attributes->insert_last(this->attributes, attr);
108 }
109
110 METHOD(pa_tnc_msg_t, build, void,
111 private_pa_tnc_msg_t *this)
112 {
113 bio_writer_t *writer;
114 enumerator_t *enumerator;
115 pa_tnc_attr_t *attr;
116 enum_name_t *pa_attr_names;
117 pen_t vendor_id;
118 u_int32_t type;
119 u_int8_t flags;
120 chunk_t value;
121 rng_t *rng;
122
123 /* create a random message identifier */
124 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
125 rng->get_bytes(rng, sizeof(this->identifier), (u_int8_t*)&this->identifier);
126 rng->destroy(rng);
127 DBG2(DBG_TNC, "creating PA-TNC message with ID 0x%08x", this->identifier);
128
129 /* build message header */
130 writer = bio_writer_create(PA_TNC_HEADER_SIZE);
131 writer->write_uint8 (writer, PA_TNC_VERSION);
132 writer->write_uint24(writer, PA_TNC_RESERVED);
133 writer->write_uint32(writer, this->identifier);
134
135 /* build and append encoding of PA-TNC attributes */
136 enumerator = this->attributes->create_enumerator(this->attributes);
137 while (enumerator->enumerate(enumerator, &attr))
138 {
139 attr->build(attr);
140 vendor_id = attr->get_vendor_id(attr);
141 type = attr->get_type(attr);
142 value = attr->get_value(attr);
143 flags = attr->get_noskip_flag(attr) ? PA_TNC_ATTR_FLAG_NOSKIP :
144 PA_TNC_ATTR_FLAG_NONE;
145
146 pa_attr_names = imcv_pa_tnc_attributes->get_names(imcv_pa_tnc_attributes,
147 vendor_id);
148 if (pa_attr_names)
149 {
150 DBG2(DBG_TNC, "creating PA-TNC attribute type '%N/%N' "
151 "0x%06x/0x%08x", pen_names, vendor_id,
152 pa_attr_names, type, vendor_id, type);
153 }
154 else
155 {
156 DBG2(DBG_TNC, "creating PA-TNC attribute type '%N' "
157 "0x%06x/0x%08x", pen_names, vendor_id,
158 vendor_id, type);
159 }
160 DBG3(DBG_TNC, "%B", &value);
161
162 writer->write_uint8 (writer, flags);
163 writer->write_uint24(writer, vendor_id);
164 writer->write_uint32(writer, type);
165 writer->write_uint32(writer, PA_TNC_ATTR_HEADER_SIZE + value.len);
166 writer->write_data (writer, value);
167 }
168 enumerator->destroy(enumerator);
169
170 free(this->encoding.ptr);
171 this->encoding = chunk_clone(writer->get_buf(writer));
172 writer->destroy(writer);
173 }
174
175 METHOD(pa_tnc_msg_t, process, status_t,
176 private_pa_tnc_msg_t *this)
177 {
178 bio_reader_t *reader;
179 pa_tnc_attr_t *error;
180 u_int8_t version;
181 u_int32_t reserved, offset, attr_offset;
182
183 /* process message header */
184 if (this->encoding.len < PA_TNC_HEADER_SIZE)
185 {
186 DBG1(DBG_TNC, "%u bytes insufficient to parse PA-TNC message header",
187 this->encoding.len);
188 return FAILED;
189 }
190 reader = bio_reader_create(this->encoding);
191 reader->read_uint8 (reader, &version);
192 reader->read_uint24(reader, &reserved);
193 reader->read_uint32(reader, &this->identifier);
194 DBG2(DBG_TNC, "processing PA-TNC message with ID 0x%08x", this->identifier);
195
196 if (version != PA_TNC_VERSION)
197 {
198 DBG1(DBG_TNC, "PA-TNC version %u not supported", version);
199 error = ietf_attr_pa_tnc_error_create(PEN_IETF,
200 PA_ERROR_VERSION_NOT_SUPPORTED, this->encoding);
201 goto err;
202 }
203
204 /* offset of the first PA-TNC attribute in the PA-TNC message */
205 offset = PA_TNC_HEADER_SIZE;
206
207 /* pre-process PA-TNC attributes */
208 while (reader->remaining(reader) >= PA_TNC_ATTR_HEADER_SIZE)
209 {
210 pen_t vendor_id;
211 u_int8_t flags;
212 u_int32_t type, length;
213 chunk_t value, attr_info;
214 pa_tnc_attr_t *attr;
215 enum_name_t *pa_attr_names;
216 ietf_attr_pa_tnc_error_t *error_attr;
217
218 attr_info = reader->peek(reader);
219 attr_info.len = PA_TNC_ATTR_INFO_SIZE;
220 reader->read_uint8 (reader, &flags);
221 reader->read_uint24(reader, &vendor_id);
222 reader->read_uint32(reader, &type);
223 reader->read_uint32(reader, &length);
224
225 pa_attr_names = imcv_pa_tnc_attributes->get_names(imcv_pa_tnc_attributes,
226 vendor_id);
227 if (pa_attr_names)
228 {
229 DBG2(DBG_TNC, "processing PA-TNC attribute type '%N/%N' "
230 "0x%06x/0x%08x", pen_names, vendor_id,
231 pa_attr_names, type, vendor_id, type);
232 }
233 else
234 {
235 DBG2(DBG_TNC, "processing PA-TNC attribute type '%N' "
236 "0x%06x/0x%08x", pen_names, vendor_id,
237 vendor_id, type);
238 }
239
240 if (length < PA_TNC_ATTR_HEADER_SIZE)
241 {
242 DBG1(DBG_TNC, "%u bytes too small for PA-TNC attribute length",
243 length);
244 error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
245 PA_ERROR_INVALID_PARAMETER, this->encoding,
246 offset + PA_TNC_ATTR_INFO_SIZE);
247 goto err;
248 }
249
250 if (!reader->read_data(reader, length - PA_TNC_ATTR_HEADER_SIZE, &value))
251 {
252 DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute value");
253 error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
254 PA_ERROR_INVALID_PARAMETER, this->encoding,
255 offset + PA_TNC_ATTR_INFO_SIZE);
256 goto err;
257 }
258 DBG3(DBG_TNC, "%B", &value);
259
260 attr = imcv_pa_tnc_attributes->create(imcv_pa_tnc_attributes,
261 vendor_id, type, value);
262 if (!attr)
263 {
264 if (flags & PA_TNC_ATTR_FLAG_NOSKIP)
265 {
266 DBG1(DBG_TNC, "unsupported PA-TNC attribute with NOSKIP flag");
267 error = ietf_attr_pa_tnc_error_create(PEN_IETF,
268 PA_ERROR_ATTR_TYPE_NOT_SUPPORTED, this->encoding);
269 error_attr = (ietf_attr_pa_tnc_error_t*)error;
270 error_attr->set_attr_info(error_attr, attr_info);
271 goto err;
272 }
273 else
274 {
275 DBG1(DBG_TNC, "skipping unsupported PA-TNC attribute");
276 offset += length;
277 continue;
278 }
279 }
280
281 if (attr->process(attr, &attr_offset) != SUCCESS)
282 {
283 attr->destroy(attr);
284 if (vendor_id == PEN_IETF && type == IETF_ATTR_PA_TNC_ERROR)
285 {
286 /* error while processing a PA-TNC error attribute - abort */
287 reader->destroy(reader);
288 return FAILED;
289 }
290 error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
291 PA_ERROR_INVALID_PARAMETER, this->encoding,
292 offset + PA_TNC_ATTR_HEADER_SIZE + attr_offset);
293 goto err;
294 }
295 add_attribute(this, attr);
296 offset += length;
297 }
298
299 if (reader->remaining(reader) == 0)
300 {
301 reader->destroy(reader);
302 return SUCCESS;
303 }
304 DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute header");
305 error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
306 PA_ERROR_INVALID_PARAMETER, this->encoding, offset);
307
308 err:
309 reader->destroy(reader);
310 this->errors->insert_last(this->errors, error);
311 return VERIFY_ERROR;
312 }
313
314 METHOD(pa_tnc_msg_t, process_ietf_std_errors, bool,
315 private_pa_tnc_msg_t *this)
316 {
317 enumerator_t *enumerator;
318 pa_tnc_attr_t *attr;
319 bool fatal_error = FALSE;
320
321 enumerator = this->attributes->create_enumerator(this->attributes);
322 while (enumerator->enumerate(enumerator, &attr))
323 {
324 if (attr->get_vendor_id(attr) == PEN_IETF &&
325 attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
326 {
327 ietf_attr_pa_tnc_error_t *error_attr;
328 pen_t error_vendor_id;
329 pa_tnc_error_code_t error_code;
330 chunk_t msg_info, attr_info;
331 u_int32_t offset;
332
333 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
334 error_vendor_id = error_attr->get_vendor_id(error_attr);
335 error_code = error_attr->get_error_code(error_attr);
336 msg_info = error_attr->get_msg_info(error_attr);
337
338 /* skip errors from non-IETF namespaces */
339 if (error_vendor_id != PEN_IETF)
340 {
341 continue;
342 }
343 DBG1(DBG_IMC, "received PA-TNC error '%N' concerning message "
344 "0x%08x/0x%08x", pa_tnc_error_code_names, error_code,
345 untoh32(msg_info.ptr), untoh32(msg_info.ptr + 4));
346
347 switch (error_code)
348 {
349 case PA_ERROR_INVALID_PARAMETER:
350 offset = error_attr->get_offset(error_attr);
351 DBG1(DBG_IMC, " occurred at offset of %u bytes", offset);
352 break;
353 case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
354 attr_info = error_attr->get_attr_info(error_attr);
355 DBG1(DBG_IMC, " unsupported attribute %#B", &attr_info);
356 break;
357 default:
358 break;
359 }
360
361 /* remove the processed IETF standard error attribute */
362 this->attributes->remove_at(this->attributes, enumerator);
363 fatal_error = TRUE;
364 }
365 }
366 enumerator->destroy(enumerator);
367
368 return fatal_error;
369 }
370
371 METHOD(pa_tnc_msg_t, create_attribute_enumerator, enumerator_t*,
372 private_pa_tnc_msg_t *this)
373 {
374 return this->attributes->create_enumerator(this->attributes);
375 }
376
377 METHOD(pa_tnc_msg_t, create_error_enumerator, enumerator_t*,
378 private_pa_tnc_msg_t *this)
379 {
380 return this->errors->create_enumerator(this->errors);
381 }
382
383 METHOD(pa_tnc_msg_t, destroy, void,
384 private_pa_tnc_msg_t *this)
385 {
386 this->attributes->destroy_offset(this->attributes,
387 offsetof(pa_tnc_attr_t, destroy));
388 this->errors->destroy_offset(this->errors,
389 offsetof(pa_tnc_attr_t, destroy));
390 free(this->encoding.ptr);
391 free(this);
392 }
393
394 /**
395 * See header
396 */
397 pa_tnc_msg_t *pa_tnc_msg_create_from_data(chunk_t data)
398 {
399 private_pa_tnc_msg_t *this;
400
401 INIT(this,
402 .public = {
403 .get_encoding = _get_encoding,
404 .add_attribute = _add_attribute,
405 .build = _build,
406 .process = _process,
407 .process_ietf_std_errors = _process_ietf_std_errors,
408 .create_attribute_enumerator = _create_attribute_enumerator,
409 .create_error_enumerator = _create_error_enumerator,
410 .destroy = _destroy,
411 },
412 .encoding = chunk_clone(data),
413 .attributes = linked_list_create(),
414 .errors = linked_list_create(),
415 );
416
417 return &this->public;
418 }
419
420 /**
421 * See header
422 */
423 pa_tnc_msg_t *pa_tnc_msg_create(void)
424 {
425 return pa_tnc_msg_create_from_data(chunk_empty);
426 }
427