projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
implemented the RFC 5792 PA-TNC protocol and an example IMC/IMV pair
[strongswan.git] / src / libimcv / pa_tnc / pa_tnc_msg.c
1 /*
2 * Copyright (C) 2011 Andreas Steffen
3 *
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "pa_tnc_msg.h"
18
19 #include <tls_writer.h>
20 #include <tls_reader.h>
21 #include <utils/linked_list.h>
22 #include <tnc/pen/pen.h>
23 #include <debug.h>
24
25
26 typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
27
28 /**
29 * PA-TNC message header
30 *
31 * 1 2 3
32 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
33 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
34 * | Version | Reserved |
35 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
36 * | Message Identifier |
37 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
38 */
39
40 #define PA_TNC_HEADER_SIZE 8
41 #define PA_TNC_VERSION 0x01
42 #define PA_TNC_RESERVED 0x000000
43
44 /**
45 * PA-TNC attribute
46 *
47 * 1 2 3
48 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
49 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
50 * | Flags | PA-TNC Attribute Vendor ID |
51 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
52 * | PA-TNC Attribute Type |
53 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
54 * | PA-TNC Attribute Length |
55 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
56 * | Attribute Value (Variable Length) |
57 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
58 */
59
60 #define PA_TNC_ATTR_FLAG_NONE 0x00
61 #define PA_TNC_ATTR_FLAG_NOSKIP (1<<7)
62 #define PA_TNC_ATTR_HEADER_SIZE 12
63
64 /**
65 * Private data of a pa_tnc_msg_t object.
66 *
67 */
68 struct private_pa_tnc_msg_t {
69
70 /**
71 * Public pa_tnc_msg_t interface.
72 */
73 pa_tnc_msg_t public;
74
75 /**
76 * List of PA-TNC attributes
77 */
78 linked_list_t *attributes;
79
80 /**
81 * Message identifier
82 */
83 u_int32_t identifier;
84
85 /**
86 * Encoded message
87 */
88 chunk_t encoding;
89 };
90
91 METHOD(pa_tnc_msg_t, get_encoding, chunk_t,
92 private_pa_tnc_msg_t *this)
93 {
94 return this->encoding;
95 }
96
97 METHOD(pa_tnc_msg_t, add_attribute, void,
98 private_pa_tnc_msg_t *this, pa_tnc_attr_t *attr)
99 {
100 this->attributes->insert_last(this->attributes, attr);
101 }
102
103 METHOD(pa_tnc_msg_t, build, void,
104 private_pa_tnc_msg_t *this)
105 {
106 tls_writer_t *writer;
107 enumerator_t *enumerator;
108 pa_tnc_attr_t *attr;
109 pen_t vendor_id;
110 u_int32_t type;
111 u_int8_t flags;
112 chunk_t value;
113 rng_t *rng;
114
115 /* create a random message identifier */
116 rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK);
117 rng->get_bytes(rng, sizeof(this->identifier), (u_int8_t*)&this->identifier);
118 rng->destroy(rng);
119 DBG2(DBG_TNC, "creating PA-TNC message with ID 0x%08x", this->identifier);
120
121 /* build message header */
122 writer = tls_writer_create(PA_TNC_HEADER_SIZE);
123 writer->write_uint8 (writer, PA_TNC_VERSION);
124 writer->write_uint24(writer, PA_TNC_RESERVED);
125 writer->write_uint32(writer, this->identifier);
126
127 /* build and append encoding of PA-TNC attributes */
128 enumerator = this->attributes->create_enumerator(this->attributes);
129 while (enumerator->enumerate(enumerator, &attr))
130 {
131 attr->build(attr);
132 vendor_id = attr->get_vendor_id(attr);
133 type = attr->get_type(attr);
134 value = attr->get_value(attr);
135 flags = attr->get_noskip_flag(attr) ? PA_TNC_ATTR_FLAG_NOSKIP :
136 PA_TNC_ATTR_FLAG_NONE;
137 DBG2(DBG_TNC, "creating PA-TNC attribute type 0x%06x(%N)/0x%08x",
138 vendor_id, pen_names, vendor_id, type);
139 DBG3(DBG_TNC, "%B", &value);
140
141 writer->write_uint8 (writer, flags);
142 writer->write_uint24(writer, vendor_id);
143 writer->write_uint32(writer, type);
144 writer->write_uint32(writer, PA_TNC_ATTR_HEADER_SIZE + value.len);
145 writer->write_data (writer, value);
146 }
147 enumerator->destroy(enumerator);
148
149 free(this->encoding.ptr);
150 this->encoding = chunk_clone(writer->get_buf(writer));
151 writer->destroy(writer);
152 }
153
154 METHOD(pa_tnc_msg_t, process, status_t,
155 private_pa_tnc_msg_t *this)
156 {
157 u_int8_t version;
158 u_int32_t reserved;
159 tls_reader_t *reader;
160 status_t status = FAILED;
161
162 reader = tls_reader_create(this->encoding);
163
164 /* process message header */
165 if (reader->remaining(reader) < PA_TNC_HEADER_SIZE)
166 {
167 DBG1(DBG_TNC, "%u bytes insufficient to parse PA-TNC message header",
168 this->encoding.len);
169 goto end;
170 }
171 reader->read_uint8 (reader, &version);
172 reader->read_uint24(reader, &reserved);
173 reader->read_uint32(reader, &this->identifier);
174
175 if (version != PA_TNC_VERSION)
176 {
177 DBG1(DBG_TNC, "PA-TNC version %u not supported", version);
178 goto end;
179 }
180 DBG2(DBG_TNC, "processing PA-TNC message with ID 0x%08x", this->identifier);
181
182 /* pre-process PA-TNC attributes */
183 while (reader->remaining(reader) >= PA_TNC_ATTR_HEADER_SIZE)
184 {
185 pen_t vendor_id;
186 u_int8_t flags;
187 u_int32_t type, length;
188 chunk_t value;
189 pa_tnc_attr_t *attr;
190
191 reader->read_uint8 (reader, &flags);
192 reader->read_uint24(reader, &vendor_id);
193 reader->read_uint32(reader, &type);
194 reader->read_uint32(reader, &length);
195 DBG2(DBG_TNC, "processing PA-TNC attribute type 0x%06x(%N)/0x%08x",
196 vendor_id, pen_names, vendor_id, type);
197
198 if (length < PA_TNC_ATTR_HEADER_SIZE)
199 {
200 DBG1(DBG_TNC, "%u bytes too small for PA-TNC attribute length",
201 length);
202 goto end;
203 }
204 length -= PA_TNC_ATTR_HEADER_SIZE;
205
206 if (!reader->read_data(reader, length , &value))
207 {
208 DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute value");
209 goto end;
210 }
211 DBG3(DBG_TNC, "%B", &value);
212
213 attr = pa_tnc_attr_create_from_data(vendor_id, type, value);
214 if (!attr)
215 {
216 if (flags & PA_TNC_ATTR_FLAG_NOSKIP)
217 {
218 DBG1(DBG_TNC, "unsupported PA-TNC attribute with NOSKIP flag");
219 goto end;
220 }
221 else
222 {
223 DBG1(DBG_TNC, "skipping unsupported PA-TNC attribute");
224 }
225 }
226
227 if (attr->process(attr) != SUCCESS)
228 {
229 attr->destroy(attr);
230 goto end;
231 }
232 add_attribute(this, attr);
233 }
234
235 if (reader->remaining(reader) == 0)
236 {
237 status = SUCCESS;
238 }
239
240 end:
241 reader->destroy(reader);
242 return status;
243 }
244
245 METHOD(pa_tnc_msg_t, create_attribute_enumerator, enumerator_t*,
246 private_pa_tnc_msg_t *this)
247 {
248 return this->attributes->create_enumerator(this->attributes);
249 }
250
251 METHOD(pa_tnc_msg_t, destroy, void,
252 private_pa_tnc_msg_t *this)
253 {
254 this->attributes->destroy_offset(this->attributes,
255 offsetof(pa_tnc_attr_t, destroy));
256 free(this->encoding.ptr);
257 free(this);
258 }
259
260
261 /**
262 * See header
263 */
264 pa_tnc_msg_t *pa_tnc_msg_create_from_data(chunk_t data)
265 {
266 private_pa_tnc_msg_t *this;
267
268 INIT(this,
269 .public = {
270 .get_encoding = _get_encoding,
271 .add_attribute = _add_attribute,
272 .build = _build,
273 .process = _process,
274 .create_attribute_enumerator = _create_attribute_enumerator,
275 .destroy = _destroy,
276 },
277 .encoding = chunk_clone(data),
278 .attributes = linked_list_create(),
279 );
280
281 return &this->public;
282 }
283
284 /**
285 * See header
286 */
287 pa_tnc_msg_t *pa_tnc_msg_create(void)
288 {
289 return pa_tnc_msg_create_from_data(chunk_empty);
290 }
291
292
strongSwan - IPsec VPN