Make access requestor IP address available to TNC server
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 19 Feb 2015 10:44:11 +0000 (11:44 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 8 Mar 2015 16:17:11 +0000 (17:17 +0100)
24 files changed:
src/libcharon/plugins/eap_tnc/eap_tnc.c
src/libcharon/plugins/tnc_pdp/tnc_pdp.c
src/libimcv/Makefile.am
src/libimcv/imv/imv_agent.c
src/libimcv/imv/imv_database.c
src/libimcv/imv/imv_policy_manager.c
src/libimcv/imv/imv_session.c
src/libimcv/imv/imv_session.h
src/libimcv/imv/imv_session_manager.c
src/libimcv/imv/imv_session_manager.h
src/libimcv/imv/tables-mysql.sql
src/libimcv/imv/tables.sql
src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c
src/libtnccs/plugins/tnccs_11/tnccs_11.c
src/libtnccs/plugins/tnccs_11/tnccs_11.h
src/libtnccs/plugins/tnccs_20/tnccs_20.c
src/libtnccs/plugins/tnccs_20/tnccs_20.h
src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c
src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h
src/libtnccs/tnc/tnccs/tnccs.h
src/libtnccs/tnc/tnccs/tnccs_manager.h
src/libtncif/tncif_names.c
src/libtncif/tncif_names.h
src/pt-tls-client/pt-tls-client.c

index 62d23d0..b1a6ff0 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -256,6 +256,8 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
        private_eap_tnc_t *this;
        int max_msg_count;
        char* protocol;
+       ike_sa_t *ike_sa;
+       host_t *server_ip, *peer_ip;
        tnccs_t *tnccs;
        tnccs_type_t tnccs_type;
 
@@ -302,8 +304,28 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
                free(this);
                return NULL;
        }
+
+       /* Determine IP addresses of server and peer */
+       ike_sa = charon->bus->get_sa(charon->bus);
+       if (!ike_sa)
+       {
+               DBG1(DBG_TNC, "%N constructor did not find IKE_SA",
+                                          eap_type_names, type);
+               return NULL;
+       }
+       if (is_server)
+       {
+               server_ip = ike_sa->get_my_host(ike_sa);
+               peer_ip = ike_sa->get_other_host(ike_sa);
+       }
+       else
+       {
+               peer_ip = ike_sa->get_my_host(ike_sa);
+               server_ip = ike_sa->get_other_host(ike_sa);
+       }
+
        tnccs = tnc->tnccs->create_instance(tnc->tnccs, tnccs_type,
-                                               is_server, server, peer,
+                                               is_server, server, peer, server_ip, peer_ip,
                                                (type == EAP_TNC) ? TNC_IFT_EAP_1_1 : TNC_IFT_EAP_2_0,
                                                is_server ? enforce_recommendation : NULL);
        if (!tnccs)
index 109c216..91456f8 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2013 Andreas Steffen
+ * Copyright (C) 2012-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -646,8 +646,8 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even
        int pt_tls_fd;
        struct sockaddr_storage addr;
        socklen_t addrlen = sizeof(addr);
-       identification_t *peer;
-       host_t *host;
+       identification_t *client_id;
+       host_t *server_ip, *client_ip;
        pt_tls_server_t *pt_tls;
        tnccs_t *tnccs;
        pt_tls_auth_t auth = PT_TLS_AUTH_TLS_OR_SASL;
@@ -658,17 +658,22 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even
                DBG1(DBG_TNC, "accepting PT-TLS stream failed: %s", strerror(errno));
                return FALSE;
        }
-       host = host_create_from_sockaddr((sockaddr_t*)&addr);
-       DBG1(DBG_TNC, "accepting PT-TLS stream from %H", host);
-       host->destroy(host);
+       client_ip = host_create_from_sockaddr((sockaddr_t*)&addr);
+       DBG1(DBG_TNC, "accepting PT-TLS stream from %H", client_ip);
+
+       /* Currently we do not determine the IP address of the server interface */
+       server_ip = host_create_any(client_ip->get_family(client_ip));
 
-       /* At this moment the peer identity is not known yet */
-       peer = identification_create_from_encoding(ID_ANY, chunk_empty),
+       /* At this moment the client identity is not known yet */
+       client_id = identification_create_from_encoding(ID_ANY, chunk_empty),
 
        tnccs = tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, TRUE,
-                                                                               this->server, peer, TNC_IFT_TLS_2_0,
+                                                                               this->server, client_id, server_ip,
+                                                                               client_ip, TNC_IFT_TLS_2_0,
                                                                                (tnccs_cb_t)get_recommendation);
-       peer->destroy(peer);
+       client_id->destroy(client_id);
+       server_ip->destroy(server_ip);
+       client_ip->destroy(client_ip);
 
        if (!tnccs)
        {
index d9a5cd5..a613827 100644 (file)
@@ -127,7 +127,8 @@ imv_policy_manager_SOURCES = \
        imv/imv_policy_manager.c \
        imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c
 imv_policy_manager_LDADD = \
-       $(top_builddir)/src/libstrongswan/libstrongswan.la
+       $(top_builddir)/src/libstrongswan/libstrongswan.la \
+       $(top_builddir)/src/libtncif/libtncif.la
 #imv/imv_policy_manager.o :    $(top_builddir)/config.status
 
 SUBDIRS = .
index 6b24f4b..d050862 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2014 Andreas Steffen
+ * Copyright (C) 2011-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -412,14 +412,10 @@ METHOD(imv_agent_t, create_state, TNC_Result,
 {
        TNC_ConnectionID conn_id;
        char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL;
-       bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE, first = TRUE;
+       bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE;
        linked_list_t *ar_identities;
-       enumerator_t *enumerator;
-       tncif_identity_t *tnc_id;
        imv_session_t *session;
        uint32_t max_msg_len;
-       uint32_t ar_id_type = TNC_ID_UNKNOWN;
-       chunk_t ar_id_value = chunk_empty;
 
        conn_id = state->get_connection_id(state);
        if (find_connection(this, conn_id))
@@ -431,15 +427,24 @@ METHOD(imv_agent_t, create_state, TNC_Result,
        }
 
        /* Get and display attributes from TNCS via IF-IMV */
-       has_long = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_LONG_TYPES);
-       has_excl = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_EXCLUSIVE);
-       has_soh  = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_SOH);
-       tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL);
-       tnccs_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_VERSION);
-       t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL);
-       t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION);
-       max_msg_len = get_uint_attribute(this, conn_id, TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE);
-       ar_identities = get_identity_attribute(this, conn_id, TNC_ATTRIBUTEID_AR_IDENTITIES);
+       has_long = get_bool_attribute(this, conn_id,
+                                                                       TNC_ATTRIBUTEID_HAS_LONG_TYPES);
+       has_excl = get_bool_attribute(this, conn_id,
+                                                                       TNC_ATTRIBUTEID_HAS_EXCLUSIVE);
+       has_soh  = get_bool_attribute(this, conn_id,
+                                                                       TNC_ATTRIBUTEID_HAS_SOH);
+       tnccs_p = get_str_attribute(this, conn_id,
+                                                                       TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL);
+       tnccs_v = get_str_attribute(this, conn_id,
+                                                                       TNC_ATTRIBUTEID_IFTNCCS_VERSION);
+       t_p = get_str_attribute(this, conn_id,
+                                                                       TNC_ATTRIBUTEID_IFT_PROTOCOL);
+       t_v = get_str_attribute(this, conn_id,
+                                                                       TNC_ATTRIBUTEID_IFT_VERSION);
+       max_msg_len = get_uint_attribute(this, conn_id,
+                                                                       TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE);
+       ar_identities = get_identity_attribute(this, conn_id,
+                                                                       TNC_ATTRIBUTEID_AR_IDENTITIES);
 
        state->set_flags(state, has_long, has_excl);
        state->set_max_msg_len(state, max_msg_len);
@@ -451,48 +456,9 @@ METHOD(imv_agent_t, create_state, TNC_Result,
        DBG2(DBG_IMV, "  over %s %s with maximum PA-TNC message size of %u bytes",
                                  t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len);
 
-       enumerator = ar_identities->create_enumerator(ar_identities);
-       while (enumerator->enumerate(enumerator, &tnc_id))
-       {
-               pen_type_t id_type, subject_type, auth_type;
-               uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type;
-               chunk_t id_value;
-
-               id_type = tnc_id->get_identity_type(tnc_id);
-               id_value = tnc_id->get_identity_value(tnc_id);
-               subject_type = tnc_id->get_subject_type(tnc_id);
-               auth_type = tnc_id->get_auth_type(tnc_id);
-
-               tcg_id_type =      (id_type.vendor_id == PEN_TCG) ?
-                                                       id_type.type : TNC_ID_UNKNOWN;
-               tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ?
-                                                       subject_type.type : TNC_SUBJECT_UNKNOWN;
-               tcg_auth_type =    (auth_type.vendor_id == PEN_TCG) ?
-                                                       auth_type.type : TNC_AUTH_UNKNOWN;
-
-
-               DBG2(DBG_IMV, "  %N AR identity '%.*s' authenticated by %N",
-                        TNC_Subject_names, tcg_subject_type,
-                        id_value.len, id_value.ptr,
-                        TNC_Authentication_names, tcg_auth_type);
-
-               /* keep the first access requestor ID */
-               if (first)
-               {
-                       ar_id_type = tcg_id_type;
-                       ar_id_value = id_value;
-                       first = FALSE;
-               }
-       }
-       enumerator->destroy(enumerator);
-
-       session = imcv_sessions->add_session(imcv_sessions, conn_id,
-                                                                                ar_id_type, ar_id_value);
+       session = imcv_sessions->add_session(imcv_sessions, conn_id, ar_identities);
        state->set_session(state, session);
 
-       /* clean up temporary variables */
-       ar_identities->destroy_offset(ar_identities,
-                                                  offsetof(tncif_identity_t, destroy));
        free(tnccs_p);
        free(tnccs_v);
        free(t_p);
index 0c4bb75..0a18cd7 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -22,6 +22,8 @@
 
 #include "imv_database.h"
 
+#include <tncif_identity.h>
+
 #include <utils/debug.h>
 #include <threading/mutex.h>
 
@@ -60,41 +62,14 @@ METHOD(imv_database_t, get_database, database_t*,
  */
 static bool create_session(private_imv_database_t *this, imv_session_t *session)
 {
-       enumerator_t *e;
+       enumerator_t *enumerator, *e;
        imv_os_info_t *os_info;
-       chunk_t device_id, ar_id_value;
+       chunk_t device_id;
+       tncif_identity_t *tnc_id;
        TNC_ConnectionID conn_id;
-       uint32_t ar_id_type;
        char *product, *device;
-       int session_id = 0, ar_id = 0, pid = 0, did = 0, trusted = 0, created;
-
-       ar_id_value = session->get_ar_id(session, &ar_id_type);
-       if (ar_id_value.len)
-       {
-               /* get primary key of AR identity if it exists */
-               e = this->db->query(this->db,
-                               "SELECT id FROM identities WHERE type = ? AND value = ?",
-                               DB_INT, ar_id_type, DB_BLOB, ar_id_value, DB_INT);
-               if (e)
-               {
-                       e->enumerate(e, &ar_id);
-                       e->destroy(e);
-               }
-
-               /* if AR identity has not been found - register it */
-               if (!ar_id)
-               {
-                       this->db->execute(this->db, &ar_id,
-                               "INSERT INTO identities (type, value) VALUES (?, ?)",
-                                DB_INT, ar_id_type, DB_BLOB, ar_id_value);
-               }
-
-               if (!ar_id)
-               {
-                       DBG1(DBG_IMV, "imv_db: registering access requestor failed");
-                       return FALSE;
-               }
-       }
+       int session_id = 0, pid = 0, did = 0, trusted = 0, created;
+       bool first = TRUE, success = TRUE;
 
        /* get product info string */
        os_info = session->get_os_info(session);
@@ -170,10 +145,9 @@ static bool create_session(private_imv_database_t *this, imv_session_t *session)
        created = session->get_creation_time(session);
        conn_id = session->get_connection_id(session);
        this->db->execute(this->db, &session_id,
-                       "INSERT INTO sessions (time, connection, identity, product, device) "
-                       "VALUES (?, ?, ?, ?, ?)",
-                       DB_INT, created, DB_INT, conn_id, DB_INT, ar_id,
-                       DB_INT, pid, DB_INT, did);
+                       "INSERT INTO sessions (time, connection, product, device) "
+                       "VALUES (?, ?, ?, ?)",
+                       DB_INT, created, DB_INT, conn_id, DB_INT, pid, DB_INT, did);
 
        if (session_id)
        {
@@ -187,7 +161,68 @@ static bool create_session(private_imv_database_t *this, imv_session_t *session)
        }
        session->set_session_id(session, session_id, pid, did);
 
-       return TRUE;
+       enumerator = session->create_ar_identities_enumerator(session);
+       while (enumerator->enumerate(enumerator, &tnc_id))
+       {
+               pen_type_t ar_id_type;
+               chunk_t ar_id_value;
+               int ar_id = 0, si_id = 0;
+
+               ar_id_type = tnc_id->get_identity_type(tnc_id);
+               ar_id_value = tnc_id->get_identity_value(tnc_id);
+
+               if (ar_id_type.vendor_id != PEN_TCG || ar_id_value.len == 0)
+               {
+                       continue;
+               }
+
+               /* get primary key of AR identity if it exists */
+               e = this->db->query(this->db,
+                               "SELECT id FROM identities WHERE type = ? AND value = ?",
+                               DB_INT, ar_id_type.type, DB_BLOB, ar_id_value, DB_INT);
+               if (e)
+               {
+                       e->enumerate(e, &ar_id);
+                       e->destroy(e);
+               }
+
+               /* if AR identity has not been found - register it */
+               if (!ar_id)
+               {
+                       this->db->execute(this->db, &ar_id,
+                               "INSERT INTO identities (type, value) VALUES (?, ?)",
+                                DB_INT, ar_id_type.type, DB_BLOB, ar_id_value);
+               }
+               if (!ar_id)
+               {
+                       DBG1(DBG_IMV, "imv_db: registering access requestor failed");
+                       success = FALSE;
+                       break;
+               }
+
+               this->db->execute(this->db, &si_id,
+                               "INSERT INTO sessions_identities (session_id, identity_id) "
+                               "VALUES (?, ?)",
+                                DB_INT, session_id, DB_INT, ar_id);
+
+               if (!si_id)
+               {
+                       DBG1(DBG_IMV, "imv_db: assigning identity to session failed");
+                       success = FALSE;
+                       break;
+               }
+
+               if (first)
+               {
+                       this->db->execute(this->db, NULL,
+                               "UPDATE sessions SET identity = ? WHERE id = ?",
+                                DB_INT, ar_id, DB_INT, session_id);
+                       first = FALSE;
+               }
+       }
+       enumerator->destroy(enumerator);
+
+       return success;
 }
 
 static bool add_workitems(private_imv_database_t *this, imv_session_t *session)
index 50f7f2e..9f7e4e8 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -19,6 +19,8 @@
 #include <library.h>
 #include <utils/debug.h>
 
+#include <tncif_names.h>
+
 #include <stdlib.h>
 #include <stdio.h>
 #include <time.h>
@@ -251,9 +253,12 @@ static bool policy_start(database_t *db, int session_id)
 static bool policy_stop(database_t *db, int session_id)
 {
        enumerator_t *e;
-       int rec, policy;
-       char *result;
+       int rec, policy, final_rec, id_type;
+       chunk_t id_value;
+       char *result, *ip_address = NULL;
+       bool success = TRUE;
 
+       /* store all workitem results for this session in the results table */
        e = db->query(db,
                        "SELECT w.rec_final, w.result, e.policy FROM workitems AS w "
                        "JOIN enforcements AS e ON w.enforcement = e.id "
@@ -270,9 +275,68 @@ static bool policy_stop(database_t *db, int session_id)
                }
                e->destroy(e);
        }
-       return db->execute(db, NULL,
-                               "DELETE FROM workitems WHERE session = ?",
-                               DB_UINT, session_id) >= 0;
+       else
+       {
+               success = FALSE;
+       }
+
+       /* delete all workitems for this session from the database */
+       if (db->execute(db, NULL,
+                                       "DELETE FROM workitems WHERE session = ?",
+                                       DB_UINT, session_id) < 0)
+       {
+               success = FALSE;
+       }
+
+       final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+
+       /* retrieve the final recommendation for this session */
+       e = db->query(db,
+                       "SELECT rec FROM sessions WHERE id = ?",
+                        DB_INT, session_id, DB_INT);
+       if (e)
+       {
+               if (!e->enumerate(e, &final_rec))
+               {
+                       success = FALSE;
+               }
+               e->destroy(e);
+       }
+       else
+       {
+               success = FALSE;
+       }
+
+       /* retrieve client IP address for this session */
+       e = db->query(db,
+                       "SELECT i.type, i.value FROM identities AS i "
+                       "JOIN sessions_identities AS si ON si.identity_id = i.id "
+                       "WHERE si.session_id = ? AND (i.type = ? OR i.type = ?)",
+                        DB_INT, session_id, DB_INT, TNC_ID_IPV4_ADDR, DB_INT,
+                        TNC_ID_IPV6_ADDR, DB_INT, DB_BLOB);
+       if (e)
+       {
+               if (e->enumerate(e, &id_type, &id_value))
+               {
+                       ip_address = strndup(id_value.ptr, id_value.len);
+               }
+               else
+               {
+                       success = FALSE;
+               }
+               e->destroy(e);
+       }
+       else
+       {
+               success = FALSE;
+       }
+
+       fprintf(stderr, "recommendation for access requestor %s is %N\n",
+                       ip_address ? ip_address : "0.0.0.0",
+                       TNC_IMV_Action_Recommendation_names, final_rec);
+       free(ip_address);
+
+       return success;
 }
 
 int main(int argc, char *argv[])
index 1f0d8cf..bc6b5a8 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,6 +15,8 @@
 
 #include "imv_session.h"
 
+#include <tncif_identity.h>
+
 #include <utils/debug.h>
 
 typedef struct private_imv_session_t private_imv_session_t;
@@ -55,14 +57,9 @@ struct private_imv_session_t {
        time_t created;
 
        /**
-        * Access Requestor ID type
-        */
-       uint32_t ar_id_type;
-
-       /**
-        * Access Requestor ID value
+        * List of Access Requestor identities
         */
-       chunk_t ar_id_value;
+       linked_list_t *ar_identities;
 
        /**
         * OS information
@@ -130,14 +127,10 @@ METHOD(imv_session_t, get_creation_time, time_t,
        return this->created;
 }
 
-METHOD(imv_session_t, get_ar_id, chunk_t,
-       private_imv_session_t *this, uint32_t *ar_id_type)
+METHOD(imv_session_t, create_ar_identities_enumerator, enumerator_t*,
+       private_imv_session_t *this)
 {
-       if (ar_id_type)
-       {
-               *ar_id_type = this->ar_id_type;
-       }
-       return this->ar_id_value;
+       return this->ar_identities->create_enumerator(this->ar_identities);
 }
 
 METHOD(imv_session_t, get_os_info, imv_os_info_t*,
@@ -256,7 +249,8 @@ METHOD(imv_session_t, destroy, void,
                this->workitems->destroy_offset(this->workitems,
                                                                 offsetof(imv_workitem_t, destroy));
                this->os_info->destroy(this->os_info);
-               free(this->ar_id_value.ptr);
+               this->ar_identities->destroy_offset(this->ar_identities,
+                                                                        offsetof(tncif_identity_t, destroy));
                free(this->device_id.ptr);
                free(this);
        }
@@ -266,7 +260,7 @@ METHOD(imv_session_t, destroy, void,
  * See header
  */
 imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created,
-                                                                 uint32_t ar_id_type, chunk_t ar_id_value)
+                                                                 linked_list_t *ar_identities)
 {
        private_imv_session_t *this;
 
@@ -276,7 +270,7 @@ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created,
                        .get_session_id = _get_session_id,
                        .get_connection_id = _get_connection_id,
                        .get_creation_time = _get_creation_time,
-                       .get_ar_id = _get_ar_id,
+                       .create_ar_identities_enumerator = _create_ar_identities_enumerator,
                        .get_os_info = _get_os_info,
                        .set_device_id = _set_device_id,
                        .get_device_id = _get_device_id,
@@ -293,8 +287,7 @@ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created,
                },
                .conn_id = conn_id,
                .created = created,
-               .ar_id_type = ar_id_type,
-               .ar_id_value = chunk_clone(ar_id_value),
+               .ar_identities = ar_identities,
                .os_info = imv_os_info_create(),
                .workitems = linked_list_create(),
                .ref = 1,
index 42b9118..107716f 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -70,12 +70,11 @@ struct imv_session_t {
        time_t (*get_creation_time)(imv_session_t *this);
 
        /**
-        * Get Access Requestor ID
+        * Get list of Access Requestor identities
         *
-        * @param id_type               Access Requestor TCG Standard ID Type
-        * @return                              Access Requestor TCG Standard ID Value
+        * @return                              List of Access Requestor identities
         */
-       chunk_t (*get_ar_id)(imv_session_t *this, uint32_t *id_type);
+       enumerator_t* (*create_ar_identities_enumerator)(imv_session_t *this);
 
        /**
         * Get OS Information
@@ -172,10 +171,9 @@ struct imv_session_t {
  *
  * @param id                           Associated Connection ID
  * @param created                      Session creation time
- * @param ar_id_type           Access Requestor ID type
- * @param ar_id_value          Access Requestor ID value
+ * @param ar_identities                List of Access Requestor identities
  */
 imv_session_t* imv_session_create(TNC_ConnectionID id, time_t created,
-                                                                 uint32_t ar_id_type, chunk_t ar_id_value);
+                                                                 linked_list_t *ar_identities);
 
 #endif /**  IMV_SESSION_H_ @}*/
index 0fb8de4..c976029 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -15,6 +15,9 @@
 
 #include "imv_session_manager.h"
 
+#include <tncif_names.h>
+#include <tncif_identity.h>
+
 #include <threading/mutex.h>
 
 typedef struct private_imv_session_manager_t private_imv_session_manager_t;
@@ -43,9 +46,10 @@ struct private_imv_session_manager_t {
 
 METHOD(imv_session_manager_t, add_session, imv_session_t*,
        private_imv_session_manager_t *this, TNC_ConnectionID conn_id,
-       uint32_t ar_id_type, chunk_t ar_id_value)
+       linked_list_t *ar_identities)
 {
        enumerator_t *enumerator;
+       tncif_identity_t *tnc_id;
        imv_session_t *current, *session = NULL;
        time_t created;
 
@@ -66,13 +70,43 @@ METHOD(imv_session_manager_t, add_session, imv_session_t*,
        /* session already exists */
        if (session)
        {
+               ar_identities->destroy_offset(ar_identities,
+                                                          offsetof(tncif_identity_t, destroy));
                this->mutex->unlock(this->mutex);
                return session->get_ref(session);
        }
 
+       /* Output list of Access Requestor identities */
+       enumerator = ar_identities->create_enumerator(ar_identities);
+       while (enumerator->enumerate(enumerator, &tnc_id))
+       {
+               pen_type_t id_type, subject_type, auth_type;
+               uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type;
+               chunk_t id_value;
+
+               id_type = tnc_id->get_identity_type(tnc_id);
+               id_value = tnc_id->get_identity_value(tnc_id);
+               subject_type = tnc_id->get_subject_type(tnc_id);
+               auth_type = tnc_id->get_auth_type(tnc_id);
+
+               tcg_id_type = (subject_type.vendor_id == PEN_TCG) ?
+                                                       id_type.type : TNC_SUBJECT_UNKNOWN;
+               tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ?
+                                                       subject_type.type : TNC_SUBJECT_UNKNOWN;
+               tcg_auth_type =    (auth_type.vendor_id == PEN_TCG) ?
+                                                       auth_type.type : TNC_AUTH_UNKNOWN;
+
+               DBG2(DBG_IMV, "  %N AR identity '%.*s' of type %N authenticated by %N",
+                        TNC_Subject_names, tcg_subject_type,
+                        id_value.len, id_value.ptr,
+                        TNC_Identity_names, tcg_id_type,
+                        TNC_Authentication_names, tcg_auth_type);
+       }
+       enumerator->destroy(enumerator);
+
        /* create a new session entry */
        created = time(NULL);
-       session = imv_session_create(conn_id, created, ar_id_type, ar_id_value);
+       session = imv_session_create(conn_id, created, ar_identities);
        this->sessions->insert_last(this->sessions, session);
 
        this->mutex->unlock(this->mutex);
index 8a733ac..cfae23b 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Andreas Steffen
+ * Copyright (C) 2014-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -39,13 +39,12 @@ struct imv_session_manager_t {
         * Create or get a session associated with a TNCCS connection
         *
         * @param conn_id               TNCCS Connection ID
-        * @param ar_id_type    Access Requestor identity type
-        * @param ar_id_value   Access Requestor identity value
+        * @param ar_identities List of Access Requestor identities
         * @return                              Session associated with TNCCS Connection
         */
         imv_session_t* (*add_session)(imv_session_manager_t *this,
                                                                   TNC_ConnectionID conn_id,
-                                                                  uint32_t ar_id_type, chunk_t ar_id_value);
+                                                                  linked_list_t *ar_identities);
 
        /**
         * Remove a session
index 47ee41c..cf50742 100644 (file)
@@ -99,6 +99,14 @@ CREATE TABLE `sessions` (
   `rec` INTEGER DEFAULT 3
 );
 
+DROP TABLE IF EXISTS `sessions_identities`;
+CREATE TABLE `sessions_identities` (
+  `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
+  `session_id` INTEGER NOT NULL REFERENCES `sessions`(`id`),
+  `identity_id` INTEGER NOT NULL REFERENCES `identities`(`id`),
+  UNIQUE (`session_id`, `identity_id`)
+);
+
 DROP TABLE IF EXISTS `workitems`;
 CREATE TABLE `workitems` (
   `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT,
index f732489..5c2a656 100644 (file)
@@ -104,6 +104,14 @@ CREATE TABLE sessions (
   rec INTEGER DEFAULT 3
 );
 
+DROP TABLE IF EXISTS sessions_identities;
+CREATE TABLE sessions_identities (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  session_id INTEGER NOT NULL REFERENCES sessions(id),
+  identity_id INTEGER NOT NULL REFERENCES identities(id),
+  UNIQUE (session_id, identity_id)
+);
+
 DROP TABLE IF EXISTS workitems;
 CREATE TABLE workitems (
   id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
index b8683f7..30e5052 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -169,8 +169,8 @@ METHOD(tnccs_manager_t, remove_method, void,
 
 METHOD(tnccs_manager_t, create_instance, tnccs_t*,
        private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server,
-       identification_t *server, identification_t *peer, tnc_ift_type_t transport,
-       tnccs_cb_t cb)
+       identification_t *server_id, identification_t *peer_id, host_t *server_ip,
+       host_t *peer_ip, tnc_ift_type_t transport, tnccs_cb_t cb)
 {
        enumerator_t *enumerator;
        tnccs_entry_t *entry;
@@ -182,7 +182,8 @@ METHOD(tnccs_manager_t, create_instance, tnccs_t*,
        {
                if (type == entry->type)
                {
-                       protocol = entry->constructor(is_server, server, peer, transport, cb);
+                       protocol = entry->constructor(is_server, server_id, peer_id,
+                                                                                 server_ip, peer_ip, transport, cb);
                        if (protocol)
                        {
                                break;
@@ -716,7 +717,8 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
                case TNC_ATTRIBUTEID_AR_IDENTITIES:
                {
                        linked_list_t *list;
-                       identification_t *peer;
+                       identification_t *peer_id;
+                       host_t *peer_ip;
                        tnccs_t *tnccs;
                        tncif_identity_t *tnc_id;
                        u_int32_t id_type, subject_type;
@@ -726,10 +728,11 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 
                        list = linked_list_create();
                        tnccs = entry->tnccs;
-                       peer = tnccs->tls.get_peer_id(&tnccs->tls);
-                       if (peer)
+
+                       peer_id = tnccs->tls.get_peer_id(&tnccs->tls);
+                       if (peer_id)
                        {
-                               switch (peer->get_type(peer))
+                               switch (peer_id->get_type(peer_id))
                                {
                                        case ID_IPV4_ADDR:
                                                id_type = TNC_ID_IPV4_ADDR;
@@ -756,7 +759,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
                                                subject_type = TNC_SUBJECT_UNKNOWN;
                                }
                                if (id_type != TNC_ID_UNKNOWN &&
-                                       asprintf(&id_str, "%Y", peer) >= 0)
+                                       asprintf(&id_str, "%Y", peer_id) >= 0)
                                {
                                        id_value = chunk_from_str(id_str);
                                        tnc_id = tncif_identity_create(
@@ -767,6 +770,33 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
                                        list->insert_last(list, tnc_id);
                                }
                        }
+
+                       peer_ip = tnccs->get_peer_ip(tnccs);
+                       if (peer_ip)
+                       {
+                               switch (peer_ip->get_family(peer_ip))
+                               {
+                                       case AF_INET:
+                                               id_type = TNC_ID_IPV4_ADDR;
+                                               break;
+                                       case AF_INET6:
+                                               id_type = TNC_ID_IPV6_ADDR;
+                                               break;
+                                       default:
+                                               id_type = TNC_ID_UNKNOWN;
+                               }
+
+                               if (id_type != TNC_ID_UNKNOWN &&
+                                       asprintf(&id_str, "%H", peer_ip) >= 0)
+                               {
+                                       id_value = chunk_from_str(id_str);
+                                       tnc_id = tncif_identity_create(
+                                                               pen_type_create(PEN_TCG, id_type), id_value,
+                                                               pen_type_create(PEN_TCG, TNC_SUBJECT_MACHINE),
+                                                               pen_type_create(PEN_TCG, TNC_AUTH_UNKNOWN));
+                                       list->insert_last(list, tnc_id);
+                               }
+                       }
                        result = identity_attribute(buffer_len, buffer, value_len, list);
                        list->destroy_offset(list, offsetof(tncif_identity_t, destroy));
                        return result;
index 28c5e52..0918a2b 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -54,12 +54,22 @@ struct private_tnccs_11_t {
        /**
         * Server identity
         */
-       identification_t *server;
+       identification_t *server_id;
 
        /**
         * Client identity
         */
-       identification_t *peer;
+       identification_t *peer_id;
+
+       /**
+        * Server IP address
+        */
+       host_t *server_ip;
+
+       /**
+        * Client IP address
+        */
+       host_t *peer_ip;
 
        /**
         * Underlying TNC IF-T transport protocol
@@ -527,20 +537,20 @@ METHOD(tls_t, is_server, bool,
 METHOD(tls_t, get_server_id, identification_t*,
        private_tnccs_11_t *this)
 {
-       return this->server;
+       return this->server_id;
 }
 
 METHOD(tls_t, set_peer_id, void,
        private_tnccs_11_t *this, identification_t *id)
 {
-       DESTROY_IF(this->peer);
-       this->peer = id->clone(id);
+       DESTROY_IF(this->peer_id);
+       this->peer_id = id->clone(id);
 }
 
 METHOD(tls_t, get_peer_id, identification_t*,
        private_tnccs_11_t *this)
 {
-       return this->peer;
+       return this->peer_id;
 }
 
 METHOD(tls_t, get_purpose, tls_purpose_t,
@@ -578,14 +588,28 @@ METHOD(tls_t, destroy, void,
        {
                tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id,
                                                                                                  this->is_server);
-               this->server->destroy(this->server);
-               this->peer->destroy(this->peer);
+               this->server_id->destroy(this->server_id);
+               this->peer_id->destroy(this->peer_id);
+               this->server_ip->destroy(this->server_ip);
+               this->peer_ip->destroy(this->peer_ip);
                this->mutex->destroy(this->mutex);
                DESTROY_IF(this->batch);
                free(this);
        }
 }
 
+METHOD(tnccs_t, get_server_ip, host_t*,
+       private_tnccs_11_t *this)
+{
+       return this->server_ip;
+}
+
+METHOD(tnccs_t, get_peer_ip, host_t*,
+       private_tnccs_11_t *this)
+{
+       return this->peer_ip;
+}
+
 METHOD(tnccs_t, get_transport, tnc_ift_type_t,
        private_tnccs_11_t *this)
 {
@@ -628,9 +652,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*,
 /**
  * See header
  */
-tnccs_t* tnccs_11_create(bool is_server,
-                                                identification_t *server, identification_t *peer,
-                                                tnc_ift_type_t transport, tnccs_cb_t cb)
+tnccs_t* tnccs_11_create(bool is_server, identification_t *server_id,
+                                                identification_t *peer_id, host_t *server_ip,
+                                                host_t *peer_ip, tnc_ift_type_t transport,
+                                                tnccs_cb_t cb)
 {
        private_tnccs_11_t *this;
 
@@ -648,6 +673,8 @@ tnccs_t* tnccs_11_create(bool is_server,
                                .get_eap_msk = _get_eap_msk,
                                .destroy = _destroy,
                        },
+                       .get_server_ip = _get_server_ip,
+                       .get_peer_ip = _get_peer_ip,
                        .get_transport = _get_transport,
                        .set_transport = _set_transport,
                        .get_auth_type = _get_auth_type,
@@ -656,8 +683,10 @@ tnccs_t* tnccs_11_create(bool is_server,
                        .get_ref = _get_ref,
                },
                .is_server = is_server,
-               .server = server->clone(server),
-               .peer = peer->clone(peer),
+               .server_id = server_id->clone(server_id),
+               .peer_id = peer_id->clone(peer_id),
+               .server_ip = server_ip->clone(server_ip),
+               .peer_ip = peer_ip->clone(peer_ip),
                .transport = transport,
                .callback = cb,
                .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
index e805df8..60d5518 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * Create an instance of the TNC IF-TNCCS 1.1 protocol handler.
  *
  * @param is_server            TRUE to act as TNC Server, FALSE for TNC Client
- * @param server               Server identity
- * @param peer                 Client identity
+ * @param server_id            Server identity
+ * @param peer_id              Client identity
+ * @param server_ip            Server IP address
+ * @param peer_ip              Client IP address
  * @param transport            Underlying IF-T transport protocol
  * @param cb                   Callback function if TNC Server, NULL if TNC Client
  * @return                             TNC_IF_TNCCS 1.1 protocol stack
  */
-tnccs_t* tnccs_11_create(bool is_server,
-                                                identification_t *server, identification_t *peer,
-                                                tnc_ift_type_t transport, tnccs_cb_t cb);
+tnccs_t* tnccs_11_create(bool is_server, identification_t *server_id,
+                                                identification_t *peer_id, host_t *server_ip,
+                                                host_t *peer_ip, tnc_ift_type_t transport,
+                                                tnccs_cb_t cb);
 
 #endif /** TNCCS_11_H_ @}*/
index dc4da51..9977714 100644 (file)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010 Sansar Choinyanbuu
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -60,12 +60,22 @@ struct private_tnccs_20_t {
        /**
         * Server identity
         */
-       identification_t *server;
+       identification_t *server_id;
 
        /**
         * Client identity
         */
-       identification_t *peer;
+       identification_t *peer_id;
+
+       /**
+        * Server IP address
+        */
+       host_t *server_ip;
+
+       /**
+        * Client IP address
+        */
+       host_t *peer_ip;
 
        /**
         * Underlying TNC IF-T transport protocol
@@ -923,20 +933,20 @@ METHOD(tls_t, is_server, bool,
 METHOD(tls_t, get_server_id, identification_t*,
        private_tnccs_20_t *this)
 {
-       return this->server;
+       return this->server_id;
 }
 
 METHOD(tls_t, set_peer_id, void,
        private_tnccs_20_t *this, identification_t *id)
 {
-       DESTROY_IF(this->peer);
-       this->peer = id->clone(id);
+       DESTROY_IF(this->peer_id);
+       this->peer_id = id->clone(id);
 }
 
 METHOD(tls_t, get_peer_id, identification_t*,
        private_tnccs_20_t *this)
 {
-       return this->peer;
+       return this->peer_id;
 }
 
 METHOD(tls_t, get_purpose, tls_purpose_t,
@@ -974,8 +984,10 @@ METHOD(tls_t, destroy, void,
        {
                tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id,
                                                                                                  this->is_server);
-               this->server->destroy(this->server);
-               this->peer->destroy(this->peer);
+               this->server_id->destroy(this->server_id);
+               this->peer_id->destroy(this->peer_id);
+               this->server_ip->destroy(this->server_ip);
+               this->peer_ip->destroy(this->peer_ip);
                this->state_machine->destroy(this->state_machine);
                this->mutex->destroy(this->mutex);
                this->messages->destroy_offset(this->messages,
@@ -985,6 +997,18 @@ METHOD(tls_t, destroy, void,
        }
 }
 
+METHOD(tnccs_t, get_server_ip, host_t*,
+       private_tnccs_20_t *this)
+{
+       return this->server_ip;
+}
+
+METHOD(tnccs_t, get_peer_ip, host_t*,
+       private_tnccs_20_t *this)
+{
+       return this->peer_ip;
+}
+
 METHOD(tnccs_t, get_transport, tnc_ift_type_t,
        private_tnccs_20_t *this)
 {
@@ -1027,9 +1051,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*,
 /**
  * See header
  */
-tnccs_t* tnccs_20_create(bool is_server,
-                                                identification_t *server, identification_t *peer,
-                                                tnc_ift_type_t transport, tnccs_cb_t cb)
+tnccs_t* tnccs_20_create(bool is_server, identification_t *server_id,
+                                                identification_t *peer_id, host_t *server_ip,
+                                                host_t *peer_ip, tnc_ift_type_t transport,
+                                                tnccs_cb_t cb)
 {
        private_tnccs_20_t *this;
        size_t max_batch_size, default_max_batch_size;
@@ -1079,6 +1104,8 @@ tnccs_t* tnccs_20_create(bool is_server,
                                .get_eap_msk = _get_eap_msk,
                                .destroy = _destroy,
                        },
+                       .get_server_ip = _get_server_ip,
+                       .get_peer_ip = _get_peer_ip,
                        .get_transport = _get_transport,
                        .set_transport = _set_transport,
                        .get_auth_type = _get_auth_type,
@@ -1087,8 +1114,10 @@ tnccs_t* tnccs_20_create(bool is_server,
                        .get_ref = _get_ref,
                },
                .is_server = is_server,
-               .server = server->clone(server),
-               .peer = peer->clone(peer),
+               .server_id = server_id->clone(server_id),
+               .peer_id = peer_id->clone(peer_id),
+               .server_ip = server_ip->clone(server_ip),
+               .peer_ip = peer_ip->clone(peer_ip),
                .transport = transport,
                .callback = cb,
                .state_machine = pb_tnc_state_machine_create(is_server),
index 2857b14..010cbec 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * Create an instance of the TNC IF-TNCCS 2.0 protocol handler.
  *
  * @param is_server            TRUE to act as TNC Server, FALSE for TNC Client
- * @param server               Server identity
- * @param peer                 Client identity
+ * @param server_id            Server identity
+ * @param peer_id              Client identity
+ * @param server_ip            Server IP address
+ * @param peer_ip              Client IP address
  * @param transport            Underlying IF-T transport protocol
  * @param cb                   Callback function if TNC Server, NULL if TNC Client
  * @return                             TNC_IF_TNCCS 2.0 protocol stack
  */
-tnccs_t* tnccs_20_create(bool is_server,
-                                                identification_t *server, identification_t *peer,
-                                                tnc_ift_type_t transport, tnccs_cb_t cb);
+tnccs_t* tnccs_20_create(bool is_server, identification_t *server_id,
+                                                identification_t *peer_id, host_t *server_ip,
+                                                host_t *peer_ip, tnc_ift_type_t transport,
+                                                tnccs_cb_t cb);
 
 #endif /** TNCCS_20_H_ @}*/
index e08236e..44b804f 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2013 Andreas Steffen
+ * Copyright (C) 2011-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -34,12 +34,22 @@ struct private_tnccs_dynamic_t {
        /**
         * Server identity
         */
-       identification_t *server;
+       identification_t *server_id;
 
        /**
         * Client identity
         */
-       identification_t *peer;
+       identification_t *peer_id;
+
+       /**
+        * Server IP address
+        */
+       host_t *server_ip;
+
+       /**
+        * Client IP address
+        */
+       host_t *peer_ip;
 
        /**
         * Detected TNC IF-TNCCS stack
@@ -109,8 +119,8 @@ METHOD(tls_t, process, status_t,
                DBG1(DBG_TNC, "%N protocol detected dynamically",
                                           tnccs_type_names, type);
                tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE,
-                                                       this->server, this->peer, this->transport,
-                                                       this->callback);
+                                                       this->server_id, this->peer_id, this->server_ip,
+                                                       this->peer_ip, this->transport, this->callback);
                if (!tnccs)
                {
                        DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);
@@ -137,14 +147,14 @@ METHOD(tls_t, is_server, bool,
 METHOD(tls_t, get_server_id, identification_t*,
        private_tnccs_dynamic_t *this)
 {
-       return this->server;
+       return this->server_id;
 }
 
 METHOD(tls_t, set_peer_id, void,
        private_tnccs_dynamic_t *this, identification_t *id)
 {
-       DESTROY_IF(this->peer);
-       this->peer = id->clone(id);
+       DESTROY_IF(this->peer_id);
+       this->peer_id = id->clone(id);
        if (this->tls)
        {
                this->tls->set_peer_id(this->tls, id);
@@ -154,7 +164,7 @@ METHOD(tls_t, set_peer_id, void,
 METHOD(tls_t, get_peer_id, identification_t*,
        private_tnccs_dynamic_t *this)
 {
-       return this->peer;
+       return this->peer_id;
 }
 
 METHOD(tls_t, get_purpose, tls_purpose_t,
@@ -181,12 +191,26 @@ METHOD(tls_t, destroy, void,
        if (ref_put(&this->ref))
        {
                DESTROY_IF(this->tls);
-               this->server->destroy(this->server);
-               this->peer->destroy(this->peer);
+               this->server_id->destroy(this->server_id);
+               this->peer_id->destroy(this->peer_id);
+               this->server_ip->destroy(this->server_ip);
+               this->peer_ip->destroy(this->peer_ip);
                free(this);
        }
 }
 
+METHOD(tnccs_t, get_server_ip, host_t*,
+       private_tnccs_dynamic_t *this)
+{
+       return this->server_ip;
+}
+
+METHOD(tnccs_t, get_peer_ip, host_t*,
+       private_tnccs_dynamic_t *this)
+{
+       return this->peer_ip;
+}
+
 METHOD(tnccs_t, get_transport, tnc_ift_type_t,
        private_tnccs_dynamic_t *this)
 {
@@ -229,9 +253,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*,
 /**
  * See header
  */
-tnccs_t* tnccs_dynamic_create(bool is_server,
-                                                         identification_t *server, identification_t *peer,
-                                                         tnc_ift_type_t transport, tnccs_cb_t cb)
+tnccs_t* tnccs_dynamic_create(bool is_server, identification_t *server_id,
+                                                         identification_t *peer_id, host_t *server_ip,
+                                                         host_t *peer_ip, tnc_ift_type_t transport,
+                                                         tnccs_cb_t cb)
 {
        private_tnccs_dynamic_t *this;
 
@@ -249,6 +274,8 @@ tnccs_t* tnccs_dynamic_create(bool is_server,
                                .get_eap_msk = _get_eap_msk,
                                .destroy = _destroy,
                        },
+                       .get_server_ip = _get_server_ip,
+                       .get_peer_ip = _get_peer_ip,
                        .get_transport = _get_transport,
                        .set_transport = _set_transport,
                        .get_auth_type = _get_auth_type,
@@ -256,8 +283,10 @@ tnccs_t* tnccs_dynamic_create(bool is_server,
                        .get_pdp_server = _get_pdp_server,
                        .get_ref = _get_ref,
                },
-               .server = server->clone(server),
-               .peer = peer->clone(peer),
+               .server_id = server_id->clone(server_id),
+               .peer_id = peer_id->clone(peer_id),
+               .server_ip = server_ip->clone(server_ip),
+               .peer_ip = peer_ip->clone(peer_ip),
                .transport = transport,
                .callback = cb,
                .ref = 1,
index cbdc80b..2e11417 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2013 Andreas Steffen
+ * Copyright (C) 2011-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * Create an instance of a dynamic TNC IF-TNCCS protocol handler.
  *
  * @param is_server            TRUE to act as TNC Server, FALSE for TNC Client
- * @param server               Server identity
- * @param peer                 Client identity
+ * @param server_id            Server identity
+ * @param peer_id              Client identity
+ * @param server_ip            Server IP address
+ * @param peer_ip              Client IP address
  * @param transport            Underlying IF-T transport protocol
  * @param cb                   Callback function if TNC Server, NULL if TNC Client
  * @return                             dynamic TNC IF-TNCCS protocol stack
  */
-tnccs_t* tnccs_dynamic_create(bool is_server,
-                                                         identification_t *server, identification_t *peer,
-                                                         tnc_ift_type_t transport, tnccs_cb_t cb);
+tnccs_t* tnccs_dynamic_create(bool is_server, identification_t *server_id,
+                                                         identification_t *peer_id, host_t *server_ip,
+                                                         host_t *peer_ip, tnc_ift_type_t transport,
+                                                         tnccs_cb_t cb);
 
 #endif /** TNCCS_DYNAMIC_H_ @}*/
index eefd556..6e3290d 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -87,6 +87,20 @@ struct tnccs_t {
        tls_t tls;
 
        /**
+        * Get server IP address
+        *
+        * @return                              Server IP address
+        */
+       host_t* (*get_server_ip)(tnccs_t *this);
+
+       /**
+        * Get peer IP address
+        *
+        * @return                              Peer IP address
+        */
+       host_t* (*get_peer_ip)(tnccs_t *this);
+
+       /**
         * Get underlying TNC IF-T transport protocol
         *
         * @return                              TNC IF-T transport protocol
@@ -135,15 +149,19 @@ struct tnccs_t {
  * Constructor definition for a pluggable TNCCS protocol implementation.
  *
  * @param is_server            TRUE if TNC Server, FALSE if TNC Client
- * @param server               Server identity
- * @param peer                 Client identity
+ * @param server_id            Server identity
+ * @param peer_id              Client identity
+ * @param server_ip            Server IP address
+ * @param peer_ip              Client IP address
  * @param transport            Underlying TNC IF-T transport protocol used
  * @param cb                   Callback function if TNC Server, NULL if TNC Client
  * @return                             implementation of the tnccs_t interface
  */
 typedef tnccs_t *(*tnccs_constructor_t)(bool is_server,
-                                                                               identification_t *server,
-                                                                               identification_t *peer,
+                                                                               identification_t *server_id,
+                                                                               identification_t *peer_id,
+                                                                               host_t *server_ip,
+                                                                               host_t *peer_ip,
                                                                                tnc_ift_type_t transport,
                                                                                tnccs_cb_t cb);
 
index 791336e..b5c85f3 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2013 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -56,16 +56,19 @@ struct tnccs_manager_t {
         *
         * @param type            type of the TNCCS protocol
         * @param is_server       TRUE if TNC Server, FALSE if TNC Client
-        * @param server          Server identity
-        * @param peer            Client identity
+        * @param server_id       Server identity
+        * @param peer_id         Client identity
+        * @param server_ip       Server IP address
+        * @param peer_ip         Client IP address
         * @param transport       Underlying TNC IF-T transport protocol used
         * @param cb              Callback function if TNC Server, NULL if TNC Client
         * @return                        TNCCS protocol instance, NULL if no constructor found
         */
        tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type,
-                                                               bool is_server, identification_t *server,
-                                                               identification_t *peer,
-                                                               tnc_ift_type_t transport, tnccs_cb_t cb);
+                                                               bool is_server, identification_t *server_id,
+                                                               identification_t *peer_id, host_t *server_ip,
+                                                               host_t *peer_ip, tnc_ift_type_t transport,
+                                                               tnccs_cb_t cb);
 
        /**
         * Create a TNCCS connection and assign a unique connection ID as well a
index ac948c8..b348c54 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2015 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -46,6 +46,18 @@ ENUM(TNC_IMV_Evaluation_Result_names,
        "don't know"
 );
 
+ENUM(TNC_Identity_names,
+       TNC_ID_UNKNOWN,
+       TNC_ID_X500_DN,
+       "unknown",
+       "IPv4 address",
+       "IPv6 address",
+       "FQDN",
+       "email address",
+       "username",
+       "X.500 DN"
+);
+
 ENUM(TNC_Subject_names,
        TNC_SUBJECT_UNKNOWN,
        TNC_SUBJECT_USER,
index 75458f9..64dd14f 100644 (file)
@@ -1,5 +1,6 @@
 /*
- * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ * Copyright (C) 2011-2015 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the
@@ -30,6 +31,7 @@
 extern enum_name_t *TNC_Connection_State_names;
 extern enum_name_t *TNC_IMV_Action_Recommendation_names;
 extern enum_name_t *TNC_IMV_Evaluation_Result_names;
+extern enum_name_t *TNC_Identity_names;
 extern enum_name_t *TNC_Subject_names;
 extern enum_name_t *TNC_Authentication_names;
 
index a8d45b5..bf26e3a 100644 (file)
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2010-2013 Martin Willi, revosec AG
- * Copyright (C) 2013-2014 Andreas Steffen
+ * Copyright (C) 2013-2015 Andreas Steffen
  * HSR Hochschule für Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -54,32 +54,44 @@ static int client(char *address, u_int16_t port, char *identity)
 {
        pt_tls_client_t *assessment;
        tls_t *tnccs;
-       identification_t *server, *client;
-       host_t *host;
+       identification_t *server_id, *client_id;
+       host_t *server_ip, *client_ip;
        status_t status;
 
-       host = host_create_from_dns(address, AF_UNSPEC, port);
-       if (!host)
+       server_ip = host_create_from_dns(address, AF_UNSPEC, port);
+       if (!server_ip)
        {
                return 1;
        }
-       server = identification_create_from_string(address);
-       client = identification_create_from_string(identity);
+
+       client_ip = host_create_any(server_ip->get_family(server_ip));
+       if (!client_ip)
+       {
+               server_ip->destroy(server_ip);
+               return 1;
+       }
+       server_id = identification_create_from_string(address);
+       client_id = identification_create_from_string(identity);
+
        tnccs = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, FALSE,
-                                                               server, client, TNC_IFT_TLS_2_0, NULL);
+                                                               server_id, client_id, server_ip, client_ip,
+                                                               TNC_IFT_TLS_2_0, NULL);
+       client_ip->destroy(client_ip);
+
        if (!tnccs)
        {
                fprintf(stderr, "loading TNCCS failed: %s\n", PLUGINS);
-               host->destroy(host);
-               server->destroy(server);
-               client->destroy(client);
+               server_ip->destroy(server_ip);
+               server_id->destroy(server_id);
+               client_id->destroy(client_id);
                return 1;
        }
-       assessment = pt_tls_client_create(host, server, client);
+       assessment = pt_tls_client_create(server_ip, server_id, client_id);
        status = assessment->run_assessment(assessment, (tnccs_t*)tnccs);
        assessment->destroy(assessment);
        tnccs->destroy(tnccs);
-       return status;
+
+       return (status != SUCCESS);
 }