ADD_PLUGIN([tnc-ifmap], [c charon])
ADD_PLUGIN([tnc-pdp], [c charon])
ADD_PLUGIN([tnc-imc], [t charon])
-ADD_PLUGIN([tnc-imv], [c charon])
+ADD_PLUGIN([tnc-imv], [t charon])
ADD_PLUGIN([tnc-tnccs], [t charon])
ADD_PLUGIN([tnccs-20], [t charon])
ADD_PLUGIN([tnccs-11], [t charon])
src/libtnccs/Makefile
src/libtnccs/plugins/tnc_tnccs/Makefile
src/libtnccs/plugins/tnc_imc/Makefile
+ src/libtnccs/plugins/tnc_imv/Makefile
src/libtnccs/plugins/tnccs_11/Makefile
src/libtnccs/plugins/tnccs_20/Makefile
src/libtnccs/plugins/tnccs_dynamic/Makefile
src/libcharon/plugins/xauth_noauth/Makefile
src/libcharon/plugins/tnc_ifmap/Makefile
src/libcharon/plugins/tnc_pdp/Makefile
- src/libcharon/plugins/tnc_imv/Makefile
src/libcharon/plugins/socket_default/Makefile
src/libcharon/plugins/socket_dynamic/Makefile
src/libcharon/plugins/farp/Makefile
.BR charon.plugins.tnc-ifmap.username_password
Credentials of IF-MAP client of the form username:password
.TP
-.BR charon.plugins.tnc-imv.dlclose " [yes]"
-Unload IMV after use
-.TP
.BR charon.plugins.tnc-pdp.pt_tls.port " [271]"
PT-TLS server port the strongSwan PDP is listening on
.TP
.PP
.SS libtnccs plugins section
.TP
-.BR charon.plugins.tnccs-11.max_message_size " [45000]"
+.BR libtnccs.plugins.tnccs-11.max_message_size " [45000]"
Maximum size of a PA-TNC message (XML & Base64 encoding)
.TP
-.BR charon.plugins.tnccs-20.max_batch_size " [65522]"
+.BR libtnccs.plugins.tnccs-20.max_batch_size " [65522]"
Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
.TP
-.BR charon.plugins.tnccs-20.max_message_size " [65490]"
+.BR libtnccs.plugins.tnccs-20.max_message_size " [65490]"
Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
.TP
-.BR charon.plugins.tnc-imc.dlclose " [yes]"
+.BR libtnccs.plugins.tnc-imc.dlclose " [yes]"
Unload IMC after use
.TP
-.BR charon.plugins.tnc-imc.preferred_language " [en]"
+.BR libtnccs.plugins.tnc-imc.preferred_language " [en]"
Preferred language for TNC recommendations
+.TP
+.BR libtnccs.plugins.tnc-imv.dlclose " [yes]"
+Unload IMV after use
.SS libimcv section
.TP
.BR libimcv.assessment_result " [yes]"
endif
endif
-if USE_TNC_IMV
- SUBDIRS += plugins/tnc_imv
-if MONOLITHIC
- libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc-imv.la
-endif
-endif
-
if USE_LIBTNCCS
if MONOLITHIC
# otherwise this library is linked to the respective plugins
#include <daemon.h>
#include <tncifimv.h>
+#include <tncif_names.h>
/**
* Maximum size of an EAP-TNC message
};
+/**
+ * Callback function to get recommendation from TNCCS connection
+ */
+static bool enforce_recommendation(TNC_IMV_Action_Recommendation rec,
+ TNC_IMV_Evaluation_Result eval)
+{
+ char *group;
+ identification_t *id;
+ ike_sa_t *ike_sa;
+ auth_cfg_t *auth;
+ bool no_access = FALSE;
+
+ DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
+ TNC_IMV_Action_Recommendation_names, rec,
+ TNC_IMV_Evaluation_Result_names, eval);
+
+ switch (rec)
+ {
+ case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+ group = "allow";
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+ group = "isolate";
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+ case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+ default:
+ group = "no access";
+ no_access = TRUE;
+ break;
+ }
+
+ ike_sa = charon->bus->get_sa(charon->bus);
+ if (!ike_sa)
+ {
+ DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA");
+ return FALSE;
+ }
+
+ id = ike_sa->get_other_id(ike_sa);
+ DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group);
+
+ if (no_access)
+ {
+ return FALSE;
+ }
+ else
+ {
+ auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+ id = identification_create_from_string(group);
+ auth->add(auth, AUTH_RULE_GROUP, id);
+ DBG1(DBG_TNC, "policy enforcement point added group membership '%s'",
+ group);
+ }
+ return TRUE;
+}
+
METHOD(eap_method_t, initiate, status_t,
private_eap_tnc_t *this, eap_payload_t **out)
{
free(this);
return NULL;
}
- this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server,
- server, peer, TNC_IFT_EAP_1_1);
+ this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type,
+ is_server, server, peer, TNC_IFT_EAP_1_1,
+ is_server ? enforce_recommendation : NULL);
this->tls_eap = tls_eap_create(EAP_TNC, &this->tnccs->tls,
EAP_TNC_MAX_MESSAGE_LEN,
max_msg_count, FALSE);
+++ /dev/null
-AM_CPPFLAGS = \
- -I$(top_srcdir)/src/libstrongswan \
- -I$(top_srcdir)/src/libhydra \
- -I$(top_srcdir)/src/libcharon \
- -I$(top_srcdir)/src/libtncif \
- -I$(top_srcdir)/src/libtnccs \
- -I$(top_srcdir)/src/libtls
-
-AM_CFLAGS = \
- -rdynamic
-
-if MONOLITHIC
-noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
-else
-plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
-libstrongswan_tnc_imv_la_LIBADD = \
- $(top_builddir)/src/libtncif/libtncif.la \
- $(top_builddir)/src/libtnccs/libtnccs.la
-endif
-
-libstrongswan_tnc_imv_la_SOURCES = \
- tnc_imv_plugin.h tnc_imv_plugin.c tnc_imv.h tnc_imv.c \
- tnc_imv_manager.h tnc_imv_manager.c tnc_imv_bind_function.c \
- tnc_imv_recommendations.h tnc_imv_recommendations.c
-
-libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
+++ /dev/null
-/*
- * Copyright (C) 2006 Mike McCauley
- * Copyright (C) 2010-2011 Andreas Steffen,
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "tnc_imv.h"
-
-#include <dlfcn.h>
-
-#include <tncif_pa_subtypes.h>
-
-#include <utils/debug.h>
-#include <daemon.h>
-#include <library.h>
-#include <collections/linked_list.h>
-#include <threading/mutex.h>
-
-typedef struct private_tnc_imv_t private_tnc_imv_t;
-
-/**
- * Private data of an imv_t object.
- */
-struct private_tnc_imv_t {
-
- /**
- * Public members of imv_t.
- */
- imv_t public;
-
- /**
- * Name of loaded IMV
- */
- char *name;
-
- /**
- * Handle of loaded IMV
- */
- void *handle;
-
- /**
- * ID of loaded IMV
- */
- TNC_IMVID id;
-
- /**
- * List of additional IMV IDs
- */
- linked_list_t *additional_ids;
-
- /**
- * List of message types supported by IMV - Vendor ID part
- */
- TNC_VendorIDList supported_vids;
-
- /**
- * List of message types supported by IMV - Subtype part
- */
- TNC_MessageSubtypeList supported_subtypes;
-
- /**
- * Number of supported message types
- */
- TNC_UInt32 type_count;
-
- /**
- * mutex to lock the imv_t object
- */
- mutex_t *mutex;
-};
-
-METHOD(imv_t, set_id, void,
- private_tnc_imv_t *this, TNC_IMVID id)
-{
- this->id = id;
-}
-
-METHOD(imv_t, get_id, TNC_IMVID,
- private_tnc_imv_t *this)
-{
- return this->id;
-}
-
-METHOD(imv_t, add_id, void,
- private_tnc_imv_t *this, TNC_IMVID id)
-{
- TNC_IMVID *new_id;
-
- new_id = malloc_thing(TNC_IMVID);
- *new_id = id;
- this->additional_ids->insert_last(this->additional_ids, new_id);
-}
-
-METHOD(imv_t, has_id, bool,
- private_tnc_imv_t *this, TNC_IMVID id)
-{
- enumerator_t *enumerator;
- TNC_IMVID *additional_id;
- bool found = FALSE;
-
- /* check primary IMV ID */
- if (id == this->id)
- {
- return TRUE;
- }
-
- /* return if there are no additional IMV IDs */
- if (this->additional_ids->get_count(this->additional_ids) == 0)
- {
- return FALSE;
- }
-
- /* check additional IMV IDs */
- enumerator = this->additional_ids->create_enumerator(this->additional_ids);
- while (enumerator->enumerate(enumerator, &additional_id))
- {
- if (id == *additional_id)
- {
- found = TRUE;
- break;
- }
- }
- enumerator->destroy(enumerator);
-
- return found;
-}
-
-METHOD(imv_t, get_name, char*,
- private_tnc_imv_t *this)
-{
- return this->name;
-}
-
-METHOD(imv_t, set_message_types, void,
- private_tnc_imv_t *this, TNC_MessageTypeList supported_types,
- TNC_UInt32 type_count)
-{
- char buf[BUF_LEN];
- char *pos = buf;
- int len = sizeof(buf);
- int i, written;
- size_t size;
- TNC_VendorID vid;
- TNC_MessageSubtype subtype;
- enum_name_t *pa_subtype_names;
-
- /* lock the imv_t instance */
- this->mutex->lock(this->mutex);
-
- /* Free existing VendorID and MessageSubtype lists */
- free(this->supported_vids);
- this->supported_vids = NULL;
- free(this->supported_subtypes);
- this->supported_subtypes = NULL;
-
- /* Store the new MessageType list */
- this->type_count = type_count;
- if (type_count && supported_types)
- {
- size = type_count * sizeof(TNC_VendorID);
- this->supported_vids = malloc(size);
- size = type_count * sizeof(TNC_MessageSubtype);
- this->supported_subtypes = malloc(size);
-
- for (i = 0; i < type_count; i++)
- {
- vid = (supported_types[i] >> 8) & TNC_VENDORID_ANY;
- subtype = supported_types[i] & TNC_SUBTYPE_ANY;
-
- pa_subtype_names = get_pa_subtype_names(vid);
- if (pa_subtype_names)
- {
- written = snprintf(pos, len," '%N/%N' 0x%06x/0x%02x",
- pen_names, vid, pa_subtype_names, subtype,
- vid, subtype);
- }
- else
- {
- written = snprintf(pos, len," '%N' 0x%06x/0x%02x",
- pen_names, vid, vid, subtype);
- }
- if (written >= len)
- {
- break;
- }
- pos += written;
- len -= written;
-
- this->supported_vids[i] = vid;
- this->supported_subtypes[i] = subtype;
- }
- }
- *pos = '\0';
- DBG2(DBG_TNC, "IMV %u supports %u message type%s:%s",
- this->id, type_count, (type_count == 1) ? "":"s", buf);
-
- /* unlock the imv_t instance */
- this->mutex->unlock(this->mutex);
-}
-
-METHOD(imv_t, set_message_types_long, void,
- private_tnc_imv_t *this, TNC_VendorIDList supported_vids,
- TNC_MessageSubtypeList supported_subtypes, TNC_UInt32 type_count)
-{
- char buf[BUF_LEN];
- char *pos = buf;
- int len = sizeof(buf);
- int i, written;
- size_t size;
- TNC_VendorID vid;
- TNC_MessageSubtype subtype;
- enum_name_t *pa_subtype_names;
-
- /* lock the imv_t instance */
- this->mutex->lock(this->mutex);
-
- /* Free existing VendorID and MessageSubtype lists */
- free(this->supported_vids);
- this->supported_vids = NULL;
- free(this->supported_subtypes);
- this->supported_subtypes = NULL;
-
- /* Store the new MessageType list */
- this->type_count = type_count;
- if (type_count && supported_vids && supported_subtypes)
- {
- size = type_count * sizeof(TNC_VendorID);
- this->supported_vids = malloc(size);
- memcpy(this->supported_vids, supported_vids, size);
- size = type_count * sizeof(TNC_MessageSubtype);
- this->supported_subtypes = malloc(size);
- memcpy(this->supported_subtypes, supported_subtypes, size);
-
- for (i = 0; i < type_count; i++)
- {
- vid = supported_vids[i];
- subtype = supported_subtypes[i];
-
- pa_subtype_names = get_pa_subtype_names(vid);
- if (pa_subtype_names)
- {
- written = snprintf(pos, len," '%N/%N' 0x%06x/0x%08x",
- pen_names, vid, pa_subtype_names, subtype,
- vid, subtype);
- }
- else
- {
- written = snprintf(pos, len," '%N' 0x%06x/0x%08x",
- pen_names, vid, vid, subtype);
- }
- if (written >= len)
- {
- break;
- }
- pos += written;
- len -= written;
- }
- }
- *pos = '\0';
- DBG2(DBG_TNC, "IMV %u supports %u message type%s:%s",
- this->id, type_count, (type_count == 1) ? "":"s", buf);
-
- /* unlock the imv_t instance */
- this->mutex->unlock(this->mutex);
-}
-
-METHOD(imv_t, type_supported, bool,
- private_tnc_imv_t *this, TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype)
-{
- TNC_VendorID vid;
- TNC_MessageSubtype subtype;
- int i;
-
- for (i = 0; i < this->type_count; i++)
- {
- vid = this->supported_vids[i];
- subtype = this->supported_subtypes[i];
-
- if ((vid == TNC_VENDORID_ANY && subtype == TNC_SUBTYPE_ANY) ||
- (vid == msg_vid && (subtype == TNC_SUBTYPE_ANY ||
- subtype == msg_subtype)))
- {
- return TRUE;
- }
- }
- return FALSE;
-}
-
-METHOD(imv_t, destroy, void,
- private_tnc_imv_t *this)
-{
- if (this->handle && lib->settings->get_bool(lib->settings,
- "%s.plugins.tnc-imv.dlclose", TRUE, charon->name))
- {
- dlclose(this->handle);
- }
- this->mutex->destroy(this->mutex);
- this->additional_ids->destroy_function(this->additional_ids, free);
- free(this->supported_vids);
- free(this->supported_subtypes);
- free(this->name);
- free(this);
-}
-
-/**
- * Generic constructor.
- */
-static private_tnc_imv_t* tnc_imv_create_empty(char *name)
-{
- private_tnc_imv_t *this;
-
- INIT(this,
- .public = {
- .set_id = _set_id,
- .get_id = _get_id,
- .add_id = _add_id,
- .has_id = _has_id,
- .get_name = _get_name,
- .set_message_types = _set_message_types,
- .set_message_types_long = _set_message_types_long,
- .type_supported = _type_supported,
- .destroy = _destroy,
- },
- .name = strdup(name),
- .additional_ids = linked_list_create(),
- .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
- );
-
- return this;
-}
-
-/**
- * Described in header.
- */
-imv_t* tnc_imv_create(char *name, char *path)
-{
- private_tnc_imv_t *this;
-
- this = tnc_imv_create_empty(name);
-
- this->handle = dlopen(path, RTLD_LAZY);
- if (!this->handle)
- {
- DBG1(DBG_TNC, "IMV \"%s\" failed to load: %s", name, dlerror());
- destroy(this);
- return NULL;
- }
-
- this->public.initialize = dlsym(this->handle, "TNC_IMV_Initialize");
- if (!this->public.initialize)
- {
- DBG1(DBG_TNC, "could not resolve TNC_IMV_Initialize in %s: %s\n",
- path, dlerror());
- destroy(this);
- return NULL;
- }
- this->public.notify_connection_change =
- dlsym(this->handle, "TNC_IMV_NotifyConnectionChange");
- this->public.solicit_recommendation =
- dlsym(this->handle, "TNC_IMV_SolicitRecommendation");
- if (!this->public.solicit_recommendation)
- {
- DBG1(DBG_TNC, "could not resolve TNC_IMV_SolicitRecommendation in %s: %s\n",
- path, dlerror());
- destroy(this);
- return NULL;
- }
- this->public.receive_message =
- dlsym(this->handle, "TNC_IMV_ReceiveMessage");
- this->public.receive_message_long =
- dlsym(this->handle, "TNC_IMV_ReceiveMessageLong");
- this->public.batch_ending =
- dlsym(this->handle, "TNC_IMV_BatchEnding");
- this->public.terminate =
- dlsym(this->handle, "TNC_IMV_Terminate");
- this->public.provide_bind_function =
- dlsym(this->handle, "TNC_IMV_ProvideBindFunction");
- if (!this->public.provide_bind_function)
- {
- DBG1(DBG_TNC, "could not resolve TNC_IMV_ProvideBindFunction in %s: %s\n",
- path, dlerror());
- destroy(this);
- return NULL;
- }
-
- return &this->public;
-}
-
-/**
- * Described in header.
- */
-imv_t* tnc_imv_create_from_functions(char *name,
- TNC_IMV_InitializePointer initialize,
- TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
- TNC_IMV_ReceiveMessagePointer receive_message,
- TNC_IMV_ReceiveMessageLongPointer receive_message_long,
- TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
- TNC_IMV_BatchEndingPointer batch_ending,
- TNC_IMV_TerminatePointer terminate,
- TNC_IMV_ProvideBindFunctionPointer provide_bind_function)
-{
- private_tnc_imv_t *this;
-
- this = tnc_imv_create_empty(name);
-
- this->public.initialize = initialize;
- this->public.notify_connection_change = notify_connection_change;
- this->public.receive_message = receive_message;
- this->public.receive_message_long = receive_message_long;
- this->public.solicit_recommendation = solicit_recommendation;
- this->public.batch_ending = batch_ending;
- this->public.terminate = terminate;
- this->public.provide_bind_function = provide_bind_function;
-
- return &this->public;
-}
+++ /dev/null
-/*
- * Copyright (C) 2010 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- *
- * @defgroup tnc_imv_t tnc_imv
- * @{ @ingroup tnc_imv
- */
-
-#ifndef TNC_IMV_H_
-#define TNC_IMV_H_
-
-#include <tnc/imv/imv.h>
-
-/**
- * Create an Integrity Measurement Verifier loaded from a library.
- *
- * @param name name of the IMV
- * @param filename path to the dynamic IMV library
- * @return instance of the imv_t interface
- */
-imv_t* tnc_imv_create(char *name, char *filename);
-
-/**
- * Create an Integrity Measurement Verifier from a set of IMV functions.
- *
- * @param name name of the IMV
- * @param initialize TNC_IMV_InitializePointer
- * @param notify_connection_change TNC_IMV_NotifyConnectionChangePointer
- * @param receive_message TNC_IMV_ReceiveMessagePointer
- * @param receive_message_long TNC_IMV_ReceiveMessageLongPointer
- * @param solicit_recommendation TNC_IMV_SolicitRecommendationPointer
- * @param batch_ending TNC_IMV_BatchEndingPointer
- * @param terminate TNC_IMV_TerminatePointer
- * @param provide_bind_function TNC_IMV_ProvideBindFunctionPointer
- * @return instance of the imv_t interface
- */
-imv_t* tnc_imv_create_from_functions(char *name,
- TNC_IMV_InitializePointer initialize,
- TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
- TNC_IMV_ReceiveMessagePointer receive_message,
- TNC_IMV_ReceiveMessageLongPointer receive_message_long,
- TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
- TNC_IMV_BatchEndingPointer batch_ending,
- TNC_IMV_TerminatePointer terminate,
- TNC_IMV_ProvideBindFunctionPointer provide_bind_function);
-
-#endif /** TNC_IMV_H_ @}*/
+++ /dev/null
-/*
- * Copyright (C) 2006 Mike McCauley
- * Copyright (C) 2010-2011 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <tnc/tnc.h>
-#include <tnc/imv/imv_manager.h>
-#include <tnc/tnccs/tnccs_manager.h>
-
-#include <utils/debug.h>
-
-/**
- * Called by the IMV to inform a TNCS about the set of message types the IMV
- * is able to receive
- */
-TNC_Result TNC_TNCS_ReportMessageTypes(TNC_IMVID imv_id,
- TNC_MessageTypeList supported_types,
- TNC_UInt32 type_count)
-{
- if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
- {
- DBG1(DBG_TNC, "ignoring ReportMessageTypes() from unregistered IMV %u",
- imv_id);
- return TNC_RESULT_INVALID_PARAMETER;
- }
- return tnc->imvs->set_message_types(tnc->imvs, imv_id, supported_types,
- type_count);
-}
-
-/**
- * Called by the IMV to inform a TNCS about the set of message types the IMV
- * is able to receive. This function supports long message types.
- */
-TNC_Result TNC_TNCS_ReportMessageTypesLong(TNC_IMVID imv_id,
- TNC_VendorIDList supported_vids,
- TNC_MessageSubtypeList supported_subtypes,
- TNC_UInt32 type_count)
-{
- if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
- {
- DBG1(DBG_TNC, "ignoring ReportMessageTypesLong() from unregistered IMV %u",
- imv_id);
- return TNC_RESULT_INVALID_PARAMETER;
- }
- return tnc->imvs->set_message_types_long(tnc->imvs, imv_id, supported_vids,
- supported_subtypes, type_count);
-}
-
-/**
- * Called by the IMV to ask a TNCS to retry an Integrity Check Handshake
- */
-TNC_Result TNC_TNCS_RequestHandshakeRetry(TNC_IMVID imv_id,
- TNC_ConnectionID connection_id,
- TNC_RetryReason reason)
-{
- if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
- {
- DBG1(DBG_TNC, "ignoring RequestHandshakeRetry() from unregistered IMV %u",
- imv_id);
- return TNC_RESULT_INVALID_PARAMETER;
- }
- return tnc->tnccs->request_handshake_retry(tnc->tnccs, FALSE, imv_id,
- connection_id, reason);
-}
-
-/**
- * Called by the IMV when an IMV-IMC message is to be sent
- */
-TNC_Result TNC_TNCS_SendMessage(TNC_IMVID imv_id,
- TNC_ConnectionID connection_id,
- TNC_BufferReference msg,
- TNC_UInt32 msg_len,
- TNC_MessageType msg_type)
-{
- TNC_VendorID msg_vid;
- TNC_MessageSubtype msg_subtype;
-
- if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
- {
- DBG1(DBG_TNC, "ignoring SendMessage() from unregistered IMV %u",
- imv_id);
- return TNC_RESULT_INVALID_PARAMETER;
- }
- msg_vid = (msg_type >> 8) & TNC_VENDORID_ANY;
- msg_subtype = msg_type & TNC_SUBTYPE_ANY;
-
- return tnc->tnccs->send_message(tnc->tnccs, TNC_IMCID_ANY, imv_id,
- connection_id, 0, msg, msg_len, msg_vid, msg_subtype);
-}
-
-/**
- * Called by the IMV when an IMV-IMC message is to be sent over IF-TNCCS 2.0
- */
-TNC_Result TNC_TNCS_SendMessageLong(TNC_IMVID imv_id,
- TNC_ConnectionID connection_id,
- TNC_UInt32 msg_flags,
- TNC_BufferReference msg,
- TNC_UInt32 msg_len,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype,
- TNC_UInt32 imc_id)
-{
- if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
- {
- DBG1(DBG_TNC, "ignoring SendMessageLong() from unregistered IMV %u",
- imv_id);
- return TNC_RESULT_INVALID_PARAMETER;
- }
- return tnc->tnccs->send_message(tnc->tnccs, imc_id, imv_id, connection_id,
- msg_flags, msg, msg_len, msg_vid, msg_subtype);
-}
-
-/**
- * Called by the IMV to deliver its IMV Action Recommendation and IMV Evaluation
- * Result to the TNCS
- */
-TNC_Result TNC_TNCS_ProvideRecommendation(TNC_IMVID imv_id,
- TNC_ConnectionID connection_id,
- TNC_IMV_Action_Recommendation recommendation,
- TNC_IMV_Evaluation_Result evaluation)
-{
- if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
- {
- DBG1(DBG_TNC, "ignoring ProvideRecommendation() from unregistered IMV %u",
- imv_id);
- return TNC_RESULT_INVALID_PARAMETER;
- }
- return tnc->tnccs->provide_recommendation(tnc->tnccs, imv_id, connection_id,
- recommendation, evaluation);
-}
-
-/**
- * Called by the IMV to get the value of an attribute associated with a
- * connection or with the TNCS as a whole.
- */
-TNC_Result TNC_TNCS_GetAttribute(TNC_IMVID imv_id,
- TNC_ConnectionID connection_id,
- TNC_AttributeID attribute_id,
- TNC_UInt32 buffer_len,
- TNC_BufferReference buffer,
- TNC_UInt32 *out_value_len)
-{
- if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
- {
- DBG1(DBG_TNC, "ignoring GetAttribute() from unregistered IMV %u",
- imv_id);
- return TNC_RESULT_INVALID_PARAMETER;
- }
- return tnc->tnccs->get_attribute(tnc->tnccs, FALSE, imv_id, connection_id,
- attribute_id, buffer_len, buffer, out_value_len);
-}
-
-/**
- * Called by the IMV to set the value of an attribute associated with a
- * connection or with the TNCS as a whole.
- */
-TNC_Result TNC_TNCS_SetAttribute(TNC_IMVID imv_id,
- TNC_ConnectionID connection_id,
- TNC_AttributeID attribute_id,
- TNC_UInt32 buffer_len,
- TNC_BufferReference buffer)
-{
- if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
- {
- DBG1(DBG_TNC, "ignoring SetAttribute() from unregistered IMV %u",
- imv_id);
- return TNC_RESULT_INVALID_PARAMETER;
- }
- return tnc->tnccs->set_attribute(tnc->tnccs, FALSE, imv_id, connection_id,
- attribute_id, buffer_len, buffer);
-}
-
-/**
- * Called by the IMV when it wants to reserve an additional IMV ID for itself
- */
-TNC_Result TNC_TNCS_ReserveAdditionalIMVID(TNC_IMVID imv_id, TNC_UInt32 *new_id)
-{
- if (tnc->imvs->reserve_id(tnc->imvs, imv_id, new_id))
- {
- return TNC_RESULT_SUCCESS;
- }
- DBG1(DBG_TNC, "ignoring ReserveAdditionalIMVID() from unregistered IMV %u",
- imv_id);
- return TNC_RESULT_INVALID_PARAMETER;
-}
-
-/**
- * Called by the IMV when it needs a function pointer
- */
-TNC_Result TNC_TNCS_BindFunction(TNC_IMVID id,
- char *function_name,
- void **function_pointer)
-{
- if (streq(function_name, "TNC_TNCS_ReportMessageTypes"))
- {
- *function_pointer = (void*)TNC_TNCS_ReportMessageTypes;
- }
- else if (streq(function_name, "TNC_TNCS_ReportMessageTypesLong"))
- {
- *function_pointer = (void*)TNC_TNCS_ReportMessageTypesLong;
- }
- else if (streq(function_name, "TNC_TNCS_RequestHandshakeRetry"))
- {
- *function_pointer = (void*)TNC_TNCS_RequestHandshakeRetry;
- }
- else if (streq(function_name, "TNC_TNCS_SendMessage"))
- {
- *function_pointer = (void*)TNC_TNCS_SendMessage;
- }
- else if (streq(function_name, "TNC_TNCS_SendMessageLong"))
- {
- *function_pointer = (void*)TNC_TNCS_SendMessageLong;
- }
- else if (streq(function_name, "TNC_TNCS_ProvideRecommendation"))
- {
- *function_pointer = (void*)TNC_TNCS_ProvideRecommendation;
- }
- else if (streq(function_name, "TNC_TNCS_GetAttribute"))
- {
- *function_pointer = (void*)TNC_TNCS_GetAttribute;
- }
- else if (streq(function_name, "TNC_TNCS_SetAttribute"))
- {
- *function_pointer = (void*)TNC_TNCS_SetAttribute;
- }
- else if (streq(function_name, "TNC_TNCS_ReserveAdditionalIMVID"))
- {
- *function_pointer = (void*)TNC_TNCS_ReserveAdditionalIMVID;
- }
- else
- {
- return TNC_RESULT_INVALID_PARAMETER;
- }
- return TNC_RESULT_SUCCESS;
-}
+++ /dev/null
-/*
- * Copyright (C) 2006 Mike McCauley
- * Copyright (C) 2010-2011 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "tnc_imv_manager.h"
-#include "tnc_imv.h"
-#include "tnc_imv_recommendations.h"
-
-#include <tncifimv.h>
-#include <tncif_names.h>
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/mman.h>
-#include <unistd.h>
-#include <errno.h>
-#include <fcntl.h>
-
-#include <daemon.h>
-#include <utils/debug.h>
-#include <threading/rwlock.h>
-#include <threading/mutex.h>
-#include <collections/linked_list.h>
-
-typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t;
-
-/**
- * Private data of an imv_manager_t object.
- */
-struct private_tnc_imv_manager_t {
-
- /**
- * Public members of imv_manager_t.
- */
- imv_manager_t public;
-
- /**
- * Linked list of IMVs
- */
- linked_list_t *imvs;
-
- /**
- * Lock for IMV list
- */
- rwlock_t *lock;
-
- /**
- * Next IMV ID to be assigned
- */
- TNC_IMVID next_imv_id;
-
- /**
- * Mutex to access next IMV ID
- */
- mutex_t *id_mutex;
-
- /**
- * Policy defining how to derive final recommendation from individual ones
- */
- recommendation_policy_t policy;
-};
-
-METHOD(imv_manager_t, add, bool,
- private_tnc_imv_manager_t *this, imv_t *imv)
-{
- TNC_Version version;
- TNC_IMVID imv_id;
-
- this->id_mutex->lock(this->id_mutex);
- imv_id = this->next_imv_id++;
- this->id_mutex->unlock(this->id_mutex);
-
- imv->set_id(imv, imv_id);
- if (imv->initialize(imv_id, TNC_IFIMV_VERSION_1,
- TNC_IFIMV_VERSION_1, &version) != TNC_RESULT_SUCCESS)
- {
- DBG1(DBG_TNC, "IMV \"%s\" failed to initialize", imv->get_name(imv));
- return FALSE;
- }
- this->lock->write_lock(this->lock);
- this->imvs->insert_last(this->imvs, imv);
- this->lock->unlock(this->lock);
-
- if (imv->provide_bind_function(imv->get_id(imv),
- TNC_TNCS_BindFunction) != TNC_RESULT_SUCCESS)
- {
- if (imv->terminate)
- {
- imv->terminate(imv->get_id(imv));
- }
- DBG1(DBG_TNC, "IMV \"%s\" failed to obtain bind function",
- imv->get_name(imv));
- this->lock->write_lock(this->lock);
- this->imvs->remove_last(this->imvs, (void**)&imv);
- this->lock->unlock(this->lock);
- return FALSE;
- }
- return TRUE;
-}
-
-METHOD(imv_manager_t, remove_, imv_t*,
- private_tnc_imv_manager_t *this, TNC_IMVID id)
-{
- enumerator_t *enumerator;
- imv_t *imv, *removed_imv = NULL;
-
- this->lock->write_lock(this->lock);
- enumerator = this->imvs->create_enumerator(this->imvs);
- while (enumerator->enumerate(enumerator, &imv))
- {
- if (id == imv->get_id(imv))
- {
- this->imvs->remove_at(this->imvs, enumerator);
- removed_imv = imv;
- break;
- }
- }
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
-
- return removed_imv;
-}
-
-METHOD(imv_manager_t, load, bool,
- private_tnc_imv_manager_t *this, char *name, char *path)
-{
- imv_t *imv;
-
- imv = tnc_imv_create(name, path);
- if (!imv)
- {
- return FALSE;
- }
- if (!add(this, imv))
- {
- imv->destroy(imv);
- return FALSE;
- }
- DBG1(DBG_TNC, "IMV %u \"%s\" loaded from '%s'", imv->get_id(imv), name, path);
- return TRUE;
-}
-
-METHOD(imv_manager_t, load_from_functions, bool,
- private_tnc_imv_manager_t *this, char *name,
- TNC_IMV_InitializePointer initialize,
- TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
- TNC_IMV_ReceiveMessagePointer receive_message,
- TNC_IMV_ReceiveMessageLongPointer receive_message_long,
- TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
- TNC_IMV_BatchEndingPointer batch_ending,
- TNC_IMV_TerminatePointer terminate,
- TNC_IMV_ProvideBindFunctionPointer provide_bind_function)
-{
- imv_t *imv;
-
- imv = tnc_imv_create_from_functions(name,
- initialize,notify_connection_change,
- receive_message, receive_message_long,
- solicit_recommendation, batch_ending,
- terminate, provide_bind_function);
- if (!imv)
- {
- return FALSE;
- }
- if (!add(this, imv))
- {
- imv->destroy(imv);
- return FALSE;
- }
- DBG1(DBG_TNC, "IMV %u \"%s\" loaded", imv->get_id(imv), name);
- return TRUE;
-}
-
-METHOD(imv_manager_t, is_registered, bool,
- private_tnc_imv_manager_t *this, TNC_IMVID id)
-{
- enumerator_t *enumerator;
- imv_t *imv;
- bool found = FALSE;
-
- this->lock->read_lock(this->lock);
- enumerator = this->imvs->create_enumerator(this->imvs);
- while (enumerator->enumerate(enumerator, &imv))
- {
- if (imv->has_id(imv, id))
- {
- found = TRUE;
- break;
- }
- }
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
-
- return found;
-}
-
-METHOD(imv_manager_t, reserve_id, bool,
- private_tnc_imv_manager_t *this, TNC_IMVID id, TNC_UInt32 *new_id)
-{
- enumerator_t *enumerator;
- imv_t *imv;
- bool found = FALSE;
-
- this->lock->read_lock(this->lock);
- enumerator = this->imvs->create_enumerator(this->imvs);
- while (enumerator->enumerate(enumerator, &imv))
- {
- if (id == imv->get_id(imv))
- {
- found = TRUE;
- this->id_mutex->lock(this->id_mutex);
- *new_id = this->next_imv_id++;
- this->id_mutex->unlock(this->id_mutex);
- imv->add_id(imv, *new_id);
- DBG2(DBG_TNC, "additional ID %u reserved for IMV with primary ID %u",
- *new_id, id);
- break;
- }
- }
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
-
- return found;
-}
-
-METHOD(imv_manager_t, get_recommendation_policy, recommendation_policy_t,
- private_tnc_imv_manager_t *this)
-{
- return this->policy;
-}
-
-METHOD(imv_manager_t, create_recommendations, recommendations_t*,
- private_tnc_imv_manager_t *this)
-{
- return tnc_imv_recommendations_create(this->imvs);
-}
-
-METHOD(imv_manager_t, enforce_recommendation, bool,
- private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec,
- TNC_IMV_Evaluation_Result eval)
-{
- char *group;
- identification_t *id;
- ike_sa_t *ike_sa;
- auth_cfg_t *auth;
- bool no_access = FALSE;
-
- DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
- TNC_IMV_Action_Recommendation_names, rec,
- TNC_IMV_Evaluation_Result_names, eval);
-
- switch (rec)
- {
- case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
- group = "allow";
- break;
- case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
- group = "isolate";
- break;
- case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
- case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
- default:
- group = "no access";
- no_access = TRUE;
- break;
- }
-
- ike_sa = charon->bus->get_sa(charon->bus);
- if (!ike_sa)
- {
- DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA");
- return FALSE;
- }
-
- id = ike_sa->get_other_id(ike_sa);
- DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group);
-
- if (no_access)
- {
- return FALSE;
- }
- else
- {
- auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
- id = identification_create_from_string(group);
- auth->add(auth, AUTH_RULE_GROUP, id);
- DBG1(DBG_TNC, "policy enforcement point added group membership '%s'",
- group);
- }
- return TRUE;
-}
-
-
-METHOD(imv_manager_t, notify_connection_change, void,
- private_tnc_imv_manager_t *this, TNC_ConnectionID id,
- TNC_ConnectionState state)
-{
- enumerator_t *enumerator;
- imv_t *imv;
-
- this->lock->read_lock(this->lock);
- enumerator = this->imvs->create_enumerator(this->imvs);
- while (enumerator->enumerate(enumerator, &imv))
- {
- if (imv->notify_connection_change)
- {
- imv->notify_connection_change(imv->get_id(imv), id, state);
- }
- }
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
-}
-
-METHOD(imv_manager_t, set_message_types, TNC_Result,
- private_tnc_imv_manager_t *this, TNC_IMVID id,
- TNC_MessageTypeList supported_types,
- TNC_UInt32 type_count)
-{
- enumerator_t *enumerator;
- imv_t *imv;
- TNC_Result result = TNC_RESULT_FATAL;
-
- this->lock->read_lock(this->lock);
- enumerator = this->imvs->create_enumerator(this->imvs);
- while (enumerator->enumerate(enumerator, &imv))
- {
- if (id == imv->get_id(imv))
- {
- imv->set_message_types(imv, supported_types, type_count);
- result = TNC_RESULT_SUCCESS;
- break;
- }
- }
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
- return result;
-}
-
-METHOD(imv_manager_t, set_message_types_long, TNC_Result,
- private_tnc_imv_manager_t *this, TNC_IMVID id,
- TNC_VendorIDList supported_vids,
- TNC_MessageSubtypeList supported_subtypes,
- TNC_UInt32 type_count)
-{
- enumerator_t *enumerator;
- imv_t *imv;
- TNC_Result result = TNC_RESULT_FATAL;
-
- this->lock->read_lock(this->lock);
- enumerator = this->imvs->create_enumerator(this->imvs);
- while (enumerator->enumerate(enumerator, &imv))
- {
- if (id == imv->get_id(imv))
- {
- imv->set_message_types_long(imv, supported_vids, supported_subtypes,
- type_count);
- result = TNC_RESULT_SUCCESS;
- break;
- }
- }
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
- return result;
-}
-
-METHOD(imv_manager_t, solicit_recommendation, void,
- private_tnc_imv_manager_t *this, TNC_ConnectionID id)
-{
- enumerator_t *enumerator;
- imv_t *imv;
-
- this->lock->read_lock(this->lock);
- enumerator = this->imvs->create_enumerator(this->imvs);
- while (enumerator->enumerate(enumerator, &imv))
- {
- imv->solicit_recommendation(imv->get_id(imv), id);
- }
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
-}
-
-METHOD(imv_manager_t, receive_message, void,
- private_tnc_imv_manager_t *this, TNC_ConnectionID connection_id,
- bool excl,
- TNC_BufferReference msg,
- TNC_UInt32 msg_len,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype,
- TNC_UInt32 src_imc_id,
- TNC_UInt32 dst_imv_id)
-{
- bool type_supported = FALSE;
- TNC_MessageType msg_type;
- TNC_UInt32 msg_flags;
- enumerator_t *enumerator;
- imv_t *imv;
-
- msg_type = (msg_vid << 8) | msg_subtype;
-
- this->lock->read_lock(this->lock);
- enumerator = this->imvs->create_enumerator(this->imvs);
- while (enumerator->enumerate(enumerator, &imv))
- {
- if (imv->type_supported(imv, msg_vid, msg_subtype) &&
- (!excl || (excl && imv->has_id(imv, dst_imv_id))))
- {
- if (imv->receive_message_long && src_imc_id)
- {
- type_supported = TRUE;
- msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0;
- imv->receive_message_long(imv->get_id(imv), connection_id,
- msg_flags, msg, msg_len, msg_vid, msg_subtype,
- src_imc_id, dst_imv_id);
-
- }
- else if (imv->receive_message && msg_vid <= TNC_VENDORID_ANY &&
- msg_subtype <= TNC_SUBTYPE_ANY)
- {
- type_supported = TRUE;
- msg_type = (msg_vid << 8) | msg_subtype;
- imv->receive_message(imv->get_id(imv), connection_id,
- msg, msg_len, msg_type);
- }
- }
- }
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
-
- if (!type_supported)
- {
- DBG2(DBG_TNC, "message type 0x%06x/0x%08x not supported by any IMV",
- msg_vid, msg_subtype);
- }
-}
-
-METHOD(imv_manager_t, batch_ending, void,
- private_tnc_imv_manager_t *this, TNC_ConnectionID id)
-{
- enumerator_t *enumerator;
- imv_t *imv;
-
- this->lock->read_lock(this->lock);
- enumerator = this->imvs->create_enumerator(this->imvs);
- while (enumerator->enumerate(enumerator, &imv))
- {
- if (imv->batch_ending)
- {
- imv->batch_ending(imv->get_id(imv), id);
- }
- }
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
-}
-
-METHOD(imv_manager_t, destroy, void,
- private_tnc_imv_manager_t *this)
-{
- imv_t *imv;
-
- while (this->imvs->remove_last(this->imvs, (void**)&imv) == SUCCESS)
- {
- if (imv->terminate &&
- imv->terminate(imv->get_id(imv)) != TNC_RESULT_SUCCESS)
- {
- DBG1(DBG_TNC, "IMV \"%s\" not terminated successfully",
- imv->get_name(imv));
- }
- imv->destroy(imv);
- }
- this->imvs->destroy(this->imvs);
- this->lock->destroy(this->lock);
- this->id_mutex->destroy(this->id_mutex);
- free(this);
-}
-
-/**
- * Described in header.
- */
-imv_manager_t* tnc_imv_manager_create(void)
-{
- private_tnc_imv_manager_t *this;
- recommendation_policy_t policy;
-
- INIT(this,
- .public = {
- .add = _add,
- .remove = _remove_, /* avoid name conflict with stdio.h */
- .load = _load,
- .load_from_functions = _load_from_functions,
- .is_registered = _is_registered,
- .reserve_id = _reserve_id,
- .get_recommendation_policy = _get_recommendation_policy,
- .create_recommendations = _create_recommendations,
- .enforce_recommendation = _enforce_recommendation,
- .notify_connection_change = _notify_connection_change,
- .set_message_types = _set_message_types,
- .set_message_types_long = _set_message_types_long,
- .solicit_recommendation = _solicit_recommendation,
- .receive_message = _receive_message,
- .batch_ending = _batch_ending,
- .destroy = _destroy,
- },
- .imvs = linked_list_create(),
- .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
- .id_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
- .next_imv_id = 1,
- );
-
- policy = enum_from_name(recommendation_policy_names,
- lib->settings->get_str(lib->settings,
- "%s.plugins.tnc-imv.recommendation_policy", "default",
- charon->name));
- this->policy = (policy != -1) ? policy : RECOMMENDATION_POLICY_DEFAULT;
- DBG1(DBG_TNC, "TNC recommendation policy is '%N'",
- recommendation_policy_names, this->policy);
-
- return &this->public;
-}
+++ /dev/null
-/*
- * Copyright (C) 2010 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- *
- * @defgroup tnc_imv_manager tnc_imv_manager
- * @{ @ingroup tnc_imv
- */
-
-#ifndef TNC_IMV_MANAGER_H_
-#define TNC_IMV_MANAGER_H_
-
-#include <tnc/imv/imv_manager.h>
-
-/**
- * Create an IMV manager instance.
- */
-imv_manager_t *tnc_imv_manager_create();
-
-#endif /** TNC_IMV_MANAGER_H_ @}*/
+++ /dev/null
-/*
- * Copyright (C) 2010-2011 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "tnc_imv_plugin.h"
-#include "tnc_imv_manager.h"
-
-#include <tnc/tnc.h>
-
-
-typedef struct private_tnc_imv_plugin_t private_tnc_imv_plugin_t;
-
-/**
- * Private data of a tnc_imv_plugin_t object.
- */
-struct private_tnc_imv_plugin_t {
-
- /**
- * Public interface.
- */
- tnc_imv_plugin_t public;
-
-};
-
-
-METHOD(plugin_t, get_name, char*,
- tnc_imv_plugin_t *this)
-{
- return "tnc-imv";
-}
-
-METHOD(plugin_t, get_features, int,
- private_tnc_imv_plugin_t *this, plugin_feature_t *features[])
-{
- static plugin_feature_t f[] = {
- PLUGIN_CALLBACK(tnc_manager_register, tnc_imv_manager_create),
- PLUGIN_PROVIDE(CUSTOM, "imv-manager"),
- PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
- PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
- PLUGIN_SDEPEND(CERT_DECODE, CERT_TRUSTED_PUBKEY),
- PLUGIN_SDEPEND(DATABASE, DB_ANY),
- };
- *features = f;
- return countof(f);
-}
-
-METHOD(plugin_t, destroy, void,
- private_tnc_imv_plugin_t *this)
-{
- free(this);
-}
-
-/*
- * see header file
- */
-plugin_t *tnc_imv_plugin_create()
-{
- private_tnc_imv_plugin_t *this;
-
- INIT(this,
- .public = {
- .plugin = {
- .get_name = _get_name,
- .get_features = _get_features,
- .destroy = _destroy,
- },
- },
- );
-
- return &this->public.plugin;
-}
-
+++ /dev/null
-/*
- * Copyright (C) 2010 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup tnc_imv tnc_imv
- * @ingroup cplugins
- *
- * @defgroup tnc_imv_plugin tnc_imv_plugin
- * @{ @ingroup tnc_imv
- */
-
-#ifndef TNC_IMV_PLUGIN_H_
-#define TNC_IMV_PLUGIN_H_
-
-#include <plugins/plugin.h>
-
-typedef struct tnc_imv_plugin_t tnc_imv_plugin_t;
-
-/**
- * TNC IMV plugin
- */
-struct tnc_imv_plugin_t {
-
- /**
- * implements plugin interface
- */
- plugin_t plugin;
-};
-
-#endif /** TNC_IMV_PLUGIN_H_ @}*/
+++ /dev/null
-/*
- * Copyright (C) 2010-2012 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <tncifimv.h>
-#include <tncif_names.h>
-#include <tncif_policy.h>
-
-#include <tnc/tnc.h>
-#include <tnc/imv/imv.h>
-#include <tnc/imv/imv_manager.h>
-#include <tnc/imv/imv_recommendations.h>
-
-#include <utils/debug.h>
-#include <collections/linked_list.h>
-
-typedef struct private_tnc_imv_recommendations_t private_tnc_imv_recommendations_t;
-typedef struct recommendation_entry_t recommendation_entry_t;
-
-/**
- * Recommendation entry
- */
-struct recommendation_entry_t {
-
- /**
- * IMV ID
- */
- TNC_IMVID id;
-
- /**
- * Received a recommendation message from this IMV?
- */
- bool have_recommendation;
-
- /**
- * Action Recommendation provided by IMV instance
- */
- TNC_IMV_Action_Recommendation rec;
-
- /**
- * Evaluation Result provided by IMV instance
- */
- TNC_IMV_Evaluation_Result eval;
-
- /**
- * Reason string provided by IMV instance
- */
- chunk_t reason;
-
- /**
- * Reason language provided by IMV instance
- */
- chunk_t reason_language;
-};
-
-/**
- * Private data of a recommendations_t object.
- */
-struct private_tnc_imv_recommendations_t {
-
- /**
- * Public members of recommendations_t.
- */
- recommendations_t public;
-
- /**
- * list of recommendations and evaluations provided by IMVs
- */
- linked_list_t *recs;
-
- /**
- * Preferred language for remediation messages
- */
- chunk_t preferred_language;
-};
-
-METHOD(recommendations_t, provide_recommendation, TNC_Result,
- private_tnc_imv_recommendations_t* this, TNC_IMVID id,
- TNC_IMV_Action_Recommendation rec,
- TNC_IMV_Evaluation_Result eval)
-{
- enumerator_t *enumerator;
- recommendation_entry_t *entry;
- bool found = FALSE;
-
- DBG2(DBG_TNC, "IMV %u provides recommendation '%N' and evaluation '%N'", id,
- TNC_IMV_Action_Recommendation_names, rec,
- TNC_IMV_Evaluation_Result_names, eval);
-
- enumerator = this->recs->create_enumerator(this->recs);
- while (enumerator->enumerate(enumerator, &entry))
- {
- if (entry->id == id)
- {
- found = TRUE;
- entry->have_recommendation = TRUE;
- entry->rec = rec;
- entry->eval = eval;
- break;
- }
- }
- enumerator->destroy(enumerator);
- return found ? TNC_RESULT_SUCCESS : TNC_RESULT_FATAL;
-}
-
-METHOD(recommendations_t, have_recommendation, bool,
- private_tnc_imv_recommendations_t *this, TNC_IMV_Action_Recommendation *rec,
- TNC_IMV_Evaluation_Result *eval)
-{
- enumerator_t *enumerator;
- recommendation_entry_t *entry;
- recommendation_policy_t policy;
- TNC_IMV_Action_Recommendation final_rec;
- TNC_IMV_Evaluation_Result final_eval;
- bool first = TRUE, incomplete = FALSE;
-
- final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
- final_eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
- if (rec && eval)
- {
- *rec = final_rec;
- *eval = final_eval;
- }
-
- if (this->recs->get_count(this->recs) == 0)
- {
- DBG1(DBG_TNC, "there are no IMVs to make a recommendation");
- return TRUE;
- }
- policy = tnc->imvs->get_recommendation_policy(tnc->imvs);
-
- enumerator = this->recs->create_enumerator(this->recs);
- while (enumerator->enumerate(enumerator, &entry))
- {
- if (!entry->have_recommendation)
- {
- incomplete = TRUE;
- break;
- }
- if (first)
- {
- final_rec = entry->rec;
- final_eval = entry->eval;
- first = FALSE;
- continue;
- }
- switch (policy)
- {
- case RECOMMENDATION_POLICY_DEFAULT:
- final_rec = tncif_policy_update_recommendation(final_rec,
- entry->rec);
- final_eval = tncif_policy_update_evaluation(final_eval,
- entry->eval);
- break;
-
- case RECOMMENDATION_POLICY_ALL:
- if (entry->rec != final_rec)
- {
- final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
- }
- if (entry->eval != final_eval)
- {
- final_eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
- }
- break;
-
- case RECOMMENDATION_POLICY_ANY:
- switch (entry->rec)
- {
- case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
- final_rec = entry->rec;
- break;
- case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
- if (final_rec != TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
- {
- final_rec = entry->rec;
- };
- break;
- case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
- if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
- {
- final_rec = entry->rec;
- };
- break;
- case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
- break;
- }
- switch (entry->eval)
- {
- case TNC_IMV_EVALUATION_RESULT_COMPLIANT:
- final_eval = entry->eval;
- break;
- case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
- if (final_eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT)
- {
- final_eval = entry->eval;
- }
- break;
- case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
- if (final_eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT &&
- final_eval != TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR)
- {
- final_eval = entry->eval;
- }
- break;
- case TNC_IMV_EVALUATION_RESULT_ERROR:
- if (final_eval == TNC_IMV_EVALUATION_RESULT_DONT_KNOW)
- {
- final_eval = entry->eval;
- }
- break;
- case TNC_IMV_EVALUATION_RESULT_DONT_KNOW:
- break;
- }
- }
- }
- enumerator->destroy(enumerator);
-
- if (incomplete)
- {
- return FALSE;
- }
- if (rec && eval)
- {
- *rec = final_rec;
- *eval = final_eval;
- }
- return TRUE;
-}
-
-METHOD(recommendations_t, clear_recommendation, void,
- private_tnc_imv_recommendations_t *this)
-{
- enumerator_t *enumerator;
- recommendation_entry_t *entry;
-
- enumerator = this->recs->create_enumerator(this->recs);
- while (enumerator->enumerate(enumerator, &entry))
- {
- entry->have_recommendation = FALSE;
- entry->rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
- entry->eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
- chunk_clear(&entry->reason);
- chunk_clear(&entry->reason_language);
- }
- enumerator->destroy(enumerator);
-}
-
-METHOD(recommendations_t, get_preferred_language, chunk_t,
- private_tnc_imv_recommendations_t *this)
-{
- return this->preferred_language;
-}
-
-METHOD(recommendations_t, set_preferred_language, void,
- private_tnc_imv_recommendations_t *this, chunk_t pref_lang)
-{
- free(this->preferred_language.ptr);
- this->preferred_language = chunk_clone(pref_lang);
-}
-
-METHOD(recommendations_t, set_reason_string, TNC_Result,
- private_tnc_imv_recommendations_t *this, TNC_IMVID id, chunk_t reason)
-{
- enumerator_t *enumerator;
- recommendation_entry_t *entry;
- bool found = FALSE;
-
- DBG2(DBG_TNC, "IMV %u is setting reason string to '%.*s'",
- id, (int)reason.len, reason.ptr);
-
- enumerator = this->recs->create_enumerator(this->recs);
- while (enumerator->enumerate(enumerator, &entry))
- {
- if (entry->id == id)
- {
- found = TRUE;
- free(entry->reason.ptr);
- entry->reason = chunk_clone(reason);
- break;
- }
- }
- enumerator->destroy(enumerator);
- return found ? TNC_RESULT_SUCCESS : TNC_RESULT_INVALID_PARAMETER;
-}
-
-METHOD(recommendations_t, set_reason_language, TNC_Result,
- private_tnc_imv_recommendations_t *this, TNC_IMVID id, chunk_t reason_lang)
-{
- enumerator_t *enumerator;
- recommendation_entry_t *entry;
- bool found = FALSE;
-
- DBG2(DBG_TNC, "IMV %u is setting reason language to '%.*s'",
- id, (int)reason_lang.len, reason_lang.ptr);
-
- enumerator = this->recs->create_enumerator(this->recs);
- while (enumerator->enumerate(enumerator, &entry))
- {
- if (entry->id == id)
- {
- found = TRUE;
- free(entry->reason_language.ptr);
- entry->reason_language = chunk_clone(reason_lang);
- break;
- }
- }
- enumerator->destroy(enumerator);
- return found ? TNC_RESULT_SUCCESS : TNC_RESULT_INVALID_PARAMETER;
-}
-
-/**
- * Enumerate reason and reason_language, not recommendation entries
- */
-static bool reason_filter(void *null, recommendation_entry_t **entry,
- TNC_IMVID *id, void *i2, chunk_t *reason, void *i3,
- chunk_t *reason_language)
-{
- if ((*entry)->reason.len)
- {
- *id = (*entry)->id;
- *reason = (*entry)->reason;
- *reason_language = (*entry)->reason_language;
- return TRUE;
- }
- else
- {
- return FALSE;
- }
-}
-
-METHOD(recommendations_t, create_reason_enumerator, enumerator_t*,
- private_tnc_imv_recommendations_t *this)
-{
- return enumerator_create_filter(this->recs->create_enumerator(this->recs),
- (void*)reason_filter, NULL, NULL);
-}
-
-METHOD(recommendations_t, destroy, void,
- private_tnc_imv_recommendations_t *this)
-{
- recommendation_entry_t *entry;
-
- while (this->recs->remove_last(this->recs, (void**)&entry) == SUCCESS)
- {
- free(entry->reason.ptr);
- free(entry->reason_language.ptr);
- free(entry);
- }
- this->recs->destroy(this->recs);
- free(this->preferred_language.ptr);
- free(this);
-}
-
-/**
- * Described in header.
- */
-recommendations_t* tnc_imv_recommendations_create(linked_list_t *imv_list)
-{
- private_tnc_imv_recommendations_t *this;
- recommendation_entry_t *entry;
- enumerator_t *enumerator;
- imv_t *imv;
-
- INIT(this,
- .public = {
- .provide_recommendation = _provide_recommendation,
- .have_recommendation = _have_recommendation,
- .clear_recommendation = _clear_recommendation,
- .get_preferred_language = _get_preferred_language,
- .set_preferred_language = _set_preferred_language,
- .set_reason_string = _set_reason_string,
- .set_reason_language = _set_reason_language,
- .create_reason_enumerator = _create_reason_enumerator,
- .destroy = _destroy,
- },
- .recs = linked_list_create(),
- );
-
- enumerator = imv_list->create_enumerator(imv_list);
- while (enumerator->enumerate(enumerator, &imv))
- {
- entry = malloc_thing(recommendation_entry_t);
- entry->id = imv->get_id(imv);
- entry->have_recommendation = FALSE;
- entry->rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
- entry->eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
- entry->reason = chunk_empty;
- entry->reason_language = chunk_empty;
- this->recs->insert_last(this->recs, entry);
- }
- enumerator->destroy(enumerator);
-
- return &this->public;
-}
+++ /dev/null
-/*
- * Copyright (C) 2010 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- *
- * @defgroup tnc_imv_manager tnc_imv_manager
- * @{ @ingroup tnc_imv
- */
-
-#ifndef TNC_IMV_RECOMMENDATIONS_H_
-#define TNC_IMV_RECOMMENDATIONS_H_
-
-#include <tnc/imv/imv_recommendations.h>
-#include <collections/linked_list.h>
-
-/**
- * Create an IMV empty recommendations instance
- */
-recommendations_t *tnc_imv_recommendations_create();
-
-#endif /** TNC_IMV_RECOMMENDATIONS_H_ @}*/
#include <tnc/tnc.h>
+#include <tncifimv.h>
+#include <tncif_names.h>
+
#include <daemon.h>
#include <utils/debug.h>
#include <pen/pen.h>
}
/**
+ * Callback function to get recommendation from TNCCS connection
+ */
+static bool get_recommendation(TNC_IMV_Action_Recommendation rec,
+ TNC_IMV_Evaluation_Result eval)
+{
+ DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
+ TNC_IMV_Action_Recommendation_names, rec,
+ TNC_IMV_Evaluation_Result_names, eval);
+
+ return TRUE;
+}
+
+/**
* Get more data on a PT-TLS connection
*/
static bool pt_tls_receive_more(pt_tls_server_t *this, int fd,
peer = identification_create_from_encoding(ID_ANY, chunk_empty),
tnccs = tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, TRUE,
- this->server, peer, TNC_IFT_TLS_2_0);
+ this->server, peer, TNC_IFT_TLS_2_0,
+ (tnccs_cb_t)get_recommendation);
peer->destroy(peer);
if (!tnccs)
endif
endif
+if USE_TNC_IMV
+ SUBDIRS += plugins/tnc_imv
+if MONOLITHIC
+ libtnccs_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc-imv.la
+endif
+endif
+
if USE_TNCCS_11
SUBDIRS += plugins/tnccs_11
if MONOLITHIC
/*
- * Copyright (C) 2006 Mike McCauley
- * Copyright (C) 2010-2011 Andreas Steffen,
+ * Copyright (C) 2010-2013 Andreas Steffen,
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
--- /dev/null
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libstrongswan \
+ -I$(top_srcdir)/src/libtncif \
+ -I$(top_srcdir)/src/libtnccs \
+ -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = \
+ -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
+else
+plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
+libstrongswan_tnc_imv_la_LIBADD = \
+ $(top_builddir)/src/libtncif/libtncif.la \
+ $(top_builddir)/src/libtnccs/libtnccs.la
+endif
+
+libstrongswan_tnc_imv_la_SOURCES = \
+ tnc_imv_plugin.h tnc_imv_plugin.c tnc_imv.h tnc_imv.c \
+ tnc_imv_manager.h tnc_imv_manager.c tnc_imv_bind_function.c \
+ tnc_imv_recommendations.h tnc_imv_recommendations.c
+
+libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
--- /dev/null
+/*
+ * Copyright (C) 2010-2013 Andreas Steffen,
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imv.h"
+
+#include <dlfcn.h>
+
+#include <tncif_pa_subtypes.h>
+
+#include <utils/debug.h>
+#include <library.h>
+#include <collections/linked_list.h>
+#include <threading/mutex.h>
+
+typedef struct private_tnc_imv_t private_tnc_imv_t;
+
+/**
+ * Private data of an imv_t object.
+ */
+struct private_tnc_imv_t {
+
+ /**
+ * Public members of imv_t.
+ */
+ imv_t public;
+
+ /**
+ * Name of loaded IMV
+ */
+ char *name;
+
+ /**
+ * Handle of loaded IMV
+ */
+ void *handle;
+
+ /**
+ * ID of loaded IMV
+ */
+ TNC_IMVID id;
+
+ /**
+ * List of additional IMV IDs
+ */
+ linked_list_t *additional_ids;
+
+ /**
+ * List of message types supported by IMV - Vendor ID part
+ */
+ TNC_VendorIDList supported_vids;
+
+ /**
+ * List of message types supported by IMV - Subtype part
+ */
+ TNC_MessageSubtypeList supported_subtypes;
+
+ /**
+ * Number of supported message types
+ */
+ TNC_UInt32 type_count;
+
+ /**
+ * mutex to lock the imv_t object
+ */
+ mutex_t *mutex;
+};
+
+METHOD(imv_t, set_id, void,
+ private_tnc_imv_t *this, TNC_IMVID id)
+{
+ this->id = id;
+}
+
+METHOD(imv_t, get_id, TNC_IMVID,
+ private_tnc_imv_t *this)
+{
+ return this->id;
+}
+
+METHOD(imv_t, add_id, void,
+ private_tnc_imv_t *this, TNC_IMVID id)
+{
+ TNC_IMVID *new_id;
+
+ new_id = malloc_thing(TNC_IMVID);
+ *new_id = id;
+ this->additional_ids->insert_last(this->additional_ids, new_id);
+}
+
+METHOD(imv_t, has_id, bool,
+ private_tnc_imv_t *this, TNC_IMVID id)
+{
+ enumerator_t *enumerator;
+ TNC_IMVID *additional_id;
+ bool found = FALSE;
+
+ /* check primary IMV ID */
+ if (id == this->id)
+ {
+ return TRUE;
+ }
+
+ /* return if there are no additional IMV IDs */
+ if (this->additional_ids->get_count(this->additional_ids) == 0)
+ {
+ return FALSE;
+ }
+
+ /* check additional IMV IDs */
+ enumerator = this->additional_ids->create_enumerator(this->additional_ids);
+ while (enumerator->enumerate(enumerator, &additional_id))
+ {
+ if (id == *additional_id)
+ {
+ found = TRUE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return found;
+}
+
+METHOD(imv_t, get_name, char*,
+ private_tnc_imv_t *this)
+{
+ return this->name;
+}
+
+METHOD(imv_t, set_message_types, void,
+ private_tnc_imv_t *this, TNC_MessageTypeList supported_types,
+ TNC_UInt32 type_count)
+{
+ char buf[BUF_LEN];
+ char *pos = buf;
+ int len = sizeof(buf);
+ int i, written;
+ size_t size;
+ TNC_VendorID vid;
+ TNC_MessageSubtype subtype;
+ enum_name_t *pa_subtype_names;
+
+ /* lock the imv_t instance */
+ this->mutex->lock(this->mutex);
+
+ /* Free existing VendorID and MessageSubtype lists */
+ free(this->supported_vids);
+ this->supported_vids = NULL;
+ free(this->supported_subtypes);
+ this->supported_subtypes = NULL;
+
+ /* Store the new MessageType list */
+ this->type_count = type_count;
+ if (type_count && supported_types)
+ {
+ size = type_count * sizeof(TNC_VendorID);
+ this->supported_vids = malloc(size);
+ size = type_count * sizeof(TNC_MessageSubtype);
+ this->supported_subtypes = malloc(size);
+
+ for (i = 0; i < type_count; i++)
+ {
+ vid = (supported_types[i] >> 8) & TNC_VENDORID_ANY;
+ subtype = supported_types[i] & TNC_SUBTYPE_ANY;
+
+ pa_subtype_names = get_pa_subtype_names(vid);
+ if (pa_subtype_names)
+ {
+ written = snprintf(pos, len," '%N/%N' 0x%06x/0x%02x",
+ pen_names, vid, pa_subtype_names, subtype,
+ vid, subtype);
+ }
+ else
+ {
+ written = snprintf(pos, len," '%N' 0x%06x/0x%02x",
+ pen_names, vid, vid, subtype);
+ }
+ if (written >= len)
+ {
+ break;
+ }
+ pos += written;
+ len -= written;
+
+ this->supported_vids[i] = vid;
+ this->supported_subtypes[i] = subtype;
+ }
+ }
+ *pos = '\0';
+ DBG2(DBG_TNC, "IMV %u supports %u message type%s:%s",
+ this->id, type_count, (type_count == 1) ? "":"s", buf);
+
+ /* unlock the imv_t instance */
+ this->mutex->unlock(this->mutex);
+}
+
+METHOD(imv_t, set_message_types_long, void,
+ private_tnc_imv_t *this, TNC_VendorIDList supported_vids,
+ TNC_MessageSubtypeList supported_subtypes, TNC_UInt32 type_count)
+{
+ char buf[BUF_LEN];
+ char *pos = buf;
+ int len = sizeof(buf);
+ int i, written;
+ size_t size;
+ TNC_VendorID vid;
+ TNC_MessageSubtype subtype;
+ enum_name_t *pa_subtype_names;
+
+ /* lock the imv_t instance */
+ this->mutex->lock(this->mutex);
+
+ /* Free existing VendorID and MessageSubtype lists */
+ free(this->supported_vids);
+ this->supported_vids = NULL;
+ free(this->supported_subtypes);
+ this->supported_subtypes = NULL;
+
+ /* Store the new MessageType list */
+ this->type_count = type_count;
+ if (type_count && supported_vids && supported_subtypes)
+ {
+ size = type_count * sizeof(TNC_VendorID);
+ this->supported_vids = malloc(size);
+ memcpy(this->supported_vids, supported_vids, size);
+ size = type_count * sizeof(TNC_MessageSubtype);
+ this->supported_subtypes = malloc(size);
+ memcpy(this->supported_subtypes, supported_subtypes, size);
+
+ for (i = 0; i < type_count; i++)
+ {
+ vid = supported_vids[i];
+ subtype = supported_subtypes[i];
+
+ pa_subtype_names = get_pa_subtype_names(vid);
+ if (pa_subtype_names)
+ {
+ written = snprintf(pos, len," '%N/%N' 0x%06x/0x%08x",
+ pen_names, vid, pa_subtype_names, subtype,
+ vid, subtype);
+ }
+ else
+ {
+ written = snprintf(pos, len," '%N' 0x%06x/0x%08x",
+ pen_names, vid, vid, subtype);
+ }
+ if (written >= len)
+ {
+ break;
+ }
+ pos += written;
+ len -= written;
+ }
+ }
+ *pos = '\0';
+ DBG2(DBG_TNC, "IMV %u supports %u message type%s:%s",
+ this->id, type_count, (type_count == 1) ? "":"s", buf);
+
+ /* unlock the imv_t instance */
+ this->mutex->unlock(this->mutex);
+}
+
+METHOD(imv_t, type_supported, bool,
+ private_tnc_imv_t *this, TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype)
+{
+ TNC_VendorID vid;
+ TNC_MessageSubtype subtype;
+ int i;
+
+ for (i = 0; i < this->type_count; i++)
+ {
+ vid = this->supported_vids[i];
+ subtype = this->supported_subtypes[i];
+
+ if ((vid == TNC_VENDORID_ANY && subtype == TNC_SUBTYPE_ANY) ||
+ (vid == msg_vid && (subtype == TNC_SUBTYPE_ANY ||
+ subtype == msg_subtype)))
+ {
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+METHOD(imv_t, destroy, void,
+ private_tnc_imv_t *this)
+{
+ if (this->handle && lib->settings->get_bool(lib->settings,
+ "libtnccs.plugins.tnc-imv.dlclose", TRUE))
+ {
+ dlclose(this->handle);
+ }
+ this->mutex->destroy(this->mutex);
+ this->additional_ids->destroy_function(this->additional_ids, free);
+ free(this->supported_vids);
+ free(this->supported_subtypes);
+ free(this->name);
+ free(this);
+}
+
+/**
+ * Generic constructor.
+ */
+static private_tnc_imv_t* tnc_imv_create_empty(char *name)
+{
+ private_tnc_imv_t *this;
+
+ INIT(this,
+ .public = {
+ .set_id = _set_id,
+ .get_id = _get_id,
+ .add_id = _add_id,
+ .has_id = _has_id,
+ .get_name = _get_name,
+ .set_message_types = _set_message_types,
+ .set_message_types_long = _set_message_types_long,
+ .type_supported = _type_supported,
+ .destroy = _destroy,
+ },
+ .name = strdup(name),
+ .additional_ids = linked_list_create(),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ );
+
+ return this;
+}
+
+/**
+ * Described in header.
+ */
+imv_t* tnc_imv_create(char *name, char *path)
+{
+ private_tnc_imv_t *this;
+
+ this = tnc_imv_create_empty(name);
+
+ this->handle = dlopen(path, RTLD_LAZY);
+ if (!this->handle)
+ {
+ DBG1(DBG_TNC, "IMV \"%s\" failed to load: %s", name, dlerror());
+ destroy(this);
+ return NULL;
+ }
+
+ this->public.initialize = dlsym(this->handle, "TNC_IMV_Initialize");
+ if (!this->public.initialize)
+ {
+ DBG1(DBG_TNC, "could not resolve TNC_IMV_Initialize in %s: %s\n",
+ path, dlerror());
+ destroy(this);
+ return NULL;
+ }
+ this->public.notify_connection_change =
+ dlsym(this->handle, "TNC_IMV_NotifyConnectionChange");
+ this->public.solicit_recommendation =
+ dlsym(this->handle, "TNC_IMV_SolicitRecommendation");
+ if (!this->public.solicit_recommendation)
+ {
+ DBG1(DBG_TNC, "could not resolve TNC_IMV_SolicitRecommendation in %s: %s\n",
+ path, dlerror());
+ destroy(this);
+ return NULL;
+ }
+ this->public.receive_message =
+ dlsym(this->handle, "TNC_IMV_ReceiveMessage");
+ this->public.receive_message_long =
+ dlsym(this->handle, "TNC_IMV_ReceiveMessageLong");
+ this->public.batch_ending =
+ dlsym(this->handle, "TNC_IMV_BatchEnding");
+ this->public.terminate =
+ dlsym(this->handle, "TNC_IMV_Terminate");
+ this->public.provide_bind_function =
+ dlsym(this->handle, "TNC_IMV_ProvideBindFunction");
+ if (!this->public.provide_bind_function)
+ {
+ DBG1(DBG_TNC, "could not resolve TNC_IMV_ProvideBindFunction in %s: %s\n",
+ path, dlerror());
+ destroy(this);
+ return NULL;
+ }
+
+ return &this->public;
+}
+
+/**
+ * Described in header.
+ */
+imv_t* tnc_imv_create_from_functions(char *name,
+ TNC_IMV_InitializePointer initialize,
+ TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+ TNC_IMV_ReceiveMessagePointer receive_message,
+ TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+ TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+ TNC_IMV_BatchEndingPointer batch_ending,
+ TNC_IMV_TerminatePointer terminate,
+ TNC_IMV_ProvideBindFunctionPointer provide_bind_function)
+{
+ private_tnc_imv_t *this;
+
+ this = tnc_imv_create_empty(name);
+
+ this->public.initialize = initialize;
+ this->public.notify_connection_change = notify_connection_change;
+ this->public.receive_message = receive_message;
+ this->public.receive_message_long = receive_message_long;
+ this->public.solicit_recommendation = solicit_recommendation;
+ this->public.batch_ending = batch_ending;
+ this->public.terminate = terminate;
+ this->public.provide_bind_function = provide_bind_function;
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imv_t tnc_imv
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_H_
+#define TNC_IMV_H_
+
+#include <tnc/imv/imv.h>
+
+/**
+ * Create an Integrity Measurement Verifier loaded from a library.
+ *
+ * @param name name of the IMV
+ * @param filename path to the dynamic IMV library
+ * @return instance of the imv_t interface
+ */
+imv_t* tnc_imv_create(char *name, char *filename);
+
+/**
+ * Create an Integrity Measurement Verifier from a set of IMV functions.
+ *
+ * @param name name of the IMV
+ * @param initialize TNC_IMV_InitializePointer
+ * @param notify_connection_change TNC_IMV_NotifyConnectionChangePointer
+ * @param receive_message TNC_IMV_ReceiveMessagePointer
+ * @param receive_message_long TNC_IMV_ReceiveMessageLongPointer
+ * @param solicit_recommendation TNC_IMV_SolicitRecommendationPointer
+ * @param batch_ending TNC_IMV_BatchEndingPointer
+ * @param terminate TNC_IMV_TerminatePointer
+ * @param provide_bind_function TNC_IMV_ProvideBindFunctionPointer
+ * @return instance of the imv_t interface
+ */
+imv_t* tnc_imv_create_from_functions(char *name,
+ TNC_IMV_InitializePointer initialize,
+ TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+ TNC_IMV_ReceiveMessagePointer receive_message,
+ TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+ TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+ TNC_IMV_BatchEndingPointer batch_ending,
+ TNC_IMV_TerminatePointer terminate,
+ TNC_IMV_ProvideBindFunctionPointer provide_bind_function);
+
+#endif /** TNC_IMV_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2006 Mike McCauley
+ * Copyright (C) 2010-2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <tnc/tnc.h>
+#include <tnc/imv/imv_manager.h>
+#include <tnc/tnccs/tnccs_manager.h>
+
+#include <utils/debug.h>
+
+/**
+ * Called by the IMV to inform a TNCS about the set of message types the IMV
+ * is able to receive
+ */
+TNC_Result TNC_TNCS_ReportMessageTypes(TNC_IMVID imv_id,
+ TNC_MessageTypeList supported_types,
+ TNC_UInt32 type_count)
+{
+ if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring ReportMessageTypes() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
+ return tnc->imvs->set_message_types(tnc->imvs, imv_id, supported_types,
+ type_count);
+}
+
+/**
+ * Called by the IMV to inform a TNCS about the set of message types the IMV
+ * is able to receive. This function supports long message types.
+ */
+TNC_Result TNC_TNCS_ReportMessageTypesLong(TNC_IMVID imv_id,
+ TNC_VendorIDList supported_vids,
+ TNC_MessageSubtypeList supported_subtypes,
+ TNC_UInt32 type_count)
+{
+ if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring ReportMessageTypesLong() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
+ return tnc->imvs->set_message_types_long(tnc->imvs, imv_id, supported_vids,
+ supported_subtypes, type_count);
+}
+
+/**
+ * Called by the IMV to ask a TNCS to retry an Integrity Check Handshake
+ */
+TNC_Result TNC_TNCS_RequestHandshakeRetry(TNC_IMVID imv_id,
+ TNC_ConnectionID connection_id,
+ TNC_RetryReason reason)
+{
+ if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring RequestHandshakeRetry() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
+ return tnc->tnccs->request_handshake_retry(tnc->tnccs, FALSE, imv_id,
+ connection_id, reason);
+}
+
+/**
+ * Called by the IMV when an IMV-IMC message is to be sent
+ */
+TNC_Result TNC_TNCS_SendMessage(TNC_IMVID imv_id,
+ TNC_ConnectionID connection_id,
+ TNC_BufferReference msg,
+ TNC_UInt32 msg_len,
+ TNC_MessageType msg_type)
+{
+ TNC_VendorID msg_vid;
+ TNC_MessageSubtype msg_subtype;
+
+ if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring SendMessage() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
+ msg_vid = (msg_type >> 8) & TNC_VENDORID_ANY;
+ msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+
+ return tnc->tnccs->send_message(tnc->tnccs, TNC_IMCID_ANY, imv_id,
+ connection_id, 0, msg, msg_len, msg_vid, msg_subtype);
+}
+
+/**
+ * Called by the IMV when an IMV-IMC message is to be sent over IF-TNCCS 2.0
+ */
+TNC_Result TNC_TNCS_SendMessageLong(TNC_IMVID imv_id,
+ TNC_ConnectionID connection_id,
+ TNC_UInt32 msg_flags,
+ TNC_BufferReference msg,
+ TNC_UInt32 msg_len,
+ TNC_VendorID msg_vid,
+ TNC_MessageSubtype msg_subtype,
+ TNC_UInt32 imc_id)
+{
+ if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring SendMessageLong() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
+ return tnc->tnccs->send_message(tnc->tnccs, imc_id, imv_id, connection_id,
+ msg_flags, msg, msg_len, msg_vid, msg_subtype);
+}
+
+/**
+ * Called by the IMV to deliver its IMV Action Recommendation and IMV Evaluation
+ * Result to the TNCS
+ */
+TNC_Result TNC_TNCS_ProvideRecommendation(TNC_IMVID imv_id,
+ TNC_ConnectionID connection_id,
+ TNC_IMV_Action_Recommendation recommendation,
+ TNC_IMV_Evaluation_Result evaluation)
+{
+ if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring ProvideRecommendation() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
+ return tnc->tnccs->provide_recommendation(tnc->tnccs, imv_id, connection_id,
+ recommendation, evaluation);
+}
+
+/**
+ * Called by the IMV to get the value of an attribute associated with a
+ * connection or with the TNCS as a whole.
+ */
+TNC_Result TNC_TNCS_GetAttribute(TNC_IMVID imv_id,
+ TNC_ConnectionID connection_id,
+ TNC_AttributeID attribute_id,
+ TNC_UInt32 buffer_len,
+ TNC_BufferReference buffer,
+ TNC_UInt32 *out_value_len)
+{
+ if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring GetAttribute() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
+ return tnc->tnccs->get_attribute(tnc->tnccs, FALSE, imv_id, connection_id,
+ attribute_id, buffer_len, buffer, out_value_len);
+}
+
+/**
+ * Called by the IMV to set the value of an attribute associated with a
+ * connection or with the TNCS as a whole.
+ */
+TNC_Result TNC_TNCS_SetAttribute(TNC_IMVID imv_id,
+ TNC_ConnectionID connection_id,
+ TNC_AttributeID attribute_id,
+ TNC_UInt32 buffer_len,
+ TNC_BufferReference buffer)
+{
+ if (!tnc->imvs->is_registered(tnc->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring SetAttribute() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
+ return tnc->tnccs->set_attribute(tnc->tnccs, FALSE, imv_id, connection_id,
+ attribute_id, buffer_len, buffer);
+}
+
+/**
+ * Called by the IMV when it wants to reserve an additional IMV ID for itself
+ */
+TNC_Result TNC_TNCS_ReserveAdditionalIMVID(TNC_IMVID imv_id, TNC_UInt32 *new_id)
+{
+ if (tnc->imvs->reserve_id(tnc->imvs, imv_id, new_id))
+ {
+ return TNC_RESULT_SUCCESS;
+ }
+ DBG1(DBG_TNC, "ignoring ReserveAdditionalIMVID() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+}
+
+/**
+ * Called by the IMV when it needs a function pointer
+ */
+TNC_Result TNC_TNCS_BindFunction(TNC_IMVID id,
+ char *function_name,
+ void **function_pointer)
+{
+ if (streq(function_name, "TNC_TNCS_ReportMessageTypes"))
+ {
+ *function_pointer = (void*)TNC_TNCS_ReportMessageTypes;
+ }
+ else if (streq(function_name, "TNC_TNCS_ReportMessageTypesLong"))
+ {
+ *function_pointer = (void*)TNC_TNCS_ReportMessageTypesLong;
+ }
+ else if (streq(function_name, "TNC_TNCS_RequestHandshakeRetry"))
+ {
+ *function_pointer = (void*)TNC_TNCS_RequestHandshakeRetry;
+ }
+ else if (streq(function_name, "TNC_TNCS_SendMessage"))
+ {
+ *function_pointer = (void*)TNC_TNCS_SendMessage;
+ }
+ else if (streq(function_name, "TNC_TNCS_SendMessageLong"))
+ {
+ *function_pointer = (void*)TNC_TNCS_SendMessageLong;
+ }
+ else if (streq(function_name, "TNC_TNCS_ProvideRecommendation"))
+ {
+ *function_pointer = (void*)TNC_TNCS_ProvideRecommendation;
+ }
+ else if (streq(function_name, "TNC_TNCS_GetAttribute"))
+ {
+ *function_pointer = (void*)TNC_TNCS_GetAttribute;
+ }
+ else if (streq(function_name, "TNC_TNCS_SetAttribute"))
+ {
+ *function_pointer = (void*)TNC_TNCS_SetAttribute;
+ }
+ else if (streq(function_name, "TNC_TNCS_ReserveAdditionalIMVID"))
+ {
+ *function_pointer = (void*)TNC_TNCS_ReserveAdditionalIMVID;
+ }
+ else
+ {
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
+ return TNC_RESULT_SUCCESS;
+}
--- /dev/null
+/*
+ * Copyright (C) 2010-2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imv_manager.h"
+#include "tnc_imv.h"
+#include "tnc_imv_recommendations.h"
+
+#include <tncifimv.h>
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/mman.h>
+#include <unistd.h>
+#include <errno.h>
+#include <fcntl.h>
+
+#include <utils/debug.h>
+#include <threading/rwlock.h>
+#include <threading/mutex.h>
+#include <collections/linked_list.h>
+
+typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t;
+
+/**
+ * Private data of an imv_manager_t object.
+ */
+struct private_tnc_imv_manager_t {
+
+ /**
+ * Public members of imv_manager_t.
+ */
+ imv_manager_t public;
+
+ /**
+ * Linked list of IMVs
+ */
+ linked_list_t *imvs;
+
+ /**
+ * Lock for IMV list
+ */
+ rwlock_t *lock;
+
+ /**
+ * Next IMV ID to be assigned
+ */
+ TNC_IMVID next_imv_id;
+
+ /**
+ * Mutex to access next IMV ID
+ */
+ mutex_t *id_mutex;
+
+ /**
+ * Policy defining how to derive final recommendation from individual ones
+ */
+ recommendation_policy_t policy;
+};
+
+METHOD(imv_manager_t, add, bool,
+ private_tnc_imv_manager_t *this, imv_t *imv)
+{
+ TNC_Version version;
+ TNC_IMVID imv_id;
+
+ this->id_mutex->lock(this->id_mutex);
+ imv_id = this->next_imv_id++;
+ this->id_mutex->unlock(this->id_mutex);
+
+ imv->set_id(imv, imv_id);
+ if (imv->initialize(imv_id, TNC_IFIMV_VERSION_1,
+ TNC_IFIMV_VERSION_1, &version) != TNC_RESULT_SUCCESS)
+ {
+ DBG1(DBG_TNC, "IMV \"%s\" failed to initialize", imv->get_name(imv));
+ return FALSE;
+ }
+ this->lock->write_lock(this->lock);
+ this->imvs->insert_last(this->imvs, imv);
+ this->lock->unlock(this->lock);
+
+ if (imv->provide_bind_function(imv->get_id(imv),
+ TNC_TNCS_BindFunction) != TNC_RESULT_SUCCESS)
+ {
+ if (imv->terminate)
+ {
+ imv->terminate(imv->get_id(imv));
+ }
+ DBG1(DBG_TNC, "IMV \"%s\" failed to obtain bind function",
+ imv->get_name(imv));
+ this->lock->write_lock(this->lock);
+ this->imvs->remove_last(this->imvs, (void**)&imv);
+ this->lock->unlock(this->lock);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+METHOD(imv_manager_t, remove_, imv_t*,
+ private_tnc_imv_manager_t *this, TNC_IMVID id)
+{
+ enumerator_t *enumerator;
+ imv_t *imv, *removed_imv = NULL;
+
+ this->lock->write_lock(this->lock);
+ enumerator = this->imvs->create_enumerator(this->imvs);
+ while (enumerator->enumerate(enumerator, &imv))
+ {
+ if (id == imv->get_id(imv))
+ {
+ this->imvs->remove_at(this->imvs, enumerator);
+ removed_imv = imv;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+
+ return removed_imv;
+}
+
+METHOD(imv_manager_t, load, bool,
+ private_tnc_imv_manager_t *this, char *name, char *path)
+{
+ imv_t *imv;
+
+ imv = tnc_imv_create(name, path);
+ if (!imv)
+ {
+ return FALSE;
+ }
+ if (!add(this, imv))
+ {
+ imv->destroy(imv);
+ return FALSE;
+ }
+ DBG1(DBG_TNC, "IMV %u \"%s\" loaded from '%s'", imv->get_id(imv), name, path);
+ return TRUE;
+}
+
+METHOD(imv_manager_t, load_from_functions, bool,
+ private_tnc_imv_manager_t *this, char *name,
+ TNC_IMV_InitializePointer initialize,
+ TNC_IMV_NotifyConnectionChangePointer notify_connection_change,
+ TNC_IMV_ReceiveMessagePointer receive_message,
+ TNC_IMV_ReceiveMessageLongPointer receive_message_long,
+ TNC_IMV_SolicitRecommendationPointer solicit_recommendation,
+ TNC_IMV_BatchEndingPointer batch_ending,
+ TNC_IMV_TerminatePointer terminate,
+ TNC_IMV_ProvideBindFunctionPointer provide_bind_function)
+{
+ imv_t *imv;
+
+ imv = tnc_imv_create_from_functions(name,
+ initialize,notify_connection_change,
+ receive_message, receive_message_long,
+ solicit_recommendation, batch_ending,
+ terminate, provide_bind_function);
+ if (!imv)
+ {
+ return FALSE;
+ }
+ if (!add(this, imv))
+ {
+ imv->destroy(imv);
+ return FALSE;
+ }
+ DBG1(DBG_TNC, "IMV %u \"%s\" loaded", imv->get_id(imv), name);
+ return TRUE;
+}
+
+METHOD(imv_manager_t, is_registered, bool,
+ private_tnc_imv_manager_t *this, TNC_IMVID id)
+{
+ enumerator_t *enumerator;
+ imv_t *imv;
+ bool found = FALSE;
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->imvs->create_enumerator(this->imvs);
+ while (enumerator->enumerate(enumerator, &imv))
+ {
+ if (imv->has_id(imv, id))
+ {
+ found = TRUE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+
+ return found;
+}
+
+METHOD(imv_manager_t, reserve_id, bool,
+ private_tnc_imv_manager_t *this, TNC_IMVID id, TNC_UInt32 *new_id)
+{
+ enumerator_t *enumerator;
+ imv_t *imv;
+ bool found = FALSE;
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->imvs->create_enumerator(this->imvs);
+ while (enumerator->enumerate(enumerator, &imv))
+ {
+ if (id == imv->get_id(imv))
+ {
+ found = TRUE;
+ this->id_mutex->lock(this->id_mutex);
+ *new_id = this->next_imv_id++;
+ this->id_mutex->unlock(this->id_mutex);
+ imv->add_id(imv, *new_id);
+ DBG2(DBG_TNC, "additional ID %u reserved for IMV with primary ID %u",
+ *new_id, id);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+
+ return found;
+}
+
+METHOD(imv_manager_t, get_recommendation_policy, recommendation_policy_t,
+ private_tnc_imv_manager_t *this)
+{
+ return this->policy;
+}
+
+METHOD(imv_manager_t, create_recommendations, recommendations_t*,
+ private_tnc_imv_manager_t *this)
+{
+ return tnc_imv_recommendations_create(this->imvs);
+}
+
+
+METHOD(imv_manager_t, notify_connection_change, void,
+ private_tnc_imv_manager_t *this, TNC_ConnectionID id,
+ TNC_ConnectionState state)
+{
+ enumerator_t *enumerator;
+ imv_t *imv;
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->imvs->create_enumerator(this->imvs);
+ while (enumerator->enumerate(enumerator, &imv))
+ {
+ if (imv->notify_connection_change)
+ {
+ imv->notify_connection_change(imv->get_id(imv), id, state);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+}
+
+METHOD(imv_manager_t, set_message_types, TNC_Result,
+ private_tnc_imv_manager_t *this, TNC_IMVID id,
+ TNC_MessageTypeList supported_types,
+ TNC_UInt32 type_count)
+{
+ enumerator_t *enumerator;
+ imv_t *imv;
+ TNC_Result result = TNC_RESULT_FATAL;
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->imvs->create_enumerator(this->imvs);
+ while (enumerator->enumerate(enumerator, &imv))
+ {
+ if (id == imv->get_id(imv))
+ {
+ imv->set_message_types(imv, supported_types, type_count);
+ result = TNC_RESULT_SUCCESS;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+ return result;
+}
+
+METHOD(imv_manager_t, set_message_types_long, TNC_Result,
+ private_tnc_imv_manager_t *this, TNC_IMVID id,
+ TNC_VendorIDList supported_vids,
+ TNC_MessageSubtypeList supported_subtypes,
+ TNC_UInt32 type_count)
+{
+ enumerator_t *enumerator;
+ imv_t *imv;
+ TNC_Result result = TNC_RESULT_FATAL;
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->imvs->create_enumerator(this->imvs);
+ while (enumerator->enumerate(enumerator, &imv))
+ {
+ if (id == imv->get_id(imv))
+ {
+ imv->set_message_types_long(imv, supported_vids, supported_subtypes,
+ type_count);
+ result = TNC_RESULT_SUCCESS;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+ return result;
+}
+
+METHOD(imv_manager_t, solicit_recommendation, void,
+ private_tnc_imv_manager_t *this, TNC_ConnectionID id)
+{
+ enumerator_t *enumerator;
+ imv_t *imv;
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->imvs->create_enumerator(this->imvs);
+ while (enumerator->enumerate(enumerator, &imv))
+ {
+ imv->solicit_recommendation(imv->get_id(imv), id);
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+}
+
+METHOD(imv_manager_t, receive_message, void,
+ private_tnc_imv_manager_t *this, TNC_ConnectionID connection_id,
+ bool excl,
+ TNC_BufferReference msg,
+ TNC_UInt32 msg_len,
+ TNC_VendorID msg_vid,
+ TNC_MessageSubtype msg_subtype,
+ TNC_UInt32 src_imc_id,
+ TNC_UInt32 dst_imv_id)
+{
+ bool type_supported = FALSE;
+ TNC_MessageType msg_type;
+ TNC_UInt32 msg_flags;
+ enumerator_t *enumerator;
+ imv_t *imv;
+
+ msg_type = (msg_vid << 8) | msg_subtype;
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->imvs->create_enumerator(this->imvs);
+ while (enumerator->enumerate(enumerator, &imv))
+ {
+ if (imv->type_supported(imv, msg_vid, msg_subtype) &&
+ (!excl || (excl && imv->has_id(imv, dst_imv_id))))
+ {
+ if (imv->receive_message_long && src_imc_id)
+ {
+ type_supported = TRUE;
+ msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0;
+ imv->receive_message_long(imv->get_id(imv), connection_id,
+ msg_flags, msg, msg_len, msg_vid, msg_subtype,
+ src_imc_id, dst_imv_id);
+
+ }
+ else if (imv->receive_message && msg_vid <= TNC_VENDORID_ANY &&
+ msg_subtype <= TNC_SUBTYPE_ANY)
+ {
+ type_supported = TRUE;
+ msg_type = (msg_vid << 8) | msg_subtype;
+ imv->receive_message(imv->get_id(imv), connection_id,
+ msg, msg_len, msg_type);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+
+ if (!type_supported)
+ {
+ DBG2(DBG_TNC, "message type 0x%06x/0x%08x not supported by any IMV",
+ msg_vid, msg_subtype);
+ }
+}
+
+METHOD(imv_manager_t, batch_ending, void,
+ private_tnc_imv_manager_t *this, TNC_ConnectionID id)
+{
+ enumerator_t *enumerator;
+ imv_t *imv;
+
+ this->lock->read_lock(this->lock);
+ enumerator = this->imvs->create_enumerator(this->imvs);
+ while (enumerator->enumerate(enumerator, &imv))
+ {
+ if (imv->batch_ending)
+ {
+ imv->batch_ending(imv->get_id(imv), id);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+}
+
+METHOD(imv_manager_t, destroy, void,
+ private_tnc_imv_manager_t *this)
+{
+ imv_t *imv;
+
+ while (this->imvs->remove_last(this->imvs, (void**)&imv) == SUCCESS)
+ {
+ if (imv->terminate &&
+ imv->terminate(imv->get_id(imv)) != TNC_RESULT_SUCCESS)
+ {
+ DBG1(DBG_TNC, "IMV \"%s\" not terminated successfully",
+ imv->get_name(imv));
+ }
+ imv->destroy(imv);
+ }
+ this->imvs->destroy(this->imvs);
+ this->lock->destroy(this->lock);
+ this->id_mutex->destroy(this->id_mutex);
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+imv_manager_t* tnc_imv_manager_create(void)
+{
+ private_tnc_imv_manager_t *this;
+ recommendation_policy_t policy;
+
+ INIT(this,
+ .public = {
+ .add = _add,
+ .remove = _remove_, /* avoid name conflict with stdio.h */
+ .load = _load,
+ .load_from_functions = _load_from_functions,
+ .is_registered = _is_registered,
+ .reserve_id = _reserve_id,
+ .get_recommendation_policy = _get_recommendation_policy,
+ .create_recommendations = _create_recommendations,
+ .notify_connection_change = _notify_connection_change,
+ .set_message_types = _set_message_types,
+ .set_message_types_long = _set_message_types_long,
+ .solicit_recommendation = _solicit_recommendation,
+ .receive_message = _receive_message,
+ .batch_ending = _batch_ending,
+ .destroy = _destroy,
+ },
+ .imvs = linked_list_create(),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ .id_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ .next_imv_id = 1,
+ );
+
+ policy = enum_from_name(recommendation_policy_names,
+ lib->settings->get_str(lib->settings,
+ "libtnccs.plugins.tnc-imv.recommendation_policy", "default"));
+ this->policy = (policy != -1) ? policy : RECOMMENDATION_POLICY_DEFAULT;
+ DBG1(DBG_TNC, "TNC recommendation policy is '%N'",
+ recommendation_policy_names, this->policy);
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imv_manager tnc_imv_manager
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_MANAGER_H_
+#define TNC_IMV_MANAGER_H_
+
+#include <tnc/imv/imv_manager.h>
+
+/**
+ * Create an IMV manager instance.
+ */
+imv_manager_t *tnc_imv_manager_create();
+
+#endif /** TNC_IMV_MANAGER_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2010-2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imv_plugin.h"
+#include "tnc_imv_manager.h"
+
+#include <tnc/tnc.h>
+
+
+typedef struct private_tnc_imv_plugin_t private_tnc_imv_plugin_t;
+
+/**
+ * Private data of a tnc_imv_plugin_t object.
+ */
+struct private_tnc_imv_plugin_t {
+
+ /**
+ * Public interface.
+ */
+ tnc_imv_plugin_t public;
+
+};
+
+
+METHOD(plugin_t, get_name, char*,
+ tnc_imv_plugin_t *this)
+{
+ return "tnc-imv";
+}
+
+METHOD(plugin_t, get_features, int,
+ private_tnc_imv_plugin_t *this, plugin_feature_t *features[])
+{
+ static plugin_feature_t f[] = {
+ PLUGIN_CALLBACK(tnc_manager_register, tnc_imv_manager_create),
+ PLUGIN_PROVIDE(CUSTOM, "imv-manager"),
+ PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
+ PLUGIN_SDEPEND(CERT_DECODE, CERT_X509),
+ PLUGIN_SDEPEND(CERT_DECODE, CERT_TRUSTED_PUBKEY),
+ PLUGIN_SDEPEND(DATABASE, DB_ANY),
+ };
+ *features = f;
+ return countof(f);
+}
+
+METHOD(plugin_t, destroy, void,
+ private_tnc_imv_plugin_t *this)
+{
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *tnc_imv_plugin_create()
+{
+ private_tnc_imv_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .get_name = _get_name,
+ .get_features = _get_features,
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ return &this->public.plugin;
+}
+
--- /dev/null
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_imv tnc_imv
+ * @ingroup cplugins
+ *
+ * @defgroup tnc_imv_plugin tnc_imv_plugin
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_PLUGIN_H_
+#define TNC_IMV_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct tnc_imv_plugin_t tnc_imv_plugin_t;
+
+/**
+ * TNC IMV plugin
+ */
+struct tnc_imv_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** TNC_IMV_PLUGIN_H_ @}*/
--- /dev/null
+/*
+ * Copyright (C) 2010-2012 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include <tncifimv.h>
+#include <tncif_names.h>
+#include <tncif_policy.h>
+
+#include <tnc/tnc.h>
+#include <tnc/imv/imv.h>
+#include <tnc/imv/imv_manager.h>
+#include <tnc/imv/imv_recommendations.h>
+
+#include <utils/debug.h>
+#include <collections/linked_list.h>
+
+typedef struct private_tnc_imv_recommendations_t private_tnc_imv_recommendations_t;
+typedef struct recommendation_entry_t recommendation_entry_t;
+
+/**
+ * Recommendation entry
+ */
+struct recommendation_entry_t {
+
+ /**
+ * IMV ID
+ */
+ TNC_IMVID id;
+
+ /**
+ * Received a recommendation message from this IMV?
+ */
+ bool have_recommendation;
+
+ /**
+ * Action Recommendation provided by IMV instance
+ */
+ TNC_IMV_Action_Recommendation rec;
+
+ /**
+ * Evaluation Result provided by IMV instance
+ */
+ TNC_IMV_Evaluation_Result eval;
+
+ /**
+ * Reason string provided by IMV instance
+ */
+ chunk_t reason;
+
+ /**
+ * Reason language provided by IMV instance
+ */
+ chunk_t reason_language;
+};
+
+/**
+ * Private data of a recommendations_t object.
+ */
+struct private_tnc_imv_recommendations_t {
+
+ /**
+ * Public members of recommendations_t.
+ */
+ recommendations_t public;
+
+ /**
+ * list of recommendations and evaluations provided by IMVs
+ */
+ linked_list_t *recs;
+
+ /**
+ * Preferred language for remediation messages
+ */
+ chunk_t preferred_language;
+};
+
+METHOD(recommendations_t, provide_recommendation, TNC_Result,
+ private_tnc_imv_recommendations_t* this, TNC_IMVID id,
+ TNC_IMV_Action_Recommendation rec,
+ TNC_IMV_Evaluation_Result eval)
+{
+ enumerator_t *enumerator;
+ recommendation_entry_t *entry;
+ bool found = FALSE;
+
+ DBG2(DBG_TNC, "IMV %u provides recommendation '%N' and evaluation '%N'", id,
+ TNC_IMV_Action_Recommendation_names, rec,
+ TNC_IMV_Evaluation_Result_names, eval);
+
+ enumerator = this->recs->create_enumerator(this->recs);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->id == id)
+ {
+ found = TRUE;
+ entry->have_recommendation = TRUE;
+ entry->rec = rec;
+ entry->eval = eval;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return found ? TNC_RESULT_SUCCESS : TNC_RESULT_FATAL;
+}
+
+METHOD(recommendations_t, have_recommendation, bool,
+ private_tnc_imv_recommendations_t *this, TNC_IMV_Action_Recommendation *rec,
+ TNC_IMV_Evaluation_Result *eval)
+{
+ enumerator_t *enumerator;
+ recommendation_entry_t *entry;
+ recommendation_policy_t policy;
+ TNC_IMV_Action_Recommendation final_rec;
+ TNC_IMV_Evaluation_Result final_eval;
+ bool first = TRUE, incomplete = FALSE;
+
+ final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+ final_eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+ if (rec && eval)
+ {
+ *rec = final_rec;
+ *eval = final_eval;
+ }
+
+ if (this->recs->get_count(this->recs) == 0)
+ {
+ DBG1(DBG_TNC, "there are no IMVs to make a recommendation");
+ return TRUE;
+ }
+ policy = tnc->imvs->get_recommendation_policy(tnc->imvs);
+
+ enumerator = this->recs->create_enumerator(this->recs);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (!entry->have_recommendation)
+ {
+ incomplete = TRUE;
+ break;
+ }
+ if (first)
+ {
+ final_rec = entry->rec;
+ final_eval = entry->eval;
+ first = FALSE;
+ continue;
+ }
+ switch (policy)
+ {
+ case RECOMMENDATION_POLICY_DEFAULT:
+ final_rec = tncif_policy_update_recommendation(final_rec,
+ entry->rec);
+ final_eval = tncif_policy_update_evaluation(final_eval,
+ entry->eval);
+ break;
+
+ case RECOMMENDATION_POLICY_ALL:
+ if (entry->rec != final_rec)
+ {
+ final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+ }
+ if (entry->eval != final_eval)
+ {
+ final_eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+ }
+ break;
+
+ case RECOMMENDATION_POLICY_ANY:
+ switch (entry->rec)
+ {
+ case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+ final_rec = entry->rec;
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+ if (final_rec != TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
+ {
+ final_rec = entry->rec;
+ };
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+ if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+ {
+ final_rec = entry->rec;
+ };
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+ break;
+ }
+ switch (entry->eval)
+ {
+ case TNC_IMV_EVALUATION_RESULT_COMPLIANT:
+ final_eval = entry->eval;
+ break;
+ case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
+ if (final_eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT)
+ {
+ final_eval = entry->eval;
+ }
+ break;
+ case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+ if (final_eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT &&
+ final_eval != TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR)
+ {
+ final_eval = entry->eval;
+ }
+ break;
+ case TNC_IMV_EVALUATION_RESULT_ERROR:
+ if (final_eval == TNC_IMV_EVALUATION_RESULT_DONT_KNOW)
+ {
+ final_eval = entry->eval;
+ }
+ break;
+ case TNC_IMV_EVALUATION_RESULT_DONT_KNOW:
+ break;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (incomplete)
+ {
+ return FALSE;
+ }
+ if (rec && eval)
+ {
+ *rec = final_rec;
+ *eval = final_eval;
+ }
+ return TRUE;
+}
+
+METHOD(recommendations_t, clear_recommendation, void,
+ private_tnc_imv_recommendations_t *this)
+{
+ enumerator_t *enumerator;
+ recommendation_entry_t *entry;
+
+ enumerator = this->recs->create_enumerator(this->recs);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ entry->have_recommendation = FALSE;
+ entry->rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+ entry->eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+ chunk_clear(&entry->reason);
+ chunk_clear(&entry->reason_language);
+ }
+ enumerator->destroy(enumerator);
+}
+
+METHOD(recommendations_t, get_preferred_language, chunk_t,
+ private_tnc_imv_recommendations_t *this)
+{
+ return this->preferred_language;
+}
+
+METHOD(recommendations_t, set_preferred_language, void,
+ private_tnc_imv_recommendations_t *this, chunk_t pref_lang)
+{
+ free(this->preferred_language.ptr);
+ this->preferred_language = chunk_clone(pref_lang);
+}
+
+METHOD(recommendations_t, set_reason_string, TNC_Result,
+ private_tnc_imv_recommendations_t *this, TNC_IMVID id, chunk_t reason)
+{
+ enumerator_t *enumerator;
+ recommendation_entry_t *entry;
+ bool found = FALSE;
+
+ DBG2(DBG_TNC, "IMV %u is setting reason string to '%.*s'",
+ id, (int)reason.len, reason.ptr);
+
+ enumerator = this->recs->create_enumerator(this->recs);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->id == id)
+ {
+ found = TRUE;
+ free(entry->reason.ptr);
+ entry->reason = chunk_clone(reason);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return found ? TNC_RESULT_SUCCESS : TNC_RESULT_INVALID_PARAMETER;
+}
+
+METHOD(recommendations_t, set_reason_language, TNC_Result,
+ private_tnc_imv_recommendations_t *this, TNC_IMVID id, chunk_t reason_lang)
+{
+ enumerator_t *enumerator;
+ recommendation_entry_t *entry;
+ bool found = FALSE;
+
+ DBG2(DBG_TNC, "IMV %u is setting reason language to '%.*s'",
+ id, (int)reason_lang.len, reason_lang.ptr);
+
+ enumerator = this->recs->create_enumerator(this->recs);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->id == id)
+ {
+ found = TRUE;
+ free(entry->reason_language.ptr);
+ entry->reason_language = chunk_clone(reason_lang);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return found ? TNC_RESULT_SUCCESS : TNC_RESULT_INVALID_PARAMETER;
+}
+
+/**
+ * Enumerate reason and reason_language, not recommendation entries
+ */
+static bool reason_filter(void *null, recommendation_entry_t **entry,
+ TNC_IMVID *id, void *i2, chunk_t *reason, void *i3,
+ chunk_t *reason_language)
+{
+ if ((*entry)->reason.len)
+ {
+ *id = (*entry)->id;
+ *reason = (*entry)->reason;
+ *reason_language = (*entry)->reason_language;
+ return TRUE;
+ }
+ else
+ {
+ return FALSE;
+ }
+}
+
+METHOD(recommendations_t, create_reason_enumerator, enumerator_t*,
+ private_tnc_imv_recommendations_t *this)
+{
+ return enumerator_create_filter(this->recs->create_enumerator(this->recs),
+ (void*)reason_filter, NULL, NULL);
+}
+
+METHOD(recommendations_t, destroy, void,
+ private_tnc_imv_recommendations_t *this)
+{
+ recommendation_entry_t *entry;
+
+ while (this->recs->remove_last(this->recs, (void**)&entry) == SUCCESS)
+ {
+ free(entry->reason.ptr);
+ free(entry->reason_language.ptr);
+ free(entry);
+ }
+ this->recs->destroy(this->recs);
+ free(this->preferred_language.ptr);
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+recommendations_t* tnc_imv_recommendations_create(linked_list_t *imv_list)
+{
+ private_tnc_imv_recommendations_t *this;
+ recommendation_entry_t *entry;
+ enumerator_t *enumerator;
+ imv_t *imv;
+
+ INIT(this,
+ .public = {
+ .provide_recommendation = _provide_recommendation,
+ .have_recommendation = _have_recommendation,
+ .clear_recommendation = _clear_recommendation,
+ .get_preferred_language = _get_preferred_language,
+ .set_preferred_language = _set_preferred_language,
+ .set_reason_string = _set_reason_string,
+ .set_reason_language = _set_reason_language,
+ .create_reason_enumerator = _create_reason_enumerator,
+ .destroy = _destroy,
+ },
+ .recs = linked_list_create(),
+ );
+
+ enumerator = imv_list->create_enumerator(imv_list);
+ while (enumerator->enumerate(enumerator, &imv))
+ {
+ entry = malloc_thing(recommendation_entry_t);
+ entry->id = imv->get_id(imv);
+ entry->have_recommendation = FALSE;
+ entry->rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+ entry->eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+ entry->reason = chunk_empty;
+ entry->reason_language = chunk_empty;
+ this->recs->insert_last(this->recs, entry);
+ }
+ enumerator->destroy(enumerator);
+
+ return &this->public;
+}
--- /dev/null
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imv_manager tnc_imv_manager
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_RECOMMENDATIONS_H_
+#define TNC_IMV_RECOMMENDATIONS_H_
+
+#include <tnc/imv/imv_recommendations.h>
+#include <collections/linked_list.h>
+
+/**
+ * Create an IMV empty recommendations instance
+ */
+recommendations_t *tnc_imv_recommendations_create();
+
+#endif /** TNC_IMV_RECOMMENDATIONS_H_ @}*/
METHOD(tnccs_manager_t, create_instance, tnccs_t*,
private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server,
- identification_t *server, identification_t *peer,
- tnc_ift_type_t transport)
+ identification_t *server, identification_t *peer, tnc_ift_type_t transport,
+ tnccs_cb_t cb)
{
enumerator_t *enumerator;
tnccs_entry_t *entry;
{
if (type == entry->type)
{
- protocol = entry->constructor(is_server, server, peer, transport);
+ protocol = entry->constructor(is_server, server, peer, transport, cb);
if (protocol)
{
break;
*/
recommendations_t *recs;
+ /**
+ * Callback function to communicate recommendation (TNC Server only)
+ */
+ tnccs_cb_t callback;
+
};
METHOD(tnccs_t, send_msg, TNC_Result,
if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
{
- return tnc->imvs->enforce_recommendation(tnc->imvs, rec, eval);
+ return this->callback ? this->callback(rec, eval) : TRUE;
}
else
{
* See header
*/
tnccs_t* tnccs_11_create(bool is_server,
- identification_t *server,
- identification_t *peer,
- tnc_ift_type_t transport)
+ identification_t *server, identification_t *peer,
+ tnc_ift_type_t transport, tnccs_cb_t cb)
{
private_tnccs_11_t *this;
.server = server->clone(server),
.peer = peer->clone(peer),
.transport = transport,
+ .callback = cb,
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.max_msg_len = lib->settings->get_int(lib->settings,
"libtnccs.plugins.tnccs-11.max_message_size", 45000),
* @param server Server identity
* @param peer Client identity
* @param transport Underlying IF-T transport protocol
+ * @param cb Callback function if TNC Server, NULL if TNC Client
* @return TNC_IF_TNCCS 1.1 protocol stack
*/
tnccs_t* tnccs_11_create(bool is_server,
- identification_t *server,
- identification_t *peer,
- tnc_ift_type_t transport);
+ identification_t *server, identification_t *peer,
+ tnc_ift_type_t transport, tnccs_cb_t cb);
#endif /** TNCCS_11_H_ @}*/
*/
recommendations_t *recs;
+ /**
+ * Callback function to communicate recommendation (TNC Server only)
+ */
+ tnccs_cb_t callback;
+
+ /**
+ * Data to pass to callback function (TNC Server only)
+ */
+ void *cb_data;
+
};
/**
if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
{
- return tnc->imvs->enforce_recommendation(tnc->imvs, rec, eval);
+ return this->callback ? this->callback(rec, eval) : TRUE;
}
else
{
* See header
*/
tnccs_t* tnccs_20_create(bool is_server,
- identification_t *server,
- identification_t *peer,
- tnc_ift_type_t transport)
+ identification_t *server, identification_t *peer,
+ tnc_ift_type_t transport, tnccs_cb_t cb)
{
private_tnccs_20_t *this;
.server = server->clone(server),
.peer = peer->clone(peer),
.transport = transport,
+ .callback = cb,
.state_machine = pb_tnc_state_machine_create(is_server),
.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
.messages = linked_list_create(),
* @param server Server identity
* @param peer Client identity
* @param transport Underlying IF-T transport protocol
+ * @param cb Callback function if TNC Server, NULL if TNC Client
* @return TNC_IF_TNCCS 2.0 protocol stack
*/
tnccs_t* tnccs_20_create(bool is_server,
- identification_t *server,
- identification_t *peer,
- tnc_ift_type_t transport);
+ identification_t *server, identification_t *peer,
+ tnc_ift_type_t transport, tnccs_cb_t cb);
#endif /** TNCCS_20_H_ @}*/
*/
u_int32_t auth_type;
+ /**
+ * Callback function to communicate recommendation (TNC Server only)
+ */
+ tnccs_cb_t callback;
+
};
/**
DBG1(DBG_TNC, "%N protocol detected dynamically",
tnccs_type_names, type);
tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE,
- this->server, this->peer, this->transport);
+ this->server, this->peer, this->transport,
+ this->callback);
if (!tnccs)
{
DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);
* See header
*/
tnccs_t* tnccs_dynamic_create(bool is_server,
- identification_t *server,
- identification_t *peer,
- tnc_ift_type_t transport)
+ identification_t *server, identification_t *peer,
+ tnc_ift_type_t transport, tnccs_cb_t cb)
{
private_tnccs_dynamic_t *this;
.server = server->clone(server),
.peer = peer->clone(peer),
.transport = transport,
+ .callback = cb,
);
return &this->public;
* @param server Server identity
* @param peer Client identity
* @param transport Underlying IF-T transport protocol
+ * @param cb Callback function if TNC Server, NULL if TNC Client
* @return dynamic TNC IF-TNCCS protocol stack
*/
tnccs_t* tnccs_dynamic_create(bool is_server,
- identification_t *server,
- identification_t *peer,
- tnc_ift_type_t transport);
+ identification_t *server, identification_t *peer,
+ tnc_ift_type_t transport, tnccs_cb_t cb);
#endif /** TNCCS_DYNAMIC_H_ @}*/
/*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
recommendations_t* (*create_recommendations)(imv_manager_t *this);
/**
- * Enforce the TNC recommendation on the IKE_SA by either inserting an
- * allow|isolate group membership rule (TRUE) or by blocking access (FALSE)
- *
- * @param rec TNC action recommendation
- * @param eval TNC evaluation result
- * @return TRUE for allow|isolate, FALSE for none
- */
- bool (*enforce_recommendation)(imv_manager_t *this,
- TNC_IMV_Action_Recommendation rec,
- TNC_IMV_Evaluation_Result eval);
-
- /**
* Notify all IMV instances
*
* @param state communicate the state a connection has reached
#include <tls.h>
/**
+ * Callback function to communicate action recommendation and evaluation result
+ * generated by TNC server
+ *
+ * @param rec TNC Action Recommendation
+ * @param eval TNC Evaluation Result
+ * @return TRUE to terminate TNCCS connection, FALSE to keep it
+ */
+typedef bool (*tnccs_cb_t)(TNC_IMV_Action_Recommendation rec,
+ TNC_IMV_Evaluation_Result eval);
+
+/**
* Type of TNC Client/Server protocol
*/
enum tnccs_type_t {
* @param server Server identity
* @param peer Client identity
* @param transport Underlying TNC IF-T transport protocol used
+ * @param cb Callback function if TNC Server, NULL if TNC Client
* @return implementation of the tnccs_t interface
*/
typedef tnccs_t *(*tnccs_constructor_t)(bool is_server,
identification_t *server,
identification_t *peer,
- tnc_ift_type_t transport);
+ tnc_ift_type_t transport,
+ tnccs_cb_t cb);
/**
* Callback function adding a message to a TNCCS batch
* @param server Server identity
* @param peer Client identity
* @param transport Underlying TNC IF-T transport protocol used
+ * @param cb Callback function if TNC Server, NULL if TNC Client
* @return TNCCS protocol instance, NULL if no constructor found
*/
tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type,
bool is_server, identification_t *server,
identification_t *peer,
- tnc_ift_type_t transport);
+ tnc_ift_type_t transport, tnccs_cb_t cb);
/**
* Create a TNCCS connection and assign a unique connection ID as well a
server = identification_create_from_string(address);
client = identification_create_from_string(identity);
tnccs = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, FALSE,
- server, client, TNC_IFT_TLS_2_0);
+ server, client, TNC_IFT_TLS_2_0, NULL);
if (!tnccs)
{
fprintf(stderr, "loading TNCCS failed: %s\n", PLUGINS);