enforce_recommendation inserts TNC group membership rules for IKE_SA

diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
index 00060bb..c5de572 100644 (file)
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
@@ -19,8 +19,7 @@
 #include <tnc/tncifimv.h>
 
 #include <debug.h>
 #include <tnc/tncifimv.h>
 
 #include <debug.h>

-#include <library.h>
-#include <utils/linked_list.h>
+#include <daemon.h>

 
 typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t;
 
 
 typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t;
 


@@ -98,6 +97,42 @@ METHOD(imv_manager_t, get_count, int,
        return this->imvs->get_count(this->imvs);
 }
 
        return this->imvs->get_count(this->imvs);
 }
 

+METHOD(imv_manager_t, enforce_recommendation, bool,
+       private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec)
+{
+       char *group;
+       identification_t *id;
+       ike_sa_t *ike_sa;
+       auth_cfg_t *auth;
+
+       switch (rec)
+       {
+               case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+                       DBG1(DBG_TNC, "TNC recommendation is allow");
+                       group = "allow";
+                       break;  
+               case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+                       DBG1(DBG_TNC, "TNC recommendation is isolate");
+                       group = "isolate";
+                       break;
+               case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+               case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+               default:
+                       DBG1(DBG_TNC, "TNC recommendation is none");
+                       return FALSE;
+       }
+       ike_sa = charon->bus->get_sa(charon->bus);
+       if (ike_sa)
+       {
+               auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+               id = identification_create_from_string(group);
+               auth->add(auth, AUTH_RULE_GROUP, id);
+               DBG1(DBG_TNC, "TNC added group membership '%s'", group);
+       }
+       return TRUE;
+}
+
+

 METHOD(imv_manager_t, notify_connection_change, void,
        private_tnc_imv_manager_t *this, TNC_ConnectionID id,
                                                                         TNC_ConnectionState state)
 METHOD(imv_manager_t, notify_connection_change, void,
        private_tnc_imv_manager_t *this, TNC_ConnectionID id,
                                                                         TNC_ConnectionState state)


@@ -222,6 +257,7 @@ imv_manager_t* tnc_imv_manager_create(void)
                        .add = _add,
                        .remove = _remove_, /* avoid name conflict with stdio.h */
                        .get_count = _get_count,
                        .add = _add,
                        .remove = _remove_, /* avoid name conflict with stdio.h */
                        .get_count = _get_count,

+                       .enforce_recommendation = _enforce_recommendation,

                        .notify_connection_change = _notify_connection_change,
                        .set_message_types = _set_message_types,
                        .solicit_recommendation = _solicit_recommendation,
                        .notify_connection_change = _notify_connection_change,
                        .set_message_types = _set_message_types,
                        .solicit_recommendation = _solicit_recommendation,

diff --git a/src/libcharon/tnc/imv/imv_manager.h b/src/libcharon/tnc/imv/imv_manager.h
index 1482361..0e83193 100644 (file)
--- a/src/libcharon/tnc/imv/imv_manager.h
+++ b/src/libcharon/tnc/imv/imv_manager.h
@@ -56,6 +56,16 @@ struct imv_manager_t {
        int (*get_count)(imv_manager_t *this);
 
        /**
        int (*get_count)(imv_manager_t *this);
 
        /**

+        * Enforce the TNC recommendation on the IKE_SA by either inserting an
+        * allow|isolate group membership rule (TRUE) or by blocking access (FALSE)
+        *
+        * @param void                          TNC action recommendation
+        * @return                                      TRUE for allow|isolate, FALSE for none
+        */
+       bool (*enforce_recommendation)(imv_manager_t *this,
+                                                                  TNC_IMV_Action_Recommendation rec);
+
+       /**

         * Notify all IMV instances
         *
         * @param state                 communicate the state a connection has reached
         * Notify all IMV instances
         *
         * @param state                 communicate the state a connection has reached