support of error_offset in PA-TNC INVALID PARAMETER error messages
authorAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 13 Jul 2011 20:18:32 +0000 (22:18 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Wed, 13 Jul 2011 20:18:32 +0000 (22:18 +0200)
src/libimcv/ietf/ietf_attr_pa_tnc_error.c
src/libimcv/ietf/ietf_attr_pa_tnc_error.h
src/libimcv/ietf/ietf_attr_port_filter.c
src/libimcv/ita/ita_attr_command.c
src/libimcv/pa_tnc/pa_tnc_attr.h
src/libimcv/pa_tnc/pa_tnc_msg.c
src/libimcv/plugins/imc_scanner/imc_scanner.c
src/libimcv/plugins/imc_test/imc_test.c
src/libimcv/plugins/imv_scanner/imv_scanner.c
src/libimcv/plugins/imv_test/imv_test.c

index 9702f41..cccb3ec 100644 (file)
@@ -32,7 +32,7 @@ typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t
 /**
  * PA-TNC Error Attribute Type  (see section 4.2.8 of RFC 5792)
  *
- *                        1                   2                   3
+ *                       1                   2                   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
@@ -50,7 +50,7 @@ typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t
 /**
  * All Error Types return the first 8 bytes of the erroneous PA-TNC message
  *
- *                        1                   2                   3
+ *                       1                   2                   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |    Version    |            Copy of Reserved                   |
@@ -62,9 +62,18 @@ typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t
 #define PA_ERROR_MSG_INFO_SIZE         8
 
 /**
+ * "Invalid Parameter" Error Code
+ *                       1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                             Offset                            |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+/**
  * "Version Not Supported" Error Code
  *
- *                        1                   2                   3
+ *                       1                   2                   3
  *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  *  |  Max Version  |  Min Version  |            Reserved           |
@@ -138,6 +147,11 @@ struct private_ietf_attr_pa_tnc_error_t {
        chunk_t attr_info;
 
        /**
+        * PA-TNC error offset
+        */
+       u_int32_t error_offset;
+
+       /**
         * Reference count
         */
        refcount_t ref;
@@ -187,6 +201,7 @@ METHOD(pa_tnc_attr_t, build, void,
        switch (this->error_code)
        {
                case PA_ERROR_INVALID_PARAMETER:
+                       writer->write_uint32(writer, this->error_offset);
                        break;
                case PA_ERROR_VERSION_NOT_SUPPORTED:
                        writer->write_uint8 (writer, PA_TNC_VERSION);
@@ -205,13 +220,16 @@ METHOD(pa_tnc_attr_t, build, void,
 }
 
 METHOD(pa_tnc_attr_t, process, status_t,
-       private_ietf_attr_pa_tnc_error_t *this)
+       private_ietf_attr_pa_tnc_error_t *this, u_int32_t *offset)
 {
        bio_reader_t *reader;
        u_int8_t reserved;
 
        if (this->value.len < PA_ERROR_HEADER_SIZE + PA_ERROR_MSG_INFO_SIZE)
        {
+               DBG1(DBG_TNC, "insufficient data for PA-TNC error header and "
+                                         "error information");
+               *offset = 0;
                return FAILED;
        }
        reader = bio_reader_create(this->value);
@@ -223,6 +241,15 @@ METHOD(pa_tnc_attr_t, process, status_t,
 
        switch (this->error_code)
        {
+               case PA_ERROR_INVALID_PARAMETER:
+                       if (!reader->read_uint32(reader, &this->error_offset))
+                       {
+                               reader->destroy(reader);
+                               DBG1(DBG_TNC, "insufficient data for error offset field");
+                               *offset = PA_ERROR_HEADER_SIZE + PA_ERROR_MSG_INFO_SIZE;
+                               return FAILED;
+                       }
+                       break;
                case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
                        if (!reader->read_data(reader, PA_ERROR_ATTR_INFO_SIZE,
                                                                                   &this->attr_info))
@@ -230,6 +257,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
                                reader->destroy(reader);
                                DBG1(DBG_TNC, "insufficient data for unsupported attribute "
                                                          "information");
+                               *offset = PA_ERROR_HEADER_SIZE + PA_ERROR_MSG_INFO_SIZE;
                                return FAILED;
                        }
                        this->attr_info = chunk_clone(this->attr_info);
@@ -291,6 +319,12 @@ METHOD(ietf_attr_pa_tnc_error_t, set_attr_info, void,
        this->attr_info = chunk_clone(attr_info);
 }
 
+METHOD(ietf_attr_pa_tnc_error_t, get_offset, u_int32_t,
+       private_ietf_attr_pa_tnc_error_t *this)
+{
+       return this->error_offset;
+}
+
 /**
  * Described in header.
  */
@@ -321,12 +355,58 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_t vendor_id,
                        .get_msg_info = _get_msg_info,
                        .get_attr_info = _get_attr_info,
                        .set_attr_info = _set_attr_info,
+                       .get_offset = _get_offset,
+               },
+               .vendor_id = PEN_IETF,
+               .type = IETF_ATTR_PA_TNC_ERROR,
+               .error_vendor_id = vendor_id,
+               .error_code = error_code,
+               .msg_info = chunk_clone(msg_info),
+               .ref = 1,
+       );
+
+       return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_with_offset(pen_t vendor_id,
+                                                                                                                u_int32_t error_code,
+                                                                                                                chunk_t msg_info,
+                                                                                                                u_int32_t error_offset)
+{
+       private_ietf_attr_pa_tnc_error_t *this;
+
+       /* the first 8 bytes of the erroneous PA-TNC message are sent back */
+       msg_info.len = PA_ERROR_MSG_INFO_SIZE;
+
+       INIT(this,
+               .public = {
+                       .pa_tnc_attribute = {
+                               .get_vendor_id = _get_vendor_id,
+                               .get_type = _get_type,
+                               .get_value = _get_value,
+                               .get_noskip_flag = _get_noskip_flag,
+                               .set_noskip_flag = _set_noskip_flag,
+                               .build = _build,
+                               .process = _process,
+                               .get_ref = _get_ref,
+                               .destroy = _destroy,
+                       },
+                       .get_vendor_id = _get_error_vendor_id,
+                       .get_error_code = _get_error_code,
+                       .get_msg_info = _get_msg_info,
+                       .get_attr_info = _get_attr_info,
+                       .set_attr_info = _set_attr_info,
+                       .get_offset = _get_offset,
                },
                .vendor_id = PEN_IETF,
                .type = IETF_ATTR_PA_TNC_ERROR,
                .error_vendor_id = vendor_id,
                .error_code = error_code,
                .msg_info = chunk_clone(msg_info),
+               .error_offset = error_offset,
                .ref = 1,
        );
 
@@ -356,6 +436,7 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_from_data(chunk_t data)
                        .get_msg_info = _get_msg_info,
                        .get_attr_info = _get_attr_info,
                        .set_attr_info = _set_attr_info,
+                       .get_offset = _get_offset,
                },
                .vendor_id = PEN_IETF,
                .type = IETF_ATTR_PA_TNC_ERROR,
index 7f0e0a9..945e06c 100644 (file)
@@ -88,6 +88,14 @@ struct ietf_attr_pa_tnc_error_t {
         * @param attr_info             PA-TNC message info
         */
        void (*set_attr_info)(ietf_attr_pa_tnc_error_t *this, chunk_t attr_info);
+
+       /**
+        * Get the PA-TNC error offset
+        *
+        * @return                              PA-TNC error offset
+        */
+       u_int32_t (*get_offset)(ietf_attr_pa_tnc_error_t *this);
+
 };
 
 /**
@@ -103,6 +111,20 @@ pa_tnc_attr_t* ietf_attr_pa_tnc_error_create(pen_t vendor_id,
                                                                                         chunk_t header);
 
 /**
+ * Creates an ietf_attr_pa_tnc_error_t object from an error code with offset
+ *
+ * @param vendor_id                    PA-TNC error code vendor ID
+ * @param error_code           PA-TNC error code
+ * @param header                       PA-TNC message header (first 8 bytes)
+ * @param error_offset         PA-TNC error offset in bytes
+ * 
+ */
+pa_tnc_attr_t* ietf_attr_pa_tnc_error_create_with_offset(pen_t vendor_id,
+                                                                                                                u_int32_t error_code,
+                                                                                                                chunk_t header,
+                                                                                                                u_int32_t error_offset);
+
+/**
  * Creates an ietf_attr_pa_tnc_error_t object from received data
  *
  * @param value                                unparsed attribute value
index 975aa46..c9b76dd 100644 (file)
@@ -137,7 +137,7 @@ METHOD(pa_tnc_attr_t, build, void,
 }
 
 METHOD(pa_tnc_attr_t, process, status_t,
-       private_ietf_attr_port_filter_t *this)
+       private_ietf_attr_port_filter_t *this, u_int32_t *offset)
 {
        bio_reader_t *reader;
        port_entry_t *entry;
@@ -145,6 +145,9 @@ METHOD(pa_tnc_attr_t, process, status_t,
 
        if (this->value.len % PORT_FILTER_ENTRY_SIZE)
        {
+               DBG1(DBG_TNC, "ietf port filter attribute value is not a multiple of %d",
+                        PORT_FILTER_ENTRY_SIZE);
+               *offset = 0;
                return FAILED;
        }
        reader = bio_reader_create(this->value);
index 69eb7b0..dae8e92 100644 (file)
@@ -99,7 +99,7 @@ METHOD(pa_tnc_attr_t, build, void,
 }
 
 METHOD(pa_tnc_attr_t, process, status_t,
-       private_ita_attr_command_t *this)
+       private_ita_attr_command_t *this, u_int32_t *offset)
 {
        this->command = malloc(this->value.len + 1);
        memcpy(this->command, this->value.ptr, this->value.len);
index 95a596c..45d83ae 100644 (file)
@@ -75,9 +75,10 @@ struct pa_tnc_attr_t {
        /**
         * Process the value of an PA-TNC attribute to extract its parameters
         *
+        * @param                                       relative error offset within attribute body
         * @return                                      result status
         */
-       status_t (*process)(pa_tnc_attr_t *this);
+       status_t (*process)(pa_tnc_attr_t *this, u_int32_t *offset);
 
        /**
         * Get a new reference to the PA-TNC attribute
index eb6c648..1b243c6 100644 (file)
@@ -173,7 +173,7 @@ METHOD(pa_tnc_msg_t, process, status_t,
        bio_reader_t *reader;
        pa_tnc_attr_t *error;
        u_int8_t version;
-       u_int32_t reserved;
+       u_int32_t reserved, offset, attr_offset;
 
        /* process message header */
        if (this->encoding.len < PA_TNC_HEADER_SIZE)
@@ -196,6 +196,9 @@ METHOD(pa_tnc_msg_t, process, status_t,
                goto err;
        }
        
+       /* offset of the first PA-TNC attribute in the PA-TNC message */
+       offset = PA_TNC_HEADER_SIZE;
+
        /* pre-process PA-TNC attributes */
        while (reader->remaining(reader) >= PA_TNC_ATTR_HEADER_SIZE)
        {
@@ -229,17 +232,18 @@ METHOD(pa_tnc_msg_t, process, status_t,
                {
                        DBG1(DBG_TNC, "%u bytes too small for PA-TNC attribute length",
                                                   length);
-                       error = ietf_attr_pa_tnc_error_create(PEN_IETF,
-                                               PA_ERROR_INVALID_PARAMETER, this->encoding);
+                       error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
+                                               PA_ERROR_INVALID_PARAMETER, this->encoding,
+                                               offset + PA_TNC_ATTR_INFO_SIZE);
                        goto err;
                }
-               length -= PA_TNC_ATTR_HEADER_SIZE;
 
-               if (!reader->read_data(reader, length , &value))
+               if (!reader->read_data(reader, length - PA_TNC_ATTR_HEADER_SIZE, &value))
                {
                        DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute value");
-                       error = ietf_attr_pa_tnc_error_create(PEN_IETF,
-                                               PA_ERROR_INVALID_PARAMETER, this->encoding);
+                       error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
+                                               PA_ERROR_INVALID_PARAMETER, this->encoding,
+                                               offset + PA_TNC_ATTR_INFO_SIZE);
                        goto err; 
                } 
                DBG3(DBG_TNC, "%B", &value);
@@ -259,17 +263,27 @@ METHOD(pa_tnc_msg_t, process, status_t,
                        else
                        {
                                DBG1(DBG_TNC, "skipping unsupported PA-TNC attribute");
+                               offset += length;
+                               continue;
                        }
                }
 
-               if (attr->process(attr) != SUCCESS)
+               if (attr->process(attr, &attr_offset) != SUCCESS)
                {
                        attr->destroy(attr);
-                       error = ietf_attr_pa_tnc_error_create(PEN_IETF,
-                                               PA_ERROR_INVALID_PARAMETER, this->encoding);
+                       if (vendor_id == PEN_IETF && type == IETF_ATTR_PA_TNC_ERROR)
+                       {
+                               /* error while processing a PA-TNC error attribute - abort */
+                               reader->destroy(reader);
+                               return FAILED;
+                       }
+                       error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
+                                               PA_ERROR_INVALID_PARAMETER, this->encoding,
+                                               offset + PA_TNC_ATTR_HEADER_SIZE + attr_offset);
                        goto err;
                }
                add_attribute(this, attr);
+               offset += length;
        }
 
        if (reader->remaining(reader) == 0)
@@ -277,6 +291,9 @@ METHOD(pa_tnc_msg_t, process, status_t,
                reader->destroy(reader);
                return SUCCESS;
        }
+       DBG1(DBG_TNC, "insufficient bytes for PA-TNC attribute header");
+       error = ietf_attr_pa_tnc_error_create_with_offset(PEN_IETF,
+                               PA_ERROR_INVALID_PARAMETER, this->encoding, offset);
 
 err:
        reader->destroy(reader);
index 6a5ba5e..ecf758b 100644 (file)
@@ -297,6 +297,7 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
                ietf_attr_pa_tnc_error_t *error_attr;
                pa_tnc_error_code_t error_code;
                chunk_t msg_info, attr_info;
+               u_int32_t offset;
 
                if (attr->get_vendor_id(attr) != PEN_IETF &&
                        attr->get_type(attr) != IETF_ATTR_PA_TNC_ERROR)
@@ -312,6 +313,10 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
 
                switch (error_code)
                {
+                       case PA_ERROR_INVALID_PARAMETER:
+                               offset = error_attr->get_offset(error_attr);
+                               DBG1(DBG_IMC, "  occurred at offset of %u bytes", offset);
+                               break;
                        case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
                                attr_info = error_attr->get_attr_info(error_attr);
                                DBG1(DBG_IMC, "  unsupported attribute %#B", &attr_info);
index 8cbfa90..06cc076 100644 (file)
@@ -219,6 +219,7 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
                        ietf_attr_pa_tnc_error_t *error_attr;
                        pa_tnc_error_code_t error_code;
                        chunk_t msg_info, attr_info;
+                       u_int32_t offset;
 
                        error_attr = (ietf_attr_pa_tnc_error_t*)attr;
                        error_code = error_attr->get_error_code(error_attr);
@@ -228,6 +229,10 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
                                 pa_tnc_error_code_names, error_code, &msg_info);
                        switch (error_code)
                        {
+                               case PA_ERROR_INVALID_PARAMETER:
+                                       offset = error_attr->get_offset(error_attr);
+                                       DBG1(DBG_IMC, "  occurred at offset of %u bytes", offset);
+                                       break;
                                case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
                                        attr_info = error_attr->get_attr_info(error_attr);
                                        DBG1(DBG_IMC, "  unsupported attribute %#B", &attr_info);
index f9d0616..5561e67 100644 (file)
@@ -228,6 +228,7 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
                        ietf_attr_pa_tnc_error_t *error_attr;
                        pa_tnc_error_code_t error_code;
                        chunk_t msg_info, attr_info;
+                       u_int32_t offset;
 
                        error_attr = (ietf_attr_pa_tnc_error_t*)attr;
                        error_code = error_attr->get_error_code(error_attr);
@@ -237,6 +238,10 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
 
                        switch (error_code)
                        {
+                               case PA_ERROR_INVALID_PARAMETER:
+                                       offset = error_attr->get_offset(error_attr);
+                                       DBG1(DBG_IMV, "  occurred at offset of %u bytes", offset);
+                                       break;
                                case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
                                        attr_info = error_attr->get_attr_info(error_attr);
                                        DBG1(DBG_IMV, "  unsupported attribute %#B", &attr_info);
index 22163ae..ecc5dd9 100644 (file)
@@ -174,6 +174,7 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
                        ietf_attr_pa_tnc_error_t *error_attr;
                        pa_tnc_error_code_t error_code;
                        chunk_t msg_info, attr_info;
+                       u_int32_t offset;
 
                        error_attr = (ietf_attr_pa_tnc_error_t*)attr;
                        error_code = error_attr->get_error_code(error_attr);
@@ -183,6 +184,10 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
                                 pa_tnc_error_code_names, error_code, &msg_info);
                        switch (error_code)
                        {
+                               case PA_ERROR_INVALID_PARAMETER:
+                                       offset = error_attr->get_offset(error_attr);
+                                       DBG1(DBG_IMV, "  occurred at offset of %u bytes", offset);
+                                       break;
                                case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
                                        attr_info = error_attr->get_attr_info(error_attr);
                                        DBG1(DBG_IMV, "  unsupported attribute %#B", &attr_info);