Added reason string support to HCD IMV
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 17 Aug 2015 15:37:52 +0000 (17:37 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 18 Aug 2015 19:25:39 +0000 (21:25 +0200)
src/libimcv/plugins/imv_hcd/imv_hcd_agent.c
src/libimcv/plugins/imv_hcd/imv_hcd_state.c
testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat

index 8cfa4d1..e15eeb1 100644 (file)
@@ -591,11 +591,51 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
        private_imv_hcd_agent_t *this, TNC_ConnectionID id)
 {
        imv_state_t *state;
+       imv_hcd_state_t* hcd_state;
+       imv_hcd_handshake_state_t handshake_state;
+       enum_name_t *pa_subtype_names;
+       bool missing = FALSE;
+       uint32_t received;
+       int i;
 
        if (!this->agent->get_state(this->agent, id, &state))
        {
                return TNC_RESULT_FATAL;
        }
+       hcd_state = (imv_hcd_state_t*)state;
+       handshake_state = hcd_state->get_handshake_state(hcd_state);
+
+       if (handshake_state == IMV_HCD_STATE_ATTR_REQ)
+       {
+               pa_subtype_names = get_pa_subtype_names(PEN_PWG);
+
+               for (i = 1; i < countof(msg_types); i++)
+               {
+                       hcd_state->set_subtype(hcd_state, msg_types[i].type);
+                       received = state->get_action_flags(state);
+                       if ((received & IMV_HCD_ATTR_MUST) != IMV_HCD_ATTR_MUST)
+                       {
+                               DBG1(DBG_IMV, "missing attributes for PA subtype %N/%N",
+                                        pen_names, PEN_PWG, pa_subtype_names, msg_types[i].type);
+                               missing = TRUE;
+                       }
+               }
+
+               if (missing)
+               {
+                       state->set_recommendation(state,
+                                                       TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS ,
+                                                       TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
+               }
+               else
+               {
+                       state->set_recommendation(state,
+                                                       TNC_IMV_ACTION_RECOMMENDATION_ALLOW ,
+                                                       TNC_IMV_EVALUATION_RESULT_COMPLIANT);
+               }
+       }
+       hcd_state->set_handshake_state(hcd_state, IMV_HCD_STATE_END);
+
        return this->agent->provide_recommendation(this->agent, state);
 }
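Review bot: The new loop in solicit_recommendation starts at `i = 1`, so `msg_types[0]` is never checked for its mandatory attributes; if that is deliberate (a subtype that has no MUST attributes, presumably), a one-line comment such as `/* msg_types[0] carries no mandatory attributes, start at 1 */` would stop the next reader from "fixing" it, and if not, the index should start at 0. The loop also leaves the state's subtype set to the last entry of msg_types when it exits, which looks harmless here because the handshake state is moved to IMV_HCD_STATE_END right after, but is worth a note if get_action_flags() is keyed by the current subtype as the code implies. Two style points in the same hunk: `imv_hcd_state_t* hcd_state;` binds the star to the type while the surrounding code (`imv_state_t *state;`) binds it to the name, and both set_recommendation calls carry a stray space before the comma (`TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS ,` and `TNC_IMV_ACTION_RECOMMENDATION_ALLOW ,`).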
 
index 48614a6..bfe6dd6 100644 (file)
@@ -14,6 +14,8 @@
  */
 
 #include "imv_hcd_state.h"
+#include "imv/imv_lang_string.h"
+#include "imv/imv_reason_string.h"
 
 #include <tncif_policy.h>
 
@@ -97,6 +99,27 @@ struct private_imv_hcd_state_t {
         */
        imv_hcd_handshake_state_t handshake_state;
 
+       /**
+        * TNC Reason String
+        */
+       imv_reason_string_t *reason_string;
+
+};
+
+/**
+ * Supported languages
+ */
+static char* languages[] = { "en", "de", "fr", "pl" };
+
+/**
+ * Reason strings for "Port Filter"
+ */
+static imv_lang_string_t reasons[] = {
+       { "en", "Mandatory HCD attributes are missing" },
+       { "de", "Obligatorische HCD Attribute fehlen" },
+       { "fr", "Il manque des attributes HCD obligatoires" },
+       { "pl", "Brakuje atrybutów obowiązkowych" },
+       { NULL, NULL }
 };
 
 METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
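Review bot: The doc comment on the new `reasons` table reads `Reason strings for "Port Filter"`, which looks copied from another IMV; the strings describe missing mandatory HCD attributes, so it should say `/** Reason strings for missing mandatory HCD attributes */`. The French entry also misspells "attributs" as "attributes" (`"Il manque des attributs HCD obligatoires"`), and the Polish entry is the only one that omits "HCD", which makes it harder to attribute the reason to this IMV in a mixed-IMV log. Minor style: `static char* languages[]` should be `static char *languages[]` to match the pointer style used elsewhere in this file (`imv_reason_string_t *reason_string;`).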
@@ -200,7 +223,20 @@ METHOD(imv_state_t, get_reason_string, bool,
        private_imv_hcd_state_t *this, enumerator_t *language_enumerator,
        chunk_t *reason_string, char **reason_language)
 {
-       return FALSE;
+       if (this->rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+       {
+               return FALSE;
+       }
+       *reason_language = imv_lang_string_select_lang(language_enumerator,
+                                                                                         languages, countof(languages));
+
+       /* Instantiate a TNC Reason String object */
+       DESTROY_IF(this->reason_string);
+       this->reason_string = imv_reason_string_create(*reason_language, "\n");
+       this->reason_string->add_reason(this->reason_string, reasons);
+       *reason_string = this->reason_string->get_encoding(this->reason_string);
+
+       return TRUE;
 }
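Review bot: get_reason_string now returns TRUE with the "Mandatory HCD attributes are missing" reason for every recommendation other than NO_RECOMMENDATION, so a state whose recommendation is ALLOW/COMPLIANT (the else branch added in imv_hcd_agent.c in this same commit) would also hand out that reason if asked. I believe the caller in imv_agent only requests a reason string when the recommendation is not ALLOW, so this is likely unreachable today, but the state method should not rely on that: `if (this->rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION || this->rec == TNC_IMV_ACTION_RECOMMENDATION_ALLOW)` keeps the contract self-contained. The TNC reason string is then only ever emitted for a non-compliant peer, which is what the log check in evaltest.dat asserts.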
 
 METHOD(imv_state_t, get_remediation_instructions, bool,
@@ -214,6 +250,7 @@ METHOD(imv_state_t, destroy, void,
        private_imv_hcd_state_t *this)
 {
        DESTROY_IF(this->session);
+       DESTROY_IF(this->reason_string);
        this->contracts->destroy(this->contracts);
        free(this);
 }
index ad23ee1..1293e98 100644 (file)
@@ -1,16 +1,19 @@
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
-dave:: cat /var/log/daemon.log::PB-TNC assessment result is.*don.*t know::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Denied::YES
-dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
-carol:: cat /var/log/daemon.log::PB-TNC assessment result is.*don.*t know::YES
+carol:: cat /var/log/daemon.log::PB-TNC assessment result is.*non-compliant major::YES
 carol:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Denied::YES
+carol:: cat /var/log/daemon.log::reason string is.*Mandatory HCD attributes are missing::YES
 carol:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
+dave:: cat /var/log/daemon.log::PB-TNC assessment result is.*non-compliant major::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Denied::YES
+dave:: cat /var/log/daemon.log::reason string is.*Mandatory HCD attributes are missing::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by certificate::YES
 alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by certificate::YES
-alice::cat /var/log/daemon.log::policy enforced on peer.*dave@strongswan.org.*is.*no access::YES
 alice::cat /var/log/daemon.log::policy enforced on peer.*carol@strongswan.org.*is.*no access::YES
+alice::cat /var/log/daemon.log::policy enforced on peer.*dave@strongswan.org.*is.*no access::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
+
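Review bot: While the carol/dave blocks are being reordered, note that the two moon lines at the end of the file are identical (`RADIUS authentication of.*dave@strongswan.org.*failed` twice) and there is no corresponding assertion for carol; this looks like a copy-paste slip, and the second line would presumably be meant to check `carol@strongswan.org`. It is pre-existing, but since carol is now also expected to be rejected as non-compliant, this is the moment to make the moon expectations cover both peers.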