make TNC Access Requestor ID available to IMVs
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 3 Mar 2013 16:18:09 +0000 (17:18 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 3 Mar 2013 16:18:09 +0000 (17:18 +0100)
src/libimcv/imv/imv_agent.c
src/libimcv/imv/imv_agent.h
src/libimcv/plugins/imv_os/imv_os.c
src/libimcv/plugins/imv_os/imv_os_database.c
src/libimcv/plugins/imv_os/imv_os_database.h
src/libpts/plugins/imv_attestation/attest_db.c
src/libpts/plugins/imv_attestation/tables.sql
src/libstrongswan/utils/identification.c
src/libstrongswan/utils/identification.h

index 78e584d..2eec0ec 100644 (file)
@@ -73,6 +73,11 @@ struct private_imv_agent_t {
        rwlock_t *connection_lock;
 
        /**
+        * Access Requestor ID
+        */
+       identification_t *ar_id;
+
+       /**
         * Inform a TNCS about the set of message types the IMV is able to receive
         *
         * @param imv_id                        IMV ID assigned by TNCS
@@ -445,7 +450,6 @@ METHOD(imv_agent_t, create_state, TNC_Result,
                int tcg_id_type, tcg_subject_type, tcg_auth_type;
                chunk_t id_value;
                id_type_t ike_type;
-               identification_t *id;
 
                id_type = tnc_id->get_identity_type(tnc_id);
                id_value = tnc_id->get_identity_value(tnc_id);
@@ -468,12 +472,14 @@ METHOD(imv_agent_t, create_state, TNC_Result,
                                ike_type = ID_IPV6_ADDR;
                                break;
                        case TNC_ID_FQDN:
-                       case TNC_ID_USER_NAME:
                                ike_type = ID_FQDN;
                                break;
                        case TNC_ID_RFC822_ADDR:
                                ike_type = ID_RFC822_ADDR;
                                break;
+                       case TNC_ID_USER_NAME:
+                               ike_type = ID_USER_ID;
+                               break;
                        case TNC_ID_DER_ASN1_DN:
                                ike_type = ID_DER_ASN1_DN;
                                break;
@@ -486,11 +492,10 @@ METHOD(imv_agent_t, create_state, TNC_Result,
                                break;
                }
 
-               id = identification_create_from_encoding(ike_type, id_value);
-               DBG2(DBG_IMV, "%N identity '%Y' authenticated by %N",
-                                          TNC_Subject_names, tcg_subject_type, id,
-                                          TNC_Authentication_names, tcg_auth_type);
-               id->destroy(id);
+               this->ar_id = identification_create_from_encoding(ike_type, id_value);
+               DBG2(DBG_IMV, "  %N AR identity '%Y' authenticated by %N",
+                        TNC_Subject_names, tcg_subject_type, this->ar_id,
+                        TNC_Authentication_names, tcg_auth_type);
        }
        enumerator->destroy(enumerator);
 
@@ -593,6 +598,12 @@ METHOD(imv_agent_t, get_id, TNC_IMVID,
        return  this->id;
 }
 
+METHOD(imv_agent_t, get_ar_id, identification_t*,
+       private_imv_agent_t *this)
+{
+       return  this->ar_id;
+}
+
 METHOD(imv_agent_t, reserve_additional_ids, TNC_Result,
        private_imv_agent_t *this, int count)
 {
@@ -782,6 +793,7 @@ METHOD(imv_agent_t, destroy, void,
        private_imv_agent_t *this)
 {
        DBG1(DBG_IMV, "IMV %u \"%s\" terminated", this->id, this->name);
+       DESTROY_IF(this->ar_id);
        this->additional_ids->destroy(this->additional_ids);
        this->connections->destroy_offset(this->connections,
                                                                          offsetof(imv_state_t, destroy));
@@ -816,6 +828,7 @@ imv_agent_t *imv_agent_create(const char *name,
                        .get_state = _get_state,
                        .get_name = _get_name,
                        .get_id = _get_id,
+                       .get_ar_id = _get_ar_id,
                        .reserve_additional_ids = _reserve_additional_ids,
                        .count_additional_ids = _count_additional_ids,
                        .create_id_enumerator = _create_id_enumerator,
index 4d0716f..737caa1 100644 (file)
@@ -152,6 +152,13 @@ struct imv_agent_t {
        TNC_IMVID (*get_id)(imv_agent_t *this);
 
        /**
+        * Get Access Requestor ID
+        *
+        * return                                       Access Requestor ID
+        */
+       identification_t* (*get_ar_id)(imv_agent_t *this);
+
+       /**
         * Reserve additional IMV IDs from TNCS
         *
         * @param count                         number of additional IMV IDs to be assigned
index ecc6cfc..68b14ab 100644 (file)
@@ -390,7 +390,7 @@ static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
                device_id = os_state->get_device_id(os_state);
                if (os_db && device_id)
                {
-                       os_db->set_device_info(os_db, device_id,
+                       os_db->set_device_info(os_db, device_id, imv_os->get_ar_id(imv_os),
                                                os_state->get_info(os_state, NULL, NULL, NULL),
                                                count, count_update, count_blacklist, os_settings);
                }
index c6db995..730099a 100644 (file)
@@ -214,12 +214,14 @@ METHOD(imv_os_database_t, get_device_id, int,
 }
 
 METHOD(imv_os_database_t, set_device_info, void,
-       private_imv_os_database_t *this,  int device_id, char *os_info,
-       int count, int count_update, int count_blacklist, u_int flags)
+       private_imv_os_database_t *this,  int device_id, identification_t *ar_id,
+       char *os_info, int count, int count_update, int count_blacklist,
+       u_int flags)
 {
        enumerator_t *e;
        time_t last_time;
-       int pid = 0, last_pid = 0, last_count_update = 0, last_count_blacklist = 0;
+       int pid = 0, last_pid = 0, iid = 0, last_iid;
+       int last_count_update = 0, last_count_blacklist = 0;
        u_int last_flags;
        bool found = FALSE;
 
@@ -233,26 +235,47 @@ METHOD(imv_os_database_t, set_device_info, void,
                e->destroy(e);
        }
 
-       /* if OS ifo string has not been found - register it */
+       /* if OS info string has not been found - register it */
        if (!pid)
        {
                this->db->execute(this->db, &pid,
                        "INSERT INTO products (name) VALUES (?)", DB_TEXT, os_info);
        }
 
+       /* get primary key of AR identity if it exists */
+       e = this->db->query(this->db,
+                       "SELECT id FROM identities WHERE type = ? AND data = ?",
+                        DB_INT,  ar_id->get_type(ar_id),
+                        DB_BLOB, ar_id->get_encoding(ar_id), DB_INT);
+       if (e)
+       {
+               e->enumerate(e, &iid);
+               e->destroy(e);
+       }
+
+       /* if AR identity has not been found - register it */
+       if (!iid)
+       {
+               this->db->execute(this->db, &iid,
+                       "INSERT INTO identities (type, data) VALUES (?, ?)",
+                        DB_INT,  ar_id->get_type(ar_id),
+                        DB_BLOB, ar_id->get_encoding(ar_id));
+       }
+
        /* get latest device info record if it exists */
        e = this->db->query(this->db,
-                       "SELECT time, product, count_update, count_blacklist, flags "
+                       "SELECT time, ar_id, product, count_update, count_blacklist, flags "
                        "FROM device_infos WHERE device = ? ORDER BY time DESC",
-                        DB_INT, device_id, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT);
+                        DB_INT, device_id, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_UINT);
        if (e)
        {
-               found = e->enumerate(e, &last_time, &last_pid, &last_count_update,
-                                                               &last_count_blacklist, &last_flags);
+               found = e->enumerate(e, &last_time, &last_iid, &last_pid,
+                                                               &last_count_update, &last_count_blacklist,
+                                                               &last_flags);
                e->destroy(e);
        }
        if (found && !last_count_update && !last_count_blacklist && !last_flags &&
-               pid == last_pid)
+               iid == last_iid && pid == last_pid)
        {
                /* update device info */
                this->db->execute(this->db, NULL,
@@ -266,9 +289,10 @@ METHOD(imv_os_database_t, set_device_info, void,
        {
                /* insert device info */
                this->db->execute(this->db, NULL,
-                       "INSERT INTO device_infos (device, time, product, count, "
-                       "count_update, count_blacklist, flags) VALUES (?, ?, ?, ?, ?, ?, ?)",
-                        DB_INT, device_id, DB_UINT, time(NULL), DB_INT, pid,
+                       "INSERT INTO device_infos (device, time, ar_id, product, count, "
+                       "count_update, count_blacklist, flags) "
+                       "VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
+                        DB_INT, device_id, DB_UINT, time(NULL), DB_INT, iid, DB_INT, pid,
                         DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist,
                         DB_UINT, flags);
        }
index b5e1b65..790467f 100644 (file)
@@ -52,13 +52,15 @@ struct imv_os_database_t {
        * Set health infos for a given  device
        *
        * @param device_id                              Device ID primary key
+       * @param ar_id                                  Access Requestor ID
        * @param os_info                                OS info string
        * @param count                                  Number of installed packages
        * @param count_update                   Number of packages to be updated
        * @param count_blacklist                Number of blacklisted packages
        * @param flags                                  Various flags, e.g. illegal OS settings
        */
-       void (*set_device_info)(imv_os_database_t *this, int device_id, char *os_info,
+       void (*set_device_info)(imv_os_database_t *this, int device_id,
+                                                       identification_t *ar_id, char *os_info,
                                                        int count, int count_update, int count_blacklist,
                                                        u_int flags);
 
index 91e9766..5885e26 100644 (file)
@@ -804,26 +804,29 @@ METHOD(attest_db_t, list_components, void,
 METHOD(attest_db_t, list_devices, void,
        private_attest_db_t *this)
 {
-       enumerator_t *e;
-       chunk_t value;
+       enumerator_t *e, *e_ar;
+       chunk_t value, ar_data;
        char *product;
        time_t timestamp;
-       int id, last_id = 0, device_count = 0;
+       int id, last_id = 0, iid = 0, last_iid = 0, device_count = 0;
        int count, count_update, count_blacklist;
+       id_type_t ar_type;
+       identification_t *ar_id = NULL;
        u_int tstamp, flags = 0;
 
        e = this->db->query(this->db,
                        "SELECT d.id, d.value, i.time, i.count, i.count_update, "
-                       "i.count_blacklist, i.flags, p.name FROM devices AS d "
+                       "i.count_blacklist, i.flags, i.ar_id, p.name FROM devices AS d "
                        "JOIN device_infos AS i ON d.id = i.device "
                        "JOIN products AS p ON p.id = i.product "
                        "ORDER BY d.value, i.time DESC",
-                        DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, DB_TEXT);
+                        DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT,
+                        DB_INT, DB_TEXT);
 
        if (e)
        {
                while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update,
-                                                          &count_blacklist, &flags, &product))
+                                                          &count_blacklist, &flags, &iid, &product))
                {
                        if (id != last_id)
                        {
@@ -832,10 +835,35 @@ METHOD(attest_db_t, list_devices, void,
                                last_id = id;
                        }
                        timestamp = tstamp;
-                       printf("      %T, %4d, %3d, %3d, %1u, '%s'\n", &timestamp, this->utc,
+                       printf("      %T, %4d, %3d, %3d, %1u, '%s'", &timestamp, this->utc,
                                   count, count_update, count_blacklist, flags, product);
+                       if (iid)
+                       {
+                               if (iid != last_iid)
+                               {
+                                       DESTROY_IF(ar_id);
+                                       ar_id = NULL;
+
+                                       e_ar = this->db->query(this->db,
+                                                               "SELECT type, data FROM identities "
+                                                               "WHERE id = ?", DB_INT, iid, DB_INT, DB_BLOB);
+                                       if (e_ar->enumerate(e_ar, &ar_type, &ar_data))
+                                       {
+                                               ar_id = identification_create_from_encoding(ar_type,
+                                                                                                                                       ar_data);
+                                       }
+                                       e_ar->destroy(e_ar);
+                               }
+                               if (ar_id)
+                               {
+                                       printf(" %Y", ar_id);
+                               }
+                       }
+                       printf("\n");
                }
                e->destroy(e);
+               DESTROY_IF(ar_id);
+
                printf("%d device%s found\n", device_count,
                                                                         (device_count == 1) ? "" : "s");
        }
index 8a79ea7..0c038d3 100644 (file)
@@ -126,13 +126,21 @@ CREATE INDEX devices_value ON devices (
 
 DROP TABLE IF EXISTS device_infos;
 CREATE TABLE device_infos (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
   device INTEGER NOT NULL,
   time INTEGER NOT NULL,
+  ar_id INTEGER DEFAULT 0,
   product INTEGER DEFAULT 0,
   count INTEGER DEFAULT 0,
   count_update INTEGER DEFAULT 0,
   count_blacklist INTEGER DEFAULT 0,
-  flags INTEGER DEFAULT 0,
-  PRIMARY KEY (device, time)
+  flags INTEGER DEFAULT 0
 );
 
+DROP TABLE IF EXISTS identities;
+CREATE TABLE identities (
+  id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+  type INTEGER NOT NULL,
+  data BLOB NOT NULL,
+  UNIQUE (type, data)
+);
index 2669c2d..4176320 100644 (file)
@@ -49,10 +49,10 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
        "ID_DER_ASN1_DN",
        "ID_DER_ASN1_GN",
        "ID_KEY_ID");
-ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID,
+ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_USER_ID, ID_KEY_ID,
        "ID_DER_ASN1_GN_URI",
-       "ID_MYID");
-ENUM_END(id_type_names, ID_MYID);
+       "ID_USER_ID");
+ENUM_END(id_type_names, ID_USER_ID);
 
 /**
  * coding of X.501 distinguished name
@@ -790,6 +790,7 @@ int identification_printf_hook(printf_hook_data_t *data,
                case ID_FQDN:
                case ID_RFC822_ADDR:
                case ID_DER_ASN1_GN_URI:
+               case ID_USER_ID:
                        chunk_printable(this->encoded, &proper, '?');
                        snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr);
                        chunk_free(&proper);
@@ -812,9 +813,6 @@ int identification_printf_hook(printf_hook_data_t *data,
                                snprintf(buf, sizeof(buf), "%#B", &this->encoded);
                        }
                        break;
-               case ID_MYID:
-                       snprintf(buf, sizeof(buf), "%%myid");
-                       break;
                default:
                        snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
                        break;
@@ -873,6 +871,7 @@ static private_identification_t *identification_create(id_type_t type)
                        break;
                case ID_FQDN:
                case ID_RFC822_ADDR:
+               case ID_USER_ID:
                        this->public.matches = _matches_string;
                        this->public.equals = _equals_strcasecmp;
                        this->public.contains_wildcards = _contains_wildcards_memchr;
@@ -1023,9 +1022,16 @@ identification_t * identification_create_from_data(chunk_t data)
 {
        char buf[data.len + 1];
 
-       /* use string constructor */
-       snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr);
-       return identification_create_from_string(buf);
+       if (is_asn1(data))
+       {
+               return identification_create_from_encoding(ID_DER_ASN1_DN, data);
+       }
+       else
+       {
+               /* use string constructor */
+               snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr);
+               return identification_create_from_string(buf);
+       }
 }
 
 /*
index cdf2291..00d7407 100644 (file)
@@ -126,14 +126,14 @@ enum id_type_t {
        ID_KEY_ID = 11,
 
        /**
-        * private type which represents a GeneralName of type URI
+        * Private ID type which represents a GeneralName of type URI
         */
        ID_DER_ASN1_GN_URI = 201,
 
        /**
-        * Private ID used by the pluto daemon for opportunistic encryption
+        * Private ID type which represents a user ID
         */
-       ID_MYID = 203,
+       ID_USER_ID = 202
 };
 
 /**