nearly completed PA-TNC error handling
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 5 Jun 2011 21:24:48 +0000 (23:24 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 5 Jun 2011 21:24:48 +0000 (23:24 +0200)
src/libimcv/ietf/ietf_attr_pa_tnc_error.c
src/libimcv/ietf/ietf_attr_pa_tnc_error.h
src/libimcv/imc/imc_agent.c
src/libimcv/imc/imc_agent.h
src/libimcv/imv/imv_agent.c
src/libimcv/imv/imv_agent.h
src/libimcv/pa_tnc/pa_tnc_msg.c
src/libimcv/pa_tnc/pa_tnc_msg.h
src/libimcv/plugins/imc_test/imc_test.c
src/libimcv/plugins/imv_test/imv_test.c

index 5d0f9a2..9702f41 100644 (file)
@@ -14,7 +14,9 @@
 
 #include "ietf_attr_pa_tnc_error.h"
 
+#include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
 #include <debug.h>
 
 ENUM(pa_tnc_error_code_names, PA_ERROR_RESERVED,
@@ -42,8 +44,48 @@ typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t
  *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  */
 
-#define IETF_ATTR_PA_TNC_ERROR_HEADER_SIZE     12
-#define IETF_ATTR_PA_TNC_ERROR_RESERVED                0x00
+#define PA_ERROR_HEADER_SIZE           8
+#define PA_ERROR_RESERVED                      0x00
+
+/**
+ * All Error Types return the first 8 bytes of the erroneous PA-TNC message
+ *
+ *                        1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |    Version    |            Copy of Reserved                   |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                       Message Identifier                      |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define PA_ERROR_MSG_INFO_SIZE         8
+
+/**
+ * "Version Not Supported" Error Code
+ *
+ *                        1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |  Max Version  |  Min Version  |            Reserved           |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+       
+#define PA_ERROR_VERSION_RESERVED      0x0000
+
+/**
+ * "Attribute Type Not Supported" Error Code
+ *
+ *                        1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |     Flags     |          PA-TNC Attribute Vendor ID           |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                     PA-TNC Attribute Type                     |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define PA_ERROR_ATTR_INFO_SIZE                8
 
 /**
  * Private data of an ietf_attr_pa_tnc_error_t object.
@@ -86,9 +128,14 @@ struct private_ietf_attr_pa_tnc_error_t {
        u_int32_t error_code;
 
        /**
-        * PA-TNC message header
+        * First 8 bytes of erroneous PA-TNC message
         */
-       chunk_t header;
+       chunk_t msg_info;
+
+       /**
+        * First 8 bytes of unsupported PA-TNC attribute
+        */
+       chunk_t attr_info;
 
        /**
         * Reference count
@@ -131,11 +178,28 @@ METHOD(pa_tnc_attr_t, build, void,
 {
        bio_writer_t *writer;
 
-       writer = bio_writer_create(IETF_ATTR_PA_TNC_ERROR_HEADER_SIZE);
-       writer->write_uint8 (writer, IETF_ATTR_PA_TNC_ERROR_RESERVED);
+       writer = bio_writer_create(PA_ERROR_HEADER_SIZE + PA_ERROR_MSG_INFO_SIZE);
+       writer->write_uint8 (writer, PA_ERROR_RESERVED);
        writer->write_uint24(writer, this->error_vendor_id);
        writer->write_uint32(writer, this->error_code);
-       writer->write_data  (writer, this->header);
+       writer->write_data  (writer, this->msg_info);
+       
+       switch (this->error_code)
+       {
+               case PA_ERROR_INVALID_PARAMETER:
+                       break;
+               case PA_ERROR_VERSION_NOT_SUPPORTED:
+                       writer->write_uint8 (writer, PA_TNC_VERSION);
+                       writer->write_uint8 (writer, PA_TNC_VERSION);
+                       writer->write_uint16(writer, PA_ERROR_VERSION_RESERVED);
+                       break;
+               case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
+                       writer->write_data(writer, this->attr_info);
+                       break;
+               default:
+                       break;
+       }
+
        this->value = chunk_clone(writer->get_buf(writer));
        writer->destroy(writer);
 }
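Review bot: In the PA_ERROR_ATTR_TYPE_NOT_SUPPORTED case build() writes this->attr_info unconditionally, but attr_info is only ever filled by set_attr_info(), so an error attribute created without it encodes an empty trailer that the peer's process() rejects with "insufficient data"; add a guard such as `if (this->attr_info.len != PA_ERROR_ATTR_INFO_SIZE) { DBG1(DBG_TNC, "attribute info missing in PA-TNC error"); }` or document the precondition on set_attr_info. The two consecutive PA_TNC_VERSION writes are the max and min supported version fields of the diagram above; a comment `/* max and min supported version: only PA_TNC_VERSION */` would make that explicit. Note also that build() assigns this->value without freeing a previous value, which leaks if build() is ever called twice on the same attribute; that is harmless if callers build once, which I cannot confirm from this diff.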
@@ -143,6 +207,38 @@ METHOD(pa_tnc_attr_t, build, void,
 METHOD(pa_tnc_attr_t, process, status_t,
        private_ietf_attr_pa_tnc_error_t *this)
 {
+       bio_reader_t *reader;
+       u_int8_t reserved;
+
+       if (this->value.len < PA_ERROR_HEADER_SIZE + PA_ERROR_MSG_INFO_SIZE)
+       {
+               return FAILED;
+       }
+       reader = bio_reader_create(this->value);
+       reader->read_uint8 (reader, &reserved);
+       reader->read_uint24(reader, &this->error_vendor_id);
+       reader->read_uint32(reader, &this->error_code);
+       reader->read_data  (reader, PA_ERROR_MSG_INFO_SIZE, &this->msg_info);
+       this->msg_info = chunk_clone(this->msg_info);
+
+       switch (this->error_code)
+       {
+               case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
+                       if (!reader->read_data(reader, PA_ERROR_ATTR_INFO_SIZE,
+                                                                                  &this->attr_info))
+                       {
+                               reader->destroy(reader);
+                               DBG1(DBG_TNC, "insufficient data for unsupported attribute "
+                                                         "information");
+                               return FAILED;
+                       }
+                       this->attr_info = chunk_clone(this->attr_info);
+                       break;
+               default:
+                       break;
+       }
+       reader->destroy(reader);
+
        return SUCCESS; 
 }
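Review bot: The switch on this->error_code at the end of process() ignores this->error_vendor_id, so a vendor-specific error code that happens to equal PA_ERROR_ATTR_TYPE_NOT_SUPPORTED numerically is parsed as if it carried an IETF attribute-info trailer; the IETF trailer layouts only apply when the error vendor is IETF, so guard it with `if (this->error_vendor_id == PEN_IETF)` before the switch. The PA_ERROR_VERSION_NOT_SUPPORTED trailer that build() emits (max/min version) is not read here, so those values are silently dropped; if that is intended for now, a comment such as `/* max/min version of VERSION_NOT_SUPPORTED not evaluated yet */` in the default branch would record it. The `reserved` byte is read and discarded, which matches the usual "ignore on receipt" rule, but a one-line comment saying so avoids a later reviewer adding a reject.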
 
@@ -158,7 +254,9 @@ METHOD(pa_tnc_attr_t, destroy, void,
 {
        if (ref_put(&this->ref))
        {
-               free(this->header.ptr);
+               free(this->value.ptr);
+               free(this->msg_info.ptr);
+               free(this->attr_info.ptr);
                free(this);
        }
 }
@@ -175,16 +273,35 @@ METHOD(ietf_attr_pa_tnc_error_t, get_error_code, u_int32_t,
        return this->error_code;
 }
 
+METHOD(ietf_attr_pa_tnc_error_t, get_msg_info, chunk_t,
+       private_ietf_attr_pa_tnc_error_t *this)
+{
+       return this->msg_info;
+}
+
+METHOD(ietf_attr_pa_tnc_error_t, get_attr_info, chunk_t,
+       private_ietf_attr_pa_tnc_error_t *this)
+{
+       return this->attr_info;
+}
+
+METHOD(ietf_attr_pa_tnc_error_t, set_attr_info, void,
+       private_ietf_attr_pa_tnc_error_t *this, chunk_t attr_info)
+{
+       this->attr_info = chunk_clone(attr_info);
+}
+
 /**
  * Described in header.
  */
 pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_t vendor_id,
                                                                                         u_int32_t error_code,
-                                                                                        chunk_t header)
+                                                                                        chunk_t msg_info)
 {
        private_ietf_attr_pa_tnc_error_t *this;
 
-       header.len = 8;
+       /* the first 8 bytes of the erroneous PA-TNC message are sent back */
+       msg_info.len = PA_ERROR_MSG_INFO_SIZE;
 
        INIT(this,
                .public = {
@@ -201,12 +318,15 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_t vendor_id,
                        },
                        .get_vendor_id = _get_error_vendor_id,
                        .get_error_code = _get_error_code,
+                       .get_msg_info = _get_msg_info,
+                       .get_attr_info = _get_attr_info,
+                       .set_attr_info = _set_attr_info,
                },
                .vendor_id = PEN_IETF,
                .type = IETF_ATTR_PA_TNC_ERROR,
                .error_vendor_id = vendor_id,
                .error_code = error_code,
-               .header = chunk_clone(header),
+               .msg_info = chunk_clone(msg_info),
                .ref = 1,
        );
 
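Review bot: set_attr_info() overwrites this->attr_info with a fresh clone without freeing the previous one and without constraining the length the way create() does for msg_info, so a second call leaks and a longer chunk goes on the wire as an oversized trailer; it should free the old clone first and require PA_ERROR_ATTR_INFO_SIZE bytes, e.g. `free(this->attr_info.ptr); attr_info.len = PA_ERROR_ATTR_INFO_SIZE; this->attr_info = chunk_clone(attr_info);`, with the same caller precondition as create(). In create(), `msg_info.len = PA_ERROR_MSG_INFO_SIZE` silently lengthens a chunk shorter than eight bytes and chunk_clone then reads past its end; the pa_tnc_msg caller passes this->encoding, whose length check precedes the hunks shown here and I cannot see it, so an explicit `if (msg_info.len < PA_ERROR_MSG_INFO_SIZE)` guard or a documented precondition would be prudent. The getters return the stored chunks rather than copies, which is fine but should be stated in the header.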
@@ -233,6 +353,9 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_from_data(chunk_t data)
                        },
                        .get_vendor_id = _get_error_vendor_id,
                        .get_error_code = _get_error_code,
+                       .get_msg_info = _get_msg_info,
+                       .get_attr_info = _get_attr_info,
+                       .set_attr_info = _set_attr_info,
                },
                .vendor_id = PEN_IETF,
                .type = IETF_ATTR_PA_TNC_ERROR,
index d664163..7f0e0a9 100644 (file)
@@ -22,6 +22,7 @@
 #define IETF_ATTR_PA_TNC_ERROR_H_
 
 typedef struct ietf_attr_pa_tnc_error_t ietf_attr_pa_tnc_error_t;
+typedef enum pa_tnc_error_code_t pa_tnc_error_code_t;
 
 #include "ietf_attr.h"
 #include "pa_tnc/pa_tnc_attr.h"
@@ -65,7 +66,28 @@ struct ietf_attr_pa_tnc_error_t {
         *
         * @return                              error code
         */
-       pen_t (*get_error_code)(ietf_attr_pa_tnc_error_t *this);
+       pa_tnc_error_code_t (*get_error_code)(ietf_attr_pa_tnc_error_t *this);
+
+       /**
+        * Get first 8 bytes of erroneous PA-TNC message
+        *
+        * @return                              PA-TNC message info
+        */
+       chunk_t (*get_msg_info)(ietf_attr_pa_tnc_error_t *this);
+
+       /**
+        * Get first 8 bytes of unsupported PA-TNC attribute
+        *
+        * @return                              PA-TNC attribute info
+        */
+       chunk_t (*get_attr_info)(ietf_attr_pa_tnc_error_t *this);
+
+       /**
+        * Set first 8 bytes of unsupported PA-TNC attribute
+        *
+        * @param attr_info             PA-TNC message info
+        */
+       void (*set_attr_info)(ietf_attr_pa_tnc_error_t *this, chunk_t attr_info);
 };
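Review bot: The @param line of set_attr_info says "PA-TNC message info" but the argument is the first 8 bytes of the unsupported attribute; it should read `@param attr_info  first 8 bytes of the unsupported PA-TNC attribute`. The two getters should also state ownership, since the implementation returns the stored chunk rather than a clone while set_attr_info copies its argument: something like `@return  PA-TNC attribute info, owned by this object (do not free)` on each getter prevents a caller from freeing or holding the pointer past the attribute's lifetime. A sentence on set_attr_info noting that the chunk is expected to be exactly 8 bytes, matching the length create() enforces for msg_info, would complete the contract.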
 
 /**
index 68799c8..17c656d 100644 (file)
@@ -271,6 +271,61 @@ METHOD(imc_agent_t, send_message, TNC_Result,
                                                          this->type);
 }
 
+METHOD(imc_agent_t, receive_message, TNC_Result,
+       private_imc_agent_t *this, TNC_ConnectionID connection_id, chunk_t msg,
+       TNC_MessageType msg_type, pa_tnc_msg_t **pa_tnc_msg)
+{
+       pa_tnc_msg_t *pa_msg, *error_msg;
+       pa_tnc_attr_t *error_attr;
+       enumerator_t *enumerator;
+       TNC_Result result;
+
+       DBG2(DBG_IMV, "IMC %u \"%s\" received message type 0x%08x for Connection ID %u",
+                                  this->id, this->name, msg_type, connection_id);
+
+       *pa_tnc_msg = NULL;
+       pa_msg = pa_tnc_msg_create_from_data(msg);
+
+       switch (pa_msg->process(pa_msg))
+       {
+               case SUCCESS:
+                       *pa_tnc_msg = pa_msg;
+                       break;
+               case VERIFY_ERROR:
+                       if (!this->send_message)
+                       {
+                               /* TNCC doen't have a SendMessage() function */
+                               return TNC_RESULT_FATAL;
+                       }
+
+                       /* build error message */
+                       error_msg = pa_tnc_msg_create();
+                       enumerator = pa_msg->create_error_enumerator(pa_msg);
+                       while (enumerator->enumerate(enumerator, &error_attr))
+                       {
+                               error_msg->add_attribute(error_msg,
+                                                                                error_attr->get_ref(error_attr));
+                       }
+                       enumerator->destroy(enumerator);
+                       error_msg->build(error_msg);
+
+                       /* send error message */
+                       msg = error_msg->get_encoding(error_msg);
+                       result = this->send_message(this->id, connection_id,
+                                                                               msg.ptr, msg.len, msg_type);
+
+                       /* clean up */
+                       error_msg->destroy(error_msg);
+                       pa_msg->destroy(pa_msg);
+                       return result;
+               case FAILED:
+               default:
+                       pa_msg->destroy(pa_msg);
+                       return TNC_RESULT_FATAL;
+       }
+       return TNC_RESULT_SUCCESS;
+}
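Review bot: The early return at `if (!this->send_message)` leaks pa_msg, which was created a few lines above and is destroyed on every other exit of the switch; it should read `pa_msg->destroy(pa_msg); return TNC_RESULT_FATAL;`. The DBG2 call at the top of the function logs under DBG_IMV although this is the IMC agent (the IMV counterpart and the code removed from imc_test.c use the matching group), so it should be `DBG2(DBG_IMC, ...)`. The comment above that return also has a typo, `doen't`. On the VERIFY_ERROR path the reply is sent with the received msg_type, which is correct for the IMC/IMV pair but deserves a comment because it is not obvious that the type is symmetric.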
+
 METHOD(imc_agent_t, destroy, void,
        private_imc_agent_t *this)
 {
@@ -306,6 +361,7 @@ imc_agent_t *imc_agent_create(const char *name,
                        .change_state = _change_state,
                        .get_state = _get_state,
                        .send_message = _send_message,
+                       .receive_message = _receive_message,
                        .destroy = _destroy,
                },
                .name = name,
index 7c7ef73..f9d16fa 100644 (file)
@@ -22,6 +22,7 @@
 #define IMC_AGENT_H_
 
 #include "imc_state.h"
+#include "pa_tnc/pa_tnc_msg.h"
 
 #include <tncifimc.h>
 #include <pen/pen.h>
@@ -95,7 +96,7 @@ struct imc_agent_t {
                                          TNC_ConnectionID connection_id, imc_state_t **state);
 
        /**
-        * Call when an IMC-IMV message is to be sent
+        * Call when an PA-TNC message is to be sent
         *
         * @param connection_id         network connection ID assigned by TNCC
         * @param msg                           message to send
@@ -106,6 +107,20 @@ struct imc_agent_t {
                                                           chunk_t msg);
 
        /**
+        * Call when a PA-TNC message was received
+        *
+        * @param connection_id         network connection ID assigned by TNCC
+        * @param msg                           received unparsed message
+        * @param msg_type                      message type of the received message
+        * @param pa_tnc_message        parsed PA-TNC message or NULL if an error occurred
+        * @return                                      TNC result code
+        */
+       TNC_Result (*receive_message)(imc_agent_t *this,
+                                                                 TNC_ConnectionID connection_id, chunk_t msg,
+                                                                 TNC_MessageType msg_type,
+                                                                 pa_tnc_msg_t **pa_tnc_msg);
+
+       /**
         * Destroys an imc_agent_t object
         */
        void (*destroy)(imc_agent_t *this);
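Review bot: The @param tag `pa_tnc_message` does not match the parameter name `pa_tnc_msg` in the prototype, so Doxygen will flag it; rename the tag to `@param pa_tnc_msg`. The comment should also say who owns the parsed message, since the IMC test plugin destroys it after use: `@param pa_tnc_msg  parsed PA-TNC message (caller must destroy) or NULL if an error occurred`. It would help to state that on a verification error an IETF PA-TNC error message has already been sent back and the return value is that SendMessage() result, which is what the implementation does.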
index cca3ed4..72b0d43 100644 (file)
@@ -319,6 +319,63 @@ METHOD(imv_agent_t, set_recommendation, TNC_Result,
        return this->provide_recommendation(this->id, connection_id, rec, eval);
 }
 
+METHOD(imv_agent_t, receive_message, TNC_Result,
+       private_imv_agent_t *this, TNC_ConnectionID connection_id, chunk_t msg,
+       TNC_MessageType msg_type, pa_tnc_msg_t **pa_tnc_msg)
+{
+       pa_tnc_msg_t *pa_msg, *error_msg;
+       pa_tnc_attr_t *error_attr;
+       enumerator_t *enumerator;
+       TNC_Result result;
+
+       DBG2(DBG_IMV, "IMV %u \"%s\" received message type 0x%08x for Connection ID %u",
+                                  this->id, this->name, msg_type, connection_id);
+
+       *pa_tnc_msg = NULL;
+       pa_msg = pa_tnc_msg_create_from_data(msg);
+
+       switch (pa_msg->process(pa_msg))
+       {
+               case SUCCESS:
+                       *pa_tnc_msg = pa_msg;
+                       break;
+               case VERIFY_ERROR:
+                       if (!this->send_message)
+                       {
+                               /* TNCS doen't have a SendMessage() function */
+                               return TNC_RESULT_FATAL;
+                       }
+
+                       /* build error message */
+                       error_msg = pa_tnc_msg_create();
+                       enumerator = pa_msg->create_error_enumerator(pa_msg);
+                       while (enumerator->enumerate(enumerator, &error_attr))
+                       {
+                               error_msg->add_attribute(error_msg,
+                                                                                error_attr->get_ref(error_attr));
+                       }
+                       enumerator->destroy(enumerator);
+                       error_msg->build(error_msg);
+
+                       /* send error message */
+                       msg = error_msg->get_encoding(error_msg);
+                       result = this->send_message(this->id, connection_id,
+                                                                               msg.ptr, msg.len, msg_type);
+
+                       /* clean up */
+                       error_msg->destroy(error_msg);
+                       pa_msg->destroy(pa_msg);
+                       return result;
+               case FAILED:
+               default:
+                       pa_msg->destroy(pa_msg);
+                       return set_recommendation(this, connection_id,
+                                                       TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+                                                       TNC_IMV_EVALUATION_RESULT_ERROR);
+       }
+       return TNC_RESULT_SUCCESS;
+}
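Review bot: The early return at `if (!this->send_message)` leaks pa_msg, which was created just above and is destroyed on every other exit of the switch; it should read `pa_msg->destroy(pa_msg); return TNC_RESULT_FATAL;`, and the same fix applies to the IMC counterpart in this commit. The comment above it has the typo `doen't`. On the VERIFY_ERROR path the IMV sends an error message but, unlike the FAILED path, sets no recommendation; whether the TNCS needs one after this ReceiveMessage() is outside the diff, so a comment stating that the recommendation is deliberately left to the IMV would remove the ambiguity.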
+
 METHOD(imv_agent_t, provide_recommendation, TNC_Result,
        private_imv_agent_t *this, TNC_ConnectionID connection_id)
 {
@@ -373,6 +430,7 @@ imv_agent_t *imv_agent_create(const char *name,
                        .change_state = _change_state,
                        .get_state = _get_state,
                        .send_message = _send_message,
+                       .receive_message = _receive_message,
                        .set_recommendation = _set_recommendation,
                        .provide_recommendation = _provide_recommendation,
                        .destroy = _destroy,
index d0816b3..00e9c9d 100644 (file)
@@ -22,6 +22,7 @@
 #define IMV_AGENT_H_
 
 #include "imv_state.h"
+#include "pa_tnc/pa_tnc_msg.h"
 
 #include <tncifimv.h>
 #include <pen/pen.h>
@@ -131,7 +132,7 @@ struct imv_agent_t {
                                          TNC_ConnectionID connection_id, imv_state_t **state);
 
        /**
-        * Call when an IMV-IMC message is to be sent
+        * Call when a PA-TNC message is to be sent
         *
         * @param connection_id         network connection ID assigned by TNCS
         * @param msg                           message to send
@@ -141,6 +142,20 @@ struct imv_agent_t {
                                                           TNC_ConnectionID connection_id, chunk_t msg);
 
        /**
+        * Call when a PA-TNC message was received
+        *
+        * @param connection_id         network connection ID assigned by TNCS
+        * @param msg                           received unparsed message
+        * @param msg_type                      message type of the received message
+        * @param pa_tnc_message        parsed PA-TNC message or NULL if an error occurred
+        * @return                                      TNC result code
+        */
+       TNC_Result (*receive_message)(imv_agent_t *this,
+                                                                 TNC_ConnectionID connection_id, chunk_t msg,
+                                                                 TNC_MessageType msg_type,
+                                                                 pa_tnc_msg_t **pa_tnc_msg);
+
+       /**
         * Set Action Recommendation and Evaluation Result in the IMV state
         *
         # @param connection_id         network connection ID assigned by TNCS
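Review bot: The @param tag `pa_tnc_message` does not match the parameter name `pa_tnc_msg` in the prototype; rename it to `@param pa_tnc_msg` and, as the IMV test plugin destroys the message, say so: `@param pa_tnc_msg  parsed PA-TNC message (caller must destroy) or NULL if an error occurred`. The comment should also mention that on a verification error an error message has already been sent back, and that on other failures the agent has already set an error recommendation, so the caller only needs to propagate the result. The context line `# @param connection_id` below uses `#` where `*` is expected; it predates this commit but is trivial to fix in passing.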
index 0eea4c3..eb6c648 100644 (file)
@@ -39,7 +39,6 @@ typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
  */
 
 #define PA_TNC_HEADER_SIZE     8
-#define PA_TNC_VERSION         0x01
 #define PA_TNC_RESERVED                0x000000
 
 /**
@@ -61,6 +60,7 @@ typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
 #define PA_TNC_ATTR_FLAG_NONE                  0x00
 #define PA_TNC_ATTR_FLAG_NOSKIP                        (1<<7)
 #define PA_TNC_ATTR_HEADER_SIZE                        12
+#define PA_TNC_ATTR_INFO_SIZE                  8
 
 /**
  * Private data of a pa_tnc_msg_t object.
@@ -140,8 +140,18 @@ METHOD(pa_tnc_msg_t, build, void,
                value = attr->get_value(attr);
                flags = attr->get_noskip_flag(attr) ? PA_TNC_ATTR_FLAG_NOSKIP :
                                                                                          PA_TNC_ATTR_FLAG_NONE;
-               DBG2(DBG_TNC, "creating PA-TNC attribute type 0x%06x(%N)/0x%08x",
-                                          vendor_id, pen_names, vendor_id, type);
+               if (vendor_id == PEN_IETF)
+               {
+                       DBG2(DBG_TNC, "creating PA-TNC attribute type '%N/%N' "
+                                                 "0x%06x/0x%08x", pen_names, vendor_id,
+                                                 ietf_attr_names, type, vendor_id, type);
+               }
+               else
+               {
+                       DBG2(DBG_TNC, "creating PA-TNC attribute type '%N' "
+                                                 "0x%06x/0x%08x", pen_names, vendor_id,
+                                                  vendor_id, type);
+               }
                DBG3(DBG_TNC, "%B", &value);
 
                writer->write_uint8 (writer, flags);
@@ -176,6 +186,7 @@ METHOD(pa_tnc_msg_t, process, status_t,
        reader->read_uint8 (reader, &version);
        reader->read_uint24(reader, &reserved);
        reader->read_uint32(reader, &this->identifier);
+       DBG2(DBG_TNC, "processing PA-TNC message with ID 0x%08x", this->identifier);
 
        if (version != PA_TNC_VERSION)
        {
@@ -184,7 +195,6 @@ METHOD(pa_tnc_msg_t, process, status_t,
                                        PA_ERROR_VERSION_NOT_SUPPORTED, this->encoding);
                goto err;
        }
-       DBG2(DBG_TNC, "processing PA-TNC message with ID 0x%08x", this->identifier);
        
        /* pre-process PA-TNC attributes */
        while (reader->remaining(reader) >= PA_TNC_ATTR_HEADER_SIZE)
@@ -192,15 +202,28 @@ METHOD(pa_tnc_msg_t, process, status_t,
                pen_t vendor_id;
                u_int8_t flags;
                u_int32_t type, length;
-               chunk_t value;
+               chunk_t value, attr_info;
                pa_tnc_attr_t *attr;
+               ietf_attr_pa_tnc_error_t *error_attr;
 
+               attr_info = reader->peek(reader);
+               attr_info.len = PA_TNC_ATTR_INFO_SIZE;
                reader->read_uint8 (reader, &flags);
                reader->read_uint24(reader, &vendor_id);
                reader->read_uint32(reader, &type);
                reader->read_uint32(reader, &length);
-               DBG2(DBG_TNC, "processing PA-TNC attribute type 0x%06x(%N)/0x%08x",
-                                          vendor_id, pen_names, vendor_id, type);
+               if (vendor_id == PEN_IETF)
+               {
+                       DBG2(DBG_TNC, "processing PA-TNC attribute type '%N/%N' "
+                                                 "0x%06x/0x%08x", pen_names, vendor_id,
+                                                 ietf_attr_names, type, vendor_id, type);
+               }
+               else
+               {
+                       DBG2(DBG_TNC, "processing PA-TNC attribute type '%N' "
+                                                 "0x%06x/0x%08x", pen_names, vendor_id,
+                                                  vendor_id, type);
+               }
 
                if (length < PA_TNC_ATTR_HEADER_SIZE)
                {
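Review bot: `attr_info = reader->peek(reader); attr_info.len = PA_TNC_ATTR_INFO_SIZE;` is in bounds only because the loop condition requires PA_TNC_ATTR_HEADER_SIZE bytes remaining, and that dependency deserves a comment: `/* 8 byte view of the attribute header; in bounds since remaining >= PA_TNC_ATTR_HEADER_SIZE */`. The view points into the reader's buffer and is only consumed through set_attr_info(), which clones it, so there is no lifetime problem today, but noting that the slice must not be stored raw would protect a future caller. The two DBG2 branches duplicate the ones added to build() earlier in this file; a small static helper taking vendor_id, type and a verb string would remove the duplication.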
@@ -229,6 +252,8 @@ METHOD(pa_tnc_msg_t, process, status_t,
                                DBG1(DBG_TNC, "unsupported PA-TNC attribute with NOSKIP flag");
                                error = ietf_attr_pa_tnc_error_create(PEN_IETF,
                                                        PA_ERROR_ATTR_TYPE_NOT_SUPPORTED, this->encoding);
+                               error_attr = (ietf_attr_pa_tnc_error_t*)error;
+                               error_attr->set_attr_info(error_attr, attr_info);
                                goto err;
                        }
                        else
@@ -268,7 +293,7 @@ METHOD(pa_tnc_msg_t, create_attribute_enumerator, enumerator_t*,
 METHOD(pa_tnc_msg_t, create_error_enumerator, enumerator_t*,
        private_pa_tnc_msg_t *this)
 {
-       return this->errors->create_enumerator(this->attributes);
+       return this->errors->create_enumerator(this->errors);
 }
 
 METHOD(pa_tnc_msg_t, destroy, void,
index b640600..bff9546 100644 (file)
@@ -23,6 +23,8 @@
 
 typedef struct pa_tnc_msg_t pa_tnc_msg_t;
 
+#define PA_TNC_VERSION         0x01
+
 #include "pa_tnc_attr.h"
 
 #include <library.h>
index 3f7ee35..e89008f 100644 (file)
@@ -16,6 +16,8 @@
 
 #include <imc/imc_agent.h>
 #include <pa_tnc/pa_tnc_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
 #include <ita/ita_attr_command.h>
 
 #include <pen/pen.h>
@@ -129,7 +131,10 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
                                                                  TNC_MessageType msg_type)
 {
        pa_tnc_msg_t *pa_tnc_msg;
-       status_t status;
+       pa_tnc_attr_t *attr;
+       enumerator_t *enumerator;
+       TNC_Result result;
+       bool fatal_error = FALSE;
 
        if (!imc_test)
        {
@@ -137,19 +142,60 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
                return TNC_RESULT_NOT_INITIALIZED;
        }
 
-       /* process received message */
-       DBG2(DBG_IMC, "IMC %u \"%s\" received message type 0x%08x for Connection ID %u",
-                                  imc_id, imc_name, msg_type, connection_id);
-       pa_tnc_msg = pa_tnc_msg_create_from_data(chunk_create(msg, msg_len));
-       status = pa_tnc_msg->process(pa_tnc_msg);
-       pa_tnc_msg->destroy(pa_tnc_msg);
-       if (status != SUCCESS)
+       /* parse received PA-TNC message and automatically handle any errors */ 
+       result = imc_test->receive_message(imc_test, connection_id,
+                                                                          chunk_create(msg, msg_len), msg_type,
+                                                                          &pa_tnc_msg);
+
+       /* no parsed PA-TNC attributes available if an error occurred */
+       if (!pa_tnc_msg)
        {
-               return TNC_RESULT_FATAL;
+               return result;
        }
 
-       /* always return the same response */
-       return send_message(connection_id);
+       /* analyze PA-TNC attributes */
+       enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+       while (enumerator->enumerate(enumerator, &attr))
+       {
+               if (attr->get_vendor_id(attr) == PEN_IETF &&
+                       attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
+               {
+                       ietf_attr_pa_tnc_error_t *error_attr;
+                       pa_tnc_error_code_t error_code;
+                       chunk_t msg_info, attr_info;
+
+                       error_attr = (ietf_attr_pa_tnc_error_t*)attr;
+                       error_code = error_attr->get_error_code(error_attr);
+                       msg_info = error_attr->get_msg_info(error_attr);
+
+                       DBG1(DBG_IMC, "received PA-TNC error '%N' concerning message %#B",
+                                pa_tnc_error_code_names, error_code, &msg_info);
+                       switch (error_code)
+                       {
+                               case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
+                                       attr_info = error_attr->get_attr_info(error_attr);
+                                       DBG1(DBG_IMC, "  unsupported attribute %#B", &attr_info);
+                                       break;
+                               default:
+                                       break;
+                       }
+                       fatal_error = TRUE;
+               }
+               else if (attr->get_vendor_id(attr) == PEN_ITA &&
+                                attr->get_type(attr) == ITA_ATTR_COMMAND)
+               {
+                       ita_attr_command_t *ita_attr;
+                       char *command;
+       
+                       ita_attr = (ita_attr_command_t*)attr;
+                       command = ita_attr->get_command(ita_attr);
+               }
+       }
+       enumerator->destroy(enumerator);
+       pa_tnc_msg->destroy(pa_tnc_msg);
+
+       /* if no error occurred then always return the same response */
+       return fatal_error ? TNC_RESULT_FATAL : send_message(connection_id);
 }
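Review bot: In the ITA_ATTR_COMMAND branch `command` is assigned from get_command() and then never used, which leaves an unused-variable warning and a branch that does nothing; either drop the branch or log it, e.g. `DBG1(DBG_IMC, "received ITA command '%s'", command);`, and if it is a placeholder for a later commit a `/* TODO */` would say so. The error-attribute logging block is duplicated verbatim in the IMV test plugin of the same commit; moving it into the agents, which already know how to build these errors, would keep the two copies from drifting. The function returns TNC_RESULT_FATAL when any PA-TNC error attribute was received, which is reasonable for a test IMC but worth stating in the comment above the return, since a real IMC might prefer to keep the connection alive.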
 
 /**
index 7e1f059..ca798bb 100644 (file)
@@ -16,6 +16,8 @@
 
 #include <imv/imv_agent.h>
 #include <pa_tnc/pa_tnc_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
 #include <ita/ita_attr_command.h>
 
 #include <pen/pen.h>
@@ -127,8 +129,9 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
        pa_tnc_attr_t *attr;
        imv_state_t *state;
        imv_test_state_t *imv_test_state;
-       TNC_Result result = TNC_RESULT_SUCCESS;
        enumerator_t *enumerator;
+       TNC_Result result;
+       bool fatal_error = FALSE;
 
        if (!imv_test)
        {
@@ -136,29 +139,53 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
                return TNC_RESULT_NOT_INITIALIZED;
        }
 
-       /* process received message */
-       DBG2(DBG_IMV, "IMV %u \"%s\" received message type 0x%08x for Connection ID %u",
-                                  imv_id, imv_name, msg_type, connection_id);
-       pa_tnc_msg = pa_tnc_msg_create_from_data(chunk_create(msg, msg_len));
-
-       if (pa_tnc_msg->process(pa_tnc_msg) != SUCCESS)
+       /* get current IMV state */
+       if (!imv_test->get_state(imv_test, connection_id, &state))
        {
-               pa_tnc_msg->destroy(pa_tnc_msg);
                return TNC_RESULT_FATAL;
        }
 
-       /* get current IMV state */
-       if (!imv_test->get_state(imv_test, connection_id, &state))
+       /* parse received PA-TNC message and automatically handle any errors */ 
+       result = imv_test->receive_message(imv_test, connection_id,
+                                                                          chunk_create(msg, msg_len), msg_type,
+                                                                          &pa_tnc_msg);
+
+       /* no parsed PA-TNC attributes available if an error occurred */
+       if (!pa_tnc_msg)
        {
-               pa_tnc_msg->destroy(pa_tnc_msg);
-               return TNC_RESULT_FATAL;
+               return result;
        }
 
+       /* analyze PA-TNC attributes */
        enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
        while (enumerator->enumerate(enumerator, &attr))
        {
-               if (attr->get_vendor_id(attr) == PEN_ITA &&
-                       attr->get_type(attr) == ITA_ATTR_COMMAND)
+               if (attr->get_vendor_id(attr) == PEN_IETF &&
+                       attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
+               {
+                       ietf_attr_pa_tnc_error_t *error_attr;
+                       pa_tnc_error_code_t error_code;
+                       chunk_t msg_info, attr_info;
+
+                       error_attr = (ietf_attr_pa_tnc_error_t*)attr;
+                       error_code = error_attr->get_error_code(error_attr);
+                       msg_info = error_attr->get_msg_info(error_attr);
+
+                       DBG1(DBG_IMV, "received PA-TNC error '%N' concerning message %#B",
+                                pa_tnc_error_code_names, error_code, &msg_info);
+                       switch (error_code)
+                       {
+                               case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
+                                       attr_info = error_attr->get_attr_info(error_attr);
+                                       DBG1(DBG_IMV, "  unsupported attribute %#B", &attr_info);
+                                       break;
+                               default:
+                                       break;
+                       }
+                       fatal_error = TRUE;
+               }
+               else if (attr->get_vendor_id(attr) == PEN_ITA &&
+                                attr->get_type(attr) == ITA_ATTR_COMMAND)
                {
                        ita_attr_command_t *ita_attr;
                        char *command;
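Review bot: With the `break` after the command handling removed in the following hunk, every ITA_ATTR_COMMAND attribute in one message is evaluated and the last one wins, so a message carrying `block` followed by `allow` ends up allowed unless imv_state's set_recommendation merges results, which I cannot see from here; if that is unintended, keep the first command or add a comment stating that the last command takes precedence. The `fatal_error` flag set on a PA-TNC error attribute does not end the loop, so later command attributes still update the state that is then overwritten after the loop; a `break` there, or a comment saying the overwrite is intentional, would clarify. The error-logging block is identical to the one in the IMC test plugin and could live in the agents. The enclosing function continues past this hunk.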
@@ -178,7 +205,7 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
                                                                TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
                                                                TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);                    
                        }
-                       else if (streq(command, "none"))
+                       else if (streq(command, "block") || streq(command, "none"))
                        {
                                state->set_recommendation(state,
                                                                TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS,
@@ -186,17 +213,22 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
                        }
                        else
                        {
-                               result = TNC_RESULT_FATAL;
+                               DBG1(DBG_IMV, "unsupported ITA Command '%s'", command);
+                               state->set_recommendation(state,
+                                                               TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+                                                               TNC_IMV_EVALUATION_RESULT_ERROR);                         
                        }
-                       break;
                }               
        }
        enumerator->destroy(enumerator);
        pa_tnc_msg->destroy(pa_tnc_msg);
 
-       if (result != TNC_RESULT_SUCCESS)
+       if (fatal_error)
        {
-               return result;
+               state->set_recommendation(state,
+                                                               TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+                                                               TNC_IMV_EVALUATION_RESULT_ERROR);                         
+               return imv_test->provide_recommendation(imv_test, connection_id);
        }
 
        /* repeat the measurement ? */
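Review bot: The new `DBG1(DBG_IMV, "unsupported ITA Command '%s'", command)` prints a string taken straight from the peer's attribute, which is only safe if ita_attr_command_t's process() guarantees NUL termination; that code is outside this diff, so either confirm it there or log a bounded copy. The recommendation set in that else branch and the one set under `if (fatal_error)` are identical four-line copies; a tiny `static void set_error_recommendation(imv_state_t *state)` helper would remove the duplication. The lines ending in `TNC_IMV_EVALUATION_RESULT_ERROR);` carry trailing whitespace that should be stripped. The function continues past the end of the hunk.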