Introduced workitems to Scanner IMV
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 18 Jun 2013 17:13:21 +0000 (19:13 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 21 Jun 2013 21:25:24 +0000 (23:25 +0200)
src/libimcv/imv/data.sql
src/libimcv/imv/imv_workitem.c
src/libimcv/imv/imv_workitem.h
src/libimcv/plugins/imv_os/imv_os_agent.c
src/libimcv/plugins/imv_scanner/imv_scanner_agent.c
src/libimcv/plugins/imv_scanner/imv_scanner_state.c
src/libimcv/plugins/imv_scanner/imv_scanner_state.h

index 8b9ea50..dcc4e75 100644 (file)
@@ -689,7 +689,7 @@ INSERT INTO policies (                      /*  8 */
 INSERT INTO policies (                 /*  9 */
   type, name, rec_fail, rec_noresult
 ) VALUES (
-  12, 'No Open UDP Ports', 1, 1
+  13, 'No Open UDP Ports', 1, 1
 );
 
 INSERT INTO policies (                 /* 10 */
index 43af9bf..a61a826 100644 (file)
@@ -20,7 +20,7 @@
 
 typedef struct private_imv_workitem_t private_imv_workitem_t;
 
-ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_UDP_SCAN,
+ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_UDP_PORT_BLOCK,
        "PCKGS",
        "UNSRC",
        "FWDEN",
@@ -31,8 +31,10 @@ ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_UDP_SCAN,
        "DREFM",
        "DMEAS",
        "DMETA",
-       "TCPSC",
-       "UDPSC"
+       "TCPOP",
+       "TCPBL",
+       "UDPOP",
+       "UDPBL"
 );
 
 /**
index 80ce3f4..f6ca3ea 100644 (file)
@@ -30,18 +30,20 @@ typedef struct imv_workitem_t imv_workitem_t;
 typedef enum imv_workitem_type_t imv_workitem_type_t;
 
 enum imv_workitem_type_t {
-       IMV_WORKITEM_PACKAGES =       1,
-       IMV_WORKITEM_UNKNOWN_SOURCE = 2,
-       IMV_WORKITEM_FORWARDING =     3,
-       IMV_WORKITEM_DEFAULT_PWD =    4,
-       IMV_WORKITEM_FILE_REF_MEAS =  5,
-       IMV_WORKITEM_FILE_MEAS =      6,
-       IMV_WORKITEM_FILE_META =      7,
-       IMV_WORKITEM_DIR_REF_MEAS =   8,
-       IMV_WORKITEM_DIR_MEAS =       9,
-       IMV_WORKITEM_DIR_META =      10,
-       IMV_WORKITEM_TCP_SCAN =      11,
-       IMV_WORKITEM_UDP_SCAN =      12
+       IMV_WORKITEM_PACKAGES =        1,
+       IMV_WORKITEM_UNKNOWN_SOURCE =  2,
+       IMV_WORKITEM_FORWARDING =      3,
+       IMV_WORKITEM_DEFAULT_PWD =     4,
+       IMV_WORKITEM_FILE_REF_MEAS =   5,
+       IMV_WORKITEM_FILE_MEAS =       6,
+       IMV_WORKITEM_FILE_META =       7,
+       IMV_WORKITEM_DIR_REF_MEAS =    8,
+       IMV_WORKITEM_DIR_MEAS =        9,
+       IMV_WORKITEM_DIR_META =       10,
+       IMV_WORKITEM_TCP_PORT_OPEN =  11,
+       IMV_WORKITEM_TCP_PORT_BLOCK = 12,
+       IMV_WORKITEM_UDP_PORT_OPEN =  13,
+       IMV_WORKITEM_UDP_PORT_BLOCK = 14
 };
 
 extern enum_name_t *imv_workitem_type_names;
index b22bf70..d8affb9 100644 (file)
@@ -396,6 +396,7 @@ static TNC_Result receive_msg(private_imv_os_agent_t *this, imv_state_t *state,
 
        if (assessment)
        {
+               os_state->set_handshake_state(os_state, IMV_OS_STATE_END);
                result = out_msg->send_assessment(out_msg);
                out_msg->destroy(out_msg);
                if (result != TNC_RESULT_SUCCESS)
@@ -601,7 +602,6 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
                                {
                                        continue;
                                }
-                               no_workitems = FALSE;
 
                                switch (workitem->get_type(workitem))
                                {
@@ -621,6 +621,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
                                                continue;
                                }
                                workitem->set_imv_id(workitem, imv_id);
+                               no_workitems = FALSE;
                        }
                        enumerator->destroy(enumerator);
 
index 0415f52..6bf85c6 100644 (file)
@@ -16,6 +16,7 @@
 #include "imv_scanner_agent.h"
 #include "imv_scanner_state.h"
 
+#include <imcv.h>
 #include <imv/imv_agent.h>
 #include <imv/imv_msg.h>
 #include <ietf/ietf_attr.h>
@@ -38,86 +39,6 @@ static pen_type_t msg_types[] = {
 };
 
 /**
- * Flag set when corresponding attribute has been received
- */
-typedef enum imv_scanner_attr_t imv_scanner_attr_t;
-
-enum imv_scanner_attr_t {
-       IMV_SCANNER_ATTR_PORT_FILTER =         (1<<0)
-};
-
-typedef struct port_range_t port_range_t;
-
-struct port_range_t {
-       u_int16_t start, stop;
-};
-
-/**
- * Default port policy
- *
- * TRUE:  all server ports on the TNC client must be closed
- * FALSE: any server port on the TNC client is allowed to be open
- */
-static bool closed_port_policy = TRUE;
-
-/**
- * List of TCP and UDP port ranges
- *
- * TRUE:  server ports on the TNC client that are allowed to be open
- * FALSE: server ports on the TNC client that must be closed
- */
-static linked_list_t *tcp_ports, *udp_ports;
-
-/**
- * Get a TCP or UDP port list from strongswan.conf
- */
-static linked_list_t* get_port_list(char *label)
-{
-       char key[40], *value;
-       linked_list_t *list;
-       chunk_t port_list, port_item, port_start;
-       port_range_t *port_range;
-
-       list = linked_list_create();
-
-       snprintf(key, sizeof(key), "libimcv.plugins.imv-scanner.%s_ports", label);
-       value = lib->settings->get_str(lib->settings, key, NULL);
-       if (!value)
-       {
-               DBG1(DBG_IMV, "%s not defined", key);
-               return list;
-       }
-       port_list = chunk_create(value, strlen(value));
-       DBG2(DBG_IMV, "list of %s ports that %s:", label,
-                closed_port_policy ? "are allowed to be open" : "must be closed");
-
-       while (eat_whitespace(&port_list))
-       {
-               if (!extract_token(&port_item, ' ', &port_list))
-               {
-                       /* reached last port item */
-                       port_item = port_list;
-                       port_list = chunk_empty;
-               }
-               port_range = malloc_thing(port_range_t);
-               port_range->start = atoi(port_item.ptr);
-
-               if (extract_token(&port_start, '-', &port_item) && port_item.len)
-               {
-                       port_range->stop = atoi(port_item.ptr);
-               }
-               else
-               {
-                       port_range->stop = port_range->start;
-               }
-               DBG2(DBG_IMV, "%5u - %5u", port_range->start, port_range->stop);
-               list->insert_last(list, port_range);
-       }
-
-       return list;
-}
-
-/**
  * Private data of an imv_scanner_agent_t object.
  */
 struct private_imv_scanner_agent_t {
@@ -165,10 +86,12 @@ static TNC_Result receive_msg(private_imv_scanner_agent_t *this,
                                                          imv_state_t *state, imv_msg_t *in_msg)
 {
        imv_msg_t *out_msg;
+       imv_scanner_state_t *scanner_state;
        enumerator_t *enumerator;
        pa_tnc_attr_t *attr;
        pen_type_t type;
        TNC_Result result;
+       ietf_attr_port_filter_t *port_filter_attr;
        bool fatal_error = FALSE;
 
        /* parse received PA-TNC message and handle local and remote errors */
@@ -186,70 +109,9 @@ static TNC_Result receive_msg(private_imv_scanner_agent_t *this,
 
                if (type.vendor_id == PEN_IETF && type.type == IETF_ATTR_PORT_FILTER)
                {
-                       imv_scanner_state_t *scanner_state;
-                       ietf_attr_port_filter_t *attr_port_filter;
-                       enumerator_t *enumerator;
-                       u_int8_t protocol;
-                       u_int16_t port;
-                       bool blocked, compliant = TRUE;
-
-                       state->set_action_flags(state, IMV_SCANNER_ATTR_PORT_FILTER);
                        scanner_state = (imv_scanner_state_t*)state;
-                       attr_port_filter = (ietf_attr_port_filter_t*)attr;
-
-                       enumerator = attr_port_filter->create_port_enumerator(attr_port_filter);
-                       while (enumerator->enumerate(enumerator, &blocked, &protocol, &port))
-                       {
-                               enumerator_t *e;
-                               port_range_t *port_range;
-                               bool passed, found = FALSE;
-                               char buf[20];
-
-                               if (blocked)
-                               {
-                                       /* ignore closed ports */
-                                       continue;
-                               }
-
-                               e = (protocol == IPPROTO_TCP) ?
-                                                       tcp_ports->create_enumerator(tcp_ports) :
-                                                       udp_ports->create_enumerator(udp_ports);
-                               while (e->enumerate(e, &port_range))
-                               {
-                                       if (port >= port_range->start && port <= port_range->stop)
-                                       {
-                                               found = TRUE;
-                                               break;
-                                       }
-                               }
-                               e->destroy(e);
-
-                               passed = (closed_port_policy == found);
-                               DBG2(DBG_IMV, "%s port %5u %s: %s",
-                                       (protocol == IPPROTO_TCP) ? "tcp" : "udp", port,
-                                        blocked ? "closed" : "open", passed ? "ok" : "fatal");
-                               if (!passed)
-                               {
-                                       compliant = FALSE;
-                                       snprintf(buf, sizeof(buf), "%s/%u",
-                                                       (protocol == IPPROTO_TCP) ? "tcp" : "udp", port);
-                                       scanner_state->add_violating_port(scanner_state, strdup(buf));
-                               }
-                       }
-                       enumerator->destroy(enumerator);
-
-                       if (compliant)
-                       {
-                               state->set_recommendation(state,
-                                                               TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
-                                                               TNC_IMV_EVALUATION_RESULT_COMPLIANT);
-                       }
-                       else
-                       {
-                               state->set_recommendation(state,
-                                                               TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS,
-                                                               TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
-                       }
+                       port_filter_attr = (ietf_attr_port_filter_t*)attr->get_ref(attr);
+                       scanner_state->set_port_filter_attr(scanner_state, port_filter_attr);
                }
        }
        enumerator->destroy(enumerator);
@@ -259,16 +121,17 @@ static TNC_Result receive_msg(private_imv_scanner_agent_t *this,
                state->set_recommendation(state,
                                                                TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
                                                                TNC_IMV_EVALUATION_RESULT_ERROR);
+               out_msg = imv_msg_create_as_reply(in_msg);
+               result = out_msg->send_assessment(out_msg);
+               out_msg->destroy(out_msg);
+               if (result != TNC_RESULT_SUCCESS)
+               {
+                       return result;
+               }
+               return this->agent->provide_recommendation(this->agent, state);
        }
 
-       out_msg = imv_msg_create_as_reply(in_msg);
-       result = out_msg->send_assessment(out_msg);
-       out_msg->destroy(out_msg);
-       if (result != TNC_RESULT_SUCCESS)
-       {
-               return result;
-       }  
-       return this->agent->provide_recommendation(this->agent, state);
+       return TNC_RESULT_SUCCESS;
 }
 
 METHOD(imv_agent_if_t, receive_message, TNC_Result,
@@ -312,33 +175,262 @@ METHOD(imv_agent_if_t, receive_message_long, TNC_Result,
 
 }
 
+typedef struct port_range_t port_range_t;
+
+struct port_range_t {
+       u_int16_t start, stop;
+};
+
+/**
+ * Parse a TCP or UDP port list from an argument string
+ */
+static linked_list_t* get_port_list(u_int8_t protocol_family,
+                                                                       bool closed_port_policy, char *arg_str)
+{
+       chunk_t port_list, port_item, port_start;
+       port_range_t *port_range;
+       linked_list_t *list;
+
+       list = linked_list_create();
+
+       port_list = chunk_from_str(arg_str);
+       DBG2(DBG_IMV, "list of %s ports that %s:",
+                (protocol_family == IPPROTO_TCP) ? "tcp" : "udp",
+                closed_port_policy ? "are allowed to be open" : "must be closed");
+
+       while (eat_whitespace(&port_list))
+       {
+               if (!extract_token(&port_item, ' ', &port_list))
+               {
+                       /* reached last port item */
+                       port_item = port_list;
+                       port_list = chunk_empty;
+               }
+               port_range = malloc_thing(port_range_t);
+               port_range->start = atoi(port_item.ptr);
+
+               if (extract_token(&port_start, '-', &port_item) && port_item.len)
+               {
+                       port_range->stop = atoi(port_item.ptr);
+               }
+               else
+               {
+                       port_range->stop = port_range->start;
+               }
+               DBG2(DBG_IMV, "%5u - %5u", port_range->start, port_range->stop);
+               list->insert_last(list, port_range);
+       }
+
+       return list;
+}
+
 METHOD(imv_agent_if_t, batch_ending, TNC_Result,
        private_imv_scanner_agent_t *this, TNC_ConnectionID id)
 {
-       imv_state_t *state;
        imv_msg_t *out_msg;
+       imv_state_t *state;
+       imv_session_t *session;
+       imv_workitem_t *workitem;
+       imv_scanner_state_t *scanner_state;
+       imv_scanner_handshake_state_t handshake_state;
        pa_tnc_attr_t *attr;
-       TNC_IMV_Action_Recommendation rec;
-       TNC_IMV_Evaluation_Result eval;
+       ietf_attr_port_filter_t *port_filter_attr;
+       TNC_IMVID imv_id;
        TNC_Result result = TNC_RESULT_SUCCESS;
+       bool no_workitems = TRUE;
+       enumerator_t *enumerator;
 
        if (!this->agent->get_state(this->agent, id, &state))
        {
                return TNC_RESULT_FATAL;
        }
-       state->get_recommendation(state, &rec, &eval);
-       if (rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+       scanner_state = (imv_scanner_state_t*)state;
+       handshake_state = scanner_state->get_handshake_state(scanner_state);
+       port_filter_attr = scanner_state->get_port_filter_attr(scanner_state);
+       session = state->get_session(state);
+       imv_id = this->agent->get_id(this->agent);
+
+       if (handshake_state == IMV_SCANNER_STATE_END)
        {
-               out_msg = imv_msg_create(this->agent, state, id,
-                                                                this->agent->get_id(this->agent),
-                                                                TNC_IMCID_ANY, msg_types[0]);
-               attr = ietf_attr_attr_request_create(PEN_IETF, IETF_ATTR_PORT_FILTER);
-               out_msg->add_attribute(out_msg, attr);
+               return TNC_RESULT_SUCCESS;
+       }
 
-               /* send PA-TNC message with excl flag not set */
+       if (!session)
+       {
+               DBG2(DBG_IMV, "no workitems available - no evaluation possible");
+               state->set_recommendation(state,
+                                                       TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+                                                       TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+               scanner_state->set_handshake_state(scanner_state,
+                                                       IMV_SCANNER_STATE_END);
+               return TNC_RESULT_SUCCESS;
+       }
+
+       /* create an empty out message - we might need it */
+       out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
+                                                        msg_types[0]);
+
+       if (handshake_state == IMV_SCANNER_STATE_INIT)
+       {
+               enumerator = session->create_workitem_enumerator(session);
+               if (enumerator)
+               {
+                       while (enumerator->enumerate(enumerator, &workitem))
+                       {
+                               if (workitem->get_imv_id(workitem) != TNC_IMVID_ANY)
+                               {
+                                       continue;
+                               }
+
+                               switch (workitem->get_type(workitem))
+                               {
+                                       case IMV_WORKITEM_TCP_PORT_OPEN:
+                                       case IMV_WORKITEM_TCP_PORT_BLOCK:
+                                       case IMV_WORKITEM_UDP_PORT_OPEN:
+                                       case IMV_WORKITEM_UDP_PORT_BLOCK:
+                                               if (!port_filter_attr &&
+                                                       handshake_state != IMV_SCANNER_STATE_ATTR_REQ)
+                                               {
+                                                       attr = ietf_attr_attr_request_create(PEN_IETF,
+                                                                                       IETF_ATTR_PORT_FILTER);
+                                                       out_msg->add_attribute(out_msg, attr);
+                                                       handshake_state = IMV_SCANNER_STATE_ATTR_REQ;
+                                               }
+                                               break;
+                                       default:
+                                               continue;
+                               }
+                               workitem->set_imv_id(workitem, imv_id);
+                               no_workitems = FALSE;
+                       }
+                       enumerator->destroy(enumerator);
+
+                       if (no_workitems)
+                       {
+                               DBG2(DBG_IMV, "IMV %d has no workitems - "
+                                                         "no evaluation requested", imv_id);
+                               state->set_recommendation(state,
+                                                               TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+                                                               TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+                       }
+                       handshake_state = IMV_SCANNER_STATE_WORKITEMS;
+                       scanner_state->set_handshake_state(scanner_state, handshake_state);
+               }
+       }
+
+       if (handshake_state == IMV_SCANNER_STATE_WORKITEMS && port_filter_attr)
+       {
+               TNC_IMV_Evaluation_Result eval;
+               TNC_IMV_Action_Recommendation rec;
+               u_int8_t protocol_family, protocol;
+               u_int16_t port;
+               bool closed_port_policy, blocked;
+               linked_list_t *port_list;
+               enumerator_t *e1, *e2;
+
+               enumerator = session->create_workitem_enumerator(session);
+               while (enumerator->enumerate(enumerator, &workitem))
+               {
+                       if (workitem->get_imv_id(workitem) != imv_id)
+                       {
+                               continue;
+                       }
+                       eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
+
+                       switch (workitem->get_type(workitem))
+                       {
+                               case IMV_WORKITEM_TCP_PORT_OPEN:
+                                       protocol_family = IPPROTO_TCP;
+                                       closed_port_policy = TRUE;
+                                       break;
+                               case IMV_WORKITEM_TCP_PORT_BLOCK:
+                                       protocol_family = IPPROTO_TCP;
+                                       closed_port_policy = FALSE;
+                                       break;
+                               case IMV_WORKITEM_UDP_PORT_OPEN:
+                                       protocol_family = IPPROTO_UDP;
+                                       closed_port_policy = TRUE;
+                                       break;
+                               case IMV_WORKITEM_UDP_PORT_BLOCK:
+                                       protocol_family = IPPROTO_UDP;
+                                       closed_port_policy = FALSE;
+                                       break;
+                               default:
+                                       continue;
+                       }
+                       port_list = get_port_list(protocol_family, closed_port_policy,
+                                                                         workitem->get_arg_str(workitem));
+
+                       e1 = port_filter_attr->create_port_enumerator(port_filter_attr);
+                       while (e1->enumerate(e1, &blocked, &protocol, &port))
+                       {
+                               port_range_t *port_range;
+                               bool passed, found = FALSE;
+                               char buf[20];
+
+                               if (blocked)
+                               {
+                                       /* ignore closed ports */
+                                       continue;
+                               }
+
+                               e2 = port_list->create_enumerator(port_list);
+                               while (e2->enumerate(e2, &port_range))
+                               {
+                                       if (port >= port_range->start && port <= port_range->stop)
+                                       {
+                                               found = TRUE;
+                                               break;
+                                       }
+                               }
+                               e2->destroy(e2);
+
+                               passed = (closed_port_policy == found);
+                               DBG2(DBG_IMV, "%s port %5u open: %s",
+                                       (protocol == IPPROTO_TCP) ? "tcp" : "udp", port,
+                                        passed ? "ok" : "fatal");
+                               if (!passed)
+                               {
+                                       eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR;
+                                       snprintf(buf, sizeof(buf), "%s/%u",
+                                                       (protocol == IPPROTO_TCP) ? "tcp" : "udp", port);
+                                       scanner_state->add_violating_port(scanner_state, strdup(buf));
+                               }
+                       }
+                       e1->destroy(e1);
+
+                       port_list->destroy(port_list);
+
+                       session->remove_workitem(session, enumerator);
+                       rec = workitem->set_result(workitem, "", eval);
+                       state->update_recommendation(state, rec, eval);
+                       imcv_db->finalize_workitem(imcv_db, workitem);
+                       workitem->destroy(workitem);
+               }
+               enumerator->destroy(enumerator);
+
+               /* finalized all workitems ? */
+               if (session->get_workitem_count(session, imv_id) == 0)
+               {
+                       scanner_state->set_handshake_state(scanner_state,
+                                                                                          IMV_SCANNER_STATE_END);
+                       result = out_msg->send_assessment(out_msg);
+                       out_msg->destroy(out_msg);
+                       if (result != TNC_RESULT_SUCCESS)
+                       {
+                               return result;
+                       }
+                       return this->agent->provide_recommendation(this->agent, state);
+               }
+       }
+
+       /* send non-empty PA-TNC message with excl flag not set */
+       if (out_msg->get_attribute_count(out_msg))
+       {
                result = out_msg->send(out_msg, FALSE);
-               out_msg->destroy(out_msg);
        }
+       out_msg->destroy(out_msg);
+
        return result;
 }
 
@@ -357,8 +449,6 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
 METHOD(imv_agent_if_t, destroy, void,
        private_imv_scanner_agent_t *this)
 {
-       tcp_ports->destroy_function(tcp_ports, free);
-       udp_ports->destroy_function(udp_ports, free);
        this->agent->destroy(this->agent);
        free(this);
 }
@@ -392,16 +482,6 @@ imv_agent_if_t *imv_scanner_agent_create(const char *name, TNC_IMVID id,
                .agent = agent,
        );
 
-       /* set the default port policy to closed (TRUE) or open (FALSE) */
-       closed_port_policy = lib->settings->get_bool(lib->settings,
-                                               "libimcv.plugins.imv-scanner.closed_port_policy", TRUE);
-       DBG2(DBG_IMV, "default port policy is %s ports",
-                                               closed_port_policy ? "closed" : "open");
-
-       /* get the list of open|closed ports */
-       tcp_ports = get_port_list("tcp");
-       udp_ports = get_port_list("udp");
-
        return &this->public;
 }
 
index 83a5e58..eeb7045 100644 (file)
@@ -96,6 +96,11 @@ struct private_imv_scanner_state_t {
        imv_scanner_handshake_state_t handshake_state;
 
        /**
+        * Copy of the received IEEE Port Filter attribute
+        */
+        ietf_attr_port_filter_t *port_filter_attr;
+
+       /**
         * List with ports that should be closed
         */
         linked_list_t *violating_ports;
@@ -317,6 +322,7 @@ METHOD(imv_state_t, destroy, void,
        DESTROY_IF(this->session);
        DESTROY_IF(this->reason_string);
        DESTROY_IF(this->remediation_string);
+       DESTROY_IF(&this->port_filter_attr->pa_tnc_attribute);
        this->violating_ports->destroy_function(this->violating_ports, free);
        free(this->ar_id_value.ptr);
        free(this);
@@ -334,6 +340,19 @@ METHOD(imv_scanner_state_t, get_handshake_state, imv_scanner_handshake_state_t,
        return this->handshake_state;
 }
 
+METHOD(imv_scanner_state_t, set_port_filter_attr, void,
+       private_imv_scanner_state_t *this, ietf_attr_port_filter_t *attr)
+{
+       DESTROY_IF(&this->port_filter_attr->pa_tnc_attribute);
+       this->port_filter_attr = attr;
+}
+
+METHOD(imv_scanner_state_t, get_port_filter_attr, ietf_attr_port_filter_t*,
+       private_imv_scanner_state_t *this)
+{
+       return this->port_filter_attr;
+}
+
 METHOD(imv_scanner_state_t, add_violating_port, void,
        private_imv_scanner_state_t *this, char *port)
 {
@@ -372,6 +391,8 @@ imv_state_t *imv_scanner_state_create(TNC_ConnectionID connection_id)
                        },
                        .set_handshake_state = _set_handshake_state,
                        .get_handshake_state = _get_handshake_state,
+                       .set_port_filter_attr = _set_port_filter_attr,
+                       .get_port_filter_attr = _get_port_filter_attr,
                        .add_violating_port = _add_violating_port,
                },
                .state = TNC_CONNECTION_STATE_CREATE,
index 634448d..7f147f8 100644 (file)
@@ -25,6 +25,8 @@
 #define IMV_SCANNER_STATE_H_
 
 #include <imv/imv_state.h>
+#include <ietf/ietf_attr_port_filter.h>
+
 #include <library.h>
 
 typedef struct imv_scanner_state_t imv_scanner_state_t;
@@ -35,8 +37,9 @@ typedef enum imv_scanner_handshake_state_t imv_scanner_handshake_state_t;
  */
 enum imv_scanner_handshake_state_t {
        IMV_SCANNER_STATE_INIT,
-       IMV_SCANNER_STATE_POLICY_START,
-       IMV_SCANNER_STATE_WORKITEMS
+       IMV_SCANNER_STATE_ATTR_REQ,
+       IMV_SCANNER_STATE_WORKITEMS,
+       IMV_SCANNER_STATE_END
 };
 
 /**
@@ -65,6 +68,21 @@ struct imv_scanner_state_t {
        imv_scanner_handshake_state_t (*get_handshake_state)(imv_scanner_state_t *this);
 
        /**
+        * Store an IETF Port Filter attribute for later evaluation
+        *
+        * @param attr                          IETF Port Filter attribute
+        */
+       void (*set_port_filter_attr)(imv_scanner_state_t *this,
+                                                                ietf_attr_port_filter_t *attr);
+
+       /**
+        * Get the stored IETF Port Filter attribute
+        *
+        * @return                                      IETF Port Filter attribute
+        */
+       ietf_attr_port_filter_t* (*get_port_filter_attr)(imv_scanner_state_t *this);
+
+       /**
         * add a violating TCP or UDP port
         */
        void (*add_violating_port)(imv_scanner_state_t *this, char *port);