From b19ef52d51d51a8ca46779936ba1f7381f980e0d Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Mon, 17 Aug 2015 17:37:52 +0200 Subject: [PATCH] Added reason string support to HCD IMV --- src/libimcv/plugins/imv_hcd/imv_hcd_agent.c | 40 +++++++++++++++++++++++++ src/libimcv/plugins/imv_hcd/imv_hcd_state.c | 39 +++++++++++++++++++++++- testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat | 17 ++++++----- 3 files changed, 88 insertions(+), 8 deletions(-) diff --git a/src/libimcv/plugins/imv_hcd/imv_hcd_agent.c b/src/libimcv/plugins/imv_hcd/imv_hcd_agent.c index 8cfa4d1..e15eeb1 100644 --- a/src/libimcv/plugins/imv_hcd/imv_hcd_agent.c +++ b/src/libimcv/plugins/imv_hcd/imv_hcd_agent.c 
@@ -591,11 +591,51 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result, private_imv_hcd_agent_t *this, TNC_ConnectionID id) { imv_state_t *state; + imv_hcd_state_t* hcd_state; + imv_hcd_handshake_state_t handshake_state; + enum_name_t *pa_subtype_names; + bool missing = FALSE; + uint32_t received; + int i; if (!this->agent->get_state(this->agent, id, &state)) { return TNC_RESULT_FATAL; } + hcd_state = (imv_hcd_state_t*)state; + handshake_state = hcd_state->get_handshake_state(hcd_state); + + if (handshake_state == IMV_HCD_STATE_ATTR_REQ) + { + pa_subtype_names = get_pa_subtype_names(PEN_PWG); + + for (i = 1; i < countof(msg_types); i++) + { + hcd_state->set_subtype(hcd_state, msg_types[i].type); + received = state->get_action_flags(state); + if ((received & IMV_HCD_ATTR_MUST) != IMV_HCD_ATTR_MUST) + { + DBG1(DBG_IMV, "missing attributes for PA subtype %N/%N", + pen_names, PEN_PWG, pa_subtype_names, msg_types[i].type); + missing = TRUE; + } + } + + if (missing) + { + state->set_recommendation(state, + TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS , + TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR); + } + else + { + state->set_recommendation(state, + TNC_IMV_ACTION_RECOMMENDATION_ALLOW , + TNC_IMV_EVALUATION_RESULT_COMPLIANT); + } + } + hcd_state->set_handshake_state(hcd_state, IMV_HCD_STATE_END); + return this->agent->provide_recommendation(this->agent, state); } diff --git a/src/libimcv/plugins/imv_hcd/imv_hcd_state.c b/src/libimcv/plugins/imv_hcd/imv_hcd_state.c index 48614a6..bfe6dd6 100644 --- a/src/libimcv/plugins/imv_hcd/imv_hcd_state.c +++ b/src/libimcv/plugins/imv_hcd/imv_hcd_state.c @@ -14,6 +14,8 @@ */ #include "imv_hcd_state.h" +#include "imv/imv_lang_string.h" +#include "imv/imv_reason_string.h" #include 
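Review bot: The loop `for (i = 1; i < countof(msg_types); i++)` skips msg_types[0] with no comment, and the whole NO_ACCESS/ALLOW decision only runs while the handshake state is IMV_HCD_STATE_ATTR_REQ, so any other state falls through with whatever recommendation was stored earlier; a comment on each, e.g. `/* index 0 of msg_types is intentionally skipped -- TODO state why */` above the loop and `/* evaluate only once the attribute request phase was reached; otherwise keep the recommendation already set */` above the if, would make the intent checkable. The MUST check reads `received` right after `set_subtype`, which I take to mean get_action_flags returns the per-subtype flags; worth confirming against imv_hcd_state.c, which this hunk does not show. Style: `imv_hcd_state_t* hcd_state;` puts the star on the type while the file's `imv_state_t *state;` binds it to the name, and `TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS ,` / `TNC_IMV_ACTION_RECOMMENDATION_ALLOW ,` carry a stray space before the comma.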
@@ -97,6 +99,27 @@ struct private_imv_hcd_state_t { */ imv_hcd_handshake_state_t handshake_state; + /** + * TNC Reason String + */ + imv_reason_string_t *reason_string; + +}; + +/** + * Supported languages + */ +static char* languages[] = { "en", "de", "fr", "pl" }; + +/** + * Reason strings for "Port Filter" + */ +static imv_lang_string_t reasons[] = { + { "en", "Mandatory HCD attributes are missing" }, + { "de", "Obligatorische HCD Attribute fehlen" }, + { "fr", "Il manque des attributes HCD obligatoires" }, + { "pl", "Brakuje atrybutów obowiązkowych" }, + { NULL, NULL } }; METHOD(imv_state_t, get_connection_id, TNC_ConnectionID, @@ -200,7 +223,20 @@ METHOD(imv_state_t, get_reason_string, bool, private_imv_hcd_state_t *this, enumerator_t *language_enumerator, chunk_t *reason_string, char **reason_language) { - return FALSE; + if (this->rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION) + { + return FALSE; + } + *reason_language = imv_lang_string_select_lang(language_enumerator, + languages, countof(languages)); + + /* Instantiate a TNC Reason String object */ + DESTROY_IF(this->reason_string); + this->reason_string = imv_reason_string_create(*reason_language, "\n"); + this->reason_string->add_reason(this->reason_string, reasons); + *reason_string = this->reason_string->get_encoding(this->reason_string); + + return TRUE; } METHOD(imv_state_t, get_remediation_instructions, bool, @@ -214,6 +250,7 @@ METHOD(imv_state_t, destroy, void, private_imv_hcd_state_t *this) { DESTROY_IF(this->session); + DESTROY_IF(this->reason_string); this->contracts->destroy(this->contracts); free(this); } diff --git a/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat index ad23ee1..1293e98 100644 --- a/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat 
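Review bot: The header comment `Reason strings for "Port Filter"` above `reasons[]` does not describe its contents, which are about missing mandatory HCD attributes; it reads like a copy from another IMV and should say `/** Reason strings for missing mandatory HCD attributes */`. Both tables are constant data, so `static char* languages[]` could become `static const char *languages[]` (star bound to the name, as elsewhere in the file) provided imv_lang_string_select_lang accepts a const array, which this patch does not show. The Polish entry `"Brakuje atrybutów obowiązkowych"` is the only one that does not mention HCD; someone fluent should confirm it conveys the same meaning as the other three.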
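Review bot: get_reason_string returns FALSE only for TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, so once solicit_recommendation has set TNC_IMV_ACTION_RECOMMENDATION_ALLOW the IMV still hands out "Mandatory HCD attributes are missing", a misleading reason for a compliant endpoint if the caller asks for reason strings unconditionally (the caller is outside this patch). I would gate on the actual failure instead, e.g. `if (this->rec != TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS) { return FALSE; }`, or on whatever flag records that mandatory attributes were missing. The `DESTROY_IF(this->reason_string)` before re-creating relies on reason_string being NULL in a freshly created state; the constructor is not in this patch, so that should be checked (a zero-initialised struct would cover it). The METHOD line of get_reason_string sits only in the hunk header, so the function starts just outside the hunk.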
@@ -1,16 +1,19 @@
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
-dave:: cat /var/log/daemon.log::PB-TNC assessment result is.*don.*t know::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Denied::YES
-dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
-carol:: cat /var/log/daemon.log::PB-TNC assessment result is.*don.*t know::YES
+carol:: cat /var/log/daemon.log::PB-TNC assessment result is.*non-compliant major::YES
 carol:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Denied::YES
+carol:: cat /var/log/daemon.log::reason string is.*Mandatory HCD attributes are missing::YES
 carol:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
+dave:: cat /var/log/daemon.log::PB-TNC assessment result is.*non-compliant major::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Denied::YES
+dave:: cat /var/log/daemon.log::reason string is.*Mandatory HCD attributes are missing::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by certificate::YES
 alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by certificate::YES
-alice::cat /var/log/daemon.log::policy enforced on peer.*dave@strongswan.org.*is.*no access::YES
 alice::cat /var/log/daemon.log::policy enforced on peer.*carol@strongswan.org.*is.*no access::YES
+alice::cat /var/log/daemon.log::policy enforced on peer.*dave@strongswan.org.*is.*no access::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
+
-- 
2.7.4
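Review bot: The two trailing `moon::` context lines are identical (both match `RADIUS authentication of.*dave@strongswan.org.*failed`), so carol's RADIUS failure is never asserted even though every other expectation is now spelled out for both carol and dave; the second line presumably should read `moon:: cat /var/log/daemon.log::RADIUS authentication of.*carol@strongswan.org.*failed::YES`. The duplicate predates this commit, but the reorder done here is the natural place to fix it. The commit also appends an empty line at the end of the file, which looks unintentional.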