author | Andreas Steffen <andreas.steffen@strongswan.org> | 2013-02-12 12:25:39 +0100 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2013-02-12 12:25:39 +0100 |
commit | 3e56352815ec786c69ca43c9f89b35ccc7634427 (patch) | |
tree | 0506cae82ce717d3dac425ce2b2d53d6c4b3b549 | |
parent | bd1ee5bdc43979824e883f0c11d509700d8e9d4c (diff) | |
download | strongswan-3e56352815ec786c69ca43c9f89b35ccc7634427.tar.bz2 strongswan-3e56352815ec786c69ca43c9f89b35ccc7634427.tar.xz |
determine underlying IF-T transport protocol
-rw-r--r-- | src/libcharon/plugins/eap_tnc/eap_tnc.c | 8 | ||||
-rw-r--r-- | src/libcharon/plugins/tnc_imc/Makefile.am | 3 | ||||
-rw-r--r-- | src/libcharon/plugins/tnc_imv/Makefile.am | 3 | ||||
-rw-r--r-- | src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c | 52 | ||||
-rw-r--r-- | src/libcharon/plugins/tnccs_11/tnccs_11.c | 50 | ||||
-rw-r--r-- | src/libcharon/plugins/tnccs_11/tnccs_11.h | 9 | ||||
-rw-r--r-- | src/libcharon/plugins/tnccs_20/tnccs_20.c | 50 | ||||
-rw-r--r-- | src/libcharon/plugins/tnccs_20/tnccs_20.h | 9 | ||||
-rw-r--r-- | src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c | 53 | ||||
-rw-r--r-- | src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h | 9 | ||||
-rw-r--r-- | src/libtnccs/Makefile.am | 5 | ||||
-rw-r--r-- | src/libtnccs/tnc/tnccs/tnccs.h | 41 | ||||
-rw-r--r-- | src/libtnccs/tnc/tnccs/tnccs_manager.h | 4 |
13 files changed, 231 insertions, 65 deletions
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c index 6d76710f5..a6c7d3073 100644 --- a/src/libcharon/plugins/eap_tnc/eap_tnc.c +++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c @@ -173,10 +173,10 @@ static eap_tnc_t *eap_tnc_create(identification_t *server, return NULL; } tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server, - server, peer); - this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs, - EAP_TNC_MAX_MESSAGE_LEN, - max_msg_count, FALSE); + server, peer, TNC_IFT_EAP_1_1); + this->tls_eap = tls_eap_create(EAP_TNC, &tnccs->tls, + EAP_TNC_MAX_MESSAGE_LEN, + max_msg_count, FALSE); if (!this->tls_eap) { free(this); diff --git a/src/libcharon/plugins/tnc_imc/Makefile.am b/src/libcharon/plugins/tnc_imc/Makefile.am index 5e2c30df9..eba280690 100644 --- a/src/libcharon/plugins/tnc_imc/Makefile.am +++ b/src/libcharon/plugins/tnc_imc/Makefile.am @@ -4,7 +4,8 @@ INCLUDES = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon \ -I$(top_srcdir)/src/libtncif \ - -I$(top_srcdir)/src/libtnccs + -I$(top_srcdir)/src/libtnccs \ + -I$(top_srcdir)/src/libtls AM_CFLAGS = -rdynamic diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libcharon/plugins/tnc_imv/Makefile.am index eca3b377b..90b3507ce 100644 --- a/src/libcharon/plugins/tnc_imv/Makefile.am +++ b/src/libcharon/plugins/tnc_imv/Makefile.am @@ -4,7 +4,8 @@ INCLUDES = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libcharon \ -I$(top_srcdir)/src/libtncif \ - -I$(top_srcdir)/src/libtnccs + -I$(top_srcdir)/src/libtnccs \ + -I$(top_srcdir)/src/libtls AM_CFLAGS = -rdynamic diff --git a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c index 8d3c8a9e1..482cc2abf 100644 --- a/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c +++ b/src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c 
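Review bot: `&tnccs->tls` is formed before `tnccs` is checked for NULL, and tnccs_manager.h in this same commit documents create_instance as returning "NULL if no constructor found"; the old `(tls_t*)tnccs` cast passed a NULL through unchanged, whereas taking the address of a member through a null pointer is undefined behaviour even though `tls` is the first member of tnccs_t. Unless tls_eap_create is known to tolerate a NULL tls_t (the hunk does not show it), add a guard right after the create_instance call: `if (!tnccs) { free(this); return NULL; }`, matching the `free(this)` cleanup already done when tls_eap_create fails. eap_tnc_create starts and ends outside the hunk, so the earlier `return NULL;` paths should be checked for the same cleanup.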
@@ -165,7 +165,8 @@ METHOD(tnccs_manager_t, remove_method, void, METHOD(tnccs_manager_t, create_instance, tnccs_t*, private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server, - identification_t *server, identification_t *peer) + identification_t *server, identification_t *peer, + tnc_ift_type_t transport) { enumerator_t *enumerator; tnccs_entry_t *entry; @@ -177,7 +178,7 @@ METHOD(tnccs_manager_t, create_instance, tnccs_t*, { if (type == entry->type) { - protocol = entry->constructor(is_server, server, peer); + protocol = entry->constructor(is_server, server, peer, transport); if (protocol) { break; @@ -662,15 +663,52 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result, version = "1.0"; break; default: - return TNC_RESULT_INVALID_PARAMETER; + return TNC_RESULT_INVALID_PARAMETER; } return str_attribute(buffer_len, buffer, value_len, version); } case TNC_ATTRIBUTEID_IFT_PROTOCOL: - return str_attribute(buffer_len, buffer, value_len, - "IF-T for Tunneled EAP"); + { + char *protocol; + + switch (entry->tnccs->get_transport(entry->tnccs)) + { + case TNC_IFT_EAP_1_0: + case TNC_IFT_EAP_1_1: + case TNC_IFT_EAP_2_0: + protocol = "IF-T for Tunneled EAP"; + break; + case TNC_IFT_TLS_1_0: + case TNC_IFT_TLS_2_0: + protocol = "IF-T for TLS"; + break; + default: + return TNC_RESULT_INVALID_PARAMETER; + } + return str_attribute(buffer_len, buffer, value_len, protocol); + } case TNC_ATTRIBUTEID_IFT_VERSION: - return str_attribute(buffer_len, buffer, value_len, "1.1"); + { + char *version; + + switch (entry->tnccs->get_transport(entry->tnccs)) + { + case TNC_IFT_EAP_1_0: + case TNC_IFT_TLS_1_0: + version = "1.0"; + break; + case TNC_IFT_EAP_1_1: + version = "1.1"; + break; + case TNC_IFT_EAP_2_0: + case TNC_IFT_TLS_2_0: + version = "2.0"; + break; + default: + return TNC_RESULT_INVALID_PARAMETER; + } + return str_attribute(buffer_len, buffer, value_len, version); + } case TNC_ATTRIBUTEID_AR_IDENTITIES: { linked_list_t *list; 
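Review bot: The two new switches in get_attribute (TNC_ATTRIBUTEID_IFT_PROTOCOL and TNC_ATTRIBUTEID_IFT_VERSION) hard-code the mapping from tnc_ift_type_t to protocol name and version in two separate places, so every future enumerator has to be added to both or the attribute silently reports TNC_RESULT_INVALID_PARAMETER for that transport. A single `static const` table, or an `enum_name_t` for tnc_ift_type_t like the existing tnccs_type_names, would keep the mapping in one place and make the transport printable with `%N`. The pointers to string literals should be `const char *protocol;` and `const char *version;` rather than `char *`, provided str_attribute (defined outside the hunk) accepts a const argument. A one-line comment on the shared `default:` stating when TNC_IFT_UNKNOWN is expected to reach this code would record why it is treated as an error; get_attribute itself starts and ends outside the hunk.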
@@ -681,7 +719,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result, TNC_Result result; list = linked_list_create(); - tnccs = (tls_t*)entry->tnccs; + tnccs = &entry->tnccs->tls; peer = tnccs->get_peer_id(tnccs); if (peer) { diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c index 4720f797a..4a61bdef7 100644 --- a/src/libcharon/plugins/tnccs_11/tnccs_11.c +++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c @@ -43,9 +43,9 @@ typedef struct private_tnccs_11_t private_tnccs_11_t; struct private_tnccs_11_t { /** - * Public tls_t interface. + * Public tnccs_t interface. */ - tls_t public; + tnccs_t public; /** * TNCC if TRUE, TNCS if FALSE @@ -63,6 +63,11 @@ struct private_tnccs_11_t { identification_t *peer; /** + * Underlying TNC IF-T transport protocol + */ + tnc_ift_type_t transport; + + /** * Connection ID assigned to this TNCCS connection */ TNC_ConnectionID connection_id; 
@@ -557,29 +562,48 @@ METHOD(tls_t, destroy, void, free(this); } +METHOD(tnccs_t, get_transport, tnc_ift_type_t, + private_tnccs_11_t *this) +{ + return this->transport; +} + +METHOD(tnccs_t, set_transport, void, + private_tnccs_11_t *this, tnc_ift_type_t transport) +{ + this->transport = transport; +} + /** * See header */ -tls_t *tnccs_11_create(bool is_server, identification_t *server, - identification_t *peer) +tnccs_t* tnccs_11_create(bool is_server, + identification_t *server, + identification_t *peer, + tnc_ift_type_t transport) { private_tnccs_11_t *this; INIT(this, .public = { - .process = _process, - .build = _build, - .is_server = _is_server, - .get_server_id = _get_server_id, - .get_peer_id = _get_peer_id, - .get_purpose = _get_purpose, - .is_complete = _is_complete, - .get_eap_msk = _get_eap_msk, - .destroy = _destroy, + .tls = { + .process = _process, + .build = _build, + .is_server = _is_server, + .get_server_id = _get_server_id, + .get_peer_id = _get_peer_id, + .get_purpose = _get_purpose, + .is_complete = _is_complete, + .get_eap_msk = _get_eap_msk, + .destroy = _destroy, + }, + .get_transport = _get_transport, + .set_transport = _set_transport, }, .is_server = is_server, .server = server->clone(server), .peer = peer->clone(peer), + .transport = transport, .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .max_msg_len = lib->settings->get_int(lib->settings, "%s.plugins.tnccs-11.max_message_size", 45000, diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.h b/src/libcharon/plugins/tnccs_11/tnccs_11.h index 79fccf9c7..531ebb611 100644 --- a/src/libcharon/plugins/tnccs_11/tnccs_11.h +++ b/src/libcharon/plugins/tnccs_11/tnccs_11.h @@ -23,7 +23,7 @@ #include <library.h> -#include <tls.h> +#include <tnc/tnccs/tnccs.h> /** * Create an instance of the TNC IF-TNCCS 1.1 protocol handler. 
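Review bot: set_transport writes `this->transport` and get_transport reads it without taking the `mutex` this struct already owns, while tnc_tnccs_manager.c's get_attribute now calls get_transport from the IMC/IMV attribute path; if set_transport can be called on an active connection from another thread that is a data race, and if it cannot, the contract should be stated. Either wrap both accessors in `this->mutex->lock(this->mutex);` / `this->mutex->unlock(this->mutex);`, or document in tnccs.h that set_transport must be called before process()/build() is first invoked; the same applies to the identical methods in tnccs_20.c and tnccs_dynamic.c. Style: `tnccs_t* tnccs_11_create(` puts the declarator on the type, unlike the `tls_t *tnccs_11_create` line it replaces and `private_tnccs_11_t *this` just below; `tnccs_t *tnccs_11_create(` keeps the file's convention (also in tnccs_20.c, tnccs_dynamic.c and the three headers). The two new METHOD blocks have no header comment while the constructor carries `/** See header */`; a one-liner such as `/** Underlying IF-T transport, see tnccs_t */` on each would match. The INIT block continues past the end of the hunk.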
@@ -31,9 +31,12 @@ * @param is_server TRUE to act as TNC Server, FALSE for TNC Client * @param server Server identity * @param peer Client identity + * @param transport Underlying IF-T transport protocol * @return TNC_IF_TNCCS 1.1 protocol stack */ -tls_t *tnccs_11_create(bool is_server, identification_t *server, - identification_t *peer); +tnccs_t* tnccs_11_create(bool is_server, + identification_t *server, + identification_t *peer, + tnc_ift_type_t transport); #endif /** TNCCS_11_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c index fbbbebee6..4447ba2fd 100644 --- a/src/libcharon/plugins/tnccs_20/tnccs_20.c +++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c @@ -48,9 +48,9 @@ typedef struct private_tnccs_20_t private_tnccs_20_t; struct private_tnccs_20_t { /** - * Public tls_t interface. + * Public tnccs_t interface. */ - tls_t public; + tnccs_t public; /** * TNCC if TRUE, TNCS if FALSE @@ -68,6 +68,11 @@ struct private_tnccs_20_t { identification_t *peer; /** + * Underlying TNC IF-T transport protocol + */ + tnc_ift_type_t transport; + + /** * PB-TNC State Machine */ pb_tnc_state_machine_t *state_machine; 
@@ -823,29 +828,48 @@ METHOD(tls_t, destroy, void, free(this); } +METHOD(tnccs_t, get_transport, tnc_ift_type_t, + private_tnccs_20_t *this) +{ + return this->transport; +} + +METHOD(tnccs_t, set_transport, void, + private_tnccs_20_t *this, tnc_ift_type_t transport) +{ + this->transport = transport; +} + /** * See header */ -tls_t *tnccs_20_create(bool is_server, identification_t *server, - identification_t *peer) +tnccs_t* tnccs_20_create(bool is_server, + identification_t *server, + identification_t *peer, + tnc_ift_type_t transport) { private_tnccs_20_t *this; INIT(this, .public = { - .process = _process, - .build = _build, - .is_server = _is_server, - .get_server_id = _get_server_id, - .get_peer_id = _get_peer_id, - .get_purpose = _get_purpose, - .is_complete = _is_complete, - .get_eap_msk = _get_eap_msk, - .destroy = _destroy, + .tls = { + .process = _process, + .build = _build, + .is_server = _is_server, + .get_server_id = _get_server_id, + .get_peer_id = _get_peer_id, + .get_purpose = _get_purpose, + .is_complete = _is_complete, + .get_eap_msk = _get_eap_msk, + .destroy = _destroy, + }, + .get_transport = _get_transport, + .set_transport = _set_transport, }, .is_server = is_server, .server = server->clone(server), .peer = peer->clone(peer), + .transport = transport, .state_machine = pb_tnc_state_machine_create(is_server), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .messages = linked_list_create(), diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.h b/src/libcharon/plugins/tnccs_20/tnccs_20.h index d42ebf218..314935069 100644 --- a/src/libcharon/plugins/tnccs_20/tnccs_20.h +++ b/src/libcharon/plugins/tnccs_20/tnccs_20.h @@ -23,7 +23,7 @@ #include <library.h> -#include <tls.h> +#include <tnc/tnccs/tnccs.h> /** * Create an instance of the TNC IF-TNCCS 2.0 protocol handler. 
@@ -31,9 +31,12 @@ * @param is_server TRUE to act as TNC Server, FALSE for TNC Client * @param server Server identity * @param peer Client identity + * @param transport Underlying IF-T transport protocol * @return TNC_IF_TNCCS 2.0 protocol stack */ -tls_t *tnccs_20_create(bool is_server, identification_t *server, - identification_t *peer); +tnccs_t* tnccs_20_create(bool is_server, + identification_t *server, + identification_t *peer, + tnc_ift_type_t transport); #endif /** TNCCS_20_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c index 4b04d6920..49f421e9b 100644 --- a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c +++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c @@ -27,9 +27,9 @@ typedef struct private_tnccs_dynamic_t private_tnccs_dynamic_t; struct private_tnccs_dynamic_t { /** - * Public tls_t interface. + * Public tnccs_t interface. */ - tls_t public; + tnccs_t public; /** * Server identity @@ -45,6 +45,12 @@ struct private_tnccs_dynamic_t { * Detected TNC IF-TNCCS stack */ tls_t *tls; + + /** + * Underlying TNC IF-T transport protocol + */ + tnc_ift_type_t transport; + }; /** @@ -87,7 +93,7 @@ METHOD(tls_t, process, status_t, DBG1(DBG_TNC, "%N protocol detected dynamically", tnccs_type_names, type); this->tls = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, type, TRUE, - this->server, this->peer); + this->server, this->peer, this->transport); if (!this->tls) { DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type); 
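Review bot: `this->tls = (tls_t*)tnc->tnccs->create_instance(...)` still casts the returned tnccs_t* to tls_t*, which only works because `tls` happens to be the first member of tnccs_t; now that the struct is explicit, keep the result in a `tnccs_t *tnccs` local and assign `this->tls = tnccs ? &tnccs->tls : NULL;` (as eap_tnc.c does in this commit, but NULL-safe) so the existing `if (!this->tls)` check keeps working without a layout dependency. Holding on to the tnccs_t pointer would also let the wrapper forward get_transport/set_transport to the detected stack. The context line `DBG1(DBG_TNC, "N% protocol not supported", ...)` appears to be a pre-existing typo for `%N`, so the enum name is never printed; it is not part of this change but is worth fixing while here. process starts and ends outside the hunk.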
@@ -148,28 +154,47 @@ METHOD(tls_t, destroy, void, free(this); } +METHOD(tnccs_t, get_transport, tnc_ift_type_t, + private_tnccs_dynamic_t *this) +{ + return this->transport; +} + +METHOD(tnccs_t, set_transport, void, + private_tnccs_dynamic_t *this, tnc_ift_type_t transport) +{ + this->transport = transport; +} + /** * See header */ -tls_t *tnccs_dynamic_create(bool is_server, identification_t *server, - identification_t *peer) +tnccs_t* tnccs_dynamic_create(bool is_server, + identification_t *server, + identification_t *peer, + tnc_ift_type_t transport) { private_tnccs_dynamic_t *this; INIT(this, .public = { - .process = _process, - .build = _build, - .is_server = _is_server, - .get_server_id = _get_server_id, - .get_peer_id = _get_peer_id, - .get_purpose = _get_purpose, - .is_complete = _is_complete, - .get_eap_msk = _get_eap_msk, - .destroy = _destroy, + .tls = { + .process = _process, + .build = _build, + .is_server = _is_server, + .get_server_id = _get_server_id, + .get_peer_id = _get_peer_id, + .get_purpose = _get_purpose, + .is_complete = _is_complete, + .get_eap_msk = _get_eap_msk, + .destroy = _destroy, + }, + .get_transport = _get_transport, + .set_transport = _set_transport, }, .server = server->clone(server), .peer = peer->clone(peer), + .transport = transport, ); return &this->public; diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h index 383ebfcfa..e4cff74b8 100644 --- a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h +++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h @@ -23,7 +23,7 @@ #include <library.h> -#include <tls.h> +#include <tnc/tnccs/tnccs.h> /** * Create an instance of a dynamic TNC IF-TNCCS protocol handler. 
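Review bot: set_transport on the dynamic wrapper only updates `this->transport`; once process() has detected the real stack and stored it in `this->tls`, a later set_transport leaves that inner instance with the transport it was created with, so get_attribute calling get_transport on the inner object and the wrapper's own get_transport will disagree. If set_transport is meant to be callable after detection (the hunk shows no caller either way), forward the call to the inner instance; otherwise document on tnccs_t that it must be called before the first process(). Forwarding needs the tnccs_t pointer back, which the current `tls_t *tls` field only yields through a layout-dependent cast — changing the field to `tnccs_t *tnccs` (declared outside this hunk) would be the cleaner fix.
```c
METHOD(tnccs_t, set_transport, void,
	private_tnccs_dynamic_t *this, tnc_ift_type_t transport)
{
	/* valid only because tls is the first member of tnccs_t */
	tnccs_t *inner = (tnccs_t*)this->tls;

	this->transport = transport;
	if (inner)
	{
		inner->set_transport(inner, transport);
	}
}
```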
@@ -31,9 +31,12 @@ * @param is_server TRUE to act as TNC Server, FALSE for TNC Client * @param server Server identity * @param peer Client identity + * @param transport Underlying IF-T transport protocol * @return dynamic TNC IF-TNCCS protocol stack */ -tls_t *tnccs_dynamic_create(bool is_server, identification_t *server, - identification_t *peer); +tnccs_t* tnccs_dynamic_create(bool is_server, + identification_t *server, + identification_t *peer, + tnc_ift_type_t transport); #endif /** TNCCS_DYNAMIC_H_ @}*/ diff --git a/src/libtnccs/Makefile.am b/src/libtnccs/Makefile.am index 449d32d92..c6492d8d3 100644 --- a/src/libtnccs/Makefile.am +++ b/src/libtnccs/Makefile.am @@ -1,5 +1,8 @@ -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif +INCLUDES = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libtncif \ + -I$(top_srcdir)/src/libtls ipseclib_LTLIBRARIES = libtnccs.la diff --git a/src/libtnccs/tnc/tnccs/tnccs.h b/src/libtnccs/tnc/tnccs/tnccs.h index 530562e7f..3c7249fb0 100644 --- a/src/libtnccs/tnc/tnccs/tnccs.h +++ b/src/libtnccs/tnc/tnccs/tnccs.h @@ -26,6 +26,7 @@ typedef struct tnccs_t tnccs_t; typedef enum tnccs_type_t tnccs_type_t; +typedef enum tnc_ift_type_t tnc_ift_type_t; #include <tncif.h> #include <tncifimc.h> @@ -34,6 +35,8 @@ typedef enum tnccs_type_t tnccs_type_t; #include <library.h> #include <plugins/plugin.h> +#include <tls.h> + /** * Type of TNC Client/Server protocol */ 
@@ -46,21 +49,57 @@ enum tnccs_type_t { }; /** + * Type of TNC Transport protocol + */ +enum tnc_ift_type_t { + TNC_IFT_UNKNOWN, + TNC_IFT_EAP_1_0, + TNC_IFT_EAP_1_1, + TNC_IFT_EAP_2_0, + TNC_IFT_TLS_1_0, + TNC_IFT_TLS_2_0 +}; + +/** * enum names for tnccs_type_t. */ extern enum_name_t *tnccs_type_names; /** + * TNCCS public interface + */ +struct tnccs_t { + + /** + * Implements tls_t + */ + tls_t tls; + + /** + * Get underlying TNC IF-T transport protocol + */ + tnc_ift_type_t (*get_transport)(tnccs_t *this); + + /** + * Set underlying TNC IF-T transport protocol + */ + void (*set_transport)(tnccs_t *this, tnc_ift_type_t transport); + +}; + +/** * Constructor definition for a pluggable TNCCS protocol implementation. * * @param is_server TRUE if TNC Server, FALSE if TNC Client * @param server Server identity * @param peer Client identity + * @param transport Underlying TNC IF-T transport protocol used * @return implementation of the tnccs_t interface */ typedef tnccs_t *(*tnccs_constructor_t)(bool is_server, identification_t *server, - identification_t *peer); + identification_t *peer, + tnc_ift_type_t transport); /** * Callback function adding a message to a TNCCS batch diff --git a/src/libtnccs/tnc/tnccs/tnccs_manager.h b/src/libtnccs/tnc/tnccs/tnccs_manager.h index 812f40a29..4ab9d7e18 100644 --- a/src/libtnccs/tnc/tnccs/tnccs_manager.h +++ b/src/libtnccs/tnc/tnccs/tnccs_manager.h @@ -58,11 +58,13 @@ struct tnccs_manager_t { * @param is_server TRUE if TNC Server, FALSE if TNC Client * @param server Server identity * @param peer Client identity + * @param transport Underlying TNC IF-T transport protocol used * @return TNCCS protocol instance, NULL if no constructor found */ tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type, bool is_server, identification_t *server, - identification_t *peer); + identification_t *peer, + tnc_ift_type_t transport); /** * Create a TNCCS connection and assign a unique connection ID as well a |
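Review bot: The new enum tnc_ift_type_t has no enum_name_t counterpart, unlike tnccs_type_t directly above it (`extern enum_name_t *tnccs_type_names;`), so the transport cannot be logged with `%N` and tnc_tnccs_manager.c has to spell the names out in switch statements; add `extern enum_name_t *tnc_ift_type_names;` here with a matching ENUM definition in the source file. The enumerators are undocumented: per-value comments such as `/** transport not (yet) known */` for TNC_IFT_UNKNOWN, `/** IF-T for Tunneled EAP 1.0 / 1.1 / 2.0 */` and `/** IF-T for TLS 1.0 / 2.0 */` (the names get_attribute returns in this commit) would make the header self-explaining. In tnccs_t, get_transport lacks a `@return` and set_transport a `@param transport` line, and the `tls_t tls` member deserves `/** Implements tls_t; must remain the first member, callers cast tnccs_t* to tls_t* */` since tnccs_dynamic.c relies on exactly that. The `#include <tls.h>` introduces a libtnccs-to-libtls dependency, which is why the Makefile hunks add `-I$(top_srcdir)/src/libtls`; a short comment next to the include noting that tnccs_t embeds tls_t would explain it to the next reader.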