diff options
author | Andreas Steffen <andreas.steffen@strongswan.org> | 2013-03-03 17:18:09 +0100 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2013-03-03 17:18:09 +0100 |
commit | c88104aa25da002eb98345a97a70ee8bd43b0803 (patch) | |
tree | 93110a1712e9c1a23f03af27dba45eb273dd02dd | |
parent | 1fc609fed32c02467e7ea47f9f5538f51adff099 (diff) | |
download | strongswan-c88104aa25da002eb98345a97a70ee8bd43b0803.tar.bz2 strongswan-c88104aa25da002eb98345a97a70ee8bd43b0803.tar.xz |
make TNC Access Requestor ID available to IMVs
-rw-r--r-- | src/libimcv/imv/imv_agent.c | 27 | ||||
-rw-r--r-- | src/libimcv/imv/imv_agent.h | 7 | ||||
-rw-r--r-- | src/libimcv/plugins/imv_os/imv_os.c | 2 | ||||
-rw-r--r-- | src/libimcv/plugins/imv_os/imv_os_database.c | 48 | ||||
-rw-r--r-- | src/libimcv/plugins/imv_os/imv_os_database.h | 4 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/attest_db.c | 42 | ||||
-rw-r--r-- | src/libpts/plugins/imv_attestation/tables.sql | 12 | ||||
-rw-r--r-- | src/libstrongswan/utils/identification.c | 24 | ||||
-rw-r--r-- | src/libstrongswan/utils/identification.h | 6 |
9 files changed, 130 insertions, 42 deletions
diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c index 78e584dfb..2eec0ecde 100644 --- a/src/libimcv/imv/imv_agent.c +++ b/src/libimcv/imv/imv_agent.c @@ -73,6 +73,11 @@ struct private_imv_agent_t { rwlock_t *connection_lock; /** + * Access Requestor ID + */ + identification_t *ar_id; + + /** * Inform a TNCS about the set of message types the IMV is able to receive * * @param imv_id IMV ID assigned by TNCS @@ -445,7 +450,6 @@ METHOD(imv_agent_t, create_state, TNC_Result, int tcg_id_type, tcg_subject_type, tcg_auth_type; chunk_t id_value; id_type_t ike_type; - identification_t *id; id_type = tnc_id->get_identity_type(tnc_id); id_value = tnc_id->get_identity_value(tnc_id); @@ -468,12 +472,14 @@ METHOD(imv_agent_t, create_state, TNC_Result, ike_type = ID_IPV6_ADDR; break; case TNC_ID_FQDN: - case TNC_ID_USER_NAME: ike_type = ID_FQDN; break; case TNC_ID_RFC822_ADDR: ike_type = ID_RFC822_ADDR; break; + case TNC_ID_USER_NAME: + ike_type = ID_USER_ID; + break; case TNC_ID_DER_ASN1_DN: ike_type = ID_DER_ASN1_DN; break; @@ -486,11 +492,10 @@ METHOD(imv_agent_t, create_state, TNC_Result, break; } - id = identification_create_from_encoding(ike_type, id_value); - DBG2(DBG_IMV, "%N identity '%Y' authenticated by %N", - TNC_Subject_names, tcg_subject_type, id, - TNC_Authentication_names, tcg_auth_type); - id->destroy(id); + this->ar_id = identification_create_from_encoding(ike_type, id_value); + DBG2(DBG_IMV, " %N AR identity '%Y' authenticated by %N", + TNC_Subject_names, tcg_subject_type, this->ar_id, + TNC_Authentication_names, tcg_auth_type); } enumerator->destroy(enumerator); @@ -593,6 +598,12 @@ METHOD(imv_agent_t, get_id, TNC_IMVID, return this->id; } +METHOD(imv_agent_t, get_ar_id, identification_t*, + private_imv_agent_t *this) +{ + return this->ar_id; +} + METHOD(imv_agent_t, reserve_additional_ids, TNC_Result, private_imv_agent_t *this, int count) { @@ -782,6 +793,7 @@ METHOD(imv_agent_t, destroy, void, private_imv_agent_t *this) { DBG1(DBG_IMV, "IMV %u \"%s\" terminated", this->id, this->name); + DESTROY_IF(this->ar_id); this->additional_ids->destroy(this->additional_ids); this->connections->destroy_offset(this->connections, offsetof(imv_state_t, destroy)); @@ -816,6 +828,7 @@ imv_agent_t *imv_agent_create(const char *name, .get_state = _get_state, .get_name = _get_name, .get_id = _get_id, + .get_ar_id = _get_ar_id, .reserve_additional_ids = _reserve_additional_ids, .count_additional_ids = _count_additional_ids, .create_id_enumerator = _create_id_enumerator, diff --git a/src/libimcv/imv/imv_agent.h b/src/libimcv/imv/imv_agent.h index 4d0716f90..737caa173 100644 --- a/src/libimcv/imv/imv_agent.h +++ b/src/libimcv/imv/imv_agent.h @@ -152,6 +152,13 @@ struct imv_agent_t { TNC_IMVID (*get_id)(imv_agent_t *this); /** + * Get Access Requestor ID + * + * return Access Requestor ID + */ + identification_t* (*get_ar_id)(imv_agent_t *this); + + /** * Reserve additional IMV IDs from TNCS * * @param count number of additional IMV IDs to be assigned diff --git a/src/libimcv/plugins/imv_os/imv_os.c b/src/libimcv/plugins/imv_os/imv_os.c index ecc6cfc4f..68b14abfb 100644 --- a/src/libimcv/plugins/imv_os/imv_os.c +++ b/src/libimcv/plugins/imv_os/imv_os.c @@ -390,7 +390,7 @@ static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg) device_id = os_state->get_device_id(os_state); if (os_db && device_id) { - os_db->set_device_info(os_db, device_id, + os_db->set_device_info(os_db, device_id, imv_os->get_ar_id(imv_os), os_state->get_info(os_state, NULL, NULL, NULL), count, count_update, count_blacklist, os_settings); } diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c index c6db9953f..730099af4 100644 --- a/src/libimcv/plugins/imv_os/imv_os_database.c +++ b/src/libimcv/plugins/imv_os/imv_os_database.c @@ -214,12 +214,14 @@ METHOD(imv_os_database_t, get_device_id, int, } METHOD(imv_os_database_t, set_device_info, void, - private_imv_os_database_t *this, int device_id, char *os_info, - int count, int count_update, int count_blacklist, u_int flags) + private_imv_os_database_t *this, int device_id, identification_t *ar_id, + char *os_info, int count, int count_update, int count_blacklist, + u_int flags) { enumerator_t *e; time_t last_time; - int pid = 0, last_pid = 0, last_count_update = 0, last_count_blacklist = 0; + int pid = 0, last_pid = 0, iid = 0, last_iid; + int last_count_update = 0, last_count_blacklist = 0; u_int last_flags; bool found = FALSE; @@ -233,26 +235,47 @@ METHOD(imv_os_database_t, set_device_info, void, e->destroy(e); } - /* if OS ifo string has not been found - register it */ + /* if OS info string has not been found - register it */ if (!pid) { this->db->execute(this->db, &pid, "INSERT INTO products (name) VALUES (?)", DB_TEXT, os_info); } + /* get primary key of AR identity if it exists */ + e = this->db->query(this->db, + "SELECT id FROM identities WHERE type = ? AND data = ?", + DB_INT, ar_id->get_type(ar_id), + DB_BLOB, ar_id->get_encoding(ar_id), DB_INT); + if (e) + { + e->enumerate(e, &iid); + e->destroy(e); + } + + /* if AR identity has not been found - register it */ + if (!iid) + { + this->db->execute(this->db, &iid, + "INSERT INTO identities (type, data) VALUES (?, ?)", + DB_INT, ar_id->get_type(ar_id), + DB_BLOB, ar_id->get_encoding(ar_id)); + } + /* get latest device info record if it exists */ e = this->db->query(this->db, - "SELECT time, product, count_update, count_blacklist, flags " + "SELECT time, ar_id, product, count_update, count_blacklist, flags " "FROM device_infos WHERE device = ? ORDER BY time DESC", - DB_INT, device_id, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT); + DB_INT, device_id, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_UINT); if (e) { - found = e->enumerate(e, &last_time, &last_pid, &last_count_update, - &last_count_blacklist, &last_flags); + found = e->enumerate(e, &last_time, &last_iid, &last_pid, + &last_count_update, &last_count_blacklist, + &last_flags); e->destroy(e); } if (found && !last_count_update && !last_count_blacklist && !last_flags && - pid == last_pid) + iid == last_iid && pid == last_pid) { /* update device info */ this->db->execute(this->db, NULL, @@ -266,9 +289,10 @@ METHOD(imv_os_database_t, set_device_info, void, { /* insert device info */ this->db->execute(this->db, NULL, - "INSERT INTO device_infos (device, time, product, count, " - "count_update, count_blacklist, flags) VALUES (?, ?, ?, ?, ?, ?, ?)", - DB_INT, device_id, DB_UINT, time(NULL), DB_INT, pid, + "INSERT INTO device_infos (device, time, ar_id, product, count, " + "count_update, count_blacklist, flags) " + "VALUES (?, ?, ?, ?, ?, ?, ?, ?)", + DB_INT, device_id, DB_UINT, time(NULL), DB_INT, iid, DB_INT, pid, DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist, DB_UINT, flags); } diff --git a/src/libimcv/plugins/imv_os/imv_os_database.h b/src/libimcv/plugins/imv_os/imv_os_database.h index b5e1b6583..790467f33 100644 --- a/src/libimcv/plugins/imv_os/imv_os_database.h +++ b/src/libimcv/plugins/imv_os/imv_os_database.h @@ -52,13 +52,15 @@ struct imv_os_database_t { * Set health infos for a given device * * @param device_id Device ID primary key + * @param ar_id Access Requestor ID * @param os_info OS info string * @param count Number of installed packages * @param count_update Number of packages to be updated * @param count_blacklist Number of blacklisted packages * @param flags Various flags, e.g. illegal OS settings */ - void (*set_device_info)(imv_os_database_t *this, int device_id, char *os_info, + void (*set_device_info)(imv_os_database_t *this, int device_id, + identification_t *ar_id, char *os_info, int count, int count_update, int count_blacklist, u_int flags); diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c index 91e9766d0..5885e26a1 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.c +++ b/src/libpts/plugins/imv_attestation/attest_db.c @@ -804,26 +804,29 @@ METHOD(attest_db_t, list_components, void, METHOD(attest_db_t, list_devices, void, private_attest_db_t *this) { - enumerator_t *e; - chunk_t value; + enumerator_t *e, *e_ar; + chunk_t value, ar_data; char *product; time_t timestamp; - int id, last_id = 0, device_count = 0; + int id, last_id = 0, iid = 0, last_iid = 0, device_count = 0; int count, count_update, count_blacklist; + id_type_t ar_type; + identification_t *ar_id = NULL; u_int tstamp, flags = 0; e = this->db->query(this->db, "SELECT d.id, d.value, i.time, i.count, i.count_update, " - "i.count_blacklist, i.flags, p.name FROM devices AS d " + "i.count_blacklist, i.flags, i.ar_id, p.name FROM devices AS d " "JOIN device_infos AS i ON d.id = i.device " "JOIN products AS p ON p.id = i.product " "ORDER BY d.value, i.time DESC", - DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, DB_TEXT); + DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, + DB_INT, DB_TEXT); if (e) { while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update, - &count_blacklist, &flags, &product)) + &count_blacklist, &flags, &iid, &product)) { if (id != last_id) { @@ -832,10 +835,35 @@ METHOD(attest_db_t, list_devices, void, last_id = id; } timestamp = tstamp; - printf(" %T, %4d, %3d, %3d, %1u, '%s'\n", ×tamp, this->utc, + printf(" %T, %4d, %3d, %3d, %1u, '%s'", ×tamp, this->utc, count, count_update, count_blacklist, flags, product); + if (iid) + { + if (iid != last_iid) + { + DESTROY_IF(ar_id); + ar_id = NULL; + + e_ar = this->db->query(this->db, + "SELECT type, data FROM identities " + "WHERE id = ?", DB_INT, iid, DB_INT, DB_BLOB); + if (e_ar->enumerate(e_ar, &ar_type, &ar_data)) + { + ar_id = identification_create_from_encoding(ar_type, + ar_data); + } + e_ar->destroy(e_ar); + } + if (ar_id) + { + printf(" %Y", ar_id); + } + } + printf("\n"); } e->destroy(e); + DESTROY_IF(ar_id); + printf("%d device%s found\n", device_count, (device_count == 1) ? "" : "s"); } diff --git a/src/libpts/plugins/imv_attestation/tables.sql b/src/libpts/plugins/imv_attestation/tables.sql index 8a79ea7cf..0c038d365 100644 --- a/src/libpts/plugins/imv_attestation/tables.sql +++ b/src/libpts/plugins/imv_attestation/tables.sql @@ -126,13 +126,21 @@ CREATE INDEX devices_value ON devices ( DROP TABLE IF EXISTS device_infos; CREATE TABLE device_infos ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, device INTEGER NOT NULL, time INTEGER NOT NULL, + ar_id INTEGER DEFAULT 0, product INTEGER DEFAULT 0, count INTEGER DEFAULT 0, count_update INTEGER DEFAULT 0, count_blacklist INTEGER DEFAULT 0, - flags INTEGER DEFAULT 0, - PRIMARY KEY (device, time) + flags INTEGER DEFAULT 0 ); +DROP TABLE IF EXISTS identities; +CREATE TABLE identities ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + type INTEGER NOT NULL, + data BLOB NOT NULL, + UNIQUE (type, data) +); diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 2669c2da6..4176320dc 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -49,10 +49,10 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID, "ID_DER_ASN1_DN", "ID_DER_ASN1_GN", "ID_KEY_ID"); -ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID, +ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_USER_ID, ID_KEY_ID, "ID_DER_ASN1_GN_URI", - "ID_MYID"); -ENUM_END(id_type_names, ID_MYID); + "ID_USER_ID"); +ENUM_END(id_type_names, ID_USER_ID); /** * coding of X.501 distinguished name @@ -790,6 +790,7 @@ int identification_printf_hook(printf_hook_data_t *data, case ID_FQDN: case ID_RFC822_ADDR: case ID_DER_ASN1_GN_URI: + case ID_USER_ID: chunk_printable(this->encoded, &proper, '?'); snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr); chunk_free(&proper); @@ -812,9 +813,6 @@ int identification_printf_hook(printf_hook_data_t *data, snprintf(buf, sizeof(buf), "%#B", &this->encoded); } break; - case ID_MYID: - snprintf(buf, sizeof(buf), "%%myid"); - break; default: snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type); break; @@ -873,6 +871,7 @@ static private_identification_t *identification_create(id_type_t type) break; case ID_FQDN: case ID_RFC822_ADDR: + case ID_USER_ID: this->public.matches = _matches_string; this->public.equals = _equals_strcasecmp; this->public.contains_wildcards = _contains_wildcards_memchr; @@ -1023,9 +1022,16 @@ identification_t * identification_create_from_data(chunk_t data) { char buf[data.len + 1]; - /* use string constructor */ - snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr); - return identification_create_from_string(buf); + if (is_asn1(data)) + { + return identification_create_from_encoding(ID_DER_ASN1_DN, data); + } + else + { + /* use string constructor */ + snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr); + return identification_create_from_string(buf); + } } /* diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h index cdf229127..00d740765 100644 --- a/src/libstrongswan/utils/identification.h +++ b/src/libstrongswan/utils/identification.h @@ -126,14 +126,14 @@ enum id_type_t { ID_KEY_ID = 11, /** - * private type which represents a GeneralName of type URI + * Private ID type which represents a GeneralName of type URI */ ID_DER_ASN1_GN_URI = 201, /** - * Private ID used by the pluto daemon for opportunistic encryption + * Private ID type which represents a user ID */ - ID_MYID = 203, + ID_USER_ID = 202 }; /** |