authorAndreas Steffen <andreas.steffen@strongswan.org>2016-02-16 18:00:27 +0100
committerAndreas Steffen <andreas.steffen@strongswan.org>2016-02-16 18:00:27 +0100
commit4d83c5b4a6bcbf6a6426d7ba79fac4494ab36329 (patch)
tree89f4416c6942a8fe9b6b2fde4555a8684feab1e4 /src/libtnccs/plugins
parent70934d94367d485cb599071671941b5d0c5c19fb (diff)
Fix of the mutual TNC measurement use case
If the IKEv2 initiator acting as a TNC server receives invalid TNC measurements from the IKEv2 responder acting as a TNC client, the exchange of PB-TNC batches is continued until the IKEv2 responder acting as a TNC server has also finished its TNC measurements. In the past, if these measurements in the other direction were correct, the IKEv2 responder acting as EAP server declared the IKEv2 EAP authentication successful and the IPsec connection was established even though the TNC measurement verification on the EAP peer side had failed. The fix adds an "allow" group membership on each endpoint if the corresponding TNC measurements of the peer are successful. By requiring an "allow" group membership in the IKEv2 connection definition, the IPsec connection succeeds only if the TNC measurements on both sides are valid.
Diffstat (limited to 'src/libtnccs/plugins')
-rw-r--r--src/libtnccs/plugins/tnccs_20/tnccs_20.c38
1 files changed, 19 insertions, 19 deletions
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.c b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
index a1a95733f..35d297842 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20.c
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
@@ -126,6 +126,24 @@ struct private_tnccs_20_t {
};
+METHOD(tls_t, is_complete, bool,
+ private_tnccs_20_t *this)
+{
+ TNC_IMV_Action_Recommendation rec;
+ TNC_IMV_Evaluation_Result eval;
+ tnccs_20_server_t *tnc_server;
+
+ if (this->tnc_server)
+ {
+ tnc_server = (tnccs_20_server_t*)this->tnc_server;
+ if (tnc_server->have_recommendation(tnc_server, &rec, &eval))
+ {
+ return this->callback ? this->callback(rec, eval) : TRUE;
+ }
+ }
+ return FALSE;
+}
+
METHOD(tnccs_t, send_msg, TNC_Result,
private_tnccs_20_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id,
TNC_UInt32 msg_flags,
@@ -269,6 +287,7 @@ METHOD(tls_t, process, status_t,
/* Suppress a successful CLOSE batch coming from the TNC server */
if (status == SUCCESS)
{
+ is_complete(this);
status = NEED_MORE;
}
}
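Review bot: The added `is_complete(this);` discards the bool result, so the line reads like a predicate check that does nothing, when its purpose here is evidently the side effect of running `this->callback` with the server's recommendation once the successful CLOSE batch from the TNC server arrives (the callback's effect is not visible in this hunk; the commit message suggests it records the "allow" group). Make that intent explicit, e.g. `/* Deliver the IMV recommendation to the callback now; the CLOSE batch itself is suppressed below, so this is the last chance to report the verdict */` followed by `(void)is_complete(this);`. Note that a FALSE return (no recommendation yet, or a callback that declines) is silently dropped here and the exchange still continues with NEED_MORE; if that is intended, the comment should say so, since a reader would otherwise expect the outcome to influence the status. The enclosing `process` method starts and ends outside this hunk, and `is_complete` is defined in the earlier hunk of this file.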
@@ -359,25 +378,6 @@ METHOD(tls_t, get_purpose, tls_purpose_t,
return TLS_PURPOSE_EAP_TNC;
}
-METHOD(tls_t, is_complete, bool,
- private_tnccs_20_t *this)
-{
- TNC_IMV_Action_Recommendation rec;
- TNC_IMV_Evaluation_Result eval;
-
- if (this->tnc_server)
- {
- tnccs_20_server_t *tnc_server;
-
- tnc_server = (tnccs_20_server_t*)this->tnc_server;
- if (tnc_server->have_recommendation(tnc_server, &rec, &eval))
- {
- return this->callback ? this->callback(rec, eval) : TRUE;
- }
- }
- return FALSE;
-}
-
METHOD(tls_t, get_eap_msk, chunk_t,
private_tnccs_20_t *this)
{