moved tnc_imv plugin to libtnccs thanks to recommendation callback function

author: Andreas Steffen <andreas.steffen@strongswan.org> 2013-08-08 19:43:43 +0200
committer: Andreas Steffen <andreas.steffen@strongswan.org> 2013-08-15 23:34:22 +0200
commit: 12b3db500606bcbd6fd2986463a4b1f37586bdbb (patch)
tree: 1c88258c3c8230dd65cca43448b6858a14f58af6 /src
parent: 9d8c28e2f5b23e3f1008e8ba064403834683e35a (diff)
download: strongswan-12b3db500606bcbd6fd2986463a4b1f37586bdbb.tar.bz2
strongswan-12b3db500606bcbd6fd2986463a4b1f37586bdbb.tar.xz
26 files changed, 154 insertions, 120 deletions
diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am
index 65e344a70..9c7f67690 100644
--- a/src/libcharon/Makefile.am
+++ b/src/libcharon/Makefile.am
@@ -385,13 +385,6 @@ if MONOLITHIC
 endif
 endif
 
-if USE_TNC_IMV
-  SUBDIRS += plugins/tnc_imv
-if MONOLITHIC
-  libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc-imv.la
-endif
-endif
-
 if USE_LIBTNCCS
 if MONOLITHIC
   # otherwise this library is linked to the respective plugins
diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c
index 839425d59..d14672e49 100644
--- a/src/libcharon/plugins/eap_tnc/eap_tnc.c
+++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c
@@ -22,6 +22,7 @@
 #include <daemon.h>
 
 #include <tncifimv.h>
+#include <tncif_names.h>
 
 /**
  * Maximum size of an EAP-TNC message
@@ -62,6 +63,63 @@ struct private_eap_tnc_t {
 
 };
 
+/**
+ * Callback function to get recommendation from TNCCS connection
+ */
+static bool enforce_recommendation(TNC_IMV_Action_Recommendation rec,
+								   TNC_IMV_Evaluation_Result eval)
+{
+	char *group;
+	identification_t *id;
+	ike_sa_t *ike_sa;
+	auth_cfg_t *auth;
+	bool no_access = FALSE;
+
+	DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
+		 TNC_IMV_Action_Recommendation_names, rec,
+		 TNC_IMV_Evaluation_Result_names, eval);
+
+	switch (rec)
+	{
+		case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+			group = "allow";
+			break;
+		case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+			group = "isolate";
+			break;
+		case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+		case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+		default:
+			group = "no access";
+			no_access = TRUE;
+			break;
+	}
+
+	ike_sa = charon->bus->get_sa(charon->bus);
+	if (!ike_sa)
+	{
+		DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA");
+		return FALSE;
+	}
+
+	id = ike_sa->get_other_id(ike_sa);
+	DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group);
+
+	if (no_access)
+	{
+		return FALSE;
+	}
+	else
+	{
+		auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+		id = identification_create_from_string(group);
+		auth->add(auth, AUTH_RULE_GROUP, id);
+		DBG1(DBG_TNC, "policy enforcement point added group membership '%s'",
+			 group);
+	}
+	return TRUE;
+}
+
 METHOD(eap_method_t, initiate, status_t,
 	private_eap_tnc_t *this, eap_payload_t **out)
 {
@@ -224,8 +282,9 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 		free(this);
 		return NULL;
 	}
-	this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server,
-											  server, peer, TNC_IFT_EAP_1_1);
+	this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type,
+						is_server, server, peer, TNC_IFT_EAP_1_1,
+						is_server ? enforce_recommendation : NULL);
 	this->tls_eap = tls_eap_create(EAP_TNC, &this->tnccs->tls,
 								   EAP_TNC_MAX_MESSAGE_LEN,
 								   max_msg_count, FALSE);
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
index 686df15c7..707b113e4 100644
--- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
+++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c
@@ -26,6 +26,9 @@
 
 #include <tnc/tnc.h>
 
+#include <tncifimv.h>
+#include <tncif_names.h>
+
 #include <daemon.h>
 #include <utils/debug.h>
 #include <pen/pen.h>
@@ -563,6 +566,19 @@ end:
 }
 
 /**
+ * Callback function to get recommendation from TNCCS connection
+ */
+static bool get_recommendation(TNC_IMV_Action_Recommendation rec,
+							   TNC_IMV_Evaluation_Result eval)
+{
+	DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
+		 TNC_IMV_Action_Recommendation_names, rec,
+		 TNC_IMV_Evaluation_Result_names, eval);
+
+	return TRUE;
+}
+
+/**
  * Get more data on a PT-TLS connection
  */
 static bool pt_tls_receive_more(pt_tls_server_t *this, int fd,
@@ -607,7 +623,8 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even
 	peer = identification_create_from_encoding(ID_ANY, chunk_empty),
 
 	tnccs = tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, TRUE,
-										this->server, peer, TNC_IFT_TLS_2_0);
+										this->server, peer, TNC_IFT_TLS_2_0,
+										(tnccs_cb_t)get_recommendation);
 	peer->destroy(peer);
 
 	if (!tnccs)
diff --git a/src/libtnccs/Makefile.am b/src/libtnccs/Makefile.am
index 8d618c3f8..d1f8825de 100644
--- a/src/libtnccs/Makefile.am
+++ b/src/libtnccs/Makefile.am
@@ -40,6 +40,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_TNC_IMV
+  SUBDIRS += plugins/tnc_imv
+if MONOLITHIC
+  libtnccs_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc-imv.la
+endif
+endif
+
 if USE_TNCCS_11
   SUBDIRS += plugins/tnccs_11
 if MONOLITHIC
diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc.c b/src/libtnccs/plugins/tnc_imc/tnc_imc.c
index cbecf14c7..7c52ab384 100644
--- a/src/libtnccs/plugins/tnc_imc/tnc_imc.c
+++ b/src/libtnccs/plugins/tnc_imc/tnc_imc.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2006 Mike McCauley
- * Copyright (C) 2010-2011 Andreas Steffen,
+ * Copyright (C) 2010-2013 Andreas Steffen,
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libtnccs/plugins/tnc_imv/Makefile.am
index 49efe3be4..0541d4c86 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.am
+++ b/src/libtnccs/plugins/tnc_imv/Makefile.am
@@ -1,7 +1,5 @@
 AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libstrongswan \
-	-I$(top_srcdir)/src/libhydra \
-	-I$(top_srcdir)/src/libcharon \
 	-I$(top_srcdir)/src/libtncif \
 	-I$(top_srcdir)/src/libtnccs \
 	-I$(top_srcdir)/src/libtls
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.c b/src/libtnccs/plugins/tnc_imv/tnc_imv.c
index ef0387d70..ebf904513 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv.c
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2006 Mike McCauley
- * Copyright (C) 2010-2011 Andreas Steffen,
+ * Copyright (C) 2010-2013 Andreas Steffen,
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -21,7 +20,6 @@
 #include <tncif_pa_subtypes.h>
 
 #include <utils/debug.h>
-#include <daemon.h>
 #include <library.h>
 #include <collections/linked_list.h>
 #include <threading/mutex.h>
@@ -300,7 +298,7 @@ METHOD(imv_t, destroy, void,
 	private_tnc_imv_t *this)
 {
 	if (this->handle && lib->settings->get_bool(lib->settings,
-		"%s.plugins.tnc-imv.dlclose", TRUE, charon->name))
+				"libtnccs.plugins.tnc-imv.dlclose", TRUE))
 	{
 		dlclose(this->handle);
 	}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.h b/src/libtnccs/plugins/tnc_imv/tnc_imv.h
index e7c7b8b4f..e7c7b8b4f 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv.h
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv.h
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c b/src/libtnccs/plugins/tnc_imv/tnc_imv_bind_function.c
index 36cdb7fbb..36cdb7fbb 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_bind_function.c
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c
index b950e3119..b4f131b5d 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2006 Mike McCauley
- * Copyright (C) 2010-2011 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -19,7 +18,6 @@
 #include "tnc_imv_recommendations.h"
 
 #include <tncifimv.h>
-#include <tncif_names.h>
 
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -28,7 +26,6 @@
 #include <errno.h>
 #include <fcntl.h>
 
-#include <daemon.h>
 #include <utils/debug.h>
 #include <threading/rwlock.h>
 #include <threading/mutex.h>
@@ -247,61 +244,6 @@ METHOD(imv_manager_t, create_recommendations, recommendations_t*,
 	return tnc_imv_recommendations_create(this->imvs);
 }
 
-METHOD(imv_manager_t, enforce_recommendation, bool,
-	private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec,
-									 TNC_IMV_Evaluation_Result eval)
-{
-	char *group;
-	identification_t *id;
-	ike_sa_t *ike_sa;
-	auth_cfg_t *auth;
-	bool no_access = FALSE;
-
-	DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
-		 TNC_IMV_Action_Recommendation_names, rec,
-		 TNC_IMV_Evaluation_Result_names, eval);
-
-	switch (rec)
-	{
-		case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
-			group = "allow";
-			break;
-		case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
-			group = "isolate";
-			break;
-		case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
-		case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
-		default:
-			group = "no access";
-			no_access = TRUE;
-			break;
-	}
-
-	ike_sa = charon->bus->get_sa(charon->bus);
-	if (!ike_sa)
-	{
-		DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA");
-		return FALSE;
-	}
-
-	id = ike_sa->get_other_id(ike_sa);
-	DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group);
-
-	if (no_access)
-	{
-		return FALSE;
-	}
-	else
-	{
-		auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
-		id = identification_create_from_string(group);
-		auth->add(auth, AUTH_RULE_GROUP, id);
-		DBG1(DBG_TNC, "policy enforcement point added group membership '%s'",
-			 group);
-	}
-	return TRUE;
-}
-
 
 METHOD(imv_manager_t, notify_connection_change, void,
 	private_tnc_imv_manager_t *this, TNC_ConnectionID id,
@@ -503,7 +445,6 @@ imv_manager_t* tnc_imv_manager_create(void)
 			.reserve_id = _reserve_id,
 			.get_recommendation_policy = _get_recommendation_policy,
 			.create_recommendations = _create_recommendations,
-			.enforce_recommendation = _enforce_recommendation,
 			.notify_connection_change = _notify_connection_change,
 			.set_message_types = _set_message_types,
 			.set_message_types_long = _set_message_types_long,
@@ -520,8 +461,7 @@ imv_manager_t* tnc_imv_manager_create(void)
 
 	policy = enum_from_name(recommendation_policy_names,
 				lib->settings->get_str(lib->settings,
-					"%s.plugins.tnc-imv.recommendation_policy", "default",
-					charon->name));
+					"libtnccs.plugins.tnc-imv.recommendation_policy", "default"));
 	this->policy = (policy != -1) ? policy : RECOMMENDATION_POLICY_DEFAULT;
 	DBG1(DBG_TNC, "TNC recommendation policy is '%N'",
 				   recommendation_policy_names, this->policy);
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.h
index 2fe9e7ae3..2fe9e7ae3 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.h
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.c
index d06c2fcaf..d06c2fcaf 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.c
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h
index afeee2ea2..afeee2ea2 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.c
index a9dbb2b9f..a9dbb2b9f 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.c
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h
index 66d03b2f8..66d03b2f8 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
+++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h
diff --git a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c
index 60f6bc3c1..b8683f78c 100644
--- a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c
+++ b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c
@@ -169,8 +169,8 @@ METHOD(tnccs_manager_t, remove_method, void,
 
 METHOD(tnccs_manager_t, create_instance, tnccs_t*,
 	private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server,
-	identification_t *server, identification_t *peer,
-	tnc_ift_type_t transport)
+	identification_t *server, identification_t *peer, tnc_ift_type_t transport,
+	tnccs_cb_t cb)
 {
 	enumerator_t *enumerator;
 	tnccs_entry_t *entry;
@@ -182,7 +182,7 @@ METHOD(tnccs_manager_t, create_instance, tnccs_t*,
 	{
 		if (type == entry->type)
 		{
-			protocol = entry->constructor(is_server, server, peer, transport);
+			protocol = entry->constructor(is_server, server, peer, transport, cb);
 			if (protocol)
 			{
 				break;
diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.c b/src/libtnccs/plugins/tnccs_11/tnccs_11.c
index b19a048fe..715586167 100644
--- a/src/libtnccs/plugins/tnccs_11/tnccs_11.c
+++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.c
@@ -121,6 +121,11 @@ struct private_tnccs_11_t {
 	 */
 	recommendations_t *recs;
 
+	/**
+	 * Callback function to communicate recommendation (TNC Server only)
+	 */
+	tnccs_cb_t callback;
+
 };
 
 METHOD(tnccs_t, send_msg, TNC_Result,
@@ -540,7 +545,7 @@ METHOD(tls_t, is_complete, bool,
 
 	if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
 	{
-		return tnc->imvs->enforce_recommendation(tnc->imvs, rec, eval);
+		return this->callback ? this->callback(rec, eval) : TRUE;
 	}
 	else
 	{
@@ -594,9 +599,8 @@ METHOD(tnccs_t, set_auth_type, void,
  * See header
  */
 tnccs_t* tnccs_11_create(bool is_server,
-						 identification_t *server,
-						 identification_t *peer,
-						 tnc_ift_type_t transport)
+						 identification_t *server, identification_t *peer,
+						 tnc_ift_type_t transport, tnccs_cb_t cb)
 {
 	private_tnccs_11_t *this;
 
@@ -622,6 +626,7 @@ tnccs_t* tnccs_11_create(bool is_server,
 		.server = server->clone(server),
 		.peer = peer->clone(peer),
 		.transport = transport,
+		.callback = cb,
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.max_msg_len = lib->settings->get_int(lib->settings,
 							"libtnccs.plugins.tnccs-11.max_message_size", 45000),
diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.h b/src/libtnccs/plugins/tnccs_11/tnccs_11.h
index 531ebb611..e805df8bb 100644
--- a/src/libtnccs/plugins/tnccs_11/tnccs_11.h
+++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.h
@@ -32,11 +32,11 @@
  * @param server		Server identity
  * @param peer			Client identity
  * @param transport		Underlying IF-T transport protocol
+ * @param cb			Callback function if TNC Server, NULL if TNC Client
  * @return				TNC_IF_TNCCS 1.1 protocol stack
  */
 tnccs_t* tnccs_11_create(bool is_server,
-						 identification_t *server,
-						 identification_t *peer,
-						 tnc_ift_type_t transport);
+						 identification_t *server, identification_t *peer,
+						 tnc_ift_type_t transport, tnccs_cb_t cb);
 
 #endif /** TNCCS_11_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.c b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
index 09900ade9..e5117e829 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20.c
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.c
@@ -131,6 +131,16 @@ struct private_tnccs_20_t {
 	 */
 	recommendations_t *recs;
 
+	/**
+	 * Callback function to communicate recommendation (TNC Server only)
+	 */
+	tnccs_cb_t callback;
+
+	/**
+	 * Data to pass to callback function (TNC Server only)
+	 */
+	void *cb_data;
+
 };
 
 /**
@@ -844,7 +854,7 @@ METHOD(tls_t, is_complete, bool,
 
 	if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
 	{
-		return tnc->imvs->enforce_recommendation(tnc->imvs, rec, eval);
+		return this->callback ? this->callback(rec, eval) : TRUE;
 	}
 	else
 	{
@@ -900,9 +910,8 @@ METHOD(tnccs_t, set_auth_type, void,
  * See header
  */
 tnccs_t* tnccs_20_create(bool is_server,
-						 identification_t *server,
-						 identification_t *peer,
-						 tnc_ift_type_t transport)
+						 identification_t *server, identification_t *peer,
+						 tnc_ift_type_t transport, tnccs_cb_t cb)
 {
 	private_tnccs_20_t *this;
 
@@ -928,6 +937,7 @@ tnccs_t* tnccs_20_create(bool is_server,
 		.server = server->clone(server),
 		.peer = peer->clone(peer),
 		.transport = transport,
+		.callback = cb,
 		.state_machine = pb_tnc_state_machine_create(is_server),
 		.mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 		.messages = linked_list_create(),
diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.h b/src/libtnccs/plugins/tnccs_20/tnccs_20.h
index 314935069..2857b1408 100644
--- a/src/libtnccs/plugins/tnccs_20/tnccs_20.h
+++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.h
@@ -32,11 +32,11 @@
  * @param server		Server identity
  * @param peer			Client identity
  * @param transport		Underlying IF-T transport protocol
+ * @param cb			Callback function if TNC Server, NULL if TNC Client
  * @return				TNC_IF_TNCCS 2.0 protocol stack
  */
 tnccs_t* tnccs_20_create(bool is_server,
-						 identification_t *server,
-						 identification_t *peer,
-						 tnc_ift_type_t transport);
+						 identification_t *server, identification_t *peer,
+						 tnc_ift_type_t transport, tnccs_cb_t cb);
 
 #endif /** TNCCS_20_H_ @}*/
diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c
index d4fc6a6f7..bc3112686 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c
+++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c
@@ -56,6 +56,11 @@ struct private_tnccs_dynamic_t {
 	 */
 	u_int32_t auth_type;
 
+	/**
+	 * Callback function to communicate recommendation (TNC Server only)
+	 */
+	tnccs_cb_t callback;
+
 };
 
 /**
@@ -99,7 +104,8 @@ METHOD(tls_t, process, status_t,
 		DBG1(DBG_TNC, "%N protocol detected dynamically",
 					   tnccs_type_names, type);
 		tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE,
-							this->server, this->peer, this->transport);
+							this->server, this->peer, this->transport,
+							this->callback);
 		if (!tnccs)
 		{
 			DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);
@@ -190,9 +196,8 @@ METHOD(tnccs_t, set_auth_type, void,
  * See header
  */
 tnccs_t* tnccs_dynamic_create(bool is_server,
-							  identification_t *server,
-							  identification_t *peer,
-							  tnc_ift_type_t transport)
+							  identification_t *server, identification_t *peer,
+							  tnc_ift_type_t transport, tnccs_cb_t cb)
 {
 	private_tnccs_dynamic_t *this;
 
@@ -217,6 +222,7 @@ tnccs_t* tnccs_dynamic_create(bool is_server,
 		.server = server->clone(server),
 		.peer = peer->clone(peer),
 		.transport = transport,
+		.callback = cb,
 	);
 
 	return &this->public;
diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h
index e4cff74b8..cbdc80b83 100644
--- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h
+++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h
@@ -32,11 +32,11 @@
  * @param server		Server identity
  * @param peer			Client identity
  * @param transport		Underlying IF-T transport protocol
+ * @param cb			Callback function if TNC Server, NULL if TNC Client
  * @return				dynamic TNC IF-TNCCS protocol stack
  */
 tnccs_t* tnccs_dynamic_create(bool is_server,
-							  identification_t *server,
-							  identification_t *peer,
-							  tnc_ift_type_t transport);
+							  identification_t *server, identification_t *peer,
+							  tnc_ift_type_t transport, tnccs_cb_t cb);
 
 #endif /** TNCCS_DYNAMIC_H_ @}*/
diff --git a/src/libtnccs/tnc/imv/imv_manager.h b/src/libtnccs/tnc/imv/imv_manager.h
index 7772b7e08..b72eb8bf7 100644
--- a/src/libtnccs/tnc/imv/imv_manager.h
+++ b/src/libtnccs/tnc/imv/imv_manager.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -114,18 +114,6 @@ struct imv_manager_t {
 	recommendations_t* (*create_recommendations)(imv_manager_t *this);
 
 	/**
-	 * Enforce the TNC recommendation on the IKE_SA by either inserting an
-	 * allow|isolate group membership rule (TRUE) or by blocking access (FALSE)
-	 *
-	 * @param rec				TNC action recommendation
-	 * @param eval				TNC evaluation result
-	 * @return					TRUE for allow|isolate, FALSE for none
-	 */
-	bool (*enforce_recommendation)(imv_manager_t *this,
-								   TNC_IMV_Action_Recommendation rec,
-								   TNC_IMV_Evaluation_Result eval);
-
-	/**
 	 * Notify all IMV instances
 	 *
 	 * @param state			communicate the state a connection has reached
diff --git a/src/libtnccs/tnc/tnccs/tnccs.h b/src/libtnccs/tnc/tnccs/tnccs.h
index fd3e5cabb..b1ac0906c 100644
--- a/src/libtnccs/tnc/tnccs/tnccs.h
+++ b/src/libtnccs/tnc/tnccs/tnccs.h
@@ -38,6 +38,17 @@ typedef enum tnc_ift_type_t tnc_ift_type_t;
 #include <tls.h>
 
 /**
+ * Callback function to communicate action recommendation and evaluation result
+ * generated by TNC server
+ *
+ * @param rec		TNC Action Recommendation
+ * @param eval		TNC Evaluation Result
+ * @return			TRUE to terminate TNCCS connection, FALSE to keep it
+ */
+typedef bool (*tnccs_cb_t)(TNC_IMV_Action_Recommendation rec,
+						   TNC_IMV_Evaluation_Result eval);
+
+/**
  * Type of TNC Client/Server protocol
  */
 enum tnccs_type_t {
@@ -112,12 +123,14 @@ struct tnccs_t {
  * @param server		Server identity
  * @param peer			Client identity
  * @param transport		Underlying TNC IF-T transport protocol used
+ * @param cb			Callback function if TNC Server, NULL if TNC Client
  * @return				implementation of the tnccs_t interface
  */
 typedef tnccs_t *(*tnccs_constructor_t)(bool is_server,
 										identification_t *server,
 										identification_t *peer,
-										tnc_ift_type_t transport);
+										tnc_ift_type_t transport,
+										tnccs_cb_t cb);
 
 /**
  * Callback function adding a message to a TNCCS batch
diff --git a/src/libtnccs/tnc/tnccs/tnccs_manager.h b/src/libtnccs/tnc/tnccs/tnccs_manager.h
index 4ab9d7e18..791336ee1 100644
--- a/src/libtnccs/tnc/tnccs/tnccs_manager.h
+++ b/src/libtnccs/tnc/tnccs/tnccs_manager.h
@@ -59,12 +59,13 @@ struct tnccs_manager_t {
 	 * @param server	  Server identity
 	 * @param peer		  Client identity
 	 * @param transport	  Underlying TNC IF-T transport protocol used
+	 * @param cb		  Callback function if TNC Server, NULL if TNC Client
 	 * @return			  TNCCS protocol instance, NULL if no constructor found
 	 */
 	tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type,
 								bool is_server, identification_t *server,
 								identification_t *peer,
-								tnc_ift_type_t transport);
+								tnc_ift_type_t transport, tnccs_cb_t cb);
 
 	/**
 	 * Create a TNCCS connection and assign a unique connection ID as well a
diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c
index 2b104f8d5..09b42b6fe 100644
--- a/src/pt-tls-client/pt-tls-client.c
+++ b/src/pt-tls-client/pt-tls-client.c
@@ -59,7 +59,7 @@ static int client(char *address, u_int16_t port, char *identity)
 	server = identification_create_from_string(address);
 	client = identification_create_from_string(identity);
 	tnccs = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, FALSE,
-												server, client, TNC_IFT_TLS_2_0);
+								server, client, TNC_IFT_TLS_2_0, NULL);
 	if (!tnccs)
 	{
 		fprintf(stderr, "loading TNCCS failed: %s\n", PLUGINS);
author	Andreas Steffen <andreas.steffen@strongswan.org>	2013-08-08 19:43:43 +0200
committer	Andreas Steffen <andreas.steffen@strongswan.org>	2013-08-15 23:34:22 +0200
commit	12b3db500606bcbd6fd2986463a4b1f37586bdbb (patch)
tree	1c88258c3c8230dd65cca43448b6858a14f58af6 /src
parent	9d8c28e2f5b23e3f1008e8ba064403834683e35a (diff)
download	strongswan-12b3db500606bcbd6fd2986463a4b1f37586bdbb.tar.bz2 strongswan-12b3db500606bcbd6fd2986463a4b1f37586bdbb.tar.xz