author | Andreas Steffen <andreas.steffen@strongswan.org> | 2012-10-31 21:58:21 +0100 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2012-10-31 21:58:21 +0100 |
commit | ffd3556badd736a97f33756e35f25ee6264ec486 (patch) | |
tree | cecabcd858d47136ed1684e0cb44d8100c7b12c6 /src | |
parent | 9901207a0976de8ebe102c2b94fa78de4526466d (diff) | |
download | strongswan-ffd3556badd736a97f33756e35f25ee6264ec486.tar.bz2 strongswan-ffd3556badd736a97f33756e35f25ee6264ec486.tar.xz |
scanner imc/imv pair uses IETF VPN PA-TNC message subtype
Diffstat (limited to 'src')
-rw-r--r-- | src/libimcv/plugins/imc_scanner/imc_scanner.c | 91 | ||||
-rw-r--r-- | src/libimcv/plugins/imv_scanner/imv_scanner.c | 29 | ||||
-rw-r--r-- | src/libtncif/tncif_pa_subtypes.c | 7 | ||||
-rw-r--r-- | src/libtncif/tncif_pa_subtypes.h | 1 |
4 files changed, 109 insertions, 19 deletions
diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner.c b/src/libimcv/plugins/imc_scanner/imc_scanner.c
index 5c7985e52..8e843a2ce 100644
--- a/src/libimcv/plugins/imc_scanner/imc_scanner.c
+++ b/src/libimcv/plugins/imc_scanner/imc_scanner.c
@@ -18,6 +18,7 @@
 #include <imc/imc_agent.h>
 #include <imc/imc_msg.h>
 #include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
 #include <ietf/ietf_attr_port_filter.h>
 #include <tncif_pa_subtypes.h>
@@ -33,7 +34,7 @@ static const char imc_name[] = "Scanner";
 static pen_type_t msg_types[] = {
- { PEN_ITA, PA_SUBTYPE_ITA_SCANNER }
+ { PEN_IETF, PA_SUBTYPE_IETF_VPN }
 };
 static imc_agent_t *imc_scanner;
@@ -227,7 +228,10 @@ end:
 return success;
 }
-static TNC_Result send_message(imc_msg_t *out_msg)
+/**
+ * Add IETF Port Filter attribute to the send queue
+ */
+static TNC_Result add_port_filter(imc_msg_t *msg)
 {
 pa_tnc_attr_t *attr;
 ietf_attr_port_filter_t *attr_port_filter;
@@ -240,10 +244,9 @@ static TNC_Result send_message(imc_msg_t *out_msg)
 attr->destroy(attr);
 return TNC_RESULT_FATAL;
 }
- out_msg->add_attribute(out_msg, attr);
+ msg->add_attribute(msg, attr);
- /* send PA-TNC message with the excl flag not set */
- return out_msg->send(out_msg, FALSE);
+ return TNC_RESULT_SUCCESS;
 }
 /**
@@ -254,7 +257,7 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 {
 imc_state_t *state;
 imc_msg_t *out_msg;
- TNC_Result result;
+ TNC_Result result = TNC_RESULT_SUCCESS;
 if (!imc_scanner)
 {
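Review bot: The new header comment on `add_port_filter` (hunk `@@ -227,7 +228,10 @@`) says what the function does but not what its return value means, although both new callers in this commit branch on it; I would extend it with `@param msg PA-TNC message the Port Filter attribute is appended to` and `@return TNC_RESULT_SUCCESS if the attribute was added, TNC_RESULT_FATAL if it could not be built (nothing is added)`. The second claim follows from the visible failure path in `@@ -240,10 +244,9 @@`, where `attr->destroy(attr); return TNC_RESULT_FATAL;` runs before `msg->add_attribute(msg, attr);`, but the call that fails is outside the hunk, so the wording should be checked against the full body. The body of add_port_filter continues past this hunk.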
@@ -265,17 +268,30 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
 {
 return TNC_RESULT_FATAL;
 }
- out_msg = imc_msg_create(imc_scanner, state, connection_id, imc_id,
- TNC_IMVID_ANY, msg_types[0]);
- result = send_message(out_msg);
- out_msg->destroy(out_msg);
+ if (lib->settings->get_bool(lib->settings,
+ "libimcv.plugins.imc-scanner.send_ports", TRUE))
+ {
+ out_msg = imc_msg_create(imc_scanner, state, connection_id, imc_id,
+ TNC_IMVID_ANY, msg_types[0]);
+ result = add_port_filter(out_msg);
+ if (result == TNC_RESULT_SUCCESS)
+ {
+ /* send PA-TNC message with the excl flag not set */
+ result = out_msg->send(out_msg, FALSE);
+ }
+ out_msg->destroy(out_msg);
+ }
 return result;
 }
 static TNC_Result receive_message(imc_msg_t *in_msg)
 {
- TNC_Result result;
+ imc_msg_t *out_msg;
+ enumerator_t *enumerator;
+ pa_tnc_attr_t *attr;
+ pen_type_t attr_type;
+ TNC_Result result = TNC_RESULT_SUCCESS;
 bool fatal_error = FALSE;
 /* parse received PA-TNC message and handle local and remote errors */
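Review bot: The new setting `libimcv.plugins.imc-scanner.send_ports` is read in TNC_IMC_BeginHandshake without any comment on what it controls, and its default of TRUE means the host's open-port list is pushed to every IMV at handshake start. I would add above the `if`: `/* send_ports (default TRUE): push the IETF Port Filter attribute unsolicited at handshake start; an IMV can still request it explicitly via an IETF Attribute Request (see receive_message) */`, since the following hunk answers such requests regardless of this setting. Also worth stating there is that `result` stays TNC_RESULT_SUCCESS when the setting is FALSE, so the IMC reports success while sending nothing, which looks intended. This hunk also opens receive_message, whose body continues past it.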
@@ -284,7 +300,58 @@ static TNC_Result receive_message(imc_msg_t *in_msg)
 {
 return result;
 }
- return fatal_error ? TNC_RESULT_FATAL : TNC_RESULT_SUCCESS;
+ out_msg = imc_msg_create_as_reply(in_msg);
+
+ /* analyze PA-TNC attributes */
+ enumerator = in_msg->create_attribute_enumerator(in_msg);
+ while (enumerator->enumerate(enumerator, &attr))
+ {
+ attr_type = attr->get_type(attr);
+
+ if (attr_type.vendor_id != PEN_IETF)
+ {
+ continue;
+ }
+ if (attr_type.type == IETF_ATTR_ATTRIBUTE_REQUEST)
+ {
+ ietf_attr_attr_request_t *attr_cast;
+ pen_type_t *entry;
+ enumerator_t *e;
+
+ attr_cast = (ietf_attr_attr_request_t*)attr;
+
+ e = attr_cast->create_enumerator(attr_cast);
+ while (e->enumerate(e, &entry))
+ {
+ if (entry->vendor_id != PEN_IETF)
+ {
+ continue;
+ }
+ switch (entry->type)
+ {
+ case IETF_ATTR_PORT_FILTER:
+ result = add_port_filter(out_msg);
+ break;
+ default:
+ break;
+ }
+ }
+ e->destroy(e);
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (fatal_error)
+ {
+ result = TNC_RESULT_FATAL;
+ }
+ else if (result == TNC_RESULT_SUCCESS)
+ {
+ result = out_msg->send(out_msg, TRUE);
+ }
+ out_msg->destroy(out_msg);
+
+ return result;
 }
 /**
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner.c b/src/libimcv/plugins/imv_scanner/imv_scanner.c
index 1705d3008..96ad5c68b 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner.c
@@ -18,6 +18,7 @@
 #include <imv/imv_agent.h>
 #include <imv/imv_msg.h>
 #include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
 #include <ietf/ietf_attr_pa_tnc_error.h>
 #include <ietf/ietf_attr_port_filter.h>
@@ -34,7 +35,7 @@ static const char imv_name[] = "Scanner";
 static pen_type_t msg_types[] = {
- { PEN_ITA, PA_SUBTYPE_ITA_SCANNER }
+ { PEN_IETF, PA_SUBTYPE_IETF_VPN }
 };
 static imv_agent_t *imv_scanner;
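Review bot: In receive_message the IETF_ATTR_PORT_FILTER request is answered by `result = add_port_filter(out_msg);` unconditionally, so the `send_ports` setting consulted in TNC_IMC_BeginHandshake does not stop the open-port list from leaving the host; any IMV that sends an IETF Attribute Request gets it. If that setting is meant as a disclosure control, the same `lib->settings->get_bool(...)` check should gate this call, otherwise a comment should say that it only suppresses the unsolicited send. Separately, `result` is overwritten on every matching entry, so a request listing IETF_ATTR_PORT_FILTER twice queues two attributes and a TNC_RESULT_FATAL from the first call can be masked by a successful second one; `if (result != TNC_RESULT_SUCCESS) { break; }` after the `switch` would keep the first failure and stop the inner loop. Whether `out_msg->send(out_msg, TRUE)` is a no-op for a reply with no attributes is not visible here and should be confirmed, since every incoming message now produces a reply object.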
@@ -385,12 +386,36 @@ TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
 TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
 TNC_ConnectionID connection_id)
 {
+ imv_state_t *state;
+ imv_msg_t *out_msg;
+ pa_tnc_attr_t *attr;
+ TNC_IMV_Action_Recommendation rec;
+ TNC_IMV_Evaluation_Result eval;
+ TNC_Result result = TNC_RESULT_SUCCESS;
+
 if (!imv_scanner)
 {
 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
 return TNC_RESULT_NOT_INITIALIZED;
 }
- return TNC_RESULT_SUCCESS;
+ if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ state->get_recommendation(state, &rec, &eval);
+ if (rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+ {
+ out_msg = imv_msg_create(imv_scanner, state, connection_id, imv_id,
+ TNC_IMCID_ANY, msg_types[0]);
+ attr = ietf_attr_attr_request_create(PEN_IETF, IETF_ATTR_PORT_FILTER);
+ out_msg->add_attribute(out_msg, attr);
+
+ /* send PA-TNC message with excl flag not set */
+ result = out_msg->send(out_msg, FALSE);
+ out_msg->destroy(out_msg);
+
+ }
+ return result;
 }
 /**
diff --git a/src/libtncif/tncif_pa_subtypes.c b/src/libtncif/tncif_pa_subtypes.c
index d15a1c864..135be3c31 100644
--- a/src/libtncif/tncif_pa_subtypes.c
+++ b/src/libtncif/tncif_pa_subtypes.c
@@ -61,12 +61,11 @@ ENUM_NEXT(pa_subtype_fhh_names, PA_SUBTYPE_FHH_ANY, PA_SUBTYPE_FHH_ANY,
 );
 ENUM_END(pa_subtype_fhh_names, PA_SUBTYPE_FHH_ANY);
-ENUM_BEGIN(pa_subtype_ita_names, PA_SUBTYPE_ITA_TEST, PA_SUBTYPE_ITA_SCANNER,
- "Test",
- "Scanner"
+ENUM_BEGIN(pa_subtype_ita_names, PA_SUBTYPE_ITA_TEST, PA_SUBTYPE_ITA_TEST,
+ "Test"
 );
 ENUM_NEXT(pa_subtype_ita_names, PA_SUBTYPE_ITA_ANY, PA_SUBTYPE_ITA_ANY,
- PA_SUBTYPE_ITA_SCANNER,
+ PA_SUBTYPE_ITA_TEST,
 "ANY"
 );
 ENUM_END(pa_subtype_ita_names, PA_SUBTYPE_ITA_ANY);
diff --git a/src/libtncif/tncif_pa_subtypes.h b/src/libtncif/tncif_pa_subtypes.h
index 0be495bfc..2dc4c9220 100644
--- a/src/libtncif/tncif_pa_subtypes.h
+++ b/src/libtncif/tncif_pa_subtypes.h
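Review bot: TNC_IMV_BatchEnding now sends a fresh IETF Attribute Request for the Port Filter every time it runs while the recommendation is still TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, and nothing in the hunk records that a request is already outstanding; if the peer IMC never answers (for example because it predates attribute-request support), the IMV asks again at every batch until the TNCS ends the handshake, unless the state object tracks this elsewhere. I would remember in the IMV state that the request was sent and, on the next BatchEnding with still no answer, set a recommendation instead of repeating it, or at least document the retry behaviour above `if (rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)`. Minor style point: there is a stray blank line between `out_msg->destroy(out_msg);` and the closing `}` of that block. The neighbouring functions in this file are outside the hunk.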
@@ -84,7 +84,6 @@ extern enum_name_t *pa_subtype_fhh_names;
 */
 enum pa_subtype_ita_t {
 PA_SUBTYPE_ITA_TEST = 0x01,
- PA_SUBTYPE_ITA_SCANNER = 0x02,
 PA_SUBTYPE_ITA_ANY = 0xff
 };
|
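Review bot: Dropping `PA_SUBTYPE_ITA_SCANNER = 0x02` from `enum pa_subtype_ita_t` frees the value 0x02 under the ITA PEN while peers built before this commit would still put it on the wire; if a later subtype is assigned 0x02, old and new peers would silently disagree about what that message type means. I would keep the slot reserved in the enum with a comment, `/* 0x02 was PA_SUBTYPE_ITA_SCANNER, superseded by PEN_IETF/PA_SUBTYPE_IETF_VPN; do not reuse */`, so the number is not handed out again. This is a protocol-versioning note rather than a defect in the new code.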