authorAndreas Steffen <andreas.steffen@strongswan.org>2011-06-05 23:24:48 +0200
committerAndreas Steffen <andreas.steffen@strongswan.org>2011-06-05 23:24:48 +0200
commitd8f7f2f004cb71a46cad4282a81e91daa6ef3ea8 (patch)
tree3baf65023b177d70459ea817550c673ac0e31d7f /src
parenteeef48224281b30267d5060b2df6510043835176 (diff)
nearly completed PA-TNC error handling
Diffstat (limited to 'src')
-rw-r--r--src/libimcv/ietf/ietf_attr_pa_tnc_error.c145
-rw-r--r--src/libimcv/ietf/ietf_attr_pa_tnc_error.h24
-rw-r--r--src/libimcv/imc/imc_agent.c56
-rw-r--r--src/libimcv/imc/imc_agent.h17
-rw-r--r--src/libimcv/imv/imv_agent.c58
-rw-r--r--src/libimcv/imv/imv_agent.h17
-rw-r--r--src/libimcv/pa_tnc/pa_tnc_msg.c41
-rw-r--r--src/libimcv/pa_tnc/pa_tnc_msg.h2
-rw-r--r--src/libimcv/plugins/imc_test/imc_test.c68
-rw-r--r--src/libimcv/plugins/imv_test/imv_test.c70
10 files changed, 446 insertions, 52 deletions
diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
index 5d0f9a278..9702f4187 100644
--- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
+++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
@@ -14,7 +14,9 @@
#include "ietf_attr_pa_tnc_error.h"
+#include <pa_tnc/pa_tnc_msg.h>
#include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
#include <debug.h>
ENUM(pa_tnc_error_code_names, PA_ERROR_RESERVED,
@@ -42,8 +44,48 @@ typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
-#define IETF_ATTR_PA_TNC_ERROR_HEADER_SIZE 12
-#define IETF_ATTR_PA_TNC_ERROR_RESERVED 0x00
+#define PA_ERROR_HEADER_SIZE 8
+#define PA_ERROR_RESERVED 0x00
+
+/**
+ * All Error Types return the first 8 bytes of the erroneous PA-TNC message
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Version | Copy of Reserved |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Message Identifier |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define PA_ERROR_MSG_INFO_SIZE 8
+
+/**
+ * "Version Not Supported" Error Code
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Max Version | Min Version | Reserved |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define PA_ERROR_VERSION_RESERVED 0x0000
+
+/**
+ * "Attribute Type Not Supported" Error Code
+ *
+ * 1 2 3
+ * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | Flags | PA-TNC Attribute Vendor ID |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | PA-TNC Attribute Type |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+#define PA_ERROR_ATTR_INFO_SIZE 8
/**
* Private data of an ietf_attr_pa_tnc_error_t object.
@@ -86,9 +128,14 @@ struct private_ietf_attr_pa_tnc_error_t {
u_int32_t error_code;
/**
- * PA-TNC message header
+ * First 8 bytes of erroneous PA-TNC message
*/
- chunk_t header;
+ chunk_t msg_info;
+
+ /**
+ * First 8 bytes of unsupported PA-TNC attribute
+ */
+ chunk_t attr_info;
/**
* Reference count
@@ -131,11 +178,28 @@ METHOD(pa_tnc_attr_t, build, void,
{
bio_writer_t *writer;
- writer = bio_writer_create(IETF_ATTR_PA_TNC_ERROR_HEADER_SIZE);
- writer->write_uint8 (writer, IETF_ATTR_PA_TNC_ERROR_RESERVED);
+ writer = bio_writer_create(PA_ERROR_HEADER_SIZE + PA_ERROR_MSG_INFO_SIZE);
+ writer->write_uint8 (writer, PA_ERROR_RESERVED);
writer->write_uint24(writer, this->error_vendor_id);
writer->write_uint32(writer, this->error_code);
- writer->write_data (writer, this->header);
+ writer->write_data (writer, this->msg_info);
+
+ switch (this->error_code)
+ {
+ case PA_ERROR_INVALID_PARAMETER:
+ break;
+ case PA_ERROR_VERSION_NOT_SUPPORTED:
+ writer->write_uint8 (writer, PA_TNC_VERSION);
+ writer->write_uint8 (writer, PA_TNC_VERSION);
+ writer->write_uint16(writer, PA_ERROR_VERSION_RESERVED);
+ break;
+ case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
+ writer->write_data(writer, this->attr_info);
+ break;
+ default:
+ break;
+ }
+
this->value = chunk_clone(writer->get_buf(writer));
writer->destroy(writer);
}
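Review bot: The switch on error_code at the end of build() ignores error_vendor_id, so a vendor-specific error whose code value happens to equal PA_ERROR_VERSION_NOT_SUPPORTED or PA_ERROR_ATTR_TYPE_NOT_SUPPORTED gets IETF-layout trailing bytes appended; wrap the switch in `if (this->error_vendor_id == PEN_IETF)`. In the PA_ERROR_ATTR_TYPE_NOT_SUPPORTED case, `writer->write_data(writer, this->attr_info)` writes nothing when set_attr_info() was never called, which presumably leaves the attribute short of the 8-byte Attribute Info field shown in the layout comment above; a `DBG1` or a check that `this->attr_info.len == PA_ERROR_ATTR_INFO_SIZE` would catch that at build time. build()'s signature line is outside this hunk.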
@@ -143,6 +207,38 @@ METHOD(pa_tnc_attr_t, build, void,
METHOD(pa_tnc_attr_t, process, status_t,
private_ietf_attr_pa_tnc_error_t *this)
{
+ bio_reader_t *reader;
+ u_int8_t reserved;
+
+ if (this->value.len < PA_ERROR_HEADER_SIZE + PA_ERROR_MSG_INFO_SIZE)
+ {
+ return FAILED;
+ }
+ reader = bio_reader_create(this->value);
+ reader->read_uint8 (reader, &reserved);
+ reader->read_uint24(reader, &this->error_vendor_id);
+ reader->read_uint32(reader, &this->error_code);
+ reader->read_data (reader, PA_ERROR_MSG_INFO_SIZE, &this->msg_info);
+ this->msg_info = chunk_clone(this->msg_info);
+
+ switch (this->error_code)
+ {
+ case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
+ if (!reader->read_data(reader, PA_ERROR_ATTR_INFO_SIZE,
+ &this->attr_info))
+ {
+ reader->destroy(reader);
+ DBG1(DBG_TNC, "insufficient data for unsupported attribute "
+ "information");
+ return FAILED;
+ }
+ this->attr_info = chunk_clone(this->attr_info);
+ break;
+ default:
+ break;
+ }
+ reader->destroy(reader);
+
return SUCCESS;
}
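Review bot: The switch at the end of process() keys on error_code alone, so an error attribute from a peer with a non-IETF error_vendor_id and a code numerically equal to PA_ERROR_ATTR_TYPE_NOT_SUPPORTED is parsed with the IETF layout; add `if (this->error_vendor_id != PEN_IETF) break;` as the first statement of that case, or only enter the switch when the vendor ID is PEN_IETF. There is also an asymmetry with build(): the Max/Min Version bytes written for PA_ERROR_VERSION_NOT_SUPPORTED are never read here, so a receiver cannot learn which versions the peer supports — either parse and store them or document that they are ignored. The early `return FAILED` for a short value has no diagnostic, unlike the attribute-info branch; `DBG1(DBG_TNC, "insufficient data for PA-TNC error header");` before it would match the style used below.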
@@ -158,7 +254,9 @@ METHOD(pa_tnc_attr_t, destroy, void,
{
if (ref_put(&this->ref))
{
- free(this->header.ptr);
+ free(this->value.ptr);
+ free(this->msg_info.ptr);
+ free(this->attr_info.ptr);
free(this);
}
}
@@ -175,16 +273,35 @@ METHOD(ietf_attr_pa_tnc_error_t, get_error_code, u_int32_t,
return this->error_code;
}
+METHOD(ietf_attr_pa_tnc_error_t, get_msg_info, chunk_t,
+ private_ietf_attr_pa_tnc_error_t *this)
+{
+ return this->msg_info;
+}
+
+METHOD(ietf_attr_pa_tnc_error_t, get_attr_info, chunk_t,
+ private_ietf_attr_pa_tnc_error_t *this)
+{
+ return this->attr_info;
+}
+
+METHOD(ietf_attr_pa_tnc_error_t, set_attr_info, void,
+ private_ietf_attr_pa_tnc_error_t *this, chunk_t attr_info)
+{
+ this->attr_info = chunk_clone(attr_info);
+}
+
/**
* Described in header.
*/
pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_t vendor_id,
u_int32_t error_code,
- chunk_t header)
+ chunk_t msg_info)
{
private_ietf_attr_pa_tnc_error_t *this;
- header.len = 8;
+ /* the first 8 bytes of the erroneous PA-TNC message are sent back */
+ msg_info.len = PA_ERROR_MSG_INFO_SIZE;
INIT(this,
.public = {
@@ -201,12 +318,15 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_t vendor_id,
},
.get_vendor_id = _get_error_vendor_id,
.get_error_code = _get_error_code,
+ .get_msg_info = _get_msg_info,
+ .get_attr_info = _get_attr_info,
+ .set_attr_info = _set_attr_info,
},
.vendor_id = PEN_IETF,
.type = IETF_ATTR_PA_TNC_ERROR,
.error_vendor_id = vendor_id,
.error_code = error_code,
- .header = chunk_clone(header),
+ .msg_info = chunk_clone(msg_info),
.ref = 1,
);
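Review bot: `msg_info.len = PA_ERROR_MSG_INFO_SIZE;` in ietf_attr_pa_tnc_error_create() lengthens the caller's chunk unconditionally, so the following `chunk_clone(msg_info)` copies 8 bytes regardless of how long the buffer actually is. The only visible caller passes a whole PA-TNC message encoding, which has presumably already had its 8-byte header read, but that is a caller contract the constructor does not enforce; clamp instead, `msg_info.len = min(msg_info.len, PA_ERROR_MSG_INFO_SIZE);` (or an explicit comparison), or return NULL for a shorter chunk since the on-wire field is fixed-size. The body of this function continues past the end of the hunk.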
@@ -233,6 +353,9 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_from_data(chunk_t data)
},
.get_vendor_id = _get_error_vendor_id,
.get_error_code = _get_error_code,
+ .get_msg_info = _get_msg_info,
+ .get_attr_info = _get_attr_info,
+ .set_attr_info = _set_attr_info,
},
.vendor_id = PEN_IETF,
.type = IETF_ATTR_PA_TNC_ERROR,
diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
index d6641639e..7f0e0a90a 100644
--- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
+++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h
@@ -22,6 +22,7 @@
#define IETF_ATTR_PA_TNC_ERROR_H_
typedef struct ietf_attr_pa_tnc_error_t ietf_attr_pa_tnc_error_t;
+typedef enum pa_tnc_error_code_t pa_tnc_error_code_t;
#include "ietf_attr.h"
#include "pa_tnc/pa_tnc_attr.h"
@@ -65,7 +66,28 @@ struct ietf_attr_pa_tnc_error_t {
*
* @return error code
*/
- pen_t (*get_error_code)(ietf_attr_pa_tnc_error_t *this);
+ pa_tnc_error_code_t (*get_error_code)(ietf_attr_pa_tnc_error_t *this);
+
+ /**
+ * Get first 8 bytes of erroneous PA-TNC message
+ *
+ * @return PA-TNC message info
+ */
+ chunk_t (*get_msg_info)(ietf_attr_pa_tnc_error_t *this);
+
+ /**
+ * Get first 8 bytes of unsupported PA-TNC attribute
+ *
+ * @return PA-TNC attribute info
+ */
+ chunk_t (*get_attr_info)(ietf_attr_pa_tnc_error_t *this);
+
+ /**
+ * Set first 8 bytes of unsupported PA-TNC attribute
+ *
+ * @param attr_info PA-TNC message info
+ */
+ void (*set_attr_info)(ietf_attr_pa_tnc_error_t *this, chunk_t attr_info);
};
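Review bot: The `@param attr_info` line in the new set_attr_info() documentation says "PA-TNC message info", but the setter stores the first 8 bytes of the unsupported attribute, as the getter directly above it says; change it to `@param attr_info first 8 bytes of the unsupported PA-TNC attribute`. It would also help callers to state that the implementation copies the chunk (the .c file calls chunk_clone()), so the caller keeps ownership of its buffer, and that get_msg_info()/get_attr_info() return internal chunks the caller must not free.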
/**
diff --git a/src/libimcv/imc/imc_agent.c b/src/libimcv/imc/imc_agent.c
index 68799c817..17c656d00 100644
--- a/src/libimcv/imc/imc_agent.c
+++ b/src/libimcv/imc/imc_agent.c
@@ -271,6 +271,61 @@ METHOD(imc_agent_t, send_message, TNC_Result,
this->type);
}
+METHOD(imc_agent_t, receive_message, TNC_Result,
+ private_imc_agent_t *this, TNC_ConnectionID connection_id, chunk_t msg,
+ TNC_MessageType msg_type, pa_tnc_msg_t **pa_tnc_msg)
+{
+ pa_tnc_msg_t *pa_msg, *error_msg;
+ pa_tnc_attr_t *error_attr;
+ enumerator_t *enumerator;
+ TNC_Result result;
+
+ DBG2(DBG_IMV, "IMC %u \"%s\" received message type 0x%08x for Connection ID %u",
+ this->id, this->name, msg_type, connection_id);
+
+ *pa_tnc_msg = NULL;
+ pa_msg = pa_tnc_msg_create_from_data(msg);
+
+ switch (pa_msg->process(pa_msg))
+ {
+ case SUCCESS:
+ *pa_tnc_msg = pa_msg;
+ break;
+ case VERIFY_ERROR:
+ if (!this->send_message)
+ {
+ /* TNCC doen't have a SendMessage() function */
+ return TNC_RESULT_FATAL;
+ }
+
+ /* build error message */
+ error_msg = pa_tnc_msg_create();
+ enumerator = pa_msg->create_error_enumerator(pa_msg);
+ while (enumerator->enumerate(enumerator, &error_attr))
+ {
+ error_msg->add_attribute(error_msg,
+ error_attr->get_ref(error_attr));
+ }
+ enumerator->destroy(enumerator);
+ error_msg->build(error_msg);
+
+ /* send error message */
+ msg = error_msg->get_encoding(error_msg);
+ result = this->send_message(this->id, connection_id,
+ msg.ptr, msg.len, msg_type);
+
+ /* clean up */
+ error_msg->destroy(error_msg);
+ pa_msg->destroy(pa_msg);
+ return result;
+ case FAILED:
+ default:
+ pa_msg->destroy(pa_msg);
+ return TNC_RESULT_FATAL;
+ }
+ return TNC_RESULT_SUCCESS;
+}
+
METHOD(imc_agent_t, destroy, void,
private_imc_agent_t *this)
{
@@ -306,6 +361,7 @@ imc_agent_t *imc_agent_create(const char *name,
.change_state = _change_state,
.get_state = _get_state,
.send_message = _send_message,
+ .receive_message = _receive_message,
.destroy = _destroy,
},
.name = name,
diff --git a/src/libimcv/imc/imc_agent.h b/src/libimcv/imc/imc_agent.h
index 7c7ef732b..f9d16fa50 100644
--- a/src/libimcv/imc/imc_agent.h
+++ b/src/libimcv/imc/imc_agent.h
@@ -22,6 +22,7 @@
#define IMC_AGENT_H_
#include "imc_state.h"
+#include "pa_tnc/pa_tnc_msg.h"
#include <tncifimc.h>
#include <pen/pen.h>
@@ -95,7 +96,7 @@ struct imc_agent_t {
TNC_ConnectionID connection_id, imc_state_t **state);
/**
- * Call when an IMC-IMV message is to be sent
+ * Call when an PA-TNC message is to be sent
*
* @param connection_id network connection ID assigned by TNCC
* @param msg message to send
@@ -106,6 +107,20 @@ struct imc_agent_t {
chunk_t msg);
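Review bot: The reworded comment `Call when an PA-TNC message is to be sent` has an article error; the matching hunk in imv_agent.h reads `Call when a PA-TNC message is to be sent`, and the IMC header should say the same. Wording only.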
/**
+ * Call when a PA-TNC message was received
+ *
+ * @param connection_id network connection ID assigned by TNCC
+ * @param msg received unparsed message
+ * @param msg_type message type of the received message
+ * @param pa_tnc_message parsed PA-TNC message or NULL if an error occurred
+ * @return TNC result code
+ */
+ TNC_Result (*receive_message)(imc_agent_t *this,
+ TNC_ConnectionID connection_id, chunk_t msg,
+ TNC_MessageType msg_type,
+ pa_tnc_msg_t **pa_tnc_msg);
+
+ /**
* Destroys an imc_agent_t object
*/
void (*destroy)(imc_agent_t *this);
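Review bot: The new receive_message() documentation names the out-parameter `@param pa_tnc_message` while the prototype calls it `pa_tnc_msg`, so Doxygen will report an undocumented parameter; rename the tag to `@param pa_tnc_msg`. It would also be worth stating ownership: the implementation hands the parsed message to the caller on success and imc_test.c destroys it, so add `(caller must destroy it)` to that line. The `@return` could say that a VERIFY_ERROR already causes a PA-TNC error message to be sent back and the SendMessage result to be returned, since callers otherwise cannot tell that from the signature.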
diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c
index cca3ed4f4..72b0d43cf 100644
--- a/src/libimcv/imv/imv_agent.c
+++ b/src/libimcv/imv/imv_agent.c
@@ -319,6 +319,63 @@ METHOD(imv_agent_t, set_recommendation, TNC_Result,
return this->provide_recommendation(this->id, connection_id, rec, eval);
}
+METHOD(imv_agent_t, receive_message, TNC_Result,
+ private_imv_agent_t *this, TNC_ConnectionID connection_id, chunk_t msg,
+ TNC_MessageType msg_type, pa_tnc_msg_t **pa_tnc_msg)
+{
+ pa_tnc_msg_t *pa_msg, *error_msg;
+ pa_tnc_attr_t *error_attr;
+ enumerator_t *enumerator;
+ TNC_Result result;
+
+ DBG2(DBG_IMV, "IMV %u \"%s\" received message type 0x%08x for Connection ID %u",
+ this->id, this->name, msg_type, connection_id);
+
+ *pa_tnc_msg = NULL;
+ pa_msg = pa_tnc_msg_create_from_data(msg);
+
+ switch (pa_msg->process(pa_msg))
+ {
+ case SUCCESS:
+ *pa_tnc_msg = pa_msg;
+ break;
+ case VERIFY_ERROR:
+ if (!this->send_message)
+ {
+ /* TNCS doen't have a SendMessage() function */
+ return TNC_RESULT_FATAL;
+ }
+
+ /* build error message */
+ error_msg = pa_tnc_msg_create();
+ enumerator = pa_msg->create_error_enumerator(pa_msg);
+ while (enumerator->enumerate(enumerator, &error_attr))
+ {
+ error_msg->add_attribute(error_msg,
+ error_attr->get_ref(error_attr));
+ }
+ enumerator->destroy(enumerator);
+ error_msg->build(error_msg);
+
+ /* send error message */
+ msg = error_msg->get_encoding(error_msg);
+ result = this->send_message(this->id, connection_id,
+ msg.ptr, msg.len, msg_type);
+
+ /* clean up */
+ error_msg->destroy(error_msg);
+ pa_msg->destroy(pa_msg);
+ return result;
+ case FAILED:
+ default:
+ pa_msg->destroy(pa_msg);
+ return set_recommendation(this, connection_id,
+ TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+ TNC_IMV_EVALUATION_RESULT_ERROR);
+ }
+ return TNC_RESULT_SUCCESS;
+}
+
METHOD(imv_agent_t, provide_recommendation, TNC_Result,
private_imv_agent_t *this, TNC_ConnectionID connection_id)
{
@@ -373,6 +430,7 @@ imv_agent_t *imv_agent_create(const char *name,
.change_state = _change_state,
.get_state = _get_state,
.send_message = _send_message,
+ .receive_message = _receive_message,
.set_recommendation = _set_recommendation,
.provide_recommendation = _provide_recommendation,
.destroy = _destroy,
diff --git a/src/libimcv/imv/imv_agent.h b/src/libimcv/imv/imv_agent.h
index d0816b3ad..00e9c9d9f 100644
--- a/src/libimcv/imv/imv_agent.h
+++ b/src/libimcv/imv/imv_agent.h
@@ -22,6 +22,7 @@
#define IMV_AGENT_H_
#include "imv_state.h"
+#include "pa_tnc/pa_tnc_msg.h"
#include <tncifimv.h>
#include <pen/pen.h>
@@ -131,7 +132,7 @@ struct imv_agent_t {
TNC_ConnectionID connection_id, imv_state_t **state);
/**
- * Call when an IMV-IMC message is to be sent
+ * Call when a PA-TNC message is to be sent
*
* @param connection_id network connection ID assigned by TNCS
* @param msg message to send
@@ -141,6 +142,20 @@ struct imv_agent_t {
TNC_ConnectionID connection_id, chunk_t msg);
/**
+ * Call when a PA-TNC message was received
+ *
+ * @param connection_id network connection ID assigned by TNCS
+ * @param msg received unparsed message
+ * @param msg_type message type of the received message
+ * @param pa_tnc_message parsed PA-TNC message or NULL if an error occurred
+ * @return TNC result code
+ */
+ TNC_Result (*receive_message)(imv_agent_t *this,
+ TNC_ConnectionID connection_id, chunk_t msg,
+ TNC_MessageType msg_type,
+ pa_tnc_msg_t **pa_tnc_msg);
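Review bot: The new receive_message() documentation names the out-parameter `@param pa_tnc_message` while the prototype calls it `pa_tnc_msg`; rename the tag to `@param pa_tnc_msg`. Add that the caller owns the returned message (imv_test.c destroys it) and that on a FAILED parse the agent has already set a NO_RECOMMENDATION/ERROR recommendation, so plugins should not set one again in that case.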
+
+ /**
* Set Action Recommendation and Evaluation Result in the IMV state
*
# @param connection_id network connection ID assigned by TNCS
diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.c b/src/libimcv/pa_tnc/pa_tnc_msg.c
index 0eea4c311..eb6c648ca 100644
--- a/src/libimcv/pa_tnc/pa_tnc_msg.c
+++ b/src/libimcv/pa_tnc/pa_tnc_msg.c
@@ -39,7 +39,6 @@ typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
*/
#define PA_TNC_HEADER_SIZE 8
-#define PA_TNC_VERSION 0x01
#define PA_TNC_RESERVED 0x000000
/**
@@ -61,6 +60,7 @@ typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t;
#define PA_TNC_ATTR_FLAG_NONE 0x00
#define PA_TNC_ATTR_FLAG_NOSKIP (1<<7)
#define PA_TNC_ATTR_HEADER_SIZE 12
+#define PA_TNC_ATTR_INFO_SIZE 8
/**
* Private data of a pa_tnc_msg_t object.
@@ -140,8 +140,18 @@ METHOD(pa_tnc_msg_t, build, void,
value = attr->get_value(attr);
flags = attr->get_noskip_flag(attr) ? PA_TNC_ATTR_FLAG_NOSKIP :
PA_TNC_ATTR_FLAG_NONE;
- DBG2(DBG_TNC, "creating PA-TNC attribute type 0x%06x(%N)/0x%08x",
- vendor_id, pen_names, vendor_id, type);
+ if (vendor_id == PEN_IETF)
+ {
+ DBG2(DBG_TNC, "creating PA-TNC attribute type '%N/%N' "
+ "0x%06x/0x%08x", pen_names, vendor_id,
+ ietf_attr_names, type, vendor_id, type);
+ }
+ else
+ {
+ DBG2(DBG_TNC, "creating PA-TNC attribute type '%N' "
+ "0x%06x/0x%08x", pen_names, vendor_id,
+ vendor_id, type);
+ }
DBG3(DBG_TNC, "%B", &value);
writer->write_uint8 (writer, flags);
@@ -176,6 +186,7 @@ METHOD(pa_tnc_msg_t, process, status_t,
reader->read_uint8 (reader, &version);
reader->read_uint24(reader, &reserved);
reader->read_uint32(reader, &this->identifier);
+ DBG2(DBG_TNC, "processing PA-TNC message with ID 0x%08x", this->identifier);
if (version != PA_TNC_VERSION)
{
@@ -184,7 +195,6 @@ METHOD(pa_tnc_msg_t, process, status_t,
PA_ERROR_VERSION_NOT_SUPPORTED, this->encoding);
goto err;
}
- DBG2(DBG_TNC, "processing PA-TNC message with ID 0x%08x", this->identifier);
/* pre-process PA-TNC attributes */
while (reader->remaining(reader) >= PA_TNC_ATTR_HEADER_SIZE)
@@ -192,15 +202,28 @@ METHOD(pa_tnc_msg_t, process, status_t,
pen_t vendor_id;
u_int8_t flags;
u_int32_t type, length;
- chunk_t value;
+ chunk_t value, attr_info;
pa_tnc_attr_t *attr;
+ ietf_attr_pa_tnc_error_t *error_attr;
+ attr_info = reader->peek(reader);
+ attr_info.len = PA_TNC_ATTR_INFO_SIZE;
reader->read_uint8 (reader, &flags);
reader->read_uint24(reader, &vendor_id);
reader->read_uint32(reader, &type);
reader->read_uint32(reader, &length);
- DBG2(DBG_TNC, "processing PA-TNC attribute type 0x%06x(%N)/0x%08x",
- vendor_id, pen_names, vendor_id, type);
+ if (vendor_id == PEN_IETF)
+ {
+ DBG2(DBG_TNC, "processing PA-TNC attribute type '%N/%N' "
+ "0x%06x/0x%08x", pen_names, vendor_id,
+ ietf_attr_names, type, vendor_id, type);
+ }
+ else
+ {
+ DBG2(DBG_TNC, "processing PA-TNC attribute type '%N' "
+ "0x%06x/0x%08x", pen_names, vendor_id,
+ vendor_id, type);
+ }
if (length < PA_TNC_ATTR_HEADER_SIZE)
{
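Review bot: `attr_info = reader->peek(reader); attr_info.len = PA_TNC_ATTR_INFO_SIZE;` is only in bounds because the enclosing while condition guarantees `remaining >= PA_TNC_ATTR_HEADER_SIZE` (12 bytes), which is not visible at the assignment itself; add `/* loop guard leaves >= PA_TNC_ATTR_HEADER_SIZE bytes, so the 8-byte peek is in bounds */` above it so a later change to the loop condition does not silently turn this into an over-read. The chunk aliases this->encoding, which is fine because set_attr_info() clones it. The two DBG2 branches differ only in the ietf_attr_names argument and the same split appears in build(); a small static logging helper would remove the duplication. process() starts and ends outside this hunk.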
@@ -229,6 +252,8 @@ METHOD(pa_tnc_msg_t, process, status_t,
DBG1(DBG_TNC, "unsupported PA-TNC attribute with NOSKIP flag");
error = ietf_attr_pa_tnc_error_create(PEN_IETF,
PA_ERROR_ATTR_TYPE_NOT_SUPPORTED, this->encoding);
+ error_attr = (ietf_attr_pa_tnc_error_t*)error;
+ error_attr->set_attr_info(error_attr, attr_info);
goto err;
}
else
@@ -268,7 +293,7 @@ METHOD(pa_tnc_msg_t, create_attribute_enumerator, enumerator_t*,
METHOD(pa_tnc_msg_t, create_error_enumerator, enumerator_t*,
private_pa_tnc_msg_t *this)
{
- return this->errors->create_enumerator(this->attributes);
+ return this->errors->create_enumerator(this->errors);
}
METHOD(pa_tnc_msg_t, destroy, void,
diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.h b/src/libimcv/pa_tnc/pa_tnc_msg.h
index b64060055..bff954678 100644
--- a/src/libimcv/pa_tnc/pa_tnc_msg.h
+++ b/src/libimcv/pa_tnc/pa_tnc_msg.h
@@ -23,6 +23,8 @@
typedef struct pa_tnc_msg_t pa_tnc_msg_t;
+#define PA_TNC_VERSION 0x01
+
#include "pa_tnc_attr.h"
#include <library.h>
diff --git a/src/libimcv/plugins/imc_test/imc_test.c b/src/libimcv/plugins/imc_test/imc_test.c
index 3f7ee3525..e89008f87 100644
--- a/src/libimcv/plugins/imc_test/imc_test.c
+++ b/src/libimcv/plugins/imc_test/imc_test.c
@@ -16,6 +16,8 @@
#include <imc/imc_agent.h>
#include <pa_tnc/pa_tnc_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
#include <ita/ita_attr_command.h>
#include <pen/pen.h>
@@ -129,7 +131,10 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
TNC_MessageType msg_type)
{
pa_tnc_msg_t *pa_tnc_msg;
- status_t status;
+ pa_tnc_attr_t *attr;
+ enumerator_t *enumerator;
+ TNC_Result result;
+ bool fatal_error = FALSE;
if (!imc_test)
{
@@ -137,19 +142,60 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
return TNC_RESULT_NOT_INITIALIZED;
}
- /* process received message */
- DBG2(DBG_IMC, "IMC %u \"%s\" received message type 0x%08x for Connection ID %u",
- imc_id, imc_name, msg_type, connection_id);
- pa_tnc_msg = pa_tnc_msg_create_from_data(chunk_create(msg, msg_len));
- status = pa_tnc_msg->process(pa_tnc_msg);
- pa_tnc_msg->destroy(pa_tnc_msg);
- if (status != SUCCESS)
+ /* parse received PA-TNC message and automatically handle any errors */
+ result = imc_test->receive_message(imc_test, connection_id,
+ chunk_create(msg, msg_len), msg_type,
+ &pa_tnc_msg);
+
+ /* no parsed PA-TNC attributes available if an error occurred */
+ if (!pa_tnc_msg)
{
- return TNC_RESULT_FATAL;
+ return result;
}
- /* always return the same response */
- return send_message(connection_id);
+ /* analyze PA-TNC attributes */
+ enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+ while (enumerator->enumerate(enumerator, &attr))
+ {
+ if (attr->get_vendor_id(attr) == PEN_IETF &&
+ attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
+ {
+ ietf_attr_pa_tnc_error_t *error_attr;
+ pa_tnc_error_code_t error_code;
+ chunk_t msg_info, attr_info;
+
+ error_attr = (ietf_attr_pa_tnc_error_t*)attr;
+ error_code = error_attr->get_error_code(error_attr);
+ msg_info = error_attr->get_msg_info(error_attr);
+
+ DBG1(DBG_IMC, "received PA-TNC error '%N' concerning message %#B",
+ pa_tnc_error_code_names, error_code, &msg_info);
+ switch (error_code)
+ {
+ case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
+ attr_info = error_attr->get_attr_info(error_attr);
+ DBG1(DBG_IMC, " unsupported attribute %#B", &attr_info);
+ break;
+ default:
+ break;
+ }
+ fatal_error = TRUE;
+ }
+ else if (attr->get_vendor_id(attr) == PEN_ITA &&
+ attr->get_type(attr) == ITA_ATTR_COMMAND)
+ {
+ ita_attr_command_t *ita_attr;
+ char *command;
+
+ ita_attr = (ita_attr_command_t*)attr;
+ command = ita_attr->get_command(ita_attr);
+ }
+ }
+ enumerator->destroy(enumerator);
+ pa_tnc_msg->destroy(pa_tnc_msg);
+
+ /* if no error occurred then always return the same response */
+ return fatal_error ? TNC_RESULT_FATAL : send_message(connection_id);
}
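Review bot: In the new ITA_ATTR_COMMAND branch of TNC_IMC_ReceiveMessage(), `command` is assigned from get_command() and never used, which compilers flag with -Wunused-but-set-variable; either log it, `DBG1(DBG_IMC, "received ITA command '%s'", command);`, or drop the branch until the IMC acts on it. The rest of the rewrite looks right: a PA-TNC error attribute from the peer is logged and turns the result fatal, and a parse error has already been answered by receive_message() before the NULL check. The function's signature is outside this hunk.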
/**
diff --git a/src/libimcv/plugins/imv_test/imv_test.c b/src/libimcv/plugins/imv_test/imv_test.c
index 7e1f05901..ca798bb66 100644
--- a/src/libimcv/plugins/imv_test/imv_test.c
+++ b/src/libimcv/plugins/imv_test/imv_test.c
@@ -16,6 +16,8 @@
#include <imv/imv_agent.h>
#include <pa_tnc/pa_tnc_msg.h>
+#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_pa_tnc_error.h>
#include <ita/ita_attr_command.h>
#include <pen/pen.h>
@@ -127,8 +129,9 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
pa_tnc_attr_t *attr;
imv_state_t *state;
imv_test_state_t *imv_test_state;
- TNC_Result result = TNC_RESULT_SUCCESS;
enumerator_t *enumerator;
+ TNC_Result result;
+ bool fatal_error = FALSE;
if (!imv_test)
{
@@ -136,29 +139,53 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
return TNC_RESULT_NOT_INITIALIZED;
}
- /* process received message */
- DBG2(DBG_IMV, "IMV %u \"%s\" received message type 0x%08x for Connection ID %u",
- imv_id, imv_name, msg_type, connection_id);
- pa_tnc_msg = pa_tnc_msg_create_from_data(chunk_create(msg, msg_len));
-
- if (pa_tnc_msg->process(pa_tnc_msg) != SUCCESS)
+ /* get current IMV state */
+ if (!imv_test->get_state(imv_test, connection_id, &state))
{
- pa_tnc_msg->destroy(pa_tnc_msg);
return TNC_RESULT_FATAL;
}
- /* get current IMV state */
- if (!imv_test->get_state(imv_test, connection_id, &state))
+ /* parse received PA-TNC message and automatically handle any errors */
+ result = imv_test->receive_message(imv_test, connection_id,
+ chunk_create(msg, msg_len), msg_type,
+ &pa_tnc_msg);
+
+ /* no parsed PA-TNC attributes available if an error occurred */
+ if (!pa_tnc_msg)
{
- pa_tnc_msg->destroy(pa_tnc_msg);
- return TNC_RESULT_FATAL;
+ return result;
}
+ /* analyze PA-TNC attributes */
enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
while (enumerator->enumerate(enumerator, &attr))
{
- if (attr->get_vendor_id(attr) == PEN_ITA &&
- attr->get_type(attr) == ITA_ATTR_COMMAND)
+ if (attr->get_vendor_id(attr) == PEN_IETF &&
+ attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
+ {
+ ietf_attr_pa_tnc_error_t *error_attr;
+ pa_tnc_error_code_t error_code;
+ chunk_t msg_info, attr_info;
+
+ error_attr = (ietf_attr_pa_tnc_error_t*)attr;
+ error_code = error_attr->get_error_code(error_attr);
+ msg_info = error_attr->get_msg_info(error_attr);
+
+ DBG1(DBG_IMV, "received PA-TNC error '%N' concerning message %#B",
+ pa_tnc_error_code_names, error_code, &msg_info);
+ switch (error_code)
+ {
+ case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
+ attr_info = error_attr->get_attr_info(error_attr);
+ DBG1(DBG_IMV, " unsupported attribute %#B", &attr_info);
+ break;
+ default:
+ break;
+ }
+ fatal_error = TRUE;
+ }
+ else if (attr->get_vendor_id(attr) == PEN_ITA &&
+ attr->get_type(attr) == ITA_ATTR_COMMAND)
{
ita_attr_command_t *ita_attr;
char *command;
@@ -178,7 +205,7 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
}
- else if (streq(command, "none"))
+ else if (streq(command, "block") || streq(command, "none"))
{
state->set_recommendation(state,
TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS,
@@ -186,17 +213,22 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
}
else
{
- result = TNC_RESULT_FATAL;
+ DBG1(DBG_IMV, "unsupported ITA Command '%s'", command);
+ state->set_recommendation(state,
+ TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+ TNC_IMV_EVALUATION_RESULT_ERROR);
}
- break;
}
}
enumerator->destroy(enumerator);
pa_tnc_msg->destroy(pa_tnc_msg);
- if (result != TNC_RESULT_SUCCESS)
+ if (fatal_error)
{
- return result;
+ state->set_recommendation(state,
+ TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+ TNC_IMV_EVALUATION_RESULT_ERROR);
+ return imv_test->provide_recommendation(imv_test, connection_id);
}
/* repeat the measurement ? */
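Review bot: Dropping the `break;` after the ITA command dispatch means every ITA_ATTR_COMMAND attribute in a message is now evaluated and the last recognised one wins, so a message carrying "block" followed by a second command ends with the later recommendation; if that is intended, record it with `/* later command attributes override earlier ones */`, otherwise keep the break. The new unsupported-command branch records NO_RECOMMENDATION/ERROR in the state but does not set fatal_error, so processing continues as if the message were fine and a following valid command can overwrite that result — confirm this is wanted. This hunk starts and ends inside TNC_IMV_ReceiveMessage().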