-rw-r--r--man/strongswan.conf.5.in6
-rw-r--r--src/libimcv/plugins/imc_scanner/imc_scanner.c91
-rw-r--r--src/libimcv/plugins/imv_scanner/imv_scanner.c29
-rw-r--r--src/libtncif/tncif_pa_subtypes.c7
-rw-r--r--src/libtncif/tncif_pa_subtypes.h1
5 files changed, 115 insertions, 19 deletions
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 1ffc38e04..a36889cc3 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -811,6 +811,12 @@ Preferred measurement hash algorithm
.BR libimcv.plugins.imv-attestation.min_nonce_len " [0]"
DH minimum nonce length
.TP
+.BR libimcv.plugins.imc-os.send_info " [yes]"
+Send operating system info without being prompted
+.TP
+.BR libimcv.plugins.imc-scanner.send_ports " [yes]"
+Send open listening ports without being prompted
+.TP
.BR libimcv.plugins.imv-scanner.closed_port_policy " [yes]"
By default all ports must be closed (yes) or can be open (no)
.TP
diff --git a/src/libimcv/plugins/imc_scanner/imc_scanner.c b/src/libimcv/plugins/imc_scanner/imc_scanner.c
index 5c7985e52..8e843a2ce 100644
--- a/src/libimcv/plugins/imc_scanner/imc_scanner.c
+++ b/src/libimcv/plugins/imc_scanner/imc_scanner.c
@@ -18,6 +18,7 @@
#include <imc/imc_agent.h>
#include <imc/imc_msg.h>
#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
#include <ietf/ietf_attr_port_filter.h>
#include <tncif_pa_subtypes.h>
@@ -33,7 +34,7 @@
static const char imc_name[] = "Scanner";
static pen_type_t msg_types[] = {
- { PEN_ITA, PA_SUBTYPE_ITA_SCANNER }
+ { PEN_IETF, PA_SUBTYPE_IETF_VPN }
};
static imc_agent_t *imc_scanner;
@@ -227,7 +228,10 @@ end:
return success;
}
-static TNC_Result send_message(imc_msg_t *out_msg)
+/**
+ * Add IETF Port Filter attribute to the send queue
+ */
+static TNC_Result add_port_filter(imc_msg_t *msg)
{
pa_tnc_attr_t *attr;
ietf_attr_port_filter_t *attr_port_filter;
@@ -240,10 +244,9 @@ static TNC_Result send_message(imc_msg_t *out_msg)
attr->destroy(attr);
return TNC_RESULT_FATAL;
}
- out_msg->add_attribute(out_msg, attr);
+ msg->add_attribute(msg, attr);
- /* send PA-TNC message with the excl flag not set */
- return out_msg->send(out_msg, FALSE);
+ return TNC_RESULT_SUCCESS;
}
/**
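Review bot: The new header comment on add_port_filter (previous hunk) states what is queued but not what its return value means, while the failure branch here destroys the attribute and returns TNC_RESULT_FATAL and TNC_IMC_BeginHandshake uses that value to decide whether to send at all. Suggest extending the comment with `@param msg   message the port filter attribute is appended to` and `@return TNC_RESULT_FATAL if the attribute could not be filled in (attribute destroyed), TNC_RESULT_SUCCESS once it is queued`. The part of add_port_filter between the two hunks is outside this view, so what triggers the failure path is not visible here.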
@@ -254,7 +257,7 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
{
imc_state_t *state;
imc_msg_t *out_msg;
- TNC_Result result;
+ TNC_Result result = TNC_RESULT_SUCCESS;
if (!imc_scanner)
{
@@ -265,17 +268,30 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
{
return TNC_RESULT_FATAL;
}
- out_msg = imc_msg_create(imc_scanner, state, connection_id, imc_id,
- TNC_IMVID_ANY, msg_types[0]);
- result = send_message(out_msg);
- out_msg->destroy(out_msg);
+ if (lib->settings->get_bool(lib->settings,
+ "libimcv.plugins.imc-scanner.send_ports", TRUE))
+ {
+ out_msg = imc_msg_create(imc_scanner, state, connection_id, imc_id,
+ TNC_IMVID_ANY, msg_types[0]);
+ result = add_port_filter(out_msg);
+ if (result == TNC_RESULT_SUCCESS)
+ {
+ /* send PA-TNC message with the excl flag not set */
+ result = out_msg->send(out_msg, FALSE);
+ }
+ out_msg->destroy(out_msg);
+ }
return result;
}
static TNC_Result receive_message(imc_msg_t *in_msg)
{
- TNC_Result result;
+ imc_msg_t *out_msg;
+ enumerator_t *enumerator;
+ pa_tnc_attr_t *attr;
+ pen_type_t attr_type;
+ TNC_Result result = TNC_RESULT_SUCCESS;
bool fatal_error = FALSE;
/* parse received PA-TNC message and handle local and remote errors */
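Review bot: The send_ports branch in TNC_IMC_BeginHandshake carries no comment on the disabled case: the IMC then sends nothing and returns the initial TNC_RESULT_SUCCESS, leaving it to the IMV to ask for the port filter through an IETF Attribute Request, which receive_message answers. A one-line comment above `if (lib->settings->get_bool(lib->settings,`, e.g. `/* send_ports = no: wait for an IETF Attribute Request from the IMV instead */`, would make the two paths readable together. receive_message's body continues in the next hunk.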
@@ -284,7 +300,58 @@ static TNC_Result receive_message(imc_msg_t *in_msg)
{
return result;
}
- return fatal_error ? TNC_RESULT_FATAL : TNC_RESULT_SUCCESS;
+ out_msg = imc_msg_create_as_reply(in_msg);
+
+ /* analyze PA-TNC attributes */
+ enumerator = in_msg->create_attribute_enumerator(in_msg);
+ while (enumerator->enumerate(enumerator, &attr))
+ {
+ attr_type = attr->get_type(attr);
+
+ if (attr_type.vendor_id != PEN_IETF)
+ {
+ continue;
+ }
+ if (attr_type.type == IETF_ATTR_ATTRIBUTE_REQUEST)
+ {
+ ietf_attr_attr_request_t *attr_cast;
+ pen_type_t *entry;
+ enumerator_t *e;
+
+ attr_cast = (ietf_attr_attr_request_t*)attr;
+
+ e = attr_cast->create_enumerator(attr_cast);
+ while (e->enumerate(e, &entry))
+ {
+ if (entry->vendor_id != PEN_IETF)
+ {
+ continue;
+ }
+ switch (entry->type)
+ {
+ case IETF_ATTR_PORT_FILTER:
+ result = add_port_filter(out_msg);
+ break;
+ default:
+ break;
+ }
+ }
+ e->destroy(e);
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (fatal_error)
+ {
+ result = TNC_RESULT_FATAL;
+ }
+ else if (result == TNC_RESULT_SUCCESS)
+ {
+ result = out_msg->send(out_msg, TRUE);
+ }
+ out_msg->destroy(out_msg);
+
+ return result;
}
/**
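Review bot: In receive_message a TNC_RESULT_FATAL from add_port_filter can be overwritten by a later IETF_ATTR_PORT_FILTER entry of the same Attribute Request, because `result = add_port_filter(out_msg);` runs for every matching entry and the loops never stop on failure, so only the last value reaches the send decision. The same loop also appends one Port Filter attribute per matching entry, so a request listing the type several times yields several copies in the reply (what add_port_filter costs per call is outside this hunk). Recording the request in a flag and honouring it once after the enumeration keeps the first error and bounds the reply to a single attribute; receive_message's declarations are in the previous hunk.
```c
	bool port_filter_requested = FALSE;
	/* … unchanged: parse, reply creation, outer attribute loop … */
				switch (entry->type)
				{
					case IETF_ATTR_PORT_FILTER:
						/* remember the request; honour it once after the loops */
						port_filter_requested = TRUE;
						break;
					default:
						break;
				}
	/* … unchanged: enumerator cleanup … */
	if (fatal_error)
	{
		result = TNC_RESULT_FATAL;
	}
	else if (port_filter_requested)
	{
		result = add_port_filter(out_msg);
	}
	if (result == TNC_RESULT_SUCCESS)
	{
		result = out_msg->send(out_msg, TRUE);
	}
	out_msg->destroy(out_msg);
```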
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner.c b/src/libimcv/plugins/imv_scanner/imv_scanner.c
index 1705d3008..96ad5c68b 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner.c
@@ -18,6 +18,7 @@
#include <imv/imv_agent.h>
#include <imv/imv_msg.h>
#include <ietf/ietf_attr.h>
+#include <ietf/ietf_attr_attr_request.h>
#include <ietf/ietf_attr_pa_tnc_error.h>
#include <ietf/ietf_attr_port_filter.h>
@@ -34,7 +35,7 @@
static const char imv_name[] = "Scanner";
static pen_type_t msg_types[] = {
- { PEN_ITA, PA_SUBTYPE_ITA_SCANNER }
+ { PEN_IETF, PA_SUBTYPE_IETF_VPN }
};
static imv_agent_t *imv_scanner;
@@ -385,12 +386,36 @@ TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
TNC_ConnectionID connection_id)
{
+ imv_state_t *state;
+ imv_msg_t *out_msg;
+ pa_tnc_attr_t *attr;
+ TNC_IMV_Action_Recommendation rec;
+ TNC_IMV_Evaluation_Result eval;
+ TNC_Result result = TNC_RESULT_SUCCESS;
+
if (!imv_scanner)
{
DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
return TNC_RESULT_NOT_INITIALIZED;
}
- return TNC_RESULT_SUCCESS;
+ if (!imv_scanner->get_state(imv_scanner, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ state->get_recommendation(state, &rec, &eval);
+ if (rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+ {
+ out_msg = imv_msg_create(imv_scanner, state, connection_id, imv_id,
+ TNC_IMCID_ANY, msg_types[0]);
+ attr = ietf_attr_attr_request_create(PEN_IETF, IETF_ATTR_PORT_FILTER);
+ out_msg->add_attribute(out_msg, attr);
+
+ /* send PA-TNC message with excl flag not set */
+ result = out_msg->send(out_msg, FALSE);
+ out_msg->destroy(out_msg);
+
+ }
+ return result;
}
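Review bot: TNC_IMV_BatchEnding sends a fresh IETF Attribute Request for the port filter at every batch ending while the recommendation is still NO_RECOMMENDATION, and nothing in the hunk records that a request is already outstanding. If the peer has no Scanner IMC, or answers with an error instead of a Port Filter attribute, the request would presumably be repeated each batch; whether the TNCCS layer bounds that is outside this hunk — confirm, or keep a per-state flag so it is sent once. The gating also deserves a comment above the `if (rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)` line, e.g. `/* no recommendation yet: ask the IMC for its listening ports */`, and the blank line before the if-block's closing brace is a stray.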
/**
diff --git a/src/libtncif/tncif_pa_subtypes.c b/src/libtncif/tncif_pa_subtypes.c
index d15a1c864..135be3c31 100644
--- a/src/libtncif/tncif_pa_subtypes.c
+++ b/src/libtncif/tncif_pa_subtypes.c
@@ -61,12 +61,11 @@ ENUM_NEXT(pa_subtype_fhh_names, PA_SUBTYPE_FHH_ANY, PA_SUBTYPE_FHH_ANY,
);
ENUM_END(pa_subtype_fhh_names, PA_SUBTYPE_FHH_ANY);
-ENUM_BEGIN(pa_subtype_ita_names, PA_SUBTYPE_ITA_TEST, PA_SUBTYPE_ITA_SCANNER,
- "Test",
- "Scanner"
+ENUM_BEGIN(pa_subtype_ita_names, PA_SUBTYPE_ITA_TEST, PA_SUBTYPE_ITA_TEST,
+ "Test"
);
ENUM_NEXT(pa_subtype_ita_names, PA_SUBTYPE_ITA_ANY, PA_SUBTYPE_ITA_ANY,
- PA_SUBTYPE_ITA_SCANNER,
+ PA_SUBTYPE_ITA_TEST,
"ANY"
);
ENUM_END(pa_subtype_ita_names, PA_SUBTYPE_ITA_ANY);
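Review bot: Dropping "Scanner" from pa_subtype_ita_names (together with PA_SUBTYPE_ITA_SCANNER in tncif_pa_subtypes.h, the next hunk) removes a value from a public libtncif header, so any out-of-tree IMC/IMV still built against PEN_ITA subtype 0x02 stops compiling, and a peer still sending that subtype would presumably no longer reach the Scanner pair, which now registers under PEN_IETF/PA_SUBTYPE_IETF_VPN. Since the value is retired rather than renumbered, a note in the enum in tncif_pa_subtypes.h would spare the next reader a search, e.g. `/* 0x02 was PA_SUBTYPE_ITA_SCANNER; the Scanner IMC/IMV now use PEN_IETF/PA_SUBTYPE_IETF_VPN */`.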
diff --git a/src/libtncif/tncif_pa_subtypes.h b/src/libtncif/tncif_pa_subtypes.h
index 0be495bfc..2dc4c9220 100644
--- a/src/libtncif/tncif_pa_subtypes.h
+++ b/src/libtncif/tncif_pa_subtypes.h
@@ -84,7 +84,6 @@ extern enum_name_t *pa_subtype_fhh_names;
*/
enum pa_subtype_ita_t {
PA_SUBTYPE_ITA_TEST = 0x01,
- PA_SUBTYPE_ITA_SCANNER = 0x02,
PA_SUBTYPE_ITA_ANY = 0xff
};