diff options
28 files changed, 164 insertions, 130 deletions
diff --git a/configure.ac b/configure.ac index fb91ddd82..7111922c5 100644 --- a/configure.ac +++ b/configure.ac @@ -1062,7 +1062,7 @@ ADD_PLUGIN([xauth-noauth], [c charon]) ADD_PLUGIN([tnc-ifmap], [c charon]) ADD_PLUGIN([tnc-pdp], [c charon]) ADD_PLUGIN([tnc-imc], [t charon]) -ADD_PLUGIN([tnc-imv], [c charon]) +ADD_PLUGIN([tnc-imv], [t charon]) ADD_PLUGIN([tnc-tnccs], [t charon]) ADD_PLUGIN([tnccs-20], [t charon]) ADD_PLUGIN([tnccs-11], [t charon]) @@ -1378,6 +1378,7 @@ AC_CONFIG_FILES([ src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile + src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile @@ -1421,7 +1422,6 @@ AC_CONFIG_FILES([ src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile - src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in index 6a3bbac30..be8512d2d 100644 --- a/man/strongswan.conf.5.in +++ b/man/strongswan.conf.5.in @@ -712,9 +712,6 @@ Path to X.509 certificate file of IF-MAP server .BR charon.plugins.tnc-ifmap.username_password Credentials of IF-MAP client of the form username:password .TP -.BR charon.plugins.tnc-imv.dlclose " [yes]" -Unload IMV after use -.TP .BR charon.plugins.tnc-pdp.pt_tls.port " [271]" PT-TLS server port the strongSwan PDP is listening on .TP @@ -880,20 +877,23 @@ TNC IMC/IMV configuration directory .PP .SS libtnccs plugins section .TP -.BR charon.plugins.tnccs-11.max_message_size " [45000]" +.BR libtnccs.plugins.tnccs-11.max_message_size " [45000]" Maximum size of a PA-TNC message (XML & Base64 encoding) .TP -.BR charon.plugins.tnccs-20.max_batch_size " [65522]" +.BR libtnccs.plugins.tnccs-20.max_batch_size " [65522]" Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529) .TP -.BR charon.plugins.tnccs-20.max_message_size " [65490]" +.BR libtnccs.plugins.tnccs-20.max_message_size " [65490]" Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497) .TP -.BR charon.plugins.tnc-imc.dlclose " [yes]" +.BR libtnccs.plugins.tnc-imc.dlclose " [yes]" Unload IMC after use .TP -.BR charon.plugins.tnc-imc.preferred_language " [en]" +.BR libtnccs.plugins.tnc-imc.preferred_language " [en]" Preferred language for TNC recommendations +.TP +.BR libtnccs.plugins.tnc-imv.dlclose " [yes]" +Unload IMV after use .SS libimcv section .TP .BR libimcv.assessment_result " [yes]" diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index 65e344a70..9c7f67690 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -385,13 +385,6 @@ if MONOLITHIC endif endif -if USE_TNC_IMV - SUBDIRS += plugins/tnc_imv -if MONOLITHIC - libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc-imv.la -endif -endif - if USE_LIBTNCCS if MONOLITHIC # otherwise this library is linked to the respective plugins diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c index 839425d59..d14672e49 100644 --- a/src/libcharon/plugins/eap_tnc/eap_tnc.c +++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c @@ -22,6 +22,7 @@ #include <daemon.h> #include <tncifimv.h> +#include <tncif_names.h> /** * Maximum size of an EAP-TNC message @@ -62,6 +63,63 @@ struct private_eap_tnc_t { }; +/** + * Callback function to get recommendation from TNCCS connection + */ +static bool enforce_recommendation(TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval) +{ + char *group; + identification_t *id; + ike_sa_t *ike_sa; + auth_cfg_t *auth; + bool no_access = FALSE; + + DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'", + TNC_IMV_Action_Recommendation_names, rec, + TNC_IMV_Evaluation_Result_names, eval); + + switch (rec) + { + case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + group = "allow"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + group = "isolate"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: + case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: + default: + group = "no access"; + no_access = TRUE; + break; + } + + ike_sa = charon->bus->get_sa(charon->bus); + if (!ike_sa) + { + DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA"); + return FALSE; + } + + id = ike_sa->get_other_id(ike_sa); + DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group); + + if (no_access) + { + return FALSE; + } + else + { + auth = ike_sa->get_auth_cfg(ike_sa, FALSE); + id = identification_create_from_string(group); + auth->add(auth, AUTH_RULE_GROUP, id); + DBG1(DBG_TNC, "policy enforcement point added group membership '%s'", + group); + } + return TRUE; +} + METHOD(eap_method_t, initiate, status_t, private_eap_tnc_t *this, eap_payload_t **out) { @@ -224,8 +282,9 @@ static eap_tnc_t *eap_tnc_create(identification_t *server, free(this); return NULL; } - this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server, - server, peer, TNC_IFT_EAP_1_1); + this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, + is_server, server, peer, TNC_IFT_EAP_1_1, + is_server ? enforce_recommendation : NULL); this->tls_eap = tls_eap_create(EAP_TNC, &this->tnccs->tls, EAP_TNC_MAX_MESSAGE_LEN, max_msg_count, FALSE); diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c index 686df15c7..707b113e4 100644 --- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c +++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c @@ -26,6 +26,9 @@ #include <tnc/tnc.h> +#include <tncifimv.h> +#include <tncif_names.h> + #include <daemon.h> #include <utils/debug.h> #include <pen/pen.h> @@ -563,6 +566,19 @@ end: } /** + * Callback function to get recommendation from TNCCS connection + */ +static bool get_recommendation(TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval) +{ + DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'", + TNC_IMV_Action_Recommendation_names, rec, + TNC_IMV_Evaluation_Result_names, eval); + + return TRUE; +} + +/** * Get more data on a PT-TLS connection */ static bool pt_tls_receive_more(pt_tls_server_t *this, int fd, @@ -607,7 +623,8 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even peer = identification_create_from_encoding(ID_ANY, chunk_empty), tnccs = tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, TRUE, - this->server, peer, TNC_IFT_TLS_2_0); + this->server, peer, TNC_IFT_TLS_2_0, + (tnccs_cb_t)get_recommendation); peer->destroy(peer); if (!tnccs) diff --git a/src/libtnccs/Makefile.am b/src/libtnccs/Makefile.am index 8d618c3f8..d1f8825de 100644 --- a/src/libtnccs/Makefile.am +++ b/src/libtnccs/Makefile.am @@ -40,6 +40,13 @@ if MONOLITHIC endif endif +if USE_TNC_IMV + SUBDIRS += plugins/tnc_imv +if MONOLITHIC + libtnccs_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc-imv.la +endif +endif + if USE_TNCCS_11 SUBDIRS += plugins/tnccs_11 if MONOLITHIC diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc.c b/src/libtnccs/plugins/tnc_imc/tnc_imc.c index cbecf14c7..7c52ab384 100644 --- a/src/libtnccs/plugins/tnc_imc/tnc_imc.c +++ b/src/libtnccs/plugins/tnc_imc/tnc_imc.c @@ -1,6 +1,5 @@ /* - * Copyright (C) 2006 Mike McCauley - * Copyright (C) 2010-2011 Andreas Steffen, + * Copyright (C) 2010-2013 Andreas Steffen, * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libtnccs/plugins/tnc_imv/Makefile.am index 49efe3be4..0541d4c86 100644 --- a/src/libcharon/plugins/tnc_imv/Makefile.am +++ b/src/libtnccs/plugins/tnc_imv/Makefile.am @@ -1,7 +1,5 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon \ -I$(top_srcdir)/src/libtncif \ -I$(top_srcdir)/src/libtnccs \ -I$(top_srcdir)/src/libtls diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.c b/src/libtnccs/plugins/tnc_imv/tnc_imv.c index ef0387d70..ebf904513 100644 --- a/src/libcharon/plugins/tnc_imv/tnc_imv.c +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv.c @@ -1,6 +1,5 @@ /* - * Copyright (C) 2006 Mike McCauley - * Copyright (C) 2010-2011 Andreas Steffen, + * Copyright (C) 2010-2013 Andreas Steffen, * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -21,7 +20,6 @@ #include <tncif_pa_subtypes.h> #include <utils/debug.h> -#include <daemon.h> #include <library.h> #include <collections/linked_list.h> #include <threading/mutex.h> @@ -300,7 +298,7 @@ METHOD(imv_t, destroy, void, private_tnc_imv_t *this) { if (this->handle && lib->settings->get_bool(lib->settings, - "%s.plugins.tnc-imv.dlclose", TRUE, charon->name)) + "libtnccs.plugins.tnc-imv.dlclose", TRUE)) { dlclose(this->handle); } diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.h b/src/libtnccs/plugins/tnc_imv/tnc_imv.h index e7c7b8b4f..e7c7b8b4f 100644 --- a/src/libcharon/plugins/tnc_imv/tnc_imv.h +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv.h diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c b/src/libtnccs/plugins/tnc_imv/tnc_imv_bind_function.c index 36cdb7fbb..36cdb7fbb 100644 --- a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_bind_function.c diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c index b950e3119..b4f131b5d 100644 --- a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c @@ -1,6 +1,5 @@ /* - * Copyright (C) 2006 Mike McCauley - * Copyright (C) 2010-2011 Andreas Steffen + * Copyright (C) 2010-2013 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -19,7 +18,6 @@ #include "tnc_imv_recommendations.h" #include <tncifimv.h> -#include <tncif_names.h> #include <sys/types.h> #include <sys/stat.h> @@ -28,7 +26,6 @@ #include <errno.h> #include <fcntl.h> -#include <daemon.h> #include <utils/debug.h> #include <threading/rwlock.h> #include <threading/mutex.h> @@ -247,61 +244,6 @@ METHOD(imv_manager_t, create_recommendations, recommendations_t*, return tnc_imv_recommendations_create(this->imvs); } -METHOD(imv_manager_t, enforce_recommendation, bool, - private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec, - TNC_IMV_Evaluation_Result eval) -{ - char *group; - identification_t *id; - ike_sa_t *ike_sa; - auth_cfg_t *auth; - bool no_access = FALSE; - - DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'", - TNC_IMV_Action_Recommendation_names, rec, - TNC_IMV_Evaluation_Result_names, eval); - - switch (rec) - { - case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: - group = "allow"; - break; - case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: - group = "isolate"; - break; - case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: - case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: - default: - group = "no access"; - no_access = TRUE; - break; - } - - ike_sa = charon->bus->get_sa(charon->bus); - if (!ike_sa) - { - DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA"); - return FALSE; - } - - id = ike_sa->get_other_id(ike_sa); - DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group); - - if (no_access) - { - return FALSE; - } - else - { - auth = ike_sa->get_auth_cfg(ike_sa, FALSE); - id = identification_create_from_string(group); - auth->add(auth, AUTH_RULE_GROUP, id); - DBG1(DBG_TNC, "policy enforcement point added group membership '%s'", - group); - } - return TRUE; -} - METHOD(imv_manager_t, notify_connection_change, void, private_tnc_imv_manager_t *this, TNC_ConnectionID id, @@ -503,7 +445,6 @@ imv_manager_t* tnc_imv_manager_create(void) .reserve_id = _reserve_id, .get_recommendation_policy = _get_recommendation_policy, .create_recommendations = _create_recommendations, - .enforce_recommendation = _enforce_recommendation, .notify_connection_change = _notify_connection_change, .set_message_types = _set_message_types, .set_message_types_long = _set_message_types_long, @@ -520,8 +461,7 @@ imv_manager_t* tnc_imv_manager_create(void) policy = enum_from_name(recommendation_policy_names, lib->settings->get_str(lib->settings, - "%s.plugins.tnc-imv.recommendation_policy", "default", - charon->name)); + "libtnccs.plugins.tnc-imv.recommendation_policy", "default")); this->policy = (policy != -1) ? policy : RECOMMENDATION_POLICY_DEFAULT; DBG1(DBG_TNC, "TNC recommendation policy is '%N'", recommendation_policy_names, this->policy); diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.h index 2fe9e7ae3..2fe9e7ae3 100644 --- a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.h diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.c index d06c2fcaf..d06c2fcaf 100644 --- a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.c diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h index afeee2ea2..afeee2ea2 100644 --- a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.c index a9dbb2b9f..a9dbb2b9f 100644 --- a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.c diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h index 66d03b2f8..66d03b2f8 100644 --- a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h diff --git a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c index 60f6bc3c1..b8683f78c 100644 --- a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c +++ b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c @@ -169,8 +169,8 @@ METHOD(tnccs_manager_t, remove_method, void, METHOD(tnccs_manager_t, create_instance, tnccs_t*, private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server, - identification_t *server, identification_t *peer, - tnc_ift_type_t transport) + identification_t *server, identification_t *peer, tnc_ift_type_t transport, + tnccs_cb_t cb) { enumerator_t *enumerator; tnccs_entry_t *entry; @@ -182,7 +182,7 @@ METHOD(tnccs_manager_t, create_instance, tnccs_t*, { if (type == entry->type) { - protocol = entry->constructor(is_server, server, peer, transport); + protocol = entry->constructor(is_server, server, peer, transport, cb); if (protocol) { break; diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.c b/src/libtnccs/plugins/tnccs_11/tnccs_11.c index b19a048fe..715586167 100644 --- a/src/libtnccs/plugins/tnccs_11/tnccs_11.c +++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.c @@ -121,6 +121,11 @@ struct private_tnccs_11_t { */ recommendations_t *recs; + /** + * Callback function to communicate recommendation (TNC Server only) + */ + tnccs_cb_t callback; + }; METHOD(tnccs_t, send_msg, TNC_Result, @@ -540,7 +545,7 @@ METHOD(tls_t, is_complete, bool, if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval)) { - return tnc->imvs->enforce_recommendation(tnc->imvs, rec, eval); + return this->callback ? this->callback(rec, eval) : TRUE; } else { @@ -594,9 +599,8 @@ METHOD(tnccs_t, set_auth_type, void, * See header */ tnccs_t* tnccs_11_create(bool is_server, - identification_t *server, - identification_t *peer, - tnc_ift_type_t transport) + identification_t *server, identification_t *peer, + tnc_ift_type_t transport, tnccs_cb_t cb) { private_tnccs_11_t *this; @@ -622,6 +626,7 @@ tnccs_t* tnccs_11_create(bool is_server, .server = server->clone(server), .peer = peer->clone(peer), .transport = transport, + .callback = cb, .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .max_msg_len = lib->settings->get_int(lib->settings, "libtnccs.plugins.tnccs-11.max_message_size", 45000), diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.h b/src/libtnccs/plugins/tnccs_11/tnccs_11.h index 531ebb611..e805df8bb 100644 --- a/src/libtnccs/plugins/tnccs_11/tnccs_11.h +++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.h @@ -32,11 +32,11 @@ * @param server Server identity * @param peer Client identity * @param transport Underlying IF-T transport protocol + * @param cb Callback function if TNC Server, NULL if TNC Client * @return TNC_IF_TNCCS 1.1 protocol stack */ tnccs_t* tnccs_11_create(bool is_server, - identification_t *server, - identification_t *peer, - tnc_ift_type_t transport); + identification_t *server, identification_t *peer, + tnc_ift_type_t transport, tnccs_cb_t cb); #endif /** TNCCS_11_H_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.c b/src/libtnccs/plugins/tnccs_20/tnccs_20.c index 09900ade9..e5117e829 100644 --- a/src/libtnccs/plugins/tnccs_20/tnccs_20.c +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.c @@ -131,6 +131,16 @@ struct private_tnccs_20_t { */ recommendations_t *recs; + /** + * Callback function to communicate recommendation (TNC Server only) + */ + tnccs_cb_t callback; + + /** + * Data to pass to callback function (TNC Server only) + */ + void *cb_data; + }; /** @@ -844,7 +854,7 @@ METHOD(tls_t, is_complete, bool, if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval)) { - return tnc->imvs->enforce_recommendation(tnc->imvs, rec, eval); + return this->callback ? this->callback(rec, eval) : TRUE; } else { @@ -900,9 +910,8 @@ METHOD(tnccs_t, set_auth_type, void, * See header */ tnccs_t* tnccs_20_create(bool is_server, - identification_t *server, - identification_t *peer, - tnc_ift_type_t transport) + identification_t *server, identification_t *peer, + tnc_ift_type_t transport, tnccs_cb_t cb) { private_tnccs_20_t *this; @@ -928,6 +937,7 @@ tnccs_t* tnccs_20_create(bool is_server, .server = server->clone(server), .peer = peer->clone(peer), .transport = transport, + .callback = cb, .state_machine = pb_tnc_state_machine_create(is_server), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .messages = linked_list_create(), diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.h b/src/libtnccs/plugins/tnccs_20/tnccs_20.h index 314935069..2857b1408 100644 --- a/src/libtnccs/plugins/tnccs_20/tnccs_20.h +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.h @@ -32,11 +32,11 @@ * @param server Server identity * @param peer Client identity * @param transport Underlying IF-T transport protocol + * @param cb Callback function if TNC Server, NULL if TNC Client * @return TNC_IF_TNCCS 2.0 protocol stack */ tnccs_t* tnccs_20_create(bool is_server, - identification_t *server, - identification_t *peer, - tnc_ift_type_t transport); + identification_t *server, identification_t *peer, + tnc_ift_type_t transport, tnccs_cb_t cb); #endif /** TNCCS_20_H_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c index d4fc6a6f7..bc3112686 100644 --- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c +++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c @@ -56,6 +56,11 @@ struct private_tnccs_dynamic_t { */ u_int32_t auth_type; + /** + * Callback function to communicate recommendation (TNC Server only) + */ + tnccs_cb_t callback; + }; /** @@ -99,7 +104,8 @@ METHOD(tls_t, process, status_t, DBG1(DBG_TNC, "%N protocol detected dynamically", tnccs_type_names, type); tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE, - this->server, this->peer, this->transport); + this->server, this->peer, this->transport, + this->callback); if (!tnccs) { DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type); @@ -190,9 +196,8 @@ METHOD(tnccs_t, set_auth_type, void, * See header */ tnccs_t* tnccs_dynamic_create(bool is_server, - identification_t *server, - identification_t *peer, - tnc_ift_type_t transport) + identification_t *server, identification_t *peer, + tnc_ift_type_t transport, tnccs_cb_t cb) { private_tnccs_dynamic_t *this; @@ -217,6 +222,7 @@ tnccs_t* tnccs_dynamic_create(bool is_server, .server = server->clone(server), .peer = peer->clone(peer), .transport = transport, + .callback = cb, ); return &this->public; diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h index e4cff74b8..cbdc80b83 100644 --- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h +++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h @@ -32,11 +32,11 @@ * @param server Server identity * @param peer Client identity * @param transport Underlying IF-T transport protocol + * @param cb Callback function if TNC Server, NULL if TNC Client * @return dynamic TNC IF-TNCCS protocol stack */ tnccs_t* tnccs_dynamic_create(bool is_server, - identification_t *server, - identification_t *peer, - tnc_ift_type_t transport); + identification_t *server, identification_t *peer, + tnc_ift_type_t transport, tnccs_cb_t cb); #endif /** TNCCS_DYNAMIC_H_ @}*/ diff --git a/src/libtnccs/tnc/imv/imv_manager.h b/src/libtnccs/tnc/imv/imv_manager.h index 7772b7e08..b72eb8bf7 100644 --- a/src/libtnccs/tnc/imv/imv_manager.h +++ b/src/libtnccs/tnc/imv/imv_manager.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010-2013 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -114,18 +114,6 @@ struct imv_manager_t { recommendations_t* (*create_recommendations)(imv_manager_t *this); /** - * Enforce the TNC recommendation on the IKE_SA by either inserting an - * allow|isolate group membership rule (TRUE) or by blocking access (FALSE) - * - * @param rec TNC action recommendation - * @param eval TNC evaluation result - * @return TRUE for allow|isolate, FALSE for none - */ - bool (*enforce_recommendation)(imv_manager_t *this, - TNC_IMV_Action_Recommendation rec, - TNC_IMV_Evaluation_Result eval); - - /** * Notify all IMV instances * * @param state communicate the state a connection has reached diff --git a/src/libtnccs/tnc/tnccs/tnccs.h b/src/libtnccs/tnc/tnccs/tnccs.h index fd3e5cabb..b1ac0906c 100644 --- a/src/libtnccs/tnc/tnccs/tnccs.h +++ b/src/libtnccs/tnc/tnccs/tnccs.h @@ -38,6 +38,17 @@ typedef enum tnc_ift_type_t tnc_ift_type_t; #include <tls.h> /** + * Callback function to communicate action recommendation and evaluation result + * generated by TNC server + * + * @param rec TNC Action Recommendation + * @param eval TNC Evaluation Result + * @return TRUE to terminate TNCCS connection, FALSE to keep it + */ +typedef bool (*tnccs_cb_t)(TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval); + +/** * Type of TNC Client/Server protocol */ enum tnccs_type_t { @@ -112,12 +123,14 @@ struct tnccs_t { * @param server Server identity * @param peer Client identity * @param transport Underlying TNC IF-T transport protocol used + * @param cb Callback function if TNC Server, NULL if TNC Client * @return implementation of the tnccs_t interface */ typedef tnccs_t *(*tnccs_constructor_t)(bool is_server, identification_t *server, identification_t *peer, - tnc_ift_type_t transport); + tnc_ift_type_t transport, + tnccs_cb_t cb); /** * Callback function adding a message to a TNCCS batch diff --git a/src/libtnccs/tnc/tnccs/tnccs_manager.h b/src/libtnccs/tnc/tnccs/tnccs_manager.h index 4ab9d7e18..791336ee1 100644 --- a/src/libtnccs/tnc/tnccs/tnccs_manager.h +++ b/src/libtnccs/tnc/tnccs/tnccs_manager.h @@ -59,12 +59,13 @@ struct tnccs_manager_t { * @param server Server identity * @param peer Client identity * @param transport Underlying TNC IF-T transport protocol used + * @param cb Callback function if TNC Server, NULL if TNC Client * @return TNCCS protocol instance, NULL if no constructor found */ tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type, bool is_server, identification_t *server, identification_t *peer, - tnc_ift_type_t transport); + tnc_ift_type_t transport, tnccs_cb_t cb); /** * Create a TNCCS connection and assign a unique connection ID as well a diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c index 2b104f8d5..09b42b6fe 100644 --- a/src/pt-tls-client/pt-tls-client.c +++ b/src/pt-tls-client/pt-tls-client.c @@ -59,7 +59,7 @@ static int client(char *address, u_int16_t port, char *identity) server = identification_create_from_string(address); client = identification_create_from_string(identity); tnccs = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, FALSE, - server, client, TNC_IFT_TLS_2_0); + server, client, TNC_IFT_TLS_2_0, NULL); if (!tnccs) { fprintf(stderr, "loading TNCCS failed: %s\n", PLUGINS); |