aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv_manager.c40
-rw-r--r--src/libcharon/tnc/imv/imv_manager.h10
2 files changed, 48 insertions, 2 deletions
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
index 00060bbce..c5de5720a 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
@@ -19,8 +19,7 @@
#include <tnc/tncifimv.h>
#include <debug.h>
-#include <library.h>
-#include <utils/linked_list.h>
+#include <daemon.h>
typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t;
@@ -98,6 +97,42 @@ METHOD(imv_manager_t, get_count, int,
return this->imvs->get_count(this->imvs);
}
+METHOD(imv_manager_t, enforce_recommendation, bool,
+ private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec)
+{
+ char *group;
+ identification_t *id;
+ ike_sa_t *ike_sa;
+ auth_cfg_t *auth;
+
+ switch (rec)
+ {
+ case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+ DBG1(DBG_TNC, "TNC recommendation is allow");
+ group = "allow";
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+ DBG1(DBG_TNC, "TNC recommendation is isolate");
+ group = "isolate";
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+ case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+ default:
+ DBG1(DBG_TNC, "TNC recommendation is none");
+ return FALSE;
+ }
+ ike_sa = charon->bus->get_sa(charon->bus);
+ if (ike_sa)
+ {
+ auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+ id = identification_create_from_string(group);
+ auth->add(auth, AUTH_RULE_GROUP, id);
+ DBG1(DBG_TNC, "TNC added group membership '%s'", group);
+ }
+ return TRUE;
+}
+
+
METHOD(imv_manager_t, notify_connection_change, void,
private_tnc_imv_manager_t *this, TNC_ConnectionID id,
TNC_ConnectionState state)
@@ -222,6 +257,7 @@ imv_manager_t* tnc_imv_manager_create(void)
.add = _add,
.remove = _remove_, /* avoid name conflict with stdio.h */
.get_count = _get_count,
+ .enforce_recommendation = _enforce_recommendation,
.notify_connection_change = _notify_connection_change,
.set_message_types = _set_message_types,
.solicit_recommendation = _solicit_recommendation,
diff --git a/src/libcharon/tnc/imv/imv_manager.h b/src/libcharon/tnc/imv/imv_manager.h
index 148236145..0e8319396 100644
--- a/src/libcharon/tnc/imv/imv_manager.h
+++ b/src/libcharon/tnc/imv/imv_manager.h
@@ -56,6 +56,16 @@ struct imv_manager_t {
int (*get_count)(imv_manager_t *this);
/**
+ * Enforce the TNC recommendation on the IKE_SA by either inserting an
+ * allow|isolate group membership rule (TRUE) or by blocking access (FALSE)
+ *
+ * @param void TNC action recommendation
+ * @return TRUE for allow|isolate, FALSE for none
+ */
+ bool (*enforce_recommendation)(imv_manager_t *this,
+ TNC_IMV_Action_Recommendation rec);
+
+ /**
* Notify all IMV instances
*
* @param state communicate the state a connection has reached
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-19 13:39:03 +0000