Diffstat (limited to 'src')
-rw-r--r-- | src/libimcv/ietf/ietf_attr_pa_tnc_error.c | 145 | ||||
-rw-r--r-- | src/libimcv/ietf/ietf_attr_pa_tnc_error.h | 24 | ||||
-rw-r--r-- | src/libimcv/imc/imc_agent.c | 56 | ||||
-rw-r--r-- | src/libimcv/imc/imc_agent.h | 17 | ||||
-rw-r--r-- | src/libimcv/imv/imv_agent.c | 58 | ||||
-rw-r--r-- | src/libimcv/imv/imv_agent.h | 17 | ||||
-rw-r--r-- | src/libimcv/pa_tnc/pa_tnc_msg.c | 41 | ||||
-rw-r--r-- | src/libimcv/pa_tnc/pa_tnc_msg.h | 2 | ||||
-rw-r--r-- | src/libimcv/plugins/imc_test/imc_test.c | 68 | ||||
-rw-r--r-- | src/libimcv/plugins/imv_test/imv_test.c | 70 |
10 files changed, 446 insertions, 52 deletions
diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
index 5d0f9a278..9702f4187 100644
--- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
+++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.c
@@ -14,7 +14,9 @@
 #include "ietf_attr_pa_tnc_error.h"
+#include <pa_tnc/pa_tnc_msg.h>
 #include <bio/bio_writer.h>
+#include <bio/bio_reader.h>
 #include <debug.h>
 ENUM(pa_tnc_error_code_names, PA_ERROR_RESERVED,
@@ -42,8 +44,48 @@ typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -#define IETF_ATTR_PA_TNC_ERROR_HEADER_SIZE 12 -#define IETF_ATTR_PA_TNC_ERROR_RESERVED 0x00 +#define PA_ERROR_HEADER_SIZE 8 +#define PA_ERROR_RESERVED 0x00 + +/** + * All Error Types return the first 8 bytes of the erroneous PA-TNC message + * + * 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Version | Copy of Reserved | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Message Identifier | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define PA_ERROR_MSG_INFO_SIZE 8 + +/** + * "Version Not Supported" Error Code + * + * 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Max Version | Min Version | Reserved | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define PA_ERROR_VERSION_RESERVED 0x0000 + +/** + * "Attribute Type Not Supported" Error Code + * + * 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Flags | PA-TNC Attribute Vendor ID | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | PA-TNC Attribute Type | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define PA_ERROR_ATTR_INFO_SIZE 8 /** * Private data of an ietf_attr_pa_tnc_error_t object. @@ -86,9 +128,14 @@ struct private_ietf_attr_pa_tnc_error_t { u_int32_t error_code; /** - * PA-TNC message header + * First 8 bytes of erroneous PA-TNC message */ - chunk_t header; + chunk_t msg_info; + + /** + * First 8 bytes of unsupported PA-TNC attribute + */ + chunk_t attr_info; /** * Reference count 
@@ -131,11 +178,28 @@ METHOD(pa_tnc_attr_t, build, void,
 {
 bio_writer_t *writer;
- writer = bio_writer_create(IETF_ATTR_PA_TNC_ERROR_HEADER_SIZE);
- writer->write_uint8 (writer, IETF_ATTR_PA_TNC_ERROR_RESERVED);
+ writer = bio_writer_create(PA_ERROR_HEADER_SIZE + PA_ERROR_MSG_INFO_SIZE);
+ writer->write_uint8 (writer, PA_ERROR_RESERVED);
 writer->write_uint24(writer, this->error_vendor_id);
 writer->write_uint32(writer, this->error_code);
- writer->write_data (writer, this->header);
+ writer->write_data (writer, this->msg_info);
+
+ switch (this->error_code)
+ {
+ case PA_ERROR_INVALID_PARAMETER:
+ break;
+ case PA_ERROR_VERSION_NOT_SUPPORTED:
+ writer->write_uint8 (writer, PA_TNC_VERSION);
+ writer->write_uint8 (writer, PA_TNC_VERSION);
+ writer->write_uint16(writer, PA_ERROR_VERSION_RESERVED);
+ break;
+ case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
+ writer->write_data(writer, this->attr_info);
+ break;
+ default:
+ break;
+ }
+
 this->value = chunk_clone(writer->get_buf(writer));
 writer->destroy(writer);
 }
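Review bot: In the PA_ERROR_ATTR_TYPE_NOT_SUPPORTED case, `writer->write_data(writer, this->attr_info);` emits whatever attr_info currently holds, and for an attribute made by ietf_attr_pa_tnc_error_create() that chunk stays empty until set_attr_info() has been called, so the encoded error would go out 8 bytes short and, per the process() hunk below, be rejected by the peer as insufficient data. build() should refuse to encode this error code while `this->attr_info.len != PA_ERROR_ATTR_INFO_SIZE` (or the setter should be documented as mandatory for it). A comment above the switch, `/* error-code specific trailer; attr_info must be set for ATTR_TYPE_NOT_SUPPORTED */`, would make the contract visible at the point it matters.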
@@ -143,6 +207,38 @@ METHOD(pa_tnc_attr_t, build, void,
 METHOD(pa_tnc_attr_t, process, status_t,
 private_ietf_attr_pa_tnc_error_t *this)
 {
+ bio_reader_t *reader;
+ u_int8_t reserved;
+
+ if (this->value.len < PA_ERROR_HEADER_SIZE + PA_ERROR_MSG_INFO_SIZE)
+ {
+ return FAILED;
+ }
+ reader = bio_reader_create(this->value);
+ reader->read_uint8 (reader, &reserved);
+ reader->read_uint24(reader, &this->error_vendor_id);
+ reader->read_uint32(reader, &this->error_code);
+ reader->read_data (reader, PA_ERROR_MSG_INFO_SIZE, &this->msg_info);
+ this->msg_info = chunk_clone(this->msg_info);
+
+ switch (this->error_code)
+ {
+ case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
+ if (!reader->read_data(reader, PA_ERROR_ATTR_INFO_SIZE,
+ &this->attr_info))
+ {
+ reader->destroy(reader);
+ DBG1(DBG_TNC, "insufficient data for unsupported attribute "
+ "information");
+ return FAILED;
+ }
+ this->attr_info = chunk_clone(this->attr_info);
+ break;
+ default:
+ break;
+ }
+ reader->destroy(reader);
+
 return SUCCESS;
 }
@@ -158,7 +254,9 @@ METHOD(pa_tnc_attr_t, destroy, void,
 {
 if (ref_put(&this->ref))
 {
- free(this->header.ptr);
+ free(this->value.ptr);
+ free(this->msg_info.ptr);
+ free(this->attr_info.ptr);
 free(this);
 }
 }
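Review bot: process() never checks `reader->remaining(reader)` after the fields it knows, so an attribute carrying extra trailing bytes is accepted silently, and the Max/Min Version octets of a PA_ERROR_VERSION_NOT_SUPPORTED error are never extracted even though the build() hunk above emits them. Consider adding `case PA_ERROR_VERSION_NOT_SUPPORTED:` with a guarded read of the two version octets (stored or at least logged) so a receiver can tell which versions the peer supports, and log leftover bytes in the default path. `reserved` is read and then dropped; a `/* reserved octet is ignored on receipt */` comment would say so. In the destroy hunk `free(this->value.ptr)` is new; if build() can run more than once on the same object the earlier clone is lost — not visible here, so worth confirming.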
@@ -175,16 +273,35 @@ METHOD(ietf_attr_pa_tnc_error_t, get_error_code, u_int32_t, return this->error_code; } +METHOD(ietf_attr_pa_tnc_error_t, get_msg_info, chunk_t, + private_ietf_attr_pa_tnc_error_t *this) +{ + return this->msg_info; +} + +METHOD(ietf_attr_pa_tnc_error_t, get_attr_info, chunk_t, + private_ietf_attr_pa_tnc_error_t *this) +{ + return this->attr_info; +} + +METHOD(ietf_attr_pa_tnc_error_t, set_attr_info, void, + private_ietf_attr_pa_tnc_error_t *this, chunk_t attr_info) +{ + this->attr_info = chunk_clone(attr_info); +} + /** * Described in header. */ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_t vendor_id, u_int32_t error_code, - chunk_t header) + chunk_t msg_info) { private_ietf_attr_pa_tnc_error_t *this; - header.len = 8; + /* the first 8 bytes of the erroneous PA-TNC message are sent back */ + msg_info.len = PA_ERROR_MSG_INFO_SIZE; INIT(this, .public = { @@ -201,12 +318,15 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_t vendor_id, }, .get_vendor_id = _get_error_vendor_id, .get_error_code = _get_error_code, + .get_msg_info = _get_msg_info, + .get_attr_info = _get_attr_info, + .set_attr_info = _set_attr_info, }, .vendor_id = PEN_IETF, .type = IETF_ATTR_PA_TNC_ERROR, .error_vendor_id = vendor_id, .error_code = error_code, - .header = chunk_clone(header), + .msg_info = chunk_clone(msg_info), .ref = 1, ); @@ -233,6 +353,9 @@ pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_from_data(chunk_t data) }, .get_vendor_id = _get_error_vendor_id, .get_error_code = _get_error_code, + .get_msg_info = _get_msg_info, + .get_attr_info = _get_attr_info, + .set_attr_info = _set_attr_info, }, .vendor_id = PEN_IETF, .type = IETF_ATTR_PA_TNC_ERROR, diff --git a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h index d6641639e..7f0e0a90a 100644 --- a/src/libimcv/ietf/ietf_attr_pa_tnc_error.h +++ b/src/libimcv/ietf/ietf_attr_pa_tnc_error.h 
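Review bot: `msg_info.len = PA_ERROR_MSG_INFO_SIZE;` is forced before `chunk_clone(msg_info)` without checking that the caller passed at least 8 bytes, so an erroneous message shorter than a PA-TNC header would make the clone read past the end of the caller's buffer. Clamp it first, `if (msg_info.len > PA_ERROR_MSG_INFO_SIZE) { msg_info.len = PA_ERROR_MSG_INFO_SIZE; }`, decide explicitly what a shorter chunk means (reject or pad), and word the comment as that rule rather than "are sent back". set_attr_info() assigns `this->attr_info` without freeing a previous clone, so a second call leaks; `free(this->attr_info.ptr);` before the assignment fixes it. The context line still defines get_error_code with return type u_int32_t while the header hunk changes the function pointer to return pa_tnc_error_code_t; the two declarations should agree.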
@@ -22,6 +22,7 @@ #define IETF_ATTR_PA_TNC_ERROR_H_ typedef struct ietf_attr_pa_tnc_error_t ietf_attr_pa_tnc_error_t; +typedef enum pa_tnc_error_code_t pa_tnc_error_code_t; #include "ietf_attr.h" #include "pa_tnc/pa_tnc_attr.h" @@ -65,7 +66,28 @@ struct ietf_attr_pa_tnc_error_t { * * @return error code */ - pen_t (*get_error_code)(ietf_attr_pa_tnc_error_t *this); + pa_tnc_error_code_t (*get_error_code)(ietf_attr_pa_tnc_error_t *this); + + /** + * Get first 8 bytes of erroneous PA-TNC message + * + * @return PA-TNC message info + */ + chunk_t (*get_msg_info)(ietf_attr_pa_tnc_error_t *this); + + /** + * Get first 8 bytes of unsupported PA-TNC attribute + * + * @return PA-TNC attribute info + */ + chunk_t (*get_attr_info)(ietf_attr_pa_tnc_error_t *this); + + /** + * Set first 8 bytes of unsupported PA-TNC attribute + * + * @param attr_info PA-TNC message info + */ + void (*set_attr_info)(ietf_attr_pa_tnc_error_t *this, chunk_t attr_info); }; /** diff --git a/src/libimcv/imc/imc_agent.c b/src/libimcv/imc/imc_agent.c index 68799c817..17c656d00 100644 --- a/src/libimcv/imc/imc_agent.c +++ b/src/libimcv/imc/imc_agent.c 
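Review bot: The set_attr_info() doc reads `@param attr_info PA-TNC message info`, but the parameter carries the first 8 bytes of the unsupported attribute, as its own summary line says; change it to `@param attr_info PA-TNC attribute info`. It would also help callers to state that this setter is only meaningful for PA_ERROR_ATTR_TYPE_NOT_SUPPORTED errors and that the chunk is cloned (visible in the .c hunk), so the caller keeps ownership of its buffer.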
@@ -271,6 +271,61 @@ METHOD(imc_agent_t, send_message, TNC_Result,
 this->type);
 }
+METHOD(imc_agent_t, receive_message, TNC_Result,
+ private_imc_agent_t *this, TNC_ConnectionID connection_id, chunk_t msg,
+ TNC_MessageType msg_type, pa_tnc_msg_t **pa_tnc_msg)
+{
+ pa_tnc_msg_t *pa_msg, *error_msg;
+ pa_tnc_attr_t *error_attr;
+ enumerator_t *enumerator;
+ TNC_Result result;
+
+ DBG2(DBG_IMV, "IMC %u \"%s\" received message type 0x%08x for Connection ID %u",
+ this->id, this->name, msg_type, connection_id);
+
+ *pa_tnc_msg = NULL;
+ pa_msg = pa_tnc_msg_create_from_data(msg);
+
+ switch (pa_msg->process(pa_msg))
+ {
+ case SUCCESS:
+ *pa_tnc_msg = pa_msg;
+ break;
+ case VERIFY_ERROR:
+ if (!this->send_message)
+ {
+ /* TNCC doen't have a SendMessage() function */
+ return TNC_RESULT_FATAL;
+ }
+
+ /* build error message */
+ error_msg = pa_tnc_msg_create();
+ enumerator = pa_msg->create_error_enumerator(pa_msg);
+ while (enumerator->enumerate(enumerator, &error_attr))
+ {
+ error_msg->add_attribute(error_msg,
+ error_attr->get_ref(error_attr));
+ }
+ enumerator->destroy(enumerator);
+ error_msg->build(error_msg);
+
+ /* send error message */
+ msg = error_msg->get_encoding(error_msg);
+ result = this->send_message(this->id, connection_id,
+ msg.ptr, msg.len, msg_type);
+
+ /* clean up */
+ error_msg->destroy(error_msg);
+ pa_msg->destroy(pa_msg);
+ return result;
+ case FAILED:
+ default:
+ pa_msg->destroy(pa_msg);
+ return TNC_RESULT_FATAL;
+ }
+ return TNC_RESULT_SUCCESS;
+}
+
 METHOD(imc_agent_t, destroy, void,
 private_imc_agent_t *this)
 {
@@ -306,6 +361,7 @@ imc_agent_t *imc_agent_create(const char *name,
 .change_state = _change_state,
 .get_state = _get_state,
 .send_message = _send_message,
+ .receive_message = _receive_message,
 .destroy = _destroy,
 },
 .name = name,
diff --git a/src/libimcv/imc/imc_agent.h b/src/libimcv/imc/imc_agent.h
index 7c7ef732b..f9d16fa50 100644
--- a/src/libimcv/imc/imc_agent.h
+++ b/src/libimcv/imc/imc_agent.h
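Review bot: In the VERIFY_ERROR branch, `return TNC_RESULT_FATAL;` taken when `this->send_message` is unset leaves `pa_msg` undestroyed, so every malformed message received by an IMC whose TNCC lacks SendMessage() leaks the parsed object; add `pa_msg->destroy(pa_msg);` before that return. The DBG2 at the top of the function logs under DBG_IMV although this is the IMC agent (the call it replaces in imc_test.c used DBG_IMC), so the line lands in the wrong debug group. The same early-return leak is in the imv_agent.c hunk (`@@ -319,6 +319,63 @@`), and both branch comments misspell "doen't".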
@@ -22,6 +22,7 @@ #define IMC_AGENT_H_ #include "imc_state.h" +#include "pa_tnc/pa_tnc_msg.h" #include <tncifimc.h> #include <pen/pen.h> @@ -95,7 +96,7 @@ struct imc_agent_t { TNC_ConnectionID connection_id, imc_state_t **state); /** - * Call when an IMC-IMV message is to be sent + * Call when an PA-TNC message is to be sent * * @param connection_id network connection ID assigned by TNCC * @param msg message to send @@ -106,6 +107,20 @@ struct imc_agent_t { chunk_t msg); /** + * Call when a PA-TNC message was received + * + * @param connection_id network connection ID assigned by TNCC + * @param msg received unparsed message + * @param msg_type message type of the received message + * @param pa_tnc_message parsed PA-TNC message or NULL if an error occurred + * @return TNC result code + */ + TNC_Result (*receive_message)(imc_agent_t *this, + TNC_ConnectionID connection_id, chunk_t msg, + TNC_MessageType msg_type, + pa_tnc_msg_t **pa_tnc_msg); + + /** * Destroys an imc_agent_t object */ void (*destroy)(imc_agent_t *this); diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c index cca3ed4f4..72b0d43cf 100644 --- a/src/libimcv/imv/imv_agent.c +++ b/src/libimcv/imv/imv_agent.c 
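Review bot: The new receive_message() doc lists `@param pa_tnc_message` but the parameter is named `pa_tnc_msg`, so the tag refers to a parameter that does not exist; change it to `@param pa_tnc_msg`. The imv_agent.h hunk has the same mismatch. It would also be worth stating the ownership rule visible in imc_agent.c: on success the caller owns `*pa_tnc_msg` and must destroy it, while on a verification error the agent sends the error reply itself and hands back NULL.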
@@ -319,6 +319,63 @@ METHOD(imv_agent_t, set_recommendation, TNC_Result, return this->provide_recommendation(this->id, connection_id, rec, eval); } +METHOD(imv_agent_t, receive_message, TNC_Result, + private_imv_agent_t *this, TNC_ConnectionID connection_id, chunk_t msg, + TNC_MessageType msg_type, pa_tnc_msg_t **pa_tnc_msg) +{ + pa_tnc_msg_t *pa_msg, *error_msg; + pa_tnc_attr_t *error_attr; + enumerator_t *enumerator; + TNC_Result result; + + DBG2(DBG_IMV, "IMV %u \"%s\" received message type 0x%08x for Connection ID %u", + this->id, this->name, msg_type, connection_id); + + *pa_tnc_msg = NULL; + pa_msg = pa_tnc_msg_create_from_data(msg); + + switch (pa_msg->process(pa_msg)) + { + case SUCCESS: + *pa_tnc_msg = pa_msg; + break; + case VERIFY_ERROR: + if (!this->send_message) + { + /* TNCS doen't have a SendMessage() function */ + return TNC_RESULT_FATAL; + } + + /* build error message */ + error_msg = pa_tnc_msg_create(); + enumerator = pa_msg->create_error_enumerator(pa_msg); + while (enumerator->enumerate(enumerator, &error_attr)) + { + error_msg->add_attribute(error_msg, + error_attr->get_ref(error_attr)); + } + enumerator->destroy(enumerator); + error_msg->build(error_msg); + + /* send error message */ + msg = error_msg->get_encoding(error_msg); + result = this->send_message(this->id, connection_id, + msg.ptr, msg.len, msg_type); + + /* clean up */ + error_msg->destroy(error_msg); + pa_msg->destroy(pa_msg); + return result; + case FAILED: + default: + pa_msg->destroy(pa_msg); + return set_recommendation(this, connection_id, + TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, + TNC_IMV_EVALUATION_RESULT_ERROR); + } + return TNC_RESULT_SUCCESS; +} + METHOD(imv_agent_t, provide_recommendation, TNC_Result, private_imv_agent_t *this, TNC_ConnectionID connection_id) { 
@@ -373,6 +430,7 @@ imv_agent_t *imv_agent_create(const char *name, .change_state = _change_state, .get_state = _get_state, .send_message = _send_message, + .receive_message = _receive_message, .set_recommendation = _set_recommendation, .provide_recommendation = _provide_recommendation, .destroy = _destroy, diff --git a/src/libimcv/imv/imv_agent.h b/src/libimcv/imv/imv_agent.h index d0816b3ad..00e9c9d9f 100644 --- a/src/libimcv/imv/imv_agent.h +++ b/src/libimcv/imv/imv_agent.h @@ -22,6 +22,7 @@ #define IMV_AGENT_H_ #include "imv_state.h" +#include "pa_tnc/pa_tnc_msg.h" #include <tncifimv.h> #include <pen/pen.h> @@ -131,7 +132,7 @@ struct imv_agent_t { TNC_ConnectionID connection_id, imv_state_t **state); /** - * Call when an IMV-IMC message is to be sent + * Call when a PA-TNC message is to be sent * * @param connection_id network connection ID assigned by TNCS * @param msg message to send @@ -141,6 +142,20 @@ struct imv_agent_t { TNC_ConnectionID connection_id, chunk_t msg); /** + * Call when a PA-TNC message was received + * + * @param connection_id network connection ID assigned by TNCS + * @param msg received unparsed message + * @param msg_type message type of the received message + * @param pa_tnc_message parsed PA-TNC message or NULL if an error occurred + * @return TNC result code + */ + TNC_Result (*receive_message)(imv_agent_t *this, + TNC_ConnectionID connection_id, chunk_t msg, + TNC_MessageType msg_type, + pa_tnc_msg_t **pa_tnc_msg); + + /** * Set Action Recommendation and Evaluation Result in the IMV state * # @param connection_id network connection ID assigned by TNCS diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.c b/src/libimcv/pa_tnc/pa_tnc_msg.c index 0eea4c311..eb6c648ca 100644 --- a/src/libimcv/pa_tnc/pa_tnc_msg.c +++ b/src/libimcv/pa_tnc/pa_tnc_msg.c @@ -39,7 +39,6 @@ typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t; */ #define PA_TNC_HEADER_SIZE 8 -#define PA_TNC_VERSION 0x01 #define PA_TNC_RESERVED 0x000000 /** 
@@ -61,6 +60,7 @@ typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t; #define PA_TNC_ATTR_FLAG_NONE 0x00 #define PA_TNC_ATTR_FLAG_NOSKIP (1<<7) #define PA_TNC_ATTR_HEADER_SIZE 12 +#define PA_TNC_ATTR_INFO_SIZE 8 /** * Private data of a pa_tnc_msg_t object. @@ -140,8 +140,18 @@ METHOD(pa_tnc_msg_t, build, void, value = attr->get_value(attr); flags = attr->get_noskip_flag(attr) ? PA_TNC_ATTR_FLAG_NOSKIP : PA_TNC_ATTR_FLAG_NONE; - DBG2(DBG_TNC, "creating PA-TNC attribute type 0x%06x(%N)/0x%08x", - vendor_id, pen_names, vendor_id, type); + if (vendor_id == PEN_IETF) + { + DBG2(DBG_TNC, "creating PA-TNC attribute type '%N/%N' " + "0x%06x/0x%08x", pen_names, vendor_id, + ietf_attr_names, type, vendor_id, type); + } + else + { + DBG2(DBG_TNC, "creating PA-TNC attribute type '%N' " + "0x%06x/0x%08x", pen_names, vendor_id, + vendor_id, type); + } DBG3(DBG_TNC, "%B", &value); writer->write_uint8 (writer, flags); @@ -176,6 +186,7 @@ METHOD(pa_tnc_msg_t, process, status_t, reader->read_uint8 (reader, &version); reader->read_uint24(reader, &reserved); reader->read_uint32(reader, &this->identifier); + DBG2(DBG_TNC, "processing PA-TNC message with ID 0x%08x", this->identifier); if (version != PA_TNC_VERSION) { @@ -184,7 +195,6 @@ METHOD(pa_tnc_msg_t, process, status_t, PA_ERROR_VERSION_NOT_SUPPORTED, this->encoding); goto err; } - DBG2(DBG_TNC, "processing PA-TNC message with ID 0x%08x", this->identifier); /* pre-process PA-TNC attributes */ while (reader->remaining(reader) >= PA_TNC_ATTR_HEADER_SIZE) 
@@ -192,15 +202,28 @@ METHOD(pa_tnc_msg_t, process, status_t, pen_t vendor_id; u_int8_t flags; u_int32_t type, length; - chunk_t value; + chunk_t value, attr_info; pa_tnc_attr_t *attr; + ietf_attr_pa_tnc_error_t *error_attr; + attr_info = reader->peek(reader); + attr_info.len = PA_TNC_ATTR_INFO_SIZE; reader->read_uint8 (reader, &flags); reader->read_uint24(reader, &vendor_id); reader->read_uint32(reader, &type); reader->read_uint32(reader, &length); - DBG2(DBG_TNC, "processing PA-TNC attribute type 0x%06x(%N)/0x%08x", - vendor_id, pen_names, vendor_id, type); + if (vendor_id == PEN_IETF) + { + DBG2(DBG_TNC, "processing PA-TNC attribute type '%N/%N' " + "0x%06x/0x%08x", pen_names, vendor_id, + ietf_attr_names, type, vendor_id, type); + } + else + { + DBG2(DBG_TNC, "processing PA-TNC attribute type '%N' " + "0x%06x/0x%08x", pen_names, vendor_id, + vendor_id, type); + } if (length < PA_TNC_ATTR_HEADER_SIZE) { @@ -229,6 +252,8 @@ METHOD(pa_tnc_msg_t, process, status_t, DBG1(DBG_TNC, "unsupported PA-TNC attribute with NOSKIP flag"); error = ietf_attr_pa_tnc_error_create(PEN_IETF, PA_ERROR_ATTR_TYPE_NOT_SUPPORTED, this->encoding); + error_attr = (ietf_attr_pa_tnc_error_t*)error; + error_attr->set_attr_info(error_attr, attr_info); goto err; } else @@ -268,7 +293,7 @@ METHOD(pa_tnc_msg_t, create_attribute_enumerator, enumerator_t*, METHOD(pa_tnc_msg_t, create_error_enumerator, enumerator_t*, private_pa_tnc_msg_t *this) { - return this->errors->create_enumerator(this->attributes); + return this->errors->create_enumerator(this->errors); } METHOD(pa_tnc_msg_t, destroy, void, diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.h b/src/libimcv/pa_tnc/pa_tnc_msg.h index b64060055..bff954678 100644 --- a/src/libimcv/pa_tnc/pa_tnc_msg.h +++ b/src/libimcv/pa_tnc/pa_tnc_msg.h @@ -23,6 +23,8 @@ typedef struct pa_tnc_msg_t pa_tnc_msg_t; +#define PA_TNC_VERSION 0x01 + #include "pa_tnc_attr.h" #include <library.h> 
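Review bot: The 8-byte `attr_info` peek at the top of the loop body is only in bounds because the enclosing `while` condition (`reader->remaining(reader) >= PA_TNC_ATTR_HEADER_SIZE`, shown in the previous hunk) guarantees at least 12 bytes, yet nothing next to the peek records that dependency. A one-line comment, `/* loop guard ensures >= PA_TNC_ATTR_HEADER_SIZE bytes, so the 8-byte peek is in bounds */`, would keep a future change to the guard or to PA_TNC_ATTR_INFO_SIZE from silently breaking it. The loop continues past the hunk edge.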
diff --git a/src/libimcv/plugins/imc_test/imc_test.c b/src/libimcv/plugins/imc_test/imc_test.c index 3f7ee3525..e89008f87 100644 --- a/src/libimcv/plugins/imc_test/imc_test.c +++ b/src/libimcv/plugins/imc_test/imc_test.c @@ -16,6 +16,8 @@ #include <imc/imc_agent.h> #include <pa_tnc/pa_tnc_msg.h> +#include <ietf/ietf_attr.h> +#include <ietf/ietf_attr_pa_tnc_error.h> #include <ita/ita_attr_command.h> #include <pen/pen.h> @@ -129,7 +131,10 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id, TNC_MessageType msg_type) { pa_tnc_msg_t *pa_tnc_msg; - status_t status; + pa_tnc_attr_t *attr; + enumerator_t *enumerator; + TNC_Result result; + bool fatal_error = FALSE; if (!imc_test) { 
@@ -137,19 +142,60 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id, return TNC_RESULT_NOT_INITIALIZED; } - /* process received message */ - DBG2(DBG_IMC, "IMC %u \"%s\" received message type 0x%08x for Connection ID %u", - imc_id, imc_name, msg_type, connection_id); - pa_tnc_msg = pa_tnc_msg_create_from_data(chunk_create(msg, msg_len)); - status = pa_tnc_msg->process(pa_tnc_msg); - pa_tnc_msg->destroy(pa_tnc_msg); - if (status != SUCCESS) + /* parse received PA-TNC message and automatically handle any errors */ + result = imc_test->receive_message(imc_test, connection_id, + chunk_create(msg, msg_len), msg_type, + &pa_tnc_msg); + + /* no parsed PA-TNC attributes available if an error occurred */ + if (!pa_tnc_msg) { - return TNC_RESULT_FATAL; + return result; } - /* always return the same response */ - return send_message(connection_id); + /* analyze PA-TNC attributes */ + enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg); + while (enumerator->enumerate(enumerator, &attr)) + { + if (attr->get_vendor_id(attr) == PEN_IETF && + attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR) + { + ietf_attr_pa_tnc_error_t *error_attr; + pa_tnc_error_code_t error_code; + chunk_t msg_info, attr_info; + + error_attr = (ietf_attr_pa_tnc_error_t*)attr; + error_code = error_attr->get_error_code(error_attr); + msg_info = error_attr->get_msg_info(error_attr); + + DBG1(DBG_IMC, "received PA-TNC error '%N' concerning message %#B", + pa_tnc_error_code_names, error_code, &msg_info); + switch (error_code) + { + case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED: + attr_info = error_attr->get_attr_info(error_attr); + DBG1(DBG_IMC, " unsupported attribute %#B", &attr_info); + break; + default: + break; + } + fatal_error = TRUE; + } + else if (attr->get_vendor_id(attr) == PEN_ITA && + attr->get_type(attr) == ITA_ATTR_COMMAND) + { + ita_attr_command_t *ita_attr; + char *command; + + ita_attr = (ita_attr_command_t*)attr; + command = ita_attr->get_command(ita_attr); + } + } + 
enumerator->destroy(enumerator); + pa_tnc_msg->destroy(pa_tnc_msg); + + /* if no error occurred then always return the same response */ + return fatal_error ? TNC_RESULT_FATAL : send_message(connection_id); } /** diff --git a/src/libimcv/plugins/imv_test/imv_test.c b/src/libimcv/plugins/imv_test/imv_test.c index 7e1f05901..ca798bb66 100644 --- a/src/libimcv/plugins/imv_test/imv_test.c +++ b/src/libimcv/plugins/imv_test/imv_test.c @@ -16,6 +16,8 @@ #include <imv/imv_agent.h> #include <pa_tnc/pa_tnc_msg.h> +#include <ietf/ietf_attr.h> +#include <ietf/ietf_attr_pa_tnc_error.h> #include <ita/ita_attr_command.h> #include <pen/pen.h> @@ -127,8 +129,9 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, pa_tnc_attr_t *attr; imv_state_t *state; imv_test_state_t *imv_test_state; - TNC_Result result = TNC_RESULT_SUCCESS; enumerator_t *enumerator; + TNC_Result result; + bool fatal_error = FALSE; if (!imv_test) { 
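Review bot: In the ITA_ATTR_COMMAND branch, `command = ita_attr->get_command(ita_attr);` is assigned but never read, so the branch does nothing and compilers will warn about the unused value; either drop the branch or use it, e.g. `DBG1(DBG_IMC, "received ITA Command '%s'", command);`. The error-attribute block (the cast, get_error_code, get_msg_info, the DBG1 and the switch) is repeated verbatim in the imv_test.c hunk; a shared helper in libimcv would keep the two copies in step. TNC_IMC_ReceiveMessage starts before this hunk.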
@@ -136,29 +139,53 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, return TNC_RESULT_NOT_INITIALIZED; } - /* process received message */ - DBG2(DBG_IMV, "IMV %u \"%s\" received message type 0x%08x for Connection ID %u", - imv_id, imv_name, msg_type, connection_id); - pa_tnc_msg = pa_tnc_msg_create_from_data(chunk_create(msg, msg_len)); - - if (pa_tnc_msg->process(pa_tnc_msg) != SUCCESS) + /* get current IMV state */ + if (!imv_test->get_state(imv_test, connection_id, &state)) { - pa_tnc_msg->destroy(pa_tnc_msg); return TNC_RESULT_FATAL; } - /* get current IMV state */ - if (!imv_test->get_state(imv_test, connection_id, &state)) + /* parse received PA-TNC message and automatically handle any errors */ + result = imv_test->receive_message(imv_test, connection_id, + chunk_create(msg, msg_len), msg_type, + &pa_tnc_msg); + + /* no parsed PA-TNC attributes available if an error occurred */ + if (!pa_tnc_msg) { - pa_tnc_msg->destroy(pa_tnc_msg); - return TNC_RESULT_FATAL; + return result; } + /* analyze PA-TNC attributes */ enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg); while (enumerator->enumerate(enumerator, &attr)) { - if (attr->get_vendor_id(attr) == PEN_ITA && - attr->get_type(attr) == ITA_ATTR_COMMAND) + if (attr->get_vendor_id(attr) == PEN_IETF && + attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR) + { + ietf_attr_pa_tnc_error_t *error_attr; + pa_tnc_error_code_t error_code; + chunk_t msg_info, attr_info; + + error_attr = (ietf_attr_pa_tnc_error_t*)attr; + error_code = error_attr->get_error_code(error_attr); + msg_info = error_attr->get_msg_info(error_attr); + + DBG1(DBG_IMV, "received PA-TNC error '%N' concerning message %#B", + pa_tnc_error_code_names, error_code, &msg_info); + switch (error_code) + { + case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED: + attr_info = error_attr->get_attr_info(error_attr); + DBG1(DBG_IMV, " unsupported attribute %#B", &attr_info); + break; + default: + break; + } + fatal_error = TRUE; + } + else if 
(attr->get_vendor_id(attr) == PEN_ITA && + attr->get_type(attr) == ITA_ATTR_COMMAND) { ita_attr_command_t *ita_attr; char *command; @@ -178,7 +205,7 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, TNC_IMV_ACTION_RECOMMENDATION_ISOLATE, TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR); } - else if (streq(command, "none")) + else if (streq(command, "block") || streq(command, "none")) { state->set_recommendation(state, TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS, @@ -186,17 +213,22 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, } else { - result = TNC_RESULT_FATAL; + DBG1(DBG_IMV, "unsupported ITA Command '%s'", command); + state->set_recommendation(state, + TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, + TNC_IMV_EVALUATION_RESULT_ERROR); } - break; } } enumerator->destroy(enumerator); pa_tnc_msg->destroy(pa_tnc_msg); - if (result != TNC_RESULT_SUCCESS) + if (fatal_error) { - return result; + state->set_recommendation(state, + TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, + TNC_IMV_EVALUATION_RESULT_ERROR); + return imv_test->provide_recommendation(imv_test, connection_id); } /* repeat the measurement ? */ |
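Review bot: With the `break;` after the command handling removed, a message carrying more than one ITA_ATTR_COMMAND lets the later command overwrite the recommendation set by the earlier one, including the NO_RECOMMENDATION/ERROR set for an unsupported command, so a peer can follow a rejected command with an accepted one. If the first error should win, track it with a flag as `fatal_error` does for PA-TNC errors, or restore the `break`. Presumably one command per message is the intended protocol; a comment above the loop stating that assumption would make the choice deliberate. TNC_IMV_ReceiveMessage continues past this hunk.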