From cc546c3ce6a12165f4e73bd19d2cf4c0c192547c Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Sat, 14 May 2011 13:31:16 +0200 Subject: Restrict IMCs and IMVs to call SendMessage() --- src/libcharon/plugins/tnccs_11/tnccs_11.c | 21 ++++++++++++++++++++- src/libcharon/plugins/tnccs_20/tnccs_20.c | 24 +++++++++++++++++++++++- 2 files changed, 43 insertions(+), 2 deletions(-) (limited to 'src/libcharon/plugins') diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c index 033b73253..cd8cd3a43 100644 --- a/src/libcharon/plugins/tnccs_11/tnccs_11.c +++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c @@ -76,6 +76,11 @@ struct private_tnccs_11_t { */ bool delete_state; + /** + * SendMessage() by IMC/IMV only allowed if flag is set + */ + bool send_msg; + /** * Flag set by IMC/IMV RequestHandshakeRetry() function */ @@ -87,7 +92,7 @@ struct private_tnccs_11_t { recommendations_t *recs; }; -METHOD(tnccs_t, send_msg, void, +METHOD(tnccs_t, send_msg, TNC_Result, private_tnccs_11_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id, TNC_BufferReference msg, TNC_UInt32 msg_len, @@ -95,6 +100,13 @@ METHOD(tnccs_t, send_msg, void, { tnccs_msg_t *tnccs_msg; + if (!this->send_msg) + { + DBG1(DBG_TNC, "%s %u not allowed to call SendMessage()", + this->is_server ? "IMV" : "IMC", + this->is_server ? imv_id : imc_id); + return TNC_RESULT_ILLEGAL_OPERATION; + } tnccs_msg = imc_imv_msg_create(msg_type, chunk_create(msg, msg_len)); /* adding an IMC-IMV Message to TNCCS batch */ @@ -105,6 +117,7 @@ METHOD(tnccs_t, send_msg, void, } this->batch->add_msg(this->batch, tnccs_msg); this->mutex->unlock(this->mutex); + return TNC_RESULT_SUCCESS; } /** @@ -126,6 +139,7 @@ static void handle_message(private_tnccs_11_t *this, tnccs_msg_t *msg) DBG2(DBG_TNC, "handling IMC_IMV message type 0x%08x", msg_type); + this->send_msg = TRUE; if (this->is_server) { charon->imvs->receive_message(charon->imvs, @@ -136,6 +150,7 @@ static void handle_message(private_tnccs_11_t *this, tnccs_msg_t *msg) charon->imcs->receive_message(charon->imcs, this->connection_id, msg_body.ptr, msg_body.len,msg_type); } + this->send_msg = FALSE; break; } case TNCCS_MSG_RECOMMENDATION: @@ -286,6 +301,7 @@ METHOD(tls_t, process, status_t, return FAILED; } + this->send_msg = TRUE; if (this->is_server) { charon->imvs->batch_ending(charon->imvs, this->connection_id); @@ -294,6 +310,7 @@ METHOD(tls_t, process, status_t, { charon->imcs->batch_ending(charon->imcs, this->connection_id); } + this->send_msg = FALSE; } batch->destroy(batch); @@ -371,7 +388,9 @@ METHOD(tls_t, build, status_t, this->connection_id, TNC_CONNECTION_STATE_CREATE); charon->imcs->notify_connection_change(charon->imcs, this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE); + this->send_msg = TRUE; charon->imcs->begin_handshake(charon->imcs, this->connection_id); + this->send_msg = FALSE; } /* Do not allow any asynchronous IMCs or IMVs to add additional messages */ diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c index 636f52569..9e2081d46 100644 --- a/src/libcharon/plugins/tnccs_20/tnccs_20.c +++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c @@ -80,13 +80,18 @@ struct private_tnccs_20_t { */ bool request_handshake_retry; + /** + * SendMessage() by IMC/IMV only allowed if flag is set + */ + bool send_msg; + /** * Set of IMV recommendations (TNC Server only) */ recommendations_t *recs; }; -METHOD(tnccs_t, send_msg, void, +METHOD(tnccs_t, send_msg, TNC_Result, private_tnccs_20_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id, TNC_BufferReference msg, TNC_UInt32 msg_len, @@ -97,6 +102,14 @@ METHOD(tnccs_t, send_msg, void, pb_tnc_msg_t *pb_tnc_msg; pb_tnc_batch_type_t batch_type; + if (!this->send_msg) + { + DBG1(DBG_TNC, "%s %u not allowed to call SendMessage()", + this->is_server ? "IMV" : "IMC", + this->is_server ? imv_id : imc_id); + return TNC_RESULT_ILLEGAL_OPERATION; + } + msg_sub_type = msg_type & TNC_SUBTYPE_ANY; msg_vendor_id = (msg_type >> 8) & TNC_VENDORID_ANY; @@ -119,6 +132,7 @@ METHOD(tnccs_t, send_msg, void, pb_tnc_msg->destroy(pb_tnc_msg); } this->mutex->unlock(this->mutex); + return TNC_RESULT_SUCCESS; } /** @@ -145,6 +159,7 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg) DBG2(DBG_TNC, "handling PB-PA message type 0x%08x", msg_type); + this->send_msg = TRUE; if (this->is_server) { charon->imvs->receive_message(charon->imvs, @@ -155,6 +170,7 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg) charon->imcs->receive_message(charon->imcs, this->connection_id, msg_body.ptr, msg_body.len,msg_type); } + this->send_msg = FALSE; break; } case PB_MSG_ASSESSMENT_RESULT: @@ -358,7 +374,9 @@ METHOD(tls_t, process, status_t, /* Restart the measurements */ charon->imcs->notify_connection_change(charon->imcs, this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE); + this->send_msg = TRUE; charon->imcs->begin_handshake(charon->imcs, this->connection_id); + this->send_msg = FALSE; } enumerator = batch->create_msg_enumerator(batch); @@ -385,6 +403,7 @@ METHOD(tls_t, process, status_t, } } + this->send_msg = TRUE; if (this->is_server) { charon->imvs->batch_ending(charon->imvs, this->connection_id); @@ -393,6 +412,7 @@ METHOD(tls_t, process, status_t, { charon->imcs->batch_ending(charon->imcs, this->connection_id); } + this->send_msg = FALSE; } switch (status) @@ -501,7 +521,9 @@ METHOD(tls_t, build, status_t, this->connection_id, TNC_CONNECTION_STATE_CREATE); charon->imcs->notify_connection_change(charon->imcs, this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE); + this->send_msg = TRUE; charon->imcs->begin_handshake(charon->imcs, this->connection_id); + this->send_msg = FALSE; } state = this->state_machine->get_state(this->state_machine); -- cgit v1.2.3