![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to tnccs_11.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libtnccs / plugins / tnccs_11|
Return to tnccs_11.c CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libtnccs / plugins / tnccs_11 |
1.1 misho 1: /*
2: * Copyright (C) 2010-2015 Andreas Steffen
3: * HSR Hochschule fuer Technik Rapperswil
4: *
5: * This program is free software; you can redistribute it and/or modify it
6: * under the terms of the GNU General Public License as published by the
7: * Free Software Foundation; either version 2 of the License, or (at your
8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9: *
10: * This program is distributed in the hope that it will be useful, but
11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13: * for more details.
14: */
15:
16: #include "tnccs_11.h"
17: #include "batch/tnccs_batch.h"
18: #include "messages/tnccs_msg.h"
19: #include "messages/imc_imv_msg.h"
20: #include "messages/tnccs_error_msg.h"
21: #include "messages/tnccs_preferred_language_msg.h"
22: #include "messages/tnccs_reason_strings_msg.h"
23: #include "messages/tnccs_recommendation_msg.h"
24:
25: #include <tncif_names.h>
26: #include <tncif_pa_subtypes.h>
27:
28: #include <tnc/tnc.h>
29: #include <tnc/imc/imc_manager.h>
30: #include <tnc/imv/imv_manager.h>
31: #include <tnc/tnccs/tnccs.h>
32: #include <tnc/tnccs/tnccs_manager.h>
33:
34: #include <utils/debug.h>
35: #include <threading/mutex.h>
36:
37: typedef struct private_tnccs_11_t private_tnccs_11_t;
38:
39: /**
40: * Private data of a tnccs_11_t object.
41: */
42: struct private_tnccs_11_t {
43:
44: /**
45: * Public tnccs_t interface.
46: */
47: tnccs_t public;
48:
49: /**
50: * TNCC if TRUE, TNCS if FALSE
51: */
52: bool is_server;
53:
54: /**
55: * Server identity
56: */
57: identification_t *server_id;
58:
59: /**
60: * Client identity
61: */
62: identification_t *peer_id;
63:
64: /**
65: * Server IP address
66: */
67: host_t *server_ip;
68:
69: /**
70: * Client IP address
71: */
72: host_t *peer_ip;
73:
74: /**
75: * Underlying TNC IF-T transport protocol
76: */
77: tnc_ift_type_t transport;
78:
79: /**
80: * Type of TNC client authentication
81: */
82: uint32_t auth_type;
83:
84: /**
85: * Connection ID assigned to this TNCCS connection
86: */
87: TNC_ConnectionID connection_id;
88:
89: /**
90: * Last TNCCS batch ID
91: */
92: int batch_id;
93:
94: /**
95: * TNCCS batch being constructed
96: */
97: tnccs_batch_t *batch;
98:
99: /**
100: * Maximum PA-TNC message size
101: */
102: size_t max_msg_len;
103:
104: /**
105: * Mutex locking the batch in construction
106: */
107: mutex_t *mutex;
108:
109: /**
110: * Flag set while processing
111: */
112: bool fatal_error;
113:
114: /**
115: * Flag set by TNCCS-Recommendation message
116: */
117: bool delete_state;
118:
119: /**
120: * SendMessage() by IMC/IMV only allowed if flag is set
121: */
122: bool send_msg;
123:
124: /**
125: * Flag set by IMC/IMV RequestHandshakeRetry() function
126: */
127: bool request_handshake_retry;
128:
129: /**
130: * Set of IMV recommendations (TNC Server only)
131: */
132: recommendations_t *recs;
133:
134: /**
135: * Callback function to communicate recommendation (TNC Server only)
136: */
137: tnccs_cb_t callback;
138:
139: /**
140: * reference count
141: */
142: refcount_t ref;
143:
144: };
145:
146: METHOD(tnccs_t, send_msg, TNC_Result,
147: private_tnccs_11_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id,
148: TNC_UInt32 msg_flags,
149: TNC_BufferReference msg,
150: TNC_UInt32 msg_len,
151: TNC_VendorID msg_vid,
152: TNC_MessageSubtype msg_subtype)
153: {
154: tnccs_msg_t *tnccs_msg;
155: TNC_MessageType msg_type;
156: enum_name_t *pa_subtype_names;
157:
158: if (!this->send_msg)
159: {
160: DBG1(DBG_TNC, "%s %u not allowed to call SendMessage()",
161: this->is_server ? "IMV" : "IMC",
162: this->is_server ? imv_id : imc_id);
163: return TNC_RESULT_ILLEGAL_OPERATION;
164: }
165: if (msg_vid > TNC_VENDORID_ANY || msg_subtype > TNC_SUBTYPE_ANY)
166: {
167: return TNC_RESULT_NO_LONG_MESSAGE_TYPES;
168: }
169: msg_type = (msg_vid << 8) | msg_subtype;
170:
171: pa_subtype_names = get_pa_subtype_names(msg_vid);
172: if (pa_subtype_names)
173: {
174: DBG2(DBG_TNC, "creating IMC-IMV message type '%N/%N' 0x%06x/0x%02x",
175: pen_names, msg_vid, pa_subtype_names, msg_subtype,
176: msg_vid, msg_subtype);
177: }
178: else
179: {
180: DBG2(DBG_TNC, "creating IMC-IMV message type '%N' 0x%06x/0x%02x",
181: pen_names, msg_vid, msg_vid, msg_subtype);
182: }
183: tnccs_msg = imc_imv_msg_create(msg_type, chunk_create(msg, msg_len));
184:
185: /* adding an IMC-IMV Message to TNCCS batch */
186: this->mutex->lock(this->mutex);
187: if (!this->batch)
188: {
189: this->batch = tnccs_batch_create(this->is_server, ++this->batch_id);
190: }
191: this->batch->add_msg(this->batch, tnccs_msg);
192: this->mutex->unlock(this->mutex);
193: return TNC_RESULT_SUCCESS;
194: }
195:
196: /**
197: * Handle a single TNCCS message according to its type
198: */
199: static void handle_message(private_tnccs_11_t *this, tnccs_msg_t *msg)
200: {
201: switch (msg->get_type(msg))
202: {
203: case IMC_IMV_MSG:
204: {
205: imc_imv_msg_t *imc_imv_msg;
206: TNC_MessageType msg_type;
207: chunk_t msg_body;
208: uint32_t msg_vid, msg_subtype;
209: enum_name_t *pa_subtype_names;
210:
211: imc_imv_msg = (imc_imv_msg_t*)msg;
212: msg_type = imc_imv_msg->get_msg_type(imc_imv_msg);
213: msg_body = imc_imv_msg->get_msg_body(imc_imv_msg);
214: msg_vid = (msg_type >> 8) & TNC_VENDORID_ANY;
215: msg_subtype = msg_type & TNC_SUBTYPE_ANY;
216:
217: pa_subtype_names = get_pa_subtype_names(msg_vid);
218: if (pa_subtype_names)
219: {
220: DBG2(DBG_TNC, "handling IMC-IMV message type '%N/%N' 0x%06x/0x%02x",
221: pen_names, msg_vid, pa_subtype_names, msg_subtype,
222: msg_vid, msg_subtype);
223: }
224: else
225: {
226: DBG2(DBG_TNC, "handling IMC-IMV message type '%N' 0x%06x/0x%02x",
227: pen_names, msg_vid, msg_vid, msg_subtype);
228: }
229:
230: this->send_msg = TRUE;
231: if (this->is_server)
232: {
233: tnc->imvs->receive_message(tnc->imvs, this->connection_id,
234: FALSE, msg_body.ptr, msg_body.len,
235: msg_vid, msg_subtype, 0, TNC_IMVID_ANY);
236: }
237: else
238: {
239: tnc->imcs->receive_message(tnc->imcs, this->connection_id,
240: FALSE, msg_body.ptr, msg_body.len,
241: msg_vid, msg_subtype, 0, TNC_IMCID_ANY);
242: }
243: this->send_msg = FALSE;
244: break;
245: }
246: case TNCCS_MSG_RECOMMENDATION:
247: {
248: tnccs_recommendation_msg_t *rec_msg;
249: TNC_IMV_Action_Recommendation rec;
250: TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE;
251:
252: rec_msg = (tnccs_recommendation_msg_t*)msg;
253: rec = rec_msg->get_recommendation(rec_msg);
254: if (this->is_server)
255: {
256: DBG1(DBG_TNC, "ignoring NCCS-Recommendation message from "
257: " TNC client");
258: break;
259: }
260: DBG1(DBG_TNC, "TNC recommendation is '%N'",
261: TNC_IMV_Action_Recommendation_names, rec);
262: switch (rec)
263: {
264: case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
265: state = TNC_CONNECTION_STATE_ACCESS_ALLOWED;
266: break;
267: case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
268: state = TNC_CONNECTION_STATE_ACCESS_ISOLATED;
269: break;
270: case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
271: default:
272: state = TNC_CONNECTION_STATE_ACCESS_NONE;
273: }
274: tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
275: state);
276: this->delete_state = TRUE;
277: break;
278: }
279: case TNCCS_MSG_ERROR:
280: {
281: tnccs_error_msg_t *err_msg;
282: tnccs_error_type_t error_type;
283: char *error_msg;
284:
285: err_msg = (tnccs_error_msg_t*)msg;
286: error_msg = err_msg->get_message(err_msg, &error_type);
287: DBG1(DBG_TNC, "received '%N' TNCCS-Error: %s",
288: tnccs_error_type_names, error_type, error_msg);
289:
290: /* we assume that all errors are fatal */
291: this->fatal_error = TRUE;
292: break;
293: }
294: case TNCCS_MSG_PREFERRED_LANGUAGE:
295: {
296: tnccs_preferred_language_msg_t *lang_msg;
297: char *lang;
298:
299: lang_msg = (tnccs_preferred_language_msg_t*)msg;
300: lang = lang_msg->get_preferred_language(lang_msg);
301:
302: DBG2(DBG_TNC, "setting preferred language to '%s'", lang);
303: this->recs->set_preferred_language(this->recs,
304: chunk_create(lang, strlen(lang)));
305: break;
306: }
307: case TNCCS_MSG_REASON_STRINGS:
308: {
309: tnccs_reason_strings_msg_t *reason_msg;
310: chunk_t reason_string, reason_lang;
311:
312: reason_msg = (tnccs_reason_strings_msg_t*)msg;
313: reason_string = reason_msg->get_reason(reason_msg, &reason_lang);
314: DBG2(DBG_TNC, "reason string is '%.*s'", (int)reason_string.len,
315: reason_string.ptr);
316: DBG2(DBG_TNC, "language code is '%.*s'", (int)reason_lang.len,
317: reason_lang.ptr);
318: break;
319: }
320: default:
321: break;
322: }
323: }
324:
325: METHOD(tls_t, process, status_t,
326: private_tnccs_11_t *this, void *buf, size_t buflen)
327: {
328: chunk_t data;
329: tnccs_batch_t *batch;
330: tnccs_msg_t *msg;
331: enumerator_t *enumerator;
332: status_t status;
333:
334: if (this->is_server && !this->connection_id)
335: {
336: this->connection_id = tnc->tnccs->create_connection(tnc->tnccs,
337: TNCCS_1_1, (tnccs_t*)this, _send_msg,
338: &this->request_handshake_retry,
339: this->max_msg_len, &this->recs);
340: if (!this->connection_id)
341: {
342: return FAILED;
343: }
344: tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
345: TNC_CONNECTION_STATE_CREATE);
346: tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id,
347: TNC_CONNECTION_STATE_HANDSHAKE);
348: }
349:
350: data = chunk_create(buf, buflen);
351: DBG1(DBG_TNC, "received TNCCS Batch (%u bytes) for Connection ID %u",
352: data.len, this->connection_id);
353: DBG3(DBG_TNC, "%.*s", (int)data.len, data.ptr);
354: batch = tnccs_batch_create_from_data(this->is_server, ++this->batch_id, data);
355: status = batch->process(batch);
356:
357: if (status == FAILED)
358: {
359: this->fatal_error = TRUE;
360: this->mutex->lock(this->mutex);
361: if (this->batch)
362: {
363: DBG1(DBG_TNC, "cancelling TNCCS batch");
364: this->batch->destroy(this->batch);
365: this->batch_id--;
366: }
367: this->batch = tnccs_batch_create(this->is_server, ++this->batch_id);
368:
369: /* add error messages to outbound batch */
370: enumerator = batch->create_error_enumerator(batch);
371: while (enumerator->enumerate(enumerator, &msg))
372: {
373: this->batch->add_msg(this->batch, msg->get_ref(msg));
374: }
375: enumerator->destroy(enumerator);
376: this->mutex->unlock(this->mutex);
377: }
378: else
379: {
380: enumerator = batch->create_msg_enumerator(batch);
381: while (enumerator->enumerate(enumerator, &msg))
382: {
383: handle_message(this, msg);
384: }
385: enumerator->destroy(enumerator);
386:
387: /* received any TNCCS-Error messages */
388: if (this->fatal_error)
389: {
390: DBG1(DBG_TNC, "a fatal TNCCS-Error occurred, terminating connection");
391: batch->destroy(batch);
392: return FAILED;
393: }
394:
395: this->send_msg = TRUE;
396: if (this->is_server)
397: {
398: tnc->imvs->batch_ending(tnc->imvs, this->connection_id);
399: }
400: else
401: {
402: tnc->imcs->batch_ending(tnc->imcs, this->connection_id);
403: }
404: this->send_msg = FALSE;
405: }
406: batch->destroy(batch);
407:
408: return NEED_MORE;
409: }
410:
411: /**
412: * Add a recommendation message if a final recommendation is available
413: */
414: static void check_and_build_recommendation(private_tnccs_11_t *this)
415: {
416: TNC_IMV_Action_Recommendation rec;
417: TNC_IMV_Evaluation_Result eval;
418: TNC_IMVID id;
419: chunk_t reason, language;
420: enumerator_t *enumerator;
421: tnccs_msg_t *msg;
422:
423: if (!this->recs->have_recommendation(this->recs, &rec, &eval))
424: {
425: tnc->imvs->solicit_recommendation(tnc->imvs, this->connection_id);
426: }
427: if (this->recs->have_recommendation(this->recs, &rec, &eval))
428: {
429: if (!this->batch)
430: {
431: this->batch = tnccs_batch_create(this->is_server, ++this->batch_id);
432: }
433:
434: msg = tnccs_recommendation_msg_create(rec);
435: this->batch->add_msg(this->batch, msg);
436:
437: /* currently we just send the first Reason String */
438: enumerator = this->recs->create_reason_enumerator(this->recs);
439: if (enumerator->enumerate(enumerator, &id, &reason, &language))
440: {
441: msg = tnccs_reason_strings_msg_create(reason, language);
442: this->batch->add_msg(this->batch, msg);
443: }
444: enumerator->destroy(enumerator);
445:
446: /* we have reached the final state */
447: this->delete_state = TRUE;
448: }
449: }
450:
451: METHOD(tls_t, build, status_t,
452: private_tnccs_11_t *this, void *buf, size_t *buflen, size_t *msglen)
453: {
454: status_t status;
455:
456: /* Initialize the connection */
457: if (!this->is_server && !this->connection_id)
458: {
459: tnccs_msg_t *msg;
460: char *pref_lang;
461:
462: this->connection_id = tnc->tnccs->create_connection(tnc->tnccs,
463: TNCCS_1_1, (tnccs_t*)this, _send_msg,
464: &this->request_handshake_retry,
465: this->max_msg_len, NULL);
466: if (!this->connection_id)
467: {
468: return FAILED;
469: }
470:
471: /* Create TNCCS-PreferredLanguage message */
472: pref_lang = tnc->imcs->get_preferred_language(tnc->imcs);
473: msg = tnccs_preferred_language_msg_create(pref_lang);
474: this->mutex->lock(this->mutex);
475: this->batch = tnccs_batch_create(this->is_server, ++this->batch_id);
476: this->batch->add_msg(this->batch, msg);
477: this->mutex->unlock(this->mutex);
478:
479: tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
480: TNC_CONNECTION_STATE_CREATE);
481: tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id,
482: TNC_CONNECTION_STATE_HANDSHAKE);
483: this->send_msg = TRUE;
484: tnc->imcs->begin_handshake(tnc->imcs, this->connection_id);
485: this->send_msg = FALSE;
486: }
487:
488: /* Do not allow any asynchronous IMCs or IMVs to add additional messages */
489: this->mutex->lock(this->mutex);
490:
491: if (this->recs && !this->delete_state &&
492: (!this->batch || this->fatal_error))
493: {
494: check_and_build_recommendation(this);
495: }
496:
497: if (this->batch)
498: {
499: chunk_t data;
500:
501: this->batch->build(this->batch);
502: data = this->batch->get_encoding(this->batch);
503: DBG1(DBG_TNC, "sending TNCCS Batch (%d bytes) for Connection ID %u",
504: data.len, this->connection_id);
505: DBG3(DBG_TNC, "%.*s", (int)data.len, data.ptr);
506: *msglen = 0;
507:
508: if (data.len > *buflen)
509: {
510: DBG1(DBG_TNC, "fragmentation of TNCCS batch not supported yet");
511: }
512: else
513: {
514: *buflen = data.len;
515: }
516: memcpy(buf, data.ptr, *buflen);
517: this->batch->destroy(this->batch);
518: this->batch = NULL;
519: status = ALREADY_DONE;
520: }
521: else
522: {
523: DBG1(DBG_TNC, "no TNCCS Batch to send");
524: status = INVALID_STATE;
525: }
526: this->mutex->unlock(this->mutex);
527:
528: return status;
529: }
530:
531: METHOD(tls_t, is_server, bool,
532: private_tnccs_11_t *this)
533: {
534: return this->is_server;
535: }
536:
537: METHOD(tls_t, get_server_id, identification_t*,
538: private_tnccs_11_t *this)
539: {
540: return this->server_id;
541: }
542:
543: METHOD(tls_t, set_peer_id, void,
544: private_tnccs_11_t *this, identification_t *id)
545: {
546: DESTROY_IF(this->peer_id);
547: this->peer_id = id->clone(id);
548: }
549:
550: METHOD(tls_t, get_peer_id, identification_t*,
551: private_tnccs_11_t *this)
552: {
553: return this->peer_id;
554: }
555:
556: METHOD(tls_t, get_purpose, tls_purpose_t,
557: private_tnccs_11_t *this)
558: {
559: return TLS_PURPOSE_EAP_TNC;
560: }
561:
562: METHOD(tls_t, is_complete, bool,
563: private_tnccs_11_t *this)
564: {
565: TNC_IMV_Action_Recommendation rec;
566: TNC_IMV_Evaluation_Result eval;
567:
568: if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
569: {
570: return this->callback ? this->callback(rec, eval) : TRUE;
571: }
572: else
573: {
574: return FALSE;
575: }
576: }
577:
578: METHOD(tls_t, get_eap_msk, chunk_t,
579: private_tnccs_11_t *this)
580: {
581: return chunk_empty;
582: }
583:
584: METHOD(tls_t, destroy, void,
585: private_tnccs_11_t *this)
586: {
587: if (ref_put(&this->ref))
588: {
589: tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id,
590: this->is_server);
591: this->server_id->destroy(this->server_id);
592: this->peer_id->destroy(this->peer_id);
593: this->server_ip->destroy(this->server_ip);
594: this->peer_ip->destroy(this->peer_ip);
595: this->mutex->destroy(this->mutex);
596: DESTROY_IF(this->batch);
597: free(this);
598: }
599: }
600:
601: METHOD(tnccs_t, get_server_ip, host_t*,
602: private_tnccs_11_t *this)
603: {
604: return this->server_ip;
605: }
606:
607: METHOD(tnccs_t, get_peer_ip, host_t*,
608: private_tnccs_11_t *this)
609: {
610: return this->peer_ip;
611: }
612:
613: METHOD(tnccs_t, get_transport, tnc_ift_type_t,
614: private_tnccs_11_t *this)
615: {
616: return this->transport;
617: }
618:
619: METHOD(tnccs_t, set_transport, void,
620: private_tnccs_11_t *this, tnc_ift_type_t transport)
621: {
622: this->transport = transport;
623: }
624:
625: METHOD(tnccs_t, get_auth_type, uint32_t,
626: private_tnccs_11_t *this)
627: {
628: return this->auth_type;
629: }
630:
631: METHOD(tnccs_t, set_auth_type, void,
632: private_tnccs_11_t *this, uint32_t auth_type)
633: {
634: this->auth_type = auth_type;
635: }
636:
637: METHOD(tnccs_t, get_pdp_server, chunk_t,
638: private_tnccs_11_t *this, uint16_t *port)
639: {
640: *port = 0;
641:
642: return chunk_empty;
643: }
644:
645: METHOD(tnccs_t, get_ref, tnccs_t*,
646: private_tnccs_11_t *this)
647: {
648: ref_get(&this->ref);
649: return &this->public;
650: }
651:
652: /**
653: * See header
654: */
655: tnccs_t* tnccs_11_create(bool is_server, identification_t *server_id,
656: identification_t *peer_id, host_t *server_ip,
657: host_t *peer_ip, tnc_ift_type_t transport,
658: tnccs_cb_t cb)
659: {
660: private_tnccs_11_t *this;
661:
662: INIT(this,
663: .public = {
664: .tls = {
665: .process = _process,
666: .build = _build,
667: .is_server = _is_server,
668: .get_server_id = _get_server_id,
669: .set_peer_id = _set_peer_id,
670: .get_peer_id = _get_peer_id,
671: .get_purpose = _get_purpose,
672: .is_complete = _is_complete,
673: .get_eap_msk = _get_eap_msk,
674: .destroy = _destroy,
675: },
676: .get_server_ip = _get_server_ip,
677: .get_peer_ip = _get_peer_ip,
678: .get_transport = _get_transport,
679: .set_transport = _set_transport,
680: .get_auth_type = _get_auth_type,
681: .set_auth_type = _set_auth_type,
682: .get_pdp_server = _get_pdp_server,
683: .get_ref = _get_ref,
684: },
685: .is_server = is_server,
686: .server_id = server_id->clone(server_id),
687: .peer_id = peer_id->clone(peer_id),
688: .server_ip = server_ip->clone(server_ip),
689: .peer_ip = peer_ip->clone(peer_ip),
690: .transport = transport,
691: .callback = cb,
692: .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
693: .max_msg_len = lib->settings->get_int(lib->settings,
694: "%s.plugins.tnccs-11.max_message_size", 45000, lib->ns),
695: .ref = 1,
696: );
697:
698: return &this->public;
699: }