moved tnc_imv plugin to libtnccs thanks to recommendation callback function
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 8 Aug 2013 17:43:43 +0000 (19:43 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 15 Aug 2013 21:34:22 +0000 (23:34 +0200)
28 files changed:
configure.ac
man/strongswan.conf.5.in
src/libcharon/Makefile.am
src/libcharon/plugins/eap_tnc/eap_tnc.c
src/libcharon/plugins/tnc_pdp/tnc_pdp.c
src/libtnccs/Makefile.am
src/libtnccs/plugins/tnc_imc/tnc_imc.c
src/libtnccs/plugins/tnc_imv/Makefile.am [moved from src/libcharon/plugins/tnc_imv/Makefile.am with 91% similarity]
src/libtnccs/plugins/tnc_imv/tnc_imv.c [moved from src/libcharon/plugins/tnc_imv/tnc_imv.c with 98% similarity]
src/libtnccs/plugins/tnc_imv/tnc_imv.h [moved from src/libcharon/plugins/tnc_imv/tnc_imv.h with 100% similarity]
src/libtnccs/plugins/tnc_imv/tnc_imv_bind_function.c [moved from src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c with 100% similarity]
src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c [moved from src/libcharon/plugins/tnc_imv/tnc_imv_manager.c with 88% similarity]
src/libtnccs/plugins/tnc_imv/tnc_imv_manager.h [moved from src/libcharon/plugins/tnc_imv/tnc_imv_manager.h with 100% similarity]
src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.c [moved from src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c with 100% similarity]
src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h [moved from src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h with 100% similarity]
src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.c [moved from src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c with 100% similarity]
src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h [moved from src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h with 100% similarity]
src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c
src/libtnccs/plugins/tnccs_11/tnccs_11.c
src/libtnccs/plugins/tnccs_11/tnccs_11.h
src/libtnccs/plugins/tnccs_20/tnccs_20.c
src/libtnccs/plugins/tnccs_20/tnccs_20.h
src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c
src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h
src/libtnccs/tnc/imv/imv_manager.h
src/libtnccs/tnc/tnccs/tnccs.h
src/libtnccs/tnc/tnccs/tnccs_manager.h
src/pt-tls-client/pt-tls-client.c

index fb91ddd827fb9036631914e419b618d412c7513a..7111922c566ba1e079a9d46e2c53e2deda0e20a0 100644 (file)
@@ -1062,7 +1062,7 @@ ADD_PLUGIN([xauth-noauth],         [c charon])
 ADD_PLUGIN([tnc-ifmap],            [c charon])
 ADD_PLUGIN([tnc-pdp],              [c charon])
 ADD_PLUGIN([tnc-imc],              [t charon])
-ADD_PLUGIN([tnc-imv],              [c charon])
+ADD_PLUGIN([tnc-imv],              [t charon])
 ADD_PLUGIN([tnc-tnccs],            [t charon])
 ADD_PLUGIN([tnccs-20],             [t charon])
 ADD_PLUGIN([tnccs-11],             [t charon])
@@ -1378,6 +1378,7 @@ AC_CONFIG_FILES([
        src/libtnccs/Makefile
        src/libtnccs/plugins/tnc_tnccs/Makefile
        src/libtnccs/plugins/tnc_imc/Makefile
+       src/libtnccs/plugins/tnc_imv/Makefile
        src/libtnccs/plugins/tnccs_11/Makefile
        src/libtnccs/plugins/tnccs_20/Makefile
        src/libtnccs/plugins/tnccs_dynamic/Makefile
@@ -1421,7 +1422,6 @@ AC_CONFIG_FILES([
        src/libcharon/plugins/xauth_noauth/Makefile
        src/libcharon/plugins/tnc_ifmap/Makefile
        src/libcharon/plugins/tnc_pdp/Makefile
-       src/libcharon/plugins/tnc_imv/Makefile
        src/libcharon/plugins/socket_default/Makefile
        src/libcharon/plugins/socket_dynamic/Makefile
        src/libcharon/plugins/farp/Makefile
index 6a3bbac30c1c800285e93654845c0568eb84d89d..be8512d2d0290f8cb589ad7db3760325ca07f92e 100644 (file)
@@ -712,9 +712,6 @@ Path to X.509 certificate file of IF-MAP server
 .BR charon.plugins.tnc-ifmap.username_password
 Credentials of IF-MAP client of the form username:password
 .TP
-.BR charon.plugins.tnc-imv.dlclose " [yes]"
-Unload IMV after use
-.TP
 .BR charon.plugins.tnc-pdp.pt_tls.port " [271]"
 PT-TLS server port the strongSwan PDP is listening on
 .TP
@@ -880,20 +877,23 @@ TNC IMC/IMV configuration directory
 .PP
 .SS libtnccs plugins section
 .TP
-.BR charon.plugins.tnccs-11.max_message_size " [45000]"
+.BR libtnccs.plugins.tnccs-11.max_message_size " [45000]"
 Maximum size of a PA-TNC message (XML & Base64 encoding)
 .TP
-.BR charon.plugins.tnccs-20.max_batch_size " [65522]"
+.BR libtnccs.plugins.tnccs-20.max_batch_size " [65522]"
 Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529)
 .TP
-.BR charon.plugins.tnccs-20.max_message_size " [65490]"
+.BR libtnccs.plugins.tnccs-20.max_message_size " [65490]"
 Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497)
 .TP
-.BR charon.plugins.tnc-imc.dlclose " [yes]"
+.BR libtnccs.plugins.tnc-imc.dlclose " [yes]"
 Unload IMC after use
 .TP
-.BR charon.plugins.tnc-imc.preferred_language " [en]"
+.BR libtnccs.plugins.tnc-imc.preferred_language " [en]"
 Preferred language for TNC recommendations
+.TP
+.BR libtnccs.plugins.tnc-imv.dlclose " [yes]"
+Unload IMV after use
 .SS libimcv section
 .TP
 .BR libimcv.assessment_result " [yes]"
index 65e344a70f56fd883221f15408e7cda1143313d5..9c7f67690fd858b2aafcc7ae924e1c8706d8d3ab 100644 (file)
@@ -385,13 +385,6 @@ if MONOLITHIC
 endif
 endif
 
-if USE_TNC_IMV
-  SUBDIRS += plugins/tnc_imv
-if MONOLITHIC
-  libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc-imv.la
-endif
-endif
-
 if USE_LIBTNCCS
 if MONOLITHIC
   # otherwise this library is linked to the respective plugins
index 839425d5953de772a853e64f78523fe8c991ba6d..d14672e498768a2de14c1347c037c8e860cb62f3 100644 (file)
@@ -22,6 +22,7 @@
 #include <daemon.h>
 
 #include <tncifimv.h>
+#include <tncif_names.h>
 
 /**
  * Maximum size of an EAP-TNC message
@@ -62,6 +63,63 @@ struct private_eap_tnc_t {
 
 };
 
+/**
+ * Callback function to get recommendation from TNCCS connection
+ */
+static bool enforce_recommendation(TNC_IMV_Action_Recommendation rec,
+                                                                  TNC_IMV_Evaluation_Result eval)
+{
+       char *group;
+       identification_t *id;
+       ike_sa_t *ike_sa;
+       auth_cfg_t *auth;
+       bool no_access = FALSE;
+
+       DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
+                TNC_IMV_Action_Recommendation_names, rec,
+                TNC_IMV_Evaluation_Result_names, eval);
+
+       switch (rec)
+       {
+               case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+                       group = "allow";
+                       break;
+               case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+                       group = "isolate";
+                       break;
+               case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+               case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+               default:
+                       group = "no access";
+                       no_access = TRUE;
+                       break;
+       }
+
+       ike_sa = charon->bus->get_sa(charon->bus);
+       if (!ike_sa)
+       {
+               DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA");
+               return FALSE;
+       }
+
+       id = ike_sa->get_other_id(ike_sa);
+       DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group);
+
+       if (no_access)
+       {
+               return FALSE;
+       }
+       else
+       {
+               auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+               id = identification_create_from_string(group);
+               auth->add(auth, AUTH_RULE_GROUP, id);
+               DBG1(DBG_TNC, "policy enforcement point added group membership '%s'",
+                        group);
+       }
+       return TRUE;
+}
+
 METHOD(eap_method_t, initiate, status_t,
        private_eap_tnc_t *this, eap_payload_t **out)
 {
@@ -224,8 +282,9 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
                free(this);
                return NULL;
        }
-       this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server,
-                                                                                         server, peer, TNC_IFT_EAP_1_1);
+       this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type,
+                                               is_server, server, peer, TNC_IFT_EAP_1_1,
+                                               is_server ? enforce_recommendation : NULL);
        this->tls_eap = tls_eap_create(EAP_TNC, &this->tnccs->tls,
                                                                   EAP_TNC_MAX_MESSAGE_LEN,
                                                                   max_msg_count, FALSE);
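Review bot: The header comment on the new enforce_recommendation(), `Callback function to get recommendation from TNCCS connection`, undersells what the function does and hides its return contract: it maps the final recommendation to an "allow"/"isolate" AUTH_RULE_GROUP on the IKE_SA obtained via charon->bus->get_sa(), and fails closed (returns FALSE) both for NO_ACCESS/NO_RECOMMENDATION/unknown values via the `default:` arm and when no IKE_SA is found. Suggest a comment along the lines of: tnccs_cb_t implementation for the TNC server side; enforces the final IMV recommendation on the IKE_SA returned by the bus by adding a group membership of "allow" or "isolate", and returns FALSE to abort EAP-TNC for any other recommendation or if no IKE_SA is available. It is also worth stating that the function is only registered when is_server is set (third hunk, `is_server ? enforce_recommendation : NULL`), since the code is compiled into the client as well. eap_tnc_create() in the third hunk starts and ends outside the hunk.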
index 686df15c7e3c9624547962df28fd83c6ef1d0064..707b113e4fdab09f961f60b52cfa32a7b16797b5 100644 (file)
@@ -26,6 +26,9 @@
 
 #include <tnc/tnc.h>
 
+#include <tncifimv.h>
+#include <tncif_names.h>
+
 #include <daemon.h>
 #include <utils/debug.h>
 #include <pen/pen.h>
@@ -562,6 +565,19 @@ end:
        }
 }
 
+/**
+ * Callback function to get recommendation from TNCCS connection
+ */
+static bool get_recommendation(TNC_IMV_Action_Recommendation rec,
+                                                          TNC_IMV_Evaluation_Result eval)
+{
+       DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
+                TNC_IMV_Action_Recommendation_names, rec,
+                TNC_IMV_Evaluation_Result_names, eval);
+
+       return TRUE;
+}
+
 /**
  * Get more data on a PT-TLS connection
  */
@@ -607,7 +623,8 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even
        peer = identification_create_from_encoding(ID_ANY, chunk_empty),
 
        tnccs = tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, TRUE,
-                                                                               this->server, peer, TNC_IFT_TLS_2_0);
+                                                                               this->server, peer, TNC_IFT_TLS_2_0,
+                                                                               (tnccs_cb_t)get_recommendation);
        peer->destroy(peer);
 
        if (!tnccs)
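Review bot: The cast `(tnccs_cb_t)get_recommendation` on the new create_instance() call is redundant — get_recommendation already has exactly the tnccs_cb_t signature (TNC_IMV_Action_Recommendation, TNC_IMV_Evaluation_Result) returning bool — and a cast here would silence the compiler if either signature ever drifted; pass `get_recommendation` directly, as eap_tnc.c does. The callback also unconditionally returns TRUE, so on the PDP a "no access" recommendation never fails is_complete(); if enforcement for this path happens elsewhere, a one-line comment in get_recommendation saying so would stop a reader from assuming it was forgotten. Unrelated to the change but visible in the context, `peer = identification_create_from_encoding(ID_ANY, chunk_empty),` ends in a comma rather than a semicolon and only compiles because of the comma operator. pt_tls_receive() starts and ends outside the hunk.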
index 8d618c3f8bebdb6a3cbce9593988e3a58c686b0b..d1f8825dee22461ca2fdeb83f0ea1a1e6dfb6cc8 100644 (file)
@@ -40,6 +40,13 @@ if MONOLITHIC
 endif
 endif
 
+if USE_TNC_IMV
+  SUBDIRS += plugins/tnc_imv
+if MONOLITHIC
+  libtnccs_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc-imv.la
+endif
+endif
+
 if USE_TNCCS_11
   SUBDIRS += plugins/tnccs_11
 if MONOLITHIC
index cbecf14c7f76e4e45114700e9b35c1bddd011351..7c52ab384d89df05672078991b5754629e7d1854 100644 (file)
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2006 Mike McCauley
- * Copyright (C) 2010-2011 Andreas Steffen,
+ * Copyright (C) 2010-2013 Andreas Steffen,
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
similarity index 91%
rename from src/libcharon/plugins/tnc_imv/Makefile.am
rename to src/libtnccs/plugins/tnc_imv/Makefile.am
index 49efe3be4e35553eb883bd1140cb2bc3ae0e84c0..0541d4c86fb3a3c2cf615394ad2aa9e982636ec4 100644 (file)
@@ -1,7 +1,5 @@
 AM_CPPFLAGS = \
        -I$(top_srcdir)/src/libstrongswan \
-       -I$(top_srcdir)/src/libhydra \
-       -I$(top_srcdir)/src/libcharon \
        -I$(top_srcdir)/src/libtncif \
        -I$(top_srcdir)/src/libtnccs \
        -I$(top_srcdir)/src/libtls
similarity index 98%
rename from src/libcharon/plugins/tnc_imv/tnc_imv.c
rename to src/libtnccs/plugins/tnc_imv/tnc_imv.c
index ef0387d70147860b3c02196a85b31af79b737416..ebf90451311c67bdab6134e834e8bcd8b52538eb 100644 (file)
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2006 Mike McCauley
- * Copyright (C) 2010-2011 Andreas Steffen,
+ * Copyright (C) 2010-2013 Andreas Steffen,
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -21,7 +20,6 @@
 #include <tncif_pa_subtypes.h>
 
 #include <utils/debug.h>
-#include <daemon.h>
 #include <library.h>
 #include <collections/linked_list.h>
 #include <threading/mutex.h>
@@ -300,7 +298,7 @@ METHOD(imv_t, destroy, void,
        private_tnc_imv_t *this)
 {
        if (this->handle && lib->settings->get_bool(lib->settings,
-               "%s.plugins.tnc-imv.dlclose", TRUE, charon->name))
+                               "libtnccs.plugins.tnc-imv.dlclose", TRUE))
        {
                dlclose(this->handle);
        }
similarity index 88%
rename from src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
rename to src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c
index b950e3119b9f5c8679b3f32c44fcd0952a3f6c63..b4f131b5dda09085f92309964efee2088332636c 100644 (file)
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2006 Mike McCauley
- * Copyright (C) 2010-2011 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -19,7 +18,6 @@
 #include "tnc_imv_recommendations.h"
 
 #include <tncifimv.h>
-#include <tncif_names.h>
 
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -28,7 +26,6 @@
 #include <errno.h>
 #include <fcntl.h>
 
-#include <daemon.h>
 #include <utils/debug.h>
 #include <threading/rwlock.h>
 #include <threading/mutex.h>
@@ -247,61 +244,6 @@ METHOD(imv_manager_t, create_recommendations, recommendations_t*,
        return tnc_imv_recommendations_create(this->imvs);
 }
 
-METHOD(imv_manager_t, enforce_recommendation, bool,
-       private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec,
-                                                                        TNC_IMV_Evaluation_Result eval)
-{
-       char *group;
-       identification_t *id;
-       ike_sa_t *ike_sa;
-       auth_cfg_t *auth;
-       bool no_access = FALSE;
-
-       DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
-                TNC_IMV_Action_Recommendation_names, rec,
-                TNC_IMV_Evaluation_Result_names, eval);
-
-       switch (rec)
-       {
-               case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
-                       group = "allow";
-                       break;
-               case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
-                       group = "isolate";
-                       break;
-               case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
-               case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
-               default:
-                       group = "no access";
-                       no_access = TRUE;
-                       break;
-       }
-
-       ike_sa = charon->bus->get_sa(charon->bus);
-       if (!ike_sa)
-       {
-               DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA");
-               return FALSE;
-       }
-
-       id = ike_sa->get_other_id(ike_sa);
-       DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group);
-
-       if (no_access)
-       {
-               return FALSE;
-       }
-       else
-       {
-               auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
-               id = identification_create_from_string(group);
-               auth->add(auth, AUTH_RULE_GROUP, id);
-               DBG1(DBG_TNC, "policy enforcement point added group membership '%s'",
-                        group);
-       }
-       return TRUE;
-}
-
 
 METHOD(imv_manager_t, notify_connection_change, void,
        private_tnc_imv_manager_t *this, TNC_ConnectionID id,
@@ -503,7 +445,6 @@ imv_manager_t* tnc_imv_manager_create(void)
                        .reserve_id = _reserve_id,
                        .get_recommendation_policy = _get_recommendation_policy,
                        .create_recommendations = _create_recommendations,
-                       .enforce_recommendation = _enforce_recommendation,
                        .notify_connection_change = _notify_connection_change,
                        .set_message_types = _set_message_types,
                        .set_message_types_long = _set_message_types_long,
@@ -520,8 +461,7 @@ imv_manager_t* tnc_imv_manager_create(void)
 
        policy = enum_from_name(recommendation_policy_names,
                                lib->settings->get_str(lib->settings,
-                                       "%s.plugins.tnc-imv.recommendation_policy", "default",
-                                       charon->name));
+                                       "libtnccs.plugins.tnc-imv.recommendation_policy", "default"));
        this->policy = (policy != -1) ? policy : RECOMMENDATION_POLICY_DEFAULT;
        DBG1(DBG_TNC, "TNC recommendation policy is '%N'",
                                   recommendation_policy_names, this->policy);
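Review bot: The settings key read in the last hunk changes from `%s.plugins.tnc-imv.recommendation_policy` (expanded with charon->name) to `libtnccs.plugins.tnc-imv.recommendation_policy`, and nothing on this page documents the new name — the man-page hunk only moves the `dlclose` key, which tnc_imv.c renames the same way. An existing strongswan.conf still using the charon.plugins.tnc-imv prefix will silently fall back to the "default" policy (and to dlclose's default); the DBG1 below shows the resulting policy but not whether the key was found. If recommendation_policy is documented anywhere under the old name it needs the new prefix, and a migration note covering both keys would help operators; emitting a DBG1 when the value comes from the default would make a stale key visible. tnc_imv_manager_create() starts and ends outside the hunk.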
index 60f6bc3c1823eb83a94212d981aed5dba513ab00..b8683f78c49f07f95f93960b285f0e772825946b 100644 (file)
@@ -169,8 +169,8 @@ METHOD(tnccs_manager_t, remove_method, void,
 
 METHOD(tnccs_manager_t, create_instance, tnccs_t*,
        private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server,
-       identification_t *server, identification_t *peer,
-       tnc_ift_type_t transport)
+       identification_t *server, identification_t *peer, tnc_ift_type_t transport,
+       tnccs_cb_t cb)
 {
        enumerator_t *enumerator;
        tnccs_entry_t *entry;
@@ -182,7 +182,7 @@ METHOD(tnccs_manager_t, create_instance, tnccs_t*,
        {
                if (type == entry->type)
                {
-                       protocol = entry->constructor(is_server, server, peer, transport);
+                       protocol = entry->constructor(is_server, server, peer, transport, cb);
                        if (protocol)
                        {
                                break;
index b19a048fedb19b916d45cad1b93cb5d04dabaa01..7155861672f1987ea1b117b4bee6c02415b4b81d 100644 (file)
@@ -121,6 +121,11 @@ struct private_tnccs_11_t {
         */
        recommendations_t *recs;
 
+       /**
+        * Callback function to communicate recommendation (TNC Server only)
+        */
+       tnccs_cb_t callback;
+
 };
 
 METHOD(tnccs_t, send_msg, TNC_Result,
@@ -540,7 +545,7 @@ METHOD(tls_t, is_complete, bool,
 
        if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
        {
-               return tnc->imvs->enforce_recommendation(tnc->imvs, rec, eval);
+               return this->callback ? this->callback(rec, eval) : TRUE;
        }
        else
        {
@@ -594,9 +599,8 @@ METHOD(tnccs_t, set_auth_type, void,
  * See header
  */
 tnccs_t* tnccs_11_create(bool is_server,
-                                                identification_t *server,
-                                                identification_t *peer,
-                                                tnc_ift_type_t transport)
+                                                identification_t *server, identification_t *peer,
+                                                tnc_ift_type_t transport, tnccs_cb_t cb)
 {
        private_tnccs_11_t *this;
 
@@ -622,6 +626,7 @@ tnccs_t* tnccs_11_create(bool is_server,
                .server = server->clone(server),
                .peer = peer->clone(peer),
                .transport = transport,
+               .callback = cb,
                .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
                .max_msg_len = lib->settings->get_int(lib->settings,
                                                        "libtnccs.plugins.tnccs-11.max_message_size", 45000),
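Review bot: The new `return this->callback ? this->callback(rec, eval) : TRUE;` in is_complete() makes a missing callback fail open: a server-side instance created with cb == NULL completes successfully whatever the IMVs recommended, whereas the replaced tnc->imvs->enforce_recommendation() call was applied unconditionally. tnccs_20.c carries the identical line. Given the constructor doc says NULL means "TNC Client" and the field comment says the callback is "TNC Server only", a NULL callback with recs present looks like a caller bug rather than an intended policy; at minimum make it visible, e.g. `if (!this->callback) { DBG1(DBG_TNC, "no recommendation callback registered, accepting"); }` before the return, or only default to TRUE when rec is TNC_IMV_ACTION_RECOMMENDATION_ALLOW. is_complete() starts and ends outside the hunk.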
index 531ebb611011c14f6704fd47dd6dea5758d6090a..e805df8bb27a7767322d9fdf80e2e966724f177b 100644 (file)
  * @param server               Server identity
  * @param peer                 Client identity
  * @param transport            Underlying IF-T transport protocol
+ * @param cb                   Callback function if TNC Server, NULL if TNC Client
  * @return                             TNC_IF_TNCCS 1.1 protocol stack
  */
 tnccs_t* tnccs_11_create(bool is_server,
-                                                identification_t *server,
-                                                identification_t *peer,
-                                                tnc_ift_type_t transport);
+                                                identification_t *server, identification_t *peer,
+                                                tnc_ift_type_t transport, tnccs_cb_t cb);
 
 #endif /** TNCCS_11_H_ @}*/
index 09900ade966d246f7b2e81ffa929b75cbb3e2ed7..e5117e82959cdff4b7f61d878ffebff195dfb731 100644 (file)
@@ -131,6 +131,16 @@ struct private_tnccs_20_t {
         */
        recommendations_t *recs;
 
+       /**
+        * Callback function to communicate recommendation (TNC Server only)
+        */
+       tnccs_cb_t callback;
+
+       /**
+        * Data to pass to callback function (TNC Server only)
+        */
+       void *cb_data;
+
 };
 
 /**
@@ -844,7 +854,7 @@ METHOD(tls_t, is_complete, bool,
 
        if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
        {
-               return tnc->imvs->enforce_recommendation(tnc->imvs, rec, eval);
+               return this->callback ? this->callback(rec, eval) : TRUE;
        }
        else
        {
@@ -900,9 +910,8 @@ METHOD(tnccs_t, set_auth_type, void,
  * See header
  */
 tnccs_t* tnccs_20_create(bool is_server,
-                                                identification_t *server,
-                                                identification_t *peer,
-                                                tnc_ift_type_t transport)
+                                                identification_t *server, identification_t *peer,
+                                                tnc_ift_type_t transport, tnccs_cb_t cb)
 {
        private_tnccs_20_t *this;
 
@@ -928,6 +937,7 @@ tnccs_t* tnccs_20_create(bool is_server,
                .server = server->clone(server),
                .peer = peer->clone(peer),
                .transport = transport,
+               .callback = cb,
                .state_machine = pb_tnc_state_machine_create(is_server),
                .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
                .messages = linked_list_create(),
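Review bot: The new `void *cb_data` member of private_tnccs_20_t is never assigned or read in this commit — tnccs_20_create() only sets `.callback = cb`, and tnccs_cb_t takes no user-data argument, so there is no way to pass it to the callback. Either drop the field or extend tnccs_cb_t, tnccs_constructor_t and the three create functions with the data parameter; as it stands tnccs_11 and tnccs_dynamic have no such field, so the implementations are inconsistent and the "Data to pass to callback function" comment is misleading. The structure's initialiser in the last hunk starts outside the hunk.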
index 314935069128b7c99dee2a6e8db4c770fd4cb8cc..2857b1408ce6865a2238dd74aa6fb87e92ae0b5a 100644 (file)
  * @param server               Server identity
  * @param peer                 Client identity
  * @param transport            Underlying IF-T transport protocol
+ * @param cb                   Callback function if TNC Server, NULL if TNC Client
  * @return                             TNC_IF_TNCCS 2.0 protocol stack
  */
 tnccs_t* tnccs_20_create(bool is_server,
-                                                identification_t *server,
-                                                identification_t *peer,
-                                                tnc_ift_type_t transport);
+                                                identification_t *server, identification_t *peer,
+                                                tnc_ift_type_t transport, tnccs_cb_t cb);
 
 #endif /** TNCCS_20_H_ @}*/
index d4fc6a6f71f51aa422357fadd73638aa46975890..bc311268628e785752fd64fed558f8c619311794 100644 (file)
@@ -56,6 +56,11 @@ struct private_tnccs_dynamic_t {
         */
        u_int32_t auth_type;
 
+       /**
+        * Callback function to communicate recommendation (TNC Server only)
+        */
+       tnccs_cb_t callback;
+
 };
 
 /**
@@ -99,7 +104,8 @@ METHOD(tls_t, process, status_t,
                DBG1(DBG_TNC, "%N protocol detected dynamically",
                                           tnccs_type_names, type);
                tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE,
-                                                       this->server, this->peer, this->transport);
+                                                       this->server, this->peer, this->transport,
+                                                       this->callback);
                if (!tnccs)
                {
                        DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);
@@ -190,9 +196,8 @@ METHOD(tnccs_t, set_auth_type, void,
  * See header
  */
 tnccs_t* tnccs_dynamic_create(bool is_server,
-                                                         identification_t *server,
-                                                         identification_t *peer,
-                                                         tnc_ift_type_t transport)
+                                                         identification_t *server, identification_t *peer,
+                                                         tnc_ift_type_t transport, tnccs_cb_t cb)
 {
        private_tnccs_dynamic_t *this;
 
@@ -217,6 +222,7 @@ tnccs_t* tnccs_dynamic_create(bool is_server,
                .server = server->clone(server),
                .peer = peer->clone(peer),
                .transport = transport,
+               .callback = cb,
        );
 
        return &this->public;
index e4cff74b84f96430a16b6dcbeb1f3df03e345d7e..cbdc80b836134718b3c7b3402dcafc9727121266 100644 (file)
  * @param server               Server identity
  * @param peer                 Client identity
  * @param transport            Underlying IF-T transport protocol
+ * @param cb                   Callback function if TNC Server, NULL if TNC Client
  * @return                             dynamic TNC IF-TNCCS protocol stack
  */
 tnccs_t* tnccs_dynamic_create(bool is_server,
-                                                         identification_t *server,
-                                                         identification_t *peer,
-                                                         tnc_ift_type_t transport);
+                                                         identification_t *server, identification_t *peer,
+                                                         tnc_ift_type_t transport, tnccs_cb_t cb);
 
 #endif /** TNCCS_DYNAMIC_H_ @}*/
index 7772b7e08b4a815023e9de54164e6eef6030e34f..b72eb8bf77a4050847275172dd0a873d6ac41dc0 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010 Andreas Steffen
+ * Copyright (C) 2010-2013 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -113,18 +113,6 @@ struct imv_manager_t {
         */
        recommendations_t* (*create_recommendations)(imv_manager_t *this);
 
-       /**
-        * Enforce the TNC recommendation on the IKE_SA by either inserting an
-        * allow|isolate group membership rule (TRUE) or by blocking access (FALSE)
-        *
-        * @param rec                           TNC action recommendation
-        * @param eval                          TNC evaluation result
-        * @return                                      TRUE for allow|isolate, FALSE for none
-        */
-       bool (*enforce_recommendation)(imv_manager_t *this,
-                                                                  TNC_IMV_Action_Recommendation rec,
-                                                                  TNC_IMV_Evaluation_Result eval);
-
        /**
         * Notify all IMV instances
         *
index fd3e5cabbf4109bef50f47671164ca9131c3f4df..b1ac0906cf7153825bf3659b0e5e8dacd65ba385 100644 (file)
@@ -37,6 +37,17 @@ typedef enum tnc_ift_type_t tnc_ift_type_t;
 
 #include <tls.h>
 
+/**
+ * Callback function to communicate action recommendation and evaluation result
+ * generated by TNC server
+ *
+ * @param rec          TNC Action Recommendation
+ * @param eval         TNC Evaluation Result
+ * @return                     TRUE to terminate TNCCS connection, FALSE to keep it
+ */
+typedef bool (*tnccs_cb_t)(TNC_IMV_Action_Recommendation rec,
+                                                  TNC_IMV_Evaluation_Result eval);
+
 /**
  * Type of TNC Client/Server protocol
  */
@@ -112,12 +123,14 @@ struct tnccs_t {
  * @param server               Server identity
  * @param peer                 Client identity
  * @param transport            Underlying TNC IF-T transport protocol used
+ * @param cb                   Callback function if TNC Server, NULL if TNC Client
  * @return                             implementation of the tnccs_t interface
  */
 typedef tnccs_t *(*tnccs_constructor_t)(bool is_server,
                                                                                identification_t *server,
                                                                                identification_t *peer,
-                                                                               tnc_ift_type_t transport);
+                                                                               tnc_ift_type_t transport,
+                                                                               tnccs_cb_t cb);
 
 /**
  * Callback function adding a message to a TNCCS batch
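Review bot: The return-value documentation of the new tnccs_cb_t typedef, `@return TRUE to terminate TNCCS connection, FALSE to keep it`, contradicts how the callback is used: tnccs_11.c and tnccs_20.c return its result directly from is_complete(), and eap_tnc.c's enforce_recommendation() returns FALSE for a "no access" recommendation to fail the exchange and TRUE after adding the allow/isolate group — the contract of the removed imv_manager_t method, "TRUE for allow|isolate, FALSE for none". Suggest `@return TRUE to let the TNCCS connection complete (allow/isolate), FALSE to reject it (no access)`, and a sentence noting that the callback is invoked from is_complete() on the TNC server side only.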
index 4ab9d7e18867df0557f06154ea0793582b65b3fe..791336ee107939f93b05d2c93d7287099b09c809 100644 (file)
@@ -59,12 +59,13 @@ struct tnccs_manager_t {
         * @param server          Server identity
         * @param peer            Client identity
         * @param transport       Underlying TNC IF-T transport protocol used
+        * @param cb              Callback function if TNC Server, NULL if TNC Client
         * @return                        TNCCS protocol instance, NULL if no constructor found
         */
        tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type,
                                                                bool is_server, identification_t *server,
                                                                identification_t *peer,
-                                                               tnc_ift_type_t transport);
+                                                               tnc_ift_type_t transport, tnccs_cb_t cb);
 
        /**
         * Create a TNCCS connection and assign a unique connection ID as well a
index 2b104f8d55e6d1e815875a027f03b067607ada41..09b42b6feedf17c1f6d7ba61f45dcd6a0e0bb8af 100644 (file)
@@ -59,7 +59,7 @@ static int client(char *address, u_int16_t port, char *identity)
        server = identification_create_from_string(address);
        client = identification_create_from_string(identity);
        tnccs = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, FALSE,
-                                                                                               server, client, TNC_IFT_TLS_2_0);
+                                                               server, client, TNC_IFT_TLS_2_0, NULL);
        if (!tnccs)
        {
                fprintf(stderr, "loading TNCCS failed: %s\n", PLUGINS);