*/
rwlock_t *connection_lock;
+ /**
+ * Access Requestor ID
+ */
+ identification_t *ar_id;
+
/**
* Inform a TNCS about the set of message types the IMV is able to receive
*
int tcg_id_type, tcg_subject_type, tcg_auth_type;
chunk_t id_value;
id_type_t ike_type;
- identification_t *id;
id_type = tnc_id->get_identity_type(tnc_id);
id_value = tnc_id->get_identity_value(tnc_id);
ike_type = ID_IPV6_ADDR;
break;
case TNC_ID_FQDN:
- case TNC_ID_USER_NAME:
ike_type = ID_FQDN;
break;
case TNC_ID_RFC822_ADDR:
ike_type = ID_RFC822_ADDR;
break;
+ case TNC_ID_USER_NAME:
+ ike_type = ID_USER_ID;
+ break;
case TNC_ID_DER_ASN1_DN:
ike_type = ID_DER_ASN1_DN;
break;
break;
}
- id = identification_create_from_encoding(ike_type, id_value);
- DBG2(DBG_IMV, "%N identity '%Y' authenticated by %N",
- TNC_Subject_names, tcg_subject_type, id,
- TNC_Authentication_names, tcg_auth_type);
- id->destroy(id);
+ this->ar_id = identification_create_from_encoding(ike_type, id_value);
+ DBG2(DBG_IMV, " %N AR identity '%Y' authenticated by %N",
+ TNC_Subject_names, tcg_subject_type, this->ar_id,
+ TNC_Authentication_names, tcg_auth_type);
}
enumerator->destroy(enumerator);
return this->id;
}
+METHOD(imv_agent_t, get_ar_id, identification_t*,
+ private_imv_agent_t *this)
+{
+ return this->ar_id;
+}
+
METHOD(imv_agent_t, reserve_additional_ids, TNC_Result,
private_imv_agent_t *this, int count)
{
private_imv_agent_t *this)
{
DBG1(DBG_IMV, "IMV %u \"%s\" terminated", this->id, this->name);
+ DESTROY_IF(this->ar_id);
this->additional_ids->destroy(this->additional_ids);
this->connections->destroy_offset(this->connections,
offsetof(imv_state_t, destroy));
.get_state = _get_state,
.get_name = _get_name,
.get_id = _get_id,
+ .get_ar_id = _get_ar_id,
.reserve_additional_ids = _reserve_additional_ids,
.count_additional_ids = _count_additional_ids,
.create_id_enumerator = _create_id_enumerator,
*/
TNC_IMVID (*get_id)(imv_agent_t *this);
+ /**
+ * Get Access Requestor ID
+ *
+ * return Access Requestor ID
+ */
+ identification_t* (*get_ar_id)(imv_agent_t *this);
+
/**
* Reserve additional IMV IDs from TNCS
*
device_id = os_state->get_device_id(os_state);
if (os_db && device_id)
{
- os_db->set_device_info(os_db, device_id,
+ os_db->set_device_info(os_db, device_id, imv_os->get_ar_id(imv_os),
os_state->get_info(os_state, NULL, NULL, NULL),
count, count_update, count_blacklist, os_settings);
}
}
METHOD(imv_os_database_t, set_device_info, void,
- private_imv_os_database_t *this, int device_id, char *os_info,
- int count, int count_update, int count_blacklist, u_int flags)
+ private_imv_os_database_t *this, int device_id, identification_t *ar_id,
+ char *os_info, int count, int count_update, int count_blacklist,
+ u_int flags)
{
enumerator_t *e;
time_t last_time;
- int pid = 0, last_pid = 0, last_count_update = 0, last_count_blacklist = 0;
+ int pid = 0, last_pid = 0, iid = 0, last_iid;
+ int last_count_update = 0, last_count_blacklist = 0;
u_int last_flags;
bool found = FALSE;
e->destroy(e);
}
- /* if OS ifo string has not been found - register it */
+ /* if OS info string has not been found - register it */
if (!pid)
{
this->db->execute(this->db, &pid,
"INSERT INTO products (name) VALUES (?)", DB_TEXT, os_info);
}
+ /* get primary key of AR identity if it exists */
+ e = this->db->query(this->db,
+ "SELECT id FROM identities WHERE type = ? AND data = ?",
+ DB_INT, ar_id->get_type(ar_id),
+ DB_BLOB, ar_id->get_encoding(ar_id), DB_INT);
+ if (e)
+ {
+ e->enumerate(e, &iid);
+ e->destroy(e);
+ }
+
+ /* if AR identity has not been found - register it */
+ if (!iid)
+ {
+ this->db->execute(this->db, &iid,
+ "INSERT INTO identities (type, data) VALUES (?, ?)",
+ DB_INT, ar_id->get_type(ar_id),
+ DB_BLOB, ar_id->get_encoding(ar_id));
+ }
+
/* get latest device info record if it exists */
e = this->db->query(this->db,
- "SELECT time, product, count_update, count_blacklist, flags "
+ "SELECT time, ar_id, product, count_update, count_blacklist, flags "
"FROM device_infos WHERE device = ? ORDER BY time DESC",
- DB_INT, device_id, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT);
+ DB_INT, device_id, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_UINT);
if (e)
{
- found = e->enumerate(e, &last_time, &last_pid, &last_count_update,
- &last_count_blacklist, &last_flags);
+ found = e->enumerate(e, &last_time, &last_iid, &last_pid,
+ &last_count_update, &last_count_blacklist,
+ &last_flags);
e->destroy(e);
}
if (found && !last_count_update && !last_count_blacklist && !last_flags &&
- pid == last_pid)
+ iid == last_iid && pid == last_pid)
{
/* update device info */
this->db->execute(this->db, NULL,
{
/* insert device info */
this->db->execute(this->db, NULL,
- "INSERT INTO device_infos (device, time, product, count, "
- "count_update, count_blacklist, flags) VALUES (?, ?, ?, ?, ?, ?, ?)",
- DB_INT, device_id, DB_UINT, time(NULL), DB_INT, pid,
+ "INSERT INTO device_infos (device, time, ar_id, product, count, "
+ "count_update, count_blacklist, flags) "
+ "VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
+ DB_INT, device_id, DB_UINT, time(NULL), DB_INT, iid, DB_INT, pid,
DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist,
DB_UINT, flags);
}
* Set health infos for a given device
*
* @param device_id Device ID primary key
+ * @param ar_id Access Requestor ID
* @param os_info OS info string
* @param count Number of installed packages
* @param count_update Number of packages to be updated
* @param count_blacklist Number of blacklisted packages
* @param flags Various flags, e.g. illegal OS settings
*/
- void (*set_device_info)(imv_os_database_t *this, int device_id, char *os_info,
+ void (*set_device_info)(imv_os_database_t *this, int device_id,
+ identification_t *ar_id, char *os_info,
int count, int count_update, int count_blacklist,
u_int flags);
METHOD(attest_db_t, list_devices, void,
private_attest_db_t *this)
{
- enumerator_t *e;
- chunk_t value;
+ enumerator_t *e, *e_ar;
+ chunk_t value, ar_data;
char *product;
time_t timestamp;
- int id, last_id = 0, device_count = 0;
+ int id, last_id = 0, iid = 0, last_iid = 0, device_count = 0;
int count, count_update, count_blacklist;
+ id_type_t ar_type;
+ identification_t *ar_id = NULL;
u_int tstamp, flags = 0;
e = this->db->query(this->db,
"SELECT d.id, d.value, i.time, i.count, i.count_update, "
- "i.count_blacklist, i.flags, p.name FROM devices AS d "
+ "i.count_blacklist, i.flags, i.ar_id, p.name FROM devices AS d "
"JOIN device_infos AS i ON d.id = i.device "
"JOIN products AS p ON p.id = i.product "
"ORDER BY d.value, i.time DESC",
- DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, DB_TEXT);
+ DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT,
+ DB_INT, DB_TEXT);
if (e)
{
while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update,
- &count_blacklist, &flags, &product))
+ &count_blacklist, &flags, &iid, &product))
{
if (id != last_id)
{
last_id = id;
}
timestamp = tstamp;
- printf(" %T, %4d, %3d, %3d, %1u, '%s'\n", ×tamp, this->utc,
+ printf(" %T, %4d, %3d, %3d, %1u, '%s'", ×tamp, this->utc,
count, count_update, count_blacklist, flags, product);
+ if (iid)
+ {
+ if (iid != last_iid)
+ {
+ DESTROY_IF(ar_id);
+ ar_id = NULL;
+
+ e_ar = this->db->query(this->db,
+ "SELECT type, data FROM identities "
+ "WHERE id = ?", DB_INT, iid, DB_INT, DB_BLOB);
+ if (e_ar->enumerate(e_ar, &ar_type, &ar_data))
+ {
+ ar_id = identification_create_from_encoding(ar_type,
+ ar_data);
+ }
+ e_ar->destroy(e_ar);
+ }
+ if (ar_id)
+ {
+ printf(" %Y", ar_id);
+ }
+ }
+ printf("\n");
}
e->destroy(e);
+ DESTROY_IF(ar_id);
+
printf("%d device%s found\n", device_count,
(device_count == 1) ? "" : "s");
}
DROP TABLE IF EXISTS device_infos;
CREATE TABLE device_infos (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
device INTEGER NOT NULL,
time INTEGER NOT NULL,
+ ar_id INTEGER DEFAULT 0,
product INTEGER DEFAULT 0,
count INTEGER DEFAULT 0,
count_update INTEGER DEFAULT 0,
count_blacklist INTEGER DEFAULT 0,
- flags INTEGER DEFAULT 0,
- PRIMARY KEY (device, time)
+ flags INTEGER DEFAULT 0
);
+DROP TABLE IF EXISTS identities;
+CREATE TABLE identities (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ type INTEGER NOT NULL,
+ data BLOB NOT NULL,
+ UNIQUE (type, data)
+);
"ID_DER_ASN1_DN",
"ID_DER_ASN1_GN",
"ID_KEY_ID");
-ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID,
+ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_USER_ID, ID_KEY_ID,
"ID_DER_ASN1_GN_URI",
- "ID_MYID");
-ENUM_END(id_type_names, ID_MYID);
+ "ID_USER_ID");
+ENUM_END(id_type_names, ID_USER_ID);
/**
* coding of X.501 distinguished name
case ID_FQDN:
case ID_RFC822_ADDR:
case ID_DER_ASN1_GN_URI:
+ case ID_USER_ID:
chunk_printable(this->encoded, &proper, '?');
snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr);
chunk_free(&proper);
snprintf(buf, sizeof(buf), "%#B", &this->encoded);
}
break;
- case ID_MYID:
- snprintf(buf, sizeof(buf), "%%myid");
- break;
default:
snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
break;
break;
case ID_FQDN:
case ID_RFC822_ADDR:
+ case ID_USER_ID:
this->public.matches = _matches_string;
this->public.equals = _equals_strcasecmp;
this->public.contains_wildcards = _contains_wildcards_memchr;
{
char buf[data.len + 1];
- /* use string constructor */
- snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr);
- return identification_create_from_string(buf);
+ if (is_asn1(data))
+ {
+ return identification_create_from_encoding(ID_DER_ASN1_DN, data);
+ }
+ else
+ {
+ /* use string constructor */
+ snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr);
+ return identification_create_from_string(buf);
+ }
}
/*
ID_KEY_ID = 11,
/**
- * private type which represents a GeneralName of type URI
+ * Private ID type which represents a GeneralName of type URI
*/
ID_DER_ASN1_GN_URI = 201,
/**
- * Private ID used by the pluto daemon for opportunistic encryption
+ * Private ID type which represents a user ID
*/
- ID_MYID = 203,
+ ID_USER_ID = 202
};
/**
projects / thirdparty / strongswan.git / commitdiff
