From: Andreas Steffen Date: Thu, 8 Aug 2013 17:43:43 +0000 (+0200) Subject: moved tnc_imv plugin to libtnccs thanks to recommendation callback function X-Git-Tag: 5.1.1dr1~23 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=12b3db5006;p=thirdparty%2Fstrongswan.git moved tnc_imv plugin to libtnccs thanks to recommendation callback function --- diff --git a/configure.ac b/configure.ac index fb91ddd827..7111922c56 100644 --- a/configure.ac +++ b/configure.ac @@ -1062,7 +1062,7 @@ ADD_PLUGIN([xauth-noauth], [c charon]) ADD_PLUGIN([tnc-ifmap], [c charon]) ADD_PLUGIN([tnc-pdp], [c charon]) ADD_PLUGIN([tnc-imc], [t charon]) -ADD_PLUGIN([tnc-imv], [c charon]) +ADD_PLUGIN([tnc-imv], [t charon]) ADD_PLUGIN([tnc-tnccs], [t charon]) ADD_PLUGIN([tnccs-20], [t charon]) ADD_PLUGIN([tnccs-11], [t charon]) @@ -1378,6 +1378,7 @@ AC_CONFIG_FILES([ src/libtnccs/Makefile src/libtnccs/plugins/tnc_tnccs/Makefile src/libtnccs/plugins/tnc_imc/Makefile + src/libtnccs/plugins/tnc_imv/Makefile src/libtnccs/plugins/tnccs_11/Makefile src/libtnccs/plugins/tnccs_20/Makefile src/libtnccs/plugins/tnccs_dynamic/Makefile @@ -1421,7 +1422,6 @@ AC_CONFIG_FILES([ src/libcharon/plugins/xauth_noauth/Makefile src/libcharon/plugins/tnc_ifmap/Makefile src/libcharon/plugins/tnc_pdp/Makefile - src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in index 6a3bbac30c..be8512d2d0 100644 --- a/man/strongswan.conf.5.in +++ b/man/strongswan.conf.5.in @@ -712,9 +712,6 @@ Path to X.509 certificate file of IF-MAP server .BR charon.plugins.tnc-ifmap.username_password Credentials of IF-MAP client of the form username:password .TP -.BR charon.plugins.tnc-imv.dlclose " [yes]" -Unload IMV after use -.TP .BR charon.plugins.tnc-pdp.pt_tls.port " [271]" PT-TLS server port the strongSwan PDP is listening on .TP 
@@ -880,20 +877,23 @@ TNC IMC/IMV configuration directory .PP .SS libtnccs plugins section .TP -.BR charon.plugins.tnccs-11.max_message_size " [45000]" +.BR libtnccs.plugins.tnccs-11.max_message_size " [45000]" Maximum size of a PA-TNC message (XML & Base64 encoding) .TP -.BR charon.plugins.tnccs-20.max_batch_size " [65522]" +.BR libtnccs.plugins.tnccs-20.max_batch_size " [65522]" Maximum size of a PB-TNC batch (upper limit via PT-EAP = 65529) .TP -.BR charon.plugins.tnccs-20.max_message_size " [65490]" +.BR libtnccs.plugins.tnccs-20.max_message_size " [65490]" Maximum size of a PA-TNC message (upper limit via PT-EAP = 65497) .TP -.BR charon.plugins.tnc-imc.dlclose " [yes]" +.BR libtnccs.plugins.tnc-imc.dlclose " [yes]" Unload IMC after use .TP -.BR charon.plugins.tnc-imc.preferred_language " [en]" +.BR libtnccs.plugins.tnc-imc.preferred_language " [en]" Preferred language for TNC recommendations +.TP +.BR libtnccs.plugins.tnc-imv.dlclose " [yes]" +Unload IMV after use .SS libimcv section .TP .BR libimcv.assessment_result " [yes]" diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index 65e344a70f..9c7f67690f 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -385,13 +385,6 @@ if MONOLITHIC endif endif -if USE_TNC_IMV - SUBDIRS += plugins/tnc_imv -if MONOLITHIC - libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc-imv.la -endif -endif - if USE_LIBTNCCS if MONOLITHIC # otherwise this library is linked to the respective plugins diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c index 839425d595..d14672e498 100644 --- a/src/libcharon/plugins/eap_tnc/eap_tnc.c +++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c @@ -22,6 +22,7 @@ #include #include +#include /** * Maximum size of an EAP-TNC message 
@@ -62,6 +63,63 @@ struct private_eap_tnc_t { }; +/** + * Callback function to get recommendation from TNCCS connection + */ +static bool enforce_recommendation(TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval) +{ + char *group; + identification_t *id; + ike_sa_t *ike_sa; + auth_cfg_t *auth; + bool no_access = FALSE; + + DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'", + TNC_IMV_Action_Recommendation_names, rec, + TNC_IMV_Evaluation_Result_names, eval); + + switch (rec) + { + case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + group = "allow"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + group = "isolate"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: + case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: + default: + group = "no access"; + no_access = TRUE; + break; + } + + ike_sa = charon->bus->get_sa(charon->bus); + if (!ike_sa) + { + DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA"); + return FALSE; + } + + id = ike_sa->get_other_id(ike_sa); + DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group); + + if (no_access) + { + return FALSE; + } + else + { + auth = ike_sa->get_auth_cfg(ike_sa, FALSE); + id = identification_create_from_string(group); + auth->add(auth, AUTH_RULE_GROUP, id); + DBG1(DBG_TNC, "policy enforcement point added group membership '%s'", + group); + } + return TRUE; +} + METHOD(eap_method_t, initiate, status_t, private_eap_tnc_t *this, eap_payload_t **out) { @@ -224,8 +282,9 @@ static eap_tnc_t *eap_tnc_create(identification_t *server, free(this); return NULL; } - this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server, - server, peer, TNC_IFT_EAP_1_1); + this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, + is_server, server, peer, TNC_IFT_EAP_1_1, + is_server ? enforce_recommendation : NULL); this->tls_eap = tls_eap_create(EAP_TNC, &this->tnccs->tls, EAP_TNC_MAX_MESSAGE_LEN, max_msg_count, FALSE); 
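Review bot: `enforce_recommendation` locates the IKE_SA through `charon->bus->get_sa()` because the new `tnccs_cb_t` signature carries no context pointer, so it is only correct when the TNCCS `is_complete()` that invokes it runs on the thread currently processing that IKE_SA; nothing at the call site in `eap_tnc_create` says so, and a comment above the function such as `/* invoked from tnccs->is_complete() inside the IKE_SA's own task, so get_sa() yields the SA being authenticated; a NULL SA is treated as no access */` would make the contract explicit. The header comment should also state what the enforcement actually consists of: the function only adds an `allow` or `isolate` AUTH_RULE_GROUP membership and returns FALSE for NO_ACCESS, NO_RECOMMENDATION and any unknown value, so (presumably) an `isolate` result only has effect if the peer's connection config constrains groups — a config without such a constraint gives an isolated peer the same access as an allowed one. Returning FALSE for the unknown/default case is the fail-closed path and deserves a one-line why-comment so it is not "simplified" later.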
diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c index 686df15c7e..707b113e4f 100644 --- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c +++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c @@ -26,6 +26,9 @@ #include +#include +#include + #include #include #include @@ -562,6 +565,19 @@ end: } } +/** + * Callback function to get recommendation from TNCCS connection + */ +static bool get_recommendation(TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval) +{ + DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'", + TNC_IMV_Action_Recommendation_names, rec, + TNC_IMV_Evaluation_Result_names, eval); + + return TRUE; +} + /** * Get more data on a PT-TLS connection */ @@ -607,7 +623,8 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even peer = identification_create_from_encoding(ID_ANY, chunk_empty), tnccs = tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, TRUE, - this->server, peer, TNC_IFT_TLS_2_0); + this->server, peer, TNC_IFT_TLS_2_0, + (tnccs_cb_t)get_recommendation); peer->destroy(peer); if (!tnccs) diff --git a/src/libtnccs/Makefile.am b/src/libtnccs/Makefile.am index 8d618c3f8b..d1f8825dee 100644 --- a/src/libtnccs/Makefile.am +++ b/src/libtnccs/Makefile.am @@ -40,6 +40,13 @@ if MONOLITHIC endif endif +if USE_TNC_IMV + SUBDIRS += plugins/tnc_imv +if MONOLITHIC + libtnccs_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc-imv.la +endif +endif + if USE_TNCCS_11 SUBDIRS += plugins/tnccs_11 if MONOLITHIC diff --git a/src/libtnccs/plugins/tnc_imc/tnc_imc.c b/src/libtnccs/plugins/tnc_imc/tnc_imc.c index cbecf14c7f..7c52ab384d 100644 --- a/src/libtnccs/plugins/tnc_imc/tnc_imc.c +++ b/src/libtnccs/plugins/tnc_imc/tnc_imc.c 
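Review bot: `get_recommendation` returns TRUE unconditionally, so on the PT-TLS path `is_complete()` reports success for NO_ACCESS and NO_RECOMMENDATION exactly as for ALLOW; the previous `enforce_recommendation` returned FALSE in those cases. If the PDP deliberately only records the result here and communicates the access decision through some other channel outside this diff, a comment should say so, e.g. `/* PDP side only logs the result; the access decision is conveyed separately, not by closing the TNCCS connection */`, otherwise the callback should return FALSE for the no-access cases. Without that note the function reads as a stub that silently fails open.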
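Review bot: The cast in `(tnccs_cb_t)get_recommendation` in `pt_tls_receive` is unnecessary — `get_recommendation` already has the `bool (TNC_IMV_Action_Recommendation, TNC_IMV_Evaluation_Result)` signature of `tnccs_cb_t`, and `eap_tnc.c` passes its callback uncast — and it suppresses the type check that would catch a future change to the typedef (for instance adding a user-data parameter). Pass it as `this->server, peer, TNC_IFT_TLS_2_0, get_recommendation);`. `pt_tls_receive` begins and ends outside this hunk.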
@@ -1,6 +1,5 @@ /* - * Copyright (C) 2006 Mike McCauley - * Copyright (C) 2010-2011 Andreas Steffen, + * Copyright (C) 2010-2013 Andreas Steffen, * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libtnccs/plugins/tnc_imv/Makefile.am similarity index 91% rename from src/libcharon/plugins/tnc_imv/Makefile.am rename to src/libtnccs/plugins/tnc_imv/Makefile.am index 49efe3be4e..0541d4c86f 100644 --- a/src/libcharon/plugins/tnc_imv/Makefile.am +++ b/src/libtnccs/plugins/tnc_imv/Makefile.am @@ -1,7 +1,5 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ - -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon \ -I$(top_srcdir)/src/libtncif \ -I$(top_srcdir)/src/libtnccs \ -I$(top_srcdir)/src/libtls diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.c b/src/libtnccs/plugins/tnc_imv/tnc_imv.c similarity index 98% rename from src/libcharon/plugins/tnc_imv/tnc_imv.c rename to src/libtnccs/plugins/tnc_imv/tnc_imv.c index ef0387d701..ebf9045131 100644 --- a/src/libcharon/plugins/tnc_imv/tnc_imv.c +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv.c @@ -1,6 +1,5 @@ /* - * Copyright (C) 2006 Mike McCauley - * Copyright (C) 2010-2011 Andreas Steffen, + * Copyright (C) 2010-2013 Andreas Steffen, * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -21,7 +20,6 @@ #include #include -#include #include #include #include @@ -300,7 +298,7 @@ METHOD(imv_t, destroy, void, private_tnc_imv_t *this) { if (this->handle && lib->settings->get_bool(lib->settings, - "%s.plugins.tnc-imv.dlclose", TRUE, charon->name)) + "libtnccs.plugins.tnc-imv.dlclose", TRUE)) { dlclose(this->handle); } diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.h b/src/libtnccs/plugins/tnc_imv/tnc_imv.h similarity index 100% rename from src/libcharon/plugins/tnc_imv/tnc_imv.h rename to src/libtnccs/plugins/tnc_imv/tnc_imv.h 
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c b/src/libtnccs/plugins/tnc_imv/tnc_imv_bind_function.c similarity index 100% rename from src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c rename to src/libtnccs/plugins/tnc_imv/tnc_imv_bind_function.c diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c similarity index 88% rename from src/libcharon/plugins/tnc_imv/tnc_imv_manager.c rename to src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c index b950e3119b..b4f131b5dd 100644 --- a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c +++ b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.c @@ -1,6 +1,5 @@ /* - * Copyright (C) 2006 Mike McCauley - * Copyright (C) 2010-2011 Andreas Steffen + * Copyright (C) 2010-2013 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -19,7 +18,6 @@ #include "tnc_imv_recommendations.h" #include -#include #include #include @@ -28,7 +26,6 @@ #include #include -#include #include #include #include 
@@ -247,61 +244,6 @@ METHOD(imv_manager_t, create_recommendations, recommendations_t*, return tnc_imv_recommendations_create(this->imvs); } -METHOD(imv_manager_t, enforce_recommendation, bool, - private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec, - TNC_IMV_Evaluation_Result eval) -{ - char *group; - identification_t *id; - ike_sa_t *ike_sa; - auth_cfg_t *auth; - bool no_access = FALSE; - - DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'", - TNC_IMV_Action_Recommendation_names, rec, - TNC_IMV_Evaluation_Result_names, eval); - - switch (rec) - { - case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: - group = "allow"; - break; - case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: - group = "isolate"; - break; - case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: - case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: - default: - group = "no access"; - no_access = TRUE; - break; - } - - ike_sa = charon->bus->get_sa(charon->bus); - if (!ike_sa) - { - DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA"); - return FALSE; - } - - id = ike_sa->get_other_id(ike_sa); - DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group); - - if (no_access) - { - return FALSE; - } - else - { - auth = ike_sa->get_auth_cfg(ike_sa, FALSE); - id = identification_create_from_string(group); - auth->add(auth, AUTH_RULE_GROUP, id); - DBG1(DBG_TNC, "policy enforcement point added group membership '%s'", - group); - } - return TRUE; -} - METHOD(imv_manager_t, notify_connection_change, void, private_tnc_imv_manager_t *this, TNC_ConnectionID id, @@ -503,7 +445,6 @@ imv_manager_t* tnc_imv_manager_create(void) .reserve_id = _reserve_id, .get_recommendation_policy = _get_recommendation_policy, .create_recommendations = _create_recommendations, - .enforce_recommendation = _enforce_recommendation, .notify_connection_change = _notify_connection_change, .set_message_types = _set_message_types, .set_message_types_long = _set_message_types_long, 
@@ -520,8 +461,7 @@ imv_manager_t* tnc_imv_manager_create(void) policy = enum_from_name(recommendation_policy_names, lib->settings->get_str(lib->settings, - "%s.plugins.tnc-imv.recommendation_policy", "default", - charon->name)); + "libtnccs.plugins.tnc-imv.recommendation_policy", "default")); this->policy = (policy != -1) ? policy : RECOMMENDATION_POLICY_DEFAULT; DBG1(DBG_TNC, "TNC recommendation policy is '%N'", recommendation_policy_names, this->policy); diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_manager.h similarity index 100% rename from src/libcharon/plugins/tnc_imv/tnc_imv_manager.h rename to src/libtnccs/plugins/tnc_imv/tnc_imv_manager.h diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.c similarity index 100% rename from src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c rename to src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.c diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h similarity index 100% rename from src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h rename to src/libtnccs/plugins/tnc_imv/tnc_imv_plugin.h diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.c similarity index 100% rename from src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c rename to src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.c diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h similarity index 100% rename from src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h rename to src/libtnccs/plugins/tnc_imv/tnc_imv_recommendations.h diff --git a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c index 60f6bc3c18..b8683f78c4 100644 --- a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c 
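Review bot: The settings key moves from `charon.plugins.tnc-imv.recommendation_policy` to `libtnccs.plugins.tnc-imv.recommendation_policy` with no fallback, so an existing strongswan.conf that still sets the old key silently gets `"default"` and `RECOMMENDATION_POLICY_DEFAULT` after upgrade; since this policy decides how IMV results are combined into the access recommendation, a silent change here can relax enforcement without any log line. The man page hunk in this commit documents only the moved `dlclose` key, so at minimum `recommendation_policy` (and the other `charon.plugins.tnc-imv.*` → `libtnccs.plugins.tnc-imv.*` moves) should be called out in the man page and NEWS; if the daemon namespace is still reachable from libtnccs at this point in the tree, a one-release lookup of the old key with a DBG1 deprecation warning would be safer. `tnc_imv_manager_create` starts and ends outside this hunk.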
+++ b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c @@ -169,8 +169,8 @@ METHOD(tnccs_manager_t, remove_method, void, METHOD(tnccs_manager_t, create_instance, tnccs_t*, private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server, - identification_t *server, identification_t *peer, - tnc_ift_type_t transport) + identification_t *server, identification_t *peer, tnc_ift_type_t transport, + tnccs_cb_t cb) { enumerator_t *enumerator; tnccs_entry_t *entry; @@ -182,7 +182,7 @@ METHOD(tnccs_manager_t, create_instance, tnccs_t*, { if (type == entry->type) { - protocol = entry->constructor(is_server, server, peer, transport); + protocol = entry->constructor(is_server, server, peer, transport, cb); if (protocol) { break; diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.c b/src/libtnccs/plugins/tnccs_11/tnccs_11.c index b19a048fed..7155861672 100644 --- a/src/libtnccs/plugins/tnccs_11/tnccs_11.c +++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.c @@ -121,6 +121,11 @@ struct private_tnccs_11_t { */ recommendations_t *recs; + /** + * Callback function to communicate recommendation (TNC Server only) + */ + tnccs_cb_t callback; + }; METHOD(tnccs_t, send_msg, TNC_Result, @@ -540,7 +545,7 @@ METHOD(tls_t, is_complete, bool, if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval)) { - return tnc->imvs->enforce_recommendation(tnc->imvs, rec, eval); + return this->callback ? this->callback(rec, eval) : TRUE; } else { @@ -594,9 +599,8 @@ METHOD(tnccs_t, set_auth_type, void, * See header */ tnccs_t* tnccs_11_create(bool is_server, - identification_t *server, - identification_t *peer, - tnc_ift_type_t transport) + identification_t *server, identification_t *peer, + tnc_ift_type_t transport, tnccs_cb_t cb) { private_tnccs_11_t *this; 
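Review bot: In `is_complete` the new `return this->callback ? this->callback(rec, eval) : TRUE;` makes a server-side TNCCS 1.1 instance created without a callback report completion for every recommendation, including NO_ACCESS and NO_RECOMMENDATION, whereas the replaced `tnc->imvs->enforce_recommendation()` returned FALSE for those; in the EAP-TNC path a TRUE here is what lets the authentication succeed, so the NULL-callback default fails open. A default that mirrors the removed contract would be `return this->callback ? this->callback(rec, eval) : (rec == TNC_IMV_ACTION_RECOMMENDATION_ALLOW || rec == TNC_IMV_ACTION_RECOMMENDATION_ISOLATE);`, or the NULL case should be documented as advisory-only. The callers in this diff all pass a callback on the server side, so this is about the default rather than a current caller.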
@@ -622,6 +626,7 @@ tnccs_t* tnccs_11_create(bool is_server, .server = server->clone(server), .peer = peer->clone(peer), .transport = transport, + .callback = cb, .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .max_msg_len = lib->settings->get_int(lib->settings, "libtnccs.plugins.tnccs-11.max_message_size", 45000), diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.h b/src/libtnccs/plugins/tnccs_11/tnccs_11.h index 531ebb6110..e805df8bb2 100644 --- a/src/libtnccs/plugins/tnccs_11/tnccs_11.h +++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.h @@ -32,11 +32,11 @@ * @param server Server identity * @param peer Client identity * @param transport Underlying IF-T transport protocol + * @param cb Callback function if TNC Server, NULL if TNC Client * @return TNC_IF_TNCCS 1.1 protocol stack */ tnccs_t* tnccs_11_create(bool is_server, - identification_t *server, - identification_t *peer, - tnc_ift_type_t transport); + identification_t *server, identification_t *peer, + tnc_ift_type_t transport, tnccs_cb_t cb); #endif /** TNCCS_11_H_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.c b/src/libtnccs/plugins/tnccs_20/tnccs_20.c index 09900ade96..e5117e8295 100644 --- a/src/libtnccs/plugins/tnccs_20/tnccs_20.c +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.c @@ -131,6 +131,16 @@ struct private_tnccs_20_t { */ recommendations_t *recs; + /** + * Callback function to communicate recommendation (TNC Server only) + */ + tnccs_cb_t callback; + + /** + * Data to pass to callback function (TNC Server only) + */ + void *cb_data; + }; /** @@ -844,7 +854,7 @@ METHOD(tls_t, is_complete, bool, if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval)) { - return tnc->imvs->enforce_recommendation(tnc->imvs, rec, eval); + return this->callback ? this->callback(rec, eval) : TRUE; } else { 
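Review bot: The new `void *cb_data;` member in `private_tnccs_20_t` is never initialised — `tnccs_20_create` sets only `.callback = cb` — and `tnccs_cb_t` takes no user-data argument, so it is dead state; either remove it or give the typedef a `void *data` parameter and thread it through `tnccs_constructor_t` and `create_instance()`. The latter would also let the EAP-TNC callback receive its IKE_SA directly instead of relying on `charon->bus->get_sa()` resolving to the right SA. `tnccs_11` and `tnccs_dynamic` in this same commit add only `callback`, so the two implementations should at least agree.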
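Review bot: `is_complete` in tnccs_20 now returns TRUE when a recommendation exists but `this->callback` is NULL, so a server instance created without a callback completes the PB-TNC exchange successfully even on NO_ACCESS; the replaced `enforce_recommendation()` call returned FALSE in that case. Unless the NULL-callback server is meant to be advisory-only (and documented as such in `tnccs.h`), default to the old semantics: `return this->callback ? this->callback(rec, eval) : (rec == TNC_IMV_ACTION_RECOMMENDATION_ALLOW || rec == TNC_IMV_ACTION_RECOMMENDATION_ISOLATE);`. `is_complete` begins and ends outside this hunk.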
@@ -900,9 +910,8 @@ METHOD(tnccs_t, set_auth_type, void, * See header */ tnccs_t* tnccs_20_create(bool is_server, - identification_t *server, - identification_t *peer, - tnc_ift_type_t transport) + identification_t *server, identification_t *peer, + tnc_ift_type_t transport, tnccs_cb_t cb) { private_tnccs_20_t *this; @@ -928,6 +937,7 @@ tnccs_t* tnccs_20_create(bool is_server, .server = server->clone(server), .peer = peer->clone(peer), .transport = transport, + .callback = cb, .state_machine = pb_tnc_state_machine_create(is_server), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), .messages = linked_list_create(), diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.h b/src/libtnccs/plugins/tnccs_20/tnccs_20.h index 3149350691..2857b1408c 100644 --- a/src/libtnccs/plugins/tnccs_20/tnccs_20.h +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.h @@ -32,11 +32,11 @@ * @param server Server identity * @param peer Client identity * @param transport Underlying IF-T transport protocol + * @param cb Callback function if TNC Server, NULL if TNC Client * @return TNC_IF_TNCCS 2.0 protocol stack */ tnccs_t* tnccs_20_create(bool is_server, - identification_t *server, - identification_t *peer, - tnc_ift_type_t transport); + identification_t *server, identification_t *peer, + tnc_ift_type_t transport, tnccs_cb_t cb); #endif /** TNCCS_20_H_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c index d4fc6a6f71..bc31126862 100644 --- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c +++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c @@ -56,6 +56,11 @@ struct private_tnccs_dynamic_t { */ u_int32_t auth_type; + /** + * Callback function to communicate recommendation (TNC Server only) + */ + tnccs_cb_t callback; + }; /** 
@@ -99,7 +104,8 @@ METHOD(tls_t, process, status_t, DBG1(DBG_TNC, "%N protocol detected dynamically", tnccs_type_names, type); tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE, - this->server, this->peer, this->transport); + this->server, this->peer, this->transport, + this->callback); if (!tnccs) { DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type); @@ -190,9 +196,8 @@ METHOD(tnccs_t, set_auth_type, void, * See header */ tnccs_t* tnccs_dynamic_create(bool is_server, - identification_t *server, - identification_t *peer, - tnc_ift_type_t transport) + identification_t *server, identification_t *peer, + tnc_ift_type_t transport, tnccs_cb_t cb) { private_tnccs_dynamic_t *this; @@ -217,6 +222,7 @@ tnccs_t* tnccs_dynamic_create(bool is_server, .server = server->clone(server), .peer = peer->clone(peer), .transport = transport, + .callback = cb, ); return &this->public; diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h index e4cff74b84..cbdc80b836 100644 --- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h +++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h @@ -32,11 +32,11 @@ * @param server Server identity * @param peer Client identity * @param transport Underlying IF-T transport protocol + * @param cb Callback function if TNC Server, NULL if TNC Client * @return dynamic TNC IF-TNCCS protocol stack */ tnccs_t* tnccs_dynamic_create(bool is_server, - identification_t *server, - identification_t *peer, - tnc_ift_type_t transport); + identification_t *server, identification_t *peer, + tnc_ift_type_t transport, tnccs_cb_t cb); #endif /** TNCCS_DYNAMIC_H_ @}*/ diff --git a/src/libtnccs/tnc/imv/imv_manager.h b/src/libtnccs/tnc/imv/imv_manager.h index 7772b7e08b..b72eb8bf77 100644 --- a/src/libtnccs/tnc/imv/imv_manager.h +++ b/src/libtnccs/tnc/imv/imv_manager.h 
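Review bot: The unchanged context line right after the new `create_instance()` call has its format string reversed — `DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);` — so strongSwan's printf hook sees `% p` instead of `%N` and the enum-name table plus `type` are not printed as intended; it is pre-existing, but this hunk is the natural place to fix it to `DBG1(DBG_TNC, "%N protocol not supported", tnccs_type_names, type);`. Forwarding `this->callback` into the detected protocol looks right since the dynamic wrapper is always created as server (`TRUE`). `process` starts and ends outside this hunk.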
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010-2013 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -113,18 +113,6 @@ struct imv_manager_t { */ recommendations_t* (*create_recommendations)(imv_manager_t *this); - /** - * Enforce the TNC recommendation on the IKE_SA by either inserting an - * allow|isolate group membership rule (TRUE) or by blocking access (FALSE) - * - * @param rec TNC action recommendation - * @param eval TNC evaluation result - * @return TRUE for allow|isolate, FALSE for none - */ - bool (*enforce_recommendation)(imv_manager_t *this, - TNC_IMV_Action_Recommendation rec, - TNC_IMV_Evaluation_Result eval); - /** * Notify all IMV instances * diff --git a/src/libtnccs/tnc/tnccs/tnccs.h b/src/libtnccs/tnc/tnccs/tnccs.h index fd3e5cabbf..b1ac0906cf 100644 --- a/src/libtnccs/tnc/tnccs/tnccs.h +++ b/src/libtnccs/tnc/tnccs/tnccs.h @@ -37,6 +37,17 @@ typedef enum tnc_ift_type_t tnc_ift_type_t; #include +/** + * Callback function to communicate action recommendation and evaluation result + * generated by TNC server + * + * @param rec TNC Action Recommendation + * @param eval TNC Evaluation Result + * @return TRUE to terminate TNCCS connection, FALSE to keep it + */ +typedef bool (*tnccs_cb_t)(TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval); + /** * Type of TNC Client/Server protocol */ @@ -112,12 +123,14 @@ struct tnccs_t { * @param server Server identity * @param peer Client identity * @param transport Underlying TNC IF-T transport protocol used + * @param cb Callback function if TNC Server, NULL if TNC Client * @return implementation of the tnccs_t interface */ typedef tnccs_t *(*tnccs_constructor_t)(bool is_server, identification_t *server, identification_t *peer, - tnc_ift_type_t transport); + tnc_ift_type_t transport, + tnccs_cb_t cb); /** * Callback function adding a message to a TNCCS batch 
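Review bot: The `tnccs_cb_t` comment says `@return TRUE to terminate TNCCS connection, FALSE to keep it`, which is the opposite of how the value is used: `tnccs_11`/`tnccs_20` return it straight from `is_complete()`, and the EAP-TNC callback in this commit returns FALSE for NO_ACCESS and TRUE for allow/isolate, matching the removed `imv_manager_t.enforce_recommendation` doc ("TRUE for allow|isolate, FALSE for none"). Suggested wording: ` * @return TRUE if access is granted (allow/isolate) and the TNCCS connection may complete, FALSE to reject it`. It would also help to state here that a NULL callback on the server side currently results in `is_complete()` returning TRUE for any recommendation.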
diff --git a/src/libtnccs/tnc/tnccs/tnccs_manager.h b/src/libtnccs/tnc/tnccs/tnccs_manager.h index 4ab9d7e188..791336ee10 100644 --- a/src/libtnccs/tnc/tnccs/tnccs_manager.h +++ b/src/libtnccs/tnc/tnccs/tnccs_manager.h @@ -59,12 +59,13 @@ struct tnccs_manager_t { * @param server Server identity * @param peer Client identity * @param transport Underlying TNC IF-T transport protocol used + * @param cb Callback function if TNC Server, NULL if TNC Client * @return TNCCS protocol instance, NULL if no constructor found */ tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type, bool is_server, identification_t *server, identification_t *peer, - tnc_ift_type_t transport); + tnc_ift_type_t transport, tnccs_cb_t cb); /** * Create a TNCCS connection and assign a unique connection ID as well a diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c index 2b104f8d55..09b42b6fee 100644 --- a/src/pt-tls-client/pt-tls-client.c +++ b/src/pt-tls-client/pt-tls-client.c @@ -59,7 +59,7 @@ static int client(char *address, u_int16_t port, char *identity) server = identification_create_from_string(address); client = identification_create_from_string(identity); tnccs = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, FALSE, - server, client, TNC_IFT_TLS_2_0); + server, client, TNC_IFT_TLS_2_0, NULL); if (!tnccs) { fprintf(stderr, "loading TNCCS failed: %s\n", PLUGINS);