From: Andreas Steffen <andreas.steffen@strongswan.org>
Date: Fri, 10 Dec 2010 16:04:11 +0000 (+0100)
Subject: do not accept results and recommendation messages from clients
X-Git-Tag: 4.5.1~392
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=af1e3ff567c496f026e2fb31a3bce9af0e5d4363;p=thirdparty%2Fstrongswan.git

do not accept results and recommendation messages from clients
---

diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
index 8e4c54ef42..8619d2ebc9 100644
--- a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
+++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c
@@ -382,7 +382,7 @@ static status_t process_tnc_message(private_pb_tnc_batch_t *this)
 			DBG1(DBG_TNC, "ignore PB-TNC Message with Vendor ID 0x%06x "
 						  " and type 0x%08x", vendor_id, msg_type);
 			this->offset += msg_len;
-			return INVALID_STATE;
+			return SUCCESS;
 		}
 	}
 
@@ -391,10 +391,23 @@ static status_t process_tnc_message(private_pb_tnc_batch_t *this)
 		 msg_type == PB_MSG_REMEDIATION_PARAMETERS) &&
 		 this->type != PB_BATCH_RESULT)
 	{
-		DBG1(DBG_TNC,"ignore %N Message not received within RESULT batch",
-					  pb_tnc_msg_type_names, msg_type);
-		this->offset += msg_len;
-		return INVALID_STATE;
+		if (this->is_server)
+		{
+			DBG1(DBG_TNC,"reject %N Message received from a PB-TNC Client",
+						  pb_tnc_msg_type_names, msg_type);
+			msg = pb_error_message_create(TRUE, IETF_VENDOR_ID,
+										  PB_ERROR_INVALID_PARAMETER);
+			err_msg = (pb_error_message_t*)msg;
+			err_msg->set_offset(err_msg, this->offset);
+			goto fatal;
+		}
+		else
+		{
+			DBG1(DBG_TNC,"ignore %N Message not received within RESULT batch",
+						  pb_tnc_msg_type_names, msg_type);
+			this->offset += msg_len;
+			return SUCCESS;
+		}
 	}
 
 	DBG2(DBG_TNC, "processing %N Message (%u bytes)", pb_tnc_msg_type_names,
@@ -425,7 +438,7 @@ METHOD(pb_tnc_batch_t, process, status_t,
 	status_t status;
 
 	status = process_batch_header(this, state_machine);
-	if (status == FAILED)
+	if (status != SUCCESS)
 	{
 		return FAILED;
 	}
@@ -433,13 +446,19 @@ METHOD(pb_tnc_batch_t, process, status_t,
 												this->type);
 	while (this->offset < this->encoding.len)
 	{
-		status = process_tnc_message(this);
-		if (status == FAILED)
+		switch (process_tnc_message(this))
 		{
-			return FAILED;
+			case FAILED:
+				return FAILED;
+			case VERIFY_ERROR:
+				status = VERIFY_ERROR;
+				break;
+			case SUCCESS:
+			default:
+				break;
 		}
 	}
-	return SUCCESS;
+	return status;
 }
 
 METHOD(pb_tnc_batch_t, create_msg_enumerator, enumerator_t*,