authorRené Mayrhofer <rene@mayrhofer.eu.org>2011-05-19 13:41:58 +0200
committerRené Mayrhofer <rene@mayrhofer.eu.org>2011-05-19 13:41:58 +0200
commitb590992f735393c97489fce191e7810eaae4f6d7 (patch)
tree286595c4aa43dbf3d616d816e5fade6ac364771a /src/libcharon/plugins/tnc_imv
parent2fce29055b7b5bc2860d503d1ae822931f80b7aa (diff)
parent0a9d51a49042a68daa15b0c74a2b7f152f52606b (diff)
Merge upstream version 4.5.2
Diffstat (limited to 'src/libcharon/plugins/tnc_imv')
-rw-r--r--src/libcharon/plugins/tnc_imv/Makefile.am13
-rw-r--r--src/libcharon/plugins/tnc_imv/Makefile.in32
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv.c35
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c36
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv_manager.c70
-rw-r--r--src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c35
6 files changed, 147 insertions, 74 deletions
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libcharon/plugins/tnc_imv/Makefile.am
index 13e8076cd..3ba283bb7 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.am
+++ b/src/libcharon/plugins/tnc_imv/Makefile.am
@@ -1,18 +1,9 @@
INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-<<<<<<< HEAD
- -I$(top_srcdir)/src/libcharon `xml2-config --cflags`
-
-AM_CFLAGS = -rdynamic
-
-libstrongswan_tnc_imv_la_LIBADD = -ltnc
-
-=======
-I$(top_srcdir)/src/libcharon
AM_CFLAGS = -rdynamic
->>>>>>> upstream/4.5.1
if MONOLITHIC
noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
else
@@ -20,13 +11,9 @@ plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
endif
libstrongswan_tnc_imv_la_SOURCES = \
-<<<<<<< HEAD
- tnc_imv_plugin.h tnc_imv_plugin.c
-=======
tnc_imv_plugin.h tnc_imv_plugin.c tnc_imv.h tnc_imv.c \
tnc_imv_manager.h tnc_imv_manager.c tnc_imv_bind_function.c \
tnc_imv_recommendations.h tnc_imv_recommendations.c
->>>>>>> upstream/4.5.1
libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in
index 10190313b..fb96150f4 100644
--- a/src/libcharon/plugins/tnc_imv/Makefile.in
+++ b/src/libcharon/plugins/tnc_imv/Makefile.in
@@ -74,15 +74,10 @@ am__base_list = \
sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__installdirs = "$(DESTDIR)$(plugindir)"
LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES)
-<<<<<<< HEAD
-libstrongswan_tnc_imv_la_DEPENDENCIES =
-am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo
-=======
libstrongswan_tnc_imv_la_LIBADD =
am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo tnc_imv.lo \
tnc_imv_manager.lo tnc_imv_bind_function.lo \
tnc_imv_recommendations.lo
->>>>>>> upstream/4.5.1
libstrongswan_tnc_imv_la_OBJECTS = \
$(am_libstrongswan_tnc_imv_la_OBJECTS)
libstrongswan_tnc_imv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -228,13 +223,7 @@ includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
-<<<<<<< HEAD
-ipsecgid = @ipsecgid@
ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
-=======
-ipsecgroup = @ipsecgroup@
->>>>>>> upstream/4.5.1
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -255,6 +244,8 @@ nm_ca_dir = @nm_ca_dir@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
p_plugins = @p_plugins@
+pcsclite_CFLAGS = @pcsclite_CFLAGS@
+pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
piddir = @piddir@
pki_plugins = @pki_plugins@
@@ -273,14 +264,12 @@ sbindir = @sbindir@
scepclient_plugins = @scepclient_plugins@
scripts_plugins = @scripts_plugins@
sharedstatedir = @sharedstatedir@
-<<<<<<< HEAD
-=======
soup_CFLAGS = @soup_CFLAGS@
soup_LIBS = @soup_LIBS@
->>>>>>> upstream/4.5.1
srcdir = @srcdir@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
+systemdsystemunitdir = @systemdsystemunitdir@
target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
@@ -289,16 +278,6 @@ urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
-<<<<<<< HEAD
- -I$(top_srcdir)/src/libcharon `xml2-config --cflags`
-
-AM_CFLAGS = -rdynamic
-libstrongswan_tnc_imv_la_LIBADD = -ltnc
-@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
-@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
-libstrongswan_tnc_imv_la_SOURCES = \
- tnc_imv_plugin.h tnc_imv_plugin.c
-=======
-I$(top_srcdir)/src/libcharon
AM_CFLAGS = -rdynamic
@@ -308,7 +287,6 @@ libstrongswan_tnc_imv_la_SOURCES = \
tnc_imv_plugin.h tnc_imv_plugin.c tnc_imv.h tnc_imv.c \
tnc_imv_manager.h tnc_imv_manager.c tnc_imv_bind_function.c \
tnc_imv_recommendations.h tnc_imv_recommendations.c
->>>>>>> upstream/4.5.1
libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
all: all-am
@@ -394,15 +372,11 @@ mostlyclean-compile:
distclean-compile:
-rm -f *.tab.c
-<<<<<<< HEAD
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_plugin.Plo@am__quote@
-=======
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_bind_function.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_manager.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_plugin.Plo@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_recommendations.Plo@am__quote@
->>>>>>> upstream/4.5.1
.c.o:
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.c b/src/libcharon/plugins/tnc_imv/tnc_imv.c
index f88b645d6..fe628ee7e 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv.c
@@ -19,6 +19,7 @@
#include <debug.h>
#include <library.h>
+#include <threading/mutex.h>
typedef struct private_tnc_imv_t private_tnc_imv_t;
@@ -61,6 +62,11 @@ struct private_tnc_imv_t {
* Number of supported message types
*/
TNC_UInt32 type_count;
+
+ /**
+ * mutex to lock the imv_t object
+ */
+ mutex_t *mutex;
};
METHOD(imv_t, set_id, void,
@@ -85,6 +91,14 @@ METHOD(imv_t, set_message_types, void,
private_tnc_imv_t *this, TNC_MessageTypeList supported_types,
TNC_UInt32 type_count)
{
+ char buf[512];
+ char *pos = buf;
+ int len = sizeof(buf);
+ int written;
+
+ /* lock the imv_t instance */
+ this->mutex->lock(this->mutex);
+
/* Free an existing MessageType list */
free(this->supported_types);
this->supported_types = NULL;
@@ -95,10 +109,27 @@ METHOD(imv_t, set_message_types, void,
{
size_t size = type_count * sizeof(TNC_MessageType);
+ int i;
+
+ for (i = 0; i < type_count; i++)
+ {
+ written = snprintf(pos, len, " 0x%08x", supported_types[i]);
+ if (written >= len)
+ {
+ break;
+ }
+ pos += written;
+ len -= written;
+ }
this->supported_types = malloc(size);
memcpy(this->supported_types, supported_types, size);
}
- DBG2(DBG_TNC, "IMV %u supports %u message types", this->id, type_count);
+ *pos = '\0';
+ DBG2(DBG_TNC, "IMV %u supports %u message types:%s",
+ this->id, type_count, buf);
+
+ /* lock the imv_t instance */
+ this->mutex->unlock(this->mutex);
}
METHOD(imv_t, type_supported, bool,
@@ -132,6 +163,7 @@ METHOD(imv_t, destroy, void,
private_tnc_imv_t *this)
{
dlclose(this->handle);
+ this->mutex->destroy(this->mutex);
free(this->supported_types);
free(this->name);
free(this->path);
@@ -156,6 +188,7 @@ imv_t* tnc_imv_create(char *name, char *path)
},
.name = name,
.path = path,
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
);
this->handle = dlopen(path, RTLD_LAZY);
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
index 0ea52f08e..0ed00b001 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
@@ -28,6 +28,12 @@ TNC_Result TNC_TNCS_ReportMessageTypes(TNC_IMVID imv_id,
TNC_MessageTypeList supported_types,
TNC_UInt32 type_count)
{
+ if (!charon->imvs->is_registered(charon->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring ReportMessageTypes() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->imvs->set_message_types(charon->imvs, imv_id,
supported_types, type_count);
}
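Review bot: The same five-line "is this IMV registered" guard is pasted into all six TNCS bind functions in this file with only the function name in the log string differing, which invites the copies drifting apart; a single file-scope helper taking the caller name keeps the check and the log message in one place. The guard correctly returns `TNC_RESULT_INVALID_PARAMETER` for an unknown ID, but note it only proves the ID exists, not that the calling IMV owns it — an in-process IMV can still pass another IMV's ID, which is inherent to the dlopen-based IF-IMV model and worth a comment on the helper. The signature of TNC_TNCS_ReportMessageTypes is outside the hunk.
```c
/* Reject calls carrying an IMV ID the manager never handed out.
 * Only proves the ID is registered, not that the caller owns it. */
static bool imv_registered(TNC_IMVID imv_id, char *func)
{
	if (!charon->imvs->is_registered(charon->imvs, imv_id))
	{
		DBG1(DBG_TNC, "ignoring %s() from unregistered IMV %u", func, imv_id);
		return FALSE;
	}
	return TRUE;
}

	/* in TNC_TNCS_ReportMessageTypes */
	if (!imv_registered(imv_id, "ReportMessageTypes"))
	{
		return TNC_RESULT_INVALID_PARAMETER;
	}
	/* … unchanged: forward to charon->imvs->set_message_types … */
```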
@@ -39,6 +45,12 @@ TNC_Result TNC_TNCS_RequestHandshakeRetry(TNC_IMVID imv_id,
TNC_ConnectionID connection_id,
TNC_RetryReason reason)
{
+ if (!charon->imvs->is_registered(charon->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring RequestHandshakeRetry() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->tnccs->request_handshake_retry(charon->tnccs, FALSE, imv_id,
connection_id, reason);
}
@@ -52,6 +64,12 @@ TNC_Result TNC_TNCS_SendMessage(TNC_IMVID imv_id,
TNC_UInt32 msg_len,
TNC_MessageType msg_type)
{
+ if (!charon->imvs->is_registered(charon->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring SendMessage() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->tnccs->send_message(charon->tnccs, TNC_IMCID_ANY, imv_id,
connection_id, msg, msg_len, msg_type);
}
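Review bot: The new guard in TNC_TNCS_SendMessage validates only `imv_id`; `msg` and `msg_len` are forwarded as-is, and whether `charon->tnccs->send_message` rejects a NULL buffer with a non-zero length is not visible here. If it does not, a cheap local check such as `if (msg_len && !msg) return TNC_RESULT_INVALID_PARAMETER;` next to the registration test would keep a buggy IMV from handing a bad pointer to the TNCCS layer. `connection_id` is likewise passed through unchecked, presumably validated downstream. The function's signature lies outside the hunk.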
@@ -65,6 +83,12 @@ TNC_Result TNC_TNCS_ProvideRecommendation(TNC_IMVID imv_id,
TNC_IMV_Action_Recommendation recommendation,
TNC_IMV_Evaluation_Result evaluation)
{
+ if (!charon->imvs->is_registered(charon->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring ProvideRecommendation() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->tnccs->provide_recommendation(charon->tnccs, imv_id,
connection_id, recommendation, evaluation);
}
@@ -80,6 +104,12 @@ TNC_Result TNC_TNCS_GetAttribute(TNC_IMVID imv_id,
TNC_BufferReference buffer,
TNC_UInt32 *out_value_len)
{
+ if (!charon->imvs->is_registered(charon->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring GetAttribute() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->tnccs->get_attribute(charon->tnccs, imv_id, connection_id,
attribute_id, buffer_len, buffer, out_value_len);
}
@@ -94,6 +124,12 @@ TNC_Result TNC_TNCS_SetAttribute(TNC_IMVID imv_id,
TNC_UInt32 buffer_len,
TNC_BufferReference buffer)
{
+ if (!charon->imvs->is_registered(charon->imvs, imv_id))
+ {
+ DBG1(DBG_TNC, "ignoring SetAttribute() from unregistered IMV %u",
+ imv_id);
+ return TNC_RESULT_INVALID_PARAMETER;
+ }
return charon->tnccs->set_attribute(charon->tnccs, imv_id, connection_id,
attribute_id, buffer_len, buffer);
}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
index 559de86d0..579ab06ff 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
@@ -84,7 +84,7 @@ METHOD(imv_manager_t, remove_, imv_t*,
private_tnc_imv_manager_t *this, TNC_IMVID id)
{
enumerator_t *enumerator;
- imv_t *imv;
+ imv_t *imv, *removed_imv = NULL;
enumerator = this->imvs->create_enumerator(this->imvs);
while (enumerator->enumerate(enumerator, &imv))
@@ -92,11 +92,34 @@ METHOD(imv_manager_t, remove_, imv_t*,
if (id == imv->get_id(imv))
{
this->imvs->remove_at(this->imvs, enumerator);
- return imv;
+ removed_imv = imv;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return removed_imv;
+}
+
+METHOD(imv_manager_t, is_registered, bool,
+ private_tnc_imv_manager_t *this, TNC_IMVID id)
+{
+ enumerator_t *enumerator;
+ imv_t *imv;
+ bool found = FALSE;
+
+ enumerator = this->imvs->create_enumerator(this->imvs);
+ while (enumerator->enumerate(enumerator, &imv))
+ {
+ if (id == imv->get_id(imv))
+ {
+ found = TRUE;
+ break;
}
}
enumerator->destroy(enumerator);
- return NULL;
+
+ return found;
}
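Review bot: is_registered walks `this->imvs` with no locking visible in this hunk, and its callers in tnc_imv_bind_function.c act on the result after the enumerator is destroyed, so the check is check-then-use by construction; this is safe only if the IMV list is not modified after the plugin has finished loading, which should be stated in a comment such as `/* imvs is only mutated during plugin load/unload, so no lock is taken here */` or backed by a lock if that assumption does not hold. The lookup loop is now duplicated between remove_ and is_registered; a small static `find_imv(this, id)` returning the matching `imv_t*` (or NULL) would let both methods share it. The fix that destroys the enumerator on the found path in remove_ is correct and closes a leak the old early `return imv` had.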
METHOD(imv_manager_t, get_recommendation_policy, recommendation_policy_t,
@@ -112,36 +135,56 @@ METHOD(imv_manager_t, create_recommendations, recommendations_t*,
}
METHOD(imv_manager_t, enforce_recommendation, bool,
- private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec)
+ private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec,
+ TNC_IMV_Evaluation_Result eval)
{
char *group;
identification_t *id;
ike_sa_t *ike_sa;
auth_cfg_t *auth;
+ bool no_access = FALSE;
+
+ DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
+ TNC_IMV_Action_Recommendation_names, rec,
+ TNC_IMV_Evaluation_Result_names, eval);
switch (rec)
{
case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
- DBG1(DBG_TNC, "TNC recommendation is allow");
group = "allow";
break;
case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
- DBG1(DBG_TNC, "TNC recommendation is isolate");
group = "isolate";
break;
case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
default:
- DBG1(DBG_TNC, "TNC recommendation is none");
- return FALSE;
+ group = "no access";
+ no_access = TRUE;
+ break;
}
+
ike_sa = charon->bus->get_sa(charon->bus);
- if (ike_sa)
+ if (!ike_sa)
+ {
+ DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA");
+ return FALSE;
+ }
+
+ id = ike_sa->get_other_id(ike_sa);
+ DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group);
+
+ if (no_access)
{
+ return FALSE;
+ }
+ else
+ {
auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
id = identification_create_from_string(group);
auth->add(auth, AUTH_RULE_GROUP, id);
- DBG1(DBG_TNC, "TNC added group membership '%s'", group);
+ DBG1(DBG_TNC, "policy enforcement point added group membership '%s'",
+ group);
}
return TRUE;
}
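Review bot: `id` is reused for two unrelated things in enforce_recommendation: first the peer identity borrowed from `ike_sa->get_other_id()` for logging, then the freshly created group identity handed to `auth->add()`; splitting them into `identification_t *peer_id, *group_id;` makes the differing ownership obvious to the next reader. The `default:` arm folding unknown recommendation values into "no access" is the right fail-closed choice and deserves a one-line comment saying so. `eval` is only used in the DBG1 line, so a short note that it is informational would stop someone looking for an evaluation-based branch.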
@@ -208,6 +251,7 @@ METHOD(imv_manager_t, receive_message, void,
TNC_UInt32 message_len,
TNC_MessageType message_type)
{
+ bool type_supported = FALSE;
enumerator_t *enumerator;
imv_t *imv;
@@ -216,11 +260,16 @@ METHOD(imv_manager_t, receive_message, void,
{
if (imv->receive_message && imv->type_supported(imv, message_type))
{
+ type_supported = TRUE;
imv->receive_message(imv->get_id(imv), connection_id,
message, message_len, message_type);
}
}
enumerator->destroy(enumerator);
+ if (!type_supported)
+ {
+ DBG2(DBG_TNC, "message type 0x%08x not supported by any IMV", message_type);
+ }
}
METHOD(imv_manager_t, batch_ending, void,
@@ -271,6 +320,7 @@ imv_manager_t* tnc_imv_manager_create(void)
.public = {
.add = _add,
.remove = _remove_, /* avoid name conflict with stdio.h */
+ .is_registered = _is_registered,
.get_recommendation_policy = _get_recommendation_policy,
.create_recommendations = _create_recommendations,
.enforce_recommendation = _enforce_recommendation,
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
index 24fde3797..45cf95c1b 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
@@ -14,12 +14,6 @@
*/
#include "tnc_imv_plugin.h"
-<<<<<<< HEAD
-
-#include <libtnctncs.h>
-
-#include <daemon.h>
-=======
#include "tnc_imv_manager.h"
#include "tnc_imv.h"
@@ -136,6 +130,12 @@ static bool load_imvs(char *filename)
}
if (!charon->imvs->add(charon->imvs, imv))
{
+ if (imv->terminate &&
+ imv->terminate(imv->get_id(imv)) != TNC_RESULT_SUCCESS)
+ {
+ DBG1(DBG_TNC, "IMV \"%s\" not terminated successfully",
+ imv->get_name(imv));
+ }
imv->destroy(imv);
return FALSE;
}
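Review bot: The extended failure path in load_imvs now terminates and destroys the IMV but still `return FALSE`s without closing `fd`, which the success path closes a few lines later; if `fd` is open at this point, as the later `close(fd)` suggests, the error path leaks it and should close it before returning (or jump to a shared cleanup). Whether `imv->initialize` has already been called on this IMV when `add` fails is not visible here; `terminate` should only be invoked for an initialized IMV, so a comment documenting that ordering would help. The function starts outside the hunk.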
@@ -146,16 +146,17 @@ static bool load_imvs(char *filename)
close(fd);
return TRUE;
}
->>>>>>> upstream/4.5.1
+
+METHOD(plugin_t, get_name, char*,
+ tnc_imv_plugin_t *this)
+{
+ return "tnc-imv";
+}
METHOD(plugin_t, destroy, void,
tnc_imv_plugin_t *this)
{
-<<<<<<< HEAD
- libtnc_tncs_Terminate();
-=======
charon->imvs->destroy(charon->imvs);
->>>>>>> upstream/4.5.1
free(this);
}
@@ -169,21 +170,14 @@ plugin_t *tnc_imv_plugin_create()
INIT(this,
.plugin = {
+ .get_name = _get_name,
+ .reload = (void*)return_false,
.destroy = _destroy,
},
);
tnc_config = lib->settings->get_str(lib->settings,
"charon.plugins.tnc-imv.tnc_config", "/etc/tnc_config");
-<<<<<<< HEAD
- if (libtnc_tncs_Initialize(tnc_config) != TNC_RESULT_SUCCESS)
- {
- free(this);
- DBG1(DBG_TNC, "TNC IMV initialization failed");
- return NULL;
- }
-
-=======
/* Create IMV manager */
charon->imvs = tnc_imv_manager_create();
@@ -196,7 +190,6 @@ plugin_t *tnc_imv_plugin_create()
free(this);
return NULL;
}
->>>>>>> upstream/4.5.1
return &this->plugin;
}