diff options
| author | Yves-Alexis Perez <corsac@debian.org> | 2013-01-02 14:18:20 +0100 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@debian.org> | 2013-01-02 14:18:20 +0100 |
| commit | c1343b3278cdf99533b7902744d15969f9d6fdc1 (patch) | |
| tree | d5ed3dc5677a59260ec41cd39bb284d3e94c91b3 /src/libcharon/plugins/tnccs_20 | |
| parent | b34738ed08c2227300d554b139e2495ca5da97d6 (diff) | |
| download | vyos-strongswan-c1343b3278cdf99533b7902744d15969f9d6fdc1.tar.gz vyos-strongswan-c1343b3278cdf99533b7902744d15969f9d6fdc1.zip | |
Imported Upstream version 5.0.1
Diffstat (limited to 'src/libcharon/plugins/tnccs_20')
15 files changed, 302 insertions, 140 deletions
diff --git a/src/libcharon/plugins/tnccs_20/Makefile.am b/src/libcharon/plugins/tnccs_20/Makefile.am index ec17e6412..da924b412 100644 --- a/src/libcharon/plugins/tnccs_20/Makefile.am +++ b/src/libcharon/plugins/tnccs_20/Makefile.am @@ -1,6 +1,8 @@ INCLUDES = \ -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libcharon \ + -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libtls \ -I$(top_srcdir)/src/libtncif \ -I$(top_srcdir)/src/libtnccs diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in index b0078f338..26d26dbd9 100644 --- a/src/libcharon/plugins/tnccs_20/Makefile.in +++ b/src/libcharon/plugins/tnccs_20/Makefile.in @@ -49,6 +49,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; @@ -92,7 +93,7 @@ libstrongswan_tnccs_20_la_LINK = $(LIBTOOL) --tag=CC \ @MONOLITHIC_FALSE@am_libstrongswan_tnccs_20_la_rpath = -rpath \ @MONOLITHIC_FALSE@ $(plugindir) @MONOLITHIC_TRUE@am_libstrongswan_tnccs_20_la_rpath = -DEFAULT_INCLUDES = -I.@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f @@ -118,6 +119,7 @@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BFDLIB = @BFDLIB@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ @@ -212,11 +214,14 @@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ clearsilver_LIBS = @clearsilver_LIBS@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ -default_pkcs11 = @default_pkcs11@ +dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ @@ -233,11 +238,12 @@ imcvdir = @imcvdir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ ipsecdir = @ipsecdir@ ipsecgroup = @ipsecgroup@ ipseclibdir = @ipseclibdir@ ipsecuser = @ipsecuser@ -libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ @@ -253,6 +259,7 @@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ p_plugins = @p_plugins@ @@ -262,7 +269,6 @@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ plugindir = @plugindir@ -pluto_plugins = @pluto_plugins@ pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ @@ -292,6 +298,8 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = \ -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libcharon \ + -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/libtls \ -I$(top_srcdir)/src/libtncif \ -I$(top_srcdir)/src/libtnccs diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c index c6a4bb599..2f932637a 100644 --- a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c +++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2010 Sansar Choinyanbuu - * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010-2012 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -96,6 +96,16 @@ struct private_pb_tnc_batch_t { pb_tnc_batch_type_t type; /** + * Current PB-TNC Batch size + */ + size_t batch_len; + + /** + * Maximum PB-TNC Batch size + */ + size_t max_batch_len; + + /** * linked list of PB-TNC messages */ linked_list_t *messages; @@ -128,42 +138,46 @@ METHOD(pb_tnc_batch_t, get_encoding, chunk_t, return this->encoding; } -METHOD(pb_tnc_batch_t, add_msg, void, +METHOD(pb_tnc_batch_t, add_msg, bool, private_pb_tnc_batch_t *this, pb_tnc_msg_t* msg) { + chunk_t msg_value; + size_t msg_len; + + msg->build(msg); + msg_value = msg->get_encoding(msg); + msg_len = PB_TNC_HEADER_SIZE + msg_value.len; + + if (this->batch_len + msg_len > this->max_batch_len) + { + /* message just does not fit into this batch */ + return FALSE; + } + this->batch_len += msg_len; + DBG2(DBG_TNC, "adding %N message", pb_tnc_msg_type_names, msg->get_type(msg)); this->messages->insert_last(this->messages, msg); + return TRUE; } METHOD(pb_tnc_batch_t, build, void, private_pb_tnc_batch_t *this) { - u_int32_t batch_len, msg_len; + u_int32_t msg_len; chunk_t msg_value; enumerator_t *enumerator; pb_tnc_msg_type_t msg_type; pb_tnc_msg_t *msg; bio_writer_t *writer; - /* compute total PB-TNC batch size by summing over all messages */ - batch_len = PB_TNC_BATCH_HEADER_SIZE; - enumerator = this->messages->create_enumerator(this->messages); - while (enumerator->enumerate(enumerator, &msg)) - { - msg->build(msg); - msg_value = msg->get_encoding(msg); - batch_len += PB_TNC_HEADER_SIZE + msg_value.len; - } - enumerator->destroy(enumerator); - /* build PB-TNC batch header */ - writer = bio_writer_create(batch_len); + writer = bio_writer_create(this->batch_len); writer->write_uint8 (writer, PB_TNC_VERSION); writer->write_uint8 (writer, this->is_server ? PB_TNC_BATCH_FLAG_D : PB_TNC_BATCH_FLAG_NONE); writer->write_uint16(writer, this->type); - writer->write_uint32(writer, batch_len); + writer->write_uint32(writer, this->batch_len); /* build PB-TNC messages */ enumerator = this->messages->create_enumerator(this->messages); @@ -221,7 +235,7 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this, /* Version */ if (version != PB_TNC_VERSION) { - DBG1(DBG_TNC, "unsupported TNCCS batch version 0x%01x", version); + DBG1(DBG_TNC, "unsupported TNCCS batch version 0x%02x", version); msg = pb_error_msg_create(TRUE, PEN_IETF, PB_ERROR_VERSION_NOT_SUPPORTED); err_msg = (pb_error_msg_t*)msg; @@ -258,6 +272,8 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this, PB_ERROR_UNEXPECTED_BATCH_TYPE); goto fatal; } + DBG1(DBG_TNC, "processing PB-TNC %N batch", pb_tnc_batch_type_names, + this->type); /* Batch Length */ if (this->encoding.len != batch_len) @@ -270,6 +286,13 @@ static status_t process_batch_header(private_pb_tnc_batch_t *this, } this->offset = PB_TNC_BATCH_HEADER_SIZE; + + /* Register an empty CDATA batch with the state machine */ + if (this->type == PB_BATCH_CDATA) + { + state_machine->set_empty_cdata(state_machine, + this->offset == this->encoding.len); + } return SUCCESS; fatal: @@ -445,8 +468,7 @@ METHOD(pb_tnc_batch_t, process, status_t, { return FAILED; } - DBG1(DBG_TNC, "processing PB-TNC %N batch", pb_tnc_batch_type_names, - this->type); + while (this->offset < this->encoding.len) { switch (process_tnc_msg(this)) @@ -490,7 +512,8 @@ METHOD(pb_tnc_batch_t, destroy, void, /** * See header */ -pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type) +pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type, + size_t max_batch_len) { private_pb_tnc_batch_t *this; @@ -507,6 +530,8 @@ pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type) }, .is_server = is_server, .type = type, + .max_batch_len = max_batch_len, + .batch_len = PB_TNC_BATCH_HEADER_SIZE, .messages = linked_list_create(), .errors = linked_list_create(), ); diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h index 17e5fff4c..60cef7735 100644 --- a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h +++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010-2012 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -33,6 +33,7 @@ typedef struct pb_tnc_batch_t pb_tnc_batch_t; * PB-TNC Batch Types as defined in section 4.1 of RFC 5793 */ enum pb_tnc_batch_type_t { + PB_BATCH_NONE = 0, /* for internal use only */ PB_BATCH_CDATA = 1, PB_BATCH_SDATA = 2, PB_BATCH_RESULT = 3, @@ -70,8 +71,9 @@ struct pb_tnc_batch_t { * Add a PB-TNC Message * * @param msg PB-TNC message to be addedd + * @return TRUE if message fit into batch and was added */ - void (*add_msg)(pb_tnc_batch_t *this, pb_tnc_msg_t* msg); + bool (*add_msg)(pb_tnc_batch_t *this, pb_tnc_msg_t* msg); /** * Build the PB-TNC Batch @@ -112,8 +114,10 @@ struct pb_tnc_batch_t { * * @param is_server TRUE if server, FALSE if client * @param type PB-TNC batch type + * @param max_batch_len maximum size the PB-TNC batch */ -pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type); +pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type, + size_t max_batch_len); /** * Create an unprocessed PB-TNC Batch from data diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c index fa3deddf6..974db4d70 100644 --- a/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c +++ b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c @@ -82,11 +82,13 @@ METHOD(pb_tnc_msg_t, build, void, { bio_writer_t *writer; - /* build message */ + if (this->encoding.ptr) + { + return; + } writer = bio_writer_create(ACCESS_RECOMMENDATION_MSG_SIZE); writer->write_uint16(writer, ACCESS_RECOMMENDATION_RESERVED); writer->write_uint16(writer, this->recommendation); - free(this->encoding.ptr); this->encoding = writer->get_buf(writer); this->encoding = chunk_clone(this->encoding); writer->destroy(writer); @@ -98,7 +100,6 @@ METHOD(pb_tnc_msg_t, process, status_t, bio_reader_t *reader; u_int16_t reserved; - /* process message */ reader = bio_reader_create(this->encoding); reader->read_uint16(reader, &reserved); reader->read_uint16(reader, &this->recommendation); diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c index 0d558c0d4..ee06575b4 100644 --- a/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c +++ b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c @@ -78,10 +78,12 @@ METHOD(pb_tnc_msg_t, build, void, { bio_writer_t *writer; - /* build message */ + if (this->encoding.ptr) + { + return; + } writer = bio_writer_create(ASSESSMENT_RESULT_MSG_SIZE); writer->write_uint32(writer, this->assessment_result); - free(this->encoding.ptr); this->encoding = writer->get_buf(writer); this->encoding = chunk_clone(this->encoding); writer->destroy(writer); @@ -92,7 +94,6 @@ METHOD(pb_tnc_msg_t, process, status_t, { bio_reader_t *reader; - /* process message */ reader = bio_reader_create(this->encoding); reader->read_uint32(reader, &this->assessment_result); reader->destroy(reader); diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c index 03e3cec92..457d3da21 100644 --- a/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c +++ b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c @@ -120,6 +120,11 @@ METHOD(pb_tnc_msg_t, build, void, { bio_writer_t *writer; + if (this->encoding.ptr) + { + return; + } + /* build message header */ writer = bio_writer_create(ERROR_HEADER_SIZE); writer->write_uint8 (writer, this->fatal ? @@ -142,8 +147,6 @@ METHOD(pb_tnc_msg_t, build, void, /* Error Offset */ writer->write_uint32(writer, this->error_offset); } - - free(this->encoding.ptr); this->encoding = writer->get_buf(writer); this->encoding = chunk_clone(this->encoding); writer->destroy(writer); diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c index 297cc8df7..46df54486 100644 --- a/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c +++ b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c @@ -75,6 +75,10 @@ METHOD(pb_tnc_msg_t, get_encoding, chunk_t, METHOD(pb_tnc_msg_t, build, void, private_pb_language_preference_msg_t *this) { + if (this->encoding.ptr) + { + return; + } this->encoding = chunk_cat("cc", chunk_create(PB_LANG_PREFIX, PB_LANG_PREFIX_LEN), this->language_preference); diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c index 1c4913e5e..bbad9bf55 100644 --- a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c +++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c @@ -68,14 +68,9 @@ struct private_pb_pa_msg_t { bool excl; /** - * PA Message Vendor ID + * Vendor-specific PA Subtype */ - u_int32_t vendor_id; - - /** - * PA Subtype - */ - u_int32_t subtype; + pen_type_t subtype; /** * Posture Validator Identifier @@ -116,17 +111,21 @@ METHOD(pb_tnc_msg_t, build, void, chunk_t msg_header; bio_writer_t *writer; + if (this->encoding.ptr) + { + return; + } + /* build message header */ writer = bio_writer_create(64); writer->write_uint8 (writer, this->excl ? PA_FLAG_EXCL : PA_FLAG_NONE); - writer->write_uint24(writer, this->vendor_id); - writer->write_uint32(writer, this->subtype); + writer->write_uint24(writer, this->subtype.vendor_id); + writer->write_uint32(writer, this->subtype.type); writer->write_uint16(writer, this->collector_id); writer->write_uint16(writer, this->validator_id); msg_header = writer->get_buf(writer); /* create encoding by concatenating message header and message body */ - free(this->encoding.ptr); this->encoding = chunk_cat("cc", msg_header, this->msg_body); writer->destroy(writer); } @@ -141,8 +140,8 @@ METHOD(pb_tnc_msg_t, process, status_t, /* process message header */ reader = bio_reader_create(this->encoding); reader->read_uint8 (reader, &flags); - reader->read_uint24(reader, &this->vendor_id); - reader->read_uint32(reader, &this->subtype); + reader->read_uint24(reader, &this->subtype.vendor_id); + reader->read_uint32(reader, &this->subtype.type); reader->read_uint16(reader, &this->collector_id); reader->read_uint16(reader, &this->validator_id); this->excl = ((flags & PA_FLAG_EXCL) != PA_FLAG_NONE); @@ -156,14 +155,14 @@ METHOD(pb_tnc_msg_t, process, status_t, } reader->destroy(reader); - if (this->vendor_id == PEN_RESERVED) + if (this->subtype.vendor_id == PEN_RESERVED) { DBG1(DBG_TNC, "Vendor ID 0x%06x is reserved", PEN_RESERVED); *offset = 1; return FAILED; } - if (this->subtype == PA_RESERVED_SUBTYPE) + if (this->subtype.type == PA_RESERVED_SUBTYPE) { DBG1(DBG_TNC, "PA Subtype 0x%08x is reserved", PA_RESERVED_SUBTYPE); *offset = 4; @@ -180,11 +179,10 @@ METHOD(pb_tnc_msg_t, destroy, void, free(this); } -METHOD(pb_pa_msg_t, get_vendor_id, u_int32_t, - private_pb_pa_msg_t *this, u_int32_t *subtype) +METHOD(pb_pa_msg_t, get_subtype, pen_type_t, + private_pb_pa_msg_t *this) { - *subtype = this->subtype; - return this->vendor_id; + return this->subtype; } METHOD(pb_pa_msg_t, get_collector_id, u_int16_t, @@ -226,7 +224,7 @@ pb_tnc_msg_t *pb_pa_msg_create_from_data(chunk_t data) .process = _process, .destroy = _destroy, }, - .get_vendor_id = _get_vendor_id, + .get_subtype = _get_subtype, .get_collector_id = _get_collector_id, .get_validator_id = _get_validator_id, .get_body = _get_body, @@ -257,15 +255,14 @@ pb_tnc_msg_t *pb_pa_msg_create(u_int32_t vendor_id, u_int32_t subtype, .process = _process, .destroy = _destroy, }, - .get_vendor_id = _get_vendor_id, + .get_subtype= _get_subtype, .get_collector_id = _get_collector_id, .get_validator_id = _get_validator_id, .get_body = _get_body, .get_exclusive_flag = _get_exclusive_flag, }, .type = PB_MSG_PA, - .vendor_id = vendor_id, - .subtype = subtype, + .subtype = { vendor_id, subtype }, .collector_id = collector_id, .validator_id = validator_id, .excl = excl, diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h index d9db9a1ce..5c9b7c0bf 100644 --- a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h +++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h @@ -25,6 +25,8 @@ typedef struct pb_pa_msg_t pb_pa_msg_t; #include "pb_tnc_msg.h" +#include <pen/pen.h> + /** * Class representing the PB-PA message type. */ @@ -38,10 +40,9 @@ struct pb_pa_msg_t { /** * Get PA Message Vendor ID and Subtype * - * @param subtype PA Subtype - * @return PA Message Vendor ID + * @return Vendor-specific PA Subtype */ - u_int32_t (*get_vendor_id)(pb_pa_msg_t *this, u_int32_t *subtype); + pen_type_t (*get_subtype)(pb_pa_msg_t *this); /** * Get Posture Collector ID diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c index 181ecf61b..511b45402 100644 --- a/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c +++ b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c @@ -83,12 +83,14 @@ METHOD(pb_tnc_msg_t, build, void, { bio_writer_t *writer; - /* build message */ + if (this->encoding.ptr) + { + return; + } writer = bio_writer_create(64); writer->write_data32(writer, this->reason_string); writer->write_data8 (writer, this->language_code); - free(this->encoding.ptr); this->encoding = writer->get_buf(writer); this->encoding = chunk_clone(this->encoding); writer->destroy(writer); @@ -99,7 +101,6 @@ METHOD(pb_tnc_msg_t, process, status_t, { bio_reader_t *reader; - /* process message */ reader = bio_reader_create(this->encoding); if (!reader->read_data32(reader, &this->reason_string)) { diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c index d213db313..c853f03a3 100644 --- a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c +++ b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c @@ -108,14 +108,16 @@ METHOD(pb_tnc_msg_t, build, void, { bio_writer_t *writer; - /* build message */ + if (this->encoding.ptr) + { + return; + } writer = bio_writer_create(64); writer->write_uint32(writer, this->vendor_id); writer->write_uint32(writer, this->parameters_type); writer->write_data32(writer, this->remediation_string); writer->write_data8 (writer, this->language_code); - free(this->encoding.ptr); this->encoding = writer->get_buf(writer); this->encoding = chunk_clone(this->encoding); writer->destroy(writer); diff --git a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c index f0cf14ac1..5e95131a8 100644 --- a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c +++ b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c @@ -71,6 +71,11 @@ struct private_pb_tnc_state_machine_t { bool is_server; /** + * Informs whether last received PB-TNC CDATA Batch was empty + */ + bool empty_cdata; + + /** * Current PB-TNC state */ pb_tnc_state_t state; @@ -265,6 +270,22 @@ METHOD(pb_tnc_state_machine_t, send_batch, bool, return TRUE; } +METHOD(pb_tnc_state_machine_t, get_empty_cdata, bool, + private_pb_tnc_state_machine_t *this) +{ + return this->empty_cdata; +} + +METHOD(pb_tnc_state_machine_t, set_empty_cdata, void, + private_pb_tnc_state_machine_t *this, bool empty) +{ + if (empty) + { + DBG2(DBG_TNC, "received empty PB-TNC CDATA batch"); + } + this->empty_cdata = empty; +} + METHOD(pb_tnc_state_machine_t, destroy, void, private_pb_tnc_state_machine_t *this) { @@ -283,6 +304,8 @@ pb_tnc_state_machine_t* pb_tnc_state_machine_create(bool is_server) .get_state = _get_state, .receive_batch = _receive_batch, .send_batch = _send_batch, + .get_empty_cdata = _get_empty_cdata, + .set_empty_cdata = _set_empty_cdata, .destroy = _destroy, }, .is_server = is_server, diff --git a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h index 8076b6ded..aa317041e 100644 --- a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h +++ b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h @@ -73,6 +73,20 @@ struct pb_tnc_state_machine_t { bool (*send_batch)(pb_tnc_state_machine_t *this, pb_tnc_batch_type_t type); /** + * Informs whether the last received PB-TNC CDATA Batch was empty + * + * @result TRUE if last received PB-TNC CDATA Batch was empty + */ + bool (*get_empty_cdata)(pb_tnc_state_machine_t *this); + + /** + * Store information whether the received PB-TNC CDATA Batch was empty + * + * @param empty set to TRUE if received PB-TNC CDATA Batch was empty + */ + void (*set_empty_cdata)(pb_tnc_state_machine_t *this, bool empty); + + /** * Destroys a pb_tnc_state_machine_t object. */ void (*destroy)(pb_tnc_state_machine_t *this); diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c index 606fc529b..44e1d278f 100644 --- a/src/libcharon/plugins/tnccs_20/tnccs_20.c +++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2010 Sansar Choinyanbuu - * Copyright (C) 2010-2011 Andreas Steffen + * Copyright (C) 2010-2012 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -35,7 +35,9 @@ #include <tnc/imv/imv_manager.h> #include <debug.h> +#include <daemon.h> #include <threading/mutex.h> +#include <utils/linked_list.h> #include <pen/pen.h> typedef struct private_tnccs_20_t private_tnccs_20_t; @@ -66,9 +68,24 @@ struct private_tnccs_20_t { TNC_ConnectionID connection_id; /** - * PB-TNC batch being constructed + * PB-TNC messages to be sent */ - pb_tnc_batch_t *batch; + linked_list_t *messages; + + /** + * Type of PB-TNC batch being constructed + */ + pb_tnc_batch_type_t batch_type; + + /** + * Maximum PB-TNC batch size + */ + size_t max_batch_len; + + /** + * Maximum PA-TNC message size + */ + size_t max_msg_len; /** * Mutex locking the batch in construction @@ -97,6 +114,30 @@ struct private_tnccs_20_t { }; +/** + * If the batch type changes then delete all accumulated PB-TNC messages + */ +void change_batch_type(private_tnccs_20_t *this, pb_tnc_batch_type_t batch_type) +{ + pb_tnc_msg_t *msg; + + if (batch_type != this->batch_type) + { + if (this->batch_type != PB_BATCH_NONE) + { + DBG1(DBG_TNC, "cancelling PB-TNC %N batch", + pb_tnc_batch_type_names, this->batch_type); + + while (this->messages->remove_last(this->messages, + (void**)&msg) == SUCCESS) + { + msg->destroy(msg); + } + } + this->batch_type = batch_type; + } +} + METHOD(tnccs_t, send_msg, TNC_Result, private_tnccs_20_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id, TNC_UInt32 msg_flags, @@ -138,13 +179,13 @@ METHOD(tnccs_t, send_msg, TNC_Result, /* adding PA message to SDATA or CDATA batch only */ batch_type = this->is_server ? PB_BATCH_SDATA : PB_BATCH_CDATA; this->mutex->lock(this->mutex); - if (!this->batch) + if (this->batch_type == PB_BATCH_NONE) { - this->batch = pb_tnc_batch_create(this->is_server, batch_type); + this->batch_type = batch_type; } - if (this->batch->get_type(this->batch) == batch_type) + if (this->batch_type == batch_type) { - this->batch->add_msg(this->batch, pb_tnc_msg); + this->messages->insert_last(this->messages, pb_tnc_msg); } else { @@ -167,30 +208,31 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg) case PB_MSG_PA: { pb_pa_msg_t *pa_msg; - u_int32_t msg_vid, msg_subtype; + pen_type_t msg_subtype; u_int16_t imc_id, imv_id; chunk_t msg_body; bool excl; enum_name_t *pa_subtype_names; pa_msg = (pb_pa_msg_t*)msg; - msg_vid = pa_msg->get_vendor_id(pa_msg, &msg_subtype); + msg_subtype = pa_msg->get_subtype(pa_msg); msg_body = pa_msg->get_body(pa_msg); imc_id = pa_msg->get_collector_id(pa_msg); imv_id = pa_msg->get_validator_id(pa_msg); excl = pa_msg->get_exclusive_flag(pa_msg); - pa_subtype_names = get_pa_subtype_names(msg_vid); + pa_subtype_names = get_pa_subtype_names(msg_subtype.vendor_id); if (pa_subtype_names) { DBG2(DBG_TNC, "handling PB-PA message type '%N/%N' 0x%06x/0x%08x", - pen_names, msg_vid, pa_subtype_names, msg_subtype, - msg_vid, msg_subtype); + pen_names, msg_subtype.vendor_id, pa_subtype_names, + msg_subtype.type, msg_subtype.vendor_id, msg_subtype.type); } else { DBG2(DBG_TNC, "handling PB-PA message type '%N' 0x%06x/0x%08x", - pen_names, msg_vid, msg_vid, msg_subtype); + pen_names, msg_subtype.vendor_id, msg_subtype.vendor_id, + msg_subtype.type); } this->send_msg = TRUE; @@ -198,13 +240,15 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg) { tnc->imvs->receive_message(tnc->imvs, this->connection_id, excl, msg_body.ptr, msg_body.len, - msg_vid, msg_subtype, imc_id, imv_id); + msg_subtype.vendor_id, + msg_subtype.type, imc_id, imv_id); } else { tnc->imcs->receive_message(tnc->imcs, this->connection_id, excl, msg_body.ptr, msg_body.len, - msg_vid, msg_subtype, imv_id, imc_id); + msg_subtype.vendor_id, + msg_subtype.type, imv_id, imc_id); } this->send_msg = FALSE; break; @@ -313,7 +357,7 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg) lang = lang_msg->get_language_preference(lang_msg); DBG2(DBG_TNC, "setting language preference to '%.*s'", - lang.len, lang.ptr); + (int)lang.len, lang.ptr); this->recs->set_preferred_language(this->recs, lang); break; } @@ -325,9 +369,9 @@ static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg) reason_msg = (pb_reason_string_msg_t*)msg; reason_string = reason_msg->get_reason_string(reason_msg); language_code = reason_msg->get_language_code(reason_msg); - DBG2(DBG_TNC, "reason string is '%.*s'", reason_string.len, + DBG2(DBG_TNC, "reason string is '%.*s'", (int)reason_string.len, reason_string.ptr); - DBG2(DBG_TNC, "language code is '%.*s'", language_code.len, + DBG2(DBG_TNC, "language code is '%.*s'", (int)language_code.len, language_code.ptr); break; } @@ -344,23 +388,20 @@ static void build_retry_batch(private_tnccs_20_t *this) pb_tnc_batch_type_t batch_retry_type; batch_retry_type = this->is_server ? PB_BATCH_SRETRY : PB_BATCH_CRETRY; - if (this->batch) + if (this->batch_type == batch_retry_type) { - if (this->batch->get_type(this->batch) == batch_retry_type) - { - /* retry batch has already been created */ - return; - } - DBG1(DBG_TNC, "cancelling PB-TNC %N batch", - pb_tnc_batch_type_names, this->batch->get_type(this->batch)); - this->batch->destroy(this->batch); - } + /* retry batch has already been selected */ + return; + } + + change_batch_type(this, batch_retry_type); + if (this->is_server) { + this->recs->clear_recommendation(this->recs); tnc->imvs->notify_connection_change(tnc->imvs, this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE); } - this->batch = pb_tnc_batch_create(this->is_server, batch_retry_type); } METHOD(tls_t, process, status_t, @@ -375,8 +416,9 @@ METHOD(tls_t, process, status_t, if (this->is_server && !this->connection_id) { this->connection_id = tnc->tnccs->create_connection(tnc->tnccs, - TNCCS_2_0, (tnccs_t*)this, _send_msg, - &this->request_handshake_retry, &this->recs); + TNCCS_2_0, (tnccs_t*)this, _send_msg, + &this->request_handshake_retry, + this->max_msg_len, &this->recs); if (!this->connection_id) { return FAILED; @@ -461,13 +503,7 @@ METHOD(tls_t, process, status_t, case FAILED: this->fatal_error = TRUE; this->mutex->lock(this->mutex); - if (this->batch) - { - DBG1(DBG_TNC, "cancelling PB-TNC %N batch", - pb_tnc_batch_type_names, this->batch->get_type(this->batch)); - this->batch->destroy(this->batch); - } - this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CLOSE); + change_batch_type(this, PB_BATCH_CLOSE); this->mutex->unlock(this->mutex); /* fall through to add error messages to outbound batch */ case VERIFY_ERROR: @@ -475,7 +511,7 @@ METHOD(tls_t, process, status_t, while (enumerator->enumerate(enumerator, &msg)) { this->mutex->lock(this->mutex); - this->batch->add_msg(this->batch, msg->get_ref(msg)); + this->messages->insert_last(this->messages, msg->get_ref(msg)); this->mutex->unlock(this->mutex); } enumerator->destroy(enumerator); @@ -508,10 +544,10 @@ static void check_and_build_recommendation(private_tnccs_20_t *this) } if (this->recs->have_recommendation(this->recs, &rec, &eval)) { - this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_RESULT); + this->batch_type = PB_BATCH_RESULT; msg = pb_assessment_result_msg_create(eval); - this->batch->add_msg(this->batch, msg); + this->messages->insert_last(this->messages, msg); /** * Map IMV Action Recommendation codes to PB Access Recommendation codes @@ -530,16 +566,15 @@ static void check_and_build_recommendation(private_tnccs_20_t *this) pb_rec = PB_REC_ACCESS_DENIED; } msg = pb_access_recommendation_msg_create(pb_rec); - this->batch->add_msg(this->batch, msg); + this->messages->insert_last(this->messages, msg); enumerator = this->recs->create_reason_enumerator(this->recs); while (enumerator->enumerate(enumerator, &id, &reason, &language)) { msg = pb_reason_string_msg_create(reason, language); - this->batch->add_msg(this->batch, msg); + this->messages->insert_last(this->messages, msg); } enumerator->destroy(enumerator); - this->recs->clear_reasons(this->recs); } } @@ -557,7 +592,8 @@ METHOD(tls_t, build, status_t, this->connection_id = tnc->tnccs->create_connection(tnc->tnccs, TNCCS_2_0, (tnccs_t*)this, _send_msg, - &this->request_handshake_retry, NULL); + &this->request_handshake_retry, + this->max_msg_len, NULL); if (!this->connection_id) { return FAILED; @@ -568,8 +604,8 @@ METHOD(tls_t, build, status_t, msg = pb_language_preference_msg_create(chunk_create(pref_lang, strlen(pref_lang))); this->mutex->lock(this->mutex); - this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CDATA); - this->batch->add_msg(this->batch, msg); + this->batch_type = PB_BATCH_CDATA; + this->messages->insert_last(this->messages, msg); this->mutex->unlock(this->mutex); tnc->imcs->notify_connection_change(tnc->imcs, this->connection_id, @@ -583,7 +619,7 @@ METHOD(tls_t, build, status_t, state = this->state_machine->get_state(this->state_machine); - if (this->is_server && this->fatal_error && state == PB_STATE_END) + if (this->fatal_error && state == PB_STATE_END) { DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection"); return FAILED; @@ -603,66 +639,98 @@ METHOD(tls_t, build, status_t, this->request_handshake_retry = FALSE; } - if (!this->batch) + if (this->is_server && state == PB_STATE_SERVER_WORKING && + this->recs->have_recommendation(this->recs, NULL, NULL)) { - if (this->is_server) + check_and_build_recommendation(this); + } + + if (this->batch_type == PB_BATCH_NONE) + { + if (this->is_server && state == PB_STATE_SERVER_WORKING) { - if (state == PB_STATE_SERVER_WORKING) + if (this->state_machine->get_empty_cdata(this->state_machine)) { check_and_build_recommendation(this); } + else + { + DBG2(DBG_TNC, "no recommendation available yet, " + "sending empty PB-TNC SDATA batch"); + this->batch_type = PB_BATCH_SDATA; + } } else - { + { /** - * if the DECIDED state has been reached and no CRETRY is under way - * or if a CLOSE batch with error messages has been received, + * In the DECIDED state and if no CRETRY is under way, * a PB-TNC client replies with an empty CLOSE batch. */ - if (state == PB_STATE_DECIDED || state == PB_STATE_END) + if (state == PB_STATE_DECIDED) { - this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CLOSE); + this->batch_type = PB_BATCH_CLOSE; } } } - if (this->batch) + if (this->batch_type != PB_BATCH_NONE) { - pb_tnc_batch_type_t batch_type; + pb_tnc_batch_t *batch; + pb_tnc_msg_t *msg; chunk_t data; + int msg_count; + enumerator_t *enumerator; - batch_type = this->batch->get_type(this->batch); - - if (this->state_machine->send_batch(this->state_machine, batch_type)) + if (this->state_machine->send_batch(this->state_machine, this->batch_type)) { - this->batch->build(this->batch); - data = this->batch->get_encoding(this->batch); + batch = pb_tnc_batch_create(this->is_server, this->batch_type, + min(this->max_batch_len, *buflen)); + + enumerator = this->messages->create_enumerator(this->messages); + while (enumerator->enumerate(enumerator, &msg)) + { + if (batch->add_msg(batch, msg)) + { + this->messages->remove_at(this->messages, enumerator); + } + else + { + break; + } + } + enumerator->destroy(enumerator); + + batch->build(batch); + data = batch->get_encoding(batch); DBG1(DBG_TNC, "sending PB-TNC %N batch (%d bytes) for Connection ID %u", - pb_tnc_batch_type_names, batch_type, data.len, + pb_tnc_batch_type_names, this->batch_type, data.len, this->connection_id); DBG3(DBG_TNC, "%B", &data); - *msglen = data.len; - if (data.len > *buflen) + *buflen = data.len; + *msglen = 0; + memcpy(buf, data.ptr, *buflen); + batch->destroy(batch); + + msg_count = this->messages->get_count(this->messages); + if (msg_count) { - DBG1(DBG_TNC, "fragmentation of PB-TNC batch not supported yet"); + DBG2(DBG_TNC, "queued %d PB-TNC message%s for next %N batch", + msg_count, (msg_count == 1) ? "" : "s", + pb_tnc_batch_type_names, this->batch_type); } else { - *buflen = data.len; + this->batch_type = PB_BATCH_NONE; } - memcpy(buf, data.ptr, *buflen); + status = ALREADY_DONE; } else { - DBG1(DBG_TNC, "cancelling unexpected PB-TNC batch type: %N", - pb_tnc_batch_type_names, batch_type); + change_batch_type(this, PB_BATCH_NONE); status = INVALID_STATE; } - - this->batch->destroy(this->batch); - this->batch = NULL; } else { @@ -715,7 +783,8 @@ METHOD(tls_t, destroy, void, this->is_server); this->state_machine->destroy(this->state_machine); this->mutex->destroy(this->mutex); - DESTROY_IF(this->batch); + this->messages->destroy_offset(this->messages, + offsetof(pb_tnc_msg_t, destroy)); free(this); } @@ -739,6 +808,13 @@ tls_t *tnccs_20_create(bool is_server) .is_server = is_server, .state_machine = pb_tnc_state_machine_create(is_server), .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .messages = linked_list_create(), + .max_batch_len = lib->settings->get_int(lib->settings, + "%s.plugins.tnccs-20.max_batch_size", 65522, + charon->name), + .max_msg_len = lib->settings->get_int(lib->settings, + "%s.plugins.tnccs-20.max_message_size", 65490, + charon->name), ); return &this->public; |