diff options
Diffstat (limited to 'src/libimcv/imv')
25 files changed, 4655 insertions, 347 deletions
diff --git a/src/libimcv/imv/_imv_policy b/src/libimcv/imv/_imv_policy new file mode 100755 index 000000000..68a963c27 --- /dev/null +++ b/src/libimcv/imv/_imv_policy @@ -0,0 +1,39 @@ +#! /bin/sh +# default TNC policy command script +# +# Copyright 2013 Andreas Steffen +# HSR Hochschule fuer Technik Rapperswil +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. +# +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the "libimcv.policy_script = " option in strongswan.conf +# to make strongSwan use yours instead of this default one. + +# Environment variables that this script gets +# +# TNC_SESSION_ID +# unique session ID used as a reference by the policy +# manager. +# +case "$1" in +start) + echo "start session $TNC_SESSION_ID" + ;; +stop) + echo "stop session $TNC_SESSION_ID" + ;; +*) echo "$0: unknown command '$1'" + exit 1 + ;; +esac diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql new file mode 100644 index 000000000..35fd65753 --- /dev/null +++ b/src/libimcv/imv/data.sql @@ -0,0 +1,846 @@ +/* Products */ + +INSERT INTO products ( /* 1 */ + name +) VALUES ( + 'Debian 6.0 i686' +); + +INSERT INTO products ( /* 2 */ + name +) VALUES ( + 'Debian 6.0 x86_64' +); + +INSERT INTO products ( /* 3 */ + name +) VALUES ( + 'Debian 7.0 i686' +); + +INSERT INTO products ( /* 4 */ + name +) VALUES ( + 'Debian 7.0 x86_64' +); + +INSERT INTO products ( /* 5 */ + name +) VALUES ( + 'Debian 8.0 i686' +); + +INSERT INTO products ( /* 6 */ + name +) VALUES ( + 'Debian 8.0 x86_64' +); + +INSERT INTO products ( /* 7 */ + name +) VALUES ( + 'Ubuntu 10.04 i686' +); + +INSERT INTO products ( /* 8 */ + name +) VALUES ( + 'Ubuntu 10.04 x86_64' +); + +INSERT INTO products ( /* 9 */ + name +) VALUES ( + 'Ubuntu 10.10 i686' +); + +INSERT INTO products ( /* 10 */ + name +) VALUES ( + 'Ubuntu 10.10 x86_64' +); + +INSERT INTO products ( /* 11 */ + name +) VALUES ( + 'Ubuntu 11.04 i686' +); + +INSERT INTO products ( /* 12 */ + name +) VALUES ( + 'Ubuntu 11.04 x86_64' +); + +INSERT INTO products ( /* 13 */ + name +) VALUES ( + 'Ubuntu 11.10 i686' +); + +INSERT INTO products ( /* 14 */ + name +) VALUES ( + 'Ubuntu 11.10 x86_64' +); + +INSERT INTO products ( /* 15 */ + name +) VALUES ( + 'Ubuntu 12.04 i686' +); + +INSERT INTO products ( /* 16 */ + name +) VALUES ( + 'Ubuntu 12.04 x86_64' +); + +INSERT INTO products ( /* 17 */ + name +) VALUES ( + 'Ubuntu 12.10 i686' +); + +INSERT INTO products ( /* 18 */ + name +) VALUES ( + 'Ubuntu 12.10 x86_64' +); + +INSERT INTO products ( /* 19 */ + name +) VALUES ( + 'Ubuntu 13.04 i686' +); + +INSERT INTO products ( /* 20 */ + name +) VALUES ( + 'Ubuntu 13.04 x86_64' +); + +INSERT INTO products ( /* 21 */ + name +) VALUES ( + 'Android 4.1.1' +); + +INSERT INTO products ( /* 22 */ + name +) VALUES ( + 'Android 4.2.1' +); + +/* Directories */ + +INSERT INTO directories ( /* 1 */ + path +) VALUES ( + '/bin' +); + +INSERT INTO directories ( /* 2 */ + path +) VALUES ( + '/etc' +); + +INSERT INTO directories ( /* 3 */ + path +) VALUES ( + '/lib' +); + +INSERT INTO directories ( /* 4 */ + path +) VALUES ( + '/lib/i386-linux-gnu' +); + +INSERT INTO directories ( /* 5 */ + path +) VALUES ( + '/lib/x86_64-linux-gnu' +); + +INSERT INTO directories ( /* 6 */ + path +) VALUES ( + '/lib/xtables' +); + +INSERT INTO directories ( /* 7 */ + path +) VALUES ( + '/sbin' +); + +INSERT INTO directories ( /* 8 */ + path +) VALUES ( + '/usr/bin' +); + +INSERT INTO directories ( /* 9 */ + path +) VALUES ( + '/usr/lib' +); + +INSERT INTO directories ( /* 10 */ + path +) VALUES ( + '/usr/lib/i386-linux-gnu' +); + +INSERT INTO directories ( /* 11 */ + path +) VALUES ( + '/usr/lib/x86_64-linux-gnu' +); + +INSERT INTO directories ( /* 12 */ + path +) VALUES ( + '/usr/sbin' +); + +INSERT INTO directories ( /* 13 */ + path +) VALUES ( + '/system/bin' +); + +INSERT INTO directories ( /* 14 */ + path +) VALUES ( + '/system/lib' +); + +/* Files */ + +INSERT INTO files ( /* 1 */ + name, dir +) VALUES ( + 'libcrypto.so.1.0.0', 5 +); + +INSERT INTO files ( /* 2 */ + name, dir +) VALUES ( + 'libcrypto.so.1.0.0', 11 +); + +INSERT INTO files ( /* 3 */ + name, dir +) VALUES ( + 'libssl.so.1.0.0', 5 +); + +INSERT INTO files ( /* 4 */ + name, dir +) VALUES ( + 'libssl.so.1.0.0', 11 +); + +INSERT INTO files ( /* 5 */ + name, dir +) VALUES ( + 'openssl', 8 +); + +INSERT INTO files ( /* 6 */ + name, dir +) VALUES ( + 'tnc_config', 2 +); + +/* Algorithms */ + +INSERT INTO algorithms ( + id, name +) VALUES ( + 65536, 'SHA1-IMA' +); + +INSERT INTO algorithms ( + id, name +) VALUES ( + 32768, 'SHA1' +); + +INSERT INTO algorithms ( + id, name +) VALUES ( + 16384, 'SHA256' +); + +INSERT INTO algorithms ( + id, name +) VALUES ( + 8192, 'SHA384' +); + +/* File Hashes */ + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 2, 32768, X'6c6f8e12f6cbfba612e780374c4cdcd40f20968a' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 2, 16384, X'dbcecd19d59310183cf5c31ddee29e8d7bec64d3f9583aad074330a1b3024b07' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 2, 8192, X'197c5385e5853003188833d4f991136c1b0875fa416a60b1159f64e57e457b3184762c884a802a2bda194c058e3bd953' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 4, 32768, X'3ad204f99eb7262efab79cfca02628870ea76361' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 4, 16384, X'3a2170aad92fdd58b55e0e199822bc873cf587b2d1eb1ed7ed8dcea97ae86376' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 4, 8192, X'f778076baa876b5e4b502494a3db081fb09dd870dee6991d54104a74b7e009c58fe261db5ffd13c11e08ef0cefcfa59f' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 5, 32768, X'ecd9c7076cc0572724c7a67db7f19c2831e0445f' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 5, 16384, X'28f3ea5afd34444c8232ea75003131e294a0c9b847de300e4b205d38c1a41305' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 4, 5, 8192, X'51921a8b9322f2d3f06d55002ff40a79da67e70cb563b2a50977642d603dfac2ccbb68b3d32a8bb350769b75d6254208' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 1, 32768, X'd9309b9e45928239d7a7b18711e690792632cce4' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 1, 16384, X'dbfa1856d278d8707c4989b30dd065b4bcd309908f0f2e6e66ff2aa83ff93f59' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 1, 8192, X'fb8d027f03bb5ebb47741ed247eb9e174127b714d20229885feb37e0979aeb14a1b74020cded891d680441093625729c' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 3, 32768, X'3715f2f94016a91fab5bbc503f0f1d43c5a9fc2b' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 3, 16384, X'c03a5296b5decb87b01517f9927a8b2349dfb29ff9f5ba084f994c155ca5d4be' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 3, 8192, X'b8bc345f56115235cc6091f61e312ce43ea54a5b99e7295002ae7b415fd35e06ec4c731ab70ad00d784bb53a318a2fa0' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 5, 32768, X'e59602f4edf24c1b36199588886d06665d4adcd7' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 5, 16384, X'090e1b77bda7fe665e498c6b5e09dbb7ddc5cfe57f213de48f4fb6736484f500' +); + +INSERT INTO file_hashes ( + product, file, algo, hash +) VALUES ( + 18, 5, 8192, X'7cbdb4612a13443dba910ecdef5161f2213e52c9b4a2eef14bcee5d287e9df931cd022e9e9715518ad9c9b6e3384a668' +); + +/* Packages */ + +INSERT INTO packages ( /* 1 */ + name +) VALUES ( + 'libssl-dev' +); + +INSERT INTO packages ( /* 2 */ + name +) VALUES ( + 'libssl1.0.0' +); + +INSERT INTO packages ( /* 3 */ + name +) VALUES ( + 'libssl1.0.0-dbg' +); + +INSERT INTO packages ( /* 4 */ + name +) VALUES ( + 'openssl' +); + +/* Versions */ + +INSERT INTO versions ( + package, product, release, time +) VALUES ( + 1, 4, '1.0.1e-2', 1366531494 +); + +INSERT INTO versions ( + package, product, release, time +) VALUES ( + 2, 4, '1.0.1e-2', 1366531494 +); + +INSERT INTO versions ( + package, product, release, time +) VALUES ( + 3, 4, '1.0.1e-2', 1366531494 +); + +INSERT INTO versions ( + package, product, release, time +) VALUES ( + 4, 4, '1.0.1e-2', 1366531494 +); + +/* Components */ + +INSERT INTO components ( + vendor_id, name, qualifier +) VALUES ( + 36906, 1, 33 /* ITA TGRUB */ +); + +INSERT INTO components ( + vendor_id, name, qualifier +) VALUES ( + 36906, 2, 33 /* ITA TBOOT */ +); + +INSERT INTO components ( + vendor_id, name, qualifier +) VALUES ( + 36906, 3, 33 /* ITA IMA - Trusted Platform */ +); + +INSERT INTO components ( + vendor_id, name, qualifier +) VALUES ( + 36906, 3, 34 /* ITA IMA - Operating System */ +); + +/* Groups */ + +INSERT INTO groups ( /* 1 */ + name +) VALUES ( + 'Default' +); + +INSERT INTO groups ( /* 2 */ + name, parent +) VALUES ( + 'Linux', 1 +); + +INSERT INTO groups ( /* 3 */ + name, parent +) VALUES ( + 'Android', 1 +); + +INSERT INTO groups ( /* 4 */ + name, parent +) VALUES ( + 'Debian i686', 2 +); + +INSERT INTO groups ( /* 5 */ + name, parent +) VALUES ( + 'Debian x86_64', 2 +); + +INSERT INTO groups ( /* 6 */ + name, parent +) VALUES ( + 'Ubuntu i686', 2 +); + +INSERT INTO groups ( /* 7 */ + name, parent +) VALUES ( + 'Ubuntu x86_64', 2 +); + +INSERT INTO groups ( /* 8 */ + name +) VALUES ( + 'Reference' +); + +INSERT INTO groups ( /* 9 */ + name, parent +) VALUES ( + 'Ref. Android', 8 +); + +INSERT INTO groups ( /* 10 */ + name, parent +) VALUES ( + 'Ref. Linux', 8 +); + +/* Default Product Groups */ + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 1 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 3 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 5 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 2 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 4 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 6 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 7 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 9 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 11 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 13 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 15 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 17 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 6, 19 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 8 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 10 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 12 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 14 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 16 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 18 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 7, 20 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 3, 21 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 3, 22 +); + +/* Policies */ + +INSERT INTO policies ( /* 1 */ + type, name, rec_fail, rec_noresult +) VALUES ( + 1, 'Installed Packages', 2, 2 +); + +INSERT INTO policies ( /* 2 */ + type, name, rec_fail, rec_noresult +) VALUES ( + 2, 'Unknown Source', 2, 2 +); + +INSERT INTO policies ( /* 3 */ + type, name, rec_fail, rec_noresult +) VALUES ( + 3, 'IP Forwarding Enabled', 1, 1 +); + +INSERT INTO policies ( /* 4 */ + type, name, rec_fail, rec_noresult +) VALUES ( + 4, 'Default Factory Password Enabled', 1, 1 +); + +INSERT INTO policies ( /* 5 */ + type, name, file, rec_fail, rec_noresult +) VALUES ( + 6, 'Measure /lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 1, 2, 2 +); + +INSERT INTO policies ( /* 6 */ + type, name, file, rec_fail, rec_noresult +) VALUES ( + 6, 'Measure /lib/x86_64-linux-gnu/libssl.so.1.0.0', 3, 2, 2 +); + +INSERT INTO policies ( /* 7 */ + type, name, file, rec_fail, rec_noresult +) VALUES ( + 6, 'Measure /usr/bin/openssl', 5, 2, 2 +); + +INSERT INTO policies ( /* 8 */ + type, name, rec_fail, rec_noresult +) VALUES ( + 11, 'No Open TCP Ports', 1, 1 +); + +INSERT INTO policies ( /* 9 */ + type, name, argument, rec_fail, rec_noresult +) VALUES ( + 13, 'Open UDP Ports', '500 4500 10000-65000', 1, 1 +); + +INSERT INTO policies ( /* 10 */ + type, name, file, rec_fail, rec_noresult +) VALUES ( + 7, 'Metadata of /etc/tnc_config', 6, 0, 0 +); + +INSERT INTO policies ( /* 11 */ + type, name, dir, rec_fail, rec_noresult +) VALUES ( + 8, 'Get /bin', 1, 0, 0 +); + +INSERT INTO policies ( /* 12 */ + type, name, file, rec_fail, rec_noresult +) VALUES ( + 6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0', 2, 2, 2 +); + +INSERT INTO policies ( /* 13 */ + type, name, file, rec_fail, rec_noresult +) VALUES ( + 6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0', 4, 2, 2 +); + +INSERT INTO policies ( /* 14 */ + type, name, dir, rec_fail, rec_noresult +) VALUES ( + 8, 'Get /system/bin', 13, 0, 0 +); + +INSERT INTO policies ( /* 15 */ + type, name, dir, rec_fail, rec_noresult +) VALUES ( + 8, 'Get /system/lib', 14, 0, 0 +); + +/* Enforcements */ + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 1, 1, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 2, 3, 0 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 3, 2, 0 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 5, 7, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 6, 7, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 7, 2, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 8, 1, 60 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 9, 1, 60 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 10, 2, 60 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 11, 10, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 12, 5, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 13, 5, 86400 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 14, 9, 0 +); + +INSERT INTO enforcements ( + policy, group_id, max_age +) VALUES ( + 15, 9, 0 +); + diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c index 56131c547..435c25a3c 100644 --- a/src/libimcv/imv/imv_agent.c +++ b/src/libimcv/imv/imv_agent.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * Copyright (C) 2011-2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -14,11 +15,16 @@ #include "imcv.h" #include "imv_agent.h" +#include "imv_session.h" + +#include "ietf/ietf_attr_assess_result.h" #include <tncif_names.h> +#include <tncif_identity.h> -#include <debug.h> -#include <utils/linked_list.h> +#include <utils/debug.h> +#include <collections/linked_list.h> +#include <bio/bio_reader.h> #include <threading/rwlock.h> typedef struct private_imv_agent_t private_imv_agent_t; @@ -39,14 +45,14 @@ struct private_imv_agent_t { const char *name; /** - * message vendor ID of IMV + * message types registered by IMV */ - TNC_VendorID vendor_id; + pen_type_t *supported_types; /** - * message subtype of IMV + * number of message types registered by IMV */ - TNC_MessageSubtype subtype; + u_int32_t type_count; /** * ID of IMV as assigned by TNCS @@ -95,44 +101,6 @@ struct private_imv_agent_t { TNC_UInt32 type_count); /** - * Call when an IMV-IMC message is to be sent - * - * @param imv_id IMV ID assigned by TNCS - * @param connection_id network connection ID assigned by TNCS - * @param msg message to send - * @param msg_len message length in bytes - * @param msg_type message type - * @return TNC result code - */ - TNC_Result (*send_message)(TNC_IMVID imv_id, - TNC_ConnectionID connection_id, - TNC_BufferReference msg, - TNC_UInt32 msg_len, - TNC_MessageType msg_type); - - /** - * Call when an IMV-IMC message is to be sent with long message types - * - * @param imv_id IMV ID assigned by TNCS - * @param connection_id network connection ID assigned by TNCS - * @param msg_flags message flags - * @param msg message to send - * @param msg_len message length in bytes - * @param msg_vid message vendor ID - * @param msg_subtype message subtype - * @param dst_imc_id destination IMC ID - * @return TNC result code - */ - TNC_Result (*send_message_long)(TNC_IMVID imv_id, - TNC_ConnectionID connection_id, - TNC_UInt32 msg_flags, - TNC_BufferReference msg, - TNC_UInt32 msg_len, - TNC_VendorID msg_vid, - TNC_MessageSubtype msg_subtype, - TNC_UInt32 dst_imc_id); - - /** * Deliver IMV Action Recommendation and IMV Evaluation Results to the TNCS * * @param imv_id IMV ID assigned by TNCS @@ -218,14 +186,14 @@ METHOD(imv_agent_t, bind_functions, TNC_Result, this->public.request_handshake_retry = NULL; } if (bind_function(this->id, "TNC_TNCS_SendMessage", - (void**)&this->send_message) != TNC_RESULT_SUCCESS) + (void**)&this->public.send_message) != TNC_RESULT_SUCCESS) { - this->send_message = NULL; + this->public.send_message = NULL; } if (bind_function(this->id, "TNC_TNCS_SendMessageLong", - (void**)&this->send_message_long) != TNC_RESULT_SUCCESS) + (void**)&this->public.send_message_long) != TNC_RESULT_SUCCESS) { - this->send_message_long = NULL; + this->public.send_message_long = NULL; } if (bind_function(this->id, "TNC_TNCS_ProvideRecommendation", (void**)&this->provide_recommendation) != TNC_RESULT_SUCCESS) @@ -247,22 +215,40 @@ METHOD(imv_agent_t, bind_functions, TNC_Result, { this->reserve_additional_id = NULL; } - DBG2(DBG_IMV, "IMV %u \"%s\" provided with bind function", - this->id, this->name); if (this->report_message_types_long) { - this->report_message_types_long(this->id, &this->vendor_id, - &this->subtype, 1); + TNC_VendorIDList vendor_id_list; + TNC_MessageSubtypeList subtype_list; + int i; + + vendor_id_list = malloc(this->type_count * sizeof(TNC_UInt32)); + subtype_list = malloc(this->type_count * sizeof(TNC_UInt32)); + + for (i = 0; i < this->type_count; i++) + { + vendor_id_list[i] = this->supported_types[i].vendor_id; + subtype_list[i] = this->supported_types[i].type; + } + this->report_message_types_long(this->id, vendor_id_list, subtype_list, + this->type_count); + free(vendor_id_list); + free(subtype_list); } - else if (this->report_message_types && - this->vendor_id <= TNC_VENDORID_ANY && - this->subtype <= TNC_SUBTYPE_ANY) + else if (this->report_message_types) { - TNC_MessageType type; + TNC_MessageTypeList type_list; + int i; + + type_list = malloc(this->type_count * sizeof(TNC_UInt32)); - type = (this->vendor_id << 8) | this->subtype; - this->report_message_types(this->id, &type, 1); + for (i = 0; i < this->type_count; i++) + { + type_list[i] = (this->supported_types[i].vendor_id << 8) | + (this->supported_types[i].type & 0xff); + } + this->report_message_types(this->id, type_list, this->type_count); + free(type_list); } return TNC_RESULT_SUCCESS; } @@ -299,6 +285,7 @@ static bool delete_connection(private_imv_agent_t *this, TNC_ConnectionID id) { enumerator_t *enumerator; imv_state_t *state; + imv_session_t *session; bool found = FALSE; this->connection_lock->write_lock(this->connection_lock); @@ -308,6 +295,11 @@ static bool delete_connection(private_imv_agent_t *this, TNC_ConnectionID id) if (id == state->get_connection_id(state)) { found = TRUE; + session = state->get_session(state); + if (session) + { + imcv_db->remove_session(imcv_db, session); + } state->destroy(state); this->connections->remove_at(this->connections, enumerator); break; @@ -351,12 +343,81 @@ static char* get_str_attribute(private_imv_agent_t *this, TNC_ConnectionID id, return NULL; } +/** + * Read an UInt32 attribute + */ +static u_int32_t get_uint_attribute(private_imv_agent_t *this, TNC_ConnectionID id, + TNC_AttributeID attribute_id) +{ + TNC_UInt32 len; + char buf[4]; + + if (this->get_attribute && + this->get_attribute(this->id, id, attribute_id, 4, buf, &len) == + TNC_RESULT_SUCCESS && len == 4) + { + return untoh32(buf); + } + return 0; + } + +/** + * Read a TNC identity attribute + */ +static linked_list_t* get_identity_attribute(private_imv_agent_t *this, + TNC_ConnectionID id, + TNC_AttributeID attribute_id) +{ + TNC_UInt32 len; + char buf[2048]; + u_int32_t count; + tncif_identity_t *tnc_id; + bio_reader_t *reader; + linked_list_t *list; + + list = linked_list_create(); + + if (!this->get_attribute || + this->get_attribute(this->id, id, attribute_id, sizeof(buf), buf, &len) + != TNC_RESULT_SUCCESS || len > sizeof(buf)) + { + return list; + } + + reader = bio_reader_create(chunk_create(buf, len)); + if (!reader->read_uint32(reader, &count)) + { + goto end; + } + while (count--) + { + tnc_id = tncif_identity_create_empty(); + if (!tnc_id->process(tnc_id, reader)) + { + tnc_id->destroy(tnc_id); + goto end; + } + list->insert_last(list, tnc_id); + } + +end: + reader->destroy(reader); + return list; + } + METHOD(imv_agent_t, create_state, TNC_Result, private_imv_agent_t *this, imv_state_t *state) { TNC_ConnectionID conn_id; char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL; - bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE; + bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE, first = TRUE; + linked_list_t *ar_identities; + enumerator_t *enumerator; + tncif_identity_t *tnc_id; + imv_session_t *session; + u_int32_t max_msg_len; + u_int32_t ar_id_type = TNC_ID_UNKNOWN; + chunk_t ar_id_value = chunk_empty; conn_id = state->get_connection_id(state); if (find_connection(this, conn_id)) @@ -371,18 +432,74 @@ METHOD(imv_agent_t, create_state, TNC_Result, has_long = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_LONG_TYPES); has_excl = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_EXCLUSIVE); has_soh = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_SOH); - tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL); + tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL); tnccs_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_VERSION); t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL); t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION); + max_msg_len = get_uint_attribute(this, conn_id, TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE); + ar_identities = get_identity_attribute(this, conn_id, TNC_ATTRIBUTEID_AR_IDENTITIES); state->set_flags(state, has_long, has_excl); + state->set_max_msg_len(state, max_msg_len); + + DBG2(DBG_IMV, "IMV %u \"%s\" created a state for %s %s Connection ID %u: " + "%slong %sexcl %ssoh", this->id, this->name, + tnccs_p ? tnccs_p:"?", tnccs_v ? tnccs_v:"?", conn_id, + has_long ? "+":"-", has_excl ? "+":"-", has_soh ? "+":"-"); + DBG2(DBG_IMV, " over %s %s with maximum PA-TNC message size of %u bytes", + t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len); + + enumerator = ar_identities->create_enumerator(ar_identities); + while (enumerator->enumerate(enumerator, &tnc_id)) + { + pen_type_t id_type, subject_type, auth_type; + u_int32_t tcg_id_type, tcg_subject_type, tcg_auth_type; + chunk_t id_value; + + id_type = tnc_id->get_identity_type(tnc_id); + id_value = tnc_id->get_identity_value(tnc_id); + subject_type = tnc_id->get_subject_type(tnc_id); + auth_type = tnc_id->get_auth_type(tnc_id); + + tcg_id_type = (id_type.vendor_id == PEN_TCG) ? + id_type.type : TNC_ID_UNKNOWN; + tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ? + subject_type.type : TNC_SUBJECT_UNKNOWN; + tcg_auth_type = (auth_type.vendor_id == PEN_TCG) ? + auth_type.type : TNC_AUTH_UNKNOWN; + + + DBG2(DBG_IMV, " %N AR identity '%.*s' authenticated by %N", + TNC_Subject_names, tcg_subject_type, + id_value.len, id_value.ptr, + TNC_Authentication_names, tcg_auth_type); - DBG2(DBG_IMV, "IMV %u \"%s\" created a state for Connection ID %u: " - "%s %s with %slong %sexcl %ssoh over %s %s", - this->id, this->name, conn_id, tnccs_p ? tnccs_p:"?", - tnccs_v ? tnccs_v:"?", has_long ? "+":"-", has_excl ? "+":"-", - has_soh ? "+":"-", t_p ? t_p:"?", t_v ? t_v :"?"); + if (first) + { + ar_id_type = tcg_id_type; + ar_id_value = id_value; + state->set_ar_id(state, ar_id_type, ar_id_value); + first = FALSE; + } + } + enumerator->destroy(enumerator); + + if (imcv_db) + { + session = imcv_db->add_session(imcv_db, conn_id, ar_id_type, ar_id_value); + if (session) + { + DBG2(DBG_IMV, " assigned session ID %d", + session->get_session_id(session)); + state->set_session(state, session); + } + else + { + DBG1(DBG_IMV, " no session ID assigned"); + } + } + ar_identities->destroy_offset(ar_identities, + offsetof(tncif_identity_t, destroy)); free(tnccs_p); free(tnccs_v); free(t_p); @@ -449,7 +566,7 @@ METHOD(imv_agent_t, change_state, TNC_Result, DBG1(DBG_IMV, "IMV %u \"%s\" was notified of unknown state %u " "for Connection ID %u", this->id, this->name, new_state, connection_id); - return TNC_RESULT_INVALID_PARAMETER; + return TNC_RESULT_INVALID_PARAMETER; } return TNC_RESULT_SUCCESS; } @@ -468,220 +585,16 @@ METHOD(imv_agent_t, get_state, bool, return TRUE; } -METHOD(imv_agent_t, send_message, TNC_Result, - private_imv_agent_t *this, TNC_ConnectionID connection_id, bool excl, - TNC_UInt32 src_imv_id, TNC_UInt32 dst_imc_id, chunk_t msg) -{ - TNC_MessageType type; - TNC_UInt32 msg_flags; - imv_state_t *state; - - state = find_connection(this, connection_id); - if (!state) - { - DBG1(DBG_IMV, "IMV %u \"%s\" has no state for Connection ID %u", - this->id, this->name, connection_id); - return TNC_RESULT_FATAL; - } - - if (state->has_long(state) && this->send_message_long) - { - if (!src_imv_id) - { - src_imv_id = this->id; - } - msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0; - - return this->send_message_long(src_imv_id, connection_id, msg_flags, - msg.ptr, msg.len, this->vendor_id, - this->subtype, dst_imc_id); - } - if (this->send_message) - { - type = (this->vendor_id << 8) | this->subtype; - - return this->send_message(this->id, connection_id, msg.ptr, msg.len, - type); - } - return TNC_RESULT_FATAL; -} - -METHOD(imv_agent_t, set_recommendation, TNC_Result, - private_imv_agent_t *this, TNC_ConnectionID connection_id, - TNC_IMV_Action_Recommendation rec, - TNC_IMV_Evaluation_Result eval) +METHOD(imv_agent_t, get_name, const char*, + private_imv_agent_t *this) { - imv_state_t *state; - - state = find_connection(this, connection_id); - if (!state) - { - DBG1(DBG_IMV, "IMV %u \"%s\" has no state for Connection ID %u", - this->id, this->name, connection_id); - return TNC_RESULT_FATAL; - } - - state->set_recommendation(state, rec, eval); - return this->provide_recommendation(this->id, connection_id, rec, eval); + return this->name; } -METHOD(imv_agent_t, receive_message, TNC_Result, - private_imv_agent_t *this, imv_state_t *state, chunk_t msg, - TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype, - TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id, pa_tnc_msg_t **pa_tnc_msg) -{ - pa_tnc_msg_t *pa_msg, *error_msg; - pa_tnc_attr_t *error_attr; - enumerator_t *enumerator; - TNC_MessageType msg_type; - TNC_UInt32 msg_flags, src_imv_id, dst_imc_id; - TNC_ConnectionID connection_id; - TNC_Result result; - - connection_id = state->get_connection_id(state); - - if (state->has_long(state)) - { - if (dst_imv_id != TNC_IMVID_ANY) - { - DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u " - "from IMC %u to IMV %u", this->id, this->name, - connection_id, src_imc_id, dst_imv_id); - } - else - { - DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u " - "from IMC %u", this->id, this->name, connection_id, - src_imc_id); - } - } - else - { - DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u", - this->id, this->name, connection_id); - } - - *pa_tnc_msg = NULL; - pa_msg = pa_tnc_msg_create_from_data(msg); - - switch (pa_msg->process(pa_msg)) - { - case SUCCESS: - *pa_tnc_msg = pa_msg; - break; - case VERIFY_ERROR: - /* build error message */ - error_msg = pa_tnc_msg_create(); - enumerator = pa_msg->create_error_enumerator(pa_msg); - while (enumerator->enumerate(enumerator, &error_attr)) - { - error_msg->add_attribute(error_msg, - error_attr->get_ref(error_attr)); - } - enumerator->destroy(enumerator); - error_msg->build(error_msg); - - /* send error message */ - msg = error_msg->get_encoding(error_msg); - - if (state->has_long(state) && this->send_message_long) - { - if (state->has_excl(state)) - { - msg_flags = TNC_MESSAGE_FLAGS_EXCLUSIVE; - dst_imc_id = src_imc_id; - } - else - { - msg_flags = 0; - dst_imc_id = TNC_IMCID_ANY; - } - src_imv_id = (dst_imv_id == TNC_IMVID_ANY) ? this->id - : dst_imv_id; - - result = this->send_message_long(src_imv_id, connection_id, - msg_flags, msg.ptr, msg.len, msg_vid, - msg_subtype, dst_imc_id); - } - else if (this->send_message) - { - msg_type = (msg_vid << 8) | msg_subtype; - - result = this->send_message(this->id, connection_id, - msg.ptr, msg.len, msg_type); - } - else - { - result = TNC_RESULT_FATAL; - } - - /* clean up */ - error_msg->destroy(error_msg); - pa_msg->destroy(pa_msg); - return result; - case FAILED: - default: - pa_msg->destroy(pa_msg); - state->set_recommendation(state, - TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, - TNC_IMV_EVALUATION_RESULT_ERROR); - return this->provide_recommendation(this->id, connection_id, - TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, - TNC_IMV_EVALUATION_RESULT_ERROR); - } - return TNC_RESULT_SUCCESS; -} - -METHOD(imv_agent_t, provide_recommendation, TNC_Result, - private_imv_agent_t *this, TNC_ConnectionID connection_id) +METHOD(imv_agent_t, get_id, TNC_IMVID, + private_imv_agent_t *this) { - imv_state_t *state; - TNC_IMV_Action_Recommendation rec; - TNC_IMV_Evaluation_Result eval; - TNC_UInt32 lang_len; - char buf[BUF_LEN]; - chunk_t pref_lang = { buf, 0 }, reason_string, reason_lang; - - state = find_connection(this, connection_id); - if (!state) - { - DBG1(DBG_IMV, "IMV %u \"%s\" has no state for Connection ID %u", - this->id, this->name, connection_id); - return TNC_RESULT_FATAL; - } - state->get_recommendation(state, &rec, &eval); - - - /* send a reason string if action recommendation is not allow */ - if (rec != TNC_IMV_ACTION_RECOMMENDATION_ALLOW) - { - /* check if there a preferred language has been requested */ - if (this->get_attribute && - this->get_attribute(this->id, connection_id, - TNC_ATTRIBUTEID_PREFERRED_LANGUAGE, BUF_LEN, - buf, &lang_len) == TNC_RESULT_SUCCESS && - lang_len <= BUF_LEN) - { - pref_lang.len = lang_len; - DBG2(DBG_IMV, "preferred language is '%.*s'", - pref_lang.len, pref_lang.ptr); - } - - /* find a reason string for the preferred or default language and set it */ - if (this->set_attribute && - state->get_reason_string(state, pref_lang, &reason_string, - &reason_lang)) - { - this->set_attribute(this->id, connection_id, - TNC_ATTRIBUTEID_REASON_STRING, - reason_string.len, reason_string.ptr); - this->set_attribute(this->id, connection_id, - TNC_ATTRIBUTEID_REASON_LANGUAGE, - reason_lang.len, reason_lang.ptr); - } - } - - return this->provide_recommendation(this->id, connection_id, rec, eval); + return this->id; } METHOD(imv_agent_t, reserve_additional_ids, TNC_Result, @@ -729,6 +642,146 @@ METHOD(imv_agent_t, create_id_enumerator, enumerator_t*, return this->additional_ids->create_enumerator(this->additional_ids); } +typedef struct { + /** + * implements enumerator_t + */ + enumerator_t public; + + /** + * language length + */ + TNC_UInt32 lang_len; + + /** + * language buffer + */ + char lang_buf[BUF_LEN]; + + /** + * position pointer into language buffer + */ + char *lang_pos; + +} language_enumerator_t; + +/** + * Implementation of language_enumerator.destroy. + */ +static void language_enumerator_destroy(language_enumerator_t *this) +{ + free(this); +} + +/** + * Implementation of language_enumerator.enumerate + */ +static bool language_enumerator_enumerate(language_enumerator_t *this, ...) +{ + char *pos, *cur_lang, **lang; + TNC_UInt32 len; + va_list args; + + if (!this->lang_len) + { + return FALSE; + } + cur_lang = this->lang_pos; + pos = strchr(this->lang_pos, ','); + if (pos) + { + len = pos - this->lang_pos; + this->lang_pos += len + 1, + this->lang_len -= len + 1; + } + else + { + len = this->lang_len; + pos = this->lang_pos + len; + this->lang_pos = NULL; + this->lang_len = 0; + } + + /* remove preceding whitespace */ + while (*cur_lang == ' ' && len--) + { + cur_lang++; + } + + /* remove trailing whitespace */ + while (len && *(--pos) == ' ') + { + len--; + } + cur_lang[len] = '\0'; + + va_start(args, this); + lang = va_arg(args, char**); + *lang = cur_lang; + va_end(args); + + return TRUE; +} + +METHOD(imv_agent_t, create_language_enumerator, enumerator_t*, + private_imv_agent_t *this, imv_state_t *state) +{ + language_enumerator_t *e; + + /* Create a language enumerator instance */ + e = malloc_thing(language_enumerator_t); + e->public.enumerate = (void*)language_enumerator_enumerate; + e->public.destroy = (void*)language_enumerator_destroy; + + if (!this->get_attribute || + !this->get_attribute(this->id, state->get_connection_id(state), + TNC_ATTRIBUTEID_PREFERRED_LANGUAGE, BUF_LEN, + e->lang_buf, &e->lang_len) == TNC_RESULT_SUCCESS || + e->lang_len >= BUF_LEN) + { + e->lang_len = 0; + } + e->lang_buf[e->lang_len] = '\0'; + e->lang_pos = e->lang_buf; + + return (enumerator_t*)e; +} + +METHOD(imv_agent_t, provide_recommendation, TNC_Result, + private_imv_agent_t *this, imv_state_t *state) +{ + TNC_IMV_Action_Recommendation rec; + TNC_IMV_Evaluation_Result eval; + TNC_ConnectionID connection_id; + chunk_t reason_string; + char *reason_lang; + enumerator_t *e; + + state->get_recommendation(state, &rec, &eval); + connection_id = state->get_connection_id(state); + + /* send a reason string if action recommendation is not allow */ + if (rec != TNC_IMV_ACTION_RECOMMENDATION_ALLOW) + { + /* find a reason string for the preferred language and set it */ + if (this->set_attribute) + { + e = create_language_enumerator(this, state); + if (state->get_reason_string(state, e, &reason_string, &reason_lang)) + { + this->set_attribute(this->id, connection_id, + TNC_ATTRIBUTEID_REASON_STRING, + reason_string.len, reason_string.ptr); + this->set_attribute(this->id, connection_id, + TNC_ATTRIBUTEID_REASON_LANGUAGE, + strlen(reason_lang), reason_lang); + } + e->destroy(e); + } + } + return this->provide_recommendation(this->id, connection_id, rec, eval); +} + METHOD(imv_agent_t, destroy, void, private_imv_agent_t *this) { @@ -747,13 +800,13 @@ METHOD(imv_agent_t, destroy, void, * Described in header. */ imv_agent_t *imv_agent_create(const char *name, - pen_t vendor_id, u_int32_t subtype, + pen_type_t *supported_types, u_int32_t type_count, TNC_IMVID id, TNC_Version *actual_version) { private_imv_agent_t *this; /* initialize or increase the reference count */ - if (!libimcv_init()) + if (!libimcv_init(TRUE)) { return NULL; } @@ -765,18 +818,18 @@ imv_agent_t *imv_agent_create(const char *name, .delete_state = _delete_state, .change_state = _change_state, .get_state = _get_state, - .send_message = _send_message, - .receive_message = _receive_message, - .set_recommendation = _set_recommendation, - .provide_recommendation = _provide_recommendation, + .get_name = _get_name, + .get_id = _get_id, .reserve_additional_ids = _reserve_additional_ids, .count_additional_ids = _count_additional_ids, .create_id_enumerator = _create_id_enumerator, + .create_language_enumerator = _create_language_enumerator, + .provide_recommendation = _provide_recommendation, .destroy = _destroy, }, .name = name, - .vendor_id = vendor_id, - .subtype = subtype, + .supported_types = supported_types, + .type_count = type_count, .id = id, .additional_ids = linked_list_create(), .connections = linked_list_create(), diff --git a/src/libimcv/imv/imv_agent.h b/src/libimcv/imv/imv_agent.h index de70f3bc1..d58af260b 100644 --- a/src/libimcv/imv/imv_agent.h +++ b/src/libimcv/imv/imv_agent.h @@ -1,5 +1,6 @@ /* - * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * Copyright (C) 2011-2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -15,17 +16,19 @@ /** * * @defgroup imv_agent_t imv_agent - * @{ @ingroup imv_agent + * @{ @ingroup libimcv_imv */ #ifndef IMV_AGENT_H_ #define IMV_AGENT_H_ #include "imv_state.h" +#include "imv_database.h" #include "pa_tnc/pa_tnc_msg.h" #include <tncifimv.h> #include <pen/pen.h> +#include <collections/linked_list.h> #include <library.h> @@ -49,6 +52,44 @@ struct imv_agent_t { TNC_RetryReason reason); /** + * Call when an IMV-IMC message is to be sent + * + * @param imv_id IMV ID assigned by TNCS + * @param connection_id network connection ID assigned by TNCS + * @param msg message to send + * @param msg_len message length in bytes + * @param msg_type message type + * @return TNC result code + */ + TNC_Result (*send_message)(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type); + + /** + * Call when an IMV-IMC message is to be sent with long message types + * + * @param imv_id IMV ID assigned by TNCS + * @param connection_id network connection ID assigned by TNCS + * @param msg_flags message flags + * @param msg message to send + * @param msg_len message length in bytes + * @param msg_vid message vendor ID + * @param msg_subtype message subtype + * @param dst_imc_id destination IMC ID + * @return TNC result code + */ + TNC_Result (*send_message_long)(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_UInt32 msg_flags, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_VendorID msg_vid, + TNC_MessageSubtype msg_subtype, + TNC_UInt32 dst_imc_id); + + /** * Bind TNCS functions * * @param bind_function function offered by the TNCS @@ -98,61 +139,18 @@ struct imv_agent_t { TNC_ConnectionID connection_id, imv_state_t **state); /** - * Call when a PA-TNC message is to be sent - * - * @param connection_id network connection ID assigned by TNCS - * @param excl exclusive flag - * @param src_imv_id IMV ID to be set as source - * @param dst_imc_id IMD ID to be set as destination - * @param msg message to send - * @return TNC result code - */ - TNC_Result (*send_message)(imv_agent_t *this, - TNC_ConnectionID connection_id, bool excl, - TNC_UInt32 src_imv_id, TNC_UInt32 dst_imc_id, - chunk_t msg); - - /** - * Call when a PA-TNC message was received + * Get IMV name * - * @param state state for current connection - * @param msg received unparsed message - * @param msg_vid message vendorID of the received message - * @param msg_subtype message subtype of the received message - * @param src_imc_id source IMC ID - * @param dst_imv_id destination IMV ID - * @param pa_tnc_message parsed PA-TNC message or NULL if an error occurred - * @return TNC result code + * return IMV name */ - TNC_Result (*receive_message)(imv_agent_t *this, - imv_state_t *state, chunk_t msg, - TNC_VendorID msg_vid, - TNC_MessageSubtype msg_subtype, - TNC_UInt32 src_imc_id, - TNC_UInt32 dst_imv_id, - pa_tnc_msg_t **pa_tnc_msg); + const char* (*get_name)(imv_agent_t *this); /** - * Set Action Recommendation and Evaluation Result in the IMV state + * Get base IMV ID * - * @param connection_id network connection ID assigned by TNCS - * @param rec IMV action recommendation - * @param eval IMV evaluation result - * @return TNC result code - */ - TNC_Result (*set_recommendation)(imv_agent_t *this, - TNC_ConnectionID connection_id, - TNC_IMV_Action_Recommendation rec, - TNC_IMV_Evaluation_Result eval); - - /** - * Deliver IMV Action Recommendation and IMV Evaluation Result to the TNCS - * - * @param connection_id network connection ID assigned by TNCS - * @return TNC result code + * return base IMV ID */ - TNC_Result (*provide_recommendation)(imv_agent_t *this, - TNC_ConnectionID connection_id); + TNC_IMVID (*get_id)(imv_agent_t *this); /** * Reserve additional IMV IDs from TNCS @@ -175,6 +173,22 @@ struct imv_agent_t { enumerator_t* (*create_id_enumerator)(imv_agent_t *this); /** + * Create a preferred languages enumerator + * + * @param state of TNCCS connection + */ + enumerator_t* (*create_language_enumerator)(imv_agent_t *this, + imv_state_t *state); + + /** + * Deliver IMV Action Recommendation and IMV Evaluation Result to the TNCS + * + * @param state state bound to a connection ID + * @return TNC result code + */ + TNC_Result (*provide_recommendation)(imv_agent_t *this, imv_state_t* state); + + /** * Destroys an imv_agent_t object */ void (*destroy)(imv_agent_t *this); @@ -184,14 +198,14 @@ struct imv_agent_t { * Create an imv_agent_t object * * @param name name of the IMV - * @param vendor_id vendor ID of the IMV - * @param subtype message subtype of the IMV + * @param supported_types list of message types registered by the IMV + * @param type_count number of registered message types * @param id ID of the IMV as assigned by the TNCS * @param actual_version actual version of the IF-IMV API * */ imv_agent_t *imv_agent_create(const char *name, - pen_t vendor_id, u_int32_t subtype, + pen_type_t *supported_types, u_int32_t type_count, TNC_IMVID id, TNC_Version *actual_version); #endif /** IMV_AGENT_H_ @}*/ diff --git a/src/libimcv/imv/imv_agent_if.h b/src/libimcv/imv/imv_agent_if.h new file mode 100644 index 000000000..db188793a --- /dev/null +++ b/src/libimcv/imv/imv_agent_if.h @@ -0,0 +1,115 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imv_agent_if_t imv_agent_if + * @{ @ingroup imv_os + */ + +#ifndef IMV_AGENT_IF_H_ +#define IMV_AGENT_IF_H_ + +#include <tncifimv.h> + +#include <library.h> + +typedef struct imv_agent_if_t imv_agent_if_t; + +/** + * IF-IMV interface for IMV agents + */ +struct imv_agent_if_t { + + /** + * Implements the TNC_IMV_ProvideBindFunction function of the IMV + * + * @param bind_function Function offered by the TNCS + * @return TNC result code + */ + TNC_Result (*bind_functions)(imv_agent_if_t *this, + TNC_TNCS_BindFunctionPointer bind_function); + + /** + * Implements the TNC_IMV_NotifyConnectionChange() function of the IMV + * + * @param id Network connection ID assigned by TNCS + * @param new_state New connection state to be set + * @return TNC result code + */ + TNC_Result (*notify_connection_change)(imv_agent_if_t *this, + TNC_ConnectionID id, + TNC_ConnectionState new_state); + + /** + * Implements the TNC_IMV_ReceiveMessage() function of the IMV + * + * @param id Network connection ID assigned by TNCS + * @param msg_type PA-TNC message type + * @param msg Received message + * @return TNC result code + */ + TNC_Result (*receive_message)(imv_agent_if_t *this, TNC_ConnectionID id, + TNC_MessageType msg_type, chunk_t msg); + + /** + * Implements the TNC_IMV_ReceiveMessageLong() function of the IMV + * + * @param id Network connection ID assigned by TNCS + * @param src_imc_id ID of source IMC + * @param dst_imv_id ID of destination IMV + * @param msg_vid Vendor ID of message type + * @param msg_subtype PA-TNC message subtype + * @param msg Received message + * @return TNC result code + */ + TNC_Result (*receive_message_long)(imv_agent_if_t *this, + TNC_ConnectionID id, + TNC_UInt32 src_imc_id, + TNC_UInt32 dst_imv_id, + TNC_VendorID msg_vid, + TNC_MessageSubtype msg_subtype, + chunk_t msg); + + /** + * Implements the TNC_IMV_BatchEnding() function of the IMV + * + * @param id Network connection ID assigned by TNCS + * @return TNC result code + */ + TNC_Result (*batch_ending)(imv_agent_if_t *this, TNC_ConnectionID id); + + /** + * Implements the TNC_IMV_SolicitRecommendation() function of the IMV + * + * @param id Network connection ID assigned by TNCS + * @return TNC result code + */ + TNC_Result (*solicit_recommendation)(imv_agent_if_t *this, + TNC_ConnectionID id); + + /** + * Destroys an imv_agent_if_t object + */ + void (*destroy)(imv_agent_if_t *this); + +}; + +/** + * Constructor template + */ +typedef imv_agent_if_t* (*imv_agent_create_t)(const char* name, TNC_IMVID id, + TNC_Version *actual_version); + +#endif /** IMV_AGENT_IF_H_ @}*/ diff --git a/src/libimcv/imv/imv_database.c b/src/libimcv/imv/imv_database.c new file mode 100644 index 000000000..dc7edd7aa --- /dev/null +++ b/src/libimcv/imv/imv_database.c @@ -0,0 +1,381 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE + +#include <stdio.h> +#include <stdarg.h> +#include <string.h> +#include <time.h> + +#include "imv_database.h" + +#include <utils/debug.h> +#include <threading/mutex.h> + +typedef struct private_imv_database_t private_imv_database_t; + +/** + * Private data of a imv_database_t object. + */ +struct private_imv_database_t { + + /** + * Public imv_database_t interface. + */ + imv_database_t public; + + /** + * database instance + */ + database_t *db; + + /** + * policy script + */ + char *script; + + /** + * Session list + */ + linked_list_t *sessions; + + /** + * mutex used to lock session list + */ + mutex_t *mutex; + +}; + +METHOD(imv_database_t, add_session, imv_session_t*, + private_imv_database_t *this, TNC_ConnectionID conn_id, + u_int32_t ar_id_type, chunk_t ar_id_value) +{ + enumerator_t *enumerator, *e; + imv_session_t *current, *session = NULL; + int ar_id = 0, session_id; + u_int created; + + this->mutex->lock(this->mutex); + + /* check if a session has already been assigned */ + enumerator = this->sessions->create_enumerator(this->sessions); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (conn_id == current->get_connection_id(current)) + { + session = current; + break; + } + } + enumerator->destroy(enumerator); + + /* session already exists */ + if (session) + { + this->mutex->unlock(this->mutex); + return session->get_ref(session); + } + + if (ar_id_value.len) + { + /* get primary key of AR identity if it exists */ + e = this->db->query(this->db, + "SELECT id FROM identities WHERE type = ? AND value = ?", + DB_INT, ar_id_type, DB_BLOB, ar_id_value, DB_INT); + if (e) + { + e->enumerate(e, &ar_id); + e->destroy(e); + } + + /* if AR identity has not been found - register it */ + if (!ar_id) + { + this->db->execute(this->db, &ar_id, + "INSERT INTO identities (type, value) VALUES (?, ?)", + DB_INT, ar_id_type, DB_BLOB, ar_id_value); + } + } + /* create a new session entry */ + created = time(NULL); + this->db->execute(this->db, &session_id, + "INSERT INTO sessions (time, connection, identity) " + "VALUES (?, ?, ?)", + DB_UINT, created, DB_INT, conn_id, DB_INT, ar_id); + session = imv_session_create(session_id, conn_id); + this->sessions->insert_last(this->sessions, session); + + this->mutex->unlock(this->mutex); + + return session; +} + +METHOD(imv_database_t, remove_session, void, + private_imv_database_t *this, imv_session_t *session) +{ + enumerator_t *enumerator; + imv_session_t *current; + + this->mutex->lock(this->mutex); + enumerator = this->sessions->create_enumerator(this->sessions); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (current == session) + { + this->sessions->remove_at(this->sessions, enumerator); + break; + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +METHOD(imv_database_t, add_product, int, + private_imv_database_t *this, imv_session_t *session, char *product) +{ + enumerator_t *e; + int pid = 0; + + /* get primary key of product info string if it exists */ + e = this->db->query(this->db, + "SELECT id FROM products WHERE name = ?", DB_TEXT, product, DB_INT); + if (e) + { + e->enumerate(e, &pid); + e->destroy(e); + } + + /* if product info string has not been found - register it */ + if (!pid) + { + this->db->execute(this->db, &pid, + "INSERT INTO products (name) VALUES (?)", DB_TEXT, product); + } + + /* add product reference to session */ + if (pid) + { + this->db->execute(this->db, NULL, + "UPDATE sessions SET product = ? WHERE id = ?", + DB_INT, pid, DB_INT, session->get_session_id(session)); + } + + return pid; +} + +METHOD(imv_database_t, add_device, int, + private_imv_database_t *this, imv_session_t *session, chunk_t device) +{ + enumerator_t *e; + char *device_str; + int pid = 0, did = 0; + + /* get primary key of product from session */ + e = this->db->query(this->db, + "SELECT product FROM sessions WHERE id = ?", + DB_INT, session->get_session_id(session), DB_INT); + if (e) + { + e->enumerate(e, &pid); + e->destroy(e); + } + + /* some IMV policy manager expect a text string */ + device_str = strndup(device.ptr, device.len); + + /* get primary key of device identification if it exists */ + e = this->db->query(this->db, + "SELECT id FROM devices WHERE value = ? AND product = ?", + DB_TEXT, device_str, DB_INT, pid, DB_INT); + if (e) + { + e->enumerate(e, &did); + e->destroy(e); + } + + /* if device identification has not been found - register it */ + if (!did) + { + this->db->execute(this->db, &did, + "INSERT INTO devices (value, product) VALUES (?, ?)", + DB_TEXT, device_str, DB_INT, pid); + } + free(device_str); + + /* add device reference to session */ + if (did) + { + this->db->execute(this->db, NULL, + "UPDATE sessions SET device = ? WHERE id = ?", + DB_INT, did, DB_INT, session->get_session_id(session)); + } + + return did; +} + +METHOD(imv_database_t, add_recommendation, void, + private_imv_database_t *this, imv_session_t *session, + TNC_IMV_Action_Recommendation rec) +{ + /* add final recommendation to session */ + this->db->execute(this->db, NULL, + "UPDATE sessions SET rec = ? WHERE id = ?", + DB_INT, rec, DB_INT, session->get_session_id(session)); +} + +METHOD(imv_database_t, policy_script, bool, + private_imv_database_t *this, imv_session_t *session, bool start) +{ + imv_workitem_t *workitem; + imv_workitem_type_t type; + int id, session_id, arg_int, rec_fail, rec_noresult; + enumerator_t *e; + char command[512], resp[128], *last, *arg_str; + FILE *shell; + + session_id = session->get_session_id(session); + + snprintf(command, sizeof(command), "2>&1 TNC_SESSION_ID='%d' %s %s", + session_id, this->script, start ? "start" : "stop"); + DBG3(DBG_IMV, "running policy script: %s", command); + + shell = popen(command, "r"); + if (shell == NULL) + { + DBG1(DBG_IMV, "could not execute policy script '%s'", + this->script); + return FALSE; + } + while (TRUE) + { + if (fgets(resp, sizeof(resp), shell) == NULL) + { + if (ferror(shell)) + { + DBG1(DBG_IMV, "error reading output from policy script"); + } + break; + } + else + { + last = resp + strlen(resp) - 1; + if (last >= resp && *last == '\n') + { + /* replace trailing '\n' */ + *last = '\0'; + } + DBG1(DBG_IMV, "policy: %s", resp); + } + } + pclose(shell); + + if (start && !session->get_policy_started(session)) + { + /* get workitem list generated by policy manager */ + e = this->db->query(this->db, + "SELECT id, type, arg_str, arg_int, rec_fail, rec_noresult " + "FROM workitems WHERE session = ?", DB_INT, session_id, + DB_INT, DB_INT, DB_TEXT, DB_INT,DB_INT, DB_INT); + if (!e) + { + DBG1(DBG_IMV, "no workitem enumerator returned"); + return FALSE; + } + while (e->enumerate(e, &id, &type, &arg_str, &arg_int, &rec_fail, + &rec_noresult)) + { + workitem = imv_workitem_create(id, type, arg_str, arg_int, rec_fail, + rec_noresult); + session->insert_workitem(session, workitem); + } + e->destroy(e); + + session->set_policy_started(session, TRUE); + } + else if (!start && session->get_policy_started(session)) + { + session->set_policy_started(session, FALSE); + } + + return TRUE; +} + +METHOD(imv_database_t, finalize_workitem, bool, + private_imv_database_t *this, imv_workitem_t *workitem) +{ + char *result; + int rec; + + rec = workitem->get_result(workitem, &result); + + return this->db->execute(this->db, NULL, + "UPDATE workitems SET result = ?, rec_final = ? WHERE id = ?", + DB_TEXT, result, DB_INT, rec, + DB_INT, workitem->get_id(workitem)) == 1; +} + +METHOD(imv_database_t, get_database, database_t*, + private_imv_database_t *this) +{ + return this->db; +} + +METHOD(imv_database_t, destroy, void, + private_imv_database_t *this) +{ + DESTROY_IF(this->db); + this->sessions->destroy_offset(this->sessions, + offsetof(imv_session_t, destroy)); + this->mutex->destroy(this->mutex); + free(this); +} + +/** + * See header + */ +imv_database_t *imv_database_create(char *uri, char *script) +{ + private_imv_database_t *this; + + INIT(this, + .public = { + .add_session = _add_session, + .remove_session = _remove_session, + .add_product = _add_product, + .add_device = _add_device, + .add_recommendation = _add_recommendation, + .policy_script = _policy_script, + .finalize_workitem = _finalize_workitem, + .get_database = _get_database, + .destroy = _destroy, + }, + .db = lib->db->create(lib->db, uri), + .script = script, + .sessions = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + ); + + if (!this->db) + { + DBG1(DBG_IMV, + "failed to connect to IMV database '%s'", uri); + destroy(this); + return NULL; + } + + return &this->public; +} + diff --git a/src/libimcv/imv/imv_database.h b/src/libimcv/imv/imv_database.h new file mode 100644 index 000000000..48a3ded9e --- /dev/null +++ b/src/libimcv/imv/imv_database.h @@ -0,0 +1,125 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * + * @defgroup imv_database_t imv_database + * @{ @ingroup libimcv_imv + */ + +#ifndef IMV_DATABASE_H_ +#define IMV_DATABASE_H_ + +#include "imv_session.h" +#include "imv_workitem.h" + +#include <tncifimv.h> + +#include <library.h> + +typedef struct imv_database_t imv_database_t; + +/** + * IMV database interface + */ +struct imv_database_t { + + /** + * Create or get a session associated with a TNCCS connection + * + * @param conn_id TNCCS Connection ID + * @param ar_id_type Access Requestor identity type + * @param ar_id_value Access Requestor identity value + * @return Session associated with TNCCS Connection + */ + imv_session_t* (*add_session)(imv_database_t *this, + TNC_ConnectionID conn_id, + u_int32_t ar_id_type, chunk_t ar_id_value); + + /** + * Remove and delete a session + * + * @param session Session + */ + void (*remove_session)(imv_database_t *this, imv_session_t *session); + + /** + * Add product information string to a session database entry + * + * @param session Session + * @param product Product information string + * @return Product ID + */ + int (*add_product)(imv_database_t *this, imv_session_t *session, + char *product); + + /** + * Add device identification to a session database entry + * + * @param session Session + * @param device Device identification + * @return Device ID + */ + int (*add_device)(imv_database_t *this, imv_session_t *session, + chunk_t device); + + /** + * Add final recommendation to a session database entry + * + * @param session Session + * @param rec Final recommendation + */ + void (*add_recommendation)(imv_database_t *this, imv_session_t *session, + TNC_IMV_Action_Recommendation rec); + + /** + * Announce session start/stop to policy script + * + * @param session Session + * @param start TRUE if session start, FALSE if session stop + * @return TRUE if command successful, FALSE otherwise + */ + bool (*policy_script)(imv_database_t *this, imv_session_t *session, + bool start); + + /** + * Finalize a workitem + * + * @param workitem Workitem to be finalized + */ + bool (*finalize_workitem)(imv_database_t *this, imv_workitem_t *workitem); + + /** + * Get database handle + * + * @return Database handle + */ + database_t* (*get_database)(imv_database_t *this); + + /** + * Destroys an imv_database_t object + */ + void (*destroy)(imv_database_t *this); +}; + +/** + * Create an imv_database_t instance + * + * @param uri Database uri + * @param script Policy Manager script + */ +imv_database_t* imv_database_create(char *uri, char *script); + +#endif /** IMV_DATABASE_H_ @}*/ diff --git a/src/libimcv/imv/imv_if.h b/src/libimcv/imv/imv_if.h new file mode 100644 index 000000000..fa9765b11 --- /dev/null +++ b/src/libimcv/imv/imv_if.h @@ -0,0 +1,167 @@ +/* + * Copyright (C) 2012-2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * Define the following two static constants externally: + * static const char imv_name[] = "xx"; + * static const imv_agent_create_t imv_agent_create = imv_xx_agent_create; + */ + +#include <utils/debug.h> + +static imv_agent_if_t *imv_agent; + +/* + * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3 + */ +TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, + TNC_Version min_version, + TNC_Version max_version, + TNC_Version *actual_version) +{ + if (imv_agent) + { + DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name); + return TNC_RESULT_ALREADY_INITIALIZED; + } + + imv_agent = imv_agent_create(imv_name, imv_id, actual_version); + + if (!imv_agent) + { + return TNC_RESULT_FATAL; + } + if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1) + { + DBG1(DBG_IMV, "no common IF-IMV version"); + return TNC_RESULT_NO_COMMON_VERSION; + } + return TNC_RESULT_SUCCESS; +} + +/** + * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3 + */ +TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_ConnectionState new_state) +{ + if (!imv_agent) + { + DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); + return TNC_RESULT_NOT_INITIALIZED; + } + return imv_agent->notify_connection_change(imv_agent, connection_id, + new_state); +} + +/** + * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3 + */ +TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) +{ + if (!imv_agent) + { + DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); + return TNC_RESULT_NOT_INITIALIZED; + } + return imv_agent->receive_message(imv_agent, connection_id, msg_type, + chunk_create(msg, msg_len)); +} + +/** + * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3 + */ +TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_UInt32 msg_flags, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_VendorID msg_vid, + TNC_MessageSubtype msg_subtype, + TNC_UInt32 src_imc_id, + TNC_UInt32 dst_imv_id) +{ + if (!imv_agent) + { + DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); + return TNC_RESULT_NOT_INITIALIZED; + } + return imv_agent->receive_message_long(imv_agent, connection_id, + src_imc_id, dst_imv_id, + msg_vid, msg_subtype, chunk_create(msg, msg_len)); +} + +/** + * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3 + */ +TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id, + TNC_ConnectionID connection_id) +{ + + if (!imv_agent) + { + DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); + return TNC_RESULT_NOT_INITIALIZED; + } + return imv_agent->solicit_recommendation(imv_agent, connection_id); +} + +/** + * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3 + */ +TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id, TNC_ConnectionID connection_id) +{ + if (!imv_agent) + { + DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); + return TNC_RESULT_NOT_INITIALIZED; + } + return imv_agent->batch_ending(imv_agent, connection_id); +} + +/** + * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3 + */ +TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id) +{ + if (!imv_agent) + { + DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); + return TNC_RESULT_NOT_INITIALIZED; + } + imv_agent->destroy(imv_agent); + imv_agent = NULL; + + return TNC_RESULT_SUCCESS; +} + +/** + * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3 + */ +TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id, + TNC_TNCS_BindFunctionPointer bind_function) +{ + if (!imv_agent) + { + DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); + return TNC_RESULT_NOT_INITIALIZED; + } + return imv_agent->bind_functions(imv_agent, bind_function); +} diff --git a/src/libimcv/imv/imv_lang_string.c b/src/libimcv/imv/imv_lang_string.c new file mode 100644 index 000000000..c86fc5cd7 --- /dev/null +++ b/src/libimcv/imv/imv_lang_string.c @@ -0,0 +1,73 @@ +/* + * Copyright (C) 2012 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_lang_string.h" + +#include <utils/debug.h> + +/** + * Described in header. + */ +char* imv_lang_string_select_lang(enumerator_t *language_enumerator, + char* languages[], int lang_count) +{ + bool match = FALSE; + char *lang; + int i, i_chosen = 0; + + while (language_enumerator->enumerate(language_enumerator, &lang)) + { + for (i = 0; i < lang_count; i++) + { + if (streq(lang, languages[i])) + { + match = TRUE; + i_chosen = i; + break; + } + } + if (match) + { + break; + } + } + return languages[i_chosen]; +} + +/** + * Described in header. + */ +char* imv_lang_string_select_string(imv_lang_string_t lang_string[], char *lang) +{ + char *string; + int i = 0; + + if (!lang_string) + { + return NULL; + } + + string = lang_string[0].string; + while (lang_string[i].lang) + { + if (streq(lang, lang_string[i].lang)) + { + string = lang_string[i].string; + break; + } + i++; + } + return string; +} diff --git a/src/libimcv/imv/imv_lang_string.h b/src/libimcv/imv/imv_lang_string.h new file mode 100644 index 000000000..56b4572f8 --- /dev/null +++ b/src/libimcv/imv/imv_lang_string.h @@ -0,0 +1,67 @@ +/* + * Copyright (C) 2012 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * + * @defgroup imv_lang_string_t imv_lang_string + * @{ @ingroup libimcv_imv + */ + +#ifndef IMV_LANG_STRING_H_ +#define IMV_LANG_STRING_H_ + +#include <library.h> +#include <collections/enumerator.h> + +typedef struct imv_lang_string_t imv_lang_string_t; + +/** + * Define a language string entry + */ +struct imv_lang_string_t { + + /** + * language code + */ + char *lang; + + /** + * UTF-8 string in the corresponding language + */ + char *string; + +}; + +/** + * Select the preferred language + * + * @param language_enumerator enumerator over user preferred languages + * @param languages string array of available languages + * @param lang_count number of available languages + * @return selected language as a language code + */ +char* imv_lang_string_select_lang(enumerator_t *language_enumerator, + char* languages[], int lang_count); + +/** + * Select the preferred language string + * + * @param lang_string multi-lingual array of strings + * @param lang language code of preferred language + * @return selected string + */ +char* imv_lang_string_select_string(imv_lang_string_t lang_string[], char *lang); + +#endif /** IMV_LANG_STRING_H_ @}*/ diff --git a/src/libimcv/imv/imv_msg.c b/src/libimcv/imv/imv_msg.c new file mode 100644 index 000000000..642b47935 --- /dev/null +++ b/src/libimcv/imv/imv_msg.c @@ -0,0 +1,443 @@ +/* + * Copyright (C) 2012 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_msg.h" + +#include "ietf/ietf_attr.h" +#include "ietf/ietf_attr_assess_result.h" +#include "ietf/ietf_attr_remediation_instr.h" + +#include <tncif_names.h> + +#include <pen/pen.h> +#include <collections/linked_list.h> +#include <utils/debug.h> + +typedef struct private_imv_msg_t private_imv_msg_t; + +/** + * Private data of a imv_msg_t object. + * + */ +struct private_imv_msg_t { + + /** + * Public imv_msg_t interface. + */ + imv_msg_t public; + + /** + * Connection ID + */ + TNC_ConnectionID connection_id; + + /** + * source ID + */ + TNC_UInt32 src_id; + + /** + * destination ID + */ + TNC_UInt32 dst_id; + + /** + * PA-TNC message type + */ + pen_type_t msg_type; + + /** + * List of PA-TNC attributes to be sent + */ + linked_list_t *attr_list; + + /** + * PA-TNC message + */ + pa_tnc_msg_t *pa_msg; + + /** + * Assigned IMV agent + */ + imv_agent_t *agent; + + /** + * Assigned IMV state + */ + imv_state_t *state; +}; + +METHOD(imv_msg_t, get_src_id, TNC_UInt32, + private_imv_msg_t *this) +{ + return this->src_id; +} + +METHOD(imv_msg_t, get_dst_id, TNC_UInt32, + private_imv_msg_t *this) +{ + return this->dst_id; +} + +METHOD(imv_msg_t, set_msg_type, void, + private_imv_msg_t *this, pen_type_t msg_type) +{ + if (msg_type.vendor_id != this->msg_type.vendor_id || + msg_type.type != this->msg_type.type) + { + this->msg_type = msg_type; + this->dst_id = TNC_IMCID_ANY; + } +} + +METHOD(imv_msg_t, get_msg_type, pen_type_t, + private_imv_msg_t *this) +{ + return this->msg_type; +} + +METHOD(imv_msg_t, add_attribute, void, + private_imv_msg_t *this, pa_tnc_attr_t *attr) +{ + this->attr_list->insert_last(this->attr_list, attr); +} + +METHOD(imv_msg_t, send_, TNC_Result, + private_imv_msg_t *this, bool excl) +{ + pa_tnc_msg_t *pa_tnc_msg; + pa_tnc_attr_t *attr; + TNC_UInt32 msg_flags; + TNC_MessageType msg_type; + bool attr_added; + chunk_t msg; + enumerator_t *enumerator; + TNC_Result result = TNC_RESULT_SUCCESS; + + while (this->attr_list->get_count(this->attr_list)) + { + pa_tnc_msg = pa_tnc_msg_create(this->state->get_max_msg_len(this->state)); + attr_added = FALSE; + + enumerator = this->attr_list->create_enumerator(this->attr_list); + while (enumerator->enumerate(enumerator, &attr)) + { + if (pa_tnc_msg->add_attribute(pa_tnc_msg, attr)) + { + attr_added = TRUE; + } + else + { + if (attr_added) + { + break; + } + else + { + DBG1(DBG_IMV, "PA-TNC attribute too large to send, deleted"); + attr->destroy(attr); + } + } + this->attr_list->remove_at(this->attr_list, enumerator); + } + enumerator->destroy(enumerator); + + /* build and send the PA-TNC message via the IF-IMV interface */ + if (!pa_tnc_msg->build(pa_tnc_msg)) + { + pa_tnc_msg->destroy(pa_tnc_msg); + return TNC_RESULT_FATAL; + } + msg = pa_tnc_msg->get_encoding(pa_tnc_msg); + DBG3(DBG_IMV, "created PA-TNC message: %B", &msg); + + if (this->state->has_long(this->state) && this->agent->send_message_long) + { + excl = excl && this->state->has_excl(this->state) && + this->dst_id != TNC_IMCID_ANY; + msg_flags = excl ? TNC_MESSAGE_FLAGS_EXCLUSIVE : 0; + result = this->agent->send_message_long(this->src_id, + this->connection_id, msg_flags, msg.ptr, msg.len, + this->msg_type.vendor_id, this->msg_type.type, + this->dst_id); + } + else if (this->agent->send_message) + { + msg_type = (this->msg_type.vendor_id << 8) | + (this->msg_type.type & 0x000000ff); + result = this->agent->send_message(this->src_id, this->connection_id, + msg.ptr, msg.len, msg_type); + } + + pa_tnc_msg->destroy(pa_tnc_msg); + + if (result != TNC_RESULT_SUCCESS) + { + break; + } + } + return result; +} + +METHOD(imv_msg_t, send_assessment, TNC_Result, + private_imv_msg_t *this) +{ + TNC_IMV_Action_Recommendation rec; + TNC_IMV_Evaluation_Result eval; + pa_tnc_attr_t *attr; + chunk_t string = chunk_empty; + char *lang_code = NULL, *uri = NULL; + enumerator_t *e; + + /* Remove any attributes that have already been constructed */ + while (this->attr_list->remove_last(this->attr_list, (void**)&attr) == SUCCESS) + { + attr->destroy(attr); + } + + /* Send an IETF Assessment Result attribute if enabled */ + if (lib->settings->get_bool(lib->settings, "libimcv.assessment_result", + TRUE)) + { + this->state->get_recommendation(this->state, &rec, &eval); + attr = ietf_attr_assess_result_create(eval); + add_attribute(this, attr); + + /* Send IETF Remediation Instructions if available */ + if (eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT) + { + e = this->agent->create_language_enumerator(this->agent, + this->state); + if (this->state->get_remediation_instructions(this->state, + e, &string, &lang_code, &uri)) + { + if (string.len && lang_code) + { + attr = ietf_attr_remediation_instr_create_from_string(string, + chunk_create(lang_code, strlen(lang_code))); + add_attribute(this, attr); + } + if (uri) + { + attr = ietf_attr_remediation_instr_create_from_uri( + chunk_create(uri, strlen(uri))); + add_attribute(this, attr); + } + } + e->destroy(e); + } + + /* send PA-TNC message with the excl flag set */ + return send_(this, TRUE); + } + return TNC_RESULT_SUCCESS; +} + +METHOD(imv_msg_t, receive, TNC_Result, + private_imv_msg_t *this, bool *fatal_error) +{ + enumerator_t *enumerator; + pa_tnc_attr_t *attr; + chunk_t msg; + + if (this->state->has_long(this->state)) + { + if (this->dst_id != TNC_IMVID_ANY) + { + DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u " + "from IMC %u to IMV %u", + this->agent->get_id(this->agent), + this->agent->get_name(this->agent), + this->connection_id, this->src_id, this->dst_id); + } + else + { + DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u " + "from IMC %u", this->agent->get_id(this->agent), + this->agent->get_name(this->agent), + this->connection_id, this->src_id); + } + } + else + { + DBG2(DBG_IMV, "IMV %u \"%s\" received message for Connection ID %u", + this->agent->get_id(this->agent), + this->agent->get_name(this->agent), + this->connection_id); + } + msg = this->pa_msg->get_encoding(this->pa_msg); + DBG3(DBG_IMV, "%B", &msg); + + switch (this->pa_msg->process(this->pa_msg)) + { + case SUCCESS: + break; + case VERIFY_ERROR: + { + imv_msg_t *error_msg; + TNC_Result result; + + error_msg = imv_msg_create_as_reply(&this->public); + + /* extract and copy by reference all error attributes */ + enumerator = this->pa_msg->create_error_enumerator(this->pa_msg); + while (enumerator->enumerate(enumerator, &attr)) + { + error_msg->add_attribute(error_msg, attr->get_ref(attr)); + } + enumerator->destroy(enumerator); + + /* + * send the PA-TNC message containing all error attributes + * with the excl flag set + */ + result = error_msg->send(error_msg, TRUE); + error_msg->destroy(error_msg); + return result; + } + case FAILED: + default: + return TNC_RESULT_FATAL; + } + + /* preprocess any received IETF standard error attributes */ + *fatal_error = this->pa_msg->process_ietf_std_errors(this->pa_msg); + + return TNC_RESULT_SUCCESS; +} + +METHOD(imv_msg_t, get_attribute_count, int, + private_imv_msg_t *this) +{ + return this->attr_list->get_count(this->attr_list); +} + +METHOD(imv_msg_t, create_attribute_enumerator, enumerator_t*, + private_imv_msg_t *this) +{ + return this->pa_msg->create_attribute_enumerator(this->pa_msg); +} + +METHOD(imv_msg_t, get_encoding, chunk_t, + private_imv_msg_t *this) +{ + if (this->pa_msg) + { + return this->pa_msg->get_encoding(this->pa_msg); + } + return chunk_empty; +} + +METHOD(imv_msg_t, destroy, void, + private_imv_msg_t *this) +{ + this->attr_list->destroy_offset(this->attr_list, + offsetof(pa_tnc_attr_t, destroy)); + DESTROY_IF(this->pa_msg); + free(this); +} + +/** + * See header + */ +imv_msg_t *imv_msg_create(imv_agent_t *agent, imv_state_t *state, + TNC_ConnectionID connection_id, + TNC_UInt32 src_id, TNC_UInt32 dst_id, + pen_type_t msg_type) +{ + private_imv_msg_t *this; + + INIT(this, + .public = { + .get_src_id = _get_src_id, + .get_dst_id = _get_dst_id, + .set_msg_type = _set_msg_type, + .get_msg_type = _get_msg_type, + .send = _send_, + .send_assessment = _send_assessment, + .receive = _receive, + .add_attribute = _add_attribute, + .get_attribute_count = _get_attribute_count, + .create_attribute_enumerator = _create_attribute_enumerator, + .get_encoding = _get_encoding, + .destroy = _destroy, + }, + .connection_id = connection_id, + .src_id = src_id, + .dst_id = dst_id, + .msg_type = msg_type, + .attr_list = linked_list_create(), + .agent = agent, + .state = state, + ); + + return &this->public; +} + +/** + * See header + */ +imv_msg_t* imv_msg_create_as_reply(imv_msg_t *msg) +{ + private_imv_msg_t *in; + TNC_UInt32 src_id; + + in = (private_imv_msg_t*)msg; + src_id = (in->dst_id != TNC_IMVID_ANY) ? + in->dst_id : in->agent->get_id(in->agent); + + return imv_msg_create(in->agent, in->state, in->connection_id, src_id, + in->src_id, in->msg_type); +} + +/** + * See header + */ +imv_msg_t *imv_msg_create_from_data(imv_agent_t *agent, imv_state_t *state, + TNC_ConnectionID connection_id, + TNC_MessageType msg_type, + chunk_t msg) +{ + TNC_VendorID msg_vid; + TNC_MessageSubtype msg_subtype; + + msg_vid = msg_type >> 8; + msg_subtype = msg_type & TNC_SUBTYPE_ANY; + + return imv_msg_create_from_long_data(agent, state, connection_id, + TNC_IMCID_ANY, agent->get_id(agent), + msg_vid, msg_subtype, msg); +} + +/** + * See header + */ +imv_msg_t *imv_msg_create_from_long_data(imv_agent_t *agent, imv_state_t *state, + TNC_ConnectionID connection_id, + TNC_UInt32 src_id, + TNC_UInt32 dst_id, + TNC_VendorID msg_vid, + TNC_MessageSubtype msg_subtype, + chunk_t msg) +{ + private_imv_msg_t *this; + + this = (private_imv_msg_t*)imv_msg_create(agent, state, + connection_id, src_id, dst_id, + pen_type_create(msg_vid, msg_subtype)); + this->pa_msg = pa_tnc_msg_create_from_data(msg); + + return &this->public; +} diff --git a/src/libimcv/imv/imv_msg.h b/src/libimcv/imv/imv_msg.h new file mode 100644 index 000000000..dfec169cc --- /dev/null +++ b/src/libimcv/imv/imv_msg.h @@ -0,0 +1,176 @@ +/* + * Copyright (C) 2012 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imv_msg_t imv_msg + * @{ @ingroup libimcv_imv + */ + +#ifndef IMV_MSG_H_ +#define IMV_MSG_H_ + +#include <imv/imv_agent.h> + +typedef struct imv_msg_t imv_msg_t; + +#include <library.h> + +/** + * Interface for a PA-TNC message handled by an IMV. + * + */ +struct imv_msg_t { + + /** + * Get source ID of PA-TNC message + * + * @return src ID + */ + TNC_UInt32 (*get_src_id)(imv_msg_t *this); + + /** + * Get destination ID of PA-TNC message + * + * @return destination ID + */ + TNC_UInt32 (*get_dst_id)(imv_msg_t *this); + + /** + * Set the type of a PA-TNC message + * + * @param msg_type message type + */ + void (*set_msg_type)(imv_msg_t *this, pen_type_t msg_type); + + /** + * Get the type of a PA-TNC message. + * + * @return message type + */ + pen_type_t (*get_msg_type)(imv_msg_t *this); + + /** + * Sends one or multiple PA-TNC messages + * + * @param excl set the excl message flag if supported + * @return TNC result code + */ + TNC_Result (*send)(imv_msg_t *this, bool excl); + + /** + * Send a PA-TNC message containing an IETF Assessment Result attribute + * + * @return TNC result code + */ + TNC_Result (*send_assessment)(imv_msg_t *this); + + /** + * Processes a received PA-TNC message + * + * @param fatal_error TRUE if IMC sent a fatal error message + * @return TNC result code + */ + TNC_Result (*receive)(imv_msg_t *this, bool *fatal_error); + + /** + * Add a PA-TNC attribute to the send queue + * + * @param attr PA-TNC attribute to be added + */ + void (*add_attribute)(imv_msg_t *this, pa_tnc_attr_t *attr); + + /** + * Get the number of PA-TNC attributes in the send queue + * + * @return number of PA-TNC attribute in send queue + */ + int (*get_attribute_count)(imv_msg_t *this); + + /** + * Enumerator over PA-TNC attributes contained in the PA-TNC message + * + * @return PA-TNC attribute enumerator + */ + enumerator_t* (*create_attribute_enumerator)(imv_msg_t *this); + + /** + * Get the full encoding of an IMV message. + * + * @return message encoding, internal data + */ + chunk_t (*get_encoding)(imv_msg_t *this); + + /** + * Destroys a imv_msg_t object. + */ + void (*destroy)(imv_msg_t *this); +}; + +/** + * Create a wrapper for an outbound message + * + * @param agent IMV agent responsible for the message + * @param state IMV state for the given connection ID + * @param connection_id connection ID + * @param src_id source IMV ID + * @param dst_id destination IMC ID + * @param msg_type PA-TNC message type + */ +imv_msg_t* imv_msg_create(imv_agent_t *agent, imv_state_t *state, + TNC_ConnectionID connection_id, + TNC_UInt32 src_id, TNC_UInt32 dst_id, + pen_type_t msg_type); + +/** + * Create a wrapper for an outbound message based on a received message + * + * @param msg received message the reply is based on + */ +imv_msg_t* imv_msg_create_as_reply(imv_msg_t *msg); + +/** + * Create a wrapper around message data received via the legacy IF-IMV interface + * + * @param agent IMV agent responsible for the message + * @param state IMV state for the given connection ID + * @param connection_id connection ID + * @param msg_type PA-TNC message type + * @param msg received PA-TNC message blob + */ +imv_msg_t* imv_msg_create_from_data(imv_agent_t *agent, imv_state_t *state, + TNC_ConnectionID connection_id, + TNC_MessageType msg_type, + chunk_t msg); + +/** + * Create a wrapper around message data received via the long IF-IMV interface + * + * @param agent IMV agent responsible for the message + * @param state IMV state for the given connection ID + * @param connection_id connection ID + * @param src_id source IMC ID + * @param dst_id destination IMV ID + * @param msg_vid PA-TNC message vendor ID + * @param msg_subtype PA-TNC subtype + * @param msg received PA-TNC message blob + */ +imv_msg_t* imv_msg_create_from_long_data(imv_agent_t *agent, imv_state_t *state, + TNC_ConnectionID connection_id, + TNC_UInt32 src_id, TNC_UInt32 dst_id, + TNC_VendorID msg_vid, + TNC_MessageSubtype msg_subtype, + chunk_t msg); + +#endif /** IMV_MSG_H_ @}*/ diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c new file mode 100644 index 000000000..61e0cd05b --- /dev/null +++ b/src/libimcv/imv/imv_policy_manager.c @@ -0,0 +1,359 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_policy_manager_usage.h" +#include "imv_workitem.h" + +#include <library.h> +#include <utils/debug.h> + +#include <stdlib.h> +#include <stdio.h> +#include <time.h> + +/* The default policy group #1 is assumed to always exist */ +#define DEFAULT_GROUP_ID 1 + +/** + * global debug output variables + */ +static int debug_level = 1; +static bool stderr_quiet = FALSE; + +/** + * attest dbg function + */ +static void stderr_dbg(debug_t group, level_t level, char *fmt, ...) +{ + va_list args; + + if (level <= debug_level) + { + if (!stderr_quiet) + { + va_start(args, fmt); + vfprintf(stderr, fmt, args); + fprintf(stderr, "\n"); + va_end(args); + } + } +} + +/** + * Collect all enforcements by iterating up through parent groups + */ +static bool iterate_enforcements(database_t *db, int device_id, int session_id, + int group_id) +{ + int id, type, file, dir, arg_int, parent, policy, max_age; + int p_rec_fail, p_rec_noresult, e_rec_fail, e_rec_noresult, latest_rec; + bool latest_success; + char *argument; + time_t now; + enumerator_t *e, *e1, *e2; + + now = time(NULL); + + while (group_id) + { + e1 = db->query(db, + "SELECT e.id, p.type, p.argument, p.file, p.dir, p.rec_fail, " + "p.rec_noresult, e.policy, e.max_age, e.rec_fail, e.rec_noresult " + "FROM enforcements AS e JOIN policies as p ON e.policy = p.id " + "WHERE e.group_id = ?", DB_INT, group_id, + DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT, + DB_INT, DB_INT, DB_INT, DB_INT); + if (!e1) + { + return FALSE; + } + while (e1->enumerate(e1, &id, &type, &argument, &file, &dir, + &p_rec_fail, &p_rec_noresult, &policy, &max_age, + &e_rec_fail, &e_rec_noresult)) + { + /* check if the latest measurement of the device was successful */ + latest_success = FALSE; + + if (device_id) + { + e2 = db->query(db, + "SELECT r.rec FROM results AS r " + "JOIN sessions AS s ON s.id = r.session " + "WHERE r.policy = ? AND s.device = ? AND s.time > ? " + "ORDER BY s.time DESC", + DB_INT, policy, DB_INT, device_id, + DB_UINT, now - max_age, DB_INT); + if (!e2) + { + e1->destroy(e1); + return FALSE; + } + if (e2->enumerate(e2, &latest_rec) && + latest_rec == TNC_IMV_ACTION_RECOMMENDATION_ALLOW) + { + latest_success = TRUE; + } + e2->destroy(e2); + } + + if (latest_success) + { + /*skipping enforcement */ + printf("skipping enforcment %d\n", id); + continue; + } + + /* determine arg_int */ + switch ((imv_workitem_type_t)type) + { + case IMV_WORKITEM_FILE_REF_MEAS: + case IMV_WORKITEM_FILE_MEAS: + case IMV_WORKITEM_FILE_META: + arg_int = file; + break; + case IMV_WORKITEM_DIR_REF_MEAS: + case IMV_WORKITEM_DIR_MEAS: + case IMV_WORKITEM_DIR_META: + arg_int = dir; + break; + default: + arg_int = 0; + } + + /* insert a workitem */ + if (db->execute(db, NULL, + "INSERT INTO workitems (session, enforcement, type, arg_str, " + "arg_int, rec_fail, rec_noresult) VALUES (?, ?, ?, ?, ?, ?, ?)", + DB_INT, session_id, DB_INT, id, DB_INT, type, DB_TEXT, argument, + DB_INT, arg_int, DB_INT, e_rec_fail ? e_rec_fail : p_rec_fail, + DB_INT, e_rec_noresult ? e_rec_noresult : p_rec_noresult) != 1) + { + e1->destroy(e1); + fprintf(stderr, "could not insert workitem\n"); + return FALSE; + } + } + e1->destroy(e1); + + e = db->query(db, + "SELECT parent FROM groups WHERE id = ?", + DB_INT, group_id, DB_INT); + if (!e) + { + return FALSE; + } + if (e->enumerate(e, &parent)) + { + group_id = parent; + } + else + { + fprintf(stderr, "group information not found\n"); + group_id = 0; + } + e->destroy(e); + } + return TRUE; +} + +static bool policy_start(database_t *db, int session_id) +{ + enumerator_t *e; + int device_id, product_id, gid, group_id = DEFAULT_GROUP_ID; + u_int created; + + /* get session data */ + e = db->query(db, + "SELECT s.device, s.product, d.created FROM sessions AS s " + "LEFT JOIN devices AS d ON s.device = d.id WHERE s.id = ?", + DB_INT, session_id, DB_INT, DB_INT, DB_UINT); + if (!e || !e->enumerate(e, &device_id, &product_id, &created)) + { + DESTROY_IF(e); + fprintf(stderr, "session %d not found\n", session_id); + return FALSE; + } + e->destroy(e); + + /* if a device ID with a creation date exists, get all group memberships */ + if (device_id & created) + { + e = db->query(db, + "SELECT group_id FROM groups_members WHERE device_id = ?", + DB_INT, device_id, DB_INT); + if (!e) + { + return FALSE; + } + while (e->enumerate(e, &group_id)) + { + if (!iterate_enforcements(db, device_id, session_id, group_id)) + { + e->destroy(e); + return FALSE; + } + } + e->destroy(e); + + return TRUE; + } + + /* determine if a default product group exists */ + e = db->query(db, + "SELECT group_id FROM groups_product_defaults " + "WHERE product_id = ?", DB_INT, product_id, DB_INT); + if (!e) + { + return FALSE; + } + if (e->enumerate(e, &gid)) + { + group_id = gid; + } + e->destroy(e); + + if (device_id && !created) + { + /* assign a newly created device to a default group */ + if (db->execute(db, NULL, + "INSERT INTO groups_members (device_id, group_id) " + "VALUES (?, ?)", DB_INT, device_id, DB_INT, group_id) != 1) + { + fprintf(stderr, "could not assign device to a default group\n"); + return FALSE; + } + + /* set the creation date if it hasn't been set yet */ + if (db->execute(db, NULL, + "UPDATE devices SET created = ? WHERE id = ?", + DB_UINT, time(NULL), DB_INT, device_id) != 1) + { + fprintf(stderr, "creation date of device could not be set\n"); + return FALSE; + } + } + + return iterate_enforcements(db, device_id, session_id, group_id); +} + +static bool policy_stop(database_t *db, int session_id) +{ + enumerator_t *e; + int rec, policy; + char *result; + + e = db->query(db, + "SELECT w.rec_final, w.result, e.policy FROM workitems AS w " + "JOIN enforcements AS e ON w.enforcement = e.id " + "WHERE w.session = ? AND w.result IS NOT NULL", + DB_INT, session_id, DB_INT, DB_TEXT, DB_INT); + if (e) + { + while (e->enumerate(e, &rec, &result, &policy)) + { + db->execute(db, NULL, + "INSERT INTO results (session, policy, rec, result) " + "VALUES (?, ?, ?, ?)", DB_INT, session_id, DB_INT, policy, + DB_INT, rec, DB_TEXT, result); + } + e->destroy(e); + } + return db->execute(db, NULL, + "DELETE FROM workitems WHERE session = ?", + DB_UINT, session_id) >= 0; +} + +int main(int argc, char *argv[]) +{ + database_t *db; + char *uri, *tnc_session_id; + int session_id; + bool start, success; + + /* enable attest debugging hook */ + dbg = stderr_dbg; + + atexit(library_deinit); + + /* initialize library */ + if (!library_init(NULL)) + { + exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); + } + if (!lib->plugins->load(lib->plugins, + lib->settings->get_str(lib->settings, "imv_policy_manager.load", + "sqlite"))) + { + exit(SS_RC_INITIALIZATION_FAILED); + } + + if (argc < 2) + { + usage(); + exit(SS_RC_INITIALIZATION_FAILED); + } + if (streq(argv[1], "start")) + { + start = TRUE; + } + else if (streq(argv[1], "stop")) + { + start = FALSE; + } + else + { + usage(); + exit(SS_RC_INITIALIZATION_FAILED); + } + + /* get session ID */ + tnc_session_id = getenv("TNC_SESSION_ID"); + if (!tnc_session_id) + { + fprintf(stderr, "environment variable TNC_SESSION_ID is not defined\n"); + exit(SS_RC_INITIALIZATION_FAILED); + } + session_id = atoi(tnc_session_id); + + /* attach IMV database */ + uri = lib->settings->get_str(lib->settings, "libimcv.database", NULL); + if (!uri) + { + fprintf(stderr, "database uri not defined.\n"); + exit(SS_RC_INITIALIZATION_FAILED); + } + + db = lib->db->create(lib->db, uri); + if (!db) + { + fprintf(stderr, "opening database failed.\n"); + exit(SS_RC_INITIALIZATION_FAILED); + } + + if (start) + { + success = policy_start(db, session_id); + } + else + { + success = policy_stop(db, session_id); + } + db->destroy(db); + + fprintf(stderr, "imv_policy_manager %s %s\n", start ? "start" : "stop", + success ? "successful" : "failed"); + + exit(EXIT_SUCCESS); +} diff --git a/src/libimcv/imv/imv_policy_manager_usage.c b/src/libimcv/imv/imv_policy_manager_usage.c new file mode 100644 index 000000000..3167a5441 --- /dev/null +++ b/src/libimcv/imv/imv_policy_manager_usage.c @@ -0,0 +1,29 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include <stdio.h> + +#include "imv_policy_manager_usage.h" + +/** + * print imv_policy_manager usage info + */ +void usage(void) +{ + printf("\ +Usage:\n\ + imv_policy_manager start|stop\n"); +} + diff --git a/src/libimcv/imv/imv_policy_manager_usage.h b/src/libimcv/imv/imv_policy_manager_usage.h new file mode 100644 index 000000000..9c90d40c6 --- /dev/null +++ b/src/libimcv/imv/imv_policy_manager_usage.h @@ -0,0 +1,24 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#ifndef IMV_POLICY_MANAGER_USAGE_H_ +#define IMV_POLICY_MANAGER_USAGE_H_ + +/** + * print imv_policy_manager usage info + */ +void usage(void); + +#endif /* IMV_POLICY_MANAGER_USAGE_H_ */ diff --git a/src/libimcv/imv/imv_reason_string.c b/src/libimcv/imv/imv_reason_string.c new file mode 100644 index 000000000..d1447ec35 --- /dev/null +++ b/src/libimcv/imv/imv_reason_string.c @@ -0,0 +1,95 @@ +/* + * Copyright (C) 2012 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_reason_string.h" + +#include <utils/debug.h> + +typedef struct private_imv_reason_string_t private_imv_reason_string_t; + +/** + * Private data of an imv_reason_string_t object. + */ +struct private_imv_reason_string_t { + + /** + * Public members of imv_reason_string_t + */ + imv_reason_string_t public; + + /** + * Preferred language + */ + char *lang; + + /** + * Contains the concatenated reasons + */ + chunk_t reasons; + +}; + +METHOD(imv_reason_string_t, add_reason, void, + private_imv_reason_string_t *this, imv_lang_string_t reason[]) +{ + char *s_reason; + + s_reason = imv_lang_string_select_string(reason, this->lang); + + if (this->reasons.len) + { + /* append any further reasons */ + this->reasons = chunk_cat("mcc", this->reasons, chunk_from_chars('\n'), + chunk_create(s_reason, strlen(s_reason))); + } + else + { + /* add the first reason */ + this->reasons = chunk_clone(chunk_create(s_reason, strlen(s_reason))); + } +} + +METHOD(imv_reason_string_t, get_encoding, chunk_t, + private_imv_reason_string_t *this) +{ + return this->reasons; +} + +METHOD(imv_reason_string_t, destroy, void, + private_imv_reason_string_t *this) +{ + free(this->reasons.ptr); + free(this); +} + +/** + * Described in header. + */ +imv_reason_string_t *imv_reason_string_create(char *lang) +{ + private_imv_reason_string_t *this; + + INIT(this, + .public = { + .add_reason = _add_reason, + .get_encoding = _get_encoding, + .destroy = _destroy, + }, + .lang = lang, + ); + + return &this->public; +} + diff --git a/src/libimcv/imv/imv_reason_string.h b/src/libimcv/imv/imv_reason_string.h new file mode 100644 index 000000000..cb4c27f93 --- /dev/null +++ b/src/libimcv/imv/imv_reason_string.h @@ -0,0 +1,64 @@ +/* + * Copyright (C) 2012 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * + * @defgroup imv_reason_string_t imv_reason_string + * @{ @ingroup libimcv_imv + */ + +#ifndef IMV_REASON_STRING_H_ +#define IMV_REASON_STRING_H_ + +#include "imv_lang_string.h" + +#include <library.h> +#include <collections/linked_list.h> + +typedef struct imv_reason_string_t imv_reason_string_t; + +/** + * Defines and builds a TNC Reason String + */ +struct imv_reason_string_t { + + /** + * Add an individual remediation instruction to the string + * + * @param reason Multi-lingual reason string + */ + void (*add_reason)(imv_reason_string_t *this, imv_lang_string_t reason[]); + + /** + * Gets encoding of the reason string + * + * @return TNC reason string + */ + chunk_t (*get_encoding)(imv_reason_string_t *this); + + /** + * Destroys an imv_reason_string_t object + */ + void (*destroy)(imv_reason_string_t *this); +}; + +/** + * Creates an Reason String object + * + * @param lang Preferred language + */ + imv_reason_string_t* imv_reason_string_create(char *lang); + +#endif /** IMV_REASON_STRING_H_ @}*/ diff --git a/src/libimcv/imv/imv_remediation_string.c b/src/libimcv/imv/imv_remediation_string.c new file mode 100644 index 000000000..af82e1cdd --- /dev/null +++ b/src/libimcv/imv/imv_remediation_string.c @@ -0,0 +1,209 @@ +/* + * Copyright (C) 2012 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_remediation_string.h" + +#include <utils/debug.h> + +typedef struct private_imv_remediation_string_t private_imv_remediation_string_t; + +/** + * Private data of an imv_remediation_string_t object. + */ +struct private_imv_remediation_string_t { + + /** + * Public members of imv_remediation_string_t + */ + imv_remediation_string_t public; + + /** + * XML or plaintext encoding + */ + bool as_xml; + + /** + * Preferred language + */ + char *lang; + + /** + * Contains the concatenated remediation instructions + */ + chunk_t instructions; + +}; + +METHOD(imv_remediation_string_t, add_instruction, void, + private_imv_remediation_string_t *this, imv_lang_string_t title[], + imv_lang_string_t description[], imv_lang_string_t itemsheader[], + linked_list_t *item_list) +{ + char xml_format[] = " <instruction>\n" + " <title>%s</title>\n" + " <description>%s</description>\n" + "%s%s" + " </instruction>\n"; + char *instruction, *format, *item, *pos, *header, *items; + char *s_title, *s_description, *s_itemsheader; + size_t len; + + s_title = imv_lang_string_select_string(title, this->lang); + s_description = imv_lang_string_select_string(description, this->lang); + s_itemsheader = imv_lang_string_select_string(itemsheader, this->lang); + header = NULL; + items = NULL; + + if (s_itemsheader) + { + int header_len = strlen(s_itemsheader); + char *header_format; + + if (this->as_xml) + { + header_format = " <itemsheader>%s</itemsheader>\n"; + header_len += strlen(header_format) - 2; + } + else + { + header_format = "\n %s"; + header_len += 3; + } + header = malloc(header_len + 1); + sprintf(header, header_format, s_itemsheader); + } + + if (item_list && item_list->get_count(item_list)) + { + enumerator_t *enumerator; + int items_len = 0; + + /* compute total length of all items */ + enumerator = item_list->create_enumerator(item_list); + while (enumerator->enumerate(enumerator, &item)) + { + items_len += strlen(item); + } + enumerator->destroy(enumerator); + + if (this->as_xml) + { + items_len += 12 + 20 * item_list->get_count(item_list) + 13; + + pos = items = malloc(items_len + 1); + pos += sprintf(pos, " <items>\n"); + + enumerator = item_list->create_enumerator(item_list); + while (enumerator->enumerate(enumerator, &item)) + { + pos += sprintf(pos, " <item>%s</item>\n", item); + } + enumerator->destroy(enumerator); + + pos += sprintf(pos, " </items>\n"); + } + else + { + items_len += 5 * item_list->get_count(item_list); + + pos = items = malloc(items_len + 1); + + enumerator = item_list->create_enumerator(item_list); + while (enumerator->enumerate(enumerator, &item)) + { + pos += sprintf(pos, "\n %s", item); + } + enumerator->destroy(enumerator); + } + } + + len = strlen(s_title) + strlen(s_description); + if (header) + { + len += strlen(header); + } + if (items) + { + len += strlen(items); + } + + if (this->as_xml) + { + format = xml_format; + len += strlen(xml_format) - 8; + } + else + { + format = this->instructions.len ? "\n%s\n %s%s%s" : "%s\n %s%s%s"; + len += 4; + } + instruction = malloc(len + 1); + sprintf(instruction, format, s_title, s_description, header ? header : "", + items ? items : ""); + free(header); + free(items); + this->instructions = chunk_cat("mm", this->instructions, + chunk_create(instruction, strlen(instruction))); +} + +METHOD(imv_remediation_string_t, get_encoding, chunk_t, + private_imv_remediation_string_t *this) +{ + char xml_header[] = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" + "<remediationinstructions>\n"; + char xml_trailer[] = "</remediationinstructions>"; + + if (!this->instructions.len) + { + return chunk_empty; + } + if (this->as_xml) + { + this->instructions = chunk_cat("cmc", + chunk_create(xml_header, strlen(xml_header)), + this->instructions, + chunk_create(xml_trailer, strlen(xml_trailer)) + ); + } + return this->instructions; +} + +METHOD(imv_remediation_string_t, destroy, void, + private_imv_remediation_string_t *this) +{ + free(this->instructions.ptr); + free(this); +} + +/** + * Described in header. + */ +imv_remediation_string_t *imv_remediation_string_create(bool as_xml, char *lang) +{ + private_imv_remediation_string_t *this; + + INIT(this, + .public = { + .add_instruction = _add_instruction, + .get_encoding = _get_encoding, + .destroy = _destroy, + }, + .as_xml = as_xml, + .lang = lang, + ); + + return &this->public; +} + diff --git a/src/libimcv/imv/imv_remediation_string.h b/src/libimcv/imv/imv_remediation_string.h new file mode 100644 index 000000000..605013abb --- /dev/null +++ b/src/libimcv/imv/imv_remediation_string.h @@ -0,0 +1,72 @@ +/* + * Copyright (C) 2012 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * + * @defgroup imv_remediation_string_t imv_remediation_string + * @{ @ingroup libimcv_imv + */ + +#ifndef IMV_REMEDIATION_STRING_H_ +#define IMV_REMEDIATION_STRING_H_ + +#include "imv_lang_string.h" + +#include <library.h> +#include <collections/linked_list.h> + +typedef struct imv_remediation_string_t imv_remediation_string_t; + +/** + * Defines and builds an IETF Remediation Instructions String + */ +struct imv_remediation_string_t { + + /** + * Add an individual remediation instruction to the string + * + * @param title instruction title + * @param description instruction description + * @param itemsheader optional items header or NULL + * @param items optional items list or NULL + */ + void (*add_instruction)(imv_remediation_string_t *this, + imv_lang_string_t title[], + imv_lang_string_t description[], + imv_lang_string_t itemsheader[], + linked_list_t *items); + + /** + * Gets the plaintext or XML encoding of the remediation instructions + * + * @return remediation instructions string + */ + chunk_t (*get_encoding)(imv_remediation_string_t *this); + + /** + * Destroys an imv_remediation_string_t object + */ + void (*destroy)(imv_remediation_string_t *this); +}; + +/** + * Creates an IETF Remediation Instructions String object + * + * @param as_xml XML encoding if TRUE, plaintext otherwise + * @param lang Preferred language + */ + imv_remediation_string_t* imv_remediation_string_create(bool as_xml, char *lang); + +#endif /** IMV_REMEDIATION_STRING_H_ @}*/ diff --git a/src/libimcv/imv/imv_session.c b/src/libimcv/imv/imv_session.c new file mode 100644 index 000000000..754f1f74c --- /dev/null +++ b/src/libimcv/imv/imv_session.c @@ -0,0 +1,171 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_session.h" + +#include <utils/debug.h> + +typedef struct private_imv_session_t private_imv_session_t; + +/** + * Private data of a imv_session_t object. + */ +struct private_imv_session_t { + + /** + * Public imv_session_t interface. + */ + imv_session_t public; + + /** + * Unique Session ID + */ + int session_id; + + /** + * TNCCS connection ID + */ + TNC_ConnectionID conn_id; + + /** + * Have the workitems been generated? + */ + bool policy_started; + + /** + * List of worklist items + */ + linked_list_t *workitems; + + /** + * Reference count + */ + refcount_t ref; + +}; + +METHOD(imv_session_t, get_session_id, int, + private_imv_session_t *this) +{ + return this->session_id; +} + +METHOD(imv_session_t, get_connection_id, TNC_ConnectionID, + private_imv_session_t *this) +{ + return this->conn_id; +} + +METHOD(imv_session_t, set_policy_started, void, + private_imv_session_t *this, bool start) +{ + this->policy_started = start; +} + +METHOD(imv_session_t, get_policy_started, bool, + private_imv_session_t *this) +{ + return this->policy_started; +} + +METHOD(imv_session_t, insert_workitem, void, + private_imv_session_t *this, imv_workitem_t *workitem) +{ + this->workitems->insert_last(this->workitems, workitem); +} + +METHOD(imv_session_t, remove_workitem, void, + private_imv_session_t *this, enumerator_t *enumerator) +{ + this->workitems->remove_at(this->workitems, enumerator); +} + +METHOD(imv_session_t, create_workitem_enumerator, enumerator_t*, + private_imv_session_t *this) +{ + if (!this->policy_started) + { + return NULL; + } + return this->workitems->create_enumerator(this->workitems); +} + +METHOD(imv_session_t, get_workitem_count, int, + private_imv_session_t *this, TNC_IMVID imv_id) +{ + enumerator_t *enumerator; + imv_workitem_t *workitem; + int count = 0; + + enumerator = this->workitems->create_enumerator(this->workitems); + while (enumerator->enumerate(enumerator, &workitem)) + { + if (workitem->get_imv_id(workitem) == imv_id) + { + count++; + } + } + enumerator->destroy(enumerator); + + return count; +} + +METHOD(imv_session_t, get_ref, imv_session_t*, + private_imv_session_t *this) +{ + ref_get(&this->ref); + + return &this->public; +} + +METHOD(imv_session_t, destroy, void, + private_imv_session_t *this) +{ + if (ref_put(&this->ref)) + { + this->workitems->destroy_offset(this->workitems, + offsetof(imv_workitem_t, destroy)); + free(this); + } +} + +/** + * See header + */ +imv_session_t *imv_session_create(int session_id, TNC_ConnectionID conn_id) +{ + private_imv_session_t *this; + + INIT(this, + .public = { + .get_session_id = _get_session_id, + .get_connection_id = _get_connection_id, + .set_policy_started = _set_policy_started, + .get_policy_started = _get_policy_started, + .insert_workitem = _insert_workitem, + .remove_workitem = _remove_workitem, + .create_workitem_enumerator = _create_workitem_enumerator, + .get_workitem_count = _get_workitem_count, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .session_id = session_id, + .conn_id = conn_id, + .workitems = linked_list_create(), + .ref = 1, + ); + + return &this->public; +} diff --git a/src/libimcv/imv/imv_session.h b/src/libimcv/imv/imv_session.h new file mode 100644 index 000000000..6b94523b8 --- /dev/null +++ b/src/libimcv/imv/imv_session.h @@ -0,0 +1,113 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * + * @defgroup imv_session_t imv_session + * @{ @ingroup libimcv_imv + */ + +#ifndef IMV_SESSION_H_ +#define IMV_SESSION_H_ + +#include "imv_workitem.h" + +#include <tncifimv.h> + +#include <library.h> + +typedef struct imv_session_t imv_session_t; + +/** + * IMV session interface + */ +struct imv_session_t { + + /** + * Get unique session ID + * + * @return Session ID + */ + int (*get_session_id)(imv_session_t *this); + + /** + * Get TNCCS Connection ID + * + * @return TNCCS Connection ID + */ + TNC_ConnectionID (*get_connection_id)(imv_session_t *this); + + /** + * Set policy_started status + * + * @param start TRUE if policy started, FALSE if policy stopped + */ + void (*set_policy_started)(imv_session_t *this, bool start); + + /** + * Get policy_started status + * + * @return TRUE if policy started, FALSE if policy stopped + */ + bool (*get_policy_started)(imv_session_t *this); + + /** + * Insert workitem into list + * + * @param workitem Workitem to be inserted + */ + void (*insert_workitem)(imv_session_t *this, imv_workitem_t *workitem); + + /** + * Remove workitem from list + * + * @param enumerator Enumerator pointing to workitem to be removed + */ + void (*remove_workitem)(imv_session_t *this, enumerator_t *enumerator); + + /** + * Create workitem enumerator + * + */ + enumerator_t* (*create_workitem_enumerator)(imv_session_t *this); + + /** + * Get number of workitem allocated to a given IMV + * + * @param imv_id IMV ID + * @return Number of workitems assigned to given IMV + */ + int (*get_workitem_count)(imv_session_t *this, TNC_IMVID imv_id); + + /** + * Get reference to session + */ + imv_session_t* (*get_ref)(imv_session_t*); + + /** + * Destroys an imv_session_t object + */ + void (*destroy)(imv_session_t *this); +}; + +/** + * Create an imv_session_t instance + * + * @param session_id Unique Session ID + * @param id Associated Connection ID + */ +imv_session_t* imv_session_create(int session_id, TNC_ConnectionID id); + +#endif /** IMV_SESSION_H_ @}*/ diff --git a/src/libimcv/imv/imv_state.h b/src/libimcv/imv/imv_state.h index 9e7a29a9f..791846bb1 100644 --- a/src/libimcv/imv/imv_state.h +++ b/src/libimcv/imv/imv_state.h @@ -1,5 +1,6 @@ /* - * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * Copyright (C) 2011-2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -15,12 +16,14 @@ /** * * @defgroup imv_state_t imv_state - * @{ @ingroup imv_state + * @{ @ingroup libimcv_imv */ #ifndef IMV_STATE_H_ #define IMV_STATE_H_ +#include "imv_session.h" + #include <tncifimv.h> #include <library.h> @@ -33,9 +36,9 @@ typedef struct imv_state_t imv_state_t; struct imv_state_t { /** - * Get the TNCS connection ID attached to the state + * Get the TNCCS connection ID attached to the state * - * @return TNCS connection ID of the state + * @return TNCCS connection ID of the state */ TNC_ConnectionID (*get_connection_id)(imv_state_t *this); @@ -63,6 +66,65 @@ struct imv_state_t { void (*set_flags)(imv_state_t *this, bool has_long, bool has_excl); /** + * Set the maximum size of a PA-TNC message for this TNCCS connection + * + * @param max_msg_len maximum size of a PA-TNC message + */ + void (*set_max_msg_len)(imv_state_t *this, u_int32_t max_msg_len); + + /** + * Get the maximum size of a PA-TNC message for this TNCCS connection + * + * @return maximum size of a PA-TNC message + */ + u_int32_t (*get_max_msg_len)(imv_state_t *this); + + /** + * Set flags for completed actions + * + * @param flags Flags to be set + */ + void (*set_action_flags)(imv_state_t *this, u_int32_t flags); + + /** + * Get flags set for completed actions + * + * @return Flags set for completed actions + */ + u_int32_t (*get_action_flags)(imv_state_t *this); + + /** + * Set Access Requestor ID + * + * @param id_type Access Requestor TCG Standard ID Type + * @param id_value Access Requestor TCG Standard ID Value + * + */ + void (*set_ar_id)(imv_state_t *this, u_int32_t id_type, chunk_t id_value); + + /** + * Get Access Requestor ID + * + * @param id_type Access Requestor TCG Standard ID Type + * @return Access Requestor TCG Standard ID Value + */ + chunk_t (*get_ar_id)(imv_state_t *this, u_int32_t *id_type); + + /** + * Set session associated with TNCCS Connection + * + * @param session Session associated with TNCCS Connection + */ + void (*set_session)(imv_state_t *this, imv_session_t *session); + + /** + * Get session associated with TNCCS Connection + * + * @return Session associated with TNCCS Connection + */ + imv_session_t* (*get_session)(imv_state_t *this); + + /** * Change the connection state * * @param new_state new connection state @@ -92,15 +154,41 @@ struct imv_state_t { TNC_IMV_Evaluation_Result eval); /** + * Update IMV action recommendation and evaluation result + * + * @param rec IMV action recommendation + * @param eval IMV evaluation result + * + */ + void (*update_recommendation)(imv_state_t *this, + TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval); + + /** * Get reason string based on the preferred language * - * @param preferred_language preferred language + * @param language_enumerator language enumerator * @param reason_string reason string - * @param language code language of the returned reason string + * @param reason_language language of the returned reason string * @return TRUE if a reason string was found */ - bool (*get_reason_string)(imv_state_t *this, chunk_t preferred_language, - chunk_t *reason_string, chunk_t *language_code); + bool (*get_reason_string)(imv_state_t *this, + enumerator_t *language_enumerator, + chunk_t *reason_string, char **reason_language); + + /** + * Get remediation instructions based on the preferred language + * + * @param language_enumerator language enumerator + * @param string remediation instruction string + * @param lang_code language of the remediation instructions + * @param uri remediation URI + * @return TRUE if remediation instructions were found + */ + bool (*get_remediation_instructions)(imv_state_t *this, + enumerator_t *language_enumerator, + chunk_t *string, char **lang_code, + char **uri); /** * Destroys an imv_state_t object diff --git a/src/libimcv/imv/imv_workitem.c b/src/libimcv/imv/imv_workitem.c new file mode 100644 index 000000000..a61a826bc --- /dev/null +++ b/src/libimcv/imv/imv_workitem.c @@ -0,0 +1,213 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_workitem.h" + +#include <utils/debug.h> +#include <tncif_names.h> + +typedef struct private_imv_workitem_t private_imv_workitem_t; + +ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_UDP_PORT_BLOCK, + "PCKGS", + "UNSRC", + "FWDEN", + "PWDEN", + "FREFM", + "FMEAS", + "FMETA", + "DREFM", + "DMEAS", + "DMETA", + "TCPOP", + "TCPBL", + "UDPOP", + "UDPBL" +); + +/** + * Private data of a imv_workitem_t object. + * + */ +struct private_imv_workitem_t { + + /** + * Public imv_workitem_t interface. + */ + imv_workitem_t public; + + /** + * Primary workitem key + */ + int id; + + /** + * IMV ID + */ + TNC_IMVID imv_id; + + /** + * Workitem type + */ + imv_workitem_type_t type; + + /** + * Argument string + */ + char *arg_str; + + /** + * Argument integer + */ + int arg_int; + + /** + * Result string + */ + char *result; + + /** + * IMV action recommendation + */ + TNC_IMV_Action_Recommendation rec_fail; + + /** + * IMV action recommendation + */ + TNC_IMV_Action_Recommendation rec_noresult; + + /** + * IMV action recommendation + */ + TNC_IMV_Action_Recommendation rec_final; + +}; + +METHOD(imv_workitem_t, get_id, int, + private_imv_workitem_t *this) +{ + return this->id; +} + +METHOD(imv_workitem_t, set_imv_id, void, + private_imv_workitem_t *this, TNC_IMVID imv_id) +{ + this->imv_id = imv_id; +} + +METHOD(imv_workitem_t, get_imv_id, TNC_IMVID, + private_imv_workitem_t *this) +{ + return this->imv_id; +} + +METHOD(imv_workitem_t, get_type, imv_workitem_type_t, + private_imv_workitem_t *this) +{ + return this->type; +} + +METHOD(imv_workitem_t, get_arg_str, char*, + private_imv_workitem_t *this) +{ + return this->arg_str; +} + +METHOD(imv_workitem_t, get_arg_int, int, + private_imv_workitem_t *this) +{ + return this->arg_int; +} + +METHOD(imv_workitem_t, set_result, TNC_IMV_Action_Recommendation, + private_imv_workitem_t *this, char *result, TNC_IMV_Evaluation_Result eval) +{ + this->result = strdup(result); + switch (eval) + { + case TNC_IMV_EVALUATION_RESULT_COMPLIANT: + this->rec_final = TNC_IMV_ACTION_RECOMMENDATION_ALLOW; + break; + case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR: + case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR: + this->rec_final = this->rec_fail; + break; + case TNC_IMV_EVALUATION_RESULT_ERROR: + case TNC_IMV_EVALUATION_RESULT_DONT_KNOW: + default: + this->rec_final = this->rec_noresult; + break; + } + DBG2(DBG_IMV, "IMV %d handled %N workitem %d: %N%s%s", this->imv_id, + imv_workitem_type_names, this->type, this->id, + TNC_IMV_Action_Recommendation_names, this->rec_final, + strlen(result) ? " - " : "", result); + + return this->rec_final; +} + +METHOD(imv_workitem_t, get_result, TNC_IMV_Action_Recommendation, + private_imv_workitem_t *this, char **result) +{ + if (result) + { + *result = this->result; + } + return this->rec_final; +} + +METHOD(imv_workitem_t, destroy, void, + private_imv_workitem_t *this) +{ + free(this->arg_str); + free(this->result); + free(this); +} + +/** + * See header + */ +imv_workitem_t *imv_workitem_create(int id, imv_workitem_type_t type, + char *arg_str, int arg_int, + TNC_IMV_Action_Recommendation rec_fail, + TNC_IMV_Action_Recommendation rec_noresult) +{ + private_imv_workitem_t *this; + + INIT(this, + .public = { + .get_id = _get_id, + .set_imv_id = _set_imv_id, + .get_imv_id = _get_imv_id, + .get_type = _get_type, + .get_arg_str = _get_arg_str, + .get_arg_int = _get_arg_int, + .set_result = _set_result, + .get_result = _get_result, + .destroy = _destroy, + }, + .id = id, + .imv_id = TNC_IMVID_ANY, + .type = type, + .arg_str = arg_str ? strdup(arg_str) : NULL, + .arg_int = arg_int, + .rec_fail = rec_fail, + .rec_noresult = rec_noresult, + .rec_final = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, + ); + + return &this->public; +} + diff --git a/src/libimcv/imv/imv_workitem.h b/src/libimcv/imv/imv_workitem.h new file mode 100644 index 000000000..f6ca3ea68 --- /dev/null +++ b/src/libimcv/imv/imv_workitem.h @@ -0,0 +1,138 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * + * @defgroup imv_workitem_t imv_workitem + * @{ @ingroup libimcv_imv + */ + +#ifndef IMV_WORKITEM_H_ +#define IMV_WORKITEM_H_ + +#include <tncifimv.h> + +#include <library.h> + +typedef struct imv_workitem_t imv_workitem_t; +typedef enum imv_workitem_type_t imv_workitem_type_t; + +enum imv_workitem_type_t { + IMV_WORKITEM_PACKAGES = 1, + IMV_WORKITEM_UNKNOWN_SOURCE = 2, + IMV_WORKITEM_FORWARDING = 3, + IMV_WORKITEM_DEFAULT_PWD = 4, + IMV_WORKITEM_FILE_REF_MEAS = 5, + IMV_WORKITEM_FILE_MEAS = 6, + IMV_WORKITEM_FILE_META = 7, + IMV_WORKITEM_DIR_REF_MEAS = 8, + IMV_WORKITEM_DIR_MEAS = 9, + IMV_WORKITEM_DIR_META = 10, + IMV_WORKITEM_TCP_PORT_OPEN = 11, + IMV_WORKITEM_TCP_PORT_BLOCK = 12, + IMV_WORKITEM_UDP_PORT_OPEN = 13, + IMV_WORKITEM_UDP_PORT_BLOCK = 14 +}; + +extern enum_name_t *imv_workitem_type_names; + +/** + * IMV database interface + */ +struct imv_workitem_t { + + /** + * Get primary workitem key + * + * @return Primary workitem key + */ + int (*get_id)(imv_workitem_t *this); + + /** + * Get workitem type + * + * @return Workitem type + */ + imv_workitem_type_t (*get_type)(imv_workitem_t *this); + + /** + * Set IMV ID + * + * @param id IMV ID + */ + void (*set_imv_id)(imv_workitem_t *this, TNC_IMVID imv_id); + + /** + * Get IMV ID + * + * @return IMV ID + */ + TNC_IMVID (*get_imv_id)(imv_workitem_t *this); + + /** + * Get string argument + * + * @return Argument string + */ + char* (*get_arg_str)(imv_workitem_t *this); + + /** + * Get integer argument + * + * @return Argument integer + */ + int (*get_arg_int)(imv_workitem_t *this); + + /** + * Set result string + * + * @param result Result string + * @param eval Evaluation Result + * @return Action Recommendation + */ + TNC_IMV_Action_Recommendation (*set_result)(imv_workitem_t *this, + char *result, TNC_IMV_Evaluation_Result eval); + + /** + * Set result string + * + * @param result Result string + * @return Action Recommendatino + */ + TNC_IMV_Action_Recommendation (*get_result)(imv_workitem_t *this, + char **result); + + /** + * Destroys an imv_workitem_t object + */ + void (*destroy)(imv_workitem_t *this); +}; + +/** + * Create an imv_workitem_t instance + * + * @param id Primary workitem key + * @param type Workitem type + * @param arg_str String argument + * @param arg_int Integer argument + * @param rec_fail Recommendation with minor/major non-compliance case + * @param rec_noresult Recommendation in don't know/error case + */ +imv_workitem_t *imv_workitem_create(int id, imv_workitem_type_t type, + char *arg_str, int arg_int, + TNC_IMV_Action_Recommendation rec_fail, + TNC_IMV_Action_Recommendation rec_noresult); + +#endif /** IMV_WORKITEM_H_ @}*/ diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql new file mode 100644 index 000000000..4cc959e09 --- /dev/null +++ b/src/libimcv/imv/tables.sql @@ -0,0 +1,234 @@ +/* IMV PTS SQLite database */ + +DROP TABLE IF EXISTS directories; +CREATE TABLE directories ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + path TEXT NOT NULL +); +DROP INDEX IF EXISTS directories_path; +CREATE INDEX directories_path ON directories ( + path +); + +DROP TABLE IF EXISTS files; +CREATE TABLE files ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + dir INTEGER DEFAULT 0 REFERENCES directories(id), + name TEXT NOT NULL +); +DROP INDEX IF EXISTS files_name; +CREATE INDEX files_name ON files ( + name +); + +DROP TABLE IF EXISTS products; +CREATE TABLE products ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + name TEXT NOT NULL +); +DROP INDEX IF EXISTS products_name; +CREATE INDEX products_name ON products ( + name +); + +DROP TABLE IF EXISTS algorithms; +CREATE TABLE algorithms ( + id INTEGER PRIMARY KEY, + name VARCHAR(20) not NULL +); + +DROP TABLE IF EXISTS file_hashes; +CREATE TABLE file_hashes ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + file INTEGER NOT NULL REFERENCES files(id), + product INTEGER NOT NULL REFERENCES products(id), + device INTEGER DEFAULT 0, + key INTEGER DEFAULT 0 REFERENCES keys(id), + algo INTEGER NOT NULL REFERENCES algorithms(id), + hash BLOB NOT NULL +); + +DROP TABLE IF EXISTS keys; +CREATE TABLE keys ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + keyid BLOB NOT NULL, + owner TEXT NOT NULL +); +DROP INDEX IF EXISTS keys_keyid; +CREATE INDEX keys_keyid ON keys ( + keyid +); +DROP INDEX IF EXISTS keys_owner; +CREATE INDEX keys_owner ON keys ( + owner +); + +DROP TABLE IF EXISTS groups; +CREATE TABLE groups ( + id INTEGER NOT NULL PRIMARY KEY, + name VARCHAR(50) NOT NULL UNIQUE, + parent INTEGER +); + +DROP TABLE IF EXISTS groups_members; +CREATE TABLE groups_members ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + group_id INTEGER NOT NULL REFERENCES groups(id), + device_id INTEGER NOT NULL REFERENCES devices(id), + UNIQUE (group_id, device_id) +); + +DROP TABLE IF EXISTS groups_product_defaults; +CREATE TABLE groups_product_defaults ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + group_id INTEGER NOT NULL REFERENCES groups(id), + product_id INTEGER NOT NULL REFERENCES products(id), + UNIQUE (group_id, product_id) +); + +DROP TABLE IF EXISTS policies; +CREATE TABLE policies ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + type INTEGER NOT NULL, + name VARCHAR(100) NOT NULL UNIQUE, + argument TEXT DEFAULT '' NOT NULL, + rec_fail INTEGER NOT NULL, + rec_noresult INTEGER NOT NULL, + file INTEGER DEFAULT 0 REFERENCES files(id), + dir INTEGER DEFAULT 0 REFERENCES directories(id) +); + +DROP TABLE IF EXISTS enforcements; +CREATE TABLE enforcements ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + policy INTEGER NOT NULL REFERENCES policies(id), + group_id INTEGER NOT NULL REFERENCES groups(id), + rec_fail INTEGER, + rec_noresult INTEGER, + max_age INTEGER NOT NULL, + UNIQUE (policy, group_id) +); + +DROP TABLE IF EXISTS sessions; +CREATE TABLE sessions ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + time INTEGER NOT NULL, + connection INTEGER NOT NULL, + identity INTEGER DEFAULT 0 REFERENCES identities(id), + device INTEGER DEFAULT 0 REFERENCES devices(id), + product INTEGER DEFAULT 0 REFERENCES products(id), + rec INTEGER DEFAULT 3 +); + +DROP TABLE IF EXISTS workitems; +CREATE TABLE workitems ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + session INTEGER NOT NULL REFERENCES sessions(id), + enforcement INTEGER NOT NULL REFERENCES enforcements(id), + type INTEGER NOT NULL, + arg_str TEXT, + arg_int INTEGER DEFAULT 0, + rec_fail INTEGER NOT NULL, + rec_noresult INTEGER NOT NULL, + rec_final INTEGER, + result TEXT +); +DROP INDEX IF EXISTS workitems_session; +CREATE INDEX workitems_sessions ON workitems ( + session +); + +DROP TABLE IF EXISTS results; +CREATE TABLE results ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + session INTEGER NOT NULL REFERENCES measurements(id), + policy INTEGER NOT NULL REFERENCES policies(id), + rec INTEGER NOT NULL, + result TEXT NOT NULL +); +DROP INDEX IF EXISTS results_session; +CREATE INDEX results_session ON results ( + session +); + +DROP TABLE IF EXISTS components; +CREATE TABLE components ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + vendor_id INTEGER NOT NULL, + name INTEGER NOT NULL, + qualifier INTEGER DEFAULT 0 +); + + +DROP TABLE IF EXISTS key_component; +CREATE TABLE key_component ( + key INTEGER NOT NULL, + component INTEGER NOT NULL, + depth INTEGER DEFAULT 0, + seq_no INTEGER DEFAULT 0, + PRIMARY KEY (key, component) +); + + +DROP TABLE IF EXISTS component_hashes; +CREATE TABLE component_hashes ( + component INTEGER NOT NULL, + key INTEGER NOT NULL, + seq_no INTEGER NOT NULL, + pcr INTEGER NOT NULL, + algo INTEGER NOT NULL, + hash BLOB NOT NULL, + PRIMARY KEY(component, key, seq_no, algo) +); + +DROP TABLE IF EXISTS packages; +CREATE TABLE packages ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + name TEXT NOT NULL, + blacklist INTEGER DEFAULT 0 +); +DROP INDEX IF EXISTS packages_name; +CREATE INDEX packages_name ON packages ( + name +); + +DROP TABLE IF EXISTS versions; +CREATE TABLE versions ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + package INTEGER NOT NULL REFERENCES packages(id), + product INTEGER NOT NULL REFERENCES products(id), + release TEXT NOT NULL, + security INTEGER DEFAULT 0, + blacklist INTEGER DEFAULT 0, + time INTEGER DEFAULT 0 +); +DROP INDEX IF EXISTS versions_release; +CREATE INDEX versions_release ON versions ( + release +); +DROP INDEX IF EXISTS versions_package_product; +CREATE INDEX versions_package_product ON versions ( + package, product +); + +DROP TABLE IF EXISTS devices; +CREATE TABLE devices ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + description TEXT DEFAULT '', + value TEXT NOT NULL, + product INTEGER REFERENCES products(id), + created INTEGER +); +DROP INDEX IF EXISTS devices_id; +CREATE INDEX devices_value ON devices ( + value +); + +DROP TABLE IF EXISTS identities; +CREATE TABLE identities ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + type INTEGER NOT NULL, + value BLOB NOT NULL, + UNIQUE (type, value) +); + |