Diffstat (limited to 'src/libimcv/plugins/imc_os')
-rw-r--r--src/libimcv/plugins/imc_os/Makefile.am2
-rw-r--r--src/libimcv/plugins/imc_os/Makefile.in8
-rw-r--r--src/libimcv/plugins/imc_os/imc_os.c165
3 files changed, 127 insertions, 48 deletions
diff --git a/src/libimcv/plugins/imc_os/Makefile.am b/src/libimcv/plugins/imc_os/Makefile.am
index fec38cd4e..e6dd10be5 100644
--- a/src/libimcv/plugins/imc_os/Makefile.am
+++ b/src/libimcv/plugins/imc_os/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
-I$(top_srcdir)/src/libimcv
AM_CFLAGS = \
- -rdynamic
+ $(PLUGIN_CFLAGS)
imcv_LTLIBRARIES = imc-os.la
diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in
index 7b25614f3..2f0b85404 100644
--- a/src/libimcv/plugins/imc_os/Makefile.in
+++ b/src/libimcv/plugins/imc_os/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -261,6 +261,7 @@ NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
OTOOL = @OTOOL@
OTOOL64 = @OTOOL64@
PACKAGE = @PACKAGE@
@@ -279,6 +280,7 @@ PERL = @PERL@
PKG_CONFIG = @PKG_CONFIG@
PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
PTHREADLIB = @PTHREADLIB@
PYTHON = @PYTHON@
PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -306,6 +308,7 @@ abs_top_srcdir = @abs_top_srcdir@
ac_ct_AR = @ac_ct_AR@
ac_ct_CC = @ac_ct_CC@
ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
am__include = @am__include@
am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
@@ -397,6 +400,7 @@ srcdir = @srcdir@
starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
t_plugins = @t_plugins@
@@ -413,7 +417,7 @@ AM_CPPFLAGS = \
-I$(top_srcdir)/src/libimcv
AM_CFLAGS = \
- -rdynamic
+ $(PLUGIN_CFLAGS)
imcv_LTLIBRARIES = imc-os.la
imc_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c
index 647a44957..c624d26b1 100644
--- a/src/libimcv/plugins/imc_os/imc_os.c
+++ b/src/libimcv/plugins/imc_os/imc_os.c
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011-2012 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
@@ -17,6 +17,7 @@
#include <imc/imc_agent.h>
#include <imc/imc_msg.h>
+#include <imc/imc_os_info.h>
#include <ietf/ietf_attr.h>
#include <ietf/ietf_attr_attr_request.h>
#include <ietf/ietf_attr_default_pwd_enabled.h>
@@ -31,7 +32,6 @@
#include <ita/ita_attr_settings.h>
#include <ita/ita_attr_angel.h>
#include <ita/ita_attr_device_id.h>
-#include <os_info/os_info.h>
#include <tncif_pa_subtypes.h>
@@ -47,15 +47,15 @@ static pen_type_t msg_types[] = {
};
static imc_agent_t *imc_os;
-static os_info_t *os;
+static imc_os_info_t *os;
/**
* see section 3.8.1 of TCG TNC IF-IMC Specification 1.3
*/
-TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
- TNC_Version min_version,
- TNC_Version max_version,
- TNC_Version *actual_version)
+TNC_Result TNC_IMC_API TNC_IMC_Initialize(TNC_IMCID imc_id,
+ TNC_Version min_version,
+ TNC_Version max_version,
+ TNC_Version *actual_version)
{
if (imc_os)
{
@@ -69,7 +69,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
return TNC_RESULT_FATAL;
}
- os = os_info_create();
+ os = imc_os_info_create();
if (!os)
{
imc_os->destroy(imc_os);
@@ -89,9 +89,8 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
/**
* see section 3.8.2 of TCG TNC IF-IMC Specification 1.3
*/
-TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
- TNC_ConnectionID connection_id,
- TNC_ConnectionState new_state)
+TNC_Result TNC_IMC_API TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
+ TNC_ConnectionID connection_id, TNC_ConnectionState new_state)
{
imc_state_t *state;
@@ -238,23 +237,97 @@ static void add_default_pwd_enabled(imc_msg_t *msg)
static void add_device_id(imc_msg_t *msg)
{
pa_tnc_attr_t *attr;
- chunk_t value;
- char *name;
+ chunk_t value = chunk_empty, keyid;
+ char *name, *device_id, *cert_path;
+ certificate_t *cert = NULL;
+ public_key_t *pubkey;
+
+ /* Get the device ID as a character string */
+ device_id = lib->settings->get_str(lib->settings,
+ "%s.plugins.imc-os.device_id", NULL, lib->ns);
+ if (device_id)
+ {
+ value = chunk_clone(chunk_from_str(device_id));
+ }
+
+ if (value.len == 0)
+ {
+ /* Derive the device ID from a raw public key */
+ cert_path = lib->settings->get_str(lib->settings,
+ "%s.plugins.imc-os.device_pubkey", NULL, lib->ns);
+ if (cert_path)
+ {
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+ CERT_TRUSTED_PUBKEY, BUILD_FROM_FILE,
+ cert_path, BUILD_END);
+ if (cert)
+ {
+ DBG2(DBG_IMC, "loaded device public key from '%s'", cert_path);
+ }
+ else
+ {
+ DBG1(DBG_IMC, "loading device public key from '%s' failed",
+ cert_path);
+ }
+ }
+
+ if (!cert)
+ {
+ /* Derive the device ID from the public key contained in a certificate */
+ cert_path = lib->settings->get_str(lib->settings,
+ "%s.plugins.imc-os.device_cert", NULL, lib->ns);
+ if (cert_path)
+ {
+ cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
+ CERT_X509, BUILD_FROM_FILE,
+ cert_path, BUILD_END);
+ if (cert)
+ {
+ DBG2(DBG_IMC, "loaded device certificate from '%s'", cert_path);
+ }
+ else
+ {
+ DBG1(DBG_IMC, "loading device certificate from '%s' failed",
+ cert_path);
+ }
+ }
+ }
- name = os->get_type(os) == OS_TYPE_ANDROID ?
- "android_id" : "/var/lib/dbus/machine-id";
- value = os->get_setting(os, name);
+ /* Compute the SHA-1 keyid of the retrieved device public key */
+ if (cert)
+ {
+ pubkey = cert->get_public_key(cert);
+ if (pubkey)
+ {
+ if (pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_INFO_SHA1,
+ &keyid))
+ {
+ value = chunk_to_hex(keyid, NULL, FALSE);
+ }
+ pubkey->destroy(pubkey);
+ }
+ cert->destroy(cert);
+ }
+ }
if (value.len == 0)
{
- DBG1(DBG_IMC, "no device ID available");
- return;
+ /* Derive the device ID from some unique OS settings */
+ name = os->get_type(os) == OS_TYPE_ANDROID ?
+ "android_id" : "/var/lib/dbus/machine-id";
+ value = os->get_setting(os, name);
+
+ /* Trim trailing newline character */
+ if (value.len > 0 && value.ptr[value.len - 1] == '\n')
+ {
+ value.len--;
+ }
}
- /* trim trailing newline character */
- if (value.ptr[value.len - 1] == '\n')
+ if (value.len == 0)
{
- value.len--;
+ DBG1(DBG_IMC, "no device ID available");
+ return;
}
DBG1(DBG_IMC, "device ID is %.*s", value.len, value.ptr);
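Review bot: When a device public key or certificate loads successfully but `cert->get_public_key()` returns NULL or `get_fingerprint()` returns FALSE, the new code falls through to the machine-id/android_id fallback without a single log line, so an operator who configured device_pubkey or device_cert ends up with a silently different device identity than intended. Add a DBG1 on both failure paths, e.g. `DBG1(DBG_IMC, "computing keyid of device public key failed");` in an else branch of the `get_fingerprint()` check and a matching `DBG1(DBG_IMC, "extracting device public key from certificate failed");` when `pubkey` is NULL. A one-line comment above the first `if (value.len == 0)` stating the precedence (`/* precedence: device_id setting, then device_pubkey, then device_cert, then OS setting */`) would also help, since the nesting makes the order hard to read. add_device_id continues past the hunk; the configured-string and keyid branches now hand back memory from chunk_clone/chunk_to_hex, so the unseen tail that releases `value` presumably must treat all three sources the same way — worth confirming.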
@@ -279,11 +352,12 @@ static void add_installed_packages(imc_state_t *state, imc_msg_t *msg)
* Compute the maximum IETF Installed Packages attribute size
* leaving space for an additional ITA Angel attribute
*/
- max_attr_size = state->get_max_msg_len(state) - 8 - 12;
+ max_attr_size = state->get_max_msg_len(state) -
+ PA_TNC_HEADER_SIZE - PA_TNC_ATTR_HEADER_SIZE;
/* At least one IETF Installed Packages attribute is sent */
attr = ietf_attr_installed_packages_create();
- attr_size = 12 + 4;
+ attr_size = PA_TNC_ATTR_HEADER_SIZE + IETF_INSTALLED_PACKAGES_MIN_SIZE;
enumerator = os->create_package_enumerator(os);
if (enumerator)
@@ -310,7 +384,8 @@ static void add_installed_packages(imc_state_t *state, imc_msg_t *msg)
/* create the next IETF Installed Packages attribute */
attr = ietf_attr_installed_packages_create();
- attr_size = 12 + 4;
+ attr_size = PA_TNC_ATTR_HEADER_SIZE +
+ IETF_INSTALLED_PACKAGES_MIN_SIZE;
}
attr_cast = (ietf_attr_installed_packages_t*)attr;
attr_cast->add(attr_cast, name, version);
@@ -370,8 +445,8 @@ static void add_settings(enumerator_t *enumerator, imc_msg_t *msg)
/**
* see section 3.8.3 of TCG TNC IF-IMC Specification 1.3
*/
-TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
- TNC_ConnectionID connection_id)
+TNC_Result TNC_IMC_API TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
+ TNC_ConnectionID connection_id)
{
imc_state_t *state;
imc_msg_t *out_msg;
@@ -518,11 +593,11 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
* see section 3.8.4 of TCG TNC IF-IMC Specification 1.3
*/
-TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
- TNC_ConnectionID connection_id,
- TNC_BufferReference msg,
- TNC_UInt32 msg_len,
- TNC_MessageType msg_type)
+TNC_Result TNC_IMC_API TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
+ TNC_ConnectionID connection_id,
+ TNC_BufferReference msg,
+ TNC_UInt32 msg_len,
+ TNC_MessageType msg_type)
{
imc_state_t *state;
imc_msg_t *in_msg;
@@ -548,15 +623,15 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
/**
* see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
*/
-TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
- TNC_ConnectionID connection_id,
- TNC_UInt32 msg_flags,
- TNC_BufferReference msg,
- TNC_UInt32 msg_len,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype,
- TNC_UInt32 src_imv_id,
- TNC_UInt32 dst_imc_id)
+TNC_Result TNC_IMC_API TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
+ TNC_ConnectionID connection_id,
+ TNC_UInt32 msg_flags,
+ TNC_BufferReference msg,
+ TNC_UInt32 msg_len,
+ TNC_VendorID msg_vid,
+ TNC_MessageSubtype msg_subtype,
+ TNC_UInt32 src_imv_id,
+ TNC_UInt32 dst_imc_id)
{
imc_state_t *state;
imc_msg_t *in_msg;
@@ -583,8 +658,8 @@ TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
/**
* see section 3.8.7 of TCG TNC IF-IMC Specification 1.3
*/
-TNC_Result TNC_IMC_BatchEnding(TNC_IMCID imc_id,
- TNC_ConnectionID connection_id)
+TNC_Result TNC_IMC_API TNC_IMC_BatchEnding(TNC_IMCID imc_id,
+ TNC_ConnectionID connection_id)
{
if (!imc_os)
{
@@ -597,7 +672,7 @@ TNC_Result TNC_IMC_BatchEnding(TNC_IMCID imc_id,
/**
* see section 3.8.8 of TCG TNC IF-IMC Specification 1.3
*/
-TNC_Result TNC_IMC_Terminate(TNC_IMCID imc_id)
+TNC_Result TNC_IMC_API TNC_IMC_Terminate(TNC_IMCID imc_id)
{
if (!imc_os)
{
@@ -616,8 +691,8 @@ TNC_Result TNC_IMC_Terminate(TNC_IMCID imc_id)
/**
* see section 4.2.8.1 of TCG TNC IF-IMC Specification 1.3
*/
-TNC_Result TNC_IMC_ProvideBindFunction(TNC_IMCID imc_id,
- TNC_TNCC_BindFunctionPointer bind_function)
+TNC_Result TNC_IMC_API TNC_IMC_ProvideBindFunction(TNC_IMCID imc_id,
+ TNC_TNCC_BindFunctionPointer bind_function)
{
if (!imc_os)
{