Diffstat (limited to 'src/libimcv')
56 files changed, 2683 insertions, 1577 deletions
diff --git a/src/libimcv/Android.mk b/src/libimcv/Android.mk
new file mode 100644
index 000000000..4253fe274
--- /dev/null
+++ b/src/libimcv/Android.mk
@@ -0,0 +1,66 @@ +LOCAL_PATH := $(call my-dir) +include $(CLEAR_VARS) + +# copy-n-paste from Makefile.am +libimcv_la_SOURCES := \ + imcv.h imcv.c \ + imc/imc_agent.h imc/imc_agent.c imc/imc_state.h \ + imc/imc_msg.h imc/imc_msg.c \ + imc/imc_os_info.h imc/imc_os_info.c \ + imv/imv_agent.h imv/imv_agent.c imv/imv_state.h \ + imv/imv_agent_if.h imv/imv_if.h \ + imv/imv_database.h imv/imv_database.c \ + imv/imv_msg.h imv/imv_msg.c \ + imv/imv_lang_string.h imv/imv_lang_string.c \ + imv/imv_os_info.h imv/imv_os_info.c \ + imv/imv_reason_string.h imv/imv_reason_string.c \ + imv/imv_remediation_string.h imv/imv_remediation_string.c \ + imv/imv_session.h imv/imv_session.c \ + imv/imv_session_manager.h imv/imv_session_manager.c \ + imv/imv_workitem.h imv/imv_workitem.c \ + ietf/ietf_attr.h ietf/ietf_attr.c \ + ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \ + ietf/ietf_attr_attr_request.h ietf/ietf_attr_attr_request.c \ + ietf/ietf_attr_fwd_enabled.h ietf/ietf_attr_fwd_enabled.c \ + ietf/ietf_attr_default_pwd_enabled.h ietf/ietf_attr_default_pwd_enabled.c \ + ietf/ietf_attr_installed_packages.h ietf/ietf_attr_installed_packages.c \ + ietf/ietf_attr_numeric_version.h ietf/ietf_attr_numeric_version.c \ + ietf/ietf_attr_op_status.h ietf/ietf_attr_op_status.c \ + ietf/ietf_attr_pa_tnc_error.h ietf/ietf_attr_pa_tnc_error.c \ + ietf/ietf_attr_port_filter.h ietf/ietf_attr_port_filter.c \ + ietf/ietf_attr_product_info.h ietf/ietf_attr_product_info.c \ + ietf/ietf_attr_remediation_instr.h ietf/ietf_attr_remediation_instr.c \ + ietf/ietf_attr_string_version.h ietf/ietf_attr_string_version.c \ + ita/ita_attr.h ita/ita_attr.c \ + ita/ita_attr_command.h ita/ita_attr_command.c \ + ita/ita_attr_dummy.h ita/ita_attr_dummy.c \ + ita/ita_attr_get_settings.h ita/ita_attr_get_settings.c \ + ita/ita_attr_settings.h ita/ita_attr_settings.c \ + ita/ita_attr_angel.h ita/ita_attr_angel.c \ + ita/ita_attr_device_id.h ita/ita_attr_device_id.c \ + os_info/os_info.h os_info/os_info.c \ 
+ pa_tnc/pa_tnc_attr.h \ + pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \ + pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c + +LOCAL_SRC_FILES := $(filter %.c,$(libimcv_la_SOURCES)) + +# build libimcv ---------------------------------------------------------------- + +LOCAL_C_INCLUDES += \ + $(strongswan_PATH)/src/libtncif \ + $(strongswan_PATH)/src/libstrongswan + +LOCAL_CFLAGS := $(strongswan_CFLAGS) + +LOCAL_MODULE := libimcv + +LOCAL_MODULE_TAGS := optional + +LOCAL_ARM_MODE := arm + +LOCAL_PRELINK_MODULE := false + +LOCAL_SHARED_LIBRARIES += libstrongswan libtncif + +include $(BUILD_SHARED_LIBRARY) diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am index 96e759724..4bed3bf03 100644 --- a/src/libimcv/Makefile.am +++ b/src/libimcv/Makefile.am @@ -11,18 +11,25 @@ libimcv_la_LIBADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(top_builddir)/src/libtncif/libtncif.la +if USE_WINDOWS + libimcv_la_LIBADD += -lws2_32 +endif + libimcv_la_SOURCES = \ imcv.h imcv.c \ imc/imc_agent.h imc/imc_agent.c imc/imc_state.h \ imc/imc_msg.h imc/imc_msg.c \ + imc/imc_os_info.h imc/imc_os_info.c \ imv/imv_agent.h imv/imv_agent.c imv/imv_state.h \ imv/imv_agent_if.h imv/imv_if.h \ imv/imv_database.h imv/imv_database.c \ imv/imv_msg.h imv/imv_msg.c \ imv/imv_lang_string.h imv/imv_lang_string.c \ + imv/imv_os_info.h imv/imv_os_info.c \ imv/imv_reason_string.h imv/imv_reason_string.c \ imv/imv_remediation_string.h imv/imv_remediation_string.c \ imv/imv_session.h imv/imv_session.c \ + imv/imv_session_manager.h imv/imv_session_manager.c \ imv/imv_workitem.h imv/imv_workitem.c \ ietf/ietf_attr.h ietf/ietf_attr.c \ ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \ 
@@ -50,10 +57,10 @@ libimcv_la_SOURCES = \ pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c ipsec_SCRIPTS = imv/_imv_policy -EXTRA_DIST = imv/_imv_policy +EXTRA_DIST = imv/_imv_policy Android.mk templatesdir = $(pkgdatadir)/templates/database/imv -dist_templates_DATA = imv/tables.sql imv/data.sql +dist_templates_DATA = imv/tables.sql imv/tables-mysql.sql imv/data.sql ipsec_PROGRAMS = imv_policy_manager imv_policy_manager_SOURCES = \ diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in index 9d8d86358..4614dd607 100644 --- a/src/libimcv/Makefile.in +++ b/src/libimcv/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.3 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -81,13 +81,14 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ +@USE_WINDOWS_TRUE@am__append_1 = -lws2_32 ipsec_PROGRAMS = imv_policy_manager$(EXEEXT) -@USE_IMC_TEST_TRUE@am__append_1 = plugins/imc_test -@USE_IMV_TEST_TRUE@am__append_2 = plugins/imv_test -@USE_IMC_SCANNER_TRUE@am__append_3 = plugins/imc_scanner -@USE_IMV_SCANNER_TRUE@am__append_4 = plugins/imv_scanner -@USE_IMC_OS_TRUE@am__append_5 = plugins/imc_os -@USE_IMV_OS_TRUE@am__append_6 = plugins/imv_os +@USE_IMC_TEST_TRUE@am__append_2 = plugins/imc_test +@USE_IMV_TEST_TRUE@am__append_3 = plugins/imv_test +@USE_IMC_SCANNER_TRUE@am__append_4 = plugins/imc_scanner +@USE_IMV_SCANNER_TRUE@am__append_5 = plugins/imv_scanner +@USE_IMC_OS_TRUE@am__append_6 = plugins/imc_os +@USE_IMV_OS_TRUE@am__append_7 = plugins/imv_os subdir = src/libimcv DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp $(dist_templates_DATA) 
@@ -138,14 +139,16 @@ am__uninstall_files_from_dir = { \ am__installdirs = "$(DESTDIR)$(ipseclibdir)" "$(DESTDIR)$(ipsecdir)" \ "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(templatesdir)" LTLIBRARIES = $(ipseclib_LTLIBRARIES) +am__DEPENDENCIES_1 = libimcv_la_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ - $(top_builddir)/src/libtncif/libtncif.la + $(top_builddir)/src/libtncif/libtncif.la $(am__DEPENDENCIES_1) am__dirstamp = $(am__leading_dot)dirstamp am_libimcv_la_OBJECTS = imcv.lo imc/imc_agent.lo imc/imc_msg.lo \ - imv/imv_agent.lo imv/imv_database.lo imv/imv_msg.lo \ - imv/imv_lang_string.lo imv/imv_reason_string.lo \ - imv/imv_remediation_string.lo imv/imv_session.lo \ + imc/imc_os_info.lo imv/imv_agent.lo imv/imv_database.lo \ + imv/imv_msg.lo imv/imv_lang_string.lo imv/imv_os_info.lo \ + imv/imv_reason_string.lo imv/imv_remediation_string.lo \ + imv/imv_session.lo imv/imv_session_manager.lo \ imv/imv_workitem.lo ietf/ietf_attr.lo \ ietf/ietf_attr_assess_result.lo ietf/ietf_attr_attr_request.lo \ ietf/ietf_attr_fwd_enabled.lo \ @@ -343,6 +346,7 @@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ @@ -361,6 +365,7 @@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ @@ -388,6 +393,7 @@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ 
@@ -479,6 +485,7 @@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ @@ -497,22 +504,24 @@ ipseclib_LTLIBRARIES = libimcv.la libimcv_la_LDFLAGS = \ -no-undefined -libimcv_la_LIBADD = \ +libimcv_la_LIBADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ - $(top_builddir)/src/libtncif/libtncif.la - + $(top_builddir)/src/libtncif/libtncif.la $(am__append_1) libimcv_la_SOURCES = \ imcv.h imcv.c \ imc/imc_agent.h imc/imc_agent.c imc/imc_state.h \ imc/imc_msg.h imc/imc_msg.c \ + imc/imc_os_info.h imc/imc_os_info.c \ imv/imv_agent.h imv/imv_agent.c imv/imv_state.h \ imv/imv_agent_if.h imv/imv_if.h \ imv/imv_database.h imv/imv_database.c \ imv/imv_msg.h imv/imv_msg.c \ imv/imv_lang_string.h imv/imv_lang_string.c \ + imv/imv_os_info.h imv/imv_os_info.c \ imv/imv_reason_string.h imv/imv_reason_string.c \ imv/imv_remediation_string.h imv/imv_remediation_string.c \ imv/imv_session.h imv/imv_session.c \ + imv/imv_session_manager.h imv/imv_session_manager.c \ imv/imv_workitem.h imv/imv_workitem.c \ ietf/ietf_attr.h ietf/ietf_attr.c \ ietf/ietf_attr_assess_result.h ietf/ietf_attr_assess_result.c \ @@ -540,9 +549,9 @@ libimcv_la_SOURCES = \ pa_tnc/pa_tnc_attr_manager.h pa_tnc/pa_tnc_attr_manager.c ipsec_SCRIPTS = imv/_imv_policy -EXTRA_DIST = imv/_imv_policy +EXTRA_DIST = imv/_imv_policy Android.mk templatesdir = $(pkgdatadir)/templates/database/imv -dist_templates_DATA = imv/tables.sql imv/data.sql +dist_templates_DATA = imv/tables.sql imv/tables-mysql.sql imv/data.sql imv_policy_manager_SOURCES = \ imv/imv_policy_manager.c \ imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c 
@@ -551,8 +560,8 @@ imv_policy_manager_LDADD = \ $(top_builddir)/src/libstrongswan/libstrongswan.la #imv/imv_policy_manager.o : $(top_builddir)/config.status -SUBDIRS = . $(am__append_1) $(am__append_2) $(am__append_3) \ - $(am__append_4) $(am__append_5) $(am__append_6) +SUBDIRS = . $(am__append_2) $(am__append_3) $(am__append_4) \ + $(am__append_5) $(am__append_6) $(am__append_7) all: all-recursive .SUFFIXES: @@ -630,6 +639,7 @@ imc/$(DEPDIR)/$(am__dirstamp): @: > imc/$(DEPDIR)/$(am__dirstamp) imc/imc_agent.lo: imc/$(am__dirstamp) imc/$(DEPDIR)/$(am__dirstamp) imc/imc_msg.lo: imc/$(am__dirstamp) imc/$(DEPDIR)/$(am__dirstamp) +imc/imc_os_info.lo: imc/$(am__dirstamp) imc/$(DEPDIR)/$(am__dirstamp) imv/$(am__dirstamp): @$(MKDIR_P) imv @: > imv/$(am__dirstamp) @@ -641,11 +651,14 @@ imv/imv_database.lo: imv/$(am__dirstamp) imv/$(DEPDIR)/$(am__dirstamp) imv/imv_msg.lo: imv/$(am__dirstamp) imv/$(DEPDIR)/$(am__dirstamp) imv/imv_lang_string.lo: imv/$(am__dirstamp) \ imv/$(DEPDIR)/$(am__dirstamp) +imv/imv_os_info.lo: imv/$(am__dirstamp) imv/$(DEPDIR)/$(am__dirstamp) imv/imv_reason_string.lo: imv/$(am__dirstamp) \ imv/$(DEPDIR)/$(am__dirstamp) imv/imv_remediation_string.lo: imv/$(am__dirstamp) \ imv/$(DEPDIR)/$(am__dirstamp) imv/imv_session.lo: imv/$(am__dirstamp) imv/$(DEPDIR)/$(am__dirstamp) +imv/imv_session_manager.lo: imv/$(am__dirstamp) \ + imv/$(DEPDIR)/$(am__dirstamp) imv/imv_workitem.lo: imv/$(am__dirstamp) imv/$(DEPDIR)/$(am__dirstamp) ietf/$(am__dirstamp): @$(MKDIR_P) ietf 
@@ -845,15 +858,18 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@ietf/$(DEPDIR)/ietf_attr_string_version.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@imc/$(DEPDIR)/imc_agent.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@imc/$(DEPDIR)/imc_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@imc/$(DEPDIR)/imc_os_info.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@imv/$(DEPDIR)/imv_agent.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@imv/$(DEPDIR)/imv_database.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@imv/$(DEPDIR)/imv_lang_string.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@imv/$(DEPDIR)/imv_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@imv/$(DEPDIR)/imv_os_info.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@imv/$(DEPDIR)/imv_policy_manager.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@imv/$(DEPDIR)/imv_policy_manager_usage.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@imv/$(DEPDIR)/imv_reason_string.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@imv/$(DEPDIR)/imv_remediation_string.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@imv/$(DEPDIR)/imv_session.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@imv/$(DEPDIR)/imv_session_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@imv/$(DEPDIR)/imv_workitem.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@ita/$(DEPDIR)/ita_attr.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@ita/$(DEPDIR)/ita_attr_angel.Plo@am__quote@ diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.c b/src/libimcv/ietf/ietf_attr_installed_packages.c index 462805e38..f33f643af 100644 --- a/src/libimcv/ietf/ietf_attr_installed_packages.c +++ b/src/libimcv/ietf/ietf_attr_installed_packages.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Andreas Steffen + * Copyright (C) 2012-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -41,8 +41,6 @@ typedef struct package_entry_t package_entry_t; * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -#define INSTALLED_PACKAGES_MIN_SIZE 4 - /** * Private data of an ietf_attr_installed_packages_t object. */ @@ -132,7 +130,7 @@ METHOD(pa_tnc_attr_t, build, void, { return; } - writer = bio_writer_create(INSTALLED_PACKAGES_MIN_SIZE); + writer = bio_writer_create(IETF_INSTALLED_PACKAGES_MIN_SIZE); writer->write_uint16(writer, 0x0000); writer->write_uint16(writer, this->packages->get_count(this->packages)); @@ -160,7 +158,7 @@ METHOD(pa_tnc_attr_t, process, status_t, *offset = 0; - if (this->value.len < INSTALLED_PACKAGES_MIN_SIZE) + if (this->value.len < IETF_INSTALLED_PACKAGES_MIN_SIZE) { DBG1(DBG_TNC, "insufficient data for IETF installed packages"); return FAILED; @@ -168,7 +166,7 @@ METHOD(pa_tnc_attr_t, process, status_t, reader = bio_reader_create(this->value); reader->read_uint16(reader, &reserved); reader->read_uint16(reader, &count); - *offset = INSTALLED_PACKAGES_MIN_SIZE; + *offset = IETF_INSTALLED_PACKAGES_MIN_SIZE; while (reader->remaining(reader)) { diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.h b/src/libimcv/ietf/ietf_attr_installed_packages.h index b79c4040c..e19d0f47b 100644 --- a/src/libimcv/ietf/ietf_attr_installed_packages.h +++ b/src/libimcv/ietf/ietf_attr_installed_packages.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Andreas Steffen + * Copyright (C) 2012-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -26,6 +26,7 @@ typedef struct ietf_attr_installed_packages_t ietf_attr_installed_packages_t; #include "ietf_attr.h" #include "pa_tnc/pa_tnc_attr.h" +#define IETF_INSTALLED_PACKAGES_MIN_SIZE 4 /** * Class implementing the IETF PA-TNC Installed Packages attribute. diff --git a/src/libimcv/imc/imc_agent.c b/src/libimcv/imc/imc_agent.c index 7dc3abddd..533151799 100644 --- a/src/libimcv/imc/imc_agent.c 
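Review bot: The new `#define IETF_INSTALLED_PACKAGES_MIN_SIZE 4` in ietf_attr_installed_packages.h is exported without any comment, so a reader of the header cannot tell what the four bytes are. The build() and process() code in ietf_attr_installed_packages.c on this page shows them as the 16-bit reserved field followed by the 16-bit package count, so a line such as `/* size of the fixed attribute header: 16-bit reserved field + 16-bit package count */` above the define would document it. Which other module needs the constant now that it is public is not visible here.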
+++ b/src/libimcv/imc/imc_agent.c @@ -490,7 +490,7 @@ METHOD(imc_agent_t, reserve_additional_ids, TNC_Result, count--; /* store the scalar value in the pointer */ - pointer = (void*)id; + pointer = (void*)(uintptr_t)id; this->additional_ids->insert_last(this->additional_ids, pointer); DBG2(DBG_IMC, "IMC %u \"%s\" reserved additional ID %u", this->id, this->name, id); @@ -566,4 +566,3 @@ imc_agent_t *imc_agent_create(const char *name, return &this->public; } - diff --git a/src/libimcv/imc/imc_msg.c b/src/libimcv/imc/imc_msg.c index 1fc3d3be5..1cf81c730 100644 --- a/src/libimcv/imc/imc_msg.c +++ b/src/libimcv/imc/imc_msg.c @@ -177,11 +177,21 @@ METHOD(imc_msg_t, send_, TNC_Result, /** * Print a clearly visible assessment header to the log */ -static void print_assessment_header(const char *name, TNC_UInt32 id, bool *first) +static void print_assessment_header(const char *name, TNC_UInt32 dst_id, + TNC_UInt32 src_id, bool *first) { if (*first) { - DBG1(DBG_IMC, "***** assessment of IMC %u \"%s\" *****", id, name); + if (src_id == TNC_IMCID_ANY) + { + DBG1(DBG_IMC, "***** assessment of IMC %u \"%s\" *****", + dst_id, name); + } + else + { + DBG1(DBG_IMC, "***** assessment of IMC %u \"%s\" from IMV %u *****", + dst_id, name, src_id); + } *first = FALSE; } } @@ -294,7 +304,7 @@ METHOD(imc_msg_t, receive, TNC_Result, this->state->set_result(this->state, target_imc_id, result); print_assessment_header(this->agent->get_name(this->agent), - target_imc_id, &first); + target_imc_id, this->src_id, &first); DBG1(DBG_IMC, "assessment result is '%N'", TNC_IMV_Evaluation_Result_names, result); } @@ -309,7 +319,7 @@ METHOD(imc_msg_t, receive, TNC_Result, parameters = attr_cast->get_parameters(attr_cast); print_assessment_header(this->agent->get_name(this->agent), - target_imc_id, &first); + target_imc_id, this->src_id, &first); if (parameters_type.vendor_id == PEN_IETF) { switch (parameters_type.type) 
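Review bot: The comment above print_assessment_header in imc_msg.c still reads only "Print a clearly visible assessment header to the log" and says nothing about the new src_id parameter, although the TNC_IMCID_ANY comparison is now the one non-obvious branch in the function. Suggest adding `@param dst_id ID of the IMC being assessed`, `@param src_id ID of the IMV the message came from, TNC_IMCID_ANY if none is given` and `@param first set to FALSE once the header has been printed`. What this->src_id holds at the two call sites in receive() cannot be seen here, so the wording of the src_id line should be checked against imc_msg_t.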
diff --git a/src/libimcv/imc/imc_os_info.c b/src/libimcv/imc/imc_os_info.c
new file mode 100644
index 000000000..b01a14c01
--- /dev/null
+++ b/src/libimcv/imc/imc_os_info.c
@@ -0,0 +1,632 @@ +/* + * Copyright (C) 2012-2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/* for GetTickCount64, Windows 7 */ +#ifdef WIN32 +# define _WIN32_WINNT 0x0601 +#endif + +#include "imc_os_info.h" + +#include <stdio.h> +#include <stdarg.h> + +#include <collections/linked_list.h> +#include <utils/debug.h> + +typedef struct private_imc_os_info_t private_imc_os_info_t; + +/** + * Private data of an imc_os_info_t object. + * + */ +struct private_imc_os_info_t { + + /** + * Public imc_os_info_t interface. + */ + imc_os_info_t public; + + /** + * OS type + */ + os_type_t type; + + /** + * OS name + */ + chunk_t name; + + /** + * OS version + */ + chunk_t version; + +}; + +METHOD(imc_os_info_t, get_type, os_type_t, + private_imc_os_info_t *this) +{ + return this->type; +} + +METHOD(imc_os_info_t, get_name, chunk_t, + private_imc_os_info_t *this) +{ + return this->name; +} + +METHOD(imc_os_info_t, get_numeric_version, void, + private_imc_os_info_t *this, u_int32_t *major, u_int32_t *minor) +{ + u_char *pos; + + if (major) + { + *major = atol(this->version.ptr); + } + pos = memchr(this->version.ptr, '.', this->version.len); + if (minor) + { + *minor = pos ? 
atol(pos + 1) : 0; + } +} + +METHOD(imc_os_info_t, get_version, chunk_t, + private_imc_os_info_t *this) +{ + return this->version; +} + +#ifdef WIN32 + +METHOD(imc_os_info_t, get_fwd_status, os_fwd_status_t, + private_imc_os_info_t *this) +{ + return OS_FWD_UNKNOWN; +} + +METHOD(imc_os_info_t, get_uptime, time_t, + private_imc_os_info_t *this) +{ + return GetTickCount64() / 1000; +} + +METHOD(imc_os_info_t, get_setting, chunk_t, + private_imc_os_info_t *this, char *name) +{ + return chunk_empty; +} + +METHOD(imc_os_info_t, create_package_enumerator, enumerator_t*, + private_imc_os_info_t *this) +{ + return NULL; +} + +/** + * Determine Windows release + */ +static bool extract_platform_info(os_type_t *type, chunk_t *name, + chunk_t *version) +{ + OSVERSIONINFOEX osvie; + char buf[64]; + + memset(&osvie, 0, sizeof(osvie)); + osvie.dwOSVersionInfoSize = sizeof(osvie); + + if (!GetVersionEx((LPOSVERSIONINFO)&osvie)) + { + return FALSE; + } + *type = OS_TYPE_WINDOWS; + snprintf(buf, sizeof(buf), "Windows %s %s", + osvie.wProductType == VER_NT_WORKSTATION ? 
"Client" : "Server", +#ifdef WIN64 + "x86_64" +#else + "x86" +#endif + ); + *name = chunk_clone(chunk_from_str(buf)); + + snprintf(buf, sizeof(buf), "%d.%d.%d (SP %d.%d)", + osvie.dwMajorVersion, osvie.dwMinorVersion, osvie.dwBuildNumber, + osvie.wServicePackMajor, osvie.wServicePackMinor); + *version = chunk_clone(chunk_from_str(buf)); + + return TRUE; +} + +#else /* !WIN32 */ + +#include <sys/utsname.h> + +METHOD(imc_os_info_t, get_fwd_status, os_fwd_status_t, + private_imc_os_info_t *this) +{ + const char ip_forward[] = "/proc/sys/net/ipv4/ip_forward"; + char buf[2]; + FILE *file; + + os_fwd_status_t fwd_status = OS_FWD_UNKNOWN; + + file = fopen(ip_forward, "r"); + if (file) + { + if (fread(buf, 1, 1, file) == 1) + { + switch (buf[0]) + { + case '0': + fwd_status = OS_FWD_DISABLED; + break; + case '1': + fwd_status = OS_FWD_ENABLED; + break; + default: + DBG1(DBG_IMC, "\"%s\" returns invalid value ", ip_forward); + break; + } + } + else + { + DBG1(DBG_IMC, "could not read from \"%s\"", ip_forward); + } + fclose(file); + } + else + { + DBG1(DBG_IMC, "failed to open \"%s\"", ip_forward); + } + + return fwd_status; +} + +METHOD(imc_os_info_t, get_uptime, time_t, + private_imc_os_info_t *this) +{ + const char proc_uptime[] = "/proc/uptime"; + FILE *file; + u_int uptime; + + file = fopen(proc_uptime, "r"); + if (!file) + { + DBG1(DBG_IMC, "failed to open \"%s\"", proc_uptime); + return 0; + } + if (fscanf(file, "%u", &uptime) != 1) + { + DBG1(DBG_IMC, "failed to read file \"%s\"", proc_uptime); + uptime = 0; + } + fclose(file); + + return uptime; +} + +METHOD(imc_os_info_t, get_setting, chunk_t, + private_imc_os_info_t *this, char *name) +{ + FILE *file; + u_char buf[2048]; + size_t i = 0; + chunk_t value; + + if (!strpfx(name, "/etc/") && !strpfx(name, "/proc/") && + !strpfx(name, "/sys/") && !strpfx(name, "/var/")) + { + /** + * In order to guarantee privacy, only settings from the + * /etc/, /proc/ and /sys/ directories can be retrieved + */ + DBG1(DBG_IMC, "not 
allowed to access '%s'", name); + + return chunk_empty; + } + + file = fopen(name, "r"); + if (!file) + { + DBG1(DBG_IMC, "failed to open '%s'", name); + + return chunk_empty; + } + while (i < sizeof(buf) && fread(buf + i, 1, 1, file) == 1) + { + i++; + } + fclose(file); + + value = chunk_create(buf, i); + + return chunk_clone(value); +} + +typedef struct { + /** + * implements enumerator_t + */ + enumerator_t public; + + /** + * package info pipe stream + */ + FILE* file; + + /** + * line buffer + */ + u_char line[512]; + +} package_enumerator_t; + +/** + * Implementation of package_enumerator.destroy. + */ +static void package_enumerator_destroy(package_enumerator_t *this) +{ + pclose(this->file); + free(this); +} + +/** + * Implementation of package_enumerator.enumerate + */ +static bool package_enumerator_enumerate(package_enumerator_t *this, ...) +{ + chunk_t *name, *version; + u_char *pos; + va_list args; + + while (TRUE) + { + if (!fgets(this->line, sizeof(this->line), this->file)) + { + return FALSE; + } + + pos = strchr(this->line, '\t'); + if (!pos) + { + return FALSE; + } + *pos++ = '\0'; + + if (!streq(this->line, "install ok installed")) + { + continue; + } + va_start(args, this); + + name = va_arg(args, chunk_t*); + name->ptr = pos; + pos = strchr(pos, '\t'); + if (!pos) + { + va_end(args); + return FALSE; + } + name->len = pos++ - name->ptr; + + version = va_arg(args, chunk_t*); + version->ptr = pos; + version->len = strlen(pos) - 1; + + va_end(args); + return TRUE; + } +} + +METHOD(imc_os_info_t, create_package_enumerator, enumerator_t*, + private_imc_os_info_t *this) +{ + FILE *file; + const char command[] = "dpkg-query --show --showformat=" + "'${Status}\t${Package}\t${Version}\n'"; + package_enumerator_t *enumerator; + + /* Only Debian and Ubuntu package enumeration is currently supported */ + if (this->type != OS_TYPE_DEBIAN && this->type != OS_TYPE_UBUNTU) + { + return NULL; + } + + /* Open a pipe stream for reading the output of the dpkg-query 
commmand */ + file = popen(command, "r"); + if (!file) + { + DBG1(DBG_IMC, "failed to run dpkg command"); + return NULL; + } + + /* Create a package enumerator instance */ + enumerator = malloc_thing(package_enumerator_t); + enumerator->public.enumerate = (void*)package_enumerator_enumerate; + enumerator->public.destroy = (void*)package_enumerator_destroy; + enumerator->file = file; + + return (enumerator_t*)enumerator; +} + +#define RELEASE_LSB 0 +#define RELEASE_DEBIAN 1 + +/** + * Determine Linux distribution version and hardware platform + */ +static bool extract_platform_info(os_type_t *type, chunk_t *name, + chunk_t *version) +{ + FILE *file; + u_char buf[BUF_LEN], *pos = buf; + int len = BUF_LEN - 1; + os_type_t os_type = OS_TYPE_UNKNOWN; + chunk_t os_name = chunk_empty; + chunk_t os_version = chunk_empty; + char *os_str; + struct utsname uninfo; + int i; + + /* Linux/Unix distribution release info (from http://linuxmafia.com) */ + const char* releases[] = { + "/etc/lsb-release", "/etc/debian_version", + "/etc/SuSE-release", "/etc/novell-release", + "/etc/sles-release", "/etc/redhat-release", + "/etc/fedora-release", "/etc/gentoo-release", + "/etc/slackware-version", "/etc/annvix-release", + "/etc/arch-release", "/etc/arklinux-release", + "/etc/aurox-release", "/etc/blackcat-release", + "/etc/cobalt-release", "/etc/conectiva-release", + "/etc/debian_release", "/etc/immunix-release", + "/etc/lfs-release", "/etc/linuxppc-release", + "/etc/mandrake-release", "/etc/mandriva-release", + "/etc/mandrakelinux-release", "/etc/mklinux-release", + "/etc/pld-release", "/etc/redhat_version", + "/etc/slackware-release", "/etc/e-smith-release", + "/etc/release", "/etc/sun-release", + "/etc/tinysofa-release", "/etc/turbolinux-release", + "/etc/ultrapenguin-release", "/etc/UnitedLinux-release", + "/etc/va-release", "/etc/yellowdog-release" + }; + + const char lsb_distrib_id[] = "DISTRIB_ID="; + const char lsb_distrib_release[] = "DISTRIB_RELEASE="; + + for (i = 0; i < 
countof(releases); i++) + { + file = fopen(releases[i], "r"); + if (!file) + { + continue; + } + + /* read release file into buffer */ + fseek(file, 0, SEEK_END); + len = min(ftell(file), len); + rewind(file); + buf[len] = '\0'; + if (fread(buf, 1, len, file) != len) + { + DBG1(DBG_IMC, "failed to read file \"%s\"", releases[i]); + fclose(file); + return FALSE; + } + fclose(file); + + DBG1(DBG_IMC, "processing \"%s\" file", releases[i]); + + switch (i) + { + case RELEASE_LSB: + { + /* Determine Distribution ID */ + pos = strstr(buf, lsb_distrib_id); + if (!pos) + { + DBG1(DBG_IMC, "failed to find begin of DISTRIB_ID field"); + return FALSE; + } + pos += strlen(lsb_distrib_id); + + os_name.ptr = pos; + + pos = strchr(pos, '\n'); + if (!pos) + { + DBG1(DBG_IMC, "failed to find end of DISTRIB_ID field"); + return FALSE; + } + os_name.len = pos - os_name.ptr; + + /* Determine Distribution Release */ + pos = strstr(buf, lsb_distrib_release); + if (!pos) + { + DBG1(DBG_IMC, "failed to find begin of DISTRIB_RELEASE field"); + return FALSE; + } + pos += strlen(lsb_distrib_release); + + os_version.ptr = pos; + + pos = strchr(pos, '\n'); + if (!pos) + { + DBG1(DBG_IMC, "failed to find end of DISTRIB_RELEASE field"); + return FALSE; + } + os_version.len = pos - os_version.ptr; + + break; + } + case RELEASE_DEBIAN: + { + os_type = OS_TYPE_DEBIAN; + + os_version.ptr = buf; + pos = strchr(buf, '\n'); + if (!pos) + { + DBG1(DBG_PTS, "failed to find end of release string"); + return FALSE; + } + + os_version.len = pos - os_version.ptr; + + break; + } + default: + { + const char str_release[] = " release "; + + os_name.ptr = buf; + + pos = strstr(buf, str_release); + if (!pos) + { + DBG1(DBG_IMC, "failed to find release keyword"); + return FALSE; + } + + os_name.len = pos - os_name.ptr; + + pos += strlen(str_release); + os_version.ptr = pos; + + pos = strchr(pos, '\n'); + if (!pos) + { + DBG1(DBG_IMC, "failed to find end of release string"); + return FALSE; + } + + os_version.len = 
pos - os_version.ptr; + + break; + } + } + break; + } + + if (!os_version.ptr) + { + DBG1(DBG_IMC, "no distribution release file found"); + return FALSE; + } + + if (uname(&uninfo) < 0) + { + DBG1(DBG_IMC, "could not retrieve machine architecture"); + return FALSE; + } + + /* Try to find a matching OS type based on the OS name */ + if (os_type == OS_TYPE_UNKNOWN) + { + os_type = os_type_from_name(os_name); + } + + /* If known use the official OS name */ + if (os_type != OS_TYPE_UNKNOWN) + { + os_str = enum_to_name(os_type_names, os_type); + os_name = chunk_create(os_str, strlen(os_str)); + } + + /* copy OS type */ + *type = os_type; + + /* copy OS name */ + *name = chunk_clone(os_name); + + /* copy OS version and machine architecture */ + *version = chunk_alloc(os_version.len + 1 + strlen(uninfo.machine)); + pos = version->ptr; + memcpy(pos, os_version.ptr, os_version.len); + pos += os_version.len; + *pos++ = ' '; + memcpy(pos, uninfo.machine, strlen(uninfo.machine)); + + return TRUE; +} + +#endif /* !WIN32 */ + +METHOD(imc_os_info_t, destroy, void, + private_imc_os_info_t *this) +{ + free(this->name.ptr); + free(this->version.ptr); + free(this); +} + +/** + * See header + */ +imc_os_info_t *imc_os_info_create(void) +{ + private_imc_os_info_t *this; + chunk_t name, version; + os_type_t type; + + /* As an option OS name and OS version can be configured manually */ + name.ptr = lib->settings->get_str(lib->settings, + "%s.imcv.imc_os_info.name", NULL, lib->ns); + version.ptr = lib->settings->get_str(lib->settings, + "%s.imcv.imc_os_info.version", NULL, lib->ns); + if (name.ptr && version.ptr) + { + name.len = strlen(name.ptr); + name = chunk_clone(name); + + version.len = strlen(version.ptr); + version = chunk_clone(version); + + type = os_type_from_name(name); + } + else + { + if (!extract_platform_info(&type, &name, &version)) + { + return NULL; + } + } + DBG1(DBG_IMC, "operating system name is '%.*s'", + name.len, name.ptr); + DBG1(DBG_IMC, "operating system 
version is '%.*s'", + version.len, version.ptr); + + INIT(this, + .public = { + .get_type = _get_type, + .get_name = _get_name, + .get_numeric_version = _get_numeric_version, + .get_version = _get_version, + .get_fwd_status = _get_fwd_status, + .get_uptime = _get_uptime, + .get_setting = _get_setting, + .create_package_enumerator = _create_package_enumerator, + .destroy = _destroy, + }, + .type = type, + .name = name, + .version = version, + ); + + return &this->public; +} diff --git a/src/libimcv/imc/imc_os_info.h b/src/libimcv/imc/imc_os_info.h new file mode 100644 index 000000000..a6db44314 --- /dev/null +++ b/src/libimcv/imc/imc_os_info.h 
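Review bot: get_setting (non-WIN32 branch) only checks `name` with strpfx() against "/etc/", "/proc/", "/sys/" and "/var/", so a name containing ".." components such as `/etc/../...` passes the check and the function reads whatever file the IMC process can open, while the comment above the check still lists only /etc, /proc and /sys. The name presumably arrives from the peer via the get-settings attribute, so the path should be canonicalised with realpath() (PATH_MAX needs <limits.h>) and the prefix check applied to the resolved path, as below; the /var prefix is also worth reconsidering, since it covers logs and application state rather than settings. Two further unchecked reads in the same hunk: get_numeric_version calls atol() on this->version.ptr, but the chunk built with chunk_alloc() in extract_platform_info and the one produced by chunk_clone() in imc_os_info_create carry no terminating NUL, so atol(pos + 1) can run past the allocation when the configured version string ends right after the digits (copy the chunk into a NUL-terminated local buffer before converting); and extract_platform_info assigns `len = min(ftell(file), len)` without checking ftell() for -1, after which `buf[len] = '\0'` would write before the buffer. Smaller points: package_enumerator_enumerate sets `version->len = strlen(pos) - 1`, which wraps to SIZE_MAX when the last line carries no trailing newline, and the DBG1(DBG_PTS, ...) in the RELEASE_DEBIAN case should be DBG_IMC like the rest of the file.
```c
	char resolved[PATH_MAX];

	/* resolve "..", "." and symlinks first; the prefix check is done on the
	 * canonical path, so a name cannot escape the permitted directories */
	if (!realpath(name, resolved) ||
		(!strpfx(resolved, "/etc/") && !strpfx(resolved, "/proc/") &&
		 !strpfx(resolved, "/sys/") && !strpfx(resolved, "/var/")))
	{
		DBG1(DBG_IMC, "not allowed to access '%s'", name);

		return chunk_empty;
	}

	file = fopen(resolved, "r");
	/* … unchanged: open failure handling, byte-wise read into buf, chunk_clone … */
```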
@@ -0,0 +1,107 @@
+/*
+ * Copyright (C) 2012-2014 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup imc_os_info imc_os_info
+ * @{ @ingroup libimcv
+ */
+
+#ifndef IMC_OS_INFO_H_
+#define IMC_OS_INFO_H_
+
+typedef struct imc_os_info_t imc_os_info_t;
+
+#include "os_info/os_info.h"
+
+#include <library.h>
+
+#include <time.h>
+
+/**
+ * Interface for the IMC Operating System (OS) information module
+ */
+struct imc_os_info_t {
+
+ /**
+ * Get the OS type if it can be determined
+ *
+ * @return OS type
+ */
+ os_type_t (*get_type)(imc_os_info_t *this);
+
+ /**
+ * Get the OS product name or distribution
+ *
+ * @return OS name
+ */
+ chunk_t (*get_name)(imc_os_info_t *this);
+
+ /**
+ * Get the numeric OS version or release
+ *
+ * @param major OS major version number
+ * @param minor OS minor version number
+ */
+ void (*get_numeric_version)(imc_os_info_t *this, u_int32_t *major,
+ u_int32_t *minor);
+
+ /**
+ * Get the OS version or release
+ *
+ * @return OS version
+ */
+ chunk_t (*get_version)(imc_os_info_t *this);
+
+ /**
+ * Get the OS IPv4 forwarding status
+ *
+ * @return IP forwarding status
+ */
+ os_fwd_status_t (*get_fwd_status)(imc_os_info_t *this);
+
+ /**
+ * Get the OS uptime in seconds
+ *
+ * @return OS uptime
+ */
+ time_t (*get_uptime)(imc_os_info_t *this);
+
+ /**
+ * Get an OS setting (restricted to /proc, /sys, and /etc)
+ *
+ * @param name name of OS setting
+ * 
@return value of OS setting + */ + chunk_t (*get_setting)(imc_os_info_t *this, char *name); + + /** + * Enumerates over all installed packages + * + * @return return package enumerator + */ + enumerator_t* (*create_package_enumerator)(imc_os_info_t *this); + + /** + * Destroys an imc_os_info_t object. + */ + void (*destroy)(imc_os_info_t *this); +}; + +/** + * Create an imc_os_info_t object + */ +imc_os_info_t* imc_os_info_create(void); + +#endif /** IMC_OS_INFO_H_ @}*/ diff --git a/src/libimcv/imcv.c b/src/libimcv/imcv.c index 2a4fd33df..30679a33d 100644 --- a/src/libimcv/imcv.c +++ b/src/libimcv/imcv.c @@ -20,7 +20,9 @@ #include <utils/utils.h> #include <pen/pen.h> +#ifdef HAVE_SYSLOG #include <syslog.h> +#endif #define IMCV_DEBUG_LEVEL 1 #define IMCV_DEFAULT_POLICY_SCRIPT "ipsec _imv_policy" @@ -32,6 +34,11 @@ pa_tnc_attr_manager_t *imcv_pa_tnc_attributes; /** + * Global list of IMV sessions + */ +imv_session_manager_t *imcv_sessions; + +/** * Global IMV database */ imv_database_t *imcv_db; @@ -57,9 +64,6 @@ static bool imcv_stderr_quiet; */ static void imcv_dbg(debug_t group, level_t level, char *fmt, ...) { - int priority = LOG_INFO; - char buffer[8192]; - char *current = buffer, *next; va_list args; if (level <= imcv_debug_level) 
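Review bot: `get_numeric_version` in the new imc_os_info.h still spells its out-parameters `u_int32_t *major, u_int32_t *minor`, while the same commit converts imv_agent.c and imv_agent.h from `u_int32_t` to `uint32_t`. A header added by this commit should use the C99 `<stdint.h>` name from the start, `void (*get_numeric_version)(imc_os_info_t *this, uint32_t *major, uint32_t *minor);`, rather than the non-standard `<sys/types.h>` alias, especially since the commit also adds an Android build file for this library.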
@@ -73,22 +77,30 @@ static void imcv_dbg(debug_t group, level_t level, char *fmt, ...) va_end(args); } - /* write in memory buffer first */ - va_start(args, fmt); - vsnprintf(buffer, sizeof(buffer), fmt, args); - va_end(args); - - /* do a syslog with every line */ - while (current) +#ifdef HAVE_SYSLOG { - next = strchr(current, '\n'); - if (next) + int priority = LOG_INFO; + char buffer[8192]; + char *current = buffer, *next; + + /* write in memory buffer first */ + va_start(args, fmt); + vsnprintf(buffer, sizeof(buffer), fmt, args); + va_end(args); + + /* do a syslog with every line */ + while (current) { - *(next++) = '\0'; + next = strchr(current, '\n'); + if (next) + { + *(next++) = '\0'; + } + syslog(priority, "[HSR] %s\n", current); + current = next; } - syslog(priority, "[HSR] %s\n", current); - current = next; } +#endif /* HAVE_SYSLOG */ } } @@ -122,7 +134,9 @@ bool libimcv_init(bool is_imv) /* activate the imcv debugging hook */ dbg = imcv_dbg; +#ifdef HAVE_SYSLOG openlog("imcv", 0, LOG_DAEMON); +#endif if (!lib->plugins->load(lib->plugins, lib->settings->get_str(lib->settings, "libimcv.load", @@ -149,9 +163,12 @@ bool libimcv_init(bool is_imv) imcv_pa_tnc_attributes->add_vendor(imcv_pa_tnc_attributes, PEN_ITA, ita_attr_create_from_data, ita_attr_names); - /* attach global IMV database */ if (is_imv) { + /* instantiate global IMV session manager */ + imcv_sessions = imv_session_manager_create(); + + /* instantiate and attach global IMV database if URI is valid */ uri = lib->settings->get_str(lib->settings, "%s.imcv.database", NULL, lib->ns); script = lib->settings->get_str(lib->settings, @@ -181,6 +198,7 @@ void libimcv_deinit(void) DESTROY_IF(imcv_pa_tnc_attributes); imcv_pa_tnc_attributes = NULL; DESTROY_IF(imcv_db); + DESTROY_IF(imcv_sessions); DBG1(DBG_LIB, "libimcv terminated"); } if (ref_put(&libstrongswan_ref)) @@ -188,4 +206,3 @@ void libimcv_deinit(void) library_deinit(); } } - 
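Review bot: Inside the `#ifdef HAVE_SYSLOG` block every line is emitted with the constant `priority = LOG_INFO`, so the `level` argument of imcv_dbg is not reflected in the syslog record and a log collector cannot separate level-1 messages from level-4 traces. Deriving the priority from `level` (for example `int priority = (level <= 1) ? LOG_ERR : LOG_INFO;`, or a small level-to-priority table) would keep that severity information. The block is a relocation of existing code, so this is a pre-existing gap rather than a regression; imcv_dbg's signature and the level check are in the previous hunk.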
diff --git a/src/libimcv/imcv.h b/src/libimcv/imcv.h index 10c66e65a..771038803 100644 --- a/src/libimcv/imcv.h +++ b/src/libimcv/imcv.h @@ -36,6 +36,7 @@ #include "pa_tnc/pa_tnc_attr_manager.h" #include "imv/imv_database.h" +#include "imv/imv_session_manager.h" #include <library.h> @@ -62,4 +63,9 @@ extern pa_tnc_attr_manager_t* imcv_pa_tnc_attributes; */ extern imv_database_t* imcv_db; +/** + * Global IMV session manager + */ +extern imv_session_manager_t* imcv_sessions; + #endif /** IMCV_H_ @}*/ diff --git a/src/libimcv/imv/_imv_policy b/src/libimcv/imv/_imv_policy index 68a963c27..056284411 100755 --- a/src/libimcv/imv/_imv_policy +++ b/src/libimcv/imv/_imv_policy @@ -20,18 +20,20 @@ # that, and use the "libimcv.policy_script = " option in strongswan.conf # to make strongSwan use yours instead of this default one. -# Environment variables that this script gets +# Passed arguments # -# TNC_SESSION_ID -# unique session ID used as a reference by the policy -# manager. +# $1 +# action +# $2 +# unique session ID used as a reference by the policy +# manager. # case "$1" in start) - echo "start session $TNC_SESSION_ID" + echo "start session $2" ;; stop) - echo "stop session $TNC_SESSION_ID" + echo "stop session $2" ;; *) echo "$0: unknown command '$1'" exit 1 diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql index 7f3bae813..b45cad487 100644 --- a/src/libimcv/imv/data.sql +++ b/src/libimcv/imv/data.sql 
@@ -216,6 +216,96 @@ INSERT INTO products ( /* 36 */ 'Ubuntu 14.04 x86_64' ); +INSERT INTO products ( /* 37 */ + name +) VALUES ( + 'Debian 7.3 i686' +); + +INSERT INTO products ( /* 38 */ + name +) VALUES ( + 'Debian 7.3 x86_64' +); + +INSERT INTO products ( /* 39 */ + name +) VALUES ( + 'Debian 7.4 i686' +); + +INSERT INTO products ( /* 40 */ + name +) VALUES ( + 'Debian 7.4 x86_64' +); + +INSERT INTO products ( /* 41 */ + name +) VALUES ( + 'Debian 7.5 i686' +); + +INSERT INTO products ( /* 42 */ + name +) VALUES ( + 'Debian 7.5 x86_64' +); + +INSERT INTO products ( /* 43 */ + name +) VALUES ( + 'Debian 7.0 armv6l' +); + +INSERT INTO products ( /* 44 */ + name +) VALUES ( + 'Debian 7.1 armv6l' +); + +INSERT INTO products ( /* 45 */ + name +) VALUES ( + 'Debian 7.2 armv6l' +); + +INSERT INTO products ( /* 46 */ + name +) VALUES ( + 'Debian 7.3 armv6l' +); + +INSERT INTO products ( /* 47 */ + name +) VALUES ( + 'Debian 7.4 armv6l' +); + +INSERT INTO products ( /* 48 */ + name +) VALUES ( + 'Debian 7.5 armv6l' +); + +INSERT INTO products ( /* 49 */ + name +) VALUES ( + 'Android 4.3' +); + +INSERT INTO products ( /* 50 */ + name +) VALUES ( + 'Android 4.4.3' +); + +INSERT INTO products ( /* 51 */ + name +) VALUES ( + 'Android 4.4.4' +); + /* Directories */ INSERT INTO directories ( /* 1 */ @@ -345,12 +435,6 @@ INSERT INTO files ( /* 6 */ INSERT INTO algorithms ( id, name ) VALUES ( - 65536, 'SHA1-IMA' -); - -INSERT INTO algorithms ( - id, name -) VALUES ( 32768, 'SHA1' ); 
@@ -531,27 +615,27 @@ INSERT INTO versions ( /* Components */ INSERT INTO components ( - vendor_id, name, qualifier + vendor_id, name, qualifier, label ) VALUES ( - 36906, 1, 33 /* ITA TGRUB */ + 36906, 1, 33, 'G' /* ITA TGRUB */ ); INSERT INTO components ( - vendor_id, name, qualifier + vendor_id, name, qualifier, label ) VALUES ( - 36906, 2, 33 /* ITA TBOOT */ + 36906, 2, 33, 'T' /* ITA TBOOT */ ); INSERT INTO components ( - vendor_id, name, qualifier + vendor_id, name, qualifier, label ) VALUES ( - 36906, 3, 33 /* ITA IMA - Trusted Platform */ + 36906, 3, 33, 'B' /* ITA IMA - Trusted Platform */ ); INSERT INTO components ( - vendor_id, name, qualifier + vendor_id, name, qualifier, label ) VALUES ( - 36906, 3, 34 /* ITA IMA - Operating System */ + 36906, 3, 34, 'I' /* ITA IMA - Operating System */ ); /* Groups */ @@ -634,6 +718,12 @@ INSERT INTO groups ( /* 13 */ 'TPM BIOS/IMA' ); +INSERT INTO groups ( /* 14 */ + name, parent +) VALUES ( + 'Debian armv6l', 2 +); + /* Default Product Groups */ INSERT INTO groups_product_defaults ( @@ -669,6 +759,24 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 4, 37 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 39 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 41 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 5, 2 ); @@ -699,6 +807,24 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 5, 38 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 40 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 42 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 6, 9 ); 
@@ -846,6 +972,60 @@ INSERT INTO groups_product_defaults ( 3, 34 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 3, 49 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 3, 50 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 3, 51 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 14, 43 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 14, 44 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 14, 45 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 14, 46 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 14, 47 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 14, 48 +); + /* Policies */ INSERT INTO policies ( /* 1 */ 
@@ -1078,139 +1258,64 @@ INSERT INTO enforcements ( /* 17 */ 21, 13, 60 ); -/* regids */ +/* swid_entities */ -INSERT INTO regids ( /* 1 */ - name -) VALUES ( - 'regid.1986-12.com.adobe' -); - -INSERT INTO regids ( /* 2 */ - name -) VALUES ( - 'regid.1991-06.com.microsoft' -); - -INSERT INTO regids ( /* 3 */ - name -) VALUES ( - 'regid.2004-05.com.ubuntu' -); - -INSERT INTO regids ( /* 4 */ - name -) VALUES ( - 'regid.1995-04.org.apache' -); - -INSERT INTO regids ( /* 5 */ - name -) VALUES ( - 'regid.1999-03.org.debian' -); - -INSERT INTO regids ( /* 6 */ - name -) VALUES ( - 'regid.1994-04.org.isc' -); - -INSERT INTO regids ( /* 7 */ - name -) VALUES ( - 'regid.1998-12.org.openssl' -); - -INSERT INTO regids ( /* 8 */ - name -) VALUES ( - 'regid.1998-01.org.samba' -); - -INSERT INTO regids ( /* 9 */ - name -) VALUES ( - 'regid.2002-08.org.sqlite' -); - -INSERT INTO regids ( /* 10 */ - name -) VALUES ( - 'regid.2004-03.org.strongswan' -); - -/* Tags */ - -INSERT INTO tags ( - regid, unique_sw_id -) VALUES ( - 2, 'Windows-8-Pro' -); - -INSERT INTO tags ( - regid, unique_sw_id -) VALUES ( - 5, 'apache-2-2-22-13' -); - -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO "swid_entities" ( /* 1 */ + "name", "regid" ) VALUES ( - 5, 'bind-9-8-4-dfsg' + 'strongSwan Project', 'regid.2004-03.org.strongswan' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 2 */ + "name", "regid" ) VALUES ( - 5, 'libsqlite-3-7-13-1' + 'Adobe Systems Inc.', 'regid.1986-12.com.adobe' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 3 */ + "name", "regid" ) VALUES ( - 5, 'libssl-1-0-1e-2' + 'Microsoft Corporation', 'regid.1991-06.com.microsoft' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 4 */ + "name", "regid" ) VALUES ( - 5, 'libssl-dev-1-0-1e-2' + 'Ubuntu Project', 'regid.2004-05.com.ubuntu' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 5 */ + "name", "regid" ) VALUES ( - 5, 
'libssl-doc-1-0-1e-2' + 'Apache Software Foundation', 'regid.1995-04.org.apache' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 6 */ + "name", "regid" ) VALUES ( - 5, 'openssl-1-0-1e-2' + 'Debian Project', 'regid.1999-03.org.debian' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 7 */ + "name", "regid" ) VALUES ( - 5, 'smbclient-3-6-6-6' + 'Internet Systems Consortium', 'regid.1994-04.org.isc' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 8 */ + "name", "regid" ) VALUES ( - 5, 'sqlite-3-7-13-1' + 'OpenSSL Project', 'regid.1998-12.org.openssl' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 9 */ + "name", "regid" ) VALUES ( - 10, 'strongSwan-5-1-1' + 'Samba Project', 'regid.1998-01.org.samba' ); -INSERT INTO tags ( - regid, unique_sw_id +INSERT INTO swid_entities ( /* 10 */ + "name", "regid" ) VALUES ( - 10, 'strongSwan-5-1-2' + 'SQLite Project', 'regid.2002-08.org.sqlite' ); - diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c index 435c25a3c..a46455d47 100644 --- a/src/libimcv/imv/imv_agent.c +++ b/src/libimcv/imv/imv_agent.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2013 Andreas Steffen + * Copyright (C) 2011-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -52,7 +52,7 @@ struct private_imv_agent_t { /** * number of message types registered by IMV */ - u_int32_t type_count; + uint32_t type_count; /** * ID of IMV as assigned by TNCS @@ -296,10 +296,7 @@ static bool delete_connection(private_imv_agent_t *this, TNC_ConnectionID id) { found = TRUE; session = state->get_session(state); - if (session) - { - imcv_db->remove_session(imcv_db, session); - } + imcv_sessions->remove_session(imcv_sessions, session); state->destroy(state); this->connections->remove_at(this->connections, enumerator); break; 
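Review bot: The first `swid_entities` insert quotes the table name (`INSERT INTO "swid_entities" ( /* 1 */`) while the nine that follow write `INSERT INTO swid_entities (`, and all ten quote the column names as `"name", "regid"` unlike every other statement in this file. Using the unquoted form throughout, `INSERT INTO swid_entities ( /* 1 */` with `name, regid`, keeps the seed data consistent.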
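Review bot: Dropping the `if (session)` guard means `imcv_sessions->remove_session(imcv_sessions, session)` is now called even when `state->get_session(state)` returns NULL, and `imcv_sessions` itself is only created under `if (is_imv)` in libimcv_init, so it may also be NULL in a process that initialised libimcv for an IMC. Unless `remove_session` is documented to accept a NULL session, keep the guard, `if (session) { imcv_sessions->remove_session(imcv_sessions, session); }`. The same unconditional dereference of `imcv_sessions` appears in the create_state hunk at @@ -474. delete_connection starts and ends outside this hunk.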
@@ -346,7 +343,7 @@ static char* get_str_attribute(private_imv_agent_t *this, TNC_ConnectionID id, /** * Read an UInt32 attribute */ -static u_int32_t get_uint_attribute(private_imv_agent_t *this, TNC_ConnectionID id, +static uint32_t get_uint_attribute(private_imv_agent_t *this, TNC_ConnectionID id, TNC_AttributeID attribute_id) { TNC_UInt32 len; @@ -370,7 +367,7 @@ static linked_list_t* get_identity_attribute(private_imv_agent_t *this, { TNC_UInt32 len; char buf[2048]; - u_int32_t count; + uint32_t count; tncif_identity_t *tnc_id; bio_reader_t *reader; linked_list_t *list; @@ -415,8 +412,8 @@ METHOD(imv_agent_t, create_state, TNC_Result, enumerator_t *enumerator; tncif_identity_t *tnc_id; imv_session_t *session; - u_int32_t max_msg_len; - u_int32_t ar_id_type = TNC_ID_UNKNOWN; + uint32_t max_msg_len; + uint32_t ar_id_type = TNC_ID_UNKNOWN; chunk_t ar_id_value = chunk_empty; conn_id = state->get_connection_id(state); @@ -453,7 +450,7 @@ METHOD(imv_agent_t, create_state, TNC_Result, while (enumerator->enumerate(enumerator, &tnc_id)) { pen_type_t id_type, subject_type, auth_type; - u_int32_t tcg_id_type, tcg_subject_type, tcg_auth_type; + uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type; chunk_t id_value; id_type = tnc_id->get_identity_type(tnc_id); 
@@ -474,30 +471,21 @@ METHOD(imv_agent_t, create_state, TNC_Result, id_value.len, id_value.ptr, TNC_Authentication_names, tcg_auth_type); + /* keep the first access requestor ID */ if (first) { ar_id_type = tcg_id_type; ar_id_value = id_value; - state->set_ar_id(state, ar_id_type, ar_id_value); first = FALSE; } } enumerator->destroy(enumerator); - if (imcv_db) - { - session = imcv_db->add_session(imcv_db, conn_id, ar_id_type, ar_id_value); - if (session) - { - DBG2(DBG_IMV, " assigned session ID %d", - session->get_session_id(session)); - state->set_session(state, session); - } - else - { - DBG1(DBG_IMV, " no session ID assigned"); - } - } + session = imcv_sessions->add_session(imcv_sessions, conn_id, + ar_id_type, ar_id_value); + state->set_session(state, session); + + /* clean up temporary variables */ ar_identities->destroy_offset(ar_identities, offsetof(tncif_identity_t, destroy)); free(tnccs_p); @@ -505,9 +493,11 @@ METHOD(imv_agent_t, create_state, TNC_Result, free(t_p); free(t_v); + /* insert state in connection list */ this->connection_lock->write_lock(this->connection_lock); this->connections->insert_last(this->connections, state); this->connection_lock->unlock(this->connection_lock); + return TNC_RESULT_SUCCESS; } @@ -622,7 +612,7 @@ METHOD(imv_agent_t, reserve_additional_ids, TNC_Result, count--; /* store the scalar value in the pointer */ - pointer = (void*)id; + pointer = (void*)(uintptr_t)id; this->additional_ids->insert_last(this->additional_ids, pointer); DBG2(DBG_IMV, "IMV %u \"%s\" reserved additional ID %u", this->id, this->name, id); @@ -800,7 +790,7 @@ METHOD(imv_agent_t, destroy, void, * Described in header. */ imv_agent_t *imv_agent_create(const char *name, - pen_type_t *supported_types, u_int32_t type_count, + pen_type_t *supported_types, uint32_t type_count, TNC_IMVID id, TNC_Version *actual_version) { private_imv_agent_t *this; @@ -841,5 +831,3 @@ imv_agent_t *imv_agent_create(const char *name, return &this->public; } - - 
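Review bot: The result of `imcv_sessions->add_session(...)` is handed straight to `state->set_session(state, session)` without the NULL check and log line the removed code had, so if add_session can fail the state silently carries a NULL session. Keeping a check such as `if (!session) { DBG1(DBG_IMV, " no session ID assigned"); }` before set_session (or returning an error) preserves the previous diagnostics. Also `ar_id_value` is a shallow copy of `id_value`, which appears to belong to a `tnc_id` that is destroyed a few lines later by `ar_identities->destroy_offset`, so add_session must clone it; a comment at the call, `/* add_session must clone ar_id_value: the identities are destroyed below */`, would record that contract. create_state's body continues outside the hunk.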
diff --git a/src/libimcv/imv/imv_agent.h b/src/libimcv/imv/imv_agent.h index d58af260b..47ce770bc 100644 --- a/src/libimcv/imv/imv_agent.h +++ b/src/libimcv/imv/imv_agent.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2013 Andreas Steffen + * Copyright (C) 2011-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -205,7 +205,7 @@ struct imv_agent_t { * */ imv_agent_t *imv_agent_create(const char *name, - pen_type_t *supported_types, u_int32_t type_count, + pen_type_t *supported_types, uint32_t type_count, TNC_IMVID id, TNC_Version *actual_version); #endif /** IMV_AGENT_H_ @}*/ diff --git a/src/libimcv/imv/imv_database.c b/src/libimcv/imv/imv_database.c index dc7edd7aa..0c4bb7514 100644 --- a/src/libimcv/imv/imv_database.c +++ b/src/libimcv/imv/imv_database.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -47,48 +47,28 @@ struct private_imv_database_t { */ char *script; - /** - * Session list - */ - linked_list_t *sessions; - - /** - * mutex used to lock session list - */ - mutex_t *mutex; - }; -METHOD(imv_database_t, add_session, imv_session_t*, - private_imv_database_t *this, TNC_ConnectionID conn_id, - u_int32_t ar_id_type, chunk_t ar_id_value) +METHOD(imv_database_t, get_database, database_t*, + private_imv_database_t *this) { - enumerator_t *enumerator, *e; - imv_session_t *current, *session = NULL; - int ar_id = 0, session_id; - u_int created; - - this->mutex->lock(this->mutex); - - /* check if a session has already been assigned */ - enumerator = this->sessions->create_enumerator(this->sessions); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (conn_id == current->get_connection_id(current)) - { - session = current; - break; - } - } - enumerator->destroy(enumerator); - - /* session already exists */ - if (session) - { - this->mutex->unlock(this->mutex); - return session->get_ref(session); - } + return this->db; +} +/** + * Create a session entry in the IMV database + */ +static bool create_session(private_imv_database_t *this, imv_session_t *session) +{ + enumerator_t *e; + imv_os_info_t *os_info; + chunk_t device_id, ar_id_value; + TNC_ConnectionID conn_id; + uint32_t ar_id_type; + char *product, *device; + int session_id = 0, ar_id = 0, pid = 0, did = 0, trusted = 0, created; + + ar_id_value = session->get_ar_id(session, &ar_id_type); if (ar_id_value.len) { /* get primary key of AR identity if it exists */ 
@@ -108,46 +88,22 @@ METHOD(imv_database_t, add_session, imv_session_t*, "INSERT INTO identities (type, value) VALUES (?, ?)", DB_INT, ar_id_type, DB_BLOB, ar_id_value); } - } - /* create a new session entry */ - created = time(NULL); - this->db->execute(this->db, &session_id, - "INSERT INTO sessions (time, connection, identity) " - "VALUES (?, ?, ?)", - DB_UINT, created, DB_INT, conn_id, DB_INT, ar_id); - session = imv_session_create(session_id, conn_id); - this->sessions->insert_last(this->sessions, session); - - this->mutex->unlock(this->mutex); - - return session; -} -METHOD(imv_database_t, remove_session, void, - private_imv_database_t *this, imv_session_t *session) -{ - enumerator_t *enumerator; - imv_session_t *current; - - this->mutex->lock(this->mutex); - enumerator = this->sessions->create_enumerator(this->sessions); - while (enumerator->enumerate(enumerator, ¤t)) - { - if (current == session) + if (!ar_id) { - this->sessions->remove_at(this->sessions, enumerator); - break; + DBG1(DBG_IMV, "imv_db: registering access requestor failed"); + return FALSE; } } - enumerator->destroy(enumerator); - this->mutex->unlock(this->mutex); -} -METHOD(imv_database_t, add_product, int, - private_imv_database_t *this, imv_session_t *session, char *product) -{ - enumerator_t *e; - int pid = 0; + /* get product info string */ + os_info = session->get_os_info(session); + product = os_info->get_info(os_info); + if (!product) + { + DBG1(DBG_IMV, "imv_db: product info is not available"); + return FALSE; + } /* get primary key of product info string if it exists */ e = this->db->query(this->db, 
@@ -164,92 +120,150 @@ METHOD(imv_database_t, add_product, int, this->db->execute(this->db, &pid, "INSERT INTO products (name) VALUES (?)", DB_TEXT, product); } - - /* add product reference to session */ - if (pid) + + if (!pid) { - this->db->execute(this->db, NULL, - "UPDATE sessions SET product = ? WHERE id = ?", - DB_INT, pid, DB_INT, session->get_session_id(session)); + DBG1(DBG_IMV, "imv_db: registering product info failed"); + return FALSE; } - return pid; -} - -METHOD(imv_database_t, add_device, int, - private_imv_database_t *this, imv_session_t *session, chunk_t device) -{ - enumerator_t *e; - char *device_str; - int pid = 0, did = 0; + /* get device ID string */ + if (!session->get_device_id(session, &device_id)) + { + DBG1(DBG_IMV, "imv_db: device ID is not available"); + return FALSE; + } + device = strndup(device_id.ptr, device_id.len); - /* get primary key of product from session */ + /* get primary key of device ID if it exists */ e = this->db->query(this->db, - "SELECT product FROM sessions WHERE id = ?", - DB_INT, session->get_session_id(session), DB_INT); + "SELECT id, trusted FROM devices WHERE value = ? AND product = ?", + DB_TEXT, device, DB_INT, pid, DB_INT, DB_INT); if (e) { - e->enumerate(e, &pid); + e->enumerate(e, &did, &trusted); e->destroy(e); } - /* some IMV policy manager expect a text string */ - device_str = strndup(device.ptr, device.len); - - /* get primary key of device identification if it exists */ - e = this->db->query(this->db, - "SELECT id FROM devices WHERE value = ? 
AND product = ?", - DB_TEXT, device_str, DB_INT, pid, DB_INT); - if (e) + /* if device ID is trusted, set trust in session */ + if (trusted) { - e->enumerate(e, &did); - e->destroy(e); + session->set_device_trust(session, TRUE); } - /* if device identification has not been found - register it */ + /* if device ID has not been found - register it */ if (!did) { this->db->execute(this->db, &did, "INSERT INTO devices (value, product) VALUES (?, ?)", - DB_TEXT, device_str, DB_INT, pid); + DB_TEXT, device, DB_INT, pid); + } + free(device); + + if (!did) + { + DBG1(DBG_IMV, "imv_db: registering device ID failed"); + return FALSE; + } + + /* create a new session entry */ + created = session->get_creation_time(session); + conn_id = session->get_connection_id(session); + this->db->execute(this->db, &session_id, + "INSERT INTO sessions (time, connection, identity, product, device) " + "VALUES (?, ?, ?, ?, ?)", + DB_INT, created, DB_INT, conn_id, DB_INT, ar_id, + DB_INT, pid, DB_INT, did); + + if (session_id) + { + DBG2(DBG_IMV, "assigned session ID %d to Connection ID %d", + session_id, conn_id); + } + else + { + DBG1(DBG_IMV, "imv_db: registering session failed"); + return FALSE; + } + session->set_session_id(session, session_id, pid, did); + + return TRUE; +} + +static bool add_workitems(private_imv_database_t *this, imv_session_t *session) +{ + char *arg_str; + int id, arg_int, rec_fail, rec_noresult; + imv_workitem_t *workitem; + imv_workitem_type_t type; + enumerator_t *e; + + e = this->db->query(this->db, + "SELECT id, type, arg_str, arg_int, rec_fail, rec_noresult " + "FROM workitems WHERE session = ?", + DB_INT, session->get_session_id(session, NULL, NULL), + DB_INT, DB_INT, DB_TEXT, DB_INT,DB_INT, DB_INT); + if (!e) + { + DBG1(DBG_IMV, "imv_db: no workitem enumerator returned"); + return FALSE; } - free(device_str); - - /* add device reference to session */ - if (did) + while (e->enumerate(e, &id, &type, &arg_str, &arg_int, &rec_fail, + &rec_noresult)) { - 
this->db->execute(this->db, NULL, - "UPDATE sessions SET device = ? WHERE id = ?", - DB_INT, did, DB_INT, session->get_session_id(session)); + DBG2(DBG_IMV, "%N workitem %d", imv_workitem_type_names, type, id); + workitem = imv_workitem_create(id, type, arg_str, arg_int, rec_fail, + rec_noresult); + session->insert_workitem(session, workitem); } + e->destroy(e); - return did; + return TRUE; } METHOD(imv_database_t, add_recommendation, void, private_imv_database_t *this, imv_session_t *session, TNC_IMV_Action_Recommendation rec) { - /* add final recommendation to session */ + /* add final recommendation to session DB entry */ this->db->execute(this->db, NULL, "UPDATE sessions SET rec = ? WHERE id = ?", - DB_INT, rec, DB_INT, session->get_session_id(session)); + DB_INT, rec, DB_INT, session->get_session_id(session, NULL, NULL)); } METHOD(imv_database_t, policy_script, bool, private_imv_database_t *this, imv_session_t *session, bool start) { - imv_workitem_t *workitem; - imv_workitem_type_t type; - int id, session_id, arg_int, rec_fail, rec_noresult; - enumerator_t *e; - char command[512], resp[128], *last, *arg_str; + char command[512], resp[128], *last; FILE *shell; - session_id = session->get_session_id(session); + if (start) + { + if (session->get_policy_started(session)) + { + DBG1(DBG_IMV, "policy script as already been started"); + return FALSE; + } - snprintf(command, sizeof(command), "2>&1 TNC_SESSION_ID='%d' %s %s", - session_id, this->script, start ? "start" : "stop"); + /* add product info and device ID to session DB entry */ + if (!create_session(this, session)) + { + return FALSE; + } + } + else + { + if (!session->get_policy_started(session)) + { + DBG1(DBG_IMV, "policy script as already been stopped"); + return FALSE; + } + } + + /* call the policy script */ + snprintf(command, sizeof(command), "2>&1 %s %s %d", + this->script, start ? 
"start" : "stop", + session->get_session_id(session, NULL, NULL)); DBG3(DBG_IMV, "running policy script: %s", command); shell = popen(command, "r"); @@ -282,30 +296,16 @@ METHOD(imv_database_t, policy_script, bool, } pclose(shell); - if (start && !session->get_policy_started(session)) + if (start) { - /* get workitem list generated by policy manager */ - e = this->db->query(this->db, - "SELECT id, type, arg_str, arg_int, rec_fail, rec_noresult " - "FROM workitems WHERE session = ?", DB_INT, session_id, - DB_INT, DB_INT, DB_TEXT, DB_INT,DB_INT, DB_INT); - if (!e) + /* add workitem list generated by policy manager to session object */ + if (!add_workitems(this, session)) { - DBG1(DBG_IMV, "no workitem enumerator returned"); return FALSE; } - while (e->enumerate(e, &id, &type, &arg_str, &arg_int, &rec_fail, - &rec_noresult)) - { - workitem = imv_workitem_create(id, type, arg_str, arg_int, rec_fail, - rec_noresult); - session->insert_workitem(session, workitem); - } - e->destroy(e); - session->set_policy_started(session, TRUE); } - else if (!start && session->get_policy_started(session)) + else { session->set_policy_started(session, FALSE); } @@ -327,19 +327,10 @@ METHOD(imv_database_t, finalize_workitem, bool, DB_INT, workitem->get_id(workitem)) == 1; } -METHOD(imv_database_t, get_database, database_t*, - private_imv_database_t *this) -{ - return this->db; -} - METHOD(imv_database_t, destroy, void, private_imv_database_t *this) { DESTROY_IF(this->db); - this->sessions->destroy_offset(this->sessions, - offsetof(imv_session_t, destroy)); - this->mutex->destroy(this->mutex); free(this); } 
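Review bot: The new `snprintf(command, sizeof(command), "2>&1 %s %s %d", ...)` return value is not checked, so a `this->script` path long enough to overflow the 512-byte buffer would hand `popen` a truncated command instead of failing; check it, `int len = snprintf(...); if (len < 0 || len >= sizeof(command)) { DBG1(DBG_IMV, "imv_db: policy script command too long"); return FALSE; }`. The two new log messages read "policy script as already been started" / "stopped" and should say `has`. `add_workitems` is the only new static helper without a header comment; a line like `/** Load the workitems created by the policy manager for this session from the DB into the session object */` would match `create_session` above it. The hunk also binds `created` as `DB_INT` where the removed code used `DB_UINT`; presumably harmless, but worth confirming against the `sessions.time` column type. policy_script continues in the next hunk.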
@@ -352,20 +343,14 @@ imv_database_t *imv_database_create(char *uri, char *script) INIT(this, .public = { - .add_session = _add_session, - .remove_session = _remove_session, - .add_product = _add_product, - .add_device = _add_device, - .add_recommendation = _add_recommendation, + .get_database = _get_database, .policy_script = _policy_script, .finalize_workitem = _finalize_workitem, - .get_database = _get_database, + .add_recommendation = _add_recommendation, .destroy = _destroy, }, .db = lib->db->create(lib->db, uri), .script = script, - .sessions = linked_list_create(), - .mutex = mutex_create(MUTEX_TYPE_DEFAULT), ); if (!this->db) @@ -378,4 +363,3 @@ imv_database_t *imv_database_create(char *uri, char *script) return &this->public; } - diff --git a/src/libimcv/imv/imv_database.h b/src/libimcv/imv/imv_database.h index 48a3ded9e..79551cc79 100644 --- a/src/libimcv/imv/imv_database.h +++ b/src/libimcv/imv/imv_database.h @@ -56,26 +56,6 @@ struct imv_database_t { void (*remove_session)(imv_database_t *this, imv_session_t *session); /** - * Add product information string to a session database entry - * - * @param session Session - * @param product Product information string - * @return Product ID - */ - int (*add_product)(imv_database_t *this, imv_session_t *session, - char *product); - - /** - * Add device identification to a session database entry - * - * @param session Session - * @param device Device identification - * @return Device ID - */ - int (*add_device)(imv_database_t *this, imv_session_t *session, - chunk_t device); - - /** * Add final recommendation to a session database entry * * @param session Session diff --git a/src/libimcv/imv/imv_if.h b/src/libimcv/imv/imv_if.h index fa9765b11..2118509e3 100644 --- a/src/libimcv/imv/imv_if.h +++ b/src/libimcv/imv/imv_if.h 
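Review bot: The header still declares `remove_session` (the context line above the removed block, and presumably `add_session` just above it) while the imv_database.c hunk at @@ -352 drops `.add_session` and `.remove_session` from the INIT, so any caller that still invokes `imcv_db->remove_session` dereferences a NULL function pointer. Since those operations appear to have moved to the new session manager (`imcv_sessions`), the consistent fix is to remove the two declarations from `struct imv_database_t` as well, `void (*remove_session)(imv_database_t *this, imv_session_t *session);` included.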
@@ -26,10 +26,10 @@ static imv_agent_if_t *imv_agent; /* * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, - TNC_Version min_version, - TNC_Version max_version, - TNC_Version *actual_version) +TNC_Result TNC_IMV_API TNC_IMV_Initialize(TNC_IMVID imv_id, + TNC_Version min_version, + TNC_Version max_version, + TNC_Version *actual_version) { if (imv_agent) { @@ -54,9 +54,9 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, /** * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id, - TNC_ConnectionID connection_id, - TNC_ConnectionState new_state) +TNC_Result TNC_IMV_API TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_ConnectionState new_state) { if (!imv_agent) { @@ -70,11 +70,11 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id, /** * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, - TNC_ConnectionID connection_id, - TNC_BufferReference msg, - TNC_UInt32 msg_len, - TNC_MessageType msg_type) +TNC_Result TNC_IMV_API TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) { if (!imv_agent) { 
@@ -88,15 +88,15 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, /** * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id, - TNC_ConnectionID connection_id, - TNC_UInt32 msg_flags, - TNC_BufferReference msg, - TNC_UInt32 msg_len, - TNC_VendorID msg_vid, - TNC_MessageSubtype msg_subtype, - TNC_UInt32 src_imc_id, - TNC_UInt32 dst_imv_id) +TNC_Result TNC_IMV_API TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_UInt32 msg_flags, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_VendorID msg_vid, + TNC_MessageSubtype msg_subtype, + TNC_UInt32 src_imc_id, + TNC_UInt32 dst_imv_id) { if (!imv_agent) { @@ -111,8 +111,8 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id, /** * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id, - TNC_ConnectionID connection_id) +TNC_Result TNC_IMV_API TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id, + TNC_ConnectionID connection_id) { if (!imv_agent) @@ -126,7 +126,8 @@ TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id, /** * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id, TNC_ConnectionID connection_id) +TNC_Result TNC_IMV_API TNC_IMV_BatchEnding(TNC_IMVID imv_id, + TNC_ConnectionID connection_id) { if (!imv_agent) { @@ -139,7 +140,7 @@ TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id, TNC_ConnectionID connection_id) /** * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id) +TNC_Result TNC_IMV_API TNC_IMV_Terminate(TNC_IMVID imv_id) { if (!imv_agent) { 
@@ -155,8 +156,8 @@ TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id) /** * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id, - TNC_TNCS_BindFunctionPointer bind_function) +TNC_Result TNC_IMV_API TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id, + TNC_TNCS_BindFunctionPointer bind_function) { if (!imv_agent) { diff --git a/src/libimcv/imv/imv_os_info.c b/src/libimcv/imv/imv_os_info.c new file mode 100644 index 000000000..dfab19434 --- /dev/null +++ b/src/libimcv/imv/imv_os_info.c 
@@ -0,0 +1,168 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_os_info.h" + +typedef struct private_imv_os_info_t private_imv_os_info_t; + +/** + * Private data of an imv_os_info_t object. + * + */ +struct private_imv_os_info_t { + + /** + * Public imv_os_info_t interface. + */ + imv_os_info_t public; + + /** + * OS type + */ + os_type_t type; + + /** + * OS name + */ + chunk_t name; + + /** + * OS version + */ + chunk_t version; + + /** + * This flag allows the OS version to be empty + */ + bool version_is_set; + + /** + * OS Product Information (OS Name | OS Version) + */ + char *info; + +}; + +METHOD(imv_os_info_t, get_type, os_type_t, + private_imv_os_info_t *this) +{ + return this->type; +} + +METHOD(imv_os_info_t, set_name, void, + private_imv_os_info_t *this, chunk_t name) +{ + /* Has the OS name already been set? */ + if (this->name.len) + { + if (chunk_equals(name, this->name)) + { + return; + } + free(this->name.ptr); + + /* Also clear the OS info string */ + free(this->info); + this->info = NULL; + } + this->name = chunk_clone(name); + this->type = os_type_from_name(name); +} + +METHOD(imv_os_info_t, get_name, chunk_t, + private_imv_os_info_t *this) +{ + return this->name; +} + +METHOD(imv_os_info_t, set_version, void, + private_imv_os_info_t *this, chunk_t version) +{ + /* Has the OS version already been set? 
*/ + if (this->version_is_set) + { + if (chunk_equals(version, this->version)) + { + return; + } + free(this->version.ptr); + + /* Also clear the OS info string */ + free(this->info); + this->info = NULL; + } + this->version = chunk_clone(version); + this->version_is_set = TRUE; +} + +METHOD(imv_os_info_t, get_version, chunk_t, + private_imv_os_info_t *this) +{ + return this->version; +} + +METHOD(imv_os_info_t, get_info, char*, + private_imv_os_info_t *this) +{ + int len; + + if (!this->info) + { + /* Have both OS name and OS version been set? */ + if (this->name.len == 0 || !this->version_is_set) + { + return NULL; + } + + /* OS info is a concatenation of OS name and OS version */ + len = this->name.len + 1 + this->version.len + 1; + this->info = malloc(len); + snprintf(this->info, len, "%.*s %.*s", + (int)this->name.len, this->name.ptr, + (int)this->version.len, this->version.ptr); + } + return this->info; +} + +METHOD(imv_os_info_t, destroy, void, + private_imv_os_info_t *this) +{ + free(this->name.ptr); + free(this->version.ptr); + free(this->info); + free(this); +} + +/** + * See header + */ +imv_os_info_t *imv_os_info_create(void) +{ + private_imv_os_info_t *this; + + INIT(this, + .public = { + .get_type = _get_type, + .set_name = _set_name, + .get_name = _get_name, + .set_version = _set_version, + .get_version = _get_version, + .get_info = _get_info, + .destroy = _destroy, + }, + ); + + return &this->public; +} diff --git a/src/libimcv/imv/imv_os_info.h b/src/libimcv/imv/imv_os_info.h new file mode 100644 index 000000000..b68a17ee7 --- /dev/null +++ b/src/libimcv/imv/imv_os_info.h 
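Review bot: get_info builds `this->info` with `%.*s` from the name and version chunks, and `%.*s` stops at the first NUL byte inside a chunk, so a PA-TNC peer that sends an OS name or version containing an embedded NUL gets an `info` string that is shorter than what get_name/get_version return; any later lookup that uses one view of the data and logs or stores the other can then disagree (hedged, the callers are outside this diff). The cheapest guard is to refuse such values in set_name and set_version before the clone, e.g. `if (name.len && memchr(name.ptr, '\0', name.len)) { return; }` and the same for `version`. The unchecked `malloc(len)` in get_info follows the library's convention elsewhere, but the `(int)` casts of the two chunk lengths silently assume attribute lengths fit in an int and deserve a one-line comment saying so.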
@@ -0,0 +1,88 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imv_os_info imv_os_info + * @{ @ingroup libimcv + */ + +#ifndef IMV_OS_INFO_H_ +#define IMV_OS_INFO_H_ + +typedef struct imv_os_info_t imv_os_info_t; + +#include "os_info/os_info.h" + +#include <library.h> + +/** + * Interface for the IMV Operating System (OS) information module + */ +struct imv_os_info_t { + + /** + * Get the OS type + * + * @return OS type + */ + os_type_t (*get_type)(imv_os_info_t *this); + + /** + * Set the OS product name or distribution + * + * @param name OS name + */ + void (*set_name)(imv_os_info_t *this, chunk_t name); + + /** + * Get the OS product name or distribution + * + * @return OS name + */ + chunk_t (*get_name)(imv_os_info_t *this); + + /** + * Set the OS version or release + * + * @param version OS version + */ + void (*set_version)(imv_os_info_t *this, chunk_t version); + + /** + * Get the OS version or release + * + * @return OS version + */ + chunk_t (*get_version)(imv_os_info_t *this); + + /** + * Get the OS version or release + * + * @return OS name | OS version + */ + char* (*get_info)(imv_os_info_t *this); + + /** + * Destroys an imv_os_info_t object. + */ + void (*destroy)(imv_os_info_t *this); +}; + +/** + * Create an imv_os_info_t object + */ +imv_os_info_t* imv_os_info_create(void); + +#endif /** IMV_OS_INFO_H_ @}*/ 
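Review bot: the docblock for get_info reads "Get the OS version or release", copied from get_version, but the function returns the concatenated product string and returns NULL until both name and version have been set (per the implementation in imv_os_info.c). Replace the two doc lines with `* Get the OS product information string, "<OS name> <OS version>"` and `* @return OS name | OS version, or NULL if name or version is not set yet; owned by this object, do not free`. The ownership statement matters because the string is cached and freed again by the setters and by destroy.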
diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c index 028721af3..50f7f2e39 100644 --- a/src/libimcv/imv/imv_policy_manager.c +++ b/src/libimcv/imv/imv_policy_manager.c @@ -278,7 +278,7 @@ static bool policy_stop(database_t *db, int session_id) int main(int argc, char *argv[]) { database_t *db; - char *uri, *tnc_session_id; + char *uri; int session_id; bool start, success; @@ -299,7 +299,7 @@ int main(int argc, char *argv[]) exit(SS_RC_INITIALIZATION_FAILED); } - if (argc < 2) + if (argc < 3) { usage(); exit(SS_RC_INITIALIZATION_FAILED); @@ -318,14 +318,7 @@ int main(int argc, char *argv[]) exit(SS_RC_INITIALIZATION_FAILED); } - /* get session ID */ - tnc_session_id = getenv("TNC_SESSION_ID"); - if (!tnc_session_id) - { - fprintf(stderr, "environment variable TNC_SESSION_ID is not defined\n"); - exit(SS_RC_INITIALIZATION_FAILED); - } - session_id = atoi(tnc_session_id); + session_id = atoi(argv[2]); /* attach IMV database */ uri = lib->settings->get_str(lib->settings, diff --git a/src/libimcv/imv/imv_policy_manager_usage.c b/src/libimcv/imv/imv_policy_manager_usage.c index 3167a5441..c71bc9958 100644 --- a/src/libimcv/imv/imv_policy_manager_usage.c +++ b/src/libimcv/imv/imv_policy_manager_usage.c @@ -24,6 +24,5 @@ void usage(void) { printf("\ Usage:\n\ - imv_policy_manager start|stop\n"); + imv_policy_manager start|stop <tnc-session-id>\n"); } - diff --git a/src/libimcv/imv/imv_session.c b/src/libimcv/imv/imv_session.c index 754f1f74c..1f0d8cf14 100644 --- a/src/libimcv/imv/imv_session.c +++ b/src/libimcv/imv/imv_session.c 
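Review bot: `session_id = atoi(argv[2]);` accepts anything: a non-numeric or negative argument silently becomes 0 or a negative value and is then used as the key into the sessions table, so a typo in the script that invokes imv_policy_manager runs policy_start/policy_stop against the wrong (or no) session without any error. Parse it with strtol and reject everything that is not a positive integer: `char *end; long id = strtol(argv[2], &end, 10);` then `if (end == argv[2] || *end != '\0' || id <= 0 || id > INT_MAX) { usage(); exit(SS_RC_INITIALIZATION_FAILED); }` and finally `session_id = id;`. Moving the ID from the TNC_SESSION_ID environment variable to argv also exposes it in the process list to all local users; for an integer row key that is probably acceptable, but a comment stating that it is not a secret would settle the question. main() continues beyond the hunk.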
@@ -35,11 +35,51 @@ struct private_imv_session_t { int session_id; /** + * Unique Product ID + */ + int pid; + + /** + * Unique Device ID + */ + int did; + + /** * TNCCS connection ID */ TNC_ConnectionID conn_id; /** + * Session creation time + */ + time_t created; + + /** + * Access Requestor ID type + */ + uint32_t ar_id_type; + + /** + * Access Requestor ID value + */ + chunk_t ar_id_value; + + /** + * OS information + */ + imv_os_info_t *os_info; + + /** + * Device ID + */ + chunk_t device_id; + + /** + * Is Device ID trusted? + */ + bool trusted; + + /** * Have the workitems been generated? */ bool policy_started; @@ -56,9 +96,25 @@ struct private_imv_session_t { }; +METHOD(imv_session_t, set_session_id, void, + private_imv_session_t *this, int session_id, int pid, int did) +{ + this->session_id = session_id; + this->pid = pid; + this->did = did; +} + METHOD(imv_session_t, get_session_id, int, - private_imv_session_t *this) + private_imv_session_t *this, int *pid, int *did) { + if (pid) + { + *pid = this->pid; + } + if (did) + { + *did = this->did; + } return this->session_id; } 
@@ -68,6 +124,72 @@ METHOD(imv_session_t, get_connection_id, TNC_ConnectionID, return this->conn_id; } +METHOD(imv_session_t, get_creation_time, time_t, + private_imv_session_t *this) +{ + return this->created; +} + +METHOD(imv_session_t, get_ar_id, chunk_t, + private_imv_session_t *this, uint32_t *ar_id_type) +{ + if (ar_id_type) + { + *ar_id_type = this->ar_id_type; + } + return this->ar_id_value; +} + +METHOD(imv_session_t, get_os_info, imv_os_info_t*, + private_imv_session_t *this) +{ + return this->os_info; +} + +METHOD(imv_session_t, set_device_id, void, + private_imv_session_t *this, chunk_t device_id) +{ + if (device_id.len == 0) + { + device_id = chunk_from_str("unknown"); + } + if (this->device_id.len) + { + if (chunk_equals(device_id, this->device_id)) + { + return; + } + free(this->device_id.ptr); + } + this->device_id = chunk_clone(device_id); +} + +METHOD(imv_session_t, get_device_id, bool, + private_imv_session_t *this, chunk_t *device_id) +{ + if (this->device_id.len == 0) + { + return FALSE; + } + if (device_id) + { + *device_id = this->device_id; + } + return TRUE; +} + +METHOD(imv_session_t, set_device_trust, void, + private_imv_session_t *this, bool trusted) +{ + this->trusted = trusted; +} + +METHOD(imv_session_t, get_device_trust, bool, + private_imv_session_t *this) +{ + return this->trusted; +} + METHOD(imv_session_t, set_policy_started, void, private_imv_session_t *this, bool start) { @@ -95,10 +217,6 @@ METHOD(imv_session_t, remove_workitem, void, METHOD(imv_session_t, create_workitem_enumerator, enumerator_t*, private_imv_session_t *this) { - if (!this->policy_started) - { - return NULL; - } return this->workitems->create_enumerator(this->workitems); } @@ -137,6 +255,9 @@ METHOD(imv_session_t, destroy, void, { this->workitems->destroy_offset(this->workitems, offsetof(imv_workitem_t, destroy)); + this->os_info->destroy(this->os_info); + free(this->ar_id_value.ptr); + free(this->device_id.ptr); free(this); } } 
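Review bot: set_device_id replaces `this->device_id` when a different ID arrives but leaves `this->trusted` untouched, so a session whose first device ID was marked trusted via set_device_trust keeps that trust after the ID changes to one that was never verified; add `this->trusted = FALSE;` right after the `free(this->device_id.ptr);` in the replacement path. Separately, an empty ID is silently turned into the literal "unknown", after which get_device_id reports TRUE, so callers cannot distinguish "the access requestor reported nothing" from a genuine ID, and every such session shares one device record (hedged, I cannot see how callers consume it); at minimum put a comment on set_device_id stating the substitution, e.g. `/* an empty ID is stored as "unknown" so that a devices row always exists */`.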
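Review bot: dropping the `!this->policy_started` early return in create_workitem_enumerator changes the contract from "NULL until the policy has been started" to "always an enumerator, possibly empty", which is fine, but any caller that tested the NULL return to decide whether workitems have been generated now has to use get_policy_started instead; those callers are outside this diff and should be checked. A short comment on the method, `/* may be empty until set_policy_started(TRUE) has generated the workitems */`, would make the new behaviour explicit.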
@@ -144,14 +265,23 @@ METHOD(imv_session_t, destroy, void, /** * See header */ -imv_session_t *imv_session_create(int session_id, TNC_ConnectionID conn_id) +imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created, + uint32_t ar_id_type, chunk_t ar_id_value) { private_imv_session_t *this; INIT(this, .public = { + .set_session_id = _set_session_id, .get_session_id = _get_session_id, .get_connection_id = _get_connection_id, + .get_creation_time = _get_creation_time, + .get_ar_id = _get_ar_id, + .get_os_info = _get_os_info, + .set_device_id = _set_device_id, + .get_device_id = _get_device_id, + .set_device_trust = _set_device_trust, + .get_device_trust = _get_device_trust, .set_policy_started = _set_policy_started, .get_policy_started = _get_policy_started, .insert_workitem = _insert_workitem, @@ -161,8 +291,11 @@ imv_session_t *imv_session_create(int session_id, TNC_ConnectionID conn_id) .get_ref = _get_ref, .destroy = _destroy, }, - .session_id = session_id, .conn_id = conn_id, + .created = created, + .ar_id_type = ar_id_type, + .ar_id_value = chunk_clone(ar_id_value), + .os_info = imv_os_info_create(), .workitems = linked_list_create(), .ref = 1, ); diff --git a/src/libimcv/imv/imv_session.h b/src/libimcv/imv/imv_session.h index 6b94523b8..42b9118a6 100644 --- a/src/libimcv/imv/imv_session.h +++ b/src/libimcv/imv/imv_session.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -23,11 +23,13 @@ #define IMV_SESSION_H_ #include "imv_workitem.h" +#include "imv_os_info.h" #include <tncifimv.h> - #include <library.h> +#include <time.h> + typedef struct imv_session_t imv_session_t; /** 
@@ -36,11 +38,22 @@ typedef struct imv_session_t imv_session_t; struct imv_session_t { /** + * Set unique session ID + * + * @param session_id primary key into sessions table + * @param pid primary key into products table + * @param did Primary key into devices table + */ + void (*set_session_id)(imv_session_t *this, int session_id, int pid, int did); + + /** * Get unique session ID * - * @return Session ID + * @param pid primary key into products table + * @param did Primary key into devices table + * @return primary key into sessions table */ - int (*get_session_id)(imv_session_t *this); + int (*get_session_id)(imv_session_t *this, int *pid, int *did); /** * Get TNCCS Connection ID 
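Review bot: the new `@param pid` and `@param did` lines on get_session_id read like inputs, but the implementation writes through them and skips each one that is NULL, so they are optional out-parameters and the doc should say so: `@param pid If not NULL, receives the primary key into products table` and `@param did If not NULL, receives the primary key into devices table`. Since the constructor no longer takes a session ID, also state that the return value is only meaningful after set_session_id has been called (presumably 0 before that, if INIT zero-fills the struct as it does elsewhere in the library — worth confirming).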
@@ -50,6 +63,58 @@ struct imv_session_t { TNC_ConnectionID (*get_connection_id)(imv_session_t *this); /** + * Get session creation time + * + * @return Session creation time + */ + time_t (*get_creation_time)(imv_session_t *this); + + /** + * Get Access Requestor ID + * + * @param id_type Access Requestor TCG Standard ID Type + * @return Access Requestor TCG Standard ID Value + */ + chunk_t (*get_ar_id)(imv_session_t *this, uint32_t *id_type); + + /** + * Get OS Information + * + * @return OS info object + */ + imv_os_info_t* (*get_os_info)(imv_session_t *this); + + /** + * Set Device ID + * + * @param device_id Device ID + */ + void (*set_device_id)(imv_session_t *this, chunk_t device_id); + + /** + * Get Device ID + * + * @param device_id Device ID + * @return TRUE if Device ID has already been set + */ + bool (*get_device_id)(imv_session_t *this, chunk_t *device_id); + + /** + * Set trust into Device ID + * + * @param trusted TRUE if Device ID is trusted + */ + void (*set_device_trust)(imv_session_t *this, bool trusted); + + + /** + * Get device ID trust (needed for TPM-based attestation) + * + * @return TRUE if Device ID is trusted + */ + bool (*get_device_trust)(imv_session_t *this); + + /** * Set policy_started status * * @param start TRUE if policy started, FALSE if policy stopped @@ -105,9 +170,12 @@ struct imv_session_t { /** * Create an imv_session_t instance * - * @param session_id Unique Session ID * @param id Associated Connection ID + * @param created Session creation time + * @param ar_id_type Access Requestor ID type + * @param ar_id_value Access Requestor ID value */ -imv_session_t* imv_session_create(int session_id, TNC_ConnectionID id); +imv_session_t* imv_session_create(TNC_ConnectionID id, time_t created, + uint32_t ar_id_type, chunk_t ar_id_value); #endif /** IMV_SESSION_H_ @}*/ diff --git a/src/libimcv/imv/imv_session_manager.c b/src/libimcv/imv/imv_session_manager.c new file mode 100644 index 000000000..0fb8de45e --- /dev/null 
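Review bot: the get_device_id docblock says "@return TRUE if Device ID has already been set", but set_device_id in imv_session.c stores the string "unknown" when it is handed an empty ID, so TRUE does not mean the access requestor actually supplied one; say so: `@return TRUE if a Device ID has been set (an empty ID is stored as "unknown")`. Because get_device_trust is, per its own comment, consulted for TPM-based attestation, set_device_trust should state who sets the flag and what the initial value is, e.g. `@param trusted TRUE once the IMV has verified the Device ID (initially FALSE)`. The double blank line before get_device_trust is a style nit.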
+++ b/src/libimcv/imv/imv_session_manager.c 
@@ -0,0 +1,131 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_session_manager.h" + +#include <threading/mutex.h> + +typedef struct private_imv_session_manager_t private_imv_session_manager_t; + +/** + * Private data of a imv_session_manager_t object. + */ +struct private_imv_session_manager_t { + + /** + * Public imv_session_manager_t interface. + */ + imv_session_manager_t public; + + /** + * Session list + */ + linked_list_t *sessions; + + /** + * mutex used to lock session list + */ + mutex_t *mutex; + +}; + +METHOD(imv_session_manager_t, add_session, imv_session_t*, + private_imv_session_manager_t *this, TNC_ConnectionID conn_id, + uint32_t ar_id_type, chunk_t ar_id_value) +{ + enumerator_t *enumerator; + imv_session_t *current, *session = NULL; + time_t created; + + this->mutex->lock(this->mutex); + + /* check if a session has already been assigned */ + enumerator = this->sessions->create_enumerator(this->sessions); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (conn_id == current->get_connection_id(current)) + { + session = current; + break; + } + } + enumerator->destroy(enumerator); + + /* session already exists */ + if (session) + { + this->mutex->unlock(this->mutex); + return session->get_ref(session); + } + + /* create a new session entry */ + created = time(NULL); + session = imv_session_create(conn_id, created, ar_id_type, 
ar_id_value); + this->sessions->insert_last(this->sessions, session); + + this->mutex->unlock(this->mutex); + + return session; +} + +METHOD(imv_session_manager_t, remove_session, void, + private_imv_session_manager_t *this, imv_session_t *session) +{ + enumerator_t *enumerator; + imv_session_t *current; + + this->mutex->lock(this->mutex); + enumerator = this->sessions->create_enumerator(this->sessions); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (current == session) + { + this->sessions->remove_at(this->sessions, enumerator); + break; + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); +} + +METHOD(imv_session_manager_t, destroy, void, + private_imv_session_manager_t *this) +{ + this->sessions->destroy_offset(this->sessions, + offsetof(imv_session_t, destroy)); + this->mutex->destroy(this->mutex); + free(this); +} + +/** + * See header + */ +imv_session_manager_t *imv_session_manager_create(void) +{ + private_imv_session_manager_t *this; + + INIT(this, + .public = { + .add_session = _add_session, + .remove_session = _remove_session, + .destroy = _destroy, + }, + .sessions = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + ); + + return &this->public; +} + diff --git a/src/libimcv/imv/imv_session_manager.h b/src/libimcv/imv/imv_session_manager.h new file mode 100644 index 000000000..8a733accb --- /dev/null +++ b/src/libimcv/imv/imv_session_manager.h 
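Review bot: add_session hands out the only reference of a newly created session (imv_session_create in this commit initialises `.ref = 1`) while the existing-session path returns `session->get_ref(session)`, yet in both cases the `sessions` list stores the pointer without a reference of its own, and the manager's destroy then calls destroy on every listed session. If sessions are reference-counted through get_ref/destroy as the names suggest, a session still listed at manager destroy time has its caller-owned reference released and the caller's later destroy double-frees, while a caller that destroys before remove_session leaves a dangling pointer in the list. Either let the list own a reference — `this->sessions->insert_last(this->sessions, session->get_ref(session));` on the create path and `current->destroy(current);` after `remove_at` in remove_session — or document in add_session that the caller must call remove_session before dropping its last reference.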
@@ -0,0 +1,69 @@ +/* + * Copyright (C) 2014 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * + * @defgroup imv_session_manager_t imv_session_manager + * @{ @ingroup libimcv_imv + */ + +#ifndef IMV_SESSION_MANAGER_H_ +#define IMV_SESSION_MANAGER_H_ + +#include "imv_session.h" + +#include <tncifimv.h> + +#include <library.h> + +typedef struct imv_session_manager_t imv_session_manager_t; + +/** + * IMV session manager interface + */ +struct imv_session_manager_t { + + /** + * Create or get a session associated with a TNCCS connection + * + * @param conn_id TNCCS Connection ID + * @param ar_id_type Access Requestor identity type + * @param ar_id_value Access Requestor identity value + * @return Session associated with TNCCS Connection + */ + imv_session_t* (*add_session)(imv_session_manager_t *this, + TNC_ConnectionID conn_id, + uint32_t ar_id_type, chunk_t ar_id_value); + + /** + * Remove a session + * + * @param session Session + */ + void (*remove_session)(imv_session_manager_t *this, imv_session_t *session); + + + /** + * Destroys an imv_session_manager_t object + */ + void (*destroy)(imv_session_manager_t *this); +}; + +/** + * Create an imv_session_manager_t instance + */ +imv_session_manager_t* imv_session_manager_create(); + +#endif /** IMV_SESSION_MANAGER_H_ @}*/ diff --git a/src/libimcv/imv/imv_state.h b/src/libimcv/imv/imv_state.h index 791846bb1..d11d15e0d 100644 
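Review bot: `imv_session_manager_create()` is declared with empty parentheses while the definition in imv_session_manager.c uses `(void)`; in C an empty list means "unspecified arguments", so the prototype should be `imv_session_manager_t* imv_session_manager_create(void);`. The add_session docblock should also spell out ownership, since the implementation returns either a fresh session or a get_ref'd existing one: `@return Session associated with TNCCS Connection; the caller owns one reference and releases it with destroy()` (hedged on the refcount semantics, which live in imv_session.c). The `@ingroup libimcv_imv` differs from the `libimcv` group used by imv_os_info.h in this commit; check which group name actually exists.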
--- a/src/libimcv/imv/imv_state.h +++ b/src/libimcv/imv/imv_state.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2013 Andreas Steffen + * Copyright (C) 2011-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -70,45 +70,28 @@ struct imv_state_t { * * @param max_msg_len maximum size of a PA-TNC message */ - void (*set_max_msg_len)(imv_state_t *this, u_int32_t max_msg_len); + void (*set_max_msg_len)(imv_state_t *this, uint32_t max_msg_len); /** * Get the maximum size of a PA-TNC message for this TNCCS connection * * @return maximum size of a PA-TNC message */ - u_int32_t (*get_max_msg_len)(imv_state_t *this); + uint32_t (*get_max_msg_len)(imv_state_t *this); /** * Set flags for completed actions * * @param flags Flags to be set */ - void (*set_action_flags)(imv_state_t *this, u_int32_t flags); + void (*set_action_flags)(imv_state_t *this, uint32_t flags); /** * Get flags set for completed actions * * @return Flags set for completed actions */ - u_int32_t (*get_action_flags)(imv_state_t *this); - - /** - * Set Access Requestor ID - * - * @param id_type Access Requestor TCG Standard ID Type - * @param id_value Access Requestor TCG Standard ID Value - * - */ - void (*set_ar_id)(imv_state_t *this, u_int32_t id_type, chunk_t id_value); - - /** - * Get Access Requestor ID - * - * @param id_type Access Requestor TCG Standard ID Type - * @return Access Requestor TCG Standard ID Value - */ - chunk_t (*get_ar_id)(imv_state_t *this, u_int32_t *id_type); + uint32_t (*get_action_flags)(imv_state_t *this); /** * Set session associated with TNCCS Connection diff --git a/src/libimcv/imv/tables-mysql.sql b/src/libimcv/imv/tables-mysql.sql new file mode 100644 index 000000000..47ee41c86 --- /dev/null +++ b/src/libimcv/imv/tables-mysql.sql 
@@ -0,0 +1,200 @@ + +DROP TABLE IF EXISTS `directories`; +CREATE TABLE `directories` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `path` VARCHAR(2048) NOT NULL +); + +DROP TABLE IF EXISTS `files`; +CREATE TABLE `files` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `dir` INTEGER DEFAULT 0 REFERENCES `directories`(`id`), + `name` VARCHAR(512) NOT NULL +); + +DROP TABLE IF EXISTS `products`; +CREATE TABLE `products` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `name` VARCHAR(128) NOT NULL +); + +DROP TABLE IF EXISTS `algorithms`; +CREATE TABLE `algorithms` ( + `id` INTEGER PRIMARY KEY, + `name` VARCHAR(20) NOT NULL +); + +DROP TABLE IF EXISTS `file_hashes`; +CREATE TABLE `file_hashes` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `file` INTEGER NOT NULL REFERENCES `files`(`id`), + `product` INTEGER NOT NULL REFERENCES `products`(`id`), + `device` INTEGER DEFAULT 0, + `key` INTEGER DEFAULT 0 REFERENCES `keys`(id), + `algo` INTEGER NOT NULL REFERENCES `algorithms`(`id`), + `hash` VARBINARY(64) NOT NULL +); + +DROP TABLE IF EXISTS `keys`; +CREATE TABLE `keys` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `keyid` VARBINARY(128) NOT NULL, + `owner` VARCHAR(128) NOT NULL +); + +DROP TABLE IF EXISTS `groups`; +CREATE TABLE `groups` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `name` VARCHAR(50) NOT NULL UNIQUE, + `parent` INTEGER +); + +DROP TABLE IF EXISTS `groups_members`; +CREATE TABLE `groups_members` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `group_id` INTEGER NOT NULL REFERENCES `groups`(`id`), + `device_id` INTEGER NOT NULL REFERENCES `devices`(`id`), + UNIQUE (`group_id`, `device_id`) +); + +DROP TABLE IF EXISTS `groups_product_defaults`; +CREATE TABLE `groups_product_defaults` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `group_id` INTEGER NOT NULL REFERENCES `groups`(`id`), + `product_id` INTEGER NOT NULL REFERENCES `products`(`id`), + UNIQUE (`group_id`, `product_id`) +); + 
+DROP TABLE IF EXISTS `policies`; +CREATE TABLE `policies` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `type` INTEGER NOT NULL, + `name` VARCHAR(100) NOT NULL UNIQUE, + `argument` VARCHAR(100) DEFAULT '' NOT NULL, + `rec_fail` INTEGER NOT NULL, + `rec_noresult` INTEGER NOT NULL, + `file` INTEGER DEFAULT 0 REFERENCES `files`(`id`), + `dir` INTEGER DEFAULT 0 REFERENCES `directories`(`id`) +); + +DROP TABLE IF EXISTS `enforcements`; +CREATE TABLE `enforcements` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `policy` INTEGER NOT NULL REFERENCES `policies`(`id`), + `group_id` INTEGER NOT NULL REFERENCES `groups`(`id`), + `rec_fail` INTEGER, + `rec_noresult` INTEGER, + `max_age` INTEGER NOT NULL, + UNIQUE (`policy`, `group_id`) +); + +DROP TABLE IF EXISTS `sessions`; +CREATE TABLE `sessions` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `time` INTEGER NOT NULL, + `connection` INTEGER NOT NULL, + `identity` INTEGER DEFAULT 0 REFERENCES `identities`(`id`), + `device` INTEGER DEFAULT 0 REFERENCES `devices`(`id`), + `product` INTEGER DEFAULT 0 REFERENCES `products`(`id`), + `rec` INTEGER DEFAULT 3 +); + +DROP TABLE IF EXISTS `workitems`; +CREATE TABLE `workitems` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `session` INTEGER NOT NULL REFERENCES `sessions`(`id`), + `enforcement` INTEGER NOT NULL REFERENCES `enforcements`(`id`), + `type` INTEGER NOT NULL, + `arg_str` VARCHAR(128), + `arg_int` INTEGER DEFAULT 0, + `rec_fail` INTEGER NOT NULL, + `rec_noresult` INTEGER NOT NULL, + `rec_final` INTEGER, + `result` VARCHAR(128) +); + +DROP TABLE IF EXISTS `results`; +CREATE TABLE `results` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `session` INTEGER NOT NULL REFERENCES `measurements`(`id`), + `policy` INTEGER NOT NULL REFERENCES `policies`(`id`), + `rec` INTEGER NOT NULL, + `result` TEXT NOT NULL +); + +DROP TABLE IF EXISTS `components`; +CREATE TABLE `components` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + 
`vendor_id` INTEGER NOT NULL, + `name` INTEGER NOT NULL, + `qualifier` INTEGER DEFAULT 0 +); + +DROP TABLE IF EXISTS `key_component`; +CREATE TABLE `key_component` ( + `key` INTEGER NOT NULL, + `component` INTEGER NOT NULL, + `depth` INTEGER DEFAULT 0, + `seq_no` INTEGER DEFAULT 0, + PRIMARY KEY (`key`, `component`) +); + +DROP TABLE IF EXISTS `component_hashes`; +CREATE TABLE `component_hashes` ( + `component` INTEGER NOT NULL, + `key` INTEGER NOT NULL, + `seq_no` INTEGER NOT NULL, + `pcr` INTEGER NOT NULL, + `algo` INTEGER NOT NULL, + `hash` VARBINARY(32) NOT NULL, + PRIMARY KEY(`component`, `key`, `seq_no`, `algo`) +); + +DROP TABLE IF EXISTS `packages`; +CREATE TABLE `packages` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `name` VARCHAR(128) NOT NULL, + `blacklist` INTEGER DEFAULT 0 +); + +DROP TABLE IF EXISTS versions; +CREATE TABLE versions ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `package` INTEGER NOT NULL REFERENCES packages(id), + `product` INTEGER NOT NULL REFERENCES products(id), + `release` VARCHAR(32) NOT NULL, + `security` INTEGER DEFAULT 0, + `blacklist` INTEGER DEFAULT 0, + `time` INTEGER DEFAULT 0 +); + +DROP TABLE IF EXISTS `devices`; +CREATE TABLE `devices` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `description` VARCHAR(100) DEFAULT "", + `value` VARCHAR(256) NOT NULL, + `product` INTEGER REFERENCES `products`(`id`), + `created` INTEGER +); + +DROP TABLE IF EXISTS `identities`; +CREATE TABLE `identities` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `type` INTEGER NOT NULL, + `value` VARBINARY(128) NOT NULL, + UNIQUE (type, value) +); + +DROP TABLE IF EXISTS `regids`; +CREATE TABLE `regids` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `name` TEXT NOT NULL +); + +DROP TABLE IF EXISTS `tags`; +CREATE TABLE `tags` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `regid` INTEGER NOT NULL REFERENCES `regids`(`id`), + `unique_sw_id` VARCHAR(64) NOT NULL, + `value` VARCHAR(128) +); 
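Review bot: the `results` table declares `session` as REFERENCES `measurements`(`id`), a table this schema never creates (the SQLite tables.sql names it `sessions`), and MySQL does not complain because, per its documented behaviour, column-level inline REFERENCES clauses are parsed and ignored — which also means that none of the foreign keys in this file are enforced. Change the column to reference `sessions`(`id`) and, if enforcement is wanted, declare the constraints as table-level `FOREIGN KEY (...) REFERENCES ...` clauses once the referenced tables exist (`keys`, for example, is created after `file_hashes` refers to it). The MySQL schema is also already out of step with tables.sql in the same commit: it keeps `keys`, `key_component` and `file_hashes.key`, and lacks `devices.trusted` and `components.label`, so an IMV that queries the trusted flag will fail on a MySQL backend.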
diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql index a0f3a4e8d..f7324896e 100644 --- a/src/libimcv/imv/tables.sql +++ b/src/libimcv/imv/tables.sql @@ -42,27 +42,11 @@ CREATE TABLE file_hashes ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, file INTEGER NOT NULL REFERENCES files(id), product INTEGER NOT NULL REFERENCES products(id), - device INTEGER DEFAULT 0, - key INTEGER DEFAULT 0 REFERENCES keys(id), + device INTEGER DEFAULT 0 REFERENCES devices(id), algo INTEGER NOT NULL REFERENCES algorithms(id), hash BLOB NOT NULL ); -DROP TABLE IF EXISTS keys; -CREATE TABLE keys ( - id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, - keyid BLOB NOT NULL, - owner TEXT NOT NULL -); -DROP INDEX IF EXISTS keys_keyid; -CREATE INDEX keys_keyid ON keys ( - keyid -); -DROP INDEX IF EXISTS keys_owner; -CREATE INDEX keys_owner ON keys ( - owner -); - DROP TABLE IF EXISTS groups; CREATE TABLE groups ( id INTEGER NOT NULL PRIMARY KEY, @@ -156,29 +140,19 @@ CREATE TABLE components ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, vendor_id INTEGER NOT NULL, name INTEGER NOT NULL, - qualifier INTEGER DEFAULT 0 + qualifier INTEGER DEFAULT 0, + label TEXT NOT NULL ); - -DROP TABLE IF EXISTS key_component; -CREATE TABLE key_component ( - key INTEGER NOT NULL, - component INTEGER NOT NULL, - depth INTEGER DEFAULT 0, - seq_no INTEGER DEFAULT 0, - PRIMARY KEY (key, component) -); - - DROP TABLE IF EXISTS component_hashes; CREATE TABLE component_hashes ( - component INTEGER NOT NULL, - key INTEGER NOT NULL, + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + component INTEGER NOT NULL REFERENCES components(id), + key INTEGER NOT NULL REFERENCES devices(id), seq_no INTEGER NOT NULL, pcr INTEGER NOT NULL, - algo INTEGER NOT NULL, - hash BLOB NOT NULL, - PRIMARY KEY(component, key, seq_no, algo) + algo INTEGER NOT NULL REFERENCES algorithms(id), + hash BLOB NOT NULL ); DROP TABLE IF EXISTS packages; 
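Review bot: the rebuilt component_hashes table drops the former composite `PRIMARY KEY(component, key, seq_no, algo)` in favour of an AUTOINCREMENT id and no UNIQUE constraint replaces it, so the same (component, key, seq_no, algo) measurement can now be inserted repeatedly and a reference-value lookup that expects one row per tuple would see duplicates (hedged — the readers are outside this diff). Add `UNIQUE (component, key, seq_no, algo)` before the closing parenthesis. The column is still named `key` although it now references devices(id); if renaming is off the table, a comment such as `-- key: the measuring device, references devices(id)` avoids confusion with the dropped keys table.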
@@ -217,6 +191,7 @@ CREATE TABLE devices ( description TEXT DEFAULT '', value TEXT NOT NULL, product INTEGER REFERENCES products(id), + trusted INTEGER DEFAULT 0, created INTEGER ); DROP INDEX IF EXISTS devices_id; 
@@ -232,25 +207,101 @@ CREATE TABLE identities ( UNIQUE (type, value) ); -DROP TABLE IF EXISTS regids; -CREATE TABLE regids ( - id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, - name TEXT NOT NULL +DROP TABLE IF EXISTS "swid_entities"; +CREATE TABLE "swid_entities" ( + "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + "name" VARCHAR(255) NOT NULL, + "regid" VARCHAR(255) NOT NULL ); -DROP INDEX IF EXISTS regids_name; -CREATE INDEX regids_name ON regids ( - name +DROP INDEX IF EXISTS "swid_entities_name"; +DROP INDEX IF EXISTS "swid_entities_regid"; +CREATE INDEX "swid_entities_name" ON "swid_entities" ( + "name" +); +CREATE INDEX "swid_entities_regid" ON "swid_entities" ( + "regid" ); -DROP TABLE IF EXISTS tags; -CREATE TABLE tags ( - id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, - regid INTEGER NOT NULL REFERENCES regids(id), - unique_sw_id TEXT NOT NULL, - value TEXT +DROP TABLE IF EXISTS "swid_entityroles"; +CREATE TABLE "swid_entityroles" ( + "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + "tag_id" INTEGER NOT NULL REFERENCES "swid_tags" ("id"), + "entity_id" INTEGER NOT NULL, + "role" SMALLINT UNSIGNED NOT NULL +); +DROP INDEX if EXISTS "swid_entityroles_tag_id"; +DROP INDEX IF EXISTS "swid_entityroles_tag_entity_id"; +CREATE INDEX "swid_entityroles_tag_id" ON "swid_entityroles" ( + "tag_id" +); +CREATE INDEX "swid_entityroles_entity_id" ON "swid_entityroles" ( + "entity_id" +); + +DROP TABLE IF EXISTS "swid_tags"; +CREATE TABLE "swid_tags" ( + "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + "package_name" VARCHAR(255) NOT NULL, + "version" VARCHAR(255) NOT NULL, + "unique_id" VARCHAR(255) NOT NULL, + "swid_xml" TEXT NOT NULL, + "software_id" VARCHAR(255) NOT NULL +); +DROP INDEX if EXISTS "swid_tags_unique_id"; +DROP INDEX IF EXISTS "swid_tags_package_name"; +DROP INDEX IF EXISTS "swid_tags_software_id"; +CREATE INDEX "swid_tags_unique_id" ON "swid_tags" ( + "unique_id" +); +CREATE INDEX "swid_tags_package_name" ON "swid_tags" ( + "package_name" +); 
+CREATE INDEX "swid_tags_software_id" ON "swid_tags" ( + "software_id" +); + +DROP TABLE IF EXISTS "swid_tags_files"; +CREATE TABLE "swid_tags_files" ( + "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + "tag_id" INTEGER NOT NULL, + "file_id" INTEGER NOT NULL REFERENCES "files" ("id"), + UNIQUE ("tag_id", "file_id") +); +DROP INDEX IF EXISTS "swid_tags_files_file_id"; +DROP INDEX IF EXISTS "swid_tags_files_tag_id"; +CREATE INDEX "swid_tags_files_file_id" ON "swid_tags_files" ( + "file_id" +); +CREATE INDEX "swid_tags_files_tag_id" ON "swid_tags_files" ( + "tag_id" +); + +DROP TABLE IF EXISTS "swid_tags_sessions"; +CREATE TABLE "swid_tags_sessions" ( + "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + "tag_id" INTEGER NOT NULL, + "session_id" INTEGER NOT NULL REFERENCES "sessions" ("id"), + UNIQUE ("tag_id", "session_id") +); +DROP INDEX IF EXISTS "swid_tags_sessions_tag_id"; +DROP INDEX IF EXISTS "swid_tags_sessions_session_id"; +CREATE INDEX "swid_tags_sessions_tag_id" ON "swid_tags_sessions" ( + "tag_id" ); -DROP INDEX IF EXISTS tags_name; -CREATE INDEX tags_unique_sw_id ON tags ( - unique_sw_id +CREATE INDEX "swid_tags_sessions_session_id" ON "swid_tags_sessions" ( +"session_id" ); +DROP TABLE IF EXISTS "swid_tagstats"; +CREATE TABLE "swid_tagstats" ( + "id" integer NOT NULL PRIMARY KEY, + "tag_id" integer NOT NULL REFERENCES "swid_tags" ("id"), + "device_id" integer NOT NULL REFERENCES "devices" ("id"), + "first_seen_id" integer NOT NULL REFERENCES "sessions" ("id"), + "last_seen_id" integer NOT NULL REFERENCES "sessions" ("id"), + UNIQUE ("tag_id", "device_id") +); +CREATE INDEX "swid_tagstats_tag_id" ON "swid_tagstats" ("tag_id"); +CREATE INDEX "swid_tagstats_device_id" ON "swid_tagstats" ("device_id"); +CREATE INDEX "swid_tagstats_first_seen_id" ON "swid_tagstats" ("first_seen_id"); +CREATE INDEX "swid_tagstats_last_seen_id" ON "swid_tagstats" ("last_seen_id"); 
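Review bot: The index dropped for swid_entityroles is `"swid_entityroles_tag_entity_id"`, but the index created two statements later is `"swid_entityroles_entity_id"`, so the DROP never targets the object that is then created; make it `DROP INDEX IF EXISTS "swid_entityroles_entity_id";`. SQLite removes a table's indexes with the table, so this does not break a re-run today, but the same inconsistency is why the four swid_tagstats indexes have no DROP at all while every other index in the file does, and the two `DROP INDEX if EXISTS` lines should use the upper-case keyword like the rest. The referential declarations are also uneven: `"tag_id"` in swid_entityroles references swid_tags, but `"tag_id"` in swid_tags_files and swid_tags_sessions and `"entity_id"` in swid_entityroles carry no REFERENCES clause, e.g. `"tag_id" INTEGER NOT NULL REFERENCES "swid_tags" ("id"),` would bring them in line (subject to the foreign_keys pragma being enabled on the connection).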
diff --git a/src/libimcv/os_info/os_info.c b/src/libimcv/os_info/os_info.c index 06427575c..258b8b442 100644 --- a/src/libimcv/os_info/os_info.c +++ b/src/libimcv/os_info/os_info.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Andreas Steffen + * Copyright (C) 2012-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,16 +15,7 @@ #include "os_info.h" -#include <sys/utsname.h> -#include <stdio.h> -#include <stdarg.h> - -#include <collections/linked_list.h> -#include <utils/debug.h> - -typedef struct private_os_info_t private_os_info_t; - -ENUM(os_type_names, OS_TYPE_UNKNOWN, OS_TYPE_ANDROID, +ENUM(os_type_names, OS_TYPE_UNKNOWN, OS_TYPE_WINDOWS, "Unknown", "Debian", "Ubuntu", @@ -33,7 +24,8 @@ ENUM(os_type_names, OS_TYPE_UNKNOWN, OS_TYPE_ANDROID, "CentOS", "SUSE", "Gentoo", - "Android" + "Android", + "Windows", ); ENUM(os_fwd_status_names, OS_FWD_DISABLED, OS_FWD_UNKNOWN, 
@@ -49,487 +41,6 @@ ENUM(os_package_state_names, OS_PACKAGE_STATE_UPDATE, OS_PACKAGE_STATE_BLACKLIST ); /** - * Private data of an os_info_t object. - * - */ -struct private_os_info_t { - - /** - * Public os_info_t interface. - */ - os_info_t public; - - /** - * OS type - */ - os_type_t type; - - /** - * OS name - */ - chunk_t name; - - /** - * OS version - */ - chunk_t version; - -}; - -METHOD(os_info_t, get_type, os_type_t, - private_os_info_t *this) -{ - return this->type; -} - -METHOD(os_info_t, get_name, chunk_t, - private_os_info_t *this) -{ - return this->name; -} - -METHOD(os_info_t, get_numeric_version, void, - private_os_info_t *this, u_int32_t *major, u_int32_t *minor) -{ - u_char *pos; - - if (major) - { - *major = atol(this->version.ptr); - } - pos = memchr(this->version.ptr, '.', this->version.len); - if (minor) - { - *minor = pos ? atol(pos + 1) : 0; - } -} - -METHOD(os_info_t, get_version, chunk_t, - private_os_info_t *this) -{ - return this->version; -} - -METHOD(os_info_t, get_fwd_status, os_fwd_status_t, - private_os_info_t *this) -{ - const char ip_forward[] = "/proc/sys/net/ipv4/ip_forward"; - char buf[2]; - FILE *file; - - os_fwd_status_t fwd_status = OS_FWD_UNKNOWN; - - file = fopen(ip_forward, "r"); - if (file) - { - if (fread(buf, 1, 1, file) == 1) - { - switch (buf[0]) - { - case '0': - fwd_status = OS_FWD_DISABLED; - break; - case '1': - fwd_status = OS_FWD_ENABLED; - break; - default: - DBG1(DBG_IMC, "\"%s\" returns invalid value ", ip_forward); - break; - } - } - else - { - DBG1(DBG_IMC, "could not read from \"%s\"", ip_forward); - } - fclose(file); - } - else - { - DBG1(DBG_IMC, "failed to open \"%s\"", ip_forward); - } - - return fwd_status; -} - -METHOD(os_info_t, get_uptime, time_t, - private_os_info_t *this) -{ - const char proc_uptime[] = "/proc/uptime"; - FILE *file; - u_int uptime; - - file = fopen(proc_uptime, "r"); - if (!file) - { - DBG1(DBG_IMC, "failed to open \"%s\"", proc_uptime); - return 0; - } - if (fscanf(file, "%u", 
&uptime) != 1) - { - DBG1(DBG_IMC, "failed to read file \"%s\"", proc_uptime); - uptime = 0; - } - fclose(file); - - return uptime; -} - -METHOD(os_info_t, get_setting, chunk_t, - private_os_info_t *this, char *name) -{ - FILE *file; - u_char buf[2048]; - size_t i = 0; - chunk_t value; - - if (!strpfx(name, "/etc/") && !strpfx(name, "/proc/") && - !strpfx(name, "/sys/") && !strpfx(name, "/var/")) - { - /** - * In order to guarantee privacy, only settings from the - * /etc/, /proc/ and /sys/ directories can be retrieved - */ - DBG1(DBG_IMC, "not allowed to access '%s'", name); - - return chunk_empty; - } - - file = fopen(name, "r"); - if (!file) - { - DBG1(DBG_IMC, "failed to open '%s'", name); - - return chunk_empty; - } - while (i < sizeof(buf) && fread(buf + i, 1, 1, file) == 1) - { - i++; - } - fclose(file); - - value = chunk_create(buf, i); - - return chunk_clone(value); -} - -typedef struct { - /** - * implements enumerator_t - */ - enumerator_t public; - - /** - * package info pipe stream - */ - FILE* file; - - /** - * line buffer - */ - u_char line[512]; - -} package_enumerator_t; - -/** - * Implementation of package_enumerator.destroy. - */ -static void package_enumerator_destroy(package_enumerator_t *this) -{ - pclose(this->file); - free(this); -} - -/** - * Implementation of package_enumerator.enumerate - */ -static bool package_enumerator_enumerate(package_enumerator_t *this, ...) 
-{ - chunk_t *name, *version; - u_char *pos; - va_list args; - - while (TRUE) - { - if (!fgets(this->line, sizeof(this->line), this->file)) - { - return FALSE; - } - - pos = strchr(this->line, '\t'); - if (!pos) - { - return FALSE; - } - *pos++ = '\0'; - - if (!streq(this->line, "install ok installed")) - { - continue; - } - va_start(args, this); - - name = va_arg(args, chunk_t*); - name->ptr = pos; - pos = strchr(pos, '\t'); - if (!pos) - { - va_end(args); - return FALSE; - } - name->len = pos++ - name->ptr; - - version = va_arg(args, chunk_t*); - version->ptr = pos; - version->len = strlen(pos) - 1; - - va_end(args); - return TRUE; - } -} - -METHOD(os_info_t, create_package_enumerator, enumerator_t*, - private_os_info_t *this) -{ - FILE *file; - const char command[] = "dpkg-query --show --showformat=" - "'${Status}\t${Package}\t${Version}\n'"; - package_enumerator_t *enumerator; - - /* Only Debian and Ubuntu package enumeration is currently supported */ - if (this->type != OS_TYPE_DEBIAN && this->type != OS_TYPE_UBUNTU) - { - return NULL; - } - - /* Open a pipe stream for reading the output of the dpkg-query commmand */ - file = popen(command, "r"); - if (!file) - { - DBG1(DBG_IMC, "failed to run dpkg command"); - return NULL; - } - - /* Create a package enumerator instance */ - enumerator = malloc_thing(package_enumerator_t); - enumerator->public.enumerate = (void*)package_enumerator_enumerate; - enumerator->public.destroy = (void*)package_enumerator_destroy; - enumerator->file = file; - - return (enumerator_t*)enumerator; -} - - -METHOD(os_info_t, destroy, void, - private_os_info_t *this) -{ - free(this->name.ptr); - free(this->version.ptr); - free(this); -} - -#define RELEASE_LSB 0 -#define RELEASE_DEBIAN 1 - -/** - * Determine Linux distribution version and hardware platform - */ -static bool extract_platform_info(os_type_t *type, chunk_t *name, - chunk_t *version) -{ - FILE *file; - u_char buf[BUF_LEN], *pos = buf; - int len = BUF_LEN - 1; - os_type_t 
os_type = OS_TYPE_UNKNOWN; - chunk_t os_name = chunk_empty; - chunk_t os_version = chunk_empty; - char *os_str; - struct utsname uninfo; - int i; - - /* Linux/Unix distribution release info (from http://linuxmafia.com) */ - const char* releases[] = { - "/etc/lsb-release", "/etc/debian_version", - "/etc/SuSE-release", "/etc/novell-release", - "/etc/sles-release", "/etc/redhat-release", - "/etc/fedora-release", "/etc/gentoo-release", - "/etc/slackware-version", "/etc/annvix-release", - "/etc/arch-release", "/etc/arklinux-release", - "/etc/aurox-release", "/etc/blackcat-release", - "/etc/cobalt-release", "/etc/conectiva-release", - "/etc/debian_release", "/etc/immunix-release", - "/etc/lfs-release", "/etc/linuxppc-release", - "/etc/mandrake-release", "/etc/mandriva-release", - "/etc/mandrakelinux-release", "/etc/mklinux-release", - "/etc/pld-release", "/etc/redhat_version", - "/etc/slackware-release", "/etc/e-smith-release", - "/etc/release", "/etc/sun-release", - "/etc/tinysofa-release", "/etc/turbolinux-release", - "/etc/ultrapenguin-release", "/etc/UnitedLinux-release", - "/etc/va-release", "/etc/yellowdog-release" - }; - - const char lsb_distrib_id[] = "DISTRIB_ID="; - const char lsb_distrib_release[] = "DISTRIB_RELEASE="; - - for (i = 0; i < countof(releases); i++) - { - file = fopen(releases[i], "r"); - if (!file) - { - continue; - } - - /* read release file into buffer */ - fseek(file, 0, SEEK_END); - len = min(ftell(file), len); - rewind(file); - buf[len] = '\0'; - if (fread(buf, 1, len, file) != len) - { - DBG1(DBG_IMC, "failed to read file \"%s\"", releases[i]); - fclose(file); - return FALSE; - } - fclose(file); - - DBG1(DBG_IMC, "processing \"%s\" file", releases[i]); - - switch (i) - { - case RELEASE_LSB: - { - /* Determine Distribution ID */ - pos = strstr(buf, lsb_distrib_id); - if (!pos) - { - DBG1(DBG_IMC, "failed to find begin of DISTRIB_ID field"); - return FALSE; - } - pos += strlen(lsb_distrib_id); - - os_name.ptr = pos; - - pos = strchr(pos, 
'\n'); - if (!pos) - { - DBG1(DBG_IMC, "failed to find end of DISTRIB_ID field"); - return FALSE; - } - os_name.len = pos - os_name.ptr; - - /* Determine Distribution Release */ - pos = strstr(buf, lsb_distrib_release); - if (!pos) - { - DBG1(DBG_IMC, "failed to find begin of DISTRIB_RELEASE field"); - return FALSE; - } - pos += strlen(lsb_distrib_release); - - os_version.ptr = pos; - - pos = strchr(pos, '\n'); - if (!pos) - { - DBG1(DBG_IMC, "failed to find end of DISTRIB_RELEASE field"); - return FALSE; - } - os_version.len = pos - os_version.ptr; - - break; - } - case RELEASE_DEBIAN: - { - os_type = OS_TYPE_DEBIAN; - - os_version.ptr = buf; - pos = strchr(buf, '\n'); - if (!pos) - { - DBG1(DBG_PTS, "failed to find end of release string"); - return FALSE; - } - - os_version.len = pos - os_version.ptr; - - break; - } - default: - { - const char str_release[] = " release "; - - os_name.ptr = buf; - - pos = strstr(buf, str_release); - if (!pos) - { - DBG1(DBG_IMC, "failed to find release keyword"); - return FALSE; - } - - os_name.len = pos - os_name.ptr; - - pos += strlen(str_release); - os_version.ptr = pos; - - pos = strchr(pos, '\n'); - if (!pos) - { - DBG1(DBG_IMC, "failed to find end of release string"); - return FALSE; - } - - os_version.len = pos - os_version.ptr; - - break; - } - } - break; - } - - if (!os_version.ptr) - { - DBG1(DBG_IMC, "no distribution release file found"); - return FALSE; - } - - if (uname(&uninfo) < 0) - { - DBG1(DBG_IMC, "could not retrieve machine architecture"); - return FALSE; - } - - /* Try to find a matching OS type based on the OS name */ - if (os_type == OS_TYPE_UNKNOWN) - { - os_type = os_type_from_name(os_name); - } - - /* If known use the official OS name */ - if (os_type != OS_TYPE_UNKNOWN) - { - os_str = enum_to_name(os_type_names, os_type); - os_name = chunk_create(os_str, strlen(os_str)); - } - - /* copy OS type */ - *type = os_type; - - /* copy OS name */ - *name = chunk_clone(os_name); - - /* copy OS version and machine 
architecture */ - *version = chunk_alloc(os_version.len + 1 + strlen(uninfo.machine)); - pos = version->ptr; - memcpy(pos, os_version.ptr, os_version.len); - pos += os_version.len; - *pos++ = ' '; - memcpy(pos, uninfo.machine, strlen(uninfo.machine)); - - return TRUE; -} - -/** * See header */ os_type_t os_type_from_name(chunk_t name) @@ -548,59 +59,3 @@ os_type_t os_type_from_name(chunk_t name) } return OS_TYPE_UNKNOWN; } - -/** - * See header - */ -os_info_t *os_info_create(void) -{ - private_os_info_t *this; - chunk_t name, version; - os_type_t type; - - /* As an option OS name and OS version can be configured manually */ - name.ptr = lib->settings->get_str(lib->settings, - "%s.imcv.os_info.name", NULL, lib->ns); - version.ptr = lib->settings->get_str(lib->settings, - "%s.imcv.os_info.version", NULL, lib->ns); - if (name.ptr && version.ptr) - { - name.len = strlen(name.ptr); - name = chunk_clone(name); - - version.len = strlen(version.ptr); - version = chunk_clone(version); - - type = os_type_from_name(name); - } - else - { - if (!extract_platform_info(&type, &name, &version)) - { - return NULL; - } - } - DBG1(DBG_IMC, "operating system name is '%.*s'", - name.len, name.ptr); - DBG1(DBG_IMC, "operating system version is '%.*s'", - version.len, version.ptr); - - INIT(this, - .public = { - .get_type = _get_type, - .get_name = _get_name, - .get_numeric_version = _get_numeric_version, - .get_version = _get_version, - .get_fwd_status = _get_fwd_status, - .get_uptime = _get_uptime, - .get_setting = _get_setting, - .create_package_enumerator = _create_package_enumerator, - .destroy = _destroy, - }, - .type = type, - .name = name, - .version = version, - ); - - return &this->public; -} diff --git a/src/libimcv/os_info/os_info.h b/src/libimcv/os_info/os_info.h index f47460709..031355458 100644 --- a/src/libimcv/os_info/os_info.h +++ b/src/libimcv/os_info/os_info.h 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Andreas Steffen + * Copyright (C) 2012-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -40,6 +40,7 @@ enum os_type_t { OS_TYPE_SUSE, OS_TYPE_GENTOO, OS_TYPE_ANDROID, + OS_TYPE_WINDOWS, OS_TYPE_ROOF }; 
@@ -68,86 +69,11 @@ enum os_fwd_status_t { extern enum_name_t *os_fwd_status_names; /** - * Interface for the Operating System (OS) information module - */ -struct os_info_t { - - /** - * Get the OS type if it can be determined - * - * @return OS type - */ - os_type_t (*get_type)(os_info_t *this); - - /** - * Get the OS product name or distribution - * - * @return OS name - */ - chunk_t (*get_name)(os_info_t *this); - - /** - * Get the numeric OS version or release - * - * @param major OS major version number - * @param minor OS minor version number - */ - void (*get_numeric_version)(os_info_t *this, u_int32_t *major, - u_int32_t *minor); - - /** - * Get the OS version or release - * - * @return OS version - */ - chunk_t (*get_version)(os_info_t *this); - - /** - * Get the OS IPv4 forwarding status - * - * @return IP forwarding status - */ - os_fwd_status_t (*get_fwd_status)(os_info_t *this); - - /** - * Get the OS uptime in seconds - * - * @return OS uptime - */ - time_t (*get_uptime)(os_info_t *this); - - /** - * Get an OS setting (restricted to /proc, /sys, and /etc) - * - * @param name name of OS setting - * @return value of OS setting - */ - chunk_t (*get_setting)(os_info_t *this, char *name); - - /** - * Enumerates over all installed packages - * - * @return return package enumerator - */ - enumerator_t* (*create_package_enumerator)(os_info_t *this); - - /** - * Destroys an os_info_t object. - */ - void (*destroy)(os_info_t *this); -}; - -/** * Convert an OS name into an OS enumeration type * - * @param name OS name - * @return OS enumeration type + * @param name OS name + * @return OS enumeration type */ os_type_t os_type_from_name(chunk_t name); -/** - * Create an os_info_t object - */ -os_info_t* os_info_create(void); - #endif /** OS_INFO_H_ @}*/ diff --git a/src/libimcv/pa_tnc/pa_tnc_attr.h b/src/libimcv/pa_tnc/pa_tnc_attr.h index e2ce06ee4..1e0c339c9 100644 --- a/src/libimcv/pa_tnc/pa_tnc_attr.h +++ b/src/libimcv/pa_tnc/pa_tnc_attr.h 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2012 Andreas Steffen + * Copyright (C) 2011-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -26,6 +26,8 @@ typedef struct pa_tnc_attr_t pa_tnc_attr_t; #include <library.h> #include <pen/pen.h> +#define PA_TNC_ATTR_HEADER_SIZE 12 + /** * Interface for an RFC 5792 PA-TNC Posture Attribute. * @@ -71,7 +73,7 @@ struct pa_tnc_attr_t { * @param relative error offset within attribute body * @return result status */ - status_t (*process)(pa_tnc_attr_t *this, u_int32_t *offset); + status_t (*process)(pa_tnc_attr_t *this, uint32_t *offset); /** * Get a new reference to the PA-TNC attribute diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.c b/src/libimcv/pa_tnc/pa_tnc_msg.c index 140463b83..77d383b93 100644 --- a/src/libimcv/pa_tnc/pa_tnc_msg.c +++ b/src/libimcv/pa_tnc/pa_tnc_msg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2012 Andreas Steffen + * Copyright (C) 2011-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -23,7 +23,6 @@ #include <pen/pen.h> #include <utils/debug.h> - typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t; /** @@ -38,7 +37,6 @@ typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t; * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -#define PA_TNC_HEADER_SIZE 8 #define PA_TNC_RESERVED 0x000000 /** @@ -59,7 +57,6 @@ typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t; #define PA_TNC_ATTR_FLAG_NONE 0x00 #define PA_TNC_ATTR_FLAG_NOSKIP (1<<7) -#define PA_TNC_ATTR_HEADER_SIZE 12 #define PA_TNC_ATTR_INFO_SIZE 8 /** @@ -86,7 +83,7 @@ struct private_pa_tnc_msg_t { /** * Message identifier */ - u_int32_t identifier; + uint32_t identifier; /** * Current PA-TNC Message size 
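Review bot: `#define PA_TNC_ATTR_HEADER_SIZE 12` is moved into the public header without the context that explained it in pa_tnc_msg.c, where it sat next to the header diagram; a reader of pa_tnc_attr.h now sees a bare 12. A doc comment such as `/** Size of the PA-TNC attribute header: 1 byte flags, 3 bytes vendor ID, 4 bytes type, 4 bytes length (RFC 5792) */` would keep the header self-explanatory, and the matching `#define PA_TNC_HEADER_SIZE 8` added to pa_tnc_msg.h deserves the same treatment (version, reserved, message identifier). Both constants are now used for length arithmetic in imc_os.c, so their meaning should be visible where they are declared.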
@@ -139,13 +136,13 @@ METHOD(pa_tnc_msg_t, build, bool, pa_tnc_attr_t *attr; enum_name_t *pa_attr_names; pen_type_t type; - u_int8_t flags; + uint8_t flags; chunk_t value; nonce_gen_t *ng; /* generate a nonce as a message identifier */ ng = lib->crypto->create_nonce_gen(lib->crypto); - if (!ng || !ng->get_nonce(ng, 4, (u_int8_t*)&this->identifier)) + if (!ng || !ng->get_nonce(ng, 4, (uint8_t*)&this->identifier)) { DBG1(DBG_TNC, "failed to generate random PA-TNC message identifier"); DESTROY_IF(ng); @@ -205,8 +202,8 @@ METHOD(pa_tnc_msg_t, process, status_t, { bio_reader_t *reader; pa_tnc_attr_t *error; - u_int8_t version; - u_int32_t reserved, offset, attr_offset; + uint8_t version; + uint32_t reserved, offset, attr_offset; pen_type_t error_code = { PEN_IETF, PA_ERROR_INVALID_PARAMETER }; /* process message header */ @@ -237,8 +234,8 @@ METHOD(pa_tnc_msg_t, process, status_t, while (reader->remaining(reader) >= PA_TNC_ATTR_HEADER_SIZE) { pen_t vendor_id; - u_int8_t flags; - u_int32_t type, length; + uint8_t flags; + uint32_t type, length; chunk_t value, attr_info; pa_tnc_attr_t *attr; enum_name_t *pa_attr_names; @@ -372,7 +369,7 @@ METHOD(pa_tnc_msg_t, process_ietf_std_errors, bool, ietf_attr_pa_tnc_error_t *error_attr; pen_type_t error_code; chunk_t msg_info, attr_info; - u_int32_t offset; + uint32_t offset; error_attr = (ietf_attr_pa_tnc_error_t*)attr; error_code = error_attr->get_error_code(error_attr); diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.h b/src/libimcv/pa_tnc/pa_tnc_msg.h index 218d3d673..84814b92b 100644 --- a/src/libimcv/pa_tnc/pa_tnc_msg.h +++ b/src/libimcv/pa_tnc/pa_tnc_msg.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2012 Andreas Steffen + * Copyright (C) 2011-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -24,6 +24,7 @@ typedef struct pa_tnc_msg_t pa_tnc_msg_t; #define PA_TNC_VERSION 0x01 +#define PA_TNC_HEADER_SIZE 8 #include "pa_tnc_attr.h" 
diff --git a/src/libimcv/plugins/imc_os/Makefile.am b/src/libimcv/plugins/imc_os/Makefile.am index fec38cd4e..e6dd10be5 100644 --- a/src/libimcv/plugins/imc_os/Makefile.am +++ b/src/libimcv/plugins/imc_os/Makefile.am @@ -4,7 +4,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libimcv AM_CFLAGS = \ - -rdynamic + $(PLUGIN_CFLAGS) imcv_LTLIBRARIES = imc-os.la diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in index 7b25614f3..2f0b85404 100644 --- a/src/libimcv/plugins/imc_os/Makefile.in +++ b/src/libimcv/plugins/imc_os/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.3 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -261,6 +261,7 @@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ @@ -279,6 +280,7 @@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ @@ -306,6 +308,7 @@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -397,6 +400,7 @@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ @@ -413,7 +417,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libimcv AM_CFLAGS = \ - -rdynamic + $(PLUGIN_CFLAGS) imcv_LTLIBRARIES = imc-os.la imc_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \ 
diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c index 647a44957..c624d26b1 100644 --- a/src/libimcv/plugins/imc_os/imc_os.c +++ b/src/libimcv/plugins/imc_os/imc_os.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2012 Andreas Steffen + * Copyright (C) 2011-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -17,6 +17,7 @@ #include <imc/imc_agent.h> #include <imc/imc_msg.h> +#include <imc/imc_os_info.h> #include <ietf/ietf_attr.h> #include <ietf/ietf_attr_attr_request.h> #include <ietf/ietf_attr_default_pwd_enabled.h> @@ -31,7 +32,6 @@ #include <ita/ita_attr_settings.h> #include <ita/ita_attr_angel.h> #include <ita/ita_attr_device_id.h> -#include <os_info/os_info.h> #include <tncif_pa_subtypes.h> @@ -47,15 +47,15 @@ static pen_type_t msg_types[] = { }; static imc_agent_t *imc_os; -static os_info_t *os; +static imc_os_info_t *os; /** * see section 3.8.1 of TCG TNC IF-IMC Specification 1.3 */ -TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id, - TNC_Version min_version, - TNC_Version max_version, - TNC_Version *actual_version) +TNC_Result TNC_IMC_API TNC_IMC_Initialize(TNC_IMCID imc_id, + TNC_Version min_version, + TNC_Version max_version, + TNC_Version *actual_version) { if (imc_os) { @@ -69,7 +69,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id, return TNC_RESULT_FATAL; } - os = os_info_create(); + os = imc_os_info_create(); if (!os) { imc_os->destroy(imc_os); @@ -89,9 +89,8 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id, /** * see section 3.8.2 of TCG TNC IF-IMC Specification 1.3 */ -TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id, - TNC_ConnectionID connection_id, - TNC_ConnectionState new_state) +TNC_Result TNC_IMC_API TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id, + TNC_ConnectionID connection_id, TNC_ConnectionState new_state) { imc_state_t *state; 
@@ -238,23 +237,97 @@ static void add_default_pwd_enabled(imc_msg_t *msg) static void add_device_id(imc_msg_t *msg) { pa_tnc_attr_t *attr; - chunk_t value; - char *name; + chunk_t value = chunk_empty, keyid; + char *name, *device_id, *cert_path; + certificate_t *cert = NULL; + public_key_t *pubkey; + + /* Get the device ID as a character string */ + device_id = lib->settings->get_str(lib->settings, + "%s.plugins.imc-os.device_id", NULL, lib->ns); + if (device_id) + { + value = chunk_clone(chunk_from_str(device_id)); + } + + if (value.len == 0) + { + /* Derive the device ID from a raw public key */ + cert_path = lib->settings->get_str(lib->settings, + "%s.plugins.imc-os.device_pubkey", NULL, lib->ns); + if (cert_path) + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, + CERT_TRUSTED_PUBKEY, BUILD_FROM_FILE, + cert_path, BUILD_END); + if (cert) + { + DBG2(DBG_IMC, "loaded device public key from '%s'", cert_path); + } + else + { + DBG1(DBG_IMC, "loading device public key from '%s' failed", + cert_path); + } + } + + if (!cert) + { + /* Derive the device ID from the public key contained in a certificate */ + cert_path = lib->settings->get_str(lib->settings, + "%s.plugins.imc-os.device_cert", NULL, lib->ns); + if (cert_path) + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, + CERT_X509, BUILD_FROM_FILE, + cert_path, BUILD_END); + if (cert) + { + DBG2(DBG_IMC, "loaded device certificate from '%s'", cert_path); + } + else + { + DBG1(DBG_IMC, "loading device certificate from '%s' failed", + cert_path); + } + } + } - name = os->get_type(os) == OS_TYPE_ANDROID ? 
- "android_id" : "/var/lib/dbus/machine-id"; - value = os->get_setting(os, name); + /* Compute the SHA-1 keyid of the retrieved device public key */ + if (cert) + { + pubkey = cert->get_public_key(cert); + if (pubkey) + { + if (pubkey->get_fingerprint(pubkey, KEYID_PUBKEY_INFO_SHA1, + &keyid)) + { + value = chunk_to_hex(keyid, NULL, FALSE); + } + pubkey->destroy(pubkey); + } + cert->destroy(cert); + } + } if (value.len == 0) { - DBG1(DBG_IMC, "no device ID available"); - return; + /* Derive the device ID from some unique OS settings */ + name = os->get_type(os) == OS_TYPE_ANDROID ? + "android_id" : "/var/lib/dbus/machine-id"; + value = os->get_setting(os, name); + + /* Trim trailing newline character */ + if (value.len > 0 && value.ptr[value.len - 1] == '\n') + { + value.len--; + } } - /* trim trailing newline character */ - if (value.ptr[value.len - 1] == '\n') + if (value.len == 0) { - value.len--; + DBG1(DBG_IMC, "no device ID available"); + return; } DBG1(DBG_IMC, "device ID is %.*s", value.len, value.ptr); @@ -279,11 +352,12 @@ static void add_installed_packages(imc_state_t *state, imc_msg_t *msg) * Compute the maximum IETF Installed Packages attribute size * leaving space for an additional ITA Angel attribute */ - max_attr_size = state->get_max_msg_len(state) - 8 - 12; + max_attr_size = state->get_max_msg_len(state) - + PA_TNC_HEADER_SIZE - PA_TNC_ATTR_HEADER_SIZE; /* At least one IETF Installed Packages attribute is sent */ attr = ietf_attr_installed_packages_create(); - attr_size = 12 + 4; + attr_size = PA_TNC_ATTR_HEADER_SIZE + IETF_INSTALLED_PACKAGES_MIN_SIZE; enumerator = os->create_package_enumerator(os); if (enumerator) 
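Review bot: Whichever source wins here — the `device_id` setting, the SHA-1 keyid of `device_pubkey`/`device_cert`, or the machine-id fallback — the ID that leaves add_device_id is a client-supplied string sent without any proof of possession of the corresponding key, and nothing in the hunk says so; a comment at the top of the new block, e.g. `/* The device ID is self-reported; the IMV must not treat it as authenticated unless it is bound to a key the device has proven (e.g. during attestation). */`, would keep the next reader from assuming the keyid path adds authenticity. The public-key and certificate loading blocks are copies that differ only in `CERT_TRUSTED_PUBKEY` versus `CERT_X509` and the log text; a small static helper taking the setting name and certificate type would halve the hunk and keep the two messages in step. Ownership looks right as written: `pubkey->destroy` and `cert->destroy` sit inside their respective `if` blocks, and `chunk_to_hex` copies `keyid` before the key is destroyed. add_device_id's body continues outside the hunk.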
@@ -310,7 +384,8 @@ static void add_installed_packages(imc_state_t *state, imc_msg_t *msg) /* create the next IETF Installed Packages attribute */ attr = ietf_attr_installed_packages_create(); - attr_size = 12 + 4; + attr_size = PA_TNC_ATTR_HEADER_SIZE + + IETF_INSTALLED_PACKAGES_MIN_SIZE; } attr_cast = (ietf_attr_installed_packages_t*)attr; attr_cast->add(attr_cast, name, version); @@ -370,8 +445,8 @@ static void add_settings(enumerator_t *enumerator, imc_msg_t *msg) /** * see section 3.8.3 of TCG TNC IF-IMC Specification 1.3 */ -TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id, - TNC_ConnectionID connection_id) +TNC_Result TNC_IMC_API TNC_IMC_BeginHandshake(TNC_IMCID imc_id, + TNC_ConnectionID connection_id) { imc_state_t *state; imc_msg_t *out_msg; @@ -518,11 +593,11 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) * see section 3.8.4 of TCG TNC IF-IMC Specification 1.3 */ -TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id, - TNC_ConnectionID connection_id, - TNC_BufferReference msg, - TNC_UInt32 msg_len, - TNC_MessageType msg_type) +TNC_Result TNC_IMC_API TNC_IMC_ReceiveMessage(TNC_IMCID imc_id, + TNC_ConnectionID connection_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) { imc_state_t *state; imc_msg_t *in_msg; 
@@ -548,15 +623,15 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id, /** * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3 */ -TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id, - TNC_ConnectionID connection_id, - TNC_UInt32 msg_flags, - TNC_BufferReference msg, - TNC_UInt32 msg_len, - TNC_VendorID msg_vid, - TNC_MessageSubtype msg_subtype, - TNC_UInt32 src_imv_id, - TNC_UInt32 dst_imc_id) +TNC_Result TNC_IMC_API TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id, + TNC_ConnectionID connection_id, + TNC_UInt32 msg_flags, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_VendorID msg_vid, + TNC_MessageSubtype msg_subtype, + TNC_UInt32 src_imv_id, + TNC_UInt32 dst_imc_id) { imc_state_t *state; imc_msg_t *in_msg; @@ -583,8 +658,8 @@ TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id, /** * see section 3.8.7 of TCG TNC IF-IMC Specification 1.3 */ -TNC_Result TNC_IMC_BatchEnding(TNC_IMCID imc_id, - TNC_ConnectionID connection_id) +TNC_Result TNC_IMC_API TNC_IMC_BatchEnding(TNC_IMCID imc_id, + TNC_ConnectionID connection_id) { if (!imc_os) { @@ -597,7 +672,7 @@ TNC_Result TNC_IMC_BatchEnding(TNC_IMCID imc_id, /** * see section 3.8.8 of TCG TNC IF-IMC Specification 1.3 */ -TNC_Result TNC_IMC_Terminate(TNC_IMCID imc_id) +TNC_Result TNC_IMC_API TNC_IMC_Terminate(TNC_IMCID imc_id) { if (!imc_os) { @@ -616,8 +691,8 @@ TNC_Result TNC_IMC_Terminate(TNC_IMCID imc_id) /** * see section 4.2.8.1 of TCG TNC IF-IMC Specification 1.3 */ -TNC_Result TNC_IMC_ProvideBindFunction(TNC_IMCID imc_id, - TNC_TNCC_BindFunctionPointer bind_function) +TNC_Result TNC_IMC_API TNC_IMC_ProvideBindFunction(TNC_IMCID imc_id, + TNC_TNCC_BindFunctionPointer bind_function) { if (!imc_os) { diff --git a/src/libimcv/plugins/imc_scanner/Makefile.am b/src/libimcv/plugins/imc_scanner/Makefile.am index 7bf9075ed..44d3ad749 100644 --- a/src/libimcv/plugins/imc_scanner/Makefile.am +++ b/src/libimcv/plugins/imc_scanner/Makefile.am 
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libimcv AM_CFLAGS = \ - -rdynamic + $(PLUGIN_CFLAGS) imcv_LTLIBRARIES = imc-scanner.la diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in index afcaf1ac3..c66bb1afa 100644 --- a/src/libimcv/plugins/imc_scanner/Makefile.in +++ b/src/libimcv/plugins/imc_scanner/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.3 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -262,6 +262,7 @@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ @@ -280,6 +281,7 @@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ @@ -307,6 +309,7 @@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -398,6 +401,7 @@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ @@ -414,7 +418,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libimcv AM_CFLAGS = \ - -rdynamic + $(PLUGIN_CFLAGS) imcv_LTLIBRARIES = imc-scanner.la imc_scanner_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \ diff --git a/src/libimcv/plugins/imc_test/Makefile.am b/src/libimcv/plugins/imc_test/Makefile.am index 5a04f1fbe..4bdc23487 100644 --- a/src/libimcv/plugins/imc_test/Makefile.am +++ b/src/libimcv/plugins/imc_test/Makefile.am 
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libimcv AM_CFLAGS = \ - -rdynamic + $(PLUGIN_CFLAGS) imcv_LTLIBRARIES = imc-test.la diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in index 1c3065456..1702574f9 100644 --- a/src/libimcv/plugins/imc_test/Makefile.in +++ b/src/libimcv/plugins/imc_test/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.3 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -261,6 +261,7 @@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ @@ -279,6 +280,7 @@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ @@ -306,6 +308,7 @@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -397,6 +400,7 @@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ @@ -413,7 +417,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libimcv AM_CFLAGS = \ - -rdynamic + $(PLUGIN_CFLAGS) imcv_LTLIBRARIES = imc-test.la imc_test_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \ diff --git a/src/libimcv/plugins/imv_os/Makefile.am b/src/libimcv/plugins/imv_os/Makefile.am index 434e26f69..3b3f793f1 100644 --- a/src/libimcv/plugins/imv_os/Makefile.am +++ b/src/libimcv/plugins/imv_os/Makefile.am 
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libimcv AM_CFLAGS = \ - -rdynamic + $(PLUGIN_CFLAGS) imcv_LTLIBRARIES = imv-os.la @@ -18,9 +18,11 @@ imv_os_la_SOURCES = \ imv_os_la_LDFLAGS = -module -avoid-version -no-undefined +if !USE_WINDOWS ipsec_PROGRAMS = pacman pacman_SOURCES = pacman.c pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la pacman.o : $(top_builddir)/config.status EXTRA_DIST = pacman.sh +endif diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in index 044175029..cae6dbe84 100644 --- a/src/libimcv/plugins/imv_os/Makefile.in +++ b/src/libimcv/plugins/imv_os/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.3 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -79,7 +79,7 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -ipsec_PROGRAMS = pacman$(EXEEXT) +@USE_WINDOWS_FALSE@ipsec_PROGRAMS = pacman$(EXEEXT) subdir = src/libimcv/plugins/imv_os DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ $(top_srcdir)/depcomp @@ -142,10 +142,10 @@ imv_os_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(imv_os_la_LDFLAGS) $(LDFLAGS) -o $@ PROGRAMS = $(ipsec_PROGRAMS) -am_pacman_OBJECTS = pacman.$(OBJEXT) +am__pacman_SOURCES_DIST = pacman.c +@USE_WINDOWS_FALSE@am_pacman_OBJECTS = pacman.$(OBJEXT) pacman_OBJECTS = $(am_pacman_OBJECTS) -pacman_DEPENDENCIES = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la +@USE_WINDOWS_FALSE@pacman_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false 
@@ -181,7 +181,7 @@ am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) am__v_CCLD_0 = @echo " CCLD " $@; am__v_CCLD_1 = SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES) -DIST_SOURCES = $(imv_os_la_SOURCES) $(pacman_SOURCES) +DIST_SOURCES = $(imv_os_la_SOURCES) $(am__pacman_SOURCES_DIST) am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -269,6 +269,7 @@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ @@ -287,6 +288,7 @@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ @@ -314,6 +316,7 @@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -405,6 +408,7 @@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ @@ -421,7 +425,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libimcv AM_CFLAGS = \ - -rdynamic + $(PLUGIN_CFLAGS) imcv_LTLIBRARIES = imv-os.la imv_os_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \ @@ -433,9 +437,9 @@ imv_os_la_SOURCES = \ imv_os_database.c imv_os_database.h imv_os_la_LDFLAGS = -module -avoid-version -no-undefined -pacman_SOURCES = pacman.c -pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -EXTRA_DIST = pacman.sh +@USE_WINDOWS_FALSE@pacman_SOURCES = pacman.c +@USE_WINDOWS_FALSE@pacman_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +@USE_WINDOWS_FALSE@EXTRA_DIST = pacman.sh all: all-am .SUFFIXES: 
@@ -812,7 +816,7 @@ uninstall-am: uninstall-imcvLTLIBRARIES uninstall-ipsecPROGRAMS tags tags-am uninstall uninstall-am uninstall-imcvLTLIBRARIES \ uninstall-ipsecPROGRAMS -pacman.o : $(top_builddir)/config.status +@USE_WINDOWS_FALSE@pacman.o : $(top_builddir)/config.status # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/libimcv/plugins/imv_os/imv_os_agent.c b/src/libimcv/plugins/imv_os/imv_os_agent.c index 84a24b48f..ca8bac6ca 100644 --- a/src/libimcv/plugins/imv_os/imv_os_agent.c +++ b/src/libimcv/plugins/imv_os/imv_os_agent.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -118,23 +118,30 @@ METHOD(imv_agent_if_t, notify_connection_change, TNC_Result, case TNC_CONNECTION_STATE_ACCESS_ALLOWED: case TNC_CONNECTION_STATE_ACCESS_ISOLATED: case TNC_CONNECTION_STATE_ACCESS_NONE: - if (imcv_db && this->agent->get_state(this->agent, id, &state)) + if (this->agent->get_state(this->agent, id, &state) && imcv_db) { - switch (new_state) + session = state->get_session(state); + + if (session->get_policy_started(session)) { - case TNC_CONNECTION_STATE_ACCESS_ALLOWED: - rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW; - break; - case TNC_CONNECTION_STATE_ACCESS_ISOLATED: - rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE; - break; - case TNC_CONNECTION_STATE_ACCESS_NONE: - default: - rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS; + switch (new_state) + { + case TNC_CONNECTION_STATE_ACCESS_ALLOWED: + rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW; + break; + case TNC_CONNECTION_STATE_ACCESS_ISOLATED: + rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE; + break; + case TNC_CONNECTION_STATE_ACCESS_NONE: + default: + rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS; + } + imcv_db->add_recommendation(imcv_db, session, rec); + if (!imcv_db->policy_script(imcv_db, session, FALSE)) + { + DBG1(DBG_IMV, "error in policy script stop"); + } } - session = state->get_session(state); - imcv_db->add_recommendation(imcv_db, session, rec); - imcv_db->policy_script(imcv_db, session, FALSE); } /* fall through to default state */ default: @@ -150,6 +157,8 @@ static TNC_Result receive_msg(private_imv_os_agent_t *this, imv_state_t *state, { imv_msg_t *out_msg; imv_os_state_t *os_state; + imv_session_t *session; + imv_os_info_t *os_info = NULL; enumerator_t *enumerator; pa_tnc_attr_t *attr; pen_type_t type; 
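Review bot: `session = state->get_session(state)` in notify_connection_change is dereferenced in `session->get_policy_started(session)` without a NULL check, while the batch_ending code this same commit touches used to guard its session uses with `&& session`; if get_session() can still return NULL before a session is registered, a connection-state change would dereference NULL here. A guard in the same spirit, `if (session && session->get_policy_started(session))`, preserves what the removed checks protected, or a comment at the assignment should state that a session always exists once imcv_db is set. A failed policy-script stop is only logged after the recommendation has already been stored, which is acceptable on this teardown path, but the `error in policy script stop` message would be easier to correlate if it included the connection id `id`. The enclosing switch and method continue outside the hunk.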
@@ -159,6 +168,8 @@ static TNC_Result receive_msg(private_imv_os_agent_t *this, imv_state_t *state, bool fatal_error = FALSE, assessment = FALSE; os_state = (imv_os_state_t*)state; + session = state->get_session(state); + os_info = session->get_os_info(session); /* parse received PA-TNC message and handle local and remote errors */ result = in_msg->receive(in_msg, &fatal_error); @@ -188,6 +199,8 @@ static TNC_Result receive_msg(private_imv_os_agent_t *this, imv_state_t *state, IMV_OS_ATTR_PRODUCT_INFORMATION); attr_cast = (ietf_attr_product_info_t*)attr; os_name = attr_cast->get_info(attr_cast, &vendor_id, NULL); + os_info->set_name(os_info, os_name); + if (vendor_id != PEN_IETF) { DBG1(DBG_IMV, "operating system name is '%.*s' " @@ -209,6 +222,8 @@ static TNC_Result receive_msg(private_imv_os_agent_t *this, imv_state_t *state, IMV_OS_ATTR_STRING_VERSION); attr_cast = (ietf_attr_string_version_t*)attr; os_version = attr_cast->get_version(attr_cast, NULL, NULL); + os_info->set_version(os_info, os_version); + if (os_version.len) { DBG1(DBG_IMV, "operating system version is '%.*s'", @@ -219,7 +234,7 @@ static TNC_Result receive_msg(private_imv_os_agent_t *this, imv_state_t *state, case IETF_ATTR_NUMERIC_VERSION: { ietf_attr_numeric_version_t *attr_cast; - u_int32_t major, minor; + uint32_t major, minor; state->set_action_flags(state, IMV_OS_ATTR_NUMERIC_VERSION); @@ -350,8 +365,8 @@ static TNC_Result receive_msg(private_imv_os_agent_t *this, imv_state_t *state, state->set_action_flags(state, IMV_OS_ATTR_DEVICE_ID); value = attr->get_value(attr); - os_state->set_device_id(os_state, value); DBG1(DBG_IMV, "device ID is %.*s", value.len, value.ptr); + session->set_device_id(session, value); break; } case ITA_ATTR_START_ANGEL: 
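Review bot: `os_info->set_name(os_info, os_name)` and `os_info->set_version(os_info, os_version)` now store each value as soon as its attribute is parsed, whereas the block deleted in the following hunk recorded OS name and version together only once both had arrived in the same message; a message carrying only one of them, or the same attribute twice, now updates the session's os_info partially, so the check in batch_ending that requires both `IMV_OS_ATTR_PRODUCT_INFORMATION` and `IMV_OS_ATTR_STRING_VERSION` is what keeps the old invariant — worth a comment at the set_name call, e.g. `/* partial updates are harmless: the policy start in batch_ending requires both attributes */`. `session` and `os_info` are used without NULL checks, consistent with the assumption made elsewhere in this commit; if that assumption is new, a comment at `session = state->get_session(state);` should say so. The `= NULL` initializer on `os_info` in the preceding hunk is dead once it is assigned unconditionally here. receive_msg starts and ends outside these hunks.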
@@ -367,25 +382,6 @@ static TNC_Result receive_msg(private_imv_os_agent_t *this, imv_state_t *state, } enumerator->destroy(enumerator); - /** - * The IETF Product Information and String Version attributes - * are supposed to arrive in the same PA-TNC message - */ - if (os_name.len && os_version.len) - { - os_type_t os_type; - - /* set the OS type, name and version */ - os_type = os_type_from_name(os_name); - os_state->set_info(os_state,os_type, os_name, os_version); - - if (imcv_db) - { - imcv_db->add_product(imcv_db, state->get_session(state), - os_state->get_info(os_state, NULL, NULL, NULL)); - } - } - if (fatal_error) { state->set_recommendation(state, @@ -457,7 +453,7 @@ METHOD(imv_agent_if_t, receive_message_long, TNC_Result, /** * Build an IETF Attribute Request attribute for missing attributes */ -static pa_tnc_attr_t* build_attr_request(u_int32_t received) +static pa_tnc_attr_t* build_attr_request(uint32_t received) { pa_tnc_attr_t *attr; ietf_attr_attr_request_t *attr_cast; @@ -510,7 +506,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, TNC_Result result = TNC_RESULT_SUCCESS; bool no_workitems = TRUE; enumerator_t *enumerator; - u_int32_t received; + uint32_t received; if (!this->agent->get_state(this->agent, id, &state)) { 
@@ -542,56 +538,70 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, if (handshake_state < IMV_OS_STATE_POLICY_START) { - if (((received & IMV_OS_ATTR_PRODUCT_INFORMATION) && - (received & IMV_OS_ATTR_STRING_VERSION)) && - ((received & IMV_OS_ATTR_DEVICE_ID) || - (handshake_state == IMV_OS_STATE_ATTR_REQ))) + if (session->get_policy_started(session)) { - if (imcv_db) + /* the policy script has already been started by another IMV */ + handshake_state = IMV_OS_STATE_POLICY_START; + } + else + { + if (((received & IMV_OS_ATTR_PRODUCT_INFORMATION) && + (received & IMV_OS_ATTR_STRING_VERSION)) && + ((received & IMV_OS_ATTR_DEVICE_ID) || + (handshake_state == IMV_OS_STATE_ATTR_REQ))) { - imcv_db->add_device(imcv_db, session, - os_state->get_device_id(os_state)); - - /* trigger the policy manager */ - imcv_db->policy_script(imcv_db, session, TRUE); + if (!session->get_device_id(session, NULL)) + { + session->set_device_id(session, chunk_empty); + } + if (imcv_db) + { + /* start the policy script */ + if (!imcv_db->policy_script(imcv_db, session, TRUE)) + { + DBG1(DBG_IMV, "error in policy script start"); + } + } + else + { + DBG2(DBG_IMV, "no workitems available - " + "no evaluation possible"); + state->set_recommendation(state, + TNC_IMV_ACTION_RECOMMENDATION_ALLOW, + TNC_IMV_EVALUATION_RESULT_DONT_KNOW); + session->set_policy_started(session, TRUE); + } + handshake_state = IMV_OS_STATE_POLICY_START; } - else + else if (handshake_state == IMV_OS_STATE_ATTR_REQ) { - DBG2(DBG_IMV, "no workitems available - no evaluation possible"); + /** + * both the IETF Product Information and IETF String Version + * attribute should have been present + */ state->set_recommendation(state, - TNC_IMV_ACTION_RECOMMENDATION_ALLOW, - TNC_IMV_EVALUATION_RESULT_DONT_KNOW); - } - handshake_state = IMV_OS_STATE_POLICY_START; - } - else if (handshake_state == IMV_OS_STATE_ATTR_REQ) - { - /** - * both the IETF Product Information and IETF String Version - * attribute should have been present - */ 
- state->set_recommendation(state, TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, TNC_IMV_EVALUATION_RESULT_ERROR); - /* send assessment */ - result = out_msg->send_assessment(out_msg); - out_msg->destroy(out_msg); + /* send assessment */ + result = out_msg->send_assessment(out_msg); + out_msg->destroy(out_msg); - if (result != TNC_RESULT_SUCCESS) + if (result != TNC_RESULT_SUCCESS) + { + return result; + } + return this->agent->provide_recommendation(this->agent, state); + } + else { - return result; - } - return this->agent->provide_recommendation(this->agent, state); - } - else - { - handshake_state = IMV_OS_STATE_ATTR_REQ; + handshake_state = IMV_OS_STATE_ATTR_REQ; + } } os_state->set_handshake_state(os_state, handshake_state); } - if (handshake_state == IMV_OS_STATE_POLICY_START && session) + if (handshake_state == IMV_OS_STATE_POLICY_START) { enumerator = session->create_workitem_enumerator(session); if (enumerator) @@ -638,7 +648,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, } } - if (handshake_state == IMV_OS_STATE_WORKITEMS && session) + if (handshake_state == IMV_OS_STATE_WORKITEMS) { TNC_IMV_Evaluation_Result eval; TNC_IMV_Action_Recommendation rec; @@ -661,7 +671,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, int count, count_update, count_blacklist, count_ok; if (!(received & IMV_OS_ATTR_INSTALLED_PACKAGES) || - os_state->get_angel_count(os_state)) + os_state->get_angel_count(os_state) > 0) { continue; } @@ -672,7 +682,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, TNC_IMV_EVALUATION_RESULT_COMPLIANT; snprintf(result_str, BUF_LEN, "processed %d packages: " "%d not updated, %d blacklisted, %d ok, " - "%d not found", + "%d unknown", count, count_update, count_blacklist, count_ok, count - count_update - count_blacklist - count_ok); break; diff --git a/src/libimcv/plugins/imv_os/imv_os_database.c b/src/libimcv/plugins/imv_os/imv_os_database.c index 12cf207d8..31b889b74 100644 --- a/src/libimcv/plugins/imv_os/imv_os_database.c 
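Review bot: When `imcv_db->policy_script(imcv_db, session, TRUE)` fails in batch_ending, the new code only logs `error in policy script start` and still advances `handshake_state` to IMV_OS_STATE_POLICY_START, so the connection proceeds to the workitem enumeration below as if the policy had run; unless the no-workitem path further down (not visible in the hunk) yields a non-allow result, a failed policy start is silently fail-open. The ATTR_REQ branch in the same hunk already shows the fail-closed shape — `state->set_recommendation(state, TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, TNC_IMV_EVALUATION_RESULT_ERROR);` followed by send_assessment — and the failure branch should probably mirror it rather than fall through. The `else` branch without a database records ALLOW/DONT_KNOW and calls set_policy_started; a one-line comment such as `/* no database: nothing to evaluate, let the other IMVs skip the policy start too */` would explain that. The `&& session` guards dropped in the two later hunks assume get_session() never returns NULL, which is consistent with the rest of the commit but not verifiable here. batch_ending continues outside the hunk.
```c
/* start the policy script */
if (!imcv_db->policy_script(imcv_db, session, TRUE))
{
	DBG1(DBG_IMV, "error in policy script start");
	/* fail closed, mirroring the ATTR_REQ branch below */
	state->set_recommendation(state,
					TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
					TNC_IMV_EVALUATION_RESULT_ERROR);
	result = out_msg->send_assessment(out_msg);
	out_msg->destroy(out_msg);
	if (result != TNC_RESULT_SUCCESS)
	{
		return result;
	}
	return this->agent->provide_recommendation(this->agent, state);
}
/* … unchanged: no-database branch, handshake_state update … */
```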
+++ b/src/libimcv/plugins/imv_os/imv_os_database.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Andreas Steffen + * Copyright (C) 2012-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -41,41 +41,49 @@ struct private_imv_os_database_t { }; METHOD(imv_os_database_t, check_packages, status_t, - private_imv_os_database_t *this, imv_os_state_t *state, + private_imv_os_database_t *this, imv_os_state_t *os_state, enumerator_t *package_enumerator) { + imv_state_t *state; + imv_session_t *session; + imv_os_info_t *os_info; + os_type_t os_type; char *product, *package, *release, *cur_release; chunk_t name, version; - os_type_t os_type; int pid, gid, security, blacklist; int count = 0, count_ok = 0, count_no_match = 0, count_blacklist = 0; enumerator_t *e; status_t status = SUCCESS; bool found, match; - product = state->get_info(state, &os_type, NULL, NULL); + state = &os_state->interface; + session = state->get_session(state); + session->get_session_id(session, &pid, NULL); + os_info = session->get_os_info(session); + os_type = os_info->get_type(os_info); + product = os_info->get_info(os_info); if (os_type == OS_TYPE_ANDROID) { /*no package dependency on Android version */ product = enum_to_name(os_type_names, os_type); - } - DBG1(DBG_IMV, "processing installed '%s' packages", product); - /* Get primary key of product */ - e = this->db->query(this->db, - "SELECT id FROM products WHERE name = ?", - DB_TEXT, product, DB_INT); - if (!e) - { - return FAILED; - } - if (!e->enumerate(e, &pid)) - { + /* Get primary key of product */ + e = this->db->query(this->db, + "SELECT id FROM products WHERE name = ?", + DB_TEXT, product, DB_INT); + if (!e) + { + return FAILED; + } + if (!e->enumerate(e, &pid)) + { + e->destroy(e); + return NOT_FOUND; + } e->destroy(e); - return NOT_FOUND; } - e->destroy(e); + DBG1(DBG_IMV, "processing installed '%s' packages", product); while (package_enumerator->enumerate(package_enumerator, &name, &version)) { 
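Review bot: The return value of `session->get_session_id(session, &pid, NULL)` in check_packages is ignored and `pid` is declared without an initializer, so for any non-Android product the id used by the later package queries (outside the hunk) is whatever that call left there; if get_session_id can fail before the session is persisted, `pid` is read uninitialized. Checking it in the same style as the Android lookup, `if (!session->get_session_id(session, &pid, NULL)) { return NOT_FOUND; }` (assuming it returns a bool), keeps the function's existing status contract. `product = os_info->get_info(os_info)` goes straight into the `'%s'` DBG1, and for non-Android types nothing guards against a NULL product when no Product Information attribute was recorded — either a comment stating that the caller guarantees both OS attributes were received, or an early `if (!product) { return NOT_FOUND; }`. The Android lookup uses a parameterized `?` query, which is the right shape for the peer-supplied product string. check_packages continues past the hunk.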
@@ -143,8 +151,8 @@ METHOD(imv_os_database_t, check_packages, status_t, DBG2(DBG_IMV, "package '%s' (%s) is blacklisted", package, release); count_blacklist++; - state->add_bad_package(state, package, - OS_PACKAGE_STATE_BLACKLIST); + os_state->add_bad_package(os_state, package, + OS_PACKAGE_STATE_BLACKLIST); } else { @@ -157,8 +165,8 @@ METHOD(imv_os_database_t, check_packages, status_t, { DBG1(DBG_IMV, "package '%s' (%s) no match", package, release); count_no_match++; - state->add_bad_package(state, package, - OS_PACKAGE_STATE_SECURITY); + os_state->add_bad_package(os_state, package, + OS_PACKAGE_STATE_SECURITY); } } else @@ -168,22 +176,12 @@ METHOD(imv_os_database_t, check_packages, status_t, free(package); free(release); } - state->set_count(state, count, count_no_match, count_blacklist, count_ok); + os_state->set_count(os_state, count, count_no_match, + count_blacklist, count_ok); return status; } -METHOD(imv_os_database_t, set_device_info, void, - private_imv_os_database_t *this, int session_id, int count, - int count_update, int count_blacklist, u_int flags) -{ - this->db->execute(this->db, NULL, - "INSERT INTO device_infos (session, count, count_update, " - "count_blacklist, flags) VALUES (?, ?, ?, ?, ?)", - DB_INT, session_id, DB_INT, count, DB_INT, count_update, - DB_INT, count_blacklist, DB_UINT, flags); -} - METHOD(imv_os_database_t, destroy, void, private_imv_os_database_t *this) { @@ -205,7 +203,6 @@ imv_os_database_t *imv_os_database_create(imv_database_t *imv_db) INIT(this, .public = { .check_packages = _check_packages, - .set_device_info = _set_device_info, .destroy = _destroy, }, .db = imv_db->get_database(imv_db), diff --git a/src/libimcv/plugins/imv_os/imv_os_database.h b/src/libimcv/plugins/imv_os/imv_os_database.h index 7b9ef3c33..9bf54fe06 100644 --- a/src/libimcv/plugins/imv_os/imv_os_database.h +++ b/src/libimcv/plugins/imv_os/imv_os_database.h 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Andreas Steffen + * Copyright (C) 2012-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -43,18 +43,6 @@ struct imv_os_database_t { enumerator_t *package_enumerator); /** - * Set health infos for a given device - * - * @param sesson_id Session ID - * @param count Number of installed packages - * @param count_update Number of packages to be updated - * @param count_blacklist Number of blacklisted packages - * @param flags Various flags, e.g. illegal OS settings - */ - void (*set_device_info)(imv_os_database_t *this, int session_id, int count, - int count_update, int count_blacklist, u_int flags); - - /** * Destroys an imv_os_database_t object. */ void (*destroy)(imv_os_database_t *this); diff --git a/src/libimcv/plugins/imv_os/imv_os_state.c b/src/libimcv/plugins/imv_os/imv_os_state.c index 4f5a4b039..dc8474ac9 100644 --- a/src/libimcv/plugins/imv_os/imv_os_state.c +++ b/src/libimcv/plugins/imv_os/imv_os_state.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2013 Andreas Steffen + * Copyright (C) 2012-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -18,6 +18,7 @@ #include "imv/imv_lang_string.h" #include "imv/imv_reason_string.h" #include "imv/imv_remediation_string.h" +#include "imv/imv_os_info.h" #include <tncif_policy.h> @@ -62,22 +63,12 @@ struct private_imv_os_state_t { /** * Maximum PA-TNC message size for this TNCCS connection */ - u_int32_t max_msg_len; + uint32_t max_msg_len; /** * Flags set for completed actions */ - u_int32_t action_flags; - - /** - * Access Requestor ID Type - */ - u_int32_t ar_id_type; - - /** - * Access Requestor ID Value - */ - chunk_t ar_id_value; + uint32_t action_flags; /** * IMV database session associated with TNCCS connection 
@@ -100,32 +91,12 @@ struct private_imv_os_state_t { imv_os_handshake_state_t handshake_state; /** - * OS Product Information (concatenation of OS Name and Version) - */ - char *info; - - /** - * OS Type - */ - os_type_t type; - - /** - * OS Name - */ - chunk_t name; - - /** - * OS Version - */ - chunk_t version; - - /** * List of blacklisted packages to be removed */ linked_list_t *remove_packages; /** - * List of vulnerable packages to be updated + h* List of vulnerable packages to be updated */ linked_list_t *update_packages; @@ -140,11 +111,6 @@ struct private_imv_os_state_t { imv_remediation_string_t *remediation_string; /** - * Dgevice ID - */ - chunk_t device_id; - - /** * Number of processed packages */ int count; @@ -326,46 +292,29 @@ METHOD(imv_state_t, set_flags, void, } METHOD(imv_state_t, set_max_msg_len, void, - private_imv_os_state_t *this, u_int32_t max_msg_len) + private_imv_os_state_t *this, uint32_t max_msg_len) { this->max_msg_len = max_msg_len; } -METHOD(imv_state_t, get_max_msg_len, u_int32_t, +METHOD(imv_state_t, get_max_msg_len, uint32_t, private_imv_os_state_t *this) { return this->max_msg_len; } METHOD(imv_state_t, set_action_flags, void, - private_imv_os_state_t *this, u_int32_t flags) + private_imv_os_state_t *this, uint32_t flags) { this->action_flags |= flags; } -METHOD(imv_state_t, get_action_flags, u_int32_t, +METHOD(imv_state_t, get_action_flags, uint32_t, private_imv_os_state_t *this) { return this->action_flags; } -METHOD(imv_state_t, set_ar_id, void, - private_imv_os_state_t *this, u_int32_t id_type, chunk_t id_value) -{ - this->ar_id_type = id_type; - this->ar_id_value = chunk_clone(id_value); -} - -METHOD(imv_state_t, get_ar_id, chunk_t, - private_imv_os_state_t *this, u_int32_t *id_type) -{ - if (id_type) - { - *id_type = this->ar_id_type; - } - return this->ar_id_value; -} - METHOD(imv_state_t, set_session, void, private_imv_os_state_t *this, imv_session_t *session) { 
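Review bot: The first hunk introduces a typo into the field comment of `update_packages`: the new line reads `h* List of vulnerable packages to be updated` where the old one read `* List of vulnerable packages to be updated`, which breaks the Doxygen comment's leading-asterisk layout. Restore it to ` * List of vulnerable packages to be updated`. The removal of the `info`/`type`/`name`/`version`, `ar_id_*` and `device_id` fields and their accessors matches the free() removals in destroy later in this file; nothing else to raise on the uint32_t renames.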
@@ -440,6 +389,9 @@ METHOD(imv_state_t, get_remediation_instructions, bool, private_imv_os_state_t *this, enumerator_t *language_enumerator, chunk_t *string, char **lang_code, char **uri) { + imv_os_info_t *os_info; + bool as_xml = FALSE; + if (!this->count_update && !this->count_blacklist & !this->os_settings) { return FALSE; @@ -449,8 +401,12 @@ METHOD(imv_state_t, get_remediation_instructions, bool, /* Instantiate an IETF Remediation Instructions String object */ DESTROY_IF(this->remediation_string); - this->remediation_string = imv_remediation_string_create( - this->type == OS_TYPE_ANDROID, *lang_code); + if (this->session) + { + os_info = this->session->get_os_info(this->session); + as_xml = os_info->get_type(os_info) == OS_TYPE_ANDROID; + } + this->remediation_string = imv_remediation_string_create(as_xml, *lang_code); /* List of blacklisted packages to be removed, if any */ if (this->count_blacklist) @@ -507,11 +463,6 @@ METHOD(imv_state_t, destroy, void, DESTROY_IF(this->remediation_string); this->update_packages->destroy_function(this->update_packages, free); this->remove_packages->destroy_function(this->remove_packages, free); - free(this->info); - free(this->name.ptr); - free(this->version.ptr); - free(this->ar_id_value.ptr); - free(this->device_id.ptr); free(this); } 
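Review bot: `os_info` in get_remediation_instructions is declared at function scope but only used inside `if (this->session)`, and `this->session->get_os_info(this->session)` is dereferenced without a NULL check; declaring it in the block, `imv_os_info_t *os_info = this->session->get_os_info(this->session);`, keeps its scope tight, and a comment on the `as_xml = FALSE` default such as `/* no session: fall back to plain-text remediation instructions */` would record why XML is only selected for Android. The context condition `!this->count_update && !this->count_blacklist & !this->os_settings` mixes `&` with `&&`; it is pre-existing and evaluates the same on 0/1 operands, but it is worth changing to `&&` while the function is being touched. The enclosing method continues outside the hunk.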
@@ -527,39 +478,6 @@ METHOD(imv_os_state_t, get_handshake_state, imv_os_handshake_state_t, return this->handshake_state; } -METHOD(imv_os_state_t, set_info, void, - private_imv_os_state_t *this, os_type_t type, chunk_t name, chunk_t version) -{ - int len = name.len + 1 + version.len + 1; - - /* OS info is a concatenation of OS name and OS version */ - free(this->info); - this->info = malloc(len); - snprintf(this->info, len, "%.*s %.*s", (int)name.len, name.ptr, - (int)version.len, version.ptr); - this->type = type; - this->name = chunk_clone(name); - this->version = chunk_clone(version); -} - -METHOD(imv_os_state_t, get_info, char*, - private_imv_os_state_t *this, os_type_t *type, chunk_t *name, - chunk_t *version) -{ - if (type) - { - *type = this->type; - } - if (name) - { - *name = this->name; - } - if (version) - { - *version = this->version; - } - return this->info; -} METHOD(imv_os_state_t, set_count, void, private_imv_os_state_t *this, int count, int count_update, @@ -593,18 +511,6 @@ METHOD(imv_os_state_t, get_count, void, } } -METHOD(imv_os_state_t, set_device_id, void, - private_imv_os_state_t *this, chunk_t id) -{ - this->device_id = chunk_clone(id); -} - -METHOD(imv_os_state_t, get_device_id, chunk_t, - private_imv_os_state_t *this) -{ - return this->device_id; -} - METHOD(imv_os_state_t, set_os_settings, void, private_imv_os_state_t *this, u_int settings) { @@ -663,8 +569,6 @@ imv_state_t *imv_os_state_create(TNC_ConnectionID connection_id) .get_max_msg_len = _get_max_msg_len, .set_action_flags = _set_action_flags, .get_action_flags = _get_action_flags, - .set_ar_id = _set_ar_id, - .get_ar_id = _get_ar_id, .set_session = _set_session, .get_session = _get_session, .change_state = _change_state, 
@@ -677,12 +581,8 @@ imv_state_t *imv_os_state_create(TNC_ConnectionID connection_id) }, .set_handshake_state = _set_handshake_state, .get_handshake_state = _get_handshake_state, - .set_info = _set_info, - .get_info = _get_info, .set_count = _set_count, .get_count = _get_count, - .set_device_id = _set_device_id, - .get_device_id = _get_device_id, .set_os_settings = _set_os_settings, .get_os_settings = _get_os_settings, .set_angel_count = _set_angel_count, diff --git a/src/libimcv/plugins/imv_os/imv_os_state.h b/src/libimcv/plugins/imv_os/imv_os_state.h index 97f695319..82ebb6cc9 100644 --- a/src/libimcv/plugins/imv_os/imv_os_state.h +++ b/src/libimcv/plugins/imv_os/imv_os_state.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Andreas Steffen + * Copyright (C) 2012-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -78,27 +78,6 @@ struct imv_os_state_t { imv_os_handshake_state_t (*get_handshake_state)(imv_os_state_t *this); /** - * Set OS Product Information - * - * @param type OS type (enumerated) - * @param name OS name (string) - * @param version OS version - */ - void (*set_info)(imv_os_state_t *this, os_type_t os_type, - chunk_t name, chunk_t version); - - /** - * Get OS Product Information - * - * @param type OS type (enumerated) - * @param name OS name (string) - * @param version OS version - * @return OS name & version as a concatenated string - */ - char* (*get_info)(imv_os_state_t *this, os_type_t *os_type, - chunk_t *name, chunk_t *version); - - /** * Set [or with multiple attributes increment] package counters * * @param count Number of processed packages 
@@ -121,20 +100,6 @@ struct imv_os_state_t { int *count_blacklist, int *count_ok); /** - * Set device ID - * - * @param device_id Device ID - */ - void (*set_device_id)(imv_os_state_t *this, chunk_t id); - - /** - * Get device ID - * - * @return Device ID - */ - chunk_t (*get_device_id)(imv_os_state_t *this); - - /** * Set OS settings * * @param settings OS settings diff --git a/src/libimcv/plugins/imv_os/pacman.sh b/src/libimcv/plugins/imv_os/pacman.sh index 3dfea3905..fcf35b644 100755 --- a/src/libimcv/plugins/imv_os/pacman.sh +++ b/src/libimcv/plugins/imv_os/pacman.sh @@ -3,7 +3,7 @@ DIR="/etc/pts" DATE=`date +%Y%m%d-%H%M` UBUNTU="http://security.ubuntu.com/ubuntu/dists" -UBUNTU_VERSIONS="saucy raring quantal precise lucid" +UBUNTU_VERSIONS="trusty saucy raring quantal precise lucid" UBUNTU_DIRS="main multiverse restricted universe" UBUNTU_ARCH="binary-amd64 binary-i386" DEBIAN="http://security.debian.org/dists" @@ -44,6 +44,27 @@ do done done +for f in trusty-security/binary-amd64/* +do + $PACMAN --product "Ubuntu 14.04 x86_64" --file $f --security >> $PACMAN_LOG +done +echo +for f in trusty-updates/binary-amd64/* +do + $PACMAN --product "Ubuntu 14.04 x86_64" --file $f >> $PACMAN_LOG +done +echo +for f in trusty-security/binary-i386/* +do + $PACMAN --product "Ubuntu 14.04 i686" --file $f --security >> $PACMAN_LOG +done +echo +for f in trusty-updates/binary-i386/* +do + $PACMAN --product "Ubuntu 14.04 i686" --file $f >> $PACMAN_LOG +done +echo + for f in saucy-security/binary-amd64/* do $PACMAN --product "Ubuntu 13.10 x86_64" --file $f --security >> $PACMAN_LOG diff --git a/src/libimcv/plugins/imv_scanner/Makefile.am b/src/libimcv/plugins/imv_scanner/Makefile.am index 2bb0d675e..98814437e 100644 --- a/src/libimcv/plugins/imv_scanner/Makefile.am +++ b/src/libimcv/plugins/imv_scanner/Makefile.am @@ -4,7 +4,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libimcv AM_CFLAGS = \ - -rdynamic + $(PLUGIN_CFLAGS) imcv_LTLIBRARIES = imv-scanner.la 
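Review bot: The four new trusty loops in pacman.sh repeat the existing per-release block verbatim, so every new Ubuntu release adds twenty lines that differ only in codename and product string; a small shell function taking the codename and product name would turn the addition into one call and make the `--security` flag (applied to `-security` lists but not to `-updates`) impossible to get wrong by copy-paste. The loop variable is expanded unquoted as `--file $f`, matching the existing loops; the globbed paths come from the mirror directory the script itself populates, so this is a consistency nit rather than a defect. The rest of the script is outside the hunk.
```shell
# import <codename> <product>: feed one release's security and update lists to pacman
import()
{
	for arch in amd64:x86_64 i386:i686
	do
		dir="binary-${arch%%:*}"
		product="$2 ${arch##*:}"
		for f in "$1"-security/"$dir"/*
		do
			$PACMAN --product "$product" --file "$f" --security >> $PACMAN_LOG
		done
		echo
		for f in "$1"-updates/"$dir"/*
		do
			$PACMAN --product "$product" --file "$f" >> $PACMAN_LOG
		done
		echo
	done
}

import trusty "Ubuntu 14.04"
# … unchanged: existing per-release loops for saucy and older …
```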
diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in index 525f445ef..18446e73a 100644 --- a/src/libimcv/plugins/imv_scanner/Makefile.in +++ b/src/libimcv/plugins/imv_scanner/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.13.3 from Makefile.am. +# Makefile.in generated by automake 1.14.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994-2013 Free Software Foundation, Inc. @@ -263,6 +263,7 @@ NM = @NM@ NMEDIT = @NMEDIT@ OBJDUMP = @OBJDUMP@ OBJEXT = @OBJEXT@ +OPENSSL_LIB = @OPENSSL_LIB@ OTOOL = @OTOOL@ OTOOL64 = @OTOOL64@ PACKAGE = @PACKAGE@ @@ -281,6 +282,7 @@ PERL = @PERL@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ @@ -308,6 +310,7 @@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +aikgen_plugins = @aikgen_plugins@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ @@ -399,6 +402,7 @@ srcdir = @srcdir@ starter_plugins = @starter_plugins@ strongswan_conf = @strongswan_conf@ strongswan_options = @strongswan_options@ +swanctldir = @swanctldir@ sysconfdir = @sysconfdir@ systemdsystemunitdir = @systemdsystemunitdir@ t_plugins = @t_plugins@ @@ -415,7 +419,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/src/libimcv AM_CFLAGS = \ - -rdynamic + $(PLUGIN_CFLAGS) imcv_LTLIBRARIES = imv-scanner.la imv_scanner_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \ diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c b/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c index d1e093137..85ef23b80 100644 --- a/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c +++ b/src/libimcv/plugins/imv_scanner/imv_scanner_agent.c 
@@ -259,7 +259,7 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 	out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
 							 msg_types[0]);
 
-	if (!session)
+	if (!imcv_db)
 	{
 		DBG2(DBG_IMV, "no workitems available - no evaluation possible");
 		state->set_recommendation(state,
@@ -276,7 +276,8 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 		return this->agent->provide_recommendation(this->agent, state);
 	}
 
-	if (handshake_state == IMV_SCANNER_STATE_INIT)
+	if (handshake_state == IMV_SCANNER_STATE_INIT &&
+		session->get_policy_started(session))
 	{
 		enumerator = session->create_workitem_enumerator(session);
 		if (enumerator)
diff --git a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
index 90475d34d..24a49a76c 100644
--- a/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
+++ b/src/libimcv/plugins/imv_scanner/imv_scanner_state.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011-2013 Andreas Steffen
+ * Copyright (C) 2011-2014 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -58,22 +58,12 @@ struct private_imv_scanner_state_t {
 	/**
 	 * Maximum PA-TNC message size for this TNCCS connection
 	 */
-	u_int32_t max_msg_len;
+	uint32_t max_msg_len;
 
 	/**
 	 * Flags set for completed actions
 	 */
-	u_int32_t action_flags;
-
-	/**
-	 * Access Requestor ID Type
-	 */
-	u_int32_t ar_id_type;
-
-	/**
-	 * Access Requestor ID Value
-	 */
-	chunk_t ar_id_value;
+	uint32_t action_flags;
 
 	/**
 	 * IMV database session associatied with TNCCS connection
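Review bot: The early-return guard no longer protects `session`: the first hunk turns `if (!session)` into `if (!imcv_db)`, while the second hunk then calls `session->get_policy_started(session)` without any check. If the session can still be unset on a state while a database is configured (for instance before a session has been attached to the connection), that call dereferences a NULL pointer; keeping both conditions, `if (!imcv_db || !session)`, or guarding the new test with `session && session->get_policy_started(session)` would close that gap. How `session` is obtained is not visible here, so this is inferred from the hunk lines alone; batch_ending starts and ends outside both hunks.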
@@ -186,46 +176,29 @@ METHOD(imv_state_t, set_flags, void,
 }
 
 METHOD(imv_state_t, set_max_msg_len, void,
-	private_imv_scanner_state_t *this, u_int32_t max_msg_len)
+	private_imv_scanner_state_t *this, uint32_t max_msg_len)
 {
 	this->max_msg_len = max_msg_len;
 }
 
-METHOD(imv_state_t, get_max_msg_len, u_int32_t,
+METHOD(imv_state_t, get_max_msg_len, uint32_t,
 	private_imv_scanner_state_t *this)
 {
 	return this->max_msg_len;
 }
 
 METHOD(imv_state_t, set_action_flags, void,
-	private_imv_scanner_state_t *this, u_int32_t flags)
+	private_imv_scanner_state_t *this, uint32_t flags)
 {
 	this->action_flags |= flags;
 }
 
-METHOD(imv_state_t, get_action_flags, u_int32_t,
+METHOD(imv_state_t, get_action_flags, uint32_t,
 	private_imv_scanner_state_t *this)
 {
 	return this->action_flags;
 }
 
-METHOD(imv_state_t, set_ar_id, void,
-	private_imv_scanner_state_t *this, u_int32_t id_type, chunk_t id_value)
-{
-	this->ar_id_type = id_type;
-	this->ar_id_value = chunk_clone(id_value);
-}
-
-METHOD(imv_state_t, get_ar_id, chunk_t,
-	private_imv_scanner_state_t *this, u_int32_t *id_type)
-{
-	if (id_type)
-	{
-		*id_type = this->ar_id_type;
-	}
-	return this->ar_id_value;
-}
-
 METHOD(imv_state_t, set_session, void,
 	private_imv_scanner_state_t *this, imv_session_t *session)
 {
@@ -327,7 +300,6 @@ METHOD(imv_state_t, destroy, void,
 	DESTROY_IF(this->remediation_string);
 	DESTROY_IF(&this->port_filter_attr->pa_tnc_attribute);
 	this->violating_ports->destroy_function(this->violating_ports, free);
-	free(this->ar_id_value.ptr);
 	free(this);
 }
 
@@ -380,8 +352,6 @@ imv_state_t *imv_scanner_state_create(TNC_ConnectionID connection_id)
 		.get_max_msg_len = _get_max_msg_len,
 		.set_action_flags = _set_action_flags,
 		.get_action_flags = _get_action_flags,
-		.set_ar_id = _set_ar_id,
-		.get_ar_id = _get_ar_id,
 		.set_session = _set_session,
 		.get_session= _get_session,
 		.change_state = _change_state,
diff --git a/src/libimcv/plugins/imv_test/Makefile.am b/src/libimcv/plugins/imv_test/Makefile.am
index 5ed916163..4fe715fa8 100644
--- a/src/libimcv/plugins/imv_test/Makefile.am
+++ b/src/libimcv/plugins/imv_test/Makefile.am
@@ -4,7 +4,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libimcv
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 imcv_LTLIBRARIES = imv-test.la
 
diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in
index 3724cc582..5ac6a8f7b 100644
--- a/src/libimcv/plugins/imv_test/Makefile.in
+++ b/src/libimcv/plugins/imv_test/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.13.3 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
 # Copyright (C) 1994-2013 Free Software Foundation, Inc.
@@ -262,6 +262,7 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
+OPENSSL_LIB = @OPENSSL_LIB@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
 PACKAGE = @PACKAGE@
@@ -280,6 +281,7 @@ PERL = @PERL@
 PKG_CONFIG = @PKG_CONFIG@
 PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
 PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
+PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
 PTHREADLIB = @PTHREADLIB@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -307,6 +309,7 @@ abs_top_srcdir = @abs_top_srcdir@
 ac_ct_AR = @ac_ct_AR@
 ac_ct_CC = @ac_ct_CC@
 ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
+aikgen_plugins = @aikgen_plugins@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
@@ -398,6 +401,7 @@ srcdir = @srcdir@
 starter_plugins = @starter_plugins@
 strongswan_conf = @strongswan_conf@
 strongswan_options = @strongswan_options@
+swanctldir = @swanctldir@
 sysconfdir = @sysconfdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 t_plugins = @t_plugins@
@@ -414,7 +418,7 @@ AM_CPPFLAGS = \
 	-I$(top_srcdir)/src/libimcv
 
 AM_CFLAGS = \
-	-rdynamic
+	$(PLUGIN_CFLAGS)
 
 imcv_LTLIBRARIES = imv-test.la
 imv_test_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
diff --git a/src/libimcv/plugins/imv_test/imv_test_state.c b/src/libimcv/plugins/imv_test/imv_test_state.c
index f05db8027..3564456a8 100644
--- a/src/libimcv/plugins/imv_test/imv_test_state.c
+++ b/src/libimcv/plugins/imv_test/imv_test_state.c
@@ -58,17 +58,7 @@ struct private_imv_test_state_t {
 	/**
 	 * Maximum PA-TNC message size for this TNCCS connection
 	 */
-	u_int32_t max_msg_len;
-
-	/**
-	 * Access Requestor ID Type
-	 */
-	u_int32_t ar_id_type;
-
-	/**
-	 * Access Requestor ID Value
-	 */
-	chunk_t ar_id_value;
+	uint32_t max_msg_len;
 
 	/**
 	 * IMV database session associated with TNCCS connection
@@ -149,34 +139,17 @@ METHOD(imv_state_t, set_flags, void,
 }
 
 METHOD(imv_state_t, set_max_msg_len, void,
-	private_imv_test_state_t *this, u_int32_t max_msg_len)
+	private_imv_test_state_t *this, uint32_t max_msg_len)
 {
 	this->max_msg_len = max_msg_len;
 }
 
-METHOD(imv_state_t, get_max_msg_len, u_int32_t,
+METHOD(imv_state_t, get_max_msg_len, uint32_t,
 	private_imv_test_state_t *this)
 {
 	return this->max_msg_len;
 }
 
-METHOD(imv_state_t, set_ar_id, void,
-	private_imv_test_state_t *this, u_int32_t id_type, chunk_t id_value)
-{
-	this->ar_id_type = id_type;
-	this->ar_id_value = chunk_clone(id_value);
-}
-
-METHOD(imv_state_t, get_ar_id, chunk_t,
-	private_imv_test_state_t *this, u_int32_t *id_type)
-{
-	if (id_type)
-	{
-		*id_type = this->ar_id_type;
-	}
-	return this->ar_id_value;
-}
-
 METHOD(imv_state_t, set_session, void,
 	private_imv_test_state_t *this, imv_session_t *session)
 {
@@ -248,7 +221,6 @@ METHOD(imv_state_t, destroy, void,
 	DESTROY_IF(this->session);
 	DESTROY_IF(this->reason_string);
 	this->imcs->destroy_function(this->imcs, free);
-	free(this->ar_id_value.ptr);
 	free(this);
 }
 
@@ -333,8 +305,6 @@ imv_state_t *imv_test_state_create(TNC_ConnectionID connection_id)
 		.set_flags = _set_flags,
 		.set_max_msg_len = _set_max_msg_len,
 		.get_max_msg_len = _get_max_msg_len,
-		.set_ar_id = _set_ar_id,
-		.get_ar_id = _get_ar_id,
 		.set_session = _set_session,
 		.get_session = _get_session,
 		.change_state = _change_state,
|