make TNC client authentication type available to IMVs

src/libcharon/Makefile.am

@@ -60,7 +60,7 @@ processing/jobs/start_action_job.c processing/jobs/start_action_job.h \
 processing/jobs/roam_job.c processing/jobs/roam_job.h \
 processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \
 processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \
-sa/eap/eap_method.c sa/eap/eap_method.h \
+sa/eap/eap_method.c sa/eap/eap_method.h sa/eap/eap_inner_method.h \
 sa/eap/eap_manager.c sa/eap/eap_manager.h \
 sa/xauth/xauth_method.c sa/xauth/xauth_method.h \
 sa/xauth/xauth_manager.c sa/xauth/xauth_manager.h \

src/libcharon/plugins/eap_tnc/eap_tnc.c

@@ -21,6 +21,8 @@
 #include <utils/debug.h>
 #include <daemon.h>
 
+#include <tncifimv.h>
+
 /**
  * Maximum size of an EAP-TNC message
  */
@@ -43,16 +45,51 @@ struct private_eap_tnc_t {
 	 */
 	eap_tnc_t public;
 
+	/**
+	 * Outer EAP authentication type
+	 */
+	eap_type_t auth_type;
+
 	/**
 	 * TLS stack, wrapped by EAP helper
 	 */
 	tls_eap_t *tls_eap;
+
+	/**
+	 * TNCCS instance running over EAP-TNC
+	 */
+	tnccs_t *tnccs;
+
 };
 
 METHOD(eap_method_t, initiate, status_t,
 	private_eap_tnc_t *this, eap_payload_t **out)
 {
 	chunk_t data;
+	u_int32_t auth_type;
+
+	/* Determine TNC Client Authentication Type */
+	switch (this->auth_type)
+	{
+		case EAP_TLS:
+		case EAP_TTLS:
+		case EAP_PEAP:
+			auth_type = TNC_AUTH_CERT;
+			break;
+		case EAP_MD5:
+		case EAP_MSCHAPV2:
+		case EAP_GTC:
+		case EAP_OTP:
+			auth_type = TNC_AUTH_PASSWORD;
+			break;
+		case EAP_SIM:
+		case EAP_AKA:
+			auth_type = TNC_AUTH_SIM;
+			break;
+		default:
+			auth_type = TNC_AUTH_UNKNOWN;
+	}
+	this->tnccs->set_auth_type(this->tnccs, auth_type);
 
 	if (this->tls_eap->initiate(this->tls_eap, &data) == NEED_MORE)
 	{
@@ -122,6 +159,18 @@ METHOD(eap_method_t, destroy, void,
 	free(this);
 }
 
+METHOD(eap_inner_method_t, get_auth_type, eap_type_t,
+	private_eap_tnc_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(eap_inner_method_t, set_auth_type, void,
+	private_eap_tnc_t *this, eap_type_t type)
+{
+	this->auth_type = type;
+}
+
 /**
  * Generic private constructor
  */
@@ -132,19 +181,22 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 	int max_msg_count;
 	char* protocol;
 	tnccs_type_t type;
-	tnccs_t *tnccs;
 
 	INIT(this,
 		.public = {
-			.eap_method = {
-				.initiate = _initiate,
-				.process = _process,
-				.get_type = _get_type,
-				.is_mutual = _is_mutual,
-				.get_msk = _get_msk,
-				.get_identifier = _get_identifier,
-				.set_identifier = _set_identifier,
-				.destroy = _destroy,
+			.eap_inner_method = {
+				.eap_method = {
+					.initiate = _initiate,
+					.process = _process,
+					.get_type = _get_type,
+					.is_mutual = _is_mutual,
+					.get_msk = _get_msk,
+					.get_identifier = _get_identifier,
+					.set_identifier = _set_identifier,
+					.destroy = _destroy,
+				},
+				.get_auth_type = _get_auth_type,
+				.set_auth_type = _set_auth_type,
 			},
 		},
 	);
@@ -172,9 +224,9 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 		free(this);
 		return NULL;
 	}
-	tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server,
-										server, peer, TNC_IFT_EAP_1_1);
-	this->tls_eap = tls_eap_create(EAP_TNC, &tnccs->tls,
+	this->tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, is_server,
+											  server, peer, TNC_IFT_EAP_1_1);
+	this->tls_eap = tls_eap_create(EAP_TNC, &this->tnccs->tls,
 								   EAP_TNC_MAX_MESSAGE_LEN,
 								   max_msg_count, FALSE);
 	if (!this->tls_eap)

src/libcharon/plugins/eap_tnc/eap_tnc.h

@@ -23,7 +23,7 @@
 
 typedef struct eap_tnc_t eap_tnc_t;
 
-#include <sa/eap/eap_method.h>
+#include <sa/eap/eap_inner_method.h>
 
 /**
  * Implementation of the eap_method_t interface using EAP-TNC.
@@ -31,9 +31,9 @@ typedef struct eap_tnc_t eap_tnc_t;
 struct eap_tnc_t {
 
 	/**
-	 * Implemented eap_method_t interface.
+	 * Implemented eap_inner_method_t interface.
 	 */
-	eap_method_t eap_method;
+	eap_inner_method_t eap_inner_method;
 };
 
 /**

src/libcharon/plugins/eap_ttls/eap_ttls_server.c

@@ -20,6 +20,7 @@
 #include <daemon.h>
 
 #include <sa/eap/eap_method.h>
+#include <sa/eap/eap_inner_method.h>
 
 typedef struct private_eap_ttls_server_t private_eap_ttls_server_t;
 
@@ -108,8 +109,11 @@ static status_t start_phase2_auth(private_eap_ttls_server_t *this)
 /**
  * If configured, start EAP-TNC protocol
  */
-static status_t start_phase2_tnc(private_eap_ttls_server_t *this)
+static status_t start_phase2_tnc(private_eap_ttls_server_t *this,
+								 eap_type_t auth_type)
 {
+	eap_inner_method_t *inner_method;
+
 	if (this->start_phase2_tnc && lib->settings->get_bool(lib->settings,
 						"%s.plugins.eap-ttls.phase2_tnc", FALSE, charon->name))
 	{
@@ -121,6 +125,9 @@ static status_t start_phase2_tnc(private_eap_ttls_server_t *this)
 			DBG1(DBG_IKE, "%N method not available", eap_type_names, EAP_TNC);
 			return FAILED;
 		}
+		inner_method = (eap_inner_method_t *)this->method;
+		inner_method->set_auth_type(inner_method, auth_type);
+
 		this->start_phase2_tnc = FALSE;
 		if (this->method->initiate(this->method, &this->out) == NEED_MORE)
 		{
@@ -237,7 +244,7 @@ METHOD(tls_application_t, process, status_t,
 		if (lib->settings->get_bool(lib->settings,
 				"%s.plugins.eap-ttls.request_peer_auth", FALSE, charon->name))
 		{
-			return start_phase2_tnc(this);
+			return start_phase2_tnc(this, EAP_TLS);
 		}
 		else
 		{
@@ -265,7 +272,7 @@ METHOD(tls_application_t, process, status_t,
 			this->method = NULL;
 
 			/* continue phase2 with EAP-TNC? */
-			return start_phase2_tnc(this);
+			return start_phase2_tnc(this, type);
 		case NEED_MORE:
 			break;
 		case FAILED:

src/libcharon/plugins/tnc_tnccs/tnc_tnccs_manager.c

@@ -712,15 +712,15 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 		case TNC_ATTRIBUTEID_AR_IDENTITIES:
 		{
 			linked_list_t *list;
-			tls_t *tnccs;
 			identification_t *peer;
+			tnccs_t *tnccs;
 			tncif_identity_t *tnc_id;
 			u_int32_t id_type, subject_type;
 			TNC_Result result;
 
 			list = linked_list_create();
-			tnccs = &entry->tnccs->tls;
-			peer = tnccs->get_peer_id(tnccs);
+			tnccs = entry->tnccs;
+			peer = tnccs->tls.get_peer_id(&tnccs->tls);
 			if (peer)
 			{
 				switch (peer->get_type(peer))
@@ -759,7 +759,8 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result,
 								pen_type_create(PEN_TCG, id_type),
 								peer->get_encoding(peer),
 								pen_type_create(PEN_TCG, subject_type),
-								pen_type_create(PEN_TCG, TNC_AUTH_UNKNOWN));
+								pen_type_create(PEN_TCG,
+												tnccs->get_auth_type(tnccs)));
 					list->insert_last(list, tnc_id);
 				}
 			}

src/libcharon/plugins/tnccs_11/tnccs_11.c

@@ -67,6 +67,11 @@ struct private_tnccs_11_t {
 	 */
 	tnc_ift_type_t transport;
 
+	/**
+	 * Type of TNC client authentication
+	 */
+	u_int32_t auth_type;
+
 	/**
 	 * Connection ID assigned to this TNCCS connection
 	 */
@@ -574,6 +579,18 @@ METHOD(tnccs_t, set_transport, void,
 	this->transport = transport;
 }
 
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+	private_tnccs_11_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+	private_tnccs_11_t *this, u_int32_t auth_type)
+{
+	this->auth_type = auth_type;
+}
+
 /**
  * See header
  */
@@ -599,6 +616,8 @@ tnccs_t* tnccs_11_create(bool is_server,
 			},
 			.get_transport = _get_transport,
 			.set_transport = _set_transport,
+			.get_auth_type = _get_auth_type,
+			.set_auth_type = _set_auth_type,
 		},
 		.is_server = is_server,
 		.server = server->clone(server),

src/libcharon/plugins/tnccs_20/tnccs_20.c

@@ -72,6 +72,11 @@ struct private_tnccs_20_t {
 	 */
 	tnc_ift_type_t transport;
 
+	/**
+	 * Type of TNC client authentication
+	 */
+	u_int32_t auth_type;
+
 	/**
 	 * PB-TNC State Machine
 	 */
@@ -840,6 +845,18 @@ METHOD(tnccs_t, set_transport, void,
 	this->transport = transport;
 }
 
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+	private_tnccs_20_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+	private_tnccs_20_t *this, u_int32_t auth_type)
+{
+	this->auth_type = auth_type;
+}
+
 /**
  * See header
  */
@@ -865,6 +882,8 @@ tnccs_t* tnccs_20_create(bool is_server,
 			},
 			.get_transport = _get_transport,
 			.set_transport = _set_transport,
+			.get_auth_type = _get_auth_type,
+			.set_auth_type = _set_auth_type,
 		},
 		.is_server = is_server,
 		.server = server->clone(server),

src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c

@@ -51,6 +51,11 @@ struct private_tnccs_dynamic_t {
 	 */
 	tnc_ift_type_t transport;
 
+	/**
+	 * Type of TNC client authentication
+	 */
+	u_int32_t auth_type;
+
 };
 
 /**
@@ -82,6 +87,7 @@ METHOD(tls_t, process, status_t,
 	private_tnccs_dynamic_t *this, void *buf, size_t buflen)
 {
 	tnccs_type_t type;
+	tnccs_t *tnccs;
 
 	if (!this->tls)
 	{
@@ -92,13 +98,15 @@ METHOD(tls_t, process, status_t,
 		type = determine_tnccs_protocol(*(char*)buf);
 		DBG1(DBG_TNC, "%N protocol detected dynamically",
 					   tnccs_type_names, type);
-		this->tls = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, type, TRUE,
-									this->server, this->peer, this->transport);
-		if (!this->tls)
+		tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE,
+							this->server, this->peer, this->transport);
+		if (!tnccs)
 		{
 			DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);
 			return FAILED;
 		}
+		tnccs->set_auth_type(tnccs, this->auth_type);
+		this->tls = &tnccs->tls;
 	}
 	return this->tls->process(this->tls, buf, buflen);
 }
@@ -166,6 +174,18 @@ METHOD(tnccs_t, set_transport, void,
 	this->transport = transport;
 }
 
+METHOD(tnccs_t, get_auth_type, u_int32_t,
+	private_tnccs_dynamic_t *this)
+{
+	return this->auth_type;
+}
+
+METHOD(tnccs_t, set_auth_type, void,
+	private_tnccs_dynamic_t *this, u_int32_t auth_type)
+{
+	this->auth_type = auth_type;
+}
+
 /**
  * See header
  */
@@ -191,6 +211,8 @@ tnccs_t* tnccs_dynamic_create(bool is_server,
 			},
 			.get_transport = _get_transport,
 			.set_transport = _set_transport,
+			.get_auth_type = _get_auth_type,
+			.set_auth_type = _set_auth_type,
 		},
 		.server = server->clone(server),
 		.peer = peer->clone(peer),

src/libcharon/sa/eap/eap_inner_method.h

@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) 2013 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup eap_inner_method eap_inner_method
+ * @{ @ingroup eap
+ */
+
+#ifndef EAP_INNER_METHOD_H_
+#define EAP_INNER_METHOD_H_
+
+typedef struct eap_inner_method_t eap_inner_method_t;
+
+#include <library.h>
+
+#include "eap_method.h"
+
+/**
+ * Interface of a weak inner EAP method like EAP-TNC or PT-EAP
+ * that must be encapsulated in a strong TLS-based EAP method 
+ */
+struct eap_inner_method_t {
+
+	/*
+	 * Public EAP method interface
+	 */
+	eap_method_t eap_method;
+
+	/*
+	 * Get type of outer EAP authentication method
+	 *
+	 * @return			outer EAP authentication type
+	 */
+	eap_type_t (*get_auth_type)(eap_inner_method_t *this); 
+
+	/*
+	 * Set type of outer EAP Client/Server authentication
+	 *
+	 * @param type		outer EAP authentication type
+	 */
+	void (*set_auth_type)(eap_inner_method_t *this, eap_type_t type); 
+
+};
+
+#endif /** EAP_INNER_METHOD_H_ @}*/

src/libtnccs/tnc/tnccs/tnccs.h

@@ -82,9 +82,20 @@ struct tnccs_t {
 
 	/**
 	 * Set underlying TNC IF-T transport protocol
+
 	 */
 	void (*set_transport)(tnccs_t *this, tnc_ift_type_t transport);
 
+	/**
+	 * Get type of TNC Client authentication
+	 */
+	u_int32_t (*get_auth_type)(tnccs_t *this);
+
+	/**
+	 * Set type of TNC Client authentication
+	 */
+	void (*set_auth_type)(tnccs_t *this, u_int32_t auth_type);
+
 };
 
 /**