From 00cd79b6780acf1d2682038cb630e6871782f819 Mon Sep 17 00:00:00 2001 From: Andreas Steffen Date: Thu, 19 Feb 2015 11:44:11 +0100 Subject: [PATCH] Make access requestor IP address available to TNC server --- src/libcharon/plugins/eap_tnc/eap_tnc.c | 26 +++- src/libcharon/plugins/tnc_pdp/tnc_pdp.c | 25 ++-- src/libimcv/Makefile.am | 3 +- src/libimcv/imv/imv_agent.c | 76 ++++-------- src/libimcv/imv/imv_database.c | 111 ++++++++++++------ src/libimcv/imv/imv_policy_manager.c | 76 +++++++++++- src/libimcv/imv/imv_session.c | 33 ++---- src/libimcv/imv/imv_session.h | 14 +-- src/libimcv/imv/imv_session_manager.c | 40 ++++++- src/libimcv/imv/imv_session_manager.h | 7 +- src/libimcv/imv/tables-mysql.sql | 8 ++ src/libimcv/imv/tables.sql | 8 ++ .../plugins/tnc_tnccs/tnc_tnccs_manager.c | 48 ++++++-- src/libtnccs/plugins/tnccs_11/tnccs_11.c | 57 ++++++--- src/libtnccs/plugins/tnccs_11/tnccs_11.h | 15 ++- src/libtnccs/plugins/tnccs_20/tnccs_20.c | 57 ++++++--- src/libtnccs/plugins/tnccs_20/tnccs_20.h | 15 ++- .../plugins/tnccs_dynamic/tnccs_dynamic.c | 61 +++++++--- .../plugins/tnccs_dynamic/tnccs_dynamic.h | 15 ++- src/libtnccs/tnc/tnccs/tnccs.h | 28 ++++- src/libtnccs/tnc/tnccs/tnccs_manager.h | 15 ++- src/libtncif/tncif_names.c | 14 ++- src/libtncif/tncif_names.h | 4 +- src/pt-tls-client/pt-tls-client.c | 38 ++++-- 24 files changed, 550 insertions(+), 244 deletions(-) diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c index 62d23d064..b1a6ff046 100644 --- a/src/libcharon/plugins/eap_tnc/eap_tnc.c +++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -256,6 +256,8 @@ static eap_tnc_t *eap_tnc_create(identification_t *server, private_eap_tnc_t *this; int max_msg_count; char* protocol; + ike_sa_t *ike_sa; + host_t *server_ip, *peer_ip; tnccs_t *tnccs; tnccs_type_t tnccs_type; @@ -302,8 +304,28 @@ static eap_tnc_t *eap_tnc_create(identification_t *server, free(this); return NULL; } + + /* Determine IP addresses of server and peer */ + ike_sa = charon->bus->get_sa(charon->bus); + if (!ike_sa) + { + DBG1(DBG_TNC, "%N constructor did not find IKE_SA", + eap_type_names, type); + return NULL; + } + if (is_server) + { + server_ip = ike_sa->get_my_host(ike_sa); + peer_ip = ike_sa->get_other_host(ike_sa); + } + else + { + peer_ip = ike_sa->get_my_host(ike_sa); + server_ip = ike_sa->get_other_host(ike_sa); + } + tnccs = tnc->tnccs->create_instance(tnc->tnccs, tnccs_type, - is_server, server, peer, + is_server, server, peer, server_ip, peer_ip, (type == EAP_TNC) ? TNC_IFT_EAP_1_1 : TNC_IFT_EAP_2_0, is_server ? enforce_recommendation : NULL); if (!tnccs) diff --git a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c index 109c216d5..91456f8da 100644 --- a/src/libcharon/plugins/tnc_pdp/tnc_pdp.c +++ b/src/libcharon/plugins/tnc_pdp/tnc_pdp.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012-2013 Andreas Steffen + * Copyright (C) 2012-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -646,8 +646,8 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even int pt_tls_fd; struct sockaddr_storage addr; socklen_t addrlen = sizeof(addr); - identification_t *peer; - host_t *host; + identification_t *client_id; + host_t *server_ip, *client_ip; pt_tls_server_t *pt_tls; tnccs_t *tnccs; pt_tls_auth_t auth = PT_TLS_AUTH_TLS_OR_SASL; @@ -658,17 +658,22 @@ static bool pt_tls_receive(private_tnc_pdp_t *this, int fd, watcher_event_t even DBG1(DBG_TNC, "accepting PT-TLS stream failed: %s", strerror(errno)); return FALSE; } - host = host_create_from_sockaddr((sockaddr_t*)&addr); - DBG1(DBG_TNC, "accepting PT-TLS stream from %H", host); - host->destroy(host); + client_ip = host_create_from_sockaddr((sockaddr_t*)&addr); + DBG1(DBG_TNC, "accepting PT-TLS stream from %H", client_ip); - /* At this moment the peer identity is not known yet */ - peer = identification_create_from_encoding(ID_ANY, chunk_empty), + /* Currently we do not determine the IP address of the server interface */ + server_ip = host_create_any(client_ip->get_family(client_ip)); + + /* At this moment the client identity is not known yet */ + client_id = identification_create_from_encoding(ID_ANY, chunk_empty), tnccs = tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, TRUE, - this->server, peer, TNC_IFT_TLS_2_0, + this->server, client_id, server_ip, + client_ip, TNC_IFT_TLS_2_0, (tnccs_cb_t)get_recommendation); - peer->destroy(peer); + client_id->destroy(client_id); + server_ip->destroy(server_ip); + client_ip->destroy(client_ip); if (!tnccs) { diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am index d9a5cd50d..a61382723 100644 --- a/src/libimcv/Makefile.am +++ b/src/libimcv/Makefile.am @@ -127,7 +127,8 @@ imv_policy_manager_SOURCES = \ imv/imv_policy_manager.c \ imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c imv_policy_manager_LDADD = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtncif/libtncif.la #imv/imv_policy_manager.o : $(top_builddir)/config.status SUBDIRS = . diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c index 6b24f4b28..d0508624d 100644 --- a/src/libimcv/imv/imv_agent.c +++ b/src/libimcv/imv/imv_agent.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -412,14 +412,10 @@ METHOD(imv_agent_t, create_state, TNC_Result, { TNC_ConnectionID conn_id; char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL; - bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE, first = TRUE; + bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE; linked_list_t *ar_identities; - enumerator_t *enumerator; - tncif_identity_t *tnc_id; imv_session_t *session; uint32_t max_msg_len; - uint32_t ar_id_type = TNC_ID_UNKNOWN; - chunk_t ar_id_value = chunk_empty; conn_id = state->get_connection_id(state); if (find_connection(this, conn_id)) @@ -431,15 +427,24 @@ METHOD(imv_agent_t, create_state, TNC_Result, } /* Get and display attributes from TNCS via IF-IMV */ - has_long = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_LONG_TYPES); - has_excl = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_EXCLUSIVE); - has_soh = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_SOH); - tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL); - tnccs_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_VERSION); - t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL); - t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION); - max_msg_len = get_uint_attribute(this, conn_id, TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE); - ar_identities = get_identity_attribute(this, conn_id, TNC_ATTRIBUTEID_AR_IDENTITIES); + has_long = get_bool_attribute(this, conn_id, + TNC_ATTRIBUTEID_HAS_LONG_TYPES); + has_excl = get_bool_attribute(this, conn_id, + TNC_ATTRIBUTEID_HAS_EXCLUSIVE); + has_soh = get_bool_attribute(this, conn_id, + TNC_ATTRIBUTEID_HAS_SOH); + tnccs_p = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL); + tnccs_v = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFTNCCS_VERSION); + t_p = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFT_PROTOCOL); + t_v = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFT_VERSION); + max_msg_len = get_uint_attribute(this, conn_id, + TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE); + ar_identities = get_identity_attribute(this, conn_id, + TNC_ATTRIBUTEID_AR_IDENTITIES); state->set_flags(state, has_long, has_excl); state->set_max_msg_len(state, max_msg_len); @@ -451,48 +456,9 @@ METHOD(imv_agent_t, create_state, TNC_Result, DBG2(DBG_IMV, " over %s %s with maximum PA-TNC message size of %u bytes", t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len); - enumerator = ar_identities->create_enumerator(ar_identities); - while (enumerator->enumerate(enumerator, &tnc_id)) - { - pen_type_t id_type, subject_type, auth_type; - uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type; - chunk_t id_value; - - id_type = tnc_id->get_identity_type(tnc_id); - id_value = tnc_id->get_identity_value(tnc_id); - subject_type = tnc_id->get_subject_type(tnc_id); - auth_type = tnc_id->get_auth_type(tnc_id); - - tcg_id_type = (id_type.vendor_id == PEN_TCG) ? - id_type.type : TNC_ID_UNKNOWN; - tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ? - subject_type.type : TNC_SUBJECT_UNKNOWN; - tcg_auth_type = (auth_type.vendor_id == PEN_TCG) ? - auth_type.type : TNC_AUTH_UNKNOWN; - - - DBG2(DBG_IMV, " %N AR identity '%.*s' authenticated by %N", - TNC_Subject_names, tcg_subject_type, - id_value.len, id_value.ptr, - TNC_Authentication_names, tcg_auth_type); - - /* keep the first access requestor ID */ - if (first) - { - ar_id_type = tcg_id_type; - ar_id_value = id_value; - first = FALSE; - } - } - enumerator->destroy(enumerator); - - session = imcv_sessions->add_session(imcv_sessions, conn_id, - ar_id_type, ar_id_value); + session = imcv_sessions->add_session(imcv_sessions, conn_id, ar_identities); state->set_session(state, session); - /* clean up temporary variables */ - ar_identities->destroy_offset(ar_identities, - offsetof(tncif_identity_t, destroy)); free(tnccs_p); free(tnccs_v); free(t_p); diff --git a/src/libimcv/imv/imv_database.c b/src/libimcv/imv/imv_database.c index 0c4bb7514..0a18cd71b 100644 --- a/src/libimcv/imv/imv_database.c +++ b/src/libimcv/imv/imv_database.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2014 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -22,6 +22,8 @@ #include "imv_database.h" +#include + #include #include @@ -60,41 +62,14 @@ METHOD(imv_database_t, get_database, database_t*, */ static bool create_session(private_imv_database_t *this, imv_session_t *session) { - enumerator_t *e; + enumerator_t *enumerator, *e; imv_os_info_t *os_info; - chunk_t device_id, ar_id_value; + chunk_t device_id; + tncif_identity_t *tnc_id; TNC_ConnectionID conn_id; - uint32_t ar_id_type; char *product, *device; - int session_id = 0, ar_id = 0, pid = 0, did = 0, trusted = 0, created; - - ar_id_value = session->get_ar_id(session, &ar_id_type); - if (ar_id_value.len) - { - /* get primary key of AR identity if it exists */ - e = this->db->query(this->db, - "SELECT id FROM identities WHERE type = ? AND value = ?", - DB_INT, ar_id_type, DB_BLOB, ar_id_value, DB_INT); - if (e) - { - e->enumerate(e, &ar_id); - e->destroy(e); - } - - /* if AR identity has not been found - register it */ - if (!ar_id) - { - this->db->execute(this->db, &ar_id, - "INSERT INTO identities (type, value) VALUES (?, ?)", - DB_INT, ar_id_type, DB_BLOB, ar_id_value); - } - - if (!ar_id) - { - DBG1(DBG_IMV, "imv_db: registering access requestor failed"); - return FALSE; - } - } + int session_id = 0, pid = 0, did = 0, trusted = 0, created; + bool first = TRUE, success = TRUE; /* get product info string */ os_info = session->get_os_info(session); @@ -170,10 +145,9 @@ static bool create_session(private_imv_database_t *this, imv_session_t *session) created = session->get_creation_time(session); conn_id = session->get_connection_id(session); this->db->execute(this->db, &session_id, - "INSERT INTO sessions (time, connection, identity, product, device) " - "VALUES (?, ?, ?, ?, ?)", - DB_INT, created, DB_INT, conn_id, DB_INT, ar_id, - DB_INT, pid, DB_INT, did); + "INSERT INTO sessions (time, connection, product, device) " + "VALUES (?, ?, ?, ?)", + DB_INT, created, DB_INT, conn_id, DB_INT, pid, DB_INT, did); if (session_id) { @@ -187,7 +161,68 @@ static bool create_session(private_imv_database_t *this, imv_session_t *session) } session->set_session_id(session, session_id, pid, did); - return TRUE; + enumerator = session->create_ar_identities_enumerator(session); + while (enumerator->enumerate(enumerator, &tnc_id)) + { + pen_type_t ar_id_type; + chunk_t ar_id_value; + int ar_id = 0, si_id = 0; + + ar_id_type = tnc_id->get_identity_type(tnc_id); + ar_id_value = tnc_id->get_identity_value(tnc_id); + + if (ar_id_type.vendor_id != PEN_TCG || ar_id_value.len == 0) + { + continue; + } + + /* get primary key of AR identity if it exists */ + e = this->db->query(this->db, + "SELECT id FROM identities WHERE type = ? AND value = ?", + DB_INT, ar_id_type.type, DB_BLOB, ar_id_value, DB_INT); + if (e) + { + e->enumerate(e, &ar_id); + e->destroy(e); + } + + /* if AR identity has not been found - register it */ + if (!ar_id) + { + this->db->execute(this->db, &ar_id, + "INSERT INTO identities (type, value) VALUES (?, ?)", + DB_INT, ar_id_type.type, DB_BLOB, ar_id_value); + } + if (!ar_id) + { + DBG1(DBG_IMV, "imv_db: registering access requestor failed"); + success = FALSE; + break; + } + + this->db->execute(this->db, &si_id, + "INSERT INTO sessions_identities (session_id, identity_id) " + "VALUES (?, ?)", + DB_INT, session_id, DB_INT, ar_id); + + if (!si_id) + { + DBG1(DBG_IMV, "imv_db: assigning identity to session failed"); + success = FALSE; + break; + } + + if (first) + { + this->db->execute(this->db, NULL, + "UPDATE sessions SET identity = ? WHERE id = ?", + DB_INT, ar_id, DB_INT, session_id); + first = FALSE; + } + } + enumerator->destroy(enumerator); + + return success; } static bool add_workitems(private_imv_database_t *this, imv_session_t *session) diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c index 50f7f2e39..9f7e4e8f4 100644 --- a/src/libimcv/imv/imv_policy_manager.c +++ b/src/libimcv/imv/imv_policy_manager.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -19,6 +19,8 @@ #include #include +#include + #include #include #include @@ -251,9 +253,12 @@ static bool policy_start(database_t *db, int session_id) static bool policy_stop(database_t *db, int session_id) { enumerator_t *e; - int rec, policy; - char *result; + int rec, policy, final_rec, id_type; + chunk_t id_value; + char *result, *ip_address = NULL; + bool success = TRUE; + /* store all workitem results for this session in the results table */ e = db->query(db, "SELECT w.rec_final, w.result, e.policy FROM workitems AS w " "JOIN enforcements AS e ON w.enforcement = e.id " @@ -270,9 +275,68 @@ static bool policy_stop(database_t *db, int session_id) } e->destroy(e); } - return db->execute(db, NULL, - "DELETE FROM workitems WHERE session = ?", - DB_UINT, session_id) >= 0; + else + { + success = FALSE; + } + + /* delete all workitems for this session from the database */ + if (db->execute(db, NULL, + "DELETE FROM workitems WHERE session = ?", + DB_UINT, session_id) < 0) + { + success = FALSE; + } + + final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION; + + /* retrieve the final recommendation for this session */ + e = db->query(db, + "SELECT rec FROM sessions WHERE id = ?", + DB_INT, session_id, DB_INT); + if (e) + { + if (!e->enumerate(e, &final_rec)) + { + success = FALSE; + } + e->destroy(e); + } + else + { + success = FALSE; + } + + /* retrieve client IP address for this session */ + e = db->query(db, + "SELECT i.type, i.value FROM identities AS i " + "JOIN sessions_identities AS si ON si.identity_id = i.id " + "WHERE si.session_id = ? AND (i.type = ? OR i.type = ?)", + DB_INT, session_id, DB_INT, TNC_ID_IPV4_ADDR, DB_INT, + TNC_ID_IPV6_ADDR, DB_INT, DB_BLOB); + if (e) + { + if (e->enumerate(e, &id_type, &id_value)) + { + ip_address = strndup(id_value.ptr, id_value.len); + } + else + { + success = FALSE; + } + e->destroy(e); + } + else + { + success = FALSE; + } + + fprintf(stderr, "recommendation for access requestor %s is %N\n", + ip_address ? ip_address : "0.0.0.0", + TNC_IMV_Action_Recommendation_names, final_rec); + free(ip_address); + + return success; } int main(int argc, char *argv[]) diff --git a/src/libimcv/imv/imv_session.c b/src/libimcv/imv/imv_session.c index 1f0d8cf14..bc6b5a8d1 100644 --- a/src/libimcv/imv/imv_session.c +++ b/src/libimcv/imv/imv_session.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,6 +15,8 @@ #include "imv_session.h" +#include + #include typedef struct private_imv_session_t private_imv_session_t; @@ -55,14 +57,9 @@ struct private_imv_session_t { time_t created; /** - * Access Requestor ID type + * List of Access Requestor identities */ - uint32_t ar_id_type; - - /** - * Access Requestor ID value - */ - chunk_t ar_id_value; + linked_list_t *ar_identities; /** * OS information @@ -130,14 +127,10 @@ METHOD(imv_session_t, get_creation_time, time_t, return this->created; } -METHOD(imv_session_t, get_ar_id, chunk_t, - private_imv_session_t *this, uint32_t *ar_id_type) +METHOD(imv_session_t, create_ar_identities_enumerator, enumerator_t*, + private_imv_session_t *this) { - if (ar_id_type) - { - *ar_id_type = this->ar_id_type; - } - return this->ar_id_value; + return this->ar_identities->create_enumerator(this->ar_identities); } METHOD(imv_session_t, get_os_info, imv_os_info_t*, @@ -256,7 +249,8 @@ METHOD(imv_session_t, destroy, void, this->workitems->destroy_offset(this->workitems, offsetof(imv_workitem_t, destroy)); this->os_info->destroy(this->os_info); - free(this->ar_id_value.ptr); + this->ar_identities->destroy_offset(this->ar_identities, + offsetof(tncif_identity_t, destroy)); free(this->device_id.ptr); free(this); } @@ -266,7 +260,7 @@ METHOD(imv_session_t, destroy, void, * See header */ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created, - uint32_t ar_id_type, chunk_t ar_id_value) + linked_list_t *ar_identities) { private_imv_session_t *this; @@ -276,7 +270,7 @@ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created, .get_session_id = _get_session_id, .get_connection_id = _get_connection_id, .get_creation_time = _get_creation_time, - .get_ar_id = _get_ar_id, + .create_ar_identities_enumerator = _create_ar_identities_enumerator, .get_os_info = _get_os_info, .set_device_id = _set_device_id, .get_device_id = _get_device_id, @@ -293,8 +287,7 @@ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created, }, .conn_id = conn_id, .created = created, - .ar_id_type = ar_id_type, - .ar_id_value = chunk_clone(ar_id_value), + .ar_identities = ar_identities, .os_info = imv_os_info_create(), .workitems = linked_list_create(), .ref = 1, diff --git a/src/libimcv/imv/imv_session.h b/src/libimcv/imv/imv_session.h index 42b9118a6..107716f30 100644 --- a/src/libimcv/imv/imv_session.h +++ b/src/libimcv/imv/imv_session.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2014 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -70,12 +70,11 @@ struct imv_session_t { time_t (*get_creation_time)(imv_session_t *this); /** - * Get Access Requestor ID + * Get list of Access Requestor identities * - * @param id_type Access Requestor TCG Standard ID Type - * @return Access Requestor TCG Standard ID Value + * @return List of Access Requestor identities */ - chunk_t (*get_ar_id)(imv_session_t *this, uint32_t *id_type); + enumerator_t* (*create_ar_identities_enumerator)(imv_session_t *this); /** * Get OS Information @@ -172,10 +171,9 @@ struct imv_session_t { * * @param id Associated Connection ID * @param created Session creation time - * @param ar_id_type Access Requestor ID type - * @param ar_id_value Access Requestor ID value + * @param ar_identities List of Access Requestor identities */ imv_session_t* imv_session_create(TNC_ConnectionID id, time_t created, - uint32_t ar_id_type, chunk_t ar_id_value); + linked_list_t *ar_identities); #endif /** IMV_SESSION_H_ @}*/ diff --git a/src/libimcv/imv/imv_session_manager.c b/src/libimcv/imv/imv_session_manager.c index 0fb8de45e..c97602998 100644 --- a/src/libimcv/imv/imv_session_manager.c +++ b/src/libimcv/imv/imv_session_manager.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,6 +15,9 @@ #include "imv_session_manager.h" +#include +#include + #include typedef struct private_imv_session_manager_t private_imv_session_manager_t; @@ -43,9 +46,10 @@ struct private_imv_session_manager_t { METHOD(imv_session_manager_t, add_session, imv_session_t*, private_imv_session_manager_t *this, TNC_ConnectionID conn_id, - uint32_t ar_id_type, chunk_t ar_id_value) + linked_list_t *ar_identities) { enumerator_t *enumerator; + tncif_identity_t *tnc_id; imv_session_t *current, *session = NULL; time_t created; @@ -66,13 +70,43 @@ METHOD(imv_session_manager_t, add_session, imv_session_t*, /* session already exists */ if (session) { + ar_identities->destroy_offset(ar_identities, + offsetof(tncif_identity_t, destroy)); this->mutex->unlock(this->mutex); return session->get_ref(session); } + /* Output list of Access Requestor identities */ + enumerator = ar_identities->create_enumerator(ar_identities); + while (enumerator->enumerate(enumerator, &tnc_id)) + { + pen_type_t id_type, subject_type, auth_type; + uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type; + chunk_t id_value; + + id_type = tnc_id->get_identity_type(tnc_id); + id_value = tnc_id->get_identity_value(tnc_id); + subject_type = tnc_id->get_subject_type(tnc_id); + auth_type = tnc_id->get_auth_type(tnc_id); + + tcg_id_type = (subject_type.vendor_id == PEN_TCG) ? + id_type.type : TNC_SUBJECT_UNKNOWN; + tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ? + subject_type.type : TNC_SUBJECT_UNKNOWN; + tcg_auth_type = (auth_type.vendor_id == PEN_TCG) ? + auth_type.type : TNC_AUTH_UNKNOWN; + + DBG2(DBG_IMV, " %N AR identity '%.*s' of type %N authenticated by %N", + TNC_Subject_names, tcg_subject_type, + id_value.len, id_value.ptr, + TNC_Identity_names, tcg_id_type, + TNC_Authentication_names, tcg_auth_type); + } + enumerator->destroy(enumerator); + /* create a new session entry */ created = time(NULL); - session = imv_session_create(conn_id, created, ar_id_type, ar_id_value); + session = imv_session_create(conn_id, created, ar_identities); this->sessions->insert_last(this->sessions, session); this->mutex->unlock(this->mutex); diff --git a/src/libimcv/imv/imv_session_manager.h b/src/libimcv/imv/imv_session_manager.h index 8a733accb..cfae23bc9 100644 --- a/src/libimcv/imv/imv_session_manager.h +++ b/src/libimcv/imv/imv_session_manager.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -39,13 +39,12 @@ struct imv_session_manager_t { * Create or get a session associated with a TNCCS connection * * @param conn_id TNCCS Connection ID - * @param ar_id_type Access Requestor identity type - * @param ar_id_value Access Requestor identity value + * @param ar_identities List of Access Requestor identities * @return Session associated with TNCCS Connection */ imv_session_t* (*add_session)(imv_session_manager_t *this, TNC_ConnectionID conn_id, - uint32_t ar_id_type, chunk_t ar_id_value); + linked_list_t *ar_identities); /** * Remove a session diff --git a/src/libimcv/imv/tables-mysql.sql b/src/libimcv/imv/tables-mysql.sql index 47ee41c86..cf50742c3 100644 --- a/src/libimcv/imv/tables-mysql.sql +++ b/src/libimcv/imv/tables-mysql.sql @@ -99,6 +99,14 @@ CREATE TABLE `sessions` ( `rec` INTEGER DEFAULT 3 ); +DROP TABLE IF EXISTS `sessions_identities`; +CREATE TABLE `sessions_identities` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `session_id` INTEGER NOT NULL REFERENCES `sessions`(`id`), + `identity_id` INTEGER NOT NULL REFERENCES `identities`(`id`), + UNIQUE (`session_id`, `identity_id`) +); + DROP TABLE IF EXISTS `workitems`; CREATE TABLE `workitems` ( `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql index f7324896e..5c2a6563b 100644 --- a/src/libimcv/imv/tables.sql +++ b/src/libimcv/imv/tables.sql @@ -104,6 +104,14 @@ CREATE TABLE sessions ( rec INTEGER DEFAULT 3 ); +DROP TABLE IF EXISTS sessions_identities; +CREATE TABLE sessions_identities ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + session_id INTEGER NOT NULL REFERENCES sessions(id), + identity_id INTEGER NOT NULL REFERENCES identities(id), + UNIQUE (session_id, identity_id) +); + DROP TABLE IF EXISTS workitems; CREATE TABLE workitems ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, diff --git a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c index b8683f78c..30e505246 100644 --- a/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c +++ b/src/libtnccs/plugins/tnc_tnccs/tnc_tnccs_manager.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -169,8 +169,8 @@ METHOD(tnccs_manager_t, remove_method, void, METHOD(tnccs_manager_t, create_instance, tnccs_t*, private_tnc_tnccs_manager_t *this, tnccs_type_t type, bool is_server, - identification_t *server, identification_t *peer, tnc_ift_type_t transport, - tnccs_cb_t cb) + identification_t *server_id, identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, tnccs_cb_t cb) { enumerator_t *enumerator; tnccs_entry_t *entry; @@ -182,7 +182,8 @@ METHOD(tnccs_manager_t, create_instance, tnccs_t*, { if (type == entry->type) { - protocol = entry->constructor(is_server, server, peer, transport, cb); + protocol = entry->constructor(is_server, server_id, peer_id, + server_ip, peer_ip, transport, cb); if (protocol) { break; @@ -716,7 +717,8 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result, case TNC_ATTRIBUTEID_AR_IDENTITIES: { linked_list_t *list; - identification_t *peer; + identification_t *peer_id; + host_t *peer_ip; tnccs_t *tnccs; tncif_identity_t *tnc_id; u_int32_t id_type, subject_type; @@ -726,10 +728,11 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result, list = linked_list_create(); tnccs = entry->tnccs; - peer = tnccs->tls.get_peer_id(&tnccs->tls); - if (peer) + + peer_id = tnccs->tls.get_peer_id(&tnccs->tls); + if (peer_id) { - switch (peer->get_type(peer)) + switch (peer_id->get_type(peer_id)) { case ID_IPV4_ADDR: id_type = TNC_ID_IPV4_ADDR; @@ -756,7 +759,7 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result, subject_type = TNC_SUBJECT_UNKNOWN; } if (id_type != TNC_ID_UNKNOWN && - asprintf(&id_str, "%Y", peer) >= 0) + asprintf(&id_str, "%Y", peer_id) >= 0) { id_value = chunk_from_str(id_str); tnc_id = tncif_identity_create( @@ -767,6 +770,33 @@ METHOD(tnccs_manager_t, get_attribute, TNC_Result, list->insert_last(list, tnc_id); } } + + peer_ip = tnccs->get_peer_ip(tnccs); + if (peer_ip) + { + switch (peer_ip->get_family(peer_ip)) + { + case AF_INET: + id_type = TNC_ID_IPV4_ADDR; + break; + case AF_INET6: + id_type = TNC_ID_IPV6_ADDR; + break; + default: + id_type = TNC_ID_UNKNOWN; + } + + if (id_type != TNC_ID_UNKNOWN && + asprintf(&id_str, "%H", peer_ip) >= 0) + { + id_value = chunk_from_str(id_str); + tnc_id = tncif_identity_create( + pen_type_create(PEN_TCG, id_type), id_value, + pen_type_create(PEN_TCG, TNC_SUBJECT_MACHINE), + pen_type_create(PEN_TCG, TNC_AUTH_UNKNOWN)); + list->insert_last(list, tnc_id); + } + } result = identity_attribute(buffer_len, buffer, value_len, list); list->destroy_offset(list, offsetof(tncif_identity_t, destroy)); return result; diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.c b/src/libtnccs/plugins/tnccs_11/tnccs_11.c index 28c5e52b7..0918a2bad 100644 --- a/src/libtnccs/plugins/tnccs_11/tnccs_11.c +++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -54,12 +54,22 @@ struct private_tnccs_11_t { /** * Server identity */ - identification_t *server; + identification_t *server_id; /** * Client identity */ - identification_t *peer; + identification_t *peer_id; + + /** + * Server IP address + */ + host_t *server_ip; + + /** + * Client IP address + */ + host_t *peer_ip; /** * Underlying TNC IF-T transport protocol @@ -527,20 +537,20 @@ METHOD(tls_t, is_server, bool, METHOD(tls_t, get_server_id, identification_t*, private_tnccs_11_t *this) { - return this->server; + return this->server_id; } METHOD(tls_t, set_peer_id, void, private_tnccs_11_t *this, identification_t *id) { - DESTROY_IF(this->peer); - this->peer = id->clone(id); + DESTROY_IF(this->peer_id); + this->peer_id = id->clone(id); } METHOD(tls_t, get_peer_id, identification_t*, private_tnccs_11_t *this) { - return this->peer; + return this->peer_id; } METHOD(tls_t, get_purpose, tls_purpose_t, @@ -578,14 +588,28 @@ METHOD(tls_t, destroy, void, { tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id, this->is_server); - this->server->destroy(this->server); - this->peer->destroy(this->peer); + this->server_id->destroy(this->server_id); + this->peer_id->destroy(this->peer_id); + this->server_ip->destroy(this->server_ip); + this->peer_ip->destroy(this->peer_ip); this->mutex->destroy(this->mutex); DESTROY_IF(this->batch); free(this); } } +METHOD(tnccs_t, get_server_ip, host_t*, + private_tnccs_11_t *this) +{ + return this->server_ip; +} + +METHOD(tnccs_t, get_peer_ip, host_t*, + private_tnccs_11_t *this) +{ + return this->peer_ip; +} + METHOD(tnccs_t, get_transport, tnc_ift_type_t, private_tnccs_11_t *this) { @@ -628,9 +652,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*, /** * See header */ -tnccs_t* tnccs_11_create(bool is_server, - identification_t *server, identification_t *peer, - tnc_ift_type_t transport, tnccs_cb_t cb) +tnccs_t* tnccs_11_create(bool is_server, identification_t *server_id, + identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, + tnccs_cb_t cb) { private_tnccs_11_t *this; @@ -648,6 +673,8 @@ tnccs_t* tnccs_11_create(bool is_server, .get_eap_msk = _get_eap_msk, .destroy = _destroy, }, + .get_server_ip = _get_server_ip, + .get_peer_ip = _get_peer_ip, .get_transport = _get_transport, .set_transport = _set_transport, .get_auth_type = _get_auth_type, @@ -656,8 +683,10 @@ tnccs_t* tnccs_11_create(bool is_server, .get_ref = _get_ref, }, .is_server = is_server, - .server = server->clone(server), - .peer = peer->clone(peer), + .server_id = server_id->clone(server_id), + .peer_id = peer_id->clone(peer_id), + .server_ip = server_ip->clone(server_ip), + .peer_ip = peer_ip->clone(peer_ip), .transport = transport, .callback = cb, .mutex = mutex_create(MUTEX_TYPE_DEFAULT), diff --git a/src/libtnccs/plugins/tnccs_11/tnccs_11.h b/src/libtnccs/plugins/tnccs_11/tnccs_11.h index e805df8bb..60d5518bc 100644 --- a/src/libtnccs/plugins/tnccs_11/tnccs_11.h +++ b/src/libtnccs/plugins/tnccs_11/tnccs_11.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -29,14 +29,17 @@ * Create an instance of the TNC IF-TNCCS 1.1 protocol handler. * * @param is_server TRUE to act as TNC Server, FALSE for TNC Client - * @param server Server identity - * @param peer Client identity + * @param server_id Server identity + * @param peer_id Client identity + * @param server_ip Server IP address + * @param peer_ip Client IP address * @param transport Underlying IF-T transport protocol * @param cb Callback function if TNC Server, NULL if TNC Client * @return TNC_IF_TNCCS 1.1 protocol stack */ -tnccs_t* tnccs_11_create(bool is_server, - identification_t *server, identification_t *peer, - tnc_ift_type_t transport, tnccs_cb_t cb); +tnccs_t* tnccs_11_create(bool is_server, identification_t *server_id, + identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, + tnccs_cb_t cb); #endif /** TNCCS_11_H_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.c b/src/libtnccs/plugins/tnccs_20/tnccs_20.c index dc4da51c6..997771406 100644 --- a/src/libtnccs/plugins/tnccs_20/tnccs_20.c +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2010 Sansar Choinyanbuu - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -60,12 +60,22 @@ struct private_tnccs_20_t { /** * Server identity */ - identification_t *server; + identification_t *server_id; /** * Client identity */ - identification_t *peer; + identification_t *peer_id; + + /** + * Server IP address + */ + host_t *server_ip; + + /** + * Client IP address + */ + host_t *peer_ip; /** * Underlying TNC IF-T transport protocol @@ -923,20 +933,20 @@ METHOD(tls_t, is_server, bool, METHOD(tls_t, get_server_id, identification_t*, private_tnccs_20_t *this) { - return this->server; + return this->server_id; } METHOD(tls_t, set_peer_id, void, private_tnccs_20_t *this, identification_t *id) { - DESTROY_IF(this->peer); - this->peer = id->clone(id); + DESTROY_IF(this->peer_id); + this->peer_id = id->clone(id); } METHOD(tls_t, get_peer_id, identification_t*, private_tnccs_20_t *this) { - return this->peer; + return this->peer_id; } METHOD(tls_t, get_purpose, tls_purpose_t, @@ -974,8 +984,10 @@ METHOD(tls_t, destroy, void, { tnc->tnccs->remove_connection(tnc->tnccs, this->connection_id, this->is_server); - this->server->destroy(this->server); - this->peer->destroy(this->peer); + this->server_id->destroy(this->server_id); + this->peer_id->destroy(this->peer_id); + this->server_ip->destroy(this->server_ip); + this->peer_ip->destroy(this->peer_ip); this->state_machine->destroy(this->state_machine); this->mutex->destroy(this->mutex); this->messages->destroy_offset(this->messages, @@ -985,6 +997,18 @@ METHOD(tls_t, destroy, void, } } +METHOD(tnccs_t, get_server_ip, host_t*, + private_tnccs_20_t *this) +{ + return this->server_ip; +} + +METHOD(tnccs_t, get_peer_ip, host_t*, + private_tnccs_20_t *this) +{ + return this->peer_ip; +} + METHOD(tnccs_t, get_transport, tnc_ift_type_t, private_tnccs_20_t *this) { @@ -1027,9 +1051,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*, /** * See header */ -tnccs_t* tnccs_20_create(bool is_server, - identification_t *server, identification_t *peer, - tnc_ift_type_t transport, tnccs_cb_t cb) +tnccs_t* tnccs_20_create(bool is_server, identification_t *server_id, + identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, + tnccs_cb_t cb) { private_tnccs_20_t *this; size_t max_batch_size, default_max_batch_size; @@ -1079,6 +1104,8 @@ tnccs_t* tnccs_20_create(bool is_server, .get_eap_msk = _get_eap_msk, .destroy = _destroy, }, + .get_server_ip = _get_server_ip, + .get_peer_ip = _get_peer_ip, .get_transport = _get_transport, .set_transport = _set_transport, .get_auth_type = _get_auth_type, @@ -1087,8 +1114,10 @@ tnccs_t* tnccs_20_create(bool is_server, .get_ref = _get_ref, }, .is_server = is_server, - .server = server->clone(server), - .peer = peer->clone(peer), + .server_id = server_id->clone(server_id), + .peer_id = peer_id->clone(peer_id), + .server_ip = server_ip->clone(server_ip), + .peer_ip = peer_ip->clone(peer_ip), .transport = transport, .callback = cb, .state_machine = pb_tnc_state_machine_create(is_server), diff --git a/src/libtnccs/plugins/tnccs_20/tnccs_20.h b/src/libtnccs/plugins/tnccs_20/tnccs_20.h index 2857b1408..010cbecdc 100644 --- a/src/libtnccs/plugins/tnccs_20/tnccs_20.h +++ b/src/libtnccs/plugins/tnccs_20/tnccs_20.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -29,14 +29,17 @@ * Create an instance of the TNC IF-TNCCS 2.0 protocol handler. * * @param is_server TRUE to act as TNC Server, FALSE for TNC Client - * @param server Server identity - * @param peer Client identity + * @param server_id Server identity + * @param peer_id Client identity + * @param server_ip Server IP address + * @param peer_ip Client IP address * @param transport Underlying IF-T transport protocol * @param cb Callback function if TNC Server, NULL if TNC Client * @return TNC_IF_TNCCS 2.0 protocol stack */ -tnccs_t* tnccs_20_create(bool is_server, - identification_t *server, identification_t *peer, - tnc_ift_type_t transport, tnccs_cb_t cb); +tnccs_t* tnccs_20_create(bool is_server, identification_t *server_id, + identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, + tnccs_cb_t cb); #endif /** TNCCS_20_H_ @}*/ diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c index e08236eb7..44b804fb2 100644 --- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c +++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2013 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -34,12 +34,22 @@ struct private_tnccs_dynamic_t { /** * Server identity */ - identification_t *server; + identification_t *server_id; /** * Client identity */ - identification_t *peer; + identification_t *peer_id; + + /** + * Server IP address + */ + host_t *server_ip; + + /** + * Client IP address + */ + host_t *peer_ip; /** * Detected TNC IF-TNCCS stack @@ -109,8 +119,8 @@ METHOD(tls_t, process, status_t, DBG1(DBG_TNC, "%N protocol detected dynamically", tnccs_type_names, type); tnccs = tnc->tnccs->create_instance(tnc->tnccs, type, TRUE, - this->server, this->peer, this->transport, - this->callback); + this->server_id, this->peer_id, this->server_ip, + this->peer_ip, this->transport, this->callback); if (!tnccs) { DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type); @@ -137,14 +147,14 @@ METHOD(tls_t, is_server, bool, METHOD(tls_t, get_server_id, identification_t*, private_tnccs_dynamic_t *this) { - return this->server; + return this->server_id; } METHOD(tls_t, set_peer_id, void, private_tnccs_dynamic_t *this, identification_t *id) { - DESTROY_IF(this->peer); - this->peer = id->clone(id); + DESTROY_IF(this->peer_id); + this->peer_id = id->clone(id); if (this->tls) { this->tls->set_peer_id(this->tls, id); @@ -154,7 +164,7 @@ METHOD(tls_t, set_peer_id, void, METHOD(tls_t, get_peer_id, identification_t*, private_tnccs_dynamic_t *this) { - return this->peer; + return this->peer_id; } METHOD(tls_t, get_purpose, tls_purpose_t, @@ -181,12 +191,26 @@ METHOD(tls_t, destroy, void, if (ref_put(&this->ref)) { DESTROY_IF(this->tls); - this->server->destroy(this->server); - this->peer->destroy(this->peer); + this->server_id->destroy(this->server_id); + this->peer_id->destroy(this->peer_id); + this->server_ip->destroy(this->server_ip); + this->peer_ip->destroy(this->peer_ip); free(this); } } +METHOD(tnccs_t, get_server_ip, host_t*, + private_tnccs_dynamic_t *this) +{ + return this->server_ip; +} + +METHOD(tnccs_t, get_peer_ip, host_t*, + private_tnccs_dynamic_t *this) +{ + return this->peer_ip; +} + METHOD(tnccs_t, get_transport, tnc_ift_type_t, private_tnccs_dynamic_t *this) { @@ -229,9 +253,10 @@ METHOD(tnccs_t, get_ref, tnccs_t*, /** * See header */ -tnccs_t* tnccs_dynamic_create(bool is_server, - identification_t *server, identification_t *peer, - tnc_ift_type_t transport, tnccs_cb_t cb) +tnccs_t* tnccs_dynamic_create(bool is_server, identification_t *server_id, + identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, + tnccs_cb_t cb) { private_tnccs_dynamic_t *this; @@ -249,6 +274,8 @@ tnccs_t* tnccs_dynamic_create(bool is_server, .get_eap_msk = _get_eap_msk, .destroy = _destroy, }, + .get_server_ip = _get_server_ip, + .get_peer_ip = _get_peer_ip, .get_transport = _get_transport, .set_transport = _set_transport, .get_auth_type = _get_auth_type, @@ -256,8 +283,10 @@ tnccs_t* tnccs_dynamic_create(bool is_server, .get_pdp_server = _get_pdp_server, .get_ref = _get_ref, }, - .server = server->clone(server), - .peer = peer->clone(peer), + .server_id = server_id->clone(server_id), + .peer_id = peer_id->clone(peer_id), + .server_ip = server_ip->clone(server_ip), + .peer_ip = peer_ip->clone(peer_ip), .transport = transport, .callback = cb, .ref = 1, diff --git a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h index cbdc80b83..2e1141780 100644 --- a/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h +++ b/src/libtnccs/plugins/tnccs_dynamic/tnccs_dynamic.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2013 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -29,14 +29,17 @@ * Create an instance of a dynamic TNC IF-TNCCS protocol handler. * * @param is_server TRUE to act as TNC Server, FALSE for TNC Client - * @param server Server identity - * @param peer Client identity + * @param server_id Server identity + * @param peer_id Client identity + * @param server_ip Server IP address + * @param peer_ip Client IP address * @param transport Underlying IF-T transport protocol * @param cb Callback function if TNC Server, NULL if TNC Client * @return dynamic TNC IF-TNCCS protocol stack */ -tnccs_t* tnccs_dynamic_create(bool is_server, - identification_t *server, identification_t *peer, - tnc_ift_type_t transport, tnccs_cb_t cb); +tnccs_t* tnccs_dynamic_create(bool is_server, identification_t *server_id, + identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, + tnccs_cb_t cb); #endif /** TNCCS_DYNAMIC_H_ @}*/ diff --git a/src/libtnccs/tnc/tnccs/tnccs.h b/src/libtnccs/tnc/tnccs/tnccs.h index eefd5565d..6e3290dfb 100644 --- a/src/libtnccs/tnc/tnccs/tnccs.h +++ b/src/libtnccs/tnc/tnccs/tnccs.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -86,6 +86,20 @@ struct tnccs_t { */ tls_t tls; + /** + * Get server IP address + * + * @return Server IP address + */ + host_t* (*get_server_ip)(tnccs_t *this); + + /** + * Get peer IP address + * + * @return Peer IP address + */ + host_t* (*get_peer_ip)(tnccs_t *this); + /** * Get underlying TNC IF-T transport protocol * @@ -135,15 +149,19 @@ struct tnccs_t { * Constructor definition for a pluggable TNCCS protocol implementation. * * @param is_server TRUE if TNC Server, FALSE if TNC Client - * @param server Server identity - * @param peer Client identity + * @param server_id Server identity + * @param peer_id Client identity + * @param server_ip Server IP address + * @param peer_ip Client IP address * @param transport Underlying TNC IF-T transport protocol used * @param cb Callback function if TNC Server, NULL if TNC Client * @return implementation of the tnccs_t interface */ typedef tnccs_t *(*tnccs_constructor_t)(bool is_server, - identification_t *server, - identification_t *peer, + identification_t *server_id, + identification_t *peer_id, + host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, tnccs_cb_t cb); diff --git a/src/libtnccs/tnc/tnccs/tnccs_manager.h b/src/libtnccs/tnc/tnccs/tnccs_manager.h index 791336ee1..b5c85f3c0 100644 --- a/src/libtnccs/tnc/tnccs/tnccs_manager.h +++ b/src/libtnccs/tnc/tnccs/tnccs_manager.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010-2013 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -56,16 +56,19 @@ struct tnccs_manager_t { * * @param type type of the TNCCS protocol * @param is_server TRUE if TNC Server, FALSE if TNC Client - * @param server Server identity - * @param peer Client identity + * @param server_id Server identity + * @param peer_id Client identity + * @param server_ip Server IP address + * @param peer_ip Client IP address * @param transport Underlying TNC IF-T transport protocol used * @param cb Callback function if TNC Server, NULL if TNC Client * @return TNCCS protocol instance, NULL if no constructor found */ tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type, - bool is_server, identification_t *server, - identification_t *peer, - tnc_ift_type_t transport, tnccs_cb_t cb); + bool is_server, identification_t *server_id, + identification_t *peer_id, host_t *server_ip, + host_t *peer_ip, tnc_ift_type_t transport, + tnccs_cb_t cb); /** * Create a TNCCS connection and assign a unique connection ID as well a diff --git a/src/libtncif/tncif_names.c b/src/libtncif/tncif_names.c index ac948c8ba..b348c548e 100644 --- a/src/libtncif/tncif_names.c +++ b/src/libtncif/tncif_names.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2010 Andreas Steffen + * Copyright (C) 2010-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -46,6 +46,18 @@ ENUM(TNC_IMV_Evaluation_Result_names, "don't know" ); +ENUM(TNC_Identity_names, + TNC_ID_UNKNOWN, + TNC_ID_X500_DN, + "unknown", + "IPv4 address", + "IPv6 address", + "FQDN", + "email address", + "username", + "X.500 DN" +); + ENUM(TNC_Subject_names, TNC_SUBJECT_UNKNOWN, TNC_SUBJECT_USER, diff --git a/src/libtncif/tncif_names.h b/src/libtncif/tncif_names.h index 75458f960..64dd14fc2 100644 --- a/src/libtncif/tncif_names.h +++ b/src/libtncif/tncif_names.h @@ -1,5 +1,6 @@ /* - * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * Copyright (C) 2011-2015 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -30,6 +31,7 @@ extern enum_name_t *TNC_Connection_State_names; extern enum_name_t *TNC_IMV_Action_Recommendation_names; extern enum_name_t *TNC_IMV_Evaluation_Result_names; +extern enum_name_t *TNC_Identity_names; extern enum_name_t *TNC_Subject_names; extern enum_name_t *TNC_Authentication_names; diff --git a/src/pt-tls-client/pt-tls-client.c b/src/pt-tls-client/pt-tls-client.c index a8d45b54f..bf26e3ab3 100644 --- a/src/pt-tls-client/pt-tls-client.c +++ b/src/pt-tls-client/pt-tls-client.c @@ -1,6 +1,6 @@ /* * Copyright (C) 2010-2013 Martin Willi, revosec AG - * Copyright (C) 2013-2014 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule für Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -54,32 +54,44 @@ static int client(char *address, u_int16_t port, char *identity) { pt_tls_client_t *assessment; tls_t *tnccs; - identification_t *server, *client; - host_t *host; + identification_t *server_id, *client_id; + host_t *server_ip, *client_ip; status_t status; - host = host_create_from_dns(address, AF_UNSPEC, port); - if (!host) + server_ip = host_create_from_dns(address, AF_UNSPEC, port); + if (!server_ip) { return 1; } - server = identification_create_from_string(address); - client = identification_create_from_string(identity); + + client_ip = host_create_any(server_ip->get_family(server_ip)); + if (!client_ip) + { + server_ip->destroy(server_ip); + return 1; + } + server_id = identification_create_from_string(address); + client_id = identification_create_from_string(identity); + tnccs = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, FALSE, - server, client, TNC_IFT_TLS_2_0, NULL); + server_id, client_id, server_ip, client_ip, + TNC_IFT_TLS_2_0, NULL); + client_ip->destroy(client_ip); + if (!tnccs) { fprintf(stderr, "loading TNCCS failed: %s\n", PLUGINS); - host->destroy(host); - server->destroy(server); - client->destroy(client); + server_ip->destroy(server_ip); + server_id->destroy(server_id); + client_id->destroy(client_id); return 1; } - assessment = pt_tls_client_create(host, server, client); + assessment = pt_tls_client_create(server_ip, server_id, client_id); status = assessment->run_assessment(assessment, (tnccs_t*)tnccs); assessment->destroy(assessment); tnccs->destroy(tnccs); - return status; + + return (status != SUCCESS); }