implemented the RFC 5792 PA-TNC protocol and an example IMC/IMV pair

configure.in

@@ -132,6 +132,8 @@ ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
 ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module.])
 ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
 ARG_ENABL_SET([tnccs-dynamic],  [enable dynamic TNCCS protocol discovery module.])
+ARG_ENABL_SET([imc-test],       [enable IMC test module.])
+ARG_ENABL_SET([imv-test],       [enable IMV test module.])
 ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
 ARG_ENABL_SET([kernel-pfkey],   [enable the PF_KEY kernel interface.])
 ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.])
@@ -240,6 +242,10 @@ if test x$eap_tls = xtrue -o x$eap_ttls = xtrue -o x$eap_peap = xtrue; then
 	tls=true;
 fi
 
+if test x$imc_test = xtrue -o x$imv_test = xtrue; then
+	imcv=true;
+fi
+
 if test x$fips_prf = xtrue; then
 	if test x$openssl = xfalse; then
 		sha1=true;
@@ -802,6 +808,8 @@ ADD_PLUGIN([maemo],                [c libcharon])
 ADD_PLUGIN([uci],                  [c libcharon])
 ADD_PLUGIN([addrblock],            [c libcharon])
 ADD_PLUGIN([unit-tester],          [c libcharon])
+ADD_PLUGIN([imc-test],             [c])
+ADD_PLUGIN([imv-test],             [c])
 
 AC_SUBST(libcharon_plugins)
 AC_SUBST(pluto_plugins)
@@ -902,6 +910,8 @@ AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue)
 AM_CONDITIONAL(USE_TNCCS_11, test x$tnccs_11 = xtrue)
 AM_CONDITIONAL(USE_TNCCS_20, test x$tnccs_20 = xtrue)
 AM_CONDITIONAL(USE_TNCCS_DYNAMIC, test x$tnccs_dynamic = xtrue)
+AM_CONDITIONAL(USE_IMC_TEST, test x$imc_test = xtrue)
+AM_CONDITIONAL(USE_IMV_TEST, test x$imv_test = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
 AM_CONDITIONAL(USE_SOCKET_RAW, test x$socket_raw = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue)
@@ -952,6 +962,7 @@ AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
 AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue)
 AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue)
 AM_CONDITIONAL(USE_TLS, test x$tls = xtrue)
+AM_CONDITIONAL(USE_IMCV, test x$imcv = xtrue)
 AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue)
 
 dnl ==============================
@@ -1027,6 +1038,7 @@ AC_OUTPUT(
 	src/libfreeswan/Makefile
 	src/libsimaka/Makefile
 	src/libtls/Makefile
+	src/libimcv/Makefile
 	src/pluto/Makefile
 	src/pluto/plugins/xauth/Makefile
 	src/whack/Makefile
@@ -1054,6 +1066,8 @@ AC_OUTPUT(
 	src/libcharon/plugins/tnccs_11/Makefile
 	src/libcharon/plugins/tnccs_20/Makefile
 	src/libcharon/plugins/tnccs_dynamic/Makefile
+	src/libcharon/plugins/imc_test/Makefile
+	src/libcharon/plugins/imv_test/Makefile
 	src/libcharon/plugins/socket_default/Makefile
 	src/libcharon/plugins/socket_raw/Makefile
 	src/libcharon/plugins/socket_dynamic/Makefile

src/Makefile.am

@@ -16,6 +16,10 @@ if USE_TLS
   SUBDIRS += libtls
 endif
 
+if USE_IMCV
+  SUBDIRS += libimcv
+endif
+
 if USE_LIBCHARON
   SUBDIRS += libcharon
 endif

src/libcharon/Makefile.am

@@ -90,10 +90,11 @@ sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \
 sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \
 sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \
 sa/tasks/task.c sa/tasks/task.h \
-tnc/tncif.h tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \
+tnc/tncif.h tnc/tncif.c tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \
 tnc/imc/imc.h tnc/imc/imc_manager.h \
 tnc/imv/imv.h tnc/imv/imv_manager.h \
 tnc/imv/imv_recommendations.c tnc/imv/imv_recommendations.h \
+tnc/pen/pen.h tnc/pen/pen.c \
 tnc/tnccs/tnccs.c tnc/tnccs/tnccs.h \
 tnc/tnccs/tnccs_manager.c tnc/tnccs/tnccs_manager.h
 
@@ -370,6 +371,14 @@ if MONOLITHIC
 endif
 endif
 
+if USE_IMC_TEST
+  SUBDIRS += plugins/imc_test
+endif
+
+if USE_IMV_TEST
+  SUBDIRS += plugins/imv_test
+endif
+
 if USE_MEDSRV
   SUBDIRS += plugins/medsrv
 if MONOLITHIC

src/libcharon/plugins/imc_test/Makefile.am

@@ -0,0 +1,15 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libimcv
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-imc-test.la
+
+libstrongswan_imc_test_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la
+
+libstrongswan_imc_test_la_SOURCES = imc_test.c \
+	imc_test_state.h imc_test_state.c
+
+libstrongswan_imc_test_la_LDFLAGS = -module -avoid-version
+

src/libcharon/plugins/imc_test/imc_test.c

@@ -0,0 +1,193 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imc_test_state.h"
+
+#include <imc/imc_agent.h>
+#include <pa_tnc/pa_tnc_msg.h>
+#include <ita/ita_attr_command.h>
+#include <tnc/pen/pen.h>
+#include <debug.h>
+
+/* IMC definitions */
+
+static const char imc_name[] = "Test";
+
+#define IMC_VENDOR_ID	PEN_ITA
+#define IMC_SUBTYPE		0x01
+
+static imc_agent_t *imc_test;
+ 
+/**
+ * see section 3.7.1 of TCG TNC IF-IMC Specification 1.2
+ */
+TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
+							  TNC_Version min_version,
+							  TNC_Version max_version,
+							  TNC_Version *actual_version)
+{
+	if (imc_test)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
+		return TNC_RESULT_ALREADY_INITIALIZED;
+	}
+	if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1)
+	{
+		DBG1(DBG_IMC, "no common IF-IMC version");
+		return TNC_RESULT_NO_COMMON_VERSION;
+	}
+	imc_test = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE,
+								imc_id, actual_version);
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 3.7.2 of TCG TNC IF-IMC Specification 1.2
+ */
+TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
+										  TNC_ConnectionID connection_id,
+										  TNC_ConnectionState new_state)
+{
+	imc_state_t *state;
+
+	if (!imc_test)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	switch (new_state)
+	{
+		case TNC_CONNECTION_STATE_CREATE:
+			state = imc_test_state_create(connection_id);
+			return imc_test->create_state(imc_test, state);
+		case TNC_CONNECTION_STATE_DELETE:
+			return imc_test->delete_state(imc_test, connection_id);
+		default:
+			return imc_test->change_state(imc_test, connection_id, new_state);
+	}
+}
+
+static TNC_Result send_message(TNC_ConnectionID connection_id)
+{
+	pa_tnc_msg_t *msg;
+	pa_tnc_attr_t *attr;
+	char *command;
+	TNC_Result result;
+
+	command = lib->settings->get_str(lib->settings, "imc-test.command", "none");
+	attr = ita_attr_command_create(command);
+	attr->set_noskip_flag(attr, TRUE);
+	msg = pa_tnc_msg_create();
+	msg->add_attribute(msg, attr);
+	msg->build(msg);
+	result = imc_test->send_message(imc_test, connection_id,
+									msg->get_encoding(msg));	
+	msg->destroy(msg);
+
+	return result;
+}
+
+/**
+ * see section 3.7.3 of TCG TNC IF-IMC Specification 1.2
+ */
+TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
+								  TNC_ConnectionID connection_id)
+{
+	TNC_Result result;
+
+	if (!imc_test)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return send_message(connection_id);
+}
+
+/**
+ * see section 3.7.4 of TCG TNC IF-IMC Specification 1.2
+ */
+TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
+								  TNC_ConnectionID connection_id,
+								  TNC_BufferReference msg,
+								  TNC_UInt32 msg_len,
+								  TNC_MessageType msg_type)
+{
+	pa_tnc_msg_t *pa_tnc_msg;
+	status_t status;
+	TNC_Result result;
+
+	if (!imc_test)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+
+	/* process received message */
+	DBG2(DBG_IMC, "IMC %u \"%s\" received message type 0x%08x for Connection ID %u",
+				   imc_id, imc_name, msg_type, connection_id);
+	pa_tnc_msg = pa_tnc_msg_create_from_data(chunk_create(msg, msg_len));
+	status = pa_tnc_msg->process(pa_tnc_msg);
+ 	pa_tnc_msg->destroy(pa_tnc_msg);
+	if (status != SUCCESS)
+	{
+		return TNC_RESULT_FATAL;
+	}
+
+	/* always return the same response */
+	return send_message(connection_id);
+}
+
+/**
+ * see section 3.7.5 of TCG TNC IF-IMC Specification 1.2
+ */
+TNC_Result TNC_IMC_BatchEnding(TNC_IMCID imc_id,
+							   TNC_ConnectionID connection_id)
+{
+	if (!imc_test)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 3.7.6 of TCG TNC IF-IMC Specification 1.2
+ */
+TNC_Result TNC_IMC_Terminate(TNC_IMCID imc_id)
+{
+	if (!imc_test)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	imc_test->destroy(imc_test);
+	imc_test = NULL;
+
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 4.2.8.1 of TCG TNC IF-IMC Specification 1.2
+ */
+TNC_Result TNC_IMC_ProvideBindFunction(TNC_IMCID imc_id,
+									   TNC_TNCC_BindFunctionPointer bind_function)
+{
+	if (!imc_test)
+	{
+		DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imc_test->bind_functions(imc_test, bind_function);
+}

src/libcharon/plugins/imc_test/imc_test_state.c

@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imc_test_state.h"
+
+#include <debug.h>
+
+typedef struct private_imc_test_state_t private_imc_test_state_t;
+
+/**
+ * Private data of an imc_test_state_t object.
+ */
+struct private_imc_test_state_t {
+
+	/**
+	 * Public members of imc_test_state_t
+	 */
+	imc_test_state_t public;
+
+	/**
+	 * TNCCS connection ID
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * TNCCS connection state
+	 */
+	TNC_ConnectionState state;
+
+};
+
+METHOD(imc_state_t, get_connection_id, TNC_ConnectionID,
+	private_imc_test_state_t *this)
+{
+	return this->connection_id;
+}
+
+METHOD(imc_state_t, change_state, void,
+	private_imc_test_state_t *this, TNC_ConnectionState new_state)
+{
+	this->state = new_state;
+}
+
+METHOD(imc_state_t, destroy, void,
+	private_imc_test_state_t *this)
+{
+	free(this);
+}
+
+/**
+ * Described in header.
+ */
+imc_state_t *imc_test_state_create(TNC_ConnectionID connection_id)
+{
+	private_imc_test_state_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_connection_id = _get_connection_id,
+				.change_state = _change_state,
+				.destroy = _destroy,
+			},
+		},
+		.state = TNC_CONNECTION_STATE_CREATE,
+		.connection_id = connection_id,
+	);
+	
+	return &this->public.interface;
+}
+
+

src/libcharon/plugins/imc_test/imc_test_state.h

@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imc_test_state_t imc_test_state
+ * @{ @ingroup imc_test_state
+ */
+
+#ifndef IMC_TEST_STATE_H_
+#define IMC_TEST_STATE_H_
+
+#include <imc/imc_state.h>
+#include <library.h>
+
+typedef struct imc_test_state_t imc_test_state_t;
+
+/**
+ * Internal state of an imc_test_t connection instance
+ */
+struct imc_test_state_t {
+
+	/**
+	 * imc_state_t interface
+	 */
+	imc_state_t interface;
+};
+
+/**
+ * Create an imc_test_state_t instance
+ *
+ * @param id		connection ID
+ * @param rounds	total number of IMC re-measurements
+ */
+imc_state_t* imc_test_state_create(TNC_ConnectionID id);
+
+#endif /** IMC_TEST_STATE_H_ @}*/

src/libcharon/plugins/imv_test/Makefile.am

@@ -0,0 +1,15 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libimcv
+
+AM_CFLAGS = -rdynamic
+
+plugin_LTLIBRARIES = libstrongswan-imv-test.la
+
+libstrongswan_imv_test_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la
+
+libstrongswan_imv_test_la_SOURCES = imv_test.c \
+	imv_test_state.h imv_test_state.c
+
+libstrongswan_imv_test_la_LDFLAGS = -module -avoid-version
+

src/libcharon/plugins/imv_test/imv_test.c

@@ -0,0 +1,251 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_test_state.h"
+
+#include <imv/imv_agent.h>
+#include <pa_tnc/pa_tnc_msg.h>
+#include <ita/ita_attr_command.h>
+#include <tnc/pen/pen.h>
+#include <debug.h>
+
+/* IMV definitions */
+
+static const char imv_name[] = "Test";
+
+#define IMV_VENDOR_ID	PEN_ITA
+#define IMV_SUBTYPE		0x01
+
+static imv_agent_t *imv_test;
+
+/**
+ * see section 3.7.1 of TCG TNC IF-IMV Specification 1.2
+ */
+TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
+							  TNC_Version min_version,
+							  TNC_Version max_version,
+							  TNC_Version *actual_version)
+{
+	if (imv_test)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
+		return TNC_RESULT_ALREADY_INITIALIZED;
+	}
+	if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
+	{
+		DBG1(DBG_IMV, "no common IF-IMV version");
+		return TNC_RESULT_NO_COMMON_VERSION;
+	}
+	imv_test = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
+								imv_id, actual_version);
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 3.7.2 of TCG TNC IF-IMV Specification 1.2
+ */
+TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
+										  TNC_ConnectionID connection_id,
+										  TNC_ConnectionState new_state)
+{
+	imv_state_t *state;
+	int rounds;
+
+	if (!imv_test)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	switch (new_state)
+	{
+		case TNC_CONNECTION_STATE_CREATE:
+			rounds = lib->settings->get_int(lib->settings, "imv-test.rounds", 0);
+			state = imv_test_state_create(connection_id, rounds);
+			return imv_test->create_state(imv_test, state);
+		case TNC_CONNECTION_STATE_DELETE:
+			return imv_test->delete_state(imv_test, connection_id);
+		default:
+			return imv_test->change_state(imv_test, connection_id, new_state);
+	}
+}
+
+static TNC_Result send_message(TNC_ConnectionID connection_id)
+{
+	pa_tnc_msg_t *msg;
+	pa_tnc_attr_t *attr;
+	TNC_Result result;
+
+	attr = ita_attr_command_create("repeat");
+	msg = pa_tnc_msg_create();
+	msg->add_attribute(msg, attr);
+	msg->build(msg);
+	result = imv_test->send_message(imv_test, connection_id,
+									msg->get_encoding(msg));	
+	msg->destroy(msg);
+
+	return result;
+}
+
+/**
+ * see section 3.7.3 of TCG TNC IF-IMV Specification 1.2
+ */
+TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
+								  TNC_ConnectionID connection_id,
+								  TNC_BufferReference msg,
+								  TNC_UInt32 msg_len,
+								  TNC_MessageType msg_type)
+{
+	pa_tnc_msg_t *pa_tnc_msg;
+	pa_tnc_attr_t *attr;
+	imv_state_t *state;
+	imv_test_state_t *imv_test_state;
+	TNC_Result result = TNC_RESULT_SUCCESS;
+	enumerator_t *enumerator;
+
+	if (!imv_test)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+
+	/* process received message */
+	DBG2(DBG_IMV, "IMV %u \"%s\" received message type 0x%08x for Connection ID %u",
+				   imv_id, imv_name, msg_type, connection_id);
+	pa_tnc_msg = pa_tnc_msg_create_from_data(chunk_create(msg, msg_len));
+
+	if (pa_tnc_msg->process(pa_tnc_msg) != SUCCESS)
+	{
+ 		pa_tnc_msg->destroy(pa_tnc_msg);
+		return TNC_RESULT_FATAL;
+	}
+
+	/* get current IMV state */
+	if (!imv_test->get_state(imv_test, connection_id, &state))
+	{
+		pa_tnc_msg->destroy(pa_tnc_msg);
+		return TNC_RESULT_FATAL;
+	}
+
+	enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+	while (enumerator->enumerate(enumerator, &attr))
+	{
+		if (attr->get_vendor_id(attr) == PEN_ITA &&
+			attr->get_type(attr) == ITA_ATTR_COMMAND)
+		{
+			ita_attr_command_t *ita_attr;
+			char *command;
+	
+			ita_attr = (ita_attr_command_t*)attr;
+			command = ita_attr->get_command(ita_attr);
+
+			if (streq(command, "allow"))
+			{
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
+								TNC_IMV_EVALUATION_RESULT_COMPLIANT);			  
+			}
+			else if (streq(command, "isolate"))
+			{
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);			  
+			}
+			else if (streq(command, "none"))
+			{
+				state->set_recommendation(state,
+								TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS,
+								TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);			  
+			}
+			else
+			{
+				result = TNC_RESULT_FATAL;
+			}
+			break;
+		}		
+	}
+	enumerator->destroy(enumerator);
+	pa_tnc_msg->destroy(pa_tnc_msg);
+
+	if (result != TNC_RESULT_SUCCESS)
+	{
+		return result;
+	}
+
+	/* repeat the measurement ? */
+	imv_test_state = (imv_test_state_t*)state;
+	if (imv_test_state->another_round(imv_test_state))
+	{
+		return send_message(connection_id);
+	}
+
+	return imv_test->provide_recommendation(imv_test, connection_id);
+}
+
+/**
+ * see section 3.7.4 of TCG TNC IF-IMV Specification 1.2
+ */
+TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
+										 TNC_ConnectionID connection_id)
+{
+	if (!imv_test)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_test->provide_recommendation(imv_test, connection_id);
+}
+
+/**
+ * see section 3.7.5 of TCG TNC IF-IMV Specification 1.2
+ */
+TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
+							   TNC_ConnectionID connection_id)
+{
+	if (!imv_test)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 3.7.6 of TCG TNC IF-IMV Specification 1.2
+ */
+TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
+{
+	if (!imv_test)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	imv_test->destroy(imv_test);
+	imv_test = NULL;
+
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.2
+ */
+TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
+									   TNC_TNCS_BindFunctionPointer bind_function)
+{
+	if (!imv_test)
+	{
+		DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
+		return TNC_RESULT_NOT_INITIALIZED;
+	}
+	return imv_test->bind_functions(imv_test, bind_function);
+}

src/libcharon/plugins/imv_test/imv_test_state.c

@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_test_state.h"
+
+#include <debug.h>
+
+typedef struct private_imv_test_state_t private_imv_test_state_t;
+
+/**
+ * Private data of an imv_test_state_t object.
+ */
+struct private_imv_test_state_t {
+
+	/**
+	 * Public members of imv_test_state_t
+	 */
+	imv_test_state_t public;
+
+	/**
+	 * TNCCS connection ID
+	 */
+	TNC_ConnectionID connection_id;
+
+	/**
+	 * TNCCS connection state
+	 */
+	TNC_ConnectionState state;
+
+	/**
+	 * IMV action recommendation
+	 */
+	TNC_IMV_Action_Recommendation rec;
+
+	/**
+	 * IMV evaluation result
+	 */
+	TNC_IMV_Evaluation_Result eval;
+
+	/**
+	 * IMC-IMV round-trip count
+	 */
+	int rounds;
+
+};
+
+METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
+	private_imv_test_state_t *this)
+{
+	return this->connection_id;
+}
+
+METHOD(imv_state_t, change_state, void,
+	private_imv_test_state_t *this, TNC_ConnectionState new_state)
+{
+	this->state = new_state;
+}
+
+METHOD(imv_state_t, get_recommendation, void,
+	private_imv_test_state_t *this, TNC_IMV_Action_Recommendation *rec,
+									TNC_IMV_Evaluation_Result *eval)
+{
+	*rec = this->rec;
+	*eval = this->eval;
+}
+
+METHOD(imv_state_t, set_recommendation, void,
+	private_imv_test_state_t *this, TNC_IMV_Action_Recommendation rec,
+									TNC_IMV_Evaluation_Result eval)
+{
+	this->rec = rec;
+	this->eval = eval;
+}
+
+METHOD(imv_state_t, destroy, void,
+	private_imv_test_state_t *this)
+{
+	free(this);
+}
+
+METHOD(imv_state_t, another_round, bool,
+	private_imv_test_state_t *this)
+{
+	return (this->rounds-- > 0);
+}
+
+/**
+ * Described in header.
+ */
+imv_state_t *imv_test_state_create(TNC_ConnectionID connection_id, int rounds)
+{
+	private_imv_test_state_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.get_connection_id = _get_connection_id,
+				.change_state = _change_state,
+				.get_recommendation = _get_recommendation,
+				.set_recommendation = _set_recommendation,
+				.destroy = _destroy,
+			},
+			.another_round = _another_round,
+		},
+		.state = TNC_CONNECTION_STATE_CREATE,
+		.rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
+		.eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
+		.connection_id = connection_id,
+		.rounds = rounds,
+	);
+	
+	return &this->public.interface;
+}
+
+

src/libcharon/plugins/imv_test/imv_test_state.h

@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_test_state_t imv_test_state
+ * @{ @ingroup imv_test_state
+ */
+
+#ifndef IMV_TEST_STATE_H_
+#define IMV_TEST_STATE_H_
+
+#include <imv/imv_state.h>
+#include <library.h>
+
+typedef struct imv_test_state_t imv_test_state_t;
+
+/**
+ * Internal state of an imv_test_t connection instance
+ */
+struct imv_test_state_t {
+
+	/**
+	 * imv_state_t interface
+	 */
+	imv_state_t interface;
+
+	/**
+	 * Check and decrease IMC-IMV round-trip count
+	 *
+	 * @return		new connection state
+	 */
+	bool (*another_round)(imv_test_state_t *this);
+
+};
+
+/**
+ * Create an imv_test_state_t instance
+ *
+ * @param id		connection ID
+ * @param rounds	total number of IMC re-measurements
+ */
+imv_state_t* imv_test_state_create(TNC_ConnectionID id, int rounds);
+
+#endif /** IMV_TEST_STATE_H_ @}*/

src/libimcv/Makefile.am

@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libcharon \
+	-I$(top_srcdir)/src/libtls
+
+noinst_LTLIBRARIES = libimcv.la
+
+libimcv_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+
+libimcv_la_SOURCES = \
+	imc/imc_agent.h imc/imc_agent.c imc/imc_state.h \
+	imv/imv_agent.h imv/imv_agent.c imv/imv_state.h \
+	ietf/ietf_attr.h \
+	ietf/ietf_attr_pa_tnc_error.h ietf/ietf_attr_pa_tnc_error.c \
+	ita/ita_attr_command.h ita/ita_attr_command.c \
+	pa_tnc/pa_tnc_msg.h pa_tnc/pa_tnc_msg.c \
+	pa_tnc/pa_tnc_attr.h pa_tnc/pa_tnc_attr.c

src/libimcv/ietf/ietf_attr.h

@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attrt ietf_attr
+ * @{ @ingroup ietf_attr
+ */
+
+#ifndef IETF_ATTR_H_
+#define IETF_ATTR_H_
+
+typedef enum ietf_attr_t ietf_attr_t;
+
+/**
+ * IETF standard PA-TNC attribute types defined by RFC 5792
+ */
+enum ietf_attr_t {
+	IETF_ATTR_TESTING =                            0,
+	IETF_ATTR_ATTRIBUTE_REQUEST =                  1,
+	IETF_ATTR_PRODUCT_INFORMATION =                2,
+	IETF_ATTR_NUMERIC_VERSION =                    3,
+	IETF_ATTR_STRING_VERSION =                     4,
+	IETF_ATTR_OPERATIONAL_STATUS =                 5,
+	IETF_ATTR_PORT_FILTER =                        6,
+	IETF_ATTR_INSTALLED_PACKAGES =                 7,
+	IETF_ATTR_PA_TNC_ERROR =                       8,
+	IETF_ATTR_ASSESSMENT_RESULT =                  9,
+	IETF_ATTR_REMEDIATION_INSTRUCTIONS =          10,
+	IETF_ATTR_FORWARDING_ENABLED =                11,
+	IETF_ATTR_FACTORY_DEFAULT_PWD_ENABLED =       12,
+	IETF_ATTR_RESERVED =                  0xffffffff,
+};
+
+#endif /** IETF_ATTR_H_ @}*/

src/libimcv/ietf/ietf_attr_pa_tnc_error.c

@@ -0,0 +1,206 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ietf_attr_pa_tnc_error.h"
+
+#include <debug.h>
+
+ENUM(pa_tnc_error_code_names, PA_ERROR_RESERVED,
+							  PA_ERROR_ATTR_TYPE_NOT_SUPPORTED,
+	"Reserved",
+	"Invalid Parameter",
+	"Version Not Supported",
+	"Attribute Type Not Supported"
+);
+
+/**
+ * PA-TNC Error Attribute Type  (see section 4.2.8 of RFC 5792)
+ *
+ *                        1                   2                   3
+ *   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ *
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |    Reserved   |            PA-TNC Error Code Vendor ID        |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                        PA-TNC Error Code                      |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ *  |                 Error Information (Variable Length)           |
+ *  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+
+typedef struct private_ietf_attr_pa_tnc_error_t private_ietf_attr_pa_tnc_error_t;
+
+/**
+ * Private data of an ietf_attr_pa_tnc_error_t object.
+ */
+struct private_ietf_attr_pa_tnc_error_t {
+
+	/**
+	 * Public members of ietf_attr_pa_tnc_error_t
+	 */
+	ietf_attr_pa_tnc_error_t public;
+
+	/**
+	 * Attribute vendor ID
+	 */
+	pen_t vendor_id;
+
+	/**
+	 * Attribute type
+	 */
+	u_int32_t type;
+
+	/**
+	 * Attribute value
+	 */
+	chunk_t value;
+
+	/**
+	 * Noskip flag
+	 */
+	bool noskip_flag;
+
+	/**
+	 * Error code vendor ID
+	 */
+	pen_t error_vendor_id;
+
+	/**
+	 * Error code
+	 */
+	u_int32_t error_code;
+
+};
+
+METHOD(pa_tnc_attr_t, get_vendor_id, pen_t,
+	private_ietf_attr_pa_tnc_error_t *this)
+{
+	return this->vendor_id;
+}
+
+METHOD(pa_tnc_attr_t, get_type, u_int32_t,
+	private_ietf_attr_pa_tnc_error_t *this)
+{
+	return this->type;
+}
+
+METHOD(pa_tnc_attr_t, get_value, chunk_t,
+	private_ietf_attr_pa_tnc_error_t *this)
+{
+	return this->value;
+}
+
+METHOD(pa_tnc_attr_t, get_noskip_flag, bool,
+	private_ietf_attr_pa_tnc_error_t *this)
+{
+	return this->noskip_flag;
+}
+
+METHOD(pa_tnc_attr_t, set_noskip_flag,void,
+	private_ietf_attr_pa_tnc_error_t *this, bool noskip)
+{
+	this->noskip_flag = noskip;
+}
+
+METHOD(pa_tnc_attr_t, build, void,
+	private_ietf_attr_pa_tnc_error_t *this)
+{
+
+}
+
+METHOD(pa_tnc_attr_t, process, status_t,
+	private_ietf_attr_pa_tnc_error_t *this)
+{
+	return SUCCESS;	
+}
+
+METHOD(pa_tnc_attr_t, destroy, void,
+	private_ietf_attr_pa_tnc_error_t *this)
+{
+	free(this);
+}
+
+METHOD(ietf_attr_pa_tnc_error_t, get_error_vendor_id, pen_t,
+	private_ietf_attr_pa_tnc_error_t *this)
+{
+	return this->error_vendor_id;
+}
+
+METHOD(ietf_attr_pa_tnc_error_t, get_error_code, u_int32_t,
+	private_ietf_attr_pa_tnc_error_t *this)
+{
+	return this->error_code;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_pa_tnc_error_create(pen_t vendor_id,
+											 u_int32_t error_code)
+{
+	private_ietf_attr_pa_tnc_error_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_vendor_id = _get_vendor_id,
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.get_noskip_flag = _get_noskip_flag,
+				.set_noskip_flag = _set_noskip_flag,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_vendor_id = _get_error_vendor_id,
+			.get_error_code = _get_error_code,
+		},
+		.vendor_id = PEN_IETF,
+		.type = IETF_ATTR_PA_TNC_ERROR,
+		.error_vendor_id = vendor_id,
+		.error_code = error_code,
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t *ietf_attr_pa_tnc_error_create_from_data(chunk_t data)
+{
+	private_ietf_attr_pa_tnc_error_t *this;
+
+	INIT(this,
+		.public = {
+			.pa_tnc_attribute = {
+				.get_vendor_id = _get_vendor_id,
+				.get_type = _get_type,
+				.get_value = _get_value,
+				.build = _build,
+				.process = _process,
+				.destroy = _destroy,
+			},
+			.get_vendor_id = _get_error_vendor_id,
+			.get_error_code = _get_error_code,
+		},
+		.vendor_id = PEN_IETF,
+		.type = IETF_ATTR_PA_TNC_ERROR,
+		.value = chunk_clone(data),
+	);
+
+	return &this->public.pa_tnc_attribute;
+}
+
+

src/libimcv/ietf/ietf_attr_pa_tnc_error.h

@@ -0,0 +1,88 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ietf_attr_pa_tnc_errort ietf_attr_pa_tnc_error
+ * @{ @ingroup ietf_attr_pa_tnc_error
+ */
+
+#ifndef IETF_ATTR_PA_TNC_ERROR_H_
+#define IETF_ATTR_PA_TNC_ERROR_H_
+
+typedef struct ietf_attr_pa_tnc_error_t ietf_attr_pa_tnc_error_t;
+
+#include "ietf_attr.h"
+#include "pa_tnc/pa_tnc_attr.h"
+
+
+/**
+ * IETF Standard PA-TNC Error Codes as defined in section 4.2.8 of RFC 5792
+ */
+enum  pa_tnc_error_code_t {
+    PA_ERROR_RESERVED =                 0,
+	PA_ERROR_INVALID_PARAMETER =        1,
+	PA_ERROR_VERSION_NOT_SUPPORTED =    2,
+	PA_ERROR_ATTR_TYPE_NOT_SUPPORTED =  3,
+};
+
+/**
+ * enum name for pa_tnc_error_code_t.
+ */
+extern enum_name_t *pa_tnc_error_code_names;
+
+/**
+ * Class implementing the IETF PA-TNC Error attribute.
+ *
+ */
+struct ietf_attr_pa_tnc_error_t {
+
+	/**
+	 * Public PA-TNC attribute interface
+	 */
+	pa_tnc_attr_t pa_tnc_attribute;
+
+	/**
+	 * Get PA-TNC error code vendor ID
+	 *
+	 * @return				error code vendor ID
+	 */
+	pen_t (*get_vendor_id)(ietf_attr_pa_tnc_error_t *this);
+
+	/**
+	 * Get PA-TNC error code
+	 *
+	 * @return				error code
+	 */
+	pen_t (*get_error_code)(ietf_attr_pa_tnc_error_t *this);
+};
+
+/**
+ * Creates an ietf_attr_pa_tnc_error_t object from an error code
+ *
+ * @param vendor_id			PA-TNC error code vendor ID
+ * @param error_code		PA-TNC error code
+ * 
+ */
+pa_tnc_attr_t* ietf_attr_pa_tnc_error_create(pen_t vendor_id,
+											 u_int32_t error_code);
+
+/**
+ * Creates an ietf_attr_pa_tnc_error_t object from received data
+ *
+ * @param value				unparsed attribute value
+ */
+pa_tnc_attr_t* ietf_attr_pa_tnc_error_create_from_data(chunk_t value);
+
+#endif /** IETF_ATTR_PA_TNC_ERROR_H_ @}*/

src/libimcv/imc/imc_agent.c

@@ -0,0 +1,313 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "imc_agent.h"
+
+#include <debug.h>
+#include <utils/linked_list.h>
+#include <threading/rwlock.h>
+
+typedef struct private_imc_agent_t private_imc_agent_t;
+
+/**
+ * Private data of an imc_agent_t object.
+ */
+struct private_imc_agent_t {
+
+	/**
+	 * Public members of imc_agent_t
+	 */
+	imc_agent_t public;
+
+	/**
+	 * name of IMC
+	 */
+	const char *name;
+
+	/**
+	 * message type of IMC
+	 */
+	TNC_MessageType type;
+
+	/**
+	 * ID of IMC as assigned by TNCC
+	 */
+	TNC_IMCID id;
+
+	/**
+	 * list of TNCC connection entries
+	 */
+	linked_list_t *connections;
+
+	/**
+	 * rwlock to lock TNCS connection entries
+	 */
+	rwlock_t *connection_lock;
+
+	/**
+	 * Inform a TNCS about the set of message types the IMC is able to receive 
+	 *
+	 * @param imc_id			IMC ID assigned by TNCC
+	 * @param supported_types	list of supported message types
+	 * @param type_count		number of list elements
+	 * @return					TNC result code
+	 */
+	TNC_Result (*report_message_types)(TNC_IMCID imc_id,
+									   TNC_MessageTypeList supported_types,
+									   TNC_UInt32 type_count);
+
+	/**
+	 * Call when an IMC-IMC message is to be sent
+	 *
+	 * @param imc_id			IMC ID assigned by TNCC
+	 * @param connection_id		network connection ID assigned by TNCC
+	 * @param msg				message to send
+	 * @param msg_len			message length in bytes
+	 * @param msg_type			message type
+	 * @return					TNC result code
+	 */
+	TNC_Result (*send_message)(TNC_IMCID imc_id,
+							   TNC_ConnectionID connection_id,
+							   TNC_BufferReference msg,
+							   TNC_UInt32 msg_len,
+							   TNC_MessageType msg_type);
+};
+
+METHOD(imc_agent_t, bind_functions, TNC_Result,
+	private_imc_agent_t *this, TNC_TNCC_BindFunctionPointer bind_function)
+{
+	if (!bind_function)
+	{
+		DBG1(DBG_IMC, "TNC client failed to provide bind function");
+		return TNC_RESULT_INVALID_PARAMETER;
+	}
+	if (bind_function(this->id, "TNC_TNCC_ReportMessageTypes",
+			(void**)&this->report_message_types) != TNC_RESULT_SUCCESS)
+	{
+		this->report_message_types = NULL;
+	}
+	if (bind_function(this->id, "TNC_TNCC_RequestHandshakeRetry",
+			(void**)&this->public.request_handshake_retry) != TNC_RESULT_SUCCESS)
+	{
+		this->public.request_handshake_retry = NULL;
+	}
+	if (bind_function(this->id, "TNC_TNCC_SendMessage",
+			(void**)&this->send_message) != TNC_RESULT_SUCCESS)
+	{
+		this->send_message = NULL;
+	}
+	DBG2(DBG_IMC, "IMC %u \"%s\" provided with bind function",
+				  this->id, this->name);
+
+	if (this->report_message_types)
+	{
+		this->report_message_types(this->id, &this->type, 1);
+	}
+	return TNC_RESULT_SUCCESS;
+}
+
+/**
+ * finds a connection state based on its Connection ID
+ */
+static imc_state_t* find_connection(private_imc_agent_t *this,
+									 TNC_ConnectionID id)
+{
+	enumerator_t *enumerator;
+	imc_state_t *state, *found = NULL;
+
+	this->connection_lock->read_lock(this->connection_lock);
+	enumerator = this->connections->create_enumerator(this->connections);
+	while (enumerator->enumerate(enumerator, &state))
+	{
+		if (id == state->get_connection_id(state))
+		{
+			found = state;
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->connection_lock->unlock(this->connection_lock);
+
+	return found;
+}
+
+/**
+ * delete a connection state with a given Connection ID
+ */
+static bool delete_connection(private_imc_agent_t *this, TNC_ConnectionID id)
+{
+	enumerator_t *enumerator;
+	imc_state_t *state;
+	bool found = FALSE;
+
+	this->connection_lock->write_lock(this->connection_lock);
+	enumerator = this->connections->create_enumerator(this->connections);
+	while (enumerator->enumerate(enumerator, &state))
+	{
+		if (id == state->get_connection_id(state))
+		{
+			found = TRUE;
+			state->destroy(state);
+			this->connections->remove_at(this->connections, enumerator);
+			break;
+		}
+	}
+	enumerator->destroy(enumerator);
+	this->connection_lock->unlock(this->connection_lock);
+
+	return found;
+}
+
+METHOD(imc_agent_t, create_state, TNC_Result,
+	private_imc_agent_t *this, imc_state_t *state)
+{
+	TNC_ConnectionID connection_id;
+
+	connection_id = state->get_connection_id(state);
+	if (find_connection(this, connection_id))
+	{
+		DBG1(DBG_IMC, "IMC %u \"%s\" already created a state for Connection ID %u",
+					   this->id, this->name, connection_id);
+		state->destroy(state);
+		return TNC_RESULT_OTHER;
+	}
+	this->connection_lock->write_lock(this->connection_lock);
+	this->connections->insert_last(this->connections, state);
+	this->connection_lock->unlock(this->connection_lock);
+	DBG2(DBG_IMC, "IMC %u \"%s\" created a state for Connection ID %u",
+				  this->id, this->name, connection_id);
+	return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imc_agent_t, delete_state, TNC_Result,
+	private_imc_agent_t *this, TNC_ConnectionID connection_id)
+{
+	if (!delete_connection(this, connection_id))
+	{
+		DBG1(DBG_IMC, "IMC %u \"%s\" has no state for Connection ID %u",
+					  this->id, this->name, connection_id);
+		return TNC_RESULT_FATAL;
+	}
+	DBG2(DBG_IMC, "IMC %u \"%s\" deleted the state of Connection ID %u",
+				  this->id, this->name, connection_id);
+	return TNC_RESULT_SUCCESS;
+}
+
+METHOD(imc_agent_t, change_state, TNC_Result,
+	private_imc_agent_t *this, TNC_ConnectionID connection_id,
+							   TNC_ConnectionState new_state)
+{
+	imc_state_t *state;
+
+	switch (new_state)
+	{
+		case TNC_CONNECTION_STATE_HANDSHAKE:
+		case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
+		case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
+		case TNC_CONNECTION_STATE_ACCESS_NONE:
+			state = find_connection(this, connection_id);
+			if (!state)
+			{
+				DBG1(DBG_IMC, "IMC %u \"%s\" has no state for Connection ID %u",
+							  this->id, this->name, connection_id);
+				return TNC_RESULT_FATAL;
+			}
+			state->change_state(state, new_state);
+			DBG2(DBG_IMC, "IMC %u \"%s\" changed state of Connection ID %u to '%N'",
+						  this->id, this->name, connection_id,
+						  TNC_Connection_State_names, new_state);
+			break;
+		case TNC_CONNECTION_STATE_CREATE:
+			DBG1(DBG_IMC, "state '%N' should be handled by create_state()",
+						  TNC_Connection_State_names, new_state);
+				return TNC_RESULT_FATAL;
+		case TNC_CONNECTION_STATE_DELETE: