created tnc-imc and tnc-imv plugins

configure.in

@@ -115,6 +115,8 @@ ARG_ENABL_SET([eap-tls],        [enable EAP TLS authentication module.])
 ARG_ENABL_SET([eap-ttls],       [enable EAP TTLS authentication module.])
 ARG_ENABL_SET([eap-tnc],        [enable EAP TNC trusted network connect module.])
 ARG_ENABL_SET([eap-radius],     [enable RADIUS proxy authentication module.])
+ARG_ENABL_SET([tnc-imc],        [enable TNC IMC module.])
+ARG_ENABL_SET([tnc-imv],        [enable TNC IMV module.])
 ARG_ENABL_SET([tnccs-11],       [enable TNCCS 1.1 protocol module.])
 ARG_ENABL_SET([tnccs-20],       [enable TNCCS 2.0 protocol module.])
 ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.])
@@ -604,7 +606,7 @@ if test x$gcrypt = xtrue; then
 	)
 fi
 
-if test x$tnccs_11 = xtrue; then
+if test x$tnccs_11 = xtrue -o x$tnc_imc = xtrue -o x$tnc_imv = xtrue; then
 	AC_CHECK_HEADER([libtnc.h],,[AC_MSG_ERROR([libtnc header libtnc.h not found!])])
 fi
 
@@ -760,6 +762,8 @@ ADD_PLUGIN([eap-radius],           [c libcharon])
 ADD_PLUGIN([eap-tls],              [c libcharon])
 ADD_PLUGIN([eap-ttls],             [c libcharon])
 ADD_PLUGIN([eap-tnc],              [c libcharon])
+ADD_PLUGIN([tnc_imc],              [c libcharon])
+ADD_PLUGIN([tnc_imv],              [c libcharon])
 ADD_PLUGIN([tnccs-11],             [c libcharon])
 ADD_PLUGIN([tnccs-20],             [c libcharon])
 ADD_PLUGIN([medsrv],               [c libcharon])
@@ -858,6 +862,8 @@ AM_CONDITIONAL(USE_EAP_TLS, test x$eap_tls = xtrue)
 AM_CONDITIONAL(USE_EAP_TTLS, test x$eap_ttls = xtrue)
 AM_CONDITIONAL(USE_EAP_TNC, test x$eap_tnc = xtrue)
 AM_CONDITIONAL(USE_EAP_RADIUS, test x$eap_radius = xtrue)
+AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue)
+AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue)
 AM_CONDITIONAL(USE_TNCCS_11, test x$tnccs_11 = xtrue)
 AM_CONDITIONAL(USE_TNCCS_20, test x$tnccs_20 = xtrue)
 AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue)
@@ -997,6 +1003,8 @@ AC_OUTPUT(
 	src/libcharon/plugins/eap_ttls/Makefile
 	src/libcharon/plugins/eap_tnc/Makefile
 	src/libcharon/plugins/eap_radius/Makefile
+	src/libcharon/plugins/tnc_imc/Makefile
+	src/libcharon/plugins/tnc_imv/Makefile
 	src/libcharon/plugins/tnccs_11/Makefile
 	src/libcharon/plugins/tnccs_20/Makefile
 	src/libcharon/plugins/socket_default/Makefile

src/libcharon/Makefile.am

@@ -314,17 +314,31 @@ if MONOLITHIC
 endif
 endif
 
+if USE_TNC_IMC
+  SUBDIRS += plugins/tnc_imc
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/tnc_imc/libstrongswan-tnc_imc.la
+endif
+endif
+
+if USE_TNC_IMV
+  SUBDIRS += plugins/tnc_imv
+if MONOLITHIC
+  libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc_imv.la
+endif
+endif
+
 if USE_TNCCS_11
   SUBDIRS += plugins/tnccs_11
 if MONOLITHIC
-  libcharon_la_LIBADD += plugins/eap_tnc/libstrongswan-tnccs-11.la
+  libcharon_la_LIBADD += plugins/tnccs_11/libstrongswan-tnccs-11.la
 endif
 endif
 
 if USE_TNCCS_20
   SUBDIRS += plugins/tnccs_20
 if MONOLITHIC
-  libcharon_la_LIBADD += plugins/eap_tnc/libstrongswan-tnccs-20.la
+  libcharon_la_LIBADD += plugins/tnccs_20/libstrongswan-tnccs-20.la
 endif
 endif
 

src/libcharon/plugins/eap_tnc/eap_tnc.c

@@ -40,7 +40,7 @@ struct private_eap_tnc_t {
 
 
 /** Maximum number of EAP-TNC messages/fragments allowed */
-#define MAX_MESSAGE_COUNT 2 
+#define MAX_MESSAGE_COUNT 10 
 /** Default size of a EAP-TNC fragment */
 #define MAX_FRAGMENT_LEN 50000
 

src/libcharon/plugins/tnc_imc/Makefile.am

@@ -0,0 +1,19 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+
+libstrongswan_tnc_imc_la_LIBADD = -ltnc
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tnc-imc.la
+else
+plugin_LTLIBRARIES = libstrongswan-tnc-imc.la
+endif
+
+libstrongswan_tnc_imc_la_SOURCES = \
+	tnc_imc_plugin.h tnc_imc_plugin.c
+
+libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version
+

src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c

@@ -0,0 +1,63 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imc_plugin.h"
+
+#include <libtnctncc.h>
+
+#include <daemon.h>
+
+METHOD(plugin_t, destroy, void,
+	tnc_imc_plugin_t *this)
+{
+	libtnc_tncc_Terminate();
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *tnc_imc_plugin_create()
+{
+	char *tnc_config, *pref_lang;
+	int imc_count;
+	tnc_imc_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	tnc_config = lib->settings->get_str(lib->settings,
+					"charon.plugins.tnc-imc.tnc_config", "/etc/tnc_config");
+	pref_lang = lib->settings->get_str(lib->settings,
+					"charon.plugins.tnc-imc.preferred_language", "en");
+	imc_count = libtnc_imc_load_config(tnc_config);
+	if (imc_count < 0)
+	{
+		free(this);
+		DBG1(DBG_IKE, "TNC IMC initialization failed");
+		return NULL;
+	}
+	else
+	{
+		DBG1(DBG_IKE, "loaded %d TNC IMC%s", imc_count, (imc_count > 1)? "s":"");
+		libtnc_tncc_PreferredLanguage(pref_lang);
+	}
+
+	return &this->plugin;
+}
+

src/libcharon/plugins/tnc_imc/tnc_imc_plugin.h

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_imc tnc_imc
+ * @ingroup cplugins
+ *
+ * @defgroup tnc_imc_plugin tnc_imc_plugin
+ * @{ @ingroup tnc_imc
+ */
+
+#ifndef TNC_IMC_PLUGIN_H_
+#define TNC_IMC_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct tnc_imc_plugin_t tnc_imc_plugin_t;
+
+/**
+ * TNC IMC plugin
+ */
+struct tnc_imc_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** TNC_IMC_PLUGIN_H_ @}*/

src/libcharon/plugins/tnc_imv/Makefile.am

@@ -0,0 +1,19 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+	-I$(top_srcdir)/src/libcharon `xml2-config --cflags`
+
+AM_CFLAGS = -rdynamic
+
+libstrongswan_tnc_imv_la_LIBADD = -ltnc
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tnc-imv.la
+else
+plugin_LTLIBRARIES = libstrongswan-tnc-imv.la
+endif
+
+libstrongswan_tnc_imv_la_SOURCES = \
+	tnc_imv_plugin.h tnc_imv_plugin.c
+
+libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version
+

src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c

@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnc_imv_plugin.h"
+
+#include <libtnctncs.h>
+
+#include <daemon.h>
+
+METHOD(plugin_t, destroy, void,
+	tnc_imv_plugin_t *this)
+{
+	libtnc_tncs_Terminate();
+	free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *tnc_imv_plugin_create()
+{
+	char *tnc_config;
+	int imv_count;
+	tnc_imv_plugin_t *this;
+
+	INIT(this,
+		.plugin = {
+			.destroy = _destroy,
+		},
+	);
+
+	tnc_config = lib->settings->get_str(lib->settings,
+					"charon.plugins.tnc-imv.tnc_config", "/etc/tnc_config");
+	imv_count = libtnc_imv_load_config(tnc_config);
+	if (imv_count < 0)
+	{
+		free(this);
+		DBG1(DBG_IKE, "TNC IMV initialization failed");
+		return NULL;
+	}
+	else
+	{
+		DBG1(DBG_IKE, "loaded %d TNC IMV%s", imv_count, (imv_count > 1)? "s":"");
+	}
+
+	return &this->plugin;
+}
+

src/libcharon/plugins/tnc_imv/tnc_imv_plugin.h

@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnc_imv tnc_imv
+ * @ingroup cplugins
+ *
+ * @defgroup tnc_imv_plugin tnc_imv_plugin
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_PLUGIN_H_
+#define TNC_IMV_PLUGIN_H_
+
+#include <plugins/plugin.h>
+
+typedef struct tnc_imv_plugin_t tnc_imv_plugin_t;
+
+/**
+ * TNC IMV plugin
+ */
+struct tnc_imv_plugin_t {
+
+	/**
+	 * implements plugin interface
+	 */
+	plugin_t plugin;
+};
+
+#endif /** TNC_IMV_PLUGIN_H_ @}*/

src/libcharon/plugins/tnccs_11/tnccs_11.c

@@ -16,20 +16,31 @@
 #include "tnccs_11.h"
 
 #include <libtnctncc.h>
+#include <libtnctncs.h>
 
 #include <debug.h>
 
-static chunk_t tncc_output;
+static chunk_t output;
 
 /**
- * Define callback function called by the libtnc library
+ * Define callback functions called by the libtnc library
  */
 TNC_Result TNC_TNCC_SendBatch(libtnc_tncc_connection* conn, 
 							  const char* messageBuffer, size_t messageLength)
 {
-	chunk_free(&tncc_output);
-	tncc_output = chunk_alloc(messageLength);
-	memcpy(tncc_output.ptr, messageBuffer, messageLength);
+	chunk_free(&output);
+	output = chunk_alloc(messageLength);
+	memcpy(output.ptr, messageBuffer, messageLength);
+
+	return TNC_RESULT_SUCCESS;
+}
+
+TNC_Result TNC_TNCS_SendBatch(libtnc_tncs_connection* conn, 
+							  const char* messageBuffer, size_t messageLength)
+{
+	chunk_free(&output);
+	output = chunk_alloc(messageLength);
+	memcpy(output.ptr, messageBuffer, messageLength);
 
 	return TNC_RESULT_SUCCESS;
 }
@@ -55,16 +66,46 @@ struct private_tnccs_11_t {
 	 * TNCC Connection to IMCs
 	 */
 	libtnc_tncc_connection* tncc_connection;
+
+	/**
+	 * TNCS Connection to IMVs
+	 */
+	libtnc_tncs_connection* tncs_connection;
 };
 
 METHOD(tls_t, process, status_t,
 	private_tnccs_11_t *this, void *buf, size_t buflen)
 {
-	/* TODO */
+	if (this->is_server && !this->tncs_connection)
+	{
+		this->tncs_connection = libtnc_tncs_CreateConnection(NULL);
+		if (!this->tncs_connection)
+		{
+			DBG1(DBG_IKE, "TNCS CreateConnection failed");
+			return FAILED;
+		}
+		DBG1(DBG_IKE, "assigned TNCS Connection ID: %d",
+			 this->tncs_connection->connectionID);
+		if (libtnc_tncs_BeginSession(this->tncs_connection) != TNC_RESULT_SUCCESS)
+		{
+			DBG1(DBG_IKE, "TNCS BeginSession failed");
+			return FAILED;
+		}
+	}
+
 	DBG1(DBG_IKE, "received TNCCS Batch with %u bytes:", buflen);
 	DBG1(DBG_IKE, "%.*s", buflen, buf);
 
-	if (!this->is_server)
+	if (this->is_server)
+	{
+		if (libtnc_tncs_ReceiveBatch(this->tncs_connection, buf, buflen) !=
+			TNC_RESULT_SUCCESS)
+		{
+			DBG1(DBG_IKE, "TNCS ReceiveBatch failed");
+			return FAILED;
+		}
+	}
+	else
 	{
 		if (libtnc_tncc_ReceiveBatch(this->tncc_connection, buf, buflen) !=
 			TNC_RESULT_SUCCESS)
@@ -89,7 +130,7 @@ METHOD(tls_t, build, status_t,
 			DBG1(DBG_IKE, "TNCC CreateConnection failed");
 			return FAILED;
 		}
-		DBG1(DBG_IKE, "assigned TNC ConnectionID: %d",
+		DBG1(DBG_IKE, "assigned TNCC Connection ID: %d",
 			 this->tncc_connection->connectionID);
 		if (libtnc_tncc_BeginSession(this->tncc_connection) != TNC_RESULT_SUCCESS)
 		{
@@ -99,19 +140,19 @@ METHOD(tls_t, build, status_t,
 	}
 		
 	len = *buflen;
-	len = min(len, tncc_output.len);
+	len = min(len, output.len);
 	*buflen = len;
 	if (msglen)
 	{
-		*msglen = tncc_output.len;
+		*msglen = output.len;
 	}
 
-	if (tncc_output.len)
+	if (output.len)
 	{
-		DBG1(DBG_IKE, "sending TNCCS Batch with %d bytes:", tncc_output.len);
-		DBG1(DBG_IKE, "%.*s", tncc_output.len, tncc_output.ptr);
-		memcpy(buf, tncc_output.ptr, len);
-		chunk_free(&tncc_output);
+		DBG1(DBG_IKE, "sending TNCCS Batch with %d bytes:", output.len);
+		DBG1(DBG_IKE, "%.*s", output.len, output.ptr);
+		memcpy(buf, output.ptr, len);
+		chunk_free(&output);
 		return ALREADY_DONE;
 	}
 	else
@@ -135,7 +176,20 @@ METHOD(tls_t, get_purpose, tls_purpose_t,
 METHOD(tls_t, is_complete, bool,
 	private_tnccs_11_t *this)
 {
-	return FALSE;
+	TNC_IMV_Action_Recommendation* rec = NULL;
+	TNC_IMV_Evaluation_Result* eval = NULL;
+	
+	if (libtnc_tncs_HaveRecommendation(this->tncs_connection, rec, eval) ==
+		TNC_RESULT_SUCCESS)
+	{
+		DBG1(DBG_IKE, "have recommendation");
+		return TRUE;
+	}
+	else
+	{
+		DBG1(DBG_IKE, "no recommendation");
+		return FALSE;
+	}
 }
 
 METHOD(tls_t, get_eap_msk, chunk_t,
@@ -147,7 +201,14 @@ METHOD(tls_t, get_eap_msk, chunk_t,
 METHOD(tls_t, destroy, void,
 	private_tnccs_11_t *this)
 {
-	if (!this->is_server)
+	if (this->is_server)
+	{
+		if (this->tncs_connection)
+		{
+			/* libtnc_tncs_DeleteConnection(this->tncs_connection); */
+		}
+	}
+	else
 	{
 		if (this->tncc_connection)
 		{
@@ -179,27 +240,5 @@ tls_t *tnccs_11_create(bool is_server)
 		.is_server = is_server,
 	);
 
-	tnc_config = lib->settings->get_str(lib->settings,
-					"charon.plugins.tnccs-11.tnc_config", "/etc/tnc_config");
-	pref_lang = lib->settings->get_str(lib->settings,
-					"charon.plugins.tnccs-11.preferred_language", "en");
-
-	if (!is_server)
-	{
-		int imc_count;
-
-		imc_count = libtnc_imc_load_config(tnc_config);
-		if (imc_count < 0)
-		{
-			free(this);
-			DBG1(DBG_IKE, "TNC IMC initialization failed");
-			return NULL;
-		}
-		else
-		{
-			DBG1(DBG_IKE, "loaded %d TNC IMC instances", imc_count);
-		}
-		libtnc_tncc_PreferredLanguage(pref_lang);
-	}
 	return &this->public;
 }

testing/scripts/build-umlrootfs

@@ -187,6 +187,16 @@ then
     echo -n " --enable-eap-tnc" >> $INSTALLSHELL
 fi
 
+if [ "$USE_TNC_IMC" = "yes" ]
+then
+    echo -n " --enable-tnc-imc" >> $INSTALLSHELL
+fi
+
+if [ "$USE_TNC_IMV" = "yes" ]
+then
+    echo -n " --enable-tnc-imv" >> $INSTALLSHELL
+fi
+
 if [ "$USE_TNCCS_11" = "yes" ]
 then
     echo -n " --enable-tnccs-11" >> $INSTALLSHELL

testing/testing.conf

@@ -45,6 +45,8 @@ USE_EAP_RADIUS="yes"
 USE_EAP_TLS="yes"
 USE_EAP_TTLS="yes"
 USE_EAP_TNC="yes"
+USE_TNC_IMC="yes"
+USE_TNC_IMV="yes"
 USE_TNCCS_11="yes"
 USE_SQL="yes"
 USE_MEDIATION="yes"

testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf

@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
   multiple_authentication=no
 }

testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf

@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
   multiple_authentication=no
 }

testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf

@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
   multiple_authentication=no
 }

testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf

@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnccs-11 updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
   multiple_authentication=no
 }