make TNC Access Requestor ID available to IMVs
This commit is contained in:
parent
1fc609fed3
commit
c88104aa25
|
@ -72,6 +72,11 @@ struct private_imv_agent_t {
|
|||
*/
|
||||
rwlock_t *connection_lock;
|
||||
|
||||
/**
|
||||
* Access Requestor ID
|
||||
*/
|
||||
identification_t *ar_id;
|
||||
|
||||
/**
|
||||
* Inform a TNCS about the set of message types the IMV is able to receive
|
||||
*
|
||||
|
@ -445,7 +450,6 @@ METHOD(imv_agent_t, create_state, TNC_Result,
|
|||
int tcg_id_type, tcg_subject_type, tcg_auth_type;
|
||||
chunk_t id_value;
|
||||
id_type_t ike_type;
|
||||
identification_t *id;
|
||||
|
||||
id_type = tnc_id->get_identity_type(tnc_id);
|
||||
id_value = tnc_id->get_identity_value(tnc_id);
|
||||
|
@ -468,12 +472,14 @@ METHOD(imv_agent_t, create_state, TNC_Result,
|
|||
ike_type = ID_IPV6_ADDR;
|
||||
break;
|
||||
case TNC_ID_FQDN:
|
||||
case TNC_ID_USER_NAME:
|
||||
ike_type = ID_FQDN;
|
||||
break;
|
||||
case TNC_ID_RFC822_ADDR:
|
||||
ike_type = ID_RFC822_ADDR;
|
||||
break;
|
||||
case TNC_ID_USER_NAME:
|
||||
ike_type = ID_USER_ID;
|
||||
break;
|
||||
case TNC_ID_DER_ASN1_DN:
|
||||
ike_type = ID_DER_ASN1_DN;
|
||||
break;
|
||||
|
@ -486,11 +492,10 @@ METHOD(imv_agent_t, create_state, TNC_Result,
|
|||
break;
|
||||
}
|
||||
|
||||
id = identification_create_from_encoding(ike_type, id_value);
|
||||
DBG2(DBG_IMV, "%N identity '%Y' authenticated by %N",
|
||||
TNC_Subject_names, tcg_subject_type, id,
|
||||
TNC_Authentication_names, tcg_auth_type);
|
||||
id->destroy(id);
|
||||
this->ar_id = identification_create_from_encoding(ike_type, id_value);
|
||||
DBG2(DBG_IMV, " %N AR identity '%Y' authenticated by %N",
|
||||
TNC_Subject_names, tcg_subject_type, this->ar_id,
|
||||
TNC_Authentication_names, tcg_auth_type);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
|
@ -593,6 +598,12 @@ METHOD(imv_agent_t, get_id, TNC_IMVID,
|
|||
return this->id;
|
||||
}
|
||||
|
||||
METHOD(imv_agent_t, get_ar_id, identification_t*,
|
||||
private_imv_agent_t *this)
|
||||
{
|
||||
return this->ar_id;
|
||||
}
|
||||
|
||||
METHOD(imv_agent_t, reserve_additional_ids, TNC_Result,
|
||||
private_imv_agent_t *this, int count)
|
||||
{
|
||||
|
@ -782,6 +793,7 @@ METHOD(imv_agent_t, destroy, void,
|
|||
private_imv_agent_t *this)
|
||||
{
|
||||
DBG1(DBG_IMV, "IMV %u \"%s\" terminated", this->id, this->name);
|
||||
DESTROY_IF(this->ar_id);
|
||||
this->additional_ids->destroy(this->additional_ids);
|
||||
this->connections->destroy_offset(this->connections,
|
||||
offsetof(imv_state_t, destroy));
|
||||
|
@ -816,6 +828,7 @@ imv_agent_t *imv_agent_create(const char *name,
|
|||
.get_state = _get_state,
|
||||
.get_name = _get_name,
|
||||
.get_id = _get_id,
|
||||
.get_ar_id = _get_ar_id,
|
||||
.reserve_additional_ids = _reserve_additional_ids,
|
||||
.count_additional_ids = _count_additional_ids,
|
||||
.create_id_enumerator = _create_id_enumerator,
|
||||
|
|
|
@ -151,6 +151,13 @@ struct imv_agent_t {
|
|||
*/
|
||||
TNC_IMVID (*get_id)(imv_agent_t *this);
|
||||
|
||||
/**
|
||||
* Get Access Requestor ID
|
||||
*
|
||||
* return Access Requestor ID
|
||||
*/
|
||||
identification_t* (*get_ar_id)(imv_agent_t *this);
|
||||
|
||||
/**
|
||||
* Reserve additional IMV IDs from TNCS
|
||||
*
|
||||
|
|
|
@ -390,7 +390,7 @@ static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
|
|||
device_id = os_state->get_device_id(os_state);
|
||||
if (os_db && device_id)
|
||||
{
|
||||
os_db->set_device_info(os_db, device_id,
|
||||
os_db->set_device_info(os_db, device_id, imv_os->get_ar_id(imv_os),
|
||||
os_state->get_info(os_state, NULL, NULL, NULL),
|
||||
count, count_update, count_blacklist, os_settings);
|
||||
}
|
||||
|
|
|
@ -214,12 +214,14 @@ METHOD(imv_os_database_t, get_device_id, int,
|
|||
}
|
||||
|
||||
METHOD(imv_os_database_t, set_device_info, void,
|
||||
private_imv_os_database_t *this, int device_id, char *os_info,
|
||||
int count, int count_update, int count_blacklist, u_int flags)
|
||||
private_imv_os_database_t *this, int device_id, identification_t *ar_id,
|
||||
char *os_info, int count, int count_update, int count_blacklist,
|
||||
u_int flags)
|
||||
{
|
||||
enumerator_t *e;
|
||||
time_t last_time;
|
||||
int pid = 0, last_pid = 0, last_count_update = 0, last_count_blacklist = 0;
|
||||
int pid = 0, last_pid = 0, iid = 0, last_iid;
|
||||
int last_count_update = 0, last_count_blacklist = 0;
|
||||
u_int last_flags;
|
||||
bool found = FALSE;
|
||||
|
||||
|
@ -233,26 +235,47 @@ METHOD(imv_os_database_t, set_device_info, void,
|
|||
e->destroy(e);
|
||||
}
|
||||
|
||||
/* if OS ifo string has not been found - register it */
|
||||
/* if OS info string has not been found - register it */
|
||||
if (!pid)
|
||||
{
|
||||
this->db->execute(this->db, &pid,
|
||||
"INSERT INTO products (name) VALUES (?)", DB_TEXT, os_info);
|
||||
}
|
||||
|
||||
/* get latest device info record if it exists */
|
||||
/* get primary key of AR identity if it exists */
|
||||
e = this->db->query(this->db,
|
||||
"SELECT time, product, count_update, count_blacklist, flags "
|
||||
"FROM device_infos WHERE device = ? ORDER BY time DESC",
|
||||
DB_INT, device_id, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT);
|
||||
"SELECT id FROM identities WHERE type = ? AND data = ?",
|
||||
DB_INT, ar_id->get_type(ar_id),
|
||||
DB_BLOB, ar_id->get_encoding(ar_id), DB_INT);
|
||||
if (e)
|
||||
{
|
||||
found = e->enumerate(e, &last_time, &last_pid, &last_count_update,
|
||||
&last_count_blacklist, &last_flags);
|
||||
e->enumerate(e, &iid);
|
||||
e->destroy(e);
|
||||
}
|
||||
|
||||
/* if AR identity has not been found - register it */
|
||||
if (!iid)
|
||||
{
|
||||
this->db->execute(this->db, &iid,
|
||||
"INSERT INTO identities (type, data) VALUES (?, ?)",
|
||||
DB_INT, ar_id->get_type(ar_id),
|
||||
DB_BLOB, ar_id->get_encoding(ar_id));
|
||||
}
|
||||
|
||||
/* get latest device info record if it exists */
|
||||
e = this->db->query(this->db,
|
||||
"SELECT time, ar_id, product, count_update, count_blacklist, flags "
|
||||
"FROM device_infos WHERE device = ? ORDER BY time DESC",
|
||||
DB_INT, device_id, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_UINT);
|
||||
if (e)
|
||||
{
|
||||
found = e->enumerate(e, &last_time, &last_iid, &last_pid,
|
||||
&last_count_update, &last_count_blacklist,
|
||||
&last_flags);
|
||||
e->destroy(e);
|
||||
}
|
||||
if (found && !last_count_update && !last_count_blacklist && !last_flags &&
|
||||
pid == last_pid)
|
||||
iid == last_iid && pid == last_pid)
|
||||
{
|
||||
/* update device info */
|
||||
this->db->execute(this->db, NULL,
|
||||
|
@ -266,9 +289,10 @@ METHOD(imv_os_database_t, set_device_info, void,
|
|||
{
|
||||
/* insert device info */
|
||||
this->db->execute(this->db, NULL,
|
||||
"INSERT INTO device_infos (device, time, product, count, "
|
||||
"count_update, count_blacklist, flags) VALUES (?, ?, ?, ?, ?, ?, ?)",
|
||||
DB_INT, device_id, DB_UINT, time(NULL), DB_INT, pid,
|
||||
"INSERT INTO device_infos (device, time, ar_id, product, count, "
|
||||
"count_update, count_blacklist, flags) "
|
||||
"VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
|
||||
DB_INT, device_id, DB_UINT, time(NULL), DB_INT, iid, DB_INT, pid,
|
||||
DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist,
|
||||
DB_UINT, flags);
|
||||
}
|
||||
|
|
|
@ -52,13 +52,15 @@ struct imv_os_database_t {
|
|||
* Set health infos for a given device
|
||||
*
|
||||
* @param device_id Device ID primary key
|
||||
* @param ar_id Access Requestor ID
|
||||
* @param os_info OS info string
|
||||
* @param count Number of installed packages
|
||||
* @param count_update Number of packages to be updated
|
||||
* @param count_blacklist Number of blacklisted packages
|
||||
* @param flags Various flags, e.g. illegal OS settings
|
||||
*/
|
||||
void (*set_device_info)(imv_os_database_t *this, int device_id, char *os_info,
|
||||
void (*set_device_info)(imv_os_database_t *this, int device_id,
|
||||
identification_t *ar_id, char *os_info,
|
||||
int count, int count_update, int count_blacklist,
|
||||
u_int flags);
|
||||
|
||||
|
|
|
@ -804,26 +804,29 @@ METHOD(attest_db_t, list_components, void,
|
|||
METHOD(attest_db_t, list_devices, void,
|
||||
private_attest_db_t *this)
|
||||
{
|
||||
enumerator_t *e;
|
||||
chunk_t value;
|
||||
enumerator_t *e, *e_ar;
|
||||
chunk_t value, ar_data;
|
||||
char *product;
|
||||
time_t timestamp;
|
||||
int id, last_id = 0, device_count = 0;
|
||||
int id, last_id = 0, iid = 0, last_iid = 0, device_count = 0;
|
||||
int count, count_update, count_blacklist;
|
||||
id_type_t ar_type;
|
||||
identification_t *ar_id = NULL;
|
||||
u_int tstamp, flags = 0;
|
||||
|
||||
e = this->db->query(this->db,
|
||||
"SELECT d.id, d.value, i.time, i.count, i.count_update, "
|
||||
"i.count_blacklist, i.flags, p.name FROM devices AS d "
|
||||
"i.count_blacklist, i.flags, i.ar_id, p.name FROM devices AS d "
|
||||
"JOIN device_infos AS i ON d.id = i.device "
|
||||
"JOIN products AS p ON p.id = i.product "
|
||||
"ORDER BY d.value, i.time DESC",
|
||||
DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, DB_TEXT);
|
||||
DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT,
|
||||
DB_INT, DB_TEXT);
|
||||
|
||||
if (e)
|
||||
{
|
||||
while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update,
|
||||
&count_blacklist, &flags, &product))
|
||||
&count_blacklist, &flags, &iid, &product))
|
||||
{
|
||||
if (id != last_id)
|
||||
{
|
||||
|
@ -832,10 +835,35 @@ METHOD(attest_db_t, list_devices, void,
|
|||
last_id = id;
|
||||
}
|
||||
timestamp = tstamp;
|
||||
printf(" %T, %4d, %3d, %3d, %1u, '%s'\n", ×tamp, this->utc,
|
||||
printf(" %T, %4d, %3d, %3d, %1u, '%s'", ×tamp, this->utc,
|
||||
count, count_update, count_blacklist, flags, product);
|
||||
if (iid)
|
||||
{
|
||||
if (iid != last_iid)
|
||||
{
|
||||
DESTROY_IF(ar_id);
|
||||
ar_id = NULL;
|
||||
|
||||
e_ar = this->db->query(this->db,
|
||||
"SELECT type, data FROM identities "
|
||||
"WHERE id = ?", DB_INT, iid, DB_INT, DB_BLOB);
|
||||
if (e_ar->enumerate(e_ar, &ar_type, &ar_data))
|
||||
{
|
||||
ar_id = identification_create_from_encoding(ar_type,
|
||||
ar_data);
|
||||
}
|
||||
e_ar->destroy(e_ar);
|
||||
}
|
||||
if (ar_id)
|
||||
{
|
||||
printf(" %Y", ar_id);
|
||||
}
|
||||
}
|
||||
printf("\n");
|
||||
}
|
||||
e->destroy(e);
|
||||
DESTROY_IF(ar_id);
|
||||
|
||||
printf("%d device%s found\n", device_count,
|
||||
(device_count == 1) ? "" : "s");
|
||||
}
|
||||
|
|
|
@ -126,13 +126,21 @@ CREATE INDEX devices_value ON devices (
|
|||
|
||||
DROP TABLE IF EXISTS device_infos;
|
||||
CREATE TABLE device_infos (
|
||||
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
|
||||
device INTEGER NOT NULL,
|
||||
time INTEGER NOT NULL,
|
||||
ar_id INTEGER DEFAULT 0,
|
||||
product INTEGER DEFAULT 0,
|
||||
count INTEGER DEFAULT 0,
|
||||
count_update INTEGER DEFAULT 0,
|
||||
count_blacklist INTEGER DEFAULT 0,
|
||||
flags INTEGER DEFAULT 0,
|
||||
PRIMARY KEY (device, time)
|
||||
flags INTEGER DEFAULT 0
|
||||
);
|
||||
|
||||
DROP TABLE IF EXISTS identities;
|
||||
CREATE TABLE identities (
|
||||
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
|
||||
type INTEGER NOT NULL,
|
||||
data BLOB NOT NULL,
|
||||
UNIQUE (type, data)
|
||||
);
|
||||
|
|
|
@ -49,10 +49,10 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
|
|||
"ID_DER_ASN1_DN",
|
||||
"ID_DER_ASN1_GN",
|
||||
"ID_KEY_ID");
|
||||
ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID,
|
||||
ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_USER_ID, ID_KEY_ID,
|
||||
"ID_DER_ASN1_GN_URI",
|
||||
"ID_MYID");
|
||||
ENUM_END(id_type_names, ID_MYID);
|
||||
"ID_USER_ID");
|
||||
ENUM_END(id_type_names, ID_USER_ID);
|
||||
|
||||
/**
|
||||
* coding of X.501 distinguished name
|
||||
|
@ -790,6 +790,7 @@ int identification_printf_hook(printf_hook_data_t *data,
|
|||
case ID_FQDN:
|
||||
case ID_RFC822_ADDR:
|
||||
case ID_DER_ASN1_GN_URI:
|
||||
case ID_USER_ID:
|
||||
chunk_printable(this->encoded, &proper, '?');
|
||||
snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr);
|
||||
chunk_free(&proper);
|
||||
|
@ -812,9 +813,6 @@ int identification_printf_hook(printf_hook_data_t *data,
|
|||
snprintf(buf, sizeof(buf), "%#B", &this->encoded);
|
||||
}
|
||||
break;
|
||||
case ID_MYID:
|
||||
snprintf(buf, sizeof(buf), "%%myid");
|
||||
break;
|
||||
default:
|
||||
snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
|
||||
break;
|
||||
|
@ -873,6 +871,7 @@ static private_identification_t *identification_create(id_type_t type)
|
|||
break;
|
||||
case ID_FQDN:
|
||||
case ID_RFC822_ADDR:
|
||||
case ID_USER_ID:
|
||||
this->public.matches = _matches_string;
|
||||
this->public.equals = _equals_strcasecmp;
|
||||
this->public.contains_wildcards = _contains_wildcards_memchr;
|
||||
|
@ -1023,9 +1022,16 @@ identification_t * identification_create_from_data(chunk_t data)
|
|||
{
|
||||
char buf[data.len + 1];
|
||||
|
||||
/* use string constructor */
|
||||
snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr);
|
||||
return identification_create_from_string(buf);
|
||||
if (is_asn1(data))
|
||||
{
|
||||
return identification_create_from_encoding(ID_DER_ASN1_DN, data);
|
||||
}
|
||||
else
|
||||
{
|
||||
/* use string constructor */
|
||||
snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr);
|
||||
return identification_create_from_string(buf);
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
@ -126,14 +126,14 @@ enum id_type_t {
|
|||
ID_KEY_ID = 11,
|
||||
|
||||
/**
|
||||
* private type which represents a GeneralName of type URI
|
||||
* Private ID type which represents a GeneralName of type URI
|
||||
*/
|
||||
ID_DER_ASN1_GN_URI = 201,
|
||||
|
||||
/**
|
||||
* Private ID used by the pluto daemon for opportunistic encryption
|
||||
* Private ID type which represents a user ID
|
||||
*/
|
||||
ID_MYID = 203,
|
||||
ID_USER_ID = 202
|
||||
};
|
||||
|
||||
/**
|
||||
|
|
Loading…
Reference in New Issue