ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

make TNC Access Requestor ID available to IMVs

This commit is contained in:
Andreas Steffen 2013-03-03 17:18:09 +01:00
parent 1fc609fed3
commit c88104aa25
9 changed files with 132 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/libimcv/imv/imv_agent.c
View File

@ -72,6 +72,11 @@ struct private_imv_agent_t {
*/
rwlock_t *connection_lock;
/**
* Access Requestor ID
*/
identification_t *ar_id;
/**
* Inform a TNCS about the set of message types the IMV is able to receive
*
@ -445,7 +450,6 @@ METHOD(imv_agent_t, create_state, TNC_Result,
int tcg_id_type, tcg_subject_type, tcg_auth_type;
chunk_t id_value;
id_type_t ike_type;
identification_t *id;
id_type = tnc_id->get_identity_type(tnc_id);
id_value = tnc_id->get_identity_value(tnc_id);
@ -468,12 +472,14 @@ METHOD(imv_agent_t, create_state, TNC_Result,
ike_type = ID_IPV6_ADDR;
break;
case TNC_ID_FQDN:
case TNC_ID_USER_NAME:
ike_type = ID_FQDN;
break;
case TNC_ID_RFC822_ADDR:
ike_type = ID_RFC822_ADDR;
break;
case TNC_ID_USER_NAME:
ike_type = ID_USER_ID;
break;
case TNC_ID_DER_ASN1_DN:
ike_type = ID_DER_ASN1_DN;
break;
@ -486,11 +492,10 @@ METHOD(imv_agent_t, create_state, TNC_Result,
break;
}
id = identification_create_from_encoding(ike_type, id_value);
DBG2(DBG_IMV, "%N identity '%Y' authenticated by %N",
TNC_Subject_names, tcg_subject_type, id,
TNC_Authentication_names, tcg_auth_type);
id->destroy(id);
this->ar_id = identification_create_from_encoding(ike_type, id_value);
DBG2(DBG_IMV, " %N AR identity '%Y' authenticated by %N",
TNC_Subject_names, tcg_subject_type, this->ar_id,
TNC_Authentication_names, tcg_auth_type);
}
enumerator->destroy(enumerator);
@ -593,6 +598,12 @@ METHOD(imv_agent_t, get_id, TNC_IMVID,
return this->id;
}
METHOD(imv_agent_t, get_ar_id, identification_t*,
private_imv_agent_t *this)
{
return this->ar_id;
}
METHOD(imv_agent_t, reserve_additional_ids, TNC_Result,
private_imv_agent_t *this, int count)
{
@ -782,6 +793,7 @@ METHOD(imv_agent_t, destroy, void,
private_imv_agent_t *this)
{
DBG1(DBG_IMV, "IMV %u \"%s\" terminated", this->id, this->name);
DESTROY_IF(this->ar_id);
this->additional_ids->destroy(this->additional_ids);
this->connections->destroy_offset(this->connections,
offsetof(imv_state_t, destroy));
@ -816,6 +828,7 @@ imv_agent_t *imv_agent_create(const char *name,
.get_state = _get_state,
.get_name = _get_name,
.get_id = _get_id,
.get_ar_id = _get_ar_id,
.reserve_additional_ids = _reserve_additional_ids,
.count_additional_ids = _count_additional_ids,
.create_id_enumerator = _create_id_enumerator,

7
src/libimcv/imv/imv_agent.h
View File

@ -151,6 +151,13 @@ struct imv_agent_t {
*/
TNC_IMVID (*get_id)(imv_agent_t *this);
/**
* Get Access Requestor ID
*
* return Access Requestor ID
*/
identification_t* (*get_ar_id)(imv_agent_t *this);
/**
* Reserve additional IMV IDs from TNCS
*

2
src/libimcv/plugins/imv_os/imv_os.c
View File

@ -390,7 +390,7 @@ static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
device_id = os_state->get_device_id(os_state);
if (os_db && device_id)
{
os_db->set_device_info(os_db, device_id,
os_db->set_device_info(os_db, device_id, imv_os->get_ar_id(imv_os),
os_state->get_info(os_state, NULL, NULL, NULL),
count, count_update, count_blacklist, os_settings);
}

52
src/libimcv/plugins/imv_os/imv_os_database.c
View File

@ -214,12 +214,14 @@ METHOD(imv_os_database_t, get_device_id, int,
}
METHOD(imv_os_database_t, set_device_info, void,
private_imv_os_database_t *this, int device_id, char *os_info,
int count, int count_update, int count_blacklist, u_int flags)
private_imv_os_database_t *this, int device_id, identification_t *ar_id,
char *os_info, int count, int count_update, int count_blacklist,
u_int flags)
{
enumerator_t *e;
time_t last_time;
int pid = 0, last_pid = 0, last_count_update = 0, last_count_blacklist = 0;
int pid = 0, last_pid = 0, iid = 0, last_iid;
int last_count_update = 0, last_count_blacklist = 0;
u_int last_flags;
bool found = FALSE;
@ -233,26 +235,47 @@ METHOD(imv_os_database_t, set_device_info, void,
e->destroy(e);
}
/* if OS ifo string has not been found - register it */
/* if OS info string has not been found - register it */
if (!pid)
{
this->db->execute(this->db, &pid,
"INSERT INTO products (name) VALUES (?)", DB_TEXT, os_info);
}
/* get latest device info record if it exists */
/* get primary key of AR identity if it exists */
e = this->db->query(this->db,
"SELECT time, product, count_update, count_blacklist, flags "
"FROM device_infos WHERE device = ? ORDER BY time DESC",
DB_INT, device_id, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT);
"SELECT id FROM identities WHERE type = ? AND data = ?",
DB_INT, ar_id->get_type(ar_id),
DB_BLOB, ar_id->get_encoding(ar_id), DB_INT);
if (e)
{
found = e->enumerate(e, &last_time, &last_pid, &last_count_update,
&last_count_blacklist, &last_flags);
e->enumerate(e, &iid);
e->destroy(e);
}
/* if AR identity has not been found - register it */
if (!iid)
{
this->db->execute(this->db, &iid,
"INSERT INTO identities (type, data) VALUES (?, ?)",
DB_INT, ar_id->get_type(ar_id),
DB_BLOB, ar_id->get_encoding(ar_id));
}
/* get latest device info record if it exists */
e = this->db->query(this->db,
"SELECT time, ar_id, product, count_update, count_blacklist, flags "
"FROM device_infos WHERE device = ? ORDER BY time DESC",
DB_INT, device_id, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_UINT);
if (e)
{
found = e->enumerate(e, &last_time, &last_iid, &last_pid,
&last_count_update, &last_count_blacklist,
&last_flags);
e->destroy(e);
}
if (found && !last_count_update && !last_count_blacklist && !last_flags &&
pid == last_pid)
iid == last_iid && pid == last_pid)
{
/* update device info */
this->db->execute(this->db, NULL,
@ -266,9 +289,10 @@ METHOD(imv_os_database_t, set_device_info, void,
{
/* insert device info */
this->db->execute(this->db, NULL,
"INSERT INTO device_infos (device, time, product, count, "
"count_update, count_blacklist, flags) VALUES (?, ?, ?, ?, ?, ?, ?)",
DB_INT, device_id, DB_UINT, time(NULL), DB_INT, pid,
"INSERT INTO device_infos (device, time, ar_id, product, count, "
"count_update, count_blacklist, flags) "
"VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
DB_INT, device_id, DB_UINT, time(NULL), DB_INT, iid, DB_INT, pid,
DB_INT, count, DB_INT, count_update, DB_INT, count_blacklist,
DB_UINT, flags);
}

4
src/libimcv/plugins/imv_os/imv_os_database.h
View File

@ -52,13 +52,15 @@ struct imv_os_database_t {
* Set health infos for a given device
*
* @param device_id Device ID primary key
* @param ar_id Access Requestor ID
* @param os_info OS info string
* @param count Number of installed packages
* @param count_update Number of packages to be updated
* @param count_blacklist Number of blacklisted packages
* @param flags Various flags, e.g. illegal OS settings
*/
void (*set_device_info)(imv_os_database_t *this, int device_id, char *os_info,
void (*set_device_info)(imv_os_database_t *this, int device_id,
identification_t *ar_id, char *os_info,
int count, int count_update, int count_blacklist,
u_int flags);

42
src/libpts/plugins/imv_attestation/attest_db.c
View File

@ -804,26 +804,29 @@ METHOD(attest_db_t, list_components, void,
METHOD(attest_db_t, list_devices, void,
private_attest_db_t *this)
{
enumerator_t *e;
chunk_t value;
enumerator_t *e, *e_ar;
chunk_t value, ar_data;
char *product;
time_t timestamp;
int id, last_id = 0, device_count = 0;
int id, last_id = 0, iid = 0, last_iid = 0, device_count = 0;
int count, count_update, count_blacklist;
id_type_t ar_type;
identification_t *ar_id = NULL;
u_int tstamp, flags = 0;
e = this->db->query(this->db,
"SELECT d.id, d.value, i.time, i.count, i.count_update, "
"i.count_blacklist, i.flags, p.name FROM devices AS d "
"i.count_blacklist, i.flags, i.ar_id, p.name FROM devices AS d "
"JOIN device_infos AS i ON d.id = i.device "
"JOIN products AS p ON p.id = i.product "
"ORDER BY d.value, i.time DESC",
DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, DB_TEXT);
DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT,
DB_INT, DB_TEXT);
if (e)
{
while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update,
&count_blacklist, &flags, &product))
&count_blacklist, &flags, &iid, &product))
{
if (id != last_id)
{
@ -832,10 +835,35 @@ METHOD(attest_db_t, list_devices, void,
last_id = id;
}
timestamp = tstamp;
printf(" %T, %4d, %3d, %3d, %1u, '%s'\n", &timestamp, this->utc,
printf(" %T, %4d, %3d, %3d, %1u, '%s'", &timestamp, this->utc,
count, count_update, count_blacklist, flags, product);
if (iid)
{
if (iid != last_iid)
{
DESTROY_IF(ar_id);
ar_id = NULL;
e_ar = this->db->query(this->db,
"SELECT type, data FROM identities "
"WHERE id = ?", DB_INT, iid, DB_INT, DB_BLOB);
if (e_ar->enumerate(e_ar, &ar_type, &ar_data))
{
ar_id = identification_create_from_encoding(ar_type,
ar_data);
}
e_ar->destroy(e_ar);
}
if (ar_id)
{
printf(" %Y", ar_id);
}
}
printf("\n");
}
e->destroy(e);
DESTROY_IF(ar_id);
printf("%d device%s found\n", device_count,
(device_count == 1) ? "" : "s");
}

12
src/libpts/plugins/imv_attestation/tables.sql
View File

@ -126,13 +126,21 @@ CREATE INDEX devices_value ON devices (
DROP TABLE IF EXISTS device_infos;
CREATE TABLE device_infos (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
device INTEGER NOT NULL,
time INTEGER NOT NULL,
ar_id INTEGER DEFAULT 0,
product INTEGER DEFAULT 0,
count INTEGER DEFAULT 0,
count_update INTEGER DEFAULT 0,
count_blacklist INTEGER DEFAULT 0,
flags INTEGER DEFAULT 0,
PRIMARY KEY (device, time)
flags INTEGER DEFAULT 0
);
DROP TABLE IF EXISTS identities;
CREATE TABLE identities (
id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
type INTEGER NOT NULL,
data BLOB NOT NULL,
UNIQUE (type, data)
);

24
src/libstrongswan/utils/identification.c
View File

@ -49,10 +49,10 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID,
"ID_DER_ASN1_DN",
"ID_DER_ASN1_GN",
"ID_KEY_ID");
ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID,
ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_USER_ID, ID_KEY_ID,
"ID_DER_ASN1_GN_URI",
"ID_MYID");
ENUM_END(id_type_names, ID_MYID);
"ID_USER_ID");
ENUM_END(id_type_names, ID_USER_ID);
/**
* coding of X.501 distinguished name
@ -790,6 +790,7 @@ int identification_printf_hook(printf_hook_data_t *data,
case ID_FQDN:
case ID_RFC822_ADDR:
case ID_DER_ASN1_GN_URI:
case ID_USER_ID:
chunk_printable(this->encoded, &proper, '?');
snprintf(buf, sizeof(buf), "%.*s", (int)proper.len, proper.ptr);
chunk_free(&proper);
@ -812,9 +813,6 @@ int identification_printf_hook(printf_hook_data_t *data,
snprintf(buf, sizeof(buf), "%#B", &this->encoded);
}
break;
case ID_MYID:
snprintf(buf, sizeof(buf), "%%myid");
break;
default:
snprintf(buf, sizeof(buf), "(unknown ID type: %d)", this->type);
break;
@ -873,6 +871,7 @@ static private_identification_t *identification_create(id_type_t type)
break;
case ID_FQDN:
case ID_RFC822_ADDR:
case ID_USER_ID:
this->public.matches = _matches_string;
this->public.equals = _equals_strcasecmp;
this->public.contains_wildcards = _contains_wildcards_memchr;
@ -1023,9 +1022,16 @@ identification_t * identification_create_from_data(chunk_t data)
{
char buf[data.len + 1];
/* use string constructor */
snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr);
return identification_create_from_string(buf);
if (is_asn1(data))
{
return identification_create_from_encoding(ID_DER_ASN1_DN, data);
}
else
{
/* use string constructor */
snprintf(buf, sizeof(buf), "%.*s", (int)data.len, data.ptr);
return identification_create_from_string(buf);
}
}
/*

6
src/libstrongswan/utils/identification.h
View File

@ -126,14 +126,14 @@ enum id_type_t {
ID_KEY_ID = 11,
/**
* private type which represents a GeneralName of type URI
* Private ID type which represents a GeneralName of type URI
*/
ID_DER_ASN1_GN_URI = 201,
/**
* Private ID used by the pluto daemon for opportunistic encryption
* Private ID type which represents a user ID
*/
ID_MYID = 203,
ID_USER_ID = 202
};
/**