1 /* 2 * EAP-TNC - TNCS (IF-IMV, IF-TNCCS, and IF-TNCCS-SOH) 3 * Copyright (c) 2007-2008, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 */ 8 9 #include "includes.h" 10 #include <dlfcn.h> 11 12 #include "common.h" 13 #include "base64.h" 14 #include "common/tnc.h" 15 #include "tncs.h" 16 #include "eap_common/eap_tlv_common.h" 17 #include "eap_common/eap_defs.h" 18 19 20 /* TODO: TNCS must be thread-safe; review the code and add locking etc. if 21 * needed.. */ 22 23 #ifndef TNC_CONFIG_FILE 24 #define TNC_CONFIG_FILE "/etc/tnc_config" 25 #endif /* TNC_CONFIG_FILE */ 26 #define IF_TNCCS_START \ 27 "<?xml version=\"1.0\"?>\n" \ 28 "<TNCCS-Batch BatchId=\"%d\" Recipient=\"TNCS\" " \ 29 "xmlns=\"http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS#\" " \ 30 "xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" " \ 31 "xsi:schemaLocation=\"http://www.trustedcomputinggroup.org/IWG/TNC/1_0/" \ 32 "IF_TNCCS# https://www.trustedcomputinggroup.org/XML/SCHEMA/TNCCS_1.0.xsd\">\n" 33 #define IF_TNCCS_END "\n</TNCCS-Batch>" 34 35 /* TNC IF-IMV */ 36 37 struct tnc_if_imv { 38 struct tnc_if_imv *next; 39 char *name; 40 char *path; 41 void *dlhandle; /* from dlopen() */ 42 TNC_IMVID imvID; 43 TNC_MessageTypeList supported_types; 44 size_t num_supported_types; 45 46 /* Functions implemented by IMVs (with TNC_IMV_ prefix) */ 47 TNC_Result (*Initialize)( 48 TNC_IMVID imvID, 49 TNC_Version minVersion, 50 TNC_Version maxVersion, 51 TNC_Version *pOutActualVersion); 52 TNC_Result (*NotifyConnectionChange)( 53 TNC_IMVID imvID, 54 TNC_ConnectionID connectionID, 55 TNC_ConnectionState newState); 56 TNC_Result (*ReceiveMessage)( 57 TNC_IMVID imvID, 58 TNC_ConnectionID connectionID, 59 TNC_BufferReference message, 60 TNC_UInt32 messageLength, 61 TNC_MessageType messageType); 62 TNC_Result (*SolicitRecommendation)( 63 TNC_IMVID imvID, 64 TNC_ConnectionID connectionID); 65 TNC_Result (*BatchEnding)( 66 TNC_IMVID imvID, 67 TNC_ConnectionID connectionID); 68 TNC_Result (*Terminate)(TNC_IMVID imvID); 69 TNC_Result (*ProvideBindFunction)( 70 TNC_IMVID imvID, 71 TNC_TNCS_BindFunctionPointer bindFunction); 72 }; 73 74 75 #define TNC_MAX_IMV_ID 10 76 77 struct tncs_data { 78 struct tncs_data *next; 79 struct tnc_if_imv *imv; /* local copy of tncs_global_data->imv */ 80 TNC_ConnectionID connectionID; 81 unsigned int last_batchid; 82 enum IMV_Action_Recommendation recommendation; 83 int done; 84 85 struct conn_imv { 86 u8 *imv_send; 87 size_t imv_send_len; 88 enum IMV_Action_Recommendation recommendation; 89 int recommendation_set; 90 } imv_data[TNC_MAX_IMV_ID]; 91 92 char *tncs_message; 93 }; 94 95 96 struct tncs_global { 97 struct tnc_if_imv *imv; 98 TNC_ConnectionID next_conn_id; 99 struct tncs_data *connections; 100 }; 101 102 static struct tncs_global *tncs_global_data = NULL; 103 104 105 static struct tnc_if_imv * tncs_get_imv(TNC_IMVID imvID) 106 { 107 struct tnc_if_imv *imv; 108 109 if (imvID >= TNC_MAX_IMV_ID || tncs_global_data == NULL) 110 return NULL; 111 imv = tncs_global_data->imv; 112 while (imv) { 113 if (imv->imvID == imvID) 114 return imv; 115 imv = imv->next; 116 } 117 return NULL; 118 } 119 120 121 static struct tncs_data * tncs_get_conn(TNC_ConnectionID connectionID) 122 { 123 struct tncs_data *tncs; 124 125 if (tncs_global_data == NULL) 126 return NULL; 127 128 tncs = tncs_global_data->connections; 129 while (tncs) { 130 if (tncs->connectionID == connectionID) 131 return tncs; 132 tncs = tncs->next; 133 } 134 135 wpa_printf(MSG_DEBUG, "TNC: Connection ID %lu not found", 136 (unsigned long) connectionID); 137 138 return NULL; 139 } 140 141 142 /* TNCS functions that IMVs can call */ 143 static TNC_Result TNC_TNCS_ReportMessageTypes( 144 TNC_IMVID imvID, 145 TNC_MessageTypeList supportedTypes, 146 TNC_UInt32 typeCount) 147 { 148 TNC_UInt32 i; 149 struct tnc_if_imv *imv; 150 151 wpa_printf(MSG_DEBUG, "TNC: TNC_TNCS_ReportMessageTypes(imvID=%lu " 152 "typeCount=%lu)", 153 (unsigned long) imvID, (unsigned long) typeCount); 154 155 for (i = 0; i < typeCount; i++) { 156 wpa_printf(MSG_DEBUG, "TNC: supportedTypes[%lu] = %lu", 157 i, supportedTypes[i]); 158 } 159 160 imv = tncs_get_imv(imvID); 161 if (imv == NULL) 162 return TNC_RESULT_INVALID_PARAMETER; 163 os_free(imv->supported_types); 164 imv->supported_types = os_memdup(supportedTypes, 165 typeCount * sizeof(TNC_MessageType)); 166 if (imv->supported_types == NULL) 167 return TNC_RESULT_FATAL; 168 imv->num_supported_types = typeCount; 169 170 return TNC_RESULT_SUCCESS; 171 } 172 173 174 static TNC_Result TNC_TNCS_SendMessage( 175 TNC_IMVID imvID, 176 TNC_ConnectionID connectionID, 177 TNC_BufferReference message, 178 TNC_UInt32 messageLength, 179 TNC_MessageType messageType) 180 { 181 struct tncs_data *tncs; 182 unsigned char *b64; 183 size_t b64len; 184 185 wpa_printf(MSG_DEBUG, "TNC: TNC_TNCS_SendMessage(imvID=%lu " 186 "connectionID=%lu messageType=%lu)", 187 imvID, connectionID, messageType); 188 wpa_hexdump_ascii(MSG_DEBUG, "TNC: TNC_TNCS_SendMessage", 189 message, messageLength); 190 191 if (tncs_get_imv(imvID) == NULL) 192 return TNC_RESULT_INVALID_PARAMETER; 193 194 tncs = tncs_get_conn(connectionID); 195 if (tncs == NULL) 196 return TNC_RESULT_INVALID_PARAMETER; 197 198 b64 = base64_encode(message, messageLength, &b64len); 199 if (b64 == NULL) 200 return TNC_RESULT_FATAL; 201 202 os_free(tncs->imv_data[imvID].imv_send); 203 tncs->imv_data[imvID].imv_send_len = 0; 204 tncs->imv_data[imvID].imv_send = os_zalloc(b64len + 100); 205 if (tncs->imv_data[imvID].imv_send == NULL) { 206 os_free(b64); 207 return TNC_RESULT_OTHER; 208 } 209 210 tncs->imv_data[imvID].imv_send_len = 211 os_snprintf((char *) tncs->imv_data[imvID].imv_send, 212 b64len + 100, 213 "<IMC-IMV-Message><Type>%08X</Type>" 214 "<Base64>%s</Base64></IMC-IMV-Message>", 215 (unsigned int) messageType, b64); 216 217 os_free(b64); 218 219 return TNC_RESULT_SUCCESS; 220 } 221 222 223 static TNC_Result TNC_TNCS_RequestHandshakeRetry( 224 TNC_IMVID imvID, 225 TNC_ConnectionID connectionID, 226 TNC_RetryReason reason) 227 { 228 wpa_printf(MSG_DEBUG, "TNC: TNC_TNCS_RequestHandshakeRetry"); 229 /* TODO */ 230 return TNC_RESULT_SUCCESS; 231 } 232 233 234 static TNC_Result TNC_TNCS_ProvideRecommendation( 235 TNC_IMVID imvID, 236 TNC_ConnectionID connectionID, 237 TNC_IMV_Action_Recommendation recommendation, 238 TNC_IMV_Evaluation_Result evaluation) 239 { 240 struct tncs_data *tncs; 241 242 wpa_printf(MSG_DEBUG, "TNC: TNC_TNCS_ProvideRecommendation(imvID=%lu " 243 "connectionID=%lu recommendation=%lu evaluation=%lu)", 244 (unsigned long) imvID, (unsigned long) connectionID, 245 (unsigned long) recommendation, (unsigned long) evaluation); 246 247 if (tncs_get_imv(imvID) == NULL) 248 return TNC_RESULT_INVALID_PARAMETER; 249 250 tncs = tncs_get_conn(connectionID); 251 if (tncs == NULL) 252 return TNC_RESULT_INVALID_PARAMETER; 253 254 tncs->imv_data[imvID].recommendation = recommendation; 255 tncs->imv_data[imvID].recommendation_set = 1; 256 257 return TNC_RESULT_SUCCESS; 258 } 259 260 261 static TNC_Result TNC_TNCS_GetAttribute( 262 TNC_IMVID imvID, 263 TNC_ConnectionID connectionID, 264 TNC_AttributeID attribureID, 265 TNC_UInt32 bufferLength, 266 TNC_BufferReference buffer, 267 TNC_UInt32 *pOutValueLength) 268 { 269 wpa_printf(MSG_DEBUG, "TNC: TNC_TNCS_GetAttribute"); 270 /* TODO */ 271 return TNC_RESULT_SUCCESS; 272 } 273 274 275 static TNC_Result TNC_TNCS_SetAttribute( 276 TNC_IMVID imvID, 277 TNC_ConnectionID connectionID, 278 TNC_AttributeID attribureID, 279 TNC_UInt32 bufferLength, 280 TNC_BufferReference buffer) 281 { 282 wpa_printf(MSG_DEBUG, "TNC: TNC_TNCS_SetAttribute"); 283 /* TODO */ 284 return TNC_RESULT_SUCCESS; 285 } 286 287 288 static TNC_Result TNC_TNCS_BindFunction( 289 TNC_IMVID imvID, 290 char *functionName, 291 void **pOutFunctionPointer) 292 { 293 wpa_printf(MSG_DEBUG, "TNC: TNC_TNCS_BindFunction(imcID=%lu, " 294 "functionName='%s')", (unsigned long) imvID, functionName); 295 296 if (tncs_get_imv(imvID) == NULL) 297 return TNC_RESULT_INVALID_PARAMETER; 298 299 if (pOutFunctionPointer == NULL) 300 return TNC_RESULT_INVALID_PARAMETER; 301 302 if (os_strcmp(functionName, "TNC_TNCS_ReportMessageTypes") == 0) 303 *pOutFunctionPointer = TNC_TNCS_ReportMessageTypes; 304 else if (os_strcmp(functionName, "TNC_TNCS_SendMessage") == 0) 305 *pOutFunctionPointer = TNC_TNCS_SendMessage; 306 else if (os_strcmp(functionName, "TNC_TNCS_RequestHandshakeRetry") == 307 0) 308 *pOutFunctionPointer = TNC_TNCS_RequestHandshakeRetry; 309 else if (os_strcmp(functionName, "TNC_TNCS_ProvideRecommendation") == 310 0) 311 *pOutFunctionPointer = TNC_TNCS_ProvideRecommendation; 312 else if (os_strcmp(functionName, "TNC_TNCS_GetAttribute") == 0) 313 *pOutFunctionPointer = TNC_TNCS_GetAttribute; 314 else if (os_strcmp(functionName, "TNC_TNCS_SetAttribute") == 0) 315 *pOutFunctionPointer = TNC_TNCS_SetAttribute; 316 else 317 *pOutFunctionPointer = NULL; 318 319 return TNC_RESULT_SUCCESS; 320 } 321 322 323 static void * tncs_get_sym(void *handle, char *func) 324 { 325 void *fptr; 326 327 fptr = dlsym(handle, func); 328 329 return fptr; 330 } 331 332 333 static int tncs_imv_resolve_funcs(struct tnc_if_imv *imv) 334 { 335 void *handle = imv->dlhandle; 336 337 /* Mandatory IMV functions */ 338 imv->Initialize = tncs_get_sym(handle, "TNC_IMV_Initialize"); 339 if (imv->Initialize == NULL) { 340 wpa_printf(MSG_ERROR, "TNC: IMV does not export " 341 "TNC_IMV_Initialize"); 342 return -1; 343 } 344 345 imv->SolicitRecommendation = tncs_get_sym( 346 handle, "TNC_IMV_SolicitRecommendation"); 347 if (imv->SolicitRecommendation == NULL) { 348 wpa_printf(MSG_ERROR, "TNC: IMV does not export " 349 "TNC_IMV_SolicitRecommendation"); 350 return -1; 351 } 352 353 imv->ProvideBindFunction = 354 tncs_get_sym(handle, "TNC_IMV_ProvideBindFunction"); 355 if (imv->ProvideBindFunction == NULL) { 356 wpa_printf(MSG_ERROR, "TNC: IMV does not export " 357 "TNC_IMV_ProvideBindFunction"); 358 return -1; 359 } 360 361 /* Optional IMV functions */ 362 imv->NotifyConnectionChange = 363 tncs_get_sym(handle, "TNC_IMV_NotifyConnectionChange"); 364 imv->ReceiveMessage = tncs_get_sym(handle, "TNC_IMV_ReceiveMessage"); 365 imv->BatchEnding = tncs_get_sym(handle, "TNC_IMV_BatchEnding"); 366 imv->Terminate = tncs_get_sym(handle, "TNC_IMV_Terminate"); 367 368 return 0; 369 } 370 371 372 static int tncs_imv_initialize(struct tnc_if_imv *imv) 373 { 374 TNC_Result res; 375 TNC_Version imv_ver; 376 377 wpa_printf(MSG_DEBUG, "TNC: Calling TNC_IMV_Initialize for IMV '%s'", 378 imv->name); 379 res = imv->Initialize(imv->imvID, TNC_IFIMV_VERSION_1, 380 TNC_IFIMV_VERSION_1, &imv_ver); 381 wpa_printf(MSG_DEBUG, "TNC: TNC_IMV_Initialize: res=%lu imv_ver=%lu", 382 (unsigned long) res, (unsigned long) imv_ver); 383 384 return res == TNC_RESULT_SUCCESS ? 0 : -1; 385 } 386 387 388 static int tncs_imv_terminate(struct tnc_if_imv *imv) 389 { 390 TNC_Result res; 391 392 if (imv->Terminate == NULL) 393 return 0; 394 395 wpa_printf(MSG_DEBUG, "TNC: Calling TNC_IMV_Terminate for IMV '%s'", 396 imv->name); 397 res = imv->Terminate(imv->imvID); 398 wpa_printf(MSG_DEBUG, "TNC: TNC_IMV_Terminate: %lu", 399 (unsigned long) res); 400 401 return res == TNC_RESULT_SUCCESS ? 0 : -1; 402 } 403 404 405 static int tncs_imv_provide_bind_function(struct tnc_if_imv *imv) 406 { 407 TNC_Result res; 408 409 wpa_printf(MSG_DEBUG, "TNC: Calling TNC_IMV_ProvideBindFunction for " 410 "IMV '%s'", imv->name); 411 res = imv->ProvideBindFunction(imv->imvID, TNC_TNCS_BindFunction); 412 wpa_printf(MSG_DEBUG, "TNC: TNC_IMV_ProvideBindFunction: res=%lu", 413 (unsigned long) res); 414 415 return res == TNC_RESULT_SUCCESS ? 0 : -1; 416 } 417 418 419 static int tncs_imv_notify_connection_change(struct tnc_if_imv *imv, 420 TNC_ConnectionID conn, 421 TNC_ConnectionState state) 422 { 423 TNC_Result res; 424 425 if (imv->NotifyConnectionChange == NULL) 426 return 0; 427 428 wpa_printf(MSG_DEBUG, "TNC: Calling TNC_IMV_NotifyConnectionChange(%d)" 429 " for IMV '%s'", (int) state, imv->name); 430 res = imv->NotifyConnectionChange(imv->imvID, conn, state); 431 wpa_printf(MSG_DEBUG, "TNC: TNC_IMC_NotifyConnectionChange: %lu", 432 (unsigned long) res); 433 434 return res == TNC_RESULT_SUCCESS ? 0 : -1; 435 } 436 437 438 static int tncs_load_imv(struct tnc_if_imv *imv) 439 { 440 if (imv->path == NULL) { 441 wpa_printf(MSG_DEBUG, "TNC: No IMV configured"); 442 return -1; 443 } 444 445 wpa_printf(MSG_DEBUG, "TNC: Opening IMV: %s (%s)", 446 imv->name, imv->path); 447 imv->dlhandle = dlopen(imv->path, RTLD_LAZY); 448 if (imv->dlhandle == NULL) { 449 wpa_printf(MSG_ERROR, "TNC: Failed to open IMV '%s' (%s): %s", 450 imv->name, imv->path, dlerror()); 451 return -1; 452 } 453 454 if (tncs_imv_resolve_funcs(imv) < 0) { 455 wpa_printf(MSG_ERROR, "TNC: Failed to resolve IMV functions"); 456 return -1; 457 } 458 459 if (tncs_imv_initialize(imv) < 0 || 460 tncs_imv_provide_bind_function(imv) < 0) { 461 wpa_printf(MSG_ERROR, "TNC: Failed to initialize IMV"); 462 return -1; 463 } 464 465 return 0; 466 } 467 468 469 static void tncs_free_imv(struct tnc_if_imv *imv) 470 { 471 os_free(imv->name); 472 os_free(imv->path); 473 os_free(imv->supported_types); 474 } 475 476 static void tncs_unload_imv(struct tnc_if_imv *imv) 477 { 478 tncs_imv_terminate(imv); 479 480 if (imv->dlhandle) 481 dlclose(imv->dlhandle); 482 483 tncs_free_imv(imv); 484 } 485 486 487 static int tncs_supported_type(struct tnc_if_imv *imv, unsigned int type) 488 { 489 size_t i; 490 unsigned int vendor, subtype; 491 492 if (imv == NULL || imv->supported_types == NULL) 493 return 0; 494 495 vendor = type >> 8; 496 subtype = type & 0xff; 497 498 for (i = 0; i < imv->num_supported_types; i++) { 499 unsigned int svendor, ssubtype; 500 svendor = imv->supported_types[i] >> 8; 501 ssubtype = imv->supported_types[i] & 0xff; 502 if ((vendor == svendor || svendor == TNC_VENDORID_ANY) && 503 (subtype == ssubtype || ssubtype == TNC_SUBTYPE_ANY)) 504 return 1; 505 } 506 507 return 0; 508 } 509 510 511 static void tncs_send_to_imvs(struct tncs_data *tncs, unsigned int type, 512 const u8 *msg, size_t len) 513 { 514 struct tnc_if_imv *imv; 515 TNC_Result res; 516 517 wpa_hexdump_ascii(MSG_MSGDUMP, "TNC: Message to IMV(s)", msg, len); 518 519 for (imv = tncs->imv; imv; imv = imv->next) { 520 if (imv->ReceiveMessage == NULL || 521 !tncs_supported_type(imv, type)) 522 continue; 523 524 wpa_printf(MSG_DEBUG, "TNC: Call ReceiveMessage for IMV '%s'", 525 imv->name); 526 res = imv->ReceiveMessage(imv->imvID, tncs->connectionID, 527 (TNC_BufferReference) msg, len, 528 type); 529 wpa_printf(MSG_DEBUG, "TNC: ReceiveMessage: %lu", 530 (unsigned long) res); 531 } 532 } 533 534 535 static void tncs_batch_ending(struct tncs_data *tncs) 536 { 537 struct tnc_if_imv *imv; 538 TNC_Result res; 539 540 for (imv = tncs->imv; imv; imv = imv->next) { 541 if (imv->BatchEnding == NULL) 542 continue; 543 544 wpa_printf(MSG_DEBUG, "TNC: Call BatchEnding for IMV '%s'", 545 imv->name); 546 res = imv->BatchEnding(imv->imvID, tncs->connectionID); 547 wpa_printf(MSG_DEBUG, "TNC: BatchEnding: %lu", 548 (unsigned long) res); 549 } 550 } 551 552 553 static void tncs_solicit_recommendation(struct tncs_data *tncs) 554 { 555 struct tnc_if_imv *imv; 556 TNC_Result res; 557 558 for (imv = tncs->imv; imv; imv = imv->next) { 559 if (tncs->imv_data[imv->imvID].recommendation_set) 560 continue; 561 562 wpa_printf(MSG_DEBUG, "TNC: Call SolicitRecommendation for " 563 "IMV '%s'", imv->name); 564 res = imv->SolicitRecommendation(imv->imvID, 565 tncs->connectionID); 566 wpa_printf(MSG_DEBUG, "TNC: SolicitRecommendation: %lu", 567 (unsigned long) res); 568 } 569 } 570 571 572 void tncs_init_connection(struct tncs_data *tncs) 573 { 574 struct tnc_if_imv *imv; 575 int i; 576 577 for (imv = tncs->imv; imv; imv = imv->next) { 578 tncs_imv_notify_connection_change( 579 imv, tncs->connectionID, TNC_CONNECTION_STATE_CREATE); 580 tncs_imv_notify_connection_change( 581 imv, tncs->connectionID, 582 TNC_CONNECTION_STATE_HANDSHAKE); 583 } 584 585 for (i = 0; i < TNC_MAX_IMV_ID; i++) { 586 os_free(tncs->imv_data[i].imv_send); 587 tncs->imv_data[i].imv_send = NULL; 588 tncs->imv_data[i].imv_send_len = 0; 589 } 590 } 591 592 593 size_t tncs_total_send_len(struct tncs_data *tncs) 594 { 595 int i; 596 size_t len = 0; 597 598 for (i = 0; i < TNC_MAX_IMV_ID; i++) 599 len += tncs->imv_data[i].imv_send_len; 600 if (tncs->tncs_message) 601 len += os_strlen(tncs->tncs_message); 602 return len; 603 } 604 605 606 u8 * tncs_copy_send_buf(struct tncs_data *tncs, u8 *pos) 607 { 608 int i; 609 610 for (i = 0; i < TNC_MAX_IMV_ID; i++) { 611 if (tncs->imv_data[i].imv_send == NULL) 612 continue; 613 614 os_memcpy(pos, tncs->imv_data[i].imv_send, 615 tncs->imv_data[i].imv_send_len); 616 pos += tncs->imv_data[i].imv_send_len; 617 os_free(tncs->imv_data[i].imv_send); 618 tncs->imv_data[i].imv_send = NULL; 619 tncs->imv_data[i].imv_send_len = 0; 620 } 621 622 if (tncs->tncs_message) { 623 size_t len = os_strlen(tncs->tncs_message); 624 os_memcpy(pos, tncs->tncs_message, len); 625 pos += len; 626 os_free(tncs->tncs_message); 627 tncs->tncs_message = NULL; 628 } 629 630 return pos; 631 } 632 633 634 char * tncs_if_tnccs_start(struct tncs_data *tncs) 635 { 636 char *buf = os_malloc(1000); 637 if (buf == NULL) 638 return NULL; 639 tncs->last_batchid++; 640 os_snprintf(buf, 1000, IF_TNCCS_START, tncs->last_batchid); 641 return buf; 642 } 643 644 645 char * tncs_if_tnccs_end(void) 646 { 647 char *buf = os_malloc(100); 648 if (buf == NULL) 649 return NULL; 650 os_snprintf(buf, 100, IF_TNCCS_END); 651 return buf; 652 } 653 654 655 static int tncs_get_type(char *start, unsigned int *type) 656 { 657 char *pos = os_strstr(start, "<Type>"); 658 if (pos == NULL) 659 return -1; 660 pos += 6; 661 *type = strtoul(pos, NULL, 16); 662 return 0; 663 } 664 665 666 static unsigned char * tncs_get_base64(char *start, size_t *decoded_len) 667 { 668 char *pos, *pos2; 669 unsigned char *decoded; 670 671 pos = os_strstr(start, "<Base64>"); 672 if (pos == NULL) 673 return NULL; 674 675 pos += 8; 676 pos2 = os_strstr(pos, "</Base64>"); 677 if (pos2 == NULL) 678 return NULL; 679 *pos2 = '\0'; 680 681 decoded = base64_decode((unsigned char *) pos, os_strlen(pos), 682 decoded_len); 683 *pos2 = '<'; 684 if (decoded == NULL) { 685 wpa_printf(MSG_DEBUG, "TNC: Failed to decode Base64 data"); 686 } 687 688 return decoded; 689 } 690 691 692 static enum tncs_process_res tncs_derive_recommendation(struct tncs_data *tncs) 693 { 694 enum IMV_Action_Recommendation rec; 695 struct tnc_if_imv *imv; 696 TNC_ConnectionState state; 697 char *txt; 698 699 wpa_printf(MSG_DEBUG, "TNC: No more messages from IMVs"); 700 701 if (tncs->done) 702 return TNCCS_PROCESS_OK_NO_RECOMMENDATION; 703 704 tncs_solicit_recommendation(tncs); 705 706 /* Select the most restrictive recommendation */ 707 rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION; 708 for (imv = tncs->imv; imv; imv = imv->next) { 709 TNC_IMV_Action_Recommendation irec; 710 irec = tncs->imv_data[imv->imvID].recommendation; 711 if (irec == TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS) 712 rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS; 713 if (irec == TNC_IMV_ACTION_RECOMMENDATION_ISOLATE && 714 rec != TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS) 715 rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE; 716 if (irec == TNC_IMV_ACTION_RECOMMENDATION_ALLOW && 717 rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION) 718 rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW; 719 } 720 721 wpa_printf(MSG_DEBUG, "TNC: Recommendation: %d", rec); 722 tncs->recommendation = rec; 723 tncs->done = 1; 724 725 txt = NULL; 726 switch (rec) { 727 case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: 728 case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: 729 txt = "allow"; 730 state = TNC_CONNECTION_STATE_ACCESS_ALLOWED; 731 break; 732 case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: 733 txt = "isolate"; 734 state = TNC_CONNECTION_STATE_ACCESS_ISOLATED; 735 break; 736 case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: 737 txt = "none"; 738 state = TNC_CONNECTION_STATE_ACCESS_NONE; 739 break; 740 default: 741 state = TNC_CONNECTION_STATE_ACCESS_ALLOWED; 742 break; 743 } 744 745 if (txt) { 746 os_free(tncs->tncs_message); 747 tncs->tncs_message = os_zalloc(200); 748 if (tncs->tncs_message) { 749 os_snprintf(tncs->tncs_message, 199, 750 "<TNCC-TNCS-Message><Type>%08X</Type>" 751 "<XML><TNCCS-Recommendation type=\"%s\">" 752 "</TNCCS-Recommendation></XML>" 753 "</TNCC-TNCS-Message>", 754 TNC_TNCCS_RECOMMENDATION, txt); 755 } 756 } 757 758 for (imv = tncs->imv; imv; imv = imv->next) { 759 tncs_imv_notify_connection_change(imv, tncs->connectionID, 760 state); 761 } 762 763 switch (rec) { 764 case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: 765 return TNCCS_RECOMMENDATION_ALLOW; 766 case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: 767 return TNCCS_RECOMMENDATION_NO_ACCESS; 768 case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: 769 return TNCCS_RECOMMENDATION_ISOLATE; 770 case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: 771 return TNCCS_RECOMMENDATION_NO_RECOMMENDATION; 772 default: 773 return TNCCS_PROCESS_ERROR; 774 } 775 } 776 777 778 enum tncs_process_res tncs_process_if_tnccs(struct tncs_data *tncs, 779 const u8 *msg, size_t len) 780 { 781 char *buf, *start, *end, *pos, *pos2, *payload; 782 unsigned int batch_id; 783 unsigned char *decoded; 784 size_t decoded_len; 785 786 buf = dup_binstr(msg, len); 787 if (buf == NULL) 788 return TNCCS_PROCESS_ERROR; 789 790 start = os_strstr(buf, "<TNCCS-Batch "); 791 end = os_strstr(buf, "</TNCCS-Batch>"); 792 if (start == NULL || end == NULL || start > end) { 793 os_free(buf); 794 return TNCCS_PROCESS_ERROR; 795 } 796 797 start += 13; 798 while (*start == ' ') 799 start++; 800 *end = '\0'; 801 802 pos = os_strstr(start, "BatchId="); 803 if (pos == NULL) { 804 os_free(buf); 805 return TNCCS_PROCESS_ERROR; 806 } 807 808 pos += 8; 809 if (*pos == '"') 810 pos++; 811 batch_id = atoi(pos); 812 wpa_printf(MSG_DEBUG, "TNC: Received IF-TNCCS BatchId=%u", 813 batch_id); 814 if (batch_id != tncs->last_batchid + 1) { 815 wpa_printf(MSG_DEBUG, "TNC: Unexpected IF-TNCCS BatchId " 816 "%u (expected %u)", 817 batch_id, tncs->last_batchid + 1); 818 os_free(buf); 819 return TNCCS_PROCESS_ERROR; 820 } 821 tncs->last_batchid = batch_id; 822 823 while (*pos != '\0' && *pos != '>') 824 pos++; 825 if (*pos == '\0') { 826 os_free(buf); 827 return TNCCS_PROCESS_ERROR; 828 } 829 pos++; 830 payload = start; 831 832 /* 833 * <IMC-IMV-Message> 834 * <Type>01234567</Type> 835 * <Base64>foo==</Base64> 836 * </IMC-IMV-Message> 837 */ 838 839 while (*start) { 840 char *endpos; 841 unsigned int type; 842 843 pos = os_strstr(start, "<IMC-IMV-Message>"); 844 if (pos == NULL) 845 break; 846 start = pos + 17; 847 end = os_strstr(start, "</IMC-IMV-Message>"); 848 if (end == NULL) 849 break; 850 *end = '\0'; 851 endpos = end; 852 end += 18; 853 854 if (tncs_get_type(start, &type) < 0) { 855 *endpos = '<'; 856 start = end; 857 continue; 858 } 859 wpa_printf(MSG_DEBUG, "TNC: IMC-IMV-Message Type 0x%x", type); 860 861 decoded = tncs_get_base64(start, &decoded_len); 862 if (decoded == NULL) { 863 *endpos = '<'; 864 start = end; 865 continue; 866 } 867 868 tncs_send_to_imvs(tncs, type, decoded, decoded_len); 869 870 os_free(decoded); 871 872 start = end; 873 } 874 875 /* 876 * <TNCC-TNCS-Message> 877 * <Type>01234567</Type> 878 * <XML><TNCCS-Foo type="foo"></TNCCS-Foo></XML> 879 * <Base64>foo==</Base64> 880 * </TNCC-TNCS-Message> 881 */ 882 883 start = payload; 884 while (*start) { 885 unsigned int type; 886 char *xml, *xmlend, *endpos; 887 888 pos = os_strstr(start, "<TNCC-TNCS-Message>"); 889 if (pos == NULL) 890 break; 891 start = pos + 19; 892 end = os_strstr(start, "</TNCC-TNCS-Message>"); 893 if (end == NULL) 894 break; 895 *end = '\0'; 896 endpos = end; 897 end += 20; 898 899 if (tncs_get_type(start, &type) < 0) { 900 *endpos = '<'; 901 start = end; 902 continue; 903 } 904 wpa_printf(MSG_DEBUG, "TNC: TNCC-TNCS-Message Type 0x%x", 905 type); 906 907 /* Base64 OR XML */ 908 decoded = NULL; 909 xml = NULL; 910 xmlend = NULL; 911 pos = os_strstr(start, "<XML>"); 912 if (pos) { 913 pos += 5; 914 pos2 = os_strstr(pos, "</XML>"); 915 if (pos2 == NULL) { 916 *endpos = '<'; 917 start = end; 918 continue; 919 } 920 xmlend = pos2; 921 xml = pos; 922 } else { 923 decoded = tncs_get_base64(start, &decoded_len); 924 if (decoded == NULL) { 925 *endpos = '<'; 926 start = end; 927 continue; 928 } 929 } 930 931 if (decoded) { 932 wpa_hexdump_ascii(MSG_MSGDUMP, 933 "TNC: TNCC-TNCS-Message Base64", 934 decoded, decoded_len); 935 os_free(decoded); 936 } 937 938 if (xml) { 939 wpa_hexdump_ascii(MSG_MSGDUMP, 940 "TNC: TNCC-TNCS-Message XML", 941 (unsigned char *) xml, 942 xmlend - xml); 943 } 944 945 start = end; 946 } 947 948 os_free(buf); 949 950 tncs_batch_ending(tncs); 951 952 if (tncs_total_send_len(tncs) == 0) 953 return tncs_derive_recommendation(tncs); 954 955 return TNCCS_PROCESS_OK_NO_RECOMMENDATION; 956 } 957 958 959 static struct tnc_if_imv * tncs_parse_imv(int id, char *start, char *end, 960 int *error) 961 { 962 struct tnc_if_imv *imv; 963 char *pos, *pos2; 964 965 if (id >= TNC_MAX_IMV_ID) { 966 wpa_printf(MSG_DEBUG, "TNC: Too many IMVs"); 967 return NULL; 968 } 969 970 imv = os_zalloc(sizeof(*imv)); 971 if (imv == NULL) { 972 *error = 1; 973 return NULL; 974 } 975 976 imv->imvID = id; 977 978 pos = start; 979 wpa_printf(MSG_DEBUG, "TNC: Configured IMV: %s", pos); 980 if (pos + 1 >= end || *pos != '"') { 981 wpa_printf(MSG_ERROR, "TNC: Ignoring invalid IMV line '%s' " 982 "(no starting quotation mark)", start); 983 os_free(imv); 984 return NULL; 985 } 986 987 pos++; 988 pos2 = pos; 989 while (pos2 < end && *pos2 != '"') 990 pos2++; 991 if (pos2 >= end) { 992 wpa_printf(MSG_ERROR, "TNC: Ignoring invalid IMV line '%s' " 993 "(no ending quotation mark)", start); 994 os_free(imv); 995 return NULL; 996 } 997 *pos2 = '\0'; 998 wpa_printf(MSG_DEBUG, "TNC: Name: '%s'", pos); 999 imv->name = os_strdup(pos); 1000 1001 pos = pos2 + 1; 1002 if (pos >= end || *pos != ' ') { 1003 wpa_printf(MSG_ERROR, "TNC: Ignoring invalid IMV line '%s' " 1004 "(no space after name)", start); 1005 os_free(imv); 1006 return NULL; 1007 } 1008 1009 pos++; 1010 wpa_printf(MSG_DEBUG, "TNC: IMV file: '%s'", pos); 1011 imv->path = os_strdup(pos); 1012 1013 return imv; 1014 } 1015 1016 1017 static int tncs_read_config(struct tncs_global *global) 1018 { 1019 char *config, *end, *pos, *line_end; 1020 size_t config_len; 1021 struct tnc_if_imv *imv, *last; 1022 int id = 0; 1023 1024 last = NULL; 1025 1026 config = os_readfile(TNC_CONFIG_FILE, &config_len); 1027 if (config == NULL) { 1028 wpa_printf(MSG_ERROR, "TNC: Could not open TNC configuration " 1029 "file '%s'", TNC_CONFIG_FILE); 1030 return -1; 1031 } 1032 1033 end = config + config_len; 1034 for (pos = config; pos < end; pos = line_end + 1) { 1035 line_end = pos; 1036 while (*line_end != '\n' && *line_end != '\r' && 1037 line_end < end) 1038 line_end++; 1039 *line_end = '\0'; 1040 1041 if (os_strncmp(pos, "IMV ", 4) == 0) { 1042 int error = 0; 1043 1044 imv = tncs_parse_imv(id++, pos + 4, line_end, &error); 1045 if (error) 1046 return -1; 1047 if (imv) { 1048 if (last == NULL) 1049 global->imv = imv; 1050 else 1051 last->next = imv; 1052 last = imv; 1053 } 1054 } 1055 } 1056 1057 os_free(config); 1058 1059 return 0; 1060 } 1061 1062 1063 struct tncs_data * tncs_init(void) 1064 { 1065 struct tncs_data *tncs; 1066 1067 if (tncs_global_data == NULL) 1068 return NULL; 1069 1070 tncs = os_zalloc(sizeof(*tncs)); 1071 if (tncs == NULL) 1072 return NULL; 1073 tncs->imv = tncs_global_data->imv; 1074 tncs->connectionID = tncs_global_data->next_conn_id++; 1075 tncs->next = tncs_global_data->connections; 1076 tncs_global_data->connections = tncs; 1077 1078 return tncs; 1079 } 1080 1081 1082 void tncs_deinit(struct tncs_data *tncs) 1083 { 1084 int i; 1085 struct tncs_data *prev, *conn; 1086 1087 if (tncs == NULL) 1088 return; 1089 1090 for (i = 0; i < TNC_MAX_IMV_ID; i++) 1091 os_free(tncs->imv_data[i].imv_send); 1092 1093 prev = NULL; 1094 conn = tncs_global_data->connections; 1095 while (conn) { 1096 if (conn == tncs) { 1097 if (prev) 1098 prev->next = tncs->next; 1099 else 1100 tncs_global_data->connections = tncs->next; 1101 break; 1102 } 1103 prev = conn; 1104 conn = conn->next; 1105 } 1106 1107 os_free(tncs->tncs_message); 1108 os_free(tncs); 1109 } 1110 1111 1112 int tncs_global_init(void) 1113 { 1114 struct tnc_if_imv *imv; 1115 1116 if (tncs_global_data) 1117 return 0; 1118 1119 tncs_global_data = os_zalloc(sizeof(*tncs_global_data)); 1120 if (tncs_global_data == NULL) 1121 return -1; 1122 1123 if (tncs_read_config(tncs_global_data) < 0) { 1124 wpa_printf(MSG_ERROR, "TNC: Failed to read TNC configuration"); 1125 goto failed; 1126 } 1127 1128 for (imv = tncs_global_data->imv; imv; imv = imv->next) { 1129 if (tncs_load_imv(imv)) { 1130 wpa_printf(MSG_ERROR, "TNC: Failed to load IMV '%s'", 1131 imv->name); 1132 goto failed; 1133 } 1134 } 1135 1136 return 0; 1137 1138 failed: 1139 tncs_global_deinit(); 1140 return -1; 1141 } 1142 1143 1144 void tncs_global_deinit(void) 1145 { 1146 struct tnc_if_imv *imv, *prev; 1147 1148 if (tncs_global_data == NULL) 1149 return; 1150 1151 imv = tncs_global_data->imv; 1152 while (imv) { 1153 tncs_unload_imv(imv); 1154 1155 prev = imv; 1156 imv = imv->next; 1157 os_free(prev); 1158 } 1159 1160 os_free(tncs_global_data); 1161 tncs_global_data = NULL; 1162 } 1163 1164 1165 struct wpabuf * tncs_build_soh_request(void) 1166 { 1167 struct wpabuf *buf; 1168 1169 /* 1170 * Build a SoH Request TLV (to be used inside SoH EAP Extensions 1171 * Method) 1172 */ 1173 1174 buf = wpabuf_alloc(8 + 4); 1175 if (buf == NULL) 1176 return NULL; 1177 1178 /* Vendor-Specific TLV (Microsoft) - SoH Request */ 1179 wpabuf_put_be16(buf, EAP_TLV_VENDOR_SPECIFIC_TLV); /* TLV Type */ 1180 wpabuf_put_be16(buf, 8); /* Length */ 1181 1182 wpabuf_put_be32(buf, EAP_VENDOR_MICROSOFT); /* Vendor_Id */ 1183 1184 wpabuf_put_be16(buf, 0x02); /* TLV Type - SoH Request TLV */ 1185 wpabuf_put_be16(buf, 0); /* Length */ 1186 1187 return buf; 1188 } 1189 1190 1191 struct wpabuf * tncs_process_soh(const u8 *soh_tlv, size_t soh_tlv_len, 1192 int *failure) 1193 { 1194 wpa_hexdump(MSG_DEBUG, "TNC: SoH TLV", soh_tlv, soh_tlv_len); 1195 *failure = 0; 1196 1197 /* TODO: return MS-SoH Response TLV */ 1198 1199 return NULL; 1200 } 1201
