sharpetronics/strongswan
1
0
Fork 0
mirror of https://github.com/strongswan/strongswan.git synced 2025-10-17 00:00:59 -04:00
Code Issues Projects Releases Wiki Activity

enforce_recommendation inserts TNC group membership rules for IKE_SA

Browse Source
This commit is contained in:
Andreas Steffen 2010-11-10 17:59:41 +01:00
parent 498a583f4a
commit 41ec04c34d
2 changed files with 48 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
View File

@ -19,8 +19,7 @@
#include <tnc/tncifimv.h> #include <tnc/tncifimv.h>
#include <debug.h> #include <debug.h>
#include <library.h> #include <daemon.h>
#include <utils/linked_list.h>
typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t; typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t;
@ -98,6 +97,42 @@ METHOD(imv_manager_t, get_count, int,
return this->imvs->get_count(this->imvs); return this->imvs->get_count(this->imvs);
} }
METHOD(imv_manager_t, enforce_recommendation, bool,
private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec)
{
char *group;
identification_t *id;
ike_sa_t *ike_sa;
auth_cfg_t *auth;
switch (rec)
{
case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
DBG1(DBG_TNC, "TNC recommendation is allow");
group = "allow";
break;
case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
DBG1(DBG_TNC, "TNC recommendation is isolate");
group = "isolate";
break;
case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
default:
DBG1(DBG_TNC, "TNC recommendation is none");
return FALSE;
}
ike_sa = charon->bus->get_sa(charon->bus);
if (ike_sa)
{
auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
id = identification_create_from_string(group);
auth->add(auth, AUTH_RULE_GROUP, id);
DBG1(DBG_TNC, "TNC added group membership '%s'", group);
}
return TRUE;
}
METHOD(imv_manager_t, notify_connection_change, void, METHOD(imv_manager_t, notify_connection_change, void,
private_tnc_imv_manager_t *this, TNC_ConnectionID id, private_tnc_imv_manager_t *this, TNC_ConnectionID id,
TNC_ConnectionState state) TNC_ConnectionState state)
@ -222,6 +257,7 @@ imv_manager_t* tnc_imv_manager_create(void)
.add = _add, .add = _add,
.remove = _remove_, /* avoid name conflict with stdio.h */ .remove = _remove_, /* avoid name conflict with stdio.h */
.get_count = _get_count, .get_count = _get_count,
.enforce_recommendation = _enforce_recommendation,
.notify_connection_change = _notify_connection_change, .notify_connection_change = _notify_connection_change,
.set_message_types = _set_message_types, .set_message_types = _set_message_types,
.solicit_recommendation = _solicit_recommendation, .solicit_recommendation = _solicit_recommendation,

10
src/libcharon/tnc/imv/imv_manager.h
View File

@ -55,6 +55,16 @@ struct imv_manager_t {
*/ */
int (*get_count)(imv_manager_t *this); int (*get_count)(imv_manager_t *this);
/**
* Enforce the TNC recommendation on the IKE_SA by either inserting an
* allow|isolate group membership rule (TRUE) or by blocking access (FALSE)
*
* @param void TNC action recommendation
* @return TRUE for allow|isolate, FALSE for none
*/
bool (*enforce_recommendation)(imv_manager_t *this,
TNC_IMV_Action_Recommendation rec);
/** /**
* Notify all IMV instances * Notify all IMV instances
* *