Added reason string support to HCD IMV

src/libimcv/plugins/imv_hcd/imv_hcd_agent.c

@@ -591,11 +591,51 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
 	private_imv_hcd_agent_t *this, TNC_ConnectionID id)
 {
 	imv_state_t *state;
+	imv_hcd_state_t* hcd_state;
+	imv_hcd_handshake_state_t handshake_state;
+	enum_name_t *pa_subtype_names;
+	bool missing = FALSE;
+	uint32_t received;
+	int i;
 
 	if (!this->agent->get_state(this->agent, id, &state))
 	{
 		return TNC_RESULT_FATAL;
 	}
+	hcd_state = (imv_hcd_state_t*)state;
+	handshake_state = hcd_state->get_handshake_state(hcd_state);
+
+	if (handshake_state == IMV_HCD_STATE_ATTR_REQ)
+	{
+		pa_subtype_names = get_pa_subtype_names(PEN_PWG);
+
+		for (i = 1; i < countof(msg_types); i++)
+		{
+			hcd_state->set_subtype(hcd_state, msg_types[i].type);
+			received = state->get_action_flags(state);
+			if ((received & IMV_HCD_ATTR_MUST) != IMV_HCD_ATTR_MUST)
+			{
+				DBG1(DBG_IMV, "missing attributes for PA subtype %N/%N",
+					 pen_names, PEN_PWG, pa_subtype_names, msg_types[i].type);
+				missing = TRUE;
+			}
+		}
+
+		if (missing)
+		{
+			state->set_recommendation(state,
+							TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS ,
+							TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
+		}
+		else
+		{
+			state->set_recommendation(state,
+							TNC_IMV_ACTION_RECOMMENDATION_ALLOW ,
+							TNC_IMV_EVALUATION_RESULT_COMPLIANT);
+		}
+	}
+	hcd_state->set_handshake_state(hcd_state, IMV_HCD_STATE_END);
+
 	return this->agent->provide_recommendation(this->agent, state);
 }
 

src/libimcv/plugins/imv_hcd/imv_hcd_state.c

@@ -14,6 +14,8 @@
  */
 
 #include "imv_hcd_state.h"
+#include "imv/imv_lang_string.h"
+#include "imv/imv_reason_string.h"
 
 #include <tncif_policy.h>
 
@@ -97,6 +99,27 @@ struct private_imv_hcd_state_t {
 	 */
 	imv_hcd_handshake_state_t handshake_state;
 
+	/**
+	 * TNC Reason String
+	 */
+	imv_reason_string_t *reason_string;
+
+};
+
+/**
+ * Supported languages
+ */
+static char* languages[] = { "en", "de", "fr", "pl" };
+
+/**
+ * Reason strings for "Port Filter"
+ */
+static imv_lang_string_t reasons[] = {
+	{ "en", "Mandatory HCD attributes are missing" },
+	{ "de", "Obligatorische HCD Attribute fehlen" },
+	{ "fr", "Il manque des attributes HCD obligatoires" },
+	{ "pl", "Brakuje atrybutów obowiązkowych" },
+	{ NULL, NULL }
 };
 
 METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
@@ -200,7 +223,20 @@ METHOD(imv_state_t, get_reason_string, bool,
 	private_imv_hcd_state_t *this, enumerator_t *language_enumerator,
 	chunk_t *reason_string, char **reason_language)
 {
-	return FALSE;
+	if (this->rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+	{
+		return FALSE;
+	}
+	*reason_language = imv_lang_string_select_lang(language_enumerator,
+											  languages, countof(languages));
+
+	/* Instantiate a TNC Reason String object */
+	DESTROY_IF(this->reason_string);
+	this->reason_string = imv_reason_string_create(*reason_language, "\n");
+	this->reason_string->add_reason(this->reason_string, reasons);
+	*reason_string = this->reason_string->get_encoding(this->reason_string);
+
+	return TRUE;
 }
 
 METHOD(imv_state_t, get_remediation_instructions, bool,
@@ -214,6 +250,7 @@ METHOD(imv_state_t, destroy, void,
 	private_imv_hcd_state_t *this)
 {
 	DESTROY_IF(this->session);
+	DESTROY_IF(this->reason_string);
 	this->contracts->destroy(this->contracts);
 	free(this);
 }

testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat

@@ -1,16 +1,19 @@
-dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
-dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
-dave:: cat /var/log/daemon.log::PB-TNC assessment result is.*don.*t know::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Denied::YES
-dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
-carol:: cat /var/log/daemon.log::PB-TNC assessment result is.*don.*t know::YES
+carol:: cat /var/log/daemon.log::PB-TNC assessment result is.*non-compliant major::YES
 carol:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Denied::YES
+carol:: cat /var/log/daemon.log::reason string is.*Mandatory HCD attributes are missing::YES
 carol:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
+dave:: cat /var/log/daemon.log::PB-TNC assessment result is.*non-compliant major::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Denied::YES
+dave:: cat /var/log/daemon.log::reason string is.*Mandatory HCD attributes are missing::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
 alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by certificate::YES
 alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by certificate::YES
-alice::cat /var/log/daemon.log::policy enforced on peer.*dave@strongswan.org.*is.*no access::YES
 alice::cat /var/log/daemon.log::policy enforced on peer.*carol@strongswan.org.*is.*no access::YES
+alice::cat /var/log/daemon.log::policy enforced on peer.*dave@strongswan.org.*is.*no access::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
+