path: root/src/libpts/plugins/imv_attestation
authorRomain Francoise <rfrancoise@debian.org>2014-10-21 19:28:38 +0200
committerRomain Francoise <rfrancoise@debian.org>2014-10-21 19:41:50 +0200
commitb23b0e5609ed4b3d29396a1727aab035fa4a395f (patch)
tree091d0b144dd92a0c124b7fbe9eae68f79cb975dc /src/libpts/plugins/imv_attestation
parent4a01a7e2574040cf246fd00ebff173b873c17349 (diff)
Import upstream release 5.2.1
Diffstat (limited to 'src/libpts/plugins/imv_attestation')
-rw-r--r--src/libpts/plugins/imv_attestation/Makefile.am36
-rw-r--r--src/libpts/plugins/imv_attestation/Makefile.in844
-rw-r--r--src/libpts/plugins/imv_attestation/attest.c487
-rw-r--r--src/libpts/plugins/imv_attestation/attest_db.c1994
-rw-r--r--src/libpts/plugins/imv_attestation/attest_db.h267
-rw-r--r--src/libpts/plugins/imv_attestation/attest_usage.c111
-rw-r--r--src/libpts/plugins/imv_attestation/attest_usage.h25
-rwxr-xr-xsrc/libpts/plugins/imv_attestation/build-database.sh84
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation.c24
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_agent.c909
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_agent.h36
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_build.c150
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_build.h46
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_process.c563
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_process.h57
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_state.c546
-rw-r--r--src/libpts/plugins/imv_attestation/imv_attestation_state.h191
17 files changed, 0 insertions, 6370 deletions
diff --git a/src/libpts/plugins/imv_attestation/Makefile.am b/src/libpts/plugins/imv_attestation/Makefile.am
deleted file mode 100644
index 8dc74fd54..000000000
--- a/src/libpts/plugins/imv_attestation/Makefile.am
+++ /dev/null
@@ -1,36 +0,0 @@
-AM_CPPFLAGS = \
- -I$(top_srcdir)/src/libstrongswan \
- -I$(top_srcdir)/src/libtncif \
- -I$(top_srcdir)/src/libimcv \
- -I$(top_srcdir)/src/libpts \
- -DPLUGINS=\""${attest_plugins}\""
-
-AM_CFLAGS = \
- $(PLUGIN_CFLAGS)
-
-imcv_LTLIBRARIES = imv-attestation.la
-
-imv_attestation_la_LIBADD = \
- $(top_builddir)/src/libimcv/libimcv.la \
- $(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(top_builddir)/src/libpts/libpts.la
-
-imv_attestation_la_SOURCES = imv_attestation.c \
- imv_attestation_state.h imv_attestation_state.c \
- imv_attestation_agent.h imv_attestation_agent.c \
- imv_attestation_process.h imv_attestation_process.c \
- imv_attestation_build.h imv_attestation_build.c
-
-imv_attestation_la_LDFLAGS = -module -avoid-version -no-undefined
-
-ipsec_PROGRAMS = attest
-attest_SOURCES = attest.c \
- attest_usage.h attest_usage.c \
- attest_db.h attest_db.c
-attest_LDADD = \
- $(top_builddir)/src/libimcv/libimcv.la \
- $(top_builddir)/src/libpts/libpts.la \
- $(top_builddir)/src/libstrongswan/libstrongswan.la
-attest.o : $(top_builddir)/config.status
-
-EXTRA_DIST = build-database.sh
diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in
deleted file mode 100644
index b0e3787ae..000000000
--- a/src/libpts/plugins/imv_attestation/Makefile.in
+++ /dev/null
@@ -1,844 +0,0 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
-# @configure_input@
-
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
-
-# This Makefile.in is free software; the Free Software Foundation
-# gives unlimited permission to copy and/or distribute it,
-# with or without modifications, as long as this notice is preserved.
-
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY, to the extent permitted by law; without
-# even the implied warranty of MERCHANTABILITY or FITNESS FOR A
-# PARTICULAR PURPOSE.
-
-@SET_MAKE@
-
-
-VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
-am__make_running_with_option = \
- case $${target_option-} in \
- ?) ;; \
- *) echo "am__make_running_with_option: internal error: invalid" \
- "target option '$${target_option-}' specified" >&2; \
- exit 1;; \
- esac; \
- has_opt=no; \
- sane_makeflags=$$MAKEFLAGS; \
- if $(am__is_gnu_make); then \
- sane_makeflags=$$MFLAGS; \
- else \
- case $$MAKEFLAGS in \
- *\\[\ \ ]*) \
- bs=\\; \
- sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \
- | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \
- esac; \
- fi; \
- skip_next=no; \
- strip_trailopt () \
- { \
- flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \
- }; \
- for flg in $$sane_makeflags; do \
- test $$skip_next = yes && { skip_next=no; continue; }; \
- case $$flg in \
- *=*|--*) continue;; \
- -*I) strip_trailopt 'I'; skip_next=yes;; \
- -*I?*) strip_trailopt 'I';; \
- -*O) strip_trailopt 'O'; skip_next=yes;; \
- -*O?*) strip_trailopt 'O';; \
- -*l) strip_trailopt 'l'; skip_next=yes;; \
- -*l?*) strip_trailopt 'l';; \
- -[dEDm]) skip_next=yes;; \
- -[JT]) skip_next=yes;; \
- esac; \
- case $$flg in \
- *$$target_option*) has_opt=yes; break;; \
- esac; \
- done; \
- test $$has_opt = yes
-am__make_dryrun = (target_option=n; $(am__make_running_with_option))
-am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
-pkgdatadir = $(datadir)/@PACKAGE@
-pkgincludedir = $(includedir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
-pkglibexecdir = $(libexecdir)/@PACKAGE@
-am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-install_sh_DATA = $(install_sh) -c -m 644
-install_sh_PROGRAM = $(install_sh) -c
-install_sh_SCRIPT = $(install_sh) -c
-INSTALL_HEADER = $(INSTALL_DATA)
-transform = $(program_transform_name)
-NORMAL_INSTALL = :
-PRE_INSTALL = :
-POST_INSTALL = :
-NORMAL_UNINSTALL = :
-PRE_UNINSTALL = :
-POST_UNINSTALL = :
-build_triplet = @build@
-host_triplet = @host@
-ipsec_PROGRAMS = attest$(EXEEXT)
-subdir = src/libpts/plugins/imv_attestation
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(top_srcdir)/depcomp
-ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
-am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \
- $(top_srcdir)/m4/config/ltoptions.m4 \
- $(top_srcdir)/m4/config/ltsugar.m4 \
- $(top_srcdir)/m4/config/ltversion.m4 \
- $(top_srcdir)/m4/config/lt~obsolete.m4 \
- $(top_srcdir)/m4/macros/split-package-version.m4 \
- $(top_srcdir)/m4/macros/with.m4 \
- $(top_srcdir)/m4/macros/enable-disable.m4 \
- $(top_srcdir)/m4/macros/add-plugin.m4 \
- $(top_srcdir)/configure.ac
-am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
- $(ACLOCAL_M4)
-mkinstalldirs = $(install_sh) -d
-CONFIG_HEADER = $(top_builddir)/config.h
-CONFIG_CLEAN_FILES =
-CONFIG_CLEAN_VPATH_FILES =
-am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
-am__vpath_adj = case $$p in \
- $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
- *) f=$$p;; \
- esac;
-am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
-am__install_max = 40
-am__nobase_strip_setup = \
- srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
-am__nobase_strip = \
- for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
-am__nobase_list = $(am__nobase_strip_setup); \
- for p in $$list; do echo "$$p $$p"; done | \
- sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
- $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
- if (++n[$$2] == $(am__install_max)) \
- { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
- END { for (dir in files) print dir, files[dir] }'
-am__base_list = \
- sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
- sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
-am__uninstall_files_from_dir = { \
- test -z "$$files" \
- || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
- || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
- $(am__cd) "$$dir" && rm -f $$files; }; \
- }
-am__installdirs = "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"
-LTLIBRARIES = $(imcv_LTLIBRARIES)
-imv_attestation_la_DEPENDENCIES = \
- $(top_builddir)/src/libimcv/libimcv.la \
- $(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(top_builddir)/src/libpts/libpts.la
-am_imv_attestation_la_OBJECTS = imv_attestation.lo \
- imv_attestation_state.lo imv_attestation_agent.lo \
- imv_attestation_process.lo imv_attestation_build.lo
-imv_attestation_la_OBJECTS = $(am_imv_attestation_la_OBJECTS)
-AM_V_lt = $(am__v_lt_@AM_V@)
-am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
-am__v_lt_0 = --silent
-am__v_lt_1 =
-imv_attestation_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \
- $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \
- $(AM_CFLAGS) $(CFLAGS) $(imv_attestation_la_LDFLAGS) \
- $(LDFLAGS) -o $@
-PROGRAMS = $(ipsec_PROGRAMS)
-am_attest_OBJECTS = attest.$(OBJEXT) attest_usage.$(OBJEXT) \
- attest_db.$(OBJEXT)
-attest_OBJECTS = $(am_attest_OBJECTS)
-attest_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \
- $(top_builddir)/src/libpts/libpts.la \
- $(top_builddir)/src/libstrongswan/libstrongswan.la
-AM_V_P = $(am__v_P_@AM_V@)
-am__v_P_ = $(am__v_P_@AM_DEFAULT_V@)
-am__v_P_0 = false
-am__v_P_1 = :
-AM_V_GEN = $(am__v_GEN_@AM_V@)
-am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@)
-am__v_GEN_0 = @echo " GEN " $@;
-am__v_GEN_1 =
-AM_V_at = $(am__v_at_@AM_V@)
-am__v_at_ = $(am__v_at_@AM_DEFAULT_V@)
-am__v_at_0 = @
-am__v_at_1 =
-DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
-depcomp = $(SHELL) $(top_srcdir)/depcomp
-am__depfiles_maybe = depfiles
-am__mv = mv -f
-COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
- $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
-LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \
- $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
- $(AM_CFLAGS) $(CFLAGS)
-AM_V_CC = $(am__v_CC_@AM_V@)
-am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@)
-am__v_CC_0 = @echo " CC " $@;
-am__v_CC_1 =
-CCLD = $(CC)
-LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
- $(AM_LDFLAGS) $(LDFLAGS) -o $@
-AM_V_CCLD = $(am__v_CCLD_@AM_V@)
-am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
-am__v_CCLD_0 = @echo " CCLD " $@;
-am__v_CCLD_1 =
-SOURCES = $(imv_attestation_la_SOURCES) $(attest_SOURCES)
-DIST_SOURCES = $(imv_attestation_la_SOURCES) $(attest_SOURCES)
-am__can_run_installinfo = \
- case $$AM_UPDATE_INFO_DIR in \
- n|no|NO) false;; \
- *) (install-info --version) >/dev/null 2>&1;; \
- esac
-am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-# Read a list of newline-separated strings from the standard input,
-# and print each of them once, without duplicates. Input order is
-# *not* preserved.
-am__uniquify_input = $(AWK) '\
- BEGIN { nonempty = 0; } \
- { items[$$0] = 1; nonempty = 1; } \
- END { if (nonempty) { for (i in items) print i; }; } \
-'
-# Make sure the list of sources is unique. This is necessary because,
-# e.g., the same source file might be shared among _SOURCES variables
-# for different programs/libraries.
-am__define_uniq_tagged_files = \
- list='$(am__tagged_files)'; \
- unique=`for i in $$list; do \
- if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
- done | $(am__uniquify_input)`
-ETAGS = etags
-CTAGS = ctags
-DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
-ACLOCAL = @ACLOCAL@
-ALLOCA = @ALLOCA@
-AMTAR = @AMTAR@
-AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
-AR = @AR@
-AUTOCONF = @AUTOCONF@
-AUTOHEADER = @AUTOHEADER@
-AUTOMAKE = @AUTOMAKE@
-AWK = @AWK@
-BFDLIB = @BFDLIB@
-BTLIB = @BTLIB@
-CC = @CC@
-CCDEPMODE = @CCDEPMODE@
-CFLAGS = @CFLAGS@
-COVERAGE_CFLAGS = @COVERAGE_CFLAGS@
-COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@
-CPP = @CPP@
-CPPFLAGS = @CPPFLAGS@
-CYGPATH_W = @CYGPATH_W@
-DEFS = @DEFS@
-DEPDIR = @DEPDIR@
-DLLIB = @DLLIB@
-DLLTOOL = @DLLTOOL@
-DSYMUTIL = @DSYMUTIL@
-DUMPBIN = @DUMPBIN@
-ECHO_C = @ECHO_C@
-ECHO_N = @ECHO_N@
-ECHO_T = @ECHO_T@
-EGREP = @EGREP@
-EXEEXT = @EXEEXT@
-FGREP = @FGREP@
-GENHTML = @GENHTML@
-GPERF = @GPERF@
-GPRBUILD = @GPRBUILD@
-GREP = @GREP@
-INSTALL = @INSTALL@
-INSTALL_DATA = @INSTALL_DATA@
-INSTALL_PROGRAM = @INSTALL_PROGRAM@
-INSTALL_SCRIPT = @INSTALL_SCRIPT@
-INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
-LCOV = @LCOV@
-LD = @LD@
-LDFLAGS = @LDFLAGS@
-LEX = @LEX@
-LEXLIB = @LEXLIB@
-LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@
-LIBOBJS = @LIBOBJS@
-LIBS = @LIBS@
-LIBTOOL = @LIBTOOL@
-LIPO = @LIPO@
-LN_S = @LN_S@
-LTLIBOBJS = @LTLIBOBJS@
-MAKEINFO = @MAKEINFO@
-MANIFEST_TOOL = @MANIFEST_TOOL@
-MKDIR_P = @MKDIR_P@
-MYSQLCFLAG = @MYSQLCFLAG@
-MYSQLCONFIG = @MYSQLCONFIG@
-MYSQLLIB = @MYSQLLIB@
-NM = @NM@
-NMEDIT = @NMEDIT@
-OBJDUMP = @OBJDUMP@
-OBJEXT = @OBJEXT@
-OPENSSL_LIB = @OPENSSL_LIB@
-OTOOL = @OTOOL@
-OTOOL64 = @OTOOL64@
-PACKAGE = @PACKAGE@
-PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
-PACKAGE_NAME = @PACKAGE_NAME@
-PACKAGE_STRING = @PACKAGE_STRING@
-PACKAGE_TARNAME = @PACKAGE_TARNAME@
-PACKAGE_URL = @PACKAGE_URL@
-PACKAGE_VERSION = @PACKAGE_VERSION@
-PACKAGE_VERSION_BUILD = @PACKAGE_VERSION_BUILD@
-PACKAGE_VERSION_MAJOR = @PACKAGE_VERSION_MAJOR@
-PACKAGE_VERSION_MINOR = @PACKAGE_VERSION_MINOR@
-PACKAGE_VERSION_REVIEW = @PACKAGE_VERSION_REVIEW@
-PATH_SEPARATOR = @PATH_SEPARATOR@
-PERL = @PERL@
-PKG_CONFIG = @PKG_CONFIG@
-PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@
-PKG_CONFIG_PATH = @PKG_CONFIG_PATH@
-PLUGIN_CFLAGS = @PLUGIN_CFLAGS@
-PTHREADLIB = @PTHREADLIB@
-PYTHON = @PYTHON@
-PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
-PYTHON_PLATFORM = @PYTHON_PLATFORM@
-PYTHON_PREFIX = @PYTHON_PREFIX@
-PYTHON_VERSION = @PYTHON_VERSION@
-RANLIB = @RANLIB@
-RTLIB = @RTLIB@
-RUBY = @RUBY@
-RUBYINCLUDE = @RUBYINCLUDE@
-RUBYLIB = @RUBYLIB@
-SED = @SED@
-SET_MAKE = @SET_MAKE@
-SHELL = @SHELL@
-SOCKLIB = @SOCKLIB@
-STRIP = @STRIP@
-UNWINDLIB = @UNWINDLIB@
-VERSION = @VERSION@
-YACC = @YACC@
-YFLAGS = @YFLAGS@
-abs_builddir = @abs_builddir@
-abs_srcdir = @abs_srcdir@
-abs_top_builddir = @abs_top_builddir@
-abs_top_srcdir = @abs_top_srcdir@
-ac_ct_AR = @ac_ct_AR@
-ac_ct_CC = @ac_ct_CC@
-ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
-aikgen_plugins = @aikgen_plugins@
-am__include = @am__include@
-am__leading_dot = @am__leading_dot@
-am__quote = @am__quote@
-am__tar = @am__tar@
-am__untar = @am__untar@
-attest_plugins = @attest_plugins@
-bindir = @bindir@
-build = @build@
-build_alias = @build_alias@
-build_cpu = @build_cpu@
-build_os = @build_os@
-build_vendor = @build_vendor@
-builddir = @builddir@
-c_plugins = @c_plugins@
-charon_natt_port = @charon_natt_port@
-charon_plugins = @charon_plugins@
-charon_udp_port = @charon_udp_port@
-clearsilver_LIBS = @clearsilver_LIBS@
-cmd_plugins = @cmd_plugins@
-datadir = @datadir@
-datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
-dev_headers = @dev_headers@
-docdir = @docdir@
-dvidir = @dvidir@
-exec_prefix = @exec_prefix@
-fips_mode = @fips_mode@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
-host = @host@
-host_alias = @host_alias@
-host_cpu = @host_cpu@
-host_os = @host_os@
-host_vendor = @host_vendor@
-htmldir = @htmldir@
-imcvdir = @imcvdir@
-includedir = @includedir@
-infodir = @infodir@
-install_sh = @install_sh@
-ipsec_script = @ipsec_script@
-ipsec_script_upper = @ipsec_script_upper@
-ipsecdir = @ipsecdir@
-ipsecgroup = @ipsecgroup@
-ipseclibdir = @ipseclibdir@
-ipsecuser = @ipsecuser@
-libdir = @libdir@
-libexecdir = @libexecdir@
-linux_headers = @linux_headers@
-localedir = @localedir@
-localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
-manager_plugins = @manager_plugins@
-mandir = @mandir@
-medsrv_plugins = @medsrv_plugins@
-mkdir_p = @mkdir_p@
-nm_CFLAGS = @nm_CFLAGS@
-nm_LIBS = @nm_LIBS@
-nm_ca_dir = @nm_ca_dir@
-nm_plugins = @nm_plugins@
-oldincludedir = @oldincludedir@
-pcsclite_CFLAGS = @pcsclite_CFLAGS@
-pcsclite_LIBS = @pcsclite_LIBS@
-pdfdir = @pdfdir@
-piddir = @piddir@
-pkgpyexecdir = @pkgpyexecdir@
-pkgpythondir = @pkgpythondir@
-pki_plugins = @pki_plugins@
-plugindir = @plugindir@
-pool_plugins = @pool_plugins@
-prefix = @prefix@
-program_transform_name = @program_transform_name@
-psdir = @psdir@
-pyexecdir = @pyexecdir@
-pythondir = @pythondir@
-random_device = @random_device@
-resolv_conf = @resolv_conf@
-routing_table = @routing_table@
-routing_table_prio = @routing_table_prio@
-s_plugins = @s_plugins@
-sbindir = @sbindir@
-scepclient_plugins = @scepclient_plugins@
-scripts_plugins = @scripts_plugins@
-sharedstatedir = @sharedstatedir@
-soup_CFLAGS = @soup_CFLAGS@
-soup_LIBS = @soup_LIBS@
-srcdir = @srcdir@
-starter_plugins = @starter_plugins@
-strongswan_conf = @strongswan_conf@
-strongswan_options = @strongswan_options@
-swanctldir = @swanctldir@
-sysconfdir = @sysconfdir@
-systemdsystemunitdir = @systemdsystemunitdir@
-t_plugins = @t_plugins@
-target_alias = @target_alias@
-top_build_prefix = @top_build_prefix@
-top_builddir = @top_builddir@
-top_srcdir = @top_srcdir@
-urandom_device = @urandom_device@
-xml_CFLAGS = @xml_CFLAGS@
-xml_LIBS = @xml_LIBS@
-AM_CPPFLAGS = \
- -I$(top_srcdir)/src/libstrongswan \
- -I$(top_srcdir)/src/libtncif \
- -I$(top_srcdir)/src/libimcv \
- -I$(top_srcdir)/src/libpts \
- -DPLUGINS=\""${attest_plugins}\""
-
-AM_CFLAGS = \
- $(PLUGIN_CFLAGS)
-
-imcv_LTLIBRARIES = imv-attestation.la
-imv_attestation_la_LIBADD = \
- $(top_builddir)/src/libimcv/libimcv.la \
- $(top_builddir)/src/libstrongswan/libstrongswan.la \
- $(top_builddir)/src/libpts/libpts.la
-
-imv_attestation_la_SOURCES = imv_attestation.c \
- imv_attestation_state.h imv_attestation_state.c \
- imv_attestation_agent.h imv_attestation_agent.c \
- imv_attestation_process.h imv_attestation_process.c \
- imv_attestation_build.h imv_attestation_build.c
-
-imv_attestation_la_LDFLAGS = -module -avoid-version -no-undefined
-attest_SOURCES = attest.c \
- attest_usage.h attest_usage.c \
- attest_db.h attest_db.c
-
-attest_LDADD = \
- $(top_builddir)/src/libimcv/libimcv.la \
- $(top_builddir)/src/libpts/libpts.la \
- $(top_builddir)/src/libstrongswan/libstrongswan.la
-
-EXTRA_DIST = build-database.sh
-all: all-am
-
-.SUFFIXES:
-.SUFFIXES: .c .lo .o .obj
-$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
- @for dep in $?; do \
- case '$(am__configure_deps)' in \
- *$$dep*) \
- ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
- && { if test -f $@; then exit 0; else break; fi; }; \
- exit 1;; \
- esac; \
- done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libpts/plugins/imv_attestation/Makefile'; \
- $(am__cd) $(top_srcdir) && \
- $(AUTOMAKE) --gnu src/libpts/plugins/imv_attestation/Makefile
-.PRECIOUS: Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
- @case '$?' in \
- *config.status*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \
- *) \
- echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \
- cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \
- esac;
-
-$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-
-$(top_srcdir)/configure: $(am__configure_deps)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(ACLOCAL_M4): $(am__aclocal_m4_deps)
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
-$(am__aclocal_m4_deps):
-
-install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES)
- @$(NORMAL_INSTALL)
- @list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
- list2=; for p in $$list; do \
- if test -f $$p; then \
- list2="$$list2 $$p"; \
- else :; fi; \
- done; \
- test -z "$$list2" || { \
- echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \
- }
-
-uninstall-imcvLTLIBRARIES:
- @$(NORMAL_UNINSTALL)
- @list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \
- for p in $$list; do \
- $(am__strip_dir) \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(imcvdir)/$$f'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(imcvdir)/$$f"; \
- done
-
-clean-imcvLTLIBRARIES:
- -test -z "$(imcv_LTLIBRARIES)" || rm -f $(imcv_LTLIBRARIES)
- @list='$(imcv_LTLIBRARIES)'; \
- locs=`for p in $$list; do echo $$p; done | \
- sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \
- sort -u`; \
- test -z "$$locs" || { \
- echo rm -f $${locs}; \
- rm -f $${locs}; \
- }
-
-imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENCIES) $(EXTRA_imv_attestation_la_DEPENDENCIES)
- $(AM_V_CCLD)$(imv_attestation_la_LINK) -rpath $(imcvdir) $(imv_attestation_la_OBJECTS) $(imv_attestation_la_LIBADD) $(LIBS)
-install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
- @$(NORMAL_INSTALL)
- @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
- if test -n "$$list"; then \
- echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
- $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
- fi; \
- for p in $$list; do echo "$$p $$p"; done | \
- sed 's/$(EXEEXT)$$//' | \
- while read p p1; do if test -f $$p \
- || test -f $$p1 \
- ; then echo "$$p"; echo "$$p"; else :; fi; \
- done | \
- sed -e 'p;s,.*/,,;n;h' \
- -e 's|.*|.|' \
- -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \
- sed 'N;N;N;s,\n, ,g' | \
- $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \
- { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \
- if ($$2 == $$4) files[d] = files[d] " " $$1; \
- else { print "f", $$3 "/" $$4, $$1; } } \
- END { for (d in files) print "f", d, files[d] }' | \
- while read type dir files; do \
- if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \
- test -z "$$files" || { \
- echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \
- $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \
- } \
- ; done
-
-uninstall-ipsecPROGRAMS:
- @$(NORMAL_UNINSTALL)
- @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
- files=`for p in $$list; do echo "$$p"; done | \
- sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \
- -e 's/$$/$(EXEEXT)/' \
- `; \
- test -n "$$list" || exit 0; \
- echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \
- cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files
-
-clean-ipsecPROGRAMS:
- @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \
- echo " rm -f" $$list; \
- rm -f $$list || exit $$?; \
- test -n "$(EXEEXT)" || exit 0; \
- list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f" $$list; \
- rm -f $$list
-
-attest$(EXEEXT): $(attest_OBJECTS) $(attest_DEPENDENCIES) $(EXTRA_attest_DEPENDENCIES)
- @rm -f attest$(EXEEXT)
- $(AM_V_CCLD)$(LINK) $(attest_OBJECTS) $(attest_LDADD) $(LIBS)
-
-mostlyclean-compile:
- -rm -f *.$(OBJEXT)
-
-distclean-compile:
- -rm -f *.tab.c
-
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attest.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attest_db.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attest_usage.Po@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_agent.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_build.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_process.Plo@am__quote@
-@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_state.Plo@am__quote@
-
-.c.o:
-@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\
-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
-@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $<
-
-.c.obj:
-@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\
-@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\
-@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'`
-
-.c.lo:
-@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\
-@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\
-@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
-@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
-
-mostlyclean-libtool:
- -rm -f *.lo
-
-clean-libtool:
- -rm -rf .libs _libs
-
-ID: $(am__tagged_files)
- $(am__define_uniq_tagged_files); mkid -fID $$unique
-tags: tags-am
-TAGS: tags
-
-tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
- set x; \
- here=`pwd`; \
- $(am__define_uniq_tagged_files); \
- shift; \
- if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
- test -n "$$unique" || unique=$$empty_fix; \
- if test $$# -gt 0; then \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- "$$@" $$unique; \
- else \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- $$unique; \
- fi; \
- fi
-ctags: ctags-am
-
-CTAGS: ctags
-ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files)
- $(am__define_uniq_tagged_files); \
- test -z "$(CTAGS_ARGS)$$unique" \
- || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
- $$unique
-
-GTAGS:
- here=`$(am__cd) $(top_builddir) && pwd` \
- && $(am__cd) $(top_srcdir) \
- && gtags -i $(GTAGS_ARGS) "$$here"
-cscopelist: cscopelist-am
-
-cscopelist-am: $(am__tagged_files)
- list='$(am__tagged_files)'; \
- case "$(srcdir)" in \
- [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \
- *) sdir=$(subdir)/$(srcdir) ;; \
- esac; \
- for i in $$list; do \
- if test -f "$$i"; then \
- echo "$(subdir)/$$i"; \
- else \
- echo "$$sdir/$$i"; \
- fi; \
- done >> $(top_builddir)/cscope.files
-
-distclean-tags:
- -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
-
-distdir: $(DISTFILES)
- @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
- topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
- list='$(DISTFILES)'; \
- dist_files=`for file in $$list; do echo $$file; done | \
- sed -e "s|^$$srcdirstrip/||;t" \
- -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \
- case $$dist_files in \
- */*) $(MKDIR_P) `echo "$$dist_files" | \
- sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \
- sort -u` ;; \
- esac; \
- for file in $$dist_files; do \
- if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
- if test -d $$d/$$file; then \
- dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
- if test -d "$(distdir)/$$file"; then \
- find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
- fi; \
- if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
- cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
- find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
- fi; \
- cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
- else \
- test -f "$(distdir)/$$file" \
- || cp -p $$d/$$file "$(distdir)/$$file" \
- || exit 1; \
- fi; \
- done
-check-am: all-am
-check: check-am
-all-am: Makefile $(LTLIBRARIES) $(PROGRAMS)
-installdirs:
- for dir in "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)"; do \
- test -z "$$dir" || $(MKDIR_P) "$$dir"; \
- done
-install: install-am
-install-exec: install-exec-am
-install-data: install-data-am
-uninstall: uninstall-am
-
-install-am: all-am
- @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am
-
-installcheck: installcheck-am
-install-strip:
- if test -z '$(STRIP)'; then \
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- install; \
- else \
- $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \
- install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \
- "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \
- fi
-mostlyclean-generic:
-
-clean-generic:
-
-distclean-generic:
- -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
- -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
-
-maintainer-clean-generic:
- @echo "This command is intended for maintainers to use"
- @echo "it deletes files that may require special tools to rebuild."
-clean: clean-am
-
-clean-am: clean-generic clean-imcvLTLIBRARIES clean-ipsecPROGRAMS \
- clean-libtool mostlyclean-am
-
-distclean: distclean-am
- -rm -rf ./$(DEPDIR)
- -rm -f Makefile
-distclean-am: clean-am distclean-compile distclean-generic \
- distclean-tags
-
-dvi: dvi-am
-
-dvi-am:
-
-html: html-am
-
-html-am:
-
-info: info-am
-
-info-am:
-
-install-data-am: install-imcvLTLIBRARIES install-ipsecPROGRAMS
-
-install-dvi: install-dvi-am
-
-install-dvi-am:
-
-install-exec-am:
-
-install-html: install-html-am
-
-install-html-am:
-
-install-info: install-info-am
-
-install-info-am:
-
-install-man:
-
-install-pdf: install-pdf-am
-
-install-pdf-am:
-
-install-ps: install-ps-am
-
-install-ps-am:
-
-installcheck-am:
-
-maintainer-clean: maintainer-clean-am
- -rm -rf ./$(DEPDIR)
- -rm -f Makefile
-maintainer-clean-am: distclean-am maintainer-clean-generic
-
-mostlyclean: mostlyclean-am
-
-mostlyclean-am: mostlyclean-compile mostlyclean-generic \
- mostlyclean-libtool
-
-pdf: pdf-am
-
-pdf-am:
-
-ps: ps-am
-
-ps-am:
-
-uninstall-am: uninstall-imcvLTLIBRARIES uninstall-ipsecPROGRAMS
-
-.MAKE: install-am install-strip
-
-.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \
- clean-imcvLTLIBRARIES clean-ipsecPROGRAMS clean-libtool \
- cscopelist-am ctags ctags-am distclean distclean-compile \
- distclean-generic distclean-libtool distclean-tags distdir dvi \
- dvi-am html html-am info info-am install install-am \
- install-data install-data-am install-dvi install-dvi-am \
- install-exec install-exec-am install-html install-html-am \
- install-imcvLTLIBRARIES install-info install-info-am \
- install-ipsecPROGRAMS install-man install-pdf install-pdf-am \
- install-ps install-ps-am install-strip installcheck \
- installcheck-am installdirs maintainer-clean \
- maintainer-clean-generic mostlyclean mostlyclean-compile \
- mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
- tags tags-am uninstall uninstall-am uninstall-imcvLTLIBRARIES \
- uninstall-ipsecPROGRAMS
-
-attest.o : $(top_builddir)/config.status
-
-# Tell versions [3.59,3.63) of GNU make to not export all variables.
-# Otherwise a system limit (for SysV at least) may be exceeded.
-.NOEXPORT:
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c
deleted file mode 100644
index 63c0023a7..000000000
--- a/src/libpts/plugins/imv_attestation/attest.c
+++ /dev/null
@@ -1,487 +0,0 @@
-/*
- * Copyright (C) 2011-2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-#include <getopt.h>
-#include <unistd.h>
-#include <stdio.h>
-#include <string.h>
-#include <errno.h>
-#include <libgen.h>
-#ifdef HAVE_SYSLOG
-# include <syslog.h>
-#endif
-
-#include <library.h>
-#include <utils/debug.h>
-
-#include <imcv.h>
-#include <libpts.h>
-#include <pts/pts_meas_algo.h>
-
-#include "attest_db.h"
-#include "attest_usage.h"
-
-/**
- * global debug output variables
- */
-static int debug_level = 1;
-static bool stderr_quiet = TRUE;
-
-/**
- * attest dbg function
- */
-static void attest_dbg(debug_t group, level_t level, char *fmt, ...)
-{
- va_list args;
-
- if (level <= debug_level)
- {
- if (!stderr_quiet)
- {
- va_start(args, fmt);
- vfprintf(stderr, fmt, args);
- fprintf(stderr, "\n");
- va_end(args);
- }
-
-#ifdef HAVE_SYSLOG
- {
- int priority = LOG_INFO;
- char buffer[8192];
- char *current = buffer, *next;
-
- /* write in memory buffer first */
- va_start(args, fmt);
- vsnprintf(buffer, sizeof(buffer), fmt, args);
- va_end(args);
-
- /* do a syslog with every line */
- while (current)
- {
- next = strchr(current, '\n');
- if (next)
- {
- *(next++) = '\0';
- }
- syslog(priority, "%s\n", current);
- current = next;
- }
- }
-#endif /* HAVE_SYSLOG */
- }
-}
-
-/**
- * global attestation database object
- */
-attest_db_t *attest;
-
-
-/**
- * atexit handler to close db on shutdown
- */
-static void cleanup(void)
-{
- attest->destroy(attest);
- libpts_deinit();
- libimcv_deinit();
-#ifdef HAVE_SYSLOG
- closelog();
-#endif
-}
-
-static void do_args(int argc, char *argv[])
-{
- enum {
- OP_UNDEF,
- OP_USAGE,
- OP_KEYS,
- OP_COMPONENTS,
- OP_DEVICES,
- OP_DIRECTORIES,
- OP_FILES,
- OP_HASHES,
- OP_MEASUREMENTS,
- OP_PACKAGES,
- OP_PRODUCTS,
- OP_SESSIONS,
- OP_ADD,
- OP_DEL,
- } op = OP_UNDEF;
-
- /* reinit getopt state */
- optind = 0;
-
- while (TRUE)
- {
- int c;
-
- struct option long_opts[] = {
- { "help", no_argument, NULL, 'h' },
- { "components", no_argument, NULL, 'c' },
- { "devices", no_argument, NULL, 'e' },
- { "directories", no_argument, NULL, 'd' },
- { "dirs", no_argument, NULL, 'd' },
- { "files", no_argument, NULL, 'f' },
- { "keys", no_argument, NULL, 'k' },
- { "packages", no_argument, NULL, 'g' },
- { "products", no_argument, NULL, 'p' },
- { "hashes", no_argument, NULL, 'H' },
- { "measurements", no_argument, NULL, 'm' },
- { "sessions", no_argument, NULL, 's' },
- { "add", no_argument, NULL, 'a' },
- { "delete", no_argument, NULL, 'r' },
- { "del", no_argument, NULL, 'r' },
- { "remove", no_argument, NULL, 'r' },
- { "aik", required_argument, NULL, 'A' },
- { "blacklist", no_argument, NULL, 'B' },
- { "component", required_argument, NULL, 'C' },
- { "comp", required_argument, NULL, 'C' },
- { "directory", required_argument, NULL, 'D' },
- { "dir", required_argument, NULL, 'D' },
- { "file", required_argument, NULL, 'F' },
- { "package", required_argument, NULL, 'G' },
- { "key", required_argument, NULL, 'K' },
- { "measdir", required_argument, NULL, 'M' },
- { "owner", required_argument, NULL, 'O' },
- { "product", required_argument, NULL, 'P' },
- { "relative", no_argument, NULL, 'R' },
- { "rel", no_argument, NULL, 'R' },
- { "sequence", required_argument, NULL, 'S' },
- { "seq", required_argument, NULL, 'S' },
- { "utc", no_argument, NULL, 'U' },
- { "version", required_argument, NULL, 'V' },
- { "security", no_argument, NULL, 'Y' },
- { "sha1", no_argument, NULL, '1' },
- { "sha256", no_argument, NULL, '2' },
- { "sha384", no_argument, NULL, '3' },
- { "did", required_argument, NULL, '4' },
- { "fid", required_argument, NULL, '5' },
- { "pid", required_argument, NULL, '6' },
- { "cid", required_argument, NULL, '7' },
- { "kid", required_argument, NULL, '8' },
- { "gid", required_argument, NULL, '9' },
- { 0,0,0,0 }
- };
-
- c = getopt_long(argc, argv, "", long_opts, NULL);
- switch (c)
- {
- case EOF:
- break;
- case 'h':
- op = OP_USAGE;
- break;
- case 'c':
- op = OP_COMPONENTS;
- continue;
- case 'd':
- op = OP_DIRECTORIES;
- continue;
- case 'e':
- op = OP_DEVICES;
- continue;
- case 'f':
- op = OP_FILES;
- continue;
- case 'g':
- op = OP_PACKAGES;
- continue;
- case 'k':
- op = OP_KEYS;
- continue;
- case 'p':
- op = OP_PRODUCTS;
- continue;
- case 'H':
- op = OP_HASHES;
- continue;
- case 'm':
- op = OP_MEASUREMENTS;
- continue;
- case 's':
- op = OP_SESSIONS;
- continue;
- case 'a':
- op = OP_ADD;
- continue;
- case 'r':
- op = OP_DEL;
- continue;
- case 'A':
- {
- certificate_t *aik_cert;
- public_key_t *aik_key;
- chunk_t aik;
-
- aik_cert = lib->creds->create(lib->creds, CRED_CERTIFICATE,
- CERT_X509, BUILD_FROM_FILE, optarg, BUILD_END);
- if (!aik_cert)
- {
- printf("AIK certificate '%s' could not be loaded\n", optarg);
- exit(EXIT_FAILURE);
- }
- aik_key = aik_cert->get_public_key(aik_cert);
- aik_cert->destroy(aik_cert);
-
- if (!aik_key)
- {
- printf("AIK public key could not be retrieved\n");
- exit(EXIT_FAILURE);
- }
- if (!aik_key->get_fingerprint(aik_key, KEYID_PUBKEY_INFO_SHA1,
- &aik))
- {
- printf("AIK fingerprint could not be computed\n");
- aik_key->destroy(aik_key);
- exit(EXIT_FAILURE);
- }
- aik = chunk_clone(aik);
- aik_key->destroy(aik_key);
-
- if (!attest->set_key(attest, aik, op == OP_ADD))
- {
- exit(EXIT_FAILURE);
- }
- continue;
- }
- case 'B':
- attest->set_package_state(attest, OS_PACKAGE_STATE_BLACKLIST);
- continue;
- case 'C':
- if (!attest->set_component(attest, optarg, op == OP_ADD))
- {
- exit(EXIT_FAILURE);
- }
- continue;
- case 'D':
- if (!attest->set_directory(attest, optarg, op == OP_ADD))
- {
- exit(EXIT_FAILURE);
- }
- continue;
- case 'F':
- {
- char *dir = path_dirname(optarg);
- char *file = path_basename(optarg);
-
- if (*dir != '.')
- {
- if (!attest->set_directory(attest, dir, op == OP_ADD))
- {
- free(file);
- free(dir);
- exit(EXIT_FAILURE);
- }
- }
- free(dir);
-
- if (!attest->set_file(attest, file, op == OP_ADD))
- {
- free(file);
- exit(EXIT_FAILURE);
- }
- free(file);
- continue;
- }
- case 'G':
- if (!attest->set_package(attest, optarg, op == OP_ADD))
- {
- exit(EXIT_FAILURE);
- }
- continue;
- case 'K':
- {
- chunk_t aik;
-
- aik = chunk_from_hex(chunk_create(optarg, strlen(optarg)), NULL);
- if (!attest->set_key(attest, aik, op == OP_ADD))
- {
- exit(EXIT_FAILURE);
- }
- continue;
- }
- case 'M':
- if (!attest->set_meas_directory(attest, optarg))
- {
- exit(EXIT_FAILURE);
- }
- continue;
- case 'O':
- attest->set_owner(attest, optarg);
- continue;
- case 'P':
- if (!attest->set_product(attest, optarg, op == OP_ADD))
- {
- exit(EXIT_FAILURE);
- }
- continue;
- case 'R':
- attest->set_relative(attest);
- continue;
- case 'S':
- attest->set_sequence(attest, atoi(optarg));
- continue;
- case 'U':
- attest->set_utc(attest);
- continue;
- case 'V':
- if (!attest->set_version(attest, optarg))
- {
- exit(EXIT_FAILURE);
- }
- continue;
- case 'Y':
- attest->set_package_state(attest, OS_PACKAGE_STATE_SECURITY);
- continue;
- case '1':
- attest->set_algo(attest, PTS_MEAS_ALGO_SHA1);
- continue;
- case '2':
- attest->set_algo(attest, PTS_MEAS_ALGO_SHA256);
- continue;
- case '3':
- attest->set_algo(attest, PTS_MEAS_ALGO_SHA384);
- continue;
- case '4':
- if (!attest->set_did(attest, atoi(optarg)))
- {
- exit(EXIT_FAILURE);
- }
- continue;
- case '5':
- if (!attest->set_fid(attest, atoi(optarg)))
- {
- exit(EXIT_FAILURE);
- }
- continue;
- case '6':
- if (!attest->set_pid(attest, atoi(optarg)))
- {
- exit(EXIT_FAILURE);
- }
- continue;
- case '7':
- if (!attest->set_cid(attest, atoi(optarg)))
- {
- exit(EXIT_FAILURE);
- }
- continue;
- case '8':
- if (!attest->set_kid(attest, atoi(optarg)))
- {
- exit(EXIT_FAILURE);
- }
- continue;
- case '9':
- if (!attest->set_gid(attest, atoi(optarg)))
- {
- exit(EXIT_FAILURE);
- }
- continue;
- }
- break;
- }
-
- switch (op)
- {
- case OP_USAGE:
- usage();
- break;
- case OP_PACKAGES:
- attest->list_packages(attest);
- break;
- case OP_PRODUCTS:
- attest->list_products(attest);
- break;
- case OP_KEYS:
- attest->list_keys(attest);
- break;
- case OP_COMPONENTS:
- attest->list_components(attest);
- break;
- case OP_DEVICES:
- attest->list_devices(attest);
- break;
- case OP_DIRECTORIES:
- attest->list_directories(attest);
- break;
- case OP_FILES:
- attest->list_files(attest);
- break;
- case OP_HASHES:
- attest->list_hashes(attest);
- break;
- case OP_MEASUREMENTS:
- attest->list_measurements(attest);
- break;
- case OP_SESSIONS:
- attest->list_sessions(attest);
- break;
- case OP_ADD:
- attest->add(attest);
- break;
- case OP_DEL:
- attest->delete(attest);
- break;
- default:
- usage();
- exit(EXIT_FAILURE);
- }
-}
-
-int main(int argc, char *argv[])
-{
- char *uri;
-
- /* enable attest debugging hook */
- dbg = attest_dbg;
-#ifdef HAVE_SYSLOG
- openlog("attest", 0, LOG_DEBUG);
-#endif
-
- atexit(library_deinit);
-
- /* initialize library */
- if (!library_init(NULL, "attest"))
- {
- exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
- }
- if (!lib->plugins->load(lib->plugins,
- lib->settings->get_str(lib->settings, "attest.load", PLUGINS)))
- {
- exit(SS_RC_INITIALIZATION_FAILED);
- }
-
- uri = lib->settings->get_str(lib->settings, "attest.database", NULL);
- if (!uri)
- {
- fprintf(stderr, "database URI attest.database not set.\n");
- exit(SS_RC_INITIALIZATION_FAILED);
- }
- attest = attest_db_create(uri);
- if (!attest)
- {
- exit(SS_RC_INITIALIZATION_FAILED);
- }
- atexit(cleanup);
- libimcv_init(FALSE);
- libpts_init();
-
- do_args(argc, argv);
-
- exit(EXIT_SUCCESS);
-}
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c
deleted file mode 100644
index d7f45ad29..000000000
--- a/src/libpts/plugins/imv_attestation/attest_db.c
+++ /dev/null
@@ -1,1994 +0,0 @@
-/*
- * Copyright (C) 2011-2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE
-
-#include <stdio.h>
-#include <libgen.h>
-#include <time.h>
-
-#include <tncif_names.h>
-
-#include "attest_db.h"
-
-#include "libpts.h"
-#include "pts/pts_meas_algo.h"
-#include "pts/pts_file_meas.h"
-#include "pts/components/pts_comp_func_name.h"
-
-#define IMA_MAX_NAME_LEN 255
-#define DEVICE_MAX_LEN 20
-
-typedef struct private_attest_db_t private_attest_db_t;
-
-/**
- * Private data of an attest_db_t object.
- */
-struct private_attest_db_t {
-
- /**
- * Public members of attest_db_state_t
- */
- attest_db_t public;
-
- /**
- * Component Functional Name to be queried
- */
- pts_comp_func_name_t *cfn;
-
- /**
- * Primary key of the Component Functional Name to be queried
- */
- int cid;
-
- /**
- * TRUE if Component Functional Name has been set
- */
- bool comp_set;
-
- /**
- * Directory containing the Measurement file to be queried
- */
- char *dir;
-
- /**
- * Primary key of the directory to be queried
- */
- int did;
-
- /**
- * Measurement file to be queried
- */
- char *file;
-
- /**
- * Primary key of measurement file to be queried
- */
- int fid;
-
- /**
- * Directory where file measurement are to be taken
- */
- char *meas_dir;
-
- /**
- * AIK to be queried
- */
- chunk_t key;
-
- /**
- * Primary key of the AIK to be queried
- */
- int kid;
-
- /**
- * TRUE if AIK has been set
- */
- bool key_set;
-
- /**
- * Software package to be queried
- */
- char *package;
-
- /**
- * Primary key of software package to be queried
- */
- int gid;
-
- /**
- * TRUE if package has been set
- */
- bool package_set;
-
- /**
- * Software product to be queried
- */
- char *product;
-
- /**
- * Primary key of software product to be queried
- */
- int pid;
-
- /**
- * TRUE if product has been set
- */
- bool product_set;
-
- /**
- * Software package version to be queried
- */
- char *version;
-
- /**
- * TRUE if version has been set
- */
- bool version_set;
-
- /**
- * TRUE if relative filenames are to be used
- */
- bool relative;
-
- /**
- * TRUE if dates are to be displayed in UTC
- */
- bool utc;
-
- /**
- * Package security or blacklist state
- */
- os_package_state_t package_state;
-
- /**
- * Sequence number for ordering entries
- */
- int seq_no;
-
- /**
- * File measurement hash algorithm
- */
- pts_meas_algorithms_t algo;
-
- /**
- * Optional owner (user/host name)
- */
- char *owner;
-
- /**
- * Attestation database
- */
- database_t *db;
-
-};
-
-char* print_cfn(pts_comp_func_name_t *cfn)
-{
- static char buf[BUF_LEN];
- char flags[8];
- int type, vid, name, qualifier, n;
- enum_name_t *names, *types;
-
- vid = cfn->get_vendor_id(cfn),
- name = cfn->get_name(cfn);
- qualifier = cfn->get_qualifier(cfn);
- n = snprintf(buf, BUF_LEN, "0x%06x/0x%08x-0x%02x", vid, name, qualifier);
-
- names = pts_components->get_comp_func_names(pts_components, vid);
- types = pts_components->get_qualifier_type_names(pts_components, vid);
- type = pts_components->get_qualifier(pts_components, cfn, flags);
- if (names && types)
- {
- n = snprintf(buf + n, BUF_LEN - n, " %N/%N [%s] %N",
- pen_names, vid, names, name, flags, types, type);
- }
- return buf;
-}
-
-/**
- * Get the directory separator to append to a path
- */
-static const char* get_separator(const char *path)
-{
- if (streq(path, DIRECTORY_SEPARATOR))
- { /* root directory on Unix file system, no separator */
- return "";
- }
- else
- { /* non-root or Windows path, use system specific separator */
- return DIRECTORY_SEPARATOR;
- }
-}
-
-METHOD(attest_db_t, set_component, bool,
- private_attest_db_t *this, char *comp, bool create)
-{
- enumerator_t *e;
- char *pos1, *pos2;
- int vid, name, qualifier;
- pts_comp_func_name_t *cfn;
-
- if (this->comp_set)
- {
- printf("component has already been set\n");
- return FALSE;
- }
-
- /* parse component string */
- pos1 = strchr(comp, '/');
- pos2 = strchr(comp, '-');
- if (!pos1 || !pos2)
- {
- printf("component string must have the form \"vendor_id/name-qualifier\"\n");
- return FALSE;
- }
- vid = atoi(comp);
- name = atoi(pos1 + 1);
- qualifier = atoi(pos2 + 1);
- cfn = pts_comp_func_name_create(vid, name, qualifier);
-
- e = this->db->query(this->db,
- "SELECT id FROM components "
- "WHERE vendor_id = ? AND name = ? AND qualifier = ?",
- DB_UINT, vid, DB_INT, name, DB_INT, qualifier, DB_INT);
- if (e)
- {
- if (e->enumerate(e, &this->cid))
- {
- this->comp_set = TRUE;
- this->cfn = cfn;
- }
- e->destroy(e);
- }
- if (this->comp_set)
- {
- return TRUE;
- }
-
- if (!create)
- {
- printf("component '%s' not found in database\n", print_cfn(cfn));
- cfn->destroy(cfn);
- return FALSE;
- }
-
- /* Add a new database entry */
- this->comp_set = this->db->execute(this->db, &this->cid,
- "INSERT INTO components (vendor_id, name, qualifier) "
- "VALUES (?, ?, ?)",
- DB_INT, vid, DB_INT, name, DB_INT, qualifier) == 1;
-
- printf("component '%s' %sinserted into database\n", print_cfn(cfn),
- this->comp_set ? "" : "could not be ");
- if (this->comp_set)
- {
- this->cfn = cfn;
- }
- else
- {
- cfn->destroy(cfn);
- }
- return this->comp_set;
-}
-
-METHOD(attest_db_t, set_cid, bool,
- private_attest_db_t *this, int cid)
-{
- enumerator_t *e;
- int vid, name, qualifier;
-
- if (this->comp_set)
- {
- printf("component has already been set\n");
- return FALSE;
- }
- this->cid = cid;
-
- e = this->db->query(this->db, "SELECT vendor_id, name, qualifier "
- "FROM components WHERE id = ?",
- DB_UINT, cid, DB_INT, DB_INT, DB_INT);
- if (e)
- {
- if (e->enumerate(e, &vid, &name, &qualifier))
- {
- this->cfn = pts_comp_func_name_create(vid, name, qualifier);
- this->comp_set = TRUE;
- }
- else
- {
- printf("no component found with cid %d\n", cid);
- }
- e->destroy(e);
- }
- return this->comp_set;
-}
-
-METHOD(attest_db_t, set_directory, bool,
- private_attest_db_t *this, char *dir, bool create)
-{
- enumerator_t *e;
- int did;
- size_t len;
-
- if (this->did)
- {
- printf("directory has already been set\n");
- return FALSE;
- }
-
- /* remove trailing '/' or '\' character if not root directory */
- len = strlen(dir);
- if (len > 1 && dir[len-1] == DIRECTORY_SEPARATOR[0])
- {
- dir[len-1] = '\0';
- }
- this->dir = strdup(dir);
-
- e = this->db->query(this->db,
- "SELECT id FROM directories WHERE path = ?",
- DB_TEXT, dir, DB_INT);
- if (e)
- {
- if (e->enumerate(e, &did))
- {
- this->did = did;
- }
- e->destroy(e);
- }
- if (this->did)
- {
- return TRUE;
- }
-
- if (!create)
- {
- printf("directory '%s' not found in database\n", dir);
- return FALSE;
- }
-
- /* Add a new database entry */
- if (1 == this->db->execute(this->db, &did,
- "INSERT INTO directories (path) VALUES (?)", DB_TEXT, dir))
- {
- this->did = did;
- }
- printf("directory '%s' %sinserted into database\n", dir,
- this->did ? "" : "could not be ");
-
- return this->did > 0;
-}
-
-METHOD(attest_db_t, set_did, bool,
- private_attest_db_t *this, int did)
-{
- enumerator_t *e;
- char *dir;
-
- if (this->did)
- {
- printf("directory has already been set\n");
- return FALSE;
- }
-
- e = this->db->query(this->db, "SELECT path FROM directories WHERE id = ?",
- DB_UINT, did, DB_TEXT);
- if (e)
- {
- if (e->enumerate(e, &dir))
- {
- this->dir = strdup(dir);
- this->did = did;
- }
- else
- {
- printf("no directory found with did %d\n", did);
- }
- e->destroy(e);
- }
- return this->did > 0;
-}
-
-METHOD(attest_db_t, set_file, bool,
- private_attest_db_t *this, char *file, bool create)
-{
- int fid;
- enumerator_t *e;
-
- if (this->file)
- {
- printf("file has already been set\n");
- return FALSE;
- }
- this->file = strdup(file);
-
- if (!this->did)
- {
- return TRUE;
- }
- e = this->db->query(this->db, "SELECT id FROM files "
- "WHERE dir = ? AND name = ?",
- DB_INT, this->did, DB_TEXT, file, DB_INT);
- if (e)
- {
- if (e->enumerate(e, &fid))
- {
- this->fid = fid;
- }
- e->destroy(e);
- }
- if (this->fid)
- {
- return TRUE;
- }
-
- if (!create)
- {
- printf("file '%s%s%s' not found in database\n",
- this->dir, get_separator(this->dir), file);
- return FALSE;
- }
-
- /* Add a new database entry */
- if (1 == this->db->execute(this->db, &fid,
- "INSERT INTO files (dir, name) VALUES (?, ?)",
- DB_INT, this->did, DB_TEXT, file))
- {
- this->fid = fid;
- }
- printf("file '%s%s%s' %sinserted into database\n", this->dir,
- get_separator(this->dir), file, this->fid ? "" : "could not be ");
-
- return this->fid > 0;
-}
-
-METHOD(attest_db_t, set_fid, bool,
- private_attest_db_t *this, int fid)
-{
- enumerator_t *e;
- int did;
- char *file;
-
- if (this->fid)
- {
- printf("file has already been set\n");
- return FALSE;
- }
-
- e = this->db->query(this->db, "SELECT dir, name FROM files WHERE id = ?",
- DB_UINT, fid, DB_INT, DB_TEXT);
- if (e)
- {
- if (e->enumerate(e, &did, &file))
- {
- if (did)
- {
- set_did(this, did);
- }
- this->file = strdup(file);
- this->fid = fid;
- }
- else
- {
- printf("no file found with fid %d\n", fid);
- }
- e->destroy(e);
- }
- return this->fid > 0;
-}
-
-METHOD(attest_db_t, set_meas_directory, bool,
- private_attest_db_t *this, char *dir)
-{
- size_t len;
-
- /* remove trailing '/' character if not root directory */
- len = strlen(dir);
- if (len > 1 && dir[len-1] == '/')
- {
- dir[len-1] = '\0';
- }
- this->meas_dir = strdup(dir);
-
- return TRUE;
-}
-
-METHOD(attest_db_t, set_key, bool,
- private_attest_db_t *this, chunk_t key, bool create)
-{
- enumerator_t *e;
- char *owner;
-
- if (this->key_set)
- {
- printf("key has already been set\n");
- return FALSE;
- }
- this->key = key;
-
- e = this->db->query(this->db, "SELECT id, owner FROM keys WHERE keyid= ?",
- DB_BLOB, this->key, DB_INT, DB_TEXT);
- if (e)
- {
- if (e->enumerate(e, &this->kid, &owner))
- {
- free(this->owner);
- this->owner = strdup(owner);
- this->key_set = TRUE;
- }
- e->destroy(e);
- }
- if (this->key_set)
- {
- return TRUE;
- }
-
- if (!create)
- {
- printf("key '%#B' not found in database\n", &this->key);
- return FALSE;
- }
-
- /* Add a new database entry */
- if (!this->owner)
- {
- this->owner = strdup("");
- }
- this->key_set = this->db->execute(this->db, &this->kid,
- "INSERT INTO keys (keyid, owner) VALUES (?, ?)",
- DB_BLOB, this->key, DB_TEXT, this->owner) == 1;
-
- printf("key '%#B' %sinserted into database\n", &this->key,
- this->key_set ? "" : "could not be ");
-
- return this->key_set;
-
-};
-
-METHOD(attest_db_t, set_kid, bool,
- private_attest_db_t *this, int kid)
-{
- enumerator_t *e;
- chunk_t key;
- char *owner;
-
- if (this->key_set)
- {
- printf("key has already been set\n");
- return FALSE;
- }
- this->kid = kid;
-
- e = this->db->query(this->db, "SELECT keyid, owner FROM keys WHERE id = ?",
- DB_UINT, kid, DB_BLOB, DB_TEXT);
- if (e)
- {
- if (e->enumerate(e, &key, &owner))
- {
- this->owner = strdup(owner);
- this->key = chunk_clone(key);
- this->key_set = TRUE;
- }
- else
- {
- printf("no key found with kid %d\n", kid);
- }
- e->destroy(e);
- }
- return this->key_set;
-
-};
-
-METHOD(attest_db_t, set_product, bool,
- private_attest_db_t *this, char *product, bool create)
-{
- enumerator_t *e;
-
- if (this->product_set)
- {
- printf("product has already been set\n");
- return FALSE;
- }
- this->product = strdup(product);
-
- e = this->db->query(this->db, "SELECT id FROM products WHERE name = ?",
- DB_TEXT, product, DB_INT);
- if (e)
- {
- if (e->enumerate(e, &this->pid))
- {
- this->product_set = TRUE;
- }
- e->destroy(e);
- }
- if (this->product_set)
- {
- return TRUE;
- }
-
- if (!create)
- {
- printf("product '%s' not found in database\n", product);
- return FALSE;
- }
-
- /* Add a new database entry */
- this->product_set = this->db->execute(this->db, &this->pid,
- "INSERT INTO products (name) VALUES (?)",
- DB_TEXT, product) == 1;
-
- printf("product '%s' %sinserted into database\n", product,
- this->product_set ? "" : "could not be ");
-
- return this->product_set;
-}
-
-METHOD(attest_db_t, set_pid, bool,
- private_attest_db_t *this, int pid)
-{
- enumerator_t *e;
- char *product;
-
- if (this->product_set)
- {
- printf("product has already been set\n");
- return FALSE;
- }
- this->pid = pid;
-
- e = this->db->query(this->db, "SELECT name FROM products WHERE id = ?",
- DB_UINT, pid, DB_TEXT);
- if (e)
- {
- if (e->enumerate(e, &product))
- {
- this->product = strdup(product);
- this->product_set = TRUE;
- }
- else
- {
- printf("no product found with pid %d in database\n", pid);
- }
- e->destroy(e);
- }
- return this->product_set;
-}
-
-METHOD(attest_db_t, set_package, bool,
- private_attest_db_t *this, char *package, bool create)
-{
- enumerator_t *e;
-
- if (this->package_set)
- {
- printf("package has already been set\n");
- return FALSE;
- }
- this->package = strdup(package);
-
- e = this->db->query(this->db, "SELECT id FROM packages WHERE name = ?",
- DB_TEXT, package, DB_INT);
- if (e)
- {
- if (e->enumerate(e, &this->gid))
- {
- this->package_set = TRUE;
- }
- e->destroy(e);
- }
- if (this->package_set)
- {
- return TRUE;
- }
-
- if (!create)
- {
- printf("package '%s' not found in database\n", package);
- return FALSE;
- }
-
- /* Add a new database entry */
- this->package_set = this->db->execute(this->db, &this->gid,
- "INSERT INTO packages (name) VALUES (?)",
- DB_TEXT, package) == 1;
-
- printf("package '%s' %sinserted into database\n", package,
- this->package_set ? "" : "could not be ");
-
- return this->package_set;
-}
-
-METHOD(attest_db_t, set_gid, bool,
- private_attest_db_t *this, int gid)
-{
- enumerator_t *e;
- char *package;
-
- if (this->package_set)
- {
- printf("package has already been set\n");
- return FALSE;
- }
- this->gid = gid;
-
- e = this->db->query(this->db, "SELECT name FROM packages WHERE id = ?",
- DB_UINT, gid, DB_TEXT);
- if (e)
- {
- if (e->enumerate(e, &package))
- {
- this->package = strdup(package);
- this->package_set = TRUE;
- }
- else
- {
- printf("no package found with gid %d in database\n", gid);
- }
- e->destroy(e);
- }
- return this->package_set;
-}
-
-METHOD(attest_db_t, set_version, bool,
- private_attest_db_t *this, char *version)
-{
- if (this->version_set)
- {
- printf("version has already been set\n");
- return FALSE;
- }
- this->version = strdup(version);
- this->version_set = TRUE;
-
- return TRUE;
-}
-
-
-METHOD(attest_db_t, set_algo, void,
- private_attest_db_t *this, pts_meas_algorithms_t algo)
-{
- this->algo = algo;
-}
-
-METHOD(attest_db_t, set_relative, void,
- private_attest_db_t *this)
-{
- this->relative = TRUE;
-}
-
-METHOD(attest_db_t, set_package_state, void,
- private_attest_db_t *this, os_package_state_t package_state)
-{
- this->package_state = package_state;
-}
-
-METHOD(attest_db_t, set_sequence, void,
- private_attest_db_t *this, int seq_no)
-{
- this->seq_no = seq_no;
-}
-
-METHOD(attest_db_t, set_owner, void,
- private_attest_db_t *this, char *owner)
-{
- free(this->owner);
- this->owner = strdup(owner);
-}
-
-METHOD(attest_db_t, set_utc, void,
- private_attest_db_t *this)
-{
- this->utc = TRUE;
-}
-
-METHOD(attest_db_t, list_components, void,
- private_attest_db_t *this)
-{
- enumerator_t *e;
- pts_comp_func_name_t *cfn;
- int seq_no, cid, vid, name, qualifier, count = 0;
-
- if (this->kid)
- {
- e = this->db->query(this->db,
- "SELECT kc.seq_no, c.id, c.vendor_id, c.name, c.qualifier "
- "FROM components AS c "
- "JOIN key_component AS kc ON c.id = kc.component "
- "WHERE kc.key = ? ORDER BY kc.seq_no",
- DB_UINT, this->kid, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT);
- if (e)
- {
- while (e->enumerate(e, &cid, &seq_no, &vid, &name, &qualifier))
- {
- cfn = pts_comp_func_name_create(vid, name, qualifier);
- printf("%4d: #%-2d %s\n", seq_no, cid, print_cfn(cfn));
- cfn->destroy(cfn);
- count++;
- }
- e->destroy(e);
- printf("%d component%s found for key %#B\n", count,
- (count == 1) ? "" : "s", &this->key);
- }
- }
- else
- {
- e = this->db->query(this->db,
- "SELECT id, vendor_id, name, qualifier FROM components "
- "ORDER BY vendor_id, name, qualifier",
- DB_INT, DB_INT, DB_INT, DB_INT);
- if (e)
- {
- while (e->enumerate(e, &cid, &vid, &name, &qualifier))
- {
- cfn = pts_comp_func_name_create(vid, name, qualifier);
- printf("%4d: %s\n", cid, print_cfn(cfn));
- cfn->destroy(cfn);
- count++;
- }
- e->destroy(e);
- printf("%d component%s found\n", count, (count == 1) ? "" : "s");
- }
- }
-}
-
-METHOD(attest_db_t, list_devices, void,
- private_attest_db_t *this)
-{
- enumerator_t *e, *e_ar;
- chunk_t ar_id_value = chunk_empty;
- char *product, *device;
- time_t timestamp;
- int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0;
- int session_id, rec;
- u_int32_t ar_id_type;
- u_int tstamp;
-
- e = this->db->query(this->db,
- "SELECT d.id, d.value, s.id, s.time, s.identity, s.rec, p.name "
- "FROM devices AS d "
- "JOIN sessions AS s ON d.id = s.device "
- "JOIN products AS p ON p.id = s.product "
- "ORDER BY d.value, s.time DESC", DB_INT, DB_TEXT, DB_INT, DB_UINT,
- DB_INT, DB_INT, DB_TEXT);
-
- if (e)
- {
- while (e->enumerate(e, &id, &device, &session_id, &tstamp, &ar_id, &rec,
- &product))
- {
- if (id != last_id)
- {
- printf("%4d: %s - %s\n", id, device, product);
- device_count++;
- last_id = id;
- }
- timestamp = tstamp;
- printf("%4d: %T", session_id, &timestamp, this->utc);
- if (ar_id)
- {
- if (ar_id != last_ar_id)
- {
- chunk_free(&ar_id_value);
- e_ar = this->db->query(this->db,
- "SELECT type, value FROM identities "
- "WHERE id = ?", DB_INT, ar_id, DB_INT, DB_BLOB);
- if (e_ar)
- {
- e_ar->enumerate(e_ar, &ar_id_type, &ar_id_value);
- ar_id_value = chunk_clone(ar_id_value);
- e_ar->destroy(e_ar);
- }
- }
- if (ar_id_value.len)
- {
- printf(" %.*s", (int)ar_id_value.len, ar_id_value.ptr);
- }
- last_ar_id = ar_id;
- }
- printf(" - %N\n", TNC_IMV_Action_Recommendation_names, rec);
- }
- e->destroy(e);
- free(ar_id_value.ptr);
-
- printf("%d device%s found\n", device_count,
- (device_count == 1) ? "" : "s");
- }
-}
-
-METHOD(attest_db_t, list_keys, void,
- private_attest_db_t *this)
-{
- enumerator_t *e;
- chunk_t keyid;
- char *owner;
- int kid, count = 0;
-
- if (this->cid)
- {
- e = this->db->query(this->db,
- "SELECT k.id, k.keyid, k.owner FROM keys AS k "
- "JOIN key_component AS kc ON k.id = kc.key "
- "WHERE kc.component = ? ORDER BY k.keyid",
- DB_UINT, this->cid, DB_INT, DB_BLOB, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &kid, &keyid, &owner))
- {
- printf("%4d: %#B '%s'\n", kid, &keyid, owner);
- count++;
- }
- e->destroy(e);
- }
- }
- else
- {
- e = this->db->query(this->db, "SELECT id, keyid, owner FROM keys "
- "ORDER BY keyid",
- DB_INT, DB_BLOB, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &kid, &keyid, &owner))
- {
- printf("%4d: %#B '%s'\n", kid, &keyid, owner);
- count++;
- }
- e->destroy(e);
- }
- }
-
- printf("%d key%s found", count, (count == 1) ? "" : "s");
- if (this->comp_set)
- {
- printf(" for component '%s'", print_cfn(this->cfn));
- }
- printf("\n");
-}
-
-METHOD(attest_db_t, list_files, void,
- private_attest_db_t *this)
-{
- enumerator_t *e;
- char *dir, *file;
- int did, last_did = 0, fid, count = 0;
-
- if (this->did)
- {
- e = this->db->query(this->db,
- "SELECT id, name FROM files WHERE dir = ? ORDER BY name",
- DB_INT, this->did, DB_INT, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &fid, &file))
- {
- printf("%4d: %s\n", fid, file);
- count++;
- }
- e->destroy(e);
- }
- printf("%d file%s found in directory '%s'\n", count,
- (count == 1) ? "" : "s", this->dir);
- }
- else
- {
- e = this->db->query(this->db,
- "SELECT d.id, d.path, f.id, f.name FROM files AS f "
- "JOIN directories AS d ON f.dir = d.id "
- "ORDER BY d.path, f.name",
- DB_INT, DB_TEXT, DB_INT, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &did, &dir, &fid, &file))
- {
- if (did != last_did)
- {
- printf("%4d: %s\n", did, dir);
- last_did = did;
- }
- printf("%4d: %s\n", fid, file);
- count++;
- }
- e->destroy(e);
- }
- printf("%d file%s found\n", count, (count == 1) ? "" : "s");
- }
-}
-
-METHOD(attest_db_t, list_directories, void,
- private_attest_db_t *this)
-{
- enumerator_t *e;
- char *dir;
- int did, count = 0;
-
- if (this->file)
- {
- e = this->db->query(this->db,
- "SELECT d.id, d.path FROM directories AS d "
- "JOIN files AS f ON f.dir = d.id WHERE f.name = ? "
- "ORDER BY path", DB_TEXT, this->file, DB_INT, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &did, &dir))
- {
- printf("%4d: %s\n", did, dir);
- count++;
- }
- e->destroy(e);
- }
- printf("%d director%s found containing file '%s'\n", count,
- (count == 1) ? "y" : "ies", this->file);
- }
- else
- {
- e = this->db->query(this->db,
- "SELECT id, path FROM directories ORDER BY path",
- DB_INT, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &did, &dir))
- {
- printf("%4d: %s\n", did, dir);
- count++;
- }
- e->destroy(e);
- }
- printf("%d director%s found\n", count, (count == 1) ? "y" : "ies");
- }
-}
-
-METHOD(attest_db_t, list_packages, void,
- private_attest_db_t *this)
-{
- enumerator_t *e;
- char *package, *version;
- os_package_state_t package_state;
- int blacklist, security, gid, gid_old = 0, spaces, count = 0, t;
- time_t timestamp;
-
- if (this->pid)
- {
- e = this->db->query(this->db,
- "SELECT p.id, p.name, "
- "v.release, v.security, v.blacklist, v.time "
- "FROM packages AS p JOIN versions AS v ON v.package = p.id "
- "WHERE v.product = ? ORDER BY p.name, v.release",
- DB_INT, this->pid,
- DB_INT, DB_TEXT, DB_TEXT, DB_INT, DB_INT, DB_INT);
- if (e)
- {
- while (e->enumerate(e, &gid, &package,
- &version, &security, &blacklist, &t))
- {
- if (gid != gid_old)
- {
- printf("%5d: %s,", gid, package);
- gid_old = gid;
- }
- else
- {
- spaces = 8 + strlen(package);
- while (spaces--)
- {
- printf(" ");
- }
- }
- timestamp = t;
- if (blacklist)
- {
- package_state = OS_PACKAGE_STATE_BLACKLIST;
- }
- else
- {
- package_state = security ? OS_PACKAGE_STATE_SECURITY :
- OS_PACKAGE_STATE_UPDATE;
- }
- printf(" %T (%s)%N\n", &timestamp, this->utc, version,
- os_package_state_names, package_state);
- count++;
- }
- e->destroy(e);
- }
- }
- else
- {
- e = this->db->query(this->db, "SELECT id, name FROM packages "
- "ORDER BY name",
- DB_INT, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &gid, &package))
- {
- printf("%4d: %s\n", gid, package);
- count++;
- }
- e->destroy(e);
- }
- }
-
- printf("%d package%s found", count, (count == 1) ? "" : "s");
- if (this->product_set)
- {
- printf(" for product '%s'", this->product);
- }
- printf("\n");
-}
-
-METHOD(attest_db_t, list_products, void,
- private_attest_db_t *this)
-{
- enumerator_t *e;
- char *product;
- int pid, meas, meta, count = 0;
-
- if (this->fid)
- {
- e = this->db->query(this->db,
- "SELECT p.id, p.name, pf.measurement, pf.metadata "
- "FROM products AS p "
- "JOIN product_file AS pf ON p.id = pf.product "
- "WHERE pf.file = ? ORDER BY p.name",
- DB_UINT, this->fid, DB_INT, DB_TEXT, DB_INT, DB_INT);
- if (e)
- {
- while (e->enumerate(e, &pid, &product, &meas, &meta))
- {
- printf("%4d: |%s%s| %s\n", pid, meas ? "M":" ", meta ? "T":" ",
- product);
- count++;
- }
- e->destroy(e);
- }
- }
- else
- {
- e = this->db->query(this->db, "SELECT id, name FROM products "
- "ORDER BY name",
- DB_INT, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &pid, &product))
- {
- printf("%4d: %s\n", pid, product);
- count++;
- }
- e->destroy(e);
- }
- }
-
- printf("%d product%s found", count, (count == 1) ? "" : "s");
- if (this->fid)
- {
- printf(" for file '%s'", this->file);
- }
- printf("\n");
-}
-
-METHOD(attest_db_t, list_hashes, void,
- private_attest_db_t *this)
-{
- enumerator_t *e;
- chunk_t hash;
- char *file, *dir, *product;
- int id, fid, fid_old = 0, did, did_old = 0, pid, pid_old = 0, count = 0;
-
- if (this->pid && this->fid && this->did)
- {
- printf("%4d: %s\n", this->did, this->dir);
- printf("%4d: %s\n", this->fid, this->file);
- e = this->db->query(this->db,
- "SELECT id, hash FROM file_hashes "
- "WHERE algo = ? AND file = ? AND product = ?",
- DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->pid,
- DB_INT, DB_BLOB);
- if (e)
- {
- while (e->enumerate(e, &id, &hash))
- {
- printf("%4d: %#B\n", id, &hash);
- count++;
- }
- e->destroy(e);
-
- printf("%d %N value%s found for product '%s'\n", count,
- pts_meas_algorithm_names, this->algo,
- (count == 1) ? "" : "s", this->product);
- }
- }
- else if (this->pid && this->file)
- {
- e = this->db->query(this->db,
- "SELECT h.id, h.hash, f.id, d.id, d.path "
- "FROM file_hashes AS h "
- "JOIN files AS f ON h.file = f.id "
- "JOIN directories AS d ON f.dir = d.id "
- "WHERE h.algo = ? AND h.product = ? AND f.name = ? "
- "ORDER BY d.path, f.name, h.hash",
- DB_INT, this->algo, DB_INT, this->pid, DB_TEXT, this->file,
- DB_INT, DB_BLOB, DB_INT, DB_INT, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &id, &hash, &fid, &did, &dir))
- {
- if (did != did_old)
- {
- printf("%4d: %s\n", did, dir);
- did_old = did;
- }
- if (fid != fid_old)
- {
- printf("%4d: %s\n", fid, this->file);
- fid_old = fid;
- }
- printf("%4d: %#B\n", id, &hash);
- count++;
- }
- e->destroy(e);
-
- printf("%d %N value%s found for product '%s'\n", count,
- pts_meas_algorithm_names, this->algo,
- (count == 1) ? "" : "s", this->product);
- }
- }
- else if (this->pid && this->did)
- {
- printf("%4d: %s\n", this->did, this->dir);
- e = this->db->query(this->db,
- "SELECT h.id, h.hash, f.id, f.name "
- "FROM file_hashes AS h "
- "JOIN files AS f ON h.file = f.id "
- "WHERE h.algo = ? AND h.product = ? AND f.dir = ? "
- "ORDER BY f.name, h.hash",
- DB_INT, this->algo, DB_INT, this->pid, DB_INT, this->did,
- DB_INT, DB_BLOB, DB_INT, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &id, &hash, &fid, &file))
- {
- if (fid != fid_old)
- {
- printf("%4d: %s\n", fid, file);
- fid_old = fid;
- }
- printf("%4d: %#B\n", id, &hash);
- count++;
- }
- e->destroy(e);
-
- printf("%d %N value%s found for product '%s'\n", count,
- pts_meas_algorithm_names, this->algo,
- (count == 1) ? "" : "s", this->product);
- }
- }
- else if (this->pid)
- {
- e = this->db->query(this->db,
- "SELECT h.id, h.hash, f.id, f.name, d.id, d.path "
- "FROM file_hashes AS h "
- "JOIN files AS f ON h.file = f.id "
- "JOIN directories AS d ON f.dir = d.id "
- "WHERE h.algo = ? AND h.product = ? "
- "ORDER BY d.path, f.name, h.hash",
- DB_INT, this->algo, DB_INT, this->pid,
- DB_INT, DB_BLOB, DB_INT, DB_TEXT, DB_INT, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &id, &hash, &fid, &file, &did, &dir))
- {
- if (did != did_old)
- {
- printf("%4d: %s\n", did, dir);
- did_old = did;
- }
- if (fid != fid_old)
- {
- printf("%4d: %s\n", fid, file);
- fid_old = fid;
- }
- printf("%4d: %#B\n", id, &hash);
- count++;
- }
- e->destroy(e);
-
- printf("%d %N value%s found for product '%s'\n", count,
- pts_meas_algorithm_names, this->algo,
- (count == 1) ? "" : "s", this->product);
- }
- }
- else if (this->fid && this->did)
- {
- e = this->db->query(this->db,
- "SELECT h.id, h.hash, p.id, p.name FROM file_hashes AS h "
- "JOIN products AS p ON h.product = p.id "
- "WHERE h.algo = ? AND h.file = ? "
- "ORDER BY p.name, h.hash",
- DB_INT, this->algo, DB_INT, this->fid,
- DB_INT, DB_BLOB, DB_INT, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &id, &hash, &pid, &product))
- {
- if (pid != pid_old)
- {
- printf("%4d: %s\n", pid, product);
- pid_old = pid;
- }
- printf("%4d: %#B\n", id, &hash);
- count++;
- }
- e->destroy(e);
-
- printf("%d %N value%s found for file '%s%s%s'\n", count,
- pts_meas_algorithm_names, this->algo,
- (count == 1) ? "" : "s", this->dir,
- get_separator(this->dir), this->file);
- }
- }
- else if (this->file)
- {
- e = this->db->query(this->db,
- "SELECT h.id, h.hash, f.id, d.id, d.path, p.id, p.name "
- "FROM file_hashes AS h "
- "JOIN files AS f ON h.file = f.id "
- "JOIN directories AS d ON f.dir = d.id "
- "JOIN products AS p ON h.product = p.id "
- "WHERE h.algo = ? AND f.name = ? "
- "ORDER BY d.path, f.name, p.name, h.hash",
- DB_INT, this->algo, DB_TEXT, this->file,
- DB_INT, DB_BLOB, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &id, &hash, &fid, &did, &dir, &pid, &product))
- {
- if (did != did_old)
- {
- printf("%4d: %s\n", did, dir);
- did_old = did;
- }
- if (fid != fid_old)
- {
- printf("%4d: %s\n", fid, this->file);
- fid_old = fid;
- pid_old = 0;
- }
- if (pid != pid_old)
- {
- printf("%4d: %s\n", pid, product);
- pid_old = pid;
- }
- printf("%4d: %#B\n", id, &hash);
- count++;
- }
- e->destroy(e);
-
- printf("%d %N value%s found\n", count, pts_meas_algorithm_names,
- this->algo, (count == 1) ? "" : "s");
- }
-
- }
- else if (this->did)
- {
- e = this->db->query(this->db,
- "SELECT h.id, h.hash, f.id, f.name, p.id, p.name "
- "FROM file_hashes AS h "
- "JOIN files AS f ON h.file = f.id "
- "JOIN products AS p ON h.product = p.id "
- "WHERE h.algo = ? AND f.dir = ? "
- "ORDER BY f.name, p.name, h.hash",
- DB_INT, this->algo, DB_INT, this->did,
- DB_INT, DB_BLOB, DB_INT, DB_TEXT, DB_INT, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &id, &hash, &fid, &file, &pid, &product))
- {
- if (fid != fid_old)
- {
- printf("%4d: %s\n", fid, file);
- fid_old = fid;
- pid_old = 0;
- }
- if (pid != pid_old)
- {
- printf("%4d: %s\n", pid, product);
- pid_old = pid;
- }
- printf("%4d: %#B\n", id, &hash);
- count++;
- }
- e->destroy(e);
-
- printf("%d %N value%s found for directory '%s'\n", count,
- pts_meas_algorithm_names, this->algo,
- (count == 1) ? "" : "s", this->dir);
- }
- }
- else
- {
- e = this->db->query(this->db,
- "SELECT h.id, h.hash, f.id, f.name, d.id, d.path, p.id, p.name "
- "FROM file_hashes AS h "
- "JOIN files AS f ON h.file = f.id "
- "JOIN directories AS d ON f.dir = d.id "
- "JOIN products AS p on h.product = p.id "
- "WHERE h.algo = ? "
- "ORDER BY d.path, f.name, p.name, h.hash",
- DB_INT, this->algo, DB_INT, DB_BLOB, DB_INT, DB_TEXT,
- DB_INT, DB_TEXT, DB_INT, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &id, &hash, &fid, &file, &did, &dir, &pid,
- &product))
- {
- if (did != did_old)
- {
- printf("%4d: %s\n", did, dir);
- did_old = did;
- }
- if (fid != fid_old)
- {
- printf("%4d: %s\n", fid, file);
- fid_old = fid;
- pid_old = 0;
- }
- if (pid != pid_old)
- {
- printf("%4d: %s\n", pid, product);
- pid_old = pid;
- }
- printf("%4d: %#B\n", id, &hash);
- count++;
- }
- e->destroy(e);
-
- printf("%d %N value%s found\n", count, pts_meas_algorithm_names,
- this->algo, (count == 1) ? "" : "s");
- }
- }
-}
-
-METHOD(attest_db_t, list_measurements, void,
- private_attest_db_t *this)
-{
- enumerator_t *e;
- chunk_t hash, keyid;
- pts_comp_func_name_t *cfn;
- char *owner;
- int seq_no, pcr, vid, name, qualifier;
- int cid, cid_old = 0, kid, kid_old = 0, count = 0;
-
- if (this->kid && this->cid)
- {
- e = this->db->query(this->db,
- "SELECT ch.seq_no, ch.pcr, ch.hash, k.owner "
- "FROM component_hashes AS ch "
- "JOIN keys AS k ON k.id = ch.key "
- "WHERE ch.algo = ? AND ch.key = ? AND ch.component = ? "
- "ORDER BY seq_no",
- DB_INT, this->algo, DB_UINT, this->kid, DB_UINT, this->cid,
- DB_INT, DB_INT, DB_BLOB, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &seq_no, &pcr, &hash, &owner))
- {
- if (this->kid != kid_old)
- {
- printf("%4d: %#B '%s'\n", this->kid, &this->key, owner);
- kid_old = this->kid;
- }
- printf("%7d %02d %#B\n", seq_no, pcr, &hash);
- count++;
- }
- e->destroy(e);
-
- printf("%d %N value%s found for component '%s'\n", count,
- pts_meas_algorithm_names, this->algo,
- (count == 1) ? "" : "s", print_cfn(this->cfn));
- }
- }
- else if (this->cid)
- {
- e = this->db->query(this->db,
- "SELECT ch.seq_no, ch.pcr, ch.hash, k.id, k.keyid, k.owner "
- "FROM component_hashes AS ch "
- "JOIN keys AS k ON k.id = ch.key "
- "WHERE ch.algo = ? AND ch.component = ? "
- "ORDER BY keyid, seq_no",
- DB_INT, this->algo, DB_UINT, this->cid,
- DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &seq_no, &pcr, &hash, &kid, &keyid, &owner))
- {
- if (kid != kid_old)
- {
- printf("%4d: %#B '%s'\n", kid, &keyid, owner);
- kid_old = kid;
- }
- printf("%7d %02d %#B\n", seq_no, pcr, &hash);
- count++;
- }
- e->destroy(e);
-
- printf("%d %N value%s found for component '%s'\n", count,
- pts_meas_algorithm_names, this->algo,
- (count == 1) ? "" : "s", print_cfn(this->cfn));
- }
-
- }
- else if (this->kid)
- {
- e = this->db->query(this->db,
- "SELECT ch.seq_no, ch.pcr, ch.hash, "
- "c.id, c.vendor_id, c.name, c.qualifier "
- "FROM component_hashes AS ch "
- "JOIN components AS c ON c.id = ch.component "
- "WHERE ch.algo = ? AND ch.key = ? "
- "ORDER BY vendor_id, name, qualifier, seq_no",
- DB_INT, this->algo, DB_UINT, this->kid, DB_INT, DB_INT, DB_BLOB,
- DB_INT, DB_INT, DB_INT, DB_INT);
- if (e)
- {
- while (e->enumerate(e, &seq_no, &pcr, &hash, &cid, &vid, &name,
- &qualifier))
- {
- if (cid != cid_old)
- {
- cfn = pts_comp_func_name_create(vid, name, qualifier);
- printf("%4d: %s\n", cid, print_cfn(cfn));
- cfn->destroy(cfn);
- cid_old = cid;
- }
- printf("%5d %02d %#B\n", seq_no, pcr, &hash);
- count++;
- }
- e->destroy(e);
-
- printf("%d %N value%s found for key %#B '%s'\n", count,
- pts_meas_algorithm_names, this->algo,
- (count == 1) ? "" : "s", &this->key, this->owner);
- }
- }
-}
-
-METHOD(attest_db_t, list_sessions, void,
- private_attest_db_t *this)
-{
- enumerator_t *e;
- chunk_t identity;
- char *product, *device;
- int session_id, conn_id, rec, device_len;
- time_t created;
- u_int t;
-
- e = this->db->query(this->db,
- "SELECT s.id, s.time, s.connection, s.rec, p.name, d.value, i.value "
- "FROM sessions AS s "
- "LEFT JOIN products AS p ON s.product = p.id "
- "LEFT JOIN devices AS d ON s.device = d.id "
- "LEFT JOIN identities AS i ON s.identity = i.id "
- "ORDER BY s.time DESC",
- DB_INT, DB_UINT, DB_INT, DB_INT, DB_TEXT, DB_TEXT, DB_BLOB);
- if (e)
- {
- while (e->enumerate(e, &session_id, &t, &conn_id, &rec, &product,
- &device, &identity))
- {
- created = t;
- product = product ? product : "-";
- device = strlen(device) ? device : "-";
- device_len = min(strlen(device), DEVICE_MAX_LEN);
- identity = identity.len ? identity : chunk_from_str("-");
- printf("%4d: %T %2d %-20s %.*s%*s%.*s - %N\n", session_id, &created,
- this->utc, conn_id, product, device_len, device,
- DEVICE_MAX_LEN - device_len + 1, " ", (int)identity.len,
- identity.ptr, TNC_IMV_Action_Recommendation_names, rec);
- }
- e->destroy(e);
- }
-}
-
-/**
- * Insert a file hash into the database
- */
-static bool insert_file_hash(private_attest_db_t *this,
- pts_meas_algorithms_t algo,
- chunk_t measurement, int fid,
- int *hashes_added, int *hashes_updated)
-{
- enumerator_t *e;
- chunk_t hash;
- char *label;
- bool insert = TRUE, update = FALSE;
-
- label = "could not be created";
-
- e = this->db->query(this->db,
- "SELECT hash FROM file_hashes WHERE algo = ? "
- "AND file = ? AND product = ? AND device = 0",
- DB_INT, algo, DB_UINT, fid, DB_UINT, this->pid, DB_BLOB);
-
- if (!e)
- {
- printf("file_hashes query failed\n");
- return FALSE;
- }
-
- while (e->enumerate(e, &hash))
- {
- update = TRUE;
-
- if (chunk_equals(measurement, hash))
- {
- label = "exists and equals";
- insert = FALSE;
- break;
- }
- }
- e->destroy(e);
-
- if (insert)
- {
- if (this->db->execute(this->db, NULL,
- "INSERT INTO file_hashes "
- "(file, product, device, algo, hash) "
- "VALUES (?, ?, 0, ?, ?)",
- DB_UINT, fid, DB_UINT, this->pid,
- DB_INT, algo, DB_BLOB, measurement) != 1)
- {
- printf("file_hash insertion failed\n");
- return FALSE;
- }
- if (update)
- {
- label = "updated";
- (*hashes_updated)++;
- }
- else
- {
- label = "created";
- (*hashes_added)++;
- }
- }
- printf(" %#B - %s\n", &measurement, label);
- return TRUE;
-}
-
-/**
- * Add hash measurement for a single file or all files in a directory
- */
-static bool add_hash(private_attest_db_t *this)
-{
- char *pathname, *filename, *label;
- const char *sep;
- pts_file_meas_t *measurements;
- chunk_t measurement;
- hasher_t *hasher = NULL;
- int fid, files_added = 0, hashes_added = 0, hashes_updated = 0;
- enumerator_t *enumerator, *e;
-
- if (!this->meas_dir)
- {
- this->meas_dir = strdup(this->dir);
- }
- sep = get_separator(this->meas_dir);
-
- if (this->fid)
- {
- /* build pathname from directory path and relative filename */
- if (asprintf(&pathname, "%s%s%s", this->meas_dir, sep, this->file) == -1)
- {
- return FALSE;
- }
- measurements = pts_file_meas_create_from_path(0, pathname, FALSE,
- TRUE, this->algo);
- free(pathname);
- }
- else
- {
- measurements = pts_file_meas_create_from_path(0, this->meas_dir, TRUE,
- TRUE, this->algo);
- }
- if (!measurements)
- {
- printf("file measurement failed\n");
- DESTROY_IF(hasher);
- return FALSE;
- }
-
- enumerator = measurements->create_enumerator(measurements);
- while (enumerator->enumerate(enumerator, &filename, &measurement))
- {
- if (this->fid)
- {
- /* a single file already exists */
- filename = this->file;
- fid = this->fid;
- label = "exists";
- }
- else
- {
- /* retrieve or create filename */
- label = "could not be created";
-
- e = this->db->query(this->db,
- "SELECT id FROM files WHERE name = ? AND dir = ?",
- DB_TEXT, filename, DB_INT, this->did, DB_INT);
- if (!e)
- {
- printf("files query failed\n");
- break;
- }
- if (e->enumerate(e, &fid))
- {
- label = "exists";
- }
- else
- {
- if (this->db->execute(this->db, &fid,
- "INSERT INTO files (name, dir) VALUES (?, ?)",
- DB_TEXT, filename, DB_INT, this->did) == 1)
- {
- label = "created";
- files_added++;
- }
- }
- e->destroy(e);
- }
- printf("%4d: %s - %s\n", fid, filename, label);
-
- /* compute file measurement hash */
- if (!insert_file_hash(this, this->algo, measurement, fid,
- &hashes_added, &hashes_updated))
- {
- break;
- }
- }
- enumerator->destroy(enumerator);
-
- printf("%d measurements, added %d new files, %d file hashes, "
- "updated %d file hashes\n",
- measurements->get_file_count(measurements),
- files_added, hashes_added, hashes_updated);
- measurements->destroy(measurements);
-
- return TRUE;
-}
-
-METHOD(attest_db_t, add, bool,
- private_attest_db_t *this)
-{
- bool success = FALSE;
-
- /* add directory or file hash measurement for a given product */
- if (this->did && this->pid)
- {
- return add_hash(this);
- }
-
- /* insert package version */
- if (this->version_set && this->gid && this->pid)
- {
- time_t t = time(NULL);
- int security, blacklist;
-
- security = this->package_state == OS_PACKAGE_STATE_SECURITY;
- blacklist = this->package_state == OS_PACKAGE_STATE_BLACKLIST;
-
- success = this->db->execute(this->db, NULL,
- "INSERT INTO versions "
- "(package, product, release, security, blacklist, time) "
- "VALUES (?, ?, ?, ?, ?, ?)",
- DB_UINT, this->gid, DB_INT, this->pid, DB_TEXT,
- this->version, DB_INT, security, DB_INT, blacklist,
- DB_INT, t) == 1;
-
- printf("'%s' package %s (%s)%N %sinserted into database\n",
- this->product, this->package, this->version,
- os_package_state_names, this->package_state,
- success ? "" : "could not be ");
- }
- return success;
-}
-
-METHOD(attest_db_t, delete, bool,
- private_attest_db_t *this)
-{
- bool success;
- int id, count = 0;
- char *name;
- enumerator_t *e;
-
- /* delete a file measurement hash for a given product */
- if (this->algo && this->pid && this->fid)
- {
- success = this->db->execute(this->db, NULL,
- "DELETE FROM file_hashes "
- "WHERE algo = ? AND product = ? AND file = ?",
- DB_UINT, this->algo, DB_UINT, this->pid,
- DB_UINT, this->fid) > 0;
-
- printf("%4d: %s%s%s\n", this->fid, this->dir, get_separator(this->dir),
- this->file);
- printf("%N value for product '%s' %sdeleted from database\n",
- pts_meas_algorithm_names, this->algo, this->product,
- success ? "" : "could not be ");
-
- return success;
- }
-
- /* delete product/file entries */
- if (this->pid && (this->fid || this->did))
- {
- success = this->db->execute(this->db, NULL,
- "DELETE FROM product_file "
- "WHERE product = ? AND file = ?",
- DB_UINT, this->pid,
- DB_UINT, this->fid ? this->fid : this->did) > 0;
-
- printf("product/file pair (%d/%d) %sdeleted from database\n",
- this->pid, this->fid ? this->fid : this->did,
- success ? "" : "could not be ");
-
- return success;
- }
-
- if (this->cid)
- {
- success = this->db->execute(this->db, NULL,
- "DELETE FROM components WHERE id = ?",
- DB_UINT, this->cid) > 0;
-
- printf("component '%s' %sdeleted from database\n", print_cfn(this->cfn),
- success ? "" : "could not be ");
- return success;
- }
-
- if (this->fid)
- {
- success = this->db->execute(this->db, NULL,
- "DELETE FROM files WHERE id = ?",
- DB_UINT, this->fid) > 0;
-
- printf("file '%s%s%s' %sdeleted from database\n", this->dir,
- get_separator(this->dir), this->file,
- success ? "" : "could not be ");
- return success;
- }
-
- if (this->did)
- {
- e = this->db->query(this->db,
- "SELECT id, name FROM files WHERE dir = ? ORDER BY name",
- DB_INT, this->did, DB_INT, DB_TEXT);
- if (e)
- {
- while (e->enumerate(e, &id, &name))
- {
- printf("%4d: %s\n", id, name);
- count++;
- }
- e->destroy(e);
-
- if (count)
- {
- printf("%d dependent file%s found, "
- "directory '%s' could not deleted\n",
- count, (count == 1) ? "" : "s", this->dir);
- return FALSE;
- }
- }
- success = this->db->execute(this->db, NULL,
- "DELETE FROM directories WHERE id = ?",
- DB_UINT, this->did) > 0;
- printf("directory '%s' %sdeleted from database\n", this->dir,
- success ? "" : "could not be ");
- return success;
- }
-
- if (this->kid)
- {
- success = this->db->execute(this->db, NULL,
- "DELETE FROM keys WHERE id = ?",
- DB_UINT, this->kid) > 0;
-
- printf("key %#B %sdeleted from database\n", &this->key,
- success ? "" : "could not be ");
- return success;
- }
- if (this->pid)
- {
- success = this->db->execute(this->db, NULL,
- "DELETE FROM products WHERE id = ?",
- DB_UINT, this->pid) > 0;
-
- printf("product '%s' %sdeleted from database\n", this->product,
- success ? "" : "could not be ");
- return success;
- }
-
- printf("empty delete command\n");
- return FALSE;
-}
-
-METHOD(attest_db_t, destroy, void,
- private_attest_db_t *this)
-{
- DESTROY_IF(this->db);
- DESTROY_IF(this->cfn);
- free(this->package);
- free(this->product);
- free(this->version);
- free(this->file);
- free(this->dir);
- free(this->meas_dir);
- free(this->owner);
- free(this->key.ptr);
- free(this);
-}
-
-/**
- * Described in header.
- */
-attest_db_t *attest_db_create(char *uri)
-{
- private_attest_db_t *this;
-
- INIT(this,
- .public = {
- .set_component = _set_component,
- .set_cid = _set_cid,
- .set_directory = _set_directory,
- .set_did = _set_did,
- .set_file = _set_file,
- .set_fid = _set_fid,
- .set_meas_directory = _set_meas_directory,
- .set_key = _set_key,
- .set_kid = _set_kid,
- .set_package = _set_package,
- .set_gid = _set_gid,
- .set_product = _set_product,
- .set_pid = _set_pid,
- .set_version = _set_version,
- .set_algo = _set_algo,
- .set_relative = _set_relative,
- .set_package_state = _set_package_state,
- .set_sequence = _set_sequence,
- .set_owner = _set_owner,
- .set_utc = _set_utc,
- .list_packages = _list_packages,
- .list_products = _list_products,
- .list_files = _list_files,
- .list_directories = _list_directories,
- .list_components = _list_components,
- .list_devices = _list_devices,
- .list_keys = _list_keys,
- .list_hashes = _list_hashes,
- .list_measurements = _list_measurements,
- .list_sessions = _list_sessions,
- .add = _add,
- .delete = _delete,
- .destroy = _destroy,
- },
- .db = lib->db->create(lib->db, uri),
- );
-
- if (!this->db)
- {
- fprintf(stderr, "opening database failed.\n");
- destroy(this);
- return NULL;
- }
-
- return &this->public;
-}
diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h
deleted file mode 100644
index 07e55cce7..000000000
--- a/src/libpts/plugins/imv_attestation/attest_db.h
+++ /dev/null
@@ -1,267 +0,0 @@
-/*
- * Copyright (C) 2011-2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup attest_db_t attest_db
- * @{ @ingroup libpts
- */
-
-#ifndef ATTEST_DB_H_
-#define ATTEST_DB_H_
-
-#include <pts/pts_meas_algo.h>
-#include <os_info/os_info.h>
-#include <library.h>
-
-typedef struct attest_db_t attest_db_t;
-
-/**
- * Attestation database object
- */
-struct attest_db_t {
-
- /**
- * Set functional component to be queried
- *
- * @param comp functional component
- * @param create if TRUE create database entry if it doesn't exist
- * @return TRUE if successful
- */
- bool (*set_component)(attest_db_t *this, char *comp, bool create);
-
- /**
- * Set primary key of the functional component to be queried
- *
- * @param fid primary key of functional component
- * @return TRUE if successful
- */
- bool (*set_cid)(attest_db_t *this, int fid);
-
- /**
- * Set directory to be queried
- *
- * @param dir directory
- * @param create if TRUE create database entry if it doesn't exist
- * @return TRUE if successful
- */
- bool (*set_directory)(attest_db_t *this, char *dir, bool create);
-
- /**
- * Set primary key of the directory to be queried
- *
- * @param did primary key of directory
- * @return TRUE if successful
- */
- bool (*set_did)(attest_db_t *this, int did);
-
- /**
- * Set measurement file to be queried
- *
- * @param file measurement file
- * @param create if TRUE create database entry if it doesn't exist
- * @return TRUE if successful
- */
- bool (*set_file)(attest_db_t *this, char *file, bool create);
-
- /**
- * Set primary key of the measurement file to be queried
- *
- * @param fid primary key of measurement file
- * @return TRUE if successful
- */
- bool (*set_fid)(attest_db_t *this, int fid);
-
- /**
- * Set path to directory where file[s] are to be measured
- *
- * @param meas_dir measurement directory
- * @return TRUE if successful
- */
- bool (*set_meas_directory)(attest_db_t *this, char *dir);
-
- /**
- * Set functional component to be queried
- *
- * @param key AIK
- * @param create if TRUE create database entry if it doesn't exist
- * @return TRUE if successful
- */
- bool (*set_key)(attest_db_t *this, chunk_t key, bool create);
-
- /**
- * Set primary key of the AIK to be queried
- *
- * @param kid primary key of AIK
- * @return TRUE if successful
- */
- bool (*set_kid)(attest_db_t *this, int kid);
-
- /**
- * Set software package to be queried
- *
- * @param product software package
- * @param create if TRUE create database entry if it doesn't exist
- * @return TRUE if successful
- */
- bool (*set_package)(attest_db_t *this, char *package, bool create);
-
- /**
- * Set primary key of the software package to be queried
- *
- * @param gid primary key of software package
- * @return TRUE if successful
- */
- bool (*set_gid)(attest_db_t *this, int gid);
-
- /**
- * Set software product to be queried
- *
- * @param product software product
- * @param create if TRUE create database entry if it doesn't exist
- * @return TRUE if successful
- */
- bool (*set_product)(attest_db_t *this, char *product, bool create);
-
- /**
- * Set primary key of the software product to be queried
- *
- * @param pid primary key of software product
- * @return TRUE if successful
- */
- bool (*set_pid)(attest_db_t *this, int pid);
-
- /**
- * Set software package version to be queried
- *
- * @param version software package version
- * @return TRUE if successful
- */
- bool (*set_version)(attest_db_t *this, char *version);
-
- /**
- * Set measurement hash algorithm
- *
- * @param algo hash algorithm
- */
- void (*set_algo)(attest_db_t *this, pts_meas_algorithms_t algo);
-
- /**
- * Set that the IMA-specific SHA-1 template hash be computed
- */
- void (*set_ima)(attest_db_t *this);
-
- /**
- * Set that relative filenames are to be used
- */
- void (*set_relative)(attest_db_t *this);
-
- /**
- * Set the package security or blacklist state
- */
- void (*set_package_state)(attest_db_t *this, os_package_state_t package_state);
-
- /**
- * Set the sequence number
- */
- void (*set_sequence)(attest_db_t *this, int seq_no);
-
- /**
- * Set owner [user/host] of an AIK
- *
- * @param owner user/host name
- * @return TRUE if successful
- */
- void (*set_owner)(attest_db_t *this, char *owner);
-
- /**
- * Display all dates in UTC
- */
- void (*set_utc)(attest_db_t *this);
-
- /**
- * List all packages stored in the database
- */
- void (*list_packages)(attest_db_t *this);
-
- /**
- * List all products stored in the database
- */
- void (*list_products)(attest_db_t *this);
-
- /**
- * List all directories stored in the database
- */
- void (*list_directories)(attest_db_t *this);
-
- /**
- * List selected files stored in the database
- */
- void (*list_files)(attest_db_t *this);
-
- /**
- * List all components stored in the database
- */
- void (*list_components)(attest_db_t *this);
-
- /**
- * List all devices stored in the database
- */
- void (*list_devices)(attest_db_t *this);
-
- /**
- * List all AIKs stored in the database
- */
- void (*list_keys)(attest_db_t *this);
-
- /**
- * List selected measurement hashes stored in the database
- */
- void (*list_hashes)(attest_db_t *this);
-
- /**
- * List selected component measurement stored in the database
- */
- void (*list_measurements)(attest_db_t *this);
-
- /**
- * List sessions stored in the database
- */
- void (*list_sessions)(attest_db_t *this);
-
- /**
- * Add an entry to the database
- */
- bool (*add)(attest_db_t *this);
-
- /**
- * Delete an entry from the database
- */
- bool (*delete)(attest_db_t *this);
-
- /**
- * Destroy attest_db_t object
- */
- void (*destroy)(attest_db_t *this);
-
-};
-
-/**
- * Create an attest_db_t instance
- *
- * @param uri database URI
- */
-attest_db_t* attest_db_create(char *uri);
-
-#endif /** ATTEST_DB_H_ @}*/
diff --git a/src/libpts/plugins/imv_attestation/attest_usage.c b/src/libpts/plugins/imv_attestation/attest_usage.c
deleted file mode 100644
index 8f4afdbad..000000000
--- a/src/libpts/plugins/imv_attestation/attest_usage.c
+++ /dev/null
@@ -1,111 +0,0 @@
-/*
- * Copyright (C) 2011-2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include <stdio.h>
-
-#include "attest_usage.h"
-
-/**
- * print attest usage info
- */
-void usage(void)
-{
- printf("\
-Usage:\n\
- ipsec attest --components|--devices|--sessions|--files|--hashes|--keys [options]\n\
- \n\
- ipsec attest --measurements|--packages|--products|--add|--del [options]\n\
- \n\
- ipsec attest --components [--key <digest>|--kid <id>]\n\
- Show a list of components with an AIK digest or\n\
- its primary key as an optional selector.\n\
- \n\
- ipsec attest --devices [--utc]\n\
- Show a list of registered devices and associated collected information\n\
- \n\
- ipsec attest --sessions [--utc]\n\
- Show a chronologically sorted list of all TNC sessions\n\
- \n\
- ipsec attest --files [--product <name>|--pid <id>]\n\
- Show a list of files with a software product name or\n\
- its primary key as an optional selector.\n\
- \n\
- ipsec attest --hashes [--sha1|--sha256|--sha384] [--product <name>|--pid <id>]\n\
- Show a list of measurement hashes for a given software product or\n\
- its primary key as an optional selector.\n\
- \n\
- ipsec attest --hashes [--sha1|--sha1-ima|--sha256|--sha384] [--file <path>|--fid <id>]\n\
- Show a list of measurement hashes for a given file or\n\
- its primary key as an optional selector.\n\
- \n\
- ipsec attest --keys [--components <cfn>|--cid <id>]\n\
- Show a list of AIK key digests with a component or\n\
- its primary key as an optional selector.\n\
- \n\
- ipsec attest --measurements --sha1|--sha256|--sha384 [--component <cfn>|--cid <id>]\n\
- Show a list of component measurements for a given component or\n\
- its primary key as an optional selector.\n\
- \n\
- ipsec attest --measurements --sha1|--sha256|--sha384 [--key <digest>|--kid <id>|--aik <path>]\n\
- Show a list of component measurements for a given AIK or\n\
- its primary key as an optional selector.\n\
- \n\
- ipsec attest --packages [--product <name>|--pid <id>] [--utc]\n\
- Show a list of software packages for a given product or\n\
- its primary key as an optional selector.\n\
- \n\
- ipsec attest --products [--file <path>|--fid <id>]\n\
- Show a list of supported software products with a file path or\n\
- its primary key as an optional selector.\n\
- \n\
- ipsec attest --add --file <path>|--dir <path>|--product <name>|--component <cfn>\n\
- Add a file, directory, product or component entry\n\
- Component <cfn> entries must be of the form <vendor_id>/<name>-<qualifier>\n\
- \n\
- ipsec attest --add [--owner <name>] --key <digest>|--aik <path>\n\
- Add an AIK public key digest entry preceded by an optional owner name\n\
- \n\
- ipsec attest --add --product <name>|--pid <id> --sha1|--sha1-ima|--sha256|--sha384\n\
- [--relative|--rel] --dir <path>|--file <path>\n\
- Add hashes of a single file or all files in a directory under absolute or relative filenames\n\
- \n\
- ipsec attest --add --key <digest|--kid <id> --component <cfn>|--cid <id> --sequence <no>|--seq <no>\n\
- Add an ordered key/component entry\n\
- \n\
- ipsec attest --add --package <name> --version <string> [--security|--blacklist]\n\
- [--product <name>|--pid <id>]\n\
- Add a package version for a given product optionally with security or blacklist flag\n\
- \n\
- ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\
- Delete a file or directory entry referenced either by value or primary key\n\
- \n\
- ipsec attest --del --product <name>|--pid <id>|--component <cfn>|--cid <id>\n\
- Delete a product or component entry referenced either by value or primary key\n\
- \n\
- ipsec attest --del --product <name>|--pid <id> --file <path>|--fid <id>|--dir <path>|--did <id>\n\
- Delete a product/file entry referenced either by value or primary key\n\
- \n\
- ipsec attest --del --key <digest>|--kid <id>|--aik <path>\n\
- Delete an AIK entry referenced either by value or primary key\n\
- \n\
- ipsec attest --del --key <digest|--kid <id> --component <cfn>|--cid <id>\n\
- Delete a key/component entry\n\
- \n\
- ipsec attest --del --product <name>|--pid <id> --sha1|--sha1-ima|--sha256|--sha384\n\
- [--dir <path>|--did <id>] --file <path>|--fid <id>\n\
- Delete a file hash given an absolute or relative filename\n\
- \n");
-}
-
diff --git a/src/libpts/plugins/imv_attestation/attest_usage.h b/src/libpts/plugins/imv_attestation/attest_usage.h
deleted file mode 100644
index bce801e9d..000000000
--- a/src/libpts/plugins/imv_attestation/attest_usage.h
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright (C) 2011 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#ifndef ATTEST_USAGE_H_
-#define ATTEST_USAGE_H_
-
-/**
- * print attest usage info
- */
-void usage(void);
-
-
-#endif /* ATTEST_USAGE_H_ */
diff --git a/src/libpts/plugins/imv_attestation/build-database.sh b/src/libpts/plugins/imv_attestation/build-database.sh
deleted file mode 100755
index f16b5d152..000000000
--- a/src/libpts/plugins/imv_attestation/build-database.sh
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/bin/sh
-
-p="Ubuntu 14.04 x86_64"
-a="x86_64-linux-gnu"
-k="3.13.0-30-generic"
-
-for hash in sha1 sha256
-do
- ipsec attest --add --product "$p" --$hash --dir /sbin
- ipsec attest --add --product "$p" --$hash --dir /usr/sbin
- ipsec attest --add --product "$p" --$hash --dir /bin
- ipsec attest --add --product "$p" --$hash --dir /usr/bin
-
- ipsec attest --add --product "$p" --$hash --file /etc/init.d/rc
- ipsec attest --add --product "$p" --$hash --file /etc/init.d/rcS
- ipsec attest --add --product "$p" --$hash --dir /etc/network/if-pre-up.d
- ipsec attest --add --product "$p" --$hash --dir /etc/network/if-up.d
- ipsec attest --add --product "$p" --$hash --dir /etc/ppp/ip-down.d
- ipsec attest --add --product "$p" --$hash --dir /etc/rcS.d
- ipsec attest --add --product "$p" --$hash --dir /etc/rc2.d
- ipsec attest --add --product "$p" --$hash --file /etc/rc.local
- ipsec attest --add --product "$p" --$hash --dir /etc/resolvconf/update.d
- ipsec attest --add --product "$p" --$hash --file /etc/resolvconf/update-libc.d/avahi-daemon
- ipsec attest --add --product "$p" --$hash --dir /etc/update-motd.d
-
- ipsec attest --add --product "$p" --$hash --dir /lib
- ipsec attest --add --product "$p" --$hash --file /lib/crda/setregdomain
- ipsec attest --add --product "$p" --$hash --dir /lib/ebtables
- ipsec attest --add --product "$p" --$hash --file /lib/init/apparmor-profile-load
- ipsec attest --add --product "$p" --$hash --file /lib/resolvconf/list-records
- ipsec attest --add --product "$p" --$hash --dir /lib/ufw
- ipsec attest --add --product "$p" --$hash --dir /lib/udev
- ipsec attest --add --product "$p" --$hash --dir /lib/systemd
- ipsec attest --add --product "$p" --$hash --dir /lib/xtables
- ipsec attest --add --product "$p" --$hash --dir /lib/$a
- ipsec attest --add --product "$p" --$hash --dir /lib/$a/plymouth
- ipsec attest --add --product "$p" --$hash --dir /lib/$a/plymouth/renderers
- ipsec attest --add --product "$p" --$hash --dir /lib/$a/security
-
- ipsec attest --add --product "$p" --$hash --file /lib64/ld-linux-x86-64.so.2
-
- for file in `find /usr/lib -name *.so`
- do
- ipsec attest --add --product "$p" --$hash --file $file
- done
-
- for file in `find /usr/lib -name *service`
- do
- ipsec attest --add --product "$p" --$hash --file $file
- done
-
- ipsec attest --add --product "$p" --$hash --dir /usr/lib
- ipsec attest --add --product "$p" --$hash --dir /usr/lib/accountsservice
- ipsec attest --add --product "$p" --$hash --dir /usr/lib/at-spi2-core
- ipsec attest --add --product "$p" --$hash --file /usr/lib/avahi/avahi-daemon-check-dns.sh
- ipsec attest --add --product "$p" --$hash --file /usr/lib/dbus-1.0/dbus-daemon-launch-helper
- ipsec attest --add --product "$p" --$hash --dir /usr/lib/gvfs
- ipsec attest --add --product "$p" --$hash --file /usr/lib/firefox/firefox
- ipsec attest --add --product "$p" --$hash --dir /usr/lib/NetworkManager
- ipsec attest --add --product "$p" --$hash --dir /usr/lib/pm-utils/power.d
- ipsec attest --add --product "$p" --$hash --file /usr/lib/policykit-1/polkitd
- ipsec attest --add --product "$p" --$hash --file /usr/lib/thunderbird/thunderbird
- ipsec attest --add --product "$p" --$hash --dir /usr/lib/ubuntu-release-upgrader
- ipsec attest --add --product "$p" --$hash --dir /usr/lib/update-notifier
-
- ipsec attest --add --product "$p" --$hash --dir /usr/lib/$a
- ipsec attest --add --product "$p" --$hash --file /usr/lib/$a/mesa/libGL.so.1.2.0
- ipsec attest --add --product "$p" --$hash --dir /usr/lib/$a/samba
- ipsec attest --add --product "$p" --$hash --dir /usr/lib/$a/sasl2
-
- ipsec attest --add --product "$p" --$hash --dir /usr/share/language-tools
-
- ipsec attest --add --product "$p" --$hash --file /init \
- --measdir /usr/share/initramfs-tools
-
- ipsec attest --add --product "$p" --$hash --file /scripts/functions \
- --measdir /usr/share/initramfs-tools/scripts
-
- for file in `find /lib/modules/$k -name *.ko`
- do
- ipsec attest --add --product "$p" --$hash --file $file
- done
-done
-
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation.c b/src/libpts/plugins/imv_attestation/imv_attestation.c
deleted file mode 100644
index 542a561aa..000000000
--- a/src/libpts/plugins/imv_attestation/imv_attestation.c
+++ /dev/null
@@ -1,24 +0,0 @@
-/*
- * Copyright (C) 2013 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "imv_attestation_agent.h"
-
-static const char imv_name[] = "Attestation";
-static const imv_agent_create_t imv_agent_create = imv_attestation_agent_create;
-
-/* include generic TGC TNC IF-IMV API code below */
-
-#include <imv/imv_if.h>
-
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
deleted file mode 100644
index fcfee31c1..000000000
--- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
+++ /dev/null
@@ -1,909 +0,0 @@
-/*
- * Copyright (C) 2011-2012 Sansar Choinyambuu
- * Copyright (C) 2011-2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE /* for stdndup() */
-#include <string.h>
-
-#include "imv_attestation_agent.h"
-#include "imv_attestation_state.h"
-#include "imv_attestation_process.h"
-#include "imv_attestation_build.h"
-
-#include <imcv.h>
-#include <imv/imv_agent.h>
-#include <imv/imv_msg.h>
-#include <imv/imv_session.h>
-#include <imv/imv_os_info.h>
-#include <ietf/ietf_attr.h>
-#include <ietf/ietf_attr_attr_request.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
-#include <ietf/ietf_attr_product_info.h>
-#include <ietf/ietf_attr_string_version.h>
-#include <ita/ita_attr.h>
-#include <ita/ita_attr_device_id.h>
-
-#include <libpts.h>
-
-#include <pts/pts.h>
-#include <pts/pts_database.h>
-#include <pts/pts_creds.h>
-#include <pts/components/ita/ita_comp_func_name.h>
-
-#include <tcg/tcg_attr.h>
-#include <tcg/pts/tcg_pts_attr_meas_algo.h>
-#include <tcg/pts/tcg_pts_attr_proto_caps.h>
-#include <tcg/pts/tcg_pts_attr_req_file_meas.h>
-#include <tcg/pts/tcg_pts_attr_req_file_meta.h>
-
-#include <tncif_pa_subtypes.h>
-
-#include <pen/pen.h>
-#include <utils/debug.h>
-#include <credentials/credential_manager.h>
-#include <collections/linked_list.h>
-
-typedef struct private_imv_attestation_agent_t private_imv_attestation_agent_t;
-
-/* Subscribed PA-TNC message subtypes */
-static pen_type_t msg_types[] = {
- { PEN_TCG, PA_SUBTYPE_TCG_PTS },
- { PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
-};
-
-/**
- * Private data of an imv_attestation_agent_t object.
- */
-struct private_imv_attestation_agent_t {
-
- /**
- * Public members of imv_attestation_agent_t
- */
- imv_agent_if_t public;
-
- /**
- * IMV agent responsible for generic functions
- */
- imv_agent_t *agent;
-
- /**
- * Supported PTS measurement algorithms
- */
- pts_meas_algorithms_t supported_algorithms;
-
- /**
- * Supported PTS Diffie Hellman Groups
- */
- pts_dh_group_t supported_dh_groups;
-
- /**
- * PTS file measurement database
- */
- pts_database_t *pts_db;
-
- /**
- * PTS credentials
- */
- pts_creds_t *pts_creds;
-
- /**
- * PTS credential manager
- */
- credential_manager_t *pts_credmgr;
-
-};
-
-METHOD(imv_agent_if_t, bind_functions, TNC_Result,
- private_imv_attestation_agent_t *this, TNC_TNCS_BindFunctionPointer bind_function)
-{
- return this->agent->bind_functions(this->agent, bind_function);
-}
-
-METHOD(imv_agent_if_t, notify_connection_change, TNC_Result,
- private_imv_attestation_agent_t *this, TNC_ConnectionID id,
- TNC_ConnectionState new_state)
-{
- TNC_IMV_Action_Recommendation rec;
- imv_state_t *state;
- imv_session_t *session;
-
- switch (new_state)
- {
- case TNC_CONNECTION_STATE_CREATE:
- state = imv_attestation_state_create(id);
- return this->agent->create_state(this->agent, state);
- case TNC_CONNECTION_STATE_DELETE:
- return this->agent->delete_state(this->agent, id);
- case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
- case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
- case TNC_CONNECTION_STATE_ACCESS_NONE:
- if (this->agent->get_state(this->agent, id, &state) && imcv_db)
- {
- session = state->get_session(state);
-
- if (session->get_policy_started(session))
- {
- switch (new_state)
- {
- case TNC_CONNECTION_STATE_ACCESS_ALLOWED:
- rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW;
- break;
- case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
- rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE;
- break;
- case TNC_CONNECTION_STATE_ACCESS_NONE:
- default:
- rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS;
- }
- imcv_db->add_recommendation(imcv_db, session, rec);
- if (!imcv_db->policy_script(imcv_db, session, FALSE))
- {
- DBG1(DBG_IMV, "error in policy script stop");
- }
- }
- }
- /* fall through to default state */
- default:
- return this->agent->change_state(this->agent, id, new_state, NULL);
- }
-}
-
-/**
- * Process a received message
- */
-static TNC_Result receive_msg(private_imv_attestation_agent_t *this,
- imv_state_t *state, imv_msg_t *in_msg)
-{
- imv_msg_t *out_msg;
- imv_session_t *session;
- imv_os_info_t *os_info;
- enumerator_t *enumerator;
- pa_tnc_attr_t *attr;
- pen_type_t type;
- TNC_Result result;
- chunk_t os_name, os_version;
- bool fatal_error = FALSE;
-
- /* parse received PA-TNC message and handle local and remote errors */
- result = in_msg->receive(in_msg, &fatal_error);
- if (result != TNC_RESULT_SUCCESS)
- {
- return result;
- }
-
- session = state->get_session(state);
- os_info = session->get_os_info(session);
-
- out_msg = imv_msg_create_as_reply(in_msg);
- out_msg->set_msg_type(out_msg, msg_types[0]);
-
- /* analyze PA-TNC attributes */
- enumerator = in_msg->create_attribute_enumerator(in_msg);
- while (enumerator->enumerate(enumerator, &attr))
- {
- type = attr->get_type(attr);
-
- if (type.vendor_id == PEN_IETF)
- {
- switch (type.type)
- {
- case IETF_ATTR_PA_TNC_ERROR:
- {
- ietf_attr_pa_tnc_error_t *error_attr;
- pen_type_t error_code;
- chunk_t msg_info;
-
- error_attr = (ietf_attr_pa_tnc_error_t*)attr;
- error_code = error_attr->get_error_code(error_attr);
-
- if (error_code.vendor_id == PEN_TCG)
- {
- msg_info = error_attr->get_msg_info(error_attr);
-
- DBG1(DBG_IMV, "received TCG-PTS error '%N'",
- pts_error_code_names, error_code.type);
- DBG1(DBG_IMV, "error information: %B", &msg_info);
- fatal_error = TRUE;
- }
- break;
- }
- case IETF_ATTR_PRODUCT_INFORMATION:
- {
- ietf_attr_product_info_t *attr_cast;
- pen_t vendor_id;
-
- state->set_action_flags(state,
- IMV_ATTESTATION_ATTR_PRODUCT_INFO);
- attr_cast = (ietf_attr_product_info_t*)attr;
- os_name = attr_cast->get_info(attr_cast, &vendor_id, NULL);
- os_info->set_name(os_info, os_name);
-
- if (vendor_id != PEN_IETF)
- {
- DBG1(DBG_IMV, "operating system name is '%.*s' "
- "from vendor %N", os_name.len, os_name.ptr,
- pen_names, vendor_id);
- }
- else
- {
- DBG1(DBG_IMV, "operating system name is '%.*s'",
- os_name.len, os_name.ptr);
- }
- break;
-
- break;
- }
- case IETF_ATTR_STRING_VERSION:
- {
- ietf_attr_string_version_t *attr_cast;
-
- state->set_action_flags(state,
- IMV_ATTESTATION_ATTR_STRING_VERSION);
- attr_cast = (ietf_attr_string_version_t*)attr;
- os_version = attr_cast->get_version(attr_cast, NULL, NULL);
- os_info->set_version(os_info, os_version);
-
- if (os_version.len)
- {
- DBG1(DBG_IMV, "operating system version is '%.*s'",
- os_version.len, os_version.ptr);
- }
- break;
- }
- default:
- break;
- }
- }
- else if (type.vendor_id == PEN_ITA)
- {
- switch (type.type)
- {
- case ITA_ATTR_DEVICE_ID:
- {
- chunk_t value;
-
- state->set_action_flags(state,
- IMV_ATTESTATION_ATTR_DEVICE_ID);
-
- value = attr->get_value(attr);
- DBG1(DBG_IMV, "device ID is %.*s", value.len, value.ptr);
- session->set_device_id(session, value);
- break;
- }
- default:
- break;
- }
- }
- else if (type.vendor_id == PEN_TCG)
- {
- if (!imv_attestation_process(attr, out_msg, state,
- this->supported_algorithms, this->supported_dh_groups,
- this->pts_db, this->pts_credmgr))
- {
- result = TNC_RESULT_FATAL;
- break;
- }
- }
- }
- enumerator->destroy(enumerator);
-
- if (fatal_error || result != TNC_RESULT_SUCCESS)
- {
- state->set_recommendation(state,
- TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
- TNC_IMV_EVALUATION_RESULT_ERROR);
- result = out_msg->send_assessment(out_msg);
- out_msg->destroy(out_msg);
- if (result != TNC_RESULT_SUCCESS)
- {
- return result;
- }
- return this->agent->provide_recommendation(this->agent, state);
- }
-
- /* send PA-TNC message with excl flag set */
- result = out_msg->send(out_msg, TRUE);
- out_msg->destroy(out_msg);
-
- return result;
-}
-
-METHOD(imv_agent_if_t, receive_message, TNC_Result,
- private_imv_attestation_agent_t *this, TNC_ConnectionID id,
- TNC_MessageType msg_type, chunk_t msg)
-{
- imv_state_t *state;
- imv_msg_t *in_msg;
- TNC_Result result;
-
- if (!this->agent->get_state(this->agent, id, &state))
- {
- return TNC_RESULT_FATAL;
- }
- in_msg = imv_msg_create_from_data(this->agent, state, id, msg_type, msg);
- result = receive_msg(this, state, in_msg);
- in_msg->destroy(in_msg);
-
- return result;
-}
-
-METHOD(imv_agent_if_t, receive_message_long, TNC_Result,
- private_imv_attestation_agent_t *this, TNC_ConnectionID id,
- TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id,
- TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype, chunk_t msg)
-{
- imv_state_t *state;
- imv_msg_t *in_msg;
- TNC_Result result;
-
- if (!this->agent->get_state(this->agent, id, &state))
- {
- return TNC_RESULT_FATAL;
- }
- in_msg = imv_msg_create_from_long_data(this->agent, state, id,
- src_imc_id, dst_imv_id, msg_vid, msg_subtype, msg);
- result = receive_msg(this, state, in_msg);
- in_msg->destroy(in_msg);
-
- return result;
-}
-
-/**
- * Build an IETF Attribute Request attribute for missing attributes
- */
-static pa_tnc_attr_t* build_attr_request(uint32_t received)
-{
- pa_tnc_attr_t *attr;
- ietf_attr_attr_request_t *attr_cast;
-
- attr = ietf_attr_attr_request_create(PEN_RESERVED, 0);
- attr_cast = (ietf_attr_attr_request_t*)attr;
-
- if (!(received & IMV_ATTESTATION_ATTR_PRODUCT_INFO) ||
- !(received & IMV_ATTESTATION_ATTR_STRING_VERSION))
- {
- attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_PRODUCT_INFORMATION);
- attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_STRING_VERSION);
- }
- if (!(received & IMV_ATTESTATION_ATTR_DEVICE_ID))
- {
- attr_cast->add(attr_cast, PEN_ITA, ITA_ATTR_DEVICE_ID);
- }
-
- return attr;
-}
-
-METHOD(imv_agent_if_t, batch_ending, TNC_Result,
- private_imv_attestation_agent_t *this, TNC_ConnectionID id)
-{
- imv_msg_t *out_msg;
- imv_state_t *state;
- imv_session_t *session;
- imv_attestation_state_t *attestation_state;
- imv_attestation_handshake_state_t handshake_state;
- imv_workitem_t *workitem;
- TNC_IMV_Action_Recommendation rec;
- TNC_IMV_Evaluation_Result eval;
- TNC_IMVID imv_id;
- TNC_Result result = TNC_RESULT_SUCCESS;
- pts_t *pts;
- int pid;
- uint32_t actions;
- enumerator_t *enumerator;
-
- if (!this->agent->get_state(this->agent, id, &state))
- {
- return TNC_RESULT_FATAL;
- }
- attestation_state = (imv_attestation_state_t*)state;
- pts = attestation_state->get_pts(attestation_state);
- handshake_state = attestation_state->get_handshake_state(attestation_state);
- actions = state->get_action_flags(state);
- session = state->get_session(state);
- imv_id = this->agent->get_id(this->agent);
-
- /* exit if a recommendation has already been provided */
- if (actions & IMV_ATTESTATION_REC)
- {
- return TNC_RESULT_SUCCESS;
- }
-
- /* send an IETF attribute request if no platform info was received */
- if (!(actions & IMV_ATTESTATION_ATTR_REQ))
- {
- if ((actions & IMV_ATTESTATION_ATTR_MUST) != IMV_ATTESTATION_ATTR_MUST)
- {
- imv_msg_t *os_msg;
-
- /* create attribute request for missing mandatory attributes */
- os_msg = imv_msg_create(this->agent, state, id, imv_id,
- TNC_IMCID_ANY, msg_types[1]);
- os_msg->add_attribute(os_msg, build_attr_request(actions));
- result = os_msg->send(os_msg, FALSE);
- os_msg->destroy(os_msg);
-
- if (result != TNC_RESULT_SUCCESS)
- {
- return result;
- }
- }
- state->set_action_flags(state, IMV_ATTESTATION_ATTR_REQ);
- }
-
- if (!session->get_policy_started(session) &&
- (actions & IMV_ATTESTATION_ATTR_PRODUCT_INFO) &&
- (actions & IMV_ATTESTATION_ATTR_STRING_VERSION) &&
- (actions & IMV_ATTESTATION_ATTR_DEVICE_ID))
- {
- if (imcv_db)
- {
- /* start the policy script */
- if (!imcv_db->policy_script(imcv_db, session, TRUE))
- {
- DBG1(DBG_IMV, "error in policy script start");
- }
- }
- else
- {
- DBG2(DBG_IMV, "no workitems available - no evaluation possible");
- state->set_recommendation(state,
- TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
- TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
- session->set_policy_started(session, TRUE);
- }
- }
-
- if (handshake_state == IMV_ATTESTATION_STATE_INIT)
- {
- pa_tnc_attr_t *attr;
- pts_proto_caps_flag_t flags;
-
- out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
- msg_types[0]);
-
- /* Send Request Protocol Capabilities attribute */
- flags = pts->get_proto_caps(pts);
- attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
- attr->set_noskip_flag(attr, TRUE);
- out_msg->add_attribute(out_msg, attr);
-
- /* Send Measurement Algorithms attribute */
- attr = tcg_pts_attr_meas_algo_create(this->supported_algorithms, FALSE);
- attr->set_noskip_flag(attr, TRUE);
- out_msg->add_attribute(out_msg, attr);
-
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_DISCOVERY);
-
- /* send these initial PTS attributes and exit */
- result = out_msg->send(out_msg, FALSE);
- out_msg->destroy(out_msg);
-
- return result;
- }
-
- /* exit if we are not ready yet for PTS measurements */
- if (!(actions & IMV_ATTESTATION_ALGO))
- {
- return TNC_RESULT_SUCCESS;
- }
-
- session->get_session_id(session, &pid, NULL);
- pts->set_platform_id(pts, pid);
-
- /* create an empty out message - we might need it */
- out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY,
- msg_types[0]);
-
- /* establish the PTS measurements to be taken */
- if (!(actions & IMV_ATTESTATION_FILE_MEAS))
- {
- bool is_dir, no_workitems = TRUE;
- uint32_t delimiter = SOLIDUS_UTF;
- uint16_t request_id;
- pa_tnc_attr_t *attr;
- char *pathname;
-
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_END);
-
- enumerator = session->create_workitem_enumerator(session);
- if (enumerator)
- {
- while (enumerator->enumerate(enumerator, &workitem))
- {
- if (workitem->get_imv_id(workitem) != TNC_IMVID_ANY)
- {
- continue;
- }
-
- switch (workitem->get_type(workitem))
- {
- case IMV_WORKITEM_FILE_REF_MEAS:
- case IMV_WORKITEM_FILE_MEAS:
- case IMV_WORKITEM_FILE_META:
- is_dir = FALSE;
- break;
- case IMV_WORKITEM_DIR_REF_MEAS:
- case IMV_WORKITEM_DIR_MEAS:
- case IMV_WORKITEM_DIR_META:
- is_dir = TRUE;
- break;
- case IMV_WORKITEM_TPM_ATTEST:
- {
- pts_component_t *comp;
- pts_comp_func_name_t *comp_name;
- bool no_d_flag, no_t_flag;
- char result_str[BUF_LEN];
-
- workitem->set_imv_id(workitem, imv_id);
- no_workitems = FALSE;
- no_d_flag = !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D);
- no_t_flag = !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T);
- if (no_d_flag || no_t_flag)
- {
- snprintf(result_str, BUF_LEN, "%s%s%s",
- (no_t_flag) ? "no TPM available" : "",
- (no_t_flag && no_d_flag) ? ", " : "",
- (no_d_flag) ? "no DH nonce negotiation" : "");
- eval = TNC_IMV_EVALUATION_RESULT_ERROR;
- session->remove_workitem(session, enumerator);
- rec = workitem->set_result(workitem, result_str, eval);
- state->update_recommendation(state, rec, eval);
- imcv_db->finalize_workitem(imcv_db, workitem);
- workitem->destroy(workitem);
- continue;
- }
-
- /* do TPM BIOS measurements */
- if (strchr(workitem->get_arg_str(workitem), 'B'))
- {
- comp_name = pts_comp_func_name_create(PEN_ITA,
- PTS_ITA_COMP_FUNC_NAME_IMA,
- PTS_ITA_QUALIFIER_FLAG_KERNEL |
- PTS_ITA_QUALIFIER_TYPE_TRUSTED);
- comp = attestation_state->create_component(
- attestation_state, comp_name,
- 0, this->pts_db);
- if (!comp)
- {
- comp_name->log(comp_name, "unregistered ");
- comp_name->destroy(comp_name);
- }
- }
-
- /* do TPM IMA measurements */
- if (strchr(workitem->get_arg_str(workitem), 'I'))
- {
- comp_name = pts_comp_func_name_create(PEN_ITA,
- PTS_ITA_COMP_FUNC_NAME_IMA,
- PTS_ITA_QUALIFIER_FLAG_KERNEL |
- PTS_ITA_QUALIFIER_TYPE_OS);
- comp = attestation_state->create_component(
- attestation_state, comp_name,
- 0, this->pts_db);
- if (!comp)
- {
- comp_name->log(comp_name, "unregistered ");
- comp_name->destroy(comp_name);
- }
- }
-
- /* do TPM TRUSTED BOOT measurements */
- if (strchr(workitem->get_arg_str(workitem), 'T'))
- {
- comp_name = pts_comp_func_name_create(PEN_ITA,
- PTS_ITA_COMP_FUNC_NAME_TBOOT,
- PTS_ITA_QUALIFIER_FLAG_KERNEL |
- PTS_ITA_QUALIFIER_TYPE_TRUSTED);
- comp = attestation_state->create_component(
- attestation_state, comp_name,
- 0, this->pts_db);
- if (!comp)
- {
- comp_name->log(comp_name, "unregistered ");
- comp_name->destroy(comp_name);
- }
- }
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_NONCE_REQ);
- continue;
- }
- default:
- continue;
- }
-
- /* initiate file and directory measurements */
- pathname = this->pts_db->get_pathname(this->pts_db, is_dir,
- workitem->get_arg_int(workitem));
- if (!pathname)
- {
- continue;
- }
- workitem->set_imv_id(workitem, imv_id);
- no_workitems = FALSE;
-
- if (workitem->get_type(workitem) == IMV_WORKITEM_FILE_META)
- {
- TNC_IMV_Action_Recommendation rec;
- TNC_IMV_Evaluation_Result eval;
- char result_str[BUF_LEN];
-
- DBG2(DBG_IMV, "IMV %d requests metadata for %s '%s'",
- imv_id, is_dir ? "directory" : "file", pathname);
-
- /* currently just fire and forget metadata requests */
- attr = tcg_pts_attr_req_file_meta_create(is_dir,
- delimiter, pathname);
- snprintf(result_str, BUF_LEN, "%s metadata requested",
- is_dir ? "directory" : "file");
- eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
- session->remove_workitem(session, enumerator);
- rec = workitem->set_result(workitem, result_str, eval);
- state->update_recommendation(state, rec, eval);
- imcv_db->finalize_workitem(imcv_db, workitem);
- workitem->destroy(workitem);
- }
- else
- {
- /* use lower 16 bits of the workitem ID as request ID */
- request_id = workitem->get_id(workitem) & 0xffff;
-
- DBG2(DBG_IMV, "IMV %d requests measurement %d for %s '%s'",
- imv_id, request_id, is_dir ? "directory" : "file",
- pathname);
- attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
- delimiter, pathname);
- }
- free(pathname);
- attr->set_noskip_flag(attr, TRUE);
- out_msg->add_attribute(out_msg, attr);
- }
- enumerator->destroy(enumerator);
-
- /* sent all file and directory measurement and metadata requests */
- state->set_action_flags(state, IMV_ATTESTATION_FILE_MEAS);
-
- if (no_workitems)
- {
- DBG2(DBG_IMV, "IMV %d has no workitems - "
- "no evaluation requested", imv_id);
- state->set_recommendation(state,
- TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
- TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
- }
- }
- }
-
- /* check the IMV state for the next PA-TNC attributes to send */
- enumerator = session->create_workitem_enumerator(session);
- while (enumerator->enumerate(enumerator, &workitem))
- {
- if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST)
- {
- if (!imv_attestation_build(out_msg, state,
- this->supported_dh_groups, this->pts_db))
- {
- imv_reason_string_t *reason_string;
- chunk_t result;
- char *result_str;
-
- reason_string = imv_reason_string_create("en", ", ");
- attestation_state->add_comp_evid_reasons(attestation_state,
- reason_string);
- result = reason_string->get_encoding(reason_string);
- result_str = strndup(result.ptr, result.len);
- reason_string->destroy(reason_string);
-
- eval = TNC_IMV_EVALUATION_RESULT_ERROR;
- session->remove_workitem(session, enumerator);
- rec = workitem->set_result(workitem, result_str, eval);
- state->update_recommendation(state, rec, eval);
- imcv_db->finalize_workitem(imcv_db, workitem);
- }
- break;
- }
- }
- enumerator->destroy(enumerator);
-
- /* finalized all workitems? */
- if (session->get_policy_started(session) &&
- session->get_workitem_count(session, imv_id) == 0 &&
- attestation_state->get_handshake_state(attestation_state) ==
- IMV_ATTESTATION_STATE_END)
- {
- result = out_msg->send_assessment(out_msg);
- out_msg->destroy(out_msg);
- state->set_action_flags(state, IMV_ATTESTATION_REC);
-
- if (result != TNC_RESULT_SUCCESS)
- {
- return result;
- }
- return this->agent->provide_recommendation(this->agent, state);
- }
-
- /* send non-empty PA-TNC message with excl flag not set */
- if (out_msg->get_attribute_count(out_msg))
- {
- result = out_msg->send(out_msg, FALSE);
- }
- out_msg->destroy(out_msg);
-
- return result;
-}
-
-METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
- private_imv_attestation_agent_t *this, TNC_ConnectionID id)
-{
- TNC_IMVID imv_id;
- imv_state_t *state;
- imv_attestation_state_t *attestation_state;
- imv_session_t *session;
-
- if (!this->agent->get_state(this->agent, id, &state))
- {
- return TNC_RESULT_FATAL;
- }
- attestation_state = (imv_attestation_state_t*)state;
- session = state->get_session(state);
- imv_id = this->agent->get_id(this->agent);
-
- if (imcv_db)
- {
- TNC_IMV_Evaluation_Result eval;
- TNC_IMV_Action_Recommendation rec;
- imv_workitem_t *workitem;
- enumerator_t *enumerator;
- int pending_file_meas = 0;
- char *result_str;
- chunk_t result_buf;
- bio_writer_t *result;
-
- enumerator = session->create_workitem_enumerator(session);
- if (enumerator)
- {
- while (enumerator->enumerate(enumerator, &workitem))
- {
- if (workitem->get_imv_id(workitem) != imv_id)
- {
- continue;
- }
- result = bio_writer_create(128);
-
- switch (workitem->get_type(workitem))
- {
- case IMV_WORKITEM_FILE_REF_MEAS:
- case IMV_WORKITEM_FILE_MEAS:
- case IMV_WORKITEM_DIR_REF_MEAS:
- case IMV_WORKITEM_DIR_MEAS:
- result_str = "pending file measurements";
- pending_file_meas++;
- break;
- case IMV_WORKITEM_TPM_ATTEST:
- attestation_state->finalize_components(attestation_state,
- result);
- result->write_data(result,
- chunk_from_str("; pending component evidence"));
- result->write_uint8(result, '\0');
- result_buf = result->get_buf(result);
- result_str = result_buf.ptr;
- break;
- default:
- result->destroy(result);
- continue;
- }
- session->remove_workitem(session, enumerator);
- eval = TNC_IMV_EVALUATION_RESULT_ERROR;
- rec = workitem->set_result(workitem, result_str, eval);
- state->update_recommendation(state, rec, eval);
- imcv_db->finalize_workitem(imcv_db, workitem);
- workitem->destroy(workitem);
- result->destroy(result);
- }
- enumerator->destroy(enumerator);
-
- if (pending_file_meas)
- {
- DBG1(DBG_IMV, "failure due to %d pending file measurements",
- pending_file_meas);
- attestation_state->set_measurement_error(attestation_state,
- IMV_ATTESTATION_ERROR_FILE_MEAS_PEND);
- }
- }
- }
- return this->agent->provide_recommendation(this->agent, state);
-}
-
-METHOD(imv_agent_if_t, destroy, void,
- private_imv_attestation_agent_t *this)
-{
- if (this->pts_creds)
- {
- this->pts_credmgr->remove_set(this->pts_credmgr,
- this->pts_creds->get_set(this->pts_creds));
- this->pts_creds->destroy(this->pts_creds);
- }
- DESTROY_IF(this->pts_db);
- DESTROY_IF(this->pts_credmgr);
- DESTROY_IF(this->agent);
- free(this);
- libpts_deinit();
-}
-
-/**
- * Described in header.
- */
-imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
- TNC_Version *actual_version)
-{
- private_imv_attestation_agent_t *this;
- imv_agent_t *agent;
- char *hash_alg, *dh_group, *cadir;
- bool mandatory_dh_groups;
-
- agent = imv_agent_create(name, msg_types, countof(msg_types), id,
- actual_version);
- if (!agent)
- {
- return NULL;
- }
-
- hash_alg = lib->settings->get_str(lib->settings,
- "%s.plugins.imv-attestation.hash_algorithm", "sha256", lib->ns);
- dh_group = lib->settings->get_str(lib->settings,
- "%s.plugins.imv-attestation.dh_group", "ecp256", lib->ns);
- mandatory_dh_groups = lib->settings->get_bool(lib->settings,
- "%s.plugins.imv-attestation.mandatory_dh_groups", TRUE, lib->ns);
- cadir = lib->settings->get_str(lib->settings,
- "%s.plugins.imv-attestation.cadir", NULL, lib->ns);
-
- INIT(this,
- .public = {
- .bind_functions = _bind_functions,
- .notify_connection_change = _notify_connection_change,
- .receive_message = _receive_message,
- .receive_message_long = _receive_message_long,
- .batch_ending = _batch_ending,
- .solicit_recommendation = _solicit_recommendation,
- .destroy = _destroy,
- },
- .agent = agent,
- .supported_algorithms = PTS_MEAS_ALGO_NONE,
- .supported_dh_groups = PTS_DH_GROUP_NONE,
- .pts_credmgr = credential_manager_create(),
- .pts_creds = pts_creds_create(cadir),
- .pts_db = pts_database_create(imcv_db),
- );
-
- libpts_init();
-
- if (!pts_meas_algo_probe(&this->supported_algorithms) ||
- !pts_dh_group_probe(&this->supported_dh_groups, mandatory_dh_groups) ||
- !pts_meas_algo_update(hash_alg, &this->supported_algorithms) ||
- !pts_dh_group_update(dh_group, &this->supported_dh_groups))
- {
- destroy(this);
- return NULL;
- }
-
- if (this->pts_creds)
- {
- this->pts_credmgr->add_set(this->pts_credmgr,
- this->pts_creds->get_set(this->pts_creds));
- }
-
- return &this->public;
-}
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.h b/src/libpts/plugins/imv_attestation/imv_attestation_agent.h
deleted file mode 100644
index cc421a29a..000000000
--- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.h
+++ /dev/null
@@ -1,36 +0,0 @@
-/*
- * Copyright (C) 2013 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup imv_attestation_agent_t imv_attestation_agent
- * @{ @ingroup imv_attestation
- */
-
-#ifndef IMV_ATTESTATION_AGENT_H_
-#define IMV_ATTESTATION_AGENT_H_
-
-#include <imv/imv_agent_if.h>
-
-/**
- * Creates a Attestation IMV agent
- *
- * @param name Name of the IMV
- * @param id ID of the IMV
- * @param actual_version TNC IF-IMV version
- */
-imv_agent_if_t* imv_attestation_agent_create(const char* name, TNC_IMVID id,
- TNC_Version *actual_version);
-
-#endif /** IMV_ATTESTATION_AGENT_H_ @}*/
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.c b/src/libpts/plugins/imv_attestation/imv_attestation_build.c
deleted file mode 100644
index 120fe3eaa..000000000
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- * Copyright (C) 2011-2012 Sansar Choinyambuu
- * Copyright (C) 2011-2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "imv_attestation_build.h"
-#include "imv_attestation_state.h"
-
-#include <tcg/pts/tcg_pts_attr_dh_nonce_params_req.h>
-#include <tcg/pts/tcg_pts_attr_dh_nonce_finish.h>
-#include <tcg/pts/tcg_pts_attr_get_tpm_version_info.h>
-#include <tcg/pts/tcg_pts_attr_get_aik.h>
-#include <tcg/pts/tcg_pts_attr_req_func_comp_evid.h>
-#include <tcg/pts/tcg_pts_attr_gen_attest_evid.h>
-
-#include <utils/debug.h>
-
-bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
- pts_dh_group_t supported_dh_groups,
- pts_database_t *pts_db)
-{
- imv_attestation_state_t *attestation_state;
- imv_attestation_handshake_state_t handshake_state;
- pts_t *pts;
- pa_tnc_attr_t *attr = NULL;
-
- attestation_state = (imv_attestation_state_t*)state;
- handshake_state = attestation_state->get_handshake_state(attestation_state);
- pts = attestation_state->get_pts(attestation_state);
-
- switch (handshake_state)
- {
- case IMV_ATTESTATION_STATE_NONCE_REQ:
- {
- int min_nonce_len;
-
- /* Send DH nonce parameters request attribute */
- min_nonce_len = lib->settings->get_int(lib->settings,
- "%s.plugins.imv-attestation.min_nonce_len", 0, lib->ns);
- attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len,
- supported_dh_groups);
- attr->set_noskip_flag(attr, TRUE);
- out_msg->add_attribute(out_msg, attr);
-
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_TPM_INIT);
- break;
- }
- case IMV_ATTESTATION_STATE_TPM_INIT:
- {
- pts_meas_algorithms_t selected_algorithm;
- chunk_t initiator_value, initiator_nonce;
-
- if (!(state->get_action_flags(state) & IMV_ATTESTATION_DH_NONCE))
- {
- break;
- }
-
- /* Send DH nonce finish attribute */
- selected_algorithm = pts->get_meas_algorithm(pts);
- pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
- attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
- initiator_value, initiator_nonce);
- attr->set_noskip_flag(attr, TRUE);
- out_msg->add_attribute(out_msg, attr);
-
- /* Send Get TPM Version attribute */
- attr = tcg_pts_attr_get_tpm_version_info_create();
- attr->set_noskip_flag(attr, TRUE);
- out_msg->add_attribute(out_msg, attr);
-
- /* Send Get AIK attribute */
- attr = tcg_pts_attr_get_aik_create();
- attr->set_noskip_flag(attr, TRUE);
- out_msg->add_attribute(out_msg, attr);
-
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_COMP_EVID);
- break;
- }
- case IMV_ATTESTATION_STATE_COMP_EVID:
- {
- tcg_pts_attr_req_func_comp_evid_t *attr_cast;
- enumerator_t *enumerator;
- pts_comp_func_name_t *name;
- uint8_t flags;
- uint32_t depth;
- bool first_component = TRUE;
-
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_END);
-
- if (!pts->get_aik_id(pts))
- {
- attestation_state->set_measurement_error(attestation_state,
- IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
- return FALSE;
- }
-
- enumerator = attestation_state->create_component_enumerator(
- attestation_state);
- while (enumerator->enumerate(enumerator, &flags, &depth, &name))
- {
- if (first_component)
- {
- attr = tcg_pts_attr_req_func_comp_evid_create();
- attr->set_noskip_flag(attr, TRUE);
- first_component = FALSE;
- DBG2(DBG_IMV, "evidence request by");
- }
- name->log(name, " ");
-
- /* TODO check flags against negotiated_caps */
- attr_cast = (tcg_pts_attr_req_func_comp_evid_t *)attr;
- attr_cast->add_component(attr_cast, flags, depth, name);
- }
- enumerator->destroy(enumerator);
-
- if (attr)
- {
- /* Send Request Functional Component Evidence attribute */
- out_msg->add_attribute(out_msg, attr);
-
- /* Send Generate Attestation Evidence attribute */
- attr = tcg_pts_attr_gen_attest_evid_create();
- attr->set_noskip_flag(attr, TRUE);
- out_msg->add_attribute(out_msg, attr);
-
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_EVID_FINAL);
- }
- break;
- }
- default:
- break;
- }
-
- return TRUE;
-}
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.h b/src/libpts/plugins/imv_attestation/imv_attestation_build.h
deleted file mode 100644
index 88538b198..000000000
--- a/src/libpts/plugins/imv_attestation/imv_attestation_build.h
+++ /dev/null
@@ -1,46 +0,0 @@
-/*
- * Copyright (C) 2011 Sansar Choinyambuu
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup imv_attestation_build_t imv_attestation_build
- * @{ @ingroup imv_attestation
- */
-
-#ifndef IMV_ATTESTATION_BUILD_H_
-#define IMV_ATTESTATION_BUILD_H_
-
-#include "imv_attestation_state.h"
-
-#include <imv/imv_msg.h>
-#include <library.h>
-
-#include <pts/pts_database.h>
-#include <pts/pts_dh_group.h>
-#include <pts/pts_meas_algo.h>
-
-/**
- * Process a TCG PTS attribute
- *
- * @param out_msg outbound PA-TNC message to be built
- * @param state state of a given connection
- * @param supported_dh_groups supported DH groups
- * @param pts_db PTS configuration database
- * @return TRUE if successful
- */
-bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
- pts_dh_group_t supported_dh_groups,
- pts_database_t *pts_db);
-
-#endif /** IMV_ATTESTATION_BUILD_H_ @}*/
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
deleted file mode 100644
index 26a57d15c..000000000
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c
+++ /dev/null
@@ -1,563 +0,0 @@
-/*
- * Copyright (C) 2011-2012 Sansar Choinyambuu
- * Copyright (C) 2011-2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#define _GNU_SOURCE /* for stdndup() */
-#include <string.h>
-
-#include "imv_attestation_process.h"
-
-#include <imcv.h>
-#include <ietf/ietf_attr_pa_tnc_error.h>
-
-#include <pts/pts.h>
-
-#include <tcg/pts/tcg_pts_attr_aik.h>
-#include <tcg/pts/tcg_pts_attr_dh_nonce_params_resp.h>
-#include <tcg/pts/tcg_pts_attr_file_meas.h>
-#include <tcg/pts/tcg_pts_attr_meas_algo.h>
-#include <tcg/pts/tcg_pts_attr_proto_caps.h>
-#include <tcg/pts/tcg_pts_attr_simple_comp_evid.h>
-#include <tcg/pts/tcg_pts_attr_simple_evid_final.h>
-#include <tcg/pts/tcg_pts_attr_tpm_version_info.h>
-#include <tcg/pts/tcg_pts_attr_unix_file_meta.h>
-
-#include <utils/debug.h>
-#include <crypto/hashers/hasher.h>
-
-#include <inttypes.h>
-
-bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
- imv_state_t *state,
- pts_meas_algorithms_t supported_algorithms,
- pts_dh_group_t supported_dh_groups,
- pts_database_t *pts_db,
- credential_manager_t *pts_credmgr)
-{
- imv_session_t *session;
- imv_attestation_state_t *attestation_state;
- pen_type_t attr_type;
- pts_t *pts;
-
- session = state->get_session(state);
- attestation_state = (imv_attestation_state_t*)state;
- pts = attestation_state->get_pts(attestation_state);
- attr_type = attr->get_type(attr);
-
- switch (attr_type.type)
- {
- case TCG_PTS_PROTO_CAPS:
- {
- tcg_pts_attr_proto_caps_t *attr_cast;
- pts_proto_caps_flag_t flags;
-
- attr_cast = (tcg_pts_attr_proto_caps_t*)attr;
- flags = attr_cast->get_flags(attr_cast);
- pts->set_proto_caps(pts, flags);
- break;
- }
- case TCG_PTS_MEAS_ALGO_SELECTION:
- {
- tcg_pts_attr_meas_algo_t *attr_cast;
- pts_meas_algorithms_t selected_algorithm;
-
- attr_cast = (tcg_pts_attr_meas_algo_t*)attr;
- selected_algorithm = attr_cast->get_algorithms(attr_cast);
- if (!(selected_algorithm & supported_algorithms))
- {
- DBG1(DBG_IMV, "PTS-IMC selected unsupported"
- " measurement algorithm");
- return FALSE;
- }
- pts->set_meas_algorithm(pts, selected_algorithm);
- state->set_action_flags(state, IMV_ATTESTATION_ALGO);
- break;
- }
- case TCG_PTS_DH_NONCE_PARAMS_RESP:
- {
- tcg_pts_attr_dh_nonce_params_resp_t *attr_cast;
- int nonce_len, min_nonce_len;
- pts_dh_group_t dh_group;
- pts_meas_algorithms_t offered_algorithms, selected_algorithm;
- chunk_t responder_value, responder_nonce;
-
- attr_cast = (tcg_pts_attr_dh_nonce_params_resp_t*)attr;
- responder_nonce = attr_cast->get_responder_nonce(attr_cast);
-
- /* check compliance of responder nonce length */
- min_nonce_len = lib->settings->get_int(lib->settings,
- "%s.plugins.imv-attestation.min_nonce_len", 0, lib->ns);
- nonce_len = responder_nonce.len;
- if (nonce_len < PTS_MIN_NONCE_LEN ||
- (min_nonce_len > 0 && nonce_len < min_nonce_len))
- {
- attr = pts_dh_nonce_error_create(
- max(PTS_MIN_NONCE_LEN, min_nonce_len),
- PTS_MAX_NONCE_LEN);
- out_msg->add_attribute(out_msg, attr);
- break;
- }
-
- dh_group = attr_cast->get_dh_group(attr_cast);
- if (!(dh_group & supported_dh_groups))
- {
- DBG1(DBG_IMV, "PTS-IMC selected unsupported DH group");
- return FALSE;
- }
-
- offered_algorithms = attr_cast->get_hash_algo_set(attr_cast);
- selected_algorithm = pts_meas_algo_select(supported_algorithms,
- offered_algorithms);
- if (selected_algorithm == PTS_MEAS_ALGO_NONE)
- {
- attr = pts_hash_alg_error_create(supported_algorithms);
- out_msg->add_attribute(out_msg, attr);
- break;
- }
- pts->set_dh_hash_algorithm(pts, selected_algorithm);
-
- if (!pts->create_dh_nonce(pts, dh_group, nonce_len))
- {
- return FALSE;
- }
-
- responder_value = attr_cast->get_responder_value(attr_cast);
- pts->set_peer_public_value(pts, responder_value,
- responder_nonce);
-
- /* Calculate secret assessment value */
- if (!pts->calculate_secret(pts))
- {
- return FALSE;
- }
- state->set_action_flags(state, IMV_ATTESTATION_DH_NONCE);
- break;
- }
- case TCG_PTS_TPM_VERSION_INFO:
- {
- tcg_pts_attr_tpm_version_info_t *attr_cast;
- chunk_t tpm_version_info;
-
- attr_cast = (tcg_pts_attr_tpm_version_info_t*)attr;
- tpm_version_info = attr_cast->get_tpm_version_info(attr_cast);
- pts->set_tpm_version_info(pts, tpm_version_info);
- break;
- }
- case TCG_PTS_AIK:
- {
- tcg_pts_attr_aik_t *attr_cast;
- certificate_t *aik, *issuer;
- public_key_t *public;
- chunk_t keyid, keyid_hex, device_id;
- int aik_id;
- enumerator_t *e;
- bool trusted = FALSE, trusted_chain = FALSE;
-
- attr_cast = (tcg_pts_attr_aik_t*)attr;
- aik = attr_cast->get_aik(attr_cast);
- if (!aik)
- {
- DBG1(DBG_IMV, "AIK unavailable");
- attestation_state->set_measurement_error(attestation_state,
- IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
- break;
- }
-
- /* check trust into public key as stored in the database */
- public = aik->get_public_key(aik);
- public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid);
- DBG1(DBG_IMV, "verifying AIK with keyid %#B", &keyid);
- keyid_hex = chunk_to_hex(keyid, NULL, FALSE);
- if (session->get_device_id(session, &device_id) &&
- chunk_equals(keyid_hex, device_id))
- {
- trusted = session->get_device_trust(session);
- }
- else
- {
- DBG1(DBG_IMV, "device ID unknown or different from AIK keyid");
- }
- DBG1(DBG_IMV, "AIK public key is %strusted", trusted ? "" : "not ");
- public->destroy(public);
- chunk_free(&keyid_hex);
-
- if (aik->get_type(aik) == CERT_X509)
- {
-
- e = pts_credmgr->create_trusted_enumerator(pts_credmgr,
- KEY_ANY, aik->get_issuer(aik), FALSE);
- while (e->enumerate(e, &issuer))
- {
- if (aik->issued_by(aik, issuer, NULL))
- {
- trusted_chain = TRUE;
- break;
- }
- }
- e->destroy(e);
- DBG1(DBG_IMV, "AIK certificate is %strusted",
- trusted_chain ? "" : "not ");
- if (!trusted || !trusted_chain)
- {
- attestation_state->set_measurement_error(attestation_state,
- IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
- break;
- }
- }
- session->get_session_id(session, NULL, &aik_id);
- pts->set_aik(pts, aik, aik_id);
- break;
- }
- case TCG_PTS_FILE_MEAS:
- {
- TNC_IMV_Evaluation_Result eval;
- TNC_IMV_Action_Recommendation rec;
- tcg_pts_attr_file_meas_t *attr_cast;
- uint16_t request_id;
- int arg_int, file_count;
- pts_meas_algorithms_t algo;
- pts_file_meas_t *measurements;
- imv_workitem_t *workitem, *found = NULL;
- imv_workitem_type_t type;
- char result_str[BUF_LEN];
- bool is_dir, correct;
- enumerator_t *enumerator;
-
- eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
- algo = pts->get_meas_algorithm(pts);
- attr_cast = (tcg_pts_attr_file_meas_t*)attr;
- measurements = attr_cast->get_measurements(attr_cast);
- request_id = measurements->get_request_id(measurements);
- file_count = measurements->get_file_count(measurements);
-
- DBG1(DBG_IMV, "measurement request %d returned %d file%s:",
- request_id, file_count, (file_count == 1) ? "":"s");
-
- if (request_id)
- {
- enumerator = session->create_workitem_enumerator(session);
- while (enumerator->enumerate(enumerator, &workitem))
- {
- /* request ID consist of lower 16 bits of workitem ID */
- if ((workitem->get_id(workitem) & 0xffff) == request_id)
- {
- found = workitem;
- break;
- }
- }
-
- if (!found)
- {
- DBG1(DBG_IMV, " no entry found for file measurement "
- "request %d", request_id);
- enumerator->destroy(enumerator);
- break;
- }
- type = found->get_type(found);
- arg_int = found->get_arg_int(found);
-
- switch (type)
- {
- default:
- case IMV_WORKITEM_FILE_REF_MEAS:
- case IMV_WORKITEM_FILE_MEAS:
- is_dir = FALSE;
- break;
- case IMV_WORKITEM_DIR_REF_MEAS:
- case IMV_WORKITEM_DIR_MEAS:
- is_dir = TRUE;
- }
-
- switch (type)
- {
- case IMV_WORKITEM_FILE_MEAS:
- case IMV_WORKITEM_DIR_MEAS:
- {
- enumerator_t *e;
-
- /* check hashes from database against measurements */
- e = pts_db->create_file_hash_enumerator(pts_db,
- pts->get_platform_id(pts),
- algo, is_dir, arg_int);
- if (!e)
- {
- eval = TNC_IMV_EVALUATION_RESULT_ERROR;
- break;
- }
- correct = measurements->verify(measurements, e, is_dir);
- if (!correct)
- {
- attestation_state->set_measurement_error(
- attestation_state,
- IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL);
- eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR;
- }
- e->destroy(e);
-
- snprintf(result_str, BUF_LEN, "%s measurement%s correct",
- is_dir ? "directory" : "file",
- correct ? "" : " not");
- break;
- }
- case IMV_WORKITEM_FILE_REF_MEAS:
- case IMV_WORKITEM_DIR_REF_MEAS:
- {
- enumerator_t *e;
- char *filename;
- chunk_t measurement;
-
- e = measurements->create_enumerator(measurements);
- while (e->enumerate(e, &filename, &measurement))
- {
- if (pts_db->add_file_measurement(pts_db,
- pts->get_platform_id(pts), algo, measurement,
- filename, is_dir, arg_int) != SUCCESS)
- {
- eval = TNC_IMV_EVALUATION_RESULT_ERROR;
- }
- }
- e->destroy(e);
- snprintf(result_str, BUF_LEN, "%s reference measurement "
- "successful", is_dir ? "directory" : "file");
- break;
- }
- default:
- break;
- }
-
- session->remove_workitem(session, enumerator);
- enumerator->destroy(enumerator);
- rec = found->set_result(found, result_str, eval);
- state->update_recommendation(state, rec, eval);
- imcv_db->finalize_workitem(imcv_db, found);
- found->destroy(found);
- }
- else
- {
- measurements->check(measurements, pts_db,
- pts->get_platform_id(pts), algo);
- }
- break;
- }
- case TCG_PTS_UNIX_FILE_META:
- {
- tcg_pts_attr_file_meta_t *attr_cast;
- int file_count;
- pts_file_meta_t *metadata;
- pts_file_metadata_t *entry;
- time_t created, modified, accessed;
- bool utc = FALSE;
- enumerator_t *e;
-
- attr_cast = (tcg_pts_attr_file_meta_t*)attr;
- metadata = attr_cast->get_metadata(attr_cast);
- file_count = metadata->get_file_count(metadata);
-
- DBG1(DBG_IMV, "metadata request returned %d file%s:",
- file_count, (file_count == 1) ? "":"s");
-
- e = metadata->create_enumerator(metadata);
- while (e->enumerate(e, &entry))
- {
- DBG1(DBG_IMV, " '%s' (%"PRIu64" bytes)"
- " owner %"PRIu64", group %"PRIu64", type %N",
- entry->filename, entry->filesize, entry->owner,
- entry->group, pts_file_type_names, entry->type);
-
- created = entry->created;
- modified = entry->modified;
- accessed = entry->accessed;
-
- DBG1(DBG_IMV, " created %T, modified %T, accessed %T",
- &created, utc, &modified, utc, &accessed, utc);
- }
- e->destroy(e);
- break;
- }
- case TCG_PTS_SIMPLE_COMP_EVID:
- {
- tcg_pts_attr_simple_comp_evid_t *attr_cast;
- pts_comp_func_name_t *name;
- pts_comp_evidence_t *evidence;
- pts_component_t *comp;
- uint32_t depth;
- status_t status;
-
- attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
- evidence = attr_cast->get_comp_evidence(attr_cast);
- name = evidence->get_comp_func_name(evidence, &depth);
-
- comp = attestation_state->get_component(attestation_state, name);
- if (!comp)
- {
- DBG1(DBG_IMV, " no entry found for component evidence request");
- break;
- }
- status = comp->verify(comp, name->get_qualifier(name), pts, evidence);
- if (status == VERIFY_ERROR || status == FAILED)
- {
- attestation_state->set_measurement_error(attestation_state,
- IMV_ATTESTATION_ERROR_COMP_EVID_FAIL);
- name->log(name, " measurement mismatch for ");
- }
- break;
- }
- case TCG_PTS_SIMPLE_EVID_FINAL:
- {
- tcg_pts_attr_simple_evid_final_t *attr_cast;
- uint8_t flags;
- pts_meas_algorithms_t comp_hash_algorithm;
- chunk_t pcr_comp, tpm_quote_sig, evid_sig;
- chunk_t pcr_composite, quote_info, result_buf;
- imv_workitem_t *workitem;
- imv_reason_string_t *reason_string;
- enumerator_t *enumerator;
- bool use_quote2, use_ver_info;
- bio_writer_t *result;
-
- attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr;
- flags = attr_cast->get_quote_info(attr_cast, &comp_hash_algorithm,
- &pcr_comp, &tpm_quote_sig);
-
- if (flags != PTS_SIMPLE_EVID_FINAL_NO)
- {
- use_quote2 = (flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2 ||
- flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2_CAP_VER);
- use_ver_info = (flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2_CAP_VER);
-
- /* Construct PCR Composite and TPM Quote Info structures */
- if (!pts->get_quote_info(pts, use_quote2, use_ver_info,
- comp_hash_algorithm, &pcr_composite, &quote_info))
- {
- DBG1(DBG_IMV, "unable to construct TPM Quote Info");
- return FALSE;
- }
-
- if (!chunk_equals(pcr_comp, pcr_composite))
- {
- DBG1(DBG_IMV, "received PCR Composite does not match "
- "constructed one");
- attestation_state->set_measurement_error(attestation_state,
- IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
- goto quote_error;
- }
- DBG2(DBG_IMV, "received PCR Composite matches constructed one");
-
- if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig))
- {
- attestation_state->set_measurement_error(attestation_state,
- IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
- goto quote_error;
- }
- DBG2(DBG_IMV, "TPM Quote Info signature verification successful");
-
-quote_error:
- free(pcr_composite.ptr);
- free(quote_info.ptr);
-
- /**
- * Finalize any pending measurement registrations and check
- * if all expected component measurements were received
- */
- result = bio_writer_create(128);
- attestation_state->finalize_components(attestation_state,
- result);
-
- enumerator = session->create_workitem_enumerator(session);
- while (enumerator->enumerate(enumerator, &workitem))
- {
- if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST)
- {
- TNC_IMV_Action_Recommendation rec;
- TNC_IMV_Evaluation_Result eval;
- uint32_t error;
-
- error = attestation_state->get_measurement_error(
- attestation_state);
- if (error & (IMV_ATTESTATION_ERROR_COMP_EVID_FAIL |
- IMV_ATTESTATION_ERROR_COMP_EVID_PEND |
- IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL))
- {
- reason_string = imv_reason_string_create("en", ", ");
- attestation_state->add_comp_evid_reasons(
- attestation_state, reason_string);
- result->write_data(result, chunk_from_str("; "));
- result->write_data(result,
- reason_string->get_encoding(reason_string));
- reason_string->destroy(reason_string);
- eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR;
- }
- else
- {
- eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
- }
- session->remove_workitem(session, enumerator);
-
- result->write_uint8(result, '\0');
- result_buf = result->get_buf(result);
- rec = workitem->set_result(workitem, result_buf.ptr,
- eval);
- state->update_recommendation(state, rec, eval);
- imcv_db->finalize_workitem(imcv_db, workitem);
- workitem->destroy(workitem);
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_END);
- break;
- }
- }
- enumerator->destroy(enumerator);
- result->destroy(result);
- }
-
- if (attr_cast->get_evid_sig(attr_cast, &evid_sig))
- {
- /** TODO: What to do with Evidence Signature */
- DBG1(DBG_IMV, "this version of the Attestation IMV can not "
- "handle Evidence Signatures");
- }
- break;
- }
-
- /* TODO: Not implemented yet */
- case TCG_PTS_INTEG_MEAS_LOG:
- /* Attributes using XML */
- case TCG_PTS_TEMPL_REF_MANI_SET_META:
- case TCG_PTS_VERIFICATION_RESULT:
- case TCG_PTS_INTEG_REPORT:
- /* On Windows only*/
- case TCG_PTS_WIN_FILE_META:
- case TCG_PTS_REGISTRY_VALUE:
- /* Received on IMC side only*/
- case TCG_PTS_REQ_PROTO_CAPS:
- case TCG_PTS_DH_NONCE_PARAMS_REQ:
- case TCG_PTS_DH_NONCE_FINISH:
- case TCG_PTS_MEAS_ALGO:
- case TCG_PTS_GET_TPM_VERSION_INFO:
- case TCG_PTS_REQ_TEMPL_REF_MANI_SET_META:
- case TCG_PTS_UPDATE_TEMPL_REF_MANI:
- case TCG_PTS_GET_AIK:
- case TCG_PTS_REQ_FUNC_COMP_EVID:
- case TCG_PTS_GEN_ATTEST_EVID:
- case TCG_PTS_REQ_FILE_META:
- case TCG_PTS_REQ_FILE_MEAS:
- case TCG_PTS_REQ_INTEG_MEAS_LOG:
- default:
- DBG1(DBG_IMV, "received unsupported attribute '%N'",
- tcg_attr_names, attr->get_type(attr));
- break;
- }
- return TRUE;
-}
-
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.h b/src/libpts/plugins/imv_attestation/imv_attestation_process.h
deleted file mode 100644
index af8666b66..000000000
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.h
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2011 Sansar Choinyambuu
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup imv_attestation_process_t imv_attestation_process
- * @{ @ingroup imv_attestation
- */
-
-#ifndef IMV_ATTESTATION_PROCESS_H_
-#define IMV_ATTESTATION_PROCESS_H_
-
-#include "imv_attestation_state.h"
-
-#include <library.h>
-#include <collections/linked_list.h>
-#include <credentials/credential_manager.h>
-#include <crypto/hashers/hasher.h>
-
-#include <imv/imv_msg.h>
-#include <pa_tnc/pa_tnc_attr.h>
-
-#include <pts/pts_database.h>
-#include <pts/pts_dh_group.h>
-#include <pts/pts_meas_algo.h>
-
-/**
- * Process a TCG PTS attribute
- *
- * @param attr PA-TNC attribute to be processed
- * @param out_msg PA-TNC message containing error messages
- * @param state state of a given connection
- * @param supported_algorithms supported PTS measurement algorithms
- * @param supported_dh_groups supported DH groups
- * @param pts_db PTS configuration database
- * @param pts_credmgr PTS credential manager
- * @return TRUE if successful
- */
-bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
- imv_state_t *state,
- pts_meas_algorithms_t supported_algorithms,
- pts_dh_group_t supported_dh_groups,
- pts_database_t *pts_db,
- credential_manager_t *pts_credmgr);
-
-#endif /** IMV_ATTESTATION_PROCESS_H_ @}*/
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
deleted file mode 100644
index 11afbc29d..000000000
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c
+++ /dev/null
@@ -1,546 +0,0 @@
-/*
- * Copyright (C) 2011-2012 Sansar Choinyambuu
- * Copyright (C) 2011-2014 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "imv_attestation_state.h"
-
-#include <libpts.h>
-
-#include <imv/imv_lang_string.h>
-#include "imv/imv_reason_string.h"
-
-#include <tncif_policy.h>
-
-#include <collections/linked_list.h>
-#include <utils/debug.h>
-
-typedef struct private_imv_attestation_state_t private_imv_attestation_state_t;
-typedef struct file_meas_request_t file_meas_request_t;
-typedef struct func_comp_t func_comp_t;
-
-/**
- * Private data of an imv_attestation_state_t object.
- */
-struct private_imv_attestation_state_t {
-
- /**
- * Public members of imv_attestation_state_t
- */
- imv_attestation_state_t public;
-
- /**
- * TNCCS connection ID
- */
- TNC_ConnectionID connection_id;
-
- /**
- * TNCCS connection state
- */
- TNC_ConnectionState state;
-
- /**
- * Does the TNCCS connection support long message types?
- */
- bool has_long;
-
- /**
- * Does the TNCCS connection support exclusive delivery?
- */
- bool has_excl;
-
- /**
- * Maximum PA-TNC message size for this TNCCS connection
- */
- uint32_t max_msg_len;
-
- /**
- * Flags set for completed actions
- */
- uint32_t action_flags;
-
- /**
- * IMV database session associated with TNCCS connection
- */
- imv_session_t *session;
-
- /**
- * IMV Attestation handshake state
- */
- imv_attestation_handshake_state_t handshake_state;
-
- /**
- * IMV action recommendation
- */
- TNC_IMV_Action_Recommendation rec;
-
- /**
- * IMV evaluation result
- */
- TNC_IMV_Evaluation_Result eval;
-
- /**
- * List of Functional Components
- */
- linked_list_t *components;
-
- /**
- * PTS object
- */
- pts_t *pts;
-
- /**
- * Measurement error flags
- */
- uint32_t measurement_error;
-
- /**
- * TNC Reason String
- */
- imv_reason_string_t *reason_string;
-
-};
-
-/**
- * PTS Functional Component entry
- */
-struct func_comp_t {
- pts_component_t *comp;
- pts_comp_func_name_t* name;
-};
-
-/**
- * Frees a func_comp_t object
- */
-static void free_func_comp(func_comp_t *this)
-{
- this->comp->destroy(this->comp);
- this->name->destroy(this->name);
- free(this);
-}
-
-/**
- * Supported languages
- */
-static char* languages[] = { "en", "de", "mn" };
-
-/**
- * Table of reason strings
- */
-static imv_lang_string_t reason_file_meas_fail[] = {
- { "en", "Incorrect file measurement" },
- { "de", "Falsche Dateimessung" },
- { "mn", "Буруу байгаа файл" },
- { NULL, NULL }
-};
-
-static imv_lang_string_t reason_file_meas_pend[] = {
- { "en", "Pending file measurement" },
- { "de", "Ausstehende Dateimessung" },
- { "mn", "Xүлээгдэж байгаа файл" },
- { NULL, NULL }
-};
-
-static imv_lang_string_t reason_no_trusted_aik[] = {
- { "en", "No trusted AIK available" },
- { "de", "Kein vetrauenswürdiger AIK verfügbar" },
- { NULL, NULL }
-};
-
-static imv_lang_string_t reason_comp_evid_fail[] = {
- { "en", "Incorrect component evidence" },
- { "de", "Falsche Komponenten-Evidenz" },
- { "mn", "Буруу компонент хэмжилт" },
- { NULL, NULL }
-};
-
-static imv_lang_string_t reason_comp_evid_pend[] = {
- { "en", "Pending component evidence" },
- { "de", "Ausstehende Komponenten-Evidenz" },
- { "mn", "Xүлээгдэж компонент хэмжилт" },
- { NULL, NULL }
-};
-
-static imv_lang_string_t reason_tpm_quote_fail[] = {
- { "en", "Invalid TPM Quote signature received" },
- { "de", "Falsche TPM Quote Signature erhalten" },
- { "mn", "Буруу TPM Quote гарын үсэг" },
- { NULL, NULL }
-};
-
-METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
- private_imv_attestation_state_t *this)
-{
- return this->connection_id;
-}
-
-METHOD(imv_state_t, has_long, bool,
- private_imv_attestation_state_t *this)
-{
- return this->has_long;
-}
-
-METHOD(imv_state_t, has_excl, bool,
- private_imv_attestation_state_t *this)
-{
- return this->has_excl;
-}
-
-METHOD(imv_state_t, set_flags, void,
- private_imv_attestation_state_t *this, bool has_long, bool has_excl)
-{
- this->has_long = has_long;
- this->has_excl = has_excl;
-}
-
-METHOD(imv_state_t, set_max_msg_len, void,
- private_imv_attestation_state_t *this, uint32_t max_msg_len)
-{
- this->max_msg_len = max_msg_len;
-}
-
-METHOD(imv_state_t, get_max_msg_len, uint32_t,
- private_imv_attestation_state_t *this)
-{
- return this->max_msg_len;
-}
-
-METHOD(imv_state_t, set_action_flags, void,
- private_imv_attestation_state_t *this, uint32_t flags)
-{
- this->action_flags |= flags;
-}
-
-METHOD(imv_state_t, get_action_flags, uint32_t,
- private_imv_attestation_state_t *this)
-{
- return this->action_flags;
-}
-
-METHOD(imv_state_t, set_session, void,
- private_imv_attestation_state_t *this, imv_session_t *session)
-{
- this->session = session;
-}
-
-METHOD(imv_state_t, get_session, imv_session_t*,
- private_imv_attestation_state_t *this)
-{
- return this->session;
-}
-
-METHOD(imv_state_t, change_state, void,
- private_imv_attestation_state_t *this, TNC_ConnectionState new_state)
-{
- this->state = new_state;
-}
-
-METHOD(imv_state_t, get_recommendation, void,
- private_imv_attestation_state_t *this, TNC_IMV_Action_Recommendation *rec,
- TNC_IMV_Evaluation_Result *eval)
-{
- *rec = this->rec;
- *eval = this->eval;
-}
-
-METHOD(imv_state_t, set_recommendation, void,
- private_imv_attestation_state_t *this, TNC_IMV_Action_Recommendation rec,
- TNC_IMV_Evaluation_Result eval)
-{
- this->rec = rec;
- this->eval = eval;
-}
-
-METHOD(imv_state_t, update_recommendation, void,
- private_imv_attestation_state_t *this, TNC_IMV_Action_Recommendation rec,
- TNC_IMV_Evaluation_Result eval)
-{
- this->rec = tncif_policy_update_recommendation(this->rec, rec);
- this->eval = tncif_policy_update_evaluation(this->eval, eval);
-}
-
-METHOD(imv_attestation_state_t, add_file_meas_reasons, void,
- private_imv_attestation_state_t *this, imv_reason_string_t *reason_string)
-{
- if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL)
- {
- reason_string->add_reason(reason_string, reason_file_meas_fail);
- }
- if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_PEND)
- {
- reason_string->add_reason(reason_string, reason_file_meas_pend);
- }
-}
-
-METHOD(imv_attestation_state_t, add_comp_evid_reasons, void,
- private_imv_attestation_state_t *this, imv_reason_string_t *reason_string)
-{
- if (this->measurement_error & IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK)
- {
- reason_string->add_reason(reason_string, reason_no_trusted_aik);
- }
- if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_FAIL)
- {
- reason_string->add_reason(reason_string, reason_comp_evid_fail);
- }
- if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_PEND)
- {
- reason_string->add_reason(reason_string, reason_comp_evid_pend);
- }
- if (this->measurement_error & IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL)
- {
- reason_string->add_reason(reason_string, reason_tpm_quote_fail);
- }
-}
-
-METHOD(imv_state_t, get_reason_string, bool,
- private_imv_attestation_state_t *this, enumerator_t *language_enumerator,
- chunk_t *reason_string, char **reason_language)
-{
- *reason_language = imv_lang_string_select_lang(language_enumerator,
- languages, countof(languages));
-
- /* Instantiate a TNC Reason String object */
- DESTROY_IF(this->reason_string);
- this->reason_string = imv_reason_string_create(*reason_language, "\n");
- add_file_meas_reasons(this, this->reason_string);
- add_comp_evid_reasons(this, this->reason_string);
- *reason_string = this->reason_string->get_encoding(this->reason_string);
-
- return TRUE;
-}
-
-METHOD(imv_state_t, get_remediation_instructions, bool,
- private_imv_attestation_state_t *this, enumerator_t *language_enumerator,
- chunk_t *string, char **lang_code, char **uri)
-{
- return FALSE;
-}
-
-METHOD(imv_state_t, destroy, void,
- private_imv_attestation_state_t *this)
-{
- DESTROY_IF(this->session);
- DESTROY_IF(this->reason_string);
- this->components->destroy_function(this->components, (void *)free_func_comp);
- this->pts->destroy(this->pts);
- free(this);
-}
-
-METHOD(imv_attestation_state_t, get_handshake_state,
- imv_attestation_handshake_state_t, private_imv_attestation_state_t *this)
-{
- return this->handshake_state;
-}
-
-METHOD(imv_attestation_state_t, set_handshake_state, void,
- private_imv_attestation_state_t *this,
- imv_attestation_handshake_state_t new_state)
-{
- this->handshake_state = new_state;
-}
-
-METHOD(imv_attestation_state_t, get_pts, pts_t*,
- private_imv_attestation_state_t *this)
-{
- return this->pts;
-}
-
-METHOD(imv_attestation_state_t, create_component, pts_component_t*,
- private_imv_attestation_state_t *this, pts_comp_func_name_t *name,
- uint32_t depth, pts_database_t *pts_db)
-{
- enumerator_t *enumerator;
- func_comp_t *entry, *new_entry;
- pts_component_t *component;
- bool found = FALSE;
-
- enumerator = this->components->create_enumerator(this->components);
- while (enumerator->enumerate(enumerator, &entry))
- {
- if (name->equals(name, entry->comp->get_comp_func_name(entry->comp)))
- {
- found = TRUE;
- break;
- }
- }
- enumerator->destroy(enumerator);
-
- if (found)
- {
- if (name->equals(name, entry->name))
- {
- /* duplicate entry */
- return NULL;
- }
- new_entry = malloc_thing(func_comp_t);
- new_entry->name = name->clone(name);
- new_entry->comp = entry->comp->get_ref(entry->comp);
- this->components->insert_last(this->components, new_entry);
- return entry->comp;
- }
- else
- {
- component = pts_components->create(pts_components, name, depth, pts_db);
- if (!component)
- {
- /* unsupported component */
- return NULL;
- }
- new_entry = malloc_thing(func_comp_t);
- new_entry->name = name->clone(name);
- new_entry->comp = component;
- this->components->insert_last(this->components, new_entry);
- return component;
- }
-}
-
-/**
- * Enumerate file measurement entries
- */
-static bool entry_filter(void *null, func_comp_t **entry, uint8_t *flags,
- void *i2, uint32_t *depth,
- void *i3, pts_comp_func_name_t **comp_name)
-{
- pts_component_t *comp;
- pts_comp_func_name_t *name;
-
- comp = (*entry)->comp;
- name = (*entry)->name;
-
- *flags = comp->get_evidence_flags(comp);
- *depth = comp->get_depth(comp);
- *comp_name = name;
-
- return TRUE;
-}
-
-METHOD(imv_attestation_state_t, create_component_enumerator, enumerator_t*,
- private_imv_attestation_state_t *this)
-{
- return enumerator_create_filter(
- this->components->create_enumerator(this->components),
- (void*)entry_filter, NULL, NULL);
-}
-
-METHOD(imv_attestation_state_t, get_component, pts_component_t*,
- private_imv_attestation_state_t *this, pts_comp_func_name_t *name)
-{
- enumerator_t *enumerator;
- func_comp_t *entry;
- pts_component_t *found = NULL;
-
- enumerator = this->components->create_enumerator(this->components);
- while (enumerator->enumerate(enumerator, &entry))
- {
- if (name->equals(name, entry->name))
- {
- found = entry->comp;
- break;
- }
- }
- enumerator->destroy(enumerator);
- return found;
-}
-
-METHOD(imv_attestation_state_t, get_measurement_error, uint32_t,
- private_imv_attestation_state_t *this)
-{
- return this->measurement_error;
-}
-
-METHOD(imv_attestation_state_t, set_measurement_error, void,
- private_imv_attestation_state_t *this, uint32_t error)
-{
- this->measurement_error |= error;
-}
-
-METHOD(imv_attestation_state_t, finalize_components, void,
- private_imv_attestation_state_t *this, bio_writer_t *result)
-{
- func_comp_t *entry;
- bool first = TRUE;
-
- while (this->components->remove_last(this->components,
- (void**)&entry) == SUCCESS)
- {
- if (first)
- {
- first = FALSE;
- }
- else
- {
- result->write_data(result, chunk_from_str("; "));
- }
- if (!entry->comp->finalize(entry->comp,
- entry->name->get_qualifier(entry->name),
- result))
- {
- set_measurement_error(this, IMV_ATTESTATION_ERROR_COMP_EVID_PEND);
- }
- free_func_comp(entry);
- }
-}
-
-/**
- * Described in header.
- */
-imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
-{
- private_imv_attestation_state_t *this;
-
- INIT(this,
- .public = {
- .interface = {
- .get_connection_id = _get_connection_id,
- .has_long = _has_long,
- .has_excl = _has_excl,
- .set_flags = _set_flags,
- .set_max_msg_len = _set_max_msg_len,
- .get_max_msg_len = _get_max_msg_len,
- .set_action_flags = _set_action_flags,
- .get_action_flags = _get_action_flags,
- .set_session = _set_session,
- .get_session = _get_session,
- .change_state = _change_state,
- .get_recommendation = _get_recommendation,
- .set_recommendation = _set_recommendation,
- .update_recommendation = _update_recommendation,
- .get_reason_string = _get_reason_string,
- .get_remediation_instructions = _get_remediation_instructions,
- .destroy = _destroy,
- },
- .get_handshake_state = _get_handshake_state,
- .set_handshake_state = _set_handshake_state,
- .get_pts = _get_pts,
- .create_component = _create_component,
- .create_component_enumerator = _create_component_enumerator,
- .get_component = _get_component,
- .finalize_components = _finalize_components,
- .get_measurement_error = _get_measurement_error,
- .set_measurement_error = _set_measurement_error,
- .add_file_meas_reasons = _add_file_meas_reasons,
- .add_comp_evid_reasons = _add_comp_evid_reasons,
- },
- .connection_id = connection_id,
- .state = TNC_CONNECTION_STATE_CREATE,
- .handshake_state = IMV_ATTESTATION_STATE_INIT,
- .rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
- .eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
- .components = linked_list_create(),
- .pts = pts_create(FALSE),
- );
-
- return &this->public.interface;
-}
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
deleted file mode 100644
index b72857552..000000000
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h
+++ /dev/null
@@ -1,191 +0,0 @@
-/*
- * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup imv_attestation imv_attestation
- * @ingroup libpts_plugins
- *
- * @defgroup imv_attestation_state_t imv_attestation_state
- * @{ @ingroup imv_attestation
- */
-
-#ifndef IMV_ATTESTATION_STATE_H_
-#define IMV_ATTESTATION_STATE_H_
-
-#include <imv/imv_state.h>
-#include <imv/imv_reason_string.h>
-#include <pts/pts.h>
-#include <pts/pts_database.h>
-#include <pts/components/pts_component.h>
-
-#include <library.h>
-#include <bio/bio_writer.h>
-
-typedef struct imv_attestation_state_t imv_attestation_state_t;
-typedef enum imv_attestation_flag_t imv_attestation_flag_t;
-typedef enum imv_attestation_handshake_state_t imv_attestation_handshake_state_t;
-typedef enum imv_meas_error_t imv_meas_error_t;
-
-/**
- * IMV Attestation Flags set for completed actions
- */
-enum imv_attestation_flag_t {
- IMV_ATTESTATION_ATTR_PRODUCT_INFO = (1<<0),
- IMV_ATTESTATION_ATTR_STRING_VERSION = (1<<1),
- IMV_ATTESTATION_ATTR_DEVICE_ID = (1<<2),
- IMV_ATTESTATION_ATTR_MUST = (1<<3)-1,
- IMV_ATTESTATION_ATTR_REQ = (1<<3),
- IMV_ATTESTATION_ALGO = (1<<4),
- IMV_ATTESTATION_DH_NONCE = (1<<5),
- IMV_ATTESTATION_FILE_MEAS = (1<<6),
- IMV_ATTESTATION_REC = (1<<7)
-};
-
-/**
- * IMV Attestation Handshake States (state machine)
- */
-enum imv_attestation_handshake_state_t {
- IMV_ATTESTATION_STATE_INIT,
- IMV_ATTESTATION_STATE_DISCOVERY,
- IMV_ATTESTATION_STATE_NONCE_REQ,
- IMV_ATTESTATION_STATE_TPM_INIT,
- IMV_ATTESTATION_STATE_COMP_EVID,
- IMV_ATTESTATION_STATE_EVID_FINAL,
- IMV_ATTESTATION_STATE_END,
-};
-
-/**
- * IMV Measurement Error Types
- */
-enum imv_meas_error_t {
- IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL = 1,
- IMV_ATTESTATION_ERROR_FILE_MEAS_PEND = 2,
- IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK = 4,
- IMV_ATTESTATION_ERROR_COMP_EVID_FAIL = 8,
- IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 16,
- IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 32
-};
-
-/**
- * Internal state of an imv_attestation_t connection instance
- */
-struct imv_attestation_state_t {
-
- /**
- * imv_state_t interface
- */
- imv_state_t interface;
-
- /**
- * Get state of the handshake
- *
- * @return the handshake state of IMV
- */
- imv_attestation_handshake_state_t (*get_handshake_state)(
- imv_attestation_state_t *this);
-
- /**
- * Set state of the handshake
- *
- * @param new_state the handshake state of IMV
- */
- void (*set_handshake_state)(imv_attestation_state_t *this,
- imv_attestation_handshake_state_t new_state);
-
- /**
- * Get the PTS object
- *
- * @return PTS object
- */
- pts_t* (*get_pts)(imv_attestation_state_t *this);
-
- /**
- * Create and add an entry to the list of Functional Components
- *
- * @param name Component Functional Name
- * @param depth Sub-component Depth
- * @param pts_db PTS measurement database
- * @return created functional component instance or NULL
- */
- pts_component_t* (*create_component)(imv_attestation_state_t *this,
- pts_comp_func_name_t *name,
- uint32_t depth,
- pts_database_t *pts_db);
-
- /**
- * Enumerate over all Functional Components
- *
- * @return Functional Component enumerator
- */
- enumerator_t* (*create_component_enumerator)(imv_attestation_state_t *this);
-
- /**
- * Get a Functional Component with a given name
- *
- * @param name Name of the requested Functional Component
- * @return Functional Component if found, NULL otherwise
- */
- pts_component_t* (*get_component)(imv_attestation_state_t *this,
- pts_comp_func_name_t *name);
-
- /**
- * Tell the Functional Components to finalize any measurement registrations
- * and to check if all expected measurements were received
- *
- * @param result Writer appending component measurement results
- */
- void (*finalize_components)(imv_attestation_state_t *this,
- bio_writer_t *result);
-
- /**
- * Indicates the types of measurement errors that occurred
- *
- * @return Measurement error flags
- */
- uint32_t (*get_measurement_error)(imv_attestation_state_t *this);
-
- /**
- * Call if a measurement error is encountered
- *
- * @param error Measurement error type
- */
- void (*set_measurement_error)(imv_attestation_state_t *this,
- uint32_t error);
-
- /**
- * Returns a concatenation of File Measurement reason strings
- *
- * @param reason_string Concatenated reason strings
- */
- void (*add_file_meas_reasons)(imv_attestation_state_t *this,
- imv_reason_string_t *reason_string);
-
- /**
- * Returns a concatenation of Component Evidence reason strings
- *
- * @param reason_string Concatenated reason strings
- */
- void (*add_comp_evid_reasons)(imv_attestation_state_t *this,
- imv_reason_string_t *reason_string);
-};
-
-/**
- * Create an imv_attestation_state_t instance
- *
- * @param id connection ID
- */
-imv_state_t* imv_attestation_state_create(TNC_ConnectionID id);
-
-#endif /** IMV_ATTESTATION_STATE_H_ @}*/