author | Yves-Alexis Perez <corsac@debian.org> | 2013-01-02 14:18:20 +0100 |
committer | Yves-Alexis Perez <corsac@debian.org> | 2013-01-02 14:18:20 +0100 |
commit | c1343b3278cdf99533b7902744d15969f9d6fdc1 (patch) | |
tree | d5ed3dc5677a59260ec41cd39bb284d3e94c91b3 /src/libpts/plugins | |
parent | b34738ed08c2227300d554b139e2495ca5da97d6 (diff) | |
Imported Upstream version 5.0.1
Diffstat (limited to 'src/libpts/plugins')
19 files changed, 1392 insertions, 324 deletions
diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in index 583d2dfee..4734379bf 100644 --- a/src/libpts/plugins/imc_attestation/Makefile.in +++ b/src/libpts/plugins/imc_attestation/Makefile.in @@ -49,6 +49,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; @@ -84,7 +85,7 @@ imc_attestation_la_OBJECTS = $(am_imc_attestation_la_OBJECTS) imc_attestation_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(imc_attestation_la_LDFLAGS) $(LDFLAGS) -o $@ -DEFAULT_INCLUDES = -I.@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f @@ -110,6 +111,7 @@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BFDLIB = @BFDLIB@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ @@ -204,11 +206,14 @@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ clearsilver_LIBS = @clearsilver_LIBS@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ -default_pkcs11 = @default_pkcs11@ +dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ 
@@ -225,11 +230,12 @@ imcvdir = @imcvdir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ ipsecdir = @ipsecdir@ ipsecgroup = @ipsecgroup@ ipseclibdir = @ipseclibdir@ ipsecuser = @ipsecuser@ -libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ @@ -245,6 +251,7 @@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ p_plugins = @p_plugins@ @@ -254,7 +261,6 @@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ plugindir = @plugindir@ -pluto_plugins = @pluto_plugins@ pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ diff --git a/src/libpts/plugins/imc_attestation/imc_attestation.c b/src/libpts/plugins/imc_attestation/imc_attestation.c index 4f77ba093..7cb2a0671 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation.c +++ b/src/libpts/plugins/imc_attestation/imc_attestation.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Sansar Choinyambuu + * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -21,6 +21,7 @@ #include <ietf/ietf_attr.h> #include <ietf/ietf_attr_pa_tnc_error.h> #include <ietf/ietf_attr_product_info.h> +#include <ietf/ietf_attr_assess_result.h> #include <libpts.h> 
@@ -108,9 +109,17 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id, case TNC_CONNECTION_STATE_CREATE: state = imc_attestation_state_create(connection_id); return imc_attestation->create_state(imc_attestation, state); + case TNC_CONNECTION_STATE_HANDSHAKE: + if (imc_attestation->change_state(imc_attestation, connection_id, + new_state, &state) != TNC_RESULT_SUCCESS) + { + return TNC_RESULT_FATAL; + } + state->set_result(state, imc_id, + TNC_IMV_EVALUATION_RESULT_DONT_KNOW); + return TNC_RESULT_SUCCESS; case TNC_CONNECTION_STATE_DELETE: return imc_attestation->delete_state(imc_attestation, connection_id); - case TNC_CONNECTION_STATE_HANDSHAKE: case TNC_CONNECTION_STATE_ACCESS_ISOLATED: case TNC_CONNECTION_STATE_ACCESS_NONE: default: @@ -149,17 +158,15 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id, platform_info = pts->get_platform_info(pts); if (platform_info) { - pa_tnc_msg_t *pa_tnc_msg; + linked_list_t *attr_list; pa_tnc_attr_t *attr; - pa_tnc_msg = pa_tnc_msg_create(); + attr_list = linked_list_create(); attr = ietf_attr_product_info_create(0, 0, platform_info); - pa_tnc_msg->add_attribute(pa_tnc_msg, attr); - pa_tnc_msg->build(pa_tnc_msg); + attr_list->insert_last(attr_list, attr); result = imc_attestation->send_message(imc_attestation, connection_id, - FALSE, 0, TNC_IMVID_ANY, - pa_tnc_msg->get_encoding(pa_tnc_msg)); - pa_tnc_msg->destroy(pa_tnc_msg); + FALSE, 0, TNC_IMVID_ANY, attr_list); + attr_list->destroy(attr_list); } return result; @@ -176,11 +183,13 @@ static TNC_Result receive_message(TNC_IMCID imc_id, { pa_tnc_msg_t *pa_tnc_msg; pa_tnc_attr_t *attr; + pen_type_t type; linked_list_t *attr_list; imc_state_t *state; imc_attestation_state_t *attestation_state; enumerator_t *enumerator; TNC_Result result; + TNC_UInt32 target_imc_id; if (!imc_attestation) { 
@@ -204,6 +213,7 @@ static TNC_Result receive_message(TNC_IMCID imc_id,
{
return result;
}
+ target_imc_id = (dst_imc_id == TNC_IMCID_ANY) ? imc_id : dst_imc_id;
/* preprocess any IETF standard error attributes */
result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ?
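Review bot: The new target_imc_id assignment takes dst_imc_id straight from the received message and, in the attribute loop further down, an IMV's assessment result is attributed to that id; if an IMV can address an id other than imc_id here, the result ends up in this connection state under a foreign id. A comment stating the intent, `/* a result addressed to TNC_IMCID_ANY is ours; otherwise use the addressed IMC id */`, and — if imc_id is the only id this IMC ever owns — a check that dst_imc_id equals it, would make the assumption explicit. receive_message continues outside the hunk.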
@@ -215,30 +225,40 @@ static TNC_Result receive_message(TNC_IMCID imc_id, enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg); while (enumerator->enumerate(enumerator, &attr)) { - if (attr->get_vendor_id(attr) == PEN_IETF && - attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR) - { - ietf_attr_pa_tnc_error_t *error_attr; - pen_t error_vendor_id; - pa_tnc_error_code_t error_code; - chunk_t msg_info; + type = attr->get_type(attr); - error_attr = (ietf_attr_pa_tnc_error_t*)attr; - error_vendor_id = error_attr->get_vendor_id(error_attr); - - if (error_vendor_id == PEN_TCG) + if (type.vendor_id == PEN_IETF) + { + if (type.type == IETF_ATTR_PA_TNC_ERROR) { + ietf_attr_pa_tnc_error_t *error_attr; + pen_type_t error_code; + chunk_t msg_info; + + error_attr = (ietf_attr_pa_tnc_error_t*)attr; error_code = error_attr->get_error_code(error_attr); - msg_info = error_attr->get_msg_info(error_attr); - DBG1(DBG_IMC, "received TCG-PTS error '%N'", - pts_error_code_names, error_code); - DBG1(DBG_IMC, "error information: %B", &msg_info); + if (error_code.vendor_id == PEN_TCG) + { + msg_info = error_attr->get_msg_info(error_attr); - result = TNC_RESULT_FATAL; + DBG1(DBG_IMC, "received TCG-PTS error '%N'", + pts_error_code_names, error_code.type); + DBG1(DBG_IMC, "error information: %B", &msg_info); + + result = TNC_RESULT_FATAL; + } + } + else if (type.type == IETF_ATTR_ASSESSMENT_RESULT) + { + ietf_attr_assess_result_t *ietf_attr; + + ietf_attr = (ietf_attr_assess_result_t*)attr; + state->set_result(state, target_imc_id, + ietf_attr->get_result(ietf_attr)); } } - else if (attr->get_vendor_id(attr) == PEN_TCG) + else if (type.vendor_id == PEN_TCG) { if (!imc_attestation_process(attr, attr_list, attestation_state, supported_algorithms, supported_dh_groups)) 
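Review bot: In the new IETF_ATTR_ASSESSMENT_RESULT branch the evaluation result is written into the connection state as soon as the attribute is seen, while a TCG-PTS error attribute later in the same message only sets the local `result` to TNC_RESULT_FATAL and leaves the stored evaluation result in place. Whether an IMV actually combines both in one message cannot be told from here, but holding the value in a local and calling state->set_result only after the loop has finished with result == TNC_RESULT_SUCCESS would make the stored state independent of attribute order. The cast `(ietf_attr_assess_result_t*)attr` is gated on the pen type alone, mirroring the existing error-attribute cast; a comment `/* attribute class is guaranteed by the PA-TNC parser for this pen type */` would document that reliance if it holds. receive_message continues outside the hunk.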
@@ -253,23 +273,11 @@ static TNC_Result receive_message(TNC_IMCID imc_id, if (result == TNC_RESULT_SUCCESS && attr_list->get_count(attr_list)) { - pa_tnc_msg = pa_tnc_msg_create(); - - enumerator = attr_list->create_enumerator(attr_list); - while (enumerator->enumerate(enumerator, &attr)) - { - pa_tnc_msg->add_attribute(pa_tnc_msg, attr); - } - enumerator->destroy(enumerator); - - pa_tnc_msg->build(pa_tnc_msg); result = imc_attestation->send_message(imc_attestation, connection_id, - FALSE, 0, TNC_IMVID_ANY, - pa_tnc_msg->get_encoding(pa_tnc_msg)); - pa_tnc_msg->destroy(pa_tnc_msg); + FALSE, 0, TNC_IMVID_ANY, attr_list); } - attr_list->destroy(attr_list); + return result; } diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.c b/src/libpts/plugins/imc_attestation/imc_attestation_process.c index b70c05370..bd2fa649d 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation_process.c +++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Sansar Choinyambuu + * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -23,7 +23,6 @@ #include <ietf/ietf_attr_pa_tnc_error.h> -#include <libpts.h> #include <pts/pts.h> #include <tcg/tcg_pts_attr_proto_caps.h> @@ -57,10 +56,13 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, chunk_t attr_info; pts_t *pts; pts_error_code_t pts_error; + pen_type_t attr_type; bool valid_path; pts = attestation_state->get_pts(attestation_state); - switch (attr->get_type(attr)) + attr_type = attr->get_type(attr); + + switch (attr_type.type) { case TCG_PTS_REQ_PROTO_CAPS: { 
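Review bot: As rendered here the `attr_list->destroy(attr_list);` line at the end of receive_message is removed and nothing replaces it, so the list container created earlier in the function is leaked on every call, including the paths where nothing is sent. TNC_IMC_BeginHandshake in the same commit still destroys its list after send_message, so send_message does not appear to take ownership of the list; the line should be restored after the `if` block: `attr_list->destroy(attr_list);`. If the collapsed diff merely lost a context marker on that line, this note is moot. receive_message begins outside the hunk.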
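Review bot: `switch (attr_type.type)` in imc_attestation_process dispatches on the type number alone and never looks at attr_type.vendor_id; it is correct only because the caller in imc_attestation.c reaches this function after checking `type.vendor_id == PEN_TCG`. That precondition belongs in the callee, either as a comment `/* caller guarantees attr_type.vendor_id == PEN_TCG */` above the switch or as a guard `if (attr_type.vendor_id != PEN_TCG) { return FALSE; }` if a FALSE return is the right reaction for a foreign attribute. The function continues outside the hunk.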
@@ -182,12 +184,12 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, case TCG_PTS_GET_TPM_VERSION_INFO: { chunk_t tpm_version_info, attr_info; + pen_type_t error_code = { PEN_TCG, TCG_PTS_TPM_VERS_NOT_SUPPORTED }; if (!pts->get_tpm_version_info(pts, &tpm_version_info)) { attr_info = attr->get_value(attr); - attr = ietf_attr_pa_tnc_error_create(PEN_TCG, - TCG_PTS_TPM_VERS_NOT_SUPPORTED, attr_info); + attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); attr_list->insert_last(attr_list, attr); break; } @@ -221,6 +223,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, bool is_directory; u_int32_t delimiter; pts_file_meas_t *measurements; + pen_type_t error_code; attr_info = attr->get_value(attr); attr_cast = (tcg_pts_attr_req_file_meas_t*)attr; @@ -232,8 +235,8 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (valid_path && pts_error) { - attr = ietf_attr_pa_tnc_error_create(PEN_TCG, - pts_error, attr_info); + error_code = pen_type_create(PEN_TCG, pts_error); + attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); attr_list->insert_last(attr_list, attr); break; } @@ -244,8 +247,9 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (delimiter != SOLIDUS_UTF && delimiter != REVERSE_SOLIDUS_UTF) { - attr = ietf_attr_pa_tnc_error_create(PEN_TCG, - TCG_PTS_INVALID_DELIMITER, attr_info); + error_code = pen_type_create(PEN_TCG, + TCG_PTS_INVALID_DELIMITER); + attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); attr_list->insert_last(attr_list, attr); break; } 
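Review bot: `pen_type_t error_code = { PEN_TCG, TCG_PTS_TPM_VERS_NOT_SUPPORTED };` uses a positional brace initializer while every other new error code in this file is built with pen_type_create(); `pen_type_t error_code = pen_type_create(PEN_TCG, TCG_PTS_TPM_VERS_NOT_SUPPORTED);` keeps one construction style and does not depend on the member order of pen_type_t. Separately, the context shows `u_int32_t delimiter;` in the REQ_FILE_MEAS case here and `u_int8_t delimiter;` in the REQ_FILE_META case on the next line, both compared against the same SOLIDUS_UTF constants; that is pre-existing but worth aligning while the cases are being touched. The enclosing cases continue outside the hunk.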
@@ -254,8 +258,9 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, DBG2(DBG_IMC, "measurement request %d for %s '%s'", request_id, is_directory ? "directory" : "file", pathname); - measurements = pts->do_measurements(pts, request_id, - pathname, is_directory); + measurements = pts_file_meas_create_from_path(request_id, + pathname, is_directory, TRUE, + pts->get_meas_algorithm(pts)); if (!measurements) { /* TODO handle error codes from measurements */ @@ -273,6 +278,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, bool is_directory; u_int8_t delimiter; pts_file_meta_t *metadata; + pen_type_t error_code; attr_info = attr->get_value(attr); attr_cast = (tcg_pts_attr_req_file_meta_t*)attr; @@ -283,8 +289,8 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, valid_path = pts->is_path_valid(pts, pathname, &pts_error); if (valid_path && pts_error) { - attr = ietf_attr_pa_tnc_error_create(PEN_TCG, - pts_error, attr_info); + error_code = pen_type_create(PEN_TCG, pts_error); + attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); attr_list->insert_last(attr_list, attr); break; } @@ -294,8 +300,9 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, } if (delimiter != SOLIDUS_UTF && delimiter != REVERSE_SOLIDUS_UTF) { - attr = ietf_attr_pa_tnc_error_create(PEN_TCG, - TCG_PTS_INVALID_DELIMITER, attr_info); + error_code = pen_type_create(PEN_TCG, + TCG_PTS_INVALID_DELIMITER); + attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); attr_list->insert_last(attr_list, attr); break; } @@ -323,6 +330,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, pts_comp_func_name_t *name; pts_comp_evidence_t *evid; pts_component_t *comp; + pen_type_t error_code; u_int32_t depth; u_int8_t flags; status_t status; 
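Review bot: The positional literal `TRUE` in the new pts_file_meas_create_from_path() call tells the reader nothing about which option it switches on; a comment naming the parameter it binds to, e.g. `TRUE, /* <name of the 5th parameter in pts_file_meas.h> */`, or a named local would help. The `if (!measurements)` that follows still carries `/* TODO handle error codes from measurements */`, so a failed measurement of the pathname the IMV asked for still yields no error attribute for the peer. The enclosing case begins and ends outside the hunk.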
@@ -342,32 +350,36 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (flags & PTS_REQ_FUNC_COMP_EVID_TTC) { - attr = ietf_attr_pa_tnc_error_create(PEN_TCG, - TCG_PTS_UNABLE_DET_TTC, attr_info); + error_code = pen_type_create(PEN_TCG, + TCG_PTS_UNABLE_DET_TTC); + attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); attr_list->insert_last(attr_list, attr); break; } if (flags & PTS_REQ_FUNC_COMP_EVID_VER && !(negotiated_caps & PTS_PROTO_CAPS_V)) { - attr = ietf_attr_pa_tnc_error_create(PEN_TCG, - TCG_PTS_UNABLE_LOCAL_VAL, attr_info); + error_code = pen_type_create(PEN_TCG, + TCG_PTS_UNABLE_LOCAL_VAL); + attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); attr_list->insert_last(attr_list, attr); break; } if (flags & PTS_REQ_FUNC_COMP_EVID_CURR && !(negotiated_caps & PTS_PROTO_CAPS_C)) { - attr = ietf_attr_pa_tnc_error_create(PEN_TCG, - TCG_PTS_UNABLE_CUR_EVID, attr_info); + error_code = pen_type_create(PEN_TCG, + TCG_PTS_UNABLE_CUR_EVID); + attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); attr_list->insert_last(attr_list, attr); break; } if (flags & PTS_REQ_FUNC_COMP_EVID_PCR && !(negotiated_caps & PTS_PROTO_CAPS_T)) { - attr = ietf_attr_pa_tnc_error_create(PEN_TCG, - TCG_PTS_UNABLE_DET_PCR, attr_info); + error_code = pen_type_create(PEN_TCG, + TCG_PTS_UNABLE_DET_PCR); + attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); attr_list->insert_last(attr_list, attr); break; } 
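Review bot: The four flag checks in this hunk now each repeat the same three statements — build a pen_type_t with pen_type_create(PEN_TCG, ...), wrap it with ietf_attr_pa_tnc_error_create(), insert it into attr_list — which is what the commit's API change invites factoring out. A small static helper taking the list, the TCG error code and attr_info removes the duplication and also stops reusing the `attr` parameter as a scratch variable; this assumes, as the `break`s suggest, that `attr` is not read again after the case exits, and that the TCG_PTS_* constants are pts_error_code_t values as `pts_error` is in the earlier cases. The same helper would serve the REQ_FILE_MEAS and REQ_FILE_META error paths on the two preceding lines. The enclosing case continues outside the hunk.
```c
/* Queue a TCG-PTS error attribute replying to the request carried in attr_info */
static void add_tcg_error(linked_list_t *attr_list, pts_error_code_t code,
						  chunk_t attr_info)
{
	pen_type_t error_code = pen_type_create(PEN_TCG, code);

	attr_list->insert_last(attr_list,
						   ietf_attr_pa_tnc_error_create(error_code, attr_info));
}

			if (flags & PTS_REQ_FUNC_COMP_EVID_TTC)
			{
				add_tcg_error(attr_list, TCG_PTS_UNABLE_DET_TTC, attr_info);
				break;
			}
			/* … same shape for the _VER, _CURR and _PCR checks … */
```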
@@ -377,17 +389,19 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, "support sub component measurements"); return FALSE; } - comp = pts_components->create(pts_components, name, depth, NULL); + comp = attestation_state->create_component(attestation_state, + name, depth); if (!comp) { DBG2(DBG_IMC, " not registered: no evidence provided"); continue; } - /* do the component evidence measurement[s] */ + /* do the component evidence measurement[s] and cache them */ do { - status = comp->measure(comp, pts, &evid); + status = comp->measure(comp, name->get_qualifier(name), + pts, &evid); if (status == FAILED) { break; @@ -395,7 +409,6 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, attestation_state->add_evidence(attestation_state, evid); } while (status == NEED_MORE); - comp->destroy(comp); } e->destroy(e); break; @@ -408,12 +421,9 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, chunk_t pcr_composite, quote_sig; bool use_quote2; - /* Send buffered Simple Component Evidences */ + /* Send cached Component Evidence entries */ while (attestation_state->next_evidence(attestation_state, &evid)) { - pts->select_pcr(pts, evid->get_extended_pcr(evid)); - - /* Send Simple Component Evidence */ attr = tcg_pts_attr_simple_comp_evid_create(evid); attr_list->insert_last(attr_list, attr); } diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_state.c b/src/libpts/plugins/imc_attestation/imc_attestation_state.c index 72a55f60e..8ebabafa2 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation_state.c +++ b/src/libpts/plugins/imc_attestation/imc_attestation_state.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Sansar Choinyambuu + * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
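Review bot: Dropping `comp->destroy(comp);` is only correct because create_component (new in imc_attestation_state.c) keeps the component in the state's list and destroys it with the state; that ownership change is invisible at this call site and deserves a comment after the create call, `/* comp is owned by attestation_state and destroyed with it */`. When comp->measure returns FAILED the loop just breaks and no error attribute is queued for the IMV, so a component that cannot be measured is silently omitted; that is pre-existing, but the new caching makes it worth a `DBG1` at least. The enclosing case begins and ends outside the hunk.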
@@ -15,10 +15,15 @@ #include "imc_attestation_state.h" +#include <libpts.h> + +#include <tncif_names.h> + #include <utils/linked_list.h> #include <debug.h> typedef struct private_imc_attestation_state_t private_imc_attestation_state_t; +typedef struct func_comp_t func_comp_t; /** * Private data of an imc_attestation_state_t object. @@ -41,6 +46,11 @@ struct private_imc_attestation_state_t { TNC_ConnectionState state; /** + * Assessment/Evaluation Result + */ + TNC_IMV_Evaluation_Result result; + + /** * Does the TNCCS connection support long message types? */ bool has_long; @@ -51,12 +61,22 @@ struct private_imc_attestation_state_t { bool has_excl; /** + * Maximum PA-TNC message size for this TNCCS connection + */ + u_int32_t max_msg_len; + + /** * PTS object */ pts_t *pts; /** - * PTS Component Evidence list + * List of Functional Components + */ + linked_list_t *components; + + /** + * Functional Component Evidence cache list */ linked_list_t *list; 
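Review bot: `typedef struct func_comp_t func_comp_t;` is added but no definition or use of func_comp_t appears in this hunk; if the rest of the file does not define it, the typedef should go rather than stay as a dangling forward declaration. The new `max_msg_len` field is documented only as a maximum; the comment should also say where the value comes from and what an unset value means, which the setter in the next hunk does not establish either. The struct continues outside the hunk.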
@@ -87,18 +107,52 @@ METHOD(imc_state_t, set_flags, void,
this->has_excl = has_excl;
}
+METHOD(imc_state_t, set_max_msg_len, void,
+ private_imc_attestation_state_t *this, u_int32_t max_msg_len)
+{
+ this->max_msg_len = max_msg_len;
+}
+
+METHOD(imc_state_t, get_max_msg_len, u_int32_t,
+ private_imc_attestation_state_t *this)
+{
+ return this->max_msg_len;
+}
+
METHOD(imc_state_t, change_state, void,
private_imc_attestation_state_t *this, TNC_ConnectionState new_state)
{
this->state = new_state;
}
+METHOD(imc_state_t, set_result, void,
+ private_imc_attestation_state_t *this, TNC_IMCID id,
+ TNC_IMV_Evaluation_Result result)
+{
+ DBG1(DBG_IMC, "set assessment result for IMC %u to '%N'",
+ id, TNC_IMV_Evaluation_Result_names, result);
+ this->result = result;
+}
+
+METHOD(imc_state_t, get_result, bool,
+ private_imc_attestation_state_t *this, TNC_IMCID id,
+ TNC_IMV_Evaluation_Result *result)
+{
+ if (result)
+ {
+ *result = this->result;
+ }
+ return this->result != TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+}
METHOD(imc_state_t, destroy, void,
private_imc_attestation_state_t *this)
{
this->pts->destroy(this->pts);
- this->list->destroy_offset(this->list, offsetof(pts_comp_evidence_t, destroy));
+ this->components->destroy_offset(this->components,
+ offsetof(pts_component_t, destroy));
+ this->list->destroy_offset(this->list,
+ offsetof(pts_comp_evidence_t, destroy));
free(this);
}
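Review bot: set_result and get_result take an `id` argument that is never used except in the DBG1 line, so a result set for one IMC id is returned for any id; that is fine for a state that serves a single IMC, but it should be stated: `/* one IMC per state: 'id' is only logged, the result is shared */`. As rendered, no blank line separates get_result's closing brace from the following `METHOD(imc_state_t, destroy, ...)`, unlike the other added methods. The new destroy order — pts first, then the component list — assumes no component touches its pts_t while being destroyed, which cannot be confirmed from this hunk.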
@@ -108,10 +162,42 @@ METHOD(imc_attestation_state_t, get_pts, pts_t*,
return this->pts;
}
+METHOD(imc_attestation_state_t, create_component, pts_component_t*,
+ private_imc_attestation_state_t *this, pts_comp_func_name_t *name,
+ u_int32_t depth)
+{
+ enumerator_t *enumerator;
+ pts_component_t *component;
+ bool found = FALSE;
+
+ enumerator = this->components->create_enumerator(this->components);
+ while (enumerator->enumerate(enumerator, &component))
+ {
+ if (name->equals(name, component->get_comp_func_name(component)))
+ {
+ found = TRUE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (!found)
+ {
+ component = pts_components->create(pts_components, name, depth, NULL);
+ if (!component)
+ {
+ return NULL;
+ }
+ this->components->insert_last(this->components, component);
+
+ }
+ return component;
+}
+
METHOD(imc_attestation_state_t, add_evidence, void,
- private_imc_attestation_state_t *this, pts_comp_evidence_t *evidence)
+ private_imc_attestation_state_t *this, pts_comp_evidence_t *evid)
{
- this->list->insert_last(this->list, evidence);
+ this->list->insert_last(this->list, evid);
}
METHOD(imc_attestation_state_t, next_evidence, bool,
@@ -135,16 +221,23 @@ imc_state_t *imc_attestation_state_create(TNC_ConnectionID connection_id)
.has_long = _has_long,
.has_excl = _has_excl,
.set_flags = _set_flags,
+ .set_max_msg_len = _set_max_msg_len,
+ .get_max_msg_len = _get_max_msg_len,
.change_state = _change_state,
+ .set_result = _set_result,
+ .get_result = _get_result,
.destroy = _destroy,
},
.get_pts = _get_pts,
+ .create_component = _create_component,
.add_evidence = _add_evidence,
.next_evidence = _next_evidence,
},
.connection_id = connection_id,
.state = TNC_CONNECTION_STATE_CREATE,
+ .result = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
.pts = pts_create(TRUE),
+ .components = linked_list_create(),
.list = linked_list_create(),
);
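Review bot: create_component matches cached components by functional name only, so a second request for the same name with a different `depth` returns the component created for the first depth and the new depth is silently ignored; if depth is part of a component's identity it must take part in the comparison, otherwise a comment such as `/* depth is fixed by the first request for a given functional name */` should state the rule. There is a stray blank line before the closing brace of the `if (!found)` block. The lookup is linear over the list, which is fine for the handful of components a request names but worth noting in the header comment if the list can grow per connection.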
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_state.h b/src/libpts/plugins/imc_attestation/imc_attestation_state.h index 22b0bba23..e4fca71bb 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation_state.h +++ b/src/libpts/plugins/imc_attestation/imc_attestation_state.h @@ -24,6 +24,7 @@ #include <imc/imc_state.h> #include <pts/pts.h> +#include <pts/components/pts_component.h> #include <pts/components/pts_comp_evidence.h> #include <library.h> @@ -47,14 +48,24 @@ struct imc_attestation_state_t { pts_t* (*get_pts)(imc_attestation_state_t *this); /** - * Add an entry to the Component Evidence list + * Create and add an entry to the list of Functional Components * - * @param entry Component Evidence entry + * @param name Component Functional Name + * @param depth Sub-component Depth + * @return created functional component instance or NULL */ - void (*add_evidence)(imc_attestation_state_t *this, pts_comp_evidence_t *entry); + pts_component_t* (*create_component)(imc_attestation_state_t *this, + pts_comp_func_name_t *name, u_int32_t depth); /** - * Removes next Component Evidence entry from list and returns it + * Add an entry to the Component Evidence cache list + * + * @param evid Component Evidence entry + */ + void (*add_evidence)(imc_attestation_state_t *this, pts_comp_evidence_t *evid); + + /** + * Removes next entry from the Component Evidence cache list and returns it * * @param evid Next Component Evidence entry * @return TRUE if next entry is available diff --git a/src/libpts/plugins/imv_attestation/Makefile.am b/src/libpts/plugins/imv_attestation/Makefile.am index a550a3552..5e7465195 100644 --- a/src/libpts/plugins/imv_attestation/Makefile.am +++ b/src/libpts/plugins/imv_attestation/Makefile.am @@ -31,3 +31,5 @@ attest_LDADD = \ $(top_builddir)/src/libpts/libpts.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la attest.o : $(top_builddir)/config.status + +EXTRA_DIST = build-database.sh 
diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in index 989a173b5..afb4abed7 100644 --- a/src/libpts/plugins/imv_attestation/Makefile.in +++ b/src/libpts/plugins/imv_attestation/Makefile.in @@ -51,6 +51,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; @@ -94,7 +95,7 @@ attest_OBJECTS = $(am_attest_OBJECTS) attest_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \ $(top_builddir)/src/libpts/libpts.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la -DEFAULT_INCLUDES = -I.@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f @@ -120,6 +121,7 @@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BFDLIB = @BFDLIB@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ @@ -214,11 +216,14 @@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ clearsilver_LIBS = @clearsilver_LIBS@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ -default_pkcs11 = @default_pkcs11@ +dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ 
@@ -235,11 +240,12 @@ imcvdir = @imcvdir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ ipsecdir = @ipsecdir@ ipsecgroup = @ipsecgroup@ ipseclibdir = @ipseclibdir@ ipsecuser = @ipsecuser@ -libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ @@ -255,6 +261,7 @@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ p_plugins = @p_plugins@ @@ -264,7 +271,6 @@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ plugindir = @plugindir@ -pluto_plugins = @pluto_plugins@ pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ @@ -321,6 +327,7 @@ attest_LDADD = \ $(top_builddir)/src/libpts/libpts.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la +EXTRA_DIST = build-database.sh all: all-am .SUFFIXES: diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c index 9200820e8..a202d128f 100644 --- a/src/libpts/plugins/imv_attestation/attest.c +++ b/src/libpts/plugins/imv_attestation/attest.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Andreas Steffen + * Copyright (C) 2011-2012 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -34,7 +34,7 @@ /** * global debug output variables */ -static int debug_level = 2; +static int debug_level = 1; static bool stderr_quiet = TRUE; /** 
@@ -131,9 +131,14 @@ static void do_args(int argc, char *argv[]) { "directory", required_argument, NULL, 'D' }, { "dir", required_argument, NULL, 'D' }, { "file", required_argument, NULL, 'F' }, + { "sha1-ima", no_argument, NULL, 'I' }, { "key", required_argument, NULL, 'K' }, { "owner", required_argument, NULL, 'O' }, { "product", required_argument, NULL, 'P' }, + { "relative", no_argument, NULL, 'R' }, + { "rel", no_argument, NULL, 'R' }, + { "sequence", required_argument, NULL, 'S' }, + { "seq", required_argument, NULL, 'S' }, { "sha1", no_argument, NULL, '1' }, { "sha256", no_argument, NULL, '2' }, { "sha384", no_argument, NULL, '3' }, @@ -232,6 +237,9 @@ static void do_args(int argc, char *argv[]) exit(EXIT_FAILURE); } continue; + case 'I': + attest->set_algo(attest, PTS_MEAS_ALGO_SHA1_IMA); + continue; case 'K': { chunk_t aik; @@ -252,6 +260,12 @@ static void do_args(int argc, char *argv[]) exit(EXIT_FAILURE); } continue; + case 'R': + attest->set_relative(attest); + continue; + case 'S': + attest->set_sequence(attest, atoi(optarg)); + continue; case '1': attest->set_algo(attest, PTS_MEAS_ALGO_SHA1); continue; diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c index 88d19eee1..55afbf701 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.c +++ b/src/libpts/plugins/imv_attestation/attest_db.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Andreas Steffen + * Copyright (C) 2011-2012 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -16,8 +16,14 @@ #include "attest_db.h" #include "libpts.h" +#include "pts/pts_meas_algo.h" +#include "pts/pts_file_meas.h" #include "pts/components/pts_comp_func_name.h" +#include <libgen.h> + +#define IMA_MAX_NAME_LEN 255 + typedef struct private_attest_db_t private_attest_db_t; /** 
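Review bot: The new `case 'S'` passes `atoi(optarg)` to set_sequence, so a non-numeric or out-of-range `--sequence` argument silently becomes 0 or an overflowed value instead of being rejected like the other bad arguments in do_args, which exit with EXIT_FAILURE. Parsing with strtol and checking the end pointer and range reports the mistake instead; the range check below needs INT_MAX from <limits.h> if attest.c does not already include it, and the error report should use whatever the neighbouring cases use. do_args continues outside the hunk.
```c
			case 'S':
			{
				char *end;
				long seq_no;

				/* reject empty, non-numeric, trailing-garbage, negative and oversized values */
				seq_no = strtol(optarg, &end, 10);
				if (end == optarg || *end != '\0' || seq_no < 0 || seq_no > INT_MAX)
				{
					/* report like the other option errors in do_args */
					exit(EXIT_FAILURE);
				}
				attest->set_sequence(attest, (int)seq_no);
				continue;
			}
```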
@@ -106,6 +112,16 @@ struct private_attest_db_t { bool product_set; /** + * TRUE if relative filenames are to be used + */ + bool relative; + + /** + * Sequence number for ordering entries + */ + int seq_no; + + /** * File measurement hash algorithm */ pts_meas_algorithms_t algo; @@ -175,7 +191,7 @@ METHOD(attest_db_t, set_component, bool, e = this->db->query(this->db, "SELECT id FROM components " "WHERE vendor_id = ? AND name = ? AND qualifier = ?", - DB_INT, vid, DB_INT, name, DB_INT, qualifier, DB_INT); + DB_UINT, vid, DB_INT, name, DB_INT, qualifier, DB_INT); if (e) { if (e->enumerate(e, &this->cid)) @@ -231,7 +247,7 @@ METHOD(attest_db_t, set_cid, bool, e = this->db->query(this->db, "SELECT vendor_id, name, qualifier " "FROM components WHERE id = ?", - DB_INT, cid, DB_INT, DB_INT, DB_INT); + DB_UINT, cid, DB_INT, DB_INT, DB_INT); if (e) { if (e->enumerate(e, &vid, &name, &qualifier)) @@ -252,6 +268,7 @@ METHOD(attest_db_t, set_directory, bool, private_attest_db_t *this, char *dir, bool create) { enumerator_t *e; + size_t len; if (this->dir_set) { @@ -259,6 +276,13 @@ METHOD(attest_db_t, set_directory, bool, return FALSE; } free(this->dir); + + /* remove trailing '/' character */ + len = strlen(dir); + if (len && dir[len-1] == '/') + { + dir[len-1] = '\0'; + } this->dir = strdup(dir); e = this->db->query(this->db, @@ -308,7 +332,7 @@ METHOD(attest_db_t, set_did, bool, this->did = did; e = this->db->query(this->db, "SELECT path FROM files WHERE id = ?", - DB_INT, did, DB_TEXT); + DB_UINT, did, DB_TEXT); if (e) { if (e->enumerate(e, &dir)) @@ -330,6 +354,7 @@ METHOD(attest_db_t, set_file, bool, private_attest_db_t *this, char *file, bool create) { enumerator_t *e; + char *filename; if (this->file_set) { 
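Review bot: The trailing-slash removal in set_directory writes `'\0'` into the caller's `dir` buffer before it is copied, so a string the caller still owns (optarg from the command line, judging by attest.c) is modified as a side effect of a setter. Trimming the private copy after strdup keeps the caller's data intact; the query that follows the hunk must then bind `this->dir` rather than `dir`, which cannot be seen here. Only one trailing '/' is stripped and a bare "/" becomes an empty string, which may or may not be intended and should be stated in the comment. set_directory continues outside the hunk.
```c
	free(this->dir);
	this->dir = strdup(dir);

	/* strip a single trailing '/' from our own copy, never from the caller's string */
	len = strlen(this->dir);
	if (len && this->dir[len-1] == '/')
	{
		this->dir[len-1] = '\0';
	}
	/* … unchanged: query, but bound to this->dir … */
```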
@@ -337,9 +362,10 @@ METHOD(attest_db_t, set_file, bool, return FALSE; } this->file = strdup(file); + filename = this->relative ? basename(file) : file; e = this->db->query(this->db, "SELECT id FROM files WHERE path = ?", - DB_TEXT, file, DB_INT); + DB_TEXT, filename, DB_INT); if (e) { if (e->enumerate(e, &this->fid)) @@ -362,9 +388,9 @@ METHOD(attest_db_t, set_file, bool, /* Add a new database entry */ this->file_set = this->db->execute(this->db, &this->fid, "INSERT INTO files (type, path) VALUES (0, ?)", - DB_TEXT, file) == 1; + DB_TEXT, filename) == 1; - printf("file '%s' %sinserted into database\n", file, + printf("file '%s' %sinserted into database\n", filename, this->file_set ? "" : "could not be "); return this->file_set; @@ -384,7 +410,7 @@ METHOD(attest_db_t, set_fid, bool, this->fid = fid; e = this->db->query(this->db, "SELECT path FROM files WHERE id = ?", - DB_INT, fid, DB_TEXT); + DB_UINT, fid, DB_TEXT); if (e) { if (e->enumerate(e, &file)) @@ -468,7 +494,7 @@ METHOD(attest_db_t, set_kid, bool, this->kid = kid; e = this->db->query(this->db, "SELECT keyid, owner FROM keys WHERE id = ?", - DB_INT, kid, DB_BLOB, DB_TEXT); + DB_UINT, kid, DB_BLOB, DB_TEXT); if (e) { if (e->enumerate(e, &key, &owner)) @@ -545,7 +571,7 @@ METHOD(attest_db_t, set_pid, bool, this->pid = pid; e = this->db->query(this->db, "SELECT name FROM products WHERE id = ?", - DB_INT, pid, DB_TEXT); + DB_UINT, pid, DB_TEXT); if (e) { if (e->enumerate(e, &product)) @@ -568,6 +594,18 @@ METHOD(attest_db_t, set_algo, void, this->algo = algo; } +METHOD(attest_db_t, set_relative, void, + private_attest_db_t *this) +{ + this->relative = TRUE; +} + +METHOD(attest_db_t, set_sequence, void, + private_attest_db_t *this, int seq_no) +{ + this->seq_no = seq_no; +} + METHOD(attest_db_t, set_owner, void, private_attest_db_t *this, char *owner) { 
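Review bot: `filename = this->relative ? basename(file) : file;` calls the POSIX basename() that the newly included <libgen.h> selects; that variant may modify `file` in place and may return a pointer into it or into static storage, so the caller's buffer is altered and the `filename` pointer's lifetime is not owned by this object. Computing the name from the copy this method already made avoids both problems: `char *sep = strrchr(this->file, '/');` and `filename = (this->relative && sep) ? sep + 1 : this->file;` — note this differs from basename() only for paths with a trailing '/', which a file path should not carry. set_file continues outside the hunk.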
@@ -580,16 +618,29 @@ METHOD(attest_db_t, list_components, void, { enumerator_t *e; pts_comp_func_name_t *cfn; - int cid, vid, name, qualifier, count = 0; + int seq_no, cid, vid, name, qualifier, count = 0; if (this->kid) { e = this->db->query(this->db, - "SELECT c.id, c.vendor_id, c.name, c.qualifier " + "SELECT kc.seq_no, c.id, c.vendor_id, c.name, c.qualifier " "FROM components AS c " "JOIN key_component AS kc ON c.id = kc.component " - "WHERE kc.key = ? ORDER BY c.vendor_id, c.name, c.qualifier", - DB_INT, this->kid, DB_INT, DB_INT, DB_INT, DB_INT); + "WHERE kc.key = ? ORDER BY kc.seq_no", + DB_UINT, this->kid, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT); + if (e) + { + while (e->enumerate(e, &cid, &seq_no, &vid, &name, &qualifier)) + { + cfn = pts_comp_func_name_create(vid, name, qualifier); + printf("%4d: #%-2d %s\n", seq_no, cid, print_cfn(cfn)); + cfn->destroy(cfn); + count++; + } + e->destroy(e); + printf("%d component%s found for key %#B\n", count, + (count == 1) ? "" : "s", &this->key); + } } else { @@ -597,24 +648,18 @@ METHOD(attest_db_t, list_components, void, "SELECT id, vendor_id, name, qualifier FROM components " "ORDER BY vendor_id, name, qualifier", DB_INT, DB_INT, DB_INT, DB_INT); - } - if (e) - { - while (e->enumerate(e, &cid, &vid, &name, &qualifier)) - { - cfn = pts_comp_func_name_create(vid, name, qualifier); - printf("%3d: %s\n", cid, print_cfn(cfn)); - cfn->destroy(cfn); - count++; - } - e->destroy(e); - - printf("%d component%s found", count, (count == 1) ? "" : "s"); - if (this->key_set) + if (e) { - printf(" for key %#B", &this->key); + while (e->enumerate(e, &cid, &vid, &name, &qualifier)) + { + cfn = pts_comp_func_name_create(vid, name, qualifier); + printf("%4d: %s\n", cid, print_cfn(cfn)); + cfn->destroy(cfn); + count++; + } + e->destroy(e); + printf("%d component%s found\n", count, (count == 1) ? "" : "s"); } - printf("\n"); } } 
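Review bot: The new key-scoped query in list_components selects `kc.seq_no, c.id, c.vendor_id, c.name, c.qualifier` but the enumerate call reads them as `&cid, &seq_no, &vid, &name, &qualifier`, so the sequence number and the component id are swapped in the `"%4d: #%-2d %s\n"` output. The fix is `while (e->enumerate(e, &seq_no, &cid, &vid, &name, &qualifier))`. The rest of list_components is outside the hunk.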
@@ -632,12 +677,12 @@ METHOD(attest_db_t, list_keys, void, "SELECT k.id, k.keyid, k.owner FROM keys AS k " "JOIN key_component AS kc ON k.id = kc.key " "WHERE kc.component = ? ORDER BY k.keyid", - DB_INT, this->cid, DB_INT, DB_BLOB, DB_TEXT); + DB_UINT, this->cid, DB_INT, DB_BLOB, DB_TEXT); if (e) { while (e->enumerate(e, &kid, &keyid, &owner)) { - printf("%3d: %#B '%s'\n", kid, &keyid, owner); + printf("%4d: %#B '%s'\n", kid, &keyid, owner); count++; } e->destroy(e); @@ -652,7 +697,7 @@ METHOD(attest_db_t, list_keys, void, { while (e->enumerate(e, &kid, &keyid, &owner)) { - printf("%3d: %#B '%s'\n", kid, &keyid, owner); + printf("%4d: %#B '%s'\n", kid, &keyid, owner); count++; } e->destroy(e); @@ -681,13 +726,13 @@ METHOD(attest_db_t, list_files, void, "FROM files AS f " "JOIN product_file AS pf ON f.id = pf.file " "WHERE pf.product = ? ORDER BY f.path", - DB_INT, this->pid, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT); + DB_UINT, this->pid, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT); if (e) { while (e->enumerate(e, &fid, &type, &file, &meas, &meta)) { type = (type < 0 || type > 2) ? 0 : type; - printf("%3d: |%s%s| %s %s\n", fid, meas ? "M":" ", meta ? "T":" ", + printf("%4d: |%s%s| %s %s\n", fid, meas ? "M":" ", meta ? "T":" ", file_type[type], file); count++; } @@ -705,7 +750,7 @@ METHOD(attest_db_t, list_files, void, while (e->enumerate(e, &fid, &type, &file)) { type = (type < 0 || type > 2) ? 0 : type; - printf("%3d: %s %s\n", fid, file_type[type], file); + printf("%4d: %s %s\n", fid, file_type[type], file); count++; } e->destroy(e); 
@@ -734,12 +779,12 @@ METHOD(attest_db_t, list_products, void, "FROM products AS p " "JOIN product_file AS pf ON p.id = pf.product " "WHERE pf.file = ? ORDER BY p.name", - DB_INT, this->fid, DB_INT, DB_TEXT, DB_INT, DB_INT); + DB_UINT, this->fid, DB_INT, DB_TEXT, DB_INT, DB_INT); if (e) { while (e->enumerate(e, &pid, &product, &meas, &meta)) { - printf("%3d: |%s%s| %s\n", pid, meas ? "M":" ", meta ? "T":" ", + printf("%4d: |%s%s| %s\n", pid, meas ? "M":" ", meta ? "T":" ", product); count++; } @@ -755,7 +800,7 @@ METHOD(attest_db_t, list_products, void, { while (e->enumerate(e, &pid, &product)) { - printf("%3d: %s\n", pid, product); + printf("%4d: %s\n", pid, product); count++; } e->destroy(e); @@ -785,7 +830,7 @@ static void get_directory(private_attest_db_t *this, int did, char **directory) { e = this->db->query(this->db, "SELECT path from files WHERE id = ?", - DB_INT, did, DB_TEXT); + DB_UINT, did, DB_TEXT); if (e) { if (e->enumerate(e, &dir)) @@ -826,17 +871,17 @@ METHOD(attest_db_t, list_hashes, void, { if (this->fid != fid_old) { - printf("%3d: %s%s%s\n", this->fid, this->dir, + printf("%4d: %s%s%s\n", this->fid, this->dir, slash(this->dir, this->file) ? "/" : "", this->file); fid_old = this->fid; } - printf(" %#B\n", &hash); + printf(" %#B\n", &hash); count++; } e->destroy(e); printf("%d %N value%s found for product '%s'\n", count, - hash_algorithm_names, pts_meas_algo_to_hash(this->algo), + pts_meas_algorithm_names, this->algo, (count == 1) ? "" : "s", this->product); } } @@ -848,7 +893,7 @@ METHOD(attest_db_t, list_hashes, void, "JOIN files AS f ON f.id = fh.file " "WHERE fh.algo = ? AND fh.product = ? " "ORDER BY fh.directory, f.path", - DB_INT, this->algo, DB_INT, this->pid, + DB_INT, this->algo, DB_UINT, this->pid, DB_INT, DB_TEXT, DB_BLOB, DB_INT); if (e) { 
@@ -860,18 +905,18 @@ METHOD(attest_db_t, list_hashes, void, { get_directory(this, did, &dir); } - printf("%3d: %s%s%s\n", fid, + printf("%4d: %s%s%s\n", fid, dir, slash(dir, file) ? "/" : "", file); fid_old = fid; did_old = did; } - printf(" %#B\n", &hash); + printf(" %#B\n", &hash); count++; } e->destroy(e); printf("%d %N value%s found for product '%s'\n", count, - hash_algorithm_names, pts_meas_algo_to_hash(this->algo), + pts_meas_algorithm_names, this->algo, (count == 1) ? "" : "s", this->product); } } @@ -883,7 +928,7 @@ METHOD(attest_db_t, list_hashes, void, "JOIN products AS p ON p.id = fh.product " "WHERE fh.algo = ? AND fh.file = ? AND fh.directory = ?" "ORDER BY p.name", - DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->did, + DB_INT, this->algo, DB_UINT, this->fid, DB_UINT, this->did, DB_TEXT, DB_BLOB, DB_INT); if (e) { @@ -895,7 +940,7 @@ METHOD(attest_db_t, list_hashes, void, e->destroy(e); printf("%d %N value%s found for file '%s%s%s'\n", - count, hash_algorithm_names, pts_meas_algo_to_hash(this->algo), + count, pts_meas_algorithm_names, this->algo, (count == 1) ? "" : "s", this->dir, slash(this->dir, this->file) ? "/" : "", this->file); } @@ -922,17 +967,17 @@ METHOD(attest_db_t, list_hashes, void, get_directory(this, did, &dir); did_old = did; } - printf("%3d: %s%s%s\n", fid, + printf("%4d: %s%s%s\n", fid, dir, slash(dir, file) ? "/" : "", file); fid_old = fid; } - printf(" %#B '%s'\n", &hash, product); + printf(" %#B '%s'\n", &hash, product); count++; } e->destroy(e); - printf("%d %N value%s found\n", count, hash_algorithm_names, - pts_meas_algo_to_hash(this->algo), (count == 1) ? "" : "s"); + printf("%d %N value%s found\n", count, pts_meas_algorithm_names, + this->algo, (count == 1) ? "" : "s"); } } free(dir); 
@@ -956,7 +1001,7 @@ METHOD(attest_db_t, list_measurements, void, "JOIN keys AS k ON k.id = ch.key " "WHERE ch.algo = ? AND ch.key = ? AND ch.component = ? " "ORDER BY seq_no", - DB_INT, this->algo, DB_INT, this->kid, DB_INT, this->cid, + DB_INT, this->algo, DB_UINT, this->kid, DB_UINT, this->cid, DB_INT, DB_INT, DB_BLOB, DB_TEXT); if (e) { @@ -964,16 +1009,16 @@ METHOD(attest_db_t, list_measurements, void, { if (this->kid != kid_old) { - printf("%3d: %#B '%s'\n", this->kid, &this->key, owner); + printf("%4d: %#B '%s'\n", this->kid, &this->key, owner); kid_old = this->kid; } - printf("%5d %02d %#B\n", seq_no, pcr, &hash); + printf("%7d %02d %#B\n", seq_no, pcr, &hash); count++; } e->destroy(e); printf("%d %N value%s found for component '%s'\n", count, - hash_algorithm_names, pts_meas_algo_to_hash(this->algo), + pts_meas_algorithm_names, this->algo, (count == 1) ? "" : "s", print_cfn(this->cfn)); } } @@ -985,7 +1030,7 @@ METHOD(attest_db_t, list_measurements, void, "JOIN keys AS k ON k.id = ch.key " "WHERE ch.algo = ? AND ch.component = ? " "ORDER BY keyid, seq_no", - DB_INT, this->algo, DB_INT, this->cid, + DB_INT, this->algo, DB_UINT, this->cid, DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB, DB_TEXT); if (e) { @@ -993,16 +1038,16 @@ METHOD(attest_db_t, list_measurements, void, { if (kid != kid_old) { - printf("%3d: %#B '%s'\n", kid, &keyid, owner); + printf("%4d: %#B '%s'\n", kid, &keyid, owner); kid_old = kid; } - printf("%5d %02d %#B\n", seq_no, pcr, &hash); + printf("%7d %02d %#B\n", seq_no, pcr, &hash); count++; } e->destroy(e); printf("%d %N value%s found for component '%s'\n", count, - hash_algorithm_names, pts_meas_algo_to_hash(this->algo), + pts_meas_algorithm_names, this->algo, (count == 1) ? "" : "s", print_cfn(this->cfn)); } 
@@ -1016,7 +1061,7 @@ METHOD(attest_db_t, list_measurements, void, "JOIN components AS c ON c.id = ch.component " "WHERE ch.algo = ? AND ch.key = ? " "ORDER BY vendor_id, name, qualifier, seq_no", - DB_INT, this->algo, DB_INT, this->kid, DB_INT, DB_INT, DB_BLOB, + DB_INT, this->algo, DB_UINT, this->kid, DB_INT, DB_INT, DB_BLOB, DB_INT, DB_INT, DB_INT, DB_INT); if (e) { @@ -1026,7 +1071,7 @@ METHOD(attest_db_t, list_measurements, void, if (cid != cid_old) { cfn = pts_comp_func_name_create(vid, name, qualifier); - printf("%3d: %s\n", cid, print_cfn(cfn)); + printf("%4d: %s\n", cid, print_cfn(cfn)); cfn->destroy(cfn); cid_old = cid; } 
@@ -1036,25 +1081,189 @@ METHOD(attest_db_t, list_measurements, void, e->destroy(e); printf("%d %N value%s found for key %#B '%s'\n", count, - hash_algorithm_names, pts_meas_algo_to_hash(this->algo), + pts_meas_algorithm_names, this->algo, (count == 1) ? "" : "s", &this->key, this->owner); } } } +bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo, + chunk_t measurement, int fid, int did, bool ima, + int *hashes_added) +{ + enumerator_t *e; + chunk_t hash; + char *label; + + label = "could not be created"; + + e = this->db->query(this->db, + "SELECT hash FROM file_hashes WHERE algo = ? " + "AND file = ? AND directory = ? AND product = ? and key = 0", + DB_INT, algo, DB_UINT, fid, DB_UINT, did, DB_UINT, this->pid, DB_BLOB); + if (!e) + { + printf("file_hashes query failed\n"); + return FALSE; + } + if (e->enumerate(e, &hash)) + { + label = chunk_equals(measurement, hash) ? + "exists and equals" : "exists and differs"; + } + else + { + if (this->db->execute(this->db, NULL, + "INSERT INTO file_hashes " + "(file, directory, product, key, algo, hash) " + "VALUES (?, ?, ?, 0, ?, ?)", + DB_UINT, fid, DB_UINT, did, DB_UINT, this->pid, + DB_INT, algo, DB_BLOB, measurement) == 1) + { + label = "created"; + (*hashes_added)++; + } + } + e->destroy(e); + + printf(" %#B - %s%s\n", &measurement, ima ? "ima - " : "", label); + return TRUE; +} + METHOD(attest_db_t, add, bool, private_attest_db_t *this) { bool success = FALSE; + /* add key/component pair */ if (this->kid && this->cid) { success = this->db->execute(this->db, NULL, - "INSERT INTO key_component (key, component) VALUES (?, ?)", - DB_UINT, this->kid, DB_UINT, this->cid) == 1; + "INSERT INTO key_component (key, component, seq_no) " + "VALUES (?, ?, ?)", + DB_UINT, this->kid, DB_UINT, this->cid, + DB_UINT, this->seq_no) == 1; - printf("key/component pair (%d/%d) %sinserted into database\n", - this->kid, this->cid, success ? 
"" : "could not be "); + printf("key/component pair (%d/%d) %sinserted into database at " + "position %d\n", this->kid, this->cid, + success ? "" : "could not be ", this->seq_no); + + return success; + } + + /* add directory or file measurement for a given product */ + if ((this->did || this->fid) && this->pid) + { + char *pathname, *filename, *label; + char ima_buffer[IMA_MAX_NAME_LEN + 1]; + chunk_t measurement, ima_template; + pts_file_meas_t *measurements; + hasher_t *hasher = NULL; + bool ima = FALSE; + int fid, did; + int files_added = 0, hashes_added = 0, ima_hashes_added = 0; + enumerator_t *enumerator, *e; + + if (this->algo == PTS_MEAS_ALGO_SHA1_IMA) + { + ima = TRUE; + this->algo = PTS_MEAS_ALGO_SHA1; + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (!hasher) + { + printf("could not create hasher\n"); + return FALSE; + } + } + + pathname = this->did ? this->dir : this->file; + measurements = pts_file_meas_create_from_path(0, pathname, this->did, + this->relative, this->algo); + if (!measurements) + { + printf("file measurement failed\n"); + DESTROY_IF(hasher); + return FALSE; + } + if (this->fid && this->relative) + { + set_directory(this, dirname(pathname), TRUE); + } + did = this->relative ? 
this->did : 0; + + enumerator = measurements->create_enumerator(measurements); + while (enumerator->enumerate(enumerator, &filename, &measurement)) + { + /* retrieve or create filename */ + label = "could not be created"; + + e = this->db->query(this->db, + "SELECT id FROM files WHERE path = ?", + DB_TEXT, filename, DB_INT); + if (!e) + { + printf("files query failed\n"); + break; + } + if (e->enumerate(e, &fid)) + { + label = "exists"; + } + else + { + if (this->db->execute(this->db, &fid, + "INSERT INTO files (type, path) VALUES (0, ?)", + DB_TEXT, filename) == 1) + { + label = "created"; + files_added++; + } + } + e->destroy(e); + + printf("%4d: %s - %s\n", fid, filename, label); + + /* compute file measurement hash */ + if (!insert_file_hash(this, this->algo, measurement, + fid, did, FALSE, &hashes_added)) + { + break; + } + + if (!ima) + { + continue; + } + + /* compute IMA template hash */ + strncpy(ima_buffer, filename, IMA_MAX_NAME_LEN); + ima_buffer[IMA_MAX_NAME_LEN] = '\0'; + ima_template = chunk_create(ima_buffer, sizeof(ima_buffer)); + if (!hasher->get_hash(hasher, measurement, NULL) || + !hasher->get_hash(hasher, ima_template, measurement.ptr)) + { + printf("could not compute IMA template hash\n"); + break; + } + if (!insert_file_hash(this, PTS_MEAS_ALGO_SHA1_IMA, measurement, + fid, did, TRUE, &ima_hashes_added)) + { + break; + } + } + enumerator->destroy(enumerator); + + printf("%d measurements, added %d new files, %d new file hashes", + measurements->get_file_count(measurements), + files_added, hashes_added); + if (ima) + { + printf(" , %d new ima hashes", ima_hashes_added); + hasher->destroy(hasher); + } + printf("\n"); + measurements->destroy(measurements); + success = TRUE; } return success; } 
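Review bot: Every `break` inside the measurement loop of add (files query failed, insert_file_hash failure, IMA template hash failure) still falls through to the unconditional `success = TRUE;` after the loop, so a run that stopped half-way is reported as success; initialise `success = TRUE;` before the loop and put `success = FALSE;` in front of each `break`. `fid` is declared uninitialised (`int fid, did;`) and, when the SELECT yields no row and the INSERT does not return 1, it is printed and handed to insert_file_hash anyway unless execute() happens to write it on failure — that branch should leave the loop too. `set_directory(this, dirname(pathname), TRUE)` passes `this->file` (aliased by `pathname`) to dirname(3), which may modify its argument in place, so `this->file` can be left holding only the directory afterwards; presumably harmless here because the loop uses `filename` from the enumerator, but a copy or a `/* dirname(3) may modify pathname in place */` comment would make that explicit. `insert_file_hash` is a new file-scope helper with external linkage and no prototype; it should be `static`.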
@@ -1064,12 +1273,42 @@ METHOD(attest_db_t, delete, bool, { bool success; + /* delete a file measurement hash for a given product */ + if (this->algo && this->pid && this->fid) + { + success = this->db->execute(this->db, NULL, + "DELETE FROM file_hashes " + "WHERE algo = ? AND product = ? " + "AND file = ? AND directory = ?", + DB_UINT, this->algo, DB_UINT, this->pid, + DB_UINT, this->fid, DB_UINT, this->did) > 0; + + printf("%4d: %s%s%s\n", this->fid, this->dir, this->did ? "/":"", + this->file); + printf("%N value for product '%s' %sdeleted from database\n", + pts_meas_algorithm_names, this->algo, this->product, + success ? "" : "could not be "); + + return success; + } + + /* delete product/file entries */ if (this->pid && (this->fid || this->did)) { - printf("deletion of product/file entries not supported yet\n"); - return FALSE; + success = this->db->execute(this->db, NULL, + "DELETE FROM product_file " + "WHERE product = ? AND file = ?", + DB_UINT, this->pid, + DB_UINT, this->fid ? this->fid : this->did) > 0; + + printf("product/file pair (%d/%d) %sdeleted from database\n", + this->pid, this->fid ? this->fid : this->did, + success ? "" : "could not be "); + + return success; } + /* delete key/component pair */ if (this->kid && this->cid) { success = this->db->execute(this->db, NULL, @@ -1173,6 +1412,8 @@ attest_db_t *attest_db_create(char *uri) .set_product = _set_product, .set_pid = _set_pid, .set_algo = _set_algo, + .set_relative = _set_relative, + .set_sequence = _set_sequence, .set_owner = _set_owner, .list_products = _list_products, .list_files = _list_files, @@ -1185,7 +1426,6 @@ attest_db_t *attest_db_create(char *uri) .destroy = _destroy, }, .dir = strdup(""), - .algo = PTS_MEAS_ALGO_SHA256, .db = lib->db->create(lib->db, uri), ); diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h index 9c9a9dcba..e32a368d8 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.h 
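Review bot: The new file_hashes DELETE in delete binds the algorithm as `DB_UINT, this->algo`, while every other query in this file (insert_file_hash, list_hashes, list_measurements) binds it as `DB_INT`; use `DB_INT, this->algo` here so the bound type matches the column's other uses. The branch is entered whenever `this->algo` is non-zero, which only works as a "no algorithm given" test because the `.algo = PTS_MEAS_ALGO_SHA256` default is removed from attest_db_create in the hunk at +1426 below — presumably leaving the field zero-initialised; a comment such as `/* algo is 0 unless an algorithm was given on the command line */` would make the dispatch readable. The `this->did ? "/" : ""` separator in the printf also differs from the `slash(this->dir, this->file)` helper the list functions use for the same output. delete's body continues past the hunk.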
+++ b/src/libpts/plugins/imv_attestation/attest_db.h @@ -126,6 +126,21 @@ struct attest_db_t { void (*set_algo)(attest_db_t *this, pts_meas_algorithms_t algo); /** + * Set that the IMA-specific SHA-1 template hash be computed + */ + void (*set_ima)(attest_db_t *this); + + /** + * Set that relative filenames are to be used + */ + void (*set_relative)(attest_db_t *this); + + /** + * Set the sequence number + */ + void (*set_sequence)(attest_db_t *this, int seq_no); + + /** * Set owner [user/host] of an AIK * * @param owner user/host name diff --git a/src/libpts/plugins/imv_attestation/attest_usage.c b/src/libpts/plugins/imv_attestation/attest_usage.c index e58f821e0..f7040f7ad 100644 --- a/src/libpts/plugins/imv_attestation/attest_usage.c +++ b/src/libpts/plugins/imv_attestation/attest_usage.c @@ -40,7 +40,7 @@ Usage:\n\ Show a list of measurement hashes for a given software product or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --hashes [--sha1|--sha256|--sha384] [--file <path>|--fid <id>]\n\ + ipsec attest --hashes [--sha1|--sha1-ima|--sha256|--sha384] [--file <path>|--fid <id>]\n\ Show a list of measurement hashes for a given file or\n\ its primary key as an optional selector.\n\ \n\ @@ -52,11 +52,11 @@ Usage:\n\ Show a list of AIK key digests with a component or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --measurements [--sha1|--sha256|--sha384] [--component <cfn>|--cid <id>]\n\ + ipsec attest --measurements --sha1|--sha256|--sha384 [--component <cfn>|--cid <id>]\n\ Show a list of component measurements for a given component or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --measurements [--sha1|--sha256|--sha384] [--key <digest>|--kid <id>|--aik <path>]\n\ + ipsec attest --measurements --sha1|--sha256|--sha384 [--key <digest>|--kid <id>|--aik <path>]\n\ Show a list of component measurements for a given AIK or\n\ its primary key as an optional selector.\n\ \n\ 
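Review bot: `set_ima` is added to the attest_db_t interface, but none of the attest_db.c hunks in this commit define a `set_ima` METHOD or set `.set_ima` in attest_db_create — the hunk at +1412 wires only `.set_relative` and `.set_sequence`. If nothing outside the shown hunks fills it, the function pointer stays NULL and a caller that follows the header will crash; either drop the declaration or add the method. Since add() selects the IMA template hash through `set_algo(PTS_MEAS_ALGO_SHA1_IMA)`, the declaration looks like a leftover, and its doc comment should at least say how it relates to that path.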
@@ -67,14 +67,31 @@ Usage:\n\
 ipsec attest --add [--owner <name>] --key <digest>|--aik <path>\n\
 Add an AIK public key digest entry preceded by an optional owner name\n\
 \n\
+ ipsec attest --add --product <name>|--pid <id> --sha1|--sha1-ima|--sha256|--sha384\n\
+ [--relative|--rel] --dir <path>|--file <path>\n\
+ Add hashes of a single file or all files in a directory under absolute or relative filenames\n\
+ \n\
+ ipsec attest --add --key <digest|--kid <id> --component <cfn>|--cid <id> --sequence <no>|--seq <no>\n\
+ Add an ordered key/component entry\n\
+ \n\
 ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\
 Delete a file or directory entry referenced either by value or primary key\n\
 \n\
 ipsec attest --del --product <name>|--pid <id>|--component <cfn>|--cid <id>\n\
 Delete a product or component entry referenced either by value or primary key\n\
 \n\
+ ipsec attest --del --product <name>|--pid <id> --file <path>|--fid <id>|--dir <path>|--did <id>\n\
+ Delete a product/file entry referenced either by value or primary key\n\
+ \n\
 ipsec attest --del --key <digest>|--kid <id>|--aik <path>\n\
 Delete an AIK entry referenced either by value or primary key\n\
+ \n\
+ ipsec attest --del --key <digest|--kid <id> --component <cfn>|--cid <id>\n\
+ Delete a key/component entry\n\
+ \n\
+ ipsec attest --del --product <name>|--pid <id> --sha1|--sha1-ima|--sha256|--sha384\n\
+ [--dir <path>|--did <id>] --file <path>|--fid <id>\n\
+ Delete a file hash given an absolute or relative filename\n\
 \n");
 }
diff --git a/src/libpts/plugins/imv_attestation/build-database.sh b/src/libpts/plugins/imv_attestation/build-database.sh
new file mode 100755
index 000000000..a89258e1d
--- /dev/null
+++ b/src/libpts/plugins/imv_attestation/build-database.sh
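Review bot: Two of the added usage lines are missing the closing angle bracket: `ipsec attest --add --key <digest|--kid <id> --component ...` and `ipsec attest --del --key <digest|--kid <id> --component ...` should read `--key <digest>|--kid <id>`, as the existing `--del --key <digest>|--kid <id>|--aik <path>` line does. The new `--del --product ... --sha1|--sha1-ima|--sha256|--sha384` entry promises to delete "a file hash given an absolute or relative filename" but, unlike the matching `--add` entry, does not list `[--relative|--rel]`; if the same switch selects relative names on deletion, naming it there removes the guesswork.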
@@ -0,0 +1,221 @@
+#!/bin/sh
+
+p="Ubuntu 12.04.1 LTS i686"
+
+ipsec attest --add --product "$p" --sha1-ima --dir /sbin
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/sbin
+ipsec attest --add --product "$p" --sha1-ima --dir /bin
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/bin
+ipsec attest --add --product "$p" --sha1-ima --dir /etc/acpi
+ipsec attest --add --product "$p" --sha1-ima --file /etc/init.d/rc
+ipsec attest --add --product "$p" --sha1-ima --file /etc/init.d/rcS
+ipsec attest --add --product "$p" --sha1-ima --dir /etc/network/if-post-down.d
+ipsec attest --add --product "$p" --sha1-ima --dir /etc/network/if-pre-up.d
+ipsec attest --add --product "$p" --sha1-ima --dir /etc/network/if-up.d
+ipsec attest --add --product "$p" --sha1-ima --file /etc/NetworkManager/dispatcher.d/01ifupdown
+ipsec attest --add --product "$p" --sha1-ima --dir /etc/ppp/ip-down.d
+ipsec attest --add --product "$p" --sha1-ima --dir /etc/rc2.d
+ipsec attest --add --product "$p" --sha1-ima --dir /etc/rcS.d
+ipsec attest --add --product "$p" --sha1-ima --file /etc/rc.local
+ipsec attest --add --product "$p" --sha1-ima --dir /etc/resolvconf/update.d
+ipsec attest --add --product "$p" --sha1-ima --file /etc/resolvconf/update-libc.d/avahi-daemon
+ipsec attest --add --product "$p" --sha1-ima --dir /etc/update-motd.d
+ipsec attest --add --product "$p" --sha1-ima --file /lib/crda/setregdomain
+ipsec attest --add --product "$p" --sha1-ima --file /lib/init/apparmor-profile-load
+ipsec attest --add --product "$p" --sha1-ima --file /lib/resolvconf/list-records
+ipsec attest --add --product "$p" --sha1-ima --dir /lib/udev
+ipsec attest --add --product "$p" --sha1-ima --file /lib/ufw/ufw-init
+ipsec attest --add --product "$p" --sha1-ima --file /opt/Adobe/Reader9/Reader/intellinux/bin/acroread
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/accountsservice/accounts-daemon
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/apt/methods
+ipsec attest --add 
--product "$p" --sha1-ima --dir /usr/lib/at-spi2-core
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/avahi/avahi-daemon-check-dns.sh
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/bamf/bamfdaemon
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ConsoleKit
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ConsoleKit/run-seat.d
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ConsoleKit/run-session.d
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/cups/notifier
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/dconf/dconf-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/dbus-1.0/dbus-daemon-launch-helper
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/deja-dup/deja-dup/deja-dup-monitor
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/evolution/3.2/evolution-alarm-notify
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/firefox/firefox
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/firefox/plugin-container
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gcc/i686-linux-gnu/4.6/cc1
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gcc/i686-linux-gnu/4.6/collect2
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/geoclue/geoclue-master
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/git-core
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-desktop3/check_gl_texture_size
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-disk-utility/gdu-notification-daemon
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-online-accounts/goa-daemon
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/gnome-settings-daemon
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-user-share/gnome-user-share
+ipsec attest --add --product "$p" --sha1-ima --file 
/usr/lib/gnome-screensaver/gnome-screensaver-dialog
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/gvfs
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gvfs//gvfs-fuse-daemon
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/i386-linux-gnu/colord/colord
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/i386-linux-gnu/gconf
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-application/indicator-application-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-appmenu/hud-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-datetime/indicator-datetime-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-messages/indicator-messages-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-printers/indicator-printers-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-session/indicator-session-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-sound/indicator-sound-service
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/lightdm
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/NetworkManager/nm-dhcp-client.action
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/NetworkManager/nm-dispatcher.action
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/notify-osd/notify-osd
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/nux/unity_support_test
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/pm-utils/power.d
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/pm-utils/sleep.d
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/policykit-1/polkitd
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/pulseaudio/pulse/gconf-helper 
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/rtkit/rtkit-daemon
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/system-service/system-service-d
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/telepathy/mission-control-5
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/thunderbird/thunderbird
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ubuntuone-client
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/ubuntu-geoip/ubuntu-geoip-provider
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ubuntu-sso-client
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/udisks
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity/unity-panel-service
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-lens-applications/unity-applications-daemon
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-lens-files/unity-files-daemon
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/unity-lens-music
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-lens-video/unity-lens-video
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-scope-video-remote/unity-scope-video-remote
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/update-manager/release-upgrade-motd
+ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/update-notifier
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/upower/upowerd
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/libvte-2.90-9/gnome-pty-helper
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/zeitgeist/zeitgeist-fts
+ipsec attest --add --product "$p" --sha1-ima --file /usr/share/apport/apport
+ipsec attest --add --product "$p" --sha1-ima --file /usr/share/apport/apport-checkreports
+ipsec attest --add --product "$p" --sha1-ima --file /usr/share/apport/apport-gtk
+ipsec attest --add --product "$p" --sha1-ima --dir 
/usr/share/language-tools
+ipsec attest --add --product "$p" --sha1-ima --file /usr/share/virtualbox/VBoxCreateUSBNode.sh
+ipsec attest --add --product "$p" --sha1-ima --relative --file /etc/ld.so.cache
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/i386-linux-gnu
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/i386-linux-gnu/security
+for file in `find /lib/modules/3.2.21ima/kernel -name *.ko`
+do
+ipsec attest --add --product "$p" --sha1-ima --relative --file $file
+done
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/plymouth
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/plymouth/renderers
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/security
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /opt/Adobe/Reader9/Reader/intellinux/lib
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/apache2/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/compiz
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/compizconfig/backends/
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/enchant
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/evolution/3.2/libemiscwidgets.so.0.0.0
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/evolution/3.2/libeutil.so.0.0.0
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/evolution/3.2/libgnomecanvas.so.0.0.0
+for file in /usr/lib/firefox/*.so
+do
+ipsec attest --add --product "$p" --sha1-ima --relative --file $file
+done
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox/components/libbrowsercomps.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file 
/usr/lib/firefox/components/libdbusservice.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox/components/libmozgnome.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox-addons/extensions/globalmenu@ubuntu.com/components/libglobalmenu.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox-addons/plugins/nppdf.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/flashplugin-installer/libflashplayer.so
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gedit/plugins
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gnome-bluetooth
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gnome-settings-daemon-3.0
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gtk-2.0/2.10.0/menuproxies
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gtk-3.0/3.0.0/menuproxies
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gtk-3.0/3.0.0/theming-engines
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/alsa-lib
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/dri
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gconf/2
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gconv
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gio/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-2.0/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-2.0/2.10.0/engines
+ipsec attest 
--add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-2.0/2.10.0/immodules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-3.0/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-3.0/3.0.0/immodules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gvfs
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/libcanberra-0.28
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/mesa
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/mit-krb5
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/openssl-1.0.0/engines
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/pango/1.6.0/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/pkcs11
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/polkit-1/extensions
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/nss
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/sane
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/sse2
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/indicators3/7
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/indicator-messages/status-providers/1
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/libpeas-1.0/loaders
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/man-db/libman-2.6.1.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/man-db/libmandb-2.6.1.so
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/mission-control-plugins.0
+ipsec attest --add --product 
"$p" --sha1-ima --relative --dir /usr/lib/ModemManager +ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/nautilus/extensions-3.0 +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/NetworkManager/libnm-settings-plugin-ifupdown.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/perl/5.14.2/auto/File/Glob/Glob.so +ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/pulse-1.1/modules +ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/python2.7/lib-dynload +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/apt_inst.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/apt_pkg.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/cairo/_cairo.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/dbus/mainloop/qt.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/_dbus_bindings.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/_dbus_glib_bindings.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/duplicity/_librsync.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gi/_gi.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gi/_gobject/_gobject.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gi/_glib/_glib.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/glib/_glib.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gobject/_gobject.so +ipsec attest --add --product "$p" --sha1-ima --relative 
--file /usr/lib/python2.7/dist-packages/gtk-2.0/atk.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/gtk/_gtk.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/gio/_gio.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/gio/unix.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/pango.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/pangocairo.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/pynotify/_pynotify.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/OpenSSL/crypto.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/OpenSSL/rand.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/OpenSSL/SSL.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/PyQt4/QtCore.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/simplejson/_speedups.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/sip.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/twisted/internet/_sigchld.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/twisted/python/_initgroups.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/xapian/_xapian.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/zope/interface/_zope_interface_coptimizations.so +ipsec attest --add --product "$p" 
--sha1-ima --relative --dir /usr/lib/rsyslog +ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/sane +ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/sse2 +ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/sudo +for file in /usr/lib/thunderbird/*.so +do +ipsec attest --add --product "$p" --sha1-ima --relative --file $file +done +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/thunderbird/components/libdbusservice.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/thunderbird/components/libmozgnome.so +ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/thunderbird-addons/extensions/globalmenu@ubuntu.com/components/libglobalmenu.so +ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/xorg/modules +ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/xorg/modules/drivers +ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/xorg/modules/extensions +ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/xorg/modules/input +ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/share/fonts/truetype/ubuntu-font-family +ipsec attest --del --product "$p" --sha1 --file /lib/resolvconf/list-records +ipsec attest --del --product "$p" --sha1-ima --file /lib/resolvconf/list-records +ipsec attest --del --product "$p" --sha1 --file /usr/bin/lsb_release +ipsec attest --del --product "$p" --sha1-ima --file /usr/bin/lsb_release +ipsec attest --del --product "$p" --sha1 --file /usr/share/language-tools/language-options +ipsec attest --del --product "$p" --sha1-ima --file /usr/share/language-tools/language-options + diff --git a/src/libpts/plugins/imv_attestation/data.sql b/src/libpts/plugins/imv_attestation/data.sql index e6e03627a..b1646b724 100644 --- a/src/libpts/plugins/imv_attestation/data.sql +++ b/src/libpts/plugins/imv_attestation/data.sql 
@@ -42,6 +42,18 @@ INSERT INTO products ( 'Ubuntu 11.10 i686' ); +INSERT INTO products ( + name +) VALUES ( + 'Ubuntu 12.04 LTS i686' +); + +INSERT INTO products ( + name +) VALUES ( + 'Ubuntu 12.04.1 LTS i686' +); + /* Files */ INSERT INTO files ( /* 1 */ @@ -83,7 +95,7 @@ INSERT INTO files ( INSERT INTO files ( type, path ) VALUES ( - 1, '/lib/xtables/' + 1, '/lib/xtables' ); INSERT INTO files ( @@ -176,6 +188,19 @@ INSERT INTO files ( 0, '/etc/tnc_config' ); +INSERT INTO files ( + type, path +) VALUES ( + 0, '/lib/libxtables.so.7' +); + +INSERT INTO files ( + type, path +) VALUES ( + 0, '/sbin/xtables-multi' +); + + /* Product-File */ INSERT INTO product_file ( @@ -388,6 +413,48 @@ INSERT INTO product_file ( 7, 22, 1 ); +INSERT INTO product_file ( + product, file, measurement +) VALUES ( + 8, 1, 1 +); + +INSERT INTO product_file ( + product, file, measurement +) VALUES ( + 8, 7, 1 +); + +INSERT INTO product_file ( + product, file, metadata +) VALUES ( + 8, 22, 1 +); + +INSERT INTO product_file ( + product, file, measurement +) VALUES ( + 8, 23, 1 +); + +INSERT INTO product_file ( + product, file, measurement +) VALUES ( + 8, 24, 1 +); + +INSERT INTO product_file ( + product, file, measurement +) VALUES ( + 9, 1, 1 +); + +INSERT INTO product_file ( + product, file, metadata +) VALUES ( + 9, 22, 1 +); + /* File Hashes */ INSERT INTO file_hashes ( 
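Review bot: The change from `'/lib/xtables/'` to `'/lib/xtables'` in the `@@ -83,7 +95,7` hunk alters a lookup key, not cosmetics: the directory path is presumably what measurement requests and the directory-7 `file_hashes` rows are matched against, so a database seeded from the previous data.sql would no longer line up with the new request format. A one-line comment next to the `files` inserts would save the next person a debugging session, e.g. `/* directory paths are stored without a trailing slash */`. The commit description should also say that existing attestation databases need to be re-seeded or fixed up.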
@@ -429,6 +496,42 @@ INSERT INTO file_hashes ( INSERT INTO file_hashes ( file, product, algo, hash ) VALUES ( + 1, 8, 32768, X'9c3ed3179990c0ffb3a65b75a09b61faa4aca907' +); + +INSERT INTO file_hashes ( + file, product, algo, hash +) VALUES ( + 1, 8, 16384, X'af474dd532c9f2d85c12368334eda3609a7c6287e08940f078547ab0f2871c94' +); + +INSERT INTO file_hashes ( + file, product, algo, hash +) VALUES ( + 1, 8, 8192, X'a23fa7034dabdce2d10f2893d52b21d14fe24c6ae4c8570fb6c7190228046e4c064c4d29d736cd84ca42a3d9abf9bfde' +); + +INSERT INTO file_hashes ( + file, product, algo, hash +) VALUES ( + 1, 9, 32768, X'9c3ed3179990c0ffb3a65b75a09b61faa4aca907' +); + +INSERT INTO file_hashes ( + file, product, algo, hash +) VALUES ( + 1, 9, 16384, X'af474dd532c9f2d85c12368334eda3609a7c6287e08940f078547ab0f2871c94' +); + +INSERT INTO file_hashes ( + file, product, algo, hash +) VALUES ( + 1, 9, 8192, X'a23fa7034dabdce2d10f2893d52b21d14fe24c6ae4c8570fb6c7190228046e4c064c4d29d736cd84ca42a3d9abf9bfde' +); + +INSERT INTO file_hashes ( + file, product, algo, hash +) VALUES ( 2, 2, 32768, X'2a4047437e6fb346e2d854fc415e16b80e75bf6b' ); @@ -736,6 +839,24 @@ INSERT INTO file_hashes ( INSERT INTO file_hashes ( file, directory, product, algo, hash ) VALUES ( + 8, 7, 8, 32768, X'a93f870078b69ba530e6335eaee698908b12078f' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 8, 7, 8, 16384, X'0c31c1f41a57f4b15fafeb541de475e6da88380c911bb606b35413fda8428006' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 8, 7, 8, 8192, X'bb8fc7073691910d315621de176be64316923782df8d836b384414fd9a3d293be5bea51811ee6ef68a497f12384bba42' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( 8, 21, 6, 32768, X'010873de0d682a26e1c6795dd4992248cc47cdd1' ); 
@@ -808,6 +929,24 @@ INSERT INTO file_hashes ( INSERT INTO file_hashes ( file, directory, product, algo, hash ) VALUES ( + 9, 7, 8, 32768, X'225836cb243c3502d90c92c3eb54310403303270' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 9, 7, 8, 16384, X'7862ed16eeb35d2f10e6d416a6fcbe8000ba1bbc2daddd15f43b375686308d7d' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 9, 7, 8, 8192, X'd4b6b939d0fdcd84bbc66fbf9bd044a61de823b4acb52e0ead7ae7f955d9b2d6399da1f673eadbb4792b819923e5e845' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( 9, 21, 6, 32768, X'e1df4f3949b09c25e15b9c9b7088a60d683903a8' ); @@ -862,6 +1001,24 @@ INSERT INTO file_hashes ( INSERT INTO file_hashes ( file, directory, product, algo, hash ) VALUES ( + 10, 7, 8, 32768, X'008374e704c81351c333a214f4ee2d89e996f344' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 10, 7, 8, 16384, X'0e28034f99a3e0cdffa64bf126858afb48ee25b5cbfc70bbcd997bab7ef1e056' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 10, 7, 8, 8192, X'b6e01ba0706e48ce37abef3fbc59a45fd50c7abd3bb7950b1d892bc4a0db3f9784f573d74ef51376267183d26513d1d0' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( 10, 21, 6, 32768, X'87df2d01b85d8354819b431bae0a0a65bfc5d2db' ); 
@@ -916,6 +1073,24 @@ INSERT INTO file_hashes ( INSERT INTO file_hashes ( file, directory, product, algo, hash ) VALUES ( + 11, 7, 8, 32768, X'105fc70c5ecde30ebe841ac0a229b77b6d5f3d8a' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 11, 7, 8, 16384, X'e4cdc17b835eabe06d719bccada0e59d3ee5eb3759ca75eb9c037166e8dafd30' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 11, 7, 8, 8192, X'a9f6a18ff6f85208583e0b3fdd2fdafc4575baf5d973c7a831ce74d8bb5a24b8ae8e4504ddefa4a2c2b91f31cd68edea' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( 12, 7, 1, 32768, X'6c0b2df4fc4c9122b5762ae140d53fdd1cf9e89b' ); @@ -952,6 +1127,24 @@ INSERT INTO file_hashes ( INSERT INTO file_hashes ( file, directory, product, algo, hash ) VALUES ( + 12, 7, 8, 32768, X'a9d8ea0203810d269b3ef3d974fed2ac4d486bae' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 12, 7, 8, 16384, X'c071aedaa6f66f8ab45ce037d72bbc42fb1894ac69ab689ad21ce6ff0c1c5d6a' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 12, 7, 8, 8192, X'1612eb51a3be3fcba24808326e29967b6f798c5140aefc8279601c5f5600030148fd01e8fbe737fba9c3972832e67601' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( 13, 7, 1, 32768, X'e2f7b92abda769f82796f57a29801870585dcea3' ); 
@@ -988,6 +1181,24 @@ INSERT INTO file_hashes ( INSERT INTO file_hashes ( file, directory, product, algo, hash ) VALUES ( + 13, 7, 8, 32768, X'da655441bf10f7dc32978474c77903f2f9120cc4' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 13, 7, 8, 16384, X'ec6a4bb332af51cf60cc30ce95197a8c89d42e6135d6e0d4e1d9e4bcc88e838c' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 13, 7, 8, 8192, X'135a84e988f219d5bcd7cb4e7ada6f9239c0164a0021262be0c4f9c00d8bece341aa88e0e35011b195c737e438225f4b' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( 14, 7, 1, 32768, X'160d2b04d11eb225fb148615b699081869e15b6c' ); @@ -1024,6 +1235,24 @@ INSERT INTO file_hashes ( INSERT INTO file_hashes ( file, directory, product, algo, hash ) VALUES ( + 14, 7, 8, 32768, X'7b401b741cc32bcc86c3eac43059c9dd26e99a40' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 14, 7, 8, 16384, X'9a7cf37befecc40b494f9176bb887dd478e72c750fed8d540e5d7bbf4b5f2765' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 14, 7, 8, 8192, X'161c2f502f10a72ef159b6308219c38cb13387e21645e4357e6934d7afc62727cd76fd518dc6f676e2db47125eb9a2f6' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( 15, 7, 1, 32768, X'5a0d07ab036603a76759e5f61f7d04f2d3c056cc' ); 
@@ -1060,6 +1289,24 @@ INSERT INTO file_hashes ( INSERT INTO file_hashes ( file, directory, product, algo, hash ) VALUES ( + 15, 7, 8, 32768, X'129f6ecfb596fd751e33209b2ad2a28f2d243fdc' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 15, 7, 8, 16384, X'2fd1e8874b2faf18973881af54bd3e1fd21aaa8ee181313919569715885e69bc' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 15, 7, 8, 8192, X'3862f52ec823474ccfffeb6ead7c6a18b132057018704cb2fa05b08aaee3a1abfaf0eb4c826348f427dfbbb5b3e56647' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( 16, 7, 1, 32768, X'd6c8dfbaae7ab28b5cef2626a2af3f99a6ea4365' ); @@ -1094,6 +1341,24 @@ INSERT INTO file_hashes ( ); INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 16, 7, 8, 32768, X'2b686cd8359dea842cfdcacf39d22f5e0e6d06f2' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 16, 7, 8, 16384, X'e14fb3f87b9539108e023660f2d7b4fc728b0622a85de89bdc1fe20162f200a3' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 16, 7, 8, 8192, X'6f55292ad4061b0575dca0a3e6abe5f86d5288e0b860e6f76715bd5c9df8b5f751bc547d3147e9da12593b56a3f83252' +); + +INSERT INTO file_hashes ( file, product, algo, hash ) VALUES ( 17, 1, 32768, X'8a7c41167bc0fcc1dec8329a868ba265c23857f5' 
@@ -1186,6 +1451,24 @@ INSERT INTO file_hashes ( INSERT INTO file_hashes ( file, directory, product, algo, hash ) VALUES ( + 18, 7, 8, 32768, X'9ff04217b3b40cb328440e40b6dc1c283f9f71ec' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 18, 7, 8, 16384, X'76de3b5b8df6d685e522aeea01d79ac457808437c02d40eb2e6ff06098057d41' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 18, 7, 8, 8192, X'ca1c0f6e3516f82a40cbaaea84dd42a8c97cea6b729dc07343f18a5d1b898a94e861b0dfb574c3efad64c363bb07ebf5' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( 19, 7, 1, 32768, X'd537d437f058136eb3d7be517dbe7647b623c619' ); @@ -1222,6 +1505,24 @@ INSERT INTO file_hashes ( INSERT INTO file_hashes ( file, directory, product, algo, hash ) VALUES ( + 19, 7, 8, 32768, X'b3d6df204cc27f59704c19ab501172892a9c7c5d' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 19, 7, 8, 16384, X'9168ba26a67a3daf0ad3ea956d88358235ebb968b95f91bd110eab34ba75e4f8' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 19, 7, 8, 8192, X'e3a69702f9d07ea6e1f7cb85157f3d76d7e7dc577fd48ca7f6cf8f917ca7e5015e0f7dd463e1229aebf18aabcfd39cc3' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( 20, 7, 1, 32768, X'f9e3531abb67a020cf667d46ca823675dd0a0dd4' ); 
@@ -1255,6 +1556,60 @@ INSERT INTO file_hashes ( 20, 7, 7, 8192, X'84200bd318bb022915150842ddf4002e061ef593604ad0d07021dc662cc40bfa749cce084ddf25d0e5137f6380f613d8' ); +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 20, 7, 8, 32768, X'8696176c12bf8291b6b9989ec5c94c3fdf26b14f' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 20, 7, 8, 16384, X'e7b5896d1dbe17f501f20424e8ed7d2de14d79e984e0c0a032ea70ca2f44e83a' +); + +INSERT INTO file_hashes ( + file, directory, product, algo, hash +) VALUES ( + 20, 7, 8, 8192, X'0d87fb31cf84b57b5b872af0b5e65610df929e48877f5ea199c073da6087c7a0e4b4c186545f654bb5db94284fde6274' +); + +INSERT INTO file_hashes ( + file, product, algo, hash +) VALUES ( + 23, 8, 32768, X'a67433717c2b9e2a9293f15a88456efbf7998a84' +); + +INSERT INTO file_hashes ( + file, product, algo, hash +) VALUES ( + 23, 8, 16384, X'1453d3ceaea4043cecd34f1eb24e0fbbe9fe04978077d06a0f728de849e71365' +); + +INSERT INTO file_hashes ( + file, product, algo, hash +) VALUES ( + 23, 8, 8192, X'abd1134f68a2daf92183aeae372f970cb076164468d4df08b8cb53743cae0867c17231e8f087e3367b6ec6905eb03c16' +); + +INSERT INTO file_hashes ( + file, product, algo, hash +) VALUES ( + 24, 8, 32768, X'bc3f9d1edeb00192c5c040a53823b58642ed8f41' +); + +INSERT INTO file_hashes ( + file, product, algo, hash +) VALUES ( + 24, 8, 16384, X'78f76b5c274705d09cd73cfad04791b8009c56d00849a00613909a659dc9ac63' +); + +INSERT INTO file_hashes ( + file, product, algo, hash +) VALUES ( + 24, 8, 8192, X'52cea5a859d0a1e06ffa8c1fc4f7b8dffde2de99915d660b2d3756315efdd873bee67ba3732f2c1ec692c38a8780cd72' +); + /* AIKs */ INSERT INTO keys ( 
@@ -1280,7 +1635,13 @@ INSERT INTO components ( INSERT INTO components ( vendor_id, name, qualifier ) VALUES ( - 36906, 3, 33 /* ITA IMA */ + 36906, 3, 33 /* ITA IMA - Trusted Platform */ +); + +INSERT INTO components ( + vendor_id, name, qualifier +) VALUES ( + 36906, 3, 34 /* ITA IMA - Operating System */ ); /* AIK Component */ @@ -1288,18 +1649,18 @@ INSERT INTO components ( INSERT INTO key_component ( key, component, depth, seq_no ) VALUES ( - 2, 2, 0, 1 + 1, 3, 0, 1 ); INSERT INTO key_component ( key, component, depth, seq_no ) VALUES ( - 1, 3, 0, 1 + 1, 2, 0, 2 ); INSERT INTO key_component ( key, component, depth, seq_no ) VALUES ( - 1, 2, 0, 2 + 1, 4, 0, 3 ); diff --git a/src/libpts/plugins/imv_attestation/imv_attestation.c b/src/libpts/plugins/imv_attestation/imv_attestation.c index 51069b02d..201496e8a 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Sansar Choinyambuu + * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -168,13 +168,10 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id, static TNC_Result send_message(TNC_ConnectionID connection_id) { - pa_tnc_msg_t *msg; - pa_tnc_attr_t *attr; + linked_list_t *attr_list; imv_state_t *state; imv_attestation_state_t *attestation_state; TNC_Result result; - linked_list_t *attr_list; - enumerator_t *enumerator; if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) { 
@@ -188,21 +185,8 @@ static TNC_Result send_message(TNC_ConnectionID connection_id) { if (attr_list->get_count(attr_list)) { - msg = pa_tnc_msg_create(); - - /* move PA-TNC attributes to PA-TNC message */ - enumerator = attr_list->create_enumerator(attr_list); - while (enumerator->enumerate(enumerator, &attr)) - { - msg->add_attribute(msg, attr); - } - enumerator->destroy(enumerator); - - msg->build(msg); result = imv_attestation->send_message(imv_attestation, - connection_id, FALSE, 0, TNC_IMCID_ANY, - msg->get_encoding(msg)); - msg->destroy(msg); + connection_id, FALSE, 0, TNC_IMCID_ANY, attr_list); } else { @@ -230,6 +214,7 @@ static TNC_Result receive_message(TNC_IMVID imv_id, { pa_tnc_msg_t *pa_tnc_msg; pa_tnc_attr_t *attr; + pen_type_t type; linked_list_t *attr_list; imv_state_t *state; imv_attestation_state_t *attestation_state; 
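Review bot: Ownership of the attributes handed to `imv_attestation->send_message()` is no longer visible in this function: the removed code moved each attribute into a `pa_tnc_msg_t` that it then destroyed, while the new call just passes `attr_list`. In receive_message the same call is followed by `attr_list->destroy(attr_list)`, which frees the list but not its members, so this is only leak-free if the agent's send_message consumes the attributes. Once confirmed, a comment above the call such as `/* send_message() takes ownership of the attributes; the caller destroys the list */` would make that contract explicit. The else branch and the list's destruction in send_message lie outside the hunk.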
@@ -271,31 +256,31 @@ static TNC_Result receive_message(TNC_IMVID imv_id, enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg); while (enumerator->enumerate(enumerator, &attr)) { - if (attr->get_vendor_id(attr) == PEN_IETF) + type = attr->get_type(attr); + + if (type.vendor_id == PEN_IETF) { - if (attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR) + if (type.type == IETF_ATTR_PA_TNC_ERROR) { ietf_attr_pa_tnc_error_t *error_attr; - pen_t error_vendor_id; - pa_tnc_error_code_t error_code; + pen_type_t error_code; chunk_t msg_info; error_attr = (ietf_attr_pa_tnc_error_t*)attr; - error_vendor_id = error_attr->get_vendor_id(error_attr); + error_code = error_attr->get_error_code(error_attr); - if (error_vendor_id == PEN_TCG) + if (error_code.vendor_id == PEN_TCG) { - error_code = error_attr->get_error_code(error_attr); msg_info = error_attr->get_msg_info(error_attr); DBG1(DBG_IMV, "received TCG-PTS error '%N'", - pts_error_code_names, error_code); + pts_error_code_names, error_code.type); DBG1(DBG_IMV, "error information: %B", &msg_info); result = TNC_RESULT_FATAL; } } - else if (attr->get_type(attr) == IETF_ATTR_PRODUCT_INFORMATION) + else if (type.type == IETF_ATTR_PRODUCT_INFORMATION) { ietf_attr_product_info_t *attr_cast; char *platform_info; @@ -305,7 +290,7 @@ static TNC_Result receive_message(TNC_IMVID imv_id, pts->set_platform_info(pts, platform_info); } } - else if (attr->get_vendor_id(attr) == PEN_TCG) + else if (type.vendor_id == PEN_TCG) { if (!imv_attestation_process(attr, attr_list, attestation_state, supported_algorithms,supported_dh_groups, pts_db, pts_credmgr)) 
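Review bot: A PA-TNC error whose `error_code.vendor_id` is not PEN_TCG is silently dropped: the new branch only logs and sets `result = TNC_RESULT_FATAL` for TCG-PTS errors, so a standard IETF error code from the IMC (for instance one reporting an attribute it could not handle) leaves no trace and the handshake continues as if the peer had answered normally. At minimum add an else branch that logs it, `else { DBG1(DBG_IMV, "received PA-TNC error %d from vendor %d", error_code.type, error_code.vendor_id); }`, and decide whether it should be fatal as well. The enclosing attribute loop and the rest of receive_message continue outside the hunk.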
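Review bot: The `platform_info` string stored with `pts->set_platform_info()` comes straight from the IMC's product-information attribute and is later the key for `pts_db->create_file_hash_enumerator()` in imv_attestation_process, i.e. the endpoint itself chooses which reference-hash set it is compared against. That is acceptable only if an unknown product yields no reference values and therefore a measurement failure, and it deserves a comment here: `/* platform_info is self-reported by the IMC; it only selects the reference set, the measurements are still verified */`. Whether an unregistered product name fails closed is decided by the database lookup, outside this file.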
@@ -325,29 +310,14 @@ static TNC_Result receive_message(TNC_IMVID imv_id, TNC_IMV_ACTION_RECOMMENDATION_ISOLATE, TNC_IMV_EVALUATION_RESULT_ERROR); return imv_attestation->provide_recommendation(imv_attestation, - connection_id); + connection_id, src_imc_id); } if (attr_list->get_count(attr_list)) { - pa_tnc_msg = pa_tnc_msg_create(); - - /* move PA-TNC attributes to PA-TNC message */ - enumerator = attr_list->create_enumerator(attr_list); - while (enumerator->enumerate(enumerator, &attr)) - { - pa_tnc_msg->add_attribute(pa_tnc_msg, attr); - } - enumerator->destroy(enumerator); - - pa_tnc_msg->build(pa_tnc_msg); result = imv_attestation->send_message(imv_attestation, connection_id, - FALSE, 0, TNC_IMCID_ANY, - pa_tnc_msg->get_encoding(pa_tnc_msg)); - - pa_tnc_msg->destroy(pa_tnc_msg); + FALSE, 0, TNC_IMCID_ANY, attr_list); attr_list->destroy(attr_list); - return result; } attr_list->destroy(attr_list); @@ -360,7 +330,7 @@ static TNC_Result receive_message(TNC_IMVID imv_id, TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, TNC_IMV_EVALUATION_RESULT_ERROR); return imv_attestation->provide_recommendation(imv_attestation, - connection_id); + connection_id, src_imc_id); } if (attestation_state->get_handshake_state(attestation_state) == @@ -372,12 +342,6 @@ static TNC_Result receive_message(TNC_IMVID imv_id, attestation_state->get_file_meas_request_count(attestation_state)); attestation_state->set_measurement_error(attestation_state); } - if (attestation_state->get_component_count(attestation_state)) - { - DBG1(DBG_IMV, "failure due to %d components waiting for evidence", - attestation_state->get_component_count(attestation_state)); - attestation_state->set_measurement_error(attestation_state); - } if (attestation_state->get_measurement_error(attestation_state)) { state->set_recommendation(state, 
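Review bot: `attr_list` is leaked on the fatal path: the list is still live at `return imv_attestation->provide_recommendation(imv_attestation, connection_id, src_imc_id);` (the statement right after the branch calls `attr_list->get_count()`), and nothing destroys it before the return. Add `attr_list->destroy(attr_list);` immediately before that return; since any attributes queued in it are dropped unsent, destroying them together with the list (the `destroy_offset` form used elsewhere in this plugin) is probably what is wanted, so check how the list is freed on the normal path. The `if` that opens this branch starts outside the hunk.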
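Review bot: Removing the "components waiting for evidence" check leaves no error path in the END state for component evidence that never arrives: the only remaining gate is `components_finalized()` in imv_attestation_build's EVID_FINAL state, which merely keeps the handshake from reaching END, and `finalize_components()` is invoked from the TPM Quote path. An IMC that answers the file measurement requests but withholds the quote therefore never triggers `set_measurement_error()` here, and the outcome depends on what TNC_IMV_SolicitRecommendation does with a state that never reached END — worth confirming that is not COMPLIANT. A comment at this spot, `/* outstanding component evidence is tracked by components_finalized(); a missing quote keeps the state out of END */`, would record the intent.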
@@ -391,7 +355,7 @@ static TNC_Result receive_message(TNC_IMVID imv_id, TNC_IMV_EVALUATION_RESULT_COMPLIANT); } return imv_attestation->provide_recommendation(imv_attestation, - connection_id); + connection_id, src_imc_id); } return result; @@ -446,7 +410,7 @@ TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id, return TNC_RESULT_NOT_INITIALIZED; } return imv_attestation->provide_recommendation(imv_attestation, - connection_id); + connection_id, TNC_IMCID_ANY); } /** diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.c b/src/libpts/plugins/imv_attestation/imv_attestation_build.c index 4f2cc1e95..23195d6e3 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_build.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Sansar Choinyambuu + * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -16,7 +16,6 @@ #include "imv_attestation_build.h" #include "imv_attestation_state.h" -#include <libpts.h> #include <tcg/tcg_pts_attr_proto_caps.h> #include <tcg/tcg_pts_attr_meas_algo.h> #include <tcg/tcg_pts_attr_dh_nonce_params_req.h> @@ -198,7 +197,13 @@ bool imv_attestation_build(linked_list_t *attr_list, attr_list->insert_last(attr_list, attr); } enumerator->destroy(enumerator); - break; + + /* do we have any file metadata or measurement requests? */ + if (attr_list->get_count(attr_list)) + { + break; + } + /* fall through to next state */ } case IMV_ATTESTATION_STATE_COMP_EVID: { 
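Review bot: The new fall-through in the FILE_MEAS case decides "no requests were added" by testing `attr_list->get_count(attr_list)` on the whole list, which is only correct if imv_attestation_build() is always entered with an empty list; the caller is outside the hunk, so that precondition should be stated on the function, e.g. `/* attr_list must be empty on entry: the FILE_MEAS case falls through when no request was added */`. If a caller ever passes a list that already holds attributes, the fall-through into COMP_EVID would be skipped and the connection would sit in the file-measurement state. The `/* fall through to next state */` marker itself is the right way to annotate this.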
@@ -252,15 +257,15 @@ bool imv_attestation_build(linked_list_t *attr_list, comp_name = pts_comp_func_name_create(vid, name, qualifier); comp_name->log(comp_name, " "); - comp = pts_components->create(pts_components, comp_name, - depth, pts_db); + comp = attestation_state->create_component(attestation_state, + comp_name, depth, pts_db); if (!comp) { - DBG2(DBG_IMV, " not registered: removed from request"); + DBG2(DBG_IMV, " not registered or duplicate" + " - removed from request"); comp_name->destroy(comp_name); continue; } - attestation_state->add_component(attestation_state, comp); if (first_component) { attr = tcg_pts_attr_req_func_comp_evid_create(); @@ -290,8 +295,11 @@ bool imv_attestation_build(linked_list_t *attr_list, break; } case IMV_ATTESTATION_STATE_EVID_FINAL: - attestation_state->set_handshake_state(attestation_state, + if (attestation_state->components_finalized(attestation_state)) + { + attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_END); + } break; case IMV_ATTESTATION_STATE_END: break; diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c index a742b6697..37e9ac77a 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Sansar Choinyambuu + * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -41,11 +41,13 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, pts_database_t *pts_db, credential_manager_t *pts_credmgr) { + pen_type_t attr_type; pts_t *pts; - + pts = attestation_state->get_pts(attestation_state); - - switch (attr->get_type(attr)) + attr_type = attr->get_type(attr); + + switch (attr_type.type) { case TCG_PTS_PROTO_CAPS: { 
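Review bot: `switch (attr_type.type)` in imv_attestation_process compares only the type field, so the TCG_PTS_* cases are meaningful solely because receive_message has already filtered on `type.vendor_id == PEN_TCG`; that precondition is not stated in this function and a new caller could hand it an IETF attribute whose type number collides with a TCG one. Add `/* caller guarantees attr_type.vendor_id == PEN_TCG */` above the switch, or reject other vendors explicitly before it. The switch body continues outside the hunk.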
@@ -169,7 +171,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, KEY_ANY, aik->get_issuer(aik), FALSE); while (e->enumerate(e, &issuer)) { - if (aik->issued_by(aik, issuer)) + if (aik->issued_by(aik, issuer, NULL)) { trusted = TRUE; break; @@ -216,22 +218,29 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, DBG1(DBG_IMV, "measurement request %d returned %d file%s:", request_id, file_count, (file_count == 1) ? "":"s"); - if (!attestation_state->check_off_file_meas_request(attestation_state, - request_id, &file_id, &is_dir)) + if (request_id) { - DBG1(DBG_IMV, " no entry found for file measurement request %d", - request_id); - break; - } + if (!attestation_state->check_off_file_meas_request( + attestation_state, request_id, &file_id, &is_dir)) + { + DBG1(DBG_IMV, " no entry found for file measurement " + "request %d", request_id); + break; + } - /* check hashes from database against measurements */ - e_hash = pts_db->create_file_hash_enumerator(pts_db, - platform_info, algo, file_id, is_dir); - if (!measurements->verify(measurements, e_hash, is_dir)) + /* check hashes from database against measurements */ + e_hash = pts_db->create_file_hash_enumerator(pts_db, + platform_info, algo, file_id, is_dir); + if (!measurements->verify(measurements, e_hash, is_dir)) + { + attestation_state->set_measurement_error(attestation_state); + } + e_hash->destroy(e_hash); + } + else { - attestation_state->set_measurement_error(attestation_state); + measurements->check(measurements, pts_db, platform_info, algo); } - e_hash->destroy(e_hash); break; } case TCG_PTS_UNIX_FILE_META: 
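Review bot: The return value of `measurements->check(measurements, pts_db, platform_info, algo)` in the new `request_id == 0` branch is discarded, whereas the requested-measurement branch right above turns a failed `verify()` into `set_measurement_error()`. If check() reports missing or mismatching reference hashes through its return value (its declaration is not in this diff), an unsolicited measurement that does not match the database would still leave the connection COMPLIANT. Either `if (!measurements->check(measurements, pts_db, platform_info, algo)) { attestation_state->set_measurement_error(attestation_state); }`, or a comment stating why unsolicited results are informational only.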
@@ -276,34 +285,22 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, pts_comp_evidence_t *evidence; pts_component_t *comp; u_int32_t depth; - status_t status; attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr; evidence = attr_cast->get_comp_evidence(attr_cast); name = evidence->get_comp_func_name(evidence, &depth); - comp = attestation_state->check_off_component(attestation_state, name); + comp = attestation_state->get_component(attestation_state, name); if (!comp) { DBG1(DBG_IMV, " no entry found for component evidence request"); break; } - status = comp->verify(comp, pts, evidence); - - switch (status) + if (comp->verify(comp, name->get_qualifier(name), pts, + evidence) != SUCCESS) { - default: - case FAILED: - attestation_state->set_measurement_error(attestation_state); - comp->destroy(comp); - break; - case SUCCESS: - name->log(name, " successfully measured "); - comp->destroy(comp); - break; - case NEED_MORE: - /* re-enter component into list */ - attestation_state->add_component(attestation_state, comp); + attestation_state->set_measurement_error(attestation_state); + name->log(name, " measurement mismatch for "); } break; } @@ -353,8 +350,11 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, DBG2(DBG_IMV, "TPM Quote Info signature verification successful"); free(quote_info.ptr); - /* Finalize any pending measurement registrations */ - attestation_state->check_off_registrations(attestation_state); + /** + * Finalize any pending measurement registrations and check + * if all expected component measurements were received + */ + attestation_state->finalize_components(attestation_state); } if (attr_cast->get_evid_sig(attr_cast, &evid_sig)) diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c index a58fd3ec3..1dbc88309 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c 
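Review bot: Every non-SUCCESS return of `comp->verify()` is now logged as " measurement mismatch for " and counted as a measurement error, including the NEED_MORE outcome the removed code handled by re-queueing the component; if any registered component still returns NEED_MORE for multi-part evidence, it is now treated as a failed measurement. If that status is genuinely gone, say so where the result is tested: `/* verify() returns SUCCESS or FAILED; partial evidence is tracked inside the component */`; otherwise test `== FAILED` and let NEED_MORE fall through. Dropping the `comp->destroy(comp)` calls is right only if `get_component()` hands out a reference owned by the state, which the state.c hunks later in this diff suggest.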
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Sansar Choinyambuu + * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,21 +15,15 @@ #include "imv_attestation_state.h" +#include <libpts.h> + #include <utils/lexparser.h> #include <utils/linked_list.h> #include <debug.h> typedef struct private_imv_attestation_state_t private_imv_attestation_state_t; typedef struct file_meas_request_t file_meas_request_t; - -/** - * PTS File/Directory Measurement request entry - */ -struct file_meas_request_t { - u_int16_t id; - int file_id; - bool is_dir; -}; +typedef struct func_comp_t func_comp_t; /** * Private data of an imv_attestation_state_t object. @@ -62,6 +56,11 @@ struct private_imv_attestation_state_t { bool has_excl; /** + * Maximum PA-TNC message size for this TNCCS connection + */ + u_int32_t max_msg_len; + + /** * IMV Attestation handshake state */ imv_attestation_handshake_state_t handshake_state; @@ -103,6 +102,32 @@ struct private_imv_attestation_state_t { }; +/** + * PTS File/Directory Measurement request entry + */ +struct file_meas_request_t { + u_int16_t id; + int file_id; + bool is_dir; +}; + +/** + * PTS Functional Component entry + */ +struct func_comp_t { + pts_component_t *comp; + u_int8_t qualifier; +}; + +/** + * Frees a func_comp_t object + */ +static void free_func_comp(func_comp_t *this) +{ + this->comp->destroy(this->comp); + free(this); +} + typedef struct entry_t entry_t; /** 
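Review bot: `func_comp_t` pairs a component with a single qualifier, and the later create_component hunk shares one `pts_component_t` between several entries via `get_ref()`, so `free_func_comp()` relies on `comp->destroy()` being reference-counted to avoid freeing a component still held by another qualifier's entry. That assumption belongs on the struct: `/* comp may be shared by several entries (one per qualifier), each holding its own reference */`. A word on the second field would help too, e.g. `/* PTS component qualifier the evidence was requested with */` — the qualifier encoding itself is defined outside this file.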
@@ -150,6 +175,18 @@ METHOD(imv_state_t, set_flags, void, this->has_excl = has_excl; } +METHOD(imv_state_t, set_max_msg_len, void, + private_imv_attestation_state_t *this, u_int32_t max_msg_len) +{ + this->max_msg_len = max_msg_len; +} + +METHOD(imv_state_t, get_max_msg_len, u_int32_t, + private_imv_attestation_state_t *this) +{ + return this->max_msg_len; +} + METHOD(imv_state_t, change_state, void, private_imv_attestation_state_t *this, TNC_ConnectionState new_state) { @@ -220,8 +257,7 @@ METHOD(imv_state_t, destroy, void, private_imv_attestation_state_t *this) { this->file_meas_requests->destroy_function(this->file_meas_requests, free); - this->components->destroy_offset(this->components, - offsetof(pts_component_t, destroy)); + this->components->destroy_function(this->components, (void *)free_func_comp); this->pts->destroy(this->pts); free(this); } 
@@ -290,54 +326,74 @@ METHOD(imv_attestation_state_t, get_file_meas_request_count, int, return this->file_meas_requests->get_count(this->file_meas_requests); } -METHOD(imv_attestation_state_t, add_component, void, - private_imv_attestation_state_t *this, pts_component_t *entry) -{ - this->components->insert_last(this->components, entry); -} - -METHOD(imv_attestation_state_t, check_off_component, pts_component_t*, - private_imv_attestation_state_t *this, pts_comp_func_name_t *name) +METHOD(imv_attestation_state_t, create_component, pts_component_t*, + private_imv_attestation_state_t *this, pts_comp_func_name_t *name, + u_int32_t depth, pts_database_t *pts_db) { enumerator_t *enumerator; - pts_component_t *entry, *found = NULL; + func_comp_t *entry, *new_entry; + pts_component_t *component; + bool found = FALSE; enumerator = this->components->create_enumerator(this->components); while (enumerator->enumerate(enumerator, &entry)) { - if (name->equals(name, entry->get_comp_func_name(entry))) + if (name->equals(name, entry->comp->get_comp_func_name(entry->comp))) { - found = entry; - this->components->remove_at(this->components, enumerator); + found = TRUE; break; } } enumerator->destroy(enumerator); - return found; + + if (found) + { + if (name->get_qualifier(name) == entry->qualifier) + { + /* duplicate entry */ + return NULL; + } + new_entry = malloc_thing(func_comp_t); + new_entry->qualifier = name->get_qualifier(name); + new_entry->comp = entry->comp->get_ref(entry->comp); + this->components->insert_last(this->components, new_entry); + return entry->comp; + } + else + { + component = pts_components->create(pts_components, name, depth, pts_db); + if (!component) + { + /* unsupported component */ + return NULL; + } + new_entry = malloc_thing(func_comp_t); + new_entry->qualifier = name->get_qualifier(name); + new_entry->comp = component; + this->components->insert_last(this->components, new_entry); + return component; + } } -METHOD(imv_attestation_state_t, 
check_off_registrations, void, - private_imv_attestation_state_t *this) +METHOD(imv_attestation_state_t, get_component, pts_component_t*, + private_imv_attestation_state_t *this, pts_comp_func_name_t *name) { enumerator_t *enumerator; - pts_component_t *entry; + func_comp_t *entry; + pts_component_t *found = NULL; enumerator = this->components->create_enumerator(this->components); while (enumerator->enumerate(enumerator, &entry)) { - if (entry->check_off_registrations(entry)) + if (name->equals(name, entry->comp->get_comp_func_name(entry->comp)) && + name->get_qualifier(name) == entry->qualifier) { - this->components->remove_at(this->components, enumerator); - entry->destroy(entry); + found = entry->comp; + break; } } enumerator->destroy(enumerator); -} - -METHOD(imv_attestation_state_t, get_component_count, int, - private_imv_attestation_state_t *this) -{ - return this->components->get_count(this->components); + return found; } METHOD(imv_attestation_state_t, get_measurement_error, bool, @@ -352,6 +408,28 @@ METHOD(imv_attestation_state_t, set_measurement_error, void, this->measurement_error = TRUE; } +METHOD(imv_attestation_state_t, finalize_components, void, + private_imv_attestation_state_t *this) +{ + func_comp_t *entry; + + while (this->components->remove_last(this->components, + (void**)&entry) == SUCCESS) + { + if (!entry->comp->finalize(entry->comp, entry->qualifier)) + { + _set_measurement_error(this); + } + free_func_comp(entry); + } +} + +METHOD(imv_attestation_state_t, components_finalized, bool, + private_imv_attestation_state_t *this) +{ + return this->components->get_count(this->components) == 0; +} + /** * Described in header. */ 
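Review bot: The duplicate check in create_component() only inspects the first entry whose name matches, because the loop breaks there; once a component is registered under two qualifiers, a further request that repeats the second qualifier matches the first entry, sees a different qualifier and is inserted again, so the list can hold two entries for the same (name, qualifier) and finalize() runs twice for it. The loop should keep scanning: return NULL as soon as an entry with the same name and qualifier exists, and otherwise remember any same-name entry so its component can be shared. The `depth` argument is also ignored when an existing component is reused, so a request with a different sub-component depth silently gets the component created with the earlier depth. `pts_components` is a global not visible in this hunk.
```c
METHOD(imv_attestation_state_t, create_component, pts_component_t*,
	private_imv_attestation_state_t *this, pts_comp_func_name_t *name,
	u_int32_t depth, pts_database_t *pts_db)
{
	enumerator_t *enumerator;
	func_comp_t *entry, *new_entry;
	pts_component_t *shared = NULL, *component;
	u_int8_t qualifier = name->get_qualifier(name);

	/* reject an exact (name, qualifier) duplicate, but remember any
	 * same-name entry so that its component can be shared */
	enumerator = this->components->create_enumerator(this->components);
	while (enumerator->enumerate(enumerator, &entry))
	{
		if (!name->equals(name, entry->comp->get_comp_func_name(entry->comp)))
		{
			continue;
		}
		if (entry->qualifier == qualifier)
		{
			/* duplicate entry */
			enumerator->destroy(enumerator);
			return NULL;
		}
		shared = entry->comp;
	}
	enumerator->destroy(enumerator);

	if (shared)
	{
		component = shared->get_ref(shared);
	}
	else
	{
		component = pts_components->create(pts_components, name, depth, pts_db);
		if (!component)
		{
			/* unsupported component */
			return NULL;
		}
	}
	new_entry = malloc_thing(func_comp_t);
	new_entry->qualifier = qualifier;
	new_entry->comp = component;
	this->components->insert_last(this->components, new_entry);
	return component;
}
```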
@@ -367,6 +445,8 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id) .has_long = _has_long, .has_excl = _has_excl, .set_flags = _set_flags, + .set_max_msg_len = _set_max_msg_len, + .get_max_msg_len = _get_max_msg_len, .change_state = _change_state, .get_recommendation = _get_recommendation, .set_recommendation = _set_recommendation, @@ -379,10 +459,10 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id) .add_file_meas_request = _add_file_meas_request, .check_off_file_meas_request = _check_off_file_meas_request, .get_file_meas_request_count = _get_file_meas_request_count, - .add_component = _add_component, - .check_off_component = _check_off_component, - .check_off_registrations = _check_off_registrations, - .get_component_count = _get_component_count, + .create_component = _create_component, + .get_component = _get_component, + .finalize_components = _finalize_components, + .components_finalized = _components_finalized, .get_measurement_error = _get_measurement_error, .set_measurement_error = _set_measurement_error, }, diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h index 0e2c04da4..901d4b19d 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h +++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Sansar Choinyambuu + * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -24,6 +24,7 @@ #include <imv/imv_state.h> #include <pts/pts.h> +#include <pts/pts_database.h> #include <pts/components/pts_component.h> #include <library.h> 
@@ -105,32 +106,37 @@ struct imv_attestation_state_t { u_int16_t id, int *file_id, bool *is_dir); /** - * Add an entry to the list of Functional Components waiting for evidence + * Create and add an entry to the list of Functional Components * - * @param entry Functional Component + * @param name Component Functional Name + * @param depth Sub-component Depth + * @param pts_db PTS measurement database + * @return created functional component instance or NULL */ - void (*add_component)(imv_attestation_state_t *this, pts_component_t *entry); + pts_component_t* (*create_component)(imv_attestation_state_t *this, + pts_comp_func_name_t *name, + u_int32_t depth, + pts_database_t *pts_db); /** - * Returns the number of Functional Component waiting for evidence - * - * @return Number of waiting Functional Components - */ - int (*get_component_count)(imv_attestation_state_t *this); - - /** - * Check for presence of Functional Component and remove and return it + * Get a Functional Component with a given name * * @param name Name of the requested Functional Component * @return Functional Component if found, NULL otherwise */ - pts_component_t* (*check_off_component)(imv_attestation_state_t *this, - pts_comp_func_name_t *name); + pts_component_t* (*get_component)(imv_attestation_state_t *this, + pts_comp_func_name_t *name); /** * Tell the Functional Components to finalize any measurement registrations + * and to check if all expected measurements were received + */ + void (*finalize_components)(imv_attestation_state_t *this); + + /** + * Have the Functional Component measurements been finalized? */ - void (*check_off_registrations)(imv_attestation_state_t *this); + bool (*components_finalized)(imv_attestation_state_t *this); /** * Indicates if a file measurement error occurred diff --git a/src/libpts/plugins/imv_attestation/tables.sql b/src/libpts/plugins/imv_attestation/tables.sql index 703557a07..42553bef0 100644 --- a/src/libpts/plugins/imv_attestation/tables.sql 
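Review bot: The create_component() doc block says only `@return created functional component instance or NULL`, but the implementation returns NULL for two unrelated reasons — a duplicate (name, qualifier) registration and an unsupported component — and the returned pointer is owned by the state's component list, not the caller. Suggest `@return functional component (owned by this state, do not destroy), or NULL if the component is unsupported or already registered with this qualifier`. get_component() should likewise state that the pointer is borrowed and that `name` is matched on both functional name and qualifier, since a name match alone does not identify an entry.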
+++ b/src/libpts/plugins/imv_attestation/tables.sql @@ -6,6 +6,10 @@ CREATE TABLE files ( type INTEGER NOT NULL, path TEXT NOT NULL ); +DROP INDEX IF EXISTS files_path; +CREATE INDEX files_path ON files ( + path +); DROP TABLE IF EXISTS products; CREATE TABLE products ( @@ -31,6 +35,7 @@ CREATE TABLE file_hashes ( file INTEGER NOT NULL, directory INTEGER DEFAULT 0, product INTEGER NOT NULL, + key INTEGER DEFAULT 0, algo INTEGER NOT NULL, hash BLOB NOT NULL, PRIMARY KEY(file, directory, product, algo) |
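Review bot: The new `key INTEGER DEFAULT 0` column in file_hashes is not part of `PRIMARY KEY(file, directory, product, algo)`, so at most one reference hash can exist per file, product and algorithm regardless of `key`; if `key` is meant to distinguish alternative reference values, a second INSERT with a different key is rejected as a primary-key violation, and if it is not, its purpose deserves a comment. Either extend the constraint to `PRIMARY KEY(file, directory, product, key, algo)` or document what `key` selects. What `key` refers to is not visible in this change.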