diff options
| author | Yves-Alexis Perez <corsac@debian.org> | 2013-02-07 13:27:27 +0100 |
|---|---|---|
| committer | Yves-Alexis Perez <corsac@debian.org> | 2013-02-07 13:27:27 +0100 |
| commit | 7585facf05d927eb6df3929ce09ed5e60d905437 (patch) | |
| tree | e4d14b4dc180db20356b6b01ce0112f3a2d7897e /src/libpts/plugins | |
| parent | c1343b3278cdf99533b7902744d15969f9d6fdc1 (diff) | |
| download | vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.tar.gz vyos-strongswan-7585facf05d927eb6df3929ce09ed5e60d905437.zip | |
Imported Upstream version 5.0.2
Diffstat (limited to 'src/libpts/plugins')
20 files changed, 941 insertions, 420 deletions
diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in index 4734379bf..15028d677 100644 --- a/src/libpts/plugins/imc_attestation/Makefile.in +++ b/src/libpts/plugins/imc_attestation/Makefile.in @@ -1,9 +1,9 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. +# Makefile.in generated by automake 1.11.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } am__installdirs = "$(DESTDIR)$(imcvdir)" LTLIBRARIES = $(imcv_LTLIBRARIES) imc_attestation_la_DEPENDENCIES = \ @@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -149,6 +156,7 @@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ MYSQLCFLAG = @MYSQLCFLAG@ MYSQLCONFIG = @MYSQLCONFIG@ @@ -176,6 +184,7 @@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ @@ -241,7 +251,6 @@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ maemo_CFLAGS = @maemo_CFLAGS@ maemo_LIBS = @maemo_LIBS@ manager_plugins = @manager_plugins@ @@ -367,7 +376,7 @@ clean-imcvLTLIBRARIES: echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done -imc-attestation.la: $(imc_attestation_la_OBJECTS) $(imc_attestation_la_DEPENDENCIES) +imc-attestation.la: $(imc_attestation_la_OBJECTS) $(imc_attestation_la_DEPENDENCIES) $(EXTRA_imc_attestation_la_DEPENDENCIES) $(imc_attestation_la_LINK) -rpath $(imcvdir) $(imc_attestation_la_OBJECTS) $(imc_attestation_la_LIBADD) $(LIBS) mostlyclean-compile: @@ -506,10 +515,15 @@ install-am: all-am installcheck: installcheck-am install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi mostlyclean-generic: clean-generic: diff --git a/src/libpts/plugins/imc_attestation/imc_attestation.c b/src/libpts/plugins/imc_attestation/imc_attestation.c index 7cb2a0671..bb327e936 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation.c +++ b/src/libpts/plugins/imc_attestation/imc_attestation.c @@ -17,11 +17,13 @@ #include "imc_attestation_process.h" #include <imc/imc_agent.h> -#include <pa_tnc/pa_tnc_msg.h> +#include <imc/imc_msg.h> #include <ietf/ietf_attr.h> #include <ietf/ietf_attr_pa_tnc_error.h> #include <ietf/ietf_attr_product_info.h> +#include <ietf/ietf_attr_string_version.h> #include <ietf/ietf_attr_assess_result.h> +#include <os_info/os_info.h> #include <libpts.h> @@ -33,15 +35,16 @@ #include <tncif_pa_subtypes.h> #include <pen/pen.h> -#include <debug.h> -#include <utils/linked_list.h> +#include <utils/debug.h> +#include <collections/linked_list.h> /* IMC definitions */ static const char imc_name[] = "Attestation"; -#define IMC_VENDOR_ID PEN_TCG -#define IMC_SUBTYPE PA_SUBTYPE_TCG_PTS +static pen_type_t msg_types[] = { + { PEN_TCG, PA_SUBTYPE_TCG_PTS } +}; static imc_agent_t *imc_attestation; @@ -73,7 +76,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id, { return TNC_RESULT_FATAL; } - imc_attestation = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE, + imc_attestation = imc_agent_create(imc_name, msg_types, countof(msg_types), imc_id, actual_version); if (!imc_attestation) { @@ -81,7 +84,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id, } libpts_init(); - + if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1) { DBG1(DBG_IMC, "no common IF-IMC version"); @@ -135,94 +138,35 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id, TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id, TNC_ConnectionID connection_id) { - imc_state_t *state; - imc_attestation_state_t *attestation_state; - pts_t *pts; - char *platform_info; - TNC_Result result = TNC_RESULT_SUCCESS; - if (!imc_attestation) { DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); return TNC_RESULT_NOT_INITIALIZED; } - /* get current IMC state */ - if (!imc_attestation->get_state(imc_attestation, connection_id, &state)) - { - return TNC_RESULT_FATAL; - } - attestation_state = (imc_attestation_state_t*)state; - pts = attestation_state->get_pts(attestation_state); - - platform_info = pts->get_platform_info(pts); - if (platform_info) - { - linked_list_t *attr_list; - pa_tnc_attr_t *attr; - - attr_list = linked_list_create(); - attr = ietf_attr_product_info_create(0, 0, platform_info); - attr_list->insert_last(attr_list, attr); - result = imc_attestation->send_message(imc_attestation, connection_id, - FALSE, 0, TNC_IMVID_ANY, attr_list); - attr_list->destroy(attr_list); - } - - return result; + return TNC_RESULT_SUCCESS; } -static TNC_Result receive_message(TNC_IMCID imc_id, - TNC_ConnectionID connection_id, - TNC_UInt32 msg_flags, - chunk_t msg, - TNC_VendorID msg_vid, - TNC_MessageSubtype msg_subtype, - TNC_UInt32 src_imv_id, - TNC_UInt32 dst_imc_id) +static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) { - pa_tnc_msg_t *pa_tnc_msg; - pa_tnc_attr_t *attr; - pen_type_t type; - linked_list_t *attr_list; - imc_state_t *state; + imc_msg_t *out_msg; imc_attestation_state_t *attestation_state; enumerator_t *enumerator; + pa_tnc_attr_t *attr; + pen_type_t type; TNC_Result result; - TNC_UInt32 target_imc_id; - - if (!imc_attestation) - { - DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); - return TNC_RESULT_NOT_INITIALIZED; - } - - /* get current IMC state */ - if (!imc_attestation->get_state(imc_attestation, connection_id, &state)) - { - return TNC_RESULT_FATAL; - } - attestation_state = (imc_attestation_state_t*)state; - - /* parse received PA-TNC message and automatically handle any errors */ - result = imc_attestation->receive_message(imc_attestation, state, msg, - msg_vid, msg_subtype, src_imv_id, dst_imc_id, &pa_tnc_msg); + bool fatal_error = FALSE; - /* no parsed PA-TNC attributes available if an error occurred */ - if (!pa_tnc_msg) + /* parse received PA-TNC message and handle local and remote errors */ + result = in_msg->receive(in_msg, &fatal_error); + if (result != TNC_RESULT_SUCCESS) { return result; } - target_imc_id = (dst_imc_id == TNC_IMCID_ANY) ? imc_id : dst_imc_id; - - /* preprocess any IETF standard error attributes */ - result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ? - TNC_RESULT_FATAL : TNC_RESULT_SUCCESS; - - attr_list = linked_list_create(); + out_msg = imc_msg_create_as_reply(in_msg); /* analyze PA-TNC attributes */ - enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg); + enumerator = in_msg->create_attribute_enumerator(in_msg); while (enumerator->enumerate(enumerator, &attr)) { type = attr->get_type(attr); @@ -249,18 +193,12 @@ static TNC_Result receive_message(TNC_IMCID imc_id, result = TNC_RESULT_FATAL; } } - else if (type.type == IETF_ATTR_ASSESSMENT_RESULT) - { - ietf_attr_assess_result_t *ietf_attr; - - ietf_attr = (ietf_attr_assess_result_t*)attr; - state->set_result(state, target_imc_id, - ietf_attr->get_result(ietf_attr)); - } } else if (type.vendor_id == PEN_TCG) { - if (!imc_attestation_process(attr, attr_list, attestation_state, + attestation_state = (imc_attestation_state_t*)state; + + if (!imc_attestation_process(attr, out_msg, attestation_state, supported_algorithms, supported_dh_groups)) { result = TNC_RESULT_FATAL; @@ -269,14 +207,13 @@ static TNC_Result receive_message(TNC_IMCID imc_id, } } enumerator->destroy(enumerator); - pa_tnc_msg->destroy(pa_tnc_msg); - if (result == TNC_RESULT_SUCCESS && attr_list->get_count(attr_list)) + if (result == TNC_RESULT_SUCCESS) { - result = imc_attestation->send_message(imc_attestation, connection_id, - FALSE, 0, TNC_IMVID_ANY, attr_list); + /* send PA-TNC message with the excl flag set */ + result = out_msg->send(out_msg, TRUE); } - attr_list->destroy(attr_list); + out_msg->destroy(out_msg); return result; } @@ -290,14 +227,26 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id, TNC_UInt32 msg_len, TNC_MessageType msg_type) { - TNC_VendorID msg_vid; - TNC_MessageSubtype msg_subtype; + imc_state_t *state; + imc_msg_t *in_msg; + TNC_Result result; + + if (!imc_attestation) + { + DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); + return TNC_RESULT_NOT_INITIALIZED; + } + if (!imc_attestation->get_state(imc_attestation, connection_id, &state)) + { + return TNC_RESULT_FATAL; + } - msg_vid = msg_type >> 8; - msg_subtype = msg_type & TNC_SUBTYPE_ANY; + in_msg = imc_msg_create_from_data(imc_attestation, state, connection_id, + msg_type, chunk_create(msg, msg_len)); + result = receive_message(state, in_msg); + in_msg->destroy(in_msg); - return receive_message(imc_id, connection_id, 0, chunk_create(msg, msg_len), - msg_vid, msg_subtype, 0, TNC_IMCID_ANY); + return result; } /** @@ -313,9 +262,26 @@ TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id, TNC_UInt32 src_imv_id, TNC_UInt32 dst_imc_id) { - return receive_message(imc_id, connection_id, msg_flags, - chunk_create(msg, msg_len), msg_vid, msg_subtype, - src_imv_id, dst_imc_id); + imc_state_t *state; + imc_msg_t *in_msg; + TNC_Result result; + + if (!imc_attestation) + { + DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); + return TNC_RESULT_NOT_INITIALIZED; + } + if (!imc_attestation->get_state(imc_attestation, connection_id, &state)) + { + return TNC_RESULT_FATAL; + } + in_msg = imc_msg_create_from_long_data(imc_attestation, state, connection_id, + src_imv_id, dst_imc_id, msg_vid, msg_subtype, + chunk_create(msg, msg_len)); + result =receive_message(state, in_msg); + in_msg->destroy(in_msg); + + return result; } /** diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.c b/src/libpts/plugins/imc_attestation/imc_attestation_process.c index bd2fa649d..88d24dd88 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation_process.c +++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.c @@ -43,12 +43,12 @@ #include <tcg/tcg_pts_attr_req_file_meta.h> #include <tcg/tcg_pts_attr_unix_file_meta.h> -#include <debug.h> +#include <utils/debug.h> #include <utils/lexparser.h> #define DEFAULT_NONCE_LEN 20 -bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, +bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg, imc_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups) @@ -76,7 +76,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, /* Send PTS Protocol Capabilities attribute */ attr = tcg_pts_attr_proto_caps_create(imc_caps & imv_caps, FALSE); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } case TCG_PTS_MEAS_ALGO: @@ -91,14 +91,14 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (selected_algorithm == PTS_MEAS_ALGO_NONE) { attr = pts_hash_alg_error_create(supported_algorithms); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } /* Send Measurement Algorithm Selection attribute */ pts->set_meas_algorithm(pts, selected_algorithm); attr = tcg_pts_attr_meas_algo_create(selected_algorithm, TRUE); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } case TCG_PTS_DH_NONCE_PARAMS_REQ: @@ -118,7 +118,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, (min_nonce_len > 0 && nonce_len < min_nonce_len)) { attr = pts_dh_nonce_error_create(nonce_len, PTS_MAX_NONCE_LEN); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } @@ -128,7 +128,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (selected_dh_group == PTS_DH_GROUP_NONE) { attr = pts_dh_group_error_create(supported_dh_groups); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } @@ -142,7 +142,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, /* Send DH Nonce Parameters Response attribute */ attr = tcg_pts_attr_dh_nonce_params_resp_create(selected_dh_group, supported_algorithms, responder_nonce, responder_value); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } case TCG_PTS_DH_NONCE_FINISH: @@ -173,7 +173,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, "have differing lengths"); return FALSE; } - + pts->set_peer_public_value(pts, initiator_value, initiator_nonce); if (!pts->calculate_secret(pts)) { @@ -190,13 +190,13 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, { attr_info = attr->get_value(attr); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } /* Send TPM Version Info attribute */ attr = tcg_pts_attr_tpm_version_info_create(tpm_version_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } case TCG_PTS_GET_AIK: @@ -212,7 +212,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, /* Send AIK attribute */ attr = tcg_pts_attr_aik_create(aik); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } case TCG_PTS_REQ_FILE_MEAS: @@ -237,7 +237,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, { error_code = pen_type_create(PEN_TCG, pts_error); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } else if (!valid_path) @@ -250,7 +250,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, error_code = pen_type_create(PEN_TCG, TCG_PTS_INVALID_DELIMITER); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } @@ -268,7 +268,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, } attr = tcg_pts_attr_file_meas_create(measurements); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } case TCG_PTS_REQ_FILE_META: @@ -291,7 +291,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, { error_code = pen_type_create(PEN_TCG, pts_error); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } else if (!valid_path) @@ -303,7 +303,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, error_code = pen_type_create(PEN_TCG, TCG_PTS_INVALID_DELIMITER); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } /* Get File Metadata and send them to PTS-IMV */ @@ -319,8 +319,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, } attr = tcg_pts_attr_unix_file_meta_create(metadata); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); - + msg->add_attribute(msg, attr); break; } case TCG_PTS_REQ_FUNC_COMP_EVID: @@ -335,7 +334,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, u_int8_t flags; status_t status; enumerator_t *e; - + attr_info = attr->get_value(attr); attr_cast = (tcg_pts_attr_req_func_comp_evid_t*)attr; @@ -351,9 +350,9 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (flags & PTS_REQ_FUNC_COMP_EVID_TTC) { error_code = pen_type_create(PEN_TCG, - TCG_PTS_UNABLE_DET_TTC); + TCG_PTS_UNABLE_DET_TTC); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } if (flags & PTS_REQ_FUNC_COMP_EVID_VER && @@ -362,7 +361,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, error_code = pen_type_create(PEN_TCG, TCG_PTS_UNABLE_LOCAL_VAL); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } if (flags & PTS_REQ_FUNC_COMP_EVID_CURR && @@ -371,7 +370,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, error_code = pen_type_create(PEN_TCG, TCG_PTS_UNABLE_CUR_EVID); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } if (flags & PTS_REQ_FUNC_COMP_EVID_PCR && @@ -380,7 +379,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, error_code = pen_type_create(PEN_TCG, TCG_PTS_UNABLE_DET_PCR); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } if (depth > 0) @@ -425,7 +424,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, while (attestation_state->next_evidence(attestation_state, &evid)) { attr = tcg_pts_attr_simple_comp_evid_create(evid); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); } use_quote2 = lib->settings->get_bool(lib->settings, @@ -443,7 +442,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, attr = tcg_pts_attr_simple_evid_final_create(flags, comp_hash_algorithm, pcr_composite, quote_sig); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } /* TODO: Not implemented yet */ diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.h b/src/libpts/plugins/imc_attestation/imc_attestation_process.h index b6dca1f56..5ada104fa 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation_process.h +++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.h @@ -26,6 +26,7 @@ #include <library.h> +#include <imc/imc_msg.h> #include <pa_tnc/pa_tnc_attr.h> #include <pts/pts_dh_group.h> @@ -35,13 +36,13 @@ * Process a TCG PTS attribute * * @param attr PA-TNC attribute to be processed - * @param attr_list list with PA-TNC error attributes + * @param msg outbound PA-TNC message to be assembled * @param attestation_state attestation state of a given connection * @param supported_algorithms supported PTS measurement algorithms * @param supported_dh_groups supported DH groups * @return TRUE if successful */ -bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, +bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg, imc_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups); diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_state.c b/src/libpts/plugins/imc_attestation/imc_attestation_state.c index 8ebabafa2..4fcbdfa8a 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation_state.c +++ b/src/libpts/plugins/imc_attestation/imc_attestation_state.c @@ -19,8 +19,8 @@ #include <tncif_names.h> -#include <utils/linked_list.h> -#include <debug.h> +#include <collections/linked_list.h> +#include <utils/debug.h> typedef struct private_imc_attestation_state_t private_imc_attestation_state_t; typedef struct func_comp_t func_comp_t; @@ -129,8 +129,6 @@ METHOD(imc_state_t, set_result, void, private_imc_attestation_state_t *this, TNC_IMCID id, TNC_IMV_Evaluation_Result result) { - DBG1(DBG_IMC, "set assessment result for IMC %u to '%N'", - id, TNC_IMV_Evaluation_Result_names, result); this->result = result; } @@ -212,7 +210,6 @@ METHOD(imc_attestation_state_t, next_evidence, bool, imc_state_t *imc_attestation_state_create(TNC_ConnectionID connection_id) { private_imc_attestation_state_t *this; - char *platform_info; INIT(this, .public = { @@ -241,13 +238,6 @@ imc_state_t *imc_attestation_state_create(TNC_ConnectionID connection_id) .list = linked_list_create(), ); - platform_info = lib->settings->get_str(lib->settings, - "libimcv.plugins.imc-attestation.platform_info", NULL); - if (platform_info) - { - this->pts->set_platform_info(this->pts, platform_info); - } - return &this->public.interface; } diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in index afb4abed7..59ef5311e 100644 --- a/src/libpts/plugins/imv_attestation/Makefile.in +++ b/src/libpts/plugins/imv_attestation/Makefile.in @@ -1,9 +1,9 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. +# Makefile.in generated by automake 1.11.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } am__installdirs = "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)" LTLIBRARIES = $(imcv_LTLIBRARIES) imv_attestation_la_DEPENDENCIES = \ @@ -132,6 +138,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -159,6 +166,7 @@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ MYSQLCFLAG = @MYSQLCFLAG@ MYSQLCONFIG = @MYSQLCONFIG@ @@ -186,6 +194,7 @@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -198,6 +207,7 @@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ @@ -251,7 +261,6 @@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ maemo_CFLAGS = @maemo_CFLAGS@ maemo_LIBS = @maemo_LIBS@ manager_plugins = @manager_plugins@ @@ -393,7 +402,7 @@ clean-imcvLTLIBRARIES: echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done -imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENCIES) +imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENCIES) $(EXTRA_imv_attestation_la_DEPENDENCIES) $(imv_attestation_la_LINK) -rpath $(imcvdir) $(imv_attestation_la_OBJECTS) $(imv_attestation_la_LIBADD) $(LIBS) install-ipsecPROGRAMS: $(ipsec_PROGRAMS) @$(NORMAL_INSTALL) @@ -438,7 +447,7 @@ clean-ipsecPROGRAMS: list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list -attest$(EXEEXT): $(attest_OBJECTS) $(attest_DEPENDENCIES) +attest$(EXEEXT): $(attest_OBJECTS) $(attest_DEPENDENCIES) $(EXTRA_attest_DEPENDENCIES) @rm -f attest$(EXEEXT) $(LINK) $(attest_OBJECTS) $(attest_LDADD) $(LIBS) @@ -582,10 +591,15 @@ install-am: all-am installcheck: installcheck-am install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi mostlyclean-generic: clean-generic: diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c index a202d128f..1cdacaeeb 100644 --- a/src/libpts/plugins/imv_attestation/attest.c +++ b/src/libpts/plugins/imv_attestation/attest.c @@ -22,7 +22,7 @@ #include <syslog.h> #include <library.h> -#include <debug.h> +#include <utils/debug.h> #include <imcv.h> #include <libpts.h> @@ -99,9 +99,11 @@ static void do_args(int argc, char *argv[]) OP_USAGE, OP_KEYS, OP_COMPONENTS, + OP_DEVICES, OP_FILES, OP_HASHES, OP_MEASUREMENTS, + OP_PACKAGES, OP_PRODUCTS, OP_ADD, OP_DEL, @@ -117,8 +119,10 @@ static void do_args(int argc, char *argv[]) struct option long_opts[] = { { "help", no_argument, NULL, 'h' }, { "components", no_argument, NULL, 'c' }, + { "devices", no_argument, NULL, 'e' }, { "files", no_argument, NULL, 'f' }, { "keys", no_argument, NULL, 'k' }, + { "packages", no_argument, NULL, 'g' }, { "products", no_argument, NULL, 'p' }, { "hashes", no_argument, NULL, 'H' }, { "measurements", no_argument, NULL, 'm' }, @@ -126,12 +130,14 @@ static void do_args(int argc, char *argv[]) { "delete", no_argument, NULL, 'd' }, { "del", no_argument, NULL, 'd' }, { "aik", required_argument, NULL, 'A' }, + { "blacklist", no_argument, NULL, 'B' }, { "component", required_argument, NULL, 'C' }, { "comp", required_argument, NULL, 'C' }, { "directory", required_argument, NULL, 'D' }, { "dir", required_argument, NULL, 'D' }, { "file", required_argument, NULL, 'F' }, { "sha1-ima", no_argument, NULL, 'I' }, + { "package", required_argument, NULL, 'G' }, { "key", required_argument, NULL, 'K' }, { "owner", required_argument, NULL, 'O' }, { "product", required_argument, NULL, 'P' }, @@ -139,6 +145,9 @@ static void do_args(int argc, char *argv[]) { "rel", no_argument, NULL, 'R' }, { "sequence", required_argument, NULL, 'S' }, { "seq", required_argument, NULL, 'S' }, + { "utc", no_argument, NULL, 'U' }, + { "version", required_argument, NULL, 'V' }, + { "security", no_argument, NULL, 'Y' }, { "sha1", no_argument, NULL, '1' }, { "sha256", no_argument, NULL, '2' }, { "sha384", no_argument, NULL, '3' }, @@ -147,6 +156,7 @@ static void do_args(int argc, char *argv[]) { "pid", required_argument, NULL, '6' }, { "cid", required_argument, NULL, '7' }, { "kid", required_argument, NULL, '8' }, + { "gid", required_argument, NULL, '9' }, { 0,0,0,0 } }; @@ -161,9 +171,15 @@ static void do_args(int argc, char *argv[]) case 'c': op = OP_COMPONENTS; continue; + case 'e': + op = OP_DEVICES; + continue; case 'f': op = OP_FILES; continue; + case 'g': + op = OP_PACKAGES; + continue; case 'k': op = OP_KEYS; continue; @@ -219,6 +235,9 @@ static void do_args(int argc, char *argv[]) } continue; } + case 'B': + attest->set_security(attest, OS_PACKAGE_STATE_BLACKLIST); + continue; case 'C': if (!attest->set_component(attest, optarg, op == OP_ADD)) { @@ -237,6 +256,12 @@ static void do_args(int argc, char *argv[]) exit(EXIT_FAILURE); } continue; + case 'G': + if (!attest->set_package(attest, optarg, op == OP_ADD)) + { + exit(EXIT_FAILURE); + } + continue; case 'I': attest->set_algo(attest, PTS_MEAS_ALGO_SHA1_IMA); continue; @@ -266,6 +291,18 @@ static void do_args(int argc, char *argv[]) case 'S': attest->set_sequence(attest, atoi(optarg)); continue; + case 'U': + attest->set_utc(attest); + continue; + case 'V': + if (!attest->set_version(attest, optarg)) + { + exit(EXIT_FAILURE); + } + continue; + case 'Y': + attest->set_security(attest, OS_PACKAGE_STATE_SECURITY); + continue; case '1': attest->set_algo(attest, PTS_MEAS_ALGO_SHA1); continue; @@ -305,6 +342,12 @@ static void do_args(int argc, char *argv[]) exit(EXIT_FAILURE); } continue; + case '9': + if (!attest->set_gid(attest, atoi(optarg))) + { + exit(EXIT_FAILURE); + } + continue; } break; } @@ -314,6 +357,9 @@ static void do_args(int argc, char *argv[]) case OP_USAGE: usage(); break; + case OP_PACKAGES: + attest->list_packages(attest); + break; case OP_PRODUCTS: attest->list_products(attest); break; @@ -323,6 +369,9 @@ static void do_args(int argc, char *argv[]) case OP_COMPONENTS: attest->list_components(attest); break; + case OP_DEVICES: + attest->list_devices(attest); + break; case OP_FILES: attest->list_files(attest); break; diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c index 55afbf701..91e9766d0 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.c +++ b/src/libpts/plugins/imv_attestation/attest_db.c @@ -21,6 +21,7 @@ #include "pts/components/pts_comp_func_name.h" #include <libgen.h> +#include <time.h> #define IMA_MAX_NAME_LEN 255 @@ -97,6 +98,21 @@ struct private_attest_db_t { bool key_set; /** + * Software package to be queried + */ + char *package; + + /** + * Primary key of software package to be queried + */ + int gid; + + /** + * TRUE if package has been set + */ + bool package_set; + + /** * Software product to be queried */ char *product; @@ -112,11 +128,31 @@ struct private_attest_db_t { bool product_set; /** + * Software package version to be queried + */ + char *version; + + /** + * TRUE if version has been set + */ + bool version_set; + + /** * TRUE if relative filenames are to be used */ bool relative; /** + * TRUE if dates are to be displayed in UTC + */ + bool utc; + + /** + * Package security state + */ + os_package_state_t security; + + /** * Sequence number for ordering entries */ int seq_no; @@ -588,6 +624,96 @@ METHOD(attest_db_t, set_pid, bool, return this->product_set; } +METHOD(attest_db_t, set_package, bool, + private_attest_db_t *this, char *package, bool create) +{ + enumerator_t *e; + + if (this->package_set) + { + printf("package has already been set\n"); + return FALSE; + } + this->package = strdup(package); + + e = this->db->query(this->db, "SELECT id FROM packages WHERE name = ?", + DB_TEXT, package, DB_INT); + if (e) + { + if (e->enumerate(e, &this->gid)) + { + this->package_set = TRUE; + } + e->destroy(e); + } + if (this->package_set) + { + return TRUE; + } + + if (!create) + { + printf("package '%s' not found in database\n", package); + return FALSE; + } + + /* Add a new database entry */ + this->package_set = this->db->execute(this->db, &this->gid, + "INSERT INTO packages (name) VALUES (?)", + DB_TEXT, package) == 1; + + printf("package '%s' %sinserted into database\n", package, + this->package_set ? "" : "could not be "); + + return this->package_set; +} + +METHOD(attest_db_t, set_gid, bool, + private_attest_db_t *this, int gid) +{ + enumerator_t *e; + char *package; + + if (this->package_set) + { + printf("package has already been set\n"); + return FALSE; + } + this->gid = gid; + + e = this->db->query(this->db, "SELECT name FROM packages WHERE id = ?", + DB_UINT, gid, DB_TEXT); + if (e) + { + if (e->enumerate(e, &package)) + { + this->package = strdup(package); + this->package_set = TRUE; + } + else + { + printf("no package found with gid %d in database\n", gid); + } + e->destroy(e); + } + return this->package_set; +} + +METHOD(attest_db_t, set_version, bool, + private_attest_db_t *this, char *version) +{ + if (this->version_set) + { + printf("version has already been set\n"); + return FALSE; + } + this->version = strdup(version); + this->version_set = TRUE; + + return TRUE; +} + + METHOD(attest_db_t, set_algo, void, private_attest_db_t *this, pts_meas_algorithms_t algo) { @@ -600,6 +726,12 @@ METHOD(attest_db_t, set_relative, void, this->relative = TRUE; } +METHOD(attest_db_t, set_security, void, + private_attest_db_t *this, os_package_state_t security) +{ + this->security = security; +} + METHOD(attest_db_t, set_sequence, void, private_attest_db_t *this, int seq_no) { @@ -613,6 +745,12 @@ METHOD(attest_db_t, set_owner, void, this->owner = strdup(owner); } +METHOD(attest_db_t, set_utc, void, + private_attest_db_t *this) +{ + this->utc = TRUE; +} + METHOD(attest_db_t, list_components, void, private_attest_db_t *this) { @@ -663,6 +801,46 @@ METHOD(attest_db_t, list_components, void, } } +METHOD(attest_db_t, list_devices, void, + private_attest_db_t *this) +{ + enumerator_t *e; + chunk_t value; + char *product; + time_t timestamp; + int id, last_id = 0, device_count = 0; + int count, count_update, count_blacklist; + u_int tstamp, flags = 0; + + e = this->db->query(this->db, + "SELECT d.id, d.value, i.time, i.count, i.count_update, " + "i.count_blacklist, i.flags, p.name FROM devices AS d " + "JOIN device_infos AS i ON d.id = i.device " + "JOIN products AS p ON p.id = i.product " + "ORDER BY d.value, i.time DESC", + DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, DB_TEXT); + + if (e) + { + while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update, + &count_blacklist, &flags, &product)) + { + if (id != last_id) + { + printf("%4d: %.*s\n", id, (int)value.len, value.ptr); + device_count++; + last_id = id; + } + timestamp = tstamp; + printf(" %T, %4d, %3d, %3d, %1u, '%s'\n", ×tamp, this->utc, + count, count_update, count_blacklist, flags, product); + } + e->destroy(e); + printf("%d device%s found\n", device_count, + (device_count == 1) ? "" : "s"); + } +} + METHOD(attest_db_t, list_keys, void, private_attest_db_t *this) { @@ -765,6 +943,70 @@ METHOD(attest_db_t, list_files, void, printf("\n"); } +METHOD(attest_db_t, list_packages, void, + private_attest_db_t *this) +{ + enumerator_t *e; + char *package, *version; + os_package_state_t security; + int gid, gid_old = 0, spaces, count = 0; + time_t t; + + if (this->pid) + { + e = this->db->query(this->db, + "SELECT p.id, p.name, v.release, v.security, v.time " + "FROM packages AS p JOIN versions AS v ON v.package = p.id " + "WHERE v.product = ? ORDER BY p.name, v.release", + DB_INT, this->pid, DB_INT, DB_TEXT, DB_TEXT, DB_INT, DB_INT); + if (e) + { + while (e->enumerate(e, &gid, &package, &version, &security, &t)) + { + if (gid != gid_old) + { + printf("%5d: %s,", gid, package); + gid_old = gid; + } + else + { + spaces = 8 + strlen(package); + while (spaces--) + { + printf(" "); + } + } + printf(" %T (%s)%N\n", &t, this->utc, version, + os_package_state_names, security); + count++; + } + e->destroy(e); + } + } + else + { + e = this->db->query(this->db, "SELECT id, name FROM packages " + "ORDER BY name", + DB_INT, DB_TEXT); + if (e) + { + while (e->enumerate(e, &gid, &package)) + { + printf("%4d: %s\n", gid, package); + count++; + } + e->destroy(e); + } + } + + printf("%d package%s found", count, (count == 1) ? "" : "s"); + if (this->product_set) + { + printf(" for product '%s'", this->product); + } + printf("\n"); +} + METHOD(attest_db_t, list_products, void, private_attest_db_t *this) { @@ -858,7 +1100,7 @@ METHOD(attest_db_t, list_hashes, void, dir = strdup(""); - if (this->pid && this->fid) + if (this->pid && this->fid & this->did) { e = this->db->query(this->db, "SELECT hash FROM file_hashes " @@ -885,6 +1127,32 @@ METHOD(attest_db_t, list_hashes, void, (count == 1) ? "" : "s", this->product); } } + else if (this->pid && this->fid) + { + e = this->db->query(this->db, + "SELECT f.path, fh.hash FROM file_hashes AS fh " + "JOIN files AS f ON f.id = fh.file " + "WHERE algo = ? AND file = ? AND product = ?", + DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->pid, + DB_TEXT, DB_BLOB); + if (e) + { + free(dir); + while (e->enumerate(e, &dir, &hash)) + { + printf("%4d: %s%s%s\n", this->fid, dir, + slash(dir, this->file) ? "/" : "", this->file); + printf(" %#B\n", &hash); + count++; + } + e->destroy(e); + + printf("%d %N value%s found for product '%s'\n", count, + pts_meas_algorithm_names, this->algo, + (count == 1) ? "" : "s", this->product); + dir = NULL; + } + } else if (this->pid) { e = this->db->query(this->db, @@ -1089,7 +1357,7 @@ METHOD(attest_db_t, list_measurements, void, bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo, chunk_t measurement, int fid, int did, bool ima, - int *hashes_added) + int *hashes_added, int *hashes_updated) { enumerator_t *e; chunk_t hash; @@ -1108,8 +1376,22 @@ bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo, } if (e->enumerate(e, &hash)) { - label = chunk_equals(measurement, hash) ? - "exists and equals" : "exists and differs"; + if (chunk_equals(measurement, hash)) + { + label = "exists and equals"; + } + else + { + if (this->db->execute(this->db, NULL, + "UPDATE file_hashes SET hash = ? WHERE algo = ? " + "AND file = ? AND directory = ? AND product = ? and key = 0", + DB_BLOB, measurement, DB_INT, algo, DB_UINT, fid, DB_UINT, did, + DB_UINT, this->pid) == 1) + { + label = "updated"; + (*hashes_updated)++; + } + } } else { @@ -1161,7 +1443,8 @@ METHOD(attest_db_t, add, bool, hasher_t *hasher = NULL; bool ima = FALSE; int fid, did; - int files_added = 0, hashes_added = 0, ima_hashes_added = 0; + int files_added = 0, hashes_added = 0, hashes_updated = 0; + int ima_hashes_added = 0, ima_hashes_updated = 0; enumerator_t *enumerator, *e; if (this->algo == PTS_MEAS_ALGO_SHA1_IMA) @@ -1225,7 +1508,8 @@ METHOD(attest_db_t, add, bool, /* compute file measurement hash */ if (!insert_file_hash(this, this->algo, measurement, - fid, did, FALSE, &hashes_added)) + fid, did, FALSE, + &hashes_added, &hashes_updated)) { break; } @@ -1246,25 +1530,49 @@ METHOD(attest_db_t, add, bool, break; } if (!insert_file_hash(this, PTS_MEAS_ALGO_SHA1_IMA, measurement, - fid, did, TRUE, &ima_hashes_added)) + fid, did, TRUE, + &ima_hashes_added, &ima_hashes_updated)) { break; } } enumerator->destroy(enumerator); - printf("%d measurements, added %d new files, %d new file hashes", - measurements->get_file_count(measurements), - files_added, hashes_added); + printf("%d measurements, added %d new files, %d file hashes", + measurements->get_file_count(measurements), files_added, + hashes_added); if (ima) { - printf(" , %d new ima hashes", ima_hashes_added); + printf(", %d ima hashes", ima_hashes_added); hasher->destroy(hasher); } + printf(", updated %d file hashes", hashes_updated); + if (ima) + { + printf(", %d ima hashes", ima_hashes_updated); + } printf("\n"); measurements->destroy(measurements); success = TRUE; } + + /* insert package version */ + if (this->version_set && this->gid && this->pid) + { + time_t t = time(NULL); + + success = this->db->execute(this->db, NULL, + "INSERT INTO versions " + "(package, product, release, security, time) " + "VALUES (?, ?, ?, ?, ?)", + DB_UINT, this->gid, DB_UINT, this->pid, DB_TEXT, + this->version, DB_UINT, this->security, DB_INT, t) == 1; + + printf("'%s' package %s (%s)%N %sinserted into database\n", + this->product, this->package, this->version, + os_package_state_names, this->security, + success ? "" : "could not be "); + } return success; } @@ -1384,7 +1692,9 @@ METHOD(attest_db_t, destroy, void, { DESTROY_IF(this->db); DESTROY_IF(this->cfn); + free(this->package); free(this->product); + free(this->version); free(this->file); free(this->dir); free(this->owner); @@ -1409,15 +1719,22 @@ attest_db_t *attest_db_create(char *uri) .set_fid = _set_fid, .set_key = _set_key, .set_kid = _set_kid, + .set_package = _set_package, + .set_gid = _set_gid, .set_product = _set_product, .set_pid = _set_pid, + .set_version = _set_version, .set_algo = _set_algo, .set_relative = _set_relative, + .set_security = _set_security, .set_sequence = _set_sequence, .set_owner = _set_owner, + .set_utc = _set_utc, + .list_packages = _list_packages, .list_products = _list_products, .list_files = _list_files, .list_components = _list_components, + .list_devices = _list_devices, .list_keys = _list_keys, .list_hashes = _list_hashes, .list_measurements = _list_measurements, diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h index e32a368d8..e2297d0c4 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.h +++ b/src/libpts/plugins/imv_attestation/attest_db.h @@ -23,7 +23,7 @@ #define ATTEST_DB_H_ #include <pts/pts_meas_algo.h> - +#include <os_info/os_info.h> #include <library.h> typedef struct attest_db_t attest_db_t; @@ -102,6 +102,23 @@ struct attest_db_t { bool (*set_kid)(attest_db_t *this, int kid); /** + * Set software package to be queried + * + * @param product software package + * @param create if TRUE create database entry if it doesn't exist + * @return TRUE if successful + */ + bool (*set_package)(attest_db_t *this, char *package, bool create); + + /** + * Set primary key of the software package to be queried + * + * @param gid primary key of software package + * @return TRUE if successful + */ + bool (*set_gid)(attest_db_t *this, int gid); + + /** * Set software product to be queried * * @param product software product @@ -119,6 +136,14 @@ struct attest_db_t { bool (*set_pid)(attest_db_t *this, int pid); /** + * Set software package version to be queried + * + * @param version software package version + * @return TRUE if successful + */ + bool (*set_version)(attest_db_t *this, char *version); + + /** * Set measurement hash algorithm * * @param algo hash algorithm @@ -136,6 +161,11 @@ struct attest_db_t { void (*set_relative)(attest_db_t *this); /** + * Set the package security state + */ + void (*set_security)(attest_db_t *this, os_package_state_t security); + + /** * Set the sequence number */ void (*set_sequence)(attest_db_t *this, int seq_no); @@ -149,6 +179,16 @@ struct attest_db_t { void (*set_owner)(attest_db_t *this, char *owner); /** + * Display all dates in UTC + */ + void (*set_utc)(attest_db_t *this); + + /** + * List all packages stored in the database + */ + void (*list_packages)(attest_db_t *this); + + /** * List all products stored in the database */ void (*list_products)(attest_db_t *this); @@ -164,6 +204,11 @@ struct attest_db_t { void (*list_components)(attest_db_t *this); /** + * List all devices stored in the database + */ + void (*list_devices)(attest_db_t *this); + + /** * List all AIKs stored in the database */ void (*list_keys)(attest_db_t *this); diff --git a/src/libpts/plugins/imv_attestation/attest_usage.c b/src/libpts/plugins/imv_attestation/attest_usage.c index f7040f7ad..324fcafc3 100644 --- a/src/libpts/plugins/imv_attestation/attest_usage.c +++ b/src/libpts/plugins/imv_attestation/attest_usage.c @@ -24,16 +24,19 @@ void usage(void) { printf("\ Usage:\n\ - ipsec attest --files|--products|--keys|--hashes [options]\n\ + ipsec attest --components|--devices|--files|--hashes|--keys [options]\n\ \n\ - ipsec attest --components|-keys|--measurements|--add|--del [options]\n\ + ipsec attest --measurements|--packages|--products|--add|--del [options]\n\ \n\ - ipsec attest --files [--product <name>|--pid <id>]\n\ - Show a list of files with a software product name or\n\ + ipsec attest --components [--key <digest>|--kid <id>]\n\ + Show a list of components with an AIK digest or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --products [--file <path>|--fid <id>]\n\ - Show a list of supported software products with a file path or\n\ + ipsec attest --devices [--utc]\n\ + Show a list of registered devices and associated collected information\n\ + \n\ + ipsec attest --files [--product <name>|--pid <id>]\n\ + Show a list of files with a software product name or\n\ its primary key as an optional selector.\n\ \n\ ipsec attest --hashes [--sha1|--sha256|--sha384] [--product <name>|--pid <id>]\n\ @@ -44,10 +47,6 @@ Usage:\n\ Show a list of measurement hashes for a given file or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --components [--key <digest>|--kid <id>]\n\ - Show a list of components with an AIK digest or\n\ - its primary key as an optional selector.\n\ - \n\ ipsec attest --keys [--components <cfn>|--cid <id>]\n\ Show a list of AIK key digests with a component or\n\ its primary key as an optional selector.\n\ @@ -60,6 +59,14 @@ Usage:\n\ Show a list of component measurements for a given AIK or\n\ its primary key as an optional selector.\n\ \n\ + ipsec attest --packages [--product <name>|--pid <id>] [--utc]\n\ + Show a list of software packages for a given product or\n\ + its primary key as an optional selector.\n\ + \n\ + ipsec attest --products [--file <path>|--fid <id>]\n\ + Show a list of supported software products with a file path or\n\ + its primary key as an optional selector.\n\ + \n\ ipsec attest --add --file <path>|--dir <path>|--product <name>|--component <cfn>\n\ Add a file, directory, product or component entry\n\ Component <cfn> entries must be of the form <vendor_id>/<name>-<qualifier>\n\ @@ -74,6 +81,10 @@ Usage:\n\ ipsec attest --add --key <digest|--kid <id> --component <cfn>|--cid <id> --sequence <no>|--seq <no>\n\ Add an ordered key/component entry\n\ \n\ + ipsec attest --add --package <name> --version <string> [--security|--blacklist]\n\ + [--product <name>|--pid <id>]\n\ + Add a package version for a given product optionally with security or blacklist flag\n\ + \n\ ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\ Delete a file or directory entry referenced either by value or primary key\n\ \n\ diff --git a/src/libpts/plugins/imv_attestation/build-database.sh b/src/libpts/plugins/imv_attestation/build-database.sh index a89258e1d..be1024de0 100755 --- a/src/libpts/plugins/imv_attestation/build-database.sh +++ b/src/libpts/plugins/imv_attestation/build-database.sh @@ -1,6 +1,6 @@ #!/bin/sh -p="Ubuntu 12.04.1 LTS i686" +p="Ubuntu 12.04 i686" ipsec attest --add --product "$p" --sha1-ima --dir /sbin ipsec attest --add --product "$p" --sha1-ima --dir /usr/sbin diff --git a/src/libpts/plugins/imv_attestation/data.sql b/src/libpts/plugins/imv_attestation/data.sql index b1646b724..60c312e30 100644 --- a/src/libpts/plugins/imv_attestation/data.sql +++ b/src/libpts/plugins/imv_attestation/data.sql @@ -51,7 +51,7 @@ INSERT INTO products ( INSERT INTO products ( name ) VALUES ( - 'Ubuntu 12.04.1 LTS i686' + 'Ubuntu 12.04 i686' ); /* Files */ diff --git a/src/libpts/plugins/imv_attestation/imv_attestation.c b/src/libpts/plugins/imv_attestation/imv_attestation.c index 201496e8a..3c5488eba 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation.c @@ -18,10 +18,11 @@ #include "imv_attestation_build.h" #include <imv/imv_agent.h> -#include <pa_tnc/pa_tnc_msg.h> +#include <imv/imv_msg.h> #include <ietf/ietf_attr.h> #include <ietf/ietf_attr_pa_tnc_error.h> #include <ietf/ietf_attr_product_info.h> +#include <ietf/ietf_attr_string_version.h> #include <libpts.h> @@ -34,16 +35,18 @@ #include <tncif_pa_subtypes.h> #include <pen/pen.h> -#include <debug.h> +#include <utils/debug.h> #include <credentials/credential_manager.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> /* IMV definitions */ static const char imv_name[] = "Attestation"; -#define IMV_VENDOR_ID PEN_TCG -#define IMV_SUBTYPE PA_SUBTYPE_TCG_PTS +static pen_type_t msg_types[] = { + { PEN_TCG, PA_SUBTYPE_TCG_PTS }, + { PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM } +}; static imv_agent_t *imv_attestation; @@ -92,7 +95,7 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, { return TNC_RESULT_FATAL; } - imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE, + imv_attestation = imv_agent_create(imv_name, msg_types, countof(msg_types), imv_id, actual_version); if (!imv_attestation) { @@ -100,7 +103,7 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, } libpts_init(); - + if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1) { DBG1(DBG_IMV, "no common IF-IMV version"); @@ -166,133 +169,106 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id, } } -static TNC_Result send_message(TNC_ConnectionID connection_id) +static TNC_Result send_message(imv_state_t *state, imv_msg_t *out_msg) { - linked_list_t *attr_list; - imv_state_t *state; imv_attestation_state_t *attestation_state; TNC_Result result; - if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) - { - return TNC_RESULT_FATAL; - } attestation_state = (imv_attestation_state_t*)state; - attr_list = linked_list_create(); - if (imv_attestation_build(attr_list, attestation_state, supported_algorithms, + if (imv_attestation_build(out_msg, attestation_state, supported_algorithms, supported_dh_groups, pts_db)) { - if (attr_list->get_count(attr_list)) - { - result = imv_attestation->send_message(imv_attestation, - connection_id, FALSE, 0, TNC_IMCID_ANY, attr_list); - } - else - { - result = TNC_RESULT_SUCCESS; - } - attr_list->destroy(attr_list); + result = out_msg->send(out_msg, TRUE); } else { - attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy)); result = TNC_RESULT_FATAL; } return result; } -static TNC_Result receive_message(TNC_IMVID imv_id, - TNC_ConnectionID connection_id, - TNC_UInt32 msg_flags, - chunk_t msg, - TNC_VendorID msg_vid, - TNC_MessageSubtype msg_subtype, - TNC_UInt32 src_imc_id, - TNC_UInt32 dst_imv_id) +static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg) { - pa_tnc_msg_t *pa_tnc_msg; - pa_tnc_attr_t *attr; - pen_type_t type; - linked_list_t *attr_list; - imv_state_t *state; imv_attestation_state_t *attestation_state; - pts_t *pts; + imv_msg_t *out_msg; enumerator_t *enumerator; + pa_tnc_attr_t *attr; + pen_type_t type; TNC_Result result; + pts_t *pts; + chunk_t os_name = chunk_empty; + chunk_t os_version = chunk_empty; + bool fatal_error = FALSE; - if (!imv_attestation) + /* parse received PA-TNC message and handle local and remote errors */ + result = in_msg->receive(in_msg, &fatal_error); + if (result != TNC_RESULT_SUCCESS) { - DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); - return TNC_RESULT_NOT_INITIALIZED; + return result; } - /* get current IMV state */ - if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) - { - return TNC_RESULT_FATAL; - } attestation_state = (imv_attestation_state_t*)state; pts = attestation_state->get_pts(attestation_state); - /* parse received PA-TNC message and automatically handle any errors */ - result = imv_attestation->receive_message(imv_attestation, state, msg, - msg_vid, msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg); - - /* no parsed PA-TNC attributes available if an error occurred */ - if (!pa_tnc_msg) - { - return result; - } - - /* preprocess any IETF standard error attributes */ - result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ? - TNC_RESULT_FATAL : TNC_RESULT_SUCCESS; - - attr_list = linked_list_create(); + out_msg = imv_msg_create_as_reply(in_msg); + out_msg->set_msg_type(out_msg, msg_types[0]); /* analyze PA-TNC attributes */ - enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg); + enumerator = in_msg->create_attribute_enumerator(in_msg); while (enumerator->enumerate(enumerator, &attr)) { type = attr->get_type(attr); if (type.vendor_id == PEN_IETF) { - if (type.type == IETF_ATTR_PA_TNC_ERROR) + switch (type.type) { - ietf_attr_pa_tnc_error_t *error_attr; - pen_type_t error_code; - chunk_t msg_info; + case IETF_ATTR_PA_TNC_ERROR: + { + ietf_attr_pa_tnc_error_t *error_attr; + pen_type_t error_code; + chunk_t msg_info; - error_attr = (ietf_attr_pa_tnc_error_t*)attr; - error_code = error_attr->get_error_code(error_attr); + error_attr = (ietf_attr_pa_tnc_error_t*)attr; + error_code = error_attr->get_error_code(error_attr); - if (error_code.vendor_id == PEN_TCG) - { - msg_info = error_attr->get_msg_info(error_attr); + if (error_code.vendor_id == PEN_TCG) + { + msg_info = error_attr->get_msg_info(error_attr); - DBG1(DBG_IMV, "received TCG-PTS error '%N'", - pts_error_code_names, error_code.type); - DBG1(DBG_IMV, "error information: %B", &msg_info); + DBG1(DBG_IMV, "received TCG-PTS error '%N'", + pts_error_code_names, error_code.type); + DBG1(DBG_IMV, "error information: %B", &msg_info); - result = TNC_RESULT_FATAL; + result = TNC_RESULT_FATAL; + } + break; } - } - else if (type.type == IETF_ATTR_PRODUCT_INFORMATION) - { - ietf_attr_product_info_t *attr_cast; - char *platform_info; + case IETF_ATTR_PRODUCT_INFORMATION: + { + ietf_attr_product_info_t *attr_cast; - attr_cast = (ietf_attr_product_info_t*)attr; - platform_info = attr_cast->get_info(attr_cast, NULL, NULL); - pts->set_platform_info(pts, platform_info); + attr_cast = (ietf_attr_product_info_t*)attr; + os_name = attr_cast->get_info(attr_cast, NULL, NULL); + break; + } + case IETF_ATTR_STRING_VERSION: + { + ietf_attr_string_version_t *attr_cast; + + attr_cast = (ietf_attr_string_version_t*)attr; + os_version = attr_cast->get_version(attr_cast, NULL, NULL); + break; + } + default: + break; } } else if (type.vendor_id == PEN_TCG) { - if (!imv_attestation_process(attr, attr_list, attestation_state, + if (!imv_attestation_process(attr, out_msg, attestation_state, supported_algorithms,supported_dh_groups, pts_db, pts_credmgr)) { result = TNC_RESULT_FATAL; @@ -301,36 +277,50 @@ static TNC_Result receive_message(TNC_IMVID imv_id, } } enumerator->destroy(enumerator); - pa_tnc_msg->destroy(pa_tnc_msg); - if (result != TNC_RESULT_SUCCESS) + if (os_name.len && os_version.len) + { + pts->set_platform_info(pts, os_name, os_version); + } + + if (fatal_error || result != TNC_RESULT_SUCCESS) { - attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy)); state->set_recommendation(state, - TNC_IMV_ACTION_RECOMMENDATION_ISOLATE, + TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, TNC_IMV_EVALUATION_RESULT_ERROR); - return imv_attestation->provide_recommendation(imv_attestation, - connection_id, src_imc_id); + result = out_msg->send_assessment(out_msg); + out_msg->destroy(out_msg); + if (result != TNC_RESULT_SUCCESS) + { + return result; + } + return imv_attestation->provide_recommendation(imv_attestation, state); } - if (attr_list->get_count(attr_list)) + /* send PA-TNC message with excl flag set */ + result = out_msg->send(out_msg, TRUE); + + if (result != TNC_RESULT_SUCCESS) { - result = imv_attestation->send_message(imv_attestation, connection_id, - FALSE, 0, TNC_IMCID_ANY, attr_list); - attr_list->destroy(attr_list); + out_msg->destroy(out_msg); return result; } - attr_list->destroy(attr_list); /* check the IMV state for the next PA-TNC attributes to send */ - result = send_message(connection_id); + result = send_message(state, out_msg); + if (result != TNC_RESULT_SUCCESS) { state->set_recommendation(state, TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, TNC_IMV_EVALUATION_RESULT_ERROR); - return imv_attestation->provide_recommendation(imv_attestation, - connection_id, src_imc_id); + result = out_msg->send_assessment(out_msg); + out_msg->destroy(out_msg); + if (result != TNC_RESULT_SUCCESS) + { + return result; + } + return imv_attestation->provide_recommendation(imv_attestation, state); } if (attestation_state->get_handshake_state(attestation_state) == @@ -340,7 +330,8 @@ static TNC_Result receive_message(TNC_IMVID imv_id, { DBG1(DBG_IMV, "failure due to %d pending file measurements", attestation_state->get_file_meas_request_count(attestation_state)); - attestation_state->set_measurement_error(attestation_state); + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_FILE_MEAS_PEND); } if (attestation_state->get_measurement_error(attestation_state)) { @@ -354,9 +345,15 @@ static TNC_Result receive_message(TNC_IMVID imv_id, TNC_IMV_ACTION_RECOMMENDATION_ALLOW, TNC_IMV_EVALUATION_RESULT_COMPLIANT); } - return imv_attestation->provide_recommendation(imv_attestation, - connection_id, src_imc_id); + result = out_msg->send_assessment(out_msg); + out_msg->destroy(out_msg); + if (result != TNC_RESULT_SUCCESS) + { + return result; + } + return imv_attestation->provide_recommendation(imv_attestation, state); } + out_msg->destroy(out_msg); return result; } @@ -370,14 +367,25 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, TNC_UInt32 msg_len, TNC_MessageType msg_type) { - TNC_VendorID msg_vid; - TNC_MessageSubtype msg_subtype; + imv_state_t *state; + imv_msg_t *in_msg; + TNC_Result result; - msg_vid = msg_type >> 8; - msg_subtype = msg_type & TNC_SUBTYPE_ANY; + if (!imv_attestation) + { + DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); + return TNC_RESULT_NOT_INITIALIZED; + } + if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) + { + return TNC_RESULT_FATAL; + } + in_msg = imv_msg_create_from_data(imv_attestation, state, connection_id, + msg_type, chunk_create(msg, msg_len)); + result = receive_message(state, in_msg); + in_msg->destroy(in_msg); - return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len), - msg_vid, msg_subtype, 0, TNC_IMVID_ANY); + return result; } /** @@ -393,9 +401,26 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id, TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id) { - return receive_message(imv_id, connection_id, msg_flags, - chunk_create(msg, msg_len), msg_vid, msg_subtype, - src_imc_id, dst_imv_id); + imv_state_t *state; + imv_msg_t *in_msg; + TNC_Result result; + + if (!imv_attestation) + { + DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); + return TNC_RESULT_NOT_INITIALIZED; + } + if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) + { + return TNC_RESULT_FATAL; + } + in_msg = imv_msg_create_from_long_data(imv_attestation, state, connection_id, + src_imc_id, dst_imv_id, msg_vid, msg_subtype, + chunk_create(msg, msg_len)); + result =receive_message(state, in_msg); + in_msg->destroy(in_msg); + + return result; } /** @@ -404,13 +429,18 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id, TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id, TNC_ConnectionID connection_id) { + imv_state_t *state; + if (!imv_attestation) { DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); return TNC_RESULT_NOT_INITIALIZED; } - return imv_attestation->provide_recommendation(imv_attestation, - connection_id, TNC_IMCID_ANY); + if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) + { + return TNC_RESULT_FATAL; + } + return imv_attestation->provide_recommendation(imv_attestation, state); } /** @@ -419,27 +449,11 @@ TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id, TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id, TNC_ConnectionID connection_id) { - imv_state_t *state; - imv_attestation_state_t *attestation_state; - if (!imv_attestation) { DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); return TNC_RESULT_NOT_INITIALIZED; } - /* get current IMV state */ - if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) - { - return TNC_RESULT_FATAL; - } - attestation_state = (imv_attestation_state_t*)state; - - /* Check if IMV has to initiate the PA-TNC exchange */ - if (attestation_state->get_handshake_state(attestation_state) == - IMV_ATTESTATION_STATE_INIT) - { - return send_message(connection_id); - } return TNC_RESULT_SUCCESS; } diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.c b/src/libpts/plugins/imv_attestation/imv_attestation_build.c index 23195d6e3..b4feec7cd 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_build.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.c @@ -27,9 +27,9 @@ #include <tcg/tcg_pts_attr_req_file_meas.h> #include <tcg/tcg_pts_attr_req_file_meta.h> -#include <debug.h> +#include <utils/debug.h> -bool imv_attestation_build(linked_list_t *attr_list, +bool imv_attestation_build(imv_msg_t *out_msg, imv_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups, @@ -76,12 +76,12 @@ bool imv_attestation_build(linked_list_t *attr_list, flags = pts->get_proto_caps(pts); attr = tcg_pts_attr_proto_caps_create(flags, TRUE); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); /* Send Measurement Algorithms attribute */ attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_NONCE_REQ); @@ -97,7 +97,7 @@ bool imv_attestation_build(linked_list_t *attr_list, attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len, supported_dh_groups); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_TPM_INIT); @@ -116,18 +116,18 @@ bool imv_attestation_build(linked_list_t *attr_list, attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm, initiator_value, initiator_nonce); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); } /* Send Get TPM Version attribute */ attr = tcg_pts_attr_get_tpm_version_info_create(); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); /* Send Get AIK attribute */ attr = tcg_pts_attr_get_aik_create(); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_MEAS); @@ -140,7 +140,7 @@ bool imv_attestation_build(linked_list_t *attr_list, char *platform_info, *pathname; u_int16_t request_id; int id, type; - bool is_dir; + bool is_dir, have_request = FALSE; attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_COMP_EVID); @@ -173,10 +173,11 @@ bool imv_attestation_build(linked_list_t *attr_list, attr = tcg_pts_attr_req_file_meta_create(is_dir, delimiter, pathname); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); + have_request = TRUE; } enumerator->destroy(enumerator); - + /* Send Request File Measurement attribute */ enumerator = pts_db->create_file_meas_enumerator(pts_db, platform_info); @@ -194,12 +195,13 @@ bool imv_attestation_build(linked_list_t *attr_list, attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id, delimiter, pathname); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); + have_request = TRUE; } enumerator->destroy(enumerator); /* do we have any file metadata or measurement requests? */ - if (attr_list->get_count(attr_list)) + if (have_request) { break; } @@ -282,12 +284,12 @@ bool imv_attestation_build(linked_list_t *attr_list, if (attr) { /* Send Request Functional Component Evidence attribute */ - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); /* Send Generate Attestation Evidence attribute */ attr = tcg_pts_attr_gen_attest_evid_create(); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_EVID_FINAL); diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.h b/src/libpts/plugins/imv_attestation/imv_attestation_build.h index 7f934fd09..0fc10f0ce 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_build.h +++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.h @@ -24,7 +24,7 @@ #include "imv_attestation_state.h" -#include <pa_tnc/pa_tnc_msg.h> +#include <imv/imv_msg.h> #include <library.h> #include <pts/pts_database.h> @@ -34,14 +34,14 @@ /** * Process a TCG PTS attribute * - * @param attr_list list of PA-TNC attriubutes to be built + * @param out_msg outbound PA-TNC message to be built * @param attestation_state attestation state of a given connection * @param supported_algorithms supported PTS measurement algorithms * @param supported_dh_groups supported DH groups * @param pts_db PTS configuration database * @return TRUE if successful */ -bool imv_attestation_build(linked_list_t *attr_list, +bool imv_attestation_build(imv_msg_t *out_msg, imv_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups, diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c index 37e9ac77a..4541075ef 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c @@ -29,12 +29,12 @@ #include <tcg/tcg_pts_attr_tpm_version_info.h> #include <tcg/tcg_pts_attr_unix_file_meta.h> -#include <debug.h> +#include <utils/debug.h> #include <crypto/hashers/hasher.h> #include <inttypes.h> -bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, +bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, imv_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups, @@ -43,7 +43,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, { pen_type_t attr_type; pts_t *pts; - + pts = attestation_state->get_pts(attestation_state); attr_type = attr->get_type(attr); @@ -96,7 +96,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, attr = pts_dh_nonce_error_create( max(PTS_MIN_NONCE_LEN, min_nonce_len), PTS_MAX_NONCE_LEN); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); break; } @@ -113,7 +113,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (selected_algorithm == PTS_MEAS_ALGO_NONE) { attr = pts_hash_alg_error_create(supported_algorithms); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); break; } pts->set_dh_hash_algorithm(pts, selected_algorithm); @@ -233,7 +233,8 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, platform_info, algo, file_id, is_dir); if (!measurements->verify(measurements, e_hash, is_dir)) { - attestation_state->set_measurement_error(attestation_state); + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL); } e_hash->destroy(e_hash); } @@ -299,7 +300,8 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (comp->verify(comp, name->get_qualifier(name), pts, evidence) != SUCCESS) { - attestation_state->set_measurement_error(attestation_state); + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_COMP_EVID_FAIL); name->log(name, " measurement mismatch for "); } break; @@ -335,17 +337,21 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, { DBG1(DBG_IMV, "received PCR Composite does not match " "constructed one"); + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL); free(pcr_composite.ptr); free(quote_info.ptr); - return FALSE; + break; } DBG2(DBG_IMV, "received PCR Composite matches constructed one"); free(pcr_composite.ptr); if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig)) { + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL); free(quote_info.ptr); - return FALSE; + break; } DBG2(DBG_IMV, "TPM Quote Info signature verification successful"); free(quote_info.ptr); diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.h b/src/libpts/plugins/imv_attestation/imv_attestation_process.h index 4d4eeefbb..73b4251e0 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_process.h +++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.h @@ -25,10 +25,11 @@ #include "imv_attestation_state.h" #include <library.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> #include <credentials/credential_manager.h> #include <crypto/hashers/hasher.h> +#include <imv/imv_msg.h> #include <pa_tnc/pa_tnc_attr.h> #include <pts/pts_database.h> @@ -39,7 +40,7 @@ * Process a TCG PTS attribute * * @param attr PA-TNC attribute to be processed - * @param attr_list list with PA-TNC error attributes + * @param out_msg PA-TNC message containing error messages * @param attestation_state attestation state of a given connection * @param supported_algorithms supported PTS measurement algorithms * @param supported_dh_groups supported DH groups @@ -47,7 +48,7 @@ * @param pts_credmgr PTS credential manager * @return TRUE if successful */ -bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, +bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, imv_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups, diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c index 1dbc88309..93da9aee5 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c @@ -17,9 +17,11 @@ #include <libpts.h> -#include <utils/lexparser.h> -#include <utils/linked_list.h> -#include <debug.h> +#include <imv/imv_lang_string.h> +#include "imv/imv_reason_string.h" + +#include <collections/linked_list.h> +#include <utils/debug.h> typedef struct private_imv_attestation_state_t private_imv_attestation_state_t; typedef struct file_meas_request_t file_meas_request_t; @@ -44,7 +46,7 @@ struct private_imv_attestation_state_t { * TNCCS connection state */ TNC_ConnectionState state; - + /** * Does the TNCCS connection support long message types? */ @@ -96,9 +98,14 @@ struct private_imv_attestation_state_t { pts_t *pts; /** - * Measurement error + * Measurement error flags + */ + u_int32_t measurement_error; + + /** + * TNC Reason String */ - bool measurement_error; + imv_reason_string_t *reason_string; }; @@ -128,26 +135,47 @@ static void free_func_comp(func_comp_t *this) free(this); } -typedef struct entry_t entry_t; - /** - * Define an internal reason string entry + * Supported languages */ -struct entry_t { - char *lang; - char *string; -}; +static char* languages[] = { "en", "de", "mn" }; /** - * Table of multi-lingual reason string entries + * Table of reason strings */ -static entry_t reasons[] = { - { "en", "IMV Attestation: Incorrect/pending file measurement/component" - " evidence or invalid TPM Quote signature received" }, - { "mn", "IMV Attestation: Буруу/хүлээгдэж байгаа файл/компонент хэмжилт " - "эсвэл буруу TPM Quote гарын үсэг" }, - { "de", "IMV Attestation: Falsche/Fehlende Dateimessung/Komponenten Beweis " - "oder ungültige TPM Quote Unterschrift ist erhalten" }, +static imv_lang_string_t reason_file_meas_fail[] = { + { "en", "Incorrect file measurement" }, + { "de", "Falsche Dateimessung" }, + { "mn", "Буруу байгаа файл" }, + { NULL, NULL } +}; + +static imv_lang_string_t reason_file_meas_pend[] = { + { "en", "Pending file measurement" }, + { "de", "Ausstehende Dateimessung" }, + { "mn", "Xүлээгдэж байгаа файл" }, + { NULL, NULL } +}; + +static imv_lang_string_t reason_comp_evid_fail[] = { + { "en", "Incorrect component evidence" }, + { "de", "Falsche Komponenten-Evidenz" }, + { "mn", "Буруу компонент хэмжилт" }, + { NULL, NULL } +}; + +static imv_lang_string_t reason_comp_evid_pend[] = { + { "en", "Pending component evidence" }, + { "de", "Ausstehende Komponenten-Evidenz" }, + { "mn", "Xүлээгдэж компонент хэмжилт" }, + { NULL, NULL } +}; + +static imv_lang_string_t reason_tpm_quote_fail[] = { + { "en", "Invalid TPM Quote signature received" }, + { "de", "Falsche TPM Quote Signature erhalten" }, + { "mn", "Буруу TPM Quote гарын үсэг" }, + { NULL, NULL } }; METHOD(imv_state_t, get_connection_id, TNC_ConnectionID, @@ -210,52 +238,57 @@ METHOD(imv_state_t, set_recommendation, void, } METHOD(imv_state_t, get_reason_string, bool, - private_imv_attestation_state_t *this, chunk_t preferred_language, - chunk_t *reason_string, chunk_t *reason_language) + private_imv_attestation_state_t *this, enumerator_t *language_enumerator, + chunk_t *reason_string, char **reason_language) { - chunk_t pref_lang, lang; - u_char *pos; - int i; + *reason_language = imv_lang_string_select_lang(language_enumerator, + languages, countof(languages)); - while (eat_whitespace(&preferred_language)) - { - if (!extract_token(&pref_lang, ',', &preferred_language)) - { - /* last entry in a comma-separated list or single entry */ - pref_lang = preferred_language; - } + /* Instantiate a TNC Reason String object */ + DESTROY_IF(this->reason_string); + this->reason_string = imv_reason_string_create(*reason_language); - /* eat trailing whitespace */ - pos = pref_lang.ptr + pref_lang.len - 1; - while (pref_lang.len && *pos-- == ' ') - { - pref_lang.len--; - } - - for (i = 0 ; i < countof(reasons); i++) - { - lang = chunk_create(reasons[i].lang, strlen(reasons[i].lang)); - if (chunk_equals(lang, pref_lang)) - { - *reason_language = lang; - *reason_string = chunk_create(reasons[i].string, - strlen(reasons[i].string)); - return TRUE; - } - } + if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL) + { + this->reason_string->add_reason(this->reason_string, + reason_file_meas_fail); + } + if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_PEND) + { + this->reason_string->add_reason(this->reason_string, + reason_file_meas_pend); + } + if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_FAIL) + { + this->reason_string->add_reason(this->reason_string, + reason_comp_evid_fail); + } + if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_PEND) + { + this->reason_string->add_reason(this->reason_string, + reason_comp_evid_pend); } + if (this->measurement_error & IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL) + { + this->reason_string->add_reason(this->reason_string, + reason_tpm_quote_fail); + } + *reason_string = this->reason_string->get_encoding(this->reason_string); - /* no preferred language match found - use the default language */ - *reason_string = chunk_create(reasons[0].string, - strlen(reasons[0].string)); - *reason_language = chunk_create(reasons[0].lang, - strlen(reasons[0].lang)); return TRUE; } +METHOD(imv_state_t, get_remediation_instructions, bool, + private_imv_attestation_state_t *this, enumerator_t *language_enumerator, + chunk_t *string, char **lang_code, char **uri) +{ + return FALSE; +} + METHOD(imv_state_t, destroy, void, private_imv_attestation_state_t *this) { + DESTROY_IF(this->reason_string); this->file_meas_requests->destroy_function(this->file_meas_requests, free); this->components->destroy_function(this->components, (void *)free_func_comp); this->pts->destroy(this->pts); @@ -302,7 +335,7 @@ METHOD(imv_attestation_state_t, check_off_file_meas_request, bool, enumerator_t *enumerator; file_meas_request_t *request; bool found = FALSE; - + enumerator = this->file_meas_requests->create_enumerator(this->file_meas_requests); while (enumerator->enumerate(enumerator, &request)) { @@ -396,16 +429,16 @@ METHOD(imv_attestation_state_t, get_component, pts_component_t*, return found; } -METHOD(imv_attestation_state_t, get_measurement_error, bool, +METHOD(imv_attestation_state_t, get_measurement_error, u_int32_t, private_imv_attestation_state_t *this) { return this->measurement_error; } METHOD(imv_attestation_state_t, set_measurement_error, void, - private_imv_attestation_state_t *this) + private_imv_attestation_state_t *this, u_int32_t error) { - this->measurement_error = TRUE; + this->measurement_error |= error; } METHOD(imv_attestation_state_t, finalize_components, void, @@ -418,7 +451,7 @@ METHOD(imv_attestation_state_t, finalize_components, void, { if (!entry->comp->finalize(entry->comp, entry->qualifier)) { - _set_measurement_error(this); + set_measurement_error(this, IMV_ATTESTATION_ERROR_COMP_EVID_PEND); } free_func_comp(entry); } @@ -436,7 +469,6 @@ METHOD(imv_attestation_state_t, components_finalized, bool, imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id) { private_imv_attestation_state_t *this; - char *platform_info; INIT(this, .public = { @@ -451,6 +483,7 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id) .get_recommendation = _get_recommendation, .set_recommendation = _set_recommendation, .get_reason_string = _get_reason_string, + .get_remediation_instructions = _get_remediation_instructions, .destroy = _destroy, }, .get_handshake_state = _get_handshake_state, @@ -476,12 +509,5 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id) .pts = pts_create(FALSE), ); - platform_info = lib->settings->get_str(lib->settings, - "libimcv.plugins.imv-attestation.platform_info", NULL); - if (platform_info) - { - this->pts->set_platform_info(this->pts, platform_info); - } - return &this->public.interface; } diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h index 901d4b19d..f64314e71 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h +++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h @@ -30,6 +30,7 @@ typedef struct imv_attestation_state_t imv_attestation_state_t; typedef enum imv_attestation_handshake_state_t imv_attestation_handshake_state_t; +typedef enum imv_meas_error_t imv_meas_error_t; /** * IMV Attestation Handshake States (state machine) @@ -45,6 +46,17 @@ enum imv_attestation_handshake_state_t { }; /** + * IMV Measurement Error Types + */ +enum imv_meas_error_t { + IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL = 1, + IMV_ATTESTATION_ERROR_FILE_MEAS_PEND = 2, + IMV_ATTESTATION_ERROR_COMP_EVID_FAIL = 4, + IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 8, + IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 16 +}; + +/** * Internal state of an imv_attestation_t connection instance */ struct imv_attestation_state_t { @@ -139,16 +151,19 @@ struct imv_attestation_state_t { bool (*components_finalized)(imv_attestation_state_t *this); /** - * Indicates if a file measurement error occurred + * Indicates the types of measurement errors that occurred * - * @return TRUE in case of measurement error + * @return Measurement error flags */ - bool (*get_measurement_error)(imv_attestation_state_t *this); + u_int32_t (*get_measurement_error)(imv_attestation_state_t *this); /** - * Call if a file measurement error is encountered + * Call if a measurement error is encountered + * + * @param error Measurement error type */ - void (*set_measurement_error)(imv_attestation_state_t *this); + void (*set_measurement_error)(imv_attestation_state_t *this, + u_int32_t error); }; diff --git a/src/libpts/plugins/imv_attestation/tables.sql b/src/libpts/plugins/imv_attestation/tables.sql index 42553bef0..8a79ea7cf 100644 --- a/src/libpts/plugins/imv_attestation/tables.sql +++ b/src/libpts/plugins/imv_attestation/tables.sql @@ -85,3 +85,54 @@ CREATE TABLE component_hashes ( hash BLOB NOT NULL, PRIMARY KEY(component, key, seq_no, algo) ); + +DROP TABLE IF EXISTS packages; +CREATE TABLE packages ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + name TEXT NOT NULL +); +DROP INDEX IF EXISTS packages_name; +CREATE INDEX packages_name ON packages ( + name +); + +DROP TABLE IF EXISTS versions; +CREATE TABLE versions ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + package INTEGER NOT NULL, + product INTEGER NOT NULL, + release TEXT NOT NULL, + security INTEGER DEFAULT 0, + time INTEGER DEFAULT 0 +); +DROP INDEX IF EXISTS versions_release; +CREATE INDEX versions_release ON versions ( + release +); +DROP INDEX IF EXISTS versions_package_product; +CREATE INDEX versions_package_product ON versions ( + package, product +); + +DROP TABLE IF EXISTS devices; +CREATE TABLE devices ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + value BLOB NOT NULL +); +DROP INDEX IF EXISTS devices_id; +CREATE INDEX devices_value ON devices ( + value +); + +DROP TABLE IF EXISTS device_infos; +CREATE TABLE device_infos ( + device INTEGER NOT NULL, + time INTEGER NOT NULL, + product INTEGER DEFAULT 0, + count INTEGER DEFAULT 0, + count_update INTEGER DEFAULT 0, + count_blacklist INTEGER DEFAULT 0, + flags INTEGER DEFAULT 0, + PRIMARY KEY (device, time) +); + |