Import upstream version 5.1.3

12 files changed, 59 insertions, 26 deletions

diff --git a/src/libpts/Makefile.in b/src/libpts/Makefile.in
index 05c27d9cb..af5eafd7f 100644
--- a/src/libpts/Makefile.in
+++ b/src/libpts/Makefile.in
@@ -448,7 +448,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in
index 7a539ef22..dd347d2d8 100644
--- a/src/libpts/plugins/imc_attestation/Makefile.in
+++ b/src/libpts/plugins/imc_attestation/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation.c b/src/libpts/plugins/imc_attestation/imc_attestation.c
index 467b998c8..c71b21666 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation.c
+++ b/src/libpts/plugins/imc_attestation/imc_attestation.c
@@ -66,6 +66,8 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 							  TNC_Version max_version,
 							  TNC_Version *actual_version)
 {
+	bool mandatory_dh_groups;
+
 	if (imc_attestation)
 	{
 		DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
@@ -78,8 +80,11 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 		return TNC_RESULT_FATAL;
 	}
 
+	mandatory_dh_groups = lib->settings->get_bool(lib->settings,
+			"%s.plugins.imc-attestation.mandatory_dh_groups", TRUE, lib->ns);
+
 	if (!pts_meas_algo_probe(&supported_algorithms) ||
-		!pts_dh_group_probe(&supported_dh_groups))
+		!pts_dh_group_probe(&supported_dh_groups, mandatory_dh_groups))
 	{
 		imc_attestation->destroy(imc_attestation);
 		imc_attestation = NULL;
diff --git a/src/libpts/plugins/imc_swid/Makefile.in b/src/libpts/plugins/imc_swid/Makefile.in
index e1c932e45..58402636f 100644
--- a/src/libpts/plugins/imc_swid/Makefile.in
+++ b/src/libpts/plugins/imc_swid/Makefile.in
@@ -372,7 +372,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in
index c1c14d476..ff94363bf 100644
--- a/src/libpts/plugins/imv_attestation/Makefile.in
+++ b/src/libpts/plugins/imv_attestation/Makefile.in
@@ -382,7 +382,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c
index b8a6854cb..8f4df39e7 100644
--- a/src/libpts/plugins/imv_attestation/attest.c
+++ b/src/libpts/plugins/imv_attestation/attest.c
@@ -278,12 +278,14 @@ static void do_args(int argc, char *argv[])
 						exit(EXIT_FAILURE);
 					}
 				}
-				free(file);
 				free(dir);
+
 				if (!attest->set_file(attest, file, op == OP_ADD))
 				{
+					free(file);
 					exit(EXIT_FAILURE);
 				}
+				free(file);
 				continue;
 			}
 			case 'G':
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
index e8c3c5e40..ae2660bae 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
@@ -482,6 +482,22 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 							}
 						}
 
+						/* do TPM TRUSTED BOOT measurements */
+						if (strchr(workitem->get_arg_str(workitem), 'T'))
+						{
+							comp_name = pts_comp_func_name_create(PEN_ITA,
+											 PTS_ITA_COMP_FUNC_NAME_TBOOT,
+											PTS_ITA_QUALIFIER_FLAG_KERNEL |
+											PTS_ITA_QUALIFIER_TYPE_TRUSTED);
+							comp = attestation_state->create_component(
+											attestation_state, comp_name,
+											0, this->pts_db);
+							if (!comp)
+							{
+								comp_name->log(comp_name, "unregistered ");
+								comp_name->destroy(comp_name);
+							}
+						}
 						attestation_state->set_handshake_state(attestation_state,
 											IMV_ATTESTATION_STATE_NONCE_REQ);
 						continue;
@@ -706,6 +722,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
 	private_imv_attestation_agent_t *this;
 	imv_agent_t *agent;
 	char *hash_alg, *dh_group, *cadir;
+	bool mandatory_dh_groups;
 
 	agent = imv_agent_create(name, msg_types, countof(msg_types), id,
 							 actual_version);
@@ -718,6 +735,8 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
 				"%s.plugins.imv-attestation.hash_algorithm", "sha256", lib->ns);
 	dh_group = lib->settings->get_str(lib->settings,
 				"%s.plugins.imv-attestation.dh_group", "ecp256", lib->ns);
+	mandatory_dh_groups = lib->settings->get_bool(lib->settings,
+				"%s.plugins.imv-attestation.mandatory_dh_groups", TRUE, lib->ns);
 	cadir = lib->settings->get_str(lib->settings,
 				"%s.plugins.imv-attestation.cadir", NULL, lib->ns);
 
@@ -742,7 +761,7 @@ imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id,
 	libpts_init();
 
 	if (!pts_meas_algo_probe(&this->supported_algorithms) ||
-		!pts_dh_group_probe(&this->supported_dh_groups) ||
+		!pts_dh_group_probe(&this->supported_dh_groups, mandatory_dh_groups) ||
 		!pts_meas_algo_update(hash_alg, &this->supported_algorithms) ||
 		!pts_dh_group_update(dh_group, &this->supported_dh_groups))
 	{
diff --git a/src/libpts/plugins/imv_swid/Makefile.in b/src/libpts/plugins/imv_swid/Makefile.in
index b92f7d4d0..f9bd93ce0 100644
--- a/src/libpts/plugins/imv_swid/Makefile.in
+++ b/src/libpts/plugins/imv_swid/Makefile.in
@@ -370,7 +370,6 @@ nm_LIBS = @nm_LIBS@
 nm_ca_dir = @nm_ca_dir@
 nm_plugins = @nm_plugins@
 oldincludedir = @oldincludedir@
-openac_plugins = @openac_plugins@
 pcsclite_CFLAGS = @pcsclite_CFLAGS@
 pcsclite_LIBS = @pcsclite_LIBS@
 pdfdir = @pdfdir@
diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c
index 8699282f0..3ab9b92e6 100644
--- a/src/libpts/pts/pts.c
+++ b/src/libpts/pts/pts.c
@@ -393,7 +393,7 @@ static void load_aik_blob(private_pts_t *this)
 		fseek(fp, 0L, SEEK_SET);
 
 		this->aik_blob = chunk_alloc(aikBlobLen);
-		if (fread(this->aik_blob.ptr, 1, aikBlobLen, fp))
+		if (fread(this->aik_blob.ptr, 1, aikBlobLen, fp) == aikBlobLen)
 		{
 			DBG2(DBG_PTS, "loaded AIK Blob from '%s'", blob_path);
 			DBG3(DBG_PTS, "AIK Blob: %B", &this->aik_blob);
@@ -401,6 +401,7 @@ static void load_aik_blob(private_pts_t *this)
 		else
 		{
 			DBG1(DBG_PTS, "unable to read AIK Blob file '%s'", blob_path);
+			chunk_free(&this->aik_blob);
 		}
 		fclose(fp);
 		return;
diff --git a/src/libpts/pts/pts_database.c b/src/libpts/pts/pts_database.c
index 07e8ae1da..fda644a6a 100644
--- a/src/libpts/pts/pts_database.c
+++ b/src/libpts/pts/pts_database.c
@@ -280,20 +280,17 @@ METHOD(pts_database_t, check_file_measurement, status_t,
 				DB_TEXT, dir, DB_INT);
 		if (!e)
 		{
-			free(file);
-			free(dir);
-			return FAILED;
+			status = FAILED;
+			goto err;
 		}
 		dir_found = e->enumerate(e, &did);
 		e->destroy(e);
 
 		if (!dir_found)
 		{
-			free(file);
-			free(dir);
-			return NOT_FOUND;
+			status = NOT_FOUND;
+			goto err;
 		}
-
 		e = this->db->query(this->db,
 				"SELECT fh.hash FROM file_hashes AS fh "
 				"JOIN files AS f ON f.id = fh.file "
@@ -302,12 +299,10 @@ METHOD(pts_database_t, check_file_measurement, status_t,
 				DB_TEXT, product, DB_INT, did, DB_TEXT, file, DB_INT, algo,
 				DB_BLOB);
 	}
-	free(file);
-	free(dir);
-
 	if (!e)
 	{
-		return FAILED;
+		status = FAILED;
+		goto err;
 	}
 	while (e->enumerate(e, &hash))
 	{
@@ -324,6 +319,10 @@ METHOD(pts_database_t, check_file_measurement, status_t,
 	}
 	e->destroy(e);
 
+err:
+	free(file);
+	free(dir);
+
 	return status;
 }
 
diff --git a/src/libpts/pts/pts_dh_group.c b/src/libpts/pts/pts_dh_group.c
index 41a436036..305b4ec4f 100644
--- a/src/libpts/pts/pts_dh_group.c
+++ b/src/libpts/pts/pts_dh_group.c
@@ -20,7 +20,7 @@
 /**
  * Described in header.
  */
-bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
+bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups)
 {
 	enumerator_t *enumerator;
 	diffie_hellman_group_t dh_group;
@@ -68,14 +68,23 @@ bool pts_dh_group_probe(pts_dh_group_t *dh_groups)
 
 	if (*dh_groups & PTS_DH_GROUP_IKE19)
 	{
+		/* mandatory PTS DH group is available */
 		return TRUE;
 	}
-	else
+	if (*dh_groups == PTS_DH_GROUP_NONE)
+	{
+		DBG1(DBG_PTS, "no PTS DH group available");
+		return FALSE;
+	}
+	if (mandatory_dh_groups)
 	{
 		DBG1(DBG_PTS, format2, "mandatory", diffie_hellman_group_names,
 											ECP_256_BIT);
+		return FALSE;
 	}
-	return FALSE;
+
+	/* at least one optional PTS DH group is available */
+	return TRUE;
 }
 
 /**
diff --git a/src/libpts/pts/pts_dh_group.h b/src/libpts/pts/pts_dh_group.h
index 2aab90263..f5d951e9a 100644
--- a/src/libpts/pts/pts_dh_group.h
+++ b/src/libpts/pts/pts_dh_group.h
@@ -59,10 +59,13 @@ enum pts_dh_group_t {
 /**
  * Probe available PTS Diffie-Hellman groups
  *
- * @param dh_groups			returns set of available DH groups
- * @return					TRUE if mandatory DH groups are available
+ * @param dh_groups				returns set of available DH groups
+ * @param mandatory_dh_groups	if TRUE enforce mandatory PTS DH groups
+ * @return						TRUE if mandatory DH groups are available
+ *								or at least one optional DH group if 
+ *								mandatory_dh_groups is set to FALSE.
  */
-bool pts_dh_group_probe(pts_dh_group_t *dh_groups);
+bool pts_dh_group_probe(pts_dh_group_t *dh_groups, bool mandatory_dh_groups);
 
 /**
  * Update supported Diffie-Hellman groups according to configuration