diff options
Diffstat (limited to 'src/libimcv')
34 files changed, 514 insertions, 177 deletions
diff --git a/src/libimcv/Makefile.am b/src/libimcv/Makefile.am index d9a5cd50d..a61382723 100644 --- a/src/libimcv/Makefile.am +++ b/src/libimcv/Makefile.am @@ -127,7 +127,8 @@ imv_policy_manager_SOURCES = \ imv/imv_policy_manager.c \ imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c imv_policy_manager_LDADD = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtncif/libtncif.la #imv/imv_policy_manager.o : $(top_builddir)/config.status SUBDIRS = . diff --git a/src/libimcv/Makefile.in b/src/libimcv/Makefile.in index 239e62a17..03778a22c 100644 --- a/src/libimcv/Makefile.in +++ b/src/libimcv/Makefile.in @@ -237,7 +237,8 @@ am_imv_policy_manager_OBJECTS = imv/imv_policy_manager.$(OBJEXT) \ imv/imv_policy_manager_usage.$(OBJEXT) imv_policy_manager_OBJECTS = $(am_imv_policy_manager_OBJECTS) imv_policy_manager_DEPENDENCIES = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtncif/libtncif.la SCRIPTS = $(ipsec_SCRIPTS) AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) @@ -395,6 +396,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -455,10 +457,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -532,6 +536,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ @@ -708,7 +714,8 @@ imv_policy_manager_SOURCES = \ imv/imv_policy_manager_usage.h imv/imv_policy_manager_usage.c imv_policy_manager_LDADD = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libtncif/libtncif.la #imv/imv_policy_manager.o : $(top_builddir)/config.status SUBDIRS = . $(am__append_3) $(am__append_4) $(am__append_5) \ diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql index 425748f59..ff6191117 100644 --- a/src/libimcv/imv/data.sql +++ b/src/libimcv/imv/data.sql @@ -323,6 +323,71 @@ INSERT INTO products ( /* 54 */ 'Debian 7.6 armv6l' ); +INSERT INTO products ( /* 55 */ + name +) VALUES ( + 'Debian 7.7 i686' +); + +INSERT INTO products ( /* 56 */ + name +) VALUES ( + 'Debian 7.7 x86_64' +); +INSERT INTO products ( /* 57 */ + name +) VALUES ( + 'Debian 7.7 armv6l' +); + +INSERT INTO products ( /* 58 */ + name +) VALUES ( + 'Debian 7.8 i686' +); + +INSERT INTO products ( /* 59 */ + name +) VALUES ( + 'Debian 7.8 x86_64' +); + +INSERT INTO products ( /* 60 */ + name +) VALUES ( + 'Debian 7.8 armv6l' +); + +INSERT INTO products ( /* 61 */ + name +) VALUES ( + 'Ubuntu 14.10 i686' +); + +INSERT INTO products ( /* 62 */ + name +) VALUES ( + 'Ubuntu 14.10 x86_64' +); + +INSERT INTO products ( /* 63 */ + name +) VALUES ( + 'Android 5.0' +); + +INSERT INTO products ( /* 64 */ + name +) VALUES ( + 'Android 5.0.1' +); + +INSERT INTO products ( /* 65 */ + name +) VALUES ( + 'Debian 7.8 armv7l' +); + /* Directories */ INSERT INTO directories ( /* 1 */ @@ -741,6 +806,18 @@ INSERT INTO groups ( /* 14 */ 'Debian armv6l', 2 ); +INSERT INTO groups ( /* 15 */ + name, parent +) VALUES ( + 'Debian armv7l', 2 +); + +INSERT INTO groups ( /* 16 */ + name +) VALUES ( + 'TPM TBOOT' +); + /* Default Product Groups */ INSERT INTO groups_product_defaults ( @@ -800,6 +877,18 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 4, 55 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 58 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 5, 2 ); @@ -854,6 +943,18 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 5, 56 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 59 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 6, 9 ); @@ -902,6 +1003,12 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 6, 61 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 7, 8 ); @@ -956,6 +1063,12 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 7, 62 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 3, 21 ); @@ -1016,6 +1129,18 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 3, 63 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 3, 64 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 3, 51 ); @@ -1061,6 +1186,24 @@ INSERT INTO groups_product_defaults ( 14, 54 ); +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 14, 57 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 14, 60 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 15, 65 +); + /* Policies */ INSERT INTO policies ( /* 1 */ @@ -1189,6 +1332,12 @@ INSERT INTO policies ( /* 21 */ 16, 'TPM BIOS/IMA Measurements', 'BI', 2, 2 ); +INSERT INTO policies ( /* 22 */ + type, name, argument, rec_fail, rec_noresult +) VALUES ( + 16, 'TPM TBOOT Measurements', 'T', 2, 2 +); + /* Enforcements */ INSERT INTO enforcements ( /* 1 */ @@ -1293,6 +1442,12 @@ INSERT INTO enforcements ( /* 17 */ 21, 13, 60 ); +INSERT INTO enforcements ( /* 18 */ + policy, group_id, max_age +) VALUES ( + 22, 16, 60 +); + /* swid_entities */ INSERT INTO "swid_entities" ( /* 1 */ diff --git a/src/libimcv/imv/imv_agent.c b/src/libimcv/imv/imv_agent.c index 6b24f4b28..d0508624d 100644 --- a/src/libimcv/imv/imv_agent.c +++ b/src/libimcv/imv/imv_agent.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -412,14 +412,10 @@ METHOD(imv_agent_t, create_state, TNC_Result, { TNC_ConnectionID conn_id; char *tnccs_p = NULL, *tnccs_v = NULL, *t_p = NULL, *t_v = NULL; - bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE, first = TRUE; + bool has_long = FALSE, has_excl = FALSE, has_soh = FALSE; linked_list_t *ar_identities; - enumerator_t *enumerator; - tncif_identity_t *tnc_id; imv_session_t *session; uint32_t max_msg_len; - uint32_t ar_id_type = TNC_ID_UNKNOWN; - chunk_t ar_id_value = chunk_empty; conn_id = state->get_connection_id(state); if (find_connection(this, conn_id)) @@ -431,15 +427,24 @@ METHOD(imv_agent_t, create_state, TNC_Result, } /* Get and display attributes from TNCS via IF-IMV */ - has_long = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_LONG_TYPES); - has_excl = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_EXCLUSIVE); - has_soh = get_bool_attribute(this, conn_id, TNC_ATTRIBUTEID_HAS_SOH); - tnccs_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL); - tnccs_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFTNCCS_VERSION); - t_p = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_PROTOCOL); - t_v = get_str_attribute(this, conn_id, TNC_ATTRIBUTEID_IFT_VERSION); - max_msg_len = get_uint_attribute(this, conn_id, TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE); - ar_identities = get_identity_attribute(this, conn_id, TNC_ATTRIBUTEID_AR_IDENTITIES); + has_long = get_bool_attribute(this, conn_id, + TNC_ATTRIBUTEID_HAS_LONG_TYPES); + has_excl = get_bool_attribute(this, conn_id, + TNC_ATTRIBUTEID_HAS_EXCLUSIVE); + has_soh = get_bool_attribute(this, conn_id, + TNC_ATTRIBUTEID_HAS_SOH); + tnccs_p = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFTNCCS_PROTOCOL); + tnccs_v = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFTNCCS_VERSION); + t_p = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFT_PROTOCOL); + t_v = get_str_attribute(this, conn_id, + TNC_ATTRIBUTEID_IFT_VERSION); + max_msg_len = get_uint_attribute(this, conn_id, + TNC_ATTRIBUTEID_MAX_MESSAGE_SIZE); + ar_identities = get_identity_attribute(this, conn_id, + TNC_ATTRIBUTEID_AR_IDENTITIES); state->set_flags(state, has_long, has_excl); state->set_max_msg_len(state, max_msg_len); @@ -451,48 +456,9 @@ METHOD(imv_agent_t, create_state, TNC_Result, DBG2(DBG_IMV, " over %s %s with maximum PA-TNC message size of %u bytes", t_p ? t_p:"?", t_v ? t_v :"?", max_msg_len); - enumerator = ar_identities->create_enumerator(ar_identities); - while (enumerator->enumerate(enumerator, &tnc_id)) - { - pen_type_t id_type, subject_type, auth_type; - uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type; - chunk_t id_value; - - id_type = tnc_id->get_identity_type(tnc_id); - id_value = tnc_id->get_identity_value(tnc_id); - subject_type = tnc_id->get_subject_type(tnc_id); - auth_type = tnc_id->get_auth_type(tnc_id); - - tcg_id_type = (id_type.vendor_id == PEN_TCG) ? - id_type.type : TNC_ID_UNKNOWN; - tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ? - subject_type.type : TNC_SUBJECT_UNKNOWN; - tcg_auth_type = (auth_type.vendor_id == PEN_TCG) ? - auth_type.type : TNC_AUTH_UNKNOWN; - - - DBG2(DBG_IMV, " %N AR identity '%.*s' authenticated by %N", - TNC_Subject_names, tcg_subject_type, - id_value.len, id_value.ptr, - TNC_Authentication_names, tcg_auth_type); - - /* keep the first access requestor ID */ - if (first) - { - ar_id_type = tcg_id_type; - ar_id_value = id_value; - first = FALSE; - } - } - enumerator->destroy(enumerator); - - session = imcv_sessions->add_session(imcv_sessions, conn_id, - ar_id_type, ar_id_value); + session = imcv_sessions->add_session(imcv_sessions, conn_id, ar_identities); state->set_session(state, session); - /* clean up temporary variables */ - ar_identities->destroy_offset(ar_identities, - offsetof(tncif_identity_t, destroy)); free(tnccs_p); free(tnccs_v); free(t_p); diff --git a/src/libimcv/imv/imv_database.c b/src/libimcv/imv/imv_database.c index 0c4bb7514..0a18cd71b 100644 --- a/src/libimcv/imv/imv_database.c +++ b/src/libimcv/imv/imv_database.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2014 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -22,6 +22,8 @@ #include "imv_database.h" +#include <tncif_identity.h> + #include <utils/debug.h> #include <threading/mutex.h> @@ -60,41 +62,14 @@ METHOD(imv_database_t, get_database, database_t*, */ static bool create_session(private_imv_database_t *this, imv_session_t *session) { - enumerator_t *e; + enumerator_t *enumerator, *e; imv_os_info_t *os_info; - chunk_t device_id, ar_id_value; + chunk_t device_id; + tncif_identity_t *tnc_id; TNC_ConnectionID conn_id; - uint32_t ar_id_type; char *product, *device; - int session_id = 0, ar_id = 0, pid = 0, did = 0, trusted = 0, created; - - ar_id_value = session->get_ar_id(session, &ar_id_type); - if (ar_id_value.len) - { - /* get primary key of AR identity if it exists */ - e = this->db->query(this->db, - "SELECT id FROM identities WHERE type = ? AND value = ?", - DB_INT, ar_id_type, DB_BLOB, ar_id_value, DB_INT); - if (e) - { - e->enumerate(e, &ar_id); - e->destroy(e); - } - - /* if AR identity has not been found - register it */ - if (!ar_id) - { - this->db->execute(this->db, &ar_id, - "INSERT INTO identities (type, value) VALUES (?, ?)", - DB_INT, ar_id_type, DB_BLOB, ar_id_value); - } - - if (!ar_id) - { - DBG1(DBG_IMV, "imv_db: registering access requestor failed"); - return FALSE; - } - } + int session_id = 0, pid = 0, did = 0, trusted = 0, created; + bool first = TRUE, success = TRUE; /* get product info string */ os_info = session->get_os_info(session); @@ -170,10 +145,9 @@ static bool create_session(private_imv_database_t *this, imv_session_t *session) created = session->get_creation_time(session); conn_id = session->get_connection_id(session); this->db->execute(this->db, &session_id, - "INSERT INTO sessions (time, connection, identity, product, device) " - "VALUES (?, ?, ?, ?, ?)", - DB_INT, created, DB_INT, conn_id, DB_INT, ar_id, - DB_INT, pid, DB_INT, did); + "INSERT INTO sessions (time, connection, product, device) " + "VALUES (?, ?, ?, ?)", + DB_INT, created, DB_INT, conn_id, DB_INT, pid, DB_INT, did); if (session_id) { @@ -187,7 +161,68 @@ static bool create_session(private_imv_database_t *this, imv_session_t *session) } session->set_session_id(session, session_id, pid, did); - return TRUE; + enumerator = session->create_ar_identities_enumerator(session); + while (enumerator->enumerate(enumerator, &tnc_id)) + { + pen_type_t ar_id_type; + chunk_t ar_id_value; + int ar_id = 0, si_id = 0; + + ar_id_type = tnc_id->get_identity_type(tnc_id); + ar_id_value = tnc_id->get_identity_value(tnc_id); + + if (ar_id_type.vendor_id != PEN_TCG || ar_id_value.len == 0) + { + continue; + } + + /* get primary key of AR identity if it exists */ + e = this->db->query(this->db, + "SELECT id FROM identities WHERE type = ? AND value = ?", + DB_INT, ar_id_type.type, DB_BLOB, ar_id_value, DB_INT); + if (e) + { + e->enumerate(e, &ar_id); + e->destroy(e); + } + + /* if AR identity has not been found - register it */ + if (!ar_id) + { + this->db->execute(this->db, &ar_id, + "INSERT INTO identities (type, value) VALUES (?, ?)", + DB_INT, ar_id_type.type, DB_BLOB, ar_id_value); + } + if (!ar_id) + { + DBG1(DBG_IMV, "imv_db: registering access requestor failed"); + success = FALSE; + break; + } + + this->db->execute(this->db, &si_id, + "INSERT INTO sessions_identities (session_id, identity_id) " + "VALUES (?, ?)", + DB_INT, session_id, DB_INT, ar_id); + + if (!si_id) + { + DBG1(DBG_IMV, "imv_db: assigning identity to session failed"); + success = FALSE; + break; + } + + if (first) + { + this->db->execute(this->db, NULL, + "UPDATE sessions SET identity = ? WHERE id = ?", + DB_INT, ar_id, DB_INT, session_id); + first = FALSE; + } + } + enumerator->destroy(enumerator); + + return success; } static bool add_workitems(private_imv_database_t *this, imv_session_t *session) diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c index 50f7f2e39..9f7e4e8f4 100644 --- a/src/libimcv/imv/imv_policy_manager.c +++ b/src/libimcv/imv/imv_policy_manager.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -19,6 +19,8 @@ #include <library.h> #include <utils/debug.h> +#include <tncif_names.h> + #include <stdlib.h> #include <stdio.h> #include <time.h> @@ -251,9 +253,12 @@ static bool policy_start(database_t *db, int session_id) static bool policy_stop(database_t *db, int session_id) { enumerator_t *e; - int rec, policy; - char *result; + int rec, policy, final_rec, id_type; + chunk_t id_value; + char *result, *ip_address = NULL; + bool success = TRUE; + /* store all workitem results for this session in the results table */ e = db->query(db, "SELECT w.rec_final, w.result, e.policy FROM workitems AS w " "JOIN enforcements AS e ON w.enforcement = e.id " @@ -270,9 +275,68 @@ static bool policy_stop(database_t *db, int session_id) } e->destroy(e); } - return db->execute(db, NULL, - "DELETE FROM workitems WHERE session = ?", - DB_UINT, session_id) >= 0; + else + { + success = FALSE; + } + + /* delete all workitems for this session from the database */ + if (db->execute(db, NULL, + "DELETE FROM workitems WHERE session = ?", + DB_UINT, session_id) < 0) + { + success = FALSE; + } + + final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION; + + /* retrieve the final recommendation for this session */ + e = db->query(db, + "SELECT rec FROM sessions WHERE id = ?", + DB_INT, session_id, DB_INT); + if (e) + { + if (!e->enumerate(e, &final_rec)) + { + success = FALSE; + } + e->destroy(e); + } + else + { + success = FALSE; + } + + /* retrieve client IP address for this session */ + e = db->query(db, + "SELECT i.type, i.value FROM identities AS i " + "JOIN sessions_identities AS si ON si.identity_id = i.id " + "WHERE si.session_id = ? AND (i.type = ? OR i.type = ?)", + DB_INT, session_id, DB_INT, TNC_ID_IPV4_ADDR, DB_INT, + TNC_ID_IPV6_ADDR, DB_INT, DB_BLOB); + if (e) + { + if (e->enumerate(e, &id_type, &id_value)) + { + ip_address = strndup(id_value.ptr, id_value.len); + } + else + { + success = FALSE; + } + e->destroy(e); + } + else + { + success = FALSE; + } + + fprintf(stderr, "recommendation for access requestor %s is %N\n", + ip_address ? ip_address : "0.0.0.0", + TNC_IMV_Action_Recommendation_names, final_rec); + free(ip_address); + + return success; } int main(int argc, char *argv[]) diff --git a/src/libimcv/imv/imv_session.c b/src/libimcv/imv/imv_session.c index 1f0d8cf14..bc6b5a8d1 100644 --- a/src/libimcv/imv/imv_session.c +++ b/src/libimcv/imv/imv_session.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,6 +15,8 @@ #include "imv_session.h" +#include <tncif_identity.h> + #include <utils/debug.h> typedef struct private_imv_session_t private_imv_session_t; @@ -55,14 +57,9 @@ struct private_imv_session_t { time_t created; /** - * Access Requestor ID type - */ - uint32_t ar_id_type; - - /** - * Access Requestor ID value + * List of Access Requestor identities */ - chunk_t ar_id_value; + linked_list_t *ar_identities; /** * OS information @@ -130,14 +127,10 @@ METHOD(imv_session_t, get_creation_time, time_t, return this->created; } -METHOD(imv_session_t, get_ar_id, chunk_t, - private_imv_session_t *this, uint32_t *ar_id_type) +METHOD(imv_session_t, create_ar_identities_enumerator, enumerator_t*, + private_imv_session_t *this) { - if (ar_id_type) - { - *ar_id_type = this->ar_id_type; - } - return this->ar_id_value; + return this->ar_identities->create_enumerator(this->ar_identities); } METHOD(imv_session_t, get_os_info, imv_os_info_t*, @@ -256,7 +249,8 @@ METHOD(imv_session_t, destroy, void, this->workitems->destroy_offset(this->workitems, offsetof(imv_workitem_t, destroy)); this->os_info->destroy(this->os_info); - free(this->ar_id_value.ptr); + this->ar_identities->destroy_offset(this->ar_identities, + offsetof(tncif_identity_t, destroy)); free(this->device_id.ptr); free(this); } @@ -266,7 +260,7 @@ METHOD(imv_session_t, destroy, void, * See header */ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created, - uint32_t ar_id_type, chunk_t ar_id_value) + linked_list_t *ar_identities) { private_imv_session_t *this; @@ -276,7 +270,7 @@ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created, .get_session_id = _get_session_id, .get_connection_id = _get_connection_id, .get_creation_time = _get_creation_time, - .get_ar_id = _get_ar_id, + .create_ar_identities_enumerator = _create_ar_identities_enumerator, .get_os_info = _get_os_info, .set_device_id = _set_device_id, .get_device_id = _get_device_id, @@ -293,8 +287,7 @@ imv_session_t *imv_session_create(TNC_ConnectionID conn_id, time_t created, }, .conn_id = conn_id, .created = created, - .ar_id_type = ar_id_type, - .ar_id_value = chunk_clone(ar_id_value), + .ar_identities = ar_identities, .os_info = imv_os_info_create(), .workitems = linked_list_create(), .ref = 1, diff --git a/src/libimcv/imv/imv_session.h b/src/libimcv/imv/imv_session.h index 42b9118a6..107716f30 100644 --- a/src/libimcv/imv/imv_session.h +++ b/src/libimcv/imv/imv_session.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013-2014 Andreas Steffen + * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -70,12 +70,11 @@ struct imv_session_t { time_t (*get_creation_time)(imv_session_t *this); /** - * Get Access Requestor ID + * Get list of Access Requestor identities * - * @param id_type Access Requestor TCG Standard ID Type - * @return Access Requestor TCG Standard ID Value + * @return List of Access Requestor identities */ - chunk_t (*get_ar_id)(imv_session_t *this, uint32_t *id_type); + enumerator_t* (*create_ar_identities_enumerator)(imv_session_t *this); /** * Get OS Information @@ -172,10 +171,9 @@ struct imv_session_t { * * @param id Associated Connection ID * @param created Session creation time - * @param ar_id_type Access Requestor ID type - * @param ar_id_value Access Requestor ID value + * @param ar_identities List of Access Requestor identities */ imv_session_t* imv_session_create(TNC_ConnectionID id, time_t created, - uint32_t ar_id_type, chunk_t ar_id_value); + linked_list_t *ar_identities); #endif /** IMV_SESSION_H_ @}*/ diff --git a/src/libimcv/imv/imv_session_manager.c b/src/libimcv/imv/imv_session_manager.c index 0fb8de45e..c97602998 100644 --- a/src/libimcv/imv/imv_session_manager.c +++ b/src/libimcv/imv/imv_session_manager.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,6 +15,9 @@ #include "imv_session_manager.h" +#include <tncif_names.h> +#include <tncif_identity.h> + #include <threading/mutex.h> typedef struct private_imv_session_manager_t private_imv_session_manager_t; @@ -43,9 +46,10 @@ struct private_imv_session_manager_t { METHOD(imv_session_manager_t, add_session, imv_session_t*, private_imv_session_manager_t *this, TNC_ConnectionID conn_id, - uint32_t ar_id_type, chunk_t ar_id_value) + linked_list_t *ar_identities) { enumerator_t *enumerator; + tncif_identity_t *tnc_id; imv_session_t *current, *session = NULL; time_t created; @@ -66,13 +70,43 @@ METHOD(imv_session_manager_t, add_session, imv_session_t*, /* session already exists */ if (session) { + ar_identities->destroy_offset(ar_identities, + offsetof(tncif_identity_t, destroy)); this->mutex->unlock(this->mutex); return session->get_ref(session); } + /* Output list of Access Requestor identities */ + enumerator = ar_identities->create_enumerator(ar_identities); + while (enumerator->enumerate(enumerator, &tnc_id)) + { + pen_type_t id_type, subject_type, auth_type; + uint32_t tcg_id_type, tcg_subject_type, tcg_auth_type; + chunk_t id_value; + + id_type = tnc_id->get_identity_type(tnc_id); + id_value = tnc_id->get_identity_value(tnc_id); + subject_type = tnc_id->get_subject_type(tnc_id); + auth_type = tnc_id->get_auth_type(tnc_id); + + tcg_id_type = (subject_type.vendor_id == PEN_TCG) ? + id_type.type : TNC_SUBJECT_UNKNOWN; + tcg_subject_type = (subject_type.vendor_id == PEN_TCG) ? + subject_type.type : TNC_SUBJECT_UNKNOWN; + tcg_auth_type = (auth_type.vendor_id == PEN_TCG) ? + auth_type.type : TNC_AUTH_UNKNOWN; + + DBG2(DBG_IMV, " %N AR identity '%.*s' of type %N authenticated by %N", + TNC_Subject_names, tcg_subject_type, + id_value.len, id_value.ptr, + TNC_Identity_names, tcg_id_type, + TNC_Authentication_names, tcg_auth_type); + } + enumerator->destroy(enumerator); + /* create a new session entry */ created = time(NULL); - session = imv_session_create(conn_id, created, ar_id_type, ar_id_value); + session = imv_session_create(conn_id, created, ar_identities); this->sessions->insert_last(this->sessions, session); this->mutex->unlock(this->mutex); diff --git a/src/libimcv/imv/imv_session_manager.h b/src/libimcv/imv/imv_session_manager.h index 8a733accb..cfae23bc9 100644 --- a/src/libimcv/imv/imv_session_manager.h +++ b/src/libimcv/imv/imv_session_manager.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2014 Andreas Steffen + * Copyright (C) 2014-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -39,13 +39,12 @@ struct imv_session_manager_t { * Create or get a session associated with a TNCCS connection * * @param conn_id TNCCS Connection ID - * @param ar_id_type Access Requestor identity type - * @param ar_id_value Access Requestor identity value + * @param ar_identities List of Access Requestor identities * @return Session associated with TNCCS Connection */ imv_session_t* (*add_session)(imv_session_manager_t *this, TNC_ConnectionID conn_id, - uint32_t ar_id_type, chunk_t ar_id_value); + linked_list_t *ar_identities); /** * Remove a session diff --git a/src/libimcv/imv/tables-mysql.sql b/src/libimcv/imv/tables-mysql.sql index 47ee41c86..cf50742c3 100644 --- a/src/libimcv/imv/tables-mysql.sql +++ b/src/libimcv/imv/tables-mysql.sql @@ -99,6 +99,14 @@ CREATE TABLE `sessions` ( `rec` INTEGER DEFAULT 3 ); +DROP TABLE IF EXISTS `sessions_identities`; +CREATE TABLE `sessions_identities` ( + `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, + `session_id` INTEGER NOT NULL REFERENCES `sessions`(`id`), + `identity_id` INTEGER NOT NULL REFERENCES `identities`(`id`), + UNIQUE (`session_id`, `identity_id`) +); + DROP TABLE IF EXISTS `workitems`; CREATE TABLE `workitems` ( `id` INTEGER NOT NULL PRIMARY KEY AUTO_INCREMENT, diff --git a/src/libimcv/imv/tables.sql b/src/libimcv/imv/tables.sql index f7324896e..5c2a6563b 100644 --- a/src/libimcv/imv/tables.sql +++ b/src/libimcv/imv/tables.sql @@ -104,6 +104,14 @@ CREATE TABLE sessions ( rec INTEGER DEFAULT 3 ); +DROP TABLE IF EXISTS sessions_identities; +CREATE TABLE sessions_identities ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + session_id INTEGER NOT NULL REFERENCES sessions(id), + identity_id INTEGER NOT NULL REFERENCES identities(id), + UNIQUE (session_id, identity_id) +); + DROP TABLE IF EXISTS workitems; CREATE TABLE workitems ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, diff --git a/src/libimcv/plugins/imc_attestation/Makefile.in b/src/libimcv/plugins/imc_attestation/Makefile.in index 3c5017f32..8ad56181e 100644 --- a/src/libimcv/plugins/imc_attestation/Makefile.in +++ b/src/libimcv/plugins/imc_attestation/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c index 2fc2998e1..f24aec881 100644 --- a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c +++ b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c @@ -137,7 +137,11 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg, { return FALSE; } - pts->get_my_public_value(pts, &responder_value, &responder_nonce); + if (!pts->get_my_public_value(pts, &responder_value, + &responder_nonce)) + { + return FALSE; + } /* Send DH Nonce Parameters Response attribute */ attr = tcg_pts_attr_dh_nonce_params_resp_create(selected_dh_group, @@ -174,8 +178,10 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg, return FALSE; } - pts->set_peer_public_value(pts, initiator_value, initiator_nonce); - if (!pts->calculate_secret(pts)) + + if (!pts->set_peer_public_value(pts, initiator_value, + initiator_nonce) || + !pts->calculate_secret(pts)) { return FALSE; } diff --git a/src/libimcv/plugins/imc_os/Makefile.in b/src/libimcv/plugins/imc_os/Makefile.in index 3f4cf41a9..3b7538688 100644 --- a/src/libimcv/plugins/imc_os/Makefile.in +++ b/src/libimcv/plugins/imc_os/Makefile.in @@ -224,6 +224,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -284,10 +285,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -361,6 +364,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imc_scanner/Makefile.in b/src/libimcv/plugins/imc_scanner/Makefile.in index a192b0a41..7b696896f 100644 --- a/src/libimcv/plugins/imc_scanner/Makefile.in +++ b/src/libimcv/plugins/imc_scanner/Makefile.in @@ -225,6 +225,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -285,10 +286,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -362,6 +365,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imc_swid/Makefile.in b/src/libimcv/plugins/imc_swid/Makefile.in index f1859a2cb..2847f09b4 100644 --- a/src/libimcv/plugins/imc_swid/Makefile.in +++ b/src/libimcv/plugins/imc_swid/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imc_test/Makefile.in b/src/libimcv/plugins/imc_test/Makefile.in index 3e1d0232f..2048caa4d 100644 --- a/src/libimcv/plugins/imc_test/Makefile.in +++ b/src/libimcv/plugins/imc_test/Makefile.in @@ -224,6 +224,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -284,10 +285,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -361,6 +364,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imv_attestation/Makefile.in b/src/libimcv/plugins/imv_attestation/Makefile.in index 3ba7c8c88..09a0ab0ce 100644 --- a/src/libimcv/plugins/imv_attestation/Makefile.in +++ b/src/libimcv/plugins/imv_attestation/Makefile.in @@ -236,6 +236,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -296,10 +297,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -373,6 +376,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imv_attestation/attest_db.c b/src/libimcv/plugins/imv_attestation/attest_db.c index f85a02b3d..f1a1f923e 100644 --- a/src/libimcv/plugins/imv_attestation/attest_db.c +++ b/src/libimcv/plugins/imv_attestation/attest_db.c @@ -849,29 +849,31 @@ METHOD(attest_db_t, list_devices, void, { enumerator_t *e, *e_ar; chunk_t ar_id_value = chunk_empty; - char *product, *device; + char *product, *device, *description; time_t timestamp; - int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0; + int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0, trusted; int session_id, rec; u_int32_t ar_id_type; u_int tstamp; e = this->db->query(this->db, - "SELECT d.id, d.value, s.id, s.time, s.identity, s.rec, p.name " + "SELECT d.id, d.value, d.trusted, d.description, " + "s.id, s.time, s.identity, s.rec, p.name " "FROM devices AS d " "JOIN sessions AS s ON d.id = s.device " "JOIN products AS p ON p.id = s.product " - "ORDER BY d.value, s.time DESC", DB_INT, DB_TEXT, DB_INT, DB_UINT, - DB_INT, DB_INT, DB_TEXT); + "ORDER BY d.value, s.time DESC", DB_INT, DB_TEXT, DB_INT, DB_TEXT, + DB_INT, DB_UINT, DB_INT, DB_INT, DB_TEXT); if (e) { - while (e->enumerate(e, &id, &device, &session_id, &tstamp, &ar_id, &rec, - &product)) + while (e->enumerate(e, &id, &device, &trusted, &description, + &session_id, &tstamp, &ar_id, &rec, &product)) { if (id != last_id) { - printf("%4d: %s - %s\n", id, device, product); + printf("%4d: %s %s - %s - %s\n", id, trusted ? "+" : "-", + device, product, description); device_count++; last_id = id; } diff --git a/src/libimcv/plugins/imv_attestation/build-database.sh b/src/libimcv/plugins/imv_attestation/build-database.sh index ca2939b49..0babb5366 100755 --- a/src/libimcv/plugins/imv_attestation/build-database.sh +++ b/src/libimcv/plugins/imv_attestation/build-database.sh @@ -2,7 +2,7 @@ p="Ubuntu 14.04 x86_64" a="x86_64-linux-gnu" -k="3.13.0-37-generic" +k="3.13.0-46-generic" for hash in sha1 sha256 do diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c index c39fe8d47..db93ac45f 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c @@ -69,7 +69,11 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state, /* Send DH nonce finish attribute */ selected_algorithm = pts->get_meas_algorithm(pts); - pts->get_my_public_value(pts, &initiator_value, &initiator_nonce); + if (!pts->get_my_public_value(pts, &initiator_value, + &initiator_nonce)) + { + return FALSE; + } attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm, initiator_value, initiator_nonce); attr->set_noskip_flag(attr, TRUE); diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c index 89a1f02cf..fbeb6618e 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c @@ -134,11 +134,11 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, } responder_value = attr_cast->get_responder_value(attr_cast); - pts->set_peer_public_value(pts, responder_value, - responder_nonce); /* Calculate secret assessment value */ - if (!pts->calculate_secret(pts)) + if (!pts->set_peer_public_value(pts, responder_value, + responder_nonce) || + !pts->calculate_secret(pts)) { return FALSE; } @@ -198,7 +198,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, e = pts_credmgr->create_trusted_enumerator(pts_credmgr, KEY_ANY, aik->get_issuer(aik), FALSE); - while (e->enumerate(e, &issuer)) + while (e->enumerate(e, &issuer, NULL)) { if (aik->issued_by(aik, issuer, NULL)) { diff --git a/src/libimcv/plugins/imv_os/Makefile.in b/src/libimcv/plugins/imv_os/Makefile.in index 36e708fc9..ec3488992 100644 --- a/src/libimcv/plugins/imv_os/Makefile.in +++ b/src/libimcv/plugins/imv_os/Makefile.in @@ -232,6 +232,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -292,10 +293,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -369,6 +372,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imv_scanner/Makefile.in b/src/libimcv/plugins/imv_scanner/Makefile.in index 2677b339a..08abbf596 100644 --- a/src/libimcv/plugins/imv_scanner/Makefile.in +++ b/src/libimcv/plugins/imv_scanner/Makefile.in @@ -226,6 +226,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -286,10 +287,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -363,6 +366,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imv_swid/Makefile.in b/src/libimcv/plugins/imv_swid/Makefile.in index 815722f9c..936bee86e 100644 --- a/src/libimcv/plugins/imv_swid/Makefile.in +++ b/src/libimcv/plugins/imv_swid/Makefile.in @@ -227,6 +227,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -287,10 +288,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -364,6 +367,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/plugins/imv_test/Makefile.in b/src/libimcv/plugins/imv_test/Makefile.in index 66da75a1e..8e0e22353 100644 --- a/src/libimcv/plugins/imv_test/Makefile.in +++ b/src/libimcv/plugins/imv_test/Makefile.in @@ -225,6 +225,7 @@ DLLIB = @DLLIB@ DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ +EASY_INSTALL = @EASY_INSTALL@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ @@ -285,10 +286,12 @@ PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ PLUGIN_CFLAGS = @PLUGIN_CFLAGS@ PTHREADLIB = @PTHREADLIB@ PYTHON = @PYTHON@ +PYTHONEGGINSTALLDIR = @PYTHONEGGINSTALLDIR@ PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ PYTHON_PLATFORM = @PYTHON_PLATFORM@ PYTHON_PREFIX = @PYTHON_PREFIX@ PYTHON_VERSION = @PYTHON_VERSION@ +PY_TEST = @PY_TEST@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ @@ -362,6 +365,8 @@ json_CFLAGS = @json_CFLAGS@ json_LIBS = @json_LIBS@ libdir = @libdir@ libexecdir = @libexecdir@ +libiptc_CFLAGS = @libiptc_CFLAGS@ +libiptc_LIBS = @libiptc_LIBS@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ diff --git a/src/libimcv/pts/components/ita/ita_comp_tboot.c b/src/libimcv/pts/components/ita/ita_comp_tboot.c index 273c18f31..ce318ec84 100644 --- a/src/libimcv/pts/components/ita/ita_comp_tboot.c +++ b/src/libimcv/pts/components/ita/ita_comp_tboot.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2014 Andreas Steffen + * Copyright (C) 2011-2015 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -61,11 +61,6 @@ struct pts_ita_comp_tboot_t { int cid; /** - * Primary key for AIK database entry - */ - int kid; - - /** * Component is registering measurements */ bool is_registering; @@ -243,7 +238,7 @@ METHOD(pts_component_t, verify, status_t, else { status = this->pts_db->check_comp_measurement(this->pts_db, - measurement, this->cid, this->kid, + measurement, this->cid, this->aik_id, ++this->seq_no, extended_pcr, algo); if (status != SUCCESS) { diff --git a/src/libimcv/pts/pts.c b/src/libimcv/pts/pts.c index 2fff4c901..1ca72098e 100644 --- a/src/libimcv/pts/pts.c +++ b/src/libimcv/pts/pts.c @@ -224,17 +224,24 @@ METHOD(pts_t, create_dh_nonce, bool, return TRUE; } -METHOD(pts_t, get_my_public_value, void, +METHOD(pts_t, get_my_public_value, bool, private_pts_t *this, chunk_t *value, chunk_t *nonce) { - this->dh->get_my_public_value(this->dh, value); + if (!this->dh->get_my_public_value(this->dh, value)) + { + return FALSE; + } *nonce = this->is_imc ? this->responder_nonce : this->initiator_nonce; + return TRUE; } -METHOD(pts_t, set_peer_public_value, void, +METHOD(pts_t, set_peer_public_value, bool, private_pts_t *this, chunk_t value, chunk_t nonce) { - this->dh->set_other_public_value(this->dh, value); + if (!this->dh->set_other_public_value(this->dh, value)) + { + return FALSE; + } nonce = chunk_clone(nonce); if (this->is_imc) @@ -245,6 +252,7 @@ METHOD(pts_t, set_peer_public_value, void, { this->responder_nonce = nonce; } + return TRUE; } METHOD(pts_t, calculate_secret, bool, @@ -264,7 +272,7 @@ METHOD(pts_t, calculate_secret, bool, DBG3(DBG_PTS, "responder nonce: %B", &this->responder_nonce); /* Calculate the DH secret */ - if (this->dh->get_shared_secret(this->dh, &shared_secret) != SUCCESS) + if (!this->dh->get_shared_secret(this->dh, &shared_secret)) { DBG1(DBG_PTS, "shared DH secret computation failed"); return FALSE; diff --git a/src/libimcv/pts/pts.h b/src/libimcv/pts/pts.h index be32a3464..d525306dd 100644 --- a/src/libimcv/pts/pts.h +++ b/src/libimcv/pts/pts.h @@ -143,16 +143,18 @@ struct pts_t { * * @param value My public DH value * @param nonce My DH nonce + * @return TRUE if public value retrieved successfully */ - void (*get_my_public_value)(pts_t *this, chunk_t *value, chunk_t *nonce); + bool (*get_my_public_value)(pts_t *this, chunk_t *value, chunk_t *nonce); /** * Set peer Diffie.Hellman public value * * @param value Peer public DH value * @param nonce Peer DH nonce + * @return TRUE if public value set successfully */ - void (*set_peer_public_value) (pts_t *this, chunk_t value, chunk_t nonce); + bool (*set_peer_public_value) (pts_t *this, chunk_t value, chunk_t nonce); /** * Calculates assessment secret to be used for TPM Quote as ExternalData diff --git a/src/libimcv/seg/seg_env.c b/src/libimcv/seg/seg_env.c index c47ce2934..f38419248 100644 --- a/src/libimcv/seg/seg_env.c +++ b/src/libimcv/seg/seg_env.c @@ -219,6 +219,7 @@ seg_env_t *seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr, if (max_seg_size < PA_TNC_ATTR_HEADER_SIZE || max_seg_size >= PA_TNC_ATTR_HEADER_SIZE + value.len) { + base_attr->destroy(base_attr); return NULL; } @@ -233,7 +234,7 @@ seg_env_t *seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr, .destroy = _destroy, }, .base_attr_id = base_attr_id, - .base_attr = base_attr->get_ref(base_attr), + .base_attr = base_attr, .max_seg_size = max_seg_size, .data = base_attr->get_value(base_attr), ); diff --git a/src/libimcv/seg/seg_env.h b/src/libimcv/seg/seg_env.h index 08d33d752..611f9a98a 100644 --- a/src/libimcv/seg/seg_env.h +++ b/src/libimcv/seg/seg_env.h @@ -98,7 +98,7 @@ struct seg_env_t { * Create a PA-TNC attribute segment envelope object * * @param base_attr_id Base Attribute ID - * @param base_attr Base Attribute to be segmented + * @param base_attr Base Attribute to be segmented, owned by seg_env_t * @param max_seg_size Maximum segment size */ seg_env_t* seg_env_create(uint32_t base_attr_id, pa_tnc_attr_t *base_attr, diff --git a/src/libimcv/suites/test_imcv_seg.c b/src/libimcv/suites/test_imcv_seg.c index 469b1110d..8b51eda05 100644 --- a/src/libimcv/suites/test_imcv_seg.c +++ b/src/libimcv/suites/test_imcv_seg.c @@ -64,10 +64,11 @@ START_TEST(test_imcv_seg_env) libimcv_init(FALSE); max_seg_size = seg_env_tests[_i].max_seg_size; last_seg_size = seg_env_tests[_i].last_seg_size; + base_attr = ita_attr_command_create(command); base_attr->build(base_attr); - seg_env = seg_env_create(id, base_attr, max_seg_size); + if (seg_env_tests[_i].next_segs == 0) { ck_assert(seg_env == NULL); @@ -156,7 +157,6 @@ START_TEST(test_imcv_seg_env) seg_env1->destroy(seg_env1); base_attr1->destroy(base_attr1); } - base_attr->destroy(base_attr); libimcv_deinit(); } END_TEST @@ -226,7 +226,6 @@ START_TEST(test_imcv_seg_env_special) /* cleanup */ attr->destroy(attr); seg_env->destroy(seg_env); - base_attr->destroy(base_attr); } END_TEST @@ -306,7 +305,8 @@ START_TEST(test_imcv_seg_contract) TRUE, issuer_id, FALSE); contract_r = seg_contract_create(msg_type, max_attr_size, max_seg_size, FALSE, issuer_id, TRUE); - attr = contract_r->first_segment(contract_r, base_attr_r); + attr = contract_r->first_segment(contract_r, + base_attr_r->get_ref(base_attr_r)); if (seg_env_tests[_i].next_segs == 0) { @@ -422,8 +422,8 @@ START_TEST(test_imcv_seg_contract_special) ck_assert(!oversize); /* get first segment of each base attribute */ - attr1_f = contract_r->first_segment(contract_r, base_attr1_r); - attr2_f = contract_r->first_segment(contract_r, base_attr2_r); + attr1_f = contract_r->first_segment(contract_r, base_attr1_r->get_ref(base_attr1_r)); + attr2_f = contract_r->first_segment(contract_r, base_attr2_r->get_ref(base_attr2_r)); ck_assert(attr1_f); ck_assert(attr2_f); seg_env_attr1 = (tcg_seg_attr_seg_env_t*)attr1_f; diff --git a/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c b/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c index 5b4cc273b..397882926 100644 --- a/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c +++ b/src/libimcv/tcg/pts/tcg_pts_attr_file_meas.c @@ -242,6 +242,8 @@ METHOD(pa_tnc_attr_t, process, status_t, this->count--; } + status = SUCCESS; + if (this->length != this->offset) { DBG1(DBG_TNC, "inconsistent length for %N/%N", pen_names, PEN_TCG, @@ -249,7 +251,6 @@ METHOD(pa_tnc_attr_t, process, status_t, *offset = this->offset; status = FAILED; } - status = SUCCESS; end: reader->destroy(reader); |