Diffstat (limited to 'src/libimcv')
-rw-r--r--src/libimcv/ietf/ietf_attr_attr_request.c27
-rw-r--r--src/libimcv/ietf/ietf_attr_fwd_enabled.h2
-rw-r--r--src/libimcv/ietf/ietf_attr_numeric_version.h2
-rw-r--r--src/libimcv/ietf/ietf_attr_op_status.h2
-rw-r--r--src/libimcv/imc/imc_os_info.c4
-rw-r--r--src/libimcv/imv/imv_policy_manager.c22
-rw-r--r--src/libimcv/pa_tnc/pa_tnc_msg.c9
-rw-r--r--src/libimcv/plugins/imc_os/imc_os.c6
-rw-r--r--src/libimcv/plugins/imv_attestation/imv_attestation_process.c7
-rw-r--r--src/libimcv/pts/components/ita/ita_comp_ima.c9
-rw-r--r--src/libimcv/pts/components/ita/ita_comp_tboot.c3
-rw-r--r--src/libimcv/pts/components/ita/ita_comp_tgrub.c2
-rw-r--r--src/libimcv/pts/pts_database.c4
-rw-r--r--src/libimcv/pts/pts_file_meas.c8
14 files changed, 67 insertions, 40 deletions
diff --git a/src/libimcv/ietf/ietf_attr_attr_request.c b/src/libimcv/ietf/ietf_attr_attr_request.c
index 3862a0aa8..08658e2f7 100644
--- a/src/libimcv/ietf/ietf_attr_attr_request.c
+++ b/src/libimcv/ietf/ietf_attr_attr_request.c
@@ -138,8 +138,21 @@ METHOD(pa_tnc_attr_t, build, void,
METHOD(ietf_attr_attr_request_t, add, void,
private_ietf_attr_attr_request_t *this, pen_t vendor_id, u_int32_t type)
{
+ enum_name_t *pa_attr_names;
pen_type_t *entry;
+ pa_attr_names = imcv_pa_tnc_attributes->get_names(imcv_pa_tnc_attributes,
+ vendor_id);
+ if (pa_attr_names)
+ {
+ DBG2(DBG_TNC, " 0x%06x/0x%08x '%N/%N'", vendor_id, type,
+ pen_names, vendor_id, pa_attr_names, type);
+ }
+ else
+ {
+ DBG2(DBG_TNC, " 0x%06x/0x%08x '%N'", vendor_id, type,
+ pen_names, vendor_id);
+ }
entry = malloc_thing(pen_type_t);
entry->vendor_id = vendor_id;
entry->type = type;
@@ -150,7 +163,6 @@ METHOD(pa_tnc_attr_t, process, status_t,
private_ietf_attr_attr_request_t *this, u_int32_t *offset)
{
bio_reader_t *reader;
- enum_name_t *pa_attr_names;
pen_t vendor_id;
u_int32_t type;
u_int8_t reserved;
@@ -176,19 +188,6 @@ METHOD(pa_tnc_attr_t, process, status_t,
reader->read_uint8 (reader, &reserved);
reader->read_uint24(reader, &vendor_id);
reader->read_uint32(reader, &type);
-
- pa_attr_names = imcv_pa_tnc_attributes->get_names(imcv_pa_tnc_attributes,
- vendor_id);
- if (pa_attr_names)
- {
- DBG2(DBG_TNC, " 0x%06x/0x%08x '%N/%N'", vendor_id, type,
- pen_names, vendor_id, pa_attr_names, type);
- }
- else
- {
- DBG2(DBG_TNC, " 0x%06x/0x%08x '%N'", vendor_id, type,
- pen_names, vendor_id);
- }
add(this, vendor_id, type);
}
reader->destroy(reader);
diff --git a/src/libimcv/ietf/ietf_attr_fwd_enabled.h b/src/libimcv/ietf/ietf_attr_fwd_enabled.h
index c4b6c1547..3d554369b 100644
--- a/src/libimcv/ietf/ietf_attr_fwd_enabled.h
+++ b/src/libimcv/ietf/ietf_attr_fwd_enabled.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-14 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
diff --git a/src/libimcv/ietf/ietf_attr_numeric_version.h b/src/libimcv/ietf/ietf_attr_numeric_version.h
index 34393c673..8808d48ed 100644
--- a/src/libimcv/ietf/ietf_attr_numeric_version.h
+++ b/src/libimcv/ietf/ietf_attr_numeric_version.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-14 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
diff --git a/src/libimcv/ietf/ietf_attr_op_status.h b/src/libimcv/ietf/ietf_attr_op_status.h
index f19185f0a..ceb13fe75 100644
--- a/src/libimcv/ietf/ietf_attr_op_status.h
+++ b/src/libimcv/ietf/ietf_attr_op_status.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-14 Andreas Steffen
+ * Copyright (C) 2012-2014 Andreas Steffen
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
diff --git a/src/libimcv/imc/imc_os_info.c b/src/libimcv/imc/imc_os_info.c
index b01a14c01..47697f1a3 100644
--- a/src/libimcv/imc/imc_os_info.c
+++ b/src/libimcv/imc/imc_os_info.c
@@ -586,9 +586,9 @@ imc_os_info_t *imc_os_info_create(void)
/* As an option OS name and OS version can be configured manually */
name.ptr = lib->settings->get_str(lib->settings,
- "%s.imcv.imc_os_info.name", NULL, lib->ns);
+ "%s.imcv.os_info.name", NULL, lib->ns);
version.ptr = lib->settings->get_str(lib->settings,
- "%s.imcv.imc_os_info.version", NULL, lib->ns);
+ "%s.imcv.os_info.version", NULL, lib->ns);
if (name.ptr && version.ptr)
{
name.len = strlen(name.ptr);
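Review bot: The settings keys change from `%s.imcv.imc_os_info.name`/`.version` to `%s.imcv.os_info.name`/`.version` with no fallback, so an existing configuration that still sets the old keys silently loses its manual OS name and version override. If the rename is intended, reading the old key as a fallback for a transition period, or at least emitting a DBG1 when the old key is still set, would avoid an unannounced change in the platform identity the IMC reports. The configuration documentation is not part of this diff, so I cannot tell whether it was updated alongside. imc_os_info_create starts and ends outside the hunk.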
diff --git a/src/libimcv/imv/imv_policy_manager.c b/src/libimcv/imv/imv_policy_manager.c
index 9f7e4e8f4..b730f8c41 100644
--- a/src/libimcv/imv/imv_policy_manager.c
+++ b/src/libimcv/imv/imv_policy_manager.c
@@ -255,7 +255,8 @@ static bool policy_stop(database_t *db, int session_id)
enumerator_t *e;
int rec, policy, final_rec, id_type;
chunk_t id_value;
- char *result, *ip_address = NULL;
+ char *result, *format, *ip_address = NULL;
+ char command[512];
bool success = TRUE;
/* store all workitem results for this session in the results table */
@@ -334,6 +335,25 @@ static bool policy_stop(database_t *db, int session_id)
fprintf(stderr, "recommendation for access requestor %s is %N\n",
ip_address ? ip_address : "0.0.0.0",
TNC_IMV_Action_Recommendation_names, final_rec);
+
+ if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
+ {
+ format = lib->settings->get_str(lib->settings,
+ "imv_policy_manager.command_allow", NULL);
+ }
+ else
+ {
+ format = lib->settings->get_str(lib->settings,
+ "imv_policy_manager.command_block", NULL);
+ }
+ if (format && ip_address)
+ {
+ /* the IP address can occur at most twice in the command string */
+ snprintf(command, sizeof(command), format, ip_address, ip_address);
+ success = system(command) == 0;
+ fprintf(stderr, "%s system command: %s\n",
+ success ? "successful" : "failed", command);
+ }
free(ip_address);
return success;
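Review bot: `snprintf(command, sizeof(command), format, ip_address, ip_address)` passes a non-literal format taken from the configuration and then hands the result to `system()` without checking either: with `command[512]` a truncated command is executed as-is, and the comment's "at most twice" is not enforced, so a configured format with other conversions or more than two `%s` is undefined behaviour. Check the snprintf return for truncation before executing, and consider `WIFEXITED`/`WEXITSTATUS` on the status rather than `== 0`, which lumps signal termination together with a non-zero exit. ip_address is assigned outside this hunk; unless it is known to be a validated address literal it reaches the shell unquoted, so confirming it with inet_pton() (or restricting it to address characters) before substitution would be the safer contract, and a `-Wformat-nonliteral` warning on this line is expected. policy_stop starts outside the hunk.
```c
	if (format && ip_address)
	{
		/* the IP address can occur at most twice in the command string */
		int len = snprintf(command, sizeof(command), format,
						   ip_address, ip_address);
		if (len < 0 || (size_t)len >= sizeof(command))
		{
			fprintf(stderr, "system command too long, not executed\n");
			success = FALSE;
		}
		else
		{
			success = system(command) == 0;
			fprintf(stderr, "%s system command: %s\n",
					success ? "successful" : "failed", command);
		}
	}
	/* … unchanged: free(ip_address); return success; … */
```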
diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.c b/src/libimcv/pa_tnc/pa_tnc_msg.c
index d9b441707..ea4dee950 100644
--- a/src/libimcv/pa_tnc/pa_tnc_msg.c
+++ b/src/libimcv/pa_tnc/pa_tnc_msg.c
@@ -226,7 +226,14 @@ METHOD(pa_tnc_msg_t, process, status_t,
reader, FALSE, &offset, this->encoding, &error);
if (!attr)
{
- goto err;
+ if (error)
+ {
+ goto err;
+ }
+ else
+ {
+ continue;
+ }
}
attr_value = attr->get_value(attr);
attr_type = attr->get_type(attr);
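Review bot: The new `continue` on the `!attr` path drops an attribute without any log line, and it is only safe if the call on the line above has already advanced `reader` past that attribute on the no-error path; otherwise the loop would re-read the same bytes. It also relies on `error` being NULL at that point, i.e. reset before the call on every iteration; both the call and the declaration of `error` are outside the hunk, so I cannot confirm either from here. A `DBG1(DBG_TNC, "skipping unsupported PA-TNC attribute");` before the `continue` would keep skipped attributes visible when a message is later found to be incomplete. process starts and ends outside the hunk.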
diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c
index 86d2e09ca..4fe8856e6 100644
--- a/src/libimcv/plugins/imc_os/imc_os.c
+++ b/src/libimcv/plugins/imc_os/imc_os.c
@@ -345,9 +345,13 @@ static void add_installed_packages(imc_state_t *state, imc_msg_t *msg)
enumerator_t *enumerator;
chunk_t name, version;
+ enumerator = os->create_package_enumerator(os);
+ if (!enumerator)
+ {
+ return;
+ }
attr = ietf_attr_installed_packages_create();
- enumerator = os->create_package_enumerator(os);
while (enumerator->enumerate(enumerator, &name, &version))
{
DBG2(DBG_IMC, "package '%.*s' (%.*s)",
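Review bot: The early `return` when `create_package_enumerator()` yields NULL is now taken before the attribute is created, so the Installed Packages attribute is quietly omitted from the message with nothing in the log. A `DBG1(DBG_IMC, "could not enumerate installed packages");` before the `return` would make the missing attribute explainable when the IMV side reports it absent. add_installed_packages starts outside the hunk and its body continues past it.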
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
index fbeb6618e..c3e053d9b 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
@@ -181,7 +181,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
DBG1(DBG_IMV, "verifying AIK with keyid %#B", &keyid);
keyid_hex = chunk_to_hex(keyid, NULL, FALSE);
if (session->get_device_id(session, &device_id) &&
- chunk_equals(keyid_hex, device_id))
+ chunk_equals_const(keyid_hex, device_id))
{
trusted = session->get_device_trust(session);
}
@@ -290,7 +290,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
/* check hashes from database against measurements */
e = pts_db->create_file_hash_enumerator(pts_db,
- pts->get_platform_id(pts),
+ pts->get_platform_id(pts),
algo, is_dir, arg_int);
if (!e)
{
@@ -446,7 +446,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
return FALSE;
}
- if (!chunk_equals(pcr_comp, pcr_composite))
+ if (!chunk_equals_const(pcr_comp, pcr_composite))
{
DBG1(DBG_IMV, "received PCR Composite does not match "
"constructed one");
@@ -564,4 +564,3 @@ quote_error:
}
return TRUE;
}
-
diff --git a/src/libimcv/pts/components/ita/ita_comp_ima.c b/src/libimcv/pts/components/ita/ita_comp_ima.c
index 3f92b04b1..448ca9ffb 100644
--- a/src/libimcv/pts/components/ita/ita_comp_ima.c
+++ b/src/libimcv/pts/components/ita/ita_comp_ima.c
@@ -307,7 +307,7 @@ static bool check_boot_aggregate(pts_pcr_t *pcrs, chunk_t measurement,
}
if (pcr_ok)
{
- success = chunk_equals(boot_aggregate, measurement);
+ success = chunk_equals_const(boot_aggregate, measurement);
DBG1(DBG_PTS, "boot aggregate value is %scorrect",
success ? "":"in");
return success;
@@ -693,7 +693,7 @@ METHOD(pts_component_t, verify, status_t,
status = FAILED;
break;
}
- if (chunk_equals(measurement, hash))
+ if (chunk_equals_const(measurement, hash))
{
status = SUCCESS;
break;
@@ -748,7 +748,7 @@ METHOD(pts_component_t, verify, status_t,
has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after);
if (has_pcr_info)
{
- if (!chunk_equals(pcr_before, pcrs->get(pcrs, pcr)))
+ if (!chunk_equals_const(pcr_before, pcrs->get(pcrs, pcr)))
{
DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to register value",
pcr);
@@ -876,7 +876,7 @@ METHOD(pts_component_t, destroy, void,
DESTROY_IF(this->bios_list);
DESTROY_IF(this->ima_list);
this->name->destroy(this->name);
-
+
free(this);
}
}
@@ -911,4 +911,3 @@ pts_component_t *pts_ita_comp_ima_create(uint32_t depth,
return &this->public;
}
-
diff --git a/src/libimcv/pts/components/ita/ita_comp_tboot.c b/src/libimcv/pts/components/ita/ita_comp_tboot.c
index ce318ec84..3d990f6f2 100644
--- a/src/libimcv/pts/components/ita/ita_comp_tboot.c
+++ b/src/libimcv/pts/components/ita/ita_comp_tboot.c
@@ -249,7 +249,7 @@ METHOD(pts_component_t, verify, status_t,
has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after);
if (has_pcr_info)
{
- if (!chunk_equals(pcr_before, pcrs->get(pcrs, extended_pcr)))
+ if (!chunk_equals_const(pcr_before, pcrs->get(pcrs, extended_pcr)))
{
DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to register value",
extended_pcr);
@@ -354,4 +354,3 @@ pts_component_t *pts_ita_comp_tboot_create(u_int32_t depth,
return &this->public;
}
-
diff --git a/src/libimcv/pts/components/ita/ita_comp_tgrub.c b/src/libimcv/pts/components/ita/ita_comp_tgrub.c
index 097e4c89c..e9555726a 100644
--- a/src/libimcv/pts/components/ita/ita_comp_tgrub.c
+++ b/src/libimcv/pts/components/ita/ita_comp_tgrub.c
@@ -141,7 +141,7 @@ METHOD(pts_component_t, verify, status_t,
has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after);
if (has_pcr_info)
{
- if (!chunk_equals(pcr_before, pcrs->get(pcrs, extended_pcr)))
+ if (!chunk_equals_const(pcr_before, pcrs->get(pcrs, extended_pcr)))
{
DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to pcr value");
}
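Review bot: The context line `DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to pcr value");` directly below the new comparison has a `%2u` conversion but no matching argument, which is undefined behaviour and prints an arbitrary value as the PCR number; the tboot counterpart in the same series passes `extended_pcr`. Change it to `DBG1(DBG_PTS, "PCR %2u: pcr_before is not equal to register value", extended_pcr);` so both components log the mismatch the same way. This is not introduced by the commit but sits in the hunk under review; verify starts and ends outside the hunk.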
diff --git a/src/libimcv/pts/pts_database.c b/src/libimcv/pts/pts_database.c
index d7b85c138..1a4c4212d 100644
--- a/src/libimcv/pts/pts_database.c
+++ b/src/libimcv/pts/pts_database.c
@@ -187,7 +187,7 @@ METHOD(pts_database_t, add_file_measurement, status_t,
}
if (e->enumerate(e, &hash_id, &hash_value))
{
- if (!chunk_equals(measurement, hash_value))
+ if (!chunk_equals_const(measurement, hash_value))
{
/* update hash measurement value */
if (this->db->execute(this->db, &hash_id,
@@ -289,7 +289,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t,
while (e->enumerate(e, &hash))
{
- if (chunk_equals(hash, measurement))
+ if (chunk_equals_const(hash, measurement))
{
status = SUCCESS;
break;
diff --git a/src/libimcv/pts/pts_file_meas.c b/src/libimcv/pts/pts_file_meas.c
index 478892aea..966d54ba2 100644
--- a/src/libimcv/pts/pts_file_meas.c
+++ b/src/libimcv/pts/pts_file_meas.c
@@ -133,7 +133,7 @@ METHOD(pts_file_meas_t, check, bool,
{
while (e->enumerate(e, &hash))
{
- if (chunk_equals(entry->measurement, hash))
+ if (chunk_equals_const(entry->measurement, hash))
{
status = SUCCESS;
break;
@@ -223,7 +223,7 @@ METHOD(pts_file_meas_t, verify, bool,
}
}
- /* no PTS measurement returned for this filename */
+ /* no PTS measurement returned for this filename */
if (!found)
{
success = FALSE;
@@ -234,7 +234,7 @@ METHOD(pts_file_meas_t, verify, bool,
if (found && !match)
{
- if (chunk_equals(measurement, entry->measurement))
+ if (chunk_equals_const(measurement, entry->measurement))
{
match = TRUE;
DBG2(DBG_PTS, " %#B for '%s' is ok",
@@ -252,7 +252,7 @@ METHOD(pts_file_meas_t, verify, bool,
&entry->measurement, entry->filename);
enumerator->destroy(enumerator);
}
-
+
return success;
}