diff options
Diffstat (limited to 'src/libpts/plugins/imv_attestation/attest_db.c')
| -rw-r--r-- | src/libpts/plugins/imv_attestation/attest_db.c | 207 |
1 files changed, 85 insertions, 122 deletions
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c index 7a8a1135a..d7f45ad29 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.c +++ b/src/libpts/plugins/imv_attestation/attest_db.c @@ -79,6 +79,11 @@ struct private_attest_db_t { int fid; /** + * Directory where file measurement are to be taken + */ + char *meas_dir; + + /** * AIK to be queried */ chunk_t key; @@ -193,6 +198,21 @@ char* print_cfn(pts_comp_func_name_t *cfn) return buf; } +/** + * Get the directory separator to append to a path + */ +static const char* get_separator(const char *path) +{ + if (streq(path, DIRECTORY_SEPARATOR)) + { /* root directory on Unix file system, no separator */ + return ""; + } + else + { /* non-root or Windows path, use system specific separator */ + return DIRECTORY_SEPARATOR; + } +} + METHOD(attest_db_t, set_component, bool, private_attest_db_t *this, char *comp, bool create) { @@ -309,9 +329,9 @@ METHOD(attest_db_t, set_directory, bool, return FALSE; } - /* remove trailing '/' character if not root directory */ + /* remove trailing '/' or '\' character if not root directory */ len = strlen(dir); - if (len > 1 && dir[len-1] == '/') + if (len > 1 && dir[len-1] == DIRECTORY_SEPARATOR[0]) { dir[len-1] = '\0'; } @@ -385,7 +405,6 @@ METHOD(attest_db_t, set_file, bool, private_attest_db_t *this, char *file, bool create) { int fid; - char *sep; enumerator_t *e; if (this->file) @@ -399,7 +418,6 @@ METHOD(attest_db_t, set_file, bool, { return TRUE; } - sep = streq(this->dir, "/") ? "" : "/"; e = this->db->query(this->db, "SELECT id FROM files " "WHERE dir = ? AND name = ?", DB_INT, this->did, DB_TEXT, file, DB_INT); @@ -418,7 +436,8 @@ METHOD(attest_db_t, set_file, bool, if (!create) { - printf("file '%s%s%s' not found in database\n", this->dir, sep, file); + printf("file '%s%s%s' not found in database\n", + this->dir, get_separator(this->dir), file); return FALSE; } @@ -429,8 +448,8 @@ METHOD(attest_db_t, set_file, bool, { this->fid = fid; } - printf("file '%s%s%s' %sinserted into database\n", this->dir, sep, file, - this->fid ? "" : "could not be "); + printf("file '%s%s%s' %sinserted into database\n", this->dir, + get_separator(this->dir), file, this->fid ? "" : "could not be "); return this->fid > 0; } @@ -470,6 +489,22 @@ METHOD(attest_db_t, set_fid, bool, return this->fid > 0; } +METHOD(attest_db_t, set_meas_directory, bool, + private_attest_db_t *this, char *dir) +{ + size_t len; + + /* remove trailing '/' character if not root directory */ + len = strlen(dir); + if (len > 1 && dir[len-1] == '/') + { + dir[len-1] = '\0'; + } + this->meas_dir = strdup(dir); + + return TRUE; +} + METHOD(attest_db_t, set_key, bool, private_attest_db_t *this, chunk_t key, bool create) { @@ -1297,7 +1332,7 @@ METHOD(attest_db_t, list_hashes, void, printf("%d %N value%s found for file '%s%s%s'\n", count, pts_meas_algorithm_names, this->algo, (count == 1) ? "" : "s", this->dir, - streq(this->dir, "/") ? "" : "/", this->file); + get_separator(this->dir), this->file); } } else if (this->file) @@ -1568,12 +1603,13 @@ METHOD(attest_db_t, list_sessions, void, */ static bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo, - chunk_t measurement, int fid, bool ima, + chunk_t measurement, int fid, int *hashes_added, int *hashes_updated) { enumerator_t *e; chunk_t hash; char *label; + bool insert = TRUE, update = FALSE; label = "could not be created"; @@ -1581,46 +1617,50 @@ static bool insert_file_hash(private_attest_db_t *this, "SELECT hash FROM file_hashes WHERE algo = ? " "AND file = ? AND product = ? AND device = 0", DB_INT, algo, DB_UINT, fid, DB_UINT, this->pid, DB_BLOB); + if (!e) { printf("file_hashes query failed\n"); return FALSE; } - if (e->enumerate(e, &hash)) + + while (e->enumerate(e, &hash)) { + update = TRUE; + if (chunk_equals(measurement, hash)) { label = "exists and equals"; - } - else - { - if (this->db->execute(this->db, NULL, - "UPDATE file_hashes SET hash = ? WHERE algo = ? " - "AND file = ? AND product = ? and device = 0", - DB_BLOB, measurement, DB_INT, algo, DB_UINT, fid, - DB_UINT, this->pid) == 1) - { - label = "updated"; - (*hashes_updated)++; - } + insert = FALSE; + break; } } - else + e->destroy(e); + + if (insert) { if (this->db->execute(this->db, NULL, "INSERT INTO file_hashes " "(file, product, device, algo, hash) " "VALUES (?, ?, 0, ?, ?)", DB_UINT, fid, DB_UINT, this->pid, - DB_INT, algo, DB_BLOB, measurement) == 1) + DB_INT, algo, DB_BLOB, measurement) != 1) + { + printf("file_hash insertion failed\n"); + return FALSE; + } + if (update) + { + label = "updated"; + (*hashes_updated)++; + } + else { label = "created"; (*hashes_added)++; } } - e->destroy(e); - - printf(" %#B - %s%s\n", &measurement, ima ? "ima - " : "", label); + printf(" %#B - %s\n", &measurement, label); return TRUE; } @@ -1629,33 +1669,24 @@ static bool insert_file_hash(private_attest_db_t *this, */ static bool add_hash(private_attest_db_t *this) { - char *pathname, *filename, *sep, *label, *pos; - char ima_buffer[IMA_MAX_NAME_LEN + 1]; - chunk_t measurement, ima_template; + char *pathname, *filename, *label; + const char *sep; pts_file_meas_t *measurements; + chunk_t measurement; hasher_t *hasher = NULL; - bool ima = FALSE; int fid, files_added = 0, hashes_added = 0, hashes_updated = 0; - int len, ima_hashes_added = 0, ima_hashes_updated = 0; enumerator_t *enumerator, *e; - if (this->algo == PTS_MEAS_ALGO_SHA1_IMA) + if (!this->meas_dir) { - ima = TRUE; - this->algo = PTS_MEAS_ALGO_SHA1; - hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); - if (!hasher) - { - printf("could not create hasher\n"); - return FALSE; - } + this->meas_dir = strdup(this->dir); } - sep = streq(this->dir, "/") ? "" : "/"; + sep = get_separator(this->meas_dir); if (this->fid) { /* build pathname from directory path and relative filename */ - if (asprintf(&pathname, "%s%s%s", this->dir, sep, this->file) == -1) + if (asprintf(&pathname, "%s%s%s", this->meas_dir, sep, this->file) == -1) { return FALSE; } @@ -1665,7 +1696,7 @@ static bool add_hash(private_attest_db_t *this) } else { - measurements = pts_file_meas_create_from_path(0, this->dir, TRUE, + measurements = pts_file_meas_create_from_path(0, this->meas_dir, TRUE, TRUE, this->algo); } if (!measurements) @@ -1717,59 +1748,18 @@ static bool add_hash(private_attest_db_t *this) printf("%4d: %s - %s\n", fid, filename, label); /* compute file measurement hash */ - if (!insert_file_hash(this, this->algo, measurement, fid, FALSE, + if (!insert_file_hash(this, this->algo, measurement, fid, &hashes_added, &hashes_updated)) { break; } - if (!ima) - { - continue; - } - - /* compute IMA template hash */ - pos = ima_buffer; - len = IMA_MAX_NAME_LEN; - if (!this->relative) - { - strncpy(pos, this->dir, len); - len = max(0, len - strlen(this->dir)); - pos = ima_buffer + IMA_MAX_NAME_LEN - len; - strncpy(pos, sep, len); - len = max(0, len - strlen(sep)); - pos = ima_buffer + IMA_MAX_NAME_LEN - len; - } - strncpy(pos, filename, len); - ima_buffer[IMA_MAX_NAME_LEN] = '\0'; - ima_template = chunk_create(ima_buffer, sizeof(ima_buffer)); - if (!hasher->get_hash(hasher, measurement, NULL) || - !hasher->get_hash(hasher, ima_template, measurement.ptr)) - { - printf("could not compute IMA template hash\n"); - break; - } - if (!insert_file_hash(this, PTS_MEAS_ALGO_SHA1_IMA, measurement, fid, - TRUE, &ima_hashes_added, &ima_hashes_updated)) - { - break; - } } enumerator->destroy(enumerator); - printf("%d measurements, added %d new files, %d file hashes", - measurements->get_file_count(measurements), files_added, - hashes_added); - if (ima) - { - printf(", %d ima hashes", ima_hashes_added); - hasher->destroy(hasher); - } - printf(", updated %d file hashes", hashes_updated); - if (ima) - { - printf(", %d ima hashes", ima_hashes_updated); - } - printf("\n"); + printf("%d measurements, added %d new files, %d file hashes, " + "updated %d file hashes\n", + measurements->get_file_count(measurements), + files_added, hashes_added, hashes_updated); measurements->destroy(measurements); return TRUE; @@ -1780,22 +1770,6 @@ METHOD(attest_db_t, add, bool, { bool success = FALSE; - /* add key/component pair */ - if (this->kid && this->cid) - { - success = this->db->execute(this->db, NULL, - "INSERT INTO key_component (key, component, seq_no) " - "VALUES (?, ?, ?)", - DB_UINT, this->kid, DB_UINT, this->cid, - DB_UINT, this->seq_no) == 1; - - printf("key/component pair (%d/%d) %sinserted into database at " - "position %d\n", this->kid, this->cid, - success ? "" : "could not be ", this->seq_no); - - return success; - } - /* add directory or file hash measurement for a given product */ if (this->did && this->pid) { @@ -1844,8 +1818,8 @@ METHOD(attest_db_t, delete, bool, DB_UINT, this->algo, DB_UINT, this->pid, DB_UINT, this->fid) > 0; - printf("%4d: %s%s%s\n", this->fid, this->dir, - streq(this->dir, "/") ? "" : "/", this->file); + printf("%4d: %s%s%s\n", this->fid, this->dir, get_separator(this->dir), + this->file); printf("%N value for product '%s' %sdeleted from database\n", pts_meas_algorithm_names, this->algo, this->product, success ? "" : "could not be "); @@ -1869,19 +1843,6 @@ METHOD(attest_db_t, delete, bool, return success; } - /* delete key/component pair */ - if (this->kid && this->cid) - { - success = this->db->execute(this->db, NULL, - "DELETE FROM key_component " - "WHERE key = ? AND component = ?", - DB_UINT, this->kid, DB_UINT, this->cid) > 0; - - printf("key/component pair (%d/%d) %sdeleted from database\n", - this->kid, this->cid, success ? "" : "could not be "); - return success; - } - if (this->cid) { success = this->db->execute(this->db, NULL, @@ -1900,7 +1861,7 @@ METHOD(attest_db_t, delete, bool, DB_UINT, this->fid) > 0; printf("file '%s%s%s' %sdeleted from database\n", this->dir, - streq(this->dir, "/") ? "" : "/", this->file, + get_separator(this->dir), this->file, success ? "" : "could not be "); return success; } @@ -1970,6 +1931,7 @@ METHOD(attest_db_t, destroy, void, free(this->version); free(this->file); free(this->dir); + free(this->meas_dir); free(this->owner); free(this->key.ptr); free(this); @@ -1990,6 +1952,7 @@ attest_db_t *attest_db_create(char *uri) .set_did = _set_did, .set_file = _set_file, .set_fid = _set_fid, + .set_meas_directory = _set_meas_directory, .set_key = _set_key, .set_kid = _set_kid, .set_package = _set_package, |