Diffstat (limited to 'src/libpts/plugins')
25 files changed, 3197 insertions, 2806 deletions
diff --git a/src/libpts/plugins/imc_attestation/Makefile.am b/src/libpts/plugins/imc_attestation/Makefile.am index 9d78b935a..18c756884 100644 --- a/src/libpts/plugins/imc_attestation/Makefile.am +++ b/src/libpts/plugins/imc_attestation/Makefile.am @@ -1,8 +1,11 @@ +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libtncif \ + -I$(top_srcdir)/src/libimcv \ + -I$(top_srcdir)/src/libpts -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \ - -I$(top_srcdir)/src/libimcv -I$(top_srcdir)/src/libpts - -AM_CFLAGS = -rdynamic +AM_CFLAGS = \ + -rdynamic imcv_LTLIBRARIES = imc-attestation.la @@ -15,4 +18,3 @@ imc_attestation_la_SOURCES = imc_attestation.c \ imc_attestation_process.h imc_attestation_process.c imc_attestation_la_LDFLAGS = -module -avoid-version - diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in index 583d2dfee..b129f9274 100644 --- a/src/libpts/plugins/imc_attestation/Makefile.in +++ b/src/libpts/plugins/imc_attestation/Makefile.in @@ -1,9 +1,9 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. +# Makefile.in generated by automake 1.11.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. 
@@ -16,6 +16,23 @@ @SET_MAKE@ VPATH = @srcdir@ +am__make_dryrun = \ + { \ + am__dry=no; \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \ + | grep '^AM OK$$' >/dev/null || am__dry=yes;; \ + *) \ + for am__flg in $$MAKEFLAGS; do \ + case $$am__flg in \ + *=*|--*) ;; \ + *n*) am__dry=yes; break;; \ + esac; \ + done;; \ + esac; \ + test $$am__dry = yes; \ + } pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ @@ -45,10 +62,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ $(top_srcdir)/m4/macros/add-plugin.m4 \ - $(top_srcdir)/configure.in + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; @@ -72,6 +90,12 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } am__installdirs = "$(DESTDIR)$(imcvdir)" LTLIBRARIES = $(imcv_LTLIBRARIES) imc_attestation_la_DEPENDENCIES = \ 
@@ -81,45 +105,74 @@ imc_attestation_la_DEPENDENCIES = \ am_imc_attestation_la_OBJECTS = imc_attestation.lo \ imc_attestation_state.lo imc_attestation_process.lo imc_attestation_la_OBJECTS = $(am_imc_attestation_la_OBJECTS) -imc_attestation_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(imc_attestation_la_LDFLAGS) $(LDFLAGS) -o $@ -DEFAULT_INCLUDES = -I.@am__isrc@ +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +imc_attestation_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(imc_attestation_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ - $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ CCLD = $(CC) -LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ - $(LDFLAGS) -o $@ +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +AM_V_GEN = 
$(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; SOURCES = $(imc_attestation_la_SOURCES) DIST_SOURCES = $(imc_attestation_la_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BFDLIB = @BFDLIB@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CHECK_CFLAGS = @CHECK_CFLAGS@ +CHECK_LIBS = @CHECK_LIBS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -128,13 +181,16 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +GENHTML = @GENHTML@ GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ @@ -147,6 +203,7 @@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ MYSQLCFLAG = @MYSQLCFLAG@ MYSQLCONFIG = @MYSQLCONFIG@ @@ -174,11 +231,13 @@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ VERSION = @VERSION@ YACC = @YACC@ YFLAGS = @YFLAGS@ 
@@ -186,6 +245,7 @@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ @@ -194,8 +254,6 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ -axis2c_CFLAGS = @axis2c_CFLAGS@ -axis2c_LIBS = @axis2c_LIBS@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ @@ -204,14 +262,19 @@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ -default_pkcs11 = @default_pkcs11@ +dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ @@ -225,17 +288,17 @@ imcvdir = @imcvdir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ ipsecdir = @ipsecdir@ ipsecgroup = @ipsecgroup@ ipseclibdir = @ipseclibdir@ ipsecuser = @ipsecuser@ -libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ maemo_CFLAGS = @maemo_CFLAGS@ maemo_LIBS = @maemo_LIBS@ manager_plugins = @manager_plugins@ 
@@ -245,16 +308,15 @@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ -p_plugins = @p_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ plugindir = @plugindir@ -pluto_plugins = @pluto_plugins@ pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ @@ -282,10 +344,15 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtncif \ - -I$(top_srcdir)/src/libimcv -I$(top_srcdir)/src/libpts +AM_CPPFLAGS = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libtncif \ + -I$(top_srcdir)/src/libimcv \ + -I$(top_srcdir)/src/libpts + +AM_CFLAGS = \ + -rdynamic -AM_CFLAGS = -rdynamic imcv_LTLIBRARIES = imc-attestation.la imc_attestation_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ @@ -332,7 +399,6 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) $(am__aclocal_m4_deps): install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES) @$(NORMAL_INSTALL) - test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)" @list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \ list2=; for p in $$list; do \ if test -f $$p; then \ @@ -340,6 +406,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES) else :; fi; \ done; \ test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \ } 
@@ -361,8 +429,8 @@ clean-imcvLTLIBRARIES: echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done -imc-attestation.la: $(imc_attestation_la_OBJECTS) $(imc_attestation_la_DEPENDENCIES) - $(imc_attestation_la_LINK) -rpath $(imcvdir) $(imc_attestation_la_OBJECTS) $(imc_attestation_la_LIBADD) $(LIBS) +imc-attestation.la: $(imc_attestation_la_OBJECTS) $(imc_attestation_la_DEPENDENCIES) $(EXTRA_imc_attestation_la_DEPENDENCIES) + $(AM_V_CCLD)$(imc_attestation_la_LINK) -rpath $(imcvdir) $(imc_attestation_la_OBJECTS) $(imc_attestation_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -375,25 +443,25 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_attestation_state.Plo@am__quote@ .c.o: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< mostlyclean-libtool: -rm -f *.lo @@ -500,10 +568,15 @@ install-am: all-am installcheck: installcheck-am install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi mostlyclean-generic: clean-generic: diff --git a/src/libpts/plugins/imc_attestation/imc_attestation.c b/src/libpts/plugins/imc_attestation/imc_attestation.c index 4f77ba093..bb327e936 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation.c +++ b/src/libpts/plugins/imc_attestation/imc_attestation.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Sansar Choinyambuu + * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -17,10 +17,13 @@ #include "imc_attestation_process.h" #include <imc/imc_agent.h> -#include <pa_tnc/pa_tnc_msg.h> +#include <imc/imc_msg.h> #include <ietf/ietf_attr.h> #include <ietf/ietf_attr_pa_tnc_error.h> #include <ietf/ietf_attr_product_info.h> +#include <ietf/ietf_attr_string_version.h> +#include <ietf/ietf_attr_assess_result.h> +#include <os_info/os_info.h> #include <libpts.h> 
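Review bot: `#include <ietf/ietf_attr_product_info.h>` is kept although its only visible user, the ietf_attr_product_info_create call in TNC_IMC_BeginHandshake, is deleted later in this same commit, and the three headers added here (`ietf_attr_string_version.h`, `ietf_attr_assess_result.h`, `os_info/os_info.h`) have no user in any hunk shown. Unless code outside the visible hunks references them, these are dead includes that widen the file's dependency surface for nothing; either drop them or add the code they were meant for. I can only see the hunks in this diff, so treat this as a prompt to grep the file rather than a definite finding.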
@@ -32,15 +35,16 @@
 #include <tncif_pa_subtypes.h>
 #include <pen/pen.h>
-#include <debug.h>
-#include <utils/linked_list.h>
+#include <utils/debug.h>
+#include <collections/linked_list.h>
 /* IMC definitions */
 static const char imc_name[] = "Attestation";
-#define IMC_VENDOR_ID PEN_TCG
-#define IMC_SUBTYPE PA_SUBTYPE_TCG_PTS
+static pen_type_t msg_types[] = {
+ { PEN_TCG, PA_SUBTYPE_TCG_PTS }
+};
 static imc_agent_t *imc_attestation;
@@ -72,7 +76,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 {
 return TNC_RESULT_FATAL;
 }
- imc_attestation = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE,
+ imc_attestation = imc_agent_create(imc_name, msg_types, countof(msg_types),
 imc_id, actual_version);
 if (!imc_attestation)
 {
@@ -80,7 +84,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
 }
 libpts_init();
-
+
 if (min_version > TNC_IFIMC_VERSION_1 ||
 max_version < TNC_IFIMC_VERSION_1)
 {
 DBG1(DBG_IMC, "no common IF-IMC version");
@@ -108,9 +112,17 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 case TNC_CONNECTION_STATE_CREATE:
 state = imc_attestation_state_create(connection_id);
 return imc_attestation->create_state(imc_attestation, state);
+ case TNC_CONNECTION_STATE_HANDSHAKE:
+ if (imc_attestation->change_state(imc_attestation, connection_id,
+ new_state, &state) != TNC_RESULT_SUCCESS)
+ {
+ return TNC_RESULT_FATAL;
+ }
+ state->set_result(state, imc_id,
+ TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
+ return TNC_RESULT_SUCCESS;
 case TNC_CONNECTION_STATE_DELETE:
 return imc_attestation->delete_state(imc_attestation, connection_id);
- case TNC_CONNECTION_STATE_HANDSHAKE:
 case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
 case TNC_CONNECTION_STATE_ACCESS_NONE:
 default:
@@ -126,121 +138,67 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
 TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id, TNC_ConnectionID connection_id)
 {
- imc_state_t *state;
- imc_attestation_state_t *attestation_state;
- pts_t *pts;
- char *platform_info;
- TNC_Result result = TNC_RESULT_SUCCESS;
-
 if (!imc_attestation)
 {
 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
 return TNC_RESULT_NOT_INITIALIZED;
 }
- /* get current IMC state */
- if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
- {
- return TNC_RESULT_FATAL;
- }
- attestation_state = (imc_attestation_state_t*)state;
- pts = attestation_state->get_pts(attestation_state);
-
- platform_info = pts->get_platform_info(pts);
- if (platform_info)
- {
- pa_tnc_msg_t *pa_tnc_msg;
- pa_tnc_attr_t *attr;
-
- pa_tnc_msg = pa_tnc_msg_create();
- attr = ietf_attr_product_info_create(0, 0, platform_info);
- pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
- pa_tnc_msg->build(pa_tnc_msg);
- result = imc_attestation->send_message(imc_attestation, connection_id,
- FALSE, 0, TNC_IMVID_ANY,
- pa_tnc_msg->get_encoding(pa_tnc_msg));
- pa_tnc_msg->destroy(pa_tnc_msg);
- }
-
- return result;
+ return TNC_RESULT_SUCCESS;
 }
-static TNC_Result receive_message(TNC_IMCID imc_id,
- TNC_ConnectionID connection_id,
- TNC_UInt32 msg_flags,
- chunk_t msg,
- TNC_VendorID msg_vid,
- TNC_MessageSubtype msg_subtype,
- TNC_UInt32 src_imv_id,
- TNC_UInt32 dst_imc_id)
+static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg)
 {
- pa_tnc_msg_t *pa_tnc_msg;
- pa_tnc_attr_t *attr;
- linked_list_t *attr_list;
- imc_state_t *state;
+ imc_msg_t *out_msg;
 imc_attestation_state_t *attestation_state;
 enumerator_t *enumerator;
+ pa_tnc_attr_t *attr;
+ pen_type_t type;
 TNC_Result result;
+ bool fatal_error = FALSE;
- if (!imc_attestation)
- {
- DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
- return TNC_RESULT_NOT_INITIALIZED;
- }
-
- /* get current IMC state */
- if 
(!imc_attestation->get_state(imc_attestation, connection_id, &state))
- {
- return TNC_RESULT_FATAL;
- }
- attestation_state = (imc_attestation_state_t*)state;
-
- /* parse received PA-TNC message and automatically handle any errors */
- result = imc_attestation->receive_message(imc_attestation, state, msg,
- msg_vid, msg_subtype, src_imv_id, dst_imc_id, &pa_tnc_msg);
-
- /* no parsed PA-TNC attributes available if an error occurred */
- if (!pa_tnc_msg)
+ /* parse received PA-TNC message and handle local and remote errors */
+ result = in_msg->receive(in_msg, &fatal_error);
+ if (result != TNC_RESULT_SUCCESS)
 {
 return result;
 }
-
- /* preprocess any IETF standard error attributes */
- result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ?
- TNC_RESULT_FATAL : TNC_RESULT_SUCCESS;
-
- attr_list = linked_list_create();
+ out_msg = imc_msg_create_as_reply(in_msg);
 /* analyze PA-TNC attributes */
- enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
+ enumerator = in_msg->create_attribute_enumerator(in_msg);
 while (enumerator->enumerate(enumerator, &attr))
 {
- if (attr->get_vendor_id(attr) == PEN_IETF &&
- attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
- {
- ietf_attr_pa_tnc_error_t *error_attr;
- pen_t error_vendor_id;
- pa_tnc_error_code_t error_code;
- chunk_t msg_info;
-
- error_attr = (ietf_attr_pa_tnc_error_t*)attr;
- error_vendor_id = error_attr->get_vendor_id(error_attr);
+ type = attr->get_type(attr);
- if (error_vendor_id == PEN_TCG)
+ if (type.vendor_id == PEN_IETF)
+ {
+ if (type.type == IETF_ATTR_PA_TNC_ERROR)
 {
+ ietf_attr_pa_tnc_error_t *error_attr;
+ pen_type_t error_code;
+ chunk_t msg_info;
+
+ error_attr = (ietf_attr_pa_tnc_error_t*)attr;
 error_code = error_attr->get_error_code(error_attr);
- msg_info = error_attr->get_msg_info(error_attr);
- DBG1(DBG_IMC, "received TCG-PTS error '%N'",
- pts_error_code_names, error_code);
- DBG1(DBG_IMC, "error information: %B", &msg_info);
+ if (error_code.vendor_id == PEN_TCG)
+ {
+ msg_info = 
error_attr->get_msg_info(error_attr);
- result = TNC_RESULT_FATAL;
+ DBG1(DBG_IMC, "received TCG-PTS error '%N'",
+ pts_error_code_names, error_code.type);
+ DBG1(DBG_IMC, "error information: %B", &msg_info);
+
+ result = TNC_RESULT_FATAL;
+ }
 }
 }
- else if (attr->get_vendor_id(attr) == PEN_TCG)
+ else if (type.vendor_id == PEN_TCG)
 {
- if (!imc_attestation_process(attr, attr_list, attestation_state,
+ attestation_state = (imc_attestation_state_t*)state;
+
+ if (!imc_attestation_process(attr, out_msg, attestation_state,
 supported_algorithms, supported_dh_groups))
 {
 result = TNC_RESULT_FATAL;
@@ -249,27 +207,14 @@ static TNC_Result receive_message(TNC_IMCID imc_id,
 }
 }
 enumerator->destroy(enumerator);
- pa_tnc_msg->destroy(pa_tnc_msg);
- if (result == TNC_RESULT_SUCCESS && attr_list->get_count(attr_list))
+ if (result == TNC_RESULT_SUCCESS)
 {
- pa_tnc_msg = pa_tnc_msg_create();
-
- enumerator = attr_list->create_enumerator(attr_list);
- while (enumerator->enumerate(enumerator, &attr))
- {
- pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
- }
- enumerator->destroy(enumerator);
-
- pa_tnc_msg->build(pa_tnc_msg);
- result = imc_attestation->send_message(imc_attestation, connection_id,
- FALSE, 0, TNC_IMVID_ANY,
- pa_tnc_msg->get_encoding(pa_tnc_msg));
- pa_tnc_msg->destroy(pa_tnc_msg);
+ /* send PA-TNC message with the excl flag set */
+ result = out_msg->send(out_msg, TRUE);
 }
+ out_msg->destroy(out_msg);
- attr_list->destroy(attr_list);
 return result;
 }
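Review bot: `bool fatal_error = FALSE;` is handed to `in_msg->receive(in_msg, &fatal_error)`, but no line shown in receive_message reads it afterwards, so whatever condition that out-parameter exists to signal (presumably a fatal error reported by the peer while receive() itself still returns success) has no effect on whether the attributes are processed and a reply is sent. Unless the lines between this hunk and the next consult it, add `if (fatal_error) { result = TNC_RESULT_FATAL; }` after the attribute loop so the reply path is skipped, or remove the variable so the next reader does not assume the check exists. The function body continues past the end of this hunk.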
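Review bot: The `attr_list->get_count(attr_list)` half of the old send condition is gone, so `out_msg->send(out_msg, TRUE)` now runs for every successfully processed message, including one that added nothing to out_msg (for example an IETF PA-TNC error whose error_code.vendor_id is not PEN_TCG, which the loop above neither reports nor answers). Whether that emits an empty PA-TNC message on the wire depends on imc_msg_t's send implementation, which is not in this diff; if send() already skips attribute-less messages, say so with `/* send() drops the reply when no attributes were added */`, otherwise reinstate the count check with whatever accessor imc_msg_t provides.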
@@ -282,14 +227,26 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
 TNC_UInt32 msg_len,
 TNC_MessageType msg_type)
 {
- TNC_VendorID msg_vid;
- TNC_MessageSubtype msg_subtype;
+ imc_state_t *state;
+ imc_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imc_attestation)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
- msg_vid = msg_type >> 8;
- msg_subtype = msg_type & TNC_SUBTYPE_ANY;
+ in_msg = imc_msg_create_from_data(imc_attestation, state, connection_id,
+ msg_type, chunk_create(msg, msg_len));
+ result = receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
- return receive_message(imc_id, connection_id, 0, chunk_create(msg, msg_len),
- msg_vid, msg_subtype, 0, TNC_IMCID_ANY);
+ return result;
 }
 /**
@@ -305,9 +262,26 @@ TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
 TNC_UInt32 src_imv_id,
 TNC_UInt32 dst_imc_id)
 {
- return receive_message(imc_id, connection_id, msg_flags,
- chunk_create(msg, msg_len), msg_vid, msg_subtype,
- src_imv_id, dst_imc_id);
+ imc_state_t *state;
+ imc_msg_t *in_msg;
+ TNC_Result result;
+
+ if (!imc_attestation)
+ {
+ DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
+ return TNC_RESULT_NOT_INITIALIZED;
+ }
+ if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
+ {
+ return TNC_RESULT_FATAL;
+ }
+ in_msg = imc_msg_create_from_long_data(imc_attestation, state, connection_id,
+ src_imv_id, dst_imc_id, msg_vid, msg_subtype,
+ chunk_create(msg, msg_len));
+ result =receive_message(state, in_msg);
+ in_msg->destroy(in_msg);
+
+ return result;
 }
 /**
diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.c b/src/libpts/plugins/imc_attestation/imc_attestation_process.c
index b70c05370..88d24dd88 100644
--- a/src/libpts/plugins/imc_attestation/imc_attestation_process.c
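Review bot: `result =receive_message(state, in_msg);` in TNC_IMC_ReceiveMessageLong drops the space after `=` that every other assignment in these two hunks has; make it `result = receive_message(state, in_msg);`. Beyond that, TNC_IMC_ReceiveMessage and TNC_IMC_ReceiveMessageLong now repeat the not-initialized check, the get_state lookup and the destroy/return tail verbatim and differ only in which imc_msg_create_from_* constructor they call, so a small static helper that takes the constructed imc_msg_t (or does the state lookup) would keep the two entry points from drifting apart. Both function signatures begin outside the hunk.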
+++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -23,7 +23,6 @@
 #include <ietf/ietf_attr_pa_tnc_error.h>
-#include <libpts.h>
 #include <pts/pts.h>
 #include <tcg/tcg_pts_attr_proto_caps.h>
@@ -44,12 +43,12 @@
 #include <tcg/tcg_pts_attr_req_file_meta.h>
 #include <tcg/tcg_pts_attr_unix_file_meta.h>
-#include <debug.h>
+#include <utils/debug.h>
 #include <utils/lexparser.h>
 #define DEFAULT_NONCE_LEN 20
-bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
+bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg,
 imc_attestation_state_t *attestation_state,
 pts_meas_algorithms_t supported_algorithms,
 pts_dh_group_t supported_dh_groups)
@@ -57,10 +56,13 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 chunk_t attr_info;
 pts_t *pts;
 pts_error_code_t pts_error;
+ pen_type_t attr_type;
 bool valid_path;
 pts = attestation_state->get_pts(attestation_state);
- switch (attr->get_type(attr))
+ attr_type = attr->get_type(attr);
+
+ switch (attr_type.type)
 {
 case TCG_PTS_REQ_PROTO_CAPS:
 {
@@ -74,7 +76,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 /* Send PTS Protocol Capabilities attribute */
 attr = tcg_pts_attr_proto_caps_create(imc_caps & imv_caps, FALSE);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
 break;
 }
 case TCG_PTS_MEAS_ALGO:
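Review bot: `switch (attr_type.type)` dispatches on the type number alone and silently relies on the caller having checked `attr_type.vendor_id == PEN_TCG` first; the caller in imc_attestation.c does exactly that in this commit, but imc_attestation_process is an exported function and the guard is not visible at this site. Either state the precondition above the switch, `/* caller guarantees attr_type.vendor_id == PEN_TCG */`, or make it explicit with `if (attr_type.vendor_id != PEN_TCG) { return FALSE; }` so an attribute from another vendor whose type number collides with a TCG_PTS_* value can never reach the tcg_pts_attr_* casts in the cases below.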
@@ -89,14 +91,14 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 if (selected_algorithm == PTS_MEAS_ALGO_NONE)
 {
 attr = pts_hash_alg_error_create(supported_algorithms);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
 break;
 }
 /* Send Measurement Algorithm Selection attribute */
 pts->set_meas_algorithm(pts, selected_algorithm);
 attr = tcg_pts_attr_meas_algo_create(selected_algorithm, TRUE);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
 break;
 }
 case TCG_PTS_DH_NONCE_PARAMS_REQ:
@@ -116,7 +118,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 (min_nonce_len > 0 && nonce_len < min_nonce_len))
 {
 attr = pts_dh_nonce_error_create(nonce_len, PTS_MAX_NONCE_LEN);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
 break;
 }
@@ -126,7 +128,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 if (selected_dh_group == PTS_DH_GROUP_NONE)
 {
 attr = pts_dh_group_error_create(supported_dh_groups);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
 break;
 }
@@ -140,7 +142,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 /* Send DH Nonce Parameters Response attribute */
 attr = tcg_pts_attr_dh_nonce_params_resp_create(selected_dh_group,
 supported_algorithms, responder_nonce, responder_value);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
 break;
 }
 case TCG_PTS_DH_NONCE_FINISH:
@@ -171,7 +173,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 "have differing lengths");
 return FALSE;
 }
-
+
 pts->set_peer_public_value(pts, initiator_value, initiator_nonce);
 if (!pts->calculate_secret(pts))
 {
@@ -182,19 +184,19 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 case TCG_PTS_GET_TPM_VERSION_INFO:
 {
 chunk_t tpm_version_info, attr_info;
+ pen_type_t error_code = { PEN_TCG, TCG_PTS_TPM_VERS_NOT_SUPPORTED };
 if (!pts->get_tpm_version_info(pts, &tpm_version_info))
 {
 attr_info = attr->get_value(attr);
- attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
- TCG_PTS_TPM_VERS_NOT_SUPPORTED, attr_info);
- attr_list->insert_last(attr_list, attr);
+ attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
+ msg->add_attribute(msg, attr);
 break;
 }
 /* Send TPM Version Info attribute */
 attr = tcg_pts_attr_tpm_version_info_create(tpm_version_info);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
 break;
 }
 case TCG_PTS_GET_AIK:
@@ -210,7 +212,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 /* Send AIK attribute */
 attr = tcg_pts_attr_aik_create(aik);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
 break;
 }
 case TCG_PTS_REQ_FILE_MEAS:
@@ -221,6 +223,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 bool is_directory;
 u_int32_t delimiter;
 pts_file_meas_t *measurements;
+ pen_type_t error_code;
 attr_info = attr->get_value(attr);
 attr_cast = (tcg_pts_attr_req_file_meas_t*)attr;
@@ -232,9 +235,9 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 if (valid_path && pts_error)
 {
- attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
- pts_error, attr_info);
- attr_list->insert_last(attr_list, attr);
+ error_code = pen_type_create(PEN_TCG, pts_error);
+ attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
+ msg->add_attribute(msg, attr);
 break;
 }
 else if (!valid_path)
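Review bot: In the TCG_PTS_GET_TPM_VERSION_INFO case the error code is built with an aggregate initializer, `pen_type_t error_code = { PEN_TCG, TCG_PTS_TPM_VERS_NOT_SUPPORTED };`, while every other case touched by this commit builds it with `pen_type_create(PEN_TCG, ...)`; using the same helper here keeps the switch uniform and does not depend on pen_type_t's field order. It is also initialised unconditionally but only read inside the `if (!pts->get_tpm_version_info(...))` branch, so declaring and assigning it there, next to `attr_info = attr->get_value(attr);`, would scope it to its single use.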
@@ -244,9 +247,10 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 if (delimiter != SOLIDUS_UTF && delimiter != REVERSE_SOLIDUS_UTF)
 {
- attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
- TCG_PTS_INVALID_DELIMITER, attr_info);
- attr_list->insert_last(attr_list, attr);
+ error_code = pen_type_create(PEN_TCG,
+ TCG_PTS_INVALID_DELIMITER);
+ attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
+ msg->add_attribute(msg, attr);
 break;
 }
@@ -254,8 +258,9 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 DBG2(DBG_IMC, "measurement request %d for %s '%s'", request_id, is_directory ? "directory" : "file", pathname);
- measurements = pts->do_measurements(pts, request_id,
- pathname, is_directory);
+ measurements = pts_file_meas_create_from_path(request_id,
+ pathname, is_directory, TRUE,
+ pts->get_meas_algorithm(pts));
 if (!measurements)
 {
 /* TODO handle error codes from measurements */
@@ -263,7 +268,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 }
 attr = tcg_pts_attr_file_meas_create(measurements);
 attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
+ msg->add_attribute(msg, attr);
 break;
 }
 case TCG_PTS_REQ_FILE_META:
@@ -273,6 +278,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 bool is_directory;
 u_int8_t delimiter;
 pts_file_meta_t *metadata;
+ pen_type_t error_code;
 attr_info = attr->get_value(attr);
 attr_cast = (tcg_pts_attr_req_file_meta_t*)attr;
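Review bot: The bare `TRUE` in `pts_file_meas_create_from_path(request_id, pathname, is_directory, TRUE, pts->get_meas_algorithm(pts))` cannot be read at the call site; a trailing `/* ... */` naming that parameter as the prototype calls it would help, since this is the code path the IMV steers by sending pathnames. The `/* TODO handle error codes from measurements */` branch is carried over unchanged, so a path that passed is_path_valid but cannot be opened or hashed presumably still fails the whole request without a TCG-PTS error attribute telling the IMV why; the rest of that branch lies outside this hunk.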
@@ -283,9 +289,9 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 valid_path = pts->is_path_valid(pts, pathname, &pts_error);
 if (valid_path && pts_error)
 {
- attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
- pts_error, attr_info);
- attr_list->insert_last(attr_list, attr);
+ error_code = pen_type_create(PEN_TCG, pts_error);
+ attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
+ msg->add_attribute(msg, attr);
 break;
 }
 else if (!valid_path)
@@ -294,9 +300,10 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 }
 if (delimiter != SOLIDUS_UTF && delimiter != REVERSE_SOLIDUS_UTF)
 {
- attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
- TCG_PTS_INVALID_DELIMITER, attr_info);
- attr_list->insert_last(attr_list, attr);
+ error_code = pen_type_create(PEN_TCG,
+ TCG_PTS_INVALID_DELIMITER);
+ attr = ietf_attr_pa_tnc_error_create(error_code, attr_info);
+ msg->add_attribute(msg, attr);
 break;
 }
 /* Get File Metadata and send them to PTS-IMV */
@@ -312,8 +319,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 }
 attr = tcg_pts_attr_unix_file_meta_create(metadata);
 attr->set_noskip_flag(attr, TRUE);
- attr_list->insert_last(attr_list, attr);
-
+ msg->add_attribute(msg, attr);
 break;
 }
 case TCG_PTS_REQ_FUNC_COMP_EVID:
@@ -323,11 +329,12 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 pts_comp_func_name_t *name;
 pts_comp_evidence_t *evid;
 pts_component_t *comp;
+ pen_type_t error_code;
 u_int32_t depth;
 u_int8_t flags;
 status_t status;
 enumerator_t *e;
-
+
 attr_info = attr->get_value(attr);
 attr_cast = (tcg_pts_attr_req_func_comp_evid_t*)attr;
@@ -342,33 +349,37 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (flags & PTS_REQ_FUNC_COMP_EVID_TTC) { - attr = ietf_attr_pa_tnc_error_create(PEN_TCG, - TCG_PTS_UNABLE_DET_TTC, attr_info); - attr_list->insert_last(attr_list, attr); + error_code = pen_type_create(PEN_TCG, + TCG_PTS_UNABLE_DET_TTC); + attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); + msg->add_attribute(msg, attr); break; } if (flags & PTS_REQ_FUNC_COMP_EVID_VER && !(negotiated_caps & PTS_PROTO_CAPS_V)) { - attr = ietf_attr_pa_tnc_error_create(PEN_TCG, - TCG_PTS_UNABLE_LOCAL_VAL, attr_info); - attr_list->insert_last(attr_list, attr); + error_code = pen_type_create(PEN_TCG, + TCG_PTS_UNABLE_LOCAL_VAL); + attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); + msg->add_attribute(msg, attr); break; } if (flags & PTS_REQ_FUNC_COMP_EVID_CURR && !(negotiated_caps & PTS_PROTO_CAPS_C)) { - attr = ietf_attr_pa_tnc_error_create(PEN_TCG, - TCG_PTS_UNABLE_CUR_EVID, attr_info); - attr_list->insert_last(attr_list, attr); + error_code = pen_type_create(PEN_TCG, + TCG_PTS_UNABLE_CUR_EVID); + attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); + msg->add_attribute(msg, attr); break; } if (flags & PTS_REQ_FUNC_COMP_EVID_PCR && !(negotiated_caps & PTS_PROTO_CAPS_T)) { - attr = ietf_attr_pa_tnc_error_create(PEN_TCG, - TCG_PTS_UNABLE_DET_PCR, attr_info); - attr_list->insert_last(attr_list, attr); + error_code = pen_type_create(PEN_TCG, + TCG_PTS_UNABLE_DET_PCR); + attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); + msg->add_attribute(msg, attr); break; } if (depth > 0) 
@@ -377,17 +388,19 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, "support sub component measurements"); return FALSE; } - comp = pts_components->create(pts_components, name, depth, NULL); + comp = attestation_state->create_component(attestation_state, + name, depth); if (!comp) { DBG2(DBG_IMC, " not registered: no evidence provided"); continue; } - /* do the component evidence measurement[s] */ + /* do the component evidence measurement[s] and cache them */ do { - status = comp->measure(comp, pts, &evid); + status = comp->measure(comp, name->get_qualifier(name), + pts, &evid); if (status == FAILED) { break; @@ -395,7 +408,6 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, attestation_state->add_evidence(attestation_state, evid); } while (status == NEED_MORE); - comp->destroy(comp); } e->destroy(e); break; @@ -408,14 +420,11 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, chunk_t pcr_composite, quote_sig; bool use_quote2; - /* Send buffered Simple Component Evidences */ + /* Send cached Component Evidence entries */ while (attestation_state->next_evidence(attestation_state, &evid)) { - pts->select_pcr(pts, evid->get_extended_pcr(evid)); - - /* Send Simple Component Evidence */ attr = tcg_pts_attr_simple_comp_evid_create(evid); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); } use_quote2 = lib->settings->get_bool(lib->settings, @@ -433,7 +442,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, attr = tcg_pts_attr_simple_evid_final_create(flags, comp_hash_algorithm, pcr_composite, quote_sig); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } /* TODO: Not implemented yet */ diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.h b/src/libpts/plugins/imc_attestation/imc_attestation_process.h index b6dca1f56..a2f1b4e3c 100644 
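Review bot: With `comp = attestation_state->create_component(attestation_state, name, depth);` the component's lifetime is no longer one loop iteration — the `comp->destroy(comp);` goes away in hunk -395 and the object lives in the state's component list until the connection state is destroyed — so any state a component keeps across measure() calls now persists across requests; a comment at the call site, e.g. `/* comp is owned by attestation_state and destroyed with it */`, would make the ownership change explicit. The `status == FAILED` branch still only leaves the do/while and, as far as the visible lines show, presumably continues with the next enumerated component without reporting anything to the IMV; that is pre-existing, but a comment saying it is deliberate would help. imc_attestation_process continues outside the hunk.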
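Review bot: The `pts->select_pcr(pts, evid->get_extended_pcr(evid));` call is removed from the loop that sends the cached evidence, yet the PCR composite and quote assembled a few lines later (`pcr_composite, quote_sig`, hunk -433) still depend on which PCRs were selected; presumably the selection now happens when the evidence is measured and cached (comp->measure in hunk -377), but nothing in this hunk records that. A one-line comment at the top of the loop, e.g. `/* PCRs were selected when the evidence was measured and cached */`, would state the invariant, since a quote taken over an incomplete PCR selection would not cover the evidence reported to the IMV and nothing here would detect it. The function continues outside the hunk.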
--- a/src/libpts/plugins/imc_attestation/imc_attestation_process.h +++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.h @@ -14,9 +14,8 @@ */ /** - * * @defgroup imc_attestation_process_t imc_attestation_process - * @{ @ingroup imc_attestation_process + * @{ @ingroup imc_attestation */ #ifndef IMC_ATTESTATION_PROCESS_H_ @@ -26,6 +25,7 @@ #include <library.h> +#include <imc/imc_msg.h> #include <pa_tnc/pa_tnc_attr.h> #include <pts/pts_dh_group.h> @@ -35,13 +35,13 @@ * Process a TCG PTS attribute * * @param attr PA-TNC attribute to be processed - * @param attr_list list with PA-TNC error attributes + * @param msg outbound PA-TNC message to be assembled * @param attestation_state attestation state of a given connection * @param supported_algorithms supported PTS measurement algorithms * @param supported_dh_groups supported DH groups * @return TRUE if successful */ -bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, +bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg, imc_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups); diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_state.c b/src/libpts/plugins/imc_attestation/imc_attestation_state.c index 72a55f60e..4fcbdfa8a 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation_state.c +++ b/src/libpts/plugins/imc_attestation/imc_attestation_state.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Sansar Choinyambuu + * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -15,10 +15,15 @@ #include "imc_attestation_state.h" -#include <utils/linked_list.h> -#include <debug.h> +#include <libpts.h> + +#include <tncif_names.h> + +#include <collections/linked_list.h> +#include <utils/debug.h> typedef struct private_imc_attestation_state_t private_imc_attestation_state_t; +typedef struct func_comp_t func_comp_t; /** * Private data of an imc_attestation_state_t object. @@ -41,6 +46,11 @@ struct private_imc_attestation_state_t { TNC_ConnectionState state; /** + * Assessment/Evaluation Result + */ + TNC_IMV_Evaluation_Result result; + + /** * Does the TNCCS connection support long message types? */ bool has_long; @@ -51,12 +61,22 @@ struct private_imc_attestation_state_t { bool has_excl; /** + * Maximum PA-TNC message size for this TNCCS connection + */ + u_int32_t max_msg_len; + + /** * PTS object */ pts_t *pts; /** - * PTS Component Evidence list + * List of Functional Components + */ + linked_list_t *components; + + /** + * Functional Component Evidence cache list */ linked_list_t *list; 
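Review bot: `typedef struct func_comp_t func_comp_t;` is added, but neither a definition of `struct func_comp_t` nor a use of the name appears in the visible hunks of imc_attestation_state.c; the components are kept as `pts_component_t` in the new `components` list (hunk -51). If it is a leftover from an earlier design it should be dropped; otherwise a comment saying where the struct is defined would help.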
@@ -87,18 +107,50 @@ METHOD(imc_state_t, set_flags, void, this->has_excl = has_excl; } +METHOD(imc_state_t, set_max_msg_len, void, + private_imc_attestation_state_t *this, u_int32_t max_msg_len) +{ + this->max_msg_len = max_msg_len; +} + +METHOD(imc_state_t, get_max_msg_len, u_int32_t, + private_imc_attestation_state_t *this) +{ + return this->max_msg_len; +} + METHOD(imc_state_t, change_state, void, private_imc_attestation_state_t *this, TNC_ConnectionState new_state) { this->state = new_state; } +METHOD(imc_state_t, set_result, void, + private_imc_attestation_state_t *this, TNC_IMCID id, + TNC_IMV_Evaluation_Result result) +{ + this->result = result; +} + +METHOD(imc_state_t, get_result, bool, + private_imc_attestation_state_t *this, TNC_IMCID id, + TNC_IMV_Evaluation_Result *result) +{ + if (result) + { + *result = this->result; + } + return this->result != TNC_IMV_EVALUATION_RESULT_DONT_KNOW; +} METHOD(imc_state_t, destroy, void, private_imc_attestation_state_t *this) { this->pts->destroy(this->pts); - this->list->destroy_offset(this->list, offsetof(pts_comp_evidence_t, destroy)); + this->components->destroy_offset(this->components, + offsetof(pts_component_t, destroy)); + this->list->destroy_offset(this->list, + offsetof(pts_comp_evidence_t, destroy)); free(this); } 
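Review bot: `set_result` and `get_result` accept a `TNC_IMCID id` but never read it, so a single `this->result` is shared by whatever id the caller passes, and `get_result` reports a known result for any id once any result was stored. If this state is meant to serve exactly one IMC, a comment on both methods, e.g. `/* id unused: this state belongs to a single IMC */`, would keep readers from assuming per-id results; otherwise the id should select the slot. `get_result` writes `*result` only when the pointer is non-NULL, which is fine, but the interface documentation for that method (not in the visible hunks) should state that the pointer is optional.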
@@ -108,10 +160,42 @@ METHOD(imc_attestation_state_t, get_pts, pts_t*, return this->pts; } +METHOD(imc_attestation_state_t, create_component, pts_component_t*, + private_imc_attestation_state_t *this, pts_comp_func_name_t *name, + u_int32_t depth) +{ + enumerator_t *enumerator; + pts_component_t *component; + bool found = FALSE; + + enumerator = this->components->create_enumerator(this->components); + while (enumerator->enumerate(enumerator, &component)) + { + if (name->equals(name, component->get_comp_func_name(component))) + { + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + + if (!found) + { + component = pts_components->create(pts_components, name, depth, NULL); + if (!component) + { + return NULL; + } + this->components->insert_last(this->components, component); + + } + return component; +} + METHOD(imc_attestation_state_t, add_evidence, void, - private_imc_attestation_state_t *this, pts_comp_evidence_t *evidence) + private_imc_attestation_state_t *this, pts_comp_evidence_t *evid) { - this->list->insert_last(this->list, evidence); + this->list->insert_last(this->list, evid); } METHOD(imc_attestation_state_t, next_evidence, bool, @@ -126,7 +210,6 @@ METHOD(imc_attestation_state_t, next_evidence, bool, imc_state_t *imc_attestation_state_create(TNC_ConnectionID connection_id) { private_imc_attestation_state_t *this; - char *platform_info; INIT(this, .public = { 
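Review bot: In `create_component`, when a component with the same functional name is already in `this->components` the cached instance is returned and the `depth` argument is silently ignored, so a later request for the same component at a different sub-component depth gets the object that was created with the first depth. Either compare the depth as well (if `pts_component_t` exposes it) or document the lookup-by-name-only behaviour, e.g. in the header doc added in hunk -47 of imc_attestation_state.h: `@return existing component with the same name (depth ignored) or a newly created one, NULL if not registered`. There is also a stray blank line before the closing brace of the `if (!found)` block.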
@@ -135,26 +218,26 @@ imc_state_t *imc_attestation_state_create(TNC_ConnectionID connection_id) .has_long = _has_long, .has_excl = _has_excl, .set_flags = _set_flags, + .set_max_msg_len = _set_max_msg_len, + .get_max_msg_len = _get_max_msg_len, .change_state = _change_state, + .set_result = _set_result, + .get_result = _get_result, .destroy = _destroy, }, .get_pts = _get_pts, + .create_component = _create_component, .add_evidence = _add_evidence, .next_evidence = _next_evidence, }, .connection_id = connection_id, .state = TNC_CONNECTION_STATE_CREATE, + .result = TNC_IMV_EVALUATION_RESULT_DONT_KNOW, .pts = pts_create(TRUE), + .components = linked_list_create(), .list = linked_list_create(), ); - platform_info = lib->settings->get_str(lib->settings, - "libimcv.plugins.imc-attestation.platform_info", NULL); - if (platform_info) - { - this->pts->set_platform_info(this->pts, platform_info); - } - return &this->public.interface; } diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_state.h b/src/libpts/plugins/imc_attestation/imc_attestation_state.h index 22b0bba23..4b93931c3 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation_state.h +++ b/src/libpts/plugins/imc_attestation/imc_attestation_state.h @@ -14,9 +14,11 @@ */ /** + * @defgroup imc_attestation imc_attestation + * @ingroup libpts_plugins * * @defgroup imc_attestation_state_t imc_attestation_state - * @{ @ingroup imc_attestation_state + * @{ @ingroup imc_attestation */ #ifndef IMC_ATTESTATION_STATE_H_ @@ -24,6 +26,7 @@ #include <imc/imc_state.h> #include <pts/pts.h> +#include <pts/components/pts_component.h> #include <pts/components/pts_comp_evidence.h> #include <library.h> 
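Review bot: Removing the `lib->settings->get_str(lib->settings, "libimcv.plugins.imc-attestation.platform_info", NULL)` lookup and the `set_platform_info` call means the `libimcv.plugins.imc-attestation.platform_info` strongswan.conf key is no longer read in this constructor. If the platform information is now obtained elsewhere (presumably inside libpts via `pts_create(TRUE)`, which is not visible here), the configuration documentation should be updated accordingly; if it is not, an operator's existing setting silently stops having any effect. A one-line comment at `.pts = pts_create(TRUE),` stating where platform information now comes from would close that gap. The unlisted fields such as `max_msg_len` presumably rely on INIT zero-initialising them, which is consistent with the explicit `.result = TNC_IMV_EVALUATION_RESULT_DONT_KNOW` for the one field whose zero value would be wrong.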
@@ -47,14 +50,24 @@ struct imc_attestation_state_t { pts_t* (*get_pts)(imc_attestation_state_t *this); /** - * Add an entry to the Component Evidence list + * Create and add an entry to the list of Functional Components * - * @param entry Component Evidence entry + * @param name Component Functional Name + * @param depth Sub-component Depth + * @return created functional component instance or NULL */ - void (*add_evidence)(imc_attestation_state_t *this, pts_comp_evidence_t *entry); + pts_component_t* (*create_component)(imc_attestation_state_t *this, + pts_comp_func_name_t *name, u_int32_t depth); /** - * Removes next Component Evidence entry from list and returns it + * Add an entry to the Component Evidence cache list + * + * @param evid Component Evidence entry + */ + void (*add_evidence)(imc_attestation_state_t *this, pts_comp_evidence_t *evid); + + /** + * Removes next entry from the Component Evidence cache list and returns it * * @param evid Next Component Evidence entry * @return TRUE if next entry is available diff --git a/src/libpts/plugins/imv_attestation/Makefile.am b/src/libpts/plugins/imv_attestation/Makefile.am index a550a3552..ae5225ae3 100644 --- a/src/libpts/plugins/imv_attestation/Makefile.am +++ b/src/libpts/plugins/imv_attestation/Makefile.am @@ -1,11 +1,12 @@ - -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libtncif \ -I$(top_srcdir)/src/libimcv \ - -I$(top_srcdir)/src/libpts + -I$(top_srcdir)/src/libpts \ + -DPLUGINS=\""${attest_plugins}\"" -AM_CFLAGS = -rdynamic -DPLUGINS=\""${attest_plugins}\"" +AM_CFLAGS = \ + -rdynamic imcv_LTLIBRARIES = imv-attestation.la @@ -16,6 +17,7 @@ imv_attestation_la_LIBADD = \ imv_attestation_la_SOURCES = imv_attestation.c \ imv_attestation_state.h imv_attestation_state.c \ + imv_attestation_agent.h imv_attestation_agent.c \ imv_attestation_process.h imv_attestation_process.c \ imv_attestation_build.h imv_attestation_build.c 
@@ -24,10 +26,11 @@ imv_attestation_la_LDFLAGS = -module -avoid-version ipsec_PROGRAMS = attest attest_SOURCES = attest.c \ attest_usage.h attest_usage.c \ - attest_db.h attest_db.c \ - tables.sql data.sql + attest_db.h attest_db.c attest_LDADD = \ $(top_builddir)/src/libimcv/libimcv.la \ $(top_builddir)/src/libpts/libpts.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la attest.o : $(top_builddir)/config.status + +EXTRA_DIST = build-database.sh diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in index 989a173b5..36b440e82 100644 --- a/src/libpts/plugins/imv_attestation/Makefile.in +++ b/src/libpts/plugins/imv_attestation/Makefile.in @@ -1,9 +1,9 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. +# Makefile.in generated by automake 1.11.6 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -17,6 +17,23 @@ VPATH = @srcdir@ +am__make_dryrun = \ + { \ + am__dry=no; \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \ + | grep '^AM OK$$' >/dev/null || am__dry=yes;; \ + *) \ + for am__flg in $$MAKEFLAGS; do \ + case $$am__flg in \ + *=*|--*) ;; \ + *n*) am__dry=yes; break;; \ + esac; \ + done;; \ + esac; \ + test $$am__dry = yes; \ + } pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ 
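Review bot: `tables.sql data.sql` are dropped from `attest_SOURCES` while only `build-database.sh` is added to `EXTRA_DIST`, so the SQL files no longer reach a `make dist` tarball. If the script still reads them from the source directory (the script is not visible here), list them too: `EXTRA_DIST = build-database.sh tables.sql data.sql`; if they were deleted in this commit, nothing further is needed. Listing data files in `_SOURCES` was wrong in the first place, so moving them to EXTRA_DIST is the right direction.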
@@ -47,10 +64,11 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/macros/with.m4 \ $(top_srcdir)/m4/macros/enable-disable.m4 \ $(top_srcdir)/m4/macros/add-plugin.m4 \ - $(top_srcdir)/configure.in + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; @@ -74,6 +92,12 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } am__installdirs = "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)" LTLIBRARIES = $(imcv_LTLIBRARIES) imv_attestation_la_DEPENDENCIES = \ 
@@ -81,12 +105,16 @@ imv_attestation_la_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la \ $(top_builddir)/src/libpts/libpts.la am_imv_attestation_la_OBJECTS = imv_attestation.lo \ - imv_attestation_state.lo imv_attestation_process.lo \ - imv_attestation_build.lo + imv_attestation_state.lo imv_attestation_agent.lo \ + imv_attestation_process.lo imv_attestation_build.lo imv_attestation_la_OBJECTS = $(am_imv_attestation_la_OBJECTS) -imv_attestation_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(imv_attestation_la_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +imv_attestation_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(imv_attestation_la_LDFLAGS) \ + $(LDFLAGS) -o $@ PROGRAMS = $(ipsec_PROGRAMS) am_attest_OBJECTS = attest.$(OBJEXT) attest_usage.$(OBJEXT) \ attest_db.$(OBJEXT) 
@@ -94,42 +122,67 @@ attest_OBJECTS = $(am_attest_OBJECTS) attest_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \ $(top_builddir)/src/libpts/libpts.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la -DEFAULT_INCLUDES = -I.@am__isrc@ +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ - $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ CCLD = $(CC) -LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ - $(LDFLAGS) -o $@ +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; SOURCES = $(imv_attestation_la_SOURCES) $(attest_SOURCES) DIST_SOURCES = $(imv_attestation_la_SOURCES) $(attest_SOURCES) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ 
AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ AR = @AR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ +BFDLIB = @BFDLIB@ BTLIB = @BTLIB@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ +CHECK_CFLAGS = @CHECK_CFLAGS@ +CHECK_LIBS = @CHECK_LIBS@ +COVERAGE_CFLAGS = @COVERAGE_CFLAGS@ +COVERAGE_LDFLAGS = @COVERAGE_LDFLAGS@ CPP = @CPP@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -138,13 +191,16 @@ ECHO_T = @ECHO_T@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ +GENHTML = @GENHTML@ GPERF = @GPERF@ +GPRBUILD = @GPRBUILD@ GREP = @GREP@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ LD = @LD@ LDFLAGS = @LDFLAGS@ LEX = @LEX@ @@ -157,6 +213,7 @@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ MYSQLCFLAG = @MYSQLCFLAG@ MYSQLCONFIG = @MYSQLCONFIG@ @@ -184,11 +241,13 @@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SOCKLIB = @SOCKLIB@ STRIP = @STRIP@ +UNWINDLIB = @UNWINDLIB@ VERSION = @VERSION@ YACC = @YACC@ YFLAGS = @YFLAGS@ @@ -196,6 +255,7 @@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ @@ -204,8 +264,6 @@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ attest_plugins = @attest_plugins@ -axis2c_CFLAGS = @axis2c_CFLAGS@ -axis2c_LIBS = @axis2c_LIBS@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ 
@@ -214,14 +272,19 @@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ c_plugins = @c_plugins@ +charon_natt_port = @charon_natt_port@ +charon_plugins = @charon_plugins@ +charon_udp_port = @charon_udp_port@ clearsilver_LIBS = @clearsilver_LIBS@ +cmd_plugins = @cmd_plugins@ datadir = @datadir@ datarootdir = @datarootdir@ dbusservicedir = @dbusservicedir@ -default_pkcs11 = @default_pkcs11@ +dev_headers = @dev_headers@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ +fips_mode = @fips_mode@ gtk_CFLAGS = @gtk_CFLAGS@ gtk_LIBS = @gtk_LIBS@ h_plugins = @h_plugins@ @@ -235,17 +298,17 @@ imcvdir = @imcvdir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ +ipsec_script = @ipsec_script@ +ipsec_script_upper = @ipsec_script_upper@ ipsecdir = @ipsecdir@ ipsecgroup = @ipsecgroup@ ipseclibdir = @ipseclibdir@ ipsecuser = @ipsecuser@ -libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ maemo_CFLAGS = @maemo_CFLAGS@ maemo_LIBS = @maemo_LIBS@ manager_plugins = @manager_plugins@ @@ -255,16 +318,15 @@ mkdir_p = @mkdir_p@ nm_CFLAGS = @nm_CFLAGS@ nm_LIBS = @nm_LIBS@ nm_ca_dir = @nm_ca_dir@ +nm_plugins = @nm_plugins@ oldincludedir = @oldincludedir@ openac_plugins = @openac_plugins@ -p_plugins = @p_plugins@ pcsclite_CFLAGS = @pcsclite_CFLAGS@ pcsclite_LIBS = @pcsclite_LIBS@ pdfdir = @pdfdir@ piddir = @piddir@ pki_plugins = @pki_plugins@ plugindir = @plugindir@ -pluto_plugins = @pluto_plugins@ pool_plugins = @pool_plugins@ prefix = @prefix@ program_transform_name = @program_transform_name@ 
@@ -292,13 +354,16 @@ top_srcdir = @top_srcdir@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ -INCLUDES = \ +AM_CPPFLAGS = \ -I$(top_srcdir)/src/libstrongswan \ -I$(top_srcdir)/src/libtncif \ -I$(top_srcdir)/src/libimcv \ - -I$(top_srcdir)/src/libpts + -I$(top_srcdir)/src/libpts \ + -DPLUGINS=\""${attest_plugins}\"" + +AM_CFLAGS = \ + -rdynamic -AM_CFLAGS = -rdynamic -DPLUGINS=\""${attest_plugins}\"" imcv_LTLIBRARIES = imv-attestation.la imv_attestation_la_LIBADD = \ $(top_builddir)/src/libimcv/libimcv.la \ @@ -307,20 +372,21 @@ imv_attestation_la_LIBADD = \ imv_attestation_la_SOURCES = imv_attestation.c \ imv_attestation_state.h imv_attestation_state.c \ + imv_attestation_agent.h imv_attestation_agent.c \ imv_attestation_process.h imv_attestation_process.c \ imv_attestation_build.h imv_attestation_build.c imv_attestation_la_LDFLAGS = -module -avoid-version attest_SOURCES = attest.c \ attest_usage.h attest_usage.c \ - attest_db.h attest_db.c \ - tables.sql data.sql + attest_db.h attest_db.c attest_LDADD = \ $(top_builddir)/src/libimcv/libimcv.la \ $(top_builddir)/src/libpts/libpts.la \ $(top_builddir)/src/libstrongswan/libstrongswan.la +EXTRA_DIST = build-database.sh all: all-am .SUFFIXES: @@ -357,7 +423,6 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) $(am__aclocal_m4_deps): install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES) @$(NORMAL_INSTALL) - test -z "$(imcvdir)" || $(MKDIR_P) "$(DESTDIR)$(imcvdir)" @list='$(imcv_LTLIBRARIES)'; test -n "$(imcvdir)" || list=; \ list2=; for p in $$list; do \ if test -f $$p; then \ 
@@ -365,6 +430,8 @@ install-imcvLTLIBRARIES: $(imcv_LTLIBRARIES) else :; fi; \ done; \ test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(imcvdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(imcvdir)" || exit 1; \ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(imcvdir)'"; \ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(imcvdir)"; \ } @@ -386,12 +453,15 @@ clean-imcvLTLIBRARIES: echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done -imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENCIES) - $(imv_attestation_la_LINK) -rpath $(imcvdir) $(imv_attestation_la_OBJECTS) $(imv_attestation_la_LIBADD) $(LIBS) +imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENCIES) $(EXTRA_imv_attestation_la_DEPENDENCIES) + $(AM_V_CCLD)$(imv_attestation_la_LINK) -rpath $(imcvdir) $(imv_attestation_la_OBJECTS) $(imv_attestation_la_LIBADD) $(LIBS) install-ipsecPROGRAMS: $(ipsec_PROGRAMS) @$(NORMAL_INSTALL) - test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \ + fi; \ for p in $$list; do echo "$$p $$p"; done | \ sed 's/$(EXEEXT)$$//' | \ while read p p1; do if test -f $$p || test -f $$p1; \ @@ -431,9 +501,9 @@ clean-ipsecPROGRAMS: list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list -attest$(EXEEXT): $(attest_OBJECTS) $(attest_DEPENDENCIES) +attest$(EXEEXT): $(attest_OBJECTS) $(attest_DEPENDENCIES) $(EXTRA_attest_DEPENDENCIES) @rm -f attest$(EXEEXT) - $(LINK) $(attest_OBJECTS) $(attest_LDADD) $(LIBS) + $(AM_V_CCLD)$(LINK) $(attest_OBJECTS) $(attest_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -445,30 +515,31 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attest_db.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attest_usage.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_agent.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_build.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_process.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_attestation_state.Plo@am__quote@ .c.o: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< .c.obj: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` 
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< mostlyclean-libtool: -rm -f *.lo @@ -575,10 +646,15 @@ install-am: all-am installcheck: installcheck-am install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi mostlyclean-generic: clean-generic: diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c index 9200820e8..4d25df3f4 100644 --- a/src/libpts/plugins/imv_attestation/attest.c +++ b/src/libpts/plugins/imv_attestation/attest.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Andreas Steffen + * Copyright (C) 2011-2013 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -20,9 +20,10 @@ #include <string.h> #include <errno.h> #include <syslog.h> +#include <libgen.h> #include <library.h> -#include <debug.h> +#include <utils/debug.h> #include <imcv.h> #include <libpts.h> @@ -34,7 +35,7 @@ /** * global debug output variables */ -static int debug_level = 2; +static int debug_level = 1; static bool stderr_quiet = TRUE; /** @@ -81,6 +82,7 @@ static void attest_dbg(debug_t group, level_t level, char *fmt, ...) */ attest_db_t *attest; + /** * atexit handler to close db on shutdown */ @@ -99,10 +101,14 @@ static void do_args(int argc, char *argv[]) OP_USAGE, OP_KEYS, OP_COMPONENTS, + OP_DEVICES, + OP_DIRECTORIES, OP_FILES, OP_HASHES, OP_MEASUREMENTS, + OP_PACKAGES, OP_PRODUCTS, + OP_SESSIONS, OP_ADD, OP_DEL, } op = OP_UNDEF; 
@@ -117,23 +123,39 @@ static void do_args(int argc, char *argv[]) struct option long_opts[] = { { "help", no_argument, NULL, 'h' }, { "components", no_argument, NULL, 'c' }, + { "devices", no_argument, NULL, 'e' }, + { "directories", no_argument, NULL, 'd' }, + { "dirs", no_argument, NULL, 'd' }, { "files", no_argument, NULL, 'f' }, { "keys", no_argument, NULL, 'k' }, + { "packages", no_argument, NULL, 'g' }, { "products", no_argument, NULL, 'p' }, { "hashes", no_argument, NULL, 'H' }, { "measurements", no_argument, NULL, 'm' }, + { "sessions", no_argument, NULL, 's' }, { "add", no_argument, NULL, 'a' }, - { "delete", no_argument, NULL, 'd' }, - { "del", no_argument, NULL, 'd' }, + { "delete", no_argument, NULL, 'r' }, + { "del", no_argument, NULL, 'r' }, + { "remove", no_argument, NULL, 'r' }, { "aik", required_argument, NULL, 'A' }, + { "blacklist", no_argument, NULL, 'B' }, { "component", required_argument, NULL, 'C' }, { "comp", required_argument, NULL, 'C' }, { "directory", required_argument, NULL, 'D' }, { "dir", required_argument, NULL, 'D' }, { "file", required_argument, NULL, 'F' }, + { "sha1-ima", no_argument, NULL, 'I' }, + { "package", required_argument, NULL, 'G' }, { "key", required_argument, NULL, 'K' }, { "owner", required_argument, NULL, 'O' }, { "product", required_argument, NULL, 'P' }, + { "relative", no_argument, NULL, 'R' }, + { "rel", no_argument, NULL, 'R' }, + { "sequence", required_argument, NULL, 'S' }, + { "seq", required_argument, NULL, 'S' }, + { "utc", no_argument, NULL, 'U' }, + { "version", required_argument, NULL, 'V' }, + { "security", no_argument, NULL, 'Y' }, { "sha1", no_argument, NULL, '1' }, { "sha256", no_argument, NULL, '2' }, { "sha384", no_argument, NULL, '3' }, @@ -142,6 +164,7 @@ static void do_args(int argc, char *argv[]) { "pid", required_argument, NULL, '6' }, { "cid", required_argument, NULL, '7' }, { "kid", required_argument, NULL, '8' }, + { "gid", required_argument, NULL, '9' }, { 0,0,0,0 } }; 
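Review bot: The value `'d'` changes meaning in this option table — it was the code for `delete`/`del` and now stands for `directories`/`dirs`, with deletion moved to `'r'`. If the option string handed to getopt_long exposes these letters as real short options (the call is outside the hunk), an existing invocation using `-d` silently switches from deleting to listing directories; the usage text and man page should record the change, and a comment above the table such as `/* 'd' now selects --directories; --delete is 'r' */` would keep it from being reverted. The long spellings `--delete`/`--del` are kept, so scripts using those are unaffected.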
@@ -156,9 +179,18 @@ static void do_args(int argc, char *argv[]) case 'c': op = OP_COMPONENTS; continue; + case 'd': + op = OP_DIRECTORIES; + continue; + case 'e': + op = OP_DEVICES; + continue; case 'f': op = OP_FILES; continue; + case 'g': + op = OP_PACKAGES; + continue; case 'k': op = OP_KEYS; continue; @@ -171,10 +203,13 @@ static void do_args(int argc, char *argv[]) case 'm': op = OP_MEASUREMENTS; continue; + case 's': + op = OP_SESSIONS; + continue; case 'a': op = OP_ADD; continue; - case 'd': + case 'r': op = OP_DEL; continue; case 'A': @@ -214,6 +249,9 @@ static void do_args(int argc, char *argv[]) } continue; } + case 'B': + attest->set_package_state(attest, OS_PACKAGE_STATE_BLACKLIST); + continue; case 'C': if (!attest->set_component(attest, optarg, op == OP_ADD)) { @@ -227,11 +265,35 @@ static void do_args(int argc, char *argv[]) } continue; case 'F': - if (!attest->set_file(attest, optarg, op == OP_ADD)) + { + char *path = strdup(optarg); + char *dir = dirname(path); + char *file = basename(optarg); + + if (*dir != '.') + { + if (!attest->set_directory(attest, dir, op == OP_ADD)) + { + free(path); + exit(EXIT_FAILURE); + } + } + free(path); + if (!attest->set_file(attest, file, op == OP_ADD)) + { + exit(EXIT_FAILURE); + } + continue; + } + case 'G': + if (!attest->set_package(attest, optarg, op == OP_ADD)) { exit(EXIT_FAILURE); } continue; + case 'I': + attest->set_algo(attest, PTS_MEAS_ALGO_SHA1_IMA); + continue; case 'K': { chunk_t aik; 
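Review bot: The `if (*dir != '.')` test in the new `case 'F'` only inspects the first character of what `dirname()` returned, so a relative path such as `--file ./etc/passwd` or `../x/y` yields a `dir` starting with `'.'`, the directory is skipped and the file is registered without it. The intent is to detect the "no directory component" result, which is exactly the string `"."`: `if (!streq(dir, "."))`. Note also that with `<libgen.h>` the POSIX `basename()` may modify its argument and may return static storage, and it is called on `optarg` itself rather than on a copy; glibc returns pointers into the argument so this works today, but taking `file` from a second `strdup()` would make the `dirname`/`basename` sequence portable. The enclosing `do_args` switch starts and ends outside this hunk.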
@@ -252,6 +314,24 @@ static void do_args(int argc, char *argv[]) exit(EXIT_FAILURE); } continue; + case 'R': + attest->set_relative(attest); + continue; + case 'S': + attest->set_sequence(attest, atoi(optarg)); + continue; + case 'U': + attest->set_utc(attest); + continue; + case 'V': + if (!attest->set_version(attest, optarg)) + { + exit(EXIT_FAILURE); + } + continue; + case 'Y': + attest->set_package_state(attest, OS_PACKAGE_STATE_SECURITY); + continue; case '1': attest->set_algo(attest, PTS_MEAS_ALGO_SHA1); continue; @@ -291,6 +371,12 @@ static void do_args(int argc, char *argv[]) exit(EXIT_FAILURE); } continue; + case '9': + if (!attest->set_gid(attest, atoi(optarg))) + { + exit(EXIT_FAILURE); + } + continue; } break; } @@ -300,6 +386,9 @@ static void do_args(int argc, char *argv[]) case OP_USAGE: usage(); break; + case OP_PACKAGES: + attest->list_packages(attest); + break; case OP_PRODUCTS: attest->list_products(attest); break; @@ -309,6 +398,12 @@ static void do_args(int argc, char *argv[]) case OP_COMPONENTS: attest->list_components(attest); break; + case OP_DEVICES: + attest->list_devices(attest); + break; + case OP_DIRECTORIES: + attest->list_directories(attest); + break; case OP_FILES: attest->list_files(attest); break; @@ -318,6 +413,9 @@ static void do_args(int argc, char *argv[]) case OP_MEASUREMENTS: attest->list_measurements(attest); break; + case OP_SESSIONS: + attest->list_sessions(attest); + break; case OP_ADD: attest->add(attest); break; @@ -345,7 +443,7 @@ int main(int argc, char *argv[]) { exit(SS_RC_LIBSTRONGSWAN_INTEGRITY); } - if (!lib->plugins->load(lib->plugins, NULL, + if (!lib->plugins->load(lib->plugins, lib->settings->get_str(lib->settings, "attest.load", PLUGINS))) { exit(SS_RC_INITIALIZATION_FAILED); @@ -363,7 +461,7 @@ int main(int argc, char *argv[]) exit(SS_RC_INITIALIZATION_FAILED); } atexit(cleanup); - libimcv_init(); + libimcv_init(FALSE); libpts_init(); do_args(argc, argv); 
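Review bot: `atoi(optarg)` in the new `case 'S'` and `case '9'` gives no error indication, so `--seq abc` is accepted as sequence number 0, `--gid abc` queries package id 0 (which `set_gid` then binds as `DB_UINT`), and a negative value passes straight through to the query. A bounded parse that fails like the other handlers do, `char *end; long v = strtol(optarg, &end, 10); if (*optarg == '\0' || *end || v < 0) { exit(EXIT_FAILURE); }`, keeps malformed input out of the database layer; the existing `pid`/`cid`/`kid` handlers outside this hunk presumably need the same treatment if they use `atoi`. The `do_args` switch starts and ends outside the hunk.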
diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c index 88d19eee1..d7654ab43 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.c +++ b/src/libpts/plugins/imv_attestation/attest_db.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Andreas Steffen + * Copyright (C) 2011-2012 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -13,11 +13,24 @@ * for more details. */ +#define _GNU_SOURCE + +#include <stdio.h> +#include <libgen.h> +#include <time.h> + +#include <tncif_names.h> + #include "attest_db.h" #include "libpts.h" +#include "pts/pts_meas_algo.h" +#include "pts/pts_file_meas.h" #include "pts/components/pts_comp_func_name.h" +#define IMA_MAX_NAME_LEN 255 +#define DEVICE_MAX_LEN 20 + typedef struct private_attest_db_t private_attest_db_t; /** @@ -56,11 +69,6 @@ struct private_attest_db_t { int did; /** - * TRUE if directory has been set - */ - bool dir_set; - - /** * Measurement file to be queried */ char *file; @@ -71,11 +79,6 @@ struct private_attest_db_t { int fid; /** - * TRUE if file has been set - */ - bool file_set; - - /** * AIK to be queried */ chunk_t key; @@ -91,6 +94,21 @@ struct private_attest_db_t { bool key_set; /** + * Software package to be queried + */ + char *package; + + /** + * Primary key of software package to be queried + */ + int gid; + + /** + * TRUE if package has been set + */ + bool package_set; + + /** * Software product to be queried */ char *product; 
@@ -106,6 +124,36 @@ struct private_attest_db_t { bool product_set; /** + * Software package version to be queried + */ + char *version; + + /** + * TRUE if version has been set + */ + bool version_set; + + /** + * TRUE if relative filenames are to be used + */ + bool relative; + + /** + * TRUE if dates are to be displayed in UTC + */ + bool utc; + + /** + * Package security or blacklist state + */ + os_package_state_t package_state; + + /** + * Sequence number for ordering entries + */ + int seq_no; + + /** * File measurement hash algorithm */ pts_meas_algorithms_t algo; @@ -175,7 +223,7 @@ METHOD(attest_db_t, set_component, bool, e = this->db->query(this->db, "SELECT id FROM components " "WHERE vendor_id = ? AND name = ? AND qualifier = ?", - DB_INT, vid, DB_INT, name, DB_INT, qualifier, DB_INT); + DB_UINT, vid, DB_INT, name, DB_INT, qualifier, DB_INT); if (e) { if (e->enumerate(e, &this->cid)) @@ -231,7 +279,7 @@ METHOD(attest_db_t, set_cid, bool, e = this->db->query(this->db, "SELECT vendor_id, name, qualifier " "FROM components WHERE id = ?", - DB_INT, cid, DB_INT, DB_INT, DB_INT); + DB_UINT, cid, DB_INT, DB_INT, DB_INT); if (e) { if (e->enumerate(e, &vid, &name, &qualifier)) @@ -252,27 +300,35 @@ METHOD(attest_db_t, set_directory, bool, private_attest_db_t *this, char *dir, bool create) { enumerator_t *e; + int did; + size_t len; - if (this->dir_set) + if (this->did) { printf("directory has already been set\n"); return FALSE; } - free(this->dir); + + /* remove trailing '/' character if not root directory */ + len = strlen(dir); + if (len > 1 && dir[len-1] == '/') + { + dir[len-1] = '\0'; + } this->dir = strdup(dir); e = this->db->query(this->db, - "SELECT id FROM files WHERE type = 1 AND path = ?", + "SELECT id FROM directories WHERE path = ?", DB_TEXT, dir, DB_INT); if (e) { - if (e->enumerate(e, &this->did)) + if (e->enumerate(e, &did)) { - this->dir_set = TRUE; + this->did = did; } e->destroy(e); } - if (this->dir_set) + if (this->did) { return TRUE; } 
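Review bot: The trailing-slash strip in `set_directory` writes `'\0'` into the caller's buffer (`dir[len-1] = '\0'`) and removes only one slash, so `/etc//` is looked up as `/etc/`, misses an existing `/etc` row and, with `create`, inserts a second directory entry for the same path. Normalising the private copy instead avoids both: `this->dir = strdup(dir); for (len = strlen(this->dir); len > 1 && this->dir[len-1] == '/'; len--) { this->dir[len-1] = '\0'; } dir = this->dir;` before the query. The hunk also drops the `free(this->dir)` that preceded the `strdup`; with the `this->did` guard a second call only gets here after a failed lookup, so at most one string leaks, but a comment saying why the free went away would help the next reader. `set_directory` continues past the hunk.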
@@ -284,14 +340,15 @@ METHOD(attest_db_t, set_directory, bool, } /* Add a new database entry */ - this->dir_set = this->db->execute(this->db, &this->did, - "INSERT INTO files (type, path) VALUES (1, ?)", - DB_TEXT, dir) == 1; - + if (1 == this->db->execute(this->db, &did, + "INSERT INTO directories (path) VALUES (?)", DB_TEXT, dir)) + { + this->did = did; + } printf("directory '%s' %sinserted into database\n", dir, - this->dir_set ? "" : "could not be "); + this->did ? "" : "could not be "); - return this->dir_set; + return this->did > 0; } METHOD(attest_db_t, set_did, bool, @@ -300,22 +357,20 @@ METHOD(attest_db_t, set_did, bool, enumerator_t *e; char *dir; - if (this->dir_set) + if (this->did) { printf("directory has already been set\n"); return FALSE; } - this->did = did; - e = this->db->query(this->db, "SELECT path FROM files WHERE id = ?", - DB_INT, did, DB_TEXT); + e = this->db->query(this->db, "SELECT path FROM directories WHERE id = ?", + DB_UINT, did, DB_TEXT); if (e) { if (e->enumerate(e, &dir)) { - free(this->dir); this->dir = strdup(dir); - this->dir_set = TRUE; + this->did = did; } else { 
@@ -323,74 +378,88 @@ METHOD(attest_db_t, set_did, bool, } e->destroy(e); } - return this->dir_set; + return this->did > 0; } METHOD(attest_db_t, set_file, bool, private_attest_db_t *this, char *file, bool create) { + int fid; + char *sep; enumerator_t *e; - if (this->file_set) + if (this->file) { printf("file has already been set\n"); return FALSE; } this->file = strdup(file); - e = this->db->query(this->db, "SELECT id FROM files WHERE path = ?", - DB_TEXT, file, DB_INT); + if (!this->did) + { + return TRUE; + } + sep = streq(this->dir, "/") ? "" : "/"; + e = this->db->query(this->db, "SELECT id FROM files " + "WHERE dir = ? AND name = ?", + DB_INT, this->did, DB_TEXT, file, DB_INT); if (e) { - if (e->enumerate(e, &this->fid)) + if (e->enumerate(e, &fid)) { - this->file_set = TRUE; + this->fid = fid; } e->destroy(e); } - if (this->file_set) + if (this->fid) { return TRUE; } if (!create) { - printf("file '%s' not found in database\n", file); + printf("file '%s%s%s' not found in database\n", this->dir, sep, file); return FALSE; } /* Add a new database entry */ - this->file_set = this->db->execute(this->db, &this->fid, - "INSERT INTO files (type, path) VALUES (0, ?)", - DB_TEXT, file) == 1; - - printf("file '%s' %sinserted into database\n", file, - this->file_set ? "" : "could not be "); + if (1 == this->db->execute(this->db, &fid, + "INSERT INTO files (dir, name) VALUES (?, ?)", + DB_INT, this->did, DB_TEXT, file)) + { + this->fid = fid; + } + printf("file '%s%s%s' %sinserted into database\n", this->dir, sep, file, + this->fid ? 
"" : "could not be "); - return this->file_set; + return this->fid > 0; } METHOD(attest_db_t, set_fid, bool, private_attest_db_t *this, int fid) { enumerator_t *e; + int did; char *file; - if (this->file_set) + if (this->fid) { printf("file has already been set\n"); return FALSE; } - this->fid = fid; - e = this->db->query(this->db, "SELECT path FROM files WHERE id = ?", - DB_INT, fid, DB_TEXT); + e = this->db->query(this->db, "SELECT dir, name FROM files WHERE id = ?", + DB_UINT, fid, DB_INT, DB_TEXT); if (e) { - if (e->enumerate(e, &file)) + if (e->enumerate(e, &did, &file)) { + if (did) + { + set_did(this, did); + } this->file = strdup(file); - this->file_set = TRUE; + this->fid = fid; } else { @@ -398,7 +467,7 @@ METHOD(attest_db_t, set_fid, bool, } e->destroy(e); } - return this->file_set; + return this->fid > 0; } METHOD(attest_db_t, set_key, bool, @@ -468,7 +537,7 @@ METHOD(attest_db_t, set_kid, bool, this->kid = kid; e = this->db->query(this->db, "SELECT keyid, owner FROM keys WHERE id = ?", - DB_INT, kid, DB_BLOB, DB_TEXT); + DB_UINT, kid, DB_BLOB, DB_TEXT); if (e) { if (e->enumerate(e, &key, &owner)) @@ -545,7 +614,7 @@ METHOD(attest_db_t, set_pid, bool, this->pid = pid; e = this->db->query(this->db, "SELECT name FROM products WHERE id = ?", - DB_INT, pid, DB_TEXT); + DB_UINT, pid, DB_TEXT); if (e) { if (e->enumerate(e, &product)) 
@@ -562,12 +631,120 @@ METHOD(attest_db_t, set_pid, bool, return this->product_set; } +METHOD(attest_db_t, set_package, bool, + private_attest_db_t *this, char *package, bool create) +{ + enumerator_t *e; + + if (this->package_set) + { + printf("package has already been set\n"); + return FALSE; + } + this->package = strdup(package); + + e = this->db->query(this->db, "SELECT id FROM packages WHERE name = ?", + DB_TEXT, package, DB_INT); + if (e) + { + if (e->enumerate(e, &this->gid)) + { + this->package_set = TRUE; + } + e->destroy(e); + } + if (this->package_set) + { + return TRUE; + } + + if (!create) + { + printf("package '%s' not found in database\n", package); + return FALSE; + } + + /* Add a new database entry */ + this->package_set = this->db->execute(this->db, &this->gid, + "INSERT INTO packages (name) VALUES (?)", + DB_TEXT, package) == 1; + + printf("package '%s' %sinserted into database\n", package, + this->package_set ? "" : "could not be "); + + return this->package_set; +} + +METHOD(attest_db_t, set_gid, bool, + private_attest_db_t *this, int gid) +{ + enumerator_t *e; + char *package; + + if (this->package_set) + { + printf("package has already been set\n"); + return FALSE; + } + this->gid = gid; + + e = this->db->query(this->db, "SELECT name FROM packages WHERE id = ?", + DB_UINT, gid, DB_TEXT); + if (e) + { + if (e->enumerate(e, &package)) + { + this->package = strdup(package); + this->package_set = TRUE; + } + else + { + printf("no package found with gid %d in database\n", gid); + } + e->destroy(e); + } + return this->package_set; +} + +METHOD(attest_db_t, set_version, bool, + private_attest_db_t *this, char *version) +{ + if (this->version_set) + { + printf("version has already been set\n"); + return FALSE; + } + this->version = strdup(version); + this->version_set = TRUE; + + return TRUE; +} + + METHOD(attest_db_t, set_algo, void, private_attest_db_t *this, pts_meas_algorithms_t algo) { this->algo = algo; } +METHOD(attest_db_t, set_relative, 
void, + private_attest_db_t *this) +{ + this->relative = TRUE; +} + +METHOD(attest_db_t, set_package_state, void, + private_attest_db_t *this, os_package_state_t package_state) +{ + this->package_state = package_state; +} + +METHOD(attest_db_t, set_sequence, void, + private_attest_db_t *this, int seq_no) +{ + this->seq_no = seq_no; +} + METHOD(attest_db_t, set_owner, void, private_attest_db_t *this, char *owner) { @@ -575,21 +752,40 @@ METHOD(attest_db_t, set_owner, void, this->owner = strdup(owner); } +METHOD(attest_db_t, set_utc, void, + private_attest_db_t *this) +{ + this->utc = TRUE; +} + METHOD(attest_db_t, list_components, void, private_attest_db_t *this) { enumerator_t *e; pts_comp_func_name_t *cfn; - int cid, vid, name, qualifier, count = 0; + int seq_no, cid, vid, name, qualifier, count = 0; if (this->kid) { e = this->db->query(this->db, - "SELECT c.id, c.vendor_id, c.name, c.qualifier " + "SELECT kc.seq_no, c.id, c.vendor_id, c.name, c.qualifier " "FROM components AS c " "JOIN key_component AS kc ON c.id = kc.component " - "WHERE kc.key = ? ORDER BY c.vendor_id, c.name, c.qualifier", - DB_INT, this->kid, DB_INT, DB_INT, DB_INT, DB_INT); + "WHERE kc.key = ? ORDER BY kc.seq_no", + DB_UINT, this->kid, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT); + if (e) + { + while (e->enumerate(e, &cid, &seq_no, &vid, &name, &qualifier)) + { + cfn = pts_comp_func_name_create(vid, name, qualifier); + printf("%4d: #%-2d %s\n", seq_no, cid, print_cfn(cfn)); + cfn->destroy(cfn); + count++; + } + e->destroy(e); + printf("%d component%s found for key %#B\n", count, + (count == 1) ? "" : "s", &this->key); + } } else { 
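Review bot: `set_gid` assigns `this->gid = gid` before the lookup, so when no package with that id exists the object keeps an unverified id while `package_set` stays FALSE; the reworked `set_did`/`set_fid` in this same commit only store the id once the row has been found, and `set_gid` should follow that pattern by moving the assignment into the `if (e->enumerate(e, &package))` branch. `set_package`, `set_gid`, `set_version`, `set_relative`, `set_package_state` and `set_sequence` also carry no header comment, unlike the static helpers in this file (`insert_file_hash` below has one); a one-liner each, e.g. `/* select a package by name, inserting the row when create is TRUE */`, keeps the style consistent. The hunk starts in `set_pid` and ends in `set_owner`, both of which begin outside it.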
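Review bot: The `enumerate` argument order in the key-specific branch of `list_components` does not match the SELECT column order: the query returns `kc.seq_no, c.id, c.vendor_id, c.name, c.qualifier` but the call is `e->enumerate(e, &cid, &seq_no, &vid, &name, &qualifier)`, so `seq_no` receives the component id and `cid` the sequence number, and `printf("%4d: #%-2d %s\n", seq_no, cid, ...)` then prints the component id first and the sequence number after the `#`, the reverse of what its variable names say. Whichever layout is intended, the names should match the columns: `e->enumerate(e, &seq_no, &cid, &vid, &name, &qualifier)`, with the `printf` arguments adjusted if the current output order was the goal. `list_components` continues past the hunk.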
@@ -597,24 +793,82 @@ METHOD(attest_db_t, list_components, void, "SELECT id, vendor_id, name, qualifier FROM components " "ORDER BY vendor_id, name, qualifier", DB_INT, DB_INT, DB_INT, DB_INT); + if (e) + { + while (e->enumerate(e, &cid, &vid, &name, &qualifier)) + { + cfn = pts_comp_func_name_create(vid, name, qualifier); + printf("%4d: %s\n", cid, print_cfn(cfn)); + cfn->destroy(cfn); + count++; + } + e->destroy(e); + printf("%d component%s found\n", count, (count == 1) ? "" : "s"); + } } +} + +METHOD(attest_db_t, list_devices, void, + private_attest_db_t *this) +{ + enumerator_t *e, *e_ar; + chunk_t ar_id_value = chunk_empty; + char *product, *device; + time_t timestamp; + int id, last_id = 0, ar_id = 0, last_ar_id = 0, device_count = 0; + int session_id, rec; + u_int32_t ar_id_type; + u_int tstamp; + + e = this->db->query(this->db, + "SELECT d.id, d.value, s.id, s.time, s.identity, s.rec, p.name " + "FROM devices AS d " + "JOIN sessions AS s ON d.id = s.device " + "JOIN products AS p ON p.id = s.product " + "ORDER BY d.value, s.time DESC", DB_INT, DB_TEXT, DB_INT, DB_UINT, + DB_INT, DB_INT, DB_TEXT); + if (e) { - while (e->enumerate(e, &cid, &vid, &name, &qualifier)) + while (e->enumerate(e, &id, &device, &session_id, &tstamp, &ar_id, &rec, + &product)) { - cfn = pts_comp_func_name_create(vid, name, qualifier); - printf("%3d: %s\n", cid, print_cfn(cfn)); - cfn->destroy(cfn); - count++; + if (id != last_id) + { + printf("%4d: %s - %s\n", id, device, product); + device_count++; + last_id = id; + } + timestamp = tstamp; + printf("%4d: %T", session_id, ×tamp, this->utc); + if (ar_id) + { + if (ar_id != last_ar_id) + { + chunk_free(&ar_id_value); + e_ar = this->db->query(this->db, + "SELECT type, value FROM identities " + "WHERE id = ?", DB_INT, ar_id, DB_INT, DB_BLOB); + if (e_ar) + { + e_ar->enumerate(e_ar, &ar_id_type, &ar_id_value); + ar_id_value = chunk_clone(ar_id_value); + e_ar->destroy(e_ar); + } + } + if (ar_id_value.len) + { + printf(" %.*s", 
(int)ar_id_value.len, ar_id_value.ptr); + } + last_ar_id = ar_id; + } + printf(" - %N\n", TNC_IMV_Action_Recommendation_names, rec); } e->destroy(e); + free(ar_id_value.ptr); - printf("%d component%s found", count, (count == 1) ? "" : "s"); - if (this->key_set) - { - printf(" for key %#B", &this->key); - } - printf("\n"); + printf("%d device%s found\n", device_count, + (device_count == 1) ? "" : "s"); } } @@ -632,12 +886,12 @@ METHOD(attest_db_t, list_keys, void, "SELECT k.id, k.keyid, k.owner FROM keys AS k " "JOIN key_component AS kc ON k.id = kc.key " "WHERE kc.component = ? ORDER BY k.keyid", - DB_INT, this->cid, DB_INT, DB_BLOB, DB_TEXT); + DB_UINT, this->cid, DB_INT, DB_BLOB, DB_TEXT); if (e) { while (e->enumerate(e, &kid, &keyid, &owner)) { - printf("%3d: %#B '%s'\n", kid, &keyid, owner); + printf("%4d: %#B '%s'\n", kid, &keyid, owner); count++; } e->destroy(e); @@ -652,7 +906,7 @@ METHOD(attest_db_t, list_keys, void, { while (e->enumerate(e, &kid, &keyid, &owner)) { - printf("%3d: %#B '%s'\n", kid, &keyid, owner); + printf("%4d: %#B '%s'\n", kid, &keyid, owner); count++; } e->destroy(e); 
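Review bot: In `list_devices` the identity `type` is read into `ar_id_type` but never used, and the value, fetched as `DB_BLOB`, is written to the terminal with `printf(" %.*s", (int)ar_id_value.len, ar_id_value.ptr)` regardless of type; if any identity type stored in `identities` is not plain text, raw bytes (possibly control characters) reach stdout. Dispatching on the type, or at least falling back to the file's usual `%#B` hex form for non-textual types, keeps the listing readable. The return value of `e_ar->enumerate()` is also ignored, which leaves `ar_id_type` uninitialised when the row is missing; harmless while the type is unused, but it should be checked once it is. `list_devices` is complete in this hunk; the `list_components` tail at the top belongs to a function that starts outside it.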
@@ -671,48 +925,164 @@ METHOD(attest_db_t, list_files, void, private_attest_db_t *this) { enumerator_t *e; - char *file, *file_type[] = { " ", "d", "r" }; - int fid, type, meas, meta, count = 0; + char *dir, *file; + int did, last_did = 0, fid, count = 0; - if (this->pid) + if (this->did) { e = this->db->query(this->db, - "SELECT f.id, f.type, f.path, pf.measurement, pf.metadata " - "FROM files AS f " - "JOIN product_file AS pf ON f.id = pf.file " - "WHERE pf.product = ? ORDER BY f.path", - DB_INT, this->pid, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_INT); + "SELECT id, name FROM files WHERE dir = ? ORDER BY name", + DB_INT, this->did, DB_INT, DB_TEXT); if (e) { - while (e->enumerate(e, &fid, &type, &file, &meas, &meta)) + while (e->enumerate(e, &fid, &file)) { - type = (type < 0 || type > 2) ? 0 : type; - printf("%3d: |%s%s| %s %s\n", fid, meas ? "M":" ", meta ? "T":" ", - file_type[type], file); + printf("%4d: %s\n", fid, file); count++; } e->destroy(e); } + printf("%d file%s found in directory '%s'\n", count, + (count == 1) ? "" : "s", this->dir); } else { e = this->db->query(this->db, - "SELECT id, type, path FROM files " - "ORDER BY path", - DB_INT, DB_INT, DB_TEXT); + "SELECT d.id, d.path, f.id, f.name FROM files AS f " + "JOIN directories AS d ON f.dir = d.id " + "ORDER BY d.path, f.name", + DB_INT, DB_TEXT, DB_INT, DB_TEXT); if (e) { - while (e->enumerate(e, &fid, &type, &file)) + while (e->enumerate(e, &did, &dir, &fid, &file)) { - type = (type < 0 || type > 2) ? 0 : type; - printf("%3d: %s %s\n", fid, file_type[type], file); + if (did != last_did) + { + printf("%4d: %s\n", did, dir); + last_did = did; + } + printf("%4d: %s\n", fid, file); count++; } e->destroy(e); } + printf("%d file%s found\n", count, (count == 1) ? "" : "s"); } +} - printf("%d file%s found", count, (count == 1) ? 
"" : "s"); +METHOD(attest_db_t, list_directories, void, + private_attest_db_t *this) +{ + enumerator_t *e; + char *dir; + int did, count = 0; + + if (this->file) + { + e = this->db->query(this->db, + "SELECT d.id, d.path FROM directories AS d " + "JOIN files AS f ON f.dir = d.id WHERE f.name = ? " + "ORDER BY path", DB_TEXT, this->file, DB_INT, DB_TEXT); + if (e) + { + while (e->enumerate(e, &did, &dir)) + { + printf("%4d: %s\n", did, dir); + count++; + } + e->destroy(e); + } + printf("%d director%s found containing file '%s'\n", count, + (count == 1) ? "y" : "ies", this->file); + } + else + { + e = this->db->query(this->db, + "SELECT id, path FROM directories ORDER BY path", + DB_INT, DB_TEXT); + if (e) + { + while (e->enumerate(e, &did, &dir)) + { + printf("%4d: %s\n", did, dir); + count++; + } + e->destroy(e); + } + printf("%d director%s found\n", count, (count == 1) ? "y" : "ies"); + } +} + +METHOD(attest_db_t, list_packages, void, + private_attest_db_t *this) +{ + enumerator_t *e; + char *package, *version; + os_package_state_t package_state; + int blacklist, security, gid, gid_old = 0, spaces, count = 0, t; + time_t timestamp; + + if (this->pid) + { + e = this->db->query(this->db, + "SELECT p.id, p.name, " + "v.release, v.security, v.blacklist, v.time " + "FROM packages AS p JOIN versions AS v ON v.package = p.id " + "WHERE v.product = ? ORDER BY p.name, v.release", + DB_INT, this->pid, + DB_INT, DB_TEXT, DB_TEXT, DB_INT, DB_INT, DB_INT); + if (e) + { + while (e->enumerate(e, &gid, &package, + &version, &security, &blacklist, &t)) + { + if (gid != gid_old) + { + printf("%5d: %s,", gid, package); + gid_old = gid; + } + else + { + spaces = 8 + strlen(package); + while (spaces--) + { + printf(" "); + } + } + timestamp = t; + if (blacklist) + { + package_state = OS_PACKAGE_STATE_BLACKLIST; + } + else + { + package_state = security ? 
OS_PACKAGE_STATE_SECURITY : + OS_PACKAGE_STATE_UPDATE; + } + printf(" %T (%s)%N\n", ×tamp, this->utc, version, + os_package_state_names, package_state); + count++; + } + e->destroy(e); + } + } + else + { + e = this->db->query(this->db, "SELECT id, name FROM packages " + "ORDER BY name", + DB_INT, DB_TEXT); + if (e) + { + while (e->enumerate(e, &gid, &package)) + { + printf("%4d: %s\n", gid, package); + count++; + } + e->destroy(e); + } + } + + printf("%d package%s found", count, (count == 1) ? "" : "s"); if (this->product_set) { printf(" for product '%s'", this->product); @@ -734,12 +1104,12 @@ METHOD(attest_db_t, list_products, void, "FROM products AS p " "JOIN product_file AS pf ON p.id = pf.product " "WHERE pf.file = ? ORDER BY p.name", - DB_INT, this->fid, DB_INT, DB_TEXT, DB_INT, DB_INT); + DB_UINT, this->fid, DB_INT, DB_TEXT, DB_INT, DB_INT); if (e) { while (e->enumerate(e, &pid, &product, &meas, &meta)) { - printf("%3d: |%s%s| %s\n", pid, meas ? "M":" ", meta ? "T":" ", + printf("%4d: |%s%s| %s\n", pid, meas ? "M":" ", meta ? "T":" ", product); count++; } @@ -755,7 +1125,7 @@ METHOD(attest_db_t, list_products, void, { while (e->enumerate(e, &pid, &product)) { - printf("%3d: %s\n", pid, product); + printf("%4d: %s\n", pid, product); count++; } e->destroy(e); 
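Review bot: `list_packages` reads `v.time` as `DB_INT` into the `int t` before copying it to `time_t`, whereas `list_devices` and `list_sessions` in this same commit read `s.time` as `DB_UINT` into `u_int`; the listings should agree on the column's type, otherwise timestamps beyond the signed 32-bit range render differently depending on which command is used. The indentation loop `spaces = 8 + strlen(package); while (spaces--) { printf(" "); }` can be one call, `printf("%*s", (int)(8 + strlen(package)), "");`, and a comment such as `/* align continuation rows under the version column of the "%5d: name," header */` would explain where the 8 comes from. `list_directories` and `list_packages` are complete in the hunk; it begins inside `list_files`, whose signature is outside it.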
@@ -763,179 +1133,293 @@ METHOD(attest_db_t, list_products, void, } printf("%d product%s found", count, (count == 1) ? "" : "s"); - if (this->file_set) + if (this->fid) { printf(" for file '%s'", this->file); } printf("\n"); } -/** - * get the directory if there is one from the files tables - */ -static void get_directory(private_attest_db_t *this, int did, char **directory) +METHOD(attest_db_t, list_hashes, void, + private_attest_db_t *this) { enumerator_t *e; - char *dir; - - free(*directory); - *directory = strdup(""); + chunk_t hash; + char *file, *dir, *product; + int id, fid, fid_old = 0, did, did_old = 0, pid, pid_old = 0, count = 0; - if (did) + if (this->pid && this->fid && this->did) { + printf("%4d: %s\n", this->did, this->dir); + printf("%4d: %s\n", this->fid, this->file); e = this->db->query(this->db, - "SELECT path from files WHERE id = ?", - DB_INT, did, DB_TEXT); + "SELECT id, hash FROM file_hashes " + "WHERE algo = ? AND file = ? AND product = ?", + DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->pid, + DB_INT, DB_BLOB); if (e) { - if (e->enumerate(e, &dir)) + while (e->enumerate(e, &id, &hash)) { - free(*directory); - *directory = strdup(dir); + printf("%4d: %#B\n", id, &hash); + count++; } e->destroy(e); + + printf("%d %N value%s found for product '%s'\n", count, + pts_meas_algorithm_names, this->algo, + (count == 1) ? "" : "s", this->product); } } -} - -static bool slash(char *directory, char *file) -{ - return *file != '/' && directory[max(0, strlen(directory)-1)] != '/'; -} - -METHOD(attest_db_t, list_hashes, void, - private_attest_db_t *this) -{ - enumerator_t *e; - chunk_t hash; - char *file, *dir, *product; - int fid, fid_old = 0, did, did_old = 0, count = 0; - - dir = strdup(""); + else if (this->pid && this->file) + { + e = this->db->query(this->db, + "SELECT h.id, h.hash, f.id, d.id, d.path " + "FROM file_hashes AS h " + "JOIN files AS f ON h.file = f.id " + "JOIN directories AS d ON f.dir = d.id " + "WHERE h.algo = ? 
AND h.product = ? AND f.name = ? " + "ORDER BY d.path, f.name, h.hash", + DB_INT, this->algo, DB_INT, this->pid, DB_TEXT, this->file, + DB_INT, DB_BLOB, DB_INT, DB_INT, DB_TEXT); + if (e) + { + while (e->enumerate(e, &id, &hash, &fid, &did, &dir)) + { + if (did != did_old) + { + printf("%4d: %s\n", did, dir); + did_old = did; + } + if (fid != fid_old) + { + printf("%4d: %s\n", fid, this->file); + fid_old = fid; + } + printf("%4d: %#B\n", id, &hash); + count++; + } + e->destroy(e); - if (this->pid && this->fid) + printf("%d %N value%s found for product '%s'\n", count, + pts_meas_algorithm_names, this->algo, + (count == 1) ? "" : "s", this->product); + } + } + else if (this->pid && this->did) { + printf("%4d: %s\n", this->did, this->dir); e = this->db->query(this->db, - "SELECT hash FROM file_hashes " - "WHERE algo = ? AND file = ? AND directory = ? AND product = ?", - DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->did, - DB_INT, this->pid, DB_BLOB); + "SELECT h.id, h.hash, f.id, f.name " + "FROM file_hashes AS h " + "JOIN files AS f ON h.file = f.id " + "WHERE h.algo = ? AND h.product = ? AND f.dir = ? " + "ORDER BY f.name, h.hash", + DB_INT, this->algo, DB_INT, this->pid, DB_INT, this->did, + DB_INT, DB_BLOB, DB_INT, DB_TEXT); if (e) { - while (e->enumerate(e, &hash)) + while (e->enumerate(e, &id, &hash, &fid, &file)) { - if (this->fid != fid_old) + if (fid != fid_old) { - printf("%3d: %s%s%s\n", this->fid, this->dir, - slash(this->dir, this->file) ? "/" : "", this->file); - fid_old = this->fid; + printf("%4d: %s\n", fid, file); + fid_old = fid; } - printf(" %#B\n", &hash); + printf("%4d: %#B\n", id, &hash); count++; } e->destroy(e); printf("%d %N value%s found for product '%s'\n", count, - hash_algorithm_names, pts_meas_algo_to_hash(this->algo), + pts_meas_algorithm_names, this->algo, (count == 1) ? "" : "s", this->product); } } else if (this->pid) { e = this->db->query(this->db, - "SELECT f.id, f. 
f.path, fh.hash, fh.directory " - "FROM file_hashes AS fh " - "JOIN files AS f ON f.id = fh.file " - "WHERE fh.algo = ? AND fh.product = ? " - "ORDER BY fh.directory, f.path", + "SELECT h.id, h.hash, f.id, f.name, d.id, d.path " + "FROM file_hashes AS h " + "JOIN files AS f ON h.file = f.id " + "JOIN directories AS d ON f.dir = d.id " + "WHERE h.algo = ? AND h.product = ? " + "ORDER BY d.path, f.name, h.hash", DB_INT, this->algo, DB_INT, this->pid, - DB_INT, DB_TEXT, DB_BLOB, DB_INT); + DB_INT, DB_BLOB, DB_INT, DB_TEXT, DB_INT, DB_TEXT); if (e) { - while (e->enumerate(e, &fid, &file, &hash, &did)) + while (e->enumerate(e, &id, &hash, &fid, &file, &did, &dir)) { - if (fid != fid_old || did != did_old) + if (did != did_old) { - if (did != did_old) - { - get_directory(this, did, &dir); - } - printf("%3d: %s%s%s\n", fid, - dir, slash(dir, file) ? "/" : "", file); - fid_old = fid; + printf("%4d: %s\n", did, dir); did_old = did; } - printf(" %#B\n", &hash); + if (fid != fid_old) + { + printf("%4d: %s\n", fid, file); + fid_old = fid; + } + printf("%4d: %#B\n", id, &hash); count++; } e->destroy(e); printf("%d %N value%s found for product '%s'\n", count, - hash_algorithm_names, pts_meas_algo_to_hash(this->algo), + pts_meas_algorithm_names, this->algo, (count == 1) ? "" : "s", this->product); } } - else if (this->fid) + else if (this->fid && this->did) { e = this->db->query(this->db, - "SELECT p.name, fh.hash, fh.directory " - "FROM file_hashes AS fh " - "JOIN products AS p ON p.id = fh.product " - "WHERE fh.algo = ? AND fh.file = ? AND fh.directory = ?" - "ORDER BY p.name", - DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->did, - DB_TEXT, DB_BLOB, DB_INT); + "SELECT h.id, h.hash, p.id, p.name FROM file_hashes AS h " + "JOIN products AS p ON h.product = p.id " + "WHERE h.algo = ? AND h.file = ? 
" + "ORDER BY p.name, h.hash", + DB_INT, this->algo, DB_INT, this->fid, + DB_INT, DB_BLOB, DB_INT, DB_TEXT); if (e) { - while (e->enumerate(e, &product, &hash, &did)) + while (e->enumerate(e, &id, &hash, &pid, &product)) { - printf("%#B '%s'\n", &hash, product); + if (pid != pid_old) + { + printf("%4d: %s\n", pid, product); + pid_old = pid; + } + printf("%4d: %#B\n", id, &hash); count++; } e->destroy(e); - printf("%d %N value%s found for file '%s%s%s'\n", - count, hash_algorithm_names, pts_meas_algo_to_hash(this->algo), + printf("%d %N value%s found for file '%s%s%s'\n", count, + pts_meas_algorithm_names, this->algo, (count == 1) ? "" : "s", this->dir, - slash(this->dir, this->file) ? "/" : "", this->file); + streq(this->dir, "/") ? "" : "/", this->file); + } + } + else if (this->file) + { + e = this->db->query(this->db, + "SELECT h.id, h.hash, f.id, d.id, d.path, p.id, p.name " + "FROM file_hashes AS h " + "JOIN files AS f ON h.file = f.id " + "JOIN directories AS d ON f.dir = d.id " + "JOIN products AS p ON h.product = p.id " + "WHERE h.algo = ? AND f.name = ? " + "ORDER BY d.path, f.name, p.name, h.hash", + DB_INT, this->algo, DB_TEXT, this->file, + DB_INT, DB_BLOB, DB_INT, DB_INT, DB_TEXT, DB_INT, DB_TEXT); + if (e) + { + while (e->enumerate(e, &id, &hash, &fid, &did, &dir, &pid, &product)) + { + if (did != did_old) + { + printf("%4d: %s\n", did, dir); + did_old = did; + } + if (fid != fid_old) + { + printf("%4d: %s\n", fid, this->file); + fid_old = fid; + pid_old = 0; + } + if (pid != pid_old) + { + printf("%4d: %s\n", pid, product); + pid_old = pid; + } + printf("%4d: %#B\n", id, &hash); + count++; + } + e->destroy(e); + + printf("%d %N value%s found\n", count, pts_meas_algorithm_names, + this->algo, (count == 1) ? 
"" : "s"); + } + + } + else if (this->did) + { + e = this->db->query(this->db, + "SELECT h.id, h.hash, f.id, f.name, p.id, p.name " + "FROM file_hashes AS h " + "JOIN files AS f ON h.file = f.id " + "JOIN products AS p ON h.product = p.id " + "WHERE h.algo = ? AND f.dir = ? " + "ORDER BY f.name, p.name, h.hash", + DB_INT, this->algo, DB_INT, this->did, + DB_INT, DB_BLOB, DB_INT, DB_TEXT, DB_INT, DB_TEXT); + if (e) + { + while (e->enumerate(e, &id, &hash, &fid, &file, &pid, &product)) + { + if (fid != fid_old) + { + printf("%4d: %s\n", fid, file); + fid_old = fid; + pid_old = 0; + } + if (pid != pid_old) + { + printf("%4d: %s\n", pid, product); + pid_old = pid; + } + printf("%4d: %#B\n", id, &hash); + count++; + } + e->destroy(e); + + printf("%d %N value%s found for directory '%s'\n", count, + pts_meas_algorithm_names, this->algo, + (count == 1) ? "" : "s", this->dir); } } else { e = this->db->query(this->db, - "SELECT f.id, f.path, p.name, fh.hash, fh.directory " - "FROM file_hashes AS fh " - "JOIN files AS f ON f.id = fh.file " - "JOIN products AS p ON p.id = fh.product " - "WHERE fh.algo = ? " - "ORDER BY fh.directory, f.path, p.name", - DB_INT, this->algo, - DB_INT, DB_TEXT, DB_TEXT, DB_BLOB, DB_INT); + "SELECT h.id, h.hash, f.id, f.name, d.id, d.path, p.id, p.name " + "FROM file_hashes AS h " + "JOIN files AS f ON h.file = f.id " + "JOIN directories AS d ON f.dir = d.id " + "JOIN products AS p on h.product = p.id " + "WHERE h.algo = ? " + "ORDER BY d.path, f.name, p.name, h.hash", + DB_INT, this->algo, DB_INT, DB_BLOB, DB_INT, DB_TEXT, + DB_INT, DB_TEXT, DB_INT, DB_TEXT); if (e) { - while (e->enumerate(e, &fid, &file, &product, &hash, &did)) + while (e->enumerate(e, &id, &hash, &fid, &file, &did, &dir, &pid, + &product)) { - if (fid != fid_old || did != did_old) + if (did != did_old) { - if (did != did_old) - { - get_directory(this, did, &dir); - did_old = did; - } - printf("%3d: %s%s%s\n", fid, - dir, slash(dir, file) ? 
"/" : "", file); + printf("%4d: %s\n", did, dir); + did_old = did; + } + if (fid != fid_old) + { + printf("%4d: %s\n", fid, file); fid_old = fid; + pid_old = 0; } - printf(" %#B '%s'\n", &hash, product); + if (pid != pid_old) + { + printf("%4d: %s\n", pid, product); + pid_old = pid; + } + printf("%4d: %#B\n", id, &hash); count++; } e->destroy(e); - printf("%d %N value%s found\n", count, hash_algorithm_names, - pts_meas_algo_to_hash(this->algo), (count == 1) ? "" : "s"); + printf("%d %N value%s found\n", count, pts_meas_algorithm_names, + this->algo, (count == 1) ? "" : "s"); } } - free(dir); } METHOD(attest_db_t, list_measurements, void, @@ -956,7 +1440,7 @@ METHOD(attest_db_t, list_measurements, void, "JOIN keys AS k ON k.id = ch.key " "WHERE ch.algo = ? AND ch.key = ? AND ch.component = ? " "ORDER BY seq_no", - DB_INT, this->algo, DB_INT, this->kid, DB_INT, this->cid, + DB_INT, this->algo, DB_UINT, this->kid, DB_UINT, this->cid, DB_INT, DB_INT, DB_BLOB, DB_TEXT); if (e) { @@ -964,16 +1448,16 @@ METHOD(attest_db_t, list_measurements, void, { if (this->kid != kid_old) { - printf("%3d: %#B '%s'\n", this->kid, &this->key, owner); + printf("%4d: %#B '%s'\n", this->kid, &this->key, owner); kid_old = this->kid; } - printf("%5d %02d %#B\n", seq_no, pcr, &hash); + printf("%7d %02d %#B\n", seq_no, pcr, &hash); count++; } e->destroy(e); printf("%d %N value%s found for component '%s'\n", count, - hash_algorithm_names, pts_meas_algo_to_hash(this->algo), + pts_meas_algorithm_names, this->algo, (count == 1) ? "" : "s", print_cfn(this->cfn)); } } @@ -985,7 +1469,7 @@ METHOD(attest_db_t, list_measurements, void, "JOIN keys AS k ON k.id = ch.key " "WHERE ch.algo = ? AND ch.component = ? " "ORDER BY keyid, seq_no", - DB_INT, this->algo, DB_INT, this->cid, + DB_INT, this->algo, DB_UINT, this->cid, DB_INT, DB_INT, DB_BLOB, DB_INT, DB_BLOB, DB_TEXT); if (e) { 
@@ -993,16 +1477,16 @@ METHOD(attest_db_t, list_measurements, void, { if (kid != kid_old) { - printf("%3d: %#B '%s'\n", kid, &keyid, owner); + printf("%4d: %#B '%s'\n", kid, &keyid, owner); kid_old = kid; } - printf("%5d %02d %#B\n", seq_no, pcr, &hash); + printf("%7d %02d %#B\n", seq_no, pcr, &hash); count++; } e->destroy(e); printf("%d %N value%s found for component '%s'\n", count, - hash_algorithm_names, pts_meas_algo_to_hash(this->algo), + pts_meas_algorithm_names, this->algo, (count == 1) ? "" : "s", print_cfn(this->cfn)); } @@ -1016,7 +1500,7 @@ METHOD(attest_db_t, list_measurements, void, "JOIN components AS c ON c.id = ch.component " "WHERE ch.algo = ? AND ch.key = ? " "ORDER BY vendor_id, name, qualifier, seq_no", - DB_INT, this->algo, DB_INT, this->kid, DB_INT, DB_INT, DB_BLOB, + DB_INT, this->algo, DB_UINT, this->kid, DB_INT, DB_INT, DB_BLOB, DB_INT, DB_INT, DB_INT, DB_INT); if (e) { @@ -1026,7 +1510,7 @@ METHOD(attest_db_t, list_measurements, void, if (cid != cid_old) { cfn = pts_comp_func_name_create(vid, name, qualifier); - printf("%3d: %s\n", cid, print_cfn(cfn)); + printf("%4d: %s\n", cid, print_cfn(cfn)); cfn->destroy(cfn); cid_old = cid; } 
@@ -1036,25 +1520,309 @@ METHOD(attest_db_t, list_measurements, void, e->destroy(e); printf("%d %N value%s found for key %#B '%s'\n", count, - hash_algorithm_names, pts_meas_algo_to_hash(this->algo), + pts_meas_algorithm_names, this->algo, (count == 1) ? "" : "s", &this->key, this->owner); } } } +METHOD(attest_db_t, list_sessions, void, + private_attest_db_t *this) +{ + enumerator_t *e; + chunk_t identity; + char *product, *device; + int session_id, conn_id, rec, device_len; + time_t created; + u_int t; + + e = this->db->query(this->db, + "SELECT s.id, s.time, s.connection, s.rec, p.name, d.value, i.value " + "FROM sessions AS s " + "LEFT JOIN products AS p ON s.product = p.id " + "LEFT JOIN devices AS d ON s.device = d.id " + "LEFT JOIN identities AS i ON s.identity = i.id " + "ORDER BY s.time DESC", + DB_INT, DB_UINT, DB_INT, DB_INT, DB_TEXT, DB_TEXT, DB_BLOB); + if (e) + { + while (e->enumerate(e, &session_id, &t, &conn_id, &rec, &product, + &device, &identity)) + { + created = t; + product = product ? product : "-"; + device = strlen(device) ? device : "-"; + device_len = min(strlen(device), DEVICE_MAX_LEN); + identity = identity.len ? identity : chunk_from_str("-"); + printf("%4d: %T %2d %-20s %.*s%*s%.*s - %N\n", session_id, &created, + FALSE, conn_id, product, device_len, device, + DEVICE_MAX_LEN - device_len + 1, " ", (int)identity.len, + identity.ptr, TNC_IMV_Action_Recommendation_names, rec); + } + e->destroy(e); + } +} + +/** + * Insert a file hash into the database + */ +static bool insert_file_hash(private_attest_db_t *this, + pts_meas_algorithms_t algo, + chunk_t measurement, int fid, bool ima, + int *hashes_added, int *hashes_updated) +{ + enumerator_t *e; + chunk_t hash; + char *label; + + label = "could not be created"; + + e = this->db->query(this->db, + "SELECT hash FROM file_hashes WHERE algo = ? " + "AND file = ? AND product = ? 
AND device = 0", + DB_INT, algo, DB_UINT, fid, DB_UINT, this->pid, DB_BLOB); + if (!e) + { + printf("file_hashes query failed\n"); + return FALSE; + } + if (e->enumerate(e, &hash)) + { + if (chunk_equals(measurement, hash)) + { + label = "exists and equals"; + } + else + { + if (this->db->execute(this->db, NULL, + "UPDATE file_hashes SET hash = ? WHERE algo = ? " + "AND file = ? AND product = ? and device = 0", + DB_BLOB, measurement, DB_INT, algo, DB_UINT, fid, + DB_UINT, this->pid) == 1) + { + label = "updated"; + (*hashes_updated)++; + } + } + } + else + { + if (this->db->execute(this->db, NULL, + "INSERT INTO file_hashes " + "(file, product, device, algo, hash) " + "VALUES (?, ?, 0, ?, ?)", + DB_UINT, fid, DB_UINT, this->pid, + DB_INT, algo, DB_BLOB, measurement) == 1) + { + label = "created"; + (*hashes_added)++; + } + } + e->destroy(e); + + printf(" %#B - %s%s\n", &measurement, ima ? "ima - " : "", label); + return TRUE; +} + +/** + * Add hash measurement for a single file or all files in a directory + */ +static bool add_hash(private_attest_db_t *this) +{ + char *pathname, *filename, *sep, *label, *pos; + char ima_buffer[IMA_MAX_NAME_LEN + 1]; + chunk_t measurement, ima_template; + pts_file_meas_t *measurements; + hasher_t *hasher = NULL; + bool ima = FALSE; + int fid, files_added = 0, hashes_added = 0, hashes_updated = 0; + int len, ima_hashes_added = 0, ima_hashes_updated = 0; + enumerator_t *enumerator, *e; + + if (this->algo == PTS_MEAS_ALGO_SHA1_IMA) + { + ima = TRUE; + this->algo = PTS_MEAS_ALGO_SHA1; + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (!hasher) + { + printf("could not create hasher\n"); + return FALSE; + } + } + sep = streq(this->dir, "/") ? 
"" : "/"; + + if (this->fid) + { + /* build pathname from directory path and relative filename */ + if (asprintf(&pathname, "%s%s%s", this->dir, sep, this->file) == -1) + { + return FALSE; + } + measurements = pts_file_meas_create_from_path(0, pathname, FALSE, + TRUE, this->algo); + free(pathname); + } + else + { + measurements = pts_file_meas_create_from_path(0, this->dir, TRUE, + TRUE, this->algo); + } + if (!measurements) + { + printf("file measurement failed\n"); + DESTROY_IF(hasher); + return FALSE; + } + + enumerator = measurements->create_enumerator(measurements); + while (enumerator->enumerate(enumerator, &filename, &measurement)) + { + if (this->fid) + { + /* a single file already exists */ + filename = this->file; + fid = this->fid; + label = "exists"; + } + else + { + /* retrieve or create filename */ + label = "could not be created"; + + e = this->db->query(this->db, + "SELECT id FROM files WHERE name = ? AND dir = ?", + DB_TEXT, filename, DB_INT, this->did, DB_INT); + if (!e) + { + printf("files query failed\n"); + break; + } + if (e->enumerate(e, &fid)) + { + label = "exists"; + } + else + { + if (this->db->execute(this->db, &fid, + "INSERT INTO files (name, dir) VALUES (?, ?)", + DB_TEXT, filename, DB_INT, this->did) == 1) + { + label = "created"; + files_added++; + } + } + e->destroy(e); + } + printf("%4d: %s - %s\n", fid, filename, label); + + /* compute file measurement hash */ + if (!insert_file_hash(this, this->algo, measurement, fid, FALSE, + &hashes_added, &hashes_updated)) + { + break; + } + if (!ima) + { + continue; + } + + /* compute IMA template hash */ + pos = ima_buffer; + len = IMA_MAX_NAME_LEN; + if (!this->relative) + { + strncpy(pos, this->dir, len); + len = max(0, len - strlen(this->dir)); + pos = ima_buffer + IMA_MAX_NAME_LEN - len; + strncpy(pos, sep, len); + len = max(0, len - strlen(sep)); + pos = ima_buffer + IMA_MAX_NAME_LEN - len; + } + strncpy(pos, filename, len); + ima_buffer[IMA_MAX_NAME_LEN] = '\0'; + ima_template = 
chunk_create(ima_buffer, sizeof(ima_buffer)); + if (!hasher->get_hash(hasher, measurement, NULL) || + !hasher->get_hash(hasher, ima_template, measurement.ptr)) + { + printf("could not compute IMA template hash\n"); + break; + } + if (!insert_file_hash(this, PTS_MEAS_ALGO_SHA1_IMA, measurement, fid, + TRUE, &ima_hashes_added, &ima_hashes_updated)) + { + break; + } + } + enumerator->destroy(enumerator); + + printf("%d measurements, added %d new files, %d file hashes", + measurements->get_file_count(measurements), files_added, + hashes_added); + if (ima) + { + printf(", %d ima hashes", ima_hashes_added); + hasher->destroy(hasher); + } + printf(", updated %d file hashes", hashes_updated); + if (ima) + { + printf(", %d ima hashes", ima_hashes_updated); + } + printf("\n"); + measurements->destroy(measurements); + + return TRUE; +} + METHOD(attest_db_t, add, bool, private_attest_db_t *this) { bool success = FALSE; + /* add key/component pair */ if (this->kid && this->cid) { success = this->db->execute(this->db, NULL, - "INSERT INTO key_component (key, component) VALUES (?, ?)", - DB_UINT, this->kid, DB_UINT, this->cid) == 1; + "INSERT INTO key_component (key, component, seq_no) " + "VALUES (?, ?, ?)", + DB_UINT, this->kid, DB_UINT, this->cid, + DB_UINT, this->seq_no) == 1; - printf("key/component pair (%d/%d) %sinserted into database\n", - this->kid, this->cid, success ? "" : "could not be "); + printf("key/component pair (%d/%d) %sinserted into database at " + "position %d\n", this->kid, this->cid, + success ? 
"" : "could not be ", this->seq_no); + + return success; + } + + /* add directory or file hash measurement for a given product */ + if (this->did && this->pid) + { + return add_hash(this); + } + + /* insert package version */ + if (this->version_set && this->gid && this->pid) + { + time_t t = time(NULL); + int security, blacklist; + + security = this->package_state == OS_PACKAGE_STATE_SECURITY; + blacklist = this->package_state == OS_PACKAGE_STATE_BLACKLIST; + + success = this->db->execute(this->db, NULL, + "INSERT INTO versions " + "(package, product, release, security, blacklist, time) " + "VALUES (?, ?, ?, ?, ?, ?)", + DB_UINT, this->gid, DB_INT, this->pid, DB_TEXT, + this->version, DB_INT, security, DB_INT, blacklist, + DB_INT, t) == 1; + + printf("'%s' package %s (%s)%N %sinserted into database\n", + this->product, this->package, this->version, + os_package_state_names, this->package_state, + success ? "" : "could not be "); } return success; } 
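Review bot: In list_sessions, `device = strlen(device) ? device : "-";` dereferences a NULL pointer for a session row without a device, because `d.value` comes from a LEFT JOIN and is read as DB_TEXT; `product` on the line above is guarded for NULL but `device` is not. Guard it the same way, `device = (device && strlen(device)) ? device : "-";`. In add_hash, the IMA template assembly uses `len = max(0, len - strlen(this->dir))`, where `len - strlen(...)` is evaluated as size_t, so an over-long directory name presumably wraps to a huge value instead of clamping to 0 (depending on how `max` is defined) and the following `pos = ima_buffer + IMA_MAX_NAME_LEN - len` then points outside ima_buffer. Building the name with `memset(ima_buffer, 0, sizeof(ima_buffer)); snprintf(ima_buffer, sizeof(ima_buffer), "%s%s%s", this->relative ? "" : this->dir, this->relative ? "" : sep, filename);` keeps the zero padding the template hash relies on and truncates safely.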
@@ -1063,13 +1831,45 @@ METHOD(attest_db_t, delete, bool, private_attest_db_t *this) { bool success; + int id, count = 0; + char *name; + enumerator_t *e; + + /* delete a file measurement hash for a given product */ + if (this->algo && this->pid && this->fid) + { + success = this->db->execute(this->db, NULL, + "DELETE FROM file_hashes " + "WHERE algo = ? AND product = ? AND file = ?", + DB_UINT, this->algo, DB_UINT, this->pid, + DB_UINT, this->fid) > 0; + + printf("%4d: %s%s%s\n", this->fid, this->dir, + streq(this->dir, "/") ? "" : "/", this->file); + printf("%N value for product '%s' %sdeleted from database\n", + pts_meas_algorithm_names, this->algo, this->product, + success ? "" : "could not be "); + + return success; + } + /* delete product/file entries */ if (this->pid && (this->fid || this->did)) { - printf("deletion of product/file entries not supported yet\n"); - return FALSE; + success = this->db->execute(this->db, NULL, + "DELETE FROM product_file " + "WHERE product = ? AND file = ?", + DB_UINT, this->pid, + DB_UINT, this->fid ? this->fid : this->did) > 0; + + printf("product/file pair (%d/%d) %sdeleted from database\n", + this->pid, this->fid ? this->fid : this->did, + success ? "" : "could not be "); + + return success; } + /* delete key/component pair */ if (this->kid && this->cid) { success = this->db->execute(this->db, NULL, 
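Review bot: The product/file branch binds `this->did` into the `file` column of product_file when only a directory was given (`DB_UINT, this->fid ? this->fid : this->did`); if that column references files.id, a directory id is matched against file ids and presumably deletes an unrelated row or nothing at all. Rejecting the directory-only case, `if (!this->fid) { printf("deletion of product/directory entries not supported yet\n"); return FALSE; }`, is safer than aliasing the two ids. The first branch binds `this->algo` as DB_UINT while the other queries in this file bind algo as DB_INT; keeping one binding type avoids surprises in the backend. The same branch prints `this->dir` via `%s` and `streq`, which assumes set_fid has populated `dir` — worth confirming, since the rest of delete continues outside the hunk.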
@@ -1093,24 +1893,44 @@ METHOD(attest_db_t, delete, bool, return success; } - if (this->did) + if (this->fid) { success = this->db->execute(this->db, NULL, - "DELETE FROM files WHERE type = 1 AND id = ?", - DB_UINT, this->did) > 0; + "DELETE FROM files WHERE id = ?", + DB_UINT, this->fid) > 0; - printf("directory '%s' %sdeleted from database\n", this->dir, + printf("file '%s%s%s' %sdeleted from database\n", this->dir, + streq(this->dir, "/") ? "" : "/", this->file, success ? "" : "could not be "); return success; } - if (this->fid) + if (this->did) { - success = this->db->execute(this->db, NULL, - "DELETE FROM files WHERE id = ?", - DB_UINT, this->fid) > 0; + e = this->db->query(this->db, + "SELECT id, name FROM files WHERE dir = ? ORDER BY name", + DB_INT, this->did, DB_INT, DB_TEXT); + if (e) + { + while (e->enumerate(e, &id, &name)) + { + printf("%4d: %s\n", id, name); + count++; + } + e->destroy(e); - printf("file '%s' %sdeleted from database\n", this->file, + if (count) + { + printf("%d dependent file%s found, " + "directory '%s' could not deleted\n", + count, (count == 1) ? "" : "s", this->dir); + return FALSE; + } + } + success = this->db->execute(this->db, NULL, + "DELETE FROM directories WHERE id = ?", + DB_UINT, this->did) > 0; + printf("directory '%s' %sdeleted from database\n", this->dir, success ? "" : "could not be "); return success; } @@ -1145,7 +1965,9 @@ METHOD(attest_db_t, destroy, void, { DESTROY_IF(this->db); DESTROY_IF(this->cfn); + free(this->package); free(this->product); + free(this->version); free(this->file); free(this->dir); free(this->owner); 
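Review bot: The user-facing message in the directory branch reads `"directory '%s' could not deleted\n"`; it should be `"directory '%s' could not be deleted\n"`. That branch refuses to delete a directory that still has files, but the new file branch runs `DELETE FROM files WHERE id = ?` without checking for dependent file_hashes or product_file rows, which can leave hashes pointing at a removed file id; applying the same dependency check there would be consistent. When the `SELECT id, name FROM files` query fails (`e == NULL`), the code falls through and deletes the directory anyway; returning FALSE on a failed query matches how insert_file_hash handles the same condition.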
@@ -1170,22 +1992,31 @@ attest_db_t *attest_db_create(char *uri) .set_fid = _set_fid, .set_key = _set_key, .set_kid = _set_kid, + .set_package = _set_package, + .set_gid = _set_gid, .set_product = _set_product, .set_pid = _set_pid, + .set_version = _set_version, .set_algo = _set_algo, + .set_relative = _set_relative, + .set_package_state = _set_package_state, + .set_sequence = _set_sequence, .set_owner = _set_owner, + .set_utc = _set_utc, + .list_packages = _list_packages, .list_products = _list_products, .list_files = _list_files, + .list_directories = _list_directories, .list_components = _list_components, + .list_devices = _list_devices, .list_keys = _list_keys, .list_hashes = _list_hashes, .list_measurements = _list_measurements, + .list_sessions = _list_sessions, .add = _add, .delete = _delete, .destroy = _destroy, }, - .dir = strdup(""), - .algo = PTS_MEAS_ALGO_SHA256, .db = lib->db->create(lib->db, uri), ); diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h index 9c9a9dcba..d0a48d844 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.h +++ b/src/libpts/plugins/imv_attestation/attest_db.h @@ -14,16 +14,15 @@ */ /** - * * @defgroup attest_db_t attest_db - * @{ @ingroup attest_db + * @{ @ingroup libpts */ #ifndef ATTEST_DB_H_ #define ATTEST_DB_H_ #include <pts/pts_meas_algo.h> - +#include <os_info/os_info.h> #include <library.h> typedef struct attest_db_t attest_db_t; 
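Review bot: The method table in attest_db_create does not initialise `.set_ima`, yet the header hunk in attest_db.h adds `void (*set_ima)(attest_db_t *this);` to the interface; the designated initialiser leaves that member zeroed, so any caller invoking `set_ima` jumps through a NULL pointer. Either add `.set_ima = _set_ima,` next to `.set_relative` with a matching METHOD, or drop the declaration from the header. The hunk also removes the `.dir = strdup("")` and `.algo = PTS_MEAS_ALGO_SHA256` defaults, so `this->dir` starts out NULL; the `streq(this->dir, "/")` and `%s` uses in add_hash and delete elsewhere in this diff presumably rely on a setter having run first, which is worth confirming for every command path that reaches them.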
@@ -102,6 +101,23 @@ struct attest_db_t { bool (*set_kid)(attest_db_t *this, int kid); /** + * Set software package to be queried + * + * @param product software package + * @param create if TRUE create database entry if it doesn't exist + * @return TRUE if successful + */ + bool (*set_package)(attest_db_t *this, char *package, bool create); + + /** + * Set primary key of the software package to be queried + * + * @param gid primary key of software package + * @return TRUE if successful + */ + bool (*set_gid)(attest_db_t *this, int gid); + + /** * Set software product to be queried * * @param product software product @@ -119,6 +135,14 @@ struct attest_db_t { bool (*set_pid)(attest_db_t *this, int pid); /** + * Set software package version to be queried + * + * @param version software package version + * @return TRUE if successful + */ + bool (*set_version)(attest_db_t *this, char *version); + + /** * Set measurement hash algorithm * * @param algo hash algorithm @@ -126,6 +150,26 @@ struct attest_db_t { void (*set_algo)(attest_db_t *this, pts_meas_algorithms_t algo); /** + * Set that the IMA-specific SHA-1 template hash be computed + */ + void (*set_ima)(attest_db_t *this); + + /** + * Set that relative filenames are to be used + */ + void (*set_relative)(attest_db_t *this); + + /** + * Set the package security or blacklist state + */ + void (*set_package_state)(attest_db_t *this, os_package_state_t package_state); + + /** + * Set the sequence number + */ + void (*set_sequence)(attest_db_t *this, int seq_no); + + /** * Set owner [user/host] of an AIK * * @param owner user/host name 
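Review bot: The doc comment for `set_package` names its parameter `@param product software package`, but the prototype's parameter is `package`; change it to `@param package software package`. In the `@@ -126` hunk, `set_package_state` and `set_sequence` take arguments yet carry only a one-line description, while the neighbouring setters document theirs; add `@param package_state security or blacklist state of the package` and `@param seq_no sequence number of the key/component entry`.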
@@ -134,11 +178,26 @@ struct attest_db_t { void (*set_owner)(attest_db_t *this, char *owner); /** + * Display all dates in UTC + */ + void (*set_utc)(attest_db_t *this); + + /** + * List all packages stored in the database + */ + void (*list_packages)(attest_db_t *this); + + /** * List all products stored in the database */ void (*list_products)(attest_db_t *this); /** + * List all directories stored in the database + */ + void (*list_directories)(attest_db_t *this); + + /** * List selected files stored in the database */ void (*list_files)(attest_db_t *this); @@ -149,6 +208,11 @@ struct attest_db_t { void (*list_components)(attest_db_t *this); /** + * List all devices stored in the database + */ + void (*list_devices)(attest_db_t *this); + + /** * List all AIKs stored in the database */ void (*list_keys)(attest_db_t *this); @@ -164,6 +228,11 @@ struct attest_db_t { void (*list_measurements)(attest_db_t *this); /** + * List sessions stored in the database + */ + void (*list_sessions)(attest_db_t *this); + + /** * Add an entry to the database */ bool (*add)(attest_db_t *this); diff --git a/src/libpts/plugins/imv_attestation/attest_usage.c b/src/libpts/plugins/imv_attestation/attest_usage.c index e58f821e0..324fcafc3 100644 --- a/src/libpts/plugins/imv_attestation/attest_usage.c +++ b/src/libpts/plugins/imv_attestation/attest_usage.c 
@@ -24,42 +24,49 @@ void usage(void) { printf("\ Usage:\n\ - ipsec attest --files|--products|--keys|--hashes [options]\n\ + ipsec attest --components|--devices|--files|--hashes|--keys [options]\n\ \n\ - ipsec attest --components|-keys|--measurements|--add|--del [options]\n\ + ipsec attest --measurements|--packages|--products|--add|--del [options]\n\ \n\ - ipsec attest --files [--product <name>|--pid <id>]\n\ - Show a list of files with a software product name or\n\ + ipsec attest --components [--key <digest>|--kid <id>]\n\ + Show a list of components with an AIK digest or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --products [--file <path>|--fid <id>]\n\ - Show a list of supported software products with a file path or\n\ + ipsec attest --devices [--utc]\n\ + Show a list of registered devices and associated collected information\n\ + \n\ + ipsec attest --files [--product <name>|--pid <id>]\n\ + Show a list of files with a software product name or\n\ its primary key as an optional selector.\n\ \n\ ipsec attest --hashes [--sha1|--sha256|--sha384] [--product <name>|--pid <id>]\n\ Show a list of measurement hashes for a given software product or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --hashes [--sha1|--sha256|--sha384] [--file <path>|--fid <id>]\n\ + ipsec attest --hashes [--sha1|--sha1-ima|--sha256|--sha384] [--file <path>|--fid <id>]\n\ Show a list of measurement hashes for a given file or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --components [--key <digest>|--kid <id>]\n\ - Show a list of components with an AIK digest or\n\ - its primary key as an optional selector.\n\ - \n\ ipsec attest --keys [--components <cfn>|--cid <id>]\n\ Show a list of AIK key digests with a component or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --measurements [--sha1|--sha256|--sha384] [--component <cfn>|--cid <id>]\n\ + ipsec attest --measurements --sha1|--sha256|--sha384 [--component 
<cfn>|--cid <id>]\n\ Show a list of component measurements for a given component or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --measurements [--sha1|--sha256|--sha384] [--key <digest>|--kid <id>|--aik <path>]\n\ + ipsec attest --measurements --sha1|--sha256|--sha384 [--key <digest>|--kid <id>|--aik <path>]\n\ Show a list of component measurements for a given AIK or\n\ its primary key as an optional selector.\n\ \n\ + ipsec attest --packages [--product <name>|--pid <id>] [--utc]\n\ + Show a list of software packages for a given product or\n\ + its primary key as an optional selector.\n\ + \n\ + ipsec attest --products [--file <path>|--fid <id>]\n\ + Show a list of supported software products with a file path or\n\ + its primary key as an optional selector.\n\ + \n\ ipsec attest --add --file <path>|--dir <path>|--product <name>|--component <cfn>\n\ Add a file, directory, product or component entry\n\ Component <cfn> entries must be of the form <vendor_id>/<name>-<qualifier>\n\ 
@@ -67,14 +74,35 @@ Usage:\n\ ipsec attest --add [--owner <name>] --key <digest>|--aik <path>\n\ Add an AIK public key digest entry preceded by an optional owner name\n\ \n\ + ipsec attest --add --product <name>|--pid <id> --sha1|--sha1-ima|--sha256|--sha384\n\ + [--relative|--rel] --dir <path>|--file <path>\n\ + Add hashes of a single file or all files in a directory under absolute or relative filenames\n\ + \n\ + ipsec attest --add --key <digest|--kid <id> --component <cfn>|--cid <id> --sequence <no>|--seq <no>\n\ + Add an ordered key/component entry\n\ + \n\ + ipsec attest --add --package <name> --version <string> [--security|--blacklist]\n\ + [--product <name>|--pid <id>]\n\ + Add a package version for a given product optionally with security or blacklist flag\n\ + \n\ ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\ Delete a file or directory entry referenced either by value or primary key\n\ \n\ ipsec attest --del --product <name>|--pid <id>|--component <cfn>|--cid <id>\n\ Delete a product or component entry referenced either by value or primary key\n\ \n\ + ipsec attest --del --product <name>|--pid <id> --file <path>|--fid <id>|--dir <path>|--did <id>\n\ + Delete a product/file entry referenced either by value or primary key\n\ + \n\ ipsec attest --del --key <digest>|--kid <id>|--aik <path>\n\ Delete an AIK entry referenced either by value or primary key\n\ + \n\ + ipsec attest --del --key <digest|--kid <id> --component <cfn>|--cid <id>\n\ + Delete a key/component entry\n\ + \n\ + ipsec attest --del --product <name>|--pid <id> --sha1|--sha1-ima|--sha256|--sha384\n\ + [--dir <path>|--did <id>] --file <path>|--fid <id>\n\ + Delete a file hash given an absolute or relative filename\n\ \n"); } diff --git a/src/libpts/plugins/imv_attestation/build-database.sh b/src/libpts/plugins/imv_attestation/build-database.sh new file mode 100755 index 000000000..be1024de0 --- /dev/null +++ b/src/libpts/plugins/imv_attestation/build-database.sh 
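Review bot: Two added usage lines are missing a closing angle bracket: `--key <digest|--kid <id>` appears in both the `--add ... --sequence` line and the `--del ... --component` line and should read `--key <digest>|--kid <id>`, as the other `--key` lines in this text do. The printf string literal that holds the usage text starts before this hunk.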
@@ -0,0 +1,221 @@ +#!/bin/sh + +p="Ubuntu 12.04 i686" + +ipsec attest --add --product "$p" --sha1-ima --dir /sbin +ipsec attest --add --product "$p" --sha1-ima --dir /usr/sbin +ipsec attest --add --product "$p" --sha1-ima --dir /bin +ipsec attest --add --product "$p" --sha1-ima --dir /usr/bin +ipsec attest --add --product "$p" --sha1-ima --dir /etc/acpi +ipsec attest --add --product "$p" --sha1-ima --file /etc/init.d/rc +ipsec attest --add --product "$p" --sha1-ima --file /etc/init.d/rcS +ipsec attest --add --product "$p" --sha1-ima --dir /etc/network/if-post-down.d +ipsec attest --add --product "$p" --sha1-ima --dir /etc/network/if-pre-up.d +ipsec attest --add --product "$p" --sha1-ima --dir /etc/network/if-up.d +ipsec attest --add --product "$p" --sha1-ima --file /etc/NetworkManager/dispatcher.d/01ifupdown +ipsec attest --add --product "$p" --sha1-ima --dir /etc/ppp/ip-down.d +ipsec attest --add --product "$p" --sha1-ima --dir /etc/rc2.d +ipsec attest --add --product "$p" --sha1-ima --dir /etc/rcS.d +ipsec attest --add --product "$p" --sha1-ima --file /etc/rc.local +ipsec attest --add --product "$p" --sha1-ima --dir /etc/resolvconf/update.d +ipsec attest --add --product "$p" --sha1-ima --file /etc/resolvconf/update-libc.d/avahi-daemon +ipsec attest --add --product "$p" --sha1-ima --dir /etc/update-motd.d +ipsec attest --add --product "$p" --sha1-ima --file /lib/crda/setregdomain +ipsec attest --add --product "$p" --sha1-ima --file /lib/init/apparmor-profile-load +ipsec attest --add --product "$p" --sha1-ima --file /lib/resolvconf/list-records +ipsec attest --add --product "$p" --sha1-ima --dir /lib/udev +ipsec attest --add --product "$p" --sha1-ima --file /lib/ufw/ufw-init +ipsec attest --add --product "$p" --sha1-ima --file /opt/Adobe/Reader9/Reader/intellinux/bin/acroread +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/accountsservice/accounts-daemon +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/apt/methods +ipsec attest --add 
--product "$p" --sha1-ima --dir /usr/lib/at-spi2-core +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/avahi/avahi-daemon-check-dns.sh +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/bamf/bamfdaemon +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ConsoleKit +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ConsoleKit/run-seat.d +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ConsoleKit/run-session.d +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/cups/notifier +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/dconf/dconf-service +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/dbus-1.0/dbus-daemon-launch-helper +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/deja-dup/deja-dup/deja-dup-monitor +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/evolution/3.2/evolution-alarm-notify +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/firefox/firefox +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/firefox/plugin-container +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gcc/i686-linux-gnu/4.6/cc1 +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gcc/i686-linux-gnu/4.6/collect2 +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/geoclue/geoclue-master +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/git-core +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-desktop3/check_gl_texture_size +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-disk-utility/gdu-notification-daemon +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-online-accounts/goa-daemon +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/gnome-settings-daemon +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gnome-user-share/gnome-user-share +ipsec attest --add --product "$p" --sha1-ima --file 
/usr/lib/gnome-screensaver/gnome-screensaver-dialog +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/gvfs +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/gvfs//gvfs-fuse-daemon +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/i386-linux-gnu/colord/colord +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/i386-linux-gnu/gconf +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-application/indicator-application-service +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-appmenu/hud-service +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-datetime/indicator-datetime-service +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-messages/indicator-messages-service +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-printers/indicator-printers-service +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-session/indicator-session-service +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/indicator-sound/indicator-sound-service +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/lightdm +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/NetworkManager/nm-dhcp-client.action +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/NetworkManager/nm-dispatcher.action +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/notify-osd/notify-osd +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/nux/unity_support_test +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/pm-utils/power.d +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/pm-utils/sleep.d +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/policykit-1/polkitd +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1 +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/pulseaudio/pulse/gconf-helper 
+ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/rtkit/rtkit-daemon +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/system-service/system-service-d +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/telepathy/mission-control-5 +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/thunderbird/thunderbird +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ubuntuone-client +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/ubuntu-geoip/ubuntu-geoip-provider +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/ubuntu-sso-client +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/udisks +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity/unity-panel-service +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-lens-applications/unity-applications-daemon +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-lens-files/unity-files-daemon +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/unity-lens-music +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-lens-video/unity-lens-video +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/unity-scope-video-remote/unity-scope-video-remote +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/update-manager/release-upgrade-motd +ipsec attest --add --product "$p" --sha1-ima --dir /usr/lib/update-notifier +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/upower/upowerd +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/libvte-2.90-9/gnome-pty-helper +ipsec attest --add --product "$p" --sha1-ima --file /usr/lib/zeitgeist/zeitgeist-fts +ipsec attest --add --product "$p" --sha1-ima --file /usr/share/apport/apport +ipsec attest --add --product "$p" --sha1-ima --file /usr/share/apport/apport-checkreports +ipsec attest --add --product "$p" --sha1-ima --file /usr/share/apport/apport-gtk +ipsec attest --add --product "$p" --sha1-ima --dir 
/usr/share/language-tools
+ipsec attest --add --product "$p" --sha1-ima --file /usr/share/virtualbox/VBoxCreateUSBNode.sh
+ipsec attest --add --product "$p" --sha1-ima --relative --file /etc/ld.so.cache
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/i386-linux-gnu
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/i386-linux-gnu/security
+for file in `find /lib/modules/3.2.21ima/kernel -name *.ko`
+do
+ipsec attest --add --product "$p" --sha1-ima --relative --file $file
+done
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/plymouth
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/plymouth/renderers
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /lib/security
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /opt/Adobe/Reader9/Reader/intellinux/lib
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/apache2/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/compiz
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/compizconfig/backends/
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/enchant
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/evolution/3.2/libemiscwidgets.so.0.0.0
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/evolution/3.2/libeutil.so.0.0.0
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/evolution/3.2/libgnomecanvas.so.0.0.0
+for file in /usr/lib/firefox/*.so
+do
+ipsec attest --add --product "$p" --sha1-ima --relative --file $file
+done
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox/components/libbrowsercomps.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox/components/libdbusservice.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox/components/libmozgnome.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox-addons/extensions/globalmenu@ubuntu.com/components/libglobalmenu.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/firefox-addons/plugins/nppdf.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/flashplugin-installer/libflashplayer.so
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gedit/plugins
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gnome-bluetooth
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gnome-settings-daemon-3.0
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gtk-2.0/2.10.0/menuproxies
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gtk-3.0/3.0.0/menuproxies
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/gtk-3.0/3.0.0/theming-engines
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/alsa-lib
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/dri
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gconf/2
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gconv
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gio/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-2.0/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-2.0/2.10.0/engines
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-2.0/2.10.0/immodules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-3.0/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gtk-3.0/3.0.0/immodules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/gvfs
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/libcanberra-0.28
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/mesa
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/mit-krb5
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/openssl-1.0.0/engines
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/pango/1.6.0/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/pkcs11
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/polkit-1/extensions
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/nss
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/sane
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/i386-linux-gnu/sse2
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/indicators3/7
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/indicator-messages/status-providers/1
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/libpeas-1.0/loaders
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/man-db/libman-2.6.1.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/man-db/libmandb-2.6.1.so
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/mission-control-plugins.0
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/ModemManager
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/nautilus/extensions-3.0
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/NetworkManager/libnm-settings-plugin-ifupdown.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/perl/5.14.2/auto/File/Glob/Glob.so
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/pulse-1.1/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/python2.7/lib-dynload
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/apt_inst.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/apt_pkg.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/cairo/_cairo.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/dbus/mainloop/qt.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/_dbus_bindings.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/_dbus_glib_bindings.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/duplicity/_librsync.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gi/_gi.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gi/_gobject/_gobject.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gi/_glib/_glib.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/glib/_glib.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gobject/_gobject.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/atk.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/gtk/_gtk.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/gio/_gio.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/gio/unix.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/pango.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/pangocairo.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/gtk-2.0/pynotify/_pynotify.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/OpenSSL/crypto.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/OpenSSL/rand.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/OpenSSL/SSL.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/PyQt4/QtCore.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/simplejson/_speedups.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/sip.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/twisted/internet/_sigchld.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/twisted/python/_initgroups.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/xapian/_xapian.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/python2.7/dist-packages/zope/interface/_zope_interface_coptimizations.so
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/rsyslog
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/sane
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/sse2
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/sudo
+for file in /usr/lib/thunderbird/*.so
+do
+ipsec attest --add --product "$p" --sha1-ima --relative --file $file
+done
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/thunderbird/components/libdbusservice.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/thunderbird/components/libmozgnome.so
+ipsec attest --add --product "$p" --sha1-ima --relative --file /usr/lib/thunderbird-addons/extensions/globalmenu@ubuntu.com/components/libglobalmenu.so
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/xorg/modules
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/xorg/modules/drivers
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/xorg/modules/extensions
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/lib/xorg/modules/input
+ipsec attest --add --product "$p" --sha1-ima --relative --dir /usr/share/fonts/truetype/ubuntu-font-family
+ipsec attest --del --product "$p" --sha1 --file /lib/resolvconf/list-records
+ipsec attest --del --product "$p" --sha1-ima --file /lib/resolvconf/list-records
+ipsec attest --del --product "$p" --sha1 --file /usr/bin/lsb_release
+ipsec attest --del --product "$p" --sha1-ima --file /usr/bin/lsb_release
+ipsec attest --del --product "$p" --sha1 --file /usr/share/language-tools/language-options
+ipsec attest --del --product "$p" --sha1-ima --file /usr/share/language-tools/language-options
+
diff --git a/src/libpts/plugins/imv_attestation/data.sql b/src/libpts/plugins/imv_attestation/data.sql
deleted file mode 100644
index e6e03627a..000000000
--- a/src/libpts/plugins/imv_attestation/data.sql
+++ /dev/null
@@ -1,1305 +0,0 @@ -/* Products */ - -INSERT INTO products ( - name -) VALUES ( - 'Ubuntu 11.04 i686' -); - -INSERT INTO products ( - name -) VALUES ( - 'Ubuntu 11.04 x86_64' -); - -INSERT INTO products ( - name -) VALUES ( - 'CentOS release 5.6 (Final) x86_64' -); - -INSERT INTO products ( - name -) VALUES ( - 'Ubuntu 10.10 x86_64' -); - -INSERT INTO products ( - name -) VALUES ( - 'Ubuntu 10.10 i686' -); - -INSERT INTO products ( - name -) VALUES ( - 'Gentoo Base System release 1.12.11.1 i686' -); - -INSERT INTO products ( - name -) VALUES ( - 'Ubuntu 11.10 i686' -); - -/* Files */ - -INSERT INTO files ( /* 1 */ - type, path -) VALUES ( - 0, '/lib/i386-linux-gnu/libdl.so.2' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, '/lib/x86_64-linux-gnu/libdl.so.2' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, '/lib/libdl.so.2' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, '/sbin/iptables' -); - -INSERT INTO files ( /* 5 */ - type, path -) VALUES ( - 0, '/lib/libxtables.so.5' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, '/lib/libxtables.so.2' -); - -INSERT INTO files ( - type, path -) VALUES ( - 1, '/lib/xtables/' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, 'libxt_udp.so' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, 'libxt_tcp.so' -); - -INSERT INTO files ( /* 10 */ - type, path -) VALUES ( - 0, 'libxt_esp.so' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, 'libxt_policy.so' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, 'libxt_conntrack.so' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, 'libipt_SNAT.so' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, 'libipt_DNAT.so' -); - -INSERT INTO files ( /* 15 */ - type, path -) VALUES ( - 0, 'libipt_MASQUERADE.so' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, 'libipt_LOG.so' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, '/sbin/ip6tables' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, 
'libip6t_LOG.so' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, 'libxt_mark.so' -); - -INSERT INTO files ( /* 20 */ - type, path -) VALUES ( - 0, 'libxt_MARK.so' -); - -INSERT INTO files ( - type, path -) VALUES ( - 1, '/lib/iptables' -); - -INSERT INTO files ( - type, path -) VALUES ( - 0, '/etc/tnc_config' -); - -/* Product-File */ - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 1, 1, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 1, 4, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 1, 5, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 1, 7, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 1, 17, 1 -); - -INSERT INTO product_file ( - product, file, metadata -) VALUES ( - 1, 22, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 2, 2, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 2, 4, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 2, 5, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 2, 7, 1 -); - -INSERT INTO product_file ( - product, file, metadata -) VALUES ( - 2, 22, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 3, 3, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 3, 4, 1 -); - -INSERT INTO product_file ( - product, file, metadata -) VALUES ( - 3, 22, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 4, 3, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 4, 4, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 4, 6, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 4, 7, 1 -); - -INSERT INTO product_file ( - product, file, metadata -) VALUES ( - 4, 22, 1 -); - -INSERT INTO product_file ( - product, 
file, measurement -) VALUES ( - 5, 3, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 5, 4, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 5, 6, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 5, 7, 1 -); - -INSERT INTO product_file ( - product, file, metadata -) VALUES ( - 5, 22, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 6, 3, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 6, 4, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 6, 17, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 6, 21, 1 -); - -INSERT INTO product_file ( - product, file, metadata -) VALUES ( - 6, 22, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 7, 1, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 7, 4, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 7, 5, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 7, 7, 1 -); - -INSERT INTO product_file ( - product, file, measurement -) VALUES ( - 7, 17, 1 -); - -INSERT INTO product_file ( - product, file, metadata -) VALUES ( - 7, 22, 1 -); - -/* File Hashes */ - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 1, 1, 32768, X'409bb1a97e26ea1144cdd6801b8159f17f376b8f' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 1, 1, 16384, X'675172775cfd2b73ed1e249e4a730921f06c2f86fffdce4c71674cc654f37ed7' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 1, 1, 8192, X'abc8ce3fc99b6dcec6745ffc2f59e35372b9b126491480d04b0f93076beded06cccb27b61f1170868fada8cddefa7be4' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 1, 7, 32768, X'40763935cdea25119002c42f984b994d8d2a6d75' -); - -INSERT INTO file_hashes ( - file, product, algo, 
hash -) VALUES ( - 1, 7, 16384, X'27c4f867d3f994a361e0b25d7846b3698d29f82b38662f233a97cafc60c44189' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 1, 7, 8192, X'301dad8829308f5a68c603a87bf961b91365f0346ac2f322de3ddcbb4645f56c0e6d2dc503ec2abff8fe8e895ce9304d' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 2, 2, 32768, X'2a4047437e6fb346e2d854fc415e16b80e75bf6b' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 2, 2, 16384, X'86aa0bf93dade999277d963338402ed437271f3436f594a49ffca85b6c487523' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 2, 2, 8192, X'6090441219c0b478d294ae88e006d85ac0d94464573bcca7d180618a612bd170e3ee47c1545861b0f06fe0db85544c59' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 3, 3, 32768, X'07d8c0218a5b3469b409dc95cf8f77a341a595fb' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 3, 3, 16384, X'b083699fbc4c9f9e0d463361118904a3832670ad2fe3d6b42f811061188d509f' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 3, 3, 8192, X'b14908de476467a11a7a98835d1cf8317c7b80a684692426ddd7b0014e00b70b3d1b4fc1dd02ad440447612ee9dadb52' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 3, 4, 32768, X'4350f082511c742cc05050d18a23d1da9fb09340' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 3, 4, 16384, X'f9e12408828b5842c45503342dc2af78bc74d701a19c5fd5483df0e203315e0a' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 3, 4, 8192, X'1a5ea36e4ab0cda550c0da2af6a62d9310981d2f170c9e75bff1770be2efb9ddccc451743ff4c3d76876364f19fdf8c1' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 3, 6, 32768, X'91f4bb52404ca26b3a797152076ca5d233b93c1d' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 3, 6, 16384, X'59bced619eabbde5dd3ef74b92ba660349e105d36be9756c8d1598abd4bc066c' 
-); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 3, 6, 8192, X'fc6b1350067d23fca711b8a674e0367ad255bae0ddb2efe10dca1b18b18985bd09a7459937fda729d349874bb2701df3' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 1, 32768, X'ff6deca0eeb7a257205c5f0ab5f5d821ea184098' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 1, 16384, X'5c84fdf7c529d3c65a001587eda641fe489f83961a621fe514e7852a842690d6' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 1, 8192, X'8bd699f85f5b3efb27204b4699c518f871ef245d03b4bf8d1cc00456025017546030c2f493525754cffcd24cdbc03b21' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 2, 32768, X'1118805b490051637e93e592f4c71e0ee78a2422' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 2, 16384, X'5ea7229ebef5dc8f9fb2118676b773dd62cf89dc21657e3b8fbbcbc70ee24bd3' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 2, 8192, X'3b8da9e704e644eb7b196981624a2f6826c401d689e00ba47e42ff46351d27c6b9e91b1e8351ee01f66e5244b4c2a9b0' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 3, 32768, X'b5cd500ec15d6bfcae15e0af1dc121df7114b97d' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 3, 16384, X'b94f1cba12abb0ec79d207142526388ec0d127c4f2aad4a46a623a1f69bac84f' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 3, 8192, X'6663d66ff0e93b1b8a1edcdbe45d64834e29dc9c2b1d23126fd370a85b2c56da5cadcbc65b6e8afbb1e18bea8e413bd1' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 4, 32768, X'86c4463293859874243d8374f7f3ef60f44f9309' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 4, 16384, X'348b711f16ee9810738857c8ffbc54f8e16a393df8635cb29b02fc62daeefc14' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 4, 8192, 
X'0cb6b7d91148b1bb1b9333bc71de01509cb6d12c646a6756e6942647046286fbbca92b25dc1999e8f81be1264061ee4d' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 6, 32768, X'e3cf3ef2ee5df0117972808bfa93b7795f5da873' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 6, 16384, X'fde81f544e49c44aabe0e312a00a7f8af01a0e3123dc5c54c65e3e78ba475b22' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 6, 8192, X'e0cc89d1f229f9f35109bef3b163badc0941ca0a957d09e397a8d06e2b32e737f1f1135ebf0c0546d3d4c5354aaca40f' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 7, 32768, X'ff6deca0eeb7a257205c5f0ab5f5d821ea184098' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 7, 16384, X'5c84fdf7c529d3c65a001587eda641fe489f83961a621fe514e7852a842690d6' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 4, 7, 8192, X'8bd699f85f5b3efb27204b4699c518f871ef245d03b4bf8d1cc00456025017546030c2f493525754cffcd24cdbc03b21' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 5, 1, 32768, X'7a3ca72158e60b0c91e48a420848f1b693aea26c' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 5, 1, 16384, X'f9693c7d36c087d51f5012897fa0e8bb94081854d080c84f831f4d693d22f645' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 5, 1, 8192, X'4ec135e54c8840ab575fcdf00c66f996f763863ad30800b0f0a0b02e7899697d6ab9ccfe185ccbc16c19f38d0a27becb' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 5, 2, 32768, X'5d36a26856021d68a42f8bd7ca22365579d43891' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 5, 2, 16384, X'411be0558ad0cef33b437dafeed40104917e2079646524145abf9d05ddc6c1c5' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 5, 2, 8192, X'237f4691f9b780bec7aff217d64a9780ceed2973a41e86c92e0d6dab81cc5d13a9b99ba408302264f5665de1f42ef6e1' 
-); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 5, 7, 32768, X'7a3ca72158e60b0c91e48a420848f1b693aea26c' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 5, 7, 16384, X'f9693c7d36c087d51f5012897fa0e8bb94081854d080c84f831f4d693d22f645' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 5, 7, 8192, X'4ec135e54c8840ab575fcdf00c66f996f763863ad30800b0f0a0b02e7899697d6ab9ccfe185ccbc16c19f38d0a27becb' -); - - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 6, 4, 32768, X'92e66ae282947f66544682039a33fd1dbd402244' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 6, 4, 16384, X'dc6bad544f72c4538fb92f777646fd734b49ce95f41b2c96b74a21addbc86ed8' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 6, 4, 8192, X'08fd91f9017763212d1491f178e4d7e41d34a21b0117ee3321d832f5b8e02d4c7152a6cdc53bb4ca7e8aad5b1f279d1f' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 8, 7, 1, 32768, X'11ce3b45feb3e66a75490d42ba95071ac6f40a7f' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 8, 7, 1, 16384, X'468ef70f19372bc4a2b1805ffa3621515061fc19fa361374788bd362d638ac02' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 8, 7, 1, 8192, X'63076ae505ce52c37878c9b6891ac516320046403aec25bf347c7011c2d28d5db7e2946d1fae3006ab4ef43716ff4558' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 8, 7, 4, 32768, X'200eab67377bf3d5a25372838c38841658a718e4' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 8, 7, 4, 16384, X'31045af9a12efdc58155a177e9391dd28b93fa38af58ce00f49259cc26e97687' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 8, 7, 4, 8192, X'e8c64b508171d947069382da58dc7e39a97ce878a07f494a6fb370efb09116d32f1d4cdddeef85f22e14d1c5d5a37625' -); - -INSERT 
INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 8, 7, 7, 32768, X'11ce3b45feb3e66a75490d42ba95071ac6f40a7f' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 8, 7, 7, 16384, X'468ef70f19372bc4a2b1805ffa3621515061fc19fa361374788bd362d638ac02' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 8, 7, 7, 8192, X'63076ae505ce52c37878c9b6891ac516320046403aec25bf347c7011c2d28d5db7e2946d1fae3006ab4ef43716ff4558' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 8, 21, 6, 32768, X'010873de0d682a26e1c6795dd4992248cc47cdd1' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 8, 21, 6, 16384, X'bfb45524d81a3645bf216a6cf52cd5624aadf6717012bf722afce2db3e31f712' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 8, 21, 6, 8192, X'f69b3f60b904f2deb39ea1fb9b0132638f0aea27357e365297f6b2ec895d42b260143b5e912d00df1a4a1d75a1b508fa' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 9, 7, 1, 32768, X'1d740abd38f9f4bc81ca434a0e25b6e21704248b' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 9, 7, 1, 16384, X'e26bb7175956dc8747a81431e810f830413b6c63756bf5156ab51367fe4f48a0' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 9, 7, 1, 8192, X'5d3637413b9e318d0e0be6a9da86121062b99d1bdb084dfda4222baa71b250de644b4024281760b4eae926e03fac4fdb' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 9, 7, 4, 32768, X'd2bf3556a0b38cfba2962d058fa8ea777397e82d' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 9, 7, 4, 16384, X'4ec845e828af69dcbde3ecb981096ac1e25c9e3e607e9a24b27da7e44527edf9' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 9, 7, 4, 8192, 
X'3204a34ca409730298f60361865dace24900827ee9f3bc87884d50827911b4b17beb4c09bad77e43f28938f10bc5138a' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 9, 7, 7, 32768, X'1d740abd38f9f4bc81ca434a0e25b6e21704248b' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 9, 7, 7, 16384, X'e26bb7175956dc8747a81431e810f830413b6c63756bf5156ab51367fe4f48a0' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 9, 7, 7, 8192, X'5d3637413b9e318d0e0be6a9da86121062b99d1bdb084dfda4222baa71b250de644b4024281760b4eae926e03fac4fdb' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 9, 21, 6, 32768, X'e1df4f3949b09c25e15b9c9b7088a60d683903a8' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 9, 21, 6, 16384, X'46f0ec6b0a2c3a24157019ed60f03de2ec9160d07f12b7e0b3d3f02b609a151d' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 9, 21, 6, 8192, X'4f73eae305e01e9ad57b5b1271a16bb8518fb82135aeb27311aa390d0d3a564b596adb723137f15bbf1db38b8dcbbdae' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 10, 7, 1, 32768, X'339a58a1b313830c3cc74cb3fb52a5b8152f44e6' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 10, 7, 1, 16384, X'789f2c6a9382bb342964a12947ddf84735d3e3ed3aefbae407098738cdf7c686' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 10, 7, 1, 8192, X'858310a6e4b6311c491c4370990bfd6b9f03a49bb5ddf45b0d788f7043f130016e11be6bd95db66e49e2906a87adf8cb' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 10, 7, 7, 32768, X'339a58a1b313830c3cc74cb3fb52a5b8152f44e6' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 10, 7, 7, 16384, X'789f2c6a9382bb342964a12947ddf84735d3e3ed3aefbae407098738cdf7c686' -); - -INSERT INTO 
file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 10, 7, 7, 8192, X'858310a6e4b6311c491c4370990bfd6b9f03a49bb5ddf45b0d788f7043f130016e11be6bd95db66e49e2906a87adf8cb' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 10, 21, 6, 32768, X'87df2d01b85d8354819b431bae0a0a65bfc5d2db' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 10, 21, 6, 16384, X'a25fef11c899d826ea61996f0bc05330bc88428eafb792be0182ad97b6283aae' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 10, 21, 6, 8192, X'357e5756dbfa22c21d3666521e644eefdf532b7d371cca62fc099579f3c98b97cb51d005dcbaf805f8a7def26dfde142' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 11, 7, 1, 32768, X'2d32ef93126abf8c660d57c67e5076c6394cabe8' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 11, 7, 1, 16384, X'ced29aca7fc2dd0b01d5d544dfb2e1640a6a79c657f589e7dd6636cfd63eda3b' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 11, 7, 1, 8192, X'a2d33fa2d0ee7bffa5e628f88ccb83cd61bb4c5fe6d2edb8b853b83d8c43f498fa6e8da70510f0a1a3ddb36060bbd4d8' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 11, 7, 7, 32768, X'2d32ef93126abf8c660d57c67e5076c6394cabe8' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 11, 7, 7, 16384, X'ced29aca7fc2dd0b01d5d544dfb2e1640a6a79c657f589e7dd6636cfd63eda3b' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 11, 7, 7, 8192, X'a2d33fa2d0ee7bffa5e628f88ccb83cd61bb4c5fe6d2edb8b853b83d8c43f498fa6e8da70510f0a1a3ddb36060bbd4d8' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 12, 7, 1, 32768, X'6c0b2df4fc4c9122b5762ae140d53fdd1cf9e89b' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 12, 7, 1, 16384, 
X'53c3f2bd5aaf8ef4c40f9af92a67621f5e67840b5ff2db67d1bccbcb56f7eef1' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 12, 7, 1, 8192, X'1a4a6d91bda3ce59e6c444ccc1e758c9c6f0e223fd8c5aac369260cdfa83081c0e8f3753f100490910ec161902f10ba7' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 12, 7, 7, 32768, X'6c0b2df4fc4c9122b5762ae140d53fdd1cf9e89b' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 12, 7, 7, 16384, X'53c3f2bd5aaf8ef4c40f9af92a67621f5e67840b5ff2db67d1bccbcb56f7eef1' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 12, 7, 7, 8192, X'1a4a6d91bda3ce59e6c444ccc1e758c9c6f0e223fd8c5aac369260cdfa83081c0e8f3753f100490910ec161902f10ba7' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 13, 7, 1, 32768, X'e2f7b92abda769f82796f57a29801870585dcea3' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 13, 7, 1, 16384, X'6d3fe67a040dbb469ef498b26cece45806cb7ca04787bba53b7ba1c18e2abd0a' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 13, 7, 1, 8192, X'014852b73cd3eabfa955b7bd56b269d5a0590a2770cf3d656b3d68dbad30884327fc81ff96c6f661c9c4189c3aefa346' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 13, 7, 7, 32768, X'e2f7b92abda769f82796f57a29801870585dcea3' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 13, 7, 7, 16384, X'6d3fe67a040dbb469ef498b26cece45806cb7ca04787bba53b7ba1c18e2abd0a' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 13, 7, 7, 8192, X'014852b73cd3eabfa955b7bd56b269d5a0590a2770cf3d656b3d68dbad30884327fc81ff96c6f661c9c4189c3aefa346' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 14, 7, 1, 32768, X'160d2b04d11eb225fb148615b699081869e15b6c' -); - -INSERT INTO 
file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 14, 7, 1, 16384, X'1f5a2ceae1418f9c1fbf51eb7d84f74d488908cde5931a5461746d1e24682a25' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 14, 7, 1, 8192, X'f701cb25b0e9a9f32d3bba9b274ca0e8838363d13b7283b842d6c9673442890e538127c3b64ca4b177de1d243b44cf0d' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 14, 7, 7, 32768, X'160d2b04d11eb225fb148615b699081869e15b6c' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 14, 7, 7, 16384, X'1f5a2ceae1418f9c1fbf51eb7d84f74d488908cde5931a5461746d1e24682a25' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 14, 7, 7, 8192, X'f701cb25b0e9a9f32d3bba9b274ca0e8838363d13b7283b842d6c9673442890e538127c3b64ca4b177de1d243b44cf0d' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 15, 7, 1, 32768, X'5a0d07ab036603a76759e5f61f7d04f2d3c056cc' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 15, 7, 1, 16384, X'85491714e860062c441ff50d93ad79350449596b89b2e409b513c2d883321c9d' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 15, 7, 1, 8192, X'8038830a994c779bc200e844d8768280feca9dd5d58de6cd359b87cc68846799edfd16e36e83002da4bb309cfd3b353d' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 15, 7, 7, 32768, X'5a0d07ab036603a76759e5f61f7d04f2d3c056cc' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 15, 7, 7, 16384, X'85491714e860062c441ff50d93ad79350449596b89b2e409b513c2d883321c9d' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 15, 7, 7, 8192, X'8038830a994c779bc200e844d8768280feca9dd5d58de6cd359b87cc68846799edfd16e36e83002da4bb309cfd3b353d' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 
16, 7, 1, 32768, X'd6c8dfbaae7ab28b5cef2626a2af3f99a6ea4365' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 16, 7, 1, 16384, X'd0d6f784e937227cce99e3be860be078d0397a6fb5a5bc9d95a19ef855609dbc' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 16, 7, 1, 8192, X'4be6e7978a6e4fb8a792815f2bbe28c2e66276401fb98ca90e49a5c2f2c94a1c7aac635d501d35d1db0fd53a0cb9d0fa' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 16, 7, 7, 32768, X'd6c8dfbaae7ab28b5cef2626a2af3f99a6ea4365' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 16, 7, 7, 16384, X'd0d6f784e937227cce99e3be860be078d0397a6fb5a5bc9d95a19ef855609dbc' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 16, 7, 7, 8192, X'4be6e7978a6e4fb8a792815f2bbe28c2e66276401fb98ca90e49a5c2f2c94a1c7aac635d501d35d1db0fd53a0cb9d0fa' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 17, 1, 32768, X'8a7c41167bc0fcc1dec8329a868ba265c23857f5' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 17, 1, 16384, X'f8eb857d7bb850f44c15363ba699442c2810663ac5a83a5f49e06e0fd8144b0e' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 17, 1, 8192, X'f40cb6e557ab18d70080e7995e3f96cc272842e822bf52bc1c59075313c2cd832f96cf03a8524905f3d3f7a61441c651' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 17, 6, 32768, X'8178f18dcb836e7f7432c4ad568bfd66b7ef4a96' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 17, 6, 16384, X'2d6aaed577bfac626ff4958ee1076bc343f8db46538aa6c381521bac94c5ca9e' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 17, 6, 8192, X'747bbaee322f9bf1849308f8907e2a43868eae8559a7be718113abb4ce535f6d509d005e51788cf3e83e148487fe7bf3' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 17, 7, 32768, 
X'8a7c41167bc0fcc1dec8329a868ba265c23857f5' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 17, 7, 16384, X'f8eb857d7bb850f44c15363ba699442c2810663ac5a83a5f49e06e0fd8144b0e' -); - -INSERT INTO file_hashes ( - file, product, algo, hash -) VALUES ( - 17, 7, 8192, X'f40cb6e557ab18d70080e7995e3f96cc272842e822bf52bc1c59075313c2cd832f96cf03a8524905f3d3f7a61441c651' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 18, 7, 1, 32768, X'23296f48276e160b6d99b1b42a9114df720bb1ab' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 18, 7, 1, 16384, X'78cd0a598080e31453f477e8d8a12ec794e859f4076ed92e53d2053d6d16762c' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 18, 7, 1, 8192, X'4da3955f1fd968ecf95cff825d42715b544e577f28f411a020a270834235125bc0c8872bac8dd3466349ac8ab0aa2d74' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 18, 7, 7, 32768, X'23296f48276e160b6d99b1b42a9114df720bb1ab' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 18, 7, 7, 16384, X'78cd0a598080e31453f477e8d8a12ec794e859f4076ed92e53d2053d6d16762c' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 18, 7, 7, 8192, X'4da3955f1fd968ecf95cff825d42715b544e577f28f411a020a270834235125bc0c8872bac8dd3466349ac8ab0aa2d74' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 19, 7, 1, 32768, X'd537d437f058136eb3d7be517dbe7647b623c619' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 19, 7, 1, 16384, X'6a837037ad3fc4d06270d99cee2714dcf96b91aeb54d3483009219337961f834' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 19, 7, 1, 8192, X'7b5b16840da590a995fab23533f41982c5b136bff8e9b9a90b3c919a12cee20d312091455057a8bba9d9fbe314e6203d' -); - -INSERT INTO file_hashes ( - file, 
directory, product, algo, hash -) VALUES ( - 19, 7, 7, 32768, X'd537d437f058136eb3d7be517dbe7647b623c619' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 19, 7, 7, 16384, X'6a837037ad3fc4d06270d99cee2714dcf96b91aeb54d3483009219337961f834' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 19, 7, 7, 8192, X'7b5b16840da590a995fab23533f41982c5b136bff8e9b9a90b3c919a12cee20d312091455057a8bba9d9fbe314e6203d' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 20, 7, 1, 32768, X'f9e3531abb67a020cf667d46ca823675dd0a0dd4' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 20, 7, 1, 16384, X'569bafa2dabbcfa0ba9c7c411eacfeb8930f9d856a1a43cf8aa3662a67c13e35' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 20, 7, 1, 8192, X'84200bd318bb022915150842ddf4002e061ef593604ad0d07021dc662cc40bfa749cce084ddf25d0e5137f6380f613d8' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 20, 7, 7, 32768, X'f9e3531abb67a020cf667d46ca823675dd0a0dd4' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 20, 7, 7, 16384, X'569bafa2dabbcfa0ba9c7c411eacfeb8930f9d856a1a43cf8aa3662a67c13e35' -); - -INSERT INTO file_hashes ( - file, directory, product, algo, hash -) VALUES ( - 20, 7, 7, 8192, X'84200bd318bb022915150842ddf4002e061ef593604ad0d07021dc662cc40bfa749cce084ddf25d0e5137f6380f613d8' -); - -/* AIKs */ - -INSERT INTO keys ( - keyid, owner -) VALUES ( - X'b772a6730776b9f028e5adfccd40b55c320a13b6', 'Andreas, merthyr (Fujitsu Siemens Lifebook S6420)' -); - -/* Components */ - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 1, 33 /* ITA TGRUB */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 2, 33 /* ITA TBOOT */ -); - -INSERT INTO components ( - vendor_id, name, qualifier -) VALUES ( - 36906, 3, 
33 /* ITA IMA */ -); - -/* AIK Component */ - -INSERT INTO key_component ( - key, component, depth, seq_no -) VALUES ( - 2, 2, 0, 1 -); - -INSERT INTO key_component ( - key, component, depth, seq_no -) VALUES ( - 1, 3, 0, 1 -); - -INSERT INTO key_component ( - key, component, depth, seq_no -) VALUES ( - 1, 2, 0, 2 -); - diff --git a/src/libpts/plugins/imv_attestation/imv_attestation.c b/src/libpts/plugins/imv_attestation/imv_attestation.c index 51069b02d..542a561aa 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Sansar Choinyambuu + * Copyright (C) 2013 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -13,508 +13,12 @@ * for more details. */ -#include "imv_attestation_state.h" -#include "imv_attestation_process.h" -#include "imv_attestation_build.h" - -#include <imv/imv_agent.h> -#include <pa_tnc/pa_tnc_msg.h> -#include <ietf/ietf_attr.h> -#include <ietf/ietf_attr_pa_tnc_error.h> -#include <ietf/ietf_attr_product_info.h> - -#include <libpts.h> - -#include <pts/pts.h> -#include <pts/pts_database.h> -#include <pts/pts_creds.h> - -#include <tcg/tcg_attr.h> - -#include <tncif_pa_subtypes.h> - -#include <pen/pen.h> -#include <debug.h> -#include <credentials/credential_manager.h> -#include <utils/linked_list.h> - -/* IMV definitions */ +#include "imv_attestation_agent.h" static const char imv_name[] = "Attestation"; +static const imv_agent_create_t imv_agent_create = imv_attestation_agent_create; -#define IMV_VENDOR_ID PEN_TCG -#define IMV_SUBTYPE PA_SUBTYPE_TCG_PTS - -static imv_agent_t *imv_attestation; - -/** - * Supported PTS measurement algorithms - */ -static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE; - -/** - * Supported PTS Diffie Hellman Groups - */ -static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE; - -/** - * PTS file measurement database - */ -static pts_database_t *pts_db; - -/** - * PTS credentials - */ -static pts_creds_t *pts_creds; - -/** - * PTS credential manager - */ -static credential_manager_t *pts_credmgr; - -/** - * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3 - */ -TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, - TNC_Version min_version, - TNC_Version max_version, - TNC_Version *actual_version) -{ - char *hash_alg, *dh_group, *uri, *cadir; - - if (imv_attestation) - { - DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name); - return TNC_RESULT_ALREADY_INITIALIZED; - } - if (!pts_meas_algo_probe(&supported_algorithms) || - !pts_dh_group_probe(&supported_dh_groups)) - { - return TNC_RESULT_FATAL; - } - imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE, - imv_id, 
actual_version); - if (!imv_attestation) - { - return TNC_RESULT_FATAL; - } - - libpts_init(); - - if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1) - { - DBG1(DBG_IMV, "no common IF-IMV version"); - return TNC_RESULT_NO_COMMON_VERSION; - } - - hash_alg = lib->settings->get_str(lib->settings, - "libimcv.plugins.imv-attestation.hash_algorithm", "sha256"); - dh_group = lib->settings->get_str(lib->settings, - "libimcv.plugins.imv-attestation.dh_group", "ecp256"); - - if (!pts_meas_algo_update(hash_alg, &supported_algorithms) || - !pts_dh_group_update(dh_group, &supported_dh_groups)) - { - return TNC_RESULT_FATAL; - } - - /* create a PTS credential manager */ - pts_credmgr = credential_manager_create(); - - /* create PTS credential set */ - cadir = lib->settings->get_str(lib->settings, - "libimcv.plugins.imv-attestation.cadir", NULL); - pts_creds = pts_creds_create(cadir); - if (pts_creds) - { - pts_credmgr->add_set(pts_credmgr, pts_creds->get_set(pts_creds)); - } - - /* attach file measurement database */ - uri = lib->settings->get_str(lib->settings, - "libimcv.plugins.imv-attestation.database", NULL); - pts_db = pts_database_create(uri); - - return TNC_RESULT_SUCCESS; -} - -/** - * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3 - */ -TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id, - TNC_ConnectionID connection_id, - TNC_ConnectionState new_state) -{ - imv_state_t *state; - - if (!imv_attestation) - { - DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); - return TNC_RESULT_NOT_INITIALIZED; - } - switch (new_state) - { - case TNC_CONNECTION_STATE_CREATE: - state = imv_attestation_state_create(connection_id); - return imv_attestation->create_state(imv_attestation, state); - case TNC_CONNECTION_STATE_DELETE: - return imv_attestation->delete_state(imv_attestation, connection_id); - case TNC_CONNECTION_STATE_HANDSHAKE: - default: - return imv_attestation->change_state(imv_attestation, connection_id, - new_state, 
NULL); - } -} - -static TNC_Result send_message(TNC_ConnectionID connection_id) -{ - pa_tnc_msg_t *msg; - pa_tnc_attr_t *attr; - imv_state_t *state; - imv_attestation_state_t *attestation_state; - TNC_Result result; - linked_list_t *attr_list; - enumerator_t *enumerator; - - if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) - { - return TNC_RESULT_FATAL; - } - attestation_state = (imv_attestation_state_t*)state; - attr_list = linked_list_create(); - - if (imv_attestation_build(attr_list, attestation_state, supported_algorithms, - supported_dh_groups, pts_db)) - { - if (attr_list->get_count(attr_list)) - { - msg = pa_tnc_msg_create(); - - /* move PA-TNC attributes to PA-TNC message */ - enumerator = attr_list->create_enumerator(attr_list); - while (enumerator->enumerate(enumerator, &attr)) - { - msg->add_attribute(msg, attr); - } - enumerator->destroy(enumerator); - - msg->build(msg); - result = imv_attestation->send_message(imv_attestation, - connection_id, FALSE, 0, TNC_IMCID_ANY, - msg->get_encoding(msg)); - msg->destroy(msg); - } - else - { - result = TNC_RESULT_SUCCESS; - } - attr_list->destroy(attr_list); - } - else - { - attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy)); - result = TNC_RESULT_FATAL; - } - - return result; -} +/* include generic TGC TNC IF-IMV API code below */ -static TNC_Result receive_message(TNC_IMVID imv_id, - TNC_ConnectionID connection_id, - TNC_UInt32 msg_flags, - chunk_t msg, - TNC_VendorID msg_vid, - TNC_MessageSubtype msg_subtype, - TNC_UInt32 src_imc_id, - TNC_UInt32 dst_imv_id) -{ - pa_tnc_msg_t *pa_tnc_msg; - pa_tnc_attr_t *attr; - linked_list_t *attr_list; - imv_state_t *state; - imv_attestation_state_t *attestation_state; - pts_t *pts; - enumerator_t *enumerator; - TNC_Result result; +#include <imv/imv_if.h> - if (!imv_attestation) - { - DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); - return TNC_RESULT_NOT_INITIALIZED; - } - - /* get current IMV state */ - if 
(!imv_attestation->get_state(imv_attestation, connection_id, &state)) - { - return TNC_RESULT_FATAL; - } - attestation_state = (imv_attestation_state_t*)state; - pts = attestation_state->get_pts(attestation_state); - - /* parse received PA-TNC message and automatically handle any errors */ - result = imv_attestation->receive_message(imv_attestation, state, msg, - msg_vid, msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg); - - /* no parsed PA-TNC attributes available if an error occurred */ - if (!pa_tnc_msg) - { - return result; - } - - /* preprocess any IETF standard error attributes */ - result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ? - TNC_RESULT_FATAL : TNC_RESULT_SUCCESS; - - attr_list = linked_list_create(); - - /* analyze PA-TNC attributes */ - enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg); - while (enumerator->enumerate(enumerator, &attr)) - { - if (attr->get_vendor_id(attr) == PEN_IETF) - { - if (attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR) - { - ietf_attr_pa_tnc_error_t *error_attr; - pen_t error_vendor_id; - pa_tnc_error_code_t error_code; - chunk_t msg_info; - - error_attr = (ietf_attr_pa_tnc_error_t*)attr; - error_vendor_id = error_attr->get_vendor_id(error_attr); - - if (error_vendor_id == PEN_TCG) - { - error_code = error_attr->get_error_code(error_attr); - msg_info = error_attr->get_msg_info(error_attr); - - DBG1(DBG_IMV, "received TCG-PTS error '%N'", - pts_error_code_names, error_code); - DBG1(DBG_IMV, "error information: %B", &msg_info); - - result = TNC_RESULT_FATAL; - } - } - else if (attr->get_type(attr) == IETF_ATTR_PRODUCT_INFORMATION) - { - ietf_attr_product_info_t *attr_cast; - char *platform_info; - - attr_cast = (ietf_attr_product_info_t*)attr; - platform_info = attr_cast->get_info(attr_cast, NULL, NULL); - pts->set_platform_info(pts, platform_info); - } - } - else if (attr->get_vendor_id(attr) == PEN_TCG) - { - if (!imv_attestation_process(attr, attr_list, attestation_state, - 
supported_algorithms,supported_dh_groups, pts_db, pts_credmgr)) - { - result = TNC_RESULT_FATAL; - break; - } - } - } - enumerator->destroy(enumerator); - pa_tnc_msg->destroy(pa_tnc_msg); - - if (result != TNC_RESULT_SUCCESS) - { - attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy)); - state->set_recommendation(state, - TNC_IMV_ACTION_RECOMMENDATION_ISOLATE, - TNC_IMV_EVALUATION_RESULT_ERROR); - return imv_attestation->provide_recommendation(imv_attestation, - connection_id); - } - - if (attr_list->get_count(attr_list)) - { - pa_tnc_msg = pa_tnc_msg_create(); - - /* move PA-TNC attributes to PA-TNC message */ - enumerator = attr_list->create_enumerator(attr_list); - while (enumerator->enumerate(enumerator, &attr)) - { - pa_tnc_msg->add_attribute(pa_tnc_msg, attr); - } - enumerator->destroy(enumerator); - - pa_tnc_msg->build(pa_tnc_msg); - result = imv_attestation->send_message(imv_attestation, connection_id, - FALSE, 0, TNC_IMCID_ANY, - pa_tnc_msg->get_encoding(pa_tnc_msg)); - - pa_tnc_msg->destroy(pa_tnc_msg); - attr_list->destroy(attr_list); - - return result; - } - attr_list->destroy(attr_list); - - /* check the IMV state for the next PA-TNC attributes to send */ - result = send_message(connection_id); - if (result != TNC_RESULT_SUCCESS) - { - state->set_recommendation(state, - TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, - TNC_IMV_EVALUATION_RESULT_ERROR); - return imv_attestation->provide_recommendation(imv_attestation, - connection_id); - } - - if (attestation_state->get_handshake_state(attestation_state) == - IMV_ATTESTATION_STATE_END) - { - if (attestation_state->get_file_meas_request_count(attestation_state)) - { - DBG1(DBG_IMV, "failure due to %d pending file measurements", - attestation_state->get_file_meas_request_count(attestation_state)); - attestation_state->set_measurement_error(attestation_state); - } - if (attestation_state->get_component_count(attestation_state)) - { - DBG1(DBG_IMV, "failure due to %d components waiting for 
evidence", - attestation_state->get_component_count(attestation_state)); - attestation_state->set_measurement_error(attestation_state); - } - if (attestation_state->get_measurement_error(attestation_state)) - { - state->set_recommendation(state, - TNC_IMV_ACTION_RECOMMENDATION_ISOLATE, - TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR); - } - else - { - state->set_recommendation(state, - TNC_IMV_ACTION_RECOMMENDATION_ALLOW, - TNC_IMV_EVALUATION_RESULT_COMPLIANT); - } - return imv_attestation->provide_recommendation(imv_attestation, - connection_id); - } - - return result; -} - -/** - * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3 - */ -TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, - TNC_ConnectionID connection_id, - TNC_BufferReference msg, - TNC_UInt32 msg_len, - TNC_MessageType msg_type) -{ - TNC_VendorID msg_vid; - TNC_MessageSubtype msg_subtype; - - msg_vid = msg_type >> 8; - msg_subtype = msg_type & TNC_SUBTYPE_ANY; - - return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len), - msg_vid, msg_subtype, 0, TNC_IMVID_ANY); -} - -/** - * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3 - */ -TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id, - TNC_ConnectionID connection_id, - TNC_UInt32 msg_flags, - TNC_BufferReference msg, - TNC_UInt32 msg_len, - TNC_VendorID msg_vid, - TNC_MessageSubtype msg_subtype, - TNC_UInt32 src_imc_id, - TNC_UInt32 dst_imv_id) -{ - return receive_message(imv_id, connection_id, msg_flags, - chunk_create(msg, msg_len), msg_vid, msg_subtype, - src_imc_id, dst_imv_id); -} - -/** - * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3 - */ -TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id, - TNC_ConnectionID connection_id) -{ - if (!imv_attestation) - { - DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); - return TNC_RESULT_NOT_INITIALIZED; - } - return imv_attestation->provide_recommendation(imv_attestation, - connection_id); -} - -/** - * see section 3.8.8 of TCG TNC IF-IMV 
Specification 1.3 - */ -TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id, - TNC_ConnectionID connection_id) -{ - imv_state_t *state; - imv_attestation_state_t *attestation_state; - - if (!imv_attestation) - { - DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); - return TNC_RESULT_NOT_INITIALIZED; - } - /* get current IMV state */ - if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) - { - return TNC_RESULT_FATAL; - } - attestation_state = (imv_attestation_state_t*)state; - - /* Check if IMV has to initiate the PA-TNC exchange */ - if (attestation_state->get_handshake_state(attestation_state) == - IMV_ATTESTATION_STATE_INIT) - { - return send_message(connection_id); - } - return TNC_RESULT_SUCCESS; -} - -/** - * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3 - */ -TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id) -{ - if (!imv_attestation) - { - DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); - return TNC_RESULT_NOT_INITIALIZED; - } - if (pts_creds) - { - pts_credmgr->remove_set(pts_credmgr, pts_creds->get_set(pts_creds)); - pts_creds->destroy(pts_creds); - } - DESTROY_IF(pts_db); - DESTROY_IF(pts_credmgr); - - libpts_deinit(); - - imv_attestation->destroy(imv_attestation); - imv_attestation = NULL; - - return TNC_RESULT_SUCCESS; -} - -/** - * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3 - */ -TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id, - TNC_TNCS_BindFunctionPointer bind_function) -{ - if (!imv_attestation) - { - DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); - return TNC_RESULT_NOT_INITIALIZED; - } - return imv_attestation->bind_functions(imv_attestation, bind_function); -} diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c new file mode 100644 index 000000000..fb934127e --- /dev/null +++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c 
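Review bot: The comment kept in the new prologue of imv_attestation.c, `/* include generic TGC TNC IF-IMV API code below */`, misspells the consortium name; it should read `/* include generic TCG TNC IF-IMV API code below */`, matching the "TCG TNC IF-IMV Specification" wording used in the comments this hunk removes. The added `static const imv_agent_create_t imv_agent_create = imv_attestation_agent_create;` is not referenced anywhere else in the hunk, so presumably it is picked up by the following `#include <imv/imv_if.h>`; a one-line comment such as `/* consumed by the generic IF-IMV glue in imv_if.h */` would spare readers from treating it as an unused static.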
@@ -0,0 +1,616 @@ +/* + * Copyright (C) 2011-2012 Sansar Choinyambuu + * Copyright (C) 2011-2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_attestation_agent.h" +#include "imv_attestation_state.h" +#include "imv_attestation_process.h" +#include "imv_attestation_build.h" + +#include <imcv.h> +#include <imv/imv_agent.h> +#include <imv/imv_msg.h> +#include <ietf/ietf_attr.h> +#include <ietf/ietf_attr_attr_request.h> +#include <ietf/ietf_attr_pa_tnc_error.h> +#include <ietf/ietf_attr_product_info.h> +#include <ietf/ietf_attr_string_version.h> + +#include <libpts.h> + +#include <pts/pts.h> +#include <pts/pts_database.h> +#include <pts/pts_creds.h> + +#include <tcg/tcg_attr.h> +#include <tcg/tcg_pts_attr_req_file_meas.h> +#include <tcg/tcg_pts_attr_req_file_meta.h> + +#include <tncif_pa_subtypes.h> + +#include <pen/pen.h> +#include <utils/debug.h> +#include <credentials/credential_manager.h> +#include <collections/linked_list.h> + +typedef struct private_imv_attestation_agent_t private_imv_attestation_agent_t; + +/* Subscribed PA-TNC message subtypes */ +static pen_type_t msg_types[] = { + { PEN_TCG, PA_SUBTYPE_TCG_PTS }, + { PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM } +}; + +/** + * Private data of an imv_attestation_agent_t object. 
+ */ +struct private_imv_attestation_agent_t { + + /** + * Public members of imv_attestation_agent_t + */ + imv_agent_if_t public; + + /** + * IMV agent responsible for generic functions + */ + imv_agent_t *agent; + + /** + * Supported PTS measurement algorithms + */ + pts_meas_algorithms_t supported_algorithms; + + /** + * Supported PTS Diffie Hellman Groups + */ + pts_dh_group_t supported_dh_groups; + + /** + * PTS file measurement database + */ + pts_database_t *pts_db; + + /** + * PTS credentials + */ + pts_creds_t *pts_creds; + + /** + * PTS credential manager + */ + credential_manager_t *pts_credmgr; + +}; + +METHOD(imv_agent_if_t, bind_functions, TNC_Result, + private_imv_attestation_agent_t *this, TNC_TNCS_BindFunctionPointer bind_function) +{ + return this->agent->bind_functions(this->agent, bind_function); +} + +METHOD(imv_agent_if_t, notify_connection_change, TNC_Result, + private_imv_attestation_agent_t *this, TNC_ConnectionID id, + TNC_ConnectionState new_state) +{ + imv_state_t *state; + + switch (new_state) + { + case TNC_CONNECTION_STATE_CREATE: + state = imv_attestation_state_create(id); + return this->agent->create_state(this->agent, state); + case TNC_CONNECTION_STATE_DELETE: + return this->agent->delete_state(this->agent, id); + default: + return this->agent->change_state(this->agent, id, new_state, NULL); + } +} + +/** + * Process a received message + */ +static TNC_Result receive_msg(private_imv_attestation_agent_t *this, + imv_state_t *state, imv_msg_t *in_msg) +{ + imv_attestation_state_t *attestation_state; + imv_msg_t *out_msg; + enumerator_t *enumerator; + pa_tnc_attr_t *attr; + pen_type_t type; + TNC_Result result; + pts_t *pts; + chunk_t os_name = chunk_empty; + chunk_t os_version = chunk_empty; + bool fatal_error = FALSE; + + /* parse received PA-TNC message and handle local and remote errors */ + result = in_msg->receive(in_msg, &fatal_error); + if (result != TNC_RESULT_SUCCESS) + { + return result; + } + + attestation_state = 
(imv_attestation_state_t*)state; + pts = attestation_state->get_pts(attestation_state); + + out_msg = imv_msg_create_as_reply(in_msg); + out_msg->set_msg_type(out_msg, msg_types[0]); + + /* analyze PA-TNC attributes */ + enumerator = in_msg->create_attribute_enumerator(in_msg); + while (enumerator->enumerate(enumerator, &attr)) + { + type = attr->get_type(attr); + + if (type.vendor_id == PEN_IETF) + { + switch (type.type) + { + case IETF_ATTR_PA_TNC_ERROR: + { + ietf_attr_pa_tnc_error_t *error_attr; + pen_type_t error_code; + chunk_t msg_info; + + error_attr = (ietf_attr_pa_tnc_error_t*)attr; + error_code = error_attr->get_error_code(error_attr); + + if (error_code.vendor_id == PEN_TCG) + { + msg_info = error_attr->get_msg_info(error_attr); + + DBG1(DBG_IMV, "received TCG-PTS error '%N'", + pts_error_code_names, error_code.type); + DBG1(DBG_IMV, "error information: %B", &msg_info); + fatal_error = TRUE; + } + break; + } + case IETF_ATTR_PRODUCT_INFORMATION: + { + ietf_attr_product_info_t *attr_cast; + + attr_cast = (ietf_attr_product_info_t*)attr; + os_name = attr_cast->get_info(attr_cast, NULL, NULL); + break; + } + case IETF_ATTR_STRING_VERSION: + { + ietf_attr_string_version_t *attr_cast; + + attr_cast = (ietf_attr_string_version_t*)attr; + os_version = attr_cast->get_version(attr_cast, NULL, NULL); + break; + } + default: + break; + } + } + else if (type.vendor_id == PEN_TCG) + { + if (!imv_attestation_process(attr, out_msg, state, + this->supported_algorithms, this->supported_dh_groups, + this->pts_db, this->pts_credmgr)) + { + result = TNC_RESULT_FATAL; + break; + } + } + } + enumerator->destroy(enumerator); + + /** + * The IETF Product Information and String Version attributes + * are supposed to arrive in the same PA-TNC message + */ + if (os_name.len && os_version.len) + { + pts->set_platform_info(pts, os_name, os_version); + } + + if (fatal_error || result != TNC_RESULT_SUCCESS) + { + state->set_recommendation(state, + 
TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, + TNC_IMV_EVALUATION_RESULT_ERROR); + result = out_msg->send_assessment(out_msg); + out_msg->destroy(out_msg); + if (result != TNC_RESULT_SUCCESS) + { + return result; + } + return this->agent->provide_recommendation(this->agent, state); + } + + /* send PA-TNC message with excl flag set */ + result = out_msg->send(out_msg, TRUE); + out_msg->destroy(out_msg); + + return result; +} + +METHOD(imv_agent_if_t, receive_message, TNC_Result, + private_imv_attestation_agent_t *this, TNC_ConnectionID id, + TNC_MessageType msg_type, chunk_t msg) +{ + imv_state_t *state; + imv_msg_t *in_msg; + TNC_Result result; + + if (!this->agent->get_state(this->agent, id, &state)) + { + return TNC_RESULT_FATAL; + } + in_msg = imv_msg_create_from_data(this->agent, state, id, msg_type, msg); + result = receive_msg(this, state, in_msg); + in_msg->destroy(in_msg); + + return result; +} + +METHOD(imv_agent_if_t, receive_message_long, TNC_Result, + private_imv_attestation_agent_t *this, TNC_ConnectionID id, + TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id, + TNC_VendorID msg_vid, TNC_MessageSubtype msg_subtype, chunk_t msg) +{ + imv_state_t *state; + imv_msg_t *in_msg; + TNC_Result result; + + if (!this->agent->get_state(this->agent, id, &state)) + { + return TNC_RESULT_FATAL; + } + in_msg = imv_msg_create_from_long_data(this->agent, state, id, + src_imc_id, dst_imv_id, msg_vid, msg_subtype, msg); + result = receive_msg(this, state, in_msg); + in_msg->destroy(in_msg); + + return result; +} + +METHOD(imv_agent_if_t, batch_ending, TNC_Result, + private_imv_attestation_agent_t *this, TNC_ConnectionID id) +{ + imv_msg_t *out_msg; + imv_state_t *state; + imv_session_t *session; + imv_attestation_state_t *attestation_state; + TNC_IMVID imv_id; + TNC_Result result = TNC_RESULT_SUCCESS; + pts_t *pts; + char *platform_info; + + if (!this->agent->get_state(this->agent, id, &state)) + { + return TNC_RESULT_FATAL; + } + attestation_state = 
(imv_attestation_state_t*)state; + pts = attestation_state->get_pts(attestation_state); + platform_info = pts->get_platform_info(pts); + session = state->get_session(state); + imv_id = this->agent->get_id(this->agent); + + /* exit if a recommendation has already been provided */ + if (state->get_action_flags(state) & IMV_ATTESTATION_FLAG_REC) + { + return TNC_RESULT_SUCCESS; + } + + /* send an IETF attribute request if no platform info was received */ + if (!platform_info && + !(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ATTR_REQ)) + { + pa_tnc_attr_t *attr; + ietf_attr_attr_request_t *attr_cast; + imv_msg_t *os_msg; + + attr = ietf_attr_attr_request_create(PEN_IETF, + IETF_ATTR_PRODUCT_INFORMATION); + attr_cast = (ietf_attr_attr_request_t*)attr; + attr_cast->add(attr_cast, PEN_IETF, IETF_ATTR_STRING_VERSION); + + os_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY, + msg_types[1]); + os_msg->add_attribute(os_msg, attr); + result = os_msg->send(os_msg, FALSE); + os_msg->destroy(os_msg); + + if (result != TNC_RESULT_SUCCESS) + { + return result; + } + state->set_action_flags(state, IMV_ATTESTATION_FLAG_ATTR_REQ); + } + + /* create an empty out message - we might need it */ + out_msg = imv_msg_create(this->agent, state, id, imv_id, TNC_IMCID_ANY, + msg_types[0]); + + if (platform_info && session && + (state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ALGO) && + !(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_FILE_MEAS)) + { + imv_workitem_t *workitem; + bool is_dir, no_workitems = TRUE; + u_int32_t delimiter = SOLIDUS_UTF; + u_int16_t request_id; + pa_tnc_attr_t *attr; + char *pathname; + enumerator_t *enumerator; + + enumerator = session->create_workitem_enumerator(session); + if (enumerator) + { + while (enumerator->enumerate(enumerator, &workitem)) + { + if (workitem->get_imv_id(workitem) != TNC_IMVID_ANY) + { + continue; + } + + switch (workitem->get_type(workitem)) + { + case IMV_WORKITEM_FILE_REF_MEAS: + case 
IMV_WORKITEM_FILE_MEAS: + case IMV_WORKITEM_FILE_META: + is_dir = FALSE; + break; + case IMV_WORKITEM_DIR_REF_MEAS: + case IMV_WORKITEM_DIR_MEAS: + case IMV_WORKITEM_DIR_META: + is_dir = TRUE; + break; + default: + continue; + } + + pathname = this->pts_db->get_pathname(this->pts_db, is_dir, + workitem->get_arg_int(workitem)); + if (!pathname) + { + continue; + } + workitem->set_imv_id(workitem, imv_id); + no_workitems = FALSE; + + if (workitem->get_type(workitem) == IMV_WORKITEM_FILE_META) + { + TNC_IMV_Action_Recommendation rec; + TNC_IMV_Evaluation_Result eval; + char result_str[BUF_LEN]; + + DBG2(DBG_IMV, "IMV %d requests metadata for %s '%s'", + imv_id, is_dir ? "directory" : "file", pathname); + + /* currently just fire and forget metadata requests */ + attr = tcg_pts_attr_req_file_meta_create(is_dir, + delimiter, pathname); + snprintf(result_str, BUF_LEN, "%s metadata requested", + is_dir ? "directory" : "file"); + eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT; + session->remove_workitem(session, enumerator); + rec = workitem->set_result(workitem, result_str, eval); + state->update_recommendation(state, rec, eval); + imcv_db->finalize_workitem(imcv_db, workitem); + workitem->destroy(workitem); + } + else + { + /* use lower 16 bits of the workitem ID as request ID */ + request_id = workitem->get_id(workitem) & 0xffff; + + DBG2(DBG_IMV, "IMV %d requests measurement %d for %s '%s'", + imv_id, request_id, is_dir ? 
"directory" : "file", + pathname); + attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id, + delimiter, pathname); + } + free(pathname); + attr->set_noskip_flag(attr, TRUE); + out_msg->add_attribute(out_msg, attr); + } + enumerator->destroy(enumerator); + + /* sent all file and directory measurement and metadata requests */ + state->set_action_flags(state, IMV_ATTESTATION_FLAG_FILE_MEAS); + + if (no_workitems) + { + DBG2(DBG_IMV, "IMV %d has no workitems - " + "no evaluation requested", imv_id); + state->set_recommendation(state, + TNC_IMV_ACTION_RECOMMENDATION_ALLOW, + TNC_IMV_EVALUATION_RESULT_DONT_KNOW); + } + } + } + + /* check the IMV state for the next PA-TNC attributes to send */ + if (!imv_attestation_build(out_msg, attestation_state, + this->supported_algorithms, + this->supported_dh_groups, this->pts_db)) + { + state->set_recommendation(state, + TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, + TNC_IMV_EVALUATION_RESULT_ERROR); + result = out_msg->send_assessment(out_msg); + out_msg->destroy(out_msg); + state->set_action_flags(state, IMV_ATTESTATION_FLAG_REC); + + if (result != TNC_RESULT_SUCCESS) + { + return result; + } + return this->agent->provide_recommendation(this->agent, state); + } + + /* finalized all workitems? 
*/ + if (session && session->get_policy_started(session) && + session->get_workitem_count(session, imv_id) == 0 && + attestation_state->get_handshake_state(attestation_state) == + IMV_ATTESTATION_STATE_END) + { + result = out_msg->send_assessment(out_msg); + out_msg->destroy(out_msg); + state->set_action_flags(state, IMV_ATTESTATION_FLAG_REC); + + if (result != TNC_RESULT_SUCCESS) + { + return result; + } + return this->agent->provide_recommendation(this->agent, state); + } + + /* send non-empty PA-TNC message with excl flag not set */ + if (out_msg->get_attribute_count(out_msg)) + { + result = out_msg->send(out_msg, FALSE); + } + out_msg->destroy(out_msg); + + return result; +} + +METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result, + private_imv_attestation_agent_t *this, TNC_ConnectionID id) +{ + TNC_IMVID imv_id; + imv_state_t *state; + imv_attestation_state_t *attestation_state; + imv_session_t *session; + + if (!this->agent->get_state(this->agent, id, &state)) + { + return TNC_RESULT_FATAL; + } + attestation_state = (imv_attestation_state_t*)state; + session = state->get_session(state); + imv_id = this->agent->get_id(this->agent); + + if (session) + { + imv_workitem_t *workitem; + enumerator_t *enumerator; + int pending_file_meas = 0; + + enumerator = session->create_workitem_enumerator(session); + if (enumerator) + { + while (enumerator->enumerate(enumerator, &workitem)) + { + if (workitem->get_imv_id(workitem) != imv_id) + { + continue; + } + switch (workitem->get_type(workitem)) + { + case IMV_WORKITEM_FILE_REF_MEAS: + case IMV_WORKITEM_FILE_MEAS: + case IMV_WORKITEM_DIR_REF_MEAS: + case IMV_WORKITEM_DIR_MEAS: + pending_file_meas++; + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + if (pending_file_meas) + { + DBG1(DBG_IMV, "failure due to %d pending file measurements", + pending_file_meas); + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_FILE_MEAS_PEND); + } + } + } + return 
this->agent->provide_recommendation(this->agent, state); +} + +METHOD(imv_agent_if_t, destroy, void, + private_imv_attestation_agent_t *this) +{ + if (this->pts_creds) + { + this->pts_credmgr->remove_set(this->pts_credmgr, + this->pts_creds->get_set(this->pts_creds)); + this->pts_creds->destroy(this->pts_creds); + } + DESTROY_IF(this->pts_db); + DESTROY_IF(this->pts_credmgr); + DESTROY_IF(this->agent); + free(this); + libpts_deinit(); +} + +/** + * Described in header. + */ +imv_agent_if_t *imv_attestation_agent_create(const char *name, TNC_IMVID id, + TNC_Version *actual_version) +{ + private_imv_attestation_agent_t *this; + char *hash_alg, *dh_group, *cadir; + + hash_alg = lib->settings->get_str(lib->settings, + "libimcv.plugins.imv-attestation.hash_algorithm", "sha256"); + dh_group = lib->settings->get_str(lib->settings, + "libimcv.plugins.imv-attestation.dh_group", "ecp256"); + cadir = lib->settings->get_str(lib->settings, + "libimcv.plugins.imv-attestation.cadir", NULL); + + INIT(this, + .public = { + .bind_functions = _bind_functions, + .notify_connection_change = _notify_connection_change, + .receive_message = _receive_message, + .receive_message_long = _receive_message_long, + .batch_ending = _batch_ending, + .solicit_recommendation = _solicit_recommendation, + .destroy = _destroy, + }, + .agent = imv_agent_create(name, msg_types, countof(msg_types), id, + actual_version), + .supported_algorithms = PTS_MEAS_ALGO_NONE, + .supported_dh_groups = PTS_DH_GROUP_NONE, + .pts_credmgr = credential_manager_create(), + .pts_creds = pts_creds_create(cadir), + .pts_db = pts_database_create(imcv_db), + ); + + libpts_init(); + + if (!this->agent || + !pts_meas_algo_probe(&this->supported_algorithms) || + !pts_dh_group_probe(&this->supported_dh_groups) || + !pts_meas_algo_update(hash_alg, &this->supported_algorithms) || + !pts_dh_group_update(dh_group, &this->supported_dh_groups)) + { + destroy(this); + return NULL; + } + + if (this->pts_creds) + { + 
this->pts_credmgr->add_set(this->pts_credmgr, + this->pts_creds->get_set(this->pts_creds)); + } + + return &this->public; +} + diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.h b/src/libpts/plugins/imv_attestation/imv_attestation_agent.h new file mode 100644 index 000000000..cc421a29a --- /dev/null +++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.h @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2013 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imv_attestation_agent_t imv_attestation_agent + * @{ @ingroup imv_attestation + */ + +#ifndef IMV_ATTESTATION_AGENT_H_ +#define IMV_ATTESTATION_AGENT_H_ + +#include <imv/imv_agent_if.h> + +/** + * Creates a Attestation IMV agent + * + * @param name Name of the IMV + * @param id ID of the IMV + * @param actual_version TNC IF-IMV version + */ +imv_agent_if_t* imv_attestation_agent_create(const char* name, TNC_IMVID id, + TNC_Version *actual_version); + +#endif /** IMV_ATTESTATION_AGENT_H_ @}*/ diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.c b/src/libpts/plugins/imv_attestation/imv_attestation_build.c index 4f2cc1e95..3e09f7204 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_build.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.c 
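Review bot: The Doxygen block on `imv_attestation_agent_create` in the new header has no `@return`, and its summary reads `Creates a Attestation IMV agent`. The implementation shown earlier on this page returns NULL when `imv_agent_create` or one of the algorithm/DH-group probes fails, so callers need to know to check; add `@return IMV agent instance, or NULL on failure` and fix the article (`Creates an Attestation IMV agent`).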
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Sansar Choinyambuu + * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -16,7 +16,6 @@ #include "imv_attestation_build.h" #include "imv_attestation_state.h" -#include <libpts.h> #include <tcg/tcg_pts_attr_proto_caps.h> #include <tcg/tcg_pts_attr_meas_algo.h> #include <tcg/tcg_pts_attr_dh_nonce_params_req.h> @@ -25,12 +24,10 @@ #include <tcg/tcg_pts_attr_get_aik.h> #include <tcg/tcg_pts_attr_req_func_comp_evid.h> #include <tcg/tcg_pts_attr_gen_attest_evid.h> -#include <tcg/tcg_pts_attr_req_file_meas.h> -#include <tcg/tcg_pts_attr_req_file_meta.h> -#include <debug.h> +#include <utils/debug.h> -bool imv_attestation_build(linked_list_t *attr_list, +bool imv_attestation_build(imv_msg_t *out_msg, imv_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups, @@ -50,8 +47,7 @@ bool imv_attestation_build(linked_list_t *attr_list, if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ && !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D)) { - DBG2(DBG_IMV, "PTS-IMC does not support DH Nonce negotiation - " - "advancing to TPM Initialization"); + DBG2(DBG_IMV, "PTS-IMC does not support DH Nonce negotiation"); handshake_state = IMV_ATTESTATION_STATE_TPM_INIT; } @@ -62,9 +58,8 @@ bool imv_attestation_build(linked_list_t *attr_list, if (handshake_state == IMV_ATTESTATION_STATE_TPM_INIT && !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T)) { - DBG2(DBG_IMV, "PTS-IMC made no TPM available - " - "advancing to File Measurements"); - handshake_state = IMV_ATTESTATION_STATE_MEAS; + DBG2(DBG_IMV, "PTS-IMC made no TPM available"); + handshake_state = IMV_ATTESTATION_STATE_END; } switch (handshake_state) 
@@ -77,12 +72,12 @@ bool imv_attestation_build(linked_list_t *attr_list, flags = pts->get_proto_caps(pts); attr = tcg_pts_attr_proto_caps_create(flags, TRUE); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); /* Send Measurement Algorithms attribute */ attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_NONCE_REQ); @@ -98,7 +93,7 @@ bool imv_attestation_build(linked_list_t *attr_list, attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len, supported_dh_groups); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_TPM_INIT); 
@@ -117,87 +112,21 @@ bool imv_attestation_build(linked_list_t *attr_list, attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm, initiator_value, initiator_nonce); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); } /* Send Get TPM Version attribute */ attr = tcg_pts_attr_get_tpm_version_info_create(); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); /* Send Get AIK attribute */ attr = tcg_pts_attr_get_aik_create(); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); - - attestation_state->set_handshake_state(attestation_state, - IMV_ATTESTATION_STATE_MEAS); - break; - } - case IMV_ATTESTATION_STATE_MEAS: - { - enumerator_t *enumerator; - u_int32_t delimiter = SOLIDUS_UTF; - char *platform_info, *pathname; - u_int16_t request_id; - int id, type; - bool is_dir; + out_msg->add_attribute(out_msg, attr); attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_COMP_EVID); - - /* Get Platform and OS of the PTS-IMC */ - platform_info = pts->get_platform_info(pts); - - if (!pts_db || !platform_info) - { - DBG1(DBG_IMV, "%s%s%s not available", - (pts_db) ? "" : "pts database", - (!pts_db && !platform_info) ? "and" : "", - (platform_info) ? "" : "platform info"); - break; - } - DBG1(DBG_IMV, "platform is '%s'", platform_info); - - /* Send Request File Metadata attribute */ - enumerator = pts_db->create_file_meta_enumerator(pts_db, - platform_info); - if (!enumerator) - { - break; - } - while (enumerator->enumerate(enumerator, &type, &pathname)) - { - is_dir = (type != 0); - DBG2(DBG_IMV, "metadata request for %s '%s'", - is_dir ? 
"directory" : "file", pathname); - attr = tcg_pts_attr_req_file_meta_create(is_dir, delimiter, - pathname); - attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); - } - enumerator->destroy(enumerator); - - /* Send Request File Measurement attribute */ - enumerator = pts_db->create_file_meas_enumerator(pts_db, - platform_info); - if (!enumerator) - { - break; - } - while (enumerator->enumerate(enumerator, &id, &type, &pathname)) - { - is_dir = (type != 0); - request_id = attestation_state->add_file_meas_request( - attestation_state, id, is_dir); - DBG2(DBG_IMV, "measurement request %d for %s '%s'", - request_id, is_dir ? "directory" : "file", pathname); - attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id, - delimiter, pathname); - attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); - } - enumerator->destroy(enumerator); break; } case IMV_ATTESTATION_STATE_COMP_EVID: @@ -252,15 +181,15 @@ bool imv_attestation_build(linked_list_t *attr_list, comp_name = pts_comp_func_name_create(vid, name, qualifier); comp_name->log(comp_name, " "); - comp = pts_components->create(pts_components, comp_name, - depth, pts_db); + comp = attestation_state->create_component(attestation_state, + comp_name, depth, pts_db); if (!comp) { - DBG2(DBG_IMV, " not registered: removed from request"); + DBG2(DBG_IMV, " not registered or duplicate" + " - removed from request"); comp_name->destroy(comp_name); continue; } - attestation_state->add_component(attestation_state, comp); if (first_component) { attr = tcg_pts_attr_req_func_comp_evid_create(); 
@@ -277,12 +206,12 @@ bool imv_attestation_build(linked_list_t *attr_list, if (attr) { /* Send Request Functional Component Evidence attribute */ - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); /* Send Generate Attestation Evidence attribute */ attr = tcg_pts_attr_gen_attest_evid_create(); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_EVID_FINAL); @@ -290,10 +219,15 @@ bool imv_attestation_build(linked_list_t *attr_list, break; } case IMV_ATTESTATION_STATE_EVID_FINAL: - attestation_state->set_handshake_state(attestation_state, + if (attestation_state->components_finalized(attestation_state)) + { + attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_END); + } break; case IMV_ATTESTATION_STATE_END: + attestation_state->set_handshake_state(attestation_state, + IMV_ATTESTATION_STATE_END); break; } return TRUE; diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.h b/src/libpts/plugins/imv_attestation/imv_attestation_build.h index 7f934fd09..108f6f923 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_build.h +++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.h @@ -14,9 +14,8 @@ */ /** - * * @defgroup imv_attestation_build_t imv_attestation_build - * @{ @ingroup imv_attestation_build + * @{ @ingroup imv_attestation */ #ifndef IMV_ATTESTATION_BUILD_H_ @@ -24,7 +23,7 @@ #include "imv_attestation_state.h" -#include <pa_tnc/pa_tnc_msg.h> +#include <imv/imv_msg.h> #include <library.h> #include <pts/pts_database.h> 
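Review bot: In the `@@ -290` hunk the new `IMV_ATTESTATION_STATE_END` arm looks like a no-op (setting END while already in END), but the `switch` runs on the local `handshake_state`, which the no-TPM branch earlier in this function (outside this hunk) advances to END without touching the state object; this arm is what persists that advance. A comment would spare the next reader the same double-take: `/* persist a locally advanced state (e.g. no TPM available) */`. The `components_finalized` gate in the EVID_FINAL arm is consistent with the `finalize_components` call added in imv_attestation_process.c.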
@@ -34,14 +33,14 @@ /** * Process a TCG PTS attribute * - * @param attr_list list of PA-TNC attriubutes to be built + * @param out_msg outbound PA-TNC message to be built * @param attestation_state attestation state of a given connection * @param supported_algorithms supported PTS measurement algorithms * @param supported_dh_groups supported DH groups * @param pts_db PTS configuration database * @return TRUE if successful */ -bool imv_attestation_build(linked_list_t *attr_list, +bool imv_attestation_build(imv_msg_t *out_msg, imv_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups, diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c index a742b6697..d422ebcda 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 Sansar Choinyambuu + * Copyright (C) 2011-2013 Sansar Choinyambuu, Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -15,6 +15,7 @@ #include "imv_attestation_process.h" +#include <imcv.h> #include <ietf/ietf_attr_pa_tnc_error.h> #include <pts/pts.h> 
@@ -29,23 +30,27 @@ #include <tcg/tcg_pts_attr_tpm_version_info.h> #include <tcg/tcg_pts_attr_unix_file_meta.h> -#include <debug.h> +#include <utils/debug.h> #include <crypto/hashers/hasher.h> #include <inttypes.h> -bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, - imv_attestation_state_t *attestation_state, +bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, + imv_state_t *state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups, pts_database_t *pts_db, credential_manager_t *pts_credmgr) { + imv_attestation_state_t *attestation_state; + pen_type_t attr_type; pts_t *pts; + attestation_state = (imv_attestation_state_t*)state; pts = attestation_state->get_pts(attestation_state); - - switch (attr->get_type(attr)) + attr_type = attr->get_type(attr); + + switch (attr_type.type) { case TCG_PTS_PROTO_CAPS: { @@ -71,6 +76,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, return FALSE; } pts->set_meas_algorithm(pts, selected_algorithm); + state->set_action_flags(state, IMV_ATTESTATION_FLAG_ALGO); break; } case TCG_PTS_DH_NONCE_PARAMS_RESP: @@ -94,7 +100,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, attr = pts_dh_nonce_error_create( max(PTS_MIN_NONCE_LEN, min_nonce_len), PTS_MAX_NONCE_LEN); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); break; } @@ -111,7 +117,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (selected_algorithm == PTS_MEAS_ALGO_NONE) { attr = pts_hash_alg_error_create(supported_algorithms); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); break; } pts->set_dh_hash_algorithm(pts, selected_algorithm); 
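Review bot: The `switch` in the `@@ -29` hunk now dispatches on `attr_type.type` alone and never looks at `attr_type.vendor_id`, so unless the caller already filters on the TCG vendor ID before calling `imv_attestation_process` (not visible in this diff), an attribute from another vendor namespace with a colliding type number would be processed as a PTS attribute. Either guard at the top of the function, `if (attr_type.vendor_id != PEN_TCG) { return FALSE; }`, or state the precondition where `attr_type` is read: `/* caller dispatches only TCG (PEN_TCG) attributes here */`. The function's remaining arms continue past this hunk.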
@@ -169,7 +175,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
  KEY_ANY, aik->get_issuer(aik), FALSE);
  while (e->enumerate(e, &issuer))
  {
- if (aik->issued_by(aik, issuer))
+ if (aik->issued_by(aik, issuer, NULL))
  {
  trusted = TRUE;
  break;
@@ -188,50 +194,134 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, } case TCG_PTS_FILE_MEAS: { + TNC_IMV_Evaluation_Result eval; + TNC_IMV_Action_Recommendation rec; tcg_pts_attr_file_meas_t *attr_cast; u_int16_t request_id; - int file_count, file_id; + int arg_int, file_count; pts_meas_algorithms_t algo; pts_file_meas_t *measurements; - char *platform_info; - enumerator_t *e_hash; - bool is_dir; - + imv_session_t *session; + imv_workitem_t *workitem, *found = NULL; + imv_workitem_type_t type; + char result_str[BUF_LEN], *platform_info; + bool is_dir, correct; + enumerator_t *enumerator; + + eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT; + session = state->get_session(state); + algo = pts->get_meas_algorithm(pts); platform_info = pts->get_platform_info(pts); - if (!pts_db || !platform_info) - { - DBG1(DBG_IMV, "%s%s%s not available", - (pts_db) ? "" : "pts database", - (!pts_db && !platform_info) ? "and" : "", - (platform_info) ? "" : "platform info"); - break; - } - attr_cast = (tcg_pts_attr_file_meas_t*)attr; measurements = attr_cast->get_measurements(attr_cast); - algo = pts->get_meas_algorithm(pts); request_id = measurements->get_request_id(measurements); file_count = measurements->get_file_count(measurements); DBG1(DBG_IMV, "measurement request %d returned %d file%s:", request_id, file_count, (file_count == 1) ? 
"":"s"); - if (!attestation_state->check_off_file_meas_request(attestation_state, - request_id, &file_id, &is_dir)) + if (request_id) { - DBG1(DBG_IMV, " no entry found for file measurement request %d", - request_id); - break; - } + enumerator = session->create_workitem_enumerator(session); + while (enumerator->enumerate(enumerator, &workitem)) + { + /* request ID consist of lower 16 bits of workitem ID */ + if ((workitem->get_id(workitem) & 0xffff) == request_id) + { + found = workitem; + break; + } + } - /* check hashes from database against measurements */ - e_hash = pts_db->create_file_hash_enumerator(pts_db, - platform_info, algo, file_id, is_dir); - if (!measurements->verify(measurements, e_hash, is_dir)) + if (!found) + { + DBG1(DBG_IMV, " no entry found for file measurement " + "request %d", request_id); + enumerator->destroy(enumerator); + break; + } + type = found->get_type(found); + arg_int = found->get_arg_int(found); + + switch (type) + { + default: + case IMV_WORKITEM_FILE_REF_MEAS: + case IMV_WORKITEM_FILE_MEAS: + is_dir = FALSE; + break; + case IMV_WORKITEM_DIR_REF_MEAS: + case IMV_WORKITEM_DIR_MEAS: + is_dir = TRUE; + } + + switch (type) + { + case IMV_WORKITEM_FILE_MEAS: + case IMV_WORKITEM_DIR_MEAS: + { + enumerator_t *e; + + /* check hashes from database against measurements */ + e = pts_db->create_file_hash_enumerator(pts_db, + platform_info, algo, is_dir, arg_int); + if (!e) + { + eval = TNC_IMV_EVALUATION_RESULT_ERROR; + break; + } + correct = measurements->verify(measurements, e, is_dir); + if (!correct) + { + attestation_state->set_measurement_error( + attestation_state, + IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL); + eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR; + } + e->destroy(e); + + snprintf(result_str, BUF_LEN, "%s measurement%s correct", + is_dir ? "directory" : "file", + correct ? 
"" : " not"); + break; + } + case IMV_WORKITEM_FILE_REF_MEAS: + case IMV_WORKITEM_DIR_REF_MEAS: + { + enumerator_t *e; + char *filename; + chunk_t measurement; + + e = measurements->create_enumerator(measurements); + while (e->enumerate(e, &filename, &measurement)) + { + if (pts_db->add_file_measurement(pts_db, + platform_info, algo, measurement, filename, + is_dir, arg_int) != SUCCESS) + { + eval = TNC_IMV_EVALUATION_RESULT_ERROR; + } + } + e->destroy(e); + snprintf(result_str, BUF_LEN, "%s reference measurement " + "successful", is_dir ? "directory" : "file"); + break; + } + default: + break; + } + + session->remove_workitem(session, enumerator); + enumerator->destroy(enumerator); + rec = found->set_result(found, result_str, eval); + state->update_recommendation(state, rec, eval); + imcv_db->finalize_workitem(imcv_db, found); + found->destroy(found); + } + else { - attestation_state->set_measurement_error(attestation_state); + measurements->check(measurements, pts_db, platform_info, algo); } - e_hash->destroy(e_hash); break; } case TCG_PTS_UNIX_FILE_META: 
@@ -276,34 +366,23 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, pts_comp_evidence_t *evidence; pts_component_t *comp; u_int32_t depth; - status_t status; attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr; evidence = attr_cast->get_comp_evidence(attr_cast); name = evidence->get_comp_func_name(evidence, &depth); - comp = attestation_state->check_off_component(attestation_state, name); + comp = attestation_state->get_component(attestation_state, name); if (!comp) { DBG1(DBG_IMV, " no entry found for component evidence request"); break; } - status = comp->verify(comp, pts, evidence); - - switch (status) + if (comp->verify(comp, name->get_qualifier(name), pts, + evidence) != SUCCESS) { - default: - case FAILED: - attestation_state->set_measurement_error(attestation_state); - comp->destroy(comp); - break; - case SUCCESS: - name->log(name, " successfully measured "); - comp->destroy(comp); - break; - case NEED_MORE: - /* re-enter component into list */ - attestation_state->add_component(attestation_state, comp); + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_COMP_EVID_FAIL); + name->log(name, " measurement mismatch for "); } break; } 
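Review bot: The rewritten check treats every non-SUCCESS return of `comp->verify` as a measurement mismatch, whereas the removed `switch (status)` handled NEED_MORE by re-queueing the component; if `verify` can still return NEED_MORE for multi-part evidence, an incomplete but correct measurement now sets IMV_ATTESTATION_ERROR_COMP_EVID_FAIL. If NEED_MORE is no longer possible, say so where the result is tested: `/* verify() yields SUCCESS or FAILED; partial evidence is tracked inside the component */`. Note also that the component returned by `get_component` is no longer destroyed here, which is consistent with the state now owning it via `free_func_comp`.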
@@ -338,23 +417,30 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, { DBG1(DBG_IMV, "received PCR Composite does not match " "constructed one"); + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL); free(pcr_composite.ptr); free(quote_info.ptr); - return FALSE; + break; } DBG2(DBG_IMV, "received PCR Composite matches constructed one"); free(pcr_composite.ptr); if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig)) { + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL); free(quote_info.ptr); - return FALSE; + break; } DBG2(DBG_IMV, "TPM Quote Info signature verification successful"); free(quote_info.ptr); - /* Finalize any pending measurement registrations */ - attestation_state->check_off_registrations(attestation_state); + /** + * Finalize any pending measurement registrations and check + * if all expected component measurements were received + */ + attestation_state->finalize_components(attestation_state); } if (attr_cast->get_evid_sig(attr_cast, &evid_sig)) diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.h b/src/libpts/plugins/imv_attestation/imv_attestation_process.h index 4d4eeefbb..af8666b66 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_process.h +++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.h @@ -14,9 +14,8 @@ */ /** - * * @defgroup imv_attestation_process_t imv_attestation_process - * @{ @ingroup imv_attestation_process + * @{ @ingroup imv_attestation */ #ifndef IMV_ATTESTATION_PROCESS_H_ @@ -25,10 +24,11 @@ #include "imv_attestation_state.h" #include <library.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> #include <credentials/credential_manager.h> #include <crypto/hashers/hasher.h> +#include <imv/imv_msg.h> #include <pa_tnc/pa_tnc_attr.h> #include <pts/pts_database.h> 
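Review bot: The comment introduced before `finalize_components` uses a `/** … */` Doxygen opener inside a function body, which documentation tools attach to the next symbol; use a plain `/* … */` block there. Turning both `return FALSE` paths into `break` changes a failed PCR-composite comparison or quote signature from a processing error into a recorded IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL, and it also skips the `get_evid_sig` handling that follows — if that is intended, a one-line comment on the first `break` (`/* quote failure is reported via the reason string, not as a protocol error */`) would make it explicit. The enclosing case begins outside this hunk.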
@@ -39,16 +39,16 @@ * Process a TCG PTS attribute * * @param attr PA-TNC attribute to be processed - * @param attr_list list with PA-TNC error attributes - * @param attestation_state attestation state of a given connection + * @param out_msg PA-TNC message containing error messages + * @param state state of a given connection * @param supported_algorithms supported PTS measurement algorithms * @param supported_dh_groups supported DH groups * @param pts_db PTS configuration database * @param pts_credmgr PTS credential manager * @return TRUE if successful */ -bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, - imv_attestation_state_t *attestation_state, +bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, + imv_state_t *state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups, pts_database_t *pts_db, diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c index a58fd3ec3..27b2655f8 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2011 Sansar Choinyambuu + * Copyright (C) 2011-2012 Sansar Choinyambuu + * Copyright (C) 2011-2013 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -15,21 +16,19 @@ #include "imv_attestation_state.h" -#include <utils/lexparser.h> -#include <utils/linked_list.h> -#include <debug.h> +#include <libpts.h> + +#include <imv/imv_lang_string.h> +#include "imv/imv_reason_string.h" + +#include <tncif_policy.h> + +#include <collections/linked_list.h> +#include <utils/debug.h> typedef struct private_imv_attestation_state_t private_imv_attestation_state_t; typedef struct file_meas_request_t file_meas_request_t; - -/** - * PTS File/Directory Measurement request entry - */ -struct file_meas_request_t { - u_int16_t id; - int file_id; - bool is_dir; -}; +typedef struct func_comp_t func_comp_t; /** * Private data of an imv_attestation_state_t object. @@ -50,7 +49,7 @@ struct private_imv_attestation_state_t { * TNCCS connection state */ TNC_ConnectionState state; - + /** * Does the TNCCS connection support long message types? */ @@ -62,29 +61,44 @@ struct private_imv_attestation_state_t { bool has_excl; /** - * IMV Attestation handshake state + * Maximum PA-TNC message size for this TNCCS connection */ - imv_attestation_handshake_state_t handshake_state; + u_int32_t max_msg_len; /** - * IMV action recommendation + * Flags set for completed actions */ - TNC_IMV_Action_Recommendation rec; + u_int32_t action_flags; /** - * IMV evaluation result + * Access Requestor ID Type */ - TNC_IMV_Evaluation_Result eval; + u_int32_t ar_id_type; /** - * File Measurement Request counter + * Access Requestor ID Value */ - u_int16_t file_meas_request_counter; + chunk_t ar_id_value; /** - * List of PTS File/Directory Measurement requests + * IMV database session associated with TNCCS connection */ - linked_list_t *file_meas_requests; + imv_session_t *session; + + /** + * IMV Attestation handshake state + */ + imv_attestation_handshake_state_t handshake_state; + + /** + * IMV action recommendation + */ + TNC_IMV_Action_Recommendation rec; + + /** + * IMV evaluation result + */ + TNC_IMV_Evaluation_Result eval; /** * List of Functional Components 
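Review bot: `typedef struct file_meas_request_t file_meas_request_t;` is kept although this commit removes the struct definition and every user of it visible on this page (`file_meas_requests`, `add_file_meas_request`, `check_off_file_meas_request`), so the typedef is now dead and should go with the struct. The include block also mixes `<imv/imv_lang_string.h>` with `"imv/imv_reason_string.h"` for two headers from the same directory; use the angle-bracket form for both. The field reordering in the `@@ -62` hunk matches the accessors added later in the file.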
@@ -97,32 +111,75 @@ struct private_imv_attestation_state_t { pts_t *pts; /** - * Measurement error + * Measurement error flags */ - bool measurement_error; + u_int32_t measurement_error; -}; + /** + * TNC Reason String + */ + imv_reason_string_t *reason_string; -typedef struct entry_t entry_t; +}; /** - * Define an internal reason string entry + * PTS Functional Component entry */ -struct entry_t { - char *lang; - char *string; +struct func_comp_t { + pts_component_t *comp; + u_int8_t qualifier; }; /** - * Table of multi-lingual reason string entries + * Frees a func_comp_t object + */ +static void free_func_comp(func_comp_t *this) +{ + this->comp->destroy(this->comp); + free(this); +} + +/** + * Supported languages + */ +static char* languages[] = { "en", "de", "mn" }; + +/** + * Table of reason strings */ -static entry_t reasons[] = { - { "en", "IMV Attestation: Incorrect/pending file measurement/component" - " evidence or invalid TPM Quote signature received" }, - { "mn", "IMV Attestation: Буруу/хүлээгдэж байгаа файл/компонент хэмжилт " - "эсвэл буруу TPM Quote гарын үсэг" }, - { "de", "IMV Attestation: Falsche/Fehlende Dateimessung/Komponenten Beweis " - "oder ungültige TPM Quote Unterschrift ist erhalten" }, +static imv_lang_string_t reason_file_meas_fail[] = { + { "en", "Incorrect file measurement" }, + { "de", "Falsche Dateimessung" }, + { "mn", "Буруу байгаа файл" }, + { NULL, NULL } +}; + +static imv_lang_string_t reason_file_meas_pend[] = { + { "en", "Pending file measurement" }, + { "de", "Ausstehende Dateimessung" }, + { "mn", "Xүлээгдэж байгаа файл" }, + { NULL, NULL } +}; + +static imv_lang_string_t reason_comp_evid_fail[] = { + { "en", "Incorrect component evidence" }, + { "de", "Falsche Komponenten-Evidenz" }, + { "mn", "Буруу компонент хэмжилт" }, + { NULL, NULL } +}; + +static imv_lang_string_t reason_comp_evid_pend[] = { + { "en", "Pending component evidence" }, + { "de", "Ausstehende Komponenten-Evidenz" }, + { "mn", "Xүлээгдэж компонент 
хэмжилт" }, + { NULL, NULL } +}; + +static imv_lang_string_t reason_tpm_quote_fail[] = { + { "en", "Invalid TPM Quote signature received" }, + { "de", "Falsche TPM Quote Signature erhalten" }, + { "mn", "Буруу TPM Quote гарын үсэг" }, + { NULL, NULL } }; METHOD(imv_state_t, get_connection_id, TNC_ConnectionID, @@ -150,6 +207,59 @@ METHOD(imv_state_t, set_flags, void, this->has_excl = has_excl; } +METHOD(imv_state_t, set_max_msg_len, void, + private_imv_attestation_state_t *this, u_int32_t max_msg_len) +{ + this->max_msg_len = max_msg_len; +} + +METHOD(imv_state_t, get_max_msg_len, u_int32_t, + private_imv_attestation_state_t *this) +{ + return this->max_msg_len; +} + +METHOD(imv_state_t, set_action_flags, void, + private_imv_attestation_state_t *this, u_int32_t flags) +{ + this->action_flags |= flags; +} + +METHOD(imv_state_t, get_action_flags, u_int32_t, + private_imv_attestation_state_t *this) +{ + return this->action_flags; +} + +METHOD(imv_state_t, set_ar_id, void, + private_imv_attestation_state_t *this, u_int32_t id_type, chunk_t id_value) +{ + this->ar_id_type = id_type; + this->ar_id_value = chunk_clone(id_value); +} + +METHOD(imv_state_t, get_ar_id, chunk_t, + private_imv_attestation_state_t *this, u_int32_t *id_type) +{ + if (id_type) + { + *id_type = this->ar_id_type; + } + return this->ar_id_value; +} + +METHOD(imv_state_t, set_session, void, + private_imv_attestation_state_t *this, imv_session_t *session) +{ + this->session = session; +} + +METHOD(imv_state_t, get_session, imv_session_t*, + private_imv_attestation_state_t *this) +{ + return this->session; +} + METHOD(imv_state_t, change_state, void, private_imv_attestation_state_t *this, TNC_ConnectionState new_state) { 
@@ -158,7 +268,7 @@ METHOD(imv_state_t, change_state, void, METHOD(imv_state_t, get_recommendation, void, private_imv_attestation_state_t *this, TNC_IMV_Action_Recommendation *rec, - TNC_IMV_Evaluation_Result *eval) + TNC_IMV_Evaluation_Result *eval) { *rec = this->rec; *eval = this->eval; 
@@ -166,63 +276,76 @@ METHOD(imv_state_t, get_recommendation, void, METHOD(imv_state_t, set_recommendation, void, private_imv_attestation_state_t *this, TNC_IMV_Action_Recommendation rec, - TNC_IMV_Evaluation_Result eval) + TNC_IMV_Evaluation_Result eval) { this->rec = rec; this->eval = eval; } -METHOD(imv_state_t, get_reason_string, bool, - private_imv_attestation_state_t *this, chunk_t preferred_language, - chunk_t *reason_string, chunk_t *reason_language) +METHOD(imv_state_t, update_recommendation, void, + private_imv_attestation_state_t *this, TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval) { - chunk_t pref_lang, lang; - u_char *pos; - int i; + this->rec = tncif_policy_update_recommendation(this->rec, rec); + this->eval = tncif_policy_update_evaluation(this->eval, eval); +} - while (eat_whitespace(&preferred_language)) - { - if (!extract_token(&pref_lang, ',', &preferred_language)) - { - /* last entry in a comma-separated list or single entry */ - pref_lang = preferred_language; - } +METHOD(imv_state_t, get_reason_string, bool, + private_imv_attestation_state_t *this, enumerator_t *language_enumerator, + chunk_t *reason_string, char **reason_language) +{ + *reason_language = imv_lang_string_select_lang(language_enumerator, + languages, countof(languages)); - /* eat trailing whitespace */ - pos = pref_lang.ptr + pref_lang.len - 1; - while (pref_lang.len && *pos-- == ' ') - { - pref_lang.len--; - } + /* Instantiate a TNC Reason String object */ + DESTROY_IF(this->reason_string); + this->reason_string = imv_reason_string_create(*reason_language); - for (i = 0 ; i < countof(reasons); i++) - { - lang = chunk_create(reasons[i].lang, strlen(reasons[i].lang)); - if (chunk_equals(lang, pref_lang)) - { - *reason_language = lang; - *reason_string = chunk_create(reasons[i].string, - strlen(reasons[i].string)); - return TRUE; - } - } + if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL) + { + 
this->reason_string->add_reason(this->reason_string, + reason_file_meas_fail); } + if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_PEND) + { + this->reason_string->add_reason(this->reason_string, + reason_file_meas_pend); + } + if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_FAIL) + { + this->reason_string->add_reason(this->reason_string, + reason_comp_evid_fail); + } + if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_PEND) + { + this->reason_string->add_reason(this->reason_string, + reason_comp_evid_pend); + } + if (this->measurement_error & IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL) + { + this->reason_string->add_reason(this->reason_string, + reason_tpm_quote_fail); + } + *reason_string = this->reason_string->get_encoding(this->reason_string); - /* no preferred language match found - use the default language */ - *reason_string = chunk_create(reasons[0].string, - strlen(reasons[0].string)); - *reason_language = chunk_create(reasons[0].lang, - strlen(reasons[0].lang)); return TRUE; } +METHOD(imv_state_t, get_remediation_instructions, bool, + private_imv_attestation_state_t *this, enumerator_t *language_enumerator, + chunk_t *string, char **lang_code, char **uri) +{ + return FALSE; +} + METHOD(imv_state_t, destroy, void, private_imv_attestation_state_t *this) { - this->file_meas_requests->destroy_function(this->file_meas_requests, free); - this->components->destroy_offset(this->components, - offsetof(pts_component_t, destroy)); + DESTROY_IF(this->session); + DESTROY_IF(this->reason_string); + this->components->destroy_function(this->components, (void *)free_func_comp); this->pts->destroy(this->pts); + free(this->ar_id_value.ptr); free(this); } 
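Review bot: `get_reason_string` returns TRUE even when no bit of `measurement_error` is set, in which case `*reason_string` is the encoding of an empty reason list and `*reason_language` is still reported as valid. Unless callers only request a reason after an error has been recorded (not visible here), returning early, `if (!this->measurement_error) { return FALSE; }`, before instantiating the reason-string object would avoid sending an empty reason. `get_remediation_instructions` returning FALSE is consistent with that contract.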
@@ -245,70 +368,69 @@ METHOD(imv_attestation_state_t, get_pts, pts_t*,
 return this->pts;
 }
-METHOD(imv_attestation_state_t, add_file_meas_request, u_int16_t,
- private_imv_attestation_state_t *this, int file_id, bool is_dir)
-{
- file_meas_request_t *request;
-
- request = malloc_thing(file_meas_request_t);
- request->id = ++this->file_meas_request_counter;
- request->file_id = file_id;
- request->is_dir = is_dir;
- this->file_meas_requests->insert_last(this->file_meas_requests, request);
-
- return this->file_meas_request_counter;
-}
-
-METHOD(imv_attestation_state_t, check_off_file_meas_request, bool,
- private_imv_attestation_state_t *this, u_int16_t id, int *file_id,
- bool* is_dir)
+METHOD(imv_attestation_state_t, create_component, pts_component_t*,
+ private_imv_attestation_state_t *this, pts_comp_func_name_t *name,
+ u_int32_t depth, pts_database_t *pts_db)
 {
 enumerator_t *enumerator;
- file_meas_request_t *request;
+ func_comp_t *entry, *new_entry;
+ pts_component_t *component;
 bool found = FALSE;
-
- enumerator = this->file_meas_requests->create_enumerator(this->file_meas_requests);
- while (enumerator->enumerate(enumerator, &request))
+
+ enumerator = this->components->create_enumerator(this->components);
+ while (enumerator->enumerate(enumerator, &entry))
 {
- if (request->id == id)
+ if (name->equals(name, entry->comp->get_comp_func_name(entry->comp)))
 {
 found = TRUE;
- *file_id = request->file_id;
- *is_dir = request->is_dir;
- this->file_meas_requests->remove_at(this->file_meas_requests, enumerator);
- free(request);
 break;
 }
 }
 enumerator->destroy(enumerator);
- return found;
-}
-METHOD(imv_attestation_state_t, get_file_meas_request_count, int,
- private_imv_attestation_state_t *this)
-{
- return this->file_meas_requests->get_count(this->file_meas_requests);
-}
-
-METHOD(imv_attestation_state_t, add_component, void,
- private_imv_attestation_state_t *this, pts_component_t *entry)
-{
- this->components->insert_last(this->components, entry);
+ if (found)
+ {
+ if (name->get_qualifier(name) == entry->qualifier)
+ {
+ /* duplicate entry */
+ return NULL;
+ }
+ new_entry = malloc_thing(func_comp_t);
+ new_entry->qualifier = name->get_qualifier(name);
+ new_entry->comp = entry->comp->get_ref(entry->comp);
+ this->components->insert_last(this->components, new_entry);
+ return entry->comp;
+ }
+ else
+ {
+ component = pts_components->create(pts_components, name, depth, pts_db);
+ if (!component)
+ {
+ /* unsupported component */
+ return NULL;
+ }
+ new_entry = malloc_thing(func_comp_t);
+ new_entry->qualifier = name->get_qualifier(name);
+ new_entry->comp = component;
+ this->components->insert_last(this->components, new_entry);
+ return component;
+ }
 }
-METHOD(imv_attestation_state_t, check_off_component, pts_component_t*,
+METHOD(imv_attestation_state_t, get_component, pts_component_t*,
 private_imv_attestation_state_t *this, pts_comp_func_name_t *name)
 {
 enumerator_t *enumerator;
- pts_component_t *entry, *found = NULL;
+ func_comp_t *entry;
+ pts_component_t *found = NULL;
 enumerator = this->components->create_enumerator(this->components);
 while (enumerator->enumerate(enumerator, &entry))
 {
- if (name->equals(name, entry->get_comp_func_name(entry)))
+ if (name->equals(name, entry->comp->get_comp_func_name(entry->comp)) &&
+ name->get_qualifier(name) == entry->qualifier)
 {
- found = entry;
- this->components->remove_at(this->components, enumerator);
+ found = entry->comp;
 break;
 }
 }
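Review bot: The duplicate check in create_component() only looks at the first list entry whose name matches, because the search loop breaks on the first name hit; with (name, q1) and (name, q2) already registered, a request for (name, q2) finds the q1 entry, sees a different qualifier and appends a second (name, q2) entry. get_component(), in contrast, matches on name and qualifier, so the two methods disagree on what a duplicate is. The qualifier comparison belongs inside the loop, with a same-name entry only remembered for reference sharing, as sketched below; the found branch then uses `shared->comp` instead of `entry->comp`. get_component() continues past the end of this hunk.
```c
	func_comp_t *entry, *new_entry, *shared = NULL;
	/* … unchanged: remaining locals … */

	enumerator = this->components->create_enumerator(this->components);
	while (enumerator->enumerate(enumerator, &entry))
	{
		if (name->equals(name, entry->comp->get_comp_func_name(entry->comp)))
		{
			if (name->get_qualifier(name) == entry->qualifier)
			{
				/* duplicate: same name and qualifier already registered */
				enumerator->destroy(enumerator);
				return NULL;
			}
			/* same name, other qualifier: share the component instance */
			shared = entry;
		}
	}
	enumerator->destroy(enumerator);

	if (shared)
	{
		/* … unchanged: insert new_entry referencing shared->comp via get_ref() … */
	}
	/* … unchanged: else branch creating the component via pts_components … */
```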
@@ -316,40 +438,38 @@ METHOD(imv_attestation_state_t, check_off_component, pts_component_t*,
 return found;
 }
-METHOD(imv_attestation_state_t, check_off_registrations, void,
+METHOD(imv_attestation_state_t, get_measurement_error, u_int32_t,
 private_imv_attestation_state_t *this)
 {
- enumerator_t *enumerator;
- pts_component_t *entry;
-
- enumerator = this->components->create_enumerator(this->components);
- while (enumerator->enumerate(enumerator, &entry))
- {
- if (entry->check_off_registrations(entry))
- {
- this->components->remove_at(this->components, enumerator);
- entry->destroy(entry);
- }
- }
- enumerator->destroy(enumerator);
+ return this->measurement_error;
 }
-METHOD(imv_attestation_state_t, get_component_count, int,
- private_imv_attestation_state_t *this)
+METHOD(imv_attestation_state_t, set_measurement_error, void,
+ private_imv_attestation_state_t *this, u_int32_t error)
 {
- return this->components->get_count(this->components);
+ this->measurement_error |= error;
 }
-METHOD(imv_attestation_state_t, get_measurement_error, bool,
+METHOD(imv_attestation_state_t, finalize_components, void,
 private_imv_attestation_state_t *this)
 {
- return this->measurement_error;
+ func_comp_t *entry;
+
+ while (this->components->remove_last(this->components,
+ (void**)&entry) == SUCCESS)
+ {
+ if (!entry->comp->finalize(entry->comp, entry->qualifier))
+ {
+ set_measurement_error(this, IMV_ATTESTATION_ERROR_COMP_EVID_PEND);
+ }
+ free_func_comp(entry);
+ }
 }
-METHOD(imv_attestation_state_t, set_measurement_error, void,
+METHOD(imv_attestation_state_t, components_finalized, bool,
 private_imv_attestation_state_t *this)
 {
- this->measurement_error = TRUE;
+ return this->components->get_count(this->components) == 0;
 }
 /**
@@ -358,7 +478,6 @@ METHOD(imv_attestation_state_t, set_measurement_error, void,
 imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 {
 private_imv_attestation_state_t *this;
- char *platform_info;
 INIT(this,
 .public = {
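Review bot: components_finalized() reports TRUE whenever the component list is empty, which is also true for a freshly created state and after every create_component() that returned NULL, so it cannot distinguish "finalized" from "nothing registered yet"; if the caller uses it to gate the final recommendation, a dedicated flag set at the end of finalize_components() would be more robust — confirm against the caller, which is outside this chunk. In finalize_components() the `remove_last()` loop drains the list, so a second call is a no-op and a finalize() failure is recorded only via `IMV_ATTESTATION_ERROR_COMP_EVID_PEND`; a comment above the loop, `/* drains the component list; components_finalized() relies on it being empty afterwards */`, would make that coupling explicit. set_measurement_error() now ORs `error` into the mask rather than replacing it, which is a behaviour change callers of the old boolean setter should be checked against.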
@@ -367,22 +486,29 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 .has_long = _has_long,
 .has_excl = _has_excl,
 .set_flags = _set_flags,
+ .set_max_msg_len = _set_max_msg_len,
+ .get_max_msg_len = _get_max_msg_len,
+ .set_action_flags = _set_action_flags,
+ .get_action_flags = _get_action_flags,
+ .set_ar_id = _set_ar_id,
+ .get_ar_id = _get_ar_id,
+ .set_session = _set_session,
+ .get_session = _get_session,
 .change_state = _change_state,
 .get_recommendation = _get_recommendation,
 .set_recommendation = _set_recommendation,
+ .update_recommendation = _update_recommendation,
 .get_reason_string = _get_reason_string,
+ .get_remediation_instructions = _get_remediation_instructions,
 .destroy = _destroy,
 },
 .get_handshake_state = _get_handshake_state,
 .set_handshake_state = _set_handshake_state,
 .get_pts = _get_pts,
- .add_file_meas_request = _add_file_meas_request,
- .check_off_file_meas_request = _check_off_file_meas_request,
- .get_file_meas_request_count = _get_file_meas_request_count,
- .add_component = _add_component,
- .check_off_component = _check_off_component,
- .check_off_registrations = _check_off_registrations,
- .get_component_count = _get_component_count,
+ .create_component = _create_component,
+ .get_component = _get_component,
+ .finalize_components = _finalize_components,
+ .components_finalized = _components_finalized,
 .get_measurement_error = _get_measurement_error,
 .set_measurement_error = _set_measurement_error,
 },
@@ -391,17 +517,9 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 .handshake_state = IMV_ATTESTATION_STATE_INIT,
 .rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
 .eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW,
- .file_meas_requests = linked_list_create(),
 .components = linked_list_create(),
 .pts = pts_create(FALSE),
 );
- platform_info = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imv-attestation.platform_info", NULL);
- if (platform_info)
- {
- this->pts->set_platform_info(this->pts, platform_info);
- }
-
 return &this->public.interface;
 }
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
index 0e2c04da4..f3edd5fa1 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
@@ -14,9 +14,11 @@
 */
 /**
+ * @defgroup imv_attestation imv_attestation
+ * @ingroup libpts_plugins
 *
 * @defgroup imv_attestation_state_t imv_attestation_state
- * @{ @ingroup imv_attestation_state
+ * @{ @ingroup imv_attestation
 */
 #ifndef IMV_ATTESTATION_STATE_H_
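Review bot: The constructor no longer reads `libimcv.plugins.imv-attestation.platform_info`, so a strongswan.conf entry that still sets it is silently ignored; if that option is documented elsewhere, the documentation should be updated in the same change or the removal called out in the commit message. The members that destroy() now releases (`session`, `reason_string`, `ar_id_value.ptr`) and the `measurement_error` mask are not named in INIT() here, so they rely on the unnamed designated-initializer members being zero-filled — which holds if INIT() assigns a compound literal, but a comment such as `/* session, reason_string, ar_id_value and measurement_error start zeroed by INIT() */` would keep a later maintainer from adding a field with a non-zero default by mistake. The enclosing INIT() call and the function signature begin in the previous hunk.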
@@ -24,11 +26,24 @@
 #include <imv/imv_state.h>
 #include <pts/pts.h>
+#include <pts/pts_database.h>
 #include <pts/components/pts_component.h>
 #include <library.h>
 typedef struct imv_attestation_state_t imv_attestation_state_t;
+typedef enum imv_attestation_flag_t imv_attestation_flag_t;
 typedef enum imv_attestation_handshake_state_t imv_attestation_handshake_state_t;
+typedef enum imv_meas_error_t imv_meas_error_t;
+
+/**
+ * IMV Attestation Flags set for completed actions
+ */
+enum imv_attestation_flag_t {
+ IMV_ATTESTATION_FLAG_ATTR_REQ = (1<<0),
+ IMV_ATTESTATION_FLAG_ALGO = (1<<1),
+ IMV_ATTESTATION_FLAG_FILE_MEAS = (1<<2),
+ IMV_ATTESTATION_FLAG_REC = (1<<3)
+};
 /**
 * IMV Attestation Handshake States (state machine)
@@ -37,13 +52,23 @@ enum imv_attestation_handshake_state_t {
 IMV_ATTESTATION_STATE_INIT,
 IMV_ATTESTATION_STATE_NONCE_REQ,
 IMV_ATTESTATION_STATE_TPM_INIT,
- IMV_ATTESTATION_STATE_MEAS,
 IMV_ATTESTATION_STATE_COMP_EVID,
 IMV_ATTESTATION_STATE_EVID_FINAL,
 IMV_ATTESTATION_STATE_END,
 };
 /**
+ * IMV Measurement Error Types
+ */
+enum imv_meas_error_t {
+ IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL = 1,
+ IMV_ATTESTATION_ERROR_FILE_MEAS_PEND = 2,
+ IMV_ATTESTATION_ERROR_COMP_EVID_FAIL = 4,
+ IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 8,
+ IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 16
+};
+
+/**
 * Internal state of an imv_attestation_t connection instance
 */
 struct imv_attestation_state_t {
@@ -60,7 +85,7 @@ struct imv_attestation_state_t {
 */
 imv_attestation_handshake_state_t (*get_handshake_state)(
 imv_attestation_state_t *this);
-
+
 /**
 * Set state of the handshake
 *
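Review bot: `imv_meas_error_t` is used as a bit mask (set_measurement_error() ORs values in and get_reason_string() tests each one with `&`), yet its comment calls them "Error Types" and spells the values 1, 2, 4, 8, 16, while the adjacent `imv_attestation_flag_t` uses the `(1<<n)` form. For consistency and to signal that the values combine, write them as `(1<<0)` through `(1<<4)` and reword the comment to `/** IMV Measurement Error flags, OR-ed into the u_int32_t mask kept by the state */`. Dropping `IMV_ATTESTATION_STATE_MEAS` renumbers the handshake states that follow it, which is harmless only if no value is stored or sent on the wire — the users of the enum are outside this chunk, so that is worth a quick check.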
@@ -77,72 +102,52 @@ struct imv_attestation_state_t {
 pts_t* (*get_pts)(imv_attestation_state_t *this);
 /**
- * Add an entry to the list of pending file/directory measurement requests
- *
- * @param file_id primary key into file table
- * @param is_dir TRUE if directory
- * @return unique request ID
- */
- u_int16_t (*add_file_meas_request)(imv_attestation_state_t *this,
- int file_id, bool is_dir);
-
- /**
- * Returns the number of pending file/directory measurement requests
+ * Create and add an entry to the list of Functional Components
 *
- * @return number of pending requests
+ * @param name Component Functional Name
+ * @param depth Sub-component Depth
+ * @param pts_db PTS measurement database
+ * @return created functional component instance or NULL
 */
- int (*get_file_meas_request_count)(imv_attestation_state_t *this);
+ pts_component_t* (*create_component)(imv_attestation_state_t *this,
+ pts_comp_func_name_t *name,
+ u_int32_t depth,
+ pts_database_t *pts_db);
 /**
- * Check for presence of request_id and if found remove it from the list
+ * Get a Functional Component with a given name
 *
- * @param id unique request ID
- * @param file_id primary key into file table
- * @param is_dir return TRUE if request was for a directory
- * @return TRUE if request ID found, FALSE otherwise
+ * @param name Name of the requested Functional Component
+ * @return Functional Component if found, NULL otherwise
 */
- bool (*check_off_file_meas_request)(imv_attestation_state_t *this,
- u_int16_t id, int *file_id, bool *is_dir);
+ pts_component_t* (*get_component)(imv_attestation_state_t *this,
+ pts_comp_func_name_t *name);
 /**
- * Add an entry to the list of Functional Components waiting for evidence
- *
- * @param entry Functional Component
+ * Tell the Functional Components to finalize any measurement registrations
+ * and to check if all expected measurements were received
 */
- void (*add_component)(imv_attestation_state_t *this, pts_component_t *entry);
+ void (*finalize_components)(imv_attestation_state_t *this);
 /**
- * Returns the number of Functional Component waiting for evidence
- *
- * @return Number of waiting Functional Components
+ * Have the Functional Component measurements been finalized?
 */
- int (*get_component_count)(imv_attestation_state_t *this);
+ bool (*components_finalized)(imv_attestation_state_t *this);
 /**
- * Check for presence of Functional Component and remove and return it
+ * Indicates the types of measurement errors that occurred
 *
- * @param name Name of the requested Functional Component
- * @return Functional Component if found, NULL otherwise
- */
- pts_component_t* (*check_off_component)(imv_attestation_state_t *this,
- pts_comp_func_name_t *name);
-
- /**
- * Tell the Functional Components to finalize any measurement registrations
+ * @return Measurement error flags
 */
- void (*check_off_registrations)(imv_attestation_state_t *this);
+ u_int32_t (*get_measurement_error)(imv_attestation_state_t *this);
 /**
- * Indicates if a file measurement error occurred
+ * Call if a measurement error is encountered
 *
- * @return TRUE in case of measurement error
- */
- bool (*get_measurement_error)(imv_attestation_state_t *this);
-
- /**
- * Call if a file measurement error is encountered
+ * @param error Measurement error type
 */
- void (*set_measurement_error)(imv_attestation_state_t *this);
+ void (*set_measurement_error)(imv_attestation_state_t *this,
+ u_int32_t error);
 };
diff --git a/src/libpts/plugins/imv_attestation/tables.sql b/src/libpts/plugins/imv_attestation/tables.sql
deleted file mode 100644
index 703557a07..000000000
--- a/src/libpts/plugins/imv_attestation/tables.sql
+++ /dev/null
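Review bot: The interface comment for create_component() says it returns "created functional component instance or NULL", but the implementation returns NULL for two distinct reasons — an entry with the same name and qualifier is already registered, and the component is not supported by `pts_components->create()` — and a caller cannot tell them apart, so the @return line should name both cases, and the NULL-on-duplicate behaviour deserves a sentence because the name "create" does not suggest it. get_component() is documented as looking up "a given name", while the implementation also requires the qualifier to match; say so, e.g. `@param name Name and qualifier of the requested Functional Component`. For set_measurement_error(), `@param error` should state that the value is OR-ed into the mask returned by get_measurement_error() rather than replacing it, and finalize_components() should mention that it empties the component list, which is exactly what components_finalized() tests.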
@@ -1,82 +0,0 @@
-/* PTS SQLite database */
-
-DROP TABLE IF EXISTS files;
-CREATE TABLE files (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- type INTEGER NOT NULL,
- path TEXT NOT NULL
-);
-
-DROP TABLE IF EXISTS products;
-CREATE TABLE products (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- name TEXT NOT NULL
-);
-DROP INDEX IF EXISTS products_name;
-CREATE INDEX products_name ON products (
- name
-);
-
-DROP TABLE IF EXISTS product_file;
-CREATE TABLE product_file (
- product INTEGER NOT NULL,
- file INTEGER NOT NULL,
- measurement INTEGER DEFAULT 0,
- metadata INTEGER DEFAULT 0,
- PRIMARY KEY (product, file)
-);
-
-DROP TABLE IF EXISTS file_hashes;
-CREATE TABLE file_hashes (
- file INTEGER NOT NULL,
- directory INTEGER DEFAULT 0,
- product INTEGER NOT NULL,
- algo INTEGER NOT NULL,
- hash BLOB NOT NULL,
- PRIMARY KEY(file, directory, product, algo)
-);
-
-DROP TABLE IF EXISTS keys;
-CREATE TABLE keys (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- keyid BLOB NOT NULL,
- owner TEXT NOT NULL
-);
-DROP INDEX IF EXISTS keys_keyid;
-CREATE INDEX keys_keyid ON keys (
- keyid
-);
-DROP INDEX IF EXISTS keys_owner;
-CREATE INDEX keys_owner ON keys (
- owner
-);
-
-DROP TABLE IF EXISTS components;
-CREATE TABLE components (
- id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
- vendor_id INTEGER NOT NULL,
- name INTEGER NOT NULL,
- qualifier INTEGER DEFAULT 0
-);
-
-
-DROP TABLE IF EXISTS key_component;
-CREATE TABLE key_component (
- key INTEGER NOT NULL,
- component INTEGER NOT NULL,
- depth INTEGER DEFAULT 0,
- seq_no INTEGER DEFAULT 0,
- PRIMARY KEY (key, component)
-);
-
-
-DROP TABLE IF EXISTS component_hashes;
-CREATE TABLE component_hashes (
- component INTEGER NOT NULL,
- key INTEGER NOT NULL,
- seq_no INTEGER NOT NULL,
- pcr INTEGER NOT NULL,
- algo INTEGER NOT NULL,
- hash BLOB NOT NULL,
- PRIMARY KEY(component, key, seq_no, algo)
-);
|