diff options
Diffstat (limited to 'src/libpts')
55 files changed, 1229 insertions, 741 deletions
diff --git a/src/libpts/Makefile.am b/src/libpts/Makefile.am index 8137493ab..edf3f7416 100644 --- a/src/libpts/Makefile.am +++ b/src/libpts/Makefile.am @@ -3,7 +3,11 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libimcv ipseclib_LTLIBRARIES = libpts.la -libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la -ltspi +libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la + +if USE_TROUSERS + libpts_la_LIBADD += -ltspi +endif libpts_la_SOURCES = \ libpts.h libpts.c \ @@ -47,7 +51,7 @@ libpts_la_SOURCES = \ tcg/tcg_pts_attr_file_meas.h tcg/tcg_pts_attr_file_meas.c \ tcg/tcg_pts_attr_req_file_meta.h tcg/tcg_pts_attr_req_file_meta.c \ tcg/tcg_pts_attr_unix_file_meta.h tcg/tcg_pts_attr_unix_file_meta.c - + SUBDIRS = . if USE_IMC_ATTESTATION diff --git a/src/libpts/Makefile.in b/src/libpts/Makefile.in index 0b6451bcc..d275a8b2b 100644 --- a/src/libpts/Makefile.in +++ b/src/libpts/Makefile.in @@ -1,9 +1,9 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. +# Makefile.in generated by automake 1.11.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -34,8 +34,9 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@USE_IMC_ATTESTATION_TRUE@am__append_1 = plugins/imc_attestation -@USE_IMV_ATTESTATION_TRUE@am__append_2 = plugins/imv_attestation +@USE_TROUSERS_TRUE@am__append_1 = -ltspi +@USE_IMC_ATTESTATION_TRUE@am__append_2 = plugins/imc_attestation +@USE_IMV_ATTESTATION_TRUE@am__append_3 = plugins/imv_attestation subdir = src/libpts DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -75,9 +76,17 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } am__installdirs = "$(DESTDIR)$(ipseclibdir)" LTLIBRARIES = $(ipseclib_LTLIBRARIES) -libpts_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la +am__DEPENDENCIES_1 = +libpts_la_DEPENDENCIES = $(top_builddir)/src/libimcv/libimcv.la \ + $(am__DEPENDENCIES_1) am_libpts_la_OBJECTS = libpts.lo pts.lo pts_error.lo pts_pcr.lo \ pts_creds.lo pts_database.lo pts_dh_group.lo pts_file_meas.lo \ pts_file_meta.lo pts_file_type.lo pts_meas_algo.lo \ @@ -172,6 +181,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -199,6 +209,7 @@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ MYSQLCFLAG = @MYSQLCFLAG@ MYSQLCONFIG = @MYSQLCONFIG@ @@ -226,6 +237,7 @@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -238,6 +250,7 @@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ @@ -291,7 +304,6 @@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ maemo_CFLAGS = @maemo_CFLAGS@ maemo_LIBS = @maemo_LIBS@ manager_plugins = @manager_plugins@ @@ -340,7 +352,8 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libimcv ipseclib_LTLIBRARIES = libpts.la -libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la -ltspi +libpts_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \ + $(am__append_1) libpts_la_SOURCES = \ libpts.h libpts.c \ pts/pts.h pts/pts.c \ @@ -384,7 +397,7 @@ libpts_la_SOURCES = \ tcg/tcg_pts_attr_req_file_meta.h tcg/tcg_pts_attr_req_file_meta.c \ tcg/tcg_pts_attr_unix_file_meta.h tcg/tcg_pts_attr_unix_file_meta.c -SUBDIRS = . $(am__append_1) $(am__append_2) +SUBDIRS = . $(am__append_2) $(am__append_3) all: all-recursive .SUFFIXES: @@ -450,7 +463,7 @@ clean-ipseclibLTLIBRARIES: echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done -libpts.la: $(libpts_la_OBJECTS) $(libpts_la_DEPENDENCIES) +libpts.la: $(libpts_la_OBJECTS) $(libpts_la_DEPENDENCIES) $(EXTRA_libpts_la_DEPENDENCIES) $(LINK) -rpath $(ipseclibdir) $(libpts_la_OBJECTS) $(libpts_la_LIBADD) $(LIBS) mostlyclean-compile: @@ -987,10 +1000,15 @@ install-am: all-am installcheck: installcheck-recursive install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi mostlyclean-generic: clean-generic: diff --git a/src/libpts/libpts.c b/src/libpts/libpts.c index 384ee4ed7..95110823c 100644 --- a/src/libpts/libpts.c +++ b/src/libpts/libpts.c @@ -23,7 +23,7 @@ #include "pts/components/ita/ita_comp_tgrub.h" #include <imcv.h> -#include <debug.h> +#include <utils/debug.h> /** * PTS Functional Component manager diff --git a/src/libpts/plugins/imc_attestation/Makefile.in b/src/libpts/plugins/imc_attestation/Makefile.in index 4734379bf..15028d677 100644 --- a/src/libpts/plugins/imc_attestation/Makefile.in +++ b/src/libpts/plugins/imc_attestation/Makefile.in @@ -1,9 +1,9 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. +# Makefile.in generated by automake 1.11.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -73,6 +73,12 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } am__installdirs = "$(DESTDIR)$(imcvdir)" LTLIBRARIES = $(imcv_LTLIBRARIES) imc_attestation_la_DEPENDENCIES = \ @@ -122,6 +128,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -149,6 +156,7 @@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ MYSQLCFLAG = @MYSQLCFLAG@ MYSQLCONFIG = @MYSQLCONFIG@ @@ -176,6 +184,7 @@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -188,6 +197,7 @@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ @@ -241,7 +251,6 @@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ maemo_CFLAGS = @maemo_CFLAGS@ maemo_LIBS = @maemo_LIBS@ manager_plugins = @manager_plugins@ @@ -367,7 +376,7 @@ clean-imcvLTLIBRARIES: echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done -imc-attestation.la: $(imc_attestation_la_OBJECTS) $(imc_attestation_la_DEPENDENCIES) +imc-attestation.la: $(imc_attestation_la_OBJECTS) $(imc_attestation_la_DEPENDENCIES) $(EXTRA_imc_attestation_la_DEPENDENCIES) $(imc_attestation_la_LINK) -rpath $(imcvdir) $(imc_attestation_la_OBJECTS) $(imc_attestation_la_LIBADD) $(LIBS) mostlyclean-compile: @@ -506,10 +515,15 @@ install-am: all-am installcheck: installcheck-am install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi mostlyclean-generic: clean-generic: diff --git a/src/libpts/plugins/imc_attestation/imc_attestation.c b/src/libpts/plugins/imc_attestation/imc_attestation.c index 7cb2a0671..bb327e936 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation.c +++ b/src/libpts/plugins/imc_attestation/imc_attestation.c @@ -17,11 +17,13 @@ #include "imc_attestation_process.h" #include <imc/imc_agent.h> -#include <pa_tnc/pa_tnc_msg.h> +#include <imc/imc_msg.h> #include <ietf/ietf_attr.h> #include <ietf/ietf_attr_pa_tnc_error.h> #include <ietf/ietf_attr_product_info.h> +#include <ietf/ietf_attr_string_version.h> #include <ietf/ietf_attr_assess_result.h> +#include <os_info/os_info.h> #include <libpts.h> @@ -33,15 +35,16 @@ #include <tncif_pa_subtypes.h> #include <pen/pen.h> -#include <debug.h> -#include <utils/linked_list.h> +#include <utils/debug.h> +#include <collections/linked_list.h> /* IMC definitions */ static const char imc_name[] = "Attestation"; -#define IMC_VENDOR_ID PEN_TCG -#define IMC_SUBTYPE PA_SUBTYPE_TCG_PTS +static pen_type_t msg_types[] = { + { PEN_TCG, PA_SUBTYPE_TCG_PTS } +}; static imc_agent_t *imc_attestation; @@ -73,7 +76,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id, { return TNC_RESULT_FATAL; } - imc_attestation = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE, + imc_attestation = imc_agent_create(imc_name, msg_types, countof(msg_types), imc_id, actual_version); if (!imc_attestation) { @@ -81,7 +84,7 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id, } libpts_init(); - + if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1) { DBG1(DBG_IMC, "no common IF-IMC version"); @@ -135,94 +138,35 @@ TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id, TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id, TNC_ConnectionID connection_id) { - imc_state_t *state; - imc_attestation_state_t *attestation_state; - pts_t *pts; - char *platform_info; - TNC_Result result = TNC_RESULT_SUCCESS; - if (!imc_attestation) { DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); return TNC_RESULT_NOT_INITIALIZED; } - /* get current IMC state */ - if (!imc_attestation->get_state(imc_attestation, connection_id, &state)) - { - return TNC_RESULT_FATAL; - } - attestation_state = (imc_attestation_state_t*)state; - pts = attestation_state->get_pts(attestation_state); - - platform_info = pts->get_platform_info(pts); - if (platform_info) - { - linked_list_t *attr_list; - pa_tnc_attr_t *attr; - - attr_list = linked_list_create(); - attr = ietf_attr_product_info_create(0, 0, platform_info); - attr_list->insert_last(attr_list, attr); - result = imc_attestation->send_message(imc_attestation, connection_id, - FALSE, 0, TNC_IMVID_ANY, attr_list); - attr_list->destroy(attr_list); - } - - return result; + return TNC_RESULT_SUCCESS; } -static TNC_Result receive_message(TNC_IMCID imc_id, - TNC_ConnectionID connection_id, - TNC_UInt32 msg_flags, - chunk_t msg, - TNC_VendorID msg_vid, - TNC_MessageSubtype msg_subtype, - TNC_UInt32 src_imv_id, - TNC_UInt32 dst_imc_id) +static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) { - pa_tnc_msg_t *pa_tnc_msg; - pa_tnc_attr_t *attr; - pen_type_t type; - linked_list_t *attr_list; - imc_state_t *state; + imc_msg_t *out_msg; imc_attestation_state_t *attestation_state; enumerator_t *enumerator; + pa_tnc_attr_t *attr; + pen_type_t type; TNC_Result result; - TNC_UInt32 target_imc_id; - - if (!imc_attestation) - { - DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); - return TNC_RESULT_NOT_INITIALIZED; - } - - /* get current IMC state */ - if (!imc_attestation->get_state(imc_attestation, connection_id, &state)) - { - return TNC_RESULT_FATAL; - } - attestation_state = (imc_attestation_state_t*)state; - - /* parse received PA-TNC message and automatically handle any errors */ - result = imc_attestation->receive_message(imc_attestation, state, msg, - msg_vid, msg_subtype, src_imv_id, dst_imc_id, &pa_tnc_msg); + bool fatal_error = FALSE; - /* no parsed PA-TNC attributes available if an error occurred */ - if (!pa_tnc_msg) + /* parse received PA-TNC message and handle local and remote errors */ + result = in_msg->receive(in_msg, &fatal_error); + if (result != TNC_RESULT_SUCCESS) { return result; } - target_imc_id = (dst_imc_id == TNC_IMCID_ANY) ? imc_id : dst_imc_id; - - /* preprocess any IETF standard error attributes */ - result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ? - TNC_RESULT_FATAL : TNC_RESULT_SUCCESS; - - attr_list = linked_list_create(); + out_msg = imc_msg_create_as_reply(in_msg); /* analyze PA-TNC attributes */ - enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg); + enumerator = in_msg->create_attribute_enumerator(in_msg); while (enumerator->enumerate(enumerator, &attr)) { type = attr->get_type(attr); @@ -249,18 +193,12 @@ static TNC_Result receive_message(TNC_IMCID imc_id, result = TNC_RESULT_FATAL; } } - else if (type.type == IETF_ATTR_ASSESSMENT_RESULT) - { - ietf_attr_assess_result_t *ietf_attr; - - ietf_attr = (ietf_attr_assess_result_t*)attr; - state->set_result(state, target_imc_id, - ietf_attr->get_result(ietf_attr)); - } } else if (type.vendor_id == PEN_TCG) { - if (!imc_attestation_process(attr, attr_list, attestation_state, + attestation_state = (imc_attestation_state_t*)state; + + if (!imc_attestation_process(attr, out_msg, attestation_state, supported_algorithms, supported_dh_groups)) { result = TNC_RESULT_FATAL; @@ -269,14 +207,13 @@ static TNC_Result receive_message(TNC_IMCID imc_id, } } enumerator->destroy(enumerator); - pa_tnc_msg->destroy(pa_tnc_msg); - if (result == TNC_RESULT_SUCCESS && attr_list->get_count(attr_list)) + if (result == TNC_RESULT_SUCCESS) { - result = imc_attestation->send_message(imc_attestation, connection_id, - FALSE, 0, TNC_IMVID_ANY, attr_list); + /* send PA-TNC message with the excl flag set */ + result = out_msg->send(out_msg, TRUE); } - attr_list->destroy(attr_list); + out_msg->destroy(out_msg); return result; } @@ -290,14 +227,26 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id, TNC_UInt32 msg_len, TNC_MessageType msg_type) { - TNC_VendorID msg_vid; - TNC_MessageSubtype msg_subtype; + imc_state_t *state; + imc_msg_t *in_msg; + TNC_Result result; + + if (!imc_attestation) + { + DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); + return TNC_RESULT_NOT_INITIALIZED; + } + if (!imc_attestation->get_state(imc_attestation, connection_id, &state)) + { + return TNC_RESULT_FATAL; + } - msg_vid = msg_type >> 8; - msg_subtype = msg_type & TNC_SUBTYPE_ANY; + in_msg = imc_msg_create_from_data(imc_attestation, state, connection_id, + msg_type, chunk_create(msg, msg_len)); + result = receive_message(state, in_msg); + in_msg->destroy(in_msg); - return receive_message(imc_id, connection_id, 0, chunk_create(msg, msg_len), - msg_vid, msg_subtype, 0, TNC_IMCID_ANY); + return result; } /** @@ -313,9 +262,26 @@ TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id, TNC_UInt32 src_imv_id, TNC_UInt32 dst_imc_id) { - return receive_message(imc_id, connection_id, msg_flags, - chunk_create(msg, msg_len), msg_vid, msg_subtype, - src_imv_id, dst_imc_id); + imc_state_t *state; + imc_msg_t *in_msg; + TNC_Result result; + + if (!imc_attestation) + { + DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name); + return TNC_RESULT_NOT_INITIALIZED; + } + if (!imc_attestation->get_state(imc_attestation, connection_id, &state)) + { + return TNC_RESULT_FATAL; + } + in_msg = imc_msg_create_from_long_data(imc_attestation, state, connection_id, + src_imv_id, dst_imc_id, msg_vid, msg_subtype, + chunk_create(msg, msg_len)); + result =receive_message(state, in_msg); + in_msg->destroy(in_msg); + + return result; } /** diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.c b/src/libpts/plugins/imc_attestation/imc_attestation_process.c index bd2fa649d..88d24dd88 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation_process.c +++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.c @@ -43,12 +43,12 @@ #include <tcg/tcg_pts_attr_req_file_meta.h> #include <tcg/tcg_pts_attr_unix_file_meta.h> -#include <debug.h> +#include <utils/debug.h> #include <utils/lexparser.h> #define DEFAULT_NONCE_LEN 20 -bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, +bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg, imc_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups) @@ -76,7 +76,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, /* Send PTS Protocol Capabilities attribute */ attr = tcg_pts_attr_proto_caps_create(imc_caps & imv_caps, FALSE); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } case TCG_PTS_MEAS_ALGO: @@ -91,14 +91,14 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (selected_algorithm == PTS_MEAS_ALGO_NONE) { attr = pts_hash_alg_error_create(supported_algorithms); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } /* Send Measurement Algorithm Selection attribute */ pts->set_meas_algorithm(pts, selected_algorithm); attr = tcg_pts_attr_meas_algo_create(selected_algorithm, TRUE); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } case TCG_PTS_DH_NONCE_PARAMS_REQ: @@ -118,7 +118,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, (min_nonce_len > 0 && nonce_len < min_nonce_len)) { attr = pts_dh_nonce_error_create(nonce_len, PTS_MAX_NONCE_LEN); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } @@ -128,7 +128,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (selected_dh_group == PTS_DH_GROUP_NONE) { attr = pts_dh_group_error_create(supported_dh_groups); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } @@ -142,7 +142,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, /* Send DH Nonce Parameters Response attribute */ attr = tcg_pts_attr_dh_nonce_params_resp_create(selected_dh_group, supported_algorithms, responder_nonce, responder_value); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } case TCG_PTS_DH_NONCE_FINISH: @@ -173,7 +173,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, "have differing lengths"); return FALSE; } - + pts->set_peer_public_value(pts, initiator_value, initiator_nonce); if (!pts->calculate_secret(pts)) { @@ -190,13 +190,13 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, { attr_info = attr->get_value(attr); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } /* Send TPM Version Info attribute */ attr = tcg_pts_attr_tpm_version_info_create(tpm_version_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } case TCG_PTS_GET_AIK: @@ -212,7 +212,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, /* Send AIK attribute */ attr = tcg_pts_attr_aik_create(aik); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } case TCG_PTS_REQ_FILE_MEAS: @@ -237,7 +237,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, { error_code = pen_type_create(PEN_TCG, pts_error); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } else if (!valid_path) @@ -250,7 +250,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, error_code = pen_type_create(PEN_TCG, TCG_PTS_INVALID_DELIMITER); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } @@ -268,7 +268,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, } attr = tcg_pts_attr_file_meas_create(measurements); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } case TCG_PTS_REQ_FILE_META: @@ -291,7 +291,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, { error_code = pen_type_create(PEN_TCG, pts_error); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } else if (!valid_path) @@ -303,7 +303,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, error_code = pen_type_create(PEN_TCG, TCG_PTS_INVALID_DELIMITER); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } /* Get File Metadata and send them to PTS-IMV */ @@ -319,8 +319,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, } attr = tcg_pts_attr_unix_file_meta_create(metadata); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); - + msg->add_attribute(msg, attr); break; } case TCG_PTS_REQ_FUNC_COMP_EVID: @@ -335,7 +334,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, u_int8_t flags; status_t status; enumerator_t *e; - + attr_info = attr->get_value(attr); attr_cast = (tcg_pts_attr_req_func_comp_evid_t*)attr; @@ -351,9 +350,9 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (flags & PTS_REQ_FUNC_COMP_EVID_TTC) { error_code = pen_type_create(PEN_TCG, - TCG_PTS_UNABLE_DET_TTC); + TCG_PTS_UNABLE_DET_TTC); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } if (flags & PTS_REQ_FUNC_COMP_EVID_VER && @@ -362,7 +361,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, error_code = pen_type_create(PEN_TCG, TCG_PTS_UNABLE_LOCAL_VAL); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } if (flags & PTS_REQ_FUNC_COMP_EVID_CURR && @@ -371,7 +370,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, error_code = pen_type_create(PEN_TCG, TCG_PTS_UNABLE_CUR_EVID); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } if (flags & PTS_REQ_FUNC_COMP_EVID_PCR && @@ -380,7 +379,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, error_code = pen_type_create(PEN_TCG, TCG_PTS_UNABLE_DET_PCR); attr = ietf_attr_pa_tnc_error_create(error_code, attr_info); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } if (depth > 0) @@ -425,7 +424,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, while (attestation_state->next_evidence(attestation_state, &evid)) { attr = tcg_pts_attr_simple_comp_evid_create(evid); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); } use_quote2 = lib->settings->get_bool(lib->settings, @@ -443,7 +442,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, attr = tcg_pts_attr_simple_evid_final_create(flags, comp_hash_algorithm, pcr_composite, quote_sig); - attr_list->insert_last(attr_list, attr); + msg->add_attribute(msg, attr); break; } /* TODO: Not implemented yet */ diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_process.h b/src/libpts/plugins/imc_attestation/imc_attestation_process.h index b6dca1f56..5ada104fa 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation_process.h +++ b/src/libpts/plugins/imc_attestation/imc_attestation_process.h @@ -26,6 +26,7 @@ #include <library.h> +#include <imc/imc_msg.h> #include <pa_tnc/pa_tnc_attr.h> #include <pts/pts_dh_group.h> @@ -35,13 +36,13 @@ * Process a TCG PTS attribute * * @param attr PA-TNC attribute to be processed - * @param attr_list list with PA-TNC error attributes + * @param msg outbound PA-TNC message to be assembled * @param attestation_state attestation state of a given connection * @param supported_algorithms supported PTS measurement algorithms * @param supported_dh_groups supported DH groups * @return TRUE if successful */ -bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, +bool imc_attestation_process(pa_tnc_attr_t *attr, imc_msg_t *msg, imc_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups); diff --git a/src/libpts/plugins/imc_attestation/imc_attestation_state.c b/src/libpts/plugins/imc_attestation/imc_attestation_state.c index 8ebabafa2..4fcbdfa8a 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation_state.c +++ b/src/libpts/plugins/imc_attestation/imc_attestation_state.c @@ -19,8 +19,8 @@ #include <tncif_names.h> -#include <utils/linked_list.h> -#include <debug.h> +#include <collections/linked_list.h> +#include <utils/debug.h> typedef struct private_imc_attestation_state_t private_imc_attestation_state_t; typedef struct func_comp_t func_comp_t; @@ -129,8 +129,6 @@ METHOD(imc_state_t, set_result, void, private_imc_attestation_state_t *this, TNC_IMCID id, TNC_IMV_Evaluation_Result result) { - DBG1(DBG_IMC, "set assessment result for IMC %u to '%N'", - id, TNC_IMV_Evaluation_Result_names, result); this->result = result; } @@ -212,7 +210,6 @@ METHOD(imc_attestation_state_t, next_evidence, bool, imc_state_t *imc_attestation_state_create(TNC_ConnectionID connection_id) { private_imc_attestation_state_t *this; - char *platform_info; INIT(this, .public = { @@ -241,13 +238,6 @@ imc_state_t *imc_attestation_state_create(TNC_ConnectionID connection_id) .list = linked_list_create(), ); - platform_info = lib->settings->get_str(lib->settings, - "libimcv.plugins.imc-attestation.platform_info", NULL); - if (platform_info) - { - this->pts->set_platform_info(this->pts, platform_info); - } - return &this->public.interface; } diff --git a/src/libpts/plugins/imv_attestation/Makefile.in b/src/libpts/plugins/imv_attestation/Makefile.in index afb4abed7..59ef5311e 100644 --- a/src/libpts/plugins/imv_attestation/Makefile.in +++ b/src/libpts/plugins/imv_attestation/Makefile.in @@ -1,9 +1,9 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. +# Makefile.in generated by automake 1.11.3 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software +# Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -75,6 +75,12 @@ am__nobase_list = $(am__nobase_strip_setup); \ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } am__installdirs = "$(DESTDIR)$(imcvdir)" "$(DESTDIR)$(ipsecdir)" LTLIBRARIES = $(imcv_LTLIBRARIES) imv_attestation_la_DEPENDENCIES = \ @@ -132,6 +138,7 @@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DLLIB = @DLLIB@ +DLLTOOL = @DLLTOOL@ DSYMUTIL = @DSYMUTIL@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ @@ -159,6 +166,7 @@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ MYSQLCFLAG = @MYSQLCFLAG@ MYSQLCONFIG = @MYSQLCONFIG@ @@ -186,6 +194,7 @@ RANLIB = @RANLIB@ RTLIB = @RTLIB@ RUBY = @RUBY@ RUBYINCLUDE = @RUBYINCLUDE@ +RUBYLIB = @RUBYLIB@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ @@ -198,6 +207,7 @@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ ac_ct_CC = @ac_ct_CC@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ am__include = @am__include@ @@ -251,7 +261,6 @@ libexecdir = @libexecdir@ linux_headers = @linux_headers@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ maemo_CFLAGS = @maemo_CFLAGS@ maemo_LIBS = @maemo_LIBS@ manager_plugins = @manager_plugins@ @@ -393,7 +402,7 @@ clean-imcvLTLIBRARIES: echo "rm -f \"$${dir}/so_locations\""; \ rm -f "$${dir}/so_locations"; \ done -imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENCIES) +imv-attestation.la: $(imv_attestation_la_OBJECTS) $(imv_attestation_la_DEPENDENCIES) $(EXTRA_imv_attestation_la_DEPENDENCIES) $(imv_attestation_la_LINK) -rpath $(imcvdir) $(imv_attestation_la_OBJECTS) $(imv_attestation_la_LIBADD) $(LIBS) install-ipsecPROGRAMS: $(ipsec_PROGRAMS) @$(NORMAL_INSTALL) @@ -438,7 +447,7 @@ clean-ipsecPROGRAMS: list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ echo " rm -f" $$list; \ rm -f $$list -attest$(EXEEXT): $(attest_OBJECTS) $(attest_DEPENDENCIES) +attest$(EXEEXT): $(attest_OBJECTS) $(attest_DEPENDENCIES) $(EXTRA_attest_DEPENDENCIES) @rm -f attest$(EXEEXT) $(LINK) $(attest_OBJECTS) $(attest_LDADD) $(LIBS) @@ -582,10 +591,15 @@ install-am: all-am installcheck: installcheck-am install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi mostlyclean-generic: clean-generic: diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c index a202d128f..1cdacaeeb 100644 --- a/src/libpts/plugins/imv_attestation/attest.c +++ b/src/libpts/plugins/imv_attestation/attest.c @@ -22,7 +22,7 @@ #include <syslog.h> #include <library.h> -#include <debug.h> +#include <utils/debug.h> #include <imcv.h> #include <libpts.h> @@ -99,9 +99,11 @@ static void do_args(int argc, char *argv[]) OP_USAGE, OP_KEYS, OP_COMPONENTS, + OP_DEVICES, OP_FILES, OP_HASHES, OP_MEASUREMENTS, + OP_PACKAGES, OP_PRODUCTS, OP_ADD, OP_DEL, @@ -117,8 +119,10 @@ static void do_args(int argc, char *argv[]) struct option long_opts[] = { { "help", no_argument, NULL, 'h' }, { "components", no_argument, NULL, 'c' }, + { "devices", no_argument, NULL, 'e' }, { "files", no_argument, NULL, 'f' }, { "keys", no_argument, NULL, 'k' }, + { "packages", no_argument, NULL, 'g' }, { "products", no_argument, NULL, 'p' }, { "hashes", no_argument, NULL, 'H' }, { "measurements", no_argument, NULL, 'm' }, @@ -126,12 +130,14 @@ static void do_args(int argc, char *argv[]) { "delete", no_argument, NULL, 'd' }, { "del", no_argument, NULL, 'd' }, { "aik", required_argument, NULL, 'A' }, + { "blacklist", no_argument, NULL, 'B' }, { "component", required_argument, NULL, 'C' }, { "comp", required_argument, NULL, 'C' }, { "directory", required_argument, NULL, 'D' }, { "dir", required_argument, NULL, 'D' }, { "file", required_argument, NULL, 'F' }, { "sha1-ima", no_argument, NULL, 'I' }, + { "package", required_argument, NULL, 'G' }, { "key", required_argument, NULL, 'K' }, { "owner", required_argument, NULL, 'O' }, { "product", required_argument, NULL, 'P' }, @@ -139,6 +145,9 @@ static void do_args(int argc, char *argv[]) { "rel", no_argument, NULL, 'R' }, { "sequence", required_argument, NULL, 'S' }, { "seq", required_argument, NULL, 'S' }, + { "utc", no_argument, NULL, 'U' }, + { "version", required_argument, NULL, 'V' }, + { "security", no_argument, NULL, 'Y' }, { "sha1", no_argument, NULL, '1' }, { "sha256", no_argument, NULL, '2' }, { "sha384", no_argument, NULL, '3' }, @@ -147,6 +156,7 @@ static void do_args(int argc, char *argv[]) { "pid", required_argument, NULL, '6' }, { "cid", required_argument, NULL, '7' }, { "kid", required_argument, NULL, '8' }, + { "gid", required_argument, NULL, '9' }, { 0,0,0,0 } }; @@ -161,9 +171,15 @@ static void do_args(int argc, char *argv[]) case 'c': op = OP_COMPONENTS; continue; + case 'e': + op = OP_DEVICES; + continue; case 'f': op = OP_FILES; continue; + case 'g': + op = OP_PACKAGES; + continue; case 'k': op = OP_KEYS; continue; @@ -219,6 +235,9 @@ static void do_args(int argc, char *argv[]) } continue; } + case 'B': + attest->set_security(attest, OS_PACKAGE_STATE_BLACKLIST); + continue; case 'C': if (!attest->set_component(attest, optarg, op == OP_ADD)) { @@ -237,6 +256,12 @@ static void do_args(int argc, char *argv[]) exit(EXIT_FAILURE); } continue; + case 'G': + if (!attest->set_package(attest, optarg, op == OP_ADD)) + { + exit(EXIT_FAILURE); + } + continue; case 'I': attest->set_algo(attest, PTS_MEAS_ALGO_SHA1_IMA); continue; @@ -266,6 +291,18 @@ static void do_args(int argc, char *argv[]) case 'S': attest->set_sequence(attest, atoi(optarg)); continue; + case 'U': + attest->set_utc(attest); + continue; + case 'V': + if (!attest->set_version(attest, optarg)) + { + exit(EXIT_FAILURE); + } + continue; + case 'Y': + attest->set_security(attest, OS_PACKAGE_STATE_SECURITY); + continue; case '1': attest->set_algo(attest, PTS_MEAS_ALGO_SHA1); continue; @@ -305,6 +342,12 @@ static void do_args(int argc, char *argv[]) exit(EXIT_FAILURE); } continue; + case '9': + if (!attest->set_gid(attest, atoi(optarg))) + { + exit(EXIT_FAILURE); + } + continue; } break; } @@ -314,6 +357,9 @@ static void do_args(int argc, char *argv[]) case OP_USAGE: usage(); break; + case OP_PACKAGES: + attest->list_packages(attest); + break; case OP_PRODUCTS: attest->list_products(attest); break; @@ -323,6 +369,9 @@ static void do_args(int argc, char *argv[]) case OP_COMPONENTS: attest->list_components(attest); break; + case OP_DEVICES: + attest->list_devices(attest); + break; case OP_FILES: attest->list_files(attest); break; diff --git a/src/libpts/plugins/imv_attestation/attest_db.c b/src/libpts/plugins/imv_attestation/attest_db.c index 55afbf701..91e9766d0 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.c +++ b/src/libpts/plugins/imv_attestation/attest_db.c @@ -21,6 +21,7 @@ #include "pts/components/pts_comp_func_name.h" #include <libgen.h> +#include <time.h> #define IMA_MAX_NAME_LEN 255 @@ -97,6 +98,21 @@ struct private_attest_db_t { bool key_set; /** + * Software package to be queried + */ + char *package; + + /** + * Primary key of software package to be queried + */ + int gid; + + /** + * TRUE if package has been set + */ + bool package_set; + + /** * Software product to be queried */ char *product; @@ -112,11 +128,31 @@ struct private_attest_db_t { bool product_set; /** + * Software package version to be queried + */ + char *version; + + /** + * TRUE if version has been set + */ + bool version_set; + + /** * TRUE if relative filenames are to be used */ bool relative; /** + * TRUE if dates are to be displayed in UTC + */ + bool utc; + + /** + * Package security state + */ + os_package_state_t security; + + /** * Sequence number for ordering entries */ int seq_no; @@ -588,6 +624,96 @@ METHOD(attest_db_t, set_pid, bool, return this->product_set; } +METHOD(attest_db_t, set_package, bool, + private_attest_db_t *this, char *package, bool create) +{ + enumerator_t *e; + + if (this->package_set) + { + printf("package has already been set\n"); + return FALSE; + } + this->package = strdup(package); + + e = this->db->query(this->db, "SELECT id FROM packages WHERE name = ?", + DB_TEXT, package, DB_INT); + if (e) + { + if (e->enumerate(e, &this->gid)) + { + this->package_set = TRUE; + } + e->destroy(e); + } + if (this->package_set) + { + return TRUE; + } + + if (!create) + { + printf("package '%s' not found in database\n", package); + return FALSE; + } + + /* Add a new database entry */ + this->package_set = this->db->execute(this->db, &this->gid, + "INSERT INTO packages (name) VALUES (?)", + DB_TEXT, package) == 1; + + printf("package '%s' %sinserted into database\n", package, + this->package_set ? "" : "could not be "); + + return this->package_set; +} + +METHOD(attest_db_t, set_gid, bool, + private_attest_db_t *this, int gid) +{ + enumerator_t *e; + char *package; + + if (this->package_set) + { + printf("package has already been set\n"); + return FALSE; + } + this->gid = gid; + + e = this->db->query(this->db, "SELECT name FROM packages WHERE id = ?", + DB_UINT, gid, DB_TEXT); + if (e) + { + if (e->enumerate(e, &package)) + { + this->package = strdup(package); + this->package_set = TRUE; + } + else + { + printf("no package found with gid %d in database\n", gid); + } + e->destroy(e); + } + return this->package_set; +} + +METHOD(attest_db_t, set_version, bool, + private_attest_db_t *this, char *version) +{ + if (this->version_set) + { + printf("version has already been set\n"); + return FALSE; + } + this->version = strdup(version); + this->version_set = TRUE; + + return TRUE; +} + + METHOD(attest_db_t, set_algo, void, private_attest_db_t *this, pts_meas_algorithms_t algo) { @@ -600,6 +726,12 @@ METHOD(attest_db_t, set_relative, void, this->relative = TRUE; } +METHOD(attest_db_t, set_security, void, + private_attest_db_t *this, os_package_state_t security) +{ + this->security = security; +} + METHOD(attest_db_t, set_sequence, void, private_attest_db_t *this, int seq_no) { @@ -613,6 +745,12 @@ METHOD(attest_db_t, set_owner, void, this->owner = strdup(owner); } +METHOD(attest_db_t, set_utc, void, + private_attest_db_t *this) +{ + this->utc = TRUE; +} + METHOD(attest_db_t, list_components, void, private_attest_db_t *this) { @@ -663,6 +801,46 @@ METHOD(attest_db_t, list_components, void, } } +METHOD(attest_db_t, list_devices, void, + private_attest_db_t *this) +{ + enumerator_t *e; + chunk_t value; + char *product; + time_t timestamp; + int id, last_id = 0, device_count = 0; + int count, count_update, count_blacklist; + u_int tstamp, flags = 0; + + e = this->db->query(this->db, + "SELECT d.id, d.value, i.time, i.count, i.count_update, " + "i.count_blacklist, i.flags, p.name FROM devices AS d " + "JOIN device_infos AS i ON d.id = i.device " + "JOIN products AS p ON p.id = i.product " + "ORDER BY d.value, i.time DESC", + DB_INT, DB_BLOB, DB_UINT, DB_INT, DB_INT, DB_INT, DB_UINT, DB_TEXT); + + if (e) + { + while (e->enumerate(e, &id, &value, &tstamp, &count, &count_update, + &count_blacklist, &flags, &product)) + { + if (id != last_id) + { + printf("%4d: %.*s\n", id, (int)value.len, value.ptr); + device_count++; + last_id = id; + } + timestamp = tstamp; + printf(" %T, %4d, %3d, %3d, %1u, '%s'\n", ×tamp, this->utc, + count, count_update, count_blacklist, flags, product); + } + e->destroy(e); + printf("%d device%s found\n", device_count, + (device_count == 1) ? "" : "s"); + } +} + METHOD(attest_db_t, list_keys, void, private_attest_db_t *this) { @@ -765,6 +943,70 @@ METHOD(attest_db_t, list_files, void, printf("\n"); } +METHOD(attest_db_t, list_packages, void, + private_attest_db_t *this) +{ + enumerator_t *e; + char *package, *version; + os_package_state_t security; + int gid, gid_old = 0, spaces, count = 0; + time_t t; + + if (this->pid) + { + e = this->db->query(this->db, + "SELECT p.id, p.name, v.release, v.security, v.time " + "FROM packages AS p JOIN versions AS v ON v.package = p.id " + "WHERE v.product = ? ORDER BY p.name, v.release", + DB_INT, this->pid, DB_INT, DB_TEXT, DB_TEXT, DB_INT, DB_INT); + if (e) + { + while (e->enumerate(e, &gid, &package, &version, &security, &t)) + { + if (gid != gid_old) + { + printf("%5d: %s,", gid, package); + gid_old = gid; + } + else + { + spaces = 8 + strlen(package); + while (spaces--) + { + printf(" "); + } + } + printf(" %T (%s)%N\n", &t, this->utc, version, + os_package_state_names, security); + count++; + } + e->destroy(e); + } + } + else + { + e = this->db->query(this->db, "SELECT id, name FROM packages " + "ORDER BY name", + DB_INT, DB_TEXT); + if (e) + { + while (e->enumerate(e, &gid, &package)) + { + printf("%4d: %s\n", gid, package); + count++; + } + e->destroy(e); + } + } + + printf("%d package%s found", count, (count == 1) ? "" : "s"); + if (this->product_set) + { + printf(" for product '%s'", this->product); + } + printf("\n"); +} + METHOD(attest_db_t, list_products, void, private_attest_db_t *this) { @@ -858,7 +1100,7 @@ METHOD(attest_db_t, list_hashes, void, dir = strdup(""); - if (this->pid && this->fid) + if (this->pid && this->fid & this->did) { e = this->db->query(this->db, "SELECT hash FROM file_hashes " @@ -885,6 +1127,32 @@ METHOD(attest_db_t, list_hashes, void, (count == 1) ? "" : "s", this->product); } } + else if (this->pid && this->fid) + { + e = this->db->query(this->db, + "SELECT f.path, fh.hash FROM file_hashes AS fh " + "JOIN files AS f ON f.id = fh.file " + "WHERE algo = ? AND file = ? AND product = ?", + DB_INT, this->algo, DB_INT, this->fid, DB_INT, this->pid, + DB_TEXT, DB_BLOB); + if (e) + { + free(dir); + while (e->enumerate(e, &dir, &hash)) + { + printf("%4d: %s%s%s\n", this->fid, dir, + slash(dir, this->file) ? "/" : "", this->file); + printf(" %#B\n", &hash); + count++; + } + e->destroy(e); + + printf("%d %N value%s found for product '%s'\n", count, + pts_meas_algorithm_names, this->algo, + (count == 1) ? "" : "s", this->product); + dir = NULL; + } + } else if (this->pid) { e = this->db->query(this->db, @@ -1089,7 +1357,7 @@ METHOD(attest_db_t, list_measurements, void, bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo, chunk_t measurement, int fid, int did, bool ima, - int *hashes_added) + int *hashes_added, int *hashes_updated) { enumerator_t *e; chunk_t hash; @@ -1108,8 +1376,22 @@ bool insert_file_hash(private_attest_db_t *this, pts_meas_algorithms_t algo, } if (e->enumerate(e, &hash)) { - label = chunk_equals(measurement, hash) ? - "exists and equals" : "exists and differs"; + if (chunk_equals(measurement, hash)) + { + label = "exists and equals"; + } + else + { + if (this->db->execute(this->db, NULL, + "UPDATE file_hashes SET hash = ? WHERE algo = ? " + "AND file = ? AND directory = ? AND product = ? and key = 0", + DB_BLOB, measurement, DB_INT, algo, DB_UINT, fid, DB_UINT, did, + DB_UINT, this->pid) == 1) + { + label = "updated"; + (*hashes_updated)++; + } + } } else { @@ -1161,7 +1443,8 @@ METHOD(attest_db_t, add, bool, hasher_t *hasher = NULL; bool ima = FALSE; int fid, did; - int files_added = 0, hashes_added = 0, ima_hashes_added = 0; + int files_added = 0, hashes_added = 0, hashes_updated = 0; + int ima_hashes_added = 0, ima_hashes_updated = 0; enumerator_t *enumerator, *e; if (this->algo == PTS_MEAS_ALGO_SHA1_IMA) @@ -1225,7 +1508,8 @@ METHOD(attest_db_t, add, bool, /* compute file measurement hash */ if (!insert_file_hash(this, this->algo, measurement, - fid, did, FALSE, &hashes_added)) + fid, did, FALSE, + &hashes_added, &hashes_updated)) { break; } @@ -1246,25 +1530,49 @@ METHOD(attest_db_t, add, bool, break; } if (!insert_file_hash(this, PTS_MEAS_ALGO_SHA1_IMA, measurement, - fid, did, TRUE, &ima_hashes_added)) + fid, did, TRUE, + &ima_hashes_added, &ima_hashes_updated)) { break; } } enumerator->destroy(enumerator); - printf("%d measurements, added %d new files, %d new file hashes", - measurements->get_file_count(measurements), - files_added, hashes_added); + printf("%d measurements, added %d new files, %d file hashes", + measurements->get_file_count(measurements), files_added, + hashes_added); if (ima) { - printf(" , %d new ima hashes", ima_hashes_added); + printf(", %d ima hashes", ima_hashes_added); hasher->destroy(hasher); } + printf(", updated %d file hashes", hashes_updated); + if (ima) + { + printf(", %d ima hashes", ima_hashes_updated); + } printf("\n"); measurements->destroy(measurements); success = TRUE; } + + /* insert package version */ + if (this->version_set && this->gid && this->pid) + { + time_t t = time(NULL); + + success = this->db->execute(this->db, NULL, + "INSERT INTO versions " + "(package, product, release, security, time) " + "VALUES (?, ?, ?, ?, ?)", + DB_UINT, this->gid, DB_UINT, this->pid, DB_TEXT, + this->version, DB_UINT, this->security, DB_INT, t) == 1; + + printf("'%s' package %s (%s)%N %sinserted into database\n", + this->product, this->package, this->version, + os_package_state_names, this->security, + success ? "" : "could not be "); + } return success; } @@ -1384,7 +1692,9 @@ METHOD(attest_db_t, destroy, void, { DESTROY_IF(this->db); DESTROY_IF(this->cfn); + free(this->package); free(this->product); + free(this->version); free(this->file); free(this->dir); free(this->owner); @@ -1409,15 +1719,22 @@ attest_db_t *attest_db_create(char *uri) .set_fid = _set_fid, .set_key = _set_key, .set_kid = _set_kid, + .set_package = _set_package, + .set_gid = _set_gid, .set_product = _set_product, .set_pid = _set_pid, + .set_version = _set_version, .set_algo = _set_algo, .set_relative = _set_relative, + .set_security = _set_security, .set_sequence = _set_sequence, .set_owner = _set_owner, + .set_utc = _set_utc, + .list_packages = _list_packages, .list_products = _list_products, .list_files = _list_files, .list_components = _list_components, + .list_devices = _list_devices, .list_keys = _list_keys, .list_hashes = _list_hashes, .list_measurements = _list_measurements, diff --git a/src/libpts/plugins/imv_attestation/attest_db.h b/src/libpts/plugins/imv_attestation/attest_db.h index e32a368d8..e2297d0c4 100644 --- a/src/libpts/plugins/imv_attestation/attest_db.h +++ b/src/libpts/plugins/imv_attestation/attest_db.h @@ -23,7 +23,7 @@ #define ATTEST_DB_H_ #include <pts/pts_meas_algo.h> - +#include <os_info/os_info.h> #include <library.h> typedef struct attest_db_t attest_db_t; @@ -102,6 +102,23 @@ struct attest_db_t { bool (*set_kid)(attest_db_t *this, int kid); /** + * Set software package to be queried + * + * @param product software package + * @param create if TRUE create database entry if it doesn't exist + * @return TRUE if successful + */ + bool (*set_package)(attest_db_t *this, char *package, bool create); + + /** + * Set primary key of the software package to be queried + * + * @param gid primary key of software package + * @return TRUE if successful + */ + bool (*set_gid)(attest_db_t *this, int gid); + + /** * Set software product to be queried * * @param product software product @@ -119,6 +136,14 @@ struct attest_db_t { bool (*set_pid)(attest_db_t *this, int pid); /** + * Set software package version to be queried + * + * @param version software package version + * @return TRUE if successful + */ + bool (*set_version)(attest_db_t *this, char *version); + + /** * Set measurement hash algorithm * * @param algo hash algorithm @@ -136,6 +161,11 @@ struct attest_db_t { void (*set_relative)(attest_db_t *this); /** + * Set the package security state + */ + void (*set_security)(attest_db_t *this, os_package_state_t security); + + /** * Set the sequence number */ void (*set_sequence)(attest_db_t *this, int seq_no); @@ -149,6 +179,16 @@ struct attest_db_t { void (*set_owner)(attest_db_t *this, char *owner); /** + * Display all dates in UTC + */ + void (*set_utc)(attest_db_t *this); + + /** + * List all packages stored in the database + */ + void (*list_packages)(attest_db_t *this); + + /** * List all products stored in the database */ void (*list_products)(attest_db_t *this); @@ -164,6 +204,11 @@ struct attest_db_t { void (*list_components)(attest_db_t *this); /** + * List all devices stored in the database + */ + void (*list_devices)(attest_db_t *this); + + /** * List all AIKs stored in the database */ void (*list_keys)(attest_db_t *this); diff --git a/src/libpts/plugins/imv_attestation/attest_usage.c b/src/libpts/plugins/imv_attestation/attest_usage.c index f7040f7ad..324fcafc3 100644 --- a/src/libpts/plugins/imv_attestation/attest_usage.c +++ b/src/libpts/plugins/imv_attestation/attest_usage.c @@ -24,16 +24,19 @@ void usage(void) { printf("\ Usage:\n\ - ipsec attest --files|--products|--keys|--hashes [options]\n\ + ipsec attest --components|--devices|--files|--hashes|--keys [options]\n\ \n\ - ipsec attest --components|-keys|--measurements|--add|--del [options]\n\ + ipsec attest --measurements|--packages|--products|--add|--del [options]\n\ \n\ - ipsec attest --files [--product <name>|--pid <id>]\n\ - Show a list of files with a software product name or\n\ + ipsec attest --components [--key <digest>|--kid <id>]\n\ + Show a list of components with an AIK digest or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --products [--file <path>|--fid <id>]\n\ - Show a list of supported software products with a file path or\n\ + ipsec attest --devices [--utc]\n\ + Show a list of registered devices and associated collected information\n\ + \n\ + ipsec attest --files [--product <name>|--pid <id>]\n\ + Show a list of files with a software product name or\n\ its primary key as an optional selector.\n\ \n\ ipsec attest --hashes [--sha1|--sha256|--sha384] [--product <name>|--pid <id>]\n\ @@ -44,10 +47,6 @@ Usage:\n\ Show a list of measurement hashes for a given file or\n\ its primary key as an optional selector.\n\ \n\ - ipsec attest --components [--key <digest>|--kid <id>]\n\ - Show a list of components with an AIK digest or\n\ - its primary key as an optional selector.\n\ - \n\ ipsec attest --keys [--components <cfn>|--cid <id>]\n\ Show a list of AIK key digests with a component or\n\ its primary key as an optional selector.\n\ @@ -60,6 +59,14 @@ Usage:\n\ Show a list of component measurements for a given AIK or\n\ its primary key as an optional selector.\n\ \n\ + ipsec attest --packages [--product <name>|--pid <id>] [--utc]\n\ + Show a list of software packages for a given product or\n\ + its primary key as an optional selector.\n\ + \n\ + ipsec attest --products [--file <path>|--fid <id>]\n\ + Show a list of supported software products with a file path or\n\ + its primary key as an optional selector.\n\ + \n\ ipsec attest --add --file <path>|--dir <path>|--product <name>|--component <cfn>\n\ Add a file, directory, product or component entry\n\ Component <cfn> entries must be of the form <vendor_id>/<name>-<qualifier>\n\ @@ -74,6 +81,10 @@ Usage:\n\ ipsec attest --add --key <digest|--kid <id> --component <cfn>|--cid <id> --sequence <no>|--seq <no>\n\ Add an ordered key/component entry\n\ \n\ + ipsec attest --add --package <name> --version <string> [--security|--blacklist]\n\ + [--product <name>|--pid <id>]\n\ + Add a package version for a given product optionally with security or blacklist flag\n\ + \n\ ipsec attest --del --file <path>|--fid <id>|--dir <path>|--did <id>\n\ Delete a file or directory entry referenced either by value or primary key\n\ \n\ diff --git a/src/libpts/plugins/imv_attestation/build-database.sh b/src/libpts/plugins/imv_attestation/build-database.sh index a89258e1d..be1024de0 100755 --- a/src/libpts/plugins/imv_attestation/build-database.sh +++ b/src/libpts/plugins/imv_attestation/build-database.sh @@ -1,6 +1,6 @@ #!/bin/sh -p="Ubuntu 12.04.1 LTS i686" +p="Ubuntu 12.04 i686" ipsec attest --add --product "$p" --sha1-ima --dir /sbin ipsec attest --add --product "$p" --sha1-ima --dir /usr/sbin diff --git a/src/libpts/plugins/imv_attestation/data.sql b/src/libpts/plugins/imv_attestation/data.sql index b1646b724..60c312e30 100644 --- a/src/libpts/plugins/imv_attestation/data.sql +++ b/src/libpts/plugins/imv_attestation/data.sql @@ -51,7 +51,7 @@ INSERT INTO products ( INSERT INTO products ( name ) VALUES ( - 'Ubuntu 12.04.1 LTS i686' + 'Ubuntu 12.04 i686' ); /* Files */ diff --git a/src/libpts/plugins/imv_attestation/imv_attestation.c b/src/libpts/plugins/imv_attestation/imv_attestation.c index 201496e8a..3c5488eba 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation.c @@ -18,10 +18,11 @@ #include "imv_attestation_build.h" #include <imv/imv_agent.h> -#include <pa_tnc/pa_tnc_msg.h> +#include <imv/imv_msg.h> #include <ietf/ietf_attr.h> #include <ietf/ietf_attr_pa_tnc_error.h> #include <ietf/ietf_attr_product_info.h> +#include <ietf/ietf_attr_string_version.h> #include <libpts.h> @@ -34,16 +35,18 @@ #include <tncif_pa_subtypes.h> #include <pen/pen.h> -#include <debug.h> +#include <utils/debug.h> #include <credentials/credential_manager.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> /* IMV definitions */ static const char imv_name[] = "Attestation"; -#define IMV_VENDOR_ID PEN_TCG -#define IMV_SUBTYPE PA_SUBTYPE_TCG_PTS +static pen_type_t msg_types[] = { + { PEN_TCG, PA_SUBTYPE_TCG_PTS }, + { PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM } +}; static imv_agent_t *imv_attestation; @@ -92,7 +95,7 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, { return TNC_RESULT_FATAL; } - imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE, + imv_attestation = imv_agent_create(imv_name, msg_types, countof(msg_types), imv_id, actual_version); if (!imv_attestation) { @@ -100,7 +103,7 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, } libpts_init(); - + if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1) { DBG1(DBG_IMV, "no common IF-IMV version"); @@ -166,133 +169,106 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id, } } -static TNC_Result send_message(TNC_ConnectionID connection_id) +static TNC_Result send_message(imv_state_t *state, imv_msg_t *out_msg) { - linked_list_t *attr_list; - imv_state_t *state; imv_attestation_state_t *attestation_state; TNC_Result result; - if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) - { - return TNC_RESULT_FATAL; - } attestation_state = (imv_attestation_state_t*)state; - attr_list = linked_list_create(); - if (imv_attestation_build(attr_list, attestation_state, supported_algorithms, + if (imv_attestation_build(out_msg, attestation_state, supported_algorithms, supported_dh_groups, pts_db)) { - if (attr_list->get_count(attr_list)) - { - result = imv_attestation->send_message(imv_attestation, - connection_id, FALSE, 0, TNC_IMCID_ANY, attr_list); - } - else - { - result = TNC_RESULT_SUCCESS; - } - attr_list->destroy(attr_list); + result = out_msg->send(out_msg, TRUE); } else { - attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy)); result = TNC_RESULT_FATAL; } return result; } -static TNC_Result receive_message(TNC_IMVID imv_id, - TNC_ConnectionID connection_id, - TNC_UInt32 msg_flags, - chunk_t msg, - TNC_VendorID msg_vid, - TNC_MessageSubtype msg_subtype, - TNC_UInt32 src_imc_id, - TNC_UInt32 dst_imv_id) +static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg) { - pa_tnc_msg_t *pa_tnc_msg; - pa_tnc_attr_t *attr; - pen_type_t type; - linked_list_t *attr_list; - imv_state_t *state; imv_attestation_state_t *attestation_state; - pts_t *pts; + imv_msg_t *out_msg; enumerator_t *enumerator; + pa_tnc_attr_t *attr; + pen_type_t type; TNC_Result result; + pts_t *pts; + chunk_t os_name = chunk_empty; + chunk_t os_version = chunk_empty; + bool fatal_error = FALSE; - if (!imv_attestation) + /* parse received PA-TNC message and handle local and remote errors */ + result = in_msg->receive(in_msg, &fatal_error); + if (result != TNC_RESULT_SUCCESS) { - DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); - return TNC_RESULT_NOT_INITIALIZED; + return result; } - /* get current IMV state */ - if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) - { - return TNC_RESULT_FATAL; - } attestation_state = (imv_attestation_state_t*)state; pts = attestation_state->get_pts(attestation_state); - /* parse received PA-TNC message and automatically handle any errors */ - result = imv_attestation->receive_message(imv_attestation, state, msg, - msg_vid, msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg); - - /* no parsed PA-TNC attributes available if an error occurred */ - if (!pa_tnc_msg) - { - return result; - } - - /* preprocess any IETF standard error attributes */ - result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ? - TNC_RESULT_FATAL : TNC_RESULT_SUCCESS; - - attr_list = linked_list_create(); + out_msg = imv_msg_create_as_reply(in_msg); + out_msg->set_msg_type(out_msg, msg_types[0]); /* analyze PA-TNC attributes */ - enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg); + enumerator = in_msg->create_attribute_enumerator(in_msg); while (enumerator->enumerate(enumerator, &attr)) { type = attr->get_type(attr); if (type.vendor_id == PEN_IETF) { - if (type.type == IETF_ATTR_PA_TNC_ERROR) + switch (type.type) { - ietf_attr_pa_tnc_error_t *error_attr; - pen_type_t error_code; - chunk_t msg_info; + case IETF_ATTR_PA_TNC_ERROR: + { + ietf_attr_pa_tnc_error_t *error_attr; + pen_type_t error_code; + chunk_t msg_info; - error_attr = (ietf_attr_pa_tnc_error_t*)attr; - error_code = error_attr->get_error_code(error_attr); + error_attr = (ietf_attr_pa_tnc_error_t*)attr; + error_code = error_attr->get_error_code(error_attr); - if (error_code.vendor_id == PEN_TCG) - { - msg_info = error_attr->get_msg_info(error_attr); + if (error_code.vendor_id == PEN_TCG) + { + msg_info = error_attr->get_msg_info(error_attr); - DBG1(DBG_IMV, "received TCG-PTS error '%N'", - pts_error_code_names, error_code.type); - DBG1(DBG_IMV, "error information: %B", &msg_info); + DBG1(DBG_IMV, "received TCG-PTS error '%N'", + pts_error_code_names, error_code.type); + DBG1(DBG_IMV, "error information: %B", &msg_info); - result = TNC_RESULT_FATAL; + result = TNC_RESULT_FATAL; + } + break; } - } - else if (type.type == IETF_ATTR_PRODUCT_INFORMATION) - { - ietf_attr_product_info_t *attr_cast; - char *platform_info; + case IETF_ATTR_PRODUCT_INFORMATION: + { + ietf_attr_product_info_t *attr_cast; - attr_cast = (ietf_attr_product_info_t*)attr; - platform_info = attr_cast->get_info(attr_cast, NULL, NULL); - pts->set_platform_info(pts, platform_info); + attr_cast = (ietf_attr_product_info_t*)attr; + os_name = attr_cast->get_info(attr_cast, NULL, NULL); + break; + } + case IETF_ATTR_STRING_VERSION: + { + ietf_attr_string_version_t *attr_cast; + + attr_cast = (ietf_attr_string_version_t*)attr; + os_version = attr_cast->get_version(attr_cast, NULL, NULL); + break; + } + default: + break; } } else if (type.vendor_id == PEN_TCG) { - if (!imv_attestation_process(attr, attr_list, attestation_state, + if (!imv_attestation_process(attr, out_msg, attestation_state, supported_algorithms,supported_dh_groups, pts_db, pts_credmgr)) { result = TNC_RESULT_FATAL; @@ -301,36 +277,50 @@ static TNC_Result receive_message(TNC_IMVID imv_id, } } enumerator->destroy(enumerator); - pa_tnc_msg->destroy(pa_tnc_msg); - if (result != TNC_RESULT_SUCCESS) + if (os_name.len && os_version.len) + { + pts->set_platform_info(pts, os_name, os_version); + } + + if (fatal_error || result != TNC_RESULT_SUCCESS) { - attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy)); state->set_recommendation(state, - TNC_IMV_ACTION_RECOMMENDATION_ISOLATE, + TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, TNC_IMV_EVALUATION_RESULT_ERROR); - return imv_attestation->provide_recommendation(imv_attestation, - connection_id, src_imc_id); + result = out_msg->send_assessment(out_msg); + out_msg->destroy(out_msg); + if (result != TNC_RESULT_SUCCESS) + { + return result; + } + return imv_attestation->provide_recommendation(imv_attestation, state); } - if (attr_list->get_count(attr_list)) + /* send PA-TNC message with excl flag set */ + result = out_msg->send(out_msg, TRUE); + + if (result != TNC_RESULT_SUCCESS) { - result = imv_attestation->send_message(imv_attestation, connection_id, - FALSE, 0, TNC_IMCID_ANY, attr_list); - attr_list->destroy(attr_list); + out_msg->destroy(out_msg); return result; } - attr_list->destroy(attr_list); /* check the IMV state for the next PA-TNC attributes to send */ - result = send_message(connection_id); + result = send_message(state, out_msg); + if (result != TNC_RESULT_SUCCESS) { state->set_recommendation(state, TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, TNC_IMV_EVALUATION_RESULT_ERROR); - return imv_attestation->provide_recommendation(imv_attestation, - connection_id, src_imc_id); + result = out_msg->send_assessment(out_msg); + out_msg->destroy(out_msg); + if (result != TNC_RESULT_SUCCESS) + { + return result; + } + return imv_attestation->provide_recommendation(imv_attestation, state); } if (attestation_state->get_handshake_state(attestation_state) == @@ -340,7 +330,8 @@ static TNC_Result receive_message(TNC_IMVID imv_id, { DBG1(DBG_IMV, "failure due to %d pending file measurements", attestation_state->get_file_meas_request_count(attestation_state)); - attestation_state->set_measurement_error(attestation_state); + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_FILE_MEAS_PEND); } if (attestation_state->get_measurement_error(attestation_state)) { @@ -354,9 +345,15 @@ static TNC_Result receive_message(TNC_IMVID imv_id, TNC_IMV_ACTION_RECOMMENDATION_ALLOW, TNC_IMV_EVALUATION_RESULT_COMPLIANT); } - return imv_attestation->provide_recommendation(imv_attestation, - connection_id, src_imc_id); + result = out_msg->send_assessment(out_msg); + out_msg->destroy(out_msg); + if (result != TNC_RESULT_SUCCESS) + { + return result; + } + return imv_attestation->provide_recommendation(imv_attestation, state); } + out_msg->destroy(out_msg); return result; } @@ -370,14 +367,25 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, TNC_UInt32 msg_len, TNC_MessageType msg_type) { - TNC_VendorID msg_vid; - TNC_MessageSubtype msg_subtype; + imv_state_t *state; + imv_msg_t *in_msg; + TNC_Result result; - msg_vid = msg_type >> 8; - msg_subtype = msg_type & TNC_SUBTYPE_ANY; + if (!imv_attestation) + { + DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); + return TNC_RESULT_NOT_INITIALIZED; + } + if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) + { + return TNC_RESULT_FATAL; + } + in_msg = imv_msg_create_from_data(imv_attestation, state, connection_id, + msg_type, chunk_create(msg, msg_len)); + result = receive_message(state, in_msg); + in_msg->destroy(in_msg); - return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len), - msg_vid, msg_subtype, 0, TNC_IMVID_ANY); + return result; } /** @@ -393,9 +401,26 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id, TNC_UInt32 src_imc_id, TNC_UInt32 dst_imv_id) { - return receive_message(imv_id, connection_id, msg_flags, - chunk_create(msg, msg_len), msg_vid, msg_subtype, - src_imc_id, dst_imv_id); + imv_state_t *state; + imv_msg_t *in_msg; + TNC_Result result; + + if (!imv_attestation) + { + DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); + return TNC_RESULT_NOT_INITIALIZED; + } + if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) + { + return TNC_RESULT_FATAL; + } + in_msg = imv_msg_create_from_long_data(imv_attestation, state, connection_id, + src_imc_id, dst_imv_id, msg_vid, msg_subtype, + chunk_create(msg, msg_len)); + result =receive_message(state, in_msg); + in_msg->destroy(in_msg); + + return result; } /** @@ -404,13 +429,18 @@ TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id, TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id, TNC_ConnectionID connection_id) { + imv_state_t *state; + if (!imv_attestation) { DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); return TNC_RESULT_NOT_INITIALIZED; } - return imv_attestation->provide_recommendation(imv_attestation, - connection_id, TNC_IMCID_ANY); + if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) + { + return TNC_RESULT_FATAL; + } + return imv_attestation->provide_recommendation(imv_attestation, state); } /** @@ -419,27 +449,11 @@ TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id, TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id, TNC_ConnectionID connection_id) { - imv_state_t *state; - imv_attestation_state_t *attestation_state; - if (!imv_attestation) { DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name); return TNC_RESULT_NOT_INITIALIZED; } - /* get current IMV state */ - if (!imv_attestation->get_state(imv_attestation, connection_id, &state)) - { - return TNC_RESULT_FATAL; - } - attestation_state = (imv_attestation_state_t*)state; - - /* Check if IMV has to initiate the PA-TNC exchange */ - if (attestation_state->get_handshake_state(attestation_state) == - IMV_ATTESTATION_STATE_INIT) - { - return send_message(connection_id); - } return TNC_RESULT_SUCCESS; } diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.c b/src/libpts/plugins/imv_attestation/imv_attestation_build.c index 23195d6e3..b4feec7cd 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_build.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.c @@ -27,9 +27,9 @@ #include <tcg/tcg_pts_attr_req_file_meas.h> #include <tcg/tcg_pts_attr_req_file_meta.h> -#include <debug.h> +#include <utils/debug.h> -bool imv_attestation_build(linked_list_t *attr_list, +bool imv_attestation_build(imv_msg_t *out_msg, imv_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups, @@ -76,12 +76,12 @@ bool imv_attestation_build(linked_list_t *attr_list, flags = pts->get_proto_caps(pts); attr = tcg_pts_attr_proto_caps_create(flags, TRUE); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); /* Send Measurement Algorithms attribute */ attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_NONCE_REQ); @@ -97,7 +97,7 @@ bool imv_attestation_build(linked_list_t *attr_list, attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len, supported_dh_groups); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_TPM_INIT); @@ -116,18 +116,18 @@ bool imv_attestation_build(linked_list_t *attr_list, attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm, initiator_value, initiator_nonce); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); } /* Send Get TPM Version attribute */ attr = tcg_pts_attr_get_tpm_version_info_create(); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); /* Send Get AIK attribute */ attr = tcg_pts_attr_get_aik_create(); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_MEAS); @@ -140,7 +140,7 @@ bool imv_attestation_build(linked_list_t *attr_list, char *platform_info, *pathname; u_int16_t request_id; int id, type; - bool is_dir; + bool is_dir, have_request = FALSE; attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_COMP_EVID); @@ -173,10 +173,11 @@ bool imv_attestation_build(linked_list_t *attr_list, attr = tcg_pts_attr_req_file_meta_create(is_dir, delimiter, pathname); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); + have_request = TRUE; } enumerator->destroy(enumerator); - + /* Send Request File Measurement attribute */ enumerator = pts_db->create_file_meas_enumerator(pts_db, platform_info); @@ -194,12 +195,13 @@ bool imv_attestation_build(linked_list_t *attr_list, attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id, delimiter, pathname); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); + have_request = TRUE; } enumerator->destroy(enumerator); /* do we have any file metadata or measurement requests? */ - if (attr_list->get_count(attr_list)) + if (have_request) { break; } @@ -282,12 +284,12 @@ bool imv_attestation_build(linked_list_t *attr_list, if (attr) { /* Send Request Functional Component Evidence attribute */ - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); /* Send Generate Attestation Evidence attribute */ attr = tcg_pts_attr_gen_attest_evid_create(); attr->set_noskip_flag(attr, TRUE); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_EVID_FINAL); diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.h b/src/libpts/plugins/imv_attestation/imv_attestation_build.h index 7f934fd09..0fc10f0ce 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_build.h +++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.h @@ -24,7 +24,7 @@ #include "imv_attestation_state.h" -#include <pa_tnc/pa_tnc_msg.h> +#include <imv/imv_msg.h> #include <library.h> #include <pts/pts_database.h> @@ -34,14 +34,14 @@ /** * Process a TCG PTS attribute * - * @param attr_list list of PA-TNC attriubutes to be built + * @param out_msg outbound PA-TNC message to be built * @param attestation_state attestation state of a given connection * @param supported_algorithms supported PTS measurement algorithms * @param supported_dh_groups supported DH groups * @param pts_db PTS configuration database * @return TRUE if successful */ -bool imv_attestation_build(linked_list_t *attr_list, +bool imv_attestation_build(imv_msg_t *out_msg, imv_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups, diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c index 37e9ac77a..4541075ef 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c @@ -29,12 +29,12 @@ #include <tcg/tcg_pts_attr_tpm_version_info.h> #include <tcg/tcg_pts_attr_unix_file_meta.h> -#include <debug.h> +#include <utils/debug.h> #include <crypto/hashers/hasher.h> #include <inttypes.h> -bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, +bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, imv_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups, @@ -43,7 +43,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, { pen_type_t attr_type; pts_t *pts; - + pts = attestation_state->get_pts(attestation_state); attr_type = attr->get_type(attr); @@ -96,7 +96,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, attr = pts_dh_nonce_error_create( max(PTS_MIN_NONCE_LEN, min_nonce_len), PTS_MAX_NONCE_LEN); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); break; } @@ -113,7 +113,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (selected_algorithm == PTS_MEAS_ALGO_NONE) { attr = pts_hash_alg_error_create(supported_algorithms); - attr_list->insert_last(attr_list, attr); + out_msg->add_attribute(out_msg, attr); break; } pts->set_dh_hash_algorithm(pts, selected_algorithm); @@ -233,7 +233,8 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, platform_info, algo, file_id, is_dir); if (!measurements->verify(measurements, e_hash, is_dir)) { - attestation_state->set_measurement_error(attestation_state); + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL); } e_hash->destroy(e_hash); } @@ -299,7 +300,8 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (comp->verify(comp, name->get_qualifier(name), pts, evidence) != SUCCESS) { - attestation_state->set_measurement_error(attestation_state); + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_COMP_EVID_FAIL); name->log(name, " measurement mismatch for "); } break; @@ -335,17 +337,21 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, { DBG1(DBG_IMV, "received PCR Composite does not match " "constructed one"); + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL); free(pcr_composite.ptr); free(quote_info.ptr); - return FALSE; + break; } DBG2(DBG_IMV, "received PCR Composite matches constructed one"); free(pcr_composite.ptr); if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig)) { + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL); free(quote_info.ptr); - return FALSE; + break; } DBG2(DBG_IMV, "TPM Quote Info signature verification successful"); free(quote_info.ptr); diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.h b/src/libpts/plugins/imv_attestation/imv_attestation_process.h index 4d4eeefbb..73b4251e0 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_process.h +++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.h @@ -25,10 +25,11 @@ #include "imv_attestation_state.h" #include <library.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> #include <credentials/credential_manager.h> #include <crypto/hashers/hasher.h> +#include <imv/imv_msg.h> #include <pa_tnc/pa_tnc_attr.h> #include <pts/pts_database.h> @@ -39,7 +40,7 @@ * Process a TCG PTS attribute * * @param attr PA-TNC attribute to be processed - * @param attr_list list with PA-TNC error attributes + * @param out_msg PA-TNC message containing error messages * @param attestation_state attestation state of a given connection * @param supported_algorithms supported PTS measurement algorithms * @param supported_dh_groups supported DH groups @@ -47,7 +48,7 @@ * @param pts_credmgr PTS credential manager * @return TRUE if successful */ -bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, +bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, imv_attestation_state_t *attestation_state, pts_meas_algorithms_t supported_algorithms, pts_dh_group_t supported_dh_groups, diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c index 1dbc88309..93da9aee5 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c @@ -17,9 +17,11 @@ #include <libpts.h> -#include <utils/lexparser.h> -#include <utils/linked_list.h> -#include <debug.h> +#include <imv/imv_lang_string.h> +#include "imv/imv_reason_string.h" + +#include <collections/linked_list.h> +#include <utils/debug.h> typedef struct private_imv_attestation_state_t private_imv_attestation_state_t; typedef struct file_meas_request_t file_meas_request_t; @@ -44,7 +46,7 @@ struct private_imv_attestation_state_t { * TNCCS connection state */ TNC_ConnectionState state; - + /** * Does the TNCCS connection support long message types? */ @@ -96,9 +98,14 @@ struct private_imv_attestation_state_t { pts_t *pts; /** - * Measurement error + * Measurement error flags + */ + u_int32_t measurement_error; + + /** + * TNC Reason String */ - bool measurement_error; + imv_reason_string_t *reason_string; }; @@ -128,26 +135,47 @@ static void free_func_comp(func_comp_t *this) free(this); } -typedef struct entry_t entry_t; - /** - * Define an internal reason string entry + * Supported languages */ -struct entry_t { - char *lang; - char *string; -}; +static char* languages[] = { "en", "de", "mn" }; /** - * Table of multi-lingual reason string entries + * Table of reason strings */ -static entry_t reasons[] = { - { "en", "IMV Attestation: Incorrect/pending file measurement/component" - " evidence or invalid TPM Quote signature received" }, - { "mn", "IMV Attestation: Буруу/хүлээгдэж байгаа файл/компонент хэмжилт " - "эсвэл буруу TPM Quote гарын үсэг" }, - { "de", "IMV Attestation: Falsche/Fehlende Dateimessung/Komponenten Beweis " - "oder ungültige TPM Quote Unterschrift ist erhalten" }, +static imv_lang_string_t reason_file_meas_fail[] = { + { "en", "Incorrect file measurement" }, + { "de", "Falsche Dateimessung" }, + { "mn", "Буруу байгаа файл" }, + { NULL, NULL } +}; + +static imv_lang_string_t reason_file_meas_pend[] = { + { "en", "Pending file measurement" }, + { "de", "Ausstehende Dateimessung" }, + { "mn", "Xүлээгдэж байгаа файл" }, + { NULL, NULL } +}; + +static imv_lang_string_t reason_comp_evid_fail[] = { + { "en", "Incorrect component evidence" }, + { "de", "Falsche Komponenten-Evidenz" }, + { "mn", "Буруу компонент хэмжилт" }, + { NULL, NULL } +}; + +static imv_lang_string_t reason_comp_evid_pend[] = { + { "en", "Pending component evidence" }, + { "de", "Ausstehende Komponenten-Evidenz" }, + { "mn", "Xүлээгдэж компонент хэмжилт" }, + { NULL, NULL } +}; + +static imv_lang_string_t reason_tpm_quote_fail[] = { + { "en", "Invalid TPM Quote signature received" }, + { "de", "Falsche TPM Quote Signature erhalten" }, + { "mn", "Буруу TPM Quote гарын үсэг" }, + { NULL, NULL } }; METHOD(imv_state_t, get_connection_id, TNC_ConnectionID, @@ -210,52 +238,57 @@ METHOD(imv_state_t, set_recommendation, void, } METHOD(imv_state_t, get_reason_string, bool, - private_imv_attestation_state_t *this, chunk_t preferred_language, - chunk_t *reason_string, chunk_t *reason_language) + private_imv_attestation_state_t *this, enumerator_t *language_enumerator, + chunk_t *reason_string, char **reason_language) { - chunk_t pref_lang, lang; - u_char *pos; - int i; + *reason_language = imv_lang_string_select_lang(language_enumerator, + languages, countof(languages)); - while (eat_whitespace(&preferred_language)) - { - if (!extract_token(&pref_lang, ',', &preferred_language)) - { - /* last entry in a comma-separated list or single entry */ - pref_lang = preferred_language; - } + /* Instantiate a TNC Reason String object */ + DESTROY_IF(this->reason_string); + this->reason_string = imv_reason_string_create(*reason_language); - /* eat trailing whitespace */ - pos = pref_lang.ptr + pref_lang.len - 1; - while (pref_lang.len && *pos-- == ' ') - { - pref_lang.len--; - } - - for (i = 0 ; i < countof(reasons); i++) - { - lang = chunk_create(reasons[i].lang, strlen(reasons[i].lang)); - if (chunk_equals(lang, pref_lang)) - { - *reason_language = lang; - *reason_string = chunk_create(reasons[i].string, - strlen(reasons[i].string)); - return TRUE; - } - } + if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL) + { + this->reason_string->add_reason(this->reason_string, + reason_file_meas_fail); + } + if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_PEND) + { + this->reason_string->add_reason(this->reason_string, + reason_file_meas_pend); + } + if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_FAIL) + { + this->reason_string->add_reason(this->reason_string, + reason_comp_evid_fail); + } + if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_PEND) + { + this->reason_string->add_reason(this->reason_string, + reason_comp_evid_pend); } + if (this->measurement_error & IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL) + { + this->reason_string->add_reason(this->reason_string, + reason_tpm_quote_fail); + } + *reason_string = this->reason_string->get_encoding(this->reason_string); - /* no preferred language match found - use the default language */ - *reason_string = chunk_create(reasons[0].string, - strlen(reasons[0].string)); - *reason_language = chunk_create(reasons[0].lang, - strlen(reasons[0].lang)); return TRUE; } +METHOD(imv_state_t, get_remediation_instructions, bool, + private_imv_attestation_state_t *this, enumerator_t *language_enumerator, + chunk_t *string, char **lang_code, char **uri) +{ + return FALSE; +} + METHOD(imv_state_t, destroy, void, private_imv_attestation_state_t *this) { + DESTROY_IF(this->reason_string); this->file_meas_requests->destroy_function(this->file_meas_requests, free); this->components->destroy_function(this->components, (void *)free_func_comp); this->pts->destroy(this->pts); @@ -302,7 +335,7 @@ METHOD(imv_attestation_state_t, check_off_file_meas_request, bool, enumerator_t *enumerator; file_meas_request_t *request; bool found = FALSE; - + enumerator = this->file_meas_requests->create_enumerator(this->file_meas_requests); while (enumerator->enumerate(enumerator, &request)) { @@ -396,16 +429,16 @@ METHOD(imv_attestation_state_t, get_component, pts_component_t*, return found; } -METHOD(imv_attestation_state_t, get_measurement_error, bool, +METHOD(imv_attestation_state_t, get_measurement_error, u_int32_t, private_imv_attestation_state_t *this) { return this->measurement_error; } METHOD(imv_attestation_state_t, set_measurement_error, void, - private_imv_attestation_state_t *this) + private_imv_attestation_state_t *this, u_int32_t error) { - this->measurement_error = TRUE; + this->measurement_error |= error; } METHOD(imv_attestation_state_t, finalize_components, void, @@ -418,7 +451,7 @@ METHOD(imv_attestation_state_t, finalize_components, void, { if (!entry->comp->finalize(entry->comp, entry->qualifier)) { - _set_measurement_error(this); + set_measurement_error(this, IMV_ATTESTATION_ERROR_COMP_EVID_PEND); } free_func_comp(entry); } @@ -436,7 +469,6 @@ METHOD(imv_attestation_state_t, components_finalized, bool, imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id) { private_imv_attestation_state_t *this; - char *platform_info; INIT(this, .public = { @@ -451,6 +483,7 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id) .get_recommendation = _get_recommendation, .set_recommendation = _set_recommendation, .get_reason_string = _get_reason_string, + .get_remediation_instructions = _get_remediation_instructions, .destroy = _destroy, }, .get_handshake_state = _get_handshake_state, @@ -476,12 +509,5 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id) .pts = pts_create(FALSE), ); - platform_info = lib->settings->get_str(lib->settings, - "libimcv.plugins.imv-attestation.platform_info", NULL); - if (platform_info) - { - this->pts->set_platform_info(this->pts, platform_info); - } - return &this->public.interface; } diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h index 901d4b19d..f64314e71 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h +++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h @@ -30,6 +30,7 @@ typedef struct imv_attestation_state_t imv_attestation_state_t; typedef enum imv_attestation_handshake_state_t imv_attestation_handshake_state_t; +typedef enum imv_meas_error_t imv_meas_error_t; /** * IMV Attestation Handshake States (state machine) @@ -45,6 +46,17 @@ enum imv_attestation_handshake_state_t { }; /** + * IMV Measurement Error Types + */ +enum imv_meas_error_t { + IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL = 1, + IMV_ATTESTATION_ERROR_FILE_MEAS_PEND = 2, + IMV_ATTESTATION_ERROR_COMP_EVID_FAIL = 4, + IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 8, + IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 16 +}; + +/** * Internal state of an imv_attestation_t connection instance */ struct imv_attestation_state_t { @@ -139,16 +151,19 @@ struct imv_attestation_state_t { bool (*components_finalized)(imv_attestation_state_t *this); /** - * Indicates if a file measurement error occurred + * Indicates the types of measurement errors that occurred * - * @return TRUE in case of measurement error + * @return Measurement error flags */ - bool (*get_measurement_error)(imv_attestation_state_t *this); + u_int32_t (*get_measurement_error)(imv_attestation_state_t *this); /** - * Call if a file measurement error is encountered + * Call if a measurement error is encountered + * + * @param error Measurement error type */ - void (*set_measurement_error)(imv_attestation_state_t *this); + void (*set_measurement_error)(imv_attestation_state_t *this, + u_int32_t error); }; diff --git a/src/libpts/plugins/imv_attestation/tables.sql b/src/libpts/plugins/imv_attestation/tables.sql index 42553bef0..8a79ea7cf 100644 --- a/src/libpts/plugins/imv_attestation/tables.sql +++ b/src/libpts/plugins/imv_attestation/tables.sql @@ -85,3 +85,54 @@ CREATE TABLE component_hashes ( hash BLOB NOT NULL, PRIMARY KEY(component, key, seq_no, algo) ); + +DROP TABLE IF EXISTS packages; +CREATE TABLE packages ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + name TEXT NOT NULL +); +DROP INDEX IF EXISTS packages_name; +CREATE INDEX packages_name ON packages ( + name +); + +DROP TABLE IF EXISTS versions; +CREATE TABLE versions ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + package INTEGER NOT NULL, + product INTEGER NOT NULL, + release TEXT NOT NULL, + security INTEGER DEFAULT 0, + time INTEGER DEFAULT 0 +); +DROP INDEX IF EXISTS versions_release; +CREATE INDEX versions_release ON versions ( + release +); +DROP INDEX IF EXISTS versions_package_product; +CREATE INDEX versions_package_product ON versions ( + package, product +); + +DROP TABLE IF EXISTS devices; +CREATE TABLE devices ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + value BLOB NOT NULL +); +DROP INDEX IF EXISTS devices_id; +CREATE INDEX devices_value ON devices ( + value +); + +DROP TABLE IF EXISTS device_infos; +CREATE TABLE device_infos ( + device INTEGER NOT NULL, + time INTEGER NOT NULL, + product INTEGER DEFAULT 0, + count INTEGER DEFAULT 0, + count_update INTEGER DEFAULT 0, + count_blacklist INTEGER DEFAULT 0, + flags INTEGER DEFAULT 0, + PRIMARY KEY (device, time) +); + diff --git a/src/libpts/pts/components/ita/ita_comp_ima.c b/src/libpts/pts/components/ita/ita_comp_ima.c index a59732428..02470f5f5 100644 --- a/src/libpts/pts/components/ita/ita_comp_ima.c +++ b/src/libpts/pts/components/ita/ita_comp_ima.c @@ -20,7 +20,7 @@ #include "pts/pts_pcr.h" #include "pts/components/pts_component.h" -#include <debug.h> +#include <utils/debug.h> #include <pen/pen.h> #include <sys/types.h> @@ -96,12 +96,12 @@ struct pts_ita_comp_ima_t { int ima_cid; /** - * Component is registering IMA BIOS measurements + * Component is registering IMA BIOS measurements */ bool is_bios_registering; /** - * Component is registering IMA boot aggregate measurement + * Component is registering IMA boot aggregate measurement */ bool is_ima_registering; @@ -184,7 +184,7 @@ struct bios_entry_t { /** * SHA1 measurement hash - */ + */ chunk_t measurement; }; @@ -291,6 +291,7 @@ static bool load_bios_measurements(char *file, linked_list_t *list, DBG1(DBG_PTS, "loading bios measurements '%s' failed: %s", file, strerror(errno)); + free_bios_entry(entry); close(fd); return FALSE; } @@ -377,6 +378,7 @@ static bool load_runtime_measurements(char *file, linked_list_t *list, DBG1(DBG_PTS, "loading ima measurements '%s' failed: %s", file, strerror(errno)); + free_ima_entry(entry); close(fd); return FALSE; } @@ -526,7 +528,7 @@ METHOD(pts_component_t, measure, status_t, evid = extend_pcr(this, qualifier, pcrs, bios_entry->pcr, bios_entry->measurement); free(bios_entry); - + this->state = this->bios_list->get_count(this->bios_list) ? IMA_STATE_BIOS : IMA_STATE_INIT; break; @@ -821,7 +823,7 @@ METHOD(pts_component_t, finalize, bool, u_int32_t vid, name; enum_name_t *names; bool success = TRUE; - + this->name->set_qualifier(this->name, qualifier); vid = this->name->get_vendor_id(this->name); name = this->name->get_name(this->name); @@ -915,7 +917,7 @@ METHOD(pts_component_t, destroy, void, } this->bios_list->destroy_function(this->bios_list, (void *)free_bios_entry); - this->ima_list->destroy_function(this->ima_list, + this->ima_list->destroy_function(this->ima_list, (void *)free_ima_entry); this->name->destroy(this->name); free(this->keyid.ptr); diff --git a/src/libpts/pts/components/ita/ita_comp_tboot.c b/src/libpts/pts/components/ita/ita_comp_tboot.c index 9deeb19b5..8fb5abddf 100644 --- a/src/libpts/pts/components/ita/ita_comp_tboot.c +++ b/src/libpts/pts/components/ita/ita_comp_tboot.c @@ -19,7 +19,7 @@ #include "libpts.h" #include "pts/components/pts_component.h" -#include <debug.h> +#include <utils/debug.h> #include <pen/pen.h> typedef struct pts_ita_comp_tboot_t pts_ita_comp_tboot_t; @@ -66,7 +66,7 @@ struct pts_ita_comp_tboot_t { int kid; /** - * Component is registering measurements + * Component is registering measurements */ bool is_registering; @@ -123,7 +123,7 @@ METHOD(pts_component_t, measure, status_t, char *meas_hex, *pcr_before_hex, *pcr_after_hex; chunk_t measurement, pcr_before, pcr_after; u_int32_t extended_pcr; - + switch (this->seq_no++) { case 0: @@ -286,7 +286,7 @@ METHOD(pts_component_t, finalize, bool, { u_int32_t vid, name; enum_name_t *names; - + vid = this->name->get_vendor_id(this->name); name = this->name->get_name(this->name); names = pts_components->get_comp_func_names(pts_components, vid); diff --git a/src/libpts/pts/components/ita/ita_comp_tgrub.c b/src/libpts/pts/components/ita/ita_comp_tgrub.c index 986f7ace2..e3acd8774 100644 --- a/src/libpts/pts/components/ita/ita_comp_tgrub.c +++ b/src/libpts/pts/components/ita/ita_comp_tgrub.c @@ -18,7 +18,7 @@ #include "pts/components/pts_component.h" -#include <debug.h> +#include <utils/debug.h> #include <pen/pen.h> typedef struct pts_ita_comp_tgrub_t pts_ita_comp_tgrub_t; @@ -90,7 +90,7 @@ METHOD(pts_component_t, measure, status_t, /* Provisional implementation for TGRUB */ extended_pcr = PCR_DEBUG; time(&measurement_time); - + if (!pts->read_pcr(pts, extended_pcr, &pcr_after)) { DBG1(DBG_PTS, "error occurred while reading PCR: %d", extended_pcr); @@ -103,7 +103,7 @@ METHOD(pts_component_t, measure, status_t, measurement = chunk_alloc(pcr_len); memset(measurement.ptr, 0x00, measurement.len); - + pcr_before = chunk_alloc(pcr_len); memset(pcr_before.ptr, 0x00, pcr_before.len); @@ -150,7 +150,7 @@ METHOD(pts_component_t, verify, status_t, return SUCCESS; } } - + return SUCCESS; } diff --git a/src/libpts/pts/components/pts_comp_evidence.c b/src/libpts/pts/components/pts_comp_evidence.c index 050717472..08c3d5e9a 100644 --- a/src/libpts/pts/components/pts_comp_evidence.c +++ b/src/libpts/pts/components/pts_comp_evidence.c @@ -15,7 +15,7 @@ #include "pts/components/pts_comp_evidence.h" -#include <debug.h> +#include <utils/debug.h> typedef struct private_pts_comp_evidence_t private_pts_comp_evidence_t; @@ -148,7 +148,7 @@ METHOD(pts_comp_evidence_t, get_pcr_info, bool, METHOD(pts_comp_evidence_t, set_pcr_info, void, private_pts_comp_evidence_t *this, chunk_t pcr_before, chunk_t pcr_after) { - this->has_pcr_info = TRUE; + this->has_pcr_info = TRUE; this->pcr_before = pcr_before; this->pcr_after = pcr_after; diff --git a/src/libpts/pts/components/pts_comp_func_name.c b/src/libpts/pts/components/pts_comp_func_name.c index 7501be044..6c630f8fb 100644 --- a/src/libpts/pts/components/pts_comp_func_name.c +++ b/src/libpts/pts/components/pts_comp_func_name.c @@ -17,7 +17,7 @@ #include "libpts.h" #include "pts/components/pts_comp_func_name.h" -#include <debug.h> +#include <utils/debug.h> typedef struct private_pts_comp_func_name_t private_pts_comp_func_name_t; diff --git a/src/libpts/pts/components/pts_component_manager.c b/src/libpts/pts/components/pts_component_manager.c index e330aeebf..9c1375b79 100644 --- a/src/libpts/pts/components/pts_component_manager.c +++ b/src/libpts/pts/components/pts_component_manager.c @@ -15,8 +15,8 @@ #include "pts/components/pts_component_manager.h" -#include <utils/linked_list.h> -#include <debug.h> +#include <collections/linked_list.h> +#include <utils/debug.h> typedef struct private_pts_component_manager_t private_pts_component_manager_t; typedef struct vendor_entry_t vendor_entry_t; @@ -56,7 +56,7 @@ struct vendor_entry_t { /** * List of vendor-specific registered Functional Components - */ + */ linked_list_t *components; }; @@ -103,7 +103,7 @@ struct private_pts_component_manager_t { }; METHOD(pts_component_manager_t, add_vendor, void, - private_pts_component_manager_t *this, pen_t vendor_id, + private_pts_component_manager_t *this, pen_t vendor_id, enum_name_t *comp_func_names, int qualifier_type_size, char *qualifier_flag_names, enum_name_t *qualifier_type_names) { @@ -285,7 +285,7 @@ METHOD(pts_component_manager_t, create, pts_component_t*, METHOD(pts_component_manager_t, destroy, void, private_pts_component_manager_t *this) { - this->list->destroy_function(this->list, (void *)vendor_entry_destroy); + this->list->destroy_function(this->list, (void *)vendor_entry_destroy); free(this); } diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c index 4c6c5bc22..84a9961c8 100644 --- a/src/libpts/pts/pts.c +++ b/src/libpts/pts/pts.c @@ -15,13 +15,22 @@ #include "pts.h" -#include <debug.h> +#include <utils/debug.h> #include <crypto/hashers/hasher.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> +#ifdef TSS_TROUSERS #include <trousers/tss.h> #include <trousers/trousers.h> +#else +#ifndef TPM_TAG_QUOTE_INFO2 +#define TPM_TAG_QUOTE_INFO2 0x0036 +#endif +#ifndef TPM_LOC_ZERO +#define TPM_LOC_ZERO 0x01 +#endif +#endif #include <sys/types.h> #include <sys/stat.h> @@ -280,6 +289,8 @@ METHOD(pts_t, calculate_secret, bool, return TRUE; } +#ifdef TSS_TROUSERS + /** * Print TPM 1.2 Version Info */ @@ -299,14 +310,26 @@ static void print_tpm_version_info(private_pts_t *this) else { DBG2(DBG_PTS, "TPM 1.2 Version Info: Chip Version: %hhu.%hhu.%hhu.%hhu," - " Spec Level: %hu, Errata Rev: %hhu, Vendor ID: %.4s", + " Spec Level: %hu, Errata Rev: %hhu, Vendor ID: %.4s [%.*s]", versionInfo.version.major, versionInfo.version.minor, versionInfo.version.revMajor, versionInfo.version.revMinor, versionInfo.specLevel, versionInfo.errataRev, - versionInfo.tpmVendorID); + versionInfo.tpmVendorID, versionInfo.vendorSpecificSize, + versionInfo.vendorSpecificSize ? + (char*)versionInfo.vendorSpecific : ""); } + free(versionInfo.vendorSpecific); +} + +#else + +static void print_tpm_version_info(private_pts_t *this) +{ + DBG1(DBG_PTS, "unknown TPM version: no TSS implementation available"); } +#endif /* TSS_TROUSERS */ + METHOD(pts_t, get_platform_info, char*, private_pts_t *this) { @@ -314,10 +337,15 @@ METHOD(pts_t, get_platform_info, char*, } METHOD(pts_t, set_platform_info, void, - private_pts_t *this, char *info) + private_pts_t *this, chunk_t name, chunk_t version) { + int len = name.len + 1 + version.len + 1; + + /* platform info is a concatenation of OS name and OS version */ free(this->platform_info); - this->platform_info = strdup(info); + this->platform_info = malloc(len); + snprintf(this->platform_info, len, "%.*s %.*s", (int)name.len, name.ptr, + (int)version.len, version.ptr); } METHOD(pts_t, get_tpm_version_info, bool, @@ -606,6 +634,9 @@ METHOD(pts_t, get_metadata, pts_file_meta_t*, return metadata; } + +#ifdef TSS_TROUSERS + METHOD(pts_t, read_pcr, bool, private_pts_t *this, u_int32_t pcr_num, chunk_t *pcr_value) { @@ -857,21 +888,35 @@ err2: err1: Tspi_Context_Close(hContext); - if (!success) { DBG1(DBG_PTS, "TPM not available: tss error 0x%x", result); } - return success; } -METHOD(pts_t, get_pcrs, pts_pcr_t*, - private_pts_t *this) +#else /* TSS_TROUSERS */ + +METHOD(pts_t, read_pcr, bool, + private_pts_t *this, u_int32_t pcr_num, chunk_t *pcr_value) { - return this->pcrs; + return FALSE; } +METHOD(pts_t, extend_pcr, bool, + private_pts_t *this, u_int32_t pcr_num, chunk_t input, chunk_t *output) +{ + return FALSE; +} + +METHOD(pts_t, quote_tpm, bool, + private_pts_t *this, bool use_quote2, chunk_t *pcr_comp, chunk_t *quote_sig) +{ + return FALSE; +} + +#endif /* TSS_TROUSERS */ + /** * TPM_QUOTE_INFO structure: * 4 bytes of version @@ -1032,6 +1077,12 @@ METHOD(pts_t, verify_quote_signature, bool, return TRUE; } +METHOD(pts_t, get_pcrs, pts_pcr_t*, + private_pts_t *this) +{ + return this->pcrs; +} + METHOD(pts_t, destroy, void, private_pts_t *this) { @@ -1047,121 +1098,8 @@ METHOD(pts_t, destroy, void, free(this); } -#define RELEASE_LSB 0 -#define RELEASE_DEBIAN 1 -/** - * Determine Linux distribution and hardware platform - */ -static char* extract_platform_info(void) -{ - FILE *file; - char buf[BUF_LEN], *pos = buf, *value = NULL; - int i, len = BUF_LEN - 1; - struct utsname uninfo; - - /* Linux/Unix distribution release info (from http://linuxmafia.com) */ - const char* releases[] = { - "/etc/lsb-release", "/etc/debian_version", - "/etc/SuSE-release", "/etc/novell-release", - "/etc/sles-release", "/etc/redhat-release", - "/etc/fedora-release", "/etc/gentoo-release", - "/etc/slackware-version", "/etc/annvix-release", - "/etc/arch-release", "/etc/arklinux-release", - "/etc/aurox-release", "/etc/blackcat-release", - "/etc/cobalt-release", "/etc/conectiva-release", - "/etc/debian_release", "/etc/immunix-release", - "/etc/lfs-release", "/etc/linuxppc-release", - "/etc/mandrake-release", "/etc/mandriva-release", - "/etc/mandrakelinux-release", "/etc/mklinux-release", - "/etc/pld-release", "/etc/redhat_version", - "/etc/slackware-release", "/etc/e-smith-release", - "/etc/release", "/etc/sun-release", - "/etc/tinysofa-release", "/etc/turbolinux-release", - "/etc/ultrapenguin-release", "/etc/UnitedLinux-release", - "/etc/va-release", "/etc/yellowdog-release" - }; - - const char description[] = "DISTRIB_DESCRIPTION=\""; - const char str_debian[] = "Debian "; - - for (i = 0; i < countof(releases); i++) - { - file = fopen(releases[i], "r"); - if (!file) - { - continue; - } - - if (i == RELEASE_DEBIAN) - { - strcpy(buf, str_debian); - pos += strlen(str_debian); - len -= strlen(str_debian); - } - - fseek(file, 0, SEEK_END); - len = min(ftell(file), len); - rewind(file); - pos[len] = '\0'; - if (fread(pos, 1, len, file) != len) - { - DBG1(DBG_PTS, "failed to read file '%s'", releases[i]); - fclose(file); - return NULL; - } - fclose(file); - - if (i == RELEASE_LSB) - { - pos = strstr(buf, description); - if (!pos) - { - DBG1(DBG_PTS, "failed to find begin of lsb-release " - "DESCRIPTION field"); - return NULL; - } - value = pos + strlen(description); - pos = strchr(value, '"'); - if (!pos) - { - DBG1(DBG_PTS, "failed to find end of lsb-release " - "DESCRIPTION field"); - return NULL; - } - } - else - { - value = buf; - pos = strchr(pos, '\n'); - if (!pos) - { - DBG1(DBG_PTS, "failed to find end of release string"); - return NULL; - } - } - break; - } - - if (!value) - { - DBG1(DBG_PTS, "no distribution release file found"); - return NULL; - } - - if (uname(&uninfo) < 0) - { - DBG1(DBG_PTS, "could not retrieve machine architecture"); - return NULL; - } - - *pos++ = ' '; - len = sizeof(buf)-1 + (pos - buf); - strncpy(pos, uninfo.machine, len); - - DBG1(DBG_PTS, "platform is '%s'", value); - return strdup(value); -} +#ifdef TSS_TROUSERS /** * Check for a TPM by querying for TPM Version Info @@ -1211,6 +1149,16 @@ static bool has_tpm(private_pts_t *this) return FALSE; } +#else /* TSS_TROUSERS */ + +static bool has_tpm(private_pts_t *this) +{ + return FALSE; +} + +#endif /* TSS_TROUSERS */ + + /** * See header */ @@ -1264,8 +1212,6 @@ pts_t *pts_create(bool is_imc) if (is_imc) { - this->platform_info = extract_platform_info(); - if (has_tpm(this)) { this->has_tpm = TRUE; diff --git a/src/libpts/pts/pts.h b/src/libpts/pts/pts.h index 5f88cd15c..423a4c802 100644 --- a/src/libpts/pts/pts.h +++ b/src/libpts/pts/pts.h @@ -35,7 +35,7 @@ typedef struct pts_t pts_t; #include "components/pts_comp_func_name.h" #include <library.h> -#include <utils/linked_list.h> +#include <collections/linked_list.h> /** * UTF-8 encoding of the character used to delimiter the filename @@ -171,9 +171,10 @@ struct pts_t { /** * Set Platform and OS Info * - * @param info Platform and OS info + * @param name OS name + * @param version OS version */ - void (*set_platform_info)(pts_t *this, char *info); + void (*set_platform_info)(pts_t *this, chunk_t name, chunk_t version); /** * Get TPM 1.2 Version Info diff --git a/src/libpts/pts/pts_creds.c b/src/libpts/pts/pts_creds.c index 5a6197bdb..bc483eb84 100644 --- a/src/libpts/pts/pts_creds.c +++ b/src/libpts/pts/pts_creds.c @@ -15,7 +15,7 @@ #include "pts_creds.h" -#include <debug.h> +#include <utils/debug.h> #include <credentials/certificates/x509.h> #include <credentials/sets/mem_cred.h> diff --git a/src/libpts/pts/pts_database.c b/src/libpts/pts/pts_database.c index 946f37e1e..e0778aaef 100644 --- a/src/libpts/pts/pts_database.c +++ b/src/libpts/pts/pts_database.c @@ -15,7 +15,7 @@ #include "pts_database.h" -#include <debug.h> +#include <utils/debug.h> #include <crypto/hashers/hasher.h> @@ -151,7 +151,7 @@ METHOD(pts_database_t, check_file_measurement, status_t, { status = VERIFY_ERROR; } - } + } e->destroy(e); return status; @@ -179,7 +179,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t, enumerator_t *e; chunk_t hash; status_t status = NOT_FOUND; - + e = this->db->query(this->db, "SELECT hash FROM component_hashes " "WHERE component = ? AND key = ? " @@ -188,7 +188,7 @@ METHOD(pts_database_t, check_comp_measurement, status_t, DB_INT, pcr, DB_INT, algo, DB_BLOB); if (!e) { - DBG1(DBG_PTS, "no database query enumerator returned"); + DBG1(DBG_PTS, "no database query enumerator returned"); return FAILED; } @@ -225,7 +225,7 @@ METHOD(pts_database_t, insert_comp_measurement, status_t, int seq_no, int pcr, pts_meas_algorithms_t algo) { int id; - + if (this->db->execute(this->db, &id, "INSERT INTO component_hashes " "(component, key, seq_no, pcr, algo, hash) " diff --git a/src/libpts/pts/pts_dh_group.c b/src/libpts/pts/pts_dh_group.c index fb141327f..41a436036 100644 --- a/src/libpts/pts/pts_dh_group.c +++ b/src/libpts/pts/pts_dh_group.c @@ -15,7 +15,7 @@ #include "pts_dh_group.h" -#include <debug.h> +#include <utils/debug.h> /** * Described in header. @@ -27,7 +27,7 @@ bool pts_dh_group_probe(pts_dh_group_t *dh_groups) const char *plugin_name; char format1[] = " %s PTS DH group %N[%s] available"; char format2[] = " %s PTS DH group %N not available"; - + *dh_groups = PTS_DH_GROUP_NONE; enumerator = lib->crypto->create_dh_enumerator(lib->crypto); diff --git a/src/libpts/pts/pts_file_meas.c b/src/libpts/pts/pts_file_meas.c index 4fece6b3c..e69c32443 100644 --- a/src/libpts/pts/pts_file_meas.c +++ b/src/libpts/pts/pts_file_meas.c @@ -15,8 +15,8 @@ #include "pts_file_meas.h" -#include <utils/linked_list.h> -#include <debug.h> +#include <collections/linked_list.h> +#include <utils/debug.h> #include <sys/stat.h> #include <libgen.h> @@ -179,7 +179,7 @@ METHOD(pts_file_meas_t, verify, bool, } } enumerator->destroy(enumerator); - + if (!found) { DBG1(DBG_PTS, " no measurement found for '%s'", filename); @@ -200,7 +200,7 @@ METHOD(pts_file_meas_t, verify, bool, break; } } - return success; + return success; } METHOD(pts_file_meas_t, destroy, void, diff --git a/src/libpts/pts/pts_file_meta.c b/src/libpts/pts/pts_file_meta.c index 6ed1c01b4..9cca0a5a5 100644 --- a/src/libpts/pts/pts_file_meta.c +++ b/src/libpts/pts/pts_file_meta.c @@ -15,8 +15,8 @@ #include "pts_file_meta.h" -#include <utils/linked_list.h> -#include <debug.h> +#include <collections/linked_list.h> +#include <utils/debug.h> typedef struct private_pts_file_meta_t private_pts_file_meta_t; diff --git a/src/libpts/pts/pts_meas_algo.c b/src/libpts/pts/pts_meas_algo.c index fbc9c6959..16a66e7b3 100644 --- a/src/libpts/pts/pts_meas_algo.c +++ b/src/libpts/pts/pts_meas_algo.c @@ -15,7 +15,7 @@ #include "pts_meas_algo.h" -#include <debug.h> +#include <utils/debug.h> ENUM_BEGIN(pts_meas_algorithm_names, PTS_MEAS_ALGO_NONE, PTS_MEAS_ALGO_NONE, "None"); @@ -43,7 +43,7 @@ bool pts_meas_algo_probe(pts_meas_algorithms_t *algorithms) const char *plugin_name; char format1[] = " %s PTS measurement algorithm %N[%s] available"; char format2[] = " %s PTS measurement algorithm %N not available"; - + *algorithms = 0; enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); diff --git a/src/libpts/pts/pts_pcr.c b/src/libpts/pts/pts_pcr.c index a7a2f5fae..0af93b608 100644 --- a/src/libpts/pts/pts_pcr.c +++ b/src/libpts/pts/pts_pcr.c @@ -15,7 +15,7 @@ #include "pts_pcr.h" -#include <debug.h> +#include <utils/debug.h> #include <stdarg.h> diff --git a/src/libpts/tcg/tcg_pts_attr_aik.c b/src/libpts/tcg/tcg_pts_attr_aik.c index 75f3f179c..d5bbdc9cd 100644 --- a/src/libpts/tcg/tcg_pts_attr_aik.c +++ b/src/libpts/tcg/tcg_pts_attr_aik.c @@ -18,7 +18,7 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <debug.h> +#include <utils/debug.h> typedef struct private_tcg_pts_attr_aik_t private_tcg_pts_attr_aik_t; @@ -57,7 +57,7 @@ struct private_tcg_pts_attr_aik_t { * Attribute value */ chunk_t value; - + /** * Noskip flag */ @@ -135,7 +135,7 @@ METHOD(pa_tnc_attr_t, process, status_t, u_int8_t flags; certificate_type_t type; chunk_t aik_blob; - + if (this->value.len < PTS_AIK_SIZE) { DBG1(DBG_TNC, "insufficient data for Attestation Identity Key"); diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c index 3ca255cba..4d7281243 100644 --- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c +++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_finish.c @@ -18,7 +18,7 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <debug.h> +#include <utils/debug.h> typedef struct private_tcg_pts_attr_dh_nonce_finish_t private_tcg_pts_attr_dh_nonce_finish_t; @@ -36,7 +36,7 @@ typedef struct private_tcg_pts_attr_dh_nonce_finish_t * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | D-H Initiator Nonce ... | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - * + * */ #define PTS_DH_NONCE_FINISH_SIZE 12 @@ -66,7 +66,7 @@ struct private_tcg_pts_attr_dh_nonce_finish_t { * Noskip flag */ bool noskip_flag; - + /** * Selected Hashing Algorithm */ @@ -127,7 +127,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_uint16(writer, this->hash_algo); writer->write_data (writer, this->initiator_value); writer->write_data (writer, this->initiator_nonce); - + this->value = chunk_clone(writer->get_buf(writer)); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c index 828c09605..7796dbaab 100644 --- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c +++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_req.c @@ -18,7 +18,7 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <debug.h> +#include <utils/debug.h> typedef struct private_tcg_pts_attr_dh_nonce_params_req_t private_tcg_pts_attr_dh_nonce_params_req_t; @@ -32,7 +32,7 @@ typedef struct private_tcg_pts_attr_dh_nonce_params_req_t * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Reserved | Min. Nonce Len | D-H Group Set | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - * + * */ #define PTS_DH_NONCE_PARAMS_REQ_SIZE 4 @@ -62,7 +62,7 @@ struct private_tcg_pts_attr_dh_nonce_params_req_t { * Noskip flag */ bool noskip_flag; - + /** * Minimum acceptable length of nonce */ @@ -116,7 +116,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_uint8 (writer, PTS_DH_NONCE_PARAMS_REQ_RESERVED); writer->write_uint8 (writer, this->min_nonce_len); writer->write_uint16(writer, this->dh_groups); - + this->value = chunk_clone(writer->get_buf(writer)); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c index 66ac185b3..1e82e7098 100644 --- a/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c +++ b/src/libpts/tcg/tcg_pts_attr_dh_nonce_params_resp.c @@ -18,7 +18,7 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <debug.h> +#include <utils/debug.h> typedef struct private_tcg_pts_attr_dh_nonce_params_resp_t private_tcg_pts_attr_dh_nonce_params_resp_t; @@ -38,7 +38,7 @@ typedef struct private_tcg_pts_attr_dh_nonce_params_resp_t * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | D-H Responder Public Value ... | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - * + * */ #define PTS_DH_NONCE_PARAMS_RESP_SIZE 16 @@ -68,7 +68,7 @@ struct private_tcg_pts_attr_dh_nonce_params_resp_t { * Noskip flag */ bool noskip_flag; - + /** * Selected Diffie Hellman group */ @@ -135,7 +135,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_uint16(writer, this->hash_algo_set); writer->write_data (writer, this->responder_nonce); writer->write_data (writer, this->responder_value); - + this->value = chunk_clone(writer->get_buf(writer)); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_file_meas.c b/src/libpts/tcg/tcg_pts_attr_file_meas.c index 01c4361e1..1daac70e5 100644 --- a/src/libpts/tcg/tcg_pts_attr_file_meas.c +++ b/src/libpts/tcg/tcg_pts_attr_file_meas.c @@ -18,15 +18,15 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <utils/linked_list.h> -#include <debug.h> +#include <collections/linked_list.h> +#include <utils/debug.h> typedef struct private_tcg_pts_attr_file_meas_t private_tcg_pts_attr_file_meas_t; /** * File Measurement * see section 3.19.2 of PTS Protocol: Binding to TNC IF-M Specification - * + * * 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -72,12 +72,12 @@ struct private_tcg_pts_attr_file_meas_t { * Attribute value */ chunk_t value; - + /** * Noskip flag */ bool noskip_flag; - + /** * PTS File Measurements */ @@ -123,7 +123,7 @@ METHOD(pa_tnc_attr_t, build, void, char *filename; chunk_t measurement; bool first = TRUE; - + if (this->value.ptr) { return; @@ -144,8 +144,7 @@ METHOD(pa_tnc_attr_t, build, void, first = FALSE; } writer->write_data (writer, measurement); - writer->write_uint16(writer, strlen(filename)); - writer->write_data (writer, chunk_create(filename, strlen(filename))); + writer->write_data16(writer, chunk_create(filename, strlen(filename))); } enumerator->destroy(enumerator); @@ -164,12 +163,12 @@ METHOD(pa_tnc_attr_t, process, status_t, { bio_reader_t *reader; u_int64_t number_of_files; - u_int16_t request_id, meas_len, filename_len; - size_t len; + u_int16_t request_id, meas_len; chunk_t measurement, filename; + size_t len; char buf[BUF_LEN]; status_t status = FAILED; - + if (this->value.len < PTS_FILE_MEAS_SIZE) { DBG1(DBG_TNC, "insufficient data for PTS file measurement header"); @@ -181,9 +180,10 @@ METHOD(pa_tnc_attr_t, process, status_t, reader->read_uint64(reader, &number_of_files); reader->read_uint16(reader, &request_id); reader->read_uint16(reader, &meas_len); - + *offset = PTS_FILE_MEAS_SIZE; + this->measurements = pts_file_meas_create(request_id); - + while (number_of_files--) { if (!reader->read_data(reader, meas_len, &measurement)) @@ -191,16 +191,14 @@ METHOD(pa_tnc_attr_t, process, status_t, DBG1(DBG_TNC, "insufficient data for PTS file measurement"); goto end; } - if (!reader->read_uint16(reader, &filename_len)) - { - DBG1(DBG_TNC, "insufficient data for filename length"); - goto end; - } - if (!reader->read_data(reader, filename_len, &filename)) + *offset += meas_len; + + if (!reader->read_data16(reader, &filename)) { DBG1(DBG_TNC, "insufficient data for filename"); goto end; } + *offset += 2 + filename.len; len = min(filename.len, BUF_LEN-1); memcpy(buf, filename.ptr, len); @@ -225,7 +223,7 @@ METHOD(pa_tnc_attr_t, destroy, void, { if (ref_put(&this->ref)) { - this->measurements->destroy(this->measurements); + DESTROY_IF(this->measurements); free(this->value.ptr); free(this); } diff --git a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c index 5eac5ecae..9103e06b2 100644 --- a/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c +++ b/src/libpts/tcg/tcg_pts_attr_gen_attest_evid.c @@ -18,7 +18,7 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <debug.h> +#include <utils/debug.h> typedef struct private_tcg_pts_attr_gen_attest_evid_t private_tcg_pts_attr_gen_attest_evid_t; @@ -33,7 +33,7 @@ typedef struct private_tcg_pts_attr_gen_attest_evid_t * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Reserved | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - * + * */ #define PTS_GEN_ATTEST_EVID_SIZE 4 @@ -115,7 +115,7 @@ METHOD(pa_tnc_attr_t, process, status_t, { bio_reader_t *reader; u_int32_t reserved; - + if (this->value.len < PTS_GEN_ATTEST_EVID_SIZE) { DBG1(DBG_TNC, "insufficient data for Generate Attestation Evidence"); diff --git a/src/libpts/tcg/tcg_pts_attr_get_aik.c b/src/libpts/tcg/tcg_pts_attr_get_aik.c index 4b5eae7a7..6f35f5419 100644 --- a/src/libpts/tcg/tcg_pts_attr_get_aik.c +++ b/src/libpts/tcg/tcg_pts_attr_get_aik.c @@ -18,7 +18,7 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <debug.h> +#include <utils/debug.h> typedef struct private_tcg_pts_attr_get_aik_t private_tcg_pts_attr_get_aik_t; @@ -112,7 +112,7 @@ METHOD(pa_tnc_attr_t, process, status_t, { bio_reader_t *reader; u_int32_t reserved; - + if (this->value.len < PTS_GET_AIK_SIZE) { DBG1(DBG_TNC, "insufficient data for Get AIK"); diff --git a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c index 0cfc7efa9..4dd64e3a7 100644 --- a/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c +++ b/src/libpts/tcg/tcg_pts_attr_get_tpm_version_info.c @@ -18,7 +18,7 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <debug.h> +#include <utils/debug.h> typedef struct private_tcg_pts_attr_get_tpm_version_info_t private_tcg_pts_attr_get_tpm_version_info_t; @@ -33,7 +33,7 @@ typedef struct private_tcg_pts_attr_get_tpm_version_info_t * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Reserved | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - * + * */ #define PTS_GET_TPM_VER_INFO_SIZE 4 @@ -115,7 +115,7 @@ METHOD(pa_tnc_attr_t, process, status_t, { bio_reader_t *reader; u_int32_t reserved; - + if (this->value.len < PTS_GET_TPM_VER_INFO_SIZE) { DBG1(DBG_TNC, "insufficient data for Get TPM Version Information"); diff --git a/src/libpts/tcg/tcg_pts_attr_meas_algo.c b/src/libpts/tcg/tcg_pts_attr_meas_algo.c index bb95adc9e..abef45bdd 100644 --- a/src/libpts/tcg/tcg_pts_attr_meas_algo.c +++ b/src/libpts/tcg/tcg_pts_attr_meas_algo.c @@ -18,12 +18,12 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <debug.h> +#include <utils/debug.h> typedef struct private_tcg_pts_attr_meas_algo_t private_tcg_pts_attr_meas_algo_t; /** - * PTS Measurement Algorithm + * PTS Measurement Algorithm * see section 3.9.1 of PTS Protocol: Binding to TNC IF-M Specification * * 1 2 3 @@ -31,7 +31,7 @@ typedef struct private_tcg_pts_attr_meas_algo_t private_tcg_pts_attr_meas_algo_t * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Reserved | Hash Algorithm Set | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - * + * */ #define PTS_MEAS_ALGO_SIZE 4 @@ -61,7 +61,7 @@ struct private_tcg_pts_attr_meas_algo_t { * Noskip flag */ bool noskip_flag; - + /** * Set of algorithms */ diff --git a/src/libpts/tcg/tcg_pts_attr_proto_caps.c b/src/libpts/tcg/tcg_pts_attr_proto_caps.c index 83665ff69..360883282 100644 --- a/src/libpts/tcg/tcg_pts_attr_proto_caps.c +++ b/src/libpts/tcg/tcg_pts_attr_proto_caps.c @@ -18,7 +18,7 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <debug.h> +#include <utils/debug.h> typedef struct private_tcg_pts_attr_proto_caps_t private_tcg_pts_attr_proto_caps_t; @@ -31,7 +31,7 @@ typedef struct private_tcg_pts_attr_proto_caps_t private_tcg_pts_attr_proto_caps * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Reserved |C|V|D|T|X| * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - * + * */ #define PTS_PROTO_CAPS_SIZE 4 @@ -61,7 +61,7 @@ struct private_tcg_pts_attr_proto_caps_t { * Noskip flag */ bool noskip_flag; - + /** * Set of flags */ @@ -109,7 +109,7 @@ METHOD(pa_tnc_attr_t, build, void, writer = bio_writer_create(PTS_PROTO_CAPS_SIZE); writer->write_uint16(writer, PTS_PROTO_CAPS_RESERVED); writer->write_uint16(writer, this->flags); - + this->value = chunk_clone(writer->get_buf(writer)); writer->destroy(writer); } diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meas.c b/src/libpts/tcg/tcg_pts_attr_req_file_meas.c index 65bdff579..8b4bfe54d 100644 --- a/src/libpts/tcg/tcg_pts_attr_req_file_meas.c +++ b/src/libpts/tcg/tcg_pts_attr_req_file_meas.c @@ -18,14 +18,16 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <debug.h> +#include <utils/debug.h> + +#include <string.h> typedef struct private_tcg_pts_attr_req_file_meas_t private_tcg_pts_attr_req_file_meas_t; /** * Request File Measurement * see section 3.19.1 of PTS Protocol: Binding to TNC IF-M Specification - * + * * 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -62,12 +64,12 @@ struct private_tcg_pts_attr_req_file_meas_t { * Attribute value */ chunk_t value; - + /** * Noskip flag */ bool noskip_flag; - + /** * Directory Contents flag */ @@ -77,12 +79,12 @@ struct private_tcg_pts_attr_req_file_meas_t { * Request ID */ u_int16_t request_id; - + /** * UTF8 Encoding of Delimiter Character */ u_int32_t delimiter; - + /** * Fully Qualified File Pathname */ @@ -124,7 +126,7 @@ METHOD(pa_tnc_attr_t, build, void, u_int8_t flags = PTS_REQ_FILE_MEAS_NO_FLAGS; chunk_t pathname; bio_writer_t *writer; - + if (this->value.ptr) { return; @@ -152,7 +154,7 @@ METHOD(pa_tnc_attr_t, process, status_t, u_int8_t flags; u_int8_t reserved; chunk_t pathname; - + if (this->value.len < PTS_REQ_FILE_MEAS_SIZE) { DBG1(DBG_TNC, "insufficient data for Request File Measurement"); @@ -169,10 +171,7 @@ METHOD(pa_tnc_attr_t, process, status_t, this->directory_flag = (flags & DIRECTORY_CONTENTS_FLAG) != PTS_REQ_FILE_MEAS_NO_FLAGS; - - this->pathname = malloc(pathname.len + 1); - memcpy(this->pathname, pathname.ptr, pathname.len); - this->pathname[pathname.len] = '\0'; + this->pathname = strndup(pathname.ptr, pathname.len); reader->destroy(reader); return SUCCESS; diff --git a/src/libpts/tcg/tcg_pts_attr_req_file_meta.c b/src/libpts/tcg/tcg_pts_attr_req_file_meta.c index eb5114172..ff5581435 100644 --- a/src/libpts/tcg/tcg_pts_attr_req_file_meta.c +++ b/src/libpts/tcg/tcg_pts_attr_req_file_meta.c @@ -18,14 +18,16 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <debug.h> +#include <utils/debug.h> + +#include <string.h> typedef struct private_tcg_pts_attr_req_file_meta_t private_tcg_pts_attr_req_file_meta_t; /** * Request File Metadata * see section 3.17.1 of PTS Protocol: Binding to TNC IF-M Specification - * + * * 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -60,22 +62,22 @@ struct private_tcg_pts_attr_req_file_meta_t { * Attribute value */ chunk_t value; - + /** * Noskip flag */ bool noskip_flag; - + /** * Directory Contents flag */ bool directory_flag; - + /** * UTF8 Encoding of Delimiter Character */ u_int8_t delimiter; - + /** * Fully Qualified File Pathname */ @@ -117,7 +119,7 @@ METHOD(pa_tnc_attr_t, build, void, u_int8_t flags = PTS_REQ_FILE_META_NO_FLAGS; chunk_t pathname; bio_writer_t *writer; - + if (this->value.ptr) { return; @@ -132,7 +134,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_uint8 (writer, flags); writer->write_uint8 (writer, this->delimiter); writer->write_uint16(writer, PTS_REQ_FILE_META_RESERVED); - + writer->write_data (writer, pathname); this->value = chunk_clone(writer->get_buf(writer)); writer->destroy(writer); @@ -145,7 +147,7 @@ METHOD(pa_tnc_attr_t, process, status_t, u_int8_t flags; u_int16_t reserved; chunk_t pathname; - + if (this->value.len < PTS_REQ_FILE_META_SIZE) { DBG1(DBG_TNC, "insufficient data for Request File Metadata"); @@ -157,15 +159,12 @@ METHOD(pa_tnc_attr_t, process, status_t, reader->read_uint8 (reader, &flags); reader->read_uint8 (reader, &this->delimiter); reader->read_uint16(reader, &reserved); - + reader->read_data (reader, reader->remaining(reader), &pathname); this->directory_flag = (flags & DIRECTORY_CONTENTS_FLAG) != PTS_REQ_FILE_META_NO_FLAGS; - - this->pathname = malloc(pathname.len + 1); - memcpy(this->pathname, pathname.ptr, pathname.len); - this->pathname[pathname.len] = '\0'; + this->pathname = strndup(pathname.ptr, pathname.len); reader->destroy(reader); return SUCCESS; diff --git a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c index a631e9891..8bb43aef8 100644 --- a/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c +++ b/src/libpts/tcg/tcg_pts_attr_req_func_comp_evid.c @@ -18,8 +18,8 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <utils/linked_list.h> -#include <debug.h> +#include <collections/linked_list.h> +#include <utils/debug.h> typedef struct private_tcg_pts_attr_req_func_comp_evid_t private_tcg_pts_attr_req_func_comp_evid_t; @@ -47,7 +47,7 @@ typedef struct private_tcg_pts_attr_req_func_comp_evid_t private_tcg_pts_attr_re */ /** - * Component Functional Name Structure + * Component Functional Name Structure * (see section 5.1 of PTS Protocol: Binding to TNC IF-M Specification) * * 1 2 3 @@ -58,7 +58,7 @@ typedef struct private_tcg_pts_attr_req_func_comp_evid_t private_tcg_pts_attr_re * | Component Functional Name | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ - + #define PTS_REQ_FUNC_COMP_EVID_SIZE 12 #define PTS_REQ_FUNC_COMP_FAMILY_MASK 0xC0 @@ -81,7 +81,7 @@ struct private_tcg_pts_attr_req_func_comp_evid_t { * Attribute value */ chunk_t value; - + /** * Noskip flag */ @@ -249,7 +249,7 @@ METHOD(pa_tnc_attr_t, process, status_t, entry->flags = flags; entry->depth = depth; entry->name = pts_comp_func_name_create(vendor_id, name, qualifier); - + this->list->insert_last(this->list, entry); } status = SUCCESS; diff --git a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c index 387f4a115..c659443b7 100644 --- a/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c +++ b/src/libpts/tcg/tcg_pts_attr_simple_comp_evid.c @@ -18,16 +18,16 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <debug.h> +#include <utils/debug.h> #include <time.h> typedef struct private_tcg_pts_attr_simple_comp_evid_t private_tcg_pts_attr_simple_comp_evid_t; /** - * Simple Component Evidence + * Simple Component Evidence * see section 3.15.1 of PTS Protocol: Binding to TNC IF-M Specification - * + * * 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -66,7 +66,7 @@ typedef struct private_tcg_pts_attr_simple_comp_evid_t private_tcg_pts_attr_simp */ /** - * Specific Functional Component -> Component Functional Name Structure + * Specific Functional Component -> Component Functional Name Structure * see section 5.1 of PTS Protocol: Binding to TNC IF-M Specification * * 1 2 3 @@ -108,12 +108,12 @@ struct private_tcg_pts_attr_simple_comp_evid_t { * Attribute value */ chunk_t value; - + /** * Noskip flag */ bool noskip_flag; - + /** * PTS Component Evidence */ @@ -184,7 +184,7 @@ METHOD(pa_tnc_attr_t, build, void, pts_comp_evid_validation_t validation; time_t measurement_time; chunk_t measurement, utc_time, pcr_before, pcr_after; - + if (this->value.ptr) { return; @@ -200,7 +200,7 @@ METHOD(pa_tnc_attr_t, build, void, &pcr_before, &pcr_after); validation = this->evidence->get_validation(this->evidence, &policy_uri); - + /* Determine the flags to set*/ flags = validation; if (has_pcr_info) @@ -208,7 +208,7 @@ METHOD(pa_tnc_attr_t, build, void, flags |= PTS_SIMPLE_COMP_EVID_FLAG_PCR; } - utc_time = chunk_create(utc_time_buf, PTS_SIMPLE_COMP_EVID_MEAS_TIME_SIZE); + utc_time = chunk_create(utc_time_buf, PTS_SIMPLE_COMP_EVID_MEAS_TIME_SIZE); measurement_time_to_utc(measurement_time, &utc_time); writer = bio_writer_create(PTS_SIMPLE_COMP_EVID_SIZE); @@ -224,7 +224,7 @@ METHOD(pa_tnc_attr_t, build, void, writer->write_uint8 (writer, transform); writer->write_uint8 (writer, PTS_SIMPLE_COMP_EVID_RESERVED); writer->write_data (writer, utc_time); - + /* Optional fields */ if (validation == PTS_COMP_EVID_VALIDATION_FAILED || validation == PTS_COMP_EVID_VALIDATION_PASSED) @@ -241,7 +241,7 @@ METHOD(pa_tnc_attr_t, build, void, } writer->write_data(writer, measurement); - + this->value = chunk_clone(writer->get_buf(writer)); writer->destroy(writer); } @@ -250,7 +250,7 @@ static const int days[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 33 static const int tm_leap_1970 = 477; /** - * Convert Simple Component Evidence UTS string format to time_t + * Convert Simple Component Evidence UTS string format to time_t */ bool measurement_time_from_utc(time_t *measurement_time, chunk_t utc_time) { @@ -314,7 +314,7 @@ METHOD(pa_tnc_attr_t, process, status_t, return FAILED; } reader = bio_reader_create(this->value); - + reader->read_uint8 (reader, &flags); reader->read_uint24(reader, &depth); reader->read_uint24(reader, &vendor_id); @@ -364,7 +364,7 @@ METHOD(pa_tnc_attr_t, process, status_t, } has_validation = TRUE; } - + /* Are optional PCR value fields included? */ if (flags & PTS_SIMPLE_COMP_EVID_FLAG_PCR) { @@ -389,11 +389,11 @@ METHOD(pa_tnc_attr_t, process, status_t, has_pcr_info = TRUE; } - /* Measurement field comes at the very end */ + /* Measurement field comes at the very end */ reader->read_data(reader,reader->remaining(reader), &measurement); reader->destroy(reader); - /* Create Component Functional Name object */ + /* Create Component Functional Name object */ name = pts_comp_func_name_create(vendor_id, comp_name, qualifier); /* Create Component Evidence object */ @@ -439,7 +439,7 @@ METHOD(pa_tnc_attr_t, destroy, void, { if (ref_put(&this->ref)) { - this->evidence->destroy(this->evidence); + DESTROY_IF(this->evidence); free(this->value.ptr); free(this); } @@ -457,7 +457,7 @@ METHOD(tcg_pts_attr_simple_comp_evid_t, get_comp_evidence, pts_comp_evidence_t*, pa_tnc_attr_t *tcg_pts_attr_simple_comp_evid_create(pts_comp_evidence_t *evid) { private_tcg_pts_attr_simple_comp_evid_t *this; - + INIT(this, .public = { .pa_tnc_attribute = { diff --git a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c index 8d2d4f82d..8c76651d6 100644 --- a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c +++ b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c @@ -19,14 +19,14 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <debug.h> +#include <utils/debug.h> typedef struct private_tcg_pts_attr_simple_evid_final_t private_tcg_pts_attr_simple_evid_final_t; /** * Simple Evidence Final * see section 3.15.2 of PTS Protocol: Binding to TNC IF-M Specification - * + * * 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -66,7 +66,7 @@ struct private_tcg_pts_attr_simple_evid_final_t { * Attribute value */ chunk_t value; - + /** * Noskip flag */ @@ -81,22 +81,22 @@ struct private_tcg_pts_attr_simple_evid_final_t { * Optional Composite Hash Algorithm */ pts_meas_algorithms_t comp_hash_algorithm; - + /** * Optional TPM PCR Composite */ chunk_t pcr_comp; - + /** * Optional TPM Quote Signature */ chunk_t tpm_quote_sig; - + /** * Is Evidence Signature included? */ bool has_evid_sig; - + /** * Optional Evidence Signature */ @@ -157,7 +157,7 @@ METHOD(pa_tnc_attr_t, build, void, { bio_writer_t *writer; u_int8_t flags; - + if (this->value.ptr) { return; @@ -172,7 +172,7 @@ METHOD(pa_tnc_attr_t, build, void, writer = bio_writer_create(PTS_SIMPLE_EVID_FINAL_SIZE); writer->write_uint8 (writer, flags); writer->write_uint8 (writer, PTS_SIMPLE_EVID_FINAL_RESERVED); - + /** Optional Composite Hash Algorithm field is always present * Field has value of all zeroes if not used. * Implemented adhering the suggestion of Paul Sangster 28.Oct.2011 @@ -193,7 +193,7 @@ METHOD(pa_tnc_attr_t, build, void, { writer->write_data (writer, this->evid_sig); } - + this->value = chunk_clone(writer->get_buf(writer)); writer->destroy(writer); } @@ -206,7 +206,7 @@ METHOD(pa_tnc_attr_t, process, status_t, u_int16_t algorithm; u_int32_t pcr_comp_len, tpm_quote_sig_len, evid_sig_len; status_t status = FAILED; - + if (this->value.len < PTS_SIMPLE_EVID_FINAL_SIZE) { DBG1(DBG_TNC, "insufficient data for Simple Evidence Final"); @@ -214,7 +214,7 @@ METHOD(pa_tnc_attr_t, process, status_t, return FAILED; } reader = bio_reader_create(this->value); - + reader->read_uint8(reader, &flags); reader->read_uint8(reader, &reserved); @@ -226,10 +226,10 @@ METHOD(pa_tnc_attr_t, process, status_t, * Field has value of all zeroes if not used. * Implemented adhering the suggestion of Paul Sangster 28.Oct.2011 */ - + reader->read_uint16(reader, &algorithm); this->comp_hash_algorithm = algorithm; - + /* Optional Composite Hash Algorithm and TPM PCR Composite fields */ if (this->flags != PTS_SIMPLE_EVID_FINAL_NO) { @@ -246,7 +246,7 @@ METHOD(pa_tnc_attr_t, process, status_t, goto end; } this->pcr_comp = chunk_clone(this->pcr_comp); - + if (!reader->read_uint32(reader, &tpm_quote_sig_len)) { DBG1(DBG_TNC, "insufficient data for PTS Simple Evidence Final " @@ -261,7 +261,7 @@ METHOD(pa_tnc_attr_t, process, status_t, } this->tpm_quote_sig = chunk_clone(this->tpm_quote_sig); } - + /* Optional Evidence Signature field */ if (this->has_evid_sig) { @@ -269,7 +269,7 @@ METHOD(pa_tnc_attr_t, process, status_t, reader->read_data(reader, evid_sig_len, &this->evid_sig); this->evid_sig = chunk_clone(this->evid_sig); } - + reader->destroy(reader); return SUCCESS; diff --git a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c index 8d1e78f18..5143e1676 100644 --- a/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c +++ b/src/libpts/tcg/tcg_pts_attr_tpm_version_info.c @@ -18,7 +18,7 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <debug.h> +#include <utils/debug.h> typedef struct private_tcg_pts_attr_tpm_version_info_t private_tcg_pts_attr_tpm_version_info_t; @@ -62,7 +62,7 @@ struct private_tcg_pts_attr_tpm_version_info_t { * Noskip flag */ bool noskip_flag; - + /** * TPM Version Information */ @@ -118,7 +118,7 @@ METHOD(pa_tnc_attr_t, process, status_t, private_tcg_pts_attr_tpm_version_info_t *this, u_int32_t *offset) { bio_reader_t *reader; - + if (this->value.len < PTS_TPM_VER_INFO_SIZE) { DBG1(DBG_TNC, "insufficient data for TPM Version Information"); diff --git a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c index 4f93ee885..56686d8ca 100644 --- a/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c +++ b/src/libpts/tcg/tcg_pts_attr_unix_file_meta.c @@ -18,15 +18,17 @@ #include <pa_tnc/pa_tnc_msg.h> #include <bio/bio_writer.h> #include <bio/bio_reader.h> -#include <utils/linked_list.h> -#include <debug.h> +#include <collections/linked_list.h> +#include <utils/debug.h> + +#include <string.h> typedef struct private_tcg_pts_attr_file_meta_t private_tcg_pts_attr_file_meta_t; /** * Unix-Style File Metadata * see section 3.17.3 of PTS Protocol: Binding to TNC IF-M Specification - * + * * 1 2 3 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -88,12 +90,12 @@ struct private_tcg_pts_attr_file_meta_t { * Attribute value */ chunk_t value; - + /** * Noskip flag */ bool noskip_flag; - + /** * PTS File Metadata */ @@ -136,7 +138,7 @@ METHOD(pa_tnc_attr_t, build, void, enumerator_t *enumerator; pts_file_metadata_t *entry; u_int64_t number_of_files; - + if (this->value.ptr) { return; @@ -163,7 +165,7 @@ METHOD(pa_tnc_attr_t, build, void, strlen(entry->filename))); } enumerator->destroy(enumerator); - + this->value = chunk_clone(writer->get_buf(writer)); writer->destroy(writer); } @@ -179,7 +181,7 @@ METHOD(pa_tnc_attr_t, process, status_t, u_int64_t owner, group; chunk_t filename; status_t status = FAILED; - + if (this->value.len < PTS_FILE_META_SIZE) { DBG1(DBG_TNC, "insufficient data for PTS Unix-Style file metadata header"); @@ -190,7 +192,7 @@ METHOD(pa_tnc_attr_t, process, status_t, reader->read_uint64(reader, &number_of_files); this->metadata = pts_file_meta_create(); - + while (number_of_files--) { if (!reader->read_uint16(reader, &len)) @@ -243,7 +245,7 @@ METHOD(pa_tnc_attr_t, process, status_t, DBG1(DBG_TNC, "insufficient data for filename"); goto end; } - + entry = malloc_thing(pts_file_metadata_t); entry->type = type; entry->filesize = filesize; @@ -252,9 +254,7 @@ METHOD(pa_tnc_attr_t, process, status_t, entry->accessed = accessed; entry->owner = owner; entry->group = group; - entry->filename = malloc(filename.len + 1); - entry->filename[filename.len] = '\0'; - memcpy(entry->filename, filename.ptr, filename.len); + entry->filename = strndup(filename.ptr, filename.len); this->metadata->add(this->metadata, entry); } @@ -277,7 +277,7 @@ METHOD(pa_tnc_attr_t, destroy, void, { if (ref_put(&this->ref)) { - this->metadata->destroy(this->metadata); + DESTROY_IF(this->metadata); free(this->value.ptr); free(this); } |