transfer IMA file measurements via PA-TNC
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation_process.c
index a50810b..2ad5d78 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011 Sansar Choinyambuu
+ * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -44,7 +44,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
        pts_t *pts;
 
        pts = attestation_state->get_pts(attestation_state);
+
        switch (attr->get_type(attr))
        {
                case TCG_PTS_PROTO_CAPS:
@@ -169,7 +169,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                                        KEY_ANY, aik->get_issuer(aik), FALSE);
                                while (e->enumerate(e, &issuer))
                                {
-                                       if (aik->issued_by(aik, issuer))
+                                       if (aik->issued_by(aik, issuer, NULL))
                                        {
                                                trusted = TRUE;
                                                break;
@@ -178,6 +178,10 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                e->destroy(e);
                                DBG1(DBG_IMV, "AIK certificate is %strusted",
                                                           trusted ? "" : "not ");
+                               if (!trusted)
+                               {
+                                       return FALSE;
+                               }
                        }
                        pts->set_aik(pts, aik);
                        break;
@@ -189,8 +193,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        int file_count, file_id;
                        pts_meas_algorithms_t algo;
                        pts_file_meas_t *measurements;
-                       char *platform_info;
-                       enumerator_t *e_hash;
+                       char *platform_info, *filename;
+                       chunk_t measurement;
+                       enumerator_t *e, *e_hash;
                        bool is_dir;
 
                        platform_info = pts->get_platform_info(pts);
@@ -212,22 +217,34 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        DBG1(DBG_IMV, "measurement request %d returned %d file%s:",
                                 request_id, file_count, (file_count == 1) ? "":"s");
 
-                       if (!attestation_state->check_off_file_meas_request(attestation_state,
-                               request_id, &file_id, &is_dir))
+                       if (request_id)
                        {
-                               DBG1(DBG_IMV, "  no entry found for file measurement request %d",
-                                        request_id);
-                               break;
-                       }
+                               if (!attestation_state->check_off_file_meas_request(
+                                       attestation_state, request_id, &file_id, &is_dir))
+                               {
+                                       DBG1(DBG_IMV, "  no entry found for file measurement "
+                                                                 "request %d", request_id);
+                                       break;
+                               }
 
-                       /* check hashes from database against measurements */
-                       e_hash = pts_db->create_file_hash_enumerator(pts_db,
-                                                       platform_info, algo, file_id, is_dir);
-                       if (!measurements->verify(measurements, e_hash, is_dir))
+                               /* check hashes from database against measurements */
+                               e_hash = pts_db->create_file_hash_enumerator(pts_db,
+                                                               platform_info, algo, file_id, is_dir);
+                               if (!measurements->verify(measurements, e_hash, is_dir))
+                               {
+                                       attestation_state->set_measurement_error(attestation_state);
+                               }
+                               e_hash->destroy(e_hash);
+                       }
+                       else
                        {
-                               attestation_state->set_measurement_error(attestation_state);
+                               e = measurements->create_enumerator(measurements);
+                               while (e->enumerate(e, &filename, &measurement))
+                               {
+                                       DBG2(DBG_PTS, "  %#B for '%s'", &measurement, filename);
+                               }
+                               e->destroy(e);
                        }
-                       e_hash->destroy(e_hash);
                        break;
                }
                case TCG_PTS_UNIX_FILE_META:
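Review bot: In the new `else` branch for `request_id == 0` the received measurements are only written to the debug log and are never compared against reference values nor reflected in the attestation state, so unsolicited file measurements influence nothing but the log; if evaluation is planned for a later change, a `/* TODO: evaluate unsolicited measurements against the reference database */` comment at the top of the branch would record that, and if they are meant to be informational only the comment should say so instead. The log call in that branch uses `DBG_PTS` while every other message in this function uses `DBG_IMV`, so `DBG2(DBG_IMV, "  %#B for '%s'", &measurement, filename);` would keep the debug group consistent. The enclosing `case` body begins before the hunk.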
@@ -272,34 +289,21 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        pts_comp_evidence_t *evidence;
                        pts_component_t *comp;
                        u_int32_t depth;
-                       status_t status;
 
                        attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
                        evidence = attr_cast->get_comp_evidence(attr_cast);
                        name = evidence->get_comp_func_name(evidence, &depth);
 
-                       comp = attestation_state->check_off_component(attestation_state, name);
+                       comp = attestation_state->get_component(attestation_state, name);
                        if (!comp)
                        {
                                DBG1(DBG_IMV, "  no entry found for component evidence request");
                                break;
                        }
-                       status = comp->verify(comp, pts, pts_db, evidence);
-                       
-                       switch (status)
+                       if (comp->verify(comp, pts, evidence) != SUCCESS)
                        {
-                               default:
-                               case FAILED:
-                                       attestation_state->set_measurement_error(attestation_state);
-                                       comp->destroy(comp);
-                                       break;
-                               case SUCCESS:
-                                       name->log(name, "  successfully measured ");
-                                       comp->destroy(comp);
-                                       break;
-                               case NEED_MORE:
-                                       /* re-enter component into list */
-                                       attestation_state->add_component(attestation_state, comp);
+                               attestation_state->set_measurement_error(attestation_state);
+                               name->log(name, "  measurement mismatch for ");
                        }
                        break;
                }
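Review bot: The `if (comp->verify(comp, pts, evidence) != SUCCESS)` test replaces a switch that distinguished FAILED, SUCCESS and NEED_MORE, so a NEED_MORE result — if `verify` can still return it — is now logged as a measurement mismatch and sets the measurement error; if that value is no longer produced, a comment such as `/* verify() returns SUCCESS or FAILED; partial results are tracked inside the component */` would document the assumption, otherwise the branch needs its own case. The successful path no longer logs anything, whereas the removed code reported "successfully measured"; keeping a DBG2-level message there would preserve traceability of the evaluation. The move from `check_off_component` to `get_component` together with the dropped `comp->destroy` calls suggests the component now stays owned by the attestation state — presumably, verify against the state implementation. The enclosing function starts and ends outside the hunk.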
@@ -348,12 +352,18 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                }
                                DBG2(DBG_IMV, "TPM Quote Info signature verification successful");
                                free(quote_info.ptr);
+
+                               /**
+                                * Finalize any pending measurement registrations and check
+                                * if all expected component measurements were received
+                                */
+                               attestation_state->finalize_components(attestation_state);
                        }
 
                        if (attr_cast->get_evid_sig(attr_cast, &evid_sig))
                        {
                                /** TODO: What to do with Evidence Signature */
-                               DBG1(DBG_IMV, "This version of the Attestation IMV can not "
+                               DBG1(DBG_IMV, "this version of the Attestation IMV can not "
                                                          "handle Evidence Signatures");
                        }
                        break;
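Review bot: `attestation_state->finalize_components(attestation_state)` is called for its side effects only, although the comment above it says it checks whether all expected component measurements were received; if that check reports an outcome, it is discarded here and a missing component would not reach `set_measurement_error`. Either the result should be tested and the error recorded, or, if the function records the error itself, the comment should say so, e.g. `/* records a measurement error on the state if an expected component is missing */`. The call is also only reached after the quote signature verified, so a failed quote apparently leaves component registrations pending — presumably acceptable because the evaluation fails anyway, but worth a short note. The enclosing function starts and ends outside the hunk.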