Catch AIK errors
authorAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 13 Jan 2014 07:19:10 +0000 (08:19 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 13 Jan 2014 11:06:18 +0000 (12:06 +0100)
src/libpts/plugins/imv_attestation/imv_attestation_agent.c
src/libpts/plugins/imv_attestation/imv_attestation_build.c
src/libpts/plugins/imv_attestation/imv_attestation_process.c
src/libpts/plugins/imv_attestation/imv_attestation_state.c
src/libpts/plugins/imv_attestation/imv_attestation_state.h

index 74e903c..084d838 100644 (file)
@@ -293,10 +293,14 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
        imv_session_t *session;
        imv_attestation_state_t *attestation_state;
        imv_attestation_handshake_state_t handshake_state;
+       imv_workitem_t *workitem;
+       TNC_IMV_Action_Recommendation rec;
+       TNC_IMV_Evaluation_Result eval;
        TNC_IMVID imv_id;
        TNC_Result result = TNC_RESULT_SUCCESS;
        pts_t *pts;
        char *platform_info;
+       enumerator_t *enumerator;
 
        if (!this->agent->get_state(this->agent, id, &state))
        {
@@ -369,13 +373,11 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
           (state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ALGO) &&
          !(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_FILE_MEAS))
        {
-               imv_workitem_t *workitem;
                bool is_dir, no_workitems = TRUE;
                u_int32_t delimiter = SOLIDUS_UTF;
                u_int16_t request_id;
                pa_tnc_attr_t *attr;
                char *pathname;
-               enumerator_t *enumerator;
 
                attestation_state->set_handshake_state(attestation_state,
                                                                                           IMV_ATTESTATION_STATE_END);
@@ -406,8 +408,6 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
                                        {
                                                pts_component_t *comp;
                                                pts_comp_func_name_t *comp_name;
-                                               TNC_IMV_Action_Recommendation rec;
-                                               TNC_IMV_Evaluation_Result eval;
                                                bool no_d_flag, no_t_flag;
                                                char result_str[BUF_LEN];
 
@@ -535,22 +535,35 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
        }
 
        /* check the IMV state for the next PA-TNC attributes to send */
-       if (!imv_attestation_build(out_msg, state, this->supported_dh_groups,
-                                                          this->pts_db))
+       enumerator = session->create_workitem_enumerator(session);
+       while (enumerator->enumerate(enumerator, &workitem))
        {
-               state->set_recommendation(state,
-                                                               TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-                                                               TNC_IMV_EVALUATION_RESULT_ERROR);
-               result = out_msg->send_assessment(out_msg);
-               out_msg->destroy(out_msg);
-               state->set_action_flags(state, IMV_ATTESTATION_FLAG_REC);
-
-               if (result != TNC_RESULT_SUCCESS)
+               if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST)
                {
-                       return result;
+                       if (!imv_attestation_build(out_msg, state,
+                                                                          this->supported_dh_groups, this->pts_db))
+                       {
+                               imv_reason_string_t *reason_string;
+                               chunk_t result;
+                               char *result_str;
+
+                               reason_string = imv_reason_string_create("en", ", ");
+                               attestation_state->add_comp_evid_reasons(attestation_state,
+                                                                                                        reason_string);
+                               result = reason_string->get_encoding(reason_string);
+                               result_str = strndup(result.ptr, result.len);
+                               reason_string->destroy(reason_string);
+
+                               eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+                               session->remove_workitem(session, enumerator);
+                               rec = workitem->set_result(workitem, result_str, eval);
+                               state->update_recommendation(state, rec, eval);
+                               imcv_db->finalize_workitem(imcv_db, workitem);
+                       }
+                       break;
                }
-               return this->agent->provide_recommendation(this->agent, state);
        }
+       enumerator->destroy(enumerator);
 
        /* finalized all workitems? */
        if (session && session->get_policy_started(session) &&
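Review bot: `session` is dereferenced unconditionally at `session->create_workitem_enumerator(session)`, while the check immediately below (`if (session && ...`) treats it as possibly NULL; either guard the new loop the same way or drop the later check if a session is guaranteed at this point. In the failure branch, the `strndup`'d `result_str` and the workitem removed from the session are neither freed nor destroyed after `finalize_workitem`, whereas the matching path in imv_attestation_process.c in this same commit follows `finalize_workitem` with `workitem->destroy(workitem); free(result_str);` — unless `set_result` takes ownership of both, this leaks once per failed attestation. The local `chunk_t result` also shadows the function's `TNC_Result result` declared at the top of batch_ending, which is easy to misread and trips -Wshadow; a different name avoids it.
```c
	if (session)
	{
		enumerator = session->create_workitem_enumerator(session);
		/* … unchanged: loop over workitems, pick IMV_WORKITEM_TPM_ATTEST … */
			if (!imv_attestation_build(out_msg, state,
									   this->supported_dh_groups, this->pts_db))
			{
				imv_reason_string_t *reason_string;
				chunk_t reason_enc;	/* not 'result': would shadow TNC_Result result */
				char *result_str;

				reason_string = imv_reason_string_create("en", ", ");
				attestation_state->add_comp_evid_reasons(attestation_state,
														 reason_string);
				reason_enc = reason_string->get_encoding(reason_string);
				result_str = strndup(reason_enc.ptr, reason_enc.len);
				reason_string->destroy(reason_string);

				/* … unchanged: set eval, remove_workitem, set_result, update_recommendation … */
				imcv_db->finalize_workitem(imcv_db, workitem);
				workitem->destroy(workitem);
				free(result_str);
			}
		/* … unchanged: break, enumerator->destroy … */
	}
```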
index a0d1765..f3b13d3 100644 (file)
@@ -98,20 +98,14 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
                        attestation_state->set_handshake_state(attestation_state,
                                                                                IMV_ATTESTATION_STATE_END);
 
-                       if (!pts->get_aik_keyid(pts, &keyid))
-                       {
-                               DBG1(DBG_IMV, "retrieval of AIK keyid failed");
-                               return FALSE;
-                       }
-                       if (!pts_db)
-                       {
-                               DBG1(DBG_IMV, "pts database not available");
-                               break;
-                       }
-                       if (pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
+                       if (!pts->get_aik_keyid(pts, &keyid) ||
+                                pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
                        {
+                               attestation_state->set_measurement_error(attestation_state,
+                                                                       IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
                                return FALSE;
                        }
+
                        enumerator = attestation_state->create_component_enumerator(
                                                                                                        attestation_state);
                        while (enumerator->enumerate(enumerator, &flags, &depth, &name))
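Review bot: The removed `if (!pts_db)` guard is not replaced, so `pts_db->check_aik_keyid(...)` now dereferences a NULL database where the old code logged "pts database not available" and stopped; unless the caller now guarantees a non-NULL `pts_db`, fold the check back into the condition: `if (!pts_db || !pts->get_aik_keyid(pts, &keyid) || pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)`. The merged condition also drops the `DBG1(DBG_IMV, "retrieval of AIK keyid failed")` line, so failing to obtain the key ID and an unknown key ID now yield the same reason with no log output telling them apart; keep one DBG1 before `set_measurement_error`. imv_attestation_build starts and ends outside this hunk.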
@@ -146,15 +140,9 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
                        }
                        break;
                }
-               case IMV_ATTESTATION_STATE_EVID_FINAL:
-                       if (attestation_state->components_finalized(attestation_state))
-                       {
-                               attestation_state->set_handshake_state(attestation_state,
-                                                                               IMV_ATTESTATION_STATE_END);
-                       }
-                       break;
                default:
                        break;
        }
+
        return TRUE;
 }
index 9422cf4..b99b84f 100644 (file)
@@ -163,7 +163,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
                        if (!aik)
                        {
                                DBG1(DBG_IMV, "AIK unavailable");
-                               return FALSE;
+                               attestation_state->set_measurement_error(attestation_state,
+                                                                       IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
+                               break;
                        }
                        if (aik->get_type(aik) == CERT_X509)
                        {
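Review bot: Replacing `return FALSE` with `break` silently changes the contract: the error is now only recorded on the attestation state and the rest of the message keeps being processed, with the recommendation presumably decided later in batch_ending; a comment at the `break` should say so, e.g. `/* record the error and keep processing; batch_ending turns it into the recommendation */`. Unlike the quote_error path changed later in this file, nothing here moves the handshake to IMV_ATTESTATION_STATE_END, so this relies on imv_attestation_build re-detecting the missing AIK — worth stating in that comment as well. The enclosing case and function start outside this hunk.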
@@ -187,7 +189,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
                                                           trusted ? "" : "not ");
                                if (!trusted)
                                {
-                                       return FALSE;
+                                       attestation_state->set_measurement_error(attestation_state,
+                                                                               IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
+                                       break;
                                }
                        }
                        pts->set_aik(pts, aik);
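Review bot: The `break` on the untrusted path must leave the enclosing `switch`, not merely an inner loop, or control reaches `pts->set_aik(pts, aik)` and an AIK that just failed issuer verification is installed. The loop that computed `trusted` and the switch itself are outside this hunk, so this cannot be confirmed here — please verify, and consider a comment such as `/* leaves the attribute switch: an untrusted AIK is never installed */` so the next reader does not have to. As in the previous hunk, IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK is recorded but the handshake state is not advanced.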
@@ -485,6 +489,8 @@ quote_error:
                                                imcv_db->finalize_workitem(imcv_db, workitem);
                                                workitem->destroy(workitem);
                                                free(result_str);
+                                               attestation_state->set_handshake_state(attestation_state,
+                                                                                                       IMV_ATTESTATION_STATE_END);
                                                break;
                                        }
                                }
index c2adbf5..9304b9a 100644 (file)
@@ -162,6 +162,12 @@ static imv_lang_string_t reason_file_meas_pend[] = {
        { NULL, NULL }
 };
 
+static imv_lang_string_t reason_no_trusted_aik[] = {
+       { "en", "No trusted AIK available" },
+       { "de", "Kein vetrauensw├╝rdiger AIK verf├╝gbar" },
+       { NULL, NULL }
+};
+
 static imv_lang_string_t reason_comp_evid_fail[] = {
        { "en", "Incorrect component evidence" },
        { "de", "Falsche Komponenten-Evidenz" },
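Review bot: The German entry in `reason_no_trusted_aik` has a typo: `vetrauensw…` should read `"Kein vertrauenswürdiger AIK verfügbar"`. The umlauts also appear mis-encoded in this rendering (`├╝`); that is probably an artifact of the page rather than the file, but confirm the source stores them as UTF-8 like the other `"de"` strings in this table.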
@@ -307,6 +313,10 @@ METHOD(imv_attestation_state_t, add_file_meas_reasons, void,
 METHOD(imv_attestation_state_t, add_comp_evid_reasons, void,
        private_imv_attestation_state_t *this, imv_reason_string_t *reason_string)
 {
+       if (this->measurement_error & IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK)
+       {
+               reason_string->add_reason(reason_string, reason_no_trusted_aik);
+       }
        if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_FAIL)
        {
                reason_string->add_reason(reason_string, reason_comp_evid_fail);
@@ -501,12 +511,6 @@ METHOD(imv_attestation_state_t, finalize_components, void,
        }
 }
 
-METHOD(imv_attestation_state_t, components_finalized, bool,
-       private_imv_attestation_state_t *this)
-{
-       return this->components->get_count(this->components) == 0;
-}
-
 /**
  * Described in header.
  */
@@ -544,7 +548,6 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
                        .create_component_enumerator = _create_component_enumerator,
                        .get_component = _get_component,
                        .finalize_components = _finalize_components,
-                       .components_finalized = _components_finalized,
                        .get_measurement_error = _get_measurement_error,
                        .set_measurement_error = _set_measurement_error,
                        .add_file_meas_reasons = _add_file_meas_reasons,
index 3636b56..9369d30 100644 (file)
@@ -65,9 +65,10 @@ enum imv_attestation_handshake_state_t {
 enum imv_meas_error_t {
        IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL =  1,
        IMV_ATTESTATION_ERROR_FILE_MEAS_PEND =  2,
-       IMV_ATTESTATION_ERROR_COMP_EVID_FAIL =  4,
-       IMV_ATTESTATION_ERROR_COMP_EVID_PEND =  8,
-       IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 16
+       IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK =  4,
+       IMV_ATTESTATION_ERROR_COMP_EVID_FAIL =  8,
+       IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 16,
+       IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 32
 };
 
 /**
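Review bot: Inserting IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK at value 4 renumbers COMP_EVID_FAIL, COMP_EVID_PEND and TPM_QUOTE_FAIL; if any of these flags is ever stored or reported outside the process (the attestation database, another plugin), that is a silent incompatibility, and appending the new flag as `IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK = 32` keeps the existing values stable. If they are purely in-memory, a comment on the enum saying the values are not persisted would settle it. Either way `imv_meas_error_t` deserves a doc comment stating these are bit flags OR-ed into the state's measurement_error.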
@@ -139,11 +140,6 @@ struct imv_attestation_state_t {
        void (*finalize_components)(imv_attestation_state_t *this);
 
        /**
-        * Have the Functional Component measurements been finalized?
-        */
-       bool (*components_finalized)(imv_attestation_state_t *this);
-
-       /**
         * Indicates the types of measurement errors that occurred
         *
         * @return                                      Measurement error flags