Set recommendation in the case of PCR measurement failures

author Andreas Steffen <andreas.steffen@strongswan.org>

Sun, 13 Oct 2013 20:17:18 +0000 (22:17 +0200)

committer Andreas Steffen <andreas.steffen@strongswan.org>

Sun, 13 Oct 2013 20:17:18 +0000 (22:17 +0200)
author Andreas Steffen <andreas.steffen@strongswan.org>
Sun, 13 Oct 2013 20:17:18 +0000 (22:17 +0200)
committer Andreas Steffen <andreas.steffen@strongswan.org>
Sun, 13 Oct 2013 20:17:18 +0000 (22:17 +0200)
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c

index f127a96..978c740 100644 (file)
--- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
@@ -502,8 +502,11 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
  
         if (session)
         {
+               TNC_IMV_Evaluation_Result eval;
+               TNC_IMV_Action_Recommendation rec;
                 imv_workitem_t *workitem;
                 enumerator_t *enumerator;
+               char *result_str;
                 int pending_file_meas = 0;
  
                 enumerator = session->create_workitem_enumerator(session);
@@ -521,6 +524,13 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
                                         case IMV_WORKITEM_FILE_MEAS:
                                         case IMV_WORKITEM_DIR_REF_MEAS:
                                         case IMV_WORKITEM_DIR_MEAS:
+                                               session->remove_workitem(session, enumerator);
+                                               result_str = "pending file measurements";
+                                               eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+                                               rec = workitem->set_result(workitem, result_str, eval);
+                                               state->update_recommendation(state, rec, eval);
+                                               imcv_db->finalize_workitem(imcv_db, workitem);
+                                               workitem->destroy(workitem);
                                                 pending_file_meas++;
                                                 break;
                                         default:
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c

index 7319c0b..5137d64 100644 (file)
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
@@ -380,6 +380,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
                         if (comp->verify(comp, name->get_qualifier(name), pts,
                                                          evidence) != SUCCESS)
                         {
+                               state->update_recommendation(state,
+                                                       TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+                                                       TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
                                 attestation_state->set_measurement_error(attestation_state,
                                                                         IMV_ATTESTATION_ERROR_COMP_EVID_FAIL);
                                 name->log(name, "  measurement mismatch for ");
@@ -417,23 +420,28 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
                                 {
                                         DBG1(DBG_IMV, "received PCR Composite does not match "
                                                                   "constructed one");
+                                       state->update_recommendation(state,
+                                                               TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+                                                               TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
                                         attestation_state->set_measurement_error(attestation_state,
                                                                                 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
-                                       free(pcr_composite.ptr);
-                                       free(quote_info.ptr);
-                                       break;
+                                       goto quote_error;
                                 }
                                 DBG2(DBG_IMV, "received PCR Composite matches constructed one");
-                               free(pcr_composite.ptr);
  
                                 if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig))
                                 {
+                                       state->update_recommendation(state,
+                                                               TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+                                                               TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
                                         attestation_state->set_measurement_error(attestation_state,
                                                                                 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
-                                       free(quote_info.ptr);
-                                       break;
+                                       goto quote_error;
                                 }
                                 DBG2(DBG_IMV, "TPM Quote Info signature verification successful");
+
+quote_error:
+                               free(pcr_composite.ptr);
                                 free(quote_info.ptr);
  
                                 /**
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c

index 27b2655..4701175 100644 (file)
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
@@ -461,6 +461,9 @@ METHOD(imv_attestation_state_t, finalize_components, void,
                 if (!entry->comp->finalize(entry->comp, entry->qualifier))
                 {
                         set_measurement_error(this, IMV_ATTESTATION_ERROR_COMP_EVID_PEND);
+                       update_recommendation(this,
+                                        TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+                                        TNC_IMV_EVALUATION_RESULT_ERROR);
                 }
                 free_func_comp(entry);
         }
author	Andreas Steffen <andreas.steffen@strongswan.org>
	Sun, 13 Oct 2013 20:17:18 +0000 (22:17 +0200)
committer	Andreas Steffen <andreas.steffen@strongswan.org>
	Sun, 13 Oct 2013 20:17:18 +0000 (22:17 +0200)
src/libpts/plugins/imv_attestation/imv_attestation_agent.c		patch \| blob \| history
src/libpts/plugins/imv_attestation/imv_attestation_process.c		patch \| blob \| history
src/libpts/plugins/imv_attestation/imv_attestation_state.c		patch \| blob \| history