platform_info, algo, file_id, is_dir);
if (!measurements->verify(measurements, e_hash, is_dir))
{
- attestation_state->set_measurement_error(attestation_state);
+ attestation_state->set_measurement_error(attestation_state,
+ IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL);
}
e_hash->destroy(e_hash);
}
if (comp->verify(comp, name->get_qualifier(name), pts,
evidence) != SUCCESS)
{
- attestation_state->set_measurement_error(attestation_state);
+ attestation_state->set_measurement_error(attestation_state,
+ IMV_ATTESTATION_ERROR_COMP_EVID_FAIL);
name->log(name, " measurement mismatch for ");
}
break;
{
DBG1(DBG_IMV, "received PCR Composite does not match "
"constructed one");
+ attestation_state->set_measurement_error(attestation_state,
+ IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
free(pcr_composite.ptr);
free(quote_info.ptr);
- return FALSE;
+ break;
}
DBG2(DBG_IMV, "received PCR Composite matches constructed one");
free(pcr_composite.ptr);
if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig))
{
+ attestation_state->set_measurement_error(attestation_state,
+ IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
free(quote_info.ptr);
- return FALSE;
+ break;
}
DBG2(DBG_IMV, "TPM Quote Info signature verification successful");
free(quote_info.ptr);
pts_t *pts;
/**
- * Measurement error
+ * Measurement error flags
*/
- bool measurement_error;
+ u_int32_t measurement_error;
/**
* TNC Reason String
/**
* Table of reason strings
*/
-static imv_lang_string_t reasons[] = {
- { "en", "IMV Attestation: Incorrect/pending file measurement/component"
- " evidence or invalid TPM Quote signature received" },
- { "mn", "IMV Attestation: Буруу/хүлээгдэж байгаа файл/компонент хэмжилт "
- "эсвэл буруу TPM Quote гарын үсэг" },
- { "de", "IMV Attestation: Falsche/Fehlende Dateimessung/Komponenten Beweis "
- "oder ungültige TPM Quote Unterschrift ist erhalten" },
+static imv_lang_string_t reason_file_meas_fail[] = {
+ { "en", "Incorrect file measurement" },
+ { "de", "Falsche Dateimessung" },
+ { "mn", "Буруу байгаа файл" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t reason_file_meas_pend[] = {
+ { "en", "Pending file measurement" },
+ { "de", "Ausstehende Dateimessung" },
+ { "mn", "Xүлээгдэж байгаа файл" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t reason_comp_evid_fail[] = {
+ { "en", "Incorrect component evidence" },
+ { "de", "Falsche Komponenten-Evidenz" },
+ { "mn", "Буруу компонент хэмжилт" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t reason_comp_evid_pend[] = {
+ { "en", "Pending component evidence" },
+ { "de", "Ausstehende Komponenten-Evidenz" },
+ { "mn", "Xүлээгдэж компонент хэмжилт" },
+ { NULL, NULL }
+};
+
+static imv_lang_string_t reason_tpm_quote_fail[] = {
+ { "en", "Invalid TPM Quote signature received" },
+ { "de", "Falsche TPM Quote Signature erhalten" },
+ { "mn", "Буруу TPM Quote гарын үсэг" },
{ NULL, NULL }
};
/* Instantiate a TNC Reason String object */
DESTROY_IF(this->reason_string);
this->reason_string = imv_reason_string_create(*reason_language);
- this->reason_string->add_reason(this->reason_string, reasons);
+
+ if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL)
+ {
+ this->reason_string->add_reason(this->reason_string,
+ reason_file_meas_fail);
+ }
+ if (this->measurement_error & IMV_ATTESTATION_ERROR_FILE_MEAS_PEND)
+ {
+ this->reason_string->add_reason(this->reason_string,
+ reason_file_meas_pend);
+ }
+ if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_FAIL)
+ {
+ this->reason_string->add_reason(this->reason_string,
+ reason_comp_evid_fail);
+ }
+ if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_PEND)
+ {
+ this->reason_string->add_reason(this->reason_string,
+ reason_comp_evid_pend);
+ }
+ if (this->measurement_error & IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL)
+ {
+ this->reason_string->add_reason(this->reason_string,
+ reason_tpm_quote_fail);
+ }
*reason_string = this->reason_string->get_encoding(this->reason_string);
return TRUE;
return found;
}
-METHOD(imv_attestation_state_t, get_measurement_error, bool,
+METHOD(imv_attestation_state_t, get_measurement_error, u_int32_t,
private_imv_attestation_state_t *this)
{
return this->measurement_error;
}
METHOD(imv_attestation_state_t, set_measurement_error, void,
- private_imv_attestation_state_t *this)
+ private_imv_attestation_state_t *this, u_int32_t error)
{
- this->measurement_error = TRUE;
+ this->measurement_error |= error;
}
METHOD(imv_attestation_state_t, finalize_components, void,
{
if (!entry->comp->finalize(entry->comp, entry->qualifier))
{
- _set_measurement_error(this);
+ set_measurement_error(this, IMV_ATTESTATION_ERROR_COMP_EVID_PEND);
}
free_func_comp(entry);
}
typedef struct imv_attestation_state_t imv_attestation_state_t;
typedef enum imv_attestation_handshake_state_t imv_attestation_handshake_state_t;
+typedef enum imv_meas_error_t imv_meas_error_t;
/**
* IMV Attestation Handshake States (state machine)
};
/**
+ * IMV Measurement Error Types
+ */
+enum imv_meas_error_t {
+ IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL = 1,
+ IMV_ATTESTATION_ERROR_FILE_MEAS_PEND = 2,
+ IMV_ATTESTATION_ERROR_COMP_EVID_FAIL = 4,
+ IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 8,
+ IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 16
+};
+
+/**
* Internal state of an imv_attestation_t connection instance
*/
struct imv_attestation_state_t {
bool (*components_finalized)(imv_attestation_state_t *this);
/**
- * Indicates if a file measurement error occurred
+ * Indicates the types of measurement errors that occurred
*
- * @return TRUE in case of measurement error
+ * @return Measurement error flags
*/
- bool (*get_measurement_error)(imv_attestation_state_t *this);
+ u_int32_t (*get_measurement_error)(imv_attestation_state_t *this);
/**
- * Call if a file measurement error is encountered
+ * Call if a measurement error is encountered
+ *
+ * @param error Measurement error type
*/
- void (*set_measurement_error)(imv_attestation_state_t *this);
+ void (*set_measurement_error)(imv_attestation_state_t *this,
+ u_int32_t error);
};