From 8b36021b5b4d104fe623a7eb015810878d1887fe Mon Sep 17 00:00:00 2001
From: Andreas Steffen
Date: Mon, 13 Jan 2014 08:19:10 +0100
Subject: [PATCH] Catch AIK errors

---
 .../imv_attestation/imv_attestation_agent.c | 45 ++++++++++++++--------
 .../imv_attestation/imv_attestation_build.c | 24 +++---------
 .../imv_attestation/imv_attestation_process.c | 10 ++++-
 .../imv_attestation/imv_attestation_state.c | 17 ++++----
 .../imv_attestation/imv_attestation_state.h | 12 ++----
 5 files changed, 57 insertions(+), 51 deletions(-)

diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
index 74e903c..084d838 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
@@ -293,10 +293,14 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 	imv_session_t *session;
 	imv_attestation_state_t *attestation_state;
 	imv_attestation_handshake_state_t handshake_state;
+	imv_workitem_t *workitem;
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
 	TNC_IMVID imv_id;
 	TNC_Result result = TNC_RESULT_SUCCESS;
 	pts_t *pts;
 	char *platform_info;
+	enumerator_t *enumerator;
 
 	if (!this->agent->get_state(this->agent, id, &state))
 	{
@@ -369,13 +373,11 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 		(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ALGO) &&
 	   !(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_FILE_MEAS))
 	{
-		imv_workitem_t *workitem;
 		bool is_dir, no_workitems = TRUE;
 		u_int32_t delimiter = SOLIDUS_UTF;
 		u_int16_t request_id;
 		pa_tnc_attr_t *attr;
 		char *pathname;
-		enumerator_t *enumerator;
 
 		attestation_state->set_handshake_state(attestation_state,
 											   IMV_ATTESTATION_STATE_END);
@@ -406,8 +408,6 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, { pts_component_t *comp; pts_comp_func_name_t *comp_name; - TNC_IMV_Action_Recommendation rec; - TNC_IMV_Evaluation_Result eval; bool no_d_flag, no_t_flag; char result_str[BUF_LEN]; @@ -535,22 +535,35 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, } /* check the IMV state for the next PA-TNC attributes to send */ - if (!imv_attestation_build(out_msg, state, this->supported_dh_groups, - this->pts_db)) + enumerator = session->create_workitem_enumerator(session); + while (enumerator->enumerate(enumerator, &workitem)) { - state->set_recommendation(state, - TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, - TNC_IMV_EVALUATION_RESULT_ERROR); - result = out_msg->send_assessment(out_msg); - out_msg->destroy(out_msg); - state->set_action_flags(state, IMV_ATTESTATION_FLAG_REC); - - if (result != TNC_RESULT_SUCCESS) + if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST) { - return result; + if (!imv_attestation_build(out_msg, state, + this->supported_dh_groups, this->pts_db)) + { + imv_reason_string_t *reason_string; + chunk_t result; + char *result_str; + + reason_string = imv_reason_string_create("en", ", "); + attestation_state->add_comp_evid_reasons(attestation_state, + reason_string); + result = reason_string->get_encoding(reason_string); + result_str = strndup(result.ptr, result.len); + reason_string->destroy(reason_string); + + eval = TNC_IMV_EVALUATION_RESULT_ERROR; + session->remove_workitem(session, enumerator); + rec = workitem->set_result(workitem, result_str, eval); + state->update_recommendation(state, rec, eval); + imcv_db->finalize_workitem(imcv_db, workitem); + } + break; } - return this->agent->provide_recommendation(this->agent, state); } + enumerator->destroy(enumerator); /* finalized all workitems? */ if (session && session->get_policy_started(session) && 
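Review bot: In the `imv_attestation_build` failure branch `result_str` from `strndup` is never freed and the workitem removed from the session is never destroyed, so both leak on every AIK error; the `quote_error` path in imv_attestation_process.c (hunk at line 485 of this patch) follows `imcv_db->finalize_workitem(imcv_db, workitem);` with `workitem->destroy(workitem);` and `free(result_str);`, and the same two lines belong here. The local `chunk_t result` also shadows the function-level `TNC_Result result` declared at the top of batch_ending, which is easy to misread; `chunk_t encoding` would avoid it. The guard `if (session && ...)` on the very next statement suggests session may be NULL at this point, yet `session->create_workitem_enumerator(session)` is called unconditionally; unless an earlier check outside the hunk already rejects a NULL session, this dereferences it. batch_ending starts and ends outside the hunk.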
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_build.c b/src/libpts/plugins/imv_attestation/imv_attestation_build.c index a0d1765..f3b13d3 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_build.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_build.c @@ -98,20 +98,14 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state, attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_END); - if (!pts->get_aik_keyid(pts, &keyid)) - { - DBG1(DBG_IMV, "retrieval of AIK keyid failed"); - return FALSE; - } - if (!pts_db) - { - DBG1(DBG_IMV, "pts database not available"); - break; - } - if (pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS) + if (!pts->get_aik_keyid(pts, &keyid) || + pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS) { + attestation_state->set_measurement_error(attestation_state, + IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK); return FALSE; } + enumerator = attestation_state->create_component_enumerator( attestation_state); while (enumerator->enumerate(enumerator, &flags, &depth, &name)) @@ -146,15 +140,9 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state, } break; } - case IMV_ATTESTATION_STATE_EVID_FINAL: - if (attestation_state->components_finalized(attestation_state)) - { - attestation_state->set_handshake_state(attestation_state, - IMV_ATTESTATION_STATE_END); - } - break; default: break; } + return TRUE; } diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c index 9422cf4..b99b84f 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c 
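Review bot: The merged condition `!pts->get_aik_keyid(pts, &keyid) || pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS` drops the `if (!pts_db)` guard the removed lines had, so a deployment without a PTS database now dereferences NULL instead of logging "pts database not available". Keep the check inside the condition, e.g. `if (!pts->get_aik_keyid(pts, &keyid) || !pts_db || pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)`, so the missing database is reported through the same error flag rather than crashing. The DBG1 messages for both failures are gone as well, so an operator only sees the generic reason string; a DBG1 naming which of the two checks failed, placed before `return FALSE`, would keep the diagnostics. imv_attestation_build starts and ends outside the hunk.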
@@ -163,7 +163,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 			if (!aik)
 			{
 				DBG1(DBG_IMV, "AIK unavailable");
-				return FALSE;
+				attestation_state->set_measurement_error(attestation_state,
+									IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
+				break;
 			}
 			if (aik->get_type(aik) == CERT_X509)
 			{
@@ -187,7 +189,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 					 trusted ? "" : "not ");
 				if (!trusted)
 				{
-					return FALSE;
+					attestation_state->set_measurement_error(attestation_state,
+									IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
+					break;
 				}
 			}
 			pts->set_aik(pts, aik);
@@ -485,6 +489,8 @@ quote_error:
 			imcv_db->finalize_workitem(imcv_db, workitem);
 			workitem->destroy(workitem);
 			free(result_str);
+			attestation_state->set_handshake_state(attestation_state,
+									IMV_ATTESTATION_STATE_END);
 			break;
 		}
 	}
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
index c2adbf5..9304b9a 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
@@ -162,6 +162,12 @@ static imv_lang_string_t reason_file_meas_pend[] = {
 	{ NULL, NULL }
 };
 
+static imv_lang_string_t reason_no_trusted_aik[] = {
+	{ "en", "No trusted AIK available" },
+	{ "de", "Kein vetrauenswürdiger AIK verfügbar" },
+	{ NULL, NULL }
+};
+
 static imv_lang_string_t reason_comp_evid_fail[] = {
 	{ "en", "Incorrect component evidence" },
 	{ "de", "Falsche Komponenten-Evidenz" },
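Review bot: Replacing `return FALSE` with `break` in the `!aik` branch here and in the `!trusted` branch of the hunk at line 187 makes imv_attestation_process report success to its caller while the failure is only recorded in the NO_TRUSTED_AIK flag; nothing in these hunks turns that flag into a finalized workitem the way the build failure path in imv_attestation_agent.c does, so it is worth confirming that the caller picks it up. A short comment at each `break`, `/* failure reported via IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK; keep processing the batch */`, would make that intent explicit to the next reader. The enclosing switch and the function continue outside the hunk.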
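Review bot: The German reason text in the new `reason_no_trusted_aik` table misspells "vertrauenswürdiger" as "vetrauenswürdiger"; this string ends up in the workitem result through add_comp_evid_reasons, so the line should read `{ "de", "Kein vertrauenswürdiger AIK verfügbar" },`. The table otherwise mirrors the neighbouring `reason_comp_evid_fail` entry.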
@@ -307,6 +313,10 @@ METHOD(imv_attestation_state_t, add_file_meas_reasons, void,
 METHOD(imv_attestation_state_t, add_comp_evid_reasons, void,
 	private_imv_attestation_state_t *this, imv_reason_string_t *reason_string)
 {
+	if (this->measurement_error & IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK)
+	{
+		reason_string->add_reason(reason_string, reason_no_trusted_aik);
+	}
 	if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_FAIL)
 	{
 		reason_string->add_reason(reason_string, reason_comp_evid_fail);
@@ -501,12 +511,6 @@ METHOD(imv_attestation_state_t, finalize_components, void,
 	}
 }
 
-METHOD(imv_attestation_state_t, components_finalized, bool,
-	private_imv_attestation_state_t *this)
-{
-	return this->components->get_count(this->components) == 0;
-}
-
 /**
  * Described in header.
  */
@@ -544,7 +548,6 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 			.create_component_enumerator = _create_component_enumerator,
 			.get_component = _get_component,
 			.finalize_components = _finalize_components,
-			.components_finalized = _components_finalized,
 			.get_measurement_error = _get_measurement_error,
 			.set_measurement_error = _set_measurement_error,
 			.add_file_meas_reasons = _add_file_meas_reasons,
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
index 3636b56..9369d30 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h
@@ -65,9 +65,10 @@ enum imv_attestation_handshake_state_t {
 enum imv_meas_error_t {
 	IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL = 1,
 	IMV_ATTESTATION_ERROR_FILE_MEAS_PEND = 2,
-	IMV_ATTESTATION_ERROR_COMP_EVID_FAIL = 4,
-	IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 8,
-	IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 16
+	IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK = 4,
+	IMV_ATTESTATION_ERROR_COMP_EVID_FAIL = 8,
+	IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 16,
+	IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 32
 };
 
 /**
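Review bot: Inserting `IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK = 4` in the middle of `enum imv_meas_error_t` renumbers the three existing flags (COMP_EVID_FAIL 4 to 8, COMP_EVID_PEND 8 to 16, TPM_QUOTE_FAIL 16 to 32). As far as this patch shows the flags are only tested symbolically with `&`, but if the bitmask is ever stored, logged as a number or compared against another build, the old values now name a different error; appending the new flag as 32 would keep the existing values stable. If the renumbering is deliberate, a one-line comment on the enum stating that the values are internal and may change between releases would document that.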
@@ -139,11 +140,6 @@ struct imv_attestation_state_t {
 	void (*finalize_components)(imv_attestation_state_t *this);
 
 	/**
-	 * Have the Functional Component measurements been finalized?
-	 */
-	bool (*components_finalized)(imv_attestation_state_t *this);
-
-	/**
 	 * Indicates the types of measurement errors that occurred
 	 *
 	 * @return Measurement error flags
-- 
2.7.4