From: Andreas Steffen
Date: Sun, 13 Oct 2013 20:17:18 +0000 (+0200)
Subject: Set recommendation in the case of PCR measurement failures
X-Git-Tag: 5.1.1rc1~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a37ab690cc4be0696b61b25b8b48dae35c9980a8;p=thirdparty%2Fstrongswan.git
Set recommendation in the case of PCR measurement failures
---
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
index f127a96829..978c74001d 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c
@@ -502,8 +502,11 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
 if (session)
 {
+ TNC_IMV_Evaluation_Result eval;
+ TNC_IMV_Action_Recommendation rec;
 imv_workitem_t *workitem;
 enumerator_t *enumerator;
+ char *result_str;
 int pending_file_meas = 0;
 enumerator = session->create_workitem_enumerator(session);
@@ -521,6 +524,13 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result,
 case IMV_WORKITEM_FILE_MEAS:
 case IMV_WORKITEM_DIR_REF_MEAS:
 case IMV_WORKITEM_DIR_MEAS:
+ session->remove_workitem(session, enumerator);
+ result_str = "pending file measurements";
+ eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+ rec = workitem->set_result(workitem, result_str, eval);
+ state->update_recommendation(state, rec, eval);
+ imcv_db->finalize_workitem(imcv_db, workitem);
+ workitem->destroy(workitem);
 pending_file_meas++;
 break;
 default:
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
index 7319c0b6bd..5137d64fe2 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c
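Review bot: In the second hunk, `imcv_db->finalize_workitem(imcv_db, workitem);` dereferences the global `imcv_db` without a NULL check, while the surrounding code only guards on `session`; if a session can exist in a configuration that has no IMV database, this is a NULL dereference, so either state that invariant in a comment at the `if (session)` guard or wrap the call as `if (imcv_db) { imcv_db->finalize_workitem(imcv_db, workitem); }`. The branch also deserves a comment on why still-open measurement workitems are failed rather than left pending, e.g. `/* measurements still outstanding when a recommendation is due never completed: record them as errors and count them */`. `result_str` only ever holds a string literal, so `const char *result_str;` in the first hunk would be more accurate if `set_result()` accepts it. solicit_recommendation continues outside both hunks.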
@@ -380,6 +380,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 if (comp->verify(comp, name->get_qualifier(name), pts, evidence) != SUCCESS)
 {
+ state->update_recommendation(state,
+ TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+ TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
 attestation_state->set_measurement_error(attestation_state,
 IMV_ATTESTATION_ERROR_COMP_EVID_FAIL);
 name->log(name, " measurement mismatch for ");
@@ -417,23 +420,28 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 {
 DBG1(DBG_IMV, "received PCR Composite does not match "
 "constructed one");
+ state->update_recommendation(state,
+ TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+ TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
 attestation_state->set_measurement_error(attestation_state,
 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
- free(pcr_composite.ptr);
- free(quote_info.ptr);
- break;
+ goto quote_error;
 }
 DBG2(DBG_IMV, "received PCR Composite matches constructed one");
- free(pcr_composite.ptr);
 if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig))
 {
+ state->update_recommendation(state,
+ TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+ TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
 attestation_state->set_measurement_error(attestation_state,
 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
- free(quote_info.ptr);
- break;
+ goto quote_error;
 }
 DBG2(DBG_IMV, "TPM Quote Info signature verification successful");
+
+quote_error:
+ free(pcr_composite.ptr);
 free(quote_info.ptr);
 /**
diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
index 27b2655f8c..47011751dd 100644
--- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c
+++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c
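Review bot: In the second hunk, `goto quote_error` replaces the old `free(); break;` pairs, so the two TPM-quote failure paths no longer leave the enclosing case after cleanup: they now run on past `/**` into whatever the success path executes next, which the previous `break` skipped. Unless that code (outside the hunk) checks the error recorded by `set_measurement_error()`, a failed quote is processed the same way as a verified one, and the ISOLATE recommendation set just before it could be revisited by later logic. If falling through is intended, say so at the label, e.g. `/* reached on success and on quote failure: release the composite and quote buffers, then continue; failures are flagged in attestation_state */`, and a name such as `quote_done:` would read better than `quote_error:` for a label the success path also reaches. The identical three-line `state->update_recommendation(state, TNC_IMV_ACTION_RECOMMENDATION_ISOLATE, TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);` call is pasted three times across both hunks; a small static helper would keep the recommendation policy in one place. imv_attestation_process() starts and ends outside the hunks.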
@@ -461,6 +461,9 @@ METHOD(imv_attestation_state_t, finalize_components, void,
 if (!entry->comp->finalize(entry->comp, entry->qualifier))
 {
 set_measurement_error(this, IMV_ATTESTATION_ERROR_COMP_EVID_PEND);
+ update_recommendation(this,
+ TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
+ TNC_IMV_EVALUATION_RESULT_ERROR);
 }
 free_func_comp(entry);
 }
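Review bot: The new `update_recommendation()` call grades missing component evidence as `TNC_IMV_EVALUATION_RESULT_ERROR`, whereas the matching paths added to imv_attestation_process.c in this commit use `TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR` for a measurement mismatch; the distinction (evidence never arrived versus evidence arrived and failed) is reasonable but undocumented. A comment on the branch such as `/* evidence for this component never completed: treat as an error, not as a (minor) non-compliance */` would make the policy explicit for the next reader. finalize_components continues outside the hunk.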