From: Sansar Choinyambuu Date: Fri, 11 Nov 2011 11:52:43 +0000 (+0100) Subject: Add/CheckOff/Check pending functional component evidence requests X-Git-Tag: 4.6.2~207 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=413922ff609fb3b2ce9f9e5ab812ebe04aead00f;p=thirdparty%2Fstrongswan.git Add/CheckOff/Check pending functional component evidence requests --- diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation.c b/src/libimcv/plugins/imv_attestation/imv_attestation.c index 2dffa211cf..cbcff319aa 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation.c @@ -550,10 +550,16 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, if (attestation_state->get_handshake_state(attestation_state) == IMV_ATTESTATION_STATE_END) { - if (attestation_state->get_request_count(attestation_state)) + if (attestation_state->get_file_meas_request_count(attestation_state)) { DBG1(DBG_IMV, "failure due to %d pending file measurements", - attestation_state->get_request_count(attestation_state)); + attestation_state->get_file_meas_request_count(attestation_state)); + attestation_state->set_measurement_error(attestation_state); + } + if (attestation_state->get_comp_evid_request_count(attestation_state)) + { + DBG1(DBG_IMV, "failure due to %d pending simple component evidences", + attestation_state->get_comp_evid_request_count(attestation_state)); attestation_state->set_measurement_error(attestation_state); } if (attestation_state->get_measurement_error(attestation_state)) diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c index 570bc8652c..83568fe2b3 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c 
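Review bot: The new log text in the second branch, "failure due to %d pending simple component evidences", does not use the same vocabulary as the API it reports on (`get_comp_evid_request_count`, "Functional Component Evidence request" in the state header), so an operator grepping logs will not connect the two; `DBG1(DBG_IMV, "failure due to %d pending functional component evidence requests", attestation_state->get_comp_evid_request_count(attestation_state));` keeps the wording aligned. Both branches end by calling `set_measurement_error`, which is fine, but a one-line comment above the first `if` stating that any pending request at STATE_END is treated as a failed attestation would make the intent explicit. TNC_IMV_ReceiveMessage starts and ends outside this hunk.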
@@ -193,8 +193,8 @@ bool imv_attestation_build(pa_tnc_msg_t *msg, while (enumerator->enumerate(enumerator, &id, &type, &pathname)) { is_dir = (type != 0); - request_id = attestation_state->add_request(attestation_state, - id, is_dir); + request_id = attestation_state->add_file_meas_request( + attestation_state, id, is_dir); DBG2(DBG_IMV, "measurement request %d for %s '%s'", request_id, is_dir ? "directory" : "file", pathname); attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id, @@ -227,6 +227,8 @@ bool imv_attestation_build(pa_tnc_msg_t *msg, sub_comp_depth, PEN_ITA, qualifier, name); attr->set_noskip_flag(attr, TRUE); msg->add_attribute(msg, attr); + attestation_state->add_comp_evid_request( attestation_state, + PEN_ITA, qualifier, name); /* Send Request Functional Component Evidence attribute */ name = PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE; @@ -234,6 +236,8 @@ bool imv_attestation_build(pa_tnc_msg_t *msg, sub_comp_depth, PEN_ITA, qualifier, name); attr->set_noskip_flag(attr, TRUE); msg->add_attribute(msg, attr); + attestation_state->add_comp_evid_request(attestation_state, + PEN_ITA, qualifier, name); /* Send Generate Attestation Evidence attribute */ attr = tcg_pts_attr_gen_attest_evid_create(); diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c index 5c9cb987db..6c19d6bee2 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c 
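Review bot: The call added in the second hunk of this file is formatted `add_comp_evid_request( attestation_state,` with a stray space after the opening parenthesis, while the identical call in the following hunk is written `add_comp_evid_request(attestation_state,`; the two should match. The surrounding blocks are now the same four statements (create the request attribute, `set_noskip_flag`, `add_attribute`, `add_comp_evid_request`) repeated per component name, differing only in `name`, so a loop over a small array of `pts_ita_funct_comp_name_t` values would keep the request list and the attributes sent from drifting apart when a further component is added. imv_attestation_build starts and ends outside these hunks.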
@@ -237,6 +237,13 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, } name = attr_cast->get_comp_funct_name(attr_cast); + if (!attestation_state->check_off_comp_evid_request(attestation_state, + comp_vendor_id, qualifier, name)) + { + DBG1(DBG_IMV, " no entry found for component evidence request"); + break; + } + measurement_type = attr_cast->get_measurement_type(attr_cast); hash_algorithm = attr_cast->get_hash_algorithm(attr_cast); transformation = attr_cast->get_pcr_trans(attr_cast); @@ -385,10 +392,11 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, DBG1(DBG_IMV, "measurement request %d returned %d file%s:", request_id, file_count, (file_count == 1) ? "":"s"); - if (!attestation_state->check_off_request(attestation_state, + if (!attestation_state->check_off_file_meas_request(attestation_state, request_id, &file_id, &is_dir)) { - DBG1(DBG_IMV, " no entry found for this request"); + DBG1(DBG_IMV, " no entry found for file measurement request %d", + request_id); break; } diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_state.c b/src/libimcv/plugins/imv_attestation/imv_attestation_state.c index 59ae434b89..db2bad1f4f 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_state.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_state.c @@ -20,17 +20,27 @@ #include typedef struct private_imv_attestation_state_t private_imv_attestation_state_t; -typedef struct request_t request_t; +typedef struct file_meas_request_t file_meas_request_t; +typedef struct comp_evid_request_t comp_evid_request_t; /** * PTS File/Directory Measurement request entry */ -struct request_t { +struct file_meas_request_t { u_int16_t id; int file_id; bool is_dir; }; +/** + * Functional Component Evidence Request entry + */ +struct comp_evid_request_t { + u_int32_t vendor_id; + pts_qualifier_t qualifier; + pts_ita_funct_comp_name_t name; +}; + /** * Private data of an imv_attestation_state_t object. */ 
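Review bot: The new "no entry found for component evidence request" message carries no identifier, whereas the file-measurement counterpart in the second hunk of this file now prints `request_id`; logging which component was unmatched, e.g. `DBG1(DBG_IMV, " no entry found for component evidence request (vendor %u, name %d)", comp_vendor_id, name);`, gives the operator the same information (format specifiers to be matched against the declarations of `comp_vendor_id` and `name`, which are outside this hunk). On a miss the code only breaks, so evidence for a component that was never requested is discarded without influencing the result; that mirrors the file-measurement path, but if unsolicited evidence should count against the endpoint, a `attestation_state->set_measurement_error(attestation_state);` before the `break` would record it. imv_attestation_process starts and ends outside this hunk.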
@@ -67,14 +77,19 @@ struct private_imv_attestation_state_t { TNC_IMV_Evaluation_Result eval; /** - * Request counter + * File Measurement Request counter */ - u_int16_t request_counter; + u_int16_t file_meas_request_counter; /** * List of PTS File/Directory Measurement requests */ - linked_list_t *requests; + linked_list_t *file_meas_requests; + + /** + * List of Functional Component Evidence requests + */ + linked_list_t *comp_evid_requests; /** * PTS object @@ -82,7 +97,7 @@ struct private_imv_attestation_state_t { pts_t *pts; /** - * File Measurement error + * Measurement error */ bool measurement_error; @@ -182,7 +197,8 @@ METHOD(imv_state_t, get_reason_string, bool, METHOD(imv_state_t, destroy, void, private_imv_attestation_state_t *this) { - this->requests->destroy_function(this->requests, free); + this->file_meas_requests->destroy_function(this->file_meas_requests, free); + this->comp_evid_requests->destroy_function(this->comp_evid_requests, free); this->pts->destroy(this->pts); free(this); } 
@@ -206,29 +222,29 @@ METHOD(imv_attestation_state_t, get_pts, pts_t*, return this->pts; } -METHOD(imv_attestation_state_t, add_request, u_int16_t, +METHOD(imv_attestation_state_t, add_file_meas_request, u_int16_t, private_imv_attestation_state_t *this, int file_id, bool is_dir) { - request_t *request; + file_meas_request_t *request; - request = malloc_thing(request_t); - request->id = ++this->request_counter; + request = malloc_thing(file_meas_request_t); + request->id = ++this->file_meas_request_counter; request->file_id = file_id; request->is_dir = is_dir; - this->requests->insert_last(this->requests, request); + this->file_meas_requests->insert_last(this->file_meas_requests, request); - return this->request_counter; + return this->file_meas_request_counter; } -METHOD(imv_attestation_state_t, check_off_request, bool, +METHOD(imv_attestation_state_t, check_off_file_meas_request, bool, private_imv_attestation_state_t *this, u_int16_t id, int *file_id, bool* is_dir) { enumerator_t *enumerator; - request_t *request; + file_meas_request_t *request; bool found = FALSE; - enumerator = this->requests->create_enumerator(this->requests); + enumerator = this->file_meas_requests->create_enumerator(this->file_meas_requests); while (enumerator->enumerate(enumerator, &request)) { if (request->id == id) 
@@ -236,7 +252,53 @@ METHOD(imv_attestation_state_t, check_off_request, bool, found = TRUE; *file_id = request->file_id; *is_dir = request->is_dir; - this->requests->remove_at(this->requests, enumerator); + this->file_meas_requests->remove_at(this->file_meas_requests, enumerator); + free(request); + break; + } + } + enumerator->destroy(enumerator); + return found; +} + +METHOD(imv_attestation_state_t, get_file_meas_request_count, int, + private_imv_attestation_state_t *this) +{ + return this->file_meas_requests->get_count(this->file_meas_requests); +} + +METHOD(imv_attestation_state_t, add_comp_evid_request, void, + private_imv_attestation_state_t *this, u_int32_t vendor_id, + pts_qualifier_t qualifier, pts_ita_funct_comp_name_t comp_name) +{ + comp_evid_request_t *request; + + request = malloc_thing(comp_evid_request_t); + request->vendor_id = vendor_id; + request->qualifier = qualifier; + request->name = comp_name; + this->comp_evid_requests->insert_last(this->comp_evid_requests, request); +} + +METHOD(imv_attestation_state_t, check_off_comp_evid_request, bool, + private_imv_attestation_state_t *this, u_int32_t vendor_id, + pts_qualifier_t qualifier, pts_ita_funct_comp_name_t comp_name) +{ + enumerator_t *enumerator; + comp_evid_request_t *request; + bool found = FALSE; + + enumerator = this->comp_evid_requests->create_enumerator(this->comp_evid_requests); + while (enumerator->enumerate(enumerator, &request)) + { + if (request->vendor_id == vendor_id && + request->qualifier.kernel == qualifier.kernel && + request->qualifier.sub_component == qualifier.sub_component && + request->qualifier.type == qualifier.type && + request->name == comp_name) + { + found = TRUE; + this->comp_evid_requests->remove_at(this->comp_evid_requests, enumerator); free(request); break; } 
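Review bot: check_off_comp_evid_request matches the qualifier by comparing `kernel`, `sub_component` and `type` individually inline; if pts_qualifier_t ever gains a field the match silently becomes partial, so the comparison is better kept in one static helper that is the single place to update. The `create_enumerator` line in this function (and the renamed one in the previous hunk) exceeds the 80-column width the rest of the file appears to follow and could be wrapped. The function's tail (`return found;`) lies in the next hunk.
```c
/* Field-wise equality of two qualifiers; keep in sync with pts_qualifier_t */
static bool qualifier_equals(pts_qualifier_t a, pts_qualifier_t b)
{
	return a.kernel == b.kernel && a.sub_component == b.sub_component &&
		   a.type == b.type;
}

/* … unchanged: get_file_meas_request_count, add_comp_evid_request … */

	enumerator = this->comp_evid_requests->create_enumerator(
													this->comp_evid_requests);
	while (enumerator->enumerate(enumerator, &request))
	{
		if (request->vendor_id == vendor_id &&
			qualifier_equals(request->qualifier, qualifier) &&
			request->name == comp_name)
		{
			/* … unchanged: remove_at, free, break … */
```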
@@ -245,10 +307,10 @@ METHOD(imv_attestation_state_t, check_off_request, bool, return found; } -METHOD(imv_attestation_state_t, get_request_count, int, +METHOD(imv_attestation_state_t, get_comp_evid_request_count, int, private_imv_attestation_state_t *this) { - return this->requests->get_count(this->requests); + return this->comp_evid_requests->get_count(this->comp_evid_requests); } METHOD(imv_attestation_state_t, get_measurement_error, bool, @@ -284,9 +346,12 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id) .get_handshake_state = _get_handshake_state, .set_handshake_state = _set_handshake_state, .get_pts = _get_pts, - .add_request = _add_request, - .check_off_request = _check_off_request, - .get_request_count = _get_request_count, + .add_file_meas_request = _add_file_meas_request, + .check_off_file_meas_request = _check_off_file_meas_request, + .get_file_meas_request_count = _get_file_meas_request_count, + .add_comp_evid_request = _add_comp_evid_request, + .check_off_comp_evid_request = _check_off_comp_evid_request, + .get_comp_evid_request_count = _get_comp_evid_request_count, .get_measurement_error = _get_measurement_error, .set_measurement_error = _set_measurement_error, }, @@ -295,7 +360,8 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id) .handshake_state = IMV_ATTESTATION_STATE_INIT, .rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, .eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW, - .requests = linked_list_create(), + .file_meas_requests = linked_list_create(), + .comp_evid_requests = linked_list_create(), .pts = pts_create(FALSE), ); diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_state.h b/src/libimcv/plugins/imv_attestation/imv_attestation_state.h index f1ab616bbe..c329b89deb 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_state.h +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_state.h 
@@ -81,7 +81,7 @@ struct imv_attestation_state_t { * @param is_dir TRUE if directory * @return unique request ID */ - u_int16_t (*add_request)(imv_attestation_state_t *this, int file_id, + u_int16_t (*add_file_meas_request)(imv_attestation_state_t *this, int file_id, bool is_dir); /** @@ -89,7 +89,7 @@ struct imv_attestation_state_t { * * @return number of pending requests */ - int (*get_request_count)(imv_attestation_state_t *this); + int (*get_file_meas_request_count)(imv_attestation_state_t *this); /** * Check for presence of request_id and if found remove it from the list 
@@ -99,8 +99,38 @@ struct imv_attestation_state_t { * @param is_dir return TRUE if request was for a directory * @return TRUE if request ID found, FALSE otherwise */ - bool (*check_off_request)(imv_attestation_state_t *this, u_int16_t id, - int *file_id, bool *is_dir); + bool (*check_off_file_meas_request)(imv_attestation_state_t *this, + u_int16_t id, int *file_id, bool *is_dir); + + /** + * Add an entry to the list of pending Function Component Evidences + * + * @param vendor_id Functional Component Name Vendor ID + * @param qualifier Qualifier of the requested Functional Component + * @param comp_name Name of the requested Functional Component + */ + void (*add_comp_evid_request)(imv_attestation_state_t *this, + u_int32_t vendor_id, pts_qualifier_t qualifier, + pts_ita_funct_comp_name_t comp_name); + + /** + * Returns the number of pending Function Component Evidences + * + * @return number of pending evidences + */ + int (*get_comp_evid_request_count)(imv_attestation_state_t *this); + + /** + * Check for presence of Component Evidence Request and remove if exists + * + * @param vendor_id Functional Component Name Vendor ID + * @param qualifier Qualifier of the requested Functional Component + * @param comp_name Name of the requested Functional Component + * @return TRUE if component request found, FALSE otherwise + */ + bool (*check_off_comp_evid_request)(imv_attestation_state_t *this, + u_int32_t vendor_id, pts_qualifier_t qualifier, + pts_ita_funct_comp_name_t comp_name); /** * Indicates if a file measurement error occurred diff --git a/src/libpts/pts/pts.h b/src/libpts/pts/pts.h index b3298b0e4e..6028e2e5aa 100644 --- a/src/libpts/pts/pts.h +++ b/src/libpts/pts/pts.h @@ -30,6 +30,7 @@ typedef struct pcr_entry_t pcr_entry_t; #include "pts_file_meas.h" #include "pts_file_meta.h" #include "pts_dh_group.h" +#include "pts_funct_comp_name.h" #include #include
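Review bot: The doc comment on get_measurement_error, visible as context at the end of this hunk, still says "Indicates if a file measurement error occurred", but this commit also sets the flag for pending component evidence requests (imv_attestation.c) and already renamed the private field's comment to "Measurement error"; the public header should say `* Indicates if a measurement error occurred`. The new doc blocks say "Function Component Evidences" while the types and method names say "Functional Component Evidence request" — use one term. The check_off_comp_evid_request comment should also state that on success the first matching entry is removed from the list and freed, since that side effect is what the caller in imv_attestation_process relies on. The comment block for get_measurement_error continues outside this hunk.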