From: Andreas Steffen Date: Sat, 12 Apr 2014 08:56:16 +0000 (+0200) Subject: Added result information to TPMRA workitems X-Git-Tag: 5.2.0dr1~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=975472e42f2b1cc0fd375b6d9240089697d2e2bf;p=thirdparty%2Fstrongswan.git Added result information to TPMRA workitems On the occasion got rid of complicated functional component stuff --- diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c index 397f14636c..9e597092f8 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c @@ -767,8 +767,10 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result, TNC_IMV_Action_Recommendation rec; imv_workitem_t *workitem; enumerator_t *enumerator; - char *result_str; int pending_file_meas = 0; + char *result_str; + chunk_t result_buf; + bio_writer_t *result; enumerator = session->create_workitem_enumerator(session); if (enumerator) @@ -779,18 +781,25 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result, { continue; } + result = bio_writer_create(128); + switch (workitem->get_type(workitem)) { case IMV_WORKITEM_FILE_REF_MEAS: case IMV_WORKITEM_FILE_MEAS: case IMV_WORKITEM_DIR_REF_MEAS: case IMV_WORKITEM_DIR_MEAS: - result_str = "Pending file measurements"; + result_str = "pending file measurements"; pending_file_meas++; break; case IMV_WORKITEM_TPM_ATTEST: - attestation_state->finalize_components(attestation_state); - result_str = "Pending component evidence"; + attestation_state->finalize_components(attestation_state, + result); + result->write_data(result, + chunk_from_str("; Pending component evidence")); + result->write_uint8(result, '\0'); + result_buf = result->get_buf(result); + result_str = result_buf.ptr; break; default: continue; @@ -801,6 +810,7 @@ METHOD(imv_agent_if_t, solicit_recommendation, TNC_Result, state->update_recommendation(state, rec, eval); imcv_db->finalize_workitem(imcv_db, workitem); workitem->destroy(workitem); + result->destroy(result); } enumerator->destroy(enumerator); diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c index 03834c71f5..9af07de40d 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c @@ -419,10 +419,12 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, uint8_t flags; pts_meas_algorithms_t comp_hash_algorithm; chunk_t pcr_comp, tpm_quote_sig, evid_sig; - chunk_t pcr_composite, quote_info; + chunk_t pcr_composite, quote_info, result_buf; imv_workitem_t *workitem; + imv_reason_string_t *reason_string; enumerator_t *enumerator; bool use_quote2, use_ver_info; + bio_writer_t *result; attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr; flags = attr_cast->get_quote_info(attr_cast, &comp_hash_algorithm, @@ -468,7 +470,9 @@ quote_error: * Finalize any pending measurement registrations and check * if all expected component measurements were received */ - attestation_state->finalize_components(attestation_state); + result = bio_writer_create(128); + attestation_state->finalize_components(attestation_state, + result); enumerator = session->create_workitem_enumerator(session); while (enumerator->enumerate(enumerator, &workitem)) @@ -477,7 +481,6 @@ quote_error: { TNC_IMV_Action_Recommendation rec; TNC_IMV_Evaluation_Result eval; - char *result_str; uint32_t error; error = attestation_state->get_measurement_error( @@ -486,32 +489,33 @@ quote_error: IMV_ATTESTATION_ERROR_COMP_EVID_PEND | IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL)) { - imv_reason_string_t *reason_string; - chunk_t result; - reason_string = imv_reason_string_create("en", ", "); attestation_state->add_comp_evid_reasons( attestation_state, reason_string); - result = reason_string->get_encoding(reason_string); - result_str = strndup(result.ptr, result.len); + result->write_data(result, chunk_from_str("; ")); + result->write_data(result, + reason_string->get_encoding(reason_string)); reason_string->destroy(reason_string); eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR; } else { - result_str = strdup("attestation successful"); eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT; } session->remove_workitem(session, enumerator); - rec = workitem->set_result(workitem, result_str, eval); + + result->write_uint8(result, '\0'); + result_buf = result->get_buf(result); + rec = workitem->set_result(workitem, result_buf.ptr, + eval); state->update_recommendation(state, rec, eval); imcv_db->finalize_workitem(imcv_db, workitem); workitem->destroy(workitem); - free(result_str); attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_END); break; } + result->destroy(result); } enumerator->destroy(enumerator); } diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.c b/src/libpts/plugins/imv_attestation/imv_attestation_state.c index 253b8f66f1..11afbc29d3 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_state.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.c @@ -467,15 +467,25 @@ METHOD(imv_attestation_state_t, set_measurement_error, void, } METHOD(imv_attestation_state_t, finalize_components, void, - private_imv_attestation_state_t *this) + private_imv_attestation_state_t *this, bio_writer_t *result) { func_comp_t *entry; + bool first = TRUE; while (this->components->remove_last(this->components, (void**)&entry) == SUCCESS) { + if (first) + { + first = FALSE; + } + else + { + result->write_data(result, chunk_from_str("; ")); + } if (!entry->comp->finalize(entry->comp, - entry->name->get_qualifier(entry->name))) + entry->name->get_qualifier(entry->name), + result)) { set_measurement_error(this, IMV_ATTESTATION_ERROR_COMP_EVID_PEND); } diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_state.h b/src/libpts/plugins/imv_attestation/imv_attestation_state.h index 49cdee3ca5..c3aea048cb 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_state.h +++ b/src/libpts/plugins/imv_attestation/imv_attestation_state.h @@ -29,7 +29,9 @@ #include #include #include + #include +#include typedef struct imv_attestation_state_t imv_attestation_state_t; typedef enum imv_attestation_flag_t imv_attestation_flag_t; @@ -140,8 +142,11 @@ struct imv_attestation_state_t { /** * Tell the Functional Components to finalize any measurement registrations * and to check if all expected measurements were received + * + * @param result Writer appending component measurement results */ - void (*finalize_components)(imv_attestation_state_t *this); + void (*finalize_components)(imv_attestation_state_t *this, + bio_writer_t *result); /** * Indicates the types of measurement errors that occurred diff --git a/src/libpts/pts/components/ita/ita_comp_ima.c b/src/libpts/pts/components/ita/ita_comp_ima.c index 04bc84eef5..e913dcc74a 100644 --- a/src/libpts/pts/components/ita/ita_comp_ima.c +++ b/src/libpts/pts/components/ita/ita_comp_ima.c @@ -798,16 +798,12 @@ METHOD(pts_component_t, verify, status_t, } METHOD(pts_component_t, finalize, bool, - pts_ita_comp_ima_t *this, u_int8_t qualifier) + pts_ita_comp_ima_t *this, u_int8_t qualifier, bio_writer_t *result) { - u_int32_t vid, name; - enum_name_t *names; + char result_buf[BUF_LEN]; bool success = TRUE; this->name->set_qualifier(this->name, qualifier); - vid = this->name->get_vendor_id(this->name); - name = this->name->get_name(this->name); - names = pts_components->get_comp_func_names(pts_components, vid); if (qualifier == (PTS_ITA_QUALIFIER_FLAG_KERNEL | PTS_ITA_QUALIFIER_TYPE_TRUSTED)) @@ -818,16 +814,21 @@ METHOD(pts_component_t, finalize, bool, /* close registration */ this->is_bios_registering = FALSE; - DBG1(DBG_PTS, "registered %d %N '%N' BIOS evidence measurements", - this->seq_no, pen_names, vid, names, name); + snprintf(result_buf, BUF_LEN, "registered %d BIOS evidence " + "measurements", this->seq_no); } else if (this->seq_no < this->bios_count) { - DBG1(DBG_PTS, "%d of %d %N '%N' BIOS evidence measurements missing", - this->bios_count - this->seq_no, this->bios_count, - pen_names, vid, names, name); + snprintf(result_buf, BUF_LEN, "%d of %d BIOS evidence " + "measurements missing", this->bios_count - this->seq_no, + this->bios_count); success = FALSE; } + else + { + snprintf(result_buf, BUF_LEN, "%d BIOS evidence " + "measurements are ok", this->bios_count); + } } else if (qualifier == (PTS_ITA_QUALIFIER_FLAG_KERNEL | PTS_ITA_QUALIFIER_TYPE_OS)) @@ -838,26 +839,29 @@ METHOD(pts_component_t, finalize, bool, /* close registration */ this->is_ima_registering = FALSE; - DBG1(DBG_PTS, "registered %N '%N' boot aggregate evidence " - "measurement", pen_names, vid, names, name); + snprintf(result_buf, BUF_LEN, "registered boot aggregate " + "evidence measurement"); } - if (this->count) + else if (this->count) { - DBG1(DBG_PTS, "processed %d %N '%N' file evidence measurements: " - "%d ok, %d unknown, %d differ, %d failed", - this->count, pen_names, vid, names, name, - this->count_ok, this->count_unknown, - this->count_differ, this->count_failed); + snprintf(result_buf, BUF_LEN, "processed %d file evidence " + "measurements: %d ok, %d unknown, %d differ, %d failed", + this->count, this->count_ok, this->count_unknown, + this->count_differ, this->count_failed); success = !this->count_differ && !this->count_failed; } } else { - DBG1(DBG_PTS, "unsupported functional component name qualifier"); + snprintf(result_buf, BUF_LEN, "unsupported functional component name " + "qualifier"); success = FALSE; } this->name->set_qualifier(this->name, PTS_QUALIFIER_UNKNOWN); + DBG1(DBG_PTS, "%s", result_buf); + result->write_data(result, chunk_from_str(result_buf)); + return success; } @@ -872,34 +876,30 @@ METHOD(pts_component_t, destroy, void, pts_ita_comp_ima_t *this) { int count; - u_int32_t vid, name; - enum_name_t *names; if (ref_put(&this->ref)) { - vid = this->name->get_vendor_id(this->name); - name = this->name->get_name(this->name); - names = pts_components->get_comp_func_names(pts_components, vid); if (this->is_bios_registering) { count = this->pts_db->delete_comp_measurements(this->pts_db, this->bios_cid, this->aik_id); - DBG1(DBG_PTS, "deleted %d registered %N '%N' BIOS evidence " - "measurements", count, pen_names, vid, names, name); + DBG1(DBG_PTS, "deleted %d registered BIOS evidence measurements", + count); } if (this->is_ima_registering) { count = this->pts_db->delete_comp_measurements(this->pts_db, this->ima_cid, this->aik_id); - DBG1(DBG_PTS, "deleted registered %N '%N' boot aggregate evidence " - "measurement", pen_names, vid, names, name); + DBG1(DBG_PTS, "deleted registered boot aggregate evidence " + "measurement"); } this->bios_list->destroy_function(this->bios_list, (void *)free_bios_entry); this->ima_list->destroy_function(this->ima_list, (void *)free_ima_entry); this->name->destroy(this->name); + free(this); } } diff --git a/src/libpts/pts/components/ita/ita_comp_tboot.c b/src/libpts/pts/components/ita/ita_comp_tboot.c index 05cbb9f1df..67be1ca3ac 100644 --- a/src/libpts/pts/components/ita/ita_comp_tboot.c +++ b/src/libpts/pts/components/ita/ita_comp_tboot.c @@ -269,30 +269,31 @@ METHOD(pts_component_t, verify, status_t, } METHOD(pts_component_t, finalize, bool, - pts_ita_comp_tboot_t *this, u_int8_t qualifier) + pts_ita_comp_tboot_t *this, u_int8_t qualifier, bio_writer_t *result) { - u_int32_t vid, name; - enum_name_t *names; - - vid = this->name->get_vendor_id(this->name); - name = this->name->get_name(this->name); - names = pts_components->get_comp_func_names(pts_components, vid); + char result_buf[BUF_LEN]; if (this->is_registering) { /* close registration */ this->is_registering = FALSE; - DBG1(DBG_PTS, "registered %d %N '%N' functional component evidence " - "measurements", this->seq_no, pen_names, vid, names, name); + snprintf(result_buf, BUF_LEN, "registered %d evidence measurements", + this->seq_no); } else if (this->seq_no < this->count) { - DBG1(DBG_PTS, "%d of %d %N '%N' functional component evidence " - "measurements missing", this->count - this->seq_no, - this->count, pen_names, vid, names, name); + snprintf(result_buf, BUF_LEN, "%d of %d evidence measurements " + "missing", this->count - this->seq_no, this->count); return FALSE; } + else + { + snprintf(result_buf, BUF_LEN, "%d evidence measurements are ok", + this->count); + } + DBG1(DBG_PTS, "%s", result_buf); + result->write_data(result, chunk_from_str(result_buf)); return TRUE; } diff --git a/src/libpts/pts/components/ita/ita_comp_tgrub.c b/src/libpts/pts/components/ita/ita_comp_tgrub.c index e3acd87746..7d8da7f3d2 100644 --- a/src/libpts/pts/components/ita/ita_comp_tgrub.c +++ b/src/libpts/pts/components/ita/ita_comp_tgrub.c @@ -49,7 +49,6 @@ struct pts_ita_comp_tgrub_t { */ pts_database_t *pts_db; - /** * Reference count */ @@ -155,7 +154,7 @@ METHOD(pts_component_t, verify, status_t, } METHOD(pts_component_t, finalize, bool, - pts_ita_comp_tgrub_t *this, u_int8_t qualifier) + pts_ita_comp_tgrub_t *this, u_int8_t qualifier, bio_writer_t *result) { return FALSE; } diff --git a/src/libpts/pts/components/pts_component.h b/src/libpts/pts/components/pts_component.h index da339a55f9..71b1ad59c1 100644 --- a/src/libpts/pts/components/pts_component.h +++ b/src/libpts/pts/components/pts_component.h @@ -30,6 +30,7 @@ typedef struct pts_component_t pts_component_t; #include "pts/components/pts_comp_evidence.h" #include +#include /** * PTS Functional Component Interface @@ -85,9 +86,11 @@ struct pts_component_t { * and check for missing measurements * * @param qualifier PTS Component Functional Name Qualifier + * @param result writer appending concise measurement result * @return TRUE if finalization successful */ - bool (*finalize)(pts_component_t *this, u_int8_t qualifier); + bool (*finalize)(pts_component_t *this, u_int8_t qualifier, + bio_writer_t *result); /** * Get a new reference to the PTS Functional Component