From: Andreas Steffen Date: Thu, 26 Dec 2013 16:39:05 +0000 (+0100) Subject: Attestation IMV processes TPMRA workitem X-Git-Tag: 5.1.2dr3~6 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=6009b6e0dd2ea3dbb033958b09448b5c602d6fc0;p=thirdparty%2Fstrongswan.git Attestation IMV processes TPMRA workitem --- diff --git a/src/libimcv/imv/imv_workitem.c b/src/libimcv/imv/imv_workitem.c index 8d3c031649..8784a0ccf8 100644 --- a/src/libimcv/imv/imv_workitem.c +++ b/src/libimcv/imv/imv_workitem.c @@ -20,7 +20,7 @@ typedef struct private_imv_workitem_t private_imv_workitem_t; -ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_SWID_TAGS, +ENUM(imv_workitem_type_names, IMV_WORKITEM_PACKAGES, IMV_WORKITEM_TPM_ATTEST, "PCKGS", "UNSRC", "FWDEN", diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c index 978c74001d..0b960acced 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_agent.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_agent.c 
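Review bot: The ENUM range for imv_workitem_type_names now ends at IMV_WORKITEM_TPM_ATTEST, but this hunk adds no corresponding name string; the table shown still begins "PCKGS", "UNSRC", "FWDEN" and its tail lies outside the hunk. If no entry for the new value was appended to the table in the unseen part, the enum-to-name lookup for IMV_WORKITEM_TPM_ATTEST would presumably index past the end of the string array (the macro only bounds-checks against the declared first/last values), so the entry should be confirmed. A one-line comment on the ENUM, e.g. `/* keep in sync with imv_workitem_type_t */`, would make the coupling explicit for the next value added.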
@@ -374,10 +374,37 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result, case IMV_WORKITEM_DIR_META: is_dir = TRUE; break; + case IMV_WORKITEM_TPM_ATTEST: + { + TNC_IMV_Action_Recommendation rec; + TNC_IMV_Evaluation_Result eval; + bool no_d_flag, no_t_flag; + char result_str[BUF_LEN]; + + workitem->set_imv_id(workitem, imv_id); + no_workitems = FALSE; + no_d_flag = !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D); + no_t_flag = !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T); + if (no_d_flag || no_t_flag) + { + snprintf(result_str, BUF_LEN, "%s%s%s", + (no_t_flag) ? "no TPM available" : "", + (no_t_flag && no_d_flag) ? ", " : "", + (no_d_flag) ? "no DH nonce negotiation" : ""); + eval = TNC_IMV_EVALUATION_RESULT_ERROR; + session->remove_workitem(session, enumerator); + rec = workitem->set_result(workitem, result_str, eval); + state->update_recommendation(state, rec, eval); + imcv_db->finalize_workitem(imcv_db, workitem); + workitem->destroy(workitem); + } + continue; + } default: continue; } + /* initiate file and directory measurements */ pathname = this->pts_db->get_pathname(this->pts_db, is_dir, workitem->get_arg_int(workitem)); if (!pathname) diff --git a/src/libpts/plugins/imv_attestation/imv_attestation_process.c b/src/libpts/plugins/imv_attestation/imv_attestation_process.c index 5137d64fe2..f5f11627c7 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation_process.c @@ -366,6 +366,7 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, pts_comp_evidence_t *evidence; pts_component_t *comp; u_int32_t depth; + status_t status; attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr; evidence = attr_cast->get_comp_evidence(attr_cast); 
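Review bot: The new `case IMV_WORKITEM_TPM_ATTEST:` has two outcomes that deserve a comment: when the PTS D or T capability is missing the work item is finalized immediately with an ERROR result, otherwise it is claimed via set_imv_id and deliberately left on the session (apparently to be resolved after TPM quote verification in imv_attestation_process.c, changed in this same commit), which is why the case ends in `continue` instead of reaching the file-measurement path below the switch; something like `/* TPM attestation: fail now if PTS lacks D/T caps, else resolve after quote verification */` above the case label would record that. Also, `no_workitems = FALSE;` is assigned before the capability check, so it stays cleared even on the path that finalizes and destroys the work item in the same pass; if that flag drives a "nothing pending" decision after the loop (not visible here), moving the assignment to the non-error path is worth considering. batch_ending's body starts and ends outside the hunk.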
@@ -377,8 +378,8 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, DBG1(DBG_IMV, " no entry found for component evidence request"); break; } - if (comp->verify(comp, name->get_qualifier(name), pts, - evidence) != SUCCESS) + status = comp->verify(comp, name->get_qualifier(name), pts, evidence); + if (status == VERIFY_ERROR || status == FAILED) { state->update_recommendation(state, TNC_IMV_ACTION_RECOMMENDATION_ISOLATE, @@ -396,6 +397,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg, pts_meas_algorithms_t comp_hash_algorithm; chunk_t pcr_comp, tpm_quote_sig, evid_sig; chunk_t pcr_composite, quote_info; + imv_session_t *session; + imv_workitem_t *workitem; + enumerator_t *enumerator; bool use_quote2, use_ver_info; attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr; 
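Review bot: The rewritten condition `if (status == VERIFY_ERROR || status == FAILED)` narrows the old `!= SUCCESS` test: any other status_t value comp->verify() may return now falls through without the ISOLATE recommendation, and nothing in the hunk says which values are expected. If verify() can legitimately return a non-success status such as NEED_MORE while component evidence is still pending, a comment should say so, e.g. `/* only hard verify failures isolate; other statuses leave the component pending */`; if it cannot, the original catch-all was the safer default. imv_attestation_process continues before and after the hunk.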
@@ -449,6 +453,41 @@ quote_error: * if all expected component measurements were received */ attestation_state->finalize_components(attestation_state); + + session = state->get_session(state); + enumerator = session->create_workitem_enumerator(session); + while (enumerator->enumerate(enumerator, &workitem)) + { + if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST) + { + TNC_IMV_Action_Recommendation rec; + TNC_IMV_Evaluation_Result eval; + char *result_str; + u_int32_t error; + + error = attestation_state->get_measurement_error( + attestation_state); + if (error & (IMV_ATTESTATION_ERROR_COMP_EVID_FAIL | + IMV_ATTESTATION_ERROR_COMP_EVID_PEND | + IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL)) + { + result_str = "attestation failed"; + eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT; + } + else + { + result_str = "attestation successful"; + eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT; + } + session->remove_workitem(session, enumerator); + rec = workitem->set_result(workitem, result_str, eval); + state->update_recommendation(state, rec, eval); + imcv_db->finalize_workitem(imcv_db, workitem); + workitem->destroy(workitem); + break; + } + } + enumerator->destroy(enumerator); } if (attr_cast->get_evid_sig(attr_cast, &evid_sig))
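Review bot: The failure branch sets `eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;` immediately after `result_str = "attestation failed";`, so a component-evidence failure, pending evidence or a failed TPM quote is recorded with the same evaluation as success and the recommendation derived from it through set_result/update_recommendation will not reflect the failed attestation. The failure branch should carry a non-compliant result, e.g. `eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR;`. A short comment above the `if (error & (...))` naming the three error bits as the hard-failure set would also help a reader see why COMP_EVID_PEND counts as failure here. imv_attestation_process continues before and after the hunk.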