Catch AIK errors
This commit is contained in:
parent
fbddf52c80
commit
8b36021b5b
|
@ -293,10 +293,14 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
|
|||
imv_session_t *session;
|
||||
imv_attestation_state_t *attestation_state;
|
||||
imv_attestation_handshake_state_t handshake_state;
|
||||
imv_workitem_t *workitem;
|
||||
TNC_IMV_Action_Recommendation rec;
|
||||
TNC_IMV_Evaluation_Result eval;
|
||||
TNC_IMVID imv_id;
|
||||
TNC_Result result = TNC_RESULT_SUCCESS;
|
||||
pts_t *pts;
|
||||
char *platform_info;
|
||||
enumerator_t *enumerator;
|
||||
|
||||
if (!this->agent->get_state(this->agent, id, &state))
|
||||
{
|
||||
|
@ -369,13 +373,11 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
|
|||
(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ALGO) &&
|
||||
!(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_FILE_MEAS))
|
||||
{
|
||||
imv_workitem_t *workitem;
|
||||
bool is_dir, no_workitems = TRUE;
|
||||
u_int32_t delimiter = SOLIDUS_UTF;
|
||||
u_int16_t request_id;
|
||||
pa_tnc_attr_t *attr;
|
||||
char *pathname;
|
||||
enumerator_t *enumerator;
|
||||
|
||||
attestation_state->set_handshake_state(attestation_state,
|
||||
IMV_ATTESTATION_STATE_END);
|
||||
|
@ -406,8 +408,6 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
|
|||
{
|
||||
pts_component_t *comp;
|
||||
pts_comp_func_name_t *comp_name;
|
||||
TNC_IMV_Action_Recommendation rec;
|
||||
TNC_IMV_Evaluation_Result eval;
|
||||
bool no_d_flag, no_t_flag;
|
||||
char result_str[BUF_LEN];
|
||||
|
||||
|
@ -535,22 +535,35 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
|
|||
}
|
||||
|
||||
/* check the IMV state for the next PA-TNC attributes to send */
|
||||
if (!imv_attestation_build(out_msg, state, this->supported_dh_groups,
|
||||
this->pts_db))
|
||||
enumerator = session->create_workitem_enumerator(session);
|
||||
while (enumerator->enumerate(enumerator, &workitem))
|
||||
{
|
||||
state->set_recommendation(state,
|
||||
TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
|
||||
TNC_IMV_EVALUATION_RESULT_ERROR);
|
||||
result = out_msg->send_assessment(out_msg);
|
||||
out_msg->destroy(out_msg);
|
||||
state->set_action_flags(state, IMV_ATTESTATION_FLAG_REC);
|
||||
|
||||
if (result != TNC_RESULT_SUCCESS)
|
||||
if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST)
|
||||
{
|
||||
return result;
|
||||
if (!imv_attestation_build(out_msg, state,
|
||||
this->supported_dh_groups, this->pts_db))
|
||||
{
|
||||
imv_reason_string_t *reason_string;
|
||||
chunk_t result;
|
||||
char *result_str;
|
||||
|
||||
reason_string = imv_reason_string_create("en", ", ");
|
||||
attestation_state->add_comp_evid_reasons(attestation_state,
|
||||
reason_string);
|
||||
result = reason_string->get_encoding(reason_string);
|
||||
result_str = strndup(result.ptr, result.len);
|
||||
reason_string->destroy(reason_string);
|
||||
|
||||
eval = TNC_IMV_EVALUATION_RESULT_ERROR;
|
||||
session->remove_workitem(session, enumerator);
|
||||
rec = workitem->set_result(workitem, result_str, eval);
|
||||
state->update_recommendation(state, rec, eval);
|
||||
imcv_db->finalize_workitem(imcv_db, workitem);
|
||||
}
|
||||
break;
|
||||
}
|
||||
return this->agent->provide_recommendation(this->agent, state);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
|
||||
/* finalized all workitems? */
|
||||
if (session && session->get_policy_started(session) &&
|
||||
|
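Review bot: In the new error block inside the `IMV_WORKITEM_TPM_ATTEST` branch, `result_str` obtained from `strndup` is never freed and the workitem detached with `session->remove_workitem` is never destroyed, while the analogous sequence in the quote_error path of imv_attestation_process.c calls `workitem->destroy(workitem);` and `free(result_str);` right after `finalize_workitem`; unless `set_result` takes ownership of the string, this leaks on every failed attestation build. Adding `workitem->destroy(workitem); free(result_str);` after the `imcv_db->finalize_workitem(imcv_db, workitem);` call would mirror that path. The inner `chunk_t result;` also shadows the function-scope `TNC_Result result` declared in the first hunk; a distinct name such as `chunk_t reasons;` avoids a -Wshadow warning and the risk of the two being confused. batch_ending starts and ends outside the hunk.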
|
|
@ -98,20 +98,14 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
|
|||
attestation_state->set_handshake_state(attestation_state,
|
||||
IMV_ATTESTATION_STATE_END);
|
||||
|
||||
if (!pts->get_aik_keyid(pts, &keyid))
|
||||
{
|
||||
DBG1(DBG_IMV, "retrieval of AIK keyid failed");
|
||||
return FALSE;
|
||||
}
|
||||
if (!pts_db)
|
||||
{
|
||||
DBG1(DBG_IMV, "pts database not available");
|
||||
break;
|
||||
}
|
||||
if (pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
|
||||
if (!pts->get_aik_keyid(pts, &keyid) ||
|
||||
pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
|
||||
{
|
||||
attestation_state->set_measurement_error(attestation_state,
|
||||
IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
enumerator = attestation_state->create_component_enumerator(
|
||||
attestation_state);
|
||||
while (enumerator->enumerate(enumerator, &flags, &depth, &name))
|
||||
|
@ -146,15 +140,9 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
|
|||
}
|
||||
break;
|
||||
}
|
||||
case IMV_ATTESTATION_STATE_EVID_FINAL:
|
||||
if (attestation_state->components_finalized(attestation_state))
|
||||
{
|
||||
attestation_state->set_handshake_state(attestation_state,
|
||||
IMV_ATTESTATION_STATE_END);
|
||||
}
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
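Review bot: The combined condition `if (!pts->get_aik_keyid(pts, &keyid) || pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)` dereferences `pts_db` unconditionally, whereas the removed lines guarded it with `if (!pts_db) { DBG1(DBG_IMV, "pts database not available"); break; }`; unless every caller now guarantees a non-NULL `pts_db`, a missing database turns into a NULL dereference instead of a skipped check. Folding the guard into the new condition, `if (!pts_db || !pts->get_aik_keyid(pts, &keyid) || pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)`, keeps it safe and treats a missing database as an AIK trust failure rather than silently skipping the check as the old code did, which seems the intended direction of this commit. The two distinct DBG1 messages are also dropped, so a keyid-retrieval failure and an untrusted AIK are no longer distinguishable in the log; a single `DBG1(DBG_IMV, "no trusted AIK available");` inside the new block would keep the failure visible. imv_attestation_build starts outside the hunk.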
|
|
@ -163,7 +163,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
|
|||
if (!aik)
|
||||
{
|
||||
DBG1(DBG_IMV, "AIK unavailable");
|
||||
return FALSE;
|
||||
attestation_state->set_measurement_error(attestation_state,
|
||||
IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
|
||||
break;
|
||||
}
|
||||
if (aik->get_type(aik) == CERT_X509)
|
||||
{
|
||||
|
@ -187,7 +189,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
|
|||
trusted ? "" : "not ");
|
||||
if (!trusted)
|
||||
{
|
||||
return FALSE;
|
||||
attestation_state->set_measurement_error(attestation_state,
|
||||
IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
|
||||
break;
|
||||
}
|
||||
}
|
||||
pts->set_aik(pts, aik);
|
||||
|
@ -485,6 +489,8 @@ quote_error:
|
|||
imcv_db->finalize_workitem(imcv_db, workitem);
|
||||
workitem->destroy(workitem);
|
||||
free(result_str);
|
||||
attestation_state->set_handshake_state(attestation_state,
|
||||
IMV_ATTESTATION_STATE_END);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
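Review bot: On the `!aik` and `!trusted` paths the new code records `IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK` and `break`s instead of returning FALSE, so the function presumably continues to its normal return; whether that is safe depends on code after the switch, outside the hunk, which should be checked for any use of an AIK that was never installed via `pts->set_aik`. On the `!trusted` path the `aik` object is neither handed to `pts->set_aik(pts, aik)` nor released before the `break`; if it was created earlier in the function (outside the hunk), an `aik->destroy(aik);` before the `break` would avoid leaking it on every rejected AIK. The added `set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_END)` in the quote_error path looks consistent with the new error flagging. imv_attestation_process starts and ends outside the hunk.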
|
|
@ -162,6 +162,12 @@ static imv_lang_string_t reason_file_meas_pend[] = {
|
|||
{ NULL, NULL }
|
||||
};
|
||||
|
||||
static imv_lang_string_t reason_no_trusted_aik[] = {
|
||||
{ "en", "No trusted AIK available" },
|
||||
{ "de", "Kein vetrauenswürdiger AIK verfügbar" },
|
||||
{ NULL, NULL }
|
||||
};
|
||||
|
||||
static imv_lang_string_t reason_comp_evid_fail[] = {
|
||||
{ "en", "Incorrect component evidence" },
|
||||
{ "de", "Falsche Komponenten-Evidenz" },
|
||||
|
@ -307,6 +313,10 @@ METHOD(imv_attestation_state_t, add_file_meas_reasons, void,
|
|||
METHOD(imv_attestation_state_t, add_comp_evid_reasons, void,
|
||||
private_imv_attestation_state_t *this, imv_reason_string_t *reason_string)
|
||||
{
|
||||
if (this->measurement_error & IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK)
|
||||
{
|
||||
reason_string->add_reason(reason_string, reason_no_trusted_aik);
|
||||
}
|
||||
if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_FAIL)
|
||||
{
|
||||
reason_string->add_reason(reason_string, reason_comp_evid_fail);
|
||||
|
@ -501,12 +511,6 @@ METHOD(imv_attestation_state_t, finalize_components, void,
|
|||
}
|
||||
}
|
||||
|
||||
METHOD(imv_attestation_state_t, components_finalized, bool,
|
||||
private_imv_attestation_state_t *this)
|
||||
{
|
||||
return this->components->get_count(this->components) == 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Described in header.
|
||||
*/
|
||||
|
@ -544,7 +548,6 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
|
|||
.create_component_enumerator = _create_component_enumerator,
|
||||
.get_component = _get_component,
|
||||
.finalize_components = _finalize_components,
|
||||
.components_finalized = _components_finalized,
|
||||
.get_measurement_error = _get_measurement_error,
|
||||
.set_measurement_error = _set_measurement_error,
|
||||
.add_file_meas_reasons = _add_file_meas_reasons,
|
||||
|
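Review bot: The new German reason string has a typo, `vetrauenswürdiger`; it should read `{ "de", "Kein vertrauenswürdiger AIK verfügbar" },` since this text is what an end user sees in the recommendation reason. The new `IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK` branch in add_comp_evid_reasons follows the existing pattern of the other flags, so no further change is needed there. The enclosing function in the last hunk (imv_attestation_state_create) starts and ends outside the hunk.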
|
|
@ -65,9 +65,10 @@ enum imv_attestation_handshake_state_t {
|
|||
enum imv_meas_error_t {
|
||||
IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL = 1,
|
||||
IMV_ATTESTATION_ERROR_FILE_MEAS_PEND = 2,
|
||||
IMV_ATTESTATION_ERROR_COMP_EVID_FAIL = 4,
|
||||
IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 8,
|
||||
IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 16
|
||||
IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK = 4,
|
||||
IMV_ATTESTATION_ERROR_COMP_EVID_FAIL = 8,
|
||||
IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 16,
|
||||
IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 32
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -138,11 +139,6 @@ struct imv_attestation_state_t {
|
|||
*/
|
||||
void (*finalize_components)(imv_attestation_state_t *this);
|
||||
|
||||
/**
|
||||
* Have the Functional Component measurements been finalized?
|
||||
*/
|
||||
bool (*components_finalized)(imv_attestation_state_t *this);
|
||||
|
||||
/**
|
||||
* Indicates the types of measurement errors that occurred
|
||||
*
|
||||
|
|
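Review bot: Inserting `IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK = 4` in the middle of `imv_meas_error_t` shifts the bit values of `COMP_EVID_FAIL`, `COMP_EVID_PEND` and `TPM_QUOTE_FAIL`; if these flags are ever stored, logged numerically, or compared against anything outside this header (not visible here), the old values now mean something else. Appending the new flag as `IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK = 32` after `TPM_QUOTE_FAIL` would keep the existing values stable, and a trailing comma on the last enumerator avoids touching that line on the next addition. The `components_finalized` member is removed from the interface here, matching its removal from the implementation and the build code in the other hunks.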