Catch AIK errors

src/libpts/plugins/imv_attestation/imv_attestation_agent.c

@@ -293,10 +293,14 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 	imv_session_t *session;
 	imv_attestation_state_t *attestation_state;
 	imv_attestation_handshake_state_t handshake_state;
+	imv_workitem_t *workitem;
+	TNC_IMV_Action_Recommendation rec;
+	TNC_IMV_Evaluation_Result eval;
 	TNC_IMVID imv_id;
 	TNC_Result result = TNC_RESULT_SUCCESS;
 	pts_t *pts;
 	char *platform_info;
+	enumerator_t *enumerator;
 
 	if (!this->agent->get_state(this->agent, id, &state))
 	{
@@ -369,13 +373,11 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 	   (state->get_action_flags(state) & IMV_ATTESTATION_FLAG_ALGO) &&
 	  !(state->get_action_flags(state) & IMV_ATTESTATION_FLAG_FILE_MEAS))
 	{
-		imv_workitem_t *workitem;
 		bool is_dir, no_workitems = TRUE;
 		u_int32_t delimiter = SOLIDUS_UTF;
 		u_int16_t request_id;
 		pa_tnc_attr_t *attr;
 		char *pathname;
-		enumerator_t *enumerator;
 
 		attestation_state->set_handshake_state(attestation_state,
 											   IMV_ATTESTATION_STATE_END);
@@ -406,8 +408,6 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 					{
 						pts_component_t *comp;
 						pts_comp_func_name_t *comp_name;
-						TNC_IMV_Action_Recommendation rec;
-						TNC_IMV_Evaluation_Result eval;
 						bool no_d_flag, no_t_flag;
 						char result_str[BUF_LEN];
 
@@ -535,22 +535,35 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 	}
 
 	/* check the IMV state for the next PA-TNC attributes to send */
-	if (!imv_attestation_build(out_msg, state, this->supported_dh_groups,
-							   this->pts_db))
+	enumerator = session->create_workitem_enumerator(session);
+	while (enumerator->enumerate(enumerator, &workitem))
 	{
-		state->set_recommendation(state,
-								TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
-								TNC_IMV_EVALUATION_RESULT_ERROR);
-		result = out_msg->send_assessment(out_msg);
-		out_msg->destroy(out_msg);
-		state->set_action_flags(state, IMV_ATTESTATION_FLAG_REC);
-
-		if (result != TNC_RESULT_SUCCESS)
+		if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST)
 		{
-			return result;
+			if (!imv_attestation_build(out_msg, state,
+									   this->supported_dh_groups, this->pts_db))
+			{
+				imv_reason_string_t *reason_string;
+				chunk_t result;
+				char *result_str;
+
+				reason_string = imv_reason_string_create("en", ", ");
+				attestation_state->add_comp_evid_reasons(attestation_state,
+													 reason_string);
+				result = reason_string->get_encoding(reason_string);
+				result_str = strndup(result.ptr, result.len);
+				reason_string->destroy(reason_string);
+
+				eval = TNC_IMV_EVALUATION_RESULT_ERROR;
+				session->remove_workitem(session, enumerator);
+				rec = workitem->set_result(workitem, result_str, eval);
+				state->update_recommendation(state, rec, eval);
+				imcv_db->finalize_workitem(imcv_db, workitem);
+			}
+			break;
 		}
-		return this->agent->provide_recommendation(this->agent, state);
 	}
+	enumerator->destroy(enumerator);
 
 	/* finalized all workitems? */
 	if (session && session->get_policy_started(session) &&

src/libpts/plugins/imv_attestation/imv_attestation_build.c

@@ -98,20 +98,14 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
 			attestation_state->set_handshake_state(attestation_state,
 										IMV_ATTESTATION_STATE_END);
 
-			if (!pts->get_aik_keyid(pts, &keyid))
-			{
-				DBG1(DBG_IMV, "retrieval of AIK keyid failed");
-				return FALSE;
-			}
-			if (!pts_db)
-			{
-				DBG1(DBG_IMV, "pts database not available");
-				break;
-			}
-			if (pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
+			if (!pts->get_aik_keyid(pts, &keyid) ||
+				 pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
 			{
+				attestation_state->set_measurement_error(attestation_state,
+									IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
 				return FALSE;
 			}
+
 			enumerator = attestation_state->create_component_enumerator(
 													attestation_state);
 			while (enumerator->enumerate(enumerator, &flags, &depth, &name))
@@ -146,15 +140,9 @@ bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
 			}
 			break;
 		}
-		case IMV_ATTESTATION_STATE_EVID_FINAL:
-			if (attestation_state->components_finalized(attestation_state))
-			{
-				attestation_state->set_handshake_state(attestation_state,
-										IMV_ATTESTATION_STATE_END);
-			}
-			break;
 		default:
 			break;
 	}
+
 	return TRUE;
 }

src/libpts/plugins/imv_attestation/imv_attestation_process.c

@@ -163,7 +163,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 			if (!aik)
 			{
 				DBG1(DBG_IMV, "AIK unavailable");
-				return FALSE;
+				attestation_state->set_measurement_error(attestation_state,
+									IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
+				break;
 			}
 			if (aik->get_type(aik) == CERT_X509)
 			{
@@ -187,7 +189,9 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
 							   trusted ? "" : "not ");
 				if (!trusted)
 				{
-					return FALSE;
+					attestation_state->set_measurement_error(attestation_state,
+										IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
+					break;
 				}
 			}
 			pts->set_aik(pts, aik);
@@ -485,6 +489,8 @@ quote_error:
 						imcv_db->finalize_workitem(imcv_db, workitem);
 						workitem->destroy(workitem);
 						free(result_str);
+						attestation_state->set_handshake_state(attestation_state,
+													IMV_ATTESTATION_STATE_END);
 						break;
 					}
 				}

src/libpts/plugins/imv_attestation/imv_attestation_state.c

@@ -162,6 +162,12 @@ static imv_lang_string_t reason_file_meas_pend[] = {
 	{ NULL, NULL }
 };
 
+static imv_lang_string_t reason_no_trusted_aik[] = {
+	{ "en", "No trusted AIK available" },
+	{ "de", "Kein vetrauenswürdiger AIK verfügbar" },
+	{ NULL, NULL }
+};
+
 static imv_lang_string_t reason_comp_evid_fail[] = {
 	{ "en", "Incorrect component evidence" },
 	{ "de", "Falsche Komponenten-Evidenz" },
@@ -307,6 +313,10 @@ METHOD(imv_attestation_state_t, add_file_meas_reasons, void,
 METHOD(imv_attestation_state_t, add_comp_evid_reasons, void,
 	private_imv_attestation_state_t *this, imv_reason_string_t *reason_string)
 {
+	if (this->measurement_error & IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK)
+	{
+		reason_string->add_reason(reason_string, reason_no_trusted_aik);
+	}
 	if (this->measurement_error & IMV_ATTESTATION_ERROR_COMP_EVID_FAIL)
 	{
 		reason_string->add_reason(reason_string, reason_comp_evid_fail);
@@ -501,12 +511,6 @@ METHOD(imv_attestation_state_t, finalize_components, void,
 	}
 }
 
-METHOD(imv_attestation_state_t, components_finalized, bool,
-	private_imv_attestation_state_t *this)
-{
-	return this->components->get_count(this->components) == 0;
-}
-
 /**
  * Described in header.
  */
@@ -544,7 +548,6 @@ imv_state_t *imv_attestation_state_create(TNC_ConnectionID connection_id)
 			.create_component_enumerator = _create_component_enumerator,
 			.get_component = _get_component,
 			.finalize_components = _finalize_components,
-			.components_finalized = _components_finalized,
 			.get_measurement_error = _get_measurement_error,
 			.set_measurement_error = _set_measurement_error,
 			.add_file_meas_reasons = _add_file_meas_reasons,

src/libpts/plugins/imv_attestation/imv_attestation_state.h

@@ -65,9 +65,10 @@ enum imv_attestation_handshake_state_t {
 enum imv_meas_error_t {
 	IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL =  1,
 	IMV_ATTESTATION_ERROR_FILE_MEAS_PEND =  2,
-	IMV_ATTESTATION_ERROR_COMP_EVID_FAIL =  4,
-	IMV_ATTESTATION_ERROR_COMP_EVID_PEND =  8,
-	IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 16
+	IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK =  4,
+	IMV_ATTESTATION_ERROR_COMP_EVID_FAIL =  8,
+	IMV_ATTESTATION_ERROR_COMP_EVID_PEND = 16,
+	IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL = 32
 };
 
 /**
@@ -138,11 +139,6 @@ struct imv_attestation_state_t {
 	 */
 	void (*finalize_components)(imv_attestation_state_t *this);
 
-	/**
-	 * Have the Functional Component measurements been finalized?
-	 */
-	bool (*components_finalized)(imv_attestation_state_t *this);
-
 	/**
 	 * Indicates the types of measurement errors that occurred
 	 *