author | Andreas Steffen <andreas.steffen@strongswan.org> | 2014-04-10 10:25:39 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2014-04-15 09:21:06 +0200 |
commit | 8c40609f9640d097575d098014fd64fe478519d2 (patch) | |
tree | 214a82d262bb0b22745988634106ca1633d4494d | |
parent | 8505ce1cc639a233c730b78957030cff96d3ff26 (diff) | |
download | strongswan-8c40609f9640d097575d098014fd64fe478519d2.tar.bz2 strongswan-8c40609f9640d097575d098014fd64fe478519d2.tar.xz |
Use python-based swidGenerator to generate SWID tags
38 files changed, 717 insertions, 232 deletions
diff --git a/conf/plugins/imc-swid.opt b/conf/plugins/imc-swid.opt index 67f7c79c4..e14c94aca 100644 --- a/conf/plugins/imc-swid.opt +++ b/conf/plugins/imc-swid.opt @@ -1,2 +1,11 @@ charon.plugins.imc-swid.swid_directory = ${prefix}/share Directory where SWID tags are located. + +charon.plugins.imc-swid.swid_generator = /usr/local/bin/swid_generator + SWID generator command to be executed. + +charon.plugins.imc-swid.pretty = FALSE + Generate XML-encoded SWID tags with pretty indentation. + +charon.plugins.imc-swid.full = FALSE + Include file information in the XML-encoded SWID tags. diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.c b/src/libimcv/ietf/ietf_attr_installed_packages.c index 462805e38..f33f643af 100644 --- a/src/libimcv/ietf/ietf_attr_installed_packages.c +++ b/src/libimcv/ietf/ietf_attr_installed_packages.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Andreas Steffen + * Copyright (C) 2012-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -41,8 +41,6 @@ typedef struct package_entry_t package_entry_t; * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -#define INSTALLED_PACKAGES_MIN_SIZE 4 - /** * Private data of an ietf_attr_installed_packages_t object. */ @@ -132,7 +130,7 @@ METHOD(pa_tnc_attr_t, build, void, { return; } - writer = bio_writer_create(INSTALLED_PACKAGES_MIN_SIZE); + writer = bio_writer_create(IETF_INSTALLED_PACKAGES_MIN_SIZE); writer->write_uint16(writer, 0x0000); writer->write_uint16(writer, this->packages->get_count(this->packages)); @@ -160,7 +158,7 @@ METHOD(pa_tnc_attr_t, process, status_t, *offset = 0; - if (this->value.len < INSTALLED_PACKAGES_MIN_SIZE) + if (this->value.len < IETF_INSTALLED_PACKAGES_MIN_SIZE) { DBG1(DBG_TNC, "insufficient data for IETF installed packages"); return FAILED; 
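Review bot: The option names documented here, `charon.plugins.imc-swid.pretty` and `charon.plugins.imc-swid.full`, are not the keys the new code reads: add_swid_inventory in src/libpts/plugins/imc_swid/imc_swid.c (later in this diff) calls `lib->settings->get_bool()` with `"%s.plugins.imc-swid.swid_pretty"` and `"%s.plugins.imc-swid.swid_full"`, so setting the documented options has no effect and both stay at their FALSE defaults. Either rename the two keys in this file to `swid_pretty`/`swid_full` or change the two format strings in imc_swid.c to `%s.plugins.imc-swid.pretty` and `%s.plugins.imc-swid.full`; the `swid_directory` and `swid_generator` keys already agree between the two files. It would also help the administrator to state on `swid_generator` that the value is run through popen(), i.e. by the shell, since that is how swid_inventory.c invokes it in this commit.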
@@ -168,7 +166,7 @@ METHOD(pa_tnc_attr_t, process, status_t, reader = bio_reader_create(this->value); reader->read_uint16(reader, &reserved); reader->read_uint16(reader, &count); - *offset = INSTALLED_PACKAGES_MIN_SIZE; + *offset = IETF_INSTALLED_PACKAGES_MIN_SIZE; while (reader->remaining(reader)) { diff --git a/src/libimcv/ietf/ietf_attr_installed_packages.h b/src/libimcv/ietf/ietf_attr_installed_packages.h index b79c4040c..e19d0f47b 100644 --- a/src/libimcv/ietf/ietf_attr_installed_packages.h +++ b/src/libimcv/ietf/ietf_attr_installed_packages.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2012 Andreas Steffen + * Copyright (C) 2012-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -26,6 +26,7 @@ typedef struct ietf_attr_installed_packages_t ietf_attr_installed_packages_t; #include "ietf_attr.h" #include "pa_tnc/pa_tnc_attr.h" +#define IETF_INSTALLED_PACKAGES_MIN_SIZE 4 /** * Class implementing the IETF PA-TNC Installed Packages attribute. diff --git a/src/libimcv/imv/data.sql b/src/libimcv/imv/data.sql index 3a1d76005..dfc8b27ca 100644 --- a/src/libimcv/imv/data.sql +++ b/src/libimcv/imv/data.sql @@ -216,6 +216,30 @@ INSERT INTO products ( /* 36 */ 'Ubuntu 14.04 x86_64' ); +INSERT INTO products ( /* 37 */ + name +) VALUES ( + 'Debian 7.3 i686' +); + +INSERT INTO products ( /* 38 */ + name +) VALUES ( + 'Debian 7.3 x86_64' +); + +INSERT INTO products ( /* 39 */ + name +) VALUES ( + 'Debian 7.4 i686' +); + +INSERT INTO products ( /* 40 */ + name +) VALUES ( + 'Debian 7.4 x86_64' +); + /* Directories */ INSERT INTO directories ( /* 1 */ @@ -669,6 +693,18 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 4, 37 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 4, 39 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 5, 2 ); 
@@ -699,6 +735,18 @@ INSERT INTO groups_product_defaults ( INSERT INTO groups_product_defaults ( group_id, product_id ) VALUES ( + 5, 38 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( + 5, 40 +); + +INSERT INTO groups_product_defaults ( + group_id, product_id +) VALUES ( 6, 9 ); diff --git a/src/libimcv/pa_tnc/pa_tnc_attr.h b/src/libimcv/pa_tnc/pa_tnc_attr.h index e2ce06ee4..1e0c339c9 100644 --- a/src/libimcv/pa_tnc/pa_tnc_attr.h +++ b/src/libimcv/pa_tnc/pa_tnc_attr.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2012 Andreas Steffen + * Copyright (C) 2011-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -26,6 +26,8 @@ typedef struct pa_tnc_attr_t pa_tnc_attr_t; #include <library.h> #include <pen/pen.h> +#define PA_TNC_ATTR_HEADER_SIZE 12 + /** * Interface for an RFC 5792 PA-TNC Posture Attribute. * @@ -71,7 +73,7 @@ struct pa_tnc_attr_t { * @param relative error offset within attribute body * @return result status */ - status_t (*process)(pa_tnc_attr_t *this, u_int32_t *offset); + status_t (*process)(pa_tnc_attr_t *this, uint32_t *offset); /** * Get a new reference to the PA-TNC attribute diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.c b/src/libimcv/pa_tnc/pa_tnc_msg.c index 140463b83..77d383b93 100644 --- a/src/libimcv/pa_tnc/pa_tnc_msg.c +++ b/src/libimcv/pa_tnc/pa_tnc_msg.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2012 Andreas Steffen + * Copyright (C) 2011-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -23,7 +23,6 @@ #include <pen/pen.h> #include <utils/debug.h> - typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t; /** @@ -38,7 +37,6 @@ typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t; * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -#define PA_TNC_HEADER_SIZE 8 #define PA_TNC_RESERVED 0x000000 /** 
@@ -59,7 +57,6 @@ typedef struct private_pa_tnc_msg_t private_pa_tnc_msg_t; #define PA_TNC_ATTR_FLAG_NONE 0x00 #define PA_TNC_ATTR_FLAG_NOSKIP (1<<7) -#define PA_TNC_ATTR_HEADER_SIZE 12 #define PA_TNC_ATTR_INFO_SIZE 8 /** @@ -86,7 +83,7 @@ struct private_pa_tnc_msg_t { /** * Message identifier */ - u_int32_t identifier; + uint32_t identifier; /** * Current PA-TNC Message size @@ -139,13 +136,13 @@ METHOD(pa_tnc_msg_t, build, bool, pa_tnc_attr_t *attr; enum_name_t *pa_attr_names; pen_type_t type; - u_int8_t flags; + uint8_t flags; chunk_t value; nonce_gen_t *ng; /* generate a nonce as a message identifier */ ng = lib->crypto->create_nonce_gen(lib->crypto); - if (!ng || !ng->get_nonce(ng, 4, (u_int8_t*)&this->identifier)) + if (!ng || !ng->get_nonce(ng, 4, (uint8_t*)&this->identifier)) { DBG1(DBG_TNC, "failed to generate random PA-TNC message identifier"); DESTROY_IF(ng); @@ -205,8 +202,8 @@ METHOD(pa_tnc_msg_t, process, status_t, { bio_reader_t *reader; pa_tnc_attr_t *error; - u_int8_t version; - u_int32_t reserved, offset, attr_offset; + uint8_t version; + uint32_t reserved, offset, attr_offset; pen_type_t error_code = { PEN_IETF, PA_ERROR_INVALID_PARAMETER }; /* process message header */ @@ -237,8 +234,8 @@ METHOD(pa_tnc_msg_t, process, status_t, while (reader->remaining(reader) >= PA_TNC_ATTR_HEADER_SIZE) { pen_t vendor_id; - u_int8_t flags; - u_int32_t type, length; + uint8_t flags; + uint32_t type, length; chunk_t value, attr_info; pa_tnc_attr_t *attr; enum_name_t *pa_attr_names; @@ -372,7 +369,7 @@ METHOD(pa_tnc_msg_t, process_ietf_std_errors, bool, ietf_attr_pa_tnc_error_t *error_attr; pen_type_t error_code; chunk_t msg_info, attr_info; - u_int32_t offset; + uint32_t offset; error_attr = (ietf_attr_pa_tnc_error_t*)attr; error_code = error_attr->get_error_code(error_attr); diff --git a/src/libimcv/pa_tnc/pa_tnc_msg.h b/src/libimcv/pa_tnc/pa_tnc_msg.h index 218d3d673..84814b92b 100644 --- a/src/libimcv/pa_tnc/pa_tnc_msg.h +++ b/src/libimcv/pa_tnc/pa_tnc_msg.h 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2011-2012 Andreas Steffen + * Copyright (C) 2011-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -24,6 +24,7 @@ typedef struct pa_tnc_msg_t pa_tnc_msg_t; #define PA_TNC_VERSION 0x01 +#define PA_TNC_HEADER_SIZE 8 #include "pa_tnc_attr.h" diff --git a/src/libimcv/plugins/imc_os/imc_os.c b/src/libimcv/plugins/imc_os/imc_os.c index 7d84249d0..ed2cfdd59 100644 --- a/src/libimcv/plugins/imc_os/imc_os.c +++ b/src/libimcv/plugins/imc_os/imc_os.c @@ -353,11 +353,12 @@ static void add_installed_packages(imc_state_t *state, imc_msg_t *msg) * Compute the maximum IETF Installed Packages attribute size * leaving space for an additional ITA Angel attribute */ - max_attr_size = state->get_max_msg_len(state) - 8 - 12; + max_attr_size = state->get_max_msg_len(state) - + PA_TNC_HEADER_SIZE - PA_TNC_ATTR_HEADER_SIZE; /* At least one IETF Installed Packages attribute is sent */ attr = ietf_attr_installed_packages_create(); - attr_size = 12 + 4; + attr_size = PA_TNC_ATTR_HEADER_SIZE + IETF_INSTALLED_PACKAGES_MIN_SIZE; enumerator = os->create_package_enumerator(os); if (enumerator) @@ -384,7 +385,8 @@ static void add_installed_packages(imc_state_t *state, imc_msg_t *msg) /* create the next IETF Installed Packages attribute */ attr = ietf_attr_installed_packages_create(); - attr_size = 12 + 4; + attr_size = PA_TNC_ATTR_HEADER_SIZE + + IETF_INSTALLED_PACKAGES_MIN_SIZE; } attr_cast = (ietf_attr_installed_packages_t*)attr; attr_cast->add(attr_cast, name, version); diff --git a/src/libpts/plugins/imc_swid/imc_swid.c b/src/libpts/plugins/imc_swid/imc_swid.c index d4aaeff4d..265f46724 100644 --- a/src/libpts/plugins/imc_swid/imc_swid.c +++ b/src/libpts/plugins/imc_swid/imc_swid.c 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -24,12 +24,15 @@ #include <imc/imc_agent.h> #include <imc/imc_msg.h> +#include <ita/ita_attr.h> +#include <ita/ita_attr_angel.h> #include <tncif_pa_subtypes.h> #include <pen/pen.h> #include <utils/debug.h> +#define SWID_GENERATOR "/usr/local/bin/swid_generator" /* IMC definitions */ 
@@ -128,12 +131,156 @@ TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id, return TNC_RESULT_SUCCESS; } -static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) +/** + * Add one or multiple SWID Inventory attributes to the send queue + */ +static bool add_swid_inventory(imc_state_t *state, imc_msg_t *msg, + uint32_t request_id, bool full_tags, + swid_inventory_t *targets) { - imc_msg_t *out_msg; + pa_tnc_attr_t *attr, *attr_angel; imc_swid_state_t *swid_state; + swid_inventory_t *swid_inventory; + char *swid_directory, *swid_generator; + uint32_t eid_epoch; + size_t max_attr_size, attr_size, entry_size; + bool first = TRUE, swid_pretty, swid_full; enumerator_t *enumerator; + + swid_directory = lib->settings->get_str(lib->settings, + "%s.plugins.imc-swid.swid_directory", + SWID_DIRECTORY, lib->ns); + swid_generator = lib->settings->get_str(lib->settings, + "%s.plugins.imc-swid.swid_generator", + SWID_GENERATOR, lib->ns); + swid_pretty = lib->settings->get_bool(lib->settings, + "%s.plugins.imc-swid.swid_pretty", + FALSE, lib->ns); + swid_full = lib->settings->get_bool(lib->settings, + "%s.plugins.imc-swid.swid_full", + FALSE, lib->ns); + + swid_inventory = swid_inventory_create(full_tags); + if (!swid_inventory->collect(swid_inventory, swid_directory, swid_generator, + targets, swid_pretty, swid_full)) + { + swid_inventory->destroy(swid_inventory); + attr = swid_error_create(TCG_SWID_ERROR, request_id, + 0, "error in SWID tag collection"); + msg->add_attribute(msg, attr); + return FALSE; + } + DBG1(DBG_IMC, "collected %d SWID tag%s%s", + swid_inventory->get_count(swid_inventory), full_tags ? "" : " ID", + swid_inventory->get_count(swid_inventory) == 1 ? 
"" : "s"); + + swid_state = (imc_swid_state_t*)state; + eid_epoch = swid_state->get_eid_epoch(swid_state); + + /** + * Compute the maximum TCG Tag [ID] Inventory attribute size + * leaving space for an additional ITA Angel attribute + */ + max_attr_size = state->get_max_msg_len(state) - + PA_TNC_HEADER_SIZE - PA_TNC_ATTR_HEADER_SIZE; + + if (full_tags) + { + tcg_swid_attr_tag_inv_t *swid_attr; + swid_tag_t *tag; + chunk_t encoding, tag_file_path; + + /* At least one TCG Tag Inventory attribute is sent */ + attr_size = PA_TNC_ATTR_HEADER_SIZE + TCG_SWID_TAG_INV_MIN_SIZE; + attr = tcg_swid_attr_tag_inv_create(request_id, eid_epoch, 1); + + enumerator = swid_inventory->create_enumerator(swid_inventory); + while (enumerator->enumerate(enumerator, &tag)) + { + tag_file_path = tag->get_tag_file_path(tag); + encoding = tag->get_encoding(tag); + entry_size = 2 + tag_file_path.len + 4 + encoding.len; + + if (attr_size + entry_size > max_attr_size) + { + if (first) + { + /** + * Send an ITA Start Angel attribute to the IMV signalling + * that multiple TGC SWID Tag Inventory attributes follow + */ + attr_angel = ita_attr_angel_create(TRUE); + msg->add_attribute(msg, attr_angel); + first = FALSE; + } + msg->add_attribute(msg, attr); + + /* create the next TCG SWID Tag Inventory attribute */ + attr_size = PA_TNC_ATTR_HEADER_SIZE + + TCG_SWID_TAG_INV_MIN_SIZE; + attr = tcg_swid_attr_tag_inv_create(request_id, eid_epoch, 1); + } + swid_attr = (tcg_swid_attr_tag_inv_t*)attr; + swid_attr->add(swid_attr, tag->get_ref(tag)); + attr_size += entry_size; + } + enumerator->destroy(enumerator); + } + else + { + tcg_swid_attr_tag_id_inv_t *swid_id_attr; + swid_tag_id_t *tag_id; + chunk_t tag_creator, unique_sw_id, tag_file_path; + + /* At least one TCG Tag ID Inventory attribute is sent */ + attr_size = PA_TNC_ATTR_HEADER_SIZE + TCG_SWID_TAG_ID_INV_MIN_SIZE; + attr = tcg_swid_attr_tag_id_inv_create(request_id, eid_epoch, 1); + swid_id_attr = (tcg_swid_attr_tag_id_inv_t*)attr; + + 
enumerator = swid_inventory->create_enumerator(swid_inventory); + while (enumerator->enumerate(enumerator, &tag_id)) + { + tag_creator = tag_id->get_tag_creator(tag_id); + unique_sw_id = tag_id->get_unique_sw_id(tag_id, &tag_file_path); + entry_size = 2 + tag_creator.len + 2 + unique_sw_id.len + + 2 + tag_file_path.len; + + if (attr_size + entry_size > max_attr_size) + { + if (first) + { + /** + * Send an ITA Start Angel attribute to the IMV signalling + * that multiple TGC SWID Tag ID Inventory attributes follow + */ + attr_angel = ita_attr_angel_create(TRUE); + msg->add_attribute(msg, attr_angel); + first = FALSE; + } + msg->add_attribute(msg, attr); + + /* create the next TCG SWID Tag ID Inventory attribute */ + attr_size = PA_TNC_ATTR_HEADER_SIZE + + TCG_SWID_TAG_ID_INV_MIN_SIZE; + attr = tcg_swid_attr_tag_id_inv_create(request_id, eid_epoch, 1); + } + swid_id_attr = (tcg_swid_attr_tag_id_inv_t*)attr; + swid_id_attr->add(swid_id_attr, tag_id->get_ref(tag_id)); + attr_size += entry_size; + } + enumerator->destroy(enumerator); + } + msg->add_attribute(msg, attr); + swid_inventory->destroy(swid_inventory); + + return TRUE; +} + +static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) +{ + imc_msg_t *out_msg; pa_tnc_attr_t *attr; + enumerator_t *enumerator; pen_type_t type; TNC_Result result; bool fatal_error = FALSE; @@ -145,18 +292,16 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) return result; } out_msg = imc_msg_create_as_reply(in_msg); - swid_state = (imc_swid_state_t*)state; /* analyze PA-TNC attributes */ enumerator = in_msg->create_attribute_enumerator(in_msg); while (enumerator->enumerate(enumerator, &attr)) { tcg_swid_attr_req_t *attr_req; - u_int8_t flags; - u_int32_t request_id, eid_epoch; - swid_inventory_t *swid_inventory, *targets; - char *swid_directory; + uint8_t flags; + uint32_t request_id; bool full_tags; + swid_inventory_t *targets; type = attr->get_type(attr); 
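Review bot: add_swid_inventory only ever emits an ITA Start Angel attribute (`ita_attr_angel_create(TRUE)` in both branches when `first` is cleared) and never the matching Stop Angel after the final `msg->add_attribute(msg, attr)`, while the IMV side of this same commit (imv_swid_agent.c) only finalizes its work item once `get_angel_count()` is back to zero. Unless the Stop Angel is sent from somewhere this diff does not show, an inventory that spans several attributes would leave the IMV waiting indefinitely. Closing the sequence right after the last inventory attribute, guarded by the same `first` flag, matches what the IMV expects. The hunk's trailing context already belongs to receive_message, whose body continues in the next hunk.
```c
	msg->add_attribute(msg, attr);
	if (!first)
	{
		/* close the sequence opened by the ITA Start Angel attribute */
		attr_angel = ita_attr_angel_create(FALSE);
		msg->add_attribute(msg, attr_angel);
	}
	swid_inventory->destroy(swid_inventory);
	/* … unchanged: return TRUE … */
```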
@@ -169,7 +314,6 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) flags = attr_req->get_flags(attr_req); request_id = attr_req->get_request_id(attr_req); targets = attr_req->get_targets(attr_req); - eid_epoch = swid_state->get_eid_epoch(swid_state); if (flags & (TCG_SWID_ATTR_REQ_FLAG_S | TCG_SWID_ATTR_REQ_FLAG_C)) { @@ -180,33 +324,10 @@ static TNC_Result receive_message(imc_state_t *state, imc_msg_t *in_msg) } full_tags = (flags & TCG_SWID_ATTR_REQ_FLAG_R) == 0; - swid_directory = lib->settings->get_str(lib->settings, - "%s.plugins.imc-swid.swid_directory", - SWID_DIRECTORY, lib->ns); - swid_inventory = swid_inventory_create(full_tags); - if (!swid_inventory->collect(swid_inventory, swid_directory, targets)) + if (!add_swid_inventory(state, out_msg, request_id, full_tags, targets)) { - swid_inventory->destroy(swid_inventory); - attr = swid_error_create(TCG_SWID_ERROR, request_id, - 0, "error in SWID tag collection"); - out_msg->add_attribute(out_msg, attr); break; } - DBG1(DBG_IMC, "collected %d SWID tag%s%s", - swid_inventory->get_count(swid_inventory), full_tags ? "" : " ID", - swid_inventory->get_count(swid_inventory) == 1 ? "" : "s"); - - if (full_tags) - { - attr = tcg_swid_attr_tag_inv_create(request_id, eid_epoch, 1, - swid_inventory); - } - else - { - attr = tcg_swid_attr_tag_id_inv_create(request_id, eid_epoch, 1, - swid_inventory); - } - out_msg->add_attribute(out_msg, attr); } enumerator->destroy(enumerator); diff --git a/src/libpts/plugins/imv_swid/imv_swid_agent.c b/src/libpts/plugins/imv_swid/imv_swid_agent.c index 743037ba5..70ff80e53 100644 --- a/src/libpts/plugins/imv_swid/imv_swid_agent.c +++ b/src/libpts/plugins/imv_swid/imv_swid_agent.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -27,6 +27,8 @@ #include <ietf/ietf_attr_pa_tnc_error.h> #include <imv/imv_agent.h> #include <imv/imv_msg.h> +#include <ita/ita_attr.h> +#include <ita/ita_attr_angel.h> #include <tncif_names.h> #include <tncif_pa_subtypes.h> @@ -89,6 +91,7 @@ METHOD(imv_agent_if_t, notify_connection_change, TNC_Result, static TNC_Result receive_msg(private_imv_swid_agent_t *this, imv_state_t *state, imv_msg_t *in_msg) { + imv_swid_state_t *swid_state; imv_msg_t *out_msg; imv_session_t *session; enumerator_t *enumerator; @@ -103,6 +106,7 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this, return result; } + swid_state = (imv_swid_state_t*)state; session = state->get_session(state); /* analyze PA-TNC attributes */ @@ -112,7 +116,7 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this, TNC_IMV_Evaluation_Result eval; TNC_IMV_Action_Recommendation rec; pen_type_t type; - u_int32_t request_id, last_eid, eid_epoch; + uint32_t request_id, last_eid, eid_epoch; swid_inventory_t *inventory; int tag_count; char result_str[BUF_LEN], *tag_item; @@ -127,7 +131,7 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this, pen_type_t error_code; chunk_t msg_info, description; bio_reader_t *reader; - u_int32_t request_id = 0, max_attr_size; + uint32_t request_id = 0, max_attr_size; bool success; error_attr = (ietf_attr_pa_tnc_error_t*)attr; @@ -166,6 +170,20 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this, reader->destroy(reader); } } + else if (type.vendor_id == PEN_ITA) + { + switch (type.type) + { + case ITA_ATTR_START_ANGEL: + swid_state->set_angel_count(swid_state, TRUE); + break; + case ITA_ATTR_STOP_ANGEL: + swid_state->set_angel_count(swid_state, FALSE); + break; + default: + break; + } + } else if (type.vendor_id != PEN_TCG) { continue; 
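Review bot: The new `else if (type.vendor_id == PEN_ITA)` branch handles the Start/Stop Angel attributes but does not `continue`, so control falls through to the TCG attribute `switch` further down with an ITA type and relies on that switch's `default: continue;` to skip it (the rest of receive_msg is outside this hunk). Ending the branch with `continue;` after its `switch` makes the intent explicit and keeps an ITA attribute from being routed through TCG handling if a case is added there later. The `default: break;` for unknown ITA types is silent; a `DBG1(DBG_IMV, "unsupported ITA attribute")`-style message there would make unexpected attributes visible in the log.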
@@ -193,7 +211,7 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this, { tag_creator = tag_id->get_tag_creator(tag_id); unique_sw_id = tag_id->get_unique_sw_id(tag_id, NULL); - DBG3(DBG_IMV, " %.*s_%.*s.swidtag", + DBG3(DBG_IMV, " %.*s_%.*s", tag_creator.len, tag_creator.ptr, unique_sw_id.len, unique_sw_id.ptr); } @@ -239,6 +257,8 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this, default: continue; } + tag_count = inventory->get_count(inventory); + swid_state->set_count(swid_state, tag_count); ew = session->create_workitem_enumerator(session); while (ew->enumerate(ew, &workitem)) @@ -257,16 +277,20 @@ static TNC_Result receive_msg(private_imv_swid_agent_t *this, continue; } - eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT; - tag_count = inventory->get_count(inventory); - snprintf(result_str, BUF_LEN, "received inventory of %d SWID %s%s", - tag_count, tag_item, (tag_count == 1) ? "" : "s"); - session->remove_workitem(session, ew); - ew->destroy(ew); - rec = found->set_result(found, result_str, eval); - state->update_recommendation(state, rec, eval); - imcv_db->finalize_workitem(imcv_db, found); - found->destroy(found); + if (!swid_state->get_angel_count(swid_state)) + { + swid_state->get_count(swid_state, &tag_count); + snprintf(result_str, BUF_LEN, "received inventory of %d SWID %s%s", + tag_count, tag_item, (tag_count == 1) ? "" : "s"); + session->remove_workitem(session, ew); + ew->destroy(ew); + + eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT; + rec = found->set_result(found, result_str, eval); + state->update_recommendation(state, rec, eval); + imcv_db->finalize_workitem(imcv_db, found); + found->destroy(found); + } } enumerator->destroy(enumerator); 
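Review bot: The work item is now finalized with the value from `swid_state->get_count()`, but `set_count()` in imv_swid_state.c adds to the counter and nothing in this diff resets it after `imcv_db->finalize_workitem()`, so a second SWID request on the same connection would report the sum of both inventories in `result_str`. Reset the counter once the result has been recorded, e.g. `swid_state->set_count(swid_state, -tag_count);` right after `found->destroy(found);`, or give the state an explicit reset method. Note also that `ew->destroy(ew)` now runs only inside the new `if`; whether the work item enumerator is released on the path where `get_angel_count()` is non-zero depends on code after the loop that is outside this hunk and is worth checking.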
@@ -342,8 +366,8 @@ METHOD(imv_agent_if_t, batch_ending, TNC_Result,
 TNC_IMVID imv_id;
 TNC_Result result = TNC_RESULT_SUCCESS;
 bool no_workitems = TRUE;
- u_int32_t request_id;
- u_int8_t flags;
+ uint32_t request_id;
+ uint8_t flags;
 enumerator_t *enumerator;
 
 if (!this->agent->get_state(this->agent, id, &state))
diff --git a/src/libpts/plugins/imv_swid/imv_swid_state.c b/src/libpts/plugins/imv_swid/imv_swid_state.c
index 156a6bbe5..3afeaed53 100644
--- a/src/libpts/plugins/imv_swid/imv_swid_state.c
+++ b/src/libpts/plugins/imv_swid/imv_swid_state.c
@@ -95,6 +95,16 @@ struct private_imv_swid_state_t {
 */
 imv_remediation_string_t *remediation_string;
 
+ /**
+ * Number of processed SWID Tags or SWID Tag IDs
+ */
+ int count;
+
+ /**
+ * Angel count
+ */
+ int angel_count;
+
 };
 
 METHOD(imv_state_t, get_connection_id, TNC_ConnectionID,
@@ -223,6 +233,33 @@ METHOD(imv_swid_state_t, get_handshake_state, imv_swid_handshake_state_t,
 return this->handshake_state;
 }
 
+METHOD(imv_swid_state_t, set_count, void,
+ private_imv_swid_state_t *this, int count)
+{
+ this->count += count;
+}
+
+METHOD(imv_swid_state_t, get_count, void,
+ private_imv_swid_state_t *this, int *count)
+{
+ if (count)
+ {
+ *count = this->count;
+ }
+}
+
+METHOD(imv_swid_state_t, set_angel_count, void,
+ private_imv_swid_state_t *this, bool start)
+{
+ this->angel_count += start ? 1 : -1;
+}
+
+METHOD(imv_swid_state_t, get_angel_count, int,
+ private_imv_swid_state_t *this)
+{
+ return this->angel_count;
+}
+
 /**
 * Described in header.
 */
@@ -253,6 +290,10 @@ imv_state_t *imv_swid_state_create(TNC_ConnectionID connection_id)
 },
 .set_handshake_state = _set_handshake_state,
 .get_handshake_state = _get_handshake_state,
+ .set_count = _set_count,
+ .get_count = _get_count,
+ .set_angel_count = _set_angel_count,
+ .get_angel_count = _get_angel_count,
 },
 .state = TNC_CONNECTION_STATE_CREATE,
 .rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
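Review bot: `set_angel_count` decrements unconditionally, so a Stop Angel arriving without a preceding Start drives `angel_count` negative, and because the agent tests `get_angel_count()` for zero, every later inventory on that connection would then never be finalized. Clamp at zero instead: `if (start) { this->angel_count++; } else if (this->angel_count > 0) { this->angel_count--; }`. `set_count` adds to `count` rather than setting it, which the name hides; a short comment above `this->count += count;` such as `/* accumulates across the attributes of one angel-bracketed sequence */` would make that explicit for the next reader.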
diff --git a/src/libpts/plugins/imv_swid/imv_swid_state.h b/src/libpts/plugins/imv_swid/imv_swid_state.h index d6e5840df..7263fe966 100644 --- a/src/libpts/plugins/imv_swid/imv_swid_state.h +++ b/src/libpts/plugins/imv_swid/imv_swid_state.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -64,6 +64,34 @@ struct imv_swid_state_t { */ imv_swid_handshake_state_t (*get_handshake_state)(imv_swid_state_t *this); + /** + * Increase/Decrease the ITA Angel count + * + * @param start TRUE increases and FALSE decreases count by one + */ + void (*set_angel_count)(imv_swid_state_t *this, bool start); + + /** + * Set [or with multiple attributes increment] SWID Tag [ID] counters + * + * @param count Number of received SWID Tags or SWID Tag IDs + */ + void (*set_count)(imv_swid_state_t *this, int count); + + /** + * Set [or with multiple attributes increment] SWID Tag [ID] counters + * + * @param count Number of received SWID Tags or SWID Tag IDs + */ + void (*get_count)(imv_swid_state_t *this, int *count); + + /** + * Get the ITA Angel count + * + * @return ITA Angel count + */ + int (*get_angel_count)(imv_swid_state_t *this); + }; /** diff --git a/src/libpts/swid/swid_inventory.c b/src/libpts/swid/swid_inventory.c index a71682f43..9e85647bc 100644 --- a/src/libpts/swid/swid_inventory.c +++ b/src/libpts/swid/swid_inventory.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -18,6 +18,7 @@ #include "swid_tag_id.h" #include <collections/linked_list.h> +#include <bio/bio_writer.h> #include <utils/debug.h> #include <stdio.h> 
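Review bot: The doc comment added for `get_count` in imv_swid_state.h is a copy of the one on `set_count` ("Set [or with multiple attributes increment] SWID Tag [ID] counters") although the method reads the counter; it should say something like `Get the number of SWID Tags or SWID Tag IDs received so far` with `@param count receives the current count (may be NULL)`. The `set_count` comment promises "Set [or ...] increment", but the implementation in imv_swid_state.c in this same commit always increments, so either the comment should say that plainly or the method should be named `add_count`. The `set_angel_count` comment would also benefit from stating that the count is what gates finalizing the work item in imv_swid_agent.c.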
@@ -51,6 +52,123 @@ struct private_swid_inventory_t { linked_list_t *list; }; +static status_t generate_tags(private_swid_inventory_t *this, char *generator, + swid_inventory_t *targets, bool pretty, bool full) +{ + FILE *file; + char command[512], line[2048]; + chunk_t tag_creator, unique_sw_id, tag_file_path = chunk_empty; + swid_tag_id_t *tag_id; + swid_tag_t *tag; + status_t status = SUCCESS; + + /* Assemble the SWID generator command */ + snprintf(command, sizeof(command), "%s %s%s%s\n", generator, + (this->full_tags) ? "swid" : "software-id", + (this->full_tags && pretty) ? " --pretty" : "", + (this->full_tags && full) ? " --full" : ""); + + /* Open a pipe stream for reading the output of the dpkg-query commmand */ + file = popen(command, "r"); + if (!file) + { + DBG1(DBG_IMC, "failed to run swid_generator command"); + return NOT_SUPPORTED; + } + if (this->full_tags) + { + bio_writer_t *writer; + chunk_t tag_encoding; + bool more_tags = TRUE, end_of_tag; + + DBG2(DBG_IMC, "SWID tags generated by package manager:"); + while (more_tags) + { + end_of_tag = FALSE; + writer = bio_writer_create(512); + do + { + if (fgets(line, sizeof(line), file) <= 0) + { + more_tags = FALSE; + end_of_tag = TRUE; + break; + } + if (line[0] == '\n') + { + end_of_tag = TRUE; + break; + } + else + { + writer->write_data(writer, chunk_from_str(line)); + } + } + while (!end_of_tag); + + tag_encoding = writer->get_buf(writer); + + /* remove trailing newline if present */ + if (tag_encoding.len > 0 && + tag_encoding.ptr[tag_encoding.len - 1] == '\n') + { + tag_encoding.len--; + } + DBG2(DBG_IMC, " %.*s", tag_encoding.len, tag_encoding.ptr); + + tag = swid_tag_create(tag_encoding, tag_file_path); + this->list->insert_last(this->list, tag); + writer->destroy(writer); + } + } + else + { + DBG2(DBG_IMC, "SWID tag IDs generated by package manager:"); + while (TRUE) + { + char *separator; + size_t len; + + if (fgets(line, sizeof(line), file) <= 0) + { + goto end; + } + len = strlen(line); + + 
/* remove trailing newline if present */ + if (len > 0 && line[len - 1] == '\n') + { + len--; + } + DBG2(DBG_IMC, " %.*s", len, line); + + separator = strchr(line, '_'); + if (!separator) + { + DBG1(DBG_IMC, "separatation of regid from unique software ID " + "failed"); + status = FAILED; + goto end; + } + tag_creator = chunk_create(line, separator - line); + separator++; + + unique_sw_id = chunk_create(separator, len - (separator - line)); + tag_id = swid_tag_id_create(tag_creator, unique_sw_id, tag_file_path); + this->list->insert_last(this->list, tag_id); + + if (fgets(line, sizeof(line), file) <= 0) + { + goto end; + } + } + } + +end: + pclose(file); + return status; +} + static bool collect_tags(private_swid_inventory_t *this, char *pathname, swid_inventory_t *targets) { @@ -72,7 +190,7 @@ static bool collect_tags(private_swid_inventory_t *this, char *pathname, { char * start, *stop; chunk_t tag_creator; - chunk_t unique_sw_id = chunk_empty, unique_seq_id = chunk_empty; + chunk_t unique_sw_id = chunk_empty, tag_file_path = chunk_empty; if (!strstr(rel_name, "regid.")) { continue; @@ -121,14 +239,7 @@ static bool collect_tags(private_swid_inventory_t *this, char *pathname, goto end; } tag_creator = chunk_create(start, stop-start); - start = stop + 1; - stop = strchr(start, '_'); - if (stop) - { - unique_sw_id = chunk_create(start, stop-start); - start = stop + 1; - } stop = strstr(start, ".swidtag"); if (!stop) @@ -137,14 +248,8 @@ static bool collect_tags(private_swid_inventory_t *this, char *pathname, DBG1(DBG_IMC, " swidtag postfix not found"); goto end; } - if (unique_sw_id.ptr) - { - unique_seq_id = chunk_create(start, stop-start); - } - else - { - unique_sw_id = chunk_create(start, stop-start); - } + unique_sw_id = chunk_create(start, stop-start); + tag_file_path = chunk_from_str(abs_name); /* In case of a targeted request */ if (targets->get_count(targets)) 
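Review bot: `fgets(line, sizeof(line), file) <= 0` (used three times in generate_tags) compares a pointer with an integer through a relational operator, which is not valid C even though GCC only warns; test `if (!fgets(line, sizeof(line), file))` instead. `DBG2(DBG_IMC, " %.*s", len, line)` passes a `size_t` where the `%.*s` precision expects an `int`; cast it, `(int)len`. The command assembled by `snprintf()` into `command[512]` is handed to `popen()`, i.e. to the shell, with the configured `generator` path unquoted and the `snprintf()` result unchecked, so a path containing spaces or shell metacharacters, or one longer than the buffer, runs something other than what was configured; checking the length and quoting the path, or spawning the generator with an explicit argv, would close that gap. `pclose()`'s return value is discarded, so a generator that exits non-zero (or a shell that cannot find it) still yields SUCCESS, and the `targets` parameter is never used, so a targeted request receives the whole generated inventory. The comment `/* Open a pipe stream for reading the output of the dpkg-query commmand */` names the wrong command and has a typo; `/* Open a pipe stream for reading the output of the SWID generator */` fits.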
@@ -187,7 +292,7 @@ static bool collect_tags(private_swid_inventory_t *this, char *pathname, goto end; } - tag = swid_tag_create(*xml_tag, unique_seq_id); + tag = swid_tag_create(*xml_tag, tag_file_path); this->list->insert_last(this->list, tag); chunk_unmap(xml_tag); } @@ -195,10 +300,9 @@ static bool collect_tags(private_swid_inventory_t *this, char *pathname, { swid_tag_id_t *tag_id; - tag_id = swid_tag_id_create(tag_creator, unique_sw_id, unique_seq_id); + tag_id = swid_tag_id_create(tag_creator, unique_sw_id, tag_file_path); this->list->insert_last(this->list, tag_id); } - } success = TRUE; @@ -210,8 +314,18 @@ end: } METHOD(swid_inventory_t, collect, bool, - private_swid_inventory_t *this, char *directory, swid_inventory_t *targets) + private_swid_inventory_t *this, char *directory, char *generator, + swid_inventory_t *targets, bool pretty, bool full) { + /** + * Tags are generated by a package manager + */ + generate_tags(this, generator, targets, pretty, full); + + /** + * Collect swidtag files by iteratively entering all directories in + * the tree under the "directory" path. + */ return collect_tags(this, directory, targets); } diff --git a/src/libpts/swid/swid_inventory.h b/src/libpts/swid/swid_inventory.h index 68d3047aa..7de8bb221 100644 --- a/src/libpts/swid/swid_inventory.h +++ b/src/libpts/swid/swid_inventory.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
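Review bot: The `status_t` returned by `generate_tags()` is dropped in `collect`, so a generator that cannot be started (NOT_SUPPORTED) or output that fails to parse (FAILED) is invisible to the caller and the method goes on to return whatever `collect_tags()` reports; the `@return TRUE if successful` contract in swid_inventory.h then no longer holds. Check it, e.g. `if (generate_tags(this, generator, targets, pretty, full) == FAILED) { return FALSE; }`, and decide explicitly whether an unavailable generator is to be tolerated (a DBG1 is already logged in that case). The two `/** ... */` blocks inside the method body would better be plain `/* */` comments, since Doxygen treats `/**` as documentation for the next declaration.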
@@ -34,11 +34,14 @@ struct swid_inventory_t { * Collect the SWID tags stored on the endpoint * * @param directory SWID directory path + * @param generator Path to SWID generator * @param targets List of target tag IDs + * @param pretty Generate indented XML SWID tags + * @param full Include file information in SWID tags * @return TRUE if successful */ - bool (*collect)(swid_inventory_t *this, char *directory, - swid_inventory_t *targets); + bool (*collect)(swid_inventory_t *this, char *directory, char *generator, + swid_inventory_t *targets, bool pretty, bool full); /** * Collect the SWID tags stored on the endpoint diff --git a/src/libpts/swid/swid_tag.c b/src/libpts/swid/swid_tag.c index 0b6519693..c71d5d2bd 100644 --- a/src/libpts/swid/swid_tag.c +++ b/src/libpts/swid/swid_tag.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -34,10 +34,14 @@ struct private_swid_tag_t { chunk_t encoding; /** - * Optional Unique Sequence ID + * Optional Tag File Path */ - chunk_t unique_seq_id; + chunk_t tag_file_path; + /** + * Reference count + */ + refcount_t ref; }; METHOD(swid_tag_t, get_encoding, chunk_t, 
@@ -46,39 +50,51 @@ METHOD(swid_tag_t, get_encoding, chunk_t, return this->encoding; } -METHOD(swid_tag_t, get_unique_seq_id, chunk_t, +METHOD(swid_tag_t, get_tag_file_path, chunk_t, private_swid_tag_t *this) { - return this->unique_seq_id; + return this->tag_file_path; +} + +METHOD(swid_tag_t, get_ref, swid_tag_t*, + private_swid_tag_t *this) +{ + ref_get(&this->ref); + return &this->public; } METHOD(swid_tag_t, destroy, void, private_swid_tag_t *this) { - free(this->encoding.ptr); - free(this->unique_seq_id.ptr); - free(this); + if (ref_put(&this->ref)) + { + free(this->encoding.ptr); + free(this->tag_file_path.ptr); + free(this); + } } /** * See header */ -swid_tag_t *swid_tag_create(chunk_t encoding, chunk_t unique_seq_id) +swid_tag_t *swid_tag_create(chunk_t encoding, chunk_t tag_file_path) { private_swid_tag_t *this; INIT(this, .public = { .get_encoding = _get_encoding, - .get_unique_seq_id = _get_unique_seq_id, + .get_tag_file_path = _get_tag_file_path, + .get_ref = _get_ref, .destroy = _destroy, }, .encoding = chunk_clone(encoding), + .ref = 1, ); - if (unique_seq_id.len > 0) + if (tag_file_path.len > 0) { - this->unique_seq_id = chunk_clone(unique_seq_id); + this->tag_file_path = chunk_clone(tag_file_path); } return &this->public; diff --git a/src/libpts/swid/swid_tag.h b/src/libpts/swid/swid_tag.h index 9d3f86333..e20c538ea 100644 --- a/src/libpts/swid/swid_tag.h +++ b/src/libpts/swid/swid_tag.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -39,11 +39,18 @@ struct swid_tag_t { chunk_t (*get_encoding)(swid_tag_t *this); /** - * Get th Optional Unique Sequence ID + * Get th Optional Tag File Path * - * @return Optional Unique Sequence ID + * @return Optional Tag File Path */ - chunk_t (*get_unique_seq_id)(swid_tag_t *this); + chunk_t (*get_tag_file_path)(swid_tag_t *this); + + /** + * Get a new reference to the swid_tag object + * + * @return this, with an increased refcount + */ + swid_tag_t* (*get_ref)(swid_tag_t *this); /** * Destroys a swid_tag_t object. @@ -56,8 +63,8 @@ struct swid_tag_t { * Creates a swid_tag_t object * * @param encoding XML encoding of SWID tag - * @param unique_seq_id Unique Sequence ID or empty chunk + * @param tag_file_path Tag File Path or empty chunk */ -swid_tag_t* swid_tag_create(chunk_t encoding, chunk_t unique_seq_id); +swid_tag_t* swid_tag_create(chunk_t encoding, chunk_t tag_file_path); #endif /** SWID_TAG_H_ @}*/ diff --git a/src/libpts/swid/swid_tag_id.c b/src/libpts/swid/swid_tag_id.c index 7ad486d4b..8bede28a0 100644 --- a/src/libpts/swid/swid_tag_id.c +++ b/src/libpts/swid/swid_tag_id.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -39,10 +39,14 @@ struct private_swid_tag_id_t { chunk_t unique_sw_id; /** - * Optional Unique Sequence ID + * Tag File Path */ - chunk_t unique_seq_id; + chunk_t tag_file_path; + /** + * Reference count + */ + refcount_t ref; }; METHOD(swid_tag_id_t, get_tag_creator, chunk_t, 
@@ -52,29 +56,39 @@ METHOD(swid_tag_id_t, get_tag_creator, chunk_t, } METHOD(swid_tag_id_t, get_unique_sw_id, chunk_t, - private_swid_tag_id_t *this, chunk_t *unique_seq_id) + private_swid_tag_id_t *this, chunk_t *tag_file_path) { - if (unique_seq_id) + if (tag_file_path) { - *unique_seq_id = this->unique_seq_id; + *tag_file_path = this->tag_file_path; } return this->unique_sw_id; } +METHOD(swid_tag_id_t, get_ref, swid_tag_id_t*, + private_swid_tag_id_t *this) +{ + ref_get(&this->ref); + return &this->public; +} + METHOD(swid_tag_id_t, destroy, void, private_swid_tag_id_t *this) { - free(this->tag_creator.ptr); - free(this->unique_sw_id.ptr); - free(this->unique_seq_id.ptr); - free(this); + if (ref_put(&this->ref)) + { + free(this->tag_creator.ptr); + free(this->unique_sw_id.ptr); + free(this->tag_file_path.ptr); + free(this); + } } /** * See header */ swid_tag_id_t *swid_tag_id_create(chunk_t tag_creator, chunk_t unique_sw_id, - chunk_t unique_seq_id) + chunk_t tag_file_path) { private_swid_tag_id_t *this; @@ -82,15 +96,17 @@ swid_tag_id_t *swid_tag_id_create(chunk_t tag_creator, chunk_t unique_sw_id, .public = { .get_tag_creator = _get_tag_creator, .get_unique_sw_id = _get_unique_sw_id, + .get_ref = _get_ref, .destroy = _destroy, }, .tag_creator = chunk_clone(tag_creator), .unique_sw_id = chunk_clone(unique_sw_id), + .ref = 1, ); - if (unique_seq_id.len > 0) + if (tag_file_path.len > 0) { - this->unique_seq_id = chunk_clone(unique_seq_id); + this->tag_file_path = chunk_clone(tag_file_path); } return &this->public; diff --git a/src/libpts/swid/swid_tag_id.h b/src/libpts/swid/swid_tag_id.h index d4715967d..d2a783b35 100644 --- a/src/libpts/swid/swid_tag_id.h +++ b/src/libpts/swid/swid_tag_id.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -39,12 +39,19 @@ struct swid_tag_id_t { chunk_t (*get_tag_creator)(swid_tag_id_t *this); /** - * Get the Unique Software ID and optional Unique Sequence ID + * Get the Unique Software ID and optional Tag File Path * - * @param Optional Unique Sequence ID + * @param Optional Tag File Path * @return Unique Software ID */ - chunk_t (*get_unique_sw_id)(swid_tag_id_t *this, chunk_t *unique_seq_id); + chunk_t (*get_unique_sw_id)(swid_tag_id_t *this, chunk_t *tag_file_path); + + /** + * Get a new reference to the swid_tag_id object + * + * @return this, with an increased refcount + */ + swid_tag_id_t* (*get_ref)(swid_tag_id_t *this); /** * Destroys a swid_tag_id_t object. @@ -58,9 +65,9 @@ struct swid_tag_id_t { * * @param tag_creator Tag Creator * @param unique_sw_id Unique Software ID - * @param unique_seq_id Unique Sequence ID or empty chunk + * @param tag_file_path Tag File Path or empty chunk */ swid_tag_id_t* swid_tag_id_create(chunk_t tag_creator, chunk_t unique_sw_id, - chunk_t unique_seq_id); + chunk_t tag_file_path); #endif /** SWID_TAG_ID_H_ @}*/ diff --git a/src/libpts/tcg/swid/tcg_swid_attr_tag_id_inv.c b/src/libpts/tcg/swid/tcg_swid_attr_tag_id_inv.c index 429919edd..33aa16d53 100644 --- a/src/libpts/tcg/swid/tcg_swid_attr_tag_id_inv.c +++ b/src/libpts/tcg/swid/tcg_swid_attr_tag_id_inv.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it 
@@ -42,12 +42,11 @@ typedef struct private_tcg_swid_attr_tag_id_inv_t private_tcg_swid_attr_tag_id_i * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Unique Software ID Length |Unique Software ID (var length)| * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - * | Unique Sequence ID Length |Unique Sequence ID (var length)| + * | Tag File Path Length | Tag File Path (var. length) | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -#define SWID_TAG_ID_INV_SIZE 16 -#define SWID_TAG_ID_INV_RESERVED 0x00 +#define TCG_SWID_TAG_ID_INV_RESERVED 0x00 /** * Private data of an tcg_swid_attr_tag_id_inv_t object. @@ -77,17 +76,17 @@ struct private_tcg_swid_attr_tag_id_inv_t { /** * Request ID */ - u_int32_t request_id; + uint32_t request_id; /** * Event ID Epoch */ - u_int32_t eid_epoch; + uint32_t eid_epoch; /** * Last Event ID */ - u_int32_t last_eid; + uint32_t last_eid; /** * SWID Tag ID Inventory @@ -129,7 +128,7 @@ METHOD(pa_tnc_attr_t, build, void, { bio_writer_t *writer; swid_tag_id_t *tag_id; - chunk_t tag_creator, unique_sw_id, unique_seq_id; + chunk_t tag_creator, unique_sw_id, tag_file_path; enumerator_t *enumerator; if (this->value.ptr) @@ -137,8 +136,8 @@ METHOD(pa_tnc_attr_t, build, void, return; } - writer = bio_writer_create(SWID_TAG_ID_INV_SIZE); - writer->write_uint8 (writer, SWID_TAG_ID_INV_RESERVED); + writer = bio_writer_create(TCG_SWID_TAG_ID_INV_MIN_SIZE); + writer->write_uint8 (writer, TCG_SWID_TAG_ID_INV_RESERVED); writer->write_uint24(writer, this->inventory->get_count(this->inventory)); writer->write_uint32(writer, this->request_id); writer->write_uint32(writer, this->eid_epoch); 
@@ -148,10 +147,10 @@ METHOD(pa_tnc_attr_t, build, void, while (enumerator->enumerate(enumerator, &tag_id)) { tag_creator = tag_id->get_tag_creator(tag_id); - unique_sw_id = tag_id->get_unique_sw_id(tag_id, &unique_seq_id); + unique_sw_id = tag_id->get_unique_sw_id(tag_id, &tag_file_path); writer->write_data16(writer, tag_creator); writer->write_data16(writer, unique_sw_id); - writer->write_data16(writer, unique_seq_id); + writer->write_data16(writer, tag_file_path); } enumerator->destroy(enumerator); @@ -160,15 +159,15 @@ METHOD(pa_tnc_attr_t, build, void, } METHOD(pa_tnc_attr_t, process, status_t, - private_tcg_swid_attr_tag_id_inv_t *this, u_int32_t *offset) + private_tcg_swid_attr_tag_id_inv_t *this, uint32_t *offset) { bio_reader_t *reader; - u_int32_t tag_id_count; - u_int8_t reserved; - chunk_t tag_creator, unique_sw_id, unique_seq_id; + uint32_t tag_id_count; + uint8_t reserved; + chunk_t tag_creator, unique_sw_id, tag_file_path; swid_tag_id_t *tag_id; - if (this->value.len < SWID_TAG_ID_INV_SIZE) + if (this->value.len < TCG_SWID_TAG_ID_INV_MIN_SIZE) { DBG1(DBG_TNC, "insufficient data for SWID Tag Identifier Inventory"); *offset = 0; @@ -181,7 +180,7 @@ METHOD(pa_tnc_attr_t, process, status_t, reader->read_uint32(reader, &this->request_id); reader->read_uint32(reader, &this->eid_epoch); reader->read_uint32(reader, &this->last_eid); - *offset = SWID_TAG_ID_INV_SIZE; + *offset = TCG_SWID_TAG_ID_INV_MIN_SIZE; while (tag_id_count--) { 
@@ -199,14 +198,14 @@ METHOD(pa_tnc_attr_t, process, status_t, } *offset += 2 + unique_sw_id.len; - if (!reader->read_data16(reader, &unique_seq_id)) + if (!reader->read_data16(reader, &tag_file_path)) { - DBG1(DBG_TNC, "insufficient data for Unique Sequence ID"); + DBG1(DBG_TNC, "insufficient data for Tag File Path"); return FAILED; } - *offset += 2 + unique_seq_id.len; + *offset += 2 + tag_file_path.len; - tag_id = swid_tag_id_create(tag_creator, unique_sw_id, unique_seq_id); + tag_id = swid_tag_id_create(tag_creator, unique_sw_id, tag_file_path); this->inventory->add(this->inventory, tag_id); } reader->destroy(reader); @@ -232,14 +231,20 @@ METHOD(pa_tnc_attr_t, destroy, void, } } -METHOD(tcg_swid_attr_tag_id_inv_t, get_request_id, u_int32_t, +METHOD(tcg_swid_attr_tag_id_inv_t, add, void, + private_tcg_swid_attr_tag_id_inv_t *this, swid_tag_id_t *tag_id) +{ + this->inventory->add(this->inventory, tag_id); +} + +METHOD(tcg_swid_attr_tag_id_inv_t, get_request_id, uint32_t, private_tcg_swid_attr_tag_id_inv_t *this) { return this->request_id; } -METHOD(tcg_swid_attr_tag_id_inv_t, get_last_eid, u_int32_t, - private_tcg_swid_attr_tag_id_inv_t *this, u_int32_t *eid_epoch) +METHOD(tcg_swid_attr_tag_id_inv_t, get_last_eid, uint32_t, + private_tcg_swid_attr_tag_id_inv_t *this, uint32_t *eid_epoch) { if (eid_epoch) { @@ -257,10 +262,9 @@ METHOD(tcg_swid_attr_tag_id_inv_t, get_inventory, swid_inventory_t*, /** * Described in header. */ -pa_tnc_attr_t *tcg_swid_attr_tag_id_inv_create(u_int32_t request_id, - u_int32_t eid_epoch, - u_int32_t eid, - swid_inventory_t *inventory) +pa_tnc_attr_t *tcg_swid_attr_tag_id_inv_create(uint32_t request_id, + uint32_t eid_epoch, + uint32_t eid) { private_tcg_swid_attr_tag_id_inv_t *this; @@ -276,6 +280,7 @@ pa_tnc_attr_t *tcg_swid_attr_tag_id_inv_create(u_int32_t request_id, .get_ref = _get_ref, .destroy = _destroy, }, + .add = _add, .get_request_id = _get_request_id, .get_last_eid = _get_last_eid, .get_inventory = _get_inventory, 
@@ -284,7 +289,7 @@ pa_tnc_attr_t *tcg_swid_attr_tag_id_inv_create(u_int32_t request_id, .request_id = request_id, .eid_epoch = eid_epoch, .last_eid = eid, - .inventory = inventory, + .inventory = swid_inventory_create(FALSE), .ref = 1, ); @@ -311,6 +316,7 @@ pa_tnc_attr_t *tcg_swid_attr_tag_id_inv_create_from_data(chunk_t data) .get_ref = _get_ref, .destroy = _destroy, }, + .add = _add, .get_request_id = _get_request_id, .get_last_eid = _get_last_eid, .get_inventory = _get_inventory, diff --git a/src/libpts/tcg/swid/tcg_swid_attr_tag_id_inv.h b/src/libpts/tcg/swid/tcg_swid_attr_tag_id_inv.h index 1a0cbe7d2..9072ddcfe 100644 --- a/src/libpts/tcg/swid/tcg_swid_attr_tag_id_inv.h +++ b/src/libpts/tcg/swid/tcg_swid_attr_tag_id_inv.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -29,6 +29,8 @@ typedef struct tcg_swid_attr_tag_id_inv_t tcg_swid_attr_tag_id_inv_t; #include <pa_tnc/pa_tnc_attr.h> +#define TCG_SWID_TAG_ID_INV_MIN_SIZE 16 + /** * Class implementing the TCG SWID Tag Identifier Inventory attribute * @@ -41,11 +43,18 @@ struct tcg_swid_attr_tag_id_inv_t { pa_tnc_attr_t pa_tnc_attribute; /** + * Add a Tag ID to the attribute + * + * @tag_id SWID Tag ID to be added + */ + void (*add)(tcg_swid_attr_tag_id_inv_t *this, swid_tag_id_t *tag_id); + + /** * Get Request ID * * @return Request ID */ - u_int32_t (*get_request_id)(tcg_swid_attr_tag_id_inv_t *this); + uint32_t (*get_request_id)(tcg_swid_attr_tag_id_inv_t *this); /** * Get Last Event ID @@ -53,8 +62,8 @@ struct tcg_swid_attr_tag_id_inv_t { * @param eid_epoch Event ID Epoch * @return Last Event ID */ - u_int32_t (*get_last_eid)(tcg_swid_attr_tag_id_inv_t *this, - u_int32_t *eid_epoch); + uint32_t (*get_last_eid)(tcg_swid_attr_tag_id_inv_t *this, + uint32_t *eid_epoch); /** * Get Inventory of SWID tag IDs 
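Review bot: `* @tag_id SWID Tag ID to be added` in the doc comment of the new `add` method in tcg_swid_attr_tag_id_inv.h is not a valid Doxygen tag and will not render as a parameter; it should read `* @param tag_id SWID Tag ID to be added`. The comment should also state the ownership rule, because `add` forwards the object to `this->inventory->add`, whose semantics are not visible here, and this commit adds `get_ref` to swid_tag_id_t, which suggests callers may have to pass a reference they no longer own; something like `* @param tag_id SWID Tag ID to be added (ownership is passed to the attribute — confirm against swid_inventory_t.add)` would make that explicit.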
@@ -71,12 +80,10 @@ struct tcg_swid_attr_tag_id_inv_t { * @param request_id Copy of the Request ID * @param eid_epoch Event ID Epoch * @param eid Last Event ID - * @param inventory SWID Tag Inventory */ -pa_tnc_attr_t* tcg_swid_attr_tag_id_inv_create(u_int32_t request_id, - u_int32_t eid_epoch, - u_int32_t eid, - swid_inventory_t *inventory); +pa_tnc_attr_t* tcg_swid_attr_tag_id_inv_create(uint32_t request_id, + uint32_t eid_epoch, + uint32_t eid); /** * Creates an tcg_swid_attr_tag_id_inv_t object from received data diff --git a/src/libpts/tcg/swid/tcg_swid_attr_tag_inv.c b/src/libpts/tcg/swid/tcg_swid_attr_tag_inv.c index 82b9ef958..fbb94c6c2 100644 --- a/src/libpts/tcg/swid/tcg_swid_attr_tag_inv.c +++ b/src/libpts/tcg/swid/tcg_swid_attr_tag_inv.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -38,7 +38,7 @@ typedef struct private_tcg_swid_attr_tag_inv_t private_tcg_swid_attr_tag_inv_t; * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Last EID | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - * | Unique Sequence ID Length |Unique Sequence ID (var length)| + * | Tag File Path Length | Tag File Path (var length) | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ * | Tag Length | * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ @@ -46,8 +46,7 @@ typedef struct private_tcg_swid_attr_tag_inv_t private_tcg_swid_attr_tag_inv_t; * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -#define SWID_TAG_INV_SIZE 16 -#define SWID_TAG_INV_RESERVED 0x00 +#define TCG_SWID_TAG_INV_RESERVED 0x00 /** * Private data of an tcg_swid_attr_tag_inv_t object. 
@@ -77,17 +76,17 @@ struct private_tcg_swid_attr_tag_inv_t { /** * Request ID */ - u_int32_t request_id; + uint32_t request_id; /** * Event ID Epoch */ - u_int32_t eid_epoch; + uint32_t eid_epoch; /** * Last Event ID */ - u_int32_t last_eid; + uint32_t last_eid; /** * SWID Tag Inventory @@ -136,8 +135,8 @@ METHOD(pa_tnc_attr_t, build, void, return; } - writer = bio_writer_create(SWID_TAG_INV_SIZE); - writer->write_uint8 (writer, SWID_TAG_INV_RESERVED); + writer = bio_writer_create(TCG_SWID_TAG_INV_MIN_SIZE); + writer->write_uint8 (writer, TCG_SWID_TAG_INV_RESERVED); writer->write_uint24(writer, this->inventory->get_count(this->inventory)); writer->write_uint32(writer, this->request_id); writer->write_uint32(writer, this->eid_epoch); @@ -146,7 +145,7 @@ METHOD(pa_tnc_attr_t, build, void, enumerator = this->inventory->create_enumerator(this->inventory); while (enumerator->enumerate(enumerator, &tag)) { - writer->write_data16(writer, tag->get_unique_seq_id(tag)); + writer->write_data16(writer, tag->get_tag_file_path(tag)); writer->write_data32(writer, tag->get_encoding(tag)); } enumerator->destroy(enumerator); @@ -156,15 +155,15 @@ METHOD(pa_tnc_attr_t, build, void, } METHOD(pa_tnc_attr_t, process, status_t, - private_tcg_swid_attr_tag_inv_t *this, u_int32_t *offset) + private_tcg_swid_attr_tag_inv_t *this, uint32_t *offset) { bio_reader_t *reader; - u_int32_t tag_count; - u_int8_t reserved; - chunk_t tag_encoding, unique_seq_id; + uint32_t tag_count; + uint8_t reserved; + chunk_t tag_encoding, tag_file_path; swid_tag_t *tag; - if (this->value.len < SWID_TAG_INV_SIZE) + if (this->value.len < TCG_SWID_TAG_INV_MIN_SIZE) { DBG1(DBG_TNC, "insufficient data for SWID Tag Inventory"); *offset = 0; 
@@ -177,16 +176,16 @@ METHOD(pa_tnc_attr_t, process, status_t, reader->read_uint32(reader, &this->request_id); reader->read_uint32(reader, &this->eid_epoch); reader->read_uint32(reader, &this->last_eid); - *offset = SWID_TAG_INV_SIZE; + *offset = TCG_SWID_TAG_INV_MIN_SIZE; while (tag_count--) { - if (!reader->read_data16(reader, &unique_seq_id)) + if (!reader->read_data16(reader, &tag_file_path)) { - DBG1(DBG_TNC, "insufficient data for Unique Sequence ID"); + DBG1(DBG_TNC, "insufficient data for Tag File Path"); return FAILED; } - *offset += 2 + unique_seq_id.len; + *offset += 2 + tag_file_path.len; if (!reader->read_data32(reader, &tag_encoding)) { @@ -195,7 +194,7 @@ METHOD(pa_tnc_attr_t, process, status_t, } *offset += 4 + tag_encoding.len; - tag = swid_tag_create(tag_encoding, unique_seq_id); + tag = swid_tag_create(tag_encoding, tag_file_path); this->inventory->add(this->inventory, tag); } reader->destroy(reader); @@ -221,14 +220,20 @@ METHOD(pa_tnc_attr_t, destroy, void, } } -METHOD(tcg_swid_attr_tag_inv_t, get_request_id, u_int32_t, +METHOD(tcg_swid_attr_tag_inv_t, add, void, + private_tcg_swid_attr_tag_inv_t *this, swid_tag_t *tag) +{ + this->inventory->add(this->inventory, tag); +} + +METHOD(tcg_swid_attr_tag_inv_t, get_request_id, uint32_t, private_tcg_swid_attr_tag_inv_t *this) { return this->request_id; } -METHOD(tcg_swid_attr_tag_inv_t, get_last_eid, u_int32_t, - private_tcg_swid_attr_tag_inv_t *this, u_int32_t *eid_epoch) +METHOD(tcg_swid_attr_tag_inv_t, get_last_eid, uint32_t, + private_tcg_swid_attr_tag_inv_t *this, uint32_t *eid_epoch) { if (eid_epoch) { @@ -246,9 +251,8 @@ METHOD(tcg_swid_attr_tag_inv_t, get_inventory, swid_inventory_t*, /** * Described in header. */ -pa_tnc_attr_t *tcg_swid_attr_tag_inv_create(u_int32_t request_id, - u_int32_t eid_epoch, u_int32_t eid, - swid_inventory_t *inventory) +pa_tnc_attr_t *tcg_swid_attr_tag_inv_create(uint32_t request_id, + uint32_t eid_epoch, uint32_t eid) { private_tcg_swid_attr_tag_inv_t *this; 
@@ -264,6 +268,7 @@ pa_tnc_attr_t *tcg_swid_attr_tag_inv_create(u_int32_t request_id, .get_ref = _get_ref, .destroy = _destroy, }, + .add = _add, .get_request_id = _get_request_id, .get_last_eid = _get_last_eid, .get_inventory = _get_inventory, @@ -272,7 +277,7 @@ pa_tnc_attr_t *tcg_swid_attr_tag_inv_create(u_int32_t request_id, .request_id = request_id, .eid_epoch = eid_epoch, .last_eid = eid, - .inventory = inventory, + .inventory = swid_inventory_create(TRUE), .ref = 1, ); @@ -299,6 +304,7 @@ pa_tnc_attr_t *tcg_swid_attr_tag_inv_create_from_data(chunk_t data) .get_ref = _get_ref, .destroy = _destroy, }, + .add = _add, .get_request_id = _get_request_id, .get_last_eid = _get_last_eid, .get_inventory = _get_inventory, diff --git a/src/libpts/tcg/swid/tcg_swid_attr_tag_inv.h b/src/libpts/tcg/swid/tcg_swid_attr_tag_inv.h index 433f55ee0..fcb49b26a 100644 --- a/src/libpts/tcg/swid/tcg_swid_attr_tag_inv.h +++ b/src/libpts/tcg/swid/tcg_swid_attr_tag_inv.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013 Andreas Steffen + * Copyright (C) 2013-2014 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -29,6 +29,8 @@ typedef struct tcg_swid_attr_tag_inv_t tcg_swid_attr_tag_inv_t; #include <pa_tnc/pa_tnc_attr.h> +#define TCG_SWID_TAG_INV_MIN_SIZE 16 + /** * Class implementing the TCG SWID Tag Inventory attribute * @@ -41,11 +43,17 @@ struct tcg_swid_attr_tag_inv_t { pa_tnc_attr_t pa_tnc_attribute; /** + * Add a Tag ID to the attribute + * + * @tag SWID Tag to be added + */ + void (*add)(tcg_swid_attr_tag_inv_t *this, swid_tag_t *tag); + /** * Get Request ID * * @return Request ID */ - u_int32_t (*get_request_id)(tcg_swid_attr_tag_inv_t *this); + uint32_t (*get_request_id)(tcg_swid_attr_tag_inv_t *this); /** * Get Last Event ID 
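Review bot: The doc comment for the new `add` method in tcg_swid_attr_tag_inv.h looks copied from the Tag ID variant: its summary says `* Add a Tag ID to the attribute` although the method takes a `swid_tag_t *tag`, and `* @tag SWID Tag to be added` is not a Doxygen command. Suggest `* Add a SWID Tag to the attribute` and `* @param tag SWID Tag to be added`, plus a note on whether ownership of `tag` passes to the attribute (it is forwarded to `this->inventory->add`, whose contract is not visible here). As a style point, the sibling header separates `void (*add)(...);` from the next `/**` with a blank line while this one does not.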
@@ -53,8 +61,8 @@ struct tcg_swid_attr_tag_inv_t { * @param eid_epoch Event ID Epoch * @return Last Event ID */ - u_int32_t (*get_last_eid)(tcg_swid_attr_tag_inv_t *this, - u_int32_t *eid_epoch); + uint32_t (*get_last_eid)(tcg_swid_attr_tag_inv_t *this, + uint32_t *eid_epoch); /** * Get Inventory of SWID tags @@ -71,12 +79,10 @@ struct tcg_swid_attr_tag_inv_t { * @param request_id Copy of the Request ID * @param eid_epoch Event ID Epoch * @param eid Last Event ID - * @param inventory SWID Tag Inventory */ -pa_tnc_attr_t* tcg_swid_attr_tag_inv_create(u_int32_t request_id, - u_int32_t eid_epoch, - u_int32_t eid, - swid_inventory_t *inventory); +pa_tnc_attr_t* tcg_swid_attr_tag_inv_create(uint32_t request_id, + uint32_t eid_epoch, + uint32_t eid); /** * Creates an tcg_swid_attr_tag_inv_t object from received data diff --git a/testing/scripts/build-baseimage b/testing/scripts/build-baseimage index b6b8854ab..549bbc77b 100755 --- a/testing/scripts/build-baseimage +++ b/testing/scripts/build-baseimage @@ -17,7 +17,8 @@ INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libxerces-c2-dev,libltdl-dev INC=$INC,liblog4cxx10-dev,libboost-thread-dev,libboost-system-dev,git-core INC=$INC,less,acpid,acpi-support-base,libldns-dev,libunbound-dev,dnsutils,screen INC=$INC,gnat,gprbuild,libahven3-dev,libxmlada4.1-dev,libgmpada3-dev -INC=$INC,libalog0.4.1-base-dev,hostapd,libsoup2.4-dev +INC=$INC,libalog0.4.1-base-dev,hostapd,libsoup2.4-dev,ca-certificates,unzip +INC=$INC,python,python-setuptools SERVICES="apache2 dbus isc-dhcp-server slapd bind9" INC=$INC,${SERVICES// /,} diff --git a/testing/scripts/recipes/014_swid_generator.mk b/testing/scripts/recipes/014_swid_generator.mk new file mode 100644 index 000000000..ab7e562e9 --- /dev/null +++ b/testing/scripts/recipes/014_swid_generator.mk 
@@ -0,0 +1,16 @@
+#!/usr/bin/make
+
+PKG = swidGenerator
+ZIP = $(PKG)-master.zip
+SRC = https://github.com/tnc-ba/$(PKG)/archive/master.zip
+
+all: install
+
+$(ZIP):
+ wget --ca-directory="/usr/share/ca-certificates/mozilla" $(SRC) -O $(ZIP)
+
+$(PKG)-master: $(ZIP)
+ unzip $(ZIP)
+
+install: $(PKG)-master
+ cd $(PKG)-master && python setup.py install
diff --git a/testing/testing.conf b/testing/testing.conf
index 8e0c81e53..9b9b7d09a 100644
--- a/testing/testing.conf
+++ b/testing/testing.conf
@@ -24,14 +24,14 @@ fi
 : ${TESTDIR=/srv/strongswan-testing}
 # Kernel configuration
-: ${KERNELVERSION=3.13.2}
+: ${KERNELVERSION=3.13.5}
 : ${KERNEL=linux-$KERNELVERSION}
 : ${KERNELTARBALL=$KERNEL.tar.xz}
 : ${KERNELCONFIG=$DIR/../config/kernel/config-3.13}
 : ${KERNELPATCH=ha-3.13-abicompat.patch.bz2}
 # strongSwan version used in tests
-: ${SWANVERSION=5.1.2}
+: ${SWANVERSION=5.2.0}
 # Build directory where the guest kernel and images will be built
 : ${BUILDDIR=$TESTDIR/build}
@@ -54,7 +54,7 @@ fi
 : ${BASEIMGSUITE=wheezy}
 : ${BASEIMGARCH=amd64}
 : ${BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT}
-: ${BASEIMGMIRROR=http://cdn.debian.net/debian}
+: ${BASEIMGMIRROR=http://http.debian.net/debian}
 # Root image settings
 # The root image is the origin of all guest images. It is a clone of the base
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql
index 2bb7e7924..b33933e4f 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql
+++ b/testing/tests/tnc/tnccs-11-radius-pts/hosts/alice/etc/pts/data1.sql
@@ -3,7 +3,7 @@ INSERT INTO devices ( /* 1 */
 value, product, created
 ) VALUES (
- 'aabbccddeeff11223344556677889900', 28, 1372330615
+ 'aabbccddeeff11223344556677889900', 40, 1372330615
 );
 /* Groups Members */
diff --git a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat
index 5eb944055..78e74d5e0 100644
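Review bot: The new recipe downloads `https://github.com/tnc-ba/$(PKG)/archive/master.zip`, an unpinned moving branch, and runs `python setup.py install` on it without any integrity check, so every image build executes whatever happens to be on that branch at the time and a force-pushed or compromised branch is installed without notice. Pin the source to a release tag or commit and verify the archive before unpacking, e.g. `SRC = https://github.com/tnc-ba/$(PKG)/archive/$(REV).zip` with a `REV` variable, and `echo "$(SHA256)  $(ZIP)" | sha256sum -c` as the first step of the `$(PKG)-master` rule (the extracted directory name then follows `$(REV)` rather than `master`). The `--ca-directory` option does make wget validate the GitHub certificate, which is good, but transport security alone does not pin content. Builds are also not reproducible as written, since two runs on different days can install different code under the same recipe.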
--- a/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os-pts/evaltest.dat @@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.4 x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.4 x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES diff --git a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql index 2bb7e7924..b33933e4f 100644 --- a/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql +++ b/testing/tests/tnc/tnccs-20-os-pts/hosts/moon/etc/pts/data1.sql @@ -3,7 +3,7 @@ INSERT INTO devices ( /* 1 */ value, product, created ) VALUES ( - 'aabbccddeeff11223344556677889900', 28, 1372330615 + 'aabbccddeeff11223344556677889900', 40, 1372330615 ); /* Groups Members */ diff --git a/testing/tests/tnc/tnccs-20-os/evaltest.dat b/testing/tests/tnc/tnccs-20-os/evaltest.dat index 21a7278d7..da7591e2e 100644 
--- a/testing/tests/tnc/tnccs-20-os/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-os/evaltest.dat @@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon:: ipsec attest --sessions 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES +moon:: ipsec attest --sessions 2> /dev/null::Debian 7.4 x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec attest --sessions 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES +moon:: ipsec attest --sessions 2> /dev/null::Debian 7.4 x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES diff --git a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql index 6682a5a1c..26cce3125 100644 --- a/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql +++ b/testing/tests/tnc/tnccs-20-os/hosts/moon/etc/pts/data1.sql @@ -3,7 +3,7 @@ INSERT INTO devices ( /* 1 */ value, product, created ) VALUES ( - 'aabbccddeeff11223344556677889900', 28, 1372330615 + 'aabbccddeeff11223344556677889900', 40, 1372330615 ); /* Groups Members */ @@ -27,7 +27,7 @@ INSERT INTO identities ( INSERT INTO sessions ( time, connection, identity, device, product, rec ) VALUES ( - NOW, 1, 1, 1, 28, 0 + NOW, 1, 1, 1, 40, 0 ); /* Results */ 
diff --git a/testing/tests/tnc/tnccs-20-os/pretest.dat b/testing/tests/tnc/tnccs-20-os/pretest.dat index 0ac88dd8d..d991ee325 100644 --- a/testing/tests/tnc/tnccs-20-os/pretest.dat +++ b/testing/tests/tnc/tnccs-20-os/pretest.dat @@ -15,6 +15,6 @@ carol::sleep 1 carol::ipsec up home dave::ipsec up home dave::sleep 1 -moon::ipsec attest --packages --product 'Debian 7.2 x86_64' +moon::ipsec attest --packages --product 'Debian 7.4 x86_64' moon::ipsec attest --sessions moon::ipsec attest --devices diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql index 71592211b..b70fb6ae5 100644 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/alice/etc/pts/data1.sql @@ -3,7 +3,7 @@ INSERT INTO devices ( /* 1 */ value, product, created ) VALUES ( - 'aabbccddeeff11223344556677889900', 28, 1372330615 + 'aabbccddeeff11223344556677889900', 40, 1372330615 ); /* Groups Members */ @@ -27,7 +27,7 @@ INSERT INTO identities ( INSERT INTO sessions ( time, connection, identity, device, product, rec ) VALUES ( - NOW, 1, 1, 1, 28, 0 + NOW, 1, 1, 1, 40, 0 ); /* Results */ diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf index de2fea244..685a65250 100644 --- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/carol/etc/strongswan.conf @@ -20,6 +20,10 @@ libtnccs { } } +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +} + pt-tls-client { load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20 } diff --git a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf index 39b2577ae..0fa2acb14 100644 
--- a/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf +++ b/testing/tests/tnc/tnccs-20-pt-tls/hosts/dave/etc/strongswan.conf @@ -17,6 +17,10 @@ libtnccs { } } +libtls { + suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 +} + pt-tls-client { load = curl revocation constraints pem openssl nonce tnc-tnccs tnc-imc tnccs-20 } diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat index 5eb944055..78e74d5e0 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/evaltest.dat @@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::Y dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES -moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.4 x86_64.*carol@strongswan.org - allow::YES moon:: cat /var/log/daemon.log::added group membership 'allow'::YES moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES -moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES +moon:: ipsec attest --session 2> /dev/null::Debian 7.4 x86_64.*dave@strongswan.org - isolate::YES moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES 
diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql
index 2bb7e7924..b33933e4f 100644
--- a/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql
+++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/hosts/moon/etc/pts/data1.sql
@@ -3,7 +3,7 @@
 INSERT INTO devices ( /* 1 */
 value, product, created
 ) VALUES (
- 'aabbccddeeff11223344556677889900', 28, 1372330615
+ 'aabbccddeeff11223344556677889900', 40, 1372330615
 );
 
 /* Groups Members */
diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
index fd8bba404..da61afd78 100644
--- a/testing/tests/tnc/tnccs-20-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
@@ -6,10 +6,10 @@ dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
 dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/28::YES
-moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.4 x86_64.*carol@strongswan.org - allow::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - allow::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.4 x86_64.*dave@strongswan.org - allow::YES
 moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
 moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
 moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql
index 2bb7e7924..b33933e4f 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql
@@ -3,7 +3,7 @@
 INSERT INTO devices ( /* 1 */
 value, product, created
 ) VALUES (
- 'aabbccddeeff11223344556677889900', 28, 1372330615
+ 'aabbccddeeff11223344556677889900', 40, 1372330615
 );
 
 /* Groups Members */
|
