diff options
author | Sansar Choinyambuu <schoinya@hsr.ch> | 2011-08-26 10:08:16 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2011-09-08 12:08:14 +0200 |
commit | f36ef96ed492765ef6e8712ab99b6042f2a59f5b (patch) | |
tree | d1ab29136196a7455ab8279cc70893f589cc44f5 /src/libimcv | |
parent | 08a7bd530ee86e929fc886d8900136389bcefcb5 (diff) | |
download | strongswan-f36ef96ed492765ef6e8712ab99b6042f2a59f5b.tar.bz2 strongswan-f36ef96ed492765ef6e8712ab99b6042f2a59f5b.tar.xz |
Added create_meas_enumerator function to pts_database object
Implemented handling part of File Measurement attributes reception
Ending the exchange and allowing access if all measurements match with database isolate if not
Diffstat (limited to 'src/libimcv')
-rw-r--r-- | src/libimcv/plugins/imv_attestation/imv_attestation.c | 53 | ||||
-rw-r--r-- | src/libimcv/tcg/pts/pts_database.c | 30 | ||||
-rw-r--r-- | src/libimcv/tcg/pts/pts_database.h | 11 |
3 files changed, 92 insertions, 2 deletions
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation.c b/src/libimcv/plugins/imv_attestation/imv_attestation.c index 851efb9ec..7e0b13a6b 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation.c @@ -422,17 +422,66 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id, u_int64_t num_of_files; u_int16_t request_id; u_int16_t meas_len; + enumerator_t *meas_enumerator; + file_meas_entry_t *meas_entry; + bool comparisons_succeeded = true; attr_cast = (tcg_pts_attr_file_meas_t*)attr; num_of_files = attr_cast->get_number_of_files(attr_cast); request_id = attr_cast->get_request_id(attr_cast); meas_len = attr_cast->get_meas_len(attr_cast); - /* TODO: Start working here */ + meas_enumerator = attr_cast->create_file_meas_enumerator(attr_cast); + while (meas_enumerator->enumerate(meas_enumerator, &meas_entry)) + { + enumerator_t *hash_enumerator; + pts_meas_algorithms_t selected_algorithm; + char *product = "Ubuntu 10.10 x86_64"; + chunk_t db_measurement; + + DBG3(DBG_IMV, "Received measurement: %B", &meas_entry->measurement); + + if (!pts_db) + { + break; + } + selected_algorithm = pts->get_meas_algorithm(pts); + + hash_enumerator = pts_db->create_meas_enumerator(pts_db, product, request_id, selected_algorithm); + if (!hash_enumerator) + { + break; + } + while (hash_enumerator->enumerate(hash_enumerator, &db_measurement)) + { + DBG3(DBG_IMV, "Expected measurement: %B", &db_measurement); + + /* Compare the received hash measurement with one saved in db */ + if(chunk_compare(db_measurement, meas_entry->measurement) == 0) + { + DBG1(DBG_IMV, "Measurement comparison succeeded for: %s", meas_entry->file_name.ptr); + } + else + { + DBG1(DBG_IMV, "Measurement comparison failed for: %s", meas_entry->file_name.ptr); + comparisons_succeeded = false; + } + } + hash_enumerator->destroy(hash_enumerator); + + } attestation_state->set_handshake_state(attestation_state, IMV_ATTESTATION_STATE_END); - break; + + (comparisons_succeeded) ? state->set_recommendation(state, + TNC_IMV_ACTION_RECOMMENDATION_ALLOW, + TNC_IMV_EVALUATION_RESULT_COMPLIANT) : + state->set_recommendation(state, + TNC_IMV_ACTION_RECOMMENDATION_ISOLATE, + TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR); + + return imv_attestation->provide_recommendation(imv_attestation, connection_id); } /* TODO: Not implemented yet */ diff --git a/src/libimcv/tcg/pts/pts_database.c b/src/libimcv/tcg/pts/pts_database.c index bcfa8c885..00ec97739 100644 --- a/src/libimcv/tcg/pts/pts_database.c +++ b/src/libimcv/tcg/pts/pts_database.c @@ -54,6 +54,35 @@ METHOD(pts_database_t, create_file_enumerator, enumerator_t*, return e; } +METHOD(pts_database_t, create_meas_enumerator, enumerator_t*, + private_pts_database_t *this, char *product, int id, pts_meas_algorithms_t algorithm) +{ + enumerator_t *e; + int algo = 0; + + switch(algorithm) + { + case PTS_MEAS_ALGO_SHA1: + algo = 32768; + break; + case PTS_MEAS_ALGO_SHA256: + algo = 16384; + break; + case PTS_MEAS_ALGO_SHA384: + algo = 8192; + break; + } + + /* look for all entries belonging to a product and file in file_hashes table */ + e = this->db->query(this->db, + "SELECT fh.hash FROM file_hashes AS fh " + "JOIN files AS f ON fh.file = f.id " + "JOIN products AS p ON fh.product = p.id " + "WHERE p.name = ? AND f.id = ? AND fh.algo = ?", + DB_TEXT, product, DB_INT, id, DB_INT, algo, DB_BLOB); + return e; +} + METHOD(pts_database_t, destroy, void, private_pts_database_t *this) { @@ -71,6 +100,7 @@ pts_database_t *pts_database_create(char *uri) INIT(this, .public = { .create_file_enumerator = _create_file_enumerator, + .create_meas_enumerator = _create_meas_enumerator, .destroy = _destroy, }, .db = lib->db->create(lib->db, uri), diff --git a/src/libimcv/tcg/pts/pts_database.h b/src/libimcv/tcg/pts/pts_database.h index 9675d60c4..778ea8ae5 100644 --- a/src/libimcv/tcg/pts/pts_database.h +++ b/src/libimcv/tcg/pts/pts_database.h @@ -23,6 +23,7 @@ typedef struct pts_database_t pts_database_t; +#include "pts_meas_algo.h" #include <library.h> /** @@ -38,6 +39,16 @@ struct pts_database_t { * @return enumerator over all files matching a given release */ enumerator_t* (*create_file_enumerator)(pts_database_t *this, char *product); + + /** + * Get Hash measurement of a file with given id and hashing algorithm type + * + * @product software product (os, vpn client, etc.) + * @id primary key in files table + * @algorithm measurement algorithm type + * @return enumerator over all measurements matching a given release + */ + enumerator_t* (*create_meas_enumerator)(pts_database_t *this, char *product, int id, pts_meas_algorithms_t algorithm); /** * Destroys a pts_database_t object. |