2 * This file is part of the OpenPTS project.
4 * The Initial Developer of the Original Code is International
5 * Business Machines Corporation. Portions created by IBM
6 * Corporation are Copyright (C) 2010 International Business
7 * Machines Corporation. All Rights Reserved.
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the Common Public License as published by
11 * IBM Corporation; either version 1 of the License, or (at your option)
14 * This program is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * Common Public License for more details.
19 * You should have received a copy of the Common Public License
20 * along with this program; if not, a copy can be viewed at
21 * http://www.opensource.org/licenses/cpl1.0.php.
25 * \file src/verifier.c
26 * \brief TCG IF-M Verifier
27 * @author Seiji Munetoh <munetoh@users.sourceforge.jp>
29 * cleanup 2011-07-20 SM
40 #include <search.h> // hash table
42 #include <sys/types.h>
43 #include <sys/socket.h>
46 #include <netinet/in.h>
58 * @param conf_dir - base dir of collector configuration
59 * @param mode 0:normal 1:sync (update policy, ignorelist)
60 * 0 OPENPTS_VERIFY_MODE
61 * 1 OPENPTS_UPDATE_MODE -- note) do not update the RM, use updateRm()
67 * PTS_RULE_NOT_FOUND RM not found
72 * ----------------------------------
73 * check_ifm.c test_ifm
78 * Capability->Lookup->Setup
81 int verifierHandleCapability(
85 OPENPTS_IF_M_Capability *cap) {
86 OPENPTS_UUID *verifier_uuid = NULL;
89 char * collector_dir = NULL;
91 OPENPTS_CONFIG *target_conf = NULL;
92 OPENPTS_CONFIG *conf = NULL;
96 verifier_uuid = ctx->conf->uuid;
99 if (ctx->collector_uuid != NULL) freeOpenptsUuid(ctx->collector_uuid);
100 ctx->collector_uuid = newOpenptsUuid2(&cap->platform_uuid);
101 if (ctx->collector_uuid == NULL) {
102 ERROR("Bad collector uuid\n");
107 if (ctx->rm_uuid != NULL) freeOpenptsUuid(ctx->rm_uuid);
108 ctx->rm_uuid = newOpenptsUuid2(&cap->manifest_uuid);
109 if (ctx->rm_uuid == NULL) {
110 ERROR("Bad RM uuid\n");
114 /* check the Collector we already know */
115 collector_dir = getFullpathName(conf_dir, ctx->collector_uuid->str);
117 /* check the Local Collector Config */
118 rc = checkDir(collector_dir);
119 if (rc != PTS_SUCCESS) {
120 /* DIR is missing, unknwon collector */
121 ERROR("verifier() - Unknown collector, UUID= %s dir= %s, rc=%d\n",
122 ctx->collector_uuid->str, collector_dir, rc);
123 addReason(ctx, "Missing collector configuration");
124 addReason(ctx, "Collector hostname = %s", host);
125 addReason(ctx, "Collector UUID = %s", ctx->collector_uuid->str);
126 rc = PTS_NOT_INITIALIZED;
132 if (ctx->target_conf == NULL) {
133 /* no collector info, create new one for this */
134 ctx->target_conf = newPtsConfig();
136 target_conf = ctx->target_conf;
139 target_conf->uuid = newOpenptsUuid2(ctx->collector_uuid->uuid);
140 target_conf->config_file = getFullpathName(collector_dir, "target.conf");
142 rc = readTargetConf(target_conf, target_conf->config_file);
143 if (rc != PTS_SUCCESS) {
144 ERROR("verifier() - readTargetConf failed, %s\n", target_conf->config_file);
145 addReason(ctx, "Missing collector configuration file");
146 addReason(ctx, "Collector hostname = %s", host);
147 addReason(ctx, "Collector UUID = %s", ctx->collector_uuid->str);
148 rc = PTS_NOT_INITIALIZED;
153 /* collector info exist, check with */
154 target_conf = ctx->target_conf;
155 if (memcmp(target_conf->uuid->uuid, ctx->collector_uuid->uuid, 16) != 0) {
156 /* Miss, hostname or IP address was changed? */
157 ERROR("verifier() - Unexpected collector UUID= %s, must be %s\n",
158 ctx->collector_uuid->str, target_conf->uuid->uuid);
159 addReason(ctx, "Collector configuration was changed");
160 addReason(ctx, "Collector hostname = %s", host);
161 addReason(ctx, "Expected Collector UUID = %s", target_conf->uuid->uuid);
162 addReason(ctx, "Given Collector UUID = %s", ctx->collector_uuid->str);
163 rc = PTS_NOT_INITIALIZED;
166 /* Hit keep current collector info */
167 DEBUG("verifier() - use existing target conf\n");
168 DEBUG("Good Collector UUID\n");
174 memcpy(&target_conf->pts_flag, &cap->flag, 4);
175 memcpy(&target_conf->tpm_version, &cap->tpm_version, 4);
176 memcpy(&target_conf->tss_version, &cap->tss_version, 4);
177 memcpy(&target_conf->pts_version, &cap->pts_version, 4);
180 DEBUG("Verifier UUID : %s\n", verifier_uuid->str);
181 DEBUG("Collector UUID : %s\n", ctx->collector_uuid->str);
182 DEBUG("Collector RM UUID : %s\n", ctx->rm_uuid->str);
184 /* Check RM by UUID */
185 DEBUG("RM UUID : %s\n", target_conf->rm_uuid->str);
188 // if (target_conf->uuid->status == OPENPTS_UUID_CHANGED) {
189 if (memcmp(target_conf->rm_uuid->uuid, ctx->rm_uuid->uuid, 16) != 0) {
191 DEBUG("RM was changed\n");
192 // RM UUID was changed
193 // 1) NEW RM UUID => Good Reboot
194 // 2) past RM UUID => fallback?
195 // 3) Unknown UUID => PTS_RULE_NOT_FOUND
197 /* compare stored NEWRM UUID and given RM UUID */
198 if ((target_conf->newrm_uuid != NULL) &&
199 (target_conf->newrm_uuid->uuid != NULL) &&
200 (memcmp(target_conf->newrm_uuid->uuid, ctx->rm_uuid->uuid, 16) == 0)) {
201 /* HIT - Good Reboot */
202 /* NEWRM -> RM -> OLDRM */
203 DEBUG("RM changed %s -> %s (good reboot)\n",
204 target_conf->rm_uuid->str, target_conf->newrm_uuid->str);
206 printf("Collector's manifest has been changed to new manifest (expected reboot)\n");
207 printf(" current manifest UUID : %s\n", target_conf->newrm_uuid->str);
208 printf(" old manifest UUID : %s\n", target_conf->rm_uuid->str);
211 if (target_conf->oldrm_uuid != NULL) {
212 if (target_conf->oldrm_uuid->uuid != NULL) free(target_conf->oldrm_uuid->uuid);
213 if (target_conf->oldrm_uuid->str != NULL) free(target_conf->oldrm_uuid->str);
214 if (target_conf->oldrm_uuid->time != NULL) free(target_conf->oldrm_uuid->time);
216 target_conf->oldrm_uuid = newOpenptsUuid();
217 // TODO create this before?
218 target_conf->oldrm_uuid->filename = getFullpathName(target_conf->config_dir, "oldrm_uuid");
221 /* Copy RM UUID pointers to Old RM's UUID ptrs */
222 target_conf->oldrm_uuid->uuid = target_conf->rm_uuid->uuid;
223 target_conf->oldrm_uuid->str = target_conf->rm_uuid->str;
224 target_conf->oldrm_uuid->time = target_conf->rm_uuid->time;
225 target_conf->oldrm_uuid->status = OPENPTS_UUID_FILLED;
228 rc = writeOpenptsUuidFile(target_conf->oldrm_uuid, 1);
229 if (rc != PTS_SUCCESS) {
230 ERROR("writeOpenptsUuidFile fail\n");
233 /* Copy NEWRM to RM */
234 target_conf->rm_uuid->uuid = target_conf->newrm_uuid->uuid;
235 target_conf->rm_uuid->str = target_conf->newrm_uuid->str;
236 target_conf->rm_uuid->time = target_conf->newrm_uuid->time;
237 target_conf->rm_uuid->status = OPENPTS_UUID_FILLED;
240 rc = writeOpenptsUuidFile(target_conf->rm_uuid, 1);
241 if (rc != PTS_SUCCESS) {
242 ERROR("writeOpenptsUuidFile fail\n");
246 target_conf->newrm_uuid->uuid = NULL;
247 target_conf->newrm_uuid->str = NULL;
248 target_conf->newrm_uuid->time = NULL;
249 target_conf->newrm_uuid->status = OPENPTS_UUID_FILENAME_ONLY;
250 rc = remove(target_conf->newrm_uuid->filename);
253 } else if ((target_conf->oldrm_uuid != NULL) &&
254 (target_conf->oldrm_uuid->uuid != NULL) &&
255 (memcmp(target_conf->oldrm_uuid->uuid, ctx->rm_uuid->uuid, 16) == 0)) {
256 /* HIT - fallback ? */
257 TODO("Fallback - TBD\n");
258 rc = PTS_RULE_NOT_FOUND; // TODO
262 /* MISS no RM for the client(collector) */
266 ERROR("RM changed %s -> %s (not new rm)\n",
267 target_conf->rm_uuid->str, ctx->rm_uuid->str);
269 // TODO DEBUG("RM changed %s -> %s\n", target_conf->rm_uuid->str, rm_uuid->str);
272 addReason(ctx, "Collector uses another Reference Manifest(RM)");
273 addReason(ctx, "Collector hostname = %s", host);
274 addReason(ctx, "Collector UUID = %s", ctx->collector_uuid->str);
276 t0 = getDateTimeOfUuid(target_conf->rm_uuid->uuid);
277 t1 = getDateTimeOfUuid(ctx->rm_uuid->uuid);
279 addReason(ctx, "Previous RM UUID = %s, timestamp = %04d-%02d-%02d-%02d:%02d:%02d",
280 target_conf->rm_uuid->str,
288 addReason(ctx, "Current RM UUID = %s, timestamp = %04d-%02d-%02d-%02d:%02d:%02d",
297 rc = PTS_RULE_NOT_FOUND; // TODO
302 DEBUG("RM UUID is HIT\n");
308 rm_dir = getFullpathName(collector_dir, target_conf->rm_uuid->str);
309 rc = checkDir(rm_dir);
310 if (rc != PTS_SUCCESS) {
312 ERROR("verifier() - Unknown RM, (RM dir = %s)\n", rm_dir);
313 addReason(ctx, "Missing Reference Manifest(RM)");
314 addReason(ctx, "Collector hostname = %s", host);
315 addReason(ctx, "Collector UUID = %s", target_conf->uuid->str);
316 addReason(ctx, "Collector RM UUID = %s", target_conf->rm_uuid->str);
317 addReason(ctx, "Missing RM dir = %s", rm_dir);
318 rc = PTS_RULE_NOT_FOUND;
324 rc = getRmSetDir(target_conf); // ctx->conf);
326 DEBUG("logging dir : %s\n", collector_dir);
327 for (i = 0; i < conf->rm_num; i++) {
328 DEBUG("RM[%d] : %s\n", i, target_conf->rm_filename[i]);
331 DEBUG("AIDE DB : %s\n", target_conf->aide_database_filename);
333 DEBUG("AIDE SQLITE DB : %s\n", target_conf->aide_sqlite_filename);
335 DEBUG("AIDE ignore list : %s\n", target_conf->aide_ignorelist_filename);
337 DEBUG("IR : %s\n", target_conf->ir_filename);
338 DEBUG("Prop : %s\n", target_conf->prop_filename);
339 DEBUG("Policy : %s\n", target_conf->policy_filename);
342 for (i = 0; i< target_conf->rm_num; i++) {
344 if (lstat(target_conf->rm_filename[i], &st) == -1) {
345 ERROR("verifier - RM (%s) is missing. Get RM from target. enroll(init) first\n",
346 target_conf->rm_filename[i]);
347 rc = PTS_INTERNAL_ERROR;
363 int verifierHandleRimmSet(
364 OPENPTS_CONTEXT *ctx,
366 int rc = PTS_SUCCESS;
367 OPENPTS_CONFIG *target_conf;
378 ERROR("verifierHandleRimmSet() - ctx is NULL\n");
383 if (ctx->target_conf == NULL) {
384 ERROR("verifierHandleRimmSet() - target_conf is NULL\n");
388 target_conf = ctx->target_conf;
391 ERROR("verifierHandleRimmSet() - value is NULL\n");
398 num = getUint32(value);
399 DEBUG_IFM("RM num : %d\n", num);
401 target_conf->rm_num = num;
406 if (lstat(target_conf->rm_basedir, &st) == -1) {
407 /* Missing rm_basedir => create */
408 rc = mkdir(target_conf->rm_basedir, S_IRUSR | S_IWUSR | S_IXUSR);
410 ERROR("create conf directory, %s was failed\n", target_conf->rm_basedir);
411 rc = PTS_INTERNAL_ERROR;
414 } else if ((st.st_mode & S_IFMT) != S_IFDIR) {
415 ERROR("RM directory, %s is not a directory %x %x\n", buf, (st.st_mode & S_IFMT), S_IFDIR);
416 rc = PTS_INTERNAL_ERROR;
421 ctx->conf->rm_num = num;
422 for (i = 0; i < num; i++) {
423 snprintf(buf, BUF_SIZE, "%s/rm%d.xml",
424 target_conf->rm_basedir,
427 if (target_conf->rm_filename[i] != NULL) {
428 DEBUG("enroll() - free conf->rm_filename[%d] %s\n", i, target_conf->rm_filename[i]);
429 free(target_conf->rm_filename[i]);
432 target_conf->rm_filename[i] = smalloc(buf);
435 len = getUint32(value);
436 DEBUG("RM[%d] size : %d\n", i, len);
437 DEBUG("RM[%d] filename : %s\n", i, target_conf->rm_filename[i]);
441 rc = saveToFile(target_conf->rm_filename[i], len, value);
443 ERROR("enroll - save RM[%d], %s failed\n", i, target_conf->rm_filename[i]);
444 rc = PTS_INTERNAL_ERROR;
451 /* Save RM UUID file */
452 target_conf->rm_uuid->filename = getFullpathName(target_conf->config_dir, "./rm_uuid");
453 target_conf->rm_uuid->status = OPENPTS_UUID_FILLED;
455 rc = writeOpenptsUuidFile(target_conf->rm_uuid, 1); // TODO do not overwite?
456 if (rc != PTS_SUCCESS) {
457 ERROR("writeOpenptsUuidFile fail\n");
467 * Write policy.conf from current prop
469 * return num of polocy
473 * TODO move to prop.c
475 int writePolicyConf(OPENPTS_CONTEXT *ctx, char *filename) {
477 OPENPTS_PROPERTY *prop;
480 DEBUG("writePolicyConf : %s\n", filename);
482 if ((fp = fopen(filename, "w")) == NULL) {
483 ERROR("writePolicyConf() - File %s open was failed\n", filename);
488 prop = ctx->prop_start;
490 fprintf(fp, "# OpenPTS validation policy, name=value\n");
491 while (prop != NULL) {
492 if (!strncmp(prop->name, "ima.aggregate", 13)) {
493 /* IMA aggregate validation policy */
494 fprintf(fp, "%s=%s\n", prop->name, prop->value);
496 } else if (!strncmp(prop->name, "ima.", 4)) {
497 /* IMA measurement - SKIP */
499 fprintf(fp, "%s=%s\n", prop->name, prop->value);
504 fprintf(fp, "# %d reference props\n", i);
512 #define HASH_TABLE_SIZE ((size_t) 2048)
515 * Write writeAideIgnoreList from current prop
516 * IMA measurment with OPENPTS_RESULT_UNKNOWN flag ->
522 * ima.0.integrty=unknown
525 * TODO move to prop.c?
526 * TODO use hash table, name:count?
528 int writeAideIgnoreList(OPENPTS_CONTEXT *ctx, char *filename) {
530 OPENPTS_SNAPSHOT * ss;
531 OPENPTS_PCR_EVENT_WRAPPER *ew;
532 TSS_PCR_EVENT *event;
536 struct hsearch_data hd;
541 DEBUG("writeAideIgnoreList : %s\n", filename);
543 if ((fp = fopen(filename, "w")) == NULL) {
544 ERROR("File %s open was failed\n", filename);
549 ss = getSnapshotFromTable(ctx->ss_table, 10, 1); // Linux-IMA, TODO define by CONF?
551 ERROR("Snapshot at PCR[10] level 1 is missing\n");
556 /* look over the event chain */
557 fprintf(fp, "# OpenPTS AIDE ignore name list\n");
560 memset(&hd, 0, sizeof(hd));
562 rc = hcreate_r(HASH_TABLE_SIZE, &hd);
564 if (errno == ENOMEM) {
569 ERROR("ERROR rc=%d\n", rc);
576 if (ew->status == OPENPTS_RESULT_UNKNOWN) {
578 name = (char *)event->rgbEvent;
579 name += SHA1_DIGEST_SIZE;
581 name = snmalloc(name, (event->ulEventLength - SHA1_DIGEST_SIZE));
588 rc = hsearch_r(e, FIND, &ep, &hd);
591 e.data = (void*) ecnt;
592 rc = hsearch_r(e, ENTER, &ep, &hd);
594 fprintf(fp, "# %d \n", cnt);
595 fprintf(fp, "%s\n", name);
610 fprintf(fp, "# %d props\n", cnt);
617 #endif // CONFIG_AIDE
623 int verifierHandleIR(
624 OPENPTS_CONTEXT *ctx,
629 int rc = PTS_SUCCESS;
630 OPENPTS_CONFIG *target_conf;
635 ERROR("verifierHandleRimmSet() - ctx is NULL\n");
640 if (ctx->target_conf == NULL) {
641 ERROR("verifierHandleRimmSet() - target_conf is NULL\n");
645 target_conf = ctx->target_conf;
648 ERROR("verifierHandleRimmSet() - value is NULL\n");
654 /* save IR to file */
656 rc = saveToFile(target_conf->ir_filename, length, value);
658 ERROR("verifier - save IR failed\n");
659 rc = PTS_INTERNAL_ERROR;
663 ERROR("verifier - collector can not send IR\n");
664 rc = PTS_INTERNAL_ERROR;
668 /* load Reference Manifest (BIN-BHV) */
669 DEBUG("Load RM -------------------------------- \n");
671 for (i = 0; i < target_conf->rm_num; i++) {
672 rc = readRmFile(ctx, target_conf->rm_filename[i], i);
674 ERROR("readRmFile fail\n");
675 rc = PTS_INTERNAL_ERROR;
681 /* Load Policy to validate properties */
682 DEBUG("Load Policy -------------------------------- \n");
683 rc = loadPolicyFile(ctx, target_conf->policy_filename);
685 ERROR("loadPolicyFile fail\n");
686 rc = PTS_INTERNAL_ERROR;
691 // ctx->conf->aide_ignorelist_filename = NULL;
694 /* Validate IR by FSM */
695 *result = validateIr(ctx, target_conf->ir_filename); /* ir.c */
698 if (mode == OPENPTS_VERIFY_MODE) {
699 /* save properties */
700 DEBUG("save property : %s\n", target_conf->prop_filename);
702 rc = saveProperties(ctx, target_conf->prop_filename);
703 if (rc != PTS_SUCCESS) {
704 ERROR("saveProperties was failed %s\n", target_conf->prop_filename);
707 } else if (mode == OPENPTS_UPDATE_MODE) {
708 /* gen policy and ignore list */
709 DEBUG("update policy and ignore list %s\n", target_conf->policy_filename);
710 rc = writePolicyConf(ctx, target_conf->policy_filename);
711 DEBUG("policy num : %d policies\n", rc);
713 if (ctx->ima_unknown > 0) {
714 rc = writeAideIgnoreList(ctx, target_conf->aide_ignorelist_filename);
715 DEBUG("%d ignore list of AIDE\n", rc);
719 ERROR("unknown mode %d\n", mode);
740 * ----------------------------------
744 OPENPTS_CONTEXT *ctx,
751 int rc = PTS_SUCCESS;
753 PTS_IF_M_Attribute *read_tlv = NULL;
756 OPENPTS_UUID *verifier_uuid = NULL;
757 OPENPTS_CONFIG *target_conf;
758 OPENPTS_IF_M_Capability *cap;
763 DEBUG("enroll() - start, force = %d (1:overwite) --------------------------------------\n", force);
765 if (ctx->conf == NULL) {
766 ERROR("ctx->conf\n");
767 return PTS_INTERNAL_ERROR;
770 /* new target_conf */
771 if (ctx->target_conf != NULL) {
772 ERROR("enroll() - target_conf of %s already exist?\n", host);
776 ctx->target_conf = newPtsConfig();
777 target_conf = ctx->target_conf;
778 target_conf->hostname = smalloc(host);
780 /* verifier (my) UUID */
781 verifier_uuid = ctx->conf->uuid;
783 /* connect to the target collector */
784 ssh_pid = ssh_connect(host,
791 ERROR("connection to %s failed.\n", host);
796 /* V->C capability (hello) */
797 len = writePtsTlv(ctx, sock, OPENPTS_CAPABILITIES);
799 ERROR("send OPENPTS_CAPABILITIES was failed\n");
800 rc = PTS_INTERNAL_ERROR;
804 /* C->V capability (hello) */
805 read_tlv = readPtsTlv(sock);
806 if (read_tlv == NULL) {
807 ERROR("Can not get the message from collector\n");
808 rc = PTS_INTERNAL_ERROR;
811 if (read_tlv->type != OPENPTS_CAPABILITIES) {
813 rc = PTS_INTERNAL_ERROR;
816 if (read_tlv->length != sizeof(OPENPTS_IF_M_Capability)) { // TODO set name
817 ERROR("UUID length = %d != 36\n", read_tlv->length);
818 rc = PTS_INTERNAL_ERROR;
821 cap = (OPENPTS_IF_M_Capability *)read_tlv->value;
824 memcpy(&target_conf->pts_flag, &cap->flag, 4);
825 memcpy(&target_conf->tpm_version, &cap->tpm_version, 4);
826 memcpy(&target_conf->tss_version, &cap->tss_version, 4);
827 memcpy(&target_conf->pts_version, &cap->pts_version, 4);
830 target_conf->uuid = newOpenptsUuid2(&cap->platform_uuid);
831 if (target_conf->uuid == NULL) {
832 ERROR("Bad collector uuid\n");
837 target_conf->rm_uuid = newOpenptsUuid2(&cap->manifest_uuid);
838 if (target_conf->rm_uuid == NULL) {
839 ERROR("Bad collector uuid\n");
844 DEBUG("Verifier UUID : %s\n", verifier_uuid->str);
845 DEBUG("Collector UUID : %s\n", target_conf->uuid->str);
846 DEBUG("RM UUID : %s\n", target_conf->rm_uuid->str);
848 target_conf->config_dir =
849 getFullpathName(conf_dir, target_conf->uuid->str);
850 target_conf->config_file =
851 getFullpathName(target_conf->config_dir, "target.conf");
852 target_conf->uuid->filename =
853 getFullpathName(target_conf->config_dir, "uuid");
854 target_conf->rm_basedir =
855 getFullpathName(target_conf->config_dir, target_conf->rm_uuid->str);
858 target_conf->aide_database_filename =
859 getFullpathName(target_conf->config_dir, "aide.db.gz");
860 target_conf->aide_ignorelist_filename =
861 getFullpathName(target_conf->config_dir, "aide.ignore");
863 target_conf->aide_sqlite_filename =
864 getFullpathName(target_conf->config_dir, "aide.sqlite.db");
870 rc = makeDir(target_conf->config_dir);
873 DEBUG("conf dir : %s\n", target_conf->config_dir);
874 DEBUG("rm dir : %s\n", target_conf->rm_basedir);
875 DEBUG("AIDE DB : %s\n", target_conf->aide_database_filename);
877 DEBUG("AIDE SQLite DB : %s\n", target_conf->aide_sqlite_filename);
881 /* delete existing info */
882 // DEBUG("enroll - force=1 NA. Sorry\n");
884 /* check existing info */
886 if (lstat(target_conf->config_file , &st) == -1) {
888 DEBUG("%s is missing. Get RM from target\n", target_conf->config_file);
891 fprintf(stderr, "%s exist. if you want to override, use -f option\n", target_conf->config_file);
892 rc = PTS_INTERNAL_ERROR;
900 // read_tlv->value -= 16; // TODO
901 freePtsTlv(read_tlv);
903 /* get the Reference Manifest from target(collector) */
906 /* V->C template RIMM req */
907 len = writePtsTlv(ctx, sock, REQUEST_RIMM_SET);
909 ERROR("template RIMM req was failed\n");
910 rc = PTS_INTERNAL_ERROR;
914 /* C->V template RIMM (RIMM embedded to CTX) */
915 read_tlv = readPtsTlv(sock);
916 if (read_tlv->type == OPENPTS_ERROR) {
917 ERROR("Request RIMM_SET was failed. collector returns error message");
918 rc = PTS_INTERNAL_ERROR;
920 } else if (read_tlv->type != RIMM_SET) {
921 ERROR("Bad return message, %X != %X", read_tlv->type, RIMM_SET);
922 rc = PTS_INTERNAL_ERROR;
926 rc = verifierHandleRimmSet(ctx, (BYTE*) read_tlv->value);
927 if (rc != PTS_SUCCESS) {
928 ERROR("Bad RIMM_SET?");
929 rc = PTS_INTERNAL_ERROR;
934 freePtsTlv(read_tlv);
938 // TODO(munetoh) capability defile validation mode of collector
939 /* V->C AIDE_DATABASE req */
940 len = writePtsTlv(ctx, sock, REQUEST_AIDE_DATABASE);
943 ERROR("template RIMM req was failed\n");
944 rc = PTS_INTERNAL_ERROR;
948 /* C->V AIDE DATABASE */
949 read_tlv = readPtsTlv(sock);
950 if (read_tlv->type != AIDE_DATABASE) {
951 if (read_tlv->type == OPENPTS_ERROR) {
953 /* AIDE DB is missing */
954 target_conf->ima_validation_mode = OPENPTS_VALIDATION_MODE_NONE;
955 DEBUG("enroll - AIDE DB is missing. do not validate IMA's IMLs\n");
958 rc = PTS_INTERNAL_ERROR;
963 if (read_tlv->length > 0) {
964 /* AIDE_DATABASE -> CTX */
965 DEBUG("AIDE_DATABASE size : %d\n", read_tlv->length);
967 rc = saveToFile(target_conf->aide_database_filename, read_tlv->length, read_tlv->value);
969 ERROR("enroll - save AIDE DB failed\n");
970 rc = PTS_INTERNAL_ERROR;
975 DEBUG("conv to sqlite %s\n", target_conf->aide_sqlite_filename);
976 rc = convertAideDbfileToSQLiteDbFile(
977 ctx->conf->aide_database_filename,
978 ctx->conf->aide_sqlite_filename);
979 if (rc != PTS_SUCCESS) {
980 ERROR("enroll - convert AIDE DB to SQLiteDB was failed\n");
981 rc = PTS_INTERNAL_ERROR;
985 target_conf->ima_validation_mode = OPENPTS_VALIDATION_MODE_AIDE;
988 target_conf->ima_validation_mode = OPENPTS_VALIDATION_MODE_NONE;
989 DEBUG("enroll - AIDE DB is missing. do not validate IMA's IMLs\n");
994 freePtsTlv(read_tlv);
997 #endif // CONFIG_AIDE
1001 /* V->C TPM PUBKEY req */
1002 len = writePtsTlv(ctx, sock, REQUEST_TPM_PUBKEY); // ifm.c
1005 ERROR("enroll() - REQUEST_TPM_PUBKEY was failed, len=%d\n", rc);
1006 rc = PTS_INTERNAL_ERROR;
1010 /* C->V TPM PUBKEY */
1011 read_tlv = readPtsTlv(sock);
1012 if (read_tlv->type == OPENPTS_ERROR) {
1014 TODO("Target did not have TPM_PUBKEY");
1015 addReason(ctx, "Target did not have TPM_PUBKEY\n");
1016 rc = PTS_INTERNAL_ERROR;
1018 } else if (read_tlv->type != TPM_PUBKEY) {
1019 ERROR("read_tlv->type != TPM_PUBKEY, but %d", read_tlv->type);
1020 rc = PTS_INTERNAL_ERROR;
1024 if (read_tlv->length > 0) {
1025 /* TPM_PUBKEY -> CTX */
1026 DEBUG("TPM_PUBKEY size : %d\n", read_tlv->length);
1029 if (target_conf->pubkey != NULL) {
1030 DEBUG("enroll() - reset the PUBKEY\n");
1031 free(target_conf->pubkey);
1034 target_conf->pubkey_length = read_tlv->length;
1035 target_conf->pubkey = malloc(target_conf->pubkey_length);
1038 target_conf->pubkey,
1040 target_conf->pubkey_length);
1041 /* save to the target.conf */
1043 DEBUG("enroll - TPM_PUBKEY is missing.\n");
1046 /* save target conf */
1047 writeTargetConf(target_conf, target_conf->uuid->uuid, target_conf->config_file); // ctx.c
1054 waitpid(ssh_pid, &ssh_status, 0);
1059 if (read_tlv != NULL) freePtsTlv(read_tlv);
1061 freePtsConfig(ctx->target_conf);
1062 ctx->target_conf = NULL;
1064 DEBUG("enroll() - done, force = %d (1:overwite) --------------------------------------\n", force);
1071 * Standalone IF-M verifier
1074 OPENPTS_CONTEXT *ctx,
1080 int rc = PTS_SUCCESS;
1082 int result = OPENPTS_RESULT_VALID;
1088 PTS_IF_M_Attribute *read_tlv = NULL;
1089 OPENPTS_CONFIG *conf;
1090 char * collector_dir = NULL;
1091 char * rm_dir = NULL;
1092 OPENPTS_IF_M_Capability *cap;
1094 DEBUG("verifier() - start\n");
1095 DEBUG(" conf_dir : %s\n", conf_dir);
1096 DEBUG(" mode : %d (0:just verify, 1:update the policy)\n", mode);
1099 ERROR("ctx is null\n");
1100 return PTS_INTERNAL_ERROR;
1104 ERROR("conf is null\n");
1105 return PTS_INTERNAL_ERROR;
1108 /* connect to the target collector */
1109 ssh_pid = ssh_connect(host,
1115 if (ssh_pid == -1) {
1116 ERROR("connection failed (server = %s)\n", host);
1117 addReason(ctx, "connection failed (server = %s)\n", host);
1124 /* V->C capability (hello) */
1125 len = writePtsTlv(ctx, sock, OPENPTS_CAPABILITIES);
1127 ERROR("Send OPENPTS_CAPABILITIES was failed\n");
1131 /* C->V capability (hello) */
1132 read_tlv = readPtsTlv(sock);
1133 if (read_tlv == NULL) {
1134 ERROR("can't connect to target, %s\n", host);
1135 rc = PTS_INTERNAL_ERROR;
1137 } else if (read_tlv->type != OPENPTS_CAPABILITIES) {
1139 } else if (read_tlv->length != sizeof(OPENPTS_IF_M_Capability)) {
1140 // TODO PTS_CAPABILITIES_SIZE
1141 ERROR("UUID length = %d != 36\n", read_tlv->length);
1142 rc = PTS_INTERNAL_ERROR;
1145 cap = (OPENPTS_IF_M_Capability *)read_tlv->value;
1147 rc = verifierHandleCapability(ctx, conf_dir, host, cap);
1148 if (rc != PTS_SUCCESS) goto close;
1150 /* V->C D-H nonce param req ---------------------------------- */
1152 ctx->nonce->req->reserved = 0;
1153 ctx->nonce->req->min_nonce_len = 16;
1154 ctx->nonce->req->dh_group_set = DH_GROUP_2;
1157 len = writePtsTlv(ctx, sock, DH_NONCE_PARAMETERS_REQUEST);
1159 ERROR("Send DH_NONCE_PARAMETERS_REQUEST was failed\n");
1163 /* C->V D-H nonce param res ---------------------------------- */
1164 freePtsTlv(read_tlv);
1166 read_tlv = readPtsTlv(sock);
1167 if (read_tlv == NULL) {
1168 ERROR("[IF-M] DH_NONCE_PARAMETERS_REQUEST was failed, check the collector");
1169 rc = PTS_INTERNAL_ERROR;
1171 } else if (read_tlv->type != DH_NONCE_PARAMETORS_RESPONSE) {
1174 // DEBUG("new read_tlv %p\n",read_tlv);
1177 ctx->nonce->res->reserved[0] = read_tlv->value[0];
1178 ctx->nonce->res->reserved[1] = read_tlv->value[1];
1179 ctx->nonce->res->reserved[2] = read_tlv->value[2];
1180 ctx->nonce->res->nonce_length = read_tlv->value[3];
1181 ctx->nonce->res->selected_dh_group = (read_tlv->value[4]<<8) | read_tlv->value[5];
1182 ctx->nonce->res->hash_alg_set = (read_tlv->value[6]<<8) | read_tlv->value[7];
1184 /* set pubkey length */
1185 setDhPubkeylength(ctx->nonce);
1188 ctx->nonce->res->dh_respondor_nonce = malloc(ctx->nonce->res->nonce_length);
1190 ctx->nonce->res->dh_respondor_nonce,
1191 &read_tlv->value[8],
1192 ctx->nonce->res->nonce_length);
1195 ctx->nonce->res->dh_respondor_public = malloc(ctx->nonce->pubkey_length);
1197 ctx->nonce->res->dh_respondor_public,
1198 &read_tlv->value[8 + ctx->nonce->res->nonce_length],
1199 ctx->nonce->pubkey_length);
1200 ctx->nonce->pubkey = ctx->nonce->res->dh_respondor_public; // link
1202 rc = calcDh(ctx->nonce);
1204 ERROR("calcDh failed\n");
1208 /* V->C D-H nonce finish --------------------------------------------- */
1209 len = writePtsTlv(ctx, sock, DH_NONCE_FINISH);
1211 ERROR("Send DH_NONCE_FINISH was failed\n");
1216 /* V->C IR req -------------------------------------------------------- */
1217 len = writePtsTlv(ctx, sock, REQUEST_INTEGRITY_REPORT);
1219 ERROR("Send REQUEST_INTEGRITY_REPORT was failed\n");
1223 /* C->V IR ------------------------------------------------------------ */
1224 freePtsTlv(read_tlv);
1225 read_tlv = readPtsTlv(sock);
1226 if (read_tlv == NULL) {
1227 ERROR("REQUEST_INTEGRITY_REPORT was failed, check the collector");
1228 rc = PTS_INTERNAL_ERROR;
1230 } else if (read_tlv->type != INTEGRITY_REPORT) {
1231 rc = PTS_INTERNAL_ERROR;
1235 rc = verifierHandleIR(ctx, read_tlv->length, read_tlv->value, mode, &result);
1238 len = writePtsTlv(ctx, sock, VERIFICATION_RESULT);
1240 rc = PTS_INTERNAL_ERROR;
1244 /* return validateIr() result */
1246 // OPENPTS_RESULT_INVALID
1247 if (result == OPENPTS_RESULT_VALID) {
1248 DEBUG("verifier() result : VALID");
1249 rc = PTS_SUCCESS; // 0 -> 0
1250 } else if (result == OPENPTS_RESULT_UNVERIFIED) {
1251 DEBUG("verifier() result : UNVERIFIED");
1252 rc = PTS_VERIFY_FAILED; // 101 -> 34
1253 } else if (result == OPENPTS_RESULT_INVALID) {
1254 DEBUG("verifier() result : INVALID");
1255 rc = PTS_VERIFY_FAILED; // 102 -> 34
1256 } else if (result == OPENPTS_RESULT_UNKNOWN) {
1257 DEBUG("verifier() result : UNKNOWN");
1258 rc = PTS_VERIFY_FAILED; // 104 -> 34
1259 } else if (result == OPENPTS_RESULT_IGNORE) {
1260 DEBUG("verifier() result : IGNORE");
1261 rc = PTS_VERIFY_FAILED; // 103 -> 34
1263 DEBUG("verifier() result : ERROR");
1264 rc = PTS_INTERNAL_ERROR;
1270 waitpid(ssh_pid, &ssh_status, 0);
1274 if (read_tlv != NULL) freePtsTlv(read_tlv);
1275 if (collector_dir != NULL) free(collector_dir);
1276 if (rm_dir != NULL) free(rm_dir);
1277 if ((rc == PTS_VERIFY_FAILED) && (mode == 1)) {
1278 DEBUG("verifier() - update the policy");
1282 DEBUG("verifier() - done (rc = %d)\n", rc);
OSDN Git Service
