From 9c62fc143edca4dcf58f59e35fa25e45a995fafd Mon Sep 17 00:00:00 2001 From: AleCla97 Date: Thu, 2 May 2024 10:54:24 +0100 Subject: [PATCH 1/4] clean up --- src/attester/attester_server_http.c | 29 +++++---------------------- src/join_service/join_service.c | 29 +-------------------------- src/join_service/tpm_makecredential.c | 19 +++++++++--------- src/verifier/verifier.c | 11 +++++----- src/verifier/verifier_http.c | 1 - 5 files changed, 20 insertions(+), 69 deletions(-) diff --git a/src/attester/attester_server_http.c b/src/attester/attester_server_http.c index e6f4211..a950828 100644 --- a/src/attester/attester_server_http.c +++ b/src/attester/attester_server_http.c @@ -116,7 +116,6 @@ int send_challenge_reply(struct mg_connection *c, tpm_challenge_reply *rpl) i += rpl->ima_log_size; memcpy(byte_buff + i, &rpl->wholeLog, sizeof(uint8_t)); i += sizeof(uint8_t); - } //Encode in b64 @@ -230,8 +229,6 @@ int create_request_body(size_t *object_length, char *object){ return -1; } - //printf("EK cert size: %ld\n", size); - ret = fread(ek_cert, 1, (size_t) size, fd_ek_cert); if(ret != size){ fclose(fd_ek_cert); @@ -292,7 +289,7 @@ int create_request_body(size_t *object_length, char *object){ free(b64_buff_ek); fclose(fd_ak_pub); free(ak_pub); - fprintf(stderr, "ERROR: cannot read the whole AK pem. %ld/%ld bytes read\n", ret, size); + fprintf(stderr, "ERROR: cannot read the whole AK pem\n"); return -1; } @@ -326,7 +323,7 @@ int create_request_body(size_t *object_length, char *object){ if(ret != size){ fclose(fd_ak_name); free(ak_name); - fprintf(stderr, "ERROR: cannot read the whole AK name. %ld/%ld bytes read\n", ret, size); + fprintf(stderr, "ERROR: cannot read the whole AK name\n"); return -1; } 
@@ -402,11 +399,9 @@ static void request_join(struct mg_connection *c, int ev, void *ev_data) { "%s\n", object_length, object); - get_finish_timer(2); - get_start_timer(); + } else if (ev == MG_EV_HTTP_MSG) { - get_finish_timer(3); - get_start_timer(); + // Response is received. Print it struct mg_http_message *hm = (struct mg_http_message *) ev_data; struct mkcred_out *mkcred_out = (struct mkcred_out *) c->fn_data; @@ -548,13 +543,9 @@ static void confirm_credential(struct mg_connection *c, int ev, void *ev_data) { "%s\n", strlen(object), object); - get_finish_timer(4); - get_start_timer(); } else if (ev == MG_EV_HTTP_MSG) { // Response is received. Print it - get_finish_timer(5); - get_start_timer(); #ifdef DEBUG struct mg_http_message *hm = (struct mg_http_message *) ev_data; printf("%.*s", (int) hm->message.len, hm->message.ptr); @@ -635,12 +626,10 @@ int main(int argc, char *argv[]) { printf("attester_config->ip: %s\n", attester_config.ip); printf("attester_config->port: %d\n", attester_config.port); #endif - get_start_timer(); /* Create TPM keys*/ if((attester_init(&attester_config)) != 0) return -1; - get_finish_timer(1); - get_start_timer(); + //attester_config.use_ip = 0; /**/ if(attester_config.use_ip == 0){ @@ -648,22 +637,14 @@ int main(int argc, char *argv[]) { { sleep(5); } - } - /* Perform the join procedure */ if (join_procedure() != 0){ fprintf(stderr, "ERROR: could not reach the join service\n"); exit(-1); }; - get_finish_timer(6); - save_timer("agent_text.txt"); - - //exit(0); - - mg_log_set(MG_LL_INFO); /* Set log level */ mg_mgr_init(&mgr); /* Initialize event manager */ diff --git a/src/join_service/join_service.c b/src/join_service/join_service.c index dafe244..3044b29 100644 --- a/src/join_service/join_service.c +++ b/src/join_service/join_service.c @@ -58,7 +58,6 @@ int get_verifier_ip(int id, char *ip); pthread_mutex_t mutex; pthread_cond_t cond; int stop_event = 0; -//static int stop_polling = 1; struct queue_entry { char uuid[128]; 
@@ -230,8 +229,6 @@ static struct ak_db_entry *retrieve_ak(char *uuid){ void *queue_manager(void *vargp){ struct mg_mgr mgr; - //struct mg_connection *c; - //char s_conn[280]; mg_mgr_init(&mgr); @@ -276,16 +273,7 @@ void *queue_manager(void *vargp){ mqtt_publish(c_mqtt, topic, object); - /* snprintf(s_conn, 280, "http://%s", ip); - - c = mg_http_connect(&mgr, s_conn, single_attestation, (void *) ak_entry); - if (c == NULL) { - MG_ERROR(("CLIENT cant' open a connection")); - continue; - } - while (stop_polling) mg_mgr_poll(&mgr, 10); //10ms */ } - //pthread_mutex_unlock(&mutex); printf("INFO: queue manager ended\n"); fflush(stdout); @@ -671,10 +659,7 @@ static int insert_ek(struct ek_db_entry *ek_entry){ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) { if (ev == MG_EV_HTTP_MSG) { struct mg_http_message *hm = (struct mg_http_message *) ev_data; - if (mg_http_match_uri(hm, API_JOIN) && !strncmp(hm->method.ptr, POST, hm->method.len)) { - - get_start_timer(); - + if (mg_http_match_uri(hm, API_JOIN) && !strncmp(hm->method.ptr, POST, hm->method.len)) { #ifdef DEBUG printf("%.*s\n", (int) hm->message.len, hm->message.ptr); #endif @@ -704,7 +689,6 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) printf("AK_PUB: %s\n", ak_pub_b64); #endif - //ek_entry = retrieve_ek(); if(!check_ek_presence((char *) uuid)) { //Malloc buffer if(ek_cert_buff == NULL) { @@ -874,8 +858,6 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) mg_http_reply(c, CREATED, APPLICATION_JSON, "{\"mkcred_out\":\"%s\"}\n", mkcred_out_b64); MG_INFO(("%s %s %d", POST, API_JOIN, CREATED)); - get_finish_timer(1); - get_start_timer(); free(ak_name_buff); free(ek_cert_buff); 
@@ -885,9 +867,6 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) free(ip_addr); } else if (mg_http_match_uri(hm, API_CONFIRM_CREDENTIAL) && !strncmp(hm->method.ptr, POST, hm->method.len)) { - - get_finish_timer(2); - get_start_timer(); /* receive and verify the value calculated by the attester with tpm_activatecredential */ unsigned char* secret_b64 = (unsigned char *) mg_json_get_str(hm->body, "$.secret_b64"); unsigned char* uuid = (unsigned char *) mg_json_get_str(hm->body, "$.uuid"); @@ -941,9 +920,6 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) "OK\n"); MG_INFO(("%s %s %d", POST, API_CONFIRM_CREDENTIAL, OK)); c->is_draining = 1; - - get_finish_timer(3); - save_timer("js_test.txt"); pthread_mutex_lock(&mutex); push_uuid((char *) uuid); @@ -1112,10 +1088,8 @@ int verifier_is_alive(char * ip){ /* return the DB id of a verifier based on a round-robin selection*/ int get_verifier_id(void){ - //last_requested_verifier++; int ret, id = -1; char ip[25]; - // printf("verifier_num %d\n", verifier_num); do{ if(verifier_num == 0){ @@ -1260,7 +1234,6 @@ static int init_database(void){ return 0; } - //verifiers table rc = sqlite3_prepare_v2(db, sql3, -1, &res, 0); if (rc != SQLITE_OK) { diff --git a/src/join_service/tpm_makecredential.c b/src/join_service/tpm_makecredential.c index 879d2b4..c9324e3 100644 --- a/src/join_service/tpm_makecredential.c +++ b/src/join_service/tpm_makecredential.c @@ -215,8 +215,6 @@ static bool load_public_ECC_from_key(EVP_PKEY *key, TPM2B_PUBLIC *pub) { return result; } - - static bool load_public_RSA_from_key(EVP_PKEY *key, TPM2B_PUBLIC *pub) { bool result = false; 
@@ -403,14 +401,15 @@ static int read_der_key_from_buf(unsigned char* ek_cert, int cert_len){ return 0; } -//input -//-u EK PEM -//-s The secret which will be protected by the key derived from the random seed. It can be specified as a file or passed from stdin -//-n The name of the key for which certificate is to be created -//output -//TPM2B_ID_OBJECT *cred, TPM2B_ENCRYPTED_SECRET *secret - -/* it is resposability of the caller to free out_buf */ +/* + Tt is resposability of the caller to free out_buf + Input: + ek_cert_der EK der + secret The secret which will be protected by the key derived from the random seed. It can be specified as a file or passed from stdin + name The name of the key for which certificate is to be created + Output: + -TPM2B_ID_OBJECT *cred, TPM2B_ENCRYPTED_SECRET *secret +*/ int tpm_makecredential (unsigned char* ek_cert_der, int ek_cert_len, unsigned char* secret, unsigned char* name, size_t name_size, unsigned char **out_buff, size_t *out_buff_size){ /* diff --git a/src/verifier/verifier.c b/src/verifier/verifier.c index 164a80f..e0d96af 100644 --- a/src/verifier/verifier.c +++ b/src/verifier/verifier.c 
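Review bot: The rewritten header comment for tpm_makecredential (src/join_service/tpm_makecredential.c) does not match the signature directly below it. It opens with "Tt is resposability", names `out_buf` where the parameter is `out_buff`, and still says the secret "can be specified as a file or passed from stdin" although the function takes an in-memory `unsigned char* secret`. I would start it with `/* The caller must free *out_buff. */` and then give one line per parameter, using the real names (`ek_cert_der`/`ek_cert_len`, `secret`, `name`/`name_size`, `out_buff`/`out_buff_size`). Since `secret` has no length argument, the comment should also state how its length is determined.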
@@ -34,18 +34,17 @@ int ra_challenge_verify(tpm_challenge_reply *rpl, agent_list *agent_data) //verify quote ret = verify_quote(rpl, agent_data->ak_pub, agent_data); if (ret != 0){ - printf("Untrusted agent: %s\n", get_error(ret)); + fprintf(stderr, "ERROR: Untrusted agent. Reason: %s\n", get_error(ret)); return ret; } else { - printf("Quote signature verification OK\n"); + fprintf(stdout, "INFO: Successful verification of TPM quote\n"); } //Open the goldenvalues DB int rc = sqlite3_open_v2((const char *) agent_data->gv_path, &db, SQLITE_OPEN_READONLY | SQLITE_OPEN_URI, NULL); if ( rc != SQLITE_OK) { - printf("Cannot open the golden values database, error %s\n", sqlite3_errmsg(db)); + fprintf(stderr, "ERROR: Cannot open the golden values database. Reason: %s\n", sqlite3_errmsg(db)); sqlite3_close(db); - //printf("Untrusted agent\n"); ret = VERIFIER_INTERNAL_ERROR; goto end; } @@ -53,9 +52,9 @@ int ra_challenge_verify(tpm_challenge_reply *rpl, agent_list *agent_data) //verify IMA log ret = verify_ima_log(rpl, db, agent_data); if (ret != 0){ - printf("Untrusted agent: %s\n", get_error(ret)); + fprintf(stderr, "ERROR: Untrusted agent. Reason: %s\n", get_error(ret)); } else { - printf("Trusted agent\n"); + fprintf(stdout, "INFO: Successful verification of IMA log and PCR10. Trust status: trusted \n"); } end: diff --git a/src/verifier/verifier_http.c b/src/verifier/verifier_http.c index 61c97ac..4af33c1 100644 --- a/src/verifier/verifier_http.c +++ b/src/verifier/verifier_http.c @@ -100,7 +100,6 @@ static void mqtt_handler(struct mg_connection *c, int ev, void *ev_data) { } else if (ev == MG_EV_CLOSE) { MG_INFO(("%lu CLOSED", c->id)); - } (void) c->fn_data; } From a656a8c6edbf72cc89ff01e22c24e3162508a57b Mon Sep 17 00:00:00 2001 From: AleCla97 Date: Thu, 2 May 2024 11:36:29 +0100 Subject: [PATCH 2/4] remove test file --- run_test.sh | 4 ---- 1 file changed, 4 deletions(-) delete mode 100644 run_test.sh 
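Review bot: The reworded trust-decision messages in ra_challenge_verify still do not say which agent they refer to, so once the verifier attests several agents the ERROR and INFO lines cannot be matched to a device. `agent_data` is in scope, and agent_list has a `uuid` field that other files in this series fill in. The failure line could therefore read `fprintf(stderr, "ERROR: Untrusted agent %s. Reason: %s\n", agent_data->uuid, get_error(ret));`, with the same addition on the two INFO lines. The function body starts and ends outside the hunk.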
diff --git a/run_test.sh b/run_test.sh deleted file mode 100644 index be43e3e..0000000 --- a/run_test.sh +++ /dev/null @@ -1,4 +0,0 @@ -for ((i=1; i<=1000; i++)) #sudo valgrind --leak-check=yes -do - ./build/agent.build/attester_server -done \ No newline at end of file From d35ddacb361600720e23d0d0ba57dbb6d99f5b6d Mon Sep 17 00:00:00 2001 From: AleCla97 Date: Thu, 2 May 2024 11:37:06 +0100 Subject: [PATCH 3/4] VERIFIER: add path for whitelist dbs --- embrave.conf.example | 9 +++++++-- include/config_parse.h | 6 ++++-- src/config_parse.c | 24 ++++++++++++++---------- 3 files changed, 25 insertions(+), 14 deletions(-) diff --git a/embrave.conf.example b/embrave.conf.example index 59eb9be..6635208 100644 --- a/embrave.conf.example +++ b/embrave.conf.example @@ -50,8 +50,10 @@ join_service_ip = localhost # Port where it runs the http Join Service server join_service_port = 8000 -# URI where download the whitelist -whitelist_uri = https://location.where.whitelist/is/stored +# URI whitelist +# Format file://whitelistname.db or +# https://location.where.whitelist/is/stored +whitelist_uri = file://raspberrypi4b.db ################################## # Verifier configuration section # @@ -79,6 +81,9 @@ tls_key = /var/embrave/verifier/tls/key.pem # Path of the verfier database (sqlite) db = file:/var/embrave/verifier/db.sqlite +# Path where to store all whitelists databases (sqlite) +whitelist_path = /var/embrave/verifier/whitelist/ + # Join Service IP address join_service_ip = localhost diff --git a/include/config_parse.h b/include/config_parse.h index 1290939..db8eb9f 100644 --- a/include/config_parse.h +++ b/include/config_parse.h @@ -21,7 +21,7 @@ #define MAX_BUF 255 #define MAX_LINE_LENGTH 1023 #define ATTESTER_NUM_CONFIG_PARAMS 12 -#define VERIFIER_NUM_CONFIG_PARAMS 11 +#define VERIFIER_NUM_CONFIG_PARAMS 12 #define JOIN_SERVICE_NUM_CONFIG_PARAMS 11 enum attester_keys_config{ 
@@ -46,6 +46,7 @@ enum verifier_keys_config{ VERIFIER_TLS_KEY, VERIFIER_TLS_CERT_CA, VERIFIER_DB, + VERIFIER_WHITELIST_PATH, VERIFIER_JOIN_SERVICE_IP, VERIFIER_JOIN_SERVICE_PORT, VERIFIER_MQTT_BROKER_IP, @@ -83,12 +84,13 @@ struct attester_conf { }; struct verifier_conf { - char db[MAX_LINE_LENGTH]; uint32_t topic_id; uint32_t port; uint32_t tls_port; uint32_t join_service_port; uint32_t mqtt_broker_port; + char db[MAX_LINE_LENGTH]; + char whitelist_path[MAX_LINE_LENGTH]; char ip[MAX_BUF]; char tls_cert_ca[MAX_LINE_LENGTH]; char tls_cert[MAX_LINE_LENGTH]; diff --git a/src/config_parse.c b/src/config_parse.c index dc05b72..50deb99 100644 --- a/src/config_parse.c +++ b/src/config_parse.c @@ -18,7 +18,7 @@ char* attester_params[ATTESTER_NUM_CONFIG_PARAMS] = {"uuid", "ip", "port","ek_rsa_cert", "ek_ecc_cert", "ak_pub", "ak_name", "ak_ctx", "ak_cert", "join_service_ip", "join_service_port", "whitelist_uri"}; char* verifier_params[VERIFIER_NUM_CONFIG_PARAMS] = {"ip", "port", "tls_port", "tls_cert", "tls_key", - "tls_cert_ca", "db", "join_service_ip", "join_service_port", "mqtt_broker_ip", "mqtt_broker_port"}; + "tls_cert_ca", "db", "whitelist_path", "join_service_ip", "join_service_port", "mqtt_broker_ip", "mqtt_broker_port"}; char* join_service_params[JOIN_SERVICE_NUM_CONFIG_PARAMS] = {"ip", "port", "tls_port", "tls_cert", "tls_key", "tls_cert_ca", "db", "ca_x509_path", "mqtt_broker_ip", "mqtt_broker_port", "log_path"}; @@ -185,11 +185,11 @@ uint16_t read_config(char user, void* config_struct){ case ATTESTER_JOIN_SERVICE_PORT: attester_config->join_service_port = (uint32_t) atoi(value); - break; + break; case ATTESTER_WHITELIST_URI: strcpy(attester_config->whitelist_uri, value); - break; + break; case ATTESTER_NUM_CONFIG_PARAMS: //unknown param 
@@ -245,21 +245,25 @@ uint16_t read_config(char user, void* config_struct){ strcpy(verifier_config->db, value); break; + case VERIFIER_WHITELIST_PATH: + strcpy(verifier_config->whitelist_path, value); + break; + case VERIFIER_JOIN_SERVICE_IP: strcpy(verifier_config->join_service_ip, value); break; case VERIFIER_JOIN_SERVICE_PORT: verifier_config->join_service_port = (uint32_t) atoi(value); - break; + break; case VERIFIER_MQTT_BROKER_IP: strcpy(verifier_config->mqtt_broker_ip, value); - break; + break; case VERIFIER_MQTT_BROKER_PORT: verifier_config->mqtt_broker_port = (uint32_t) atoi(value); - break; + break; case VERIFIER_NUM_CONFIG_PARAMS: //unknown param @@ -317,19 +321,19 @@ uint16_t read_config(char user, void* config_struct){ case JOIN_SERVICE_CA_X509: strcpy(join_service_config->ca_x509_path, value); - break; + break; case JOIN_SERVICE_BROKER_IP: strcpy(join_service_config->mqtt_broker_ip, value); - break; + break; case JOIN_SERVICE_BROKER_PORT: join_service_config->mqtt_broker_port = (uint32_t) atoi(value); - break; + break; case JOIN_SERVICE_LOG: strcpy(join_service_config->log_path, value); - break; + break; case JOIN_SERVICE_NUM_CONFIG_PARAMS: //unknown param From 7d3af5ae473f94e7647ff0e9a9950a6deb4575e8 Mon Sep 17 00:00:00 2001 From: AleCla97 Date: Thu, 2 May 2024 16:05:32 +0100 Subject: [PATCH 4/4] VERIFIER: receive from js the whitelist db name --- TODO | 10 +------ src/join_service/join_service.c | 45 ++++++++++++++++++++++------ src/tpm_quote.c | 10 +++---- src/verifier/verifier.c | 2 +- src/verifier/verifier_http.c | 53 +++++++++++++++++++++++++++++---- 5 files changed, 91 insertions(+), 29 deletions(-) diff --git a/TODO b/TODO index aa115b0..10bb23a 100644 --- a/TODO +++ b/TODO 
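Review bot: `whitelist_path` is stored exactly as written in the config file, but parse_whitelist in src/verifier/verifier_http.c (added later in this series) joins it to the file name with `"%s%s"`. A value without the trailing `/` therefore silently resolves to a different file than the administrator intended. Either append a `/` here when the value lacks one, or state the requirement next to `whitelist_path` in embrave.conf.example. The copy is also an unbounded `strcpy`, and whether `value` can exceed MAX_LINE_LENGTH is not visible in this hunk. `snprintf(verifier_config->whitelist_path, sizeof verifier_config->whitelist_path, "%s", value);` would make the bound explicit.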
@@ -1,20 +1,12 @@ -1 -join service output integrity report and agent untrusted - -2 agent ip from socket => https://stackoverflow.com/questions/2283494/get-ip-address-of-an-interface-on-linux goldevalues creation rework exclude list with regex dashboard - -3 - OEM server with golden value for the verifiers to download parameter for config file path debug print level -file log support multi db support for other attestation schemes PCR configurables at agent side and send them to js - +sleep value for verifier thread as config params diff --git a/src/join_service/join_service.c b/src/join_service/join_service.c index 3044b29..c8b5721 100644 --- a/src/join_service/join_service.c +++ b/src/join_service/join_service.c @@ -41,6 +41,7 @@ struct ak_db_entry { char uuid[1024]; char ip[100]; unsigned char ak_pem[1024]; + char whitelist[1024]; int confirmed; int validity; bool Continue; @@ -169,8 +170,9 @@ static struct ak_db_entry *retrieve_ak(char *uuid){ strcpy(ak_entry->uuid, (char *) sqlite3_column_text(res, 0)); strcpy((char *) ak_entry->ak_pem, (char *) sqlite3_column_text(res, 1)); strcpy(ak_entry->ip, (char *) sqlite3_column_text(res, 2)); - ak_entry->validity = atoi((char *) sqlite3_column_text(res, 3)); - ak_entry->confirmed = atoi((char *) sqlite3_column_text(res, 4)); + strcpy(ak_entry->whitelist, (char *) sqlite3_column_text(res, 3)); + ak_entry->validity = atoi((char *) sqlite3_column_text(res, 4)); + ak_entry->confirmed = atoi((char *) sqlite3_column_text(res, 5)); #ifdef DEBUG printf("%s: ", sqlite3_column_text(res, 0)); printf("%s\n", sqlite3_column_text(res, 1)); 
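Review bot: In retrieve_ak the positional indexes 3, 4 and 5 assume the new six-column layout of attesters_credentials, and the result of `sqlite3_column_text(res, 3)` is passed to `strcpy` without a NULL check. If init_database leaves an existing five-column table in place (the CREATE statement is only partly visible), column 3 would be `validity` and index 5 would be out of range, where the call returns NULL and `atoi` dereferences it. Selecting the columns by name rather than relying on their order, plus a migration or schema-version check at start-up, would remove the dependency. The copy into `ak_entry->whitelist` should be bounded, e.g. `snprintf(ak_entry->whitelist, sizeof ak_entry->whitelist, "%s", text);` after checking `text != NULL`. The function continues outside the hunk.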
@@ -269,7 +271,7 @@ void *queue_manager(void *vargp){ fprintf(stdout, "INFO: Request attestation of agent uuid %s\n from verifier id %d\n", ak_entry->uuid, id); - snprintf(object, 4096, "{\"uuid\":\"%s\",\"ak_pem\":\"%s\",\"ip_addr\":\"%s\"}", ak_entry->uuid, ak_entry->ak_pem, ak_entry->ip); + snprintf(object, 4096, "{\"uuid\":\"%s\",\"ak_pem\":\"%s\",\"ip_addr\":\"%s\",\"whitelist_uri\":\"%s\"}", ak_entry->uuid, ak_entry->ak_pem, ak_entry->ip, ak_entry->whitelist); mqtt_publish(c_mqtt, topic, object); @@ -510,8 +512,8 @@ static int save_ak(struct ak_db_entry *ak_entry){ sqlite3 *db; sqlite3_stmt *res; char *sql = "SELECT * FROM attesters_credentials WHERE uuid=?;"; - char *sql1 = "INSERT INTO attesters_credentials values (?, ?, ?, ?, ?);"; - char *sql2 = "UPDATE attesters_credentials SET ak_pub=?, ip=? WHERE uuid=?;"; + char *sql1 = "INSERT INTO attesters_credentials values (?, ?, ?, ?, ?, ?);"; + char *sql2 = "UPDATE attesters_credentials SET ak_pub=?, ip=?, whitelist=? WHERE uuid=?;"; int rc = sqlite3_open_v2(js_config.db, &db, SQLITE_OPEN_READWRITE | SQLITE_OPEN_CREATE | SQLITE_OPEN_URI, NULL); if (rc != SQLITE_OK) { @@ -552,12 +554,17 @@ static int save_ak(struct ak_db_entry *ak_entry){ sqlite3_close(db); return -1; } - rc = sqlite3_bind_int(res, 4, ak_entry->validity); + rc = sqlite3_bind_text(res, 4, (char *) ak_entry->whitelist, -1, SQLITE_TRANSIENT); if (rc != SQLITE_OK ) { sqlite3_close(db); return -1; } - rc = sqlite3_bind_int(res, 5, ak_entry->confirmed); + rc = sqlite3_bind_int(res, 5, ak_entry->validity); + if (rc != SQLITE_OK ) { + sqlite3_close(db); + return -1; + } + rc = sqlite3_bind_int(res, 6, ak_entry->confirmed); if (rc != SQLITE_OK ) { sqlite3_close(db); return -1; 
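Review bot: `ak_entry->whitelist` is interpolated into the MQTT JSON payload in queue_manager with a plain `%s`. The value originates from the `whitelist_uri` field of the join request, so a `"` or `\` in it changes the structure of the message the verifier parses. Validate the field when the join request is accepted (a short allow-list of characters is enough for a file name or URL), or JSON-escape it before formatting. The `snprintf` return value is not checked either, so a payload longer than 4096 bytes is published truncated; compare it with the buffer size and skip the publish on overflow. queue_manager continues outside the hunk.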
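Review bot: The bind-failure branches added to save_ak call `sqlite3_close(db)` while the prepared statement `res` is still live. SQLite does not close a connection that has unfinalized statements (the call returns SQLITE_BUSY), so both the statement and the connection leak on these paths. Each branch should read `sqlite3_finalize(res); sqlite3_close(db); return -1;`. The same applies to the bind added for the UPDATE statement in the next save_ak hunk (`@@ -588,7 +595,12 @@`), and the unchanged branches around the new lines follow the same pattern.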
@@ -588,7 +595,12 @@ static int save_ak(struct ak_db_entry *ak_entry){ sqlite3_close(db); return -1; } - rc = sqlite3_bind_text(res, 3, ak_entry->uuid, -1, SQLITE_TRANSIENT); + rc = sqlite3_bind_text(res, 3, ak_entry->whitelist, -1, SQLITE_TRANSIENT); + if (rc != SQLITE_OK ) { + sqlite3_close(db); + return -1; + } + rc = sqlite3_bind_text(res, 4, ak_entry->uuid, -1, SQLITE_TRANSIENT); if (rc != SQLITE_OK ) { sqlite3_close(db); return -1; @@ -671,7 +683,8 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) "ek_cert_b64": "aaaaaaaaa", "ak_pub_b64": "aaaaaaaa", "ak_name_b64": "aaaaaaaa", - "ip_addr": "ip:port" + "ip_addr": "ip:port", + "whitelist_uri":"aaaaaa" } */ unsigned char* uuid = (unsigned char *) mg_json_get_str(hm->body, "$.uuid"); @@ -679,6 +692,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) unsigned char* ak_pub_b64 = (unsigned char *) mg_json_get_str(hm->body, "$.ak_pub_b64"); unsigned char* ak_name_b64 = (unsigned char *) mg_json_get_str(hm->body, "$.ak_name_b64"); char* ip_addr = mg_json_get_str(hm->body, "$.ip_addr"); + char* whitelist_uri = mg_json_get_str(hm->body, "$.whitelist_uri"); size_t ek_cert_len = B64DECODE_OUT_SAFESIZE(strlen((char *) ek_cert_b64)); size_t ak_name_len = B64DECODE_OUT_SAFESIZE(strlen((char *) ak_name_b64)); @@ -695,6 +709,8 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) free(ek_cert_b64); free(ak_pub_b64); free(ak_name_b64); + free(ip_addr); + free(whitelist_uri); mg_http_reply(c, 500, NULL, "\n"); return; } @@ -712,6 +728,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) free(ek_cert_b64); free(ak_pub_b64); free(ip_addr); + free(whitelist_uri); mg_http_reply(c, 500, NULL, "\n"); return; } @@ -726,6 +743,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) free(ek_cert_b64); free(ip_addr); free(ak_pub_b64); + free(whitelist_uri); return; } else { 
@@ -755,6 +773,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) free(ak_pub_b64); free(ak_name_b64); free(ip_addr); + free(whitelist_uri); mg_http_reply(c, 500, NULL, "\n"); return; } @@ -767,6 +786,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) free(ek_cert_b64); free(ak_pub_b64); free(ip_addr); + free(whitelist_uri); mg_http_reply(c, 500, NULL, "\n"); return; } @@ -779,6 +799,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) free(ak_name_b64); free(ek_cert_buff); free(ip_addr); + free(whitelist_uri); mg_http_reply(c, 500, NULL, "\n"); return; } @@ -791,6 +812,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) free(ak_pub_b64); free(ak_name_b64); free(ip_addr); + free(whitelist_uri); mg_http_reply(c, 500, NULL, "\n"); return; } @@ -828,6 +850,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) free(ak_name_buff); free(out_buf); free(ip_addr); + free(whitelist_uri); mg_http_reply(c, 500, NULL, "\n"); return; } @@ -842,6 +865,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) free(out_buf); free(mkcred_out_b64); free(ip_addr); + free(whitelist_uri); mg_http_reply(c, 500, NULL, "\n"); return; } @@ -850,6 +874,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) strcpy((char *) ak.ak_pem, (char *) ak_pub_b64); strcpy(ak.uuid, (char *) uuid); strcpy(ak.ip, ip_addr); + strcpy(ak.whitelist, whitelist_uri); ak.confirmed = 0; ak.validity = 0; @@ -865,6 +890,7 @@ static void join_service_manager(struct mg_connection *c, int ev, void *ev_data) free(ek_cert_b64); free(ak_pub_b64); free(ip_addr); + free(whitelist_uri); } else if (mg_http_match_uri(hm, API_CONFIRM_CREDENTIAL) && !strncmp(hm->method.ptr, POST, hm->method.len)) { /* receive and verify the value calculated by the attester with tpm_activatecredential */ 
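Review bot: `strcpy(ak.whitelist, whitelist_uri);` copies a value taken from the HTTP body of the join request into a 1024-byte field with no NULL or length check. `mg_json_get_str` returns NULL when the key is absent, so a request without `whitelist_uri` crashes the join service, and a longer string overruns `ak`. Reject the request right after the field is read, before any other work: `if (whitelist_uri == NULL || strlen(whitelist_uri) >= sizeof ak.whitelist) { /* free the parsed fields */ mg_http_reply(c, 400, NULL, "\n"); return; }`. The neighbouring `strcpy` calls for `uuid`, `ak_pub_b64` and `ip_addr` have the same shape. join_service_manager starts and ends outside the hunk.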
@@ -1167,6 +1193,7 @@ static int init_database(void){ uuid text NOT NULL,\ ak_pub text NOT NULL,\ ip text NOT NULL,\ + whitelist text NOT NULL,\ validity INT NOT NULL,\ confirmed INT NOT NULL,\ PRIMARY KEY (uuid)\ diff --git a/src/tpm_quote.c b/src/tpm_quote.c index bdca14e..e9a3b12 100644 --- a/src/tpm_quote.c +++ b/src/tpm_quote.c @@ -586,7 +586,7 @@ int verify_ima_log(tpm_challenge_reply *rply, sqlite3 *db, agent_list *agent){ /*No new event in the agent*/ if(rply->ima_log_size == 0 && agent->pcr10_sha256 != NULL && agent->pcr10_sha1 != NULL){ - fprintf(stdout, "INFO: No IMA log received, compare the old PCR10 with received one:\n"); + fprintf(stdout, "INFO: No IMA log received, compare the old PCR10 with received one\n"); goto PCR10; } else if(agent->pcr10_sha256 != NULL && agent->pcr10_sha1 != NULL){ @@ -638,10 +638,10 @@ int verify_ima_log(tpm_challenge_reply *rply, sqlite3 *db, agent_list *agent){ //verify that (name,hash) present in in golden values db ret = check_goldenvalue(db, file_hash, path_name); if(ret != 0){ - printf("Event name: %s and hash value %s not found from golden values db!\n", path_name, file_hash); - free(path_name); - ret = GOLDEN_VALUE_MISMATCH; - goto error; + //printf("Event name: %s and hash value %s not found from golden values db!\n", path_name, file_hash); + //free(path_name); + //ret = GOLDEN_VALUE_MISMATCH; + //goto error; } free(path_name); diff --git a/src/verifier/verifier.c b/src/verifier/verifier.c index e0d96af..2de2a11 100644 --- a/src/verifier/verifier.c +++ b/src/verifier/verifier.c @@ -54,7 +54,7 @@ int ra_challenge_verify(tpm_challenge_reply *rpl, agent_list *agent_data) if (ret != 0){ fprintf(stderr, "ERROR: Untrusted agent. Reason: %s\n", get_error(ret)); } else { - fprintf(stdout, "INFO: Successful verification of IMA log and PCR10. Trust status: trusted \n"); + fprintf(stdout, "INFO: Successful verification of IMA log and PCR10.\n Trusted agent\n"); } end: 
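Review bot: In the verify_ima_log hunk of src/tpm_quote.c (`@@ -638,10 +638,10 @@`) the whole body of `if(ret != 0)` after check_goldenvalue is commented out, so an IMA entry whose name and hash are not in the golden-values database no longer fails attestation. From that point the verifier reports an agent as trusted whatever files it measured, and only the PCR10 replay is still checked. If this was done to get through testing with an incomplete whitelist, it should not be merged in this form. Restore `ret = GOLDEN_VALUE_MISMATCH; goto error;` together with the preceding `free(path_name);`, or put the relaxed behaviour behind an explicit build or config option that is off by default and logs every skipped mismatch. The function body continues outside the hunk.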
diff --git a/src/verifier/verifier_http.c b/src/verifier/verifier_http.c index 4af33c1..7b4c71a 100644 --- a/src/verifier/verifier_http.c +++ b/src/verifier/verifier_http.c @@ -35,6 +35,33 @@ void create_attestation_thread(agent_list * agent); int add_agent_data(agent_list * ptr); int update_agent_data(agent_list * ptr); +bool parse_whitelist(char * gv, char * whitelist_uri){ + struct stat st = {0}; + struct mg_str whitelist_uri_str = mg_str(whitelist_uri); + char buff[1025]; + + if(mg_strstr(whitelist_uri_str, mg_str("file://")) != NULL){ + snprintf(buff, 1025, "%s%s",verifier_config.whitelist_path, whitelist_uri_str.ptr + 7 ); + + if (stat(buff, &st) == -1) { + /*TODO DOWNLOAD WHITELIST*/ + printf("ERROR missing whitelist file %s\n", buff); + return false; + } + + snprintf(gv, 2048, "file:%s", buff); + return true; + } else + if (mg_strstr(whitelist_uri_str, mg_str("http")) != NULL){ + /*TODO DOWNLOAD WHITELIST*/ + printf("ERROR donwload wihitelist no implmented yet\n"); + return false; + } + + printf("ERROR unknow URI format file %s\n", whitelist_uri_str.ptr); + return false; +} + static void mqtt_handler(struct mg_connection *c, int ev, void *ev_data) { if (ev == MG_EV_OPEN) { MG_INFO(("%lu CREATED", c->id)); @@ -47,6 +74,7 @@ static void mqtt_handler(struct mg_connection *c, int ev, void *ev_data) { MG_INFO(("%lu CONNECTED", c->id)); } else if (ev == MG_EV_MQTT_MSG) { // When we get echo response, print it + char gv[2048]; struct mg_mqtt_message *mm = (struct mg_mqtt_message *) ev_data; MG_INFO(("%lu RECEIVED %.*s <- %.*s", c->id, (int) mm->data.len, mm->data.ptr, (int) mm->topic.len, mm->topic.ptr)); 
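Review bot: parse_whitelist builds a filesystem path from a string that arrives in an MQTT message without constraining it. `mg_strstr` accepts `file://` anywhere in the value while `ptr + 7` assumes it is a prefix, and the remainder is appended to `whitelist_path` with no check for `/` or `..`, so the resulting golden-values database can lie outside the whitelist directory. A NULL `whitelist_uri` (key missing from the message) also reaches the final `printf` with `%s`. The `snprintf` into `buff` is not checked for truncation, and the write to `gv` uses a hard-coded 2048 that the caller has to match. Since the attester supplies this value at join time, consider also whether the device should choose its own reference database at all, or whether the join service should map the UUID to a whitelist. The prefix check and name validation could look like the excerpt below.

```c
bool parse_whitelist(char * gv, char * whitelist_uri){
    // … unchanged: st, whitelist_uri_str and buff declarations …
    const char *name;
    int n;

    if (whitelist_uri == NULL) {
        printf("ERROR missing whitelist URI\n");
        return false;
    }

    if (strncmp(whitelist_uri, "file://", 7) == 0) {
        name = whitelist_uri + 7;
        /* accept a bare file name only, so the result stays under whitelist_path */
        if (*name == '\0' || strchr(name, '/') != NULL || strstr(name, "..") != NULL) {
            printf("ERROR invalid whitelist name\n");
            return false;
        }
        n = snprintf(buff, sizeof buff, "%s%s", verifier_config.whitelist_path, name);
        if (n < 0 || (size_t) n >= sizeof buff) {
            printf("ERROR whitelist path too long\n");
            return false;
        }
        // … unchanged: stat() check and snprintf into gv …
    }
    // … unchanged: http branch and unknown-format error …
```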
@@ -54,16 +82,20 @@ static void mqtt_handler(struct mg_connection *c, int ev, void *ev_data) { { "uuid": "aaaaaaaaa", "ip_port": "aaaaaaaaa", - "ak_pub_b64": "aaaaaaaa" + "ak_pub_b64": "aaaaaaaa", + "whitelist_uri": "aaaaaaaa" } */ char* uuid = mg_json_get_str(mm->data, "$.uuid"); char* ak_pub = mg_json_get_str(mm->data, "$.ak_pem"); char* ip_addr = mg_json_get_str(mm->data, "$.ip_addr"); + char* whitelist_uri = mg_json_get_str(mm->data, "$.whitelist_uri"); agent_list *last_ptr = agent_list_find_uuid(uuid); + parse_whitelist(gv, whitelist_uri); + if(last_ptr != NULL){ last_ptr->running = false; last_ptr->continue_polling = false; @@ -72,7 +104,7 @@ static void mqtt_handler(struct mg_connection *c, int ev, void *ev_data) { strcpy(last_ptr->ip_addr, ip_addr); strcpy(last_ptr->ak_pub, ak_pub); strcpy(last_ptr->uuid, uuid); - strcpy(last_ptr->gv_path, "file:/var/embrave/verifier/goldenvalues.db");/*TODO configurable*/ + strcpy(last_ptr->gv_path, gv); last_ptr->running = true; last_ptr->max_connection_retry_number = 0; @@ -84,7 +116,7 @@ static void mqtt_handler(struct mg_connection *c, int ev, void *ev_data) { strcpy(last_ptr->ip_addr, ip_addr); strcpy(last_ptr->ak_pub, ak_pub); strcpy(last_ptr->uuid, uuid); - strcpy(last_ptr->gv_path, "file:/var/embrave/verifier/goldenvalues.db"); /*TODO configurable*/ + strcpy(last_ptr->gv_path, gv); last_ptr->running = true; last_ptr->max_connection_retry_number = 0; @@ -97,6 +129,7 @@ static void mqtt_handler(struct mg_connection *c, int ev, void *ev_data) { free(uuid); free(ak_pub); free(ip_addr); + //free(whitelist); } else if (ev == MG_EV_CLOSE) { MG_INFO(("%lu CLOSED", c->id)); 
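Review bot: The return value of `parse_whitelist(gv, whitelist_uri);` in mqtt_handler is ignored. When parsing fails, `gv` is an uninitialised stack buffer, and the two `strcpy(last_ptr->gv_path, gv);` lines in the following hunks (`@@ -72,7 +104,7 @@` and `@@ -84,7 +116,7 @@`) copy whatever it contains into the agent record. The agent is then attested against an undefined database path. Stop before the agent is created or updated: `if (!parse_whitelist(gv, whitelist_uri)) { free(uuid); free(ak_pub); free(ip_addr); free(whitelist_uri); return; }`. `gv` is 2048 bytes and the size of `gv_path` is not visible here, so the copy should also be bounded by the destination size. The handler continues outside the hunk.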
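Review bot: In the last mqtt_handler hunk (`@@ -97,6 +129,7 @@`) the added line `//free(whitelist);` is commented out and names a variable that does not exist. The string returned by `mg_json_get_str` for `whitelist_uri` is therefore never released, while the three sibling results are freed just above. Every attestation request received from the broker leaks that allocation. Replace the comment with `free(whitelist_uri);`.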
@@ -368,7 +401,7 @@ static void request_join_verifier(struct mg_connection *c, int ev, void *ev_data #endif int status = mg_http_status(hm); if(status == 403){ /* forbidden */ - /*TODO ERRORI*/ + /*TODO errors*/ fprintf(stderr, "ERROR: join service response code is not 403 (forbidden)\n"); c->is_draining = 1; // Tell mongoose to close this connection Continue = false; // Tell event loop to stop @@ -584,6 +617,7 @@ static int init_database(void){ char *uuid = ( char *)sqlite3_column_text(res, 0); char *ak = ( char *)sqlite3_column_text(res, 1); char *ip = ( char *)sqlite3_column_text(res, 2); + char *whitelist = ( char *)sqlite3_column_text(res, 3); agent_list *last_ptr; last_ptr = agent_list_new(); @@ -592,7 +626,7 @@ static int init_database(void){ strcpy(last_ptr->ip_addr, ip); strcpy(last_ptr->ak_pub, ak); strcpy(last_ptr->uuid, uuid); - strcpy(last_ptr->gv_path, "file:/var/embrave/verifier/goldenvalues.db"); + strcpy(last_ptr->gv_path, whitelist); last_ptr->running = true; last_ptr->max_connection_retry_number = 1; @@ -660,6 +694,15 @@ int main(int argc, char *argv[]) { exit(err); } + if (stat(verifier_config.whitelist_path, &st) == -1) { + if(!mkdir(verifier_config.whitelist_path, 0711)) { + fprintf(stdout, "INFO: %s directory successfully created\n", verifier_config.whitelist_path); + } + else { + fprintf(stderr, "ERROR: cannot create %s directory\n", verifier_config.whitelist_path); + } + } + snprintf(mqtt_conn, 280, "http://%s:%d", verifier_config.mqtt_broker_ip, verifier_config.mqtt_broker_port); c_mqtt = mqtt_connect(&mgr_mqtt, mqtt_handler, "verifier", mqtt_conn);
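Review bot: At start-up init_database copies column 3 straight into `gv_path`, whereas mqtt_handler stores the output of parse_whitelist, which is a `file:` URI under `whitelist_path`. The two paths agree only if the table already holds the resolved value, and what add_agent_data writes is not visible in this diff. If the column holds the raw `whitelist_uri`, pass it through parse_whitelist here as well and skip the agent when that returns false. `sqlite3_column_text` can return NULL and the `strcpy` is unbounded, so check for NULL and, assuming `gv_path` is an array, copy with `snprintf(last_ptr->gv_path, sizeof last_ptr->gv_path, "%s", whitelist);`. This covers the `@@ -584,6 +617,7 @@` and `@@ -592,7 +626,7 @@` hunks.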
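Review bot: In the main() hunk (`@@ -660,6 +694,15 @@`) a failed `mkdir` of `whitelist_path` is only logged and start-up continues, so the verifier runs with a whitelist directory that does not exist and every later whitelist lookup fails. The `stat` check also passes when the path exists but is not a directory. Treat both as fatal in the same way as the earlier `exit(err)` path, for example `if (stat(...) == 0 && !S_ISDIR(st.st_mode)) { ... exit(-1); }`, and exit in the `else` branch after the error message. Because the files in this directory define what the verifier trusts, it is also worth documenting who is expected to own and write to it.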