projects / strongswan.git / blob
? search:


a9bee44dd429b1d5dce8c27556dcc9286bba3d35
[strongswan.git] / src / libimcv / plugins / imv_attestation / imv_attestation_build.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_build.h"
17 #include "imv_attestation_state.h"
18
19 #include <libpts.h>
20 #include <tcg/tcg_pts_attr_proto_caps.h>
21 #include <tcg/tcg_pts_attr_meas_algo.h>
22 #include <tcg/tcg_pts_attr_dh_nonce_params_req.h>
23 #include <tcg/tcg_pts_attr_dh_nonce_finish.h>
24 #include <tcg/tcg_pts_attr_get_tpm_version_info.h>
25 #include <tcg/tcg_pts_attr_get_aik.h>
26 #include <tcg/tcg_pts_attr_req_funct_comp_evid.h>
27 #include <tcg/tcg_pts_attr_gen_attest_evid.h>
28 #include <tcg/tcg_pts_attr_req_file_meas.h>
29 #include <tcg/tcg_pts_attr_req_file_meta.h>
30
31 #include <debug.h>
32
33 bool imv_attestation_build(pa_tnc_msg_t *msg,
34 imv_attestation_state_t *attestation_state,
35 pts_meas_algorithms_t supported_algorithms,
36 pts_dh_group_t supported_dh_groups,
37 pts_database_t *pts_db)
38 {
39 imv_attestation_handshake_state_t handshake_state;
40 pts_t *pts;
41 pa_tnc_attr_t *attr;
42
43 handshake_state = attestation_state->get_handshake_state(attestation_state);
44 pts = attestation_state->get_pts(attestation_state);
45
46 /* D-H attributes are redundant */
47 /* when D-H Nonce Exchange is not selected on IMC side */
48 if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ &&
49 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
50 {
51 DBG1(DBG_IMV, "PTS-IMC is not using Diffie-Hellman Nonce negotiation,"
52 "advancing to TPM Initialization phase");
53 handshake_state = IMV_ATTESTATION_STATE_TPM_INIT;
54 }
55 /* TPM Version Info, AIK attributes are redundant */
56 /* when TPM is not available on IMC side */
57 if (handshake_state == IMV_ATTESTATION_STATE_TPM_INIT &&
58 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T))
59 {
60 DBG1(DBG_IMV, "PTS-IMC has not got TPM available,"
61 "advancing to File Measurement phase");
62 handshake_state = IMV_ATTESTATION_STATE_MEAS;
63 }
64 /* Component Measurement cannot be done without D-H Nonce Exchange */
65 /* or TPM on IMC side */
66 if (handshake_state == IMV_ATTESTATION_STATE_COMP_EVID &&
67 (!(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T) ||
68 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D)) )
69 {
70 DBG1(DBG_IMV, "PTS-IMC has not got TPM available,"
71 "skipping Component Measurement phase");
72 handshake_state = IMV_ATTESTATION_STATE_END;
73 }
74
75 /* Switch on the attribute type IMV has received */
76 switch (handshake_state)
77 {
78 case IMV_ATTESTATION_STATE_INIT:
79 {
80 pts_proto_caps_flag_t flags;
81
82 /* Send Request Protocol Capabilities attribute */
83 flags = pts->get_proto_caps(pts);
84 attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
85 attr->set_noskip_flag(attr, TRUE);
86 msg->add_attribute(msg, attr);
87
88 /* Send Measurement Algorithms attribute */
89 attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
90 attr->set_noskip_flag(attr, TRUE);
91 msg->add_attribute(msg, attr);
92
93 attestation_state->set_handshake_state(attestation_state,
94 IMV_ATTESTATION_STATE_NONCE_REQ);
95 break;
96 }
97 case IMV_ATTESTATION_STATE_NONCE_REQ:
98 {
99 int min_nonce_len;
100
101 /* Send DH nonce parameters request attribute */
102 min_nonce_len = lib->settings->get_int(lib->settings,
103 "libimcv.plugins.imv-attestation.min_nonce_len", 0);
104 attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len,
105 supported_dh_groups);
106 attr->set_noskip_flag(attr, TRUE);
107 msg->add_attribute(msg, attr);
108
109 attestation_state->set_handshake_state(attestation_state,
110 IMV_ATTESTATION_STATE_TPM_INIT);
111 break;
112 }
113 case IMV_ATTESTATION_STATE_TPM_INIT:
114 {
115 pts_meas_algorithms_t selected_algorithm;
116 chunk_t initiator_value, initiator_nonce;
117
118 if ((pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
119 {
120 /* Send DH nonce finish attribute */
121 selected_algorithm = pts->get_meas_algorithm(pts);
122 pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
123 attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
124 initiator_value, initiator_nonce);
125 attr->set_noskip_flag(attr, TRUE);
126 msg->add_attribute(msg, attr);
127 }
128
129 /* Send Get TPM Version attribute */
130 attr = tcg_pts_attr_get_tpm_version_info_create();
131 attr->set_noskip_flag(attr, TRUE);
132 msg->add_attribute(msg, attr);
133
134 /* Send Get AIK attribute */
135 attr = tcg_pts_attr_get_aik_create();
136 attr->set_noskip_flag(attr, TRUE);
137 msg->add_attribute(msg, attr);
138
139 attestation_state->set_handshake_state(attestation_state,
140 IMV_ATTESTATION_STATE_MEAS);
141 break;
142 }
143 case IMV_ATTESTATION_STATE_MEAS:
144 {
145 enumerator_t *enumerator;
146 u_int32_t delimiter = SOLIDUS_UTF;
147 char *platform_info, *pathname;
148 u_int16_t request_id;
149 int id, type;
150 bool is_dir;
151
152 attestation_state->set_handshake_state(attestation_state,
153 IMV_ATTESTATION_STATE_COMP_EVID);
154
155 /* Get Platform and OS of the PTS-IMC */
156 platform_info = pts->get_platform_info(pts);
157
158 if (!pts_db || !platform_info)
159 {
160 DBG1(DBG_IMV, "%s%s%s not available",
161 (pts_db) ? "" : "pts database",
162 (!pts_db && !platform_info) ? "and" : "",
163 (platform_info) ? "" : "platform info");
164 break;
165 }
166 DBG1(DBG_IMV, "platform is '%s'", platform_info);
167
168 /* Send Request File Metadata attribute */
169 enumerator = pts_db->create_file_meta_enumerator(pts_db,
170 platform_info);
171 if (!enumerator)
172 {
173 break;
174 }
175 while (enumerator->enumerate(enumerator, &type, &pathname))
176 {
177 is_dir = (type != 0);
178 DBG2(DBG_IMV, "metadata request for %s '%s'",
179 is_dir ? "directory" : "file", pathname);
180 attr = tcg_pts_attr_req_file_meta_create(is_dir, delimiter,
181 pathname);
182 attr->set_noskip_flag(attr, TRUE);
183 msg->add_attribute(msg, attr);
184 }
185 enumerator->destroy(enumerator);
186
187 /* Send Request File Measurement attribute */
188 enumerator = pts_db->create_file_meas_enumerator(pts_db,
189 platform_info);
190 if (!enumerator)
191 {
192 break;
193 }
194 while (enumerator->enumerate(enumerator, &id, &type, &pathname))
195 {
196 is_dir = (type != 0);
197 request_id = attestation_state->add_file_meas_request(
198 attestation_state, id, is_dir);
199 DBG2(DBG_IMV, "measurement request %d for %s '%s'",
200 request_id, is_dir ? "directory" : "file", pathname);
201 attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
202 delimiter, pathname);
203 attr->set_noskip_flag(attr, TRUE);
204 msg->add_attribute(msg, attr);
205 }
206 enumerator->destroy(enumerator);
207 break;
208 }
209 case IMV_ATTESTATION_STATE_COMP_EVID:
210 {
211 enumerator_t *enumerator;
212 char flags[8];
213 char *platform_info;
214 pts_funct_comp_evid_req_t *requests = NULL;
215 funct_comp_evid_req_entry_t *entry;
216 int vid, name, qualifier, type;
217 enum_name_t *names, *types;
218 bool first = TRUE;
219
220 attestation_state->set_handshake_state(attestation_state,
221 IMV_ATTESTATION_STATE_END);
222
223 /* Get Platform and OS of the PTS-IMC */
224 platform_info = pts->get_platform_info(pts);
225 if (!pts_db || !platform_info)
226 {
227 DBG1(DBG_IMV, "%s%s%s not available",
228 (pts_db) ? "" : "pts database",
229 (!pts_db && !platform_info) ? "and" : "",
230 (platform_info) ? "" : "platform info");
231 break;
232 }
233 DBG1(DBG_IMV, "platform is '%s'", platform_info);
234
235
236 enumerator = pts_db->create_comp_evid_enumerator(pts_db, platform_info);
237 if (!enumerator)
238 {
239 break;
240 }
241 while (enumerator->enumerate(enumerator, &vid, &name, &qualifier))
242 {
243 entry = malloc_thing(funct_comp_evid_req_entry_t);
244 entry->flags = PTS_REQ_FUNC_COMP_FLAG_PCR;
245 entry->sub_comp_depth = 0;
246 entry->name = pts_comp_func_name_create(vid, name, qualifier);
247
248 names = pts_components->get_comp_func_names(pts_components, vid);
249 types = pts_components->get_qualifier_type_names(pts_components, vid);
250 if (names && types)
251 {
252 type = pts_components->get_qualifier(pts_components,
253 entry->name, &flags);
254 DBG2(DBG_TNC, "%N component evidence request '%N' [%s] '%N'",
255 pen_names, vid, names, name, flags, types, type);
256 }
257 else
258 {
259 DBG2(DBG_TNC, "0x%06x component evidence request 0x%08x 0x%02x",
260 vid, name, qualifier);
261 }
262 if (first)
263 {
264 /* Create a requests object */
265 requests = pts_funct_comp_evid_req_create();
266 first = FALSE;
267 }
268 requests->add(requests, entry);
269 attestation_state->add_comp_evid_request(attestation_state, entry);
270 }
271 enumerator->destroy(enumerator);
272
273 /* Send Request Functional Component Evidence attribute */
274 attr = tcg_pts_attr_req_funct_comp_evid_create(requests);
275 attr->set_noskip_flag(attr, TRUE);
276 msg->add_attribute(msg, attr);
277
278 /* Send Generate Attestation Evidence attribute */
279 attr = tcg_pts_attr_gen_attest_evid_create();
280 attr->set_noskip_flag(attr, TRUE);
281 msg->add_attribute(msg, attr);
282
283 break;
284 }
285 default:
286 DBG1(DBG_IMV, "Attestation IMV is in unknown state: \"%s\"",
287 handshake_state);
288 return FALSE;
289 }
290 return TRUE;
291 }
strongSwan - IPsec VPN