538ba423f1b2c82950e7dec0f14661f5d6af02f8
[strongswan.git] / src / libimcv / plugins / imv_attestation / imv_attestation_process.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_process.h"
17
18 #include <ietf/ietf_attr_pa_tnc_error.h>
19
20 #include <pts/pts.h>
21
22 #include <tcg/tcg_pts_attr_aik.h>
23 #include <tcg/tcg_pts_attr_dh_nonce_params_resp.h>
24 #include <tcg/tcg_pts_attr_file_meas.h>
25 #include <tcg/tcg_pts_attr_meas_algo.h>
26 #include <tcg/tcg_pts_attr_proto_caps.h>
27 #include <tcg/tcg_pts_attr_simple_comp_evid.h>
28 #include <tcg/tcg_pts_attr_simple_evid_final.h>
29 #include <tcg/tcg_pts_attr_tpm_version_info.h>
30 #include <tcg/tcg_pts_attr_unix_file_meta.h>
31
32 #include <debug.h>
33 #include <crypto/hashers/hasher.h>
34
35 #include <inttypes.h>
36
37 bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
38 imv_attestation_state_t *attestation_state,
39 pts_meas_algorithms_t supported_algorithms,
40 pts_dh_group_t supported_dh_groups,
41 pts_database_t *pts_db,
42 credential_manager_t *pts_credmgr)
43 {
44 chunk_t attr_info;
45 pts_t *pts;
46
47 pts = attestation_state->get_pts(attestation_state);
48
49 switch (attr->get_type(attr))
50 {
51 case TCG_PTS_PROTO_CAPS:
52 {
53 tcg_pts_attr_proto_caps_t *attr_cast;
54 pts_proto_caps_flag_t flags;
55
56 attr_cast = (tcg_pts_attr_proto_caps_t*)attr;
57 flags = attr_cast->get_flags(attr_cast);
58 pts->set_proto_caps(pts, flags);
59 break;
60 }
61 case TCG_PTS_MEAS_ALGO_SELECTION:
62 {
63 tcg_pts_attr_meas_algo_t *attr_cast;
64 pts_meas_algorithms_t selected_algorithm;
65
66 attr_cast = (tcg_pts_attr_meas_algo_t*)attr;
67 selected_algorithm = attr_cast->get_algorithms(attr_cast);
68 if (!(selected_algorithm & supported_algorithms))
69 {
70 DBG1(DBG_IMV, "PTS-IMC selected unsupported"
71 " measurement algorithm");
72 return FALSE;
73 }
74 pts->set_meas_algorithm(pts, selected_algorithm);
75 break;
76 }
77 case TCG_PTS_DH_NONCE_PARAMS_RESP:
78 {
79 tcg_pts_attr_dh_nonce_params_resp_t *attr_cast;
80 int nonce_len, min_nonce_len;
81 pts_dh_group_t dh_group;
82 pts_meas_algorithms_t offered_algorithms, selected_algorithm;
83 chunk_t responder_value, responder_nonce;
84
85 attr_cast = (tcg_pts_attr_dh_nonce_params_resp_t*)attr;
86 responder_nonce = attr_cast->get_responder_nonce(attr_cast);
87
88 /* check compliance of responder nonce length */
89 min_nonce_len = lib->settings->get_int(lib->settings,
90 "libimcv.plugins.imv-attestation.min_nonce_len", 0);
91 nonce_len = responder_nonce.len;
92 if (nonce_len < PTS_MIN_NONCE_LEN ||
93 (min_nonce_len > 0 && nonce_len < min_nonce_len))
94 {
95 attr = pts_dh_nonce_error_create(
96 max(PTS_MIN_NONCE_LEN, min_nonce_len),
97 PTS_MAX_NONCE_LEN);
98 attr_list->insert_last(attr_list, attr);
99 break;
100 }
101
102 dh_group = attr_cast->get_dh_group(attr_cast);
103 if (!(dh_group & supported_dh_groups))
104 {
105 DBG1(DBG_IMV, "PTS-IMC selected unsupported DH group");
106 return FALSE;
107 }
108
109 offered_algorithms = attr_cast->get_hash_algo_set(attr_cast);
110 selected_algorithm = pts_meas_algo_select(supported_algorithms,
111 offered_algorithms);
112 if (selected_algorithm == PTS_MEAS_ALGO_NONE)
113 {
114 attr = pts_hash_alg_error_create(supported_algorithms);
115 attr_list->insert_last(attr_list, attr);
116 break;
117 }
118 pts->set_dh_hash_algorithm(pts, selected_algorithm);
119
120 if (!pts->create_dh_nonce(pts, dh_group, nonce_len))
121 {
122 return FALSE;
123 }
124
125 responder_value = attr_cast->get_responder_value(attr_cast);
126 pts->set_peer_public_value(pts, responder_value,
127 responder_nonce);
128
129 /* Calculate secret assessment value */
130 if (!pts->calculate_secret(pts))
131 {
132 return FALSE;
133 }
134 break;
135 }
136 case TCG_PTS_TPM_VERSION_INFO:
137 {
138 tcg_pts_attr_tpm_version_info_t *attr_cast;
139 chunk_t tpm_version_info;
140
141 attr_cast = (tcg_pts_attr_tpm_version_info_t*)attr;
142 tpm_version_info = attr_cast->get_tpm_version_info(attr_cast);
143 pts->set_tpm_version_info(pts, tpm_version_info);
144 break;
145 }
146 case TCG_PTS_AIK:
147 {
148 tcg_pts_attr_aik_t *attr_cast;
149 certificate_t *aik, *issuer;
150 enumerator_t *e;
151 bool trusted = FALSE;
152
153 attr_cast = (tcg_pts_attr_aik_t*)attr;
154 aik = attr_cast->get_aik(attr_cast);
155 if (!aik)
156 {
157 DBG1(DBG_IMV, "AIK unavailable");
158 return FALSE;
159 }
160 if (aik->get_type(aik) == CERT_X509)
161 {
162 DBG1(DBG_IMV, "verifying AIK certificate");
163 e = pts_credmgr->create_trusted_enumerator(pts_credmgr,
164 KEY_ANY, aik->get_issuer(aik), FALSE);
165 while (e->enumerate(e, &issuer))
166 {
167 if (aik->issued_by(aik, issuer))
168 {
169 trusted = TRUE;
170 break;
171 }
172 }
173 e->destroy(e);
174 DBG1(DBG_IMV, "AIK certificate is %strusted",
175 trusted ? "" : "not ");
176 }
177 pts->set_aik(pts, aik);
178 break;
179 }
180 case TCG_PTS_FILE_MEAS:
181 {
182 tcg_pts_attr_file_meas_t *attr_cast;
183 u_int16_t request_id;
184 int file_count, file_id;
185 pts_meas_algorithms_t algo;
186 pts_file_meas_t *measurements;
187 char *platform_info;
188 enumerator_t *e_hash;
189 bool is_dir;
190
191 platform_info = pts->get_platform_info(pts);
192 if (!pts_db || !platform_info)
193 {
194 DBG1(DBG_IMV, "%s%s%s not available",
195 (pts_db) ? "" : "pts database",
196 (!pts_db && !platform_info) ? "and" : "",
197 (platform_info) ? "" : "platform info");
198 break;
199 }
200
201 attr_cast = (tcg_pts_attr_file_meas_t*)attr;
202 measurements = attr_cast->get_measurements(attr_cast);
203 algo = pts->get_meas_algorithm(pts);
204 request_id = measurements->get_request_id(measurements);
205 file_count = measurements->get_file_count(measurements);
206
207 DBG1(DBG_IMV, "measurement request %d returned %d file%s:",
208 request_id, file_count, (file_count == 1) ? "":"s");
209
210 if (!attestation_state->check_off_file_meas_request(attestation_state,
211 request_id, &file_id, &is_dir))
212 {
213 DBG1(DBG_IMV, " no entry found for file measurement request %d",
214 request_id);
215 break;
216 }
217
218 /* check hashes from database against measurements */
219 e_hash = pts_db->create_file_hash_enumerator(pts_db,
220 platform_info, algo, file_id, is_dir);
221 if (!measurements->verify(measurements, e_hash, is_dir))
222 {
223 attestation_state->set_measurement_error(attestation_state);
224 }
225 e_hash->destroy(e_hash);
226 break;
227 }
228 case TCG_PTS_UNIX_FILE_META:
229 {
230 tcg_pts_attr_file_meta_t *attr_cast;
231 int file_count;
232 pts_file_meta_t *metadata;
233 pts_file_metadata_t *entry;
234 time_t created, modified, accessed;
235 bool utc = FALSE;
236 enumerator_t *e;
237
238 attr_cast = (tcg_pts_attr_file_meta_t*)attr;
239 metadata = attr_cast->get_metadata(attr_cast);
240 file_count = metadata->get_file_count(metadata);
241
242 DBG1(DBG_IMV, "metadata request returned %d file%s:",
243 file_count, (file_count == 1) ? "":"s");
244
245 e = metadata->create_enumerator(metadata);
246 while (e->enumerate(e, &entry))
247 {
248 DBG1(DBG_IMV, " '%s' (%"PRIu64" bytes)"
249 " owner %"PRIu64", group %"PRIu64", type %N",
250 entry->filename, entry->filesize, entry->owner,
251 entry->group, pts_file_type_names, entry->type);
252
253 created = entry->created;
254 modified = entry->modified;
255 accessed = entry->accessed;
256
257 DBG1(DBG_IMV, " created %T, modified %T, accessed %T",
258 &created, utc, &modified, utc, &accessed, utc);
259 }
260 e->destroy(e);
261 break;
262 }
263 case TCG_PTS_SIMPLE_COMP_EVID:
264 {
265 tcg_pts_attr_simple_comp_evid_t *attr_cast;
266 bool pcr_info_inclided, component_meas_error = FALSE;
267 pts_attr_simple_comp_evid_flag_t flags;
268 u_int32_t depth, comp_vendor_id, extended_pcr;
269 u_int8_t measurement_type;
270 pts_qualifier_t qualifier;
271 pts_ita_funct_comp_name_t name;
272 pts_meas_algorithms_t hash_algorithm;
273 pts_pcr_transform_t transformation;
274 chunk_t measurement_time, policy_uri;
275 chunk_t pcr_before, pcr_after, measurement, comp_hash;
276 enumerator_t *enumerator;
277 char *platform_info;
278 const char *component_name;
279
280 attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
281 attr_info = attr->get_value(attr);
282
283 pcr_info_inclided = attr_cast->is_pcr_info_included(attr_cast);
284 flags = attr_cast->get_flags(attr_cast);
285 depth = attr_cast->get_sub_component_depth(attr_cast);
286 if (depth != 0)
287 {
288 DBG1(DBG_IMV, "Current version of Attestation IMV does not"
289 " support sub component measurement deeper than zero");
290 }
291 comp_vendor_id = attr_cast->get_spec_comp_funct_name_vendor_id(
292 attr_cast);
293 if (comp_vendor_id != PEN_ITA)
294 {
295 DBG1(DBG_IMV, "Current version of Attestation IMV supports"
296 "only functional component namings by ITA ");
297 break;
298 }
299 family = attr_cast->get_family(attr_cast);
300 if (family)
301 {
302 attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
303 TCG_PTS_INVALID_NAME_FAM, attr_info);
304 attr_list->insert_last(attr_list, attr);
305 break;
306 }
307 qualifier = attr_cast->get_qualifier(attr_cast);
308
309 /* Check if Unknown or Wildcard was set for qualifier */
310 if (qualifier.kernel && qualifier.sub_component &&
311 (qualifier.type & PTS_ITA_FUNC_COMP_TYPE_ALL))
312 {
313 DBG1(DBG_IMV, "Wildcard was set for the qualifier "
314 "of functional component");
315 return FALSE;
316 }
317 else if (!qualifier.kernel && !qualifier.sub_component &&
318 (qualifier.type & PTS_ITA_FUNC_COMP_TYPE_UNKNOWN))
319 {
320 DBG1(DBG_IMV, "Unknown feature was set for the qualifier "
321 "of functional component");
322 return FALSE;
323 }
324
325 name = attr_cast->get_comp_funct_name(attr_cast);
326 if (!attestation_state->check_off_comp_evid_request(attestation_state,
327 comp_vendor_id, qualifier, name))
328 {
329 DBG1(DBG_IMV, " no entry found for component evidence request");
330 break;
331 }
332
333 measurement_type = attr_cast->get_measurement_type(attr_cast);
334 hash_algorithm = attr_cast->get_hash_algorithm(attr_cast);
335 transformation = attr_cast->get_pcr_trans(attr_cast);
336 measurement_time = attr_cast->get_measurement_time(attr_cast);
337 measurement = attr_cast->get_comp_measurement(attr_cast);
338
339 platform_info = pts->get_platform_info(pts);
340 if (!pts_db || !platform_info)
341 {
342 DBG1(DBG_IMV, "%s%s%s not available",
343 (pts_db) ? "" : "pts database",
344 (!pts_db && !platform_info) ? "and" : "",
345 (platform_info) ? "" : "platform info");
346 break;
347 }
348
349 if (name == PTS_ITA_FUNC_COMP_NAME_TBOOT_POLICY)
350 {
351 component_name = TBOOT_POLICY_STR;
352 }
353 else if (name == PTS_ITA_FUNC_COMP_NAME_TBOOT_MLE)
354 {
355 component_name = TBOOT_MLE_STR;
356 }
357 else
358 {
359 DBG1(DBG_IMV, "Unknown functional component name: \"%d\"",
360 name);
361 return FALSE;
362 }
363 enumerator = pts_db->create_comp_hash_enumerator(pts_db,
364 platform_info, PTS_MEAS_ALGO_SHA1, (char *)component_name);
365 if (!enumerator)
366 {
367 break;
368 }
369 while (enumerator->enumerate(enumerator, &comp_hash))
370 {
371 if (!chunk_equals(comp_hash, measurement))
372 {
373 DBG1(DBG_IMV, "Unmatching Functional Component Measurement:"
374 "%B, expected: %B", &measurement, &comp_hash);
375 component_meas_error = TRUE;
376 }
377 else
378 {
379 DBG2(DBG_IMV, "Matching Functional Component Measurement:"
380 "%B", &measurement);
381 }
382 }
383 enumerator->destroy(enumerator);
384
385 if (component_meas_error)
386 {
387 attestation_state->set_measurement_error(attestation_state);
388 }
389
390 /* Call getters of optional fields when corresponding flag is set */
391 if (pcr_info_inclided)
392 {
393 pcr_entry_t *entry;
394
395 extended_pcr = attr_cast->get_extended_pcr(attr_cast);
396 pcr_before = attr_cast->get_pcr_before_value(attr_cast);
397 pcr_after = attr_cast->get_pcr_after_value(attr_cast);
398
399 DBG3(DBG_IMV,"PCR: %d was extended with %B",
400 extended_pcr, &measurement);
401 DBG3(DBG_IMV,"PCR: %d before value: %B",
402 extended_pcr, &pcr_before);
403 DBG3(DBG_IMV,"PCR: %d after value: %B",
404 extended_pcr, &pcr_after);
405
406 entry = malloc_thing(pcr_entry_t);
407 entry->pcr_number = extended_pcr;
408 memcpy(entry->pcr_value, pcr_after.ptr, PCR_LEN);
409 pts->add_pcr_entry(pts, entry);
410 }
411 if (flags != PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID)
412 {
413 policy_uri = attr_cast->get_policy_uri(attr_cast);
414 DBG1(DBG_IMV, "This version of Attestation IMV can not handle"
415 " Verification Policies");
416 }
417
418 break;
419 }
420 case TCG_PTS_SIMPLE_EVID_FINAL:
421 {
422 tcg_pts_attr_simple_evid_final_t *attr_cast;
423 pts_simple_evid_final_flag_t flags;
424 pts_meas_algorithms_t composite_algorithm;
425 chunk_t pcr_comp;
426 chunk_t tpm_quote_sign;
427 chunk_t evid_sign;
428 bool evid_signature_included = FALSE, use_quote2 = FALSE,
429 ver_info_included = FALSE;
430 chunk_t pcr_composite, quote_info;
431
432 attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr;
433 evid_signature_included = attr_cast->is_evid_sign_included(attr_cast);
434 flags = attr_cast->get_flags(attr_cast);
435
436 /** Optional Composite Hash Algorithm field is always present
437 * Field has value of all zeroes if not used.
438 * Implemented adhering the suggestion of Paul Sangster 28.Oct.2011
439 */
440 composite_algorithm = attr_cast->get_comp_hash_algorithm(attr_cast);
441
442 if (flags != PTS_SIMPLE_EVID_FINAL_FLAG_NO)
443 {
444 if ((flags == PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO2) ||
445 (flags == PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO2_CAP_VER))
446 {
447 use_quote2 = TRUE;
448 }
449 if (flags == PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO2_CAP_VER)
450 {
451 ver_info_included = TRUE;
452 }
453
454 pcr_comp = attr_cast->get_pcr_comp(attr_cast);
455 tpm_quote_sign = attr_cast->get_tpm_quote_sign(attr_cast);
456
457 if (!pcr_comp.ptr || !tpm_quote_sign.ptr)
458 {
459 DBG1(DBG_IMV, "PCR composite: %B", &pcr_comp);
460 DBG1(DBG_IMV, "TPM Quote Signature: %B", &tpm_quote_sign);
461 DBG1(DBG_IMV, "Either PCR Composite or Quote Signature missing");
462 return FALSE;
463 }
464
465 /* Construct PCR Composite and TPM Quote Info structures */
466 if (!pts->get_quote_info(pts, use_quote2, ver_info_included,
467 composite_algorithm, &pcr_composite, &quote_info))
468 {
469 DBG1(DBG_IMV, "unable to contruct TPM Quote Info");
470 return FALSE;
471 }
472
473 /* Check calculated PCR composite matches with received */
474 if (!chunk_equals(pcr_comp, pcr_composite))
475 {
476 DBG1(DBG_IMV, "received PCR Compsosite didn't match"
477 " with constructed");
478 chunk_clear(&pcr_composite);
479 chunk_clear(&quote_info);
480 return FALSE;
481 }
482 DBG2(DBG_IMV, "received PCR Composite matches with constructed");
483 chunk_clear(&pcr_composite);
484
485 if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sign))
486 {
487 chunk_clear(&quote_info);
488 return FALSE;
489 }
490
491 DBG2(DBG_IMV, "signature verification succeeded for "
492 "TPM Quote Info");
493 chunk_clear(&quote_info);
494 }
495
496 if (evid_signature_included)
497 {
498 /** TODO: What to do with Evidence Signature */
499 evid_sign = attr_cast->get_evid_sign(attr_cast);
500 DBG1(DBG_IMV, "This version of Attestation IMV can not handle"
501 " Optional Evidence Signature field");
502 }
503
504 break;
505 }
506
507 /* TODO: Not implemented yet */
508 case TCG_PTS_INTEG_MEAS_LOG:
509 /* Attributes using XML */
510 case TCG_PTS_TEMPL_REF_MANI_SET_META:
511 case TCG_PTS_VERIFICATION_RESULT:
512 case TCG_PTS_INTEG_REPORT:
513 /* On Windows only*/
514 case TCG_PTS_WIN_FILE_META:
515 case TCG_PTS_REGISTRY_VALUE:
516 /* Received on IMC side only*/
517 case TCG_PTS_REQ_PROTO_CAPS:
518 case TCG_PTS_DH_NONCE_PARAMS_REQ:
519 case TCG_PTS_DH_NONCE_FINISH:
520 case TCG_PTS_MEAS_ALGO:
521 case TCG_PTS_GET_TPM_VERSION_INFO:
522 case TCG_PTS_REQ_TEMPL_REF_MANI_SET_META:
523 case TCG_PTS_UPDATE_TEMPL_REF_MANI:
524 case TCG_PTS_GET_AIK:
525 case TCG_PTS_REQ_FUNCT_COMP_EVID:
526 case TCG_PTS_GEN_ATTEST_EVID:
527 case TCG_PTS_REQ_FILE_META:
528 case TCG_PTS_REQ_FILE_MEAS:
529 case TCG_PTS_REQ_INTEG_MEAS_LOG:
530 default:
531 DBG1(DBG_IMV, "received unsupported attribute '%N'",
532 tcg_attr_names, attr->get_type(attr));
533 break;
534 }
535 return TRUE;
536 }
537