Cosmetics
[strongswan.git] / src / libimcv / plugins / imv_attestation / imv_attestation_process.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_process.h"
17
18 #include <ietf/ietf_attr_pa_tnc_error.h>
19
20 #include <pts/pts.h>
21
22 #include <tcg/tcg_pts_attr_aik.h>
23 #include <tcg/tcg_pts_attr_dh_nonce_params_resp.h>
24 #include <tcg/tcg_pts_attr_file_meas.h>
25 #include <tcg/tcg_pts_attr_meas_algo.h>
26 #include <tcg/tcg_pts_attr_proto_caps.h>
27 #include <tcg/tcg_pts_attr_simple_comp_evid.h>
28 #include <tcg/tcg_pts_attr_simple_evid_final.h>
29 #include <tcg/tcg_pts_attr_tpm_version_info.h>
30 #include <tcg/tcg_pts_attr_unix_file_meta.h>
31
32 #include <debug.h>
33 #include <crypto/hashers/hasher.h>
34
35 bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
36 imv_attestation_state_t *attestation_state,
37 pts_meas_algorithms_t supported_algorithms,
38 pts_dh_group_t supported_dh_groups,
39 pts_database_t *pts_db,
40 credential_manager_t *pts_credmgr)
41 {
42 chunk_t attr_info;
43 pts_t *pts;
44
45 pts = attestation_state->get_pts(attestation_state);
46
47 switch (attr->get_type(attr))
48 {
49 case TCG_PTS_PROTO_CAPS:
50 {
51 tcg_pts_attr_proto_caps_t *attr_cast;
52 pts_proto_caps_flag_t flags;
53
54 attr_cast = (tcg_pts_attr_proto_caps_t*)attr;
55 flags = attr_cast->get_flags(attr_cast);
56 pts->set_proto_caps(pts, flags);
57 break;
58 }
59 case TCG_PTS_MEAS_ALGO_SELECTION:
60 {
61 tcg_pts_attr_meas_algo_t *attr_cast;
62 pts_meas_algorithms_t selected_algorithm;
63
64 attr_cast = (tcg_pts_attr_meas_algo_t*)attr;
65 selected_algorithm = attr_cast->get_algorithms(attr_cast);
66 if (!(selected_algorithm & supported_algorithms))
67 {
68 DBG1(DBG_IMV, "PTS-IMC selected unsupported measurement algorithm");
69 return FALSE;
70 }
71 pts->set_meas_algorithm(pts, selected_algorithm);
72 break;
73 }
74 case TCG_PTS_DH_NONCE_PARAMS_RESP:
75 {
76 tcg_pts_attr_dh_nonce_params_resp_t *attr_cast;
77 int nonce_len, min_nonce_len;
78 pts_dh_group_t dh_group;
79 pts_meas_algorithms_t offered_algorithms, selected_algorithm;
80 chunk_t responder_value, responder_nonce;
81
82 attr_cast = (tcg_pts_attr_dh_nonce_params_resp_t*)attr;
83 responder_nonce = attr_cast->get_responder_nonce(attr_cast);
84
85 /* check compliance of responder nonce length */
86 min_nonce_len = lib->settings->get_int(lib->settings,
87 "libimcv.plugins.imv-attestation.min_nonce_len", 0);
88 nonce_len = responder_nonce.len;
89 if (nonce_len < PTS_MIN_NONCE_LEN ||
90 (min_nonce_len > 0 && nonce_len < min_nonce_len))
91 {
92 attr = pts_dh_nonce_error_create(
93 max(PTS_MIN_NONCE_LEN, min_nonce_len),
94 PTS_MAX_NONCE_LEN);
95 attr_list->insert_last(attr_list, attr);
96 break;
97 }
98
99 dh_group = attr_cast->get_dh_group(attr_cast);
100 if (!(dh_group & supported_dh_groups))
101 {
102 DBG1(DBG_IMV, "PTS-IMC selected unsupported DH group");
103 return FALSE;
104 }
105
106 offered_algorithms = attr_cast->get_hash_algo_set(attr_cast);
107 selected_algorithm = pts_meas_algo_select(supported_algorithms,
108 offered_algorithms);
109 if (selected_algorithm == PTS_MEAS_ALGO_NONE)
110 {
111 attr = pts_hash_alg_error_create(supported_algorithms);
112 attr_list->insert_last(attr_list, attr);
113 break;
114 }
115 pts->set_dh_hash_algorithm(pts, selected_algorithm);
116
117 if (!pts->create_dh_nonce(pts, dh_group, nonce_len))
118 {
119 return FALSE;
120 }
121
122 responder_value = attr_cast->get_responder_value(attr_cast);
123 pts->set_peer_public_value(pts, responder_value,
124 responder_nonce);
125
126 /* Calculate secret assessment value */
127 if (!pts->calculate_secret(pts))
128 {
129 return FALSE;
130 }
131 break;
132 }
133 case TCG_PTS_TPM_VERSION_INFO:
134 {
135 tcg_pts_attr_tpm_version_info_t *attr_cast;
136 chunk_t tpm_version_info;
137
138 attr_cast = (tcg_pts_attr_tpm_version_info_t*)attr;
139 tpm_version_info = attr_cast->get_tpm_version_info(attr_cast);
140 pts->set_tpm_version_info(pts, tpm_version_info);
141 break;
142 }
143 case TCG_PTS_AIK:
144 {
145 tcg_pts_attr_aik_t *attr_cast;
146 certificate_t *aik, *issuer;
147 enumerator_t *e;
148 bool trusted = FALSE;
149
150 attr_cast = (tcg_pts_attr_aik_t*)attr;
151 aik = attr_cast->get_aik(attr_cast);
152 if (!aik)
153 {
154 /* TODO generate error attribute */
155 break;
156 }
157 if (aik->get_type(aik) == CERT_X509)
158 {
159 DBG1(DBG_IMV, "verifying AIK certificate");
160 e = pts_credmgr->create_trusted_enumerator(pts_credmgr,
161 KEY_ANY, aik->get_issuer(aik), FALSE);
162 while (e->enumerate(e, &issuer))
163 {
164 if (aik->issued_by(aik, issuer))
165 {
166 trusted = TRUE;
167 break;
168 }
169 }
170 e->destroy(e);
171 DBG1(DBG_IMV, "AIK certificate is %strusted",
172 trusted ? "" : "not ");
173 }
174 pts->set_aik(pts, aik);
175 break;
176 }
177 case TCG_PTS_SIMPLE_COMP_EVID:
178 {
179 tcg_pts_attr_simple_comp_evid_t *attr_cast;
180 bool pcr_info_inclided;
181 pts_attr_simple_comp_evid_flag_t flags;
182 u_int32_t depth, comp_vendor_id, extended_pcr;
183 u_int8_t family, measurement_type;
184 pts_qualifier_t qualifier;
185 pts_funct_comp_name_t name;
186 pts_meas_algorithms_t hash_algorithm;
187 pts_pcr_transform_t transformation;
188 chunk_t measurement_time, policy_uri;
189 chunk_t pcr_before, pcr_after, measurement;
190
191 attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
192 attr_info = attr->get_value(attr);
193
194 pcr_info_inclided = attr_cast->is_pcr_info_included(attr_cast);
195 flags = attr_cast->get_flags(attr_cast);
196 depth = attr_cast->get_sub_component_depth(attr_cast);
197 /* TODO: Implement checking of components with its sub-components */
198 if (depth != 0)
199 {
200 DBG1(DBG_IMV, "Current version of Attestation IMV does not support"
201 "sub component measurement deeper than zero");
202 }
203 comp_vendor_id = attr_cast->get_spec_comp_funct_name_vendor_id(attr_cast);
204 if (comp_vendor_id != PEN_TCG)
205 {
206 DBG1(DBG_IMV, "Current version of Attestation IMV supports"
207 "only functional component namings by TCG ");
208 break;
209 }
210 family = attr_cast->get_family(attr_cast);
211 if (family)
212 {
213 attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
214 TCG_PTS_INVALID_NAME_FAM, attr_info);
215 attr_list->insert_last(attr_list, attr);
216 break;
217 }
218 qualifier = attr_cast->get_qualifier(attr_cast);
219
220 /* Check if Unknown or Wildcard was set for qualifier */
221 if (qualifier.kernel && qualifier.sub_component &&
222 (qualifier.type & PTS_FUNC_COMP_TYPE_ALL))
223 {
224 DBG1(DBG_IMV, "Wildcard was set for the qualifier "
225 "of functional component");
226 return FALSE;
227 }
228 else if (!qualifier.kernel && !qualifier.sub_component &&
229 (qualifier.type & PTS_FUNC_COMP_TYPE_UNKNOWN))
230 {
231 DBG1(DBG_IMV, "Unknown feature was set for the qualifier "
232 "of functional component");
233 return FALSE;
234 }
235 else
236 {
237 /* TODO: Implement what todo with received qualifier */
238 }
239
240 name = attr_cast->get_comp_funct_name(attr_cast);
241 measurement_type = attr_cast->get_measurement_type(attr_cast);
242 hash_algorithm = attr_cast->get_hash_algorithm(attr_cast);
243 transformation = attr_cast->get_pcr_trans(attr_cast);
244 measurement_time = attr_cast->get_measurement_time(attr_cast);
245
246 /* Call getters of optional fields when corresponding flag is set */
247 if (pcr_info_inclided)
248 {
249 pcr_entry_t *entry;
250
251 extended_pcr = attr_cast->get_extended_pcr(attr_cast);
252 pcr_before = attr_cast->get_pcr_before_value(attr_cast);
253 pcr_after = attr_cast->get_pcr_after_value(attr_cast);
254 measurement = attr_cast->get_comp_measurement(attr_cast);
255
256 DBG4(DBG_IMV,"PCR: %d was extended with %B", extended_pcr, &measurement);
257 DBG4(DBG_IMV,"PCR: %d before value: %B", extended_pcr, &pcr_before);
258 DBG4(DBG_IMV,"PCR: %d after value: %B", extended_pcr, &pcr_after);
259
260 entry = malloc_thing(pcr_entry_t);
261 entry->pcr_number = extended_pcr;
262 strcpy(entry->pcr_value, pcr_after.ptr);
263 pts->add_pcr_entry(pts, entry);
264
265 }
266 if (flags != PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID)
267 {
268 policy_uri = attr_cast->get_policy_uri(attr_cast);
269 DBG1(DBG_IMV, "This version of Attestation IMV can not handle"
270 " Verification Policies");
271 }
272
273 break;
274 }
275 case TCG_PTS_SIMPLE_EVID_FINAL:
276 {
277 tcg_pts_attr_simple_evid_final_t *attr_cast;
278 pts_simple_evid_final_flag_t flags;
279 chunk_t pcr_comp;
280 chunk_t tpm_quote_sign;
281 chunk_t evid_sign;
282 bool evid_signature_included;
283
284 /** TODO: Ignoring Composite Hash Algorithm field
285 * No flag defined which indicates the precense of it
286 */
287 attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr;
288 evid_signature_included = attr_cast->is_evid_sign_included(attr_cast);
289 flags = attr_cast->get_flags(attr_cast);
290
291 if ((flags == PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO2) ||
292 (flags == PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO2_CAP_VER))
293 {
294 DBG1(DBG_IMV, "This version of Attestation IMV can not handle"
295 " TPM Quote Info2 structure");
296 break;
297 }
298 if (flags == PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO)
299 {
300 chunk_t pcr_composite, quote_info, quote_digest;
301 hasher_t *hasher;
302 pcr_comp = attr_cast->get_pcr_comp(attr_cast);
303 tpm_quote_sign = attr_cast->get_tpm_quote_sign(attr_cast);
304
305 /* Construct PCR Composite and TPM Quote Info structures*/
306 if (!pts->get_quote_info(pts, &pcr_composite, &quote_info))
307 {
308 DBG1(DBG_IMV, "unable to contruct TPM Quote Info");
309 return FALSE;
310 }
311
312 /* Check calculated PCR composite structure matches with received */
313 if (pcr_comp.ptr && !chunk_equals(pcr_comp, pcr_composite))
314 {
315 DBG1(DBG_IMV, "received PCR Compsosite didn't match with constructed");
316 chunk_clear(&pcr_composite);
317 chunk_clear(&quote_info);
318 return FALSE;
319 }
320 DBG2(DBG_IMV, "received PCR Composite matches with constructed");
321 chunk_clear(&pcr_composite);
322
323 /* SHA1(TPM Quote Info) expected from IMC */
324 hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
325 hasher->allocate_hash(hasher, quote_info, &quote_digest);
326 hasher->destroy(hasher);
327 chunk_clear(&quote_info);
328
329 if (tpm_quote_sign.ptr &&
330 !pts->verify_quote_signature(pts, quote_digest, tpm_quote_sign))
331 {
332 chunk_clear(&quote_digest);
333 return FALSE;
334 }
335
336 DBG2(DBG_IMV, "signature verification succeeded for TPM Quote Info");
337 chunk_clear(&quote_digest);
338 }
339
340 if (evid_signature_included)
341 {
342 /** TODO: What to do with Evidence Signature */
343 evid_sign = attr_cast->get_evid_sign(attr_cast);
344 DBG1(DBG_IMV, "This version of Attestation IMV can not handle"
345 " Optional Evidence Signature field");
346 }
347
348 break;
349 }
350 case TCG_PTS_FILE_MEAS:
351 {
352 tcg_pts_attr_file_meas_t *attr_cast;
353 u_int16_t request_id;
354 int file_count, file_id;
355 pts_meas_algorithms_t algo;
356 pts_file_meas_t *measurements;
357 char *platform_info;
358 enumerator_t *e_hash;
359 bool is_dir;
360
361 platform_info = pts->get_platform_info(pts);
362 if (!pts_db || !platform_info)
363 {
364 break;
365 }
366
367 attr_cast = (tcg_pts_attr_file_meas_t*)attr;
368 measurements = attr_cast->get_measurements(attr_cast);
369 algo = pts->get_meas_algorithm(pts);
370 request_id = measurements->get_request_id(measurements);
371 file_count = measurements->get_file_count(measurements);
372
373 DBG1(DBG_IMV, "measurement request %d returned %d file%s:",
374 request_id, file_count, (file_count == 1) ? "":"s");
375
376 if (!attestation_state->check_off_request(attestation_state,
377 request_id, &file_id, &is_dir))
378 {
379 DBG1(DBG_IMV, " no entry found for this request");
380 break;
381 }
382
383 /* check hashes from database against measurements */
384 e_hash = pts_db->create_hash_enumerator(pts_db,
385 platform_info, algo, file_id, is_dir);
386 if (!measurements->verify(measurements, e_hash, is_dir))
387 {
388 attestation_state->set_measurement_error(attestation_state);
389 }
390 e_hash->destroy(e_hash);
391 break;
392 }
393 case TCG_PTS_UNIX_FILE_META:
394 {
395 tcg_pts_attr_file_meta_t *attr_cast;
396 int file_count;
397 pts_file_meta_t *metadata;
398 enumerator_t *e;
399 pts_file_metadata_t *entry;
400
401 attr_cast = (tcg_pts_attr_file_meta_t*)attr;
402 metadata = attr_cast->get_metadata(attr_cast);
403 file_count = metadata->get_file_count(metadata);
404
405 DBG1(DBG_IMV, "metadata request returned %d file%s:",
406 file_count, (file_count == 1) ? "":"s");
407
408 e = metadata->create_enumerator(metadata);
409 while(e->enumerate(e, &entry))
410 {
411 DBG1(DBG_IMV, "File name: %s", entry->filename);
412 DBG1(DBG_IMV, " type: %d", entry->type);
413 DBG1(DBG_IMV, " size: %d", entry->filesize);
414 DBG1(DBG_IMV, " create time: %s", ctime(&entry->create_time));
415 DBG1(DBG_IMV, " last modified: %s", ctime(&entry->last_modify_time));
416 DBG1(DBG_IMV, " last accessed: %s", ctime(&entry->last_access_time));
417 DBG1(DBG_IMV, " owner id: %d", entry->owner_id);
418 DBG1(DBG_IMV, " group id: %d", entry->group_id);
419 }
420 e->destroy(e);
421
422 break;
423 }
424
425 /* TODO: Not implemented yet */
426 case TCG_PTS_INTEG_MEAS_LOG:
427 /* Attributes using XML */
428 case TCG_PTS_TEMPL_REF_MANI_SET_META:
429 case TCG_PTS_VERIFICATION_RESULT:
430 case TCG_PTS_INTEG_REPORT:
431 /* On Windows only*/
432 case TCG_PTS_WIN_FILE_META:
433 case TCG_PTS_REGISTRY_VALUE:
434 /* Received on IMC side only*/
435 case TCG_PTS_REQ_PROTO_CAPS:
436 case TCG_PTS_DH_NONCE_PARAMS_REQ:
437 case TCG_PTS_DH_NONCE_FINISH:
438 case TCG_PTS_MEAS_ALGO:
439 case TCG_PTS_GET_TPM_VERSION_INFO:
440 case TCG_PTS_REQ_TEMPL_REF_MANI_SET_META:
441 case TCG_PTS_UPDATE_TEMPL_REF_MANI:
442 case TCG_PTS_GET_AIK:
443 case TCG_PTS_REQ_FUNCT_COMP_EVID:
444 case TCG_PTS_GEN_ATTEST_EVID:
445 case TCG_PTS_REQ_FILE_META:
446 case TCG_PTS_REQ_FILE_MEAS:
447 case TCG_PTS_REQ_INTEG_MEAS_LOG:
448 default:
449 DBG1(DBG_IMV, "received unsupported attribute '%N'",
450 tcg_attr_names, attr->get_type(attr));
451 break;
452 }
453 return TRUE;
454 }
455