moved attribute processing to imv_attestation_process
[strongswan.git] / src / libimcv / plugins / imv_attestation / imv_attestation_process.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_process.h"
17
18 #include <ietf/ietf_attr_pa_tnc_error.h>
19
20 #include <pts/pts.h>
21
22 #include <tcg/tcg_pts_attr_aik.h>
23 #include <tcg/tcg_pts_attr_dh_nonce_params_resp.h>
24 #include <tcg/tcg_pts_attr_file_meas.h>
25 #include <tcg/tcg_pts_attr_meas_algo.h>
26 #include <tcg/tcg_pts_attr_proto_caps.h>
27 #include <tcg/tcg_pts_attr_simple_comp_evid.h>
28 #include <tcg/tcg_pts_attr_simple_evid_final.h>
29 #include <tcg/tcg_pts_attr_tpm_version_info.h>
30 #include <tcg/tcg_pts_attr_unix_file_meta.h>
31
32 #include <debug.h>
33
34 #define NONCE_LEN_LIMIT 16
35
36 bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
37 imv_attestation_state_t *attestation_state,
38 pts_meas_algorithms_t supported_algorithms,
39 pts_dh_group_t supported_dh_groups,
40 pts_database_t *pts_db,
41 credential_manager_t *pts_credmgr)
42 {
43 chunk_t attr_info;
44 pts_t *pts;
45
46 pts = attestation_state->get_pts(attestation_state);
47
48 switch (attr->get_type(attr))
49 {
50 case TCG_PTS_PROTO_CAPS:
51 {
52 tcg_pts_attr_proto_caps_t *attr_cast;
53 pts_proto_caps_flag_t flags;
54
55 attr_cast = (tcg_pts_attr_proto_caps_t*)attr;
56 flags = attr_cast->get_flags(attr_cast);
57 pts->set_proto_caps(pts, flags);
58 break;
59 }
60 case TCG_PTS_MEAS_ALGO_SELECTION:
61 {
62 tcg_pts_attr_meas_algo_t *attr_cast;
63 pts_meas_algorithms_t selected_algorithm;
64
65 attr_cast = (tcg_pts_attr_meas_algo_t*)attr;
66 selected_algorithm = attr_cast->get_algorithms(attr_cast);
67 if (!(selected_algorithm & supported_algorithms))
68 {
69 DBG1(DBG_IMV, "PTS-IMC selected unsupported measurement algorithm");
70 return FALSE;
71 }
72 pts->set_meas_algorithm(pts, selected_algorithm);
73 break;
74 }
75 case TCG_PTS_DH_NONCE_PARAMS_RESP:
76 {
77 tcg_pts_attr_dh_nonce_params_resp_t *attr_cast;
78 int nonce_len, min_nonce_len;
79 pts_dh_group_t dh_group;
80 pts_meas_algorithms_t offered_algorithms, selected_algorithm;
81 chunk_t responder_value, responder_nonce;
82
83 attr_cast = (tcg_pts_attr_dh_nonce_params_resp_t*)attr;
84 responder_nonce = attr_cast->get_responder_nonce(attr_cast);
85
86 /* check compliance of responder nonce length */
87 min_nonce_len = lib->settings->get_int(lib->settings,
88 "libimcv.plugins.imv-attestation.min_nonce_len", 0);
89 nonce_len = responder_nonce.len;
90 if (nonce_len <= NONCE_LEN_LIMIT ||
91 (min_nonce_len > 0 && nonce_len < min_nonce_len))
92 {
93 attr_info = attr->get_value(attr);
94 attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
95 TCG_PTS_BAD_NONCE_LENGTH, attr_info);
96 attr_list->insert_last(attr_list, attr);
97 break;
98 }
99
100 dh_group = attr_cast->get_dh_group(attr_cast);
101 if (!(dh_group & supported_dh_groups))
102 {
103 DBG1(DBG_IMV, "PTS-IMC selected unsupported DH group");
104 return FALSE;
105 }
106
107 offered_algorithms = attr_cast->get_hash_algo_set(attr_cast);
108 selected_algorithm = pts_meas_algo_select(supported_algorithms,
109 offered_algorithms);
110 if (selected_algorithm == PTS_MEAS_ALGO_NONE)
111 {
112 attr = pts_hash_alg_error_create(supported_algorithms);
113 attr_list->insert_last(attr_list, attr);
114 break;
115 }
116 pts->set_dh_hash_algorithm(pts, selected_algorithm);
117
118 if (!pts->create_dh_nonce(pts, dh_group, nonce_len))
119 {
120 return FALSE;
121 }
122
123 responder_value = attr_cast->get_responder_value(attr_cast);
124 pts->set_peer_public_value(pts, responder_value,
125 responder_nonce);
126
127 /* Calculate secret assessment value */
128 if (!pts->calculate_secret(pts))
129 {
130 return FALSE;
131 }
132 break;
133 }
134 case TCG_PTS_TPM_VERSION_INFO:
135 {
136 tcg_pts_attr_tpm_version_info_t *attr_cast;
137 chunk_t tpm_version_info;
138
139 attr_cast = (tcg_pts_attr_tpm_version_info_t*)attr;
140 tpm_version_info = attr_cast->get_tpm_version_info(attr_cast);
141 pts->set_tpm_version_info(pts, tpm_version_info);
142 break;
143 }
144 case TCG_PTS_AIK:
145 {
146 tcg_pts_attr_aik_t *attr_cast;
147 certificate_t *aik, *issuer;
148 enumerator_t *e;
149 bool trusted = FALSE;
150
151 attr_cast = (tcg_pts_attr_aik_t*)attr;
152 aik = attr_cast->get_aik(attr_cast);
153 if (!aik)
154 {
155 /* TODO generate error attribute */
156 break;
157 }
158 if (aik->get_type(aik) == CERT_X509)
159 {
160 DBG1(DBG_IMV, "verifying AIK certificate");
161 e = pts_credmgr->create_trusted_enumerator(pts_credmgr,
162 KEY_ANY, aik->get_issuer(aik), FALSE);
163 while (e->enumerate(e, &issuer))
164 {
165 if (aik->issued_by(aik, issuer))
166 {
167 trusted = TRUE;
168 break;
169 }
170 }
171 e->destroy(e);
172 DBG1(DBG_IMV, "AIK certificate is %strusted",
173 trusted ? "" : "not ");
174 }
175 pts->set_aik(pts, aik);
176 break;
177 }
178 case TCG_PTS_SIMPLE_COMP_EVID:
179 {
180 tcg_pts_attr_simple_comp_evid_t *attr_cast;
181 pts_attr_simple_comp_evid_flag_t flags;
182 u_int32_t depth, comp_vendor_id, extended_pcr;
183 u_int8_t family, measurement_type;
184 pts_qualifier_t qualifier;
185 pts_funct_comp_name_t name;
186 pts_meas_algorithms_t hash_algorithm;
187 pts_pcr_transform_t transformation;
188 chunk_t measurement_time, policy_uri;
189 chunk_t pcr_before, pcr_after, measurement;
190
191 attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
192 attr_info = attr->get_value(attr);
193
194 flags = attr_cast->get_flags(attr_cast);
195 depth = attr_cast->get_sub_component_depth(attr_cast);
196 /* TODO: Implement checking of components with its sub-components */
197 if (depth != 0)
198 {
199 DBG1(DBG_IMV, "Current version of Attestation IMV does not support"
200 "sub component measurement deeper than zero");
201 }
202 comp_vendor_id = attr_cast->get_spec_comp_funct_name_vendor_id(attr_cast);
203 if (comp_vendor_id != PEN_TCG)
204 {
205 DBG1(DBG_IMV, "Current version of Attestation IMV supports"
206 "only functional component namings by TCG ");
207 break;
208 }
209 family = attr_cast->get_family(attr_cast);
210 if (family)
211 {
212 attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
213 TCG_PTS_INVALID_NAME_FAM, attr_info);
214 attr_list->insert_last(attr_list, attr);
215 break;
216 }
217 qualifier = attr_cast->get_qualifier(attr_cast);
218
219 /* Check if Unknown or Wildcard was set for qualifier */
220 if (qualifier.kernel && qualifier.sub_component &&
221 (qualifier.type & PTS_FUNC_COMP_TYPE_ALL))
222 {
223 DBG1(DBG_IMV, "Wildcard was set for the qualifier "
224 "of functional component");
225 return FALSE;
226 }
227 else if (!qualifier.kernel && !qualifier.sub_component &&
228 (qualifier.type & PTS_FUNC_COMP_TYPE_UNKNOWN))
229 {
230 DBG1(DBG_IMV, "Unknown feature was set for the qualifier "
231 "of functional component");
232 return FALSE;
233 }
234 else
235 {
236 /* TODO: Implement what todo with received qualifier */
237 }
238
239 name = attr_cast->get_comp_funct_name(attr_cast);
240 measurement_type = attr_cast->get_measurement_type(attr_cast);
241 hash_algorithm = attr_cast->get_hash_algorithm(attr_cast);
242 transformation = attr_cast->get_pcr_trans(attr_cast);
243 measurement_time = attr_cast->get_measurement_time(attr_cast);
244
245 /* Call getters of optional fields when corresponding flag is set */
246 if (flags & PTS_SIMPLE_COMP_EVID_FLAG_PCR)
247 {
248 extended_pcr = attr_cast->get_extended_pcr(attr_cast);
249 pcr_before = attr_cast->get_pcr_before_value(attr_cast);
250 pcr_after = attr_cast->get_pcr_after_value(attr_cast);
251 measurement = attr_cast->get_comp_measurement(attr_cast);
252 }
253 if (!(flags & PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID))
254 {
255 policy_uri = attr_cast->get_policy_uri(attr_cast);
256 }
257
258 /** TODO: Implement saving the PCR number, Hash Algo = communicated one,
259 * PCR transform (truncate SHA256, SHA384), PCR before and after values
260 */
261 break;
262 }
263 case TCG_PTS_SIMPLE_EVID_FINAL:
264 {
265 tcg_pts_attr_simple_evid_final_t *attr_cast;
266 pts_simple_evid_final_flag_t flags;
267 chunk_t pcr_comp = chunk_empty;
268 chunk_t tpm_quote_sign = chunk_empty;
269 chunk_t evid_sign = chunk_empty;
270
271 /** TODO: Ignoring Composite Hash Algorithm field
272 * No flag defined which indicates the precense of it
273 */
274 attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr;
275 flags = attr_cast->get_flags(attr_cast);
276
277 if ((flags >> 6) & PTS_SIMPLE_EVID_FINAL_FLAG_NO)
278 {
279 pcr_comp = attr_cast->get_pcr_comp(attr_cast);
280 tpm_quote_sign = attr_cast->get_tpm_quote_sign(attr_cast);
281
282 /** TODO: Construct PCR Composite */
283 }
284 if (flags & PTS_SIMPLE_EVID_FINAL_FLAG_EVID)
285 {
286 /** TODO: What to do with Evidence Signature */
287 evid_sign = attr_cast->get_evid_sign(attr_cast);
288 }
289
290 break;
291 }
292 case TCG_PTS_FILE_MEAS:
293 {
294 tcg_pts_attr_file_meas_t *attr_cast;
295 u_int16_t request_id;
296 int file_count, file_id;
297 pts_meas_algorithms_t algo;
298 pts_file_meas_t *measurements;
299 char *platform_info;
300 enumerator_t *e_hash;
301 bool is_dir;
302
303 platform_info = pts->get_platform_info(pts);
304 if (!pts_db || !platform_info)
305 {
306 break;
307 }
308
309 attr_cast = (tcg_pts_attr_file_meas_t*)attr;
310 measurements = attr_cast->get_measurements(attr_cast);
311 algo = pts->get_meas_algorithm(pts);
312 request_id = measurements->get_request_id(measurements);
313 file_count = measurements->get_file_count(measurements);
314
315 DBG1(DBG_IMV, "measurement request %d returned %d file%s:",
316 request_id, file_count, (file_count == 1) ? "":"s");
317
318 if (!attestation_state->check_off_request(attestation_state,
319 request_id, &file_id, &is_dir))
320 {
321 DBG1(DBG_IMV, " no entry found for this request");
322 break;
323 }
324
325 /* check hashes from database against measurements */
326 e_hash = pts_db->create_hash_enumerator(pts_db,
327 platform_info, algo, file_id, is_dir);
328 if (!measurements->verify(measurements, e_hash, is_dir))
329 {
330 attestation_state->set_measurement_error(attestation_state);
331 }
332 e_hash->destroy(e_hash);
333 break;
334 }
335 case TCG_PTS_UNIX_FILE_META:
336 {
337 tcg_pts_attr_file_meta_t *attr_cast;
338 int file_count;
339 pts_file_meta_t *metadata;
340 enumerator_t *e;
341 pts_file_metadata_t *entry;
342
343 attr_cast = (tcg_pts_attr_file_meta_t*)attr;
344 metadata = attr_cast->get_metadata(attr_cast);
345 file_count = metadata->get_file_count(metadata);
346
347 DBG1(DBG_IMV, "metadata request returned %d file%s:",
348 file_count, (file_count == 1) ? "":"s");
349
350 e = metadata->create_enumerator(metadata);
351 while(e->enumerate(e, &entry))
352 {
353 DBG1(DBG_IMV, "File name: %s", entry->filename);
354 DBG1(DBG_IMV, " type: %d", entry->type);
355 DBG1(DBG_IMV, " size: %d", entry->filesize);
356 DBG1(DBG_IMV, " create time: %s", ctime(&entry->create_time));
357 DBG1(DBG_IMV, " last modified: %s", ctime(&entry->last_modify_time));
358 DBG1(DBG_IMV, " last accessed: %s", ctime(&entry->last_access_time));
359 DBG1(DBG_IMV, " owner id: %d", entry->owner_id);
360 DBG1(DBG_IMV, " group id: %d", entry->group_id);
361 }
362 e->destroy(e);
363
364 break;
365 }
366
367 /* TODO: Not implemented yet */
368 case TCG_PTS_INTEG_MEAS_LOG:
369 /* Attributes using XML */
370 case TCG_PTS_TEMPL_REF_MANI_SET_META:
371 case TCG_PTS_VERIFICATION_RESULT:
372 case TCG_PTS_INTEG_REPORT:
373 /* On Windows only*/
374 case TCG_PTS_WIN_FILE_META:
375 case TCG_PTS_REGISTRY_VALUE:
376 /* Received on IMC side only*/
377 case TCG_PTS_REQ_PROTO_CAPS:
378 case TCG_PTS_DH_NONCE_PARAMS_REQ:
379 case TCG_PTS_DH_NONCE_FINISH:
380 case TCG_PTS_MEAS_ALGO:
381 case TCG_PTS_GET_TPM_VERSION_INFO:
382 case TCG_PTS_REQ_TEMPL_REF_MANI_SET_META:
383 case TCG_PTS_UPDATE_TEMPL_REF_MANI:
384 case TCG_PTS_GET_AIK:
385 case TCG_PTS_REQ_FUNCT_COMP_EVID:
386 case TCG_PTS_GEN_ATTEST_EVID:
387 case TCG_PTS_REQ_FILE_META:
388 case TCG_PTS_REQ_FILE_MEAS:
389 case TCG_PTS_REQ_INTEG_MEAS_LOG:
390 default:
391 DBG1(DBG_IMV, "received unsupported attribute '%N'",
392 tcg_attr_names, attr->get_type(attr));
393 break;
394 }
395 return TRUE;
396 }
397