projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Do TPM measurements only if there is a TPMRA workitem
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation_build.c
1 /*
2 * Copyright (C) 2011-2012 Sansar Choinyambuu
3 * Copyright (C) 2011-2014 Andreas Steffen
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "imv_attestation_build.h"
18 #include "imv_attestation_state.h"
19
20 #include <tcg/pts/tcg_pts_attr_dh_nonce_params_req.h>
21 #include <tcg/pts/tcg_pts_attr_dh_nonce_finish.h>
22 #include <tcg/pts/tcg_pts_attr_get_tpm_version_info.h>
23 #include <tcg/pts/tcg_pts_attr_get_aik.h>
24 #include <tcg/pts/tcg_pts_attr_req_func_comp_evid.h>
25 #include <tcg/pts/tcg_pts_attr_gen_attest_evid.h>
26
27 #include <utils/debug.h>
28
29 bool imv_attestation_build(imv_msg_t *out_msg, imv_state_t *state,
30 pts_dh_group_t supported_dh_groups,
31 pts_database_t *pts_db)
32 {
33 imv_attestation_state_t *attestation_state;
34 imv_attestation_handshake_state_t handshake_state;
35 pts_t *pts;
36 pa_tnc_attr_t *attr = NULL;
37
38 attestation_state = (imv_attestation_state_t*)state;
39 handshake_state = attestation_state->get_handshake_state(attestation_state);
40 pts = attestation_state->get_pts(attestation_state);
41
42 switch (handshake_state)
43 {
44 case IMV_ATTESTATION_STATE_NONCE_REQ:
45 {
46 int min_nonce_len;
47
48 /* Send DH nonce parameters request attribute */
49 min_nonce_len = lib->settings->get_int(lib->settings,
50 "libimcv.plugins.imv-attestation.min_nonce_len", 0);
51 attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len,
52 supported_dh_groups);
53 attr->set_noskip_flag(attr, TRUE);
54 out_msg->add_attribute(out_msg, attr);
55
56 attestation_state->set_handshake_state(attestation_state,
57 IMV_ATTESTATION_STATE_TPM_INIT);
58 break;
59 }
60 case IMV_ATTESTATION_STATE_TPM_INIT:
61 {
62 pts_meas_algorithms_t selected_algorithm;
63 chunk_t initiator_value, initiator_nonce;
64
65 /* Send DH nonce finish attribute */
66 selected_algorithm = pts->get_meas_algorithm(pts);
67 pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
68 attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
69 initiator_value, initiator_nonce);
70 attr->set_noskip_flag(attr, TRUE);
71 out_msg->add_attribute(out_msg, attr);
72
73 /* Send Get TPM Version attribute */
74 attr = tcg_pts_attr_get_tpm_version_info_create();
75 attr->set_noskip_flag(attr, TRUE);
76 out_msg->add_attribute(out_msg, attr);
77
78 /* Send Get AIK attribute */
79 attr = tcg_pts_attr_get_aik_create();
80 attr->set_noskip_flag(attr, TRUE);
81 out_msg->add_attribute(out_msg, attr);
82
83 attestation_state->set_handshake_state(attestation_state,
84 IMV_ATTESTATION_STATE_COMP_EVID);
85 break;
86 }
87 case IMV_ATTESTATION_STATE_COMP_EVID:
88 {
89 tcg_pts_attr_req_func_comp_evid_t *attr_cast;
90 enumerator_t *enumerator;
91 pts_comp_func_name_t *name;
92 chunk_t keyid;
93 int kid;
94 u_int8_t flags;
95 u_int32_t depth;
96 bool first_component = TRUE;
97
98 attestation_state->set_handshake_state(attestation_state,
99 IMV_ATTESTATION_STATE_END);
100
101 if (!pts->get_aik_keyid(pts, &keyid))
102 {
103 DBG1(DBG_IMV, "retrieval of AIK keyid failed");
104 return FALSE;
105 }
106 if (!pts_db)
107 {
108 DBG1(DBG_IMV, "pts database not available");
109 break;
110 }
111 if (pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
112 {
113 return FALSE;
114 }
115 enumerator = attestation_state->create_component_enumerator(
116 attestation_state);
117 while (enumerator->enumerate(enumerator, &flags, &depth, &name))
118 {
119 if (first_component)
120 {
121 attr = tcg_pts_attr_req_func_comp_evid_create();
122 attr->set_noskip_flag(attr, TRUE);
123 first_component = FALSE;
124 DBG2(DBG_IMV, "evidence request by");
125 }
126 name->log(name, " ");
127
128 /* TODO check flags against negotiated_caps */
129 attr_cast = (tcg_pts_attr_req_func_comp_evid_t *)attr;
130 attr_cast->add_component(attr_cast, flags, depth, name);
131 }
132 enumerator->destroy(enumerator);
133
134 if (attr)
135 {
136 /* Send Request Functional Component Evidence attribute */
137 out_msg->add_attribute(out_msg, attr);
138
139 /* Send Generate Attestation Evidence attribute */
140 attr = tcg_pts_attr_gen_attest_evid_create();
141 attr->set_noskip_flag(attr, TRUE);
142 out_msg->add_attribute(out_msg, attr);
143
144 attestation_state->set_handshake_state(attestation_state,
145 IMV_ATTESTATION_STATE_EVID_FINAL);
146 }
147 break;
148 }
149 case IMV_ATTESTATION_STATE_EVID_FINAL:
150 if (attestation_state->components_finalized(attestation_state))
151 {
152 attestation_state->set_handshake_state(attestation_state,
153 IMV_ATTESTATION_STATE_END);
154 }
155 break;
156 default:
157 break;
158 }
159 return TRUE;
160 }
strongSwan - IPsec VPN