attest displays dates either in local time or UTC
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation_build.c
1 /*
2 * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_build.h"
17 #include "imv_attestation_state.h"
18
19 #include <tcg/tcg_pts_attr_proto_caps.h>
20 #include <tcg/tcg_pts_attr_meas_algo.h>
21 #include <tcg/tcg_pts_attr_dh_nonce_params_req.h>
22 #include <tcg/tcg_pts_attr_dh_nonce_finish.h>
23 #include <tcg/tcg_pts_attr_get_tpm_version_info.h>
24 #include <tcg/tcg_pts_attr_get_aik.h>
25 #include <tcg/tcg_pts_attr_req_func_comp_evid.h>
26 #include <tcg/tcg_pts_attr_gen_attest_evid.h>
27 #include <tcg/tcg_pts_attr_req_file_meas.h>
28 #include <tcg/tcg_pts_attr_req_file_meta.h>
29
30 #include <utils/debug.h>
31
32 bool imv_attestation_build(imv_msg_t *out_msg,
33 imv_attestation_state_t *attestation_state,
34 pts_meas_algorithms_t supported_algorithms,
35 pts_dh_group_t supported_dh_groups,
36 pts_database_t *pts_db)
37 {
38 imv_attestation_handshake_state_t handshake_state;
39 pts_t *pts;
40 pa_tnc_attr_t *attr = NULL;
41
42 handshake_state = attestation_state->get_handshake_state(attestation_state);
43 pts = attestation_state->get_pts(attestation_state);
44
45 /**
46 * Skip DH Nonce Parameters Request attribute when
47 * DH Nonce Exchange is not selected by PTS-IMC side
48 */
49 if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ &&
50 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
51 {
52 DBG2(DBG_IMV, "PTS-IMC does not support DH Nonce negotiation - "
53 "advancing to TPM Initialization");
54 handshake_state = IMV_ATTESTATION_STATE_TPM_INIT;
55 }
56
57 /**
58 * Skip TPM Version Info and AIK attributes when
59 * no TPM is available on the PTS-IMC side
60 */
61 if (handshake_state == IMV_ATTESTATION_STATE_TPM_INIT &&
62 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T))
63 {
64 DBG2(DBG_IMV, "PTS-IMC made no TPM available - "
65 "advancing to File Measurements");
66 handshake_state = IMV_ATTESTATION_STATE_MEAS;
67 }
68
69 switch (handshake_state)
70 {
71 case IMV_ATTESTATION_STATE_INIT:
72 {
73 pts_proto_caps_flag_t flags;
74
75 /* Send Request Protocol Capabilities attribute */
76 flags = pts->get_proto_caps(pts);
77 attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
78 attr->set_noskip_flag(attr, TRUE);
79 out_msg->add_attribute(out_msg, attr);
80
81 /* Send Measurement Algorithms attribute */
82 attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
83 attr->set_noskip_flag(attr, TRUE);
84 out_msg->add_attribute(out_msg, attr);
85
86 attestation_state->set_handshake_state(attestation_state,
87 IMV_ATTESTATION_STATE_NONCE_REQ);
88 break;
89 }
90 case IMV_ATTESTATION_STATE_NONCE_REQ:
91 {
92 int min_nonce_len;
93
94 /* Send DH nonce parameters request attribute */
95 min_nonce_len = lib->settings->get_int(lib->settings,
96 "libimcv.plugins.imv-attestation.min_nonce_len", 0);
97 attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len,
98 supported_dh_groups);
99 attr->set_noskip_flag(attr, TRUE);
100 out_msg->add_attribute(out_msg, attr);
101
102 attestation_state->set_handshake_state(attestation_state,
103 IMV_ATTESTATION_STATE_TPM_INIT);
104 break;
105 }
106 case IMV_ATTESTATION_STATE_TPM_INIT:
107 {
108 pts_meas_algorithms_t selected_algorithm;
109 chunk_t initiator_value, initiator_nonce;
110
111 if ((pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
112 {
113 /* Send DH nonce finish attribute */
114 selected_algorithm = pts->get_meas_algorithm(pts);
115 pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
116 attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
117 initiator_value, initiator_nonce);
118 attr->set_noskip_flag(attr, TRUE);
119 out_msg->add_attribute(out_msg, attr);
120 }
121
122 /* Send Get TPM Version attribute */
123 attr = tcg_pts_attr_get_tpm_version_info_create();
124 attr->set_noskip_flag(attr, TRUE);
125 out_msg->add_attribute(out_msg, attr);
126
127 /* Send Get AIK attribute */
128 attr = tcg_pts_attr_get_aik_create();
129 attr->set_noskip_flag(attr, TRUE);
130 out_msg->add_attribute(out_msg, attr);
131
132 attestation_state->set_handshake_state(attestation_state,
133 IMV_ATTESTATION_STATE_MEAS);
134 break;
135 }
136 case IMV_ATTESTATION_STATE_MEAS:
137 {
138 enumerator_t *enumerator;
139 u_int32_t delimiter = SOLIDUS_UTF;
140 char *platform_info, *pathname;
141 u_int16_t request_id;
142 int id, type;
143 bool is_dir, have_request = FALSE;
144
145 attestation_state->set_handshake_state(attestation_state,
146 IMV_ATTESTATION_STATE_COMP_EVID);
147
148 /* Get Platform and OS of the PTS-IMC */
149 platform_info = pts->get_platform_info(pts);
150
151 if (!pts_db || !platform_info)
152 {
153 DBG1(DBG_IMV, "%s%s%s not available",
154 (pts_db) ? "" : "pts database",
155 (!pts_db && !platform_info) ? "and" : "",
156 (platform_info) ? "" : "platform info");
157 break;
158 }
159 DBG1(DBG_IMV, "platform is '%s'", platform_info);
160
161 /* Send Request File Metadata attribute */
162 enumerator = pts_db->create_file_meta_enumerator(pts_db,
163 platform_info);
164 if (!enumerator)
165 {
166 break;
167 }
168 while (enumerator->enumerate(enumerator, &type, &pathname))
169 {
170 is_dir = (type != 0);
171 DBG2(DBG_IMV, "metadata request for %s '%s'",
172 is_dir ? "directory" : "file", pathname);
173 attr = tcg_pts_attr_req_file_meta_create(is_dir, delimiter,
174 pathname);
175 attr->set_noskip_flag(attr, TRUE);
176 out_msg->add_attribute(out_msg, attr);
177 have_request = TRUE;
178 }
179 enumerator->destroy(enumerator);
180
181 /* Send Request File Measurement attribute */
182 enumerator = pts_db->create_file_meas_enumerator(pts_db,
183 platform_info);
184 if (!enumerator)
185 {
186 break;
187 }
188 while (enumerator->enumerate(enumerator, &id, &type, &pathname))
189 {
190 is_dir = (type != 0);
191 request_id = attestation_state->add_file_meas_request(
192 attestation_state, id, is_dir);
193 DBG2(DBG_IMV, "measurement request %d for %s '%s'",
194 request_id, is_dir ? "directory" : "file", pathname);
195 attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
196 delimiter, pathname);
197 attr->set_noskip_flag(attr, TRUE);
198 out_msg->add_attribute(out_msg, attr);
199 have_request = TRUE;
200 }
201 enumerator->destroy(enumerator);
202
203 /* do we have any file metadata or measurement requests? */
204 if (have_request)
205 {
206 break;
207 }
208 /* fall through to next state */
209 }
210 case IMV_ATTESTATION_STATE_COMP_EVID:
211 {
212 tcg_pts_attr_req_func_comp_evid_t *attr_cast;
213 enumerator_t *enumerator;
214 pts_component_t *comp;
215 pts_comp_func_name_t *comp_name;
216 chunk_t keyid;
217 int kid, vid, name, qualifier;
218 u_int8_t flags;
219 u_int32_t depth;
220 bool first = TRUE, first_component = TRUE;
221
222 attestation_state->set_handshake_state(attestation_state,
223 IMV_ATTESTATION_STATE_END);
224
225 if (!(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T) ||
226 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
227 {
228 DBG2(DBG_IMV, "PTS-IMC made no TPM available - "
229 "skipping Component Measurements");
230 break;
231 }
232 if (!pts->get_aik_keyid(pts, &keyid))
233 {
234 DBG1(DBG_IMV, "retrieval of AIK keyid failed");
235 return FALSE;
236 }
237 if (!pts_db)
238 {
239 DBG1(DBG_IMV, "pts database not available");
240 break;
241 }
242 if (pts_db->check_aik_keyid(pts_db, keyid, &kid) != SUCCESS)
243 {
244 return FALSE;
245 }
246 enumerator = pts_db->create_comp_evid_enumerator(pts_db, kid);
247 if (!enumerator)
248 {
249 break;
250 }
251 while (enumerator->enumerate(enumerator, &vid, &name,
252 &qualifier, &depth))
253 {
254 if (first)
255 {
256 DBG2(DBG_IMV, "evidence request by");
257 first = FALSE;
258 }
259 comp_name = pts_comp_func_name_create(vid, name, qualifier);
260 comp_name->log(comp_name, " ");
261
262 comp = attestation_state->create_component(attestation_state,
263 comp_name, depth, pts_db);
264 if (!comp)
265 {
266 DBG2(DBG_IMV, " not registered or duplicate"
267 " - removed from request");
268 comp_name->destroy(comp_name);
269 continue;
270 }
271 if (first_component)
272 {
273 attr = tcg_pts_attr_req_func_comp_evid_create();
274 attr->set_noskip_flag(attr, TRUE);
275 first_component = FALSE;
276 }
277 flags = comp->get_evidence_flags(comp);
278 /* TODO check flags against negotiated_caps */
279 attr_cast = (tcg_pts_attr_req_func_comp_evid_t *)attr;
280 attr_cast->add_component(attr_cast, flags, depth, comp_name);
281 }
282 enumerator->destroy(enumerator);
283
284 if (attr)
285 {
286 /* Send Request Functional Component Evidence attribute */
287 out_msg->add_attribute(out_msg, attr);
288
289 /* Send Generate Attestation Evidence attribute */
290 attr = tcg_pts_attr_gen_attest_evid_create();
291 attr->set_noskip_flag(attr, TRUE);
292 out_msg->add_attribute(out_msg, attr);
293
294 attestation_state->set_handshake_state(attestation_state,
295 IMV_ATTESTATION_STATE_EVID_FINAL);
296 }
297 break;
298 }
299 case IMV_ATTESTATION_STATE_EVID_FINAL:
300 if (attestation_state->components_finalized(attestation_state))
301 {
302 attestation_state->set_handshake_state(attestation_state,
303 IMV_ATTESTATION_STATE_END);
304 }
305 break;
306 case IMV_ATTESTATION_STATE_END:
307 break;
308 }
309 return TRUE;
310 }