efcb1c695b471883af4944d0e20914bada49c296
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation_build.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_build.h"
17 #include "imv_attestation_state.h"
18
19 #include <libpts.h>
20 #include <tcg/tcg_pts_attr_proto_caps.h>
21 #include <tcg/tcg_pts_attr_meas_algo.h>
22 #include <tcg/tcg_pts_attr_dh_nonce_params_req.h>
23 #include <tcg/tcg_pts_attr_dh_nonce_finish.h>
24 #include <tcg/tcg_pts_attr_get_tpm_version_info.h>
25 #include <tcg/tcg_pts_attr_get_aik.h>
26 #include <tcg/tcg_pts_attr_req_func_comp_evid.h>
27 #include <tcg/tcg_pts_attr_gen_attest_evid.h>
28 #include <tcg/tcg_pts_attr_req_file_meas.h>
29 #include <tcg/tcg_pts_attr_req_file_meta.h>
30
31 #include <debug.h>
32
33 bool imv_attestation_build(linked_list_t *attr_list,
34 imv_attestation_state_t *attestation_state,
35 pts_meas_algorithms_t supported_algorithms,
36 pts_dh_group_t supported_dh_groups,
37 pts_database_t *pts_db)
38 {
39 imv_attestation_handshake_state_t handshake_state;
40 pts_t *pts;
41 pa_tnc_attr_t *attr = NULL;
42
43 handshake_state = attestation_state->get_handshake_state(attestation_state);
44 pts = attestation_state->get_pts(attestation_state);
45
46 /**
47 * Skip DH Nonce Parameters Request attribute when
48 * DH Nonce Exchange is not selected by PTS-IMC side
49 */
50 if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ &&
51 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
52 {
53 DBG2(DBG_IMV, "PTS-IMC does not support DH Nonce negotiation - "
54 "advancing to TPM Initialization");
55 handshake_state = IMV_ATTESTATION_STATE_TPM_INIT;
56 }
57
58 /**
59 * Skip TPM Version Info and AIK attributes when
60 * no TPM is available on the PTS-IMC side
61 */
62 if (handshake_state == IMV_ATTESTATION_STATE_TPM_INIT &&
63 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T))
64 {
65 DBG2(DBG_IMV, "PTS-IMC made no TPM available - "
66 "advancing to File Measurements");
67 handshake_state = IMV_ATTESTATION_STATE_MEAS;
68 }
69
70 /**
71 * Skip Component Measurements when
72 * neither DH Nonce Exchange nor a TPM are available on the PTS-IMC side
73 */
74 if (handshake_state == IMV_ATTESTATION_STATE_COMP_EVID &&
75 (!(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T) ||
76 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D)) )
77 {
78 DBG2(DBG_IMV, "PTS-IMC made no TPM available - "
79 "skipping Component Measurements");
80 handshake_state = IMV_ATTESTATION_STATE_END;
81 }
82
83 switch (handshake_state)
84 {
85 case IMV_ATTESTATION_STATE_INIT:
86 {
87 pts_proto_caps_flag_t flags;
88
89 /* Send Request Protocol Capabilities attribute */
90 flags = pts->get_proto_caps(pts);
91 attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
92 attr->set_noskip_flag(attr, TRUE);
93 attr_list->insert_last(attr_list, attr);
94
95 /* Send Measurement Algorithms attribute */
96 attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
97 attr->set_noskip_flag(attr, TRUE);
98 attr_list->insert_last(attr_list, attr);
99
100 attestation_state->set_handshake_state(attestation_state,
101 IMV_ATTESTATION_STATE_NONCE_REQ);
102 break;
103 }
104 case IMV_ATTESTATION_STATE_NONCE_REQ:
105 {
106 int min_nonce_len;
107
108 /* Send DH nonce parameters request attribute */
109 min_nonce_len = lib->settings->get_int(lib->settings,
110 "libimcv.plugins.imv-attestation.min_nonce_len", 0);
111 attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len,
112 supported_dh_groups);
113 attr->set_noskip_flag(attr, TRUE);
114 attr_list->insert_last(attr_list, attr);
115
116 attestation_state->set_handshake_state(attestation_state,
117 IMV_ATTESTATION_STATE_TPM_INIT);
118 break;
119 }
120 case IMV_ATTESTATION_STATE_TPM_INIT:
121 {
122 pts_meas_algorithms_t selected_algorithm;
123 chunk_t initiator_value, initiator_nonce;
124
125 if ((pts->get_proto_caps(pts) & PTS_PROTO_CAPS_D))
126 {
127 /* Send DH nonce finish attribute */
128 selected_algorithm = pts->get_meas_algorithm(pts);
129 pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
130 attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
131 initiator_value, initiator_nonce);
132 attr->set_noskip_flag(attr, TRUE);
133 attr_list->insert_last(attr_list, attr);
134 }
135
136 /* Send Get TPM Version attribute */
137 attr = tcg_pts_attr_get_tpm_version_info_create();
138 attr->set_noskip_flag(attr, TRUE);
139 attr_list->insert_last(attr_list, attr);
140
141 /* Send Get AIK attribute */
142 attr = tcg_pts_attr_get_aik_create();
143 attr->set_noskip_flag(attr, TRUE);
144 attr_list->insert_last(attr_list, attr);
145
146 attestation_state->set_handshake_state(attestation_state,
147 IMV_ATTESTATION_STATE_MEAS);
148 break;
149 }
150 case IMV_ATTESTATION_STATE_MEAS:
151 {
152 enumerator_t *enumerator;
153 u_int32_t delimiter = SOLIDUS_UTF;
154 char *platform_info, *pathname;
155 u_int16_t request_id;
156 int id, type;
157 bool is_dir;
158
159 attestation_state->set_handshake_state(attestation_state,
160 IMV_ATTESTATION_STATE_COMP_EVID);
161
162 /* Get Platform and OS of the PTS-IMC */
163 platform_info = pts->get_platform_info(pts);
164
165 if (!pts_db || !platform_info)
166 {
167 DBG1(DBG_IMV, "%s%s%s not available",
168 (pts_db) ? "" : "pts database",
169 (!pts_db && !platform_info) ? "and" : "",
170 (platform_info) ? "" : "platform info");
171 break;
172 }
173 DBG1(DBG_IMV, "platform is '%s'", platform_info);
174
175 /* Send Request File Metadata attribute */
176 enumerator = pts_db->create_file_meta_enumerator(pts_db,
177 platform_info);
178 if (!enumerator)
179 {
180 break;
181 }
182 while (enumerator->enumerate(enumerator, &type, &pathname))
183 {
184 is_dir = (type != 0);
185 DBG2(DBG_IMV, "metadata request for %s '%s'",
186 is_dir ? "directory" : "file", pathname);
187 attr = tcg_pts_attr_req_file_meta_create(is_dir, delimiter,
188 pathname);
189 attr->set_noskip_flag(attr, TRUE);
190 attr_list->insert_last(attr_list, attr);
191 }
192 enumerator->destroy(enumerator);
193
194 /* Send Request File Measurement attribute */
195 enumerator = pts_db->create_file_meas_enumerator(pts_db,
196 platform_info);
197 if (!enumerator)
198 {
199 break;
200 }
201 while (enumerator->enumerate(enumerator, &id, &type, &pathname))
202 {
203 is_dir = (type != 0);
204 request_id = attestation_state->add_file_meas_request(
205 attestation_state, id, is_dir);
206 DBG2(DBG_IMV, "measurement request %d for %s '%s'",
207 request_id, is_dir ? "directory" : "file", pathname);
208 attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
209 delimiter, pathname);
210 attr->set_noskip_flag(attr, TRUE);
211 attr_list->insert_last(attr_list, attr);
212 }
213 enumerator->destroy(enumerator);
214 break;
215 }
216 case IMV_ATTESTATION_STATE_COMP_EVID:
217 {
218 tcg_pts_attr_req_func_comp_evid_t *attr_cast;
219 enumerator_t *enumerator;
220 pts_component_t *comp;
221 pts_comp_func_name_t *comp_name;
222 chunk_t keyid;
223 int vid, name, qualifier;
224 u_int8_t flags;
225 u_int32_t depth;
226 bool first = TRUE;
227
228 attestation_state->set_handshake_state(attestation_state,
229 IMV_ATTESTATION_STATE_END);
230
231 if (!pts->get_aik_keyid(pts, &keyid))
232 {
233 break;
234 }
235 if (!pts_db)
236 {
237 DBG1(DBG_PTS, "pts database not available");
238 break;
239 }
240
241 enumerator = pts_db->create_comp_evid_enumerator(pts_db, keyid);
242 if (!enumerator)
243 {
244 break;
245 }
246 DBG2(DBG_IMV, "evidence request by");
247 while (enumerator->enumerate(enumerator, &vid, &name,
248 &qualifier, &depth))
249 {
250 comp_name = pts_comp_func_name_create(vid, name, qualifier);
251 comp_name->log(comp_name, " ");
252
253 comp = pts_components->create(pts_components, comp_name,
254 depth, pts_db);
255 if (!comp)
256 {
257 DBG2(DBG_IMV, " not registered: removed from request");
258 comp_name->destroy(comp_name);
259 continue;
260 }
261 attestation_state->add_component(attestation_state, comp);
262 if (first)
263 {
264 attr = tcg_pts_attr_req_func_comp_evid_create();
265 attr->set_noskip_flag(attr, TRUE);
266 first = FALSE;
267 }
268 flags = comp->get_evidence_flags(comp);
269 /* TODO check flags against negotiated_caps */
270 attr_cast = (tcg_pts_attr_req_func_comp_evid_t *)attr;
271 attr_cast->add_component(attr_cast, flags, depth, comp_name);
272 }
273 enumerator->destroy(enumerator);
274
275 if (attr)
276 {
277 /* Send Request Functional Component Evidence attribute */
278 attr_list->insert_last(attr_list, attr);
279
280 /* Send Generate Attestation Evidence attribute */
281 attr = tcg_pts_attr_gen_attest_evid_create();
282 attr->set_noskip_flag(attr, TRUE);
283 attr_list->insert_last(attr_list, attr);
284 }
285 break;
286 }
287 default:
288 DBG1(DBG_IMV, "Attestation IMV is in unknown state: \"%s\"",
289 handshake_state);
290 return FALSE;
291 }
292 return TRUE;
293 }