attest displays dates either in local time or UTC
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation_process.c
1 /*
2 * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_process.h"
17
18 #include <ietf/ietf_attr_pa_tnc_error.h>
19
20 #include <pts/pts.h>
21
22 #include <tcg/tcg_pts_attr_aik.h>
23 #include <tcg/tcg_pts_attr_dh_nonce_params_resp.h>
24 #include <tcg/tcg_pts_attr_file_meas.h>
25 #include <tcg/tcg_pts_attr_meas_algo.h>
26 #include <tcg/tcg_pts_attr_proto_caps.h>
27 #include <tcg/tcg_pts_attr_simple_comp_evid.h>
28 #include <tcg/tcg_pts_attr_simple_evid_final.h>
29 #include <tcg/tcg_pts_attr_tpm_version_info.h>
30 #include <tcg/tcg_pts_attr_unix_file_meta.h>
31
32 #include <utils/debug.h>
33 #include <crypto/hashers/hasher.h>
34
35 #include <inttypes.h>
36
37 bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
38 imv_attestation_state_t *attestation_state,
39 pts_meas_algorithms_t supported_algorithms,
40 pts_dh_group_t supported_dh_groups,
41 pts_database_t *pts_db,
42 credential_manager_t *pts_credmgr)
43 {
44 pen_type_t attr_type;
45 pts_t *pts;
46
47 pts = attestation_state->get_pts(attestation_state);
48 attr_type = attr->get_type(attr);
49
50 switch (attr_type.type)
51 {
52 case TCG_PTS_PROTO_CAPS:
53 {
54 tcg_pts_attr_proto_caps_t *attr_cast;
55 pts_proto_caps_flag_t flags;
56
57 attr_cast = (tcg_pts_attr_proto_caps_t*)attr;
58 flags = attr_cast->get_flags(attr_cast);
59 pts->set_proto_caps(pts, flags);
60 break;
61 }
62 case TCG_PTS_MEAS_ALGO_SELECTION:
63 {
64 tcg_pts_attr_meas_algo_t *attr_cast;
65 pts_meas_algorithms_t selected_algorithm;
66
67 attr_cast = (tcg_pts_attr_meas_algo_t*)attr;
68 selected_algorithm = attr_cast->get_algorithms(attr_cast);
69 if (!(selected_algorithm & supported_algorithms))
70 {
71 DBG1(DBG_IMV, "PTS-IMC selected unsupported"
72 " measurement algorithm");
73 return FALSE;
74 }
75 pts->set_meas_algorithm(pts, selected_algorithm);
76 break;
77 }
78 case TCG_PTS_DH_NONCE_PARAMS_RESP:
79 {
80 tcg_pts_attr_dh_nonce_params_resp_t *attr_cast;
81 int nonce_len, min_nonce_len;
82 pts_dh_group_t dh_group;
83 pts_meas_algorithms_t offered_algorithms, selected_algorithm;
84 chunk_t responder_value, responder_nonce;
85
86 attr_cast = (tcg_pts_attr_dh_nonce_params_resp_t*)attr;
87 responder_nonce = attr_cast->get_responder_nonce(attr_cast);
88
89 /* check compliance of responder nonce length */
90 min_nonce_len = lib->settings->get_int(lib->settings,
91 "libimcv.plugins.imv-attestation.min_nonce_len", 0);
92 nonce_len = responder_nonce.len;
93 if (nonce_len < PTS_MIN_NONCE_LEN ||
94 (min_nonce_len > 0 && nonce_len < min_nonce_len))
95 {
96 attr = pts_dh_nonce_error_create(
97 max(PTS_MIN_NONCE_LEN, min_nonce_len),
98 PTS_MAX_NONCE_LEN);
99 out_msg->add_attribute(out_msg, attr);
100 break;
101 }
102
103 dh_group = attr_cast->get_dh_group(attr_cast);
104 if (!(dh_group & supported_dh_groups))
105 {
106 DBG1(DBG_IMV, "PTS-IMC selected unsupported DH group");
107 return FALSE;
108 }
109
110 offered_algorithms = attr_cast->get_hash_algo_set(attr_cast);
111 selected_algorithm = pts_meas_algo_select(supported_algorithms,
112 offered_algorithms);
113 if (selected_algorithm == PTS_MEAS_ALGO_NONE)
114 {
115 attr = pts_hash_alg_error_create(supported_algorithms);
116 out_msg->add_attribute(out_msg, attr);
117 break;
118 }
119 pts->set_dh_hash_algorithm(pts, selected_algorithm);
120
121 if (!pts->create_dh_nonce(pts, dh_group, nonce_len))
122 {
123 return FALSE;
124 }
125
126 responder_value = attr_cast->get_responder_value(attr_cast);
127 pts->set_peer_public_value(pts, responder_value,
128 responder_nonce);
129
130 /* Calculate secret assessment value */
131 if (!pts->calculate_secret(pts))
132 {
133 return FALSE;
134 }
135 break;
136 }
137 case TCG_PTS_TPM_VERSION_INFO:
138 {
139 tcg_pts_attr_tpm_version_info_t *attr_cast;
140 chunk_t tpm_version_info;
141
142 attr_cast = (tcg_pts_attr_tpm_version_info_t*)attr;
143 tpm_version_info = attr_cast->get_tpm_version_info(attr_cast);
144 pts->set_tpm_version_info(pts, tpm_version_info);
145 break;
146 }
147 case TCG_PTS_AIK:
148 {
149 tcg_pts_attr_aik_t *attr_cast;
150 certificate_t *aik, *issuer;
151 public_key_t *public;
152 chunk_t keyid;
153 enumerator_t *e;
154 bool trusted = FALSE;
155
156 attr_cast = (tcg_pts_attr_aik_t*)attr;
157 aik = attr_cast->get_aik(attr_cast);
158 if (!aik)
159 {
160 DBG1(DBG_IMV, "AIK unavailable");
161 return FALSE;
162 }
163 if (aik->get_type(aik) == CERT_X509)
164 {
165 public = aik->get_public_key(aik);
166 public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid);
167 DBG1(DBG_IMV, "verifying AIK certificate with keyid %#B", &keyid);
168 public->destroy(public);
169
170 e = pts_credmgr->create_trusted_enumerator(pts_credmgr,
171 KEY_ANY, aik->get_issuer(aik), FALSE);
172 while (e->enumerate(e, &issuer))
173 {
174 if (aik->issued_by(aik, issuer, NULL))
175 {
176 trusted = TRUE;
177 break;
178 }
179 }
180 e->destroy(e);
181 DBG1(DBG_IMV, "AIK certificate is %strusted",
182 trusted ? "" : "not ");
183 if (!trusted)
184 {
185 return FALSE;
186 }
187 }
188 pts->set_aik(pts, aik);
189 break;
190 }
191 case TCG_PTS_FILE_MEAS:
192 {
193 tcg_pts_attr_file_meas_t *attr_cast;
194 u_int16_t request_id;
195 int file_count, file_id;
196 pts_meas_algorithms_t algo;
197 pts_file_meas_t *measurements;
198 char *platform_info;
199 enumerator_t *e_hash;
200 bool is_dir;
201
202 platform_info = pts->get_platform_info(pts);
203 if (!pts_db || !platform_info)
204 {
205 DBG1(DBG_IMV, "%s%s%s not available",
206 (pts_db) ? "" : "pts database",
207 (!pts_db && !platform_info) ? "and" : "",
208 (platform_info) ? "" : "platform info");
209 break;
210 }
211
212 attr_cast = (tcg_pts_attr_file_meas_t*)attr;
213 measurements = attr_cast->get_measurements(attr_cast);
214 algo = pts->get_meas_algorithm(pts);
215 request_id = measurements->get_request_id(measurements);
216 file_count = measurements->get_file_count(measurements);
217
218 DBG1(DBG_IMV, "measurement request %d returned %d file%s:",
219 request_id, file_count, (file_count == 1) ? "":"s");
220
221 if (request_id)
222 {
223 if (!attestation_state->check_off_file_meas_request(
224 attestation_state, request_id, &file_id, &is_dir))
225 {
226 DBG1(DBG_IMV, " no entry found for file measurement "
227 "request %d", request_id);
228 break;
229 }
230
231 /* check hashes from database against measurements */
232 e_hash = pts_db->create_file_hash_enumerator(pts_db,
233 platform_info, algo, file_id, is_dir);
234 if (!measurements->verify(measurements, e_hash, is_dir))
235 {
236 attestation_state->set_measurement_error(attestation_state,
237 IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL);
238 }
239 e_hash->destroy(e_hash);
240 }
241 else
242 {
243 measurements->check(measurements, pts_db, platform_info, algo);
244 }
245 break;
246 }
247 case TCG_PTS_UNIX_FILE_META:
248 {
249 tcg_pts_attr_file_meta_t *attr_cast;
250 int file_count;
251 pts_file_meta_t *metadata;
252 pts_file_metadata_t *entry;
253 time_t created, modified, accessed;
254 bool utc = FALSE;
255 enumerator_t *e;
256
257 attr_cast = (tcg_pts_attr_file_meta_t*)attr;
258 metadata = attr_cast->get_metadata(attr_cast);
259 file_count = metadata->get_file_count(metadata);
260
261 DBG1(DBG_IMV, "metadata request returned %d file%s:",
262 file_count, (file_count == 1) ? "":"s");
263
264 e = metadata->create_enumerator(metadata);
265 while (e->enumerate(e, &entry))
266 {
267 DBG1(DBG_IMV, " '%s' (%"PRIu64" bytes)"
268 " owner %"PRIu64", group %"PRIu64", type %N",
269 entry->filename, entry->filesize, entry->owner,
270 entry->group, pts_file_type_names, entry->type);
271
272 created = entry->created;
273 modified = entry->modified;
274 accessed = entry->accessed;
275
276 DBG1(DBG_IMV, " created %T, modified %T, accessed %T",
277 &created, utc, &modified, utc, &accessed, utc);
278 }
279 e->destroy(e);
280 break;
281 }
282 case TCG_PTS_SIMPLE_COMP_EVID:
283 {
284 tcg_pts_attr_simple_comp_evid_t *attr_cast;
285 pts_comp_func_name_t *name;
286 pts_comp_evidence_t *evidence;
287 pts_component_t *comp;
288 u_int32_t depth;
289
290 attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
291 evidence = attr_cast->get_comp_evidence(attr_cast);
292 name = evidence->get_comp_func_name(evidence, &depth);
293
294 comp = attestation_state->get_component(attestation_state, name);
295 if (!comp)
296 {
297 DBG1(DBG_IMV, " no entry found for component evidence request");
298 break;
299 }
300 if (comp->verify(comp, name->get_qualifier(name), pts,
301 evidence) != SUCCESS)
302 {
303 attestation_state->set_measurement_error(attestation_state,
304 IMV_ATTESTATION_ERROR_COMP_EVID_FAIL);
305 name->log(name, " measurement mismatch for ");
306 }
307 break;
308 }
309 case TCG_PTS_SIMPLE_EVID_FINAL:
310 {
311 tcg_pts_attr_simple_evid_final_t *attr_cast;
312 u_int8_t flags;
313 pts_meas_algorithms_t comp_hash_algorithm;
314 chunk_t pcr_comp, tpm_quote_sig, evid_sig;
315 chunk_t pcr_composite, quote_info;
316 bool use_quote2, use_ver_info;
317
318 attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr;
319 flags = attr_cast->get_quote_info(attr_cast, &comp_hash_algorithm,
320 &pcr_comp, &tpm_quote_sig);
321
322 if (flags != PTS_SIMPLE_EVID_FINAL_NO)
323 {
324 use_quote2 = (flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2 ||
325 flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2_CAP_VER);
326 use_ver_info = (flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2_CAP_VER);
327
328 /* Construct PCR Composite and TPM Quote Info structures */
329 if (!pts->get_quote_info(pts, use_quote2, use_ver_info,
330 comp_hash_algorithm, &pcr_composite, &quote_info))
331 {
332 DBG1(DBG_IMV, "unable to construct TPM Quote Info");
333 return FALSE;
334 }
335
336 if (!chunk_equals(pcr_comp, pcr_composite))
337 {
338 DBG1(DBG_IMV, "received PCR Composite does not match "
339 "constructed one");
340 attestation_state->set_measurement_error(attestation_state,
341 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
342 free(pcr_composite.ptr);
343 free(quote_info.ptr);
344 break;
345 }
346 DBG2(DBG_IMV, "received PCR Composite matches constructed one");
347 free(pcr_composite.ptr);
348
349 if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig))
350 {
351 attestation_state->set_measurement_error(attestation_state,
352 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
353 free(quote_info.ptr);
354 break;
355 }
356 DBG2(DBG_IMV, "TPM Quote Info signature verification successful");
357 free(quote_info.ptr);
358
359 /**
360 * Finalize any pending measurement registrations and check
361 * if all expected component measurements were received
362 */
363 attestation_state->finalize_components(attestation_state);
364 }
365
366 if (attr_cast->get_evid_sig(attr_cast, &evid_sig))
367 {
368 /** TODO: What to do with Evidence Signature */
369 DBG1(DBG_IMV, "this version of the Attestation IMV can not "
370 "handle Evidence Signatures");
371 }
372 break;
373 }
374
375 /* TODO: Not implemented yet */
376 case TCG_PTS_INTEG_MEAS_LOG:
377 /* Attributes using XML */
378 case TCG_PTS_TEMPL_REF_MANI_SET_META:
379 case TCG_PTS_VERIFICATION_RESULT:
380 case TCG_PTS_INTEG_REPORT:
381 /* On Windows only*/
382 case TCG_PTS_WIN_FILE_META:
383 case TCG_PTS_REGISTRY_VALUE:
384 /* Received on IMC side only*/
385 case TCG_PTS_REQ_PROTO_CAPS:
386 case TCG_PTS_DH_NONCE_PARAMS_REQ:
387 case TCG_PTS_DH_NONCE_FINISH:
388 case TCG_PTS_MEAS_ALGO:
389 case TCG_PTS_GET_TPM_VERSION_INFO:
390 case TCG_PTS_REQ_TEMPL_REF_MANI_SET_META:
391 case TCG_PTS_UPDATE_TEMPL_REF_MANI:
392 case TCG_PTS_GET_AIK:
393 case TCG_PTS_REQ_FUNC_COMP_EVID:
394 case TCG_PTS_GEN_ATTEST_EVID:
395 case TCG_PTS_REQ_FILE_META:
396 case TCG_PTS_REQ_FILE_MEAS:
397 case TCG_PTS_REQ_INTEG_MEAS_LOG:
398 default:
399 DBG1(DBG_IMV, "received unsupported attribute '%N'",
400 tcg_attr_names, attr->get_type(attr));
401 break;
402 }
403 return TRUE;
404 }
405