projects / strongswan.git / blob
? search:


660d082523dd3807795b40517c13518bdcf3d305
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation_process.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_process.h"
17
18 #include <ietf/ietf_attr_pa_tnc_error.h>
19
20 #include <pts/pts.h>
21
22 #include <tcg/tcg_pts_attr_aik.h>
23 #include <tcg/tcg_pts_attr_dh_nonce_params_resp.h>
24 #include <tcg/tcg_pts_attr_file_meas.h>
25 #include <tcg/tcg_pts_attr_meas_algo.h>
26 #include <tcg/tcg_pts_attr_proto_caps.h>
27 #include <tcg/tcg_pts_attr_simple_comp_evid.h>
28 #include <tcg/tcg_pts_attr_simple_evid_final.h>
29 #include <tcg/tcg_pts_attr_tpm_version_info.h>
30 #include <tcg/tcg_pts_attr_unix_file_meta.h>
31
32 #include <debug.h>
33 #include <crypto/hashers/hasher.h>
34
35 #include <inttypes.h>
36
37 bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
38 imv_attestation_state_t *attestation_state,
39 pts_meas_algorithms_t supported_algorithms,
40 pts_dh_group_t supported_dh_groups,
41 pts_database_t *pts_db,
42 credential_manager_t *pts_credmgr)
43 {
44 pts_t *pts;
45
46 pts = attestation_state->get_pts(attestation_state);
47
48 switch (attr->get_type(attr))
49 {
50 case TCG_PTS_PROTO_CAPS:
51 {
52 tcg_pts_attr_proto_caps_t *attr_cast;
53 pts_proto_caps_flag_t flags;
54
55 attr_cast = (tcg_pts_attr_proto_caps_t*)attr;
56 flags = attr_cast->get_flags(attr_cast);
57 pts->set_proto_caps(pts, flags);
58 break;
59 }
60 case TCG_PTS_MEAS_ALGO_SELECTION:
61 {
62 tcg_pts_attr_meas_algo_t *attr_cast;
63 pts_meas_algorithms_t selected_algorithm;
64
65 attr_cast = (tcg_pts_attr_meas_algo_t*)attr;
66 selected_algorithm = attr_cast->get_algorithms(attr_cast);
67 if (!(selected_algorithm & supported_algorithms))
68 {
69 DBG1(DBG_IMV, "PTS-IMC selected unsupported"
70 " measurement algorithm");
71 return FALSE;
72 }
73 pts->set_meas_algorithm(pts, selected_algorithm);
74 break;
75 }
76 case TCG_PTS_DH_NONCE_PARAMS_RESP:
77 {
78 tcg_pts_attr_dh_nonce_params_resp_t *attr_cast;
79 int nonce_len, min_nonce_len;
80 pts_dh_group_t dh_group;
81 pts_meas_algorithms_t offered_algorithms, selected_algorithm;
82 chunk_t responder_value, responder_nonce;
83
84 attr_cast = (tcg_pts_attr_dh_nonce_params_resp_t*)attr;
85 responder_nonce = attr_cast->get_responder_nonce(attr_cast);
86
87 /* check compliance of responder nonce length */
88 min_nonce_len = lib->settings->get_int(lib->settings,
89 "libimcv.plugins.imv-attestation.min_nonce_len", 0);
90 nonce_len = responder_nonce.len;
91 if (nonce_len < PTS_MIN_NONCE_LEN ||
92 (min_nonce_len > 0 && nonce_len < min_nonce_len))
93 {
94 attr = pts_dh_nonce_error_create(
95 max(PTS_MIN_NONCE_LEN, min_nonce_len),
96 PTS_MAX_NONCE_LEN);
97 attr_list->insert_last(attr_list, attr);
98 break;
99 }
100
101 dh_group = attr_cast->get_dh_group(attr_cast);
102 if (!(dh_group & supported_dh_groups))
103 {
104 DBG1(DBG_IMV, "PTS-IMC selected unsupported DH group");
105 return FALSE;
106 }
107
108 offered_algorithms = attr_cast->get_hash_algo_set(attr_cast);
109 selected_algorithm = pts_meas_algo_select(supported_algorithms,
110 offered_algorithms);
111 if (selected_algorithm == PTS_MEAS_ALGO_NONE)
112 {
113 attr = pts_hash_alg_error_create(supported_algorithms);
114 attr_list->insert_last(attr_list, attr);
115 break;
116 }
117 pts->set_dh_hash_algorithm(pts, selected_algorithm);
118
119 if (!pts->create_dh_nonce(pts, dh_group, nonce_len))
120 {
121 return FALSE;
122 }
123
124 responder_value = attr_cast->get_responder_value(attr_cast);
125 pts->set_peer_public_value(pts, responder_value,
126 responder_nonce);
127
128 /* Calculate secret assessment value */
129 if (!pts->calculate_secret(pts))
130 {
131 return FALSE;
132 }
133 break;
134 }
135 case TCG_PTS_TPM_VERSION_INFO:
136 {
137 tcg_pts_attr_tpm_version_info_t *attr_cast;
138 chunk_t tpm_version_info;
139
140 attr_cast = (tcg_pts_attr_tpm_version_info_t*)attr;
141 tpm_version_info = attr_cast->get_tpm_version_info(attr_cast);
142 pts->set_tpm_version_info(pts, tpm_version_info);
143 break;
144 }
145 case TCG_PTS_AIK:
146 {
147 tcg_pts_attr_aik_t *attr_cast;
148 certificate_t *aik, *issuer;
149 public_key_t *public;
150 chunk_t keyid;
151 enumerator_t *e;
152 bool trusted = FALSE;
153
154 attr_cast = (tcg_pts_attr_aik_t*)attr;
155 aik = attr_cast->get_aik(attr_cast);
156 if (!aik)
157 {
158 DBG1(DBG_IMV, "AIK unavailable");
159 return FALSE;
160 }
161 if (aik->get_type(aik) == CERT_X509)
162 {
163 public = aik->get_public_key(aik);
164 public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid);
165 DBG1(DBG_IMV, "verifying AIK certificate with keyid %#B", &keyid);
166 public->destroy(public);
167
168 e = pts_credmgr->create_trusted_enumerator(pts_credmgr,
169 KEY_ANY, aik->get_issuer(aik), FALSE);
170 while (e->enumerate(e, &issuer))
171 {
172 if (aik->issued_by(aik, issuer))
173 {
174 trusted = TRUE;
175 break;
176 }
177 }
178 e->destroy(e);
179 DBG1(DBG_IMV, "AIK certificate is %strusted",
180 trusted ? "" : "not ");
181 }
182 pts->set_aik(pts, aik);
183 break;
184 }
185 case TCG_PTS_FILE_MEAS:
186 {
187 tcg_pts_attr_file_meas_t *attr_cast;
188 u_int16_t request_id;
189 int file_count, file_id;
190 pts_meas_algorithms_t algo;
191 pts_file_meas_t *measurements;
192 char *platform_info;
193 enumerator_t *e_hash;
194 bool is_dir;
195
196 platform_info = pts->get_platform_info(pts);
197 if (!pts_db || !platform_info)
198 {
199 DBG1(DBG_IMV, "%s%s%s not available",
200 (pts_db) ? "" : "pts database",
201 (!pts_db && !platform_info) ? "and" : "",
202 (platform_info) ? "" : "platform info");
203 break;
204 }
205
206 attr_cast = (tcg_pts_attr_file_meas_t*)attr;
207 measurements = attr_cast->get_measurements(attr_cast);
208 algo = pts->get_meas_algorithm(pts);
209 request_id = measurements->get_request_id(measurements);
210 file_count = measurements->get_file_count(measurements);
211
212 DBG1(DBG_IMV, "measurement request %d returned %d file%s:",
213 request_id, file_count, (file_count == 1) ? "":"s");
214
215 if (!attestation_state->check_off_file_meas_request(attestation_state,
216 request_id, &file_id, &is_dir))
217 {
218 DBG1(DBG_IMV, " no entry found for file measurement request %d",
219 request_id);
220 break;
221 }
222
223 /* check hashes from database against measurements */
224 e_hash = pts_db->create_file_hash_enumerator(pts_db,
225 platform_info, algo, file_id, is_dir);
226 if (!measurements->verify(measurements, e_hash, is_dir))
227 {
228 attestation_state->set_measurement_error(attestation_state);
229 }
230 e_hash->destroy(e_hash);
231 break;
232 }
233 case TCG_PTS_UNIX_FILE_META:
234 {
235 tcg_pts_attr_file_meta_t *attr_cast;
236 int file_count;
237 pts_file_meta_t *metadata;
238 pts_file_metadata_t *entry;
239 time_t created, modified, accessed;
240 bool utc = FALSE;
241 enumerator_t *e;
242
243 attr_cast = (tcg_pts_attr_file_meta_t*)attr;
244 metadata = attr_cast->get_metadata(attr_cast);
245 file_count = metadata->get_file_count(metadata);
246
247 DBG1(DBG_IMV, "metadata request returned %d file%s:",
248 file_count, (file_count == 1) ? "":"s");
249
250 e = metadata->create_enumerator(metadata);
251 while (e->enumerate(e, &entry))
252 {
253 DBG1(DBG_IMV, " '%s' (%"PRIu64" bytes)"
254 " owner %"PRIu64", group %"PRIu64", type %N",
255 entry->filename, entry->filesize, entry->owner,
256 entry->group, pts_file_type_names, entry->type);
257
258 created = entry->created;
259 modified = entry->modified;
260 accessed = entry->accessed;
261
262 DBG1(DBG_IMV, " created %T, modified %T, accessed %T",
263 &created, utc, &modified, utc, &accessed, utc);
264 }
265 e->destroy(e);
266 break;
267 }
268 case TCG_PTS_SIMPLE_COMP_EVID:
269 {
270 tcg_pts_attr_simple_comp_evid_t *attr_cast;
271 pts_comp_func_name_t *name;
272 pts_comp_evidence_t *evidence;
273 pts_component_t *comp;
274 u_int32_t depth;
275 status_t status;
276
277 attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
278 evidence = attr_cast->get_comp_evidence(attr_cast);
279 name = evidence->get_comp_func_name(evidence, &depth);
280
281 comp = attestation_state->check_off_component(attestation_state, name);
282 if (!comp)
283 {
284 DBG1(DBG_IMV, " no entry found for component evidence request");
285 break;
286 }
287 status = comp->verify(comp, pts, evidence);
288
289 switch (status)
290 {
291 default:
292 case FAILED:
293 attestation_state->set_measurement_error(attestation_state);
294 comp->destroy(comp);
295 break;
296 case SUCCESS:
297 name->log(name, " successfully measured ");
298 comp->destroy(comp);
299 break;
300 case NEED_MORE:
301 /* re-enter component into list */
302 attestation_state->add_component(attestation_state, comp);
303 }
304 break;
305 }
306 case TCG_PTS_SIMPLE_EVID_FINAL:
307 {
308 tcg_pts_attr_simple_evid_final_t *attr_cast;
309 u_int8_t flags;
310 pts_meas_algorithms_t comp_hash_algorithm;
311 chunk_t pcr_comp, tpm_quote_sig, evid_sig;
312 chunk_t pcr_composite, quote_info;
313 bool use_quote2, use_ver_info;
314
315 attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr;
316 flags = attr_cast->get_quote_info(attr_cast, &comp_hash_algorithm,
317 &pcr_comp, &tpm_quote_sig);
318
319 if (flags != PTS_SIMPLE_EVID_FINAL_NO)
320 {
321 use_quote2 = (flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2 ||
322 flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2_CAP_VER);
323 use_ver_info = (flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2_CAP_VER);
324
325 /* Construct PCR Composite and TPM Quote Info structures */
326 if (!pts->get_quote_info(pts, use_quote2, use_ver_info,
327 comp_hash_algorithm, &pcr_composite, &quote_info))
328 {
329 DBG1(DBG_IMV, "unable to construct TPM Quote Info");
330 return FALSE;
331 }
332
333 if (!chunk_equals(pcr_comp, pcr_composite))
334 {
335 DBG1(DBG_IMV, "received PCR Composite does not match "
336 "constructed one");
337 free(pcr_composite.ptr);
338 free(quote_info.ptr);
339 return FALSE;
340 }
341 DBG2(DBG_IMV, "received PCR Composite matches constructed one");
342 free(pcr_composite.ptr);
343
344 if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig))
345 {
346 free(quote_info.ptr);
347 return FALSE;
348 }
349 DBG2(DBG_IMV, "TPM Quote Info signature verification successful");
350 free(quote_info.ptr);
351
352 /* Finalize any pending measurement registrations */
353 attestation_state->check_off_registrations(attestation_state);
354 }
355
356 if (attr_cast->get_evid_sig(attr_cast, &evid_sig))
357 {
358 /** TODO: What to do with Evidence Signature */
359 DBG1(DBG_IMV, "this version of the Attestation IMV can not "
360 "handle Evidence Signatures");
361 }
362 break;
363 }
364
365 /* TODO: Not implemented yet */
366 case TCG_PTS_INTEG_MEAS_LOG:
367 /* Attributes using XML */
368 case TCG_PTS_TEMPL_REF_MANI_SET_META:
369 case TCG_PTS_VERIFICATION_RESULT:
370 case TCG_PTS_INTEG_REPORT:
371 /* On Windows only*/
372 case TCG_PTS_WIN_FILE_META:
373 case TCG_PTS_REGISTRY_VALUE:
374 /* Received on IMC side only*/
375 case TCG_PTS_REQ_PROTO_CAPS:
376 case TCG_PTS_DH_NONCE_PARAMS_REQ:
377 case TCG_PTS_DH_NONCE_FINISH:
378 case TCG_PTS_MEAS_ALGO:
379 case TCG_PTS_GET_TPM_VERSION_INFO:
380 case TCG_PTS_REQ_TEMPL_REF_MANI_SET_META:
381 case TCG_PTS_UPDATE_TEMPL_REF_MANI:
382 case TCG_PTS_GET_AIK:
383 case TCG_PTS_REQ_FUNC_COMP_EVID:
384 case TCG_PTS_GEN_ATTEST_EVID:
385 case TCG_PTS_REQ_FILE_META:
386 case TCG_PTS_REQ_FILE_MEAS:
387 case TCG_PTS_REQ_INTEG_MEAS_LOG:
388 default:
389 DBG1(DBG_IMV, "received unsupported attribute '%N'",
390 tcg_attr_names, attr->get_type(attr));
391 break;
392 }
393 return TRUE;
394 }
395
strongSwan - IPsec VPN