transfer IMA file measurements via PA-TNC
[strongswan.git] / src / libpts / pts / components / ita / ita_comp_tboot.c
index 5ab6dc8..8ac8335 100644 (file)
@@ -1,6 +1,5 @@
 /*
- * Copyright (C) 2011 Andreas Steffen
- *
+ * Copyright (C) 2011-2012 Andreas Steffen
  * HSR Hochschule fuer Technik Rapperswil
  *
  * This program is free software; you can redistribute it and/or modify it
@@ -17,6 +16,7 @@
 #include "ita_comp_tboot.h"
 #include "ita_comp_func_name.h"
 
+#include "libpts.h"
 #include "pts/components/pts_component.h"
 
 #include <debug.h>
@@ -41,20 +41,50 @@ struct pts_ita_comp_tboot_t {
        pts_comp_func_name_t *name;
 
        /**
+        * AIK keyid
+        */
+       chunk_t keyid;
+
+       /**
         * Sub-component depth
         */
        u_int32_t depth;
 
        /**
-        * Extended PCR last handled
+        * PTS measurement database
         */
-       u_int32_t extended_pcr;
+       pts_database_t *pts_db;
+
+       /**
+        * Primary key for Component Functional Name database entry
+        */
+       int cid;
+
+       /**
+        * Primary key for AIK database entry
+        */
+       int kid;
+
+       /**
+        * Component is registering measurements 
+        */
+       bool is_registering;
 
        /**
         * Time of TBOOT measurement
         */
        time_t measurement_time;
 
+       /**
+        * Expected measurement count
+        */
+       int count;
+
+       /**
+        * Measurement sequence number
+        */
+       int seq_no;
+
 };
 
 METHOD(pts_component_t, get_comp_func_name, pts_comp_func_name_t*,
@@ -76,15 +106,19 @@ METHOD(pts_component_t, get_depth, u_int32_t,
 }
 
 METHOD(pts_component_t, measure, status_t,
-       pts_ita_comp_tboot_t *this, pts_t *pts, pts_comp_evidence_t **evidence)
+       pts_ita_comp_tboot_t *this, pts_t *pts, pts_comp_evidence_t **evidence,
+       pts_file_meas_t **measurements)
+
 {
        pts_comp_evidence_t *evid;
        char *meas_hex, *pcr_before_hex, *pcr_after_hex;
        chunk_t measurement, pcr_before, pcr_after;
+       size_t hash_size, pcr_len;
+       u_int32_t extended_pcr;
        pts_pcr_transform_t pcr_transform;
        pts_meas_algorithms_t hash_algo;
        
-       switch (this->extended_pcr)
+       switch (this->seq_no++)
        {
                case 0:
                        /* dummy data since currently the TBOOT log is not retrieved */
@@ -95,9 +129,9 @@ METHOD(pts_component_t, measure, status_t,
                                                "libimcv.plugins.imc-attestation.pcr17_before", NULL);
                        pcr_after_hex = lib->settings->get_str(lib->settings,
                                                "libimcv.plugins.imc-attestation.pcr17_after", NULL);
-                       this->extended_pcr = PCR_TBOOT_POLICY;
+                       extended_pcr = PCR_TBOOT_POLICY;
                        break;
-               case PCR_TBOOT_POLICY:
+               case 1:
                        /* dummy data since currently the TBOOT log is not retrieved */
                        meas_hex = lib->settings->get_str(lib->settings,
                                                "libimcv.plugins.imc-attestation.pcr18_meas", NULL);
@@ -105,109 +139,121 @@ METHOD(pts_component_t, measure, status_t,
                                                "libimcv.plugins.imc-attestation.pcr18_before", NULL);
                        pcr_after_hex = lib->settings->get_str(lib->settings,
                                                "libimcv.plugins.imc-attestation.pcr18_after", NULL);
-                       this->extended_pcr = PCR_TBOOT_MLE;
+                       extended_pcr = PCR_TBOOT_MLE;
                        break;
                default:
                        return FAILED;
        }
 
-       hash_algo = pts->get_meas_algorithm(pts);
-       switch (hash_algo)
+       if (meas_hex == NULL || pcr_before_hex == NULL || pcr_after_hex == NULL)
        {
-               case PTS_MEAS_ALGO_SHA1:
-                       pcr_transform = PTS_PCR_TRANSFORM_MATCH;
-               case PTS_MEAS_ALGO_SHA256:
-               case PTS_MEAS_ALGO_SHA384:
-                       pcr_transform = PTS_PCR_TRANSFORM_LONG;
-               case PTS_MEAS_ALGO_NONE:
-               default:
-                       pcr_transform = PTS_PCR_TRANSFORM_NO;
+               return FAILED;
        }
 
+       hash_algo = pts->get_meas_algorithm(pts);
+       hash_size = pts_meas_algo_hash_size(hash_algo);
+       pcr_len = pts->get_pcr_len(pts);
+       pcr_transform = pts_meas_algo_to_pcr_transform(hash_algo, pcr_len);
+
+       /* get and check the measurement data */
        measurement = chunk_from_hex(
                                        chunk_create(meas_hex, strlen(meas_hex)), NULL);
        pcr_before = chunk_from_hex(
                                        chunk_create(pcr_before_hex, strlen(pcr_before_hex)), NULL);
        pcr_after = chunk_from_hex(
                                        chunk_create(pcr_after_hex, strlen(pcr_after_hex)), NULL);
+       if (pcr_before.len != pcr_len || pcr_after.len != pcr_len ||
+               measurement.len != hash_size)
+       {
+               DBG1(DBG_PTS, "TBOOT measurement or pcr data have the wrong size");
+               free(measurement.ptr);
+               free(pcr_before.ptr);
+               free(pcr_after.ptr);
+               return FAILED;
+       }
 
        evid = *evidence = pts_comp_evidence_create(this->name->clone(this->name),
-                                                               this->depth, this->extended_pcr,
+                                                               this->depth, extended_pcr,
                                                                hash_algo, pcr_transform,
                                                                this->measurement_time, measurement);
        evid->set_pcr_info(evid, pcr_before, pcr_after);
 
-
-
-       return (this->extended_pcr == PCR_TBOOT_MLE) ? SUCCESS : NEED_MORE;
+       return (this->seq_no < 2) ? NEED_MORE : SUCCESS;
 }
 
 METHOD(pts_component_t, verify, status_t,
-       pts_ita_comp_tboot_t *this, pts_t *pts, pts_database_t *pts_db,
-       pts_comp_evidence_t *evidence)
+       pts_ita_comp_tboot_t *this, pts_t *pts, pts_comp_evidence_t *evidence)
 {
        bool has_pcr_info;
-       u_int32_t extended_pcr;
+       u_int32_t extended_pcr, vid, name;
+       enum_name_t *names;
        pts_meas_algorithms_t algo;
        pts_pcr_transform_t transform;
        time_t measurement_time;
        chunk_t measurement, pcr_before, pcr_after;
-       enumerator_t *enumerator;
-       char *file;
-       chunk_t hash;
-       char *platform_info;
+       status_t status;
 
-       platform_info = pts->get_platform_info(pts);
-       if (!pts_db || !platform_info)
-       {
-               DBG1(DBG_PTS, "%s%s%s not available",
-                        (pts_db) ? "" : "pts database",
-                        (!pts_db && !platform_info) ? "and" : "",
-                        (platform_info) ? "" : "platform info");
-               return FAILED;
-       }
+       measurement = evidence->get_measurement(evidence, &extended_pcr,
+                                                               &algo, &transform, &measurement_time);
 
-       switch (this->extended_pcr)
+       if (!this->keyid.ptr)
        {
-               case 0:
-                       this->extended_pcr = PCR_TBOOT_POLICY;
-                       file = "tboot_pcr17";
-                       break;
-               case PCR_TBOOT_POLICY:
-                       this->extended_pcr = PCR_TBOOT_MLE;
-                       file = "tboot_pcr18";
-                       break;
-               default:
+               if (!pts->get_aik_keyid(pts, &this->keyid))
+               {
                        return FAILED;
-       }
+               }
+               this->keyid = chunk_clone(this->keyid);
 
-       measurement = evidence->get_measurement(evidence, &extended_pcr,
-                                                                                       &algo, &transform, &measurement_time);
-       if (extended_pcr != this->extended_pcr)
-       {
-               return FAILED;
-       }
-       
-       /* check measurement in database */
-       enumerator = pts_db->create_comp_hash_enumerator(pts_db, file,
-                                                               platform_info, this->name, TRUSTED_HASH_ALGO);
-       while (enumerator->enumerate(enumerator, &hash))
-       {
-               if (!chunk_equals(hash, measurement))
+               if (!this->pts_db)
                {
-                       DBG1(DBG_PTS, "Incorrect TBOOT component measurement for PCR %d. "
-                                                 "Expected: %#B, Received: %#B",
-                                                 this->extended_pcr, &hash, &measurement);
+                       DBG1(DBG_PTS, "pts database not available");
                        return FAILED;
                }
+               status = this->pts_db->get_comp_measurement_count(this->pts_db,
+                                                               this->name, this->keyid, algo, &this->cid,
+                                                               &this->kid, &this->count);
+               if (status != SUCCESS)
+               {
+                       return status;
+               }
+               vid = this->name->get_vendor_id(this->name);
+               name = this->name->get_name(this->name);
+               names = pts_components->get_comp_func_names(pts_components, vid);
+
+               if (this->count)
+               {
+                       DBG1(DBG_PTS, "checking %d %N '%N' functional component evidence "
+                                "measurements", this->count, pen_names, vid, names, name);
+               }
                else
                {
-                       DBG3(DBG_PTS, "Matching TBOOT component measurement for PCR %d",
-                                                 this->extended_pcr);
-                       break;
+                       DBG1(DBG_PTS, "registering %N '%N' functional component evidence "
+                                "measurements", pen_names, vid, names, name);
+                       this->is_registering = TRUE;
+               }
+       }
+
+       if (this->is_registering)
+       {
+               status = this->pts_db->insert_comp_measurement(this->pts_db,
+                                                               measurement, this->cid, this->kid,
+                                                               ++this->seq_no, extended_pcr, algo);
+               if (status != SUCCESS)
+               {
+                       return status;
+               }
+               this->count = this->seq_no + 1;
+       }
+       else
+       {
+               status = this->pts_db->check_comp_measurement(this->pts_db,
+                                                               measurement, this->cid, this->kid,
+                                                               ++this->seq_no, extended_pcr, algo);
+               if (status != SUCCESS)
+               {
+                       return status;
                }
        }
-       enumerator->destroy(enumerator);
 
        has_pcr_info = evidence->get_pcr_info(evidence, &pcr_before, &pcr_after);
        if (has_pcr_info)
@@ -218,20 +264,65 @@ METHOD(pts_component_t, verify, status_t,
                }
        }
 
-       return (this->extended_pcr == PCR_TBOOT_MLE) ? SUCCESS : NEED_MORE;
+       return SUCCESS;
+}
+
+METHOD(pts_component_t, finalize, bool,
+       pts_ita_comp_tboot_t *this)
+{
+       u_int32_t vid, name;
+       enum_name_t *names;
+               
+       vid = this->name->get_vendor_id(this->name);
+       name = this->name->get_name(this->name);
+       names = pts_components->get_comp_func_names(pts_components, vid);
+
+       if (this->is_registering)
+       {
+               /* close registration */
+               this->is_registering = FALSE;
+
+               DBG1(DBG_PTS, "registered %d %N '%N' functional component evidence "
+                                         "measurements", this->seq_no, pen_names, vid, names, name);
+       }
+       else if (this->seq_no < this->count)
+       {
+               DBG1(DBG_PTS, "%d of %d %N '%N' functional component evidence "
+                                         "measurements missing", this->count - this->seq_no,
+                                          this->count, pen_names, vid, names, name);
+               return FALSE;
+       }
+
+       return TRUE;
 }
 
 METHOD(pts_component_t, destroy, void,
           pts_ita_comp_tboot_t *this)
 {
+       int count;
+       u_int32_t vid, name;
+       enum_name_t *names;
+
+       if (this->is_registering)
+       {
+               count = this->pts_db->delete_comp_measurements(this->pts_db,
+                                                                                                          this->cid, this->kid);
+               vid = this->name->get_vendor_id(this->name);
+               name = this->name->get_name(this->name);
+               names = pts_components->get_comp_func_names(pts_components, vid);
+               DBG1(DBG_PTS, "deleted %d registered %N '%N' functional component "
+                        "evidence measurements", count, pen_names, vid, names, name);
+       }
        this->name->destroy(this->name);
+       free(this->keyid.ptr);
        free(this);
 }
 
 /**
  * See header
  */
-pts_component_t *pts_ita_comp_tboot_create(u_int8_t qualifier, u_int32_t depth)
+pts_component_t *pts_ita_comp_tboot_create(u_int8_t qualifier, u_int32_t depth,
+                                                                                  pts_database_t *pts_db)
 {
        pts_ita_comp_tboot_t *this;
 
@@ -242,11 +333,13 @@ pts_component_t *pts_ita_comp_tboot_create(u_int8_t qualifier, u_int32_t depth)
                        .get_depth = _get_depth,
                        .measure = _measure,
                        .verify = _verify,
+                       .finalize = _finalize,
                        .destroy = _destroy,
                },
                .name = pts_comp_func_name_create(PEN_ITA, PTS_ITA_COMP_FUNC_NAME_TBOOT,
                                                                                  qualifier),
                .depth = depth,
+               .pts_db = pts_db,
        );
 
        return &this->public;