fixed setting of PTS DH group
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 7 Oct 2011 18:28:29 +0000 (20:28 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 28 Nov 2011 17:01:08 +0000 (18:01 +0100)
src/libimcv/plugins/imv_attestation/imv_attestation.c
src/libpts/pts/pts.h

index af3c337..d31cca4 100644 (file)
@@ -140,18 +140,20 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
        }
 
        /**
-        * Specify supported PTS Diffie Hellman Groups
+        * Specify supported PTS Diffie-Hellman groups
         *
-        * ike2: PTS_DH_GROUP_IKE2
-        * ike5: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5
-        * ike14: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14
-        * ike19: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 | PTS_DH_GROUP_IKE19
-        * ike20: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 | PTS_DH_GROUP_IKE19 | PTS_DH_GROUP_IKE20
+        * modp1024: PTS_DH_GROUP_IKE2
+        * modp1536: PTS_DH_GROUP_IKE2  | PTS_DH_GROUP_IKE5
+        * modp2048: PTS_DH_GROUP_IKE2  | PTS_DH_GROUP_IKE5  | PTS_DH_GROUP_IKE14
+        * ecp256:   PTS_DH_GROUP_IKE2  | PTS_DH_GROUP_IKE5  | PTS_DH_GROUP_IKE14 |
+        *           PTS_DH_GROUP_IKE19
+        * ecp384:   PTS_DH_GROUP_IKE2  | PTS_DH_GROUP_IKE5  | PTS_DH_GROUP_IKE14 |
+        *           PTS_DH_GROUP_IKE19 | PTS_DH_GROUP_IKE20
         *
         * we expect the PTS-IMC to select the strongest supported group
         */
        dh_group = lib->settings->get_str(lib->settings,
-                               "libimcv.plugins.imv-attestation.dh_group", "ike19");
+                               "libimcv.plugins.imv-attestation.dh_group", "ecp256");
        if (!pts_update_supported_dh_groups(dh_group, &supported_dh_groups))
        {
                return TNC_RESULT_FATAL;
@@ -239,7 +241,156 @@ static TNC_Result send_message(TNC_ConnectionID connection_id)
        }
        else
        {
+<<<<<<< HEAD
                result = TNC_RESULT_FATAL;
+=======
+               case IMV_ATTESTATION_STATE_INIT:
+               {
+                       pts_proto_caps_flag_t flags;
+
+                       /* Send Request Protocol Capabilities attribute */
+                       flags = pts->get_proto_caps(pts);
+                       attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
+                       attr->set_noskip_flag(attr, TRUE);
+                       msg->add_attribute(msg, attr);
+
+                       /* Send Measurement Algorithms attribute */
+                       attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
+                       attr->set_noskip_flag(attr, TRUE);
+                       msg->add_attribute(msg, attr);
+
+                       attestation_state->set_handshake_state(attestation_state,
+                                                                               IMV_ATTESTATION_STATE_TPM_INIT);
+                       break;
+               }
+               case IMV_ATTESTATION_STATE_TPM_INIT:
+               {
+                       if (!dh_nonce_req_sent)
+                       {
+                               /* Send DH nonce parameters request attribute */
+                               attr = tcg_pts_attr_dh_nonce_params_req_create(0, supported_dh_groups);
+                               attr->set_noskip_flag(attr, TRUE);
+                               msg->add_attribute(msg, attr);
+                               dh_nonce_req_sent = TRUE;
+                       }
+                       else
+                       {
+                               pts_meas_algorithms_t selected_algorithm;
+                               chunk_t initiator_pub_val;
+
+                               /* Send DH nonce finish attribute */
+                               selected_algorithm = pts->get_meas_algorithm(pts);
+                               pts->get_my_public_value(pts, &initiator_pub_val);
+
+                               attr = tcg_pts_attr_dh_nonce_finish_create(NONCE_LEN,
+                                                                       selected_algorithm,
+                                                                       chunk_create(initiator_nonce, NONCE_LEN),
+                                                                       initiator_pub_val);
+                               attr->set_noskip_flag(attr, TRUE);
+                               msg->add_attribute(msg, attr);
+
+                               /* Send Get TPM Version attribute */
+                               attr = tcg_pts_attr_get_tpm_version_info_create();
+                               attr->set_noskip_flag(attr, TRUE);
+                               msg->add_attribute(msg, attr);
+
+                               /* Send Get AIK attribute */
+                               attr = tcg_pts_attr_get_aik_create();
+                               attr->set_noskip_flag(attr, TRUE);
+                               msg->add_attribute(msg, attr);
+
+                               attestation_state->set_handshake_state(attestation_state,
+                                                                               IMV_ATTESTATION_STATE_MEAS);
+                       }
+
+                       break;
+               }
+               case IMV_ATTESTATION_STATE_MEAS:
+               {
+
+                       enumerator_t *enumerator;
+                       u_int32_t delimiter = SOLIDUS_UTF;
+                       char *platform_info, *pathname;
+                       u_int16_t request_id;
+                       int id, type;
+                       bool is_dir;
+
+                       attestation_state->set_handshake_state(attestation_state,
+                                                                               IMV_ATTESTATION_STATE_COMP_EVID);
+
+                       /* Get Platform and OS of the PTS-IMC */
+                       platform_info = pts->get_platform_info(pts);
+
+                       if (!pts_db || !platform_info)
+                       {
+                               DBG1(DBG_IMV, "%s%s%s not available",
+                                       (pts_db) ? "" : "pts database",
+                                       (!pts_db && !platform_info) ? "and" : "",
+                                       (platform_info) ? "" : "platform info");
+                               break;
+                       }
+                       DBG1(DBG_IMV, "platform is '%s'", platform_info);
+
+                       /* Send Request File Metadata attribute */
+                       attr = tcg_pts_attr_req_file_meta_create(FALSE, SOLIDUS_UTF, "/etc/tnc_config");
+                       attr->set_noskip_flag(attr, TRUE);
+                       msg->add_attribute(msg, attr);
+
+                       /* Send Request File Measurement attribute */
+                       enumerator = pts_db->create_file_enumerator(pts_db, platform_info);
+                       if (!enumerator)
+                       {
+                               break;
+                       }
+                       while (enumerator->enumerate(enumerator, &id, &type, &pathname))
+                       {
+                               is_dir = (type != 0);
+                               request_id = attestation_state->add_request(attestation_state,
+                                                                                                                       id, is_dir);
+                               DBG2(DBG_IMV, "measurement request %d for %s '%s'",
+                                        request_id, is_dir ? "directory" : "file", pathname);
+                               attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
+                                                                                                        delimiter, pathname);
+                               attr->set_noskip_flag(attr, TRUE);
+                               msg->add_attribute(msg, attr);
+                       }
+                       enumerator->destroy(enumerator);
+                       break;
+               }
+               case IMV_ATTESTATION_STATE_COMP_EVID:
+               {
+                       pts_attr_req_funct_comp_evid_flag_t flags;
+                       u_int32_t sub_comp_depth;
+                       pts_qualifier_t qualifier;
+                       pts_funct_comp_name_t name;
+
+                       attestation_state->set_handshake_state(attestation_state,
+                                                                               IMV_ATTESTATION_STATE_END);
+
+                       flags = PTS_REQ_FUNC_COMP_FLAG_PCR;
+                       sub_comp_depth = 0;
+                       qualifier.kernel = FALSE;
+                       qualifier.sub_component = FALSE;
+                       qualifier.type = PTS_FUNC_COMP_TYPE_ALL;
+                       name = PTS_FUNC_COMP_NAME_BIOS;
+
+                       /* Send Request Functional Component Evidence attribute */
+                       attr = tcg_pts_attr_req_funct_comp_evid_create(flags, sub_comp_depth,
+                                                                                                               PEN_TCG, qualifier, name);
+                       attr->set_noskip_flag(attr, TRUE);
+                       msg->add_attribute(msg, attr);
+                       /* Send Generate Attestation Evidence attribute */
+                       attr = tcg_pts_attr_gen_attest_evid_create();
+                       attr->set_noskip_flag(attr, TRUE);
+                       msg->add_attribute(msg, attr);
+
+                       break;
+               }
+               default:
+                       DBG1(DBG_IMV, "Attestation IMV is in unknown state: \"%s\"",
+                                handshake_state);
+                       return TNC_RESULT_FATAL;
+>>>>>>> fixed setting of PTS DH group
        }
        msg->destroy(msg);
 
index c7c43ac..cd9314d 100644 (file)
@@ -183,35 +183,36 @@ struct pts_t {
        bool (*create_dh)(pts_t *this, pts_dh_group_t group);
 
        /**
-        * Gets Own Diffie Hellman Public Value
+        * Get my Diffie-Hellman public value
         *
-        * @param info                  chunk to keep own public value
+        * @param value                         My public DH value
         */
-       void (*get_my_pub_val)(pts_t *this, chunk_t *pub_value);
+       void (*get_my_public_value)(pts_t *this, chunk_t *value);
 
        /**
-        * Sets the public value of partner.
+        * Set peer Diffie.Hellman public value
         *
-        * @param value         public value of partner
+        * @param value                         Peer public DH value
         */
-       void (*set_other_pub_val) (pts_t *this, chunk_t value);
+       void (*set_peer_public_value) (pts_t *this, chunk_t value);
 
        /**
         * Calculates secret assessment value to be used for TPM Quote as an external data
         *
-        * @param initiator_nonce               Initiator nonce (IMV nonce)
-        * @param responder_nonce               Responder nonce (IMC nonce)
-        * @param algorithm                             Hashing algorithm
-        * @return                                              TRUE, FALSE if not both DH public values and
-        *                                                                                                                       nonces are set
+        * @param initiator_nonce       Initiator nonce (IMV nonce)
+        * @param responder_nonce       Responder nonce (IMC nonce)
+        * @param algorithm                     Hashing algorithm
+        * @return                                      TRUE unless both DH public values
+        *                                                      and nonces are set
         */
        bool (*calculate_secret) (pts_t *this, chunk_t initiator_nonce,
-                                               chunk_t responder_nonce, pts_meas_algorithms_t algorithm);
+                                                         chunk_t responder_nonce,
+                                                         pts_meas_algorithms_t algorithm);
 
        /**
         * Returns secret assessment value to be used for TPM Quote as an external data
         *
-        * @return                      Secret assessment value
+        * @return                                      Secret assessment value
         */
        chunk_t (*get_secret) (pts_t *this);
 
@@ -265,12 +266,13 @@ struct pts_t {
         * @param error_code            Output variable for PTS error code
         * @return                                      TRUE if path is valid or file/directory
         *                                                      doesn't exist or path is invalid
-        *                                              FALSE if local error occured within stat function
+        *                                                      FALSE if local error occured within stat function
         */
        bool (*is_path_valid)(pts_t *this, char *path, pts_error_code_t *error_code);
 
        /**
         * Compute a hash over a file
+        *
         * @param hasher                        Hasher to be used
         * @param pathname                      Absolute path of a file
         * @param hash                          Buffer to keep hash output
@@ -365,9 +367,9 @@ struct pts_t {
         * Reads given PCR value and returns it
         * Expects owner secret to be WELL_KNOWN_SECRET
         *
-        * @param pcr_num               Number of PCR to read
-        * @param pcr_value             Chunk to save pcr read output
-        * @return                              NULL in case of TSS error, PCR value otherwise
+        * @param pcr_num                       Number of PCR to read
+        * @param pcr_value                     Chunk to save pcr read output
+        * @return                                      NULL in case of TSS error, PCR value otherwise
         */
        bool (*read_pcr)(pts_t *this, u_int32_t pcr_num, chunk_t *pcr_value);
 
@@ -375,10 +377,10 @@ struct pts_t {
         * Extends given PCR with given value
         * Expects owner secret to be WELL_KNOWN_SECRET
         *
-        * @param pcr_num               Number of PCR to extend
-        * @param input                 Value to extend
-        * @param output                Chunk to save PCR value after extension
-        * @return                              FALSE in case of TSS error, TRUE otherwise
+        * @param pcr_num                       Number of PCR to extend
+        * @param input                         Value to extend
+        * @param output                        Chunk to save PCR value after extension
+        * @return                                      FALSE in case of TSS error, TRUE otherwise
         */
        bool (*extend_pcr)(pts_t *this, u_int32_t pcr_num, chunk_t input, chunk_t *output);
 
@@ -386,11 +388,11 @@ struct pts_t {
         * Quote over PCR's
         * Expects owner and SRK secret to be WELL_KNOWN_SECRET and no password set for AIK
         *
-        * @param pcrs                                  List of PCR's to make quotation over
-        * @param pcr_composite                 Chunk to save pcr composite structure
-        * @param quote_signature               Chunk to save quote operation output
-        *                                                              without external data (anti-replay protection)
-        * @return                                              FALSE in case of TSS error, TRUE otherwise
+        * @param pcrs                          List of PCR's to make quotation over
+        * @param pcr_composite         Chunk to save pcr composite structure
+        * @param quote_signature       Chunk to save quote operation output
+        *                                                      without external data (anti-replay protection)
+        * @return                                      FALSE in case of TSS error, TRUE otherwise
         */
         bool (*quote_tpm)(pts_t *this, linked_list_t *pcrs,
                                           chunk_t *pcr_composite, chunk_t *quote_signature);