#include <tcg/tcg_pts_attr_proto_caps.h>
#include <tcg/tcg_pts_attr_meas_algo.h>
+
#include <tncif_pa_subtypes.h>
#include <pen/pen.h>
static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
/**
- * List of buffered Simple Component Evidences
- * To be sent on reception of Generate Attestation Evidence attribute
- */
-static linked_list_t *evidences = NULL;
-
-/**
- * Supported PTS Diffie Hellman Groups
- */
-static pts_dh_group_t supported_dh_groups = 0;
-
-/**
- * Supported PTS Diffie Hellman Groups
- */
-static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
-
-/**
- * List of buffered Simple Component Evidences
- * To be sent on reception of Generate Attestation Evidence attribute
- */
-static linked_list_t *evidences = NULL;
-
-/**
* see section 3.7.1 of TCG TNC IF-IMC Specification 1.2
*/
TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
supported_algorithms, supported_dh_groups))
{
result = TNC_RESULT_FATAL;
+ break;
}
}
}
{ "add", no_argument, NULL, 'a' },
{ "delete", no_argument, NULL, 'd' },
{ "del", no_argument, NULL, 'd' },
- { "products", no_argument, NULL, 'p' },
- { "hashes", no_argument, NULL, 'H' },
- { "add", no_argument, NULL, 'a' },
- { "delete", no_argument, NULL, 'd' },
- { "del", no_argument, NULL, 'd' },
+ { "component", required_argument, NULL, 'C' },
+ { "comp", required_argument, NULL, 'C' },
{ "directory", required_argument, NULL, 'D' },
{ "dir", required_argument, NULL, 'D' },
{ "file", required_argument, NULL, 'F' },
exit(EXIT_FAILURE);
}
continue;
- case 'H':
- op = OP_HASHES;
- continue;
- case 'a':
- op = OP_ADD;
- continue;
- case 'd':
- op = OP_DEL;
- continue;
- case 'D':
- if (!attest->set_directory(attest, optarg, op == OP_ADD))
- {
- exit(EXIT_FAILURE);
- }
- continue;
case 'F':
if (!attest->set_file(attest, optarg, op == OP_ADD))
{
case OP_DEL:
attest->delete(attest);
break;
- case OP_HASHES:
- attest->list_hashes(attest);
- break;
default:
usage();
exit(EXIT_FAILURE);
static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
/**
- * Supported PTS Diffie Hellman Groups
- */
-static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
-
-/**
* PTS file measurement database
*/
static pts_database_t *pts_db;
{
return TNC_RESULT_FATAL;
}
- if (!pts_probe_dh_groups(&supported_dh_groups))
- {
- return TNC_RESULT_FATAL;
- }
imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
imv_id, actual_version);
if (!imv_attestation)
return TNC_RESULT_FATAL;
}
- /**
- * Specify supported PTS Diffie-Hellman groups
- *
- * modp1024: PTS_DH_GROUP_IKE2
- * modp1536: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5
- * modp2048: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14
- * ecp256: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 |
- * PTS_DH_GROUP_IKE19
- * ecp384: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 |
- * PTS_DH_GROUP_IKE19 | PTS_DH_GROUP_IKE20
- *
- * we expect the PTS-IMC to select the strongest supported group
- */
- dh_group = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imv-attestation.dh_group", "ecp256");
-
- if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
- !pts_dh_group_update(dh_group, &supported_dh_groups))
- {
- return TNC_RESULT_FATAL;
- }
-
/* create a PTS credential manager */
pts_credmgr = credential_manager_create();
attestation_state = (imv_attestation_state_t*)state;
msg = pa_tnc_msg_create();
-<<<<<<< HEAD
if (imv_attestation_build(msg, attestation_state, supported_algorithms,
supported_dh_groups, pts_db))
{
msg->build(msg);
result = imv_attestation->send_message(imv_attestation, connection_id,
msg->get_encoding(msg));
-=======
- if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ &&
- !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T))
- {
- DBG1(DBG_IMV, "PTS-IMC has no TPM capability - "
- "advancing to PTS measurement phase");
- handshake_state = IMV_ATTESTATION_STATE_MEAS;
->>>>>>> added the IMV_ATTESTATION_STATE_NONCE_REQ state
}
else
{
-<<<<<<< HEAD
result = TNC_RESULT_FATAL;
-=======
- case IMV_ATTESTATION_STATE_INIT:
- {
- pts_proto_caps_flag_t flags;
-
- /* Send Request Protocol Capabilities attribute */
- flags = pts->get_proto_caps(pts);
- attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
- attr->set_noskip_flag(attr, TRUE);
- msg->add_attribute(msg, attr);
-
- /* Send Measurement Algorithms attribute */
- attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
- attr->set_noskip_flag(attr, TRUE);
- msg->add_attribute(msg, attr);
-
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_NONCE_REQ);
- break;
- }
- case IMV_ATTESTATION_STATE_NONCE_REQ:
- {
- int min_nonce_len;
-
- /* Send DH nonce parameters request attribute */
- min_nonce_len = lib->settings->get_int(lib->settings,
- "libimcv.plugins.imv-attestation.min_nonce_len", 0);
- attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len,
- supported_dh_groups);
- attr->set_noskip_flag(attr, TRUE);
- msg->add_attribute(msg, attr);
-
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_TPM_INIT);
- break;
- }
- case IMV_ATTESTATION_STATE_TPM_INIT:
- {
- pts_meas_algorithms_t selected_algorithm;
- chunk_t initiator_value, initiator_nonce;
-
- /* Send DH nonce finish attribute */
- selected_algorithm = pts->get_meas_algorithm(pts);
- pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
- attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
- initiator_value, initiator_nonce);
- attr->set_noskip_flag(attr, TRUE);
- msg->add_attribute(msg, attr);
-
- /* Send Get TPM Version attribute */
- attr = tcg_pts_attr_get_tpm_version_info_create();
- attr->set_noskip_flag(attr, TRUE);
- msg->add_attribute(msg, attr);
-
- /* Send Get AIK attribute */
- attr = tcg_pts_attr_get_aik_create();
- attr->set_noskip_flag(attr, TRUE);
- msg->add_attribute(msg, attr);
-
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_MEAS);
- break;
- }
- case IMV_ATTESTATION_STATE_MEAS:
- {
-
- enumerator_t *enumerator;
- u_int32_t delimiter = SOLIDUS_UTF;
- char *platform_info, *pathname;
- u_int16_t request_id;
- int id, type;
- bool is_dir;
-
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_COMP_EVID);
-
- /* Get Platform and OS of the PTS-IMC */
- platform_info = pts->get_platform_info(pts);
-
- if (!pts_db || !platform_info)
- {
- DBG1(DBG_IMV, "%s%s%s not available",
- (pts_db) ? "" : "pts database",
- (!pts_db && !platform_info) ? "and" : "",
- (platform_info) ? "" : "platform info");
- break;
- }
- DBG1(DBG_IMV, "platform is '%s'", platform_info);
-
- /* Send Request File Metadata attribute */
- attr = tcg_pts_attr_req_file_meta_create(FALSE, SOLIDUS_UTF, "/etc/tnc_config");
- attr->set_noskip_flag(attr, TRUE);
- msg->add_attribute(msg, attr);
-
- /* Send Request File Measurement attribute */
- enumerator = pts_db->create_file_enumerator(pts_db, platform_info);
- if (!enumerator)
- {
- break;
- }
- while (enumerator->enumerate(enumerator, &id, &type, &pathname))
- {
- is_dir = (type != 0);
- request_id = attestation_state->add_request(attestation_state,
- id, is_dir);
- DBG2(DBG_IMV, "measurement request %d for %s '%s'",
- request_id, is_dir ? "directory" : "file", pathname);
- attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
- delimiter, pathname);
- attr->set_noskip_flag(attr, TRUE);
- msg->add_attribute(msg, attr);
- }
- enumerator->destroy(enumerator);
- break;
- }
- case IMV_ATTESTATION_STATE_COMP_EVID:
- {
- pts_attr_req_funct_comp_evid_flag_t flags;
- u_int32_t sub_comp_depth;
- pts_qualifier_t qualifier;
- pts_funct_comp_name_t name;
-
- attestation_state->set_handshake_state(attestation_state,
- IMV_ATTESTATION_STATE_END);
-
- flags = PTS_REQ_FUNC_COMP_FLAG_PCR;
- sub_comp_depth = 0;
- qualifier.kernel = FALSE;
- qualifier.sub_component = FALSE;
- qualifier.type = PTS_FUNC_COMP_TYPE_ALL;
- name = PTS_FUNC_COMP_NAME_BIOS;
-
- /* Send Request Functional Component Evidence attribute */
- attr = tcg_pts_attr_req_funct_comp_evid_create(flags, sub_comp_depth,
- PEN_TCG, qualifier, name);
- attr->set_noskip_flag(attr, TRUE);
- msg->add_attribute(msg, attr);
- /* Send Generate Attestation Evidence attribute */
- attr = tcg_pts_attr_gen_attest_evid_create();
- attr->set_noskip_flag(attr, TRUE);
- msg->add_attribute(msg, attr);
-
- break;
- }
- default:
- DBG1(DBG_IMV, "Attestation IMV is in unknown state: \"%s\"",
- handshake_state);
- return TNC_RESULT_FATAL;
->>>>>>> added the IMV_ATTESTATION_STATE_NONCE_REQ state
}
msg->destroy(msg);
return TRUE;
}
-METHOD(pts_t, does_pcr_value_match, bool,
- private_pts_t *this, chunk_t pcr_after_value)
-{
- enumerator_t *e;
- pcr_entry_t *entry;
-
- if (!this->pcrs)
- {
- this->pcrs = linked_list_create();
- }
-
- e = this->pcrs->create_enumerator(this->pcrs);
- while (e->enumerate(e, &entry))
- {
- if (entry->pcr_number == new->pcr_number)
- {
- DBG4(DBG_PTS, "updating already added PCR%d value",
- entry->pcr_number);
- this->pcrs->remove_at(this->pcrs, e);
- free(entry);
- break;
- }
- }
- DESTROY_IF(e);
- this->pcrs->insert_last(this->pcrs, new);
-}
-
/**
* TPM_QUOTE_INFO structure:
* 4 bytes of version
hasher->allocate_hash(hasher, pcr_comp, &hash_pcr_comp);
hasher->destroy(hasher);
- writer->write_data(writer, hash_pcr_composite);
- chunk_clear(&pcr_composite);
- chunk_clear(&hash_pcr_composite);
-
- /* Hash the PCR Composite Structure */
- hasher->allocate_hash(hasher, pcr_composite, out_pcr_composite);
- DBG4(DBG_PTS, "Hash of calculated PCR Composite: %B", out_pcr_composite);
- hasher->destroy(hasher);
- }
- else
- {
- *out_pcr_composite = chunk_clone(pcr_composite);
- DBG3(DBG_PTS, "calculated PCR Composite: %B", out_pcr_composite);
- }
-
- /* SHA1 hash of PCR Composite to construct TPM_QUOTE_INFO */
- hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
- hasher->allocate_hash(hasher, pcr_composite, &hash_pcr_composite);
- hasher->destroy(hasher);
-
/* Construct TPM_QUOTE_INFO/TPM_QUOTE_INFO2 structure */
writer = bio_writer_create(TPM_QUOTE_INFO_LEN);
DESTROY_IF(aik_pub_key);
return FALSE;
}
- */
- if (!aik_pub_key->get_encoding(aik_pub_key,
- PUBKEY_SPKI_ASN1_DER, &key_encoding))
- {
- DBG1(DBG_PTS, "failed to get encoding of AIK public key");
- goto cleanup;
- }
-
aik_pub_key->destroy(aik_pub_key);
return TRUE;
}
bool (*calculate_secret) (pts_t *this);
/**
- * Set PTS Diffie Hellman Object
- *
- * @param dh D-H object
- */
- bool (*create_dh_nonce)(pts_t *this, pts_dh_group_t group, int nonce_len);
-
- /**
- * Get my Diffie-Hellman public value
- *
- * @param value My public DH value
- * @param nonce My DH nonce
- */
- void (*get_my_public_value)(pts_t *this, chunk_t *value, chunk_t *nonce);
-
- /**
- * Set peer Diffie.Hellman public value
- *
- * @param value Peer public DH value
- * @param nonce Peer DH nonce
- */
- void (*set_peer_public_value) (pts_t *this, chunk_t value, chunk_t nonce);
-
- /**
- * Calculates secret assessment value to be used for TPM Quote as ExternalData
- *
- * @return TRUE unless both DH public values
- * and nonces are set
- */
- bool (*calculate_secret) (pts_t *this);
-
- /**
* Get Platform and OS Info
*
* @return Platform and OS info
bool (*is_path_valid)(pts_t *this, char *path, pts_error_code_t *error_code);
/**
- * Compute a hash over a file
- *
+ * Compute a hash over a file
* @param hasher Hasher to be used
* @param pathname Absolute path of a file
* @param hash Buffer to keep hash output
bool (*verify_quote_signature)(pts_t *this, chunk_t data, chunk_t signature);
/**
- * Reads given PCR value and returns it
- * Expects owner secret to be WELL_KNOWN_SECRET
- *
- * @param pcr_num Number of PCR to read
- * @param pcr_value Chunk to save pcr read output
- * @return NULL in case of TSS error, PCR value otherwise
- */
- bool (*read_pcr)(pts_t *this, u_int32_t pcr_num, chunk_t *pcr_value);
-
- /**
- * Extends given PCR with given value
- * Expects owner secret to be WELL_KNOWN_SECRET
- *
- * @param pcr_num Number of PCR to extend
- * @param input Value to extend
- * @param output Chunk to save PCR value after extension
- * @return FALSE in case of TSS error, TRUE otherwise
- */
- bool (*extend_pcr)(pts_t *this, u_int32_t pcr_num, chunk_t input,
- chunk_t *output);
-
- /**
- * Quote over PCR's
- * Expects owner and SRK secret to be WELL_KNOWN_SECRET and no password set for AIK
- *
- * @param pcrs Array of PCR's to make quotation over
- * @param num_of_pcrs Number of elements in pcrs array
- * @param pcr_composite Chunk to save pcr composite structure
- * @param quote_signature Chunk to save quote operation output
- * without external data (anti-replay protection)
- * @return FALSE in case of TSS error, TRUE otherwise
- */
- bool (*quote_tpm)(pts_t *this, u_int32_t *pcrs, u_int32_t num_of_pcrs,
- chunk_t *pcr_composite, chunk_t *quote_signature);
-
- /**
- * Add extended PCR with its corresponding value
- *
- * @return FALSE in case of any error or non-match, TRUE otherwise
- */
- void (*add_pcr_entry)(pts_t *this, pcr_entry_t *entry);
-
- /**
- * Constructs and returns TPM Quote Info structure expected from IMC
- *
- * @param pcr_composite Output variable to store PCR Composite
- * @param quote_info Output variable to store TPM Quote Info
- * @return FALSE in case of any error, TRUE otherwise
- */
- bool (*get_quote_info)(pts_t *this, chunk_t *pcr_composite,
- chunk_t *quote_info);
-
- /**
- * Constructs and returns PCR Quote Digest structure expected from IMC
- *
- * @param data Calculated TPM Quote Digest
- * @param signature TPM Quote Signature received from IMC
- * @return FALSE in case signature is not verified, TRUE otherwise
- */
- bool (*verify_quote_signature)(pts_t *this, chunk_t data, chunk_t signature);
-
- /**
* Destroys a pts_t object.
*/
void (*destroy)(pts_t *this);
pts_t* pts_create(bool is_imc);
#endif /** PTS_H_ @}*/
-
pts_dh_group_t offered_dh_groups);
/**
- * Select the strongest supported Diffie-Hellman group
- * among a set of offered DH groups
- *
- * @param dh_group set of supported DH groups
- * @param groups set of offered DH groups
- * @return selected DH group
- */
-pts_dh_group_t pts_dh_group_select(pts_dh_group_t supported_dh_groups,
- pts_dh_group_t offered_dh_groups);
-
-/**
* Convert pts_dh_group_t to diffie_hellman_group_t
*
* @param dh_group PTS DH group type
/* Optional Composite Hash Algorithm and TPM PCR Composite fields */
if (this->flags != PTS_SIMPLE_EVID_FINAL_NO)
{
- u_int32_t pcr_comp_len, tpm_quote_sign_len;
-
- /** TODO: Ignoring Hashing algorithm field
- * There is no flag defined which indicates the precense of it
- * reader->read_uint16(reader, &algorithm);
- * this->comp_hash_algorithm = algorithm;
- */
- reader->read_uint32(reader, &pcr_comp_len);
- reader->read_data(reader, pcr_comp_len, &this->pcr_comp);
+ if (!reader->read_uint32(reader, &pcr_comp_len))
+ {
+ DBG1(DBG_TNC, "insufficient data for PTS Simple Evidence Final "
+ "PCR Composite Lenght");
+ goto end;
+ }
+ if (!reader->read_data(reader, pcr_comp_len, &this->pcr_comp))
+ {
+ DBG1(DBG_TNC, "insufficient data for PTS Simple Evidence Final "
+ "PCR Composite");
+ goto end;
+ }
this->pcr_comp = chunk_clone(this->pcr_comp);
if (!reader->read_uint32(reader, &tpm_quote_sig_len))