Implemented creating and handling of Optional PCR Composite field in Simple Evidence...
authorSansar Choinyambuu <schoinya@hsr.ch>
Mon, 24 Oct 2011 09:28:17 +0000 (11:28 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 28 Nov 2011 13:39:51 +0000 (14:39 +0100)
src/libimcv/plugins/imv_attestation/imv_attestation_process.c
src/libpts/pts/pts.c
src/libpts/tcg/tcg_pts_attr_simple_evid_final.c

index be3d7e0..9c6908d 100644 (file)
@@ -314,27 +314,28 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                if (pcr_comp.ptr && !chunk_equals(pcr_comp, pcr_composite))
                                {
                                        DBG1(DBG_IMV, "received PCR Compsosite didn't match with constructed");
-                                       free(pcr_composite.ptr);
-                                       free(quote_info.ptr);
+                                       chunk_clear(&pcr_composite);
+                                       chunk_clear(&quote_info);
                                        return FALSE;
                                }
-                               free(pcr_composite.ptr);
+                               DBG2(DBG_IMV, "received PCR Composite matches with constructed");
+                               chunk_clear(&pcr_composite);
                                
                                /* SHA1(TPM Quote Info) expected from IMC */
                                hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
                                hasher->allocate_hash(hasher, quote_info, &quote_digest);
                                hasher->destroy(hasher);
+                               chunk_clear(&quote_info);
                                
                                if (tpm_quote_sign.ptr &&
                                        !pts->verify_quote_signature(pts, quote_digest, tpm_quote_sign))
                                {
-                                       free(quote_digest.ptr);
-                                       free(quote_info.ptr);
+                                       chunk_clear(&quote_digest);
                                        return FALSE;
                                }
+                               
                                DBG2(DBG_IMV, "signature verification succeeded for TPM Quote Info");
-                               free(quote_digest.ptr);
-                               free(quote_info.ptr);
+                               chunk_clear(&quote_digest);
                        }
                        
                        if (evid_signature_included)
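Review bot: The added `DBG2(DBG_IMV, "received PCR Composite matches with constructed");` runs whenever the mismatch branch is not taken, including when `pcr_comp.ptr` is NULL and no comparison was made, so the log records a match that was never checked. The signature check below it has the same fail-open shape: with `tpm_quote_sign.ptr` NULL, `verify_quote_signature` is skipped and "signature verification succeeded" is still logged. For an attestation verdict the skipped case should be distinguishable, e.g. `if (pcr_comp.ptr) { DBG2(DBG_IMV, "received PCR Composite matches with constructed"); }`, and it is worth deciding whether a missing composite or signature should be accepted at all. The enclosing function starts and ends outside the hunk.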
index 176bc87..9c8d641 100644 (file)
@@ -832,7 +832,7 @@ METHOD(pts_t, quote_tpm, bool,
        TSS_VALIDATION valData;
        u_int32_t i;
        TSS_RESULT result;
-       chunk_t quote_sign;
+       chunk_t pcr_comp, quote_sign;
 
        result = Tspi_Context_Create(&hContext);
        if (result != TSS_SUCCESS)
@@ -913,14 +913,18 @@ METHOD(pts_t, quote_tpm, bool,
        }
 
        /* Set output chunks */
-       *pcr_composite = chunk_empty;
+       pcr_comp = chunk_alloc(HASH_SIZE_SHA1);
+       memcpy(pcr_comp.ptr, valData.rgbData + 8, HASH_SIZE_SHA1);
+       *pcr_composite = pcr_comp;
+       *pcr_composite = chunk_clone(*pcr_composite);
+       DBG3(DBG_PTS, "Hash of PCR Composite: %B",pcr_composite);
        
        quote_sign = chunk_alloc(valData.ulValidationDataLength);
        memcpy(quote_sign.ptr, valData.rgbValidationData,
                                                          valData.ulValidationDataLength);
        *quote_signature = quote_sign;
        *quote_signature = chunk_clone(*quote_signature);
-       DBG3(DBG_PTS, "Quote sign: %B",quote_signature);
+       DBG3(DBG_PTS, "TOM Quote Signature: %B",quote_signature);
 
        chunk_clear(&quote_sign);
        Tspi_Context_FreeMemory(hContext, NULL);
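Review bot: `memcpy(pcr_comp.ptr, valData.rgbData + 8, HASH_SIZE_SHA1);` reads 20 bytes at a fixed offset without checking `valData.ulDataLength`, and the temporary `pcr_comp` is not released in the visible lines (only `quote_sign` gets a `chunk_clear`), so each quote appears to leak one chunk. Guard the copy with `if (valData.ulDataLength < 8 + HASH_SIZE_SHA1)` and build the output directly with `*pcr_composite = chunk_clone(chunk_create(valData.rgbData + 8, HASH_SIZE_SHA1));`, which removes the intermediate allocation. The offset 8 deserves a named constant or a comment; presumably it skips the fixed header bytes preceding the composite digest in the quote info. The new debug string also reads "TOM Quote Signature" where "TPM" is meant. The body of quote_tpm starts and ends outside the hunk.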
@@ -1008,7 +1012,7 @@ METHOD(pts_t, get_quote_info, bool,
 {
        enumerator_t *e;
        pcr_entry_t *pcr_entry;
-       chunk_t pcr_composite, hash_pcr_composite, quote_info;
+       chunk_t pcr_composite;
        u_int32_t pcr_composite_len;
        bio_writer_t *writer;
        u_int8_t mask_bytes[PCR_MASK_LEN] = {0,0,0}, i;
@@ -1053,8 +1057,6 @@ METHOD(pts_t, get_quote_info, bool,
        
        /* PCR Composite structure */
        pcr_composite = chunk_clone(writer->get_buf(writer));
-       *out_pcr_composite = pcr_composite;
-       DBG4(DBG_PTS, "Calculated PCR Composite: %B", out_pcr_composite);
        writer->destroy(writer);
 
        writer = bio_writer_create(TPM_QUOTE_INFO_LEN);
@@ -1072,28 +1074,28 @@ METHOD(pts_t, get_quote_info, bool,
 
        /* SHA1 hash of PCR Composite Structure */
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-       hasher->allocate_hash(hasher, pcr_composite, &hash_pcr_composite);
-       hasher->destroy(hasher);
-       writer->write_data(writer, hash_pcr_composite);
+       hasher->allocate_hash(hasher, pcr_composite, out_pcr_composite);
+       DBG4(DBG_PTS, "Hash of calculated PCR Composite: %B", out_pcr_composite);
 
+       chunk_clear(&pcr_composite);
+       hasher->destroy(hasher);
+       writer->write_data(writer, *out_pcr_composite);
+       
        if (!this->secret.ptr)
        {
                DBG1(DBG_PTS, "Secret assessment value unavailable",
                         "unable to construct TPM Quote Info");
-               chunk_clear(&pcr_composite);
-               chunk_clear(&hash_pcr_composite);
+               chunk_clear(out_pcr_composite);
                writer->destroy(writer);
                return FALSE;
        }
        /* Secret assessment value 20 bytes (nonce) */
        writer->write_data(writer, this->secret);
        /* TPM Quote Info */
-       quote_info = chunk_clone(writer->get_buf(writer));
-       *out_quote_info = quote_info;
+       *out_quote_info = chunk_clone(writer->get_buf(writer));
        DBG4(DBG_PTS, "Calculated TPM Quote Info: %B", out_quote_info);
-       
        writer->destroy(writer);
-       chunk_clear(&hash_pcr_composite);
+       
        return TRUE;
 }
 
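Review bot: The `!this->secret.ptr` check runs only after the composite has been hashed into `out_pcr_composite` and written to the writer, so the failure path has to clear an allocation it could have avoided. Testing the secret before creating the hasher would leave the out parameter untouched on failure. In the same branch the `DBG1` call passes "unable to construct TPM Quote Info" as an extra argument to a format string with no conversion, so that half of the message is presumably never printed; `DBG1(DBG_PTS, "Secret assessment value unavailable, unable to construct TPM Quote Info");` fixes it. Since `out_pcr_composite` now returns the SHA1 digest rather than the serialized structure, the method's documentation should say so. The body of get_quote_info starts outside the hunk.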
index 9528e3a..a54d642 100644 (file)
@@ -236,8 +236,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
        /*  Optional Composite Hash Algorithm and TPM PCR Composite field is included */
        if (this->flags != PTS_SIMPLE_EVID_FINAL_FLAG_NO)
        {
-               /** u_int32_t pcr_comp_len;*/
-               u_int32_t tpm_quote_sign_len;
+               u_int32_t pcr_comp_len, tpm_quote_sign_len;
                
                /** TODO: Ignoring Hashing algorithm field
                 * There is no flag defined which indicates the precense of it
@@ -245,12 +244,10 @@ METHOD(pa_tnc_attr_t, process, status_t,
                 * this->comp_hash_algorithm = algorithm;
                 */
 
-               /** TODO: Ignoring PCR Composite field
-                * Which data to send in this field from IMC?
-                * reader->read_uint32(reader, &pcr_comp_len);
-                * reader->read_data(reader, pcr_comp_len, &this->pcr_comp);
-                * this->pcr_comp = chunk_clone(this->pcr_comp);
-                */
+               reader->read_uint32(reader, &pcr_comp_len);
+               reader->read_data(reader, pcr_comp_len, &this->pcr_comp);
+               this->pcr_comp = chunk_clone(this->pcr_comp);
+               
                this->pcr_comp = chunk_empty;
                reader->read_uint32(reader, &tpm_quote_sign_len);
                reader->read_data(reader, tpm_quote_sign_len, &this->tpm_quote_sign);
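Review bot: The context line `this->pcr_comp = chunk_empty;` after the new read still runs, so the chunk cloned on the previous line is overwritten immediately. The allocation leaks and the received PCR Composite never reaches the verifier, so a consumer that guards its comparison on `pcr_comp.ptr` will skip it every time; that assignment should be deleted. Separately, `pcr_comp_len` comes from the peer and the results of `read_uint32`/`read_data` are not checked, so on a truncated attribute `chunk_clone` would copy whatever `this->pcr_comp` held before. Bail out on a failed read, e.g. `if (!reader->read_uint32(reader, &pcr_comp_len) || !reader->read_data(reader, pcr_comp_len, &this->pcr_comp)) { return FAILED; }`; the exact error status and reader cleanup for this method are outside the hunk. The `tpm_quote_sign` reads below follow the same unchecked pattern.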