refactored DH group nonce exchange
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 8 Oct 2011 20:17:50 +0000 (22:17 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 28 Nov 2011 17:25:50 +0000 (18:25 +0100)
src/libimcv/plugins/imc_attestation/imc_attestation.c
src/libimcv/plugins/imv_attestation/imv_attestation.c
src/libpts/pts/pts.h

index a263622..12e9b80 100644 (file)
@@ -45,6 +45,8 @@ static const char imc_name[] = "Attestation";
 
 #define IMC_VENDOR_ID                          PEN_TCG
 #define IMC_SUBTYPE                                    PA_SUBTYPE_TCG_PTS
+
+#define DEFAULT_NONCE_LEN                      20
 #define EXTEND_PCR                                     16
 
 static imc_agent_t *imc_attestation;
@@ -71,10 +73,9 @@ static linked_list_t *evidences = NULL;
 static pts_dh_group_t supported_dh_groups = 0;
 
 /**
- * High Entropy Random Data
- * used in calculation of shared secret for the assessment session
+ * Supported PTS Diffie Hellman Groups
  */
-static char *responder_nonce = NULL;
+static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
 
 /**
  * List of buffered Simple Component Evidences
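Review bot: After this hunk imc_attestation.c carries two file-scope definitions of `supported_dh_groups`: the context line `static pts_dh_group_t supported_dh_groups = 0;` at the top of the hunk survives, and the hunk adds `static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;` in place of the removed `responder_nonce`, which a C compiler rejects as a redefinition of a static object. The intended result is presumably a single definition initialised to `PTS_DH_GROUP_NONE`, so the earlier `= 0` line should be deleted in the same commit. The header context of the corresponding IMV hunk (`static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;` preceding the `= 0` line being replaced) hints that imv_attestation.c may be in the same state; worth checking that file top to bottom.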
@@ -90,15 +91,13 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
                                                          TNC_Version max_version,
                                                          TNC_Version *actual_version)
 {
-       rng_t *rng;
-       
        if (imc_attestation)
        {
                DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
                return TNC_RESULT_ALREADY_INITIALIZED;
        }
-       if (!pts_meas_probe_algorithms(&supported_algorithms) ||
-               !pts_probe_dh_groups(&supported_dh_groups))
+       if (!pts_meas_algo_probe(&supported_algorithms) ||
+               !pts_dh_group_probe(&supported_dh_groups))
        {
                return TNC_RESULT_FATAL;
        }
index d31cca4..cd3e02e 100644 (file)
@@ -45,6 +45,8 @@ static const char imv_name[] = "Attestation";
 #define IMV_VENDOR_ID                  PEN_TCG
 #define IMV_SUBTYPE                            PA_SUBTYPE_TCG_PTS
 
+#define NONCE_LEN_LIMIT                        16
+
 static imv_agent_t *imv_attestation;
 
 /**
@@ -60,13 +62,7 @@ static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
 /**
  * Supported PTS Diffie Hellman Groups
  */
-static pts_dh_group_t supported_dh_groups = 0;
-
-/**
- * High Entropy Random Data
- * used in calculation of shared secret for the assessment session
- */
-static char *initiator_nonce = NULL;
+static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
 
 /**
  * PTS file measurement database
@@ -97,7 +93,6 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
                                                          TNC_Version *actual_version)
 {
        char *hash_alg, *dh_group, *uri, *cadir;
-       rng_t *rng;
 
        if (imv_attestation)
        {
@@ -154,7 +149,9 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
         */
        dh_group = lib->settings->get_str(lib->settings,
                                "libimcv.plugins.imv-attestation.dh_group", "ecp256");
-       if (!pts_update_supported_dh_groups(dh_group, &supported_dh_groups))
+
+       if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
+               !pts_dh_group_update(dh_group, &supported_dh_groups))
        {
                return TNC_RESULT_FATAL;
        }
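Review bot: The combined check `if (!pts_meas_algo_update(hash_alg, &supported_algorithms) || !pts_dh_group_update(dh_group, &supported_dh_groups))` returns TNC_RESULT_FATAL without a DBG1 naming which setting was rejected, so unless the two `pts_*_update` helpers log the offending value themselves, a bad `libimcv.plugins.imv-attestation.dh_group` or hash algorithm value makes initialisation fail silently. A line such as `DBG1(DBG_IMV, "invalid measurement algorithm or DH group configured");` before the `return TNC_RESULT_FATAL;` would keep the failure diagnosable. `hash_alg` is read from the settings earlier in TNC_IMV_Initialize, outside this hunk, and the function continues past it.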
@@ -241,156 +238,7 @@ static TNC_Result send_message(TNC_ConnectionID connection_id)
        }
        else
        {
-<<<<<<< HEAD
                result = TNC_RESULT_FATAL;
-=======
-               case IMV_ATTESTATION_STATE_INIT:
-               {
-                       pts_proto_caps_flag_t flags;
-
-                       /* Send Request Protocol Capabilities attribute */
-                       flags = pts->get_proto_caps(pts);
-                       attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
-                       attr->set_noskip_flag(attr, TRUE);
-                       msg->add_attribute(msg, attr);
-
-                       /* Send Measurement Algorithms attribute */
-                       attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
-                       attr->set_noskip_flag(attr, TRUE);
-                       msg->add_attribute(msg, attr);
-
-                       attestation_state->set_handshake_state(attestation_state,
-                                                                               IMV_ATTESTATION_STATE_TPM_INIT);
-                       break;
-               }
-               case IMV_ATTESTATION_STATE_TPM_INIT:
-               {
-                       if (!dh_nonce_req_sent)
-                       {
-                               /* Send DH nonce parameters request attribute */
-                               attr = tcg_pts_attr_dh_nonce_params_req_create(0, supported_dh_groups);
-                               attr->set_noskip_flag(attr, TRUE);
-                               msg->add_attribute(msg, attr);
-                               dh_nonce_req_sent = TRUE;
-                       }
-                       else
-                       {
-                               pts_meas_algorithms_t selected_algorithm;
-                               chunk_t initiator_pub_val;
-
-                               /* Send DH nonce finish attribute */
-                               selected_algorithm = pts->get_meas_algorithm(pts);
-                               pts->get_my_public_value(pts, &initiator_pub_val);
-
-                               attr = tcg_pts_attr_dh_nonce_finish_create(NONCE_LEN,
-                                                                       selected_algorithm,
-                                                                       chunk_create(initiator_nonce, NONCE_LEN),
-                                                                       initiator_pub_val);
-                               attr->set_noskip_flag(attr, TRUE);
-                               msg->add_attribute(msg, attr);
-
-                               /* Send Get TPM Version attribute */
-                               attr = tcg_pts_attr_get_tpm_version_info_create();
-                               attr->set_noskip_flag(attr, TRUE);
-                               msg->add_attribute(msg, attr);
-
-                               /* Send Get AIK attribute */
-                               attr = tcg_pts_attr_get_aik_create();
-                               attr->set_noskip_flag(attr, TRUE);
-                               msg->add_attribute(msg, attr);
-
-                               attestation_state->set_handshake_state(attestation_state,
-                                                                               IMV_ATTESTATION_STATE_MEAS);
-                       }
-
-                       break;
-               }
-               case IMV_ATTESTATION_STATE_MEAS:
-               {
-
-                       enumerator_t *enumerator;
-                       u_int32_t delimiter = SOLIDUS_UTF;
-                       char *platform_info, *pathname;
-                       u_int16_t request_id;
-                       int id, type;
-                       bool is_dir;
-
-                       attestation_state->set_handshake_state(attestation_state,
-                                                                               IMV_ATTESTATION_STATE_COMP_EVID);
-
-                       /* Get Platform and OS of the PTS-IMC */
-                       platform_info = pts->get_platform_info(pts);
-
-                       if (!pts_db || !platform_info)
-                       {
-                               DBG1(DBG_IMV, "%s%s%s not available",
-                                       (pts_db) ? "" : "pts database",
-                                       (!pts_db && !platform_info) ? "and" : "",
-                                       (platform_info) ? "" : "platform info");
-                               break;
-                       }
-                       DBG1(DBG_IMV, "platform is '%s'", platform_info);
-
-                       /* Send Request File Metadata attribute */
-                       attr = tcg_pts_attr_req_file_meta_create(FALSE, SOLIDUS_UTF, "/etc/tnc_config");
-                       attr->set_noskip_flag(attr, TRUE);
-                       msg->add_attribute(msg, attr);
-
-                       /* Send Request File Measurement attribute */
-                       enumerator = pts_db->create_file_enumerator(pts_db, platform_info);
-                       if (!enumerator)
-                       {
-                               break;
-                       }
-                       while (enumerator->enumerate(enumerator, &id, &type, &pathname))
-                       {
-                               is_dir = (type != 0);
-                               request_id = attestation_state->add_request(attestation_state,
-                                                                                                                       id, is_dir);
-                               DBG2(DBG_IMV, "measurement request %d for %s '%s'",
-                                        request_id, is_dir ? "directory" : "file", pathname);
-                               attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
-                                                                                                        delimiter, pathname);
-                               attr->set_noskip_flag(attr, TRUE);
-                               msg->add_attribute(msg, attr);
-                       }
-                       enumerator->destroy(enumerator);
-                       break;
-               }
-               case IMV_ATTESTATION_STATE_COMP_EVID:
-               {
-                       pts_attr_req_funct_comp_evid_flag_t flags;
-                       u_int32_t sub_comp_depth;
-                       pts_qualifier_t qualifier;
-                       pts_funct_comp_name_t name;
-
-                       attestation_state->set_handshake_state(attestation_state,
-                                                                               IMV_ATTESTATION_STATE_END);
-
-                       flags = PTS_REQ_FUNC_COMP_FLAG_PCR;
-                       sub_comp_depth = 0;
-                       qualifier.kernel = FALSE;
-                       qualifier.sub_component = FALSE;
-                       qualifier.type = PTS_FUNC_COMP_TYPE_ALL;
-                       name = PTS_FUNC_COMP_NAME_BIOS;
-
-                       /* Send Request Functional Component Evidence attribute */
-                       attr = tcg_pts_attr_req_funct_comp_evid_create(flags, sub_comp_depth,
-                                                                                                               PEN_TCG, qualifier, name);
-                       attr->set_noskip_flag(attr, TRUE);
-                       msg->add_attribute(msg, attr);
-                       /* Send Generate Attestation Evidence attribute */
-                       attr = tcg_pts_attr_gen_attest_evid_create();
-                       attr->set_noskip_flag(attr, TRUE);
-                       msg->add_attribute(msg, attr);
-
-                       break;
-               }
-               default:
-                       DBG1(DBG_IMV, "Attestation IMV is in unknown state: \"%s\"",
-                                handshake_state);
-                       return TNC_RESULT_FATAL;
->>>>>>> fixed setting of PTS DH group
        }
        msg->destroy(msg);
 
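Review bot: The surviving `else` branch sets `result = TNC_RESULT_FATAL;` with no log line, so the caller only sees a fatal result and nothing records which handshake state send_message could not serve; the `default:` arm this hunk removes at least emitted a DBG1 before returning. A one-line `DBG1(DBG_IMV, "Attestation IMV cannot send a message in its current handshake state");` before the assignment would preserve that diagnostic. The condition guarding this `else` and the rest of send_message lie outside the hunk, so I cannot confirm whether a log is already emitted on the path that leads here.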
@@ -637,7 +485,6 @@ TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
        }
        DESTROY_IF(pts_db);
        DESTROY_IF(pts_credmgr);
-       free(initiator_nonce);
 
        libpts_deinit();
 
index cd9314d..4bf9980 100644 (file)
@@ -180,41 +180,31 @@ struct pts_t {
         *
         * @param dh                    D-H object
         */
-       bool (*create_dh)(pts_t *this, pts_dh_group_t group);
+       bool (*create_dh_nonce)(pts_t *this, pts_dh_group_t group, int nonce_len);
 
        /**
         * Get my Diffie-Hellman public value
         *
         * @param value                         My public DH value
+        * @param nonce                         My DH nonce
         */
-       void (*get_my_public_value)(pts_t *this, chunk_t *value);
+       void (*get_my_public_value)(pts_t *this, chunk_t *value, chunk_t *nonce);
 
        /**
         * Set peer Diffie.Hellman public value
         *
         * @param value                         Peer public DH value
+        * @param nonce                         Peer DH nonce
         */
-       void (*set_peer_public_value) (pts_t *this, chunk_t value);
+       void (*set_peer_public_value) (pts_t *this, chunk_t value, chunk_t nonce);
 
        /**
-        * Calculates secret assessment value to be used for TPM Quote as an external data
+        * Calculates secret assessment value to be used for TPM Quote as ExternalData
         *
-        * @param initiator_nonce       Initiator nonce (IMV nonce)
-        * @param responder_nonce       Responder nonce (IMC nonce)
-        * @param algorithm                     Hashing algorithm
         * @return                                      TRUE unless both DH public values
         *                                                      and nonces are set
         */
-       bool (*calculate_secret) (pts_t *this, chunk_t initiator_nonce,
-                                                         chunk_t responder_nonce,
-                                                         pts_meas_algorithms_t algorithm);
-
-       /**
-        * Returns secret assessment value to be used for TPM Quote as an external data
-        *
-        * @return                                      Secret assessment value
-        */
-       chunk_t (*get_secret) (pts_t *this);
+       bool (*calculate_secret) (pts_t *this);
 
        /**
         * Get Platform and OS Info
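Review bot: The comment above `create_dh_nonce` still documents `@param dh D-H object`, which matches neither of the callback's parameters `group` and `nonce_len`; the hunk adds `@param nonce` lines for `get_my_public_value` and `set_peer_public_value` but leaves this one stale (the comment's opening lines are above the hunk). Replace it with `@param group  DH group to use` and `@param nonce_len  Length in bytes of the nonce to generate`, and since `nonce_len` is an `int`, state whether non-positive values are rejected or change the type to `size_t`. Separately, the kept `@return` text on `calculate_secret`, `TRUE unless both DH public values and nonces are set`, reads inverted and presumably means `TRUE if both DH public values and nonces are set`; the `Diffie.Hellman` typo in the `set_peer_public_value` comment could be fixed in the same pass.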