Implemented matching of Optional PCR Composite field value when Hashing was done...
authorSansar Choinyambuu <schoinya@hsr.ch>
Mon, 31 Oct 2011 10:26:00 +0000 (11:26 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 28 Nov 2011 13:39:53 +0000 (14:39 +0100)
Optional Composite Hash Algorithm field is always present, has value of all zeroes if was not used

src/libimcv/plugins/imc_attestation/imc_attestation_process.c
src/libimcv/plugins/imv_attestation/imv_attestation_process.c
src/libpts/pts/pts.c
src/libpts/pts/pts.h
src/libpts/tcg/tcg_pts_attr_simple_evid_final.c

index cbb3dc3..8748202 100644 (file)
@@ -441,6 +441,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                {
                        enumerator_t *e;
                        pts_simple_evid_final_flag_t flags;
+                       pts_meas_algorithms_t composite_algorithm = 0;
                        chunk_t pcr_composite, quote_signature;
                        u_int32_t num_of_evidences, i = 0;
                        u_int32_t *pcrs;
@@ -478,9 +479,11 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
        
                        /* Send Simple Evidence Final attribute */
                        flags = PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO;
+                       composite_algorithm |= PTS_MEAS_ALGO_SHA1;
                        
-                       attr = tcg_pts_attr_simple_evid_final_create(FALSE, flags, 0,
-                                                               pcr_composite, quote_signature, chunk_empty);
+                       attr = tcg_pts_attr_simple_evid_final_create(FALSE, flags,
+                                                               composite_algorithm, pcr_composite,
+                                                               quote_signature, chunk_empty);
                        attr_list->insert_last(attr_list, attr);
                                        
                        DESTROY_IF(e);
index aa2b0fe..1ba627e 100644 (file)
@@ -283,17 +283,21 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                {
                        tcg_pts_attr_simple_evid_final_t *attr_cast;
                        pts_simple_evid_final_flag_t flags;
+                       pts_meas_algorithms_t composite_algorithm;
                        chunk_t pcr_comp;
                        chunk_t tpm_quote_sign;
                        chunk_t evid_sign;
                        bool evid_signature_included;
-                                       
-                       /** TODO: Ignoring Composite Hash Algorithm field
-                        * No flag defined which indicates the precense of it
-                        */
+                       
                        attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr;
                        evid_signature_included = attr_cast->is_evid_sign_included(attr_cast);
                        flags = attr_cast->get_flags(attr_cast);
+                       
+                       /** Optional Composite Hash Algorithm field is always present
+                        * Field has value of all zeroes if not used.
+                        * Implemented adhering the suggestion of Paul Sangster 28.Oct.2011
+                        */
+                       composite_algorithm = attr_cast->get_comp_hash_algorithm(attr_cast);
 
                        if ((flags == PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO2) ||
                                (flags == PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO2_CAP_VER))
@@ -310,13 +314,14 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                tpm_quote_sign = attr_cast->get_tpm_quote_sign(attr_cast);
 
                                /* Construct PCR Composite and TPM Quote Info structures*/
-                               if (!pts->get_quote_info(pts, &pcr_composite, &quote_info))
+                               if (!pts->get_quote_info(pts, composite_algorithm,
+                                       &pcr_composite, &quote_info))
                                {
                                        DBG1(DBG_IMV, "unable to contruct TPM Quote Info");
                                        return FALSE;
                                }
 
-                               /* Check calculated PCR composite structure matches with received */
+                               /* Check calculated PCR composite matches with received */
                                if (pcr_comp.ptr && !chunk_equals(pcr_comp, pcr_composite))
                                {
                                        DBG1(DBG_IMV, "received PCR Compsosite didn't match"
index df84e1c..29327e1 100644 (file)
@@ -1003,11 +1003,12 @@ METHOD(pts_t, add_pcr_entry, void,
  */
 
 METHOD(pts_t, get_quote_info, bool,
-       private_pts_t *this, chunk_t *out_pcr_composite, chunk_t *out_quote_info)
+       private_pts_t *this, pts_meas_algorithms_t composite_algo,
+       chunk_t *out_pcr_composite, chunk_t *out_quote_info)
 {
        enumerator_t *e;
        pcr_entry_t *pcr_entry;
-       chunk_t pcr_composite;
+       chunk_t pcr_composite, hash_pcr_composite;
        u_int32_t pcr_composite_len;
        bio_writer_t *writer;
        u_int8_t mask_bytes[PCR_MASK_LEN] = {0,0,0}, i;
@@ -1068,14 +1069,33 @@ METHOD(pts_t, get_quote_info, bool,
        writer->write_uint8(writer, 'O');
        writer->write_uint8(writer, 'T');
 
-       /* SHA1 hash of PCR Composite Structure */
-       hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-       hasher->allocate_hash(hasher, pcr_composite, out_pcr_composite);
-       DBG4(DBG_PTS, "Hash of calculated PCR Composite: %B", out_pcr_composite);
+       /* Output the TPM_PCR_COMPOSITE expected from IMC */
+       if (composite_algo)
+       {
+               hash_algorithm_t algo;
+               
+               algo = pts_meas_algo_to_hash(composite_algo);
+               hasher = lib->crypto->create_hasher(lib->crypto, algo);
 
-       chunk_clear(&pcr_composite);
+               /* Hash the PCR Composite Structure */
+               hasher->allocate_hash(hasher, pcr_composite, out_pcr_composite);
+               DBG4(DBG_PTS, "Hash of calculated PCR Composite: %B", out_pcr_composite);
+               hasher->destroy(hasher);
+       }
+       else
+       {
+               *out_pcr_composite = chunk_clone(pcr_composite);
+               DBG4(DBG_PTS, "calculated PCR Composite: %B", out_pcr_composite);
+       }
+       
+       /* SHA1 hash of PCR Composite to construct TPM_QUOTE_INFO */
+       hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+       hasher->allocate_hash(hasher, pcr_composite, &hash_pcr_composite);
        hasher->destroy(hasher);
-       writer->write_data(writer, *out_pcr_composite);
+       
+       writer->write_data(writer, hash_pcr_composite);
+       chunk_clear(&pcr_composite);
+       chunk_clear(&hash_pcr_composite);
        
        if (!this->secret.ptr)
        {
index 932bf2f..84175d7 100644 (file)
@@ -289,8 +289,8 @@ struct pts_t {
         * @param quote_info                    Output variable to store TPM Quote Info
         * @return                                      FALSE in case of any error, TRUE otherwise
         */
-        bool (*get_quote_info)(pts_t *this, chunk_t *pcr_composite,
-                                                       chunk_t *quote_info);
+        bool (*get_quote_info)(pts_t *this, pts_meas_algorithms_t composite_algo,
+                                                       chunk_t *pcr_composite, chunk_t *quote_info);
 
         /**
         * Constructs and returns PCR Quote Digest structure expected from IMC
index 833b101..c6a5af3 100644 (file)
@@ -167,11 +167,13 @@ METHOD(pa_tnc_attr_t, build, void,
        writer->write_uint8 (writer, flags);
        writer->write_uint8 (writer, PTS_SIMPLE_EVID_FINAL_RESERVED);
        
+       /** Optional Composite Hash Algorithm field is always present
+        * Field has value of all zeroes if not used.
+        * Implemented adhering the suggestion of Paul Sangster 28.Oct.2011
+        */
+       writer->write_uint16(writer, this->comp_hash_algorithm);
+
        /* Optional fields */
-       if (this->comp_hash_algorithm)
-       {
-               writer->write_uint16(writer, this->comp_hash_algorithm);
-       }
        if (this->pcr_comp.ptr && this->pcr_comp.len > 0)
        {
                writer->write_uint32 (writer, this->pcr_comp.len);
@@ -197,7 +199,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
        bio_reader_t *reader;
        u_int8_t flags;
        u_int8_t reserved;
-       /** u_int16_t algorithm;*/
+       u_int16_t algorithm;
        
        if (this->value.len < PTS_SIMPLE_EVID_FINAL_SIZE)
        {
@@ -232,18 +234,20 @@ METHOD(pa_tnc_attr_t, process, status_t,
        }
        
        reader->read_uint8(reader, &reserved);
+
+       /** Optional Composite Hash Algorithm field is always present
+        * Field has value of all zeroes if not used.
+        * Implemented adhering the suggestion of Paul Sangster 28.Oct.2011
+        */
+       
+       reader->read_uint16(reader, &algorithm);
+       this->comp_hash_algorithm = algorithm;
        
        /*  Optional Composite Hash Algorithm and TPM PCR Composite field is included */
        if (this->flags != PTS_SIMPLE_EVID_FINAL_FLAG_NO)
        {
                u_int32_t pcr_comp_len, tpm_quote_sign_len;
                
-               /** TODO: Ignoring Hashing algorithm field
-                * There is no flag defined which indicates the precense of it
-                * reader->read_uint16(reader, &algorithm);
-                * this->comp_hash_algorithm = algorithm;
-                */
-
                reader->read_uint32(reader, &pcr_comp_len);
                reader->read_data(reader, pcr_comp_len, &this->pcr_comp);
                this->pcr_comp = chunk_clone(this->pcr_comp);