Construct PCR Composite using information received in Simple Component Evidence attri...
authorSansar Choinyambuu <schoinya@hsr.ch>
Mon, 24 Oct 2011 08:39:17 +0000 (10:39 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 28 Nov 2011 13:39:51 +0000 (14:39 +0100)
src/libimcv/plugins/imv_attestation/imv_attestation_process.c
src/libpts/pts/pts.c
src/libpts/pts/pts.h

index f097043..be3d7e0 100644 (file)
@@ -246,19 +246,22 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        /* Call getters of optional fields when corresponding flag is set */
                        if (pcr_info_inclided)
                        {
+                               pcr_entry_t *entry;
+                               
                                extended_pcr = attr_cast->get_extended_pcr(attr_cast);
                                pcr_before = attr_cast->get_pcr_before_value(attr_cast);
                                pcr_after = attr_cast->get_pcr_after_value(attr_cast);
                                measurement = attr_cast->get_comp_measurement(attr_cast);
 
-                               DBG3(DBG_IMV,"PCR: %d was extended with %B", extended_pcr, &measurement);
-                               DBG3(DBG_IMV,"PCR: %d before value: %B", extended_pcr, &pcr_before);
-                               DBG3(DBG_IMV,"PCR: %d after value: %B", extended_pcr, &pcr_after);
+                               DBG4(DBG_IMV,"PCR: %d was extended with %B", extended_pcr, &measurement);
+                               DBG4(DBG_IMV,"PCR: %d before value: %B", extended_pcr, &pcr_before);
+                               DBG4(DBG_IMV,"PCR: %d after value: %B", extended_pcr, &pcr_after);
 
-                               if (!pts->does_pcr_value_match(pts, pcr_after))
-                               {
-                                       return FALSE;
-                               }
+                               entry = malloc_thing(pcr_entry_t);
+                               entry->pcr_number = extended_pcr;
+                               strcpy(entry->pcr_value, pcr_after.ptr);
+                               pts->add_pcr_entry(pts, entry);
+                               
                        }
                        if (flags != PTS_SIMPLE_COMP_EVID_FLAG_NO_VALID)
                        {
@@ -295,34 +298,32 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        }
                        if (flags == PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO)
                        {
-                               chunk_t quote_info, quote_digest;
+                               chunk_t pcr_composite, quote_info, quote_digest;
                                hasher_t *hasher;
                                pcr_comp = attr_cast->get_pcr_comp(attr_cast);
                                tpm_quote_sign = attr_cast->get_tpm_quote_sign(attr_cast);
-                               
-                               if (!pts->get_quote_info(pts, &quote_info))
+
+                               /* Construct PCR Composite and TPM Quote Info structures*/
+                               if (!pts->get_quote_info(pts, &pcr_composite, &quote_info))
                                {
                                        DBG1(DBG_IMV, "unable to contruct TPM Quote Info");
-                                       free(quote_info.ptr);
                                        return FALSE;
                                }
 
-                               /* SHA1(TPM Quote Info) expected from IMC */
-                               hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-                               hasher->allocate_hash(hasher, quote_info, &quote_digest);
-                               hasher->destroy(hasher);
-                               
-                               if (pcr_comp.ptr && strncmp(quote_info.ptr, pcr_comp.ptr,
-                                                               quote_info.len - ASSESSMENT_SECRET_LEN) != 0)
+                               /* Check calculated PCR composite structure matches with received */
+                               if (pcr_comp.ptr && !chunk_equals(pcr_comp, pcr_composite))
                                {
-                                       DBG1(DBG_IMV, "calculated TPM Quote Info differs from received");
-                                       DBG3(DBG_IMV, "calculated: %B", &quote_info);
-                                       DBG3(DBG_IMV, "received: %B", &pcr_comp);
-                                       free(quote_digest.ptr);
+                                       DBG1(DBG_IMV, "received PCR Compsosite didn't match with constructed");
+                                       free(pcr_composite.ptr);
                                        free(quote_info.ptr);
                                        return FALSE;
                                }
-                               DBG2(DBG_IMV, "received TPM Quote Info matches with calculated");
+                               free(pcr_composite.ptr);
+                               
+                               /* SHA1(TPM Quote Info) expected from IMC */
+                               hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+                               hasher->allocate_hash(hasher, quote_info, &quote_digest);
+                               hasher->destroy(hasher);
                                
                                if (tpm_quote_sign.ptr &&
                                        !pts->verify_quote_signature(pts, quote_digest, tpm_quote_sign))
index 05e4b7d..176bc87 100644 (file)
@@ -113,6 +113,10 @@ struct private_pts_t {
         */
        certificate_t *aik;
 
+       /**
+        * List of extended PCR's with corresponding values
+        */
+       linked_list_t *pcrs;
 };
 
 METHOD(pts_t, get_proto_caps, pts_proto_caps_flag_t,
@@ -828,7 +832,7 @@ METHOD(pts_t, quote_tpm, bool,
        TSS_VALIDATION valData;
        u_int32_t i;
        TSS_RESULT result;
-       chunk_t pcr_comp, quote_sign;
+       chunk_t quote_sign;
 
        result = Tspi_Context_Create(&hContext);
        if (result != TSS_SUCCESS)
@@ -909,12 +913,7 @@ METHOD(pts_t, quote_tpm, bool,
        }
 
        /* Set output chunks */
-       pcr_comp = chunk_alloc(valData.ulDataLength - ASSESSMENT_SECRET_LEN);
-       memcpy(pcr_comp.ptr, valData.rgbData,
-                                                       valData.ulDataLength - ASSESSMENT_SECRET_LEN);
-       *pcr_composite = pcr_comp;
-       *pcr_composite = chunk_clone(*pcr_composite);
-       DBG3(DBG_PTS, "PCR comp: %B",pcr_composite);
+       *pcr_composite = chunk_empty;
        
        quote_sign = chunk_alloc(valData.ulValidationDataLength);
        memcpy(quote_sign.ptr, valData.rgbValidationData,
@@ -923,7 +922,6 @@ METHOD(pts_t, quote_tpm, bool,
        *quote_signature = chunk_clone(*quote_signature);
        DBG3(DBG_PTS, "Quote sign: %B",quote_signature);
 
-       chunk_clear(&pcr_comp);
        chunk_clear(&quote_sign);
        Tspi_Context_FreeMemory(hContext, NULL);
        Tspi_Context_CloseObject(hContext, hPcrComposite);
@@ -949,149 +947,34 @@ METHOD(pts_t, quote_tpm, bool,
        return FALSE;
 }
 
-/**
- *  Convert from string to byte array (configured PCR values)
- */
-static u_int8_t* pcr_string_to_bytearray(char *str_value)
-{
-       u_int32_t i;
-       u_int8_t *ret;
-
-       if (strlen(str_value) != PCR_LEN * 2)
-       {
-               DBG1(DBG_PTS, "expected PCR value with %d characters, current:%s",
-                        PCR_LEN * 2, str_value);
-               return NULL;
-       }
-
-       ret = malloc(PCR_LEN);
-       for (i = 0; i < strlen(str_value)/2; i++)
-       {
-               char c1, c2;
-               u_int8_t d1, d2;
-
-               c1 = str_value[i*2];
-               c2 = str_value[i*2 + 1];
-
-               /**
-                * Convert characters to u_int8_t
-                * code taken from http://www.codeguru.com/forum/showthread.php?t=316299
-               */
-               
-               if (isdigit(c1))
-               {
-                       d1 = c1 - '0';
-               }
-               else if (c1 >= 'A' && c1 <= 'F')
-               {
-                       d1 = c1 - 'A' + 10;
-               }
-               else if (c1 >= 'a' && c1 <= 'f')
-               {
-                       d1 = c1 - 'a' + 10;
-               }
-               
-               if (isdigit(c2))
-               {
-                       d2 = c2 - '0';
-               }
-               else if (c2 >= 'A' && c2 <= 'F')
-               {
-                       d2 = c2 - 'A' + 10;
-               }
-               else if (c2 >= 'a' && c2 <= 'f')
-               {
-                       d2 = c2 - 'a' + 10;
-               }
-               /* save value of two characters in one byte */
-               ret[i] = d1*16 + d2;
-       }
-       
-       return ret;
-}
-
-/**
- *  Build PCR Entries from the configuration
- */
-static bool load_pcr_entries(linked_list_t **output)
-{
-       linked_list_t *entries;
-       int i, len;
-
-       entries = linked_list_create();
-       for(i = 0; i < MAX_NUM_PCR; i++)
-       {
-               char *string_pcr_value;
-               pcr_entry_t *entry;
-               len = snprintf(NULL, 0, "%s%d", "libimcv.plugins.imv-attestation.pcr", i);
-
-               char var[len + 1];
-               len = snprintf(var, len + 1, "%s%d", "libimcv.plugins.imv-attestation.pcr", i); 
-               string_pcr_value = lib->settings->get_str(lib->settings, var, NULL);
-
-               if (string_pcr_value)
-               {
-                       u_int8_t *pcr_value;
-                       
-                       entry = malloc_thing(pcr_entry_t);
-                       entry->pcr_number = i;
-
-                       pcr_value = pcr_string_to_bytearray(string_pcr_value);
-                       strcpy(entry->pcr_value, pcr_value);
-                       entries->insert_last(entries, entry);
-                       free(pcr_value);
-               }
-       }
-       
-       if (entries->get_count(entries))
-       {
-               *output = entries;
-               return TRUE;
-       }
-
-       DBG1(DBG_PTS, "pcr value(s) not available");
-       DESTROY_IF(entries);
-       *output = NULL;
-       return FALSE;
-}
-
-METHOD(pts_t, does_pcr_value_match, bool,
-       private_pts_t *this, chunk_t pcr_after_value)
+METHOD(pts_t, add_pcr_entry, void,
+       private_pts_t *this, pcr_entry_t *new)
 {
-       linked_list_t *entries;
        enumerator_t *e;
-       pcr_entry_t *pcr_entry;
-       bool match_found = FALSE;
+       pcr_entry_t *entry;
        
-       if (!load_pcr_entries(&entries))
+       if (!this->pcrs)
        {
-               DBG1(DBG_PTS, "failed to load PCR entries");
-               return FALSE;
+               this->pcrs = linked_list_create();
        }
-       
-       e = entries->create_enumerator(entries);
-       while (e->enumerate(e, &pcr_entry))
+
+       e = this->pcrs->create_enumerator(this->pcrs);
+       while (e->enumerate(e, &entry))
        {
-               if (strncmp(pcr_entry->pcr_value, pcr_after_value.ptr, PCR_LEN) == 0)
+               if (entry->pcr_number == new->pcr_number)
                {
-                       DBG1(DBG_PTS, "PCR %d value matched with configured value",
-                                pcr_entry->pcr_number);
-                       match_found = TRUE;
+                       DBG4(DBG_PTS, "updating already added PCR%d value",
+                                entry->pcr_number);
+                       this->pcrs->remove_at(this->pcrs, e);
+                       free(entry);
                        break;
                }
        }
-       
        DESTROY_IF(e);
-       DESTROY_IF(entries);
-       free(pcr_entry);
-
-       if (match_found)
-       {
-               return TRUE;
-       }
        
-       DBG1(DBG_PTS, "PCR after value didn't match with any of the configured values");
-       return FALSE;
+       this->pcrs->insert_last(this->pcrs, new);
+
+       /* TODO: Sort pcr entries with pcr index */
 }
 
 /**
@@ -1103,7 +986,7 @@ METHOD(pts_t, does_pcr_value_match, bool,
  * The first two bytes of the message represent the length
  * of the bitmask that follows. The bitmask represents the
  * requested PCRs to be quoted.
- * 
+ *
  * TPM Main-Part 2 TPM Structures_v1.2 8.1
  * The bitmask is in big endian order"
  *
@@ -1119,48 +1002,61 @@ METHOD(pts_t, does_pcr_value_match, bool,
  *     20 byte SHA1 of TCPA_PCR_COMPOSITE
  *     20 byte nonce
  */
-static chunk_t calculate_quote_info(private_pts_t *this, linked_list_t *pcr_entries)
+
+METHOD(pts_t, get_quote_info, bool,
+       private_pts_t *this, chunk_t *out_pcr_composite, chunk_t *out_quote_info)
 {
        enumerator_t *e;
        pcr_entry_t *pcr_entry;
-       chunk_t quote_info, pcr_composite, hash_pcr_composite;
+       chunk_t pcr_composite, hash_pcr_composite, quote_info;
        u_int32_t pcr_composite_len;
        bio_writer_t *writer;
        u_int8_t mask_bytes[PCR_MASK_LEN] = {0,0,0}, i;
        hasher_t *hasher;
 
+       if (this->pcrs->get_count(this->pcrs) == 0)
+       {
+               DBG1(DBG_PTS, "PCR entries unavailable, unable to construct TPM Quote Info");
+               return FALSE;
+       }
+
        pcr_composite_len = 2 + PCR_MASK_LEN + 4 +
-                                               pcr_entries->get_count(pcr_entries) * PCR_LEN;
-       
+                                               this->pcrs->get_count(this->pcrs) * PCR_LEN;
+
        writer = bio_writer_create(pcr_composite_len);
        /* Lenght of the bist mask field */
        writer->write_uint16(writer, PCR_MASK_LEN);
        /* Bit mask indicating selected PCRs */
-       e = pcr_entries->create_enumerator(pcr_entries);
+       e = this->pcrs->create_enumerator(this->pcrs);
        while (e->enumerate(e, &pcr_entry))
        {
                u_int32_t index = pcr_entry->pcr_number;
                mask_bytes[index / 8] |= (1 << (index % 8));
        }
-       
        e->destroy(e);
+
        for (i = 0; i< PCR_MASK_LEN ; i++)
        {
                writer->write_uint8(writer, mask_bytes[i]);
        }
-       
+
        /* Lenght of the pcr entries */
-       writer->write_uint32(writer, pcr_entries->get_count(pcr_entries) * PCR_LEN);
+       writer->write_uint32(writer, this->pcrs->get_count(this->pcrs) * PCR_LEN);
        /* Actual PCR values */
-       e = pcr_entries->create_enumerator(pcr_entries);
+       e = this->pcrs->create_enumerator(this->pcrs);
        while (e->enumerate(e, &pcr_entry))
        {
                writer->write_data(writer, chunk_create(pcr_entry->pcr_value, PCR_LEN));
        }
+       free(pcr_entry);
+       e->destroy(e);
        
+       /* PCR Composite structure */
        pcr_composite = chunk_clone(writer->get_buf(writer));
+       *out_pcr_composite = pcr_composite;
+       DBG4(DBG_PTS, "Calculated PCR Composite: %B", out_pcr_composite);
        writer->destroy(writer);
-       
+
        writer = bio_writer_create(TPM_QUOTE_INFO_LEN);
        /* Version number */
        writer->write_uint8(writer, 1);
@@ -1177,38 +1073,27 @@ static chunk_t calculate_quote_info(private_pts_t *this, linked_list_t *pcr_entr
        /* SHA1 hash of PCR Composite Structure */
        hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
        hasher->allocate_hash(hasher, pcr_composite, &hash_pcr_composite);
+       hasher->destroy(hasher);
        writer->write_data(writer, hash_pcr_composite);
 
+       if (!this->secret.ptr)
+       {
+               DBG1(DBG_PTS, "Secret assessment value unavailable",
+                        "unable to construct TPM Quote Info");
+               chunk_clear(&pcr_composite);
+               chunk_clear(&hash_pcr_composite);
+               writer->destroy(writer);
+               return FALSE;
+       }
        /* Secret assessment value 20 bytes (nonce) */
        writer->write_data(writer, this->secret);
-
        /* TPM Quote Info */
        quote_info = chunk_clone(writer->get_buf(writer));
-       DBG3(DBG_PTS, "Calculated TPM Quote Info: %B", &quote_info);
+       *out_quote_info = quote_info;
+       DBG4(DBG_PTS, "Calculated TPM Quote Info: %B", out_quote_info);
        
-       e->destroy(e);
        writer->destroy(writer);
-       hasher->destroy(hasher);
-       chunk_clear(&pcr_composite);
        chunk_clear(&hash_pcr_composite);
-       free(pcr_entry);
-       pcr_entries->destroy(pcr_entries);
-       
-       return quote_info;
-}
-
-METHOD(pts_t, get_quote_info, bool,
-       private_pts_t *this, chunk_t *quote_info)
-{
-       linked_list_t *entries;
-
-       if (!load_pcr_entries(&entries))
-       {
-               DBG1(DBG_PTS, "failed to load PCR entries");
-               return FALSE;
-       }
-
-       *quote_info = calculate_quote_info(this, entries);
        return TRUE;
 }
 
@@ -1294,6 +1179,7 @@ METHOD(pts_t, destroy, void,
 {
        DESTROY_IF(this->aik);
        DESTROY_IF(this->dh);
+       DESTROY_IF(this->pcrs);
        free(this->initiator_nonce.ptr);
        free(this->responder_nonce.ptr);
        free(this->secret.ptr);
@@ -1483,7 +1369,7 @@ pts_t *pts_create(bool is_imc)
                        .read_pcr = _read_pcr,
                        .extend_pcr = _extend_pcr,
                        .quote_tpm = _quote_tpm,
-                       .does_pcr_value_match = _does_pcr_value_match,
+                       .add_pcr_entry = _add_pcr_entry,
                        .get_quote_info = _get_quote_info,
                        .verify_quote_signature  = _verify_quote_signature,
                        .destroy = _destroy,
index c4c87f7..cac578d 100644 (file)
@@ -274,19 +274,20 @@ struct pts_t {
                                           chunk_t *pcr_composite, chunk_t *quote_signature);
 
         /**
-        * Check PCR after value in Simple Component Evidence matches configured value
+        * Add extended PCR with its corresponding value
         *
         * @return                                      FALSE in case of any error or non-match, TRUE otherwise
         */
-        bool (*does_pcr_value_match)(pts_t *this, chunk_t pcr_after_value);
+        void (*add_pcr_entry)(pts_t *this, pcr_entry_t *entry);
 
         /**
         * Constructs and returns TPM Quote Info structure expected from IMC
-        * 
-        * @param digest                        Output variable to store quote digest
+        *
+        * @param pcr_composite                 Output variable to store PCR Composite
+        * @param quote_info                    Output variable to store TPM Quote Info
         * @return                                      FALSE in case of any error, TRUE otherwise
         */
-        bool (*get_quote_info)(pts_t *this, chunk_t *quote_info);
+        bool (*get_quote_info)(pts_t *this, chunk_t *pcr_composite, chunk_t *quote_info);
 
         /**
         * Constructs and returns PCR Quote Digest structure expected from IMC