added pts_dh_group_error_create() and pts_dh_nonce_error_create()
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sun, 9 Oct 2011 20:30:55 +0000 (22:30 +0200)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Mon, 28 Nov 2011 13:39:50 +0000 (14:39 +0100)
src/libimcv/plugins/imc_attestation/imc_attestation_process.c
src/libimcv/plugins/imv_attestation/imv_attestation_process.c
src/libpts/pts/pts_error.c
src/libpts/pts/pts_error.h

index 7eb1797..aa64ee8 100644 (file)
@@ -109,11 +109,10 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 
                        attr_cast = (tcg_pts_attr_dh_nonce_params_req_t*)attr;
                        min_nonce_len = attr_cast->get_min_nonce_len(attr_cast);
-                       if (min_nonce_len > 0 && nonce_len < min_nonce_len)
+                       if (nonce_len < PTS_MIN_NONCE_LEN ||
+                               min_nonce_len > 0 && nonce_len < min_nonce_len)
                        {
-                               attr_info = attr->get_value(attr);
-                               attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
-                                                       TCG_PTS_BAD_NONCE_LENGTH, attr_info);
+                               attr = pts_dh_nonce_error_create(nonce_len, PTS_MAX_NONCE_LEN);
                                attr_list->insert_last(attr_list, attr);
                                break;
                        }
@@ -123,9 +122,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                                                                                        offered_dh_groups);
                        if (selected_dh_group == PTS_DH_GROUP_NONE)
                        {
-                               attr_info = attr->get_value(attr);
-                               attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
-                                                       TCG_PTS_DH_GRPS_NOT_SUPPORTED, attr_info);
+                               attr = pts_dh_group_error_create(supported_dh_groups);
                                attr_list->insert_last(attr_list, attr);
                                break;
                        }
@@ -155,20 +152,21 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        if (!(selected_algorithm & supported_algorithms))
                        {
                                DBG1(DBG_IMC, "PTS-IMV selected unsupported DH hash algorithm");
-                               return TNC_RESULT_FATAL;
+                               return FALSE;
                        }
                        pts->set_dh_hash_algorithm(pts, selected_algorithm);
 
                        initiator_value = attr_cast->get_initiator_value(attr_cast);
                        initiator_nonce = attr_cast->get_initiator_nonce(attr_cast);
-                       nonce_len = initiator_nonce.len;
-                       if (nonce_len <= 16) /* TODO */
+
+                       nonce_len = lib->settings->get_int(lib->settings,
+                                                               "libimcv.plugins.imc-attestation.nonce_len",
+                                                                DEFAULT_NONCE_LEN);
+                       if (nonce_len != initiator_nonce.len)
                        {
-                               attr_info = attr->get_value(attr);
-                               attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
-                                                       TCG_PTS_BAD_NONCE_LENGTH, attr_info);
-                               attr_list->insert_last(attr_list, attr);
-                               break;
+                               DBG1(DBG_IMC, "initiator and responder DH nonces "
+                                                         "have differing lengths");
+                               return FALSE;
                        }
                                        
                        pts->set_peer_public_value(pts, initiator_value, initiator_nonce);
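Review bot: The new condition at the top of the first hunk mixes `||` and `&&` without parentheses, so `nonce_len < PTS_MIN_NONCE_LEN || min_nonce_len > 0 && nonce_len < min_nonce_len` relies on `&&` binding tighter; the IMV side of this same commit writes the test with explicit parentheses, and `-Wparentheses` will flag this one, so `if (nonce_len < PTS_MIN_NONCE_LEN || (min_nonce_len > 0 && nonce_len < min_nonce_len))` is the form to use. In that branch the error attribute is built as `pts_dh_nonce_error_create(nonce_len, PTS_MAX_NONCE_LEN)`, so when the branch is entered because nonce_len is below PTS_MIN_NONCE_LEN the peer is told a minimum the IMC itself does not accept; reporting `max(PTS_MIN_NONCE_LEN, nonce_len)` as the IMV hunk does is presumably what was intended and is worth confirming. In the third hunk the configured `nonce_len` is only compared for equality with initiator_nonce.len, so the PTS_MIN_NONCE_LEN floor is enforced here only if the setting itself is validated elsewhere, which this page does not show. imc_attestation_process() starts and ends outside these hunks.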
index efb4966..bb55235 100644 (file)
@@ -31,8 +31,6 @@
 
 #include <debug.h>
 
-#define NONCE_LEN_LIMIT                16
-
 bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                                                         imv_attestation_state_t *attestation_state,
                                                         pts_meas_algorithms_t supported_algorithms,
@@ -87,12 +85,12 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
                        min_nonce_len = lib->settings->get_int(lib->settings,
                                                "libimcv.plugins.imv-attestation.min_nonce_len", 0);
                        nonce_len = responder_nonce.len;
-                       if (nonce_len <= NONCE_LEN_LIMIT ||
+                       if (nonce_len < PTS_MIN_NONCE_LEN ||
                           (min_nonce_len > 0 && nonce_len < min_nonce_len))
                        {
-                               attr_info = attr->get_value(attr);
-                               attr = ietf_attr_pa_tnc_error_create(PEN_TCG,
-                                                       TCG_PTS_BAD_NONCE_LENGTH, attr_info);
+                               attr = pts_dh_nonce_error_create(
+                                                                       max(PTS_MIN_NONCE_LEN, min_nonce_len),
+                                                                               PTS_MAX_NONCE_LEN);
                                attr_list->insert_last(attr_list, attr);
                                break;
                        }
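Review bot: `min_nonce_len` is taken from the `libimcv.plugins.imv-attestation.min_nonce_len` setting with no upper bound and is then handed to pts_dh_nonce_error_create(), whose write_uint16 calls narrow it silently, so a misconfigured value above PTS_MAX_NONCE_LEN would still reject every nonce while advertising a wrapped, wrong minimum to the peer. A clamp after the settings read, e.g. `if (min_nonce_len > PTS_MAX_NONCE_LEN) { min_nonce_len = PTS_MAX_NONCE_LEN; }`, keeps the rejection and the reported range consistent. `nonce_len = responder_nonce.len;` assigns a chunk length to what appears to be an int and then compares it with the int min_nonce_len; if nonce_len is indeed int, an explicit cast or a size_t local would make the narrowing intentional rather than silent. imv_attestation_process() starts and ends outside this hunk.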
index ec1e6c0..6e914b2 100644 (file)
@@ -56,4 +56,44 @@ pa_tnc_attr_t* pts_hash_alg_error_create(pts_meas_algorithms_t algorithms)
        writer->destroy(writer);
 
        return attr;
-}
\ No newline at end of file
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t* pts_dh_group_error_create(pts_dh_group_t dh_groups)
+{
+       bio_writer_t *writer;
+       chunk_t msg_info;
+       pa_tnc_attr_t *attr;
+
+       writer = bio_writer_create(4);
+       writer->write_uint16(writer, 0x0000);
+       writer->write_uint16(writer, dh_groups);
+       msg_info = writer->get_buf(writer);
+       attr = ietf_attr_pa_tnc_error_create(PEN_TCG, TCG_PTS_DH_GRPS_NOT_SUPPORTED,
+                                                                                msg_info);
+       writer->destroy(writer);
+
+       return attr;
+}
+
+/**
+ * Described in header.
+ */
+pa_tnc_attr_t* pts_dh_nonce_error_create(int min_nonce_len, int max_nonce_len)
+{
+       bio_writer_t *writer;
+       chunk_t msg_info;
+       pa_tnc_attr_t *attr;
+
+       writer = bio_writer_create(4);
+       writer->write_uint16(writer, min_nonce_len);
+       writer->write_uint16(writer, max_nonce_len);
+       msg_info = writer->get_buf(writer);
+       attr = ietf_attr_pa_tnc_error_create(PEN_TCG, TCG_PTS_BAD_NONCE_LENGTH,
+                                                                                msg_info);
+       writer->destroy(writer);
+
+       return attr;
+}
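Review bot: pts_dh_nonce_error_create() accepts `int min_nonce_len` and `int max_nonce_len` but emits them with write_uint16, so a negative or above-0xffff argument is truncated without any diagnostic and the peer receives a bogus range; either take `uint16_t` parameters (both callers on this page pass PTS_MAX_NONCE_LEN or small settings-derived values, so this is compatible) or clamp at the top, e.g. `if (max_nonce_len > PTS_MAX_NONCE_LEN) max_nonce_len = PTS_MAX_NONCE_LEN;` with the same guard for the minimum. The bare `writer->write_uint16(writer, 0x0000);` in pts_dh_group_error_create() deserves a comment naming the field, e.g. `/* 16-bit reserved field precedes the supported DH group set, see section 4.2.4 */`, assuming that is what the spec section cited in the header defines. Both new functions copy the pattern of pts_hash_alg_error_create() above — msg_info is obtained from the writer and then the writer is destroyed — which only holds if ietf_attr_pa_tnc_error_create() clones the chunk; a short comment stating that reliance would stop a future reader from treating the destroy as a use-after-free.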
index 5389fe5..9a53abd 100644 (file)
 typedef enum pts_error_code_t pts_error_code_t;
 
 #include "pts_meas_algo.h"
+#include "pts_dh_group.h"
 #include "pa_tnc/pa_tnc_attr.h"
 
 #include <library.h>
 
+#define PTS_MIN_NONCE_LEN              17
+#define PTS_MAX_NONCE_LEN              0xffff
+
 /**
  * PTS Attestation Error Codes
  * see section 3.14.2 of PTS Protocol: Binding to TNC IF-M Specification
@@ -61,8 +65,25 @@ extern enum_name_t *pts_error_code_names;
  * Creates a PTS Hash Algorithm Not Supported Error Attribute
  * see section 4.2.2 of PTS Protocol: Binding to TNC IF-M Specification
  *
- * @param algorithms   supported measurement hash algorithms
+ * @param algorithms           supported measurement hash algorithms
  */
 pa_tnc_attr_t* pts_hash_alg_error_create(pts_meas_algorithms_t algorithms);
 
+/**
+ * Creates a PTS DH Group Not Supported Error Attribute
+ * see section 4.2.4 of PTS Protocol: Binding to TNC IF-M Specification
+ *
+ * @param dh_groups                    supported DH groups
+ */
+pa_tnc_attr_t* pts_dh_group_error_create(pts_dh_group_t dh_groups);
+
+/**
+ * Creates a PTS DH PN Nonce Not Supported Error Attribute
+ * see section 4.2.5 of PTS Protocol: Binding to TNC IF-M Specification
+ *
+ * @param min_nonce_len                minimum nonce length
+ * @param max_nonce_len                maximum nonce length
+ */
+pa_tnc_attr_t* pts_dh_nonce_error_create(int min_nonce_len, int max_nonce_len);
+
 #endif /** PTS_ERROR_H_ @}*/
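Review bot: The two new `PTS_MIN_NONCE_LEN` and `PTS_MAX_NONCE_LEN` defines carry no comment, although the rest of this header documents every declaration; the values need one because 17 is not self-explanatory and 0xffff is a wire-format limit rather than a policy choice. Suggested: `/** Shortest DH nonce length (in bytes) accepted; shorter nonces raise TCG_PTS_BAD_NONCE_LENGTH */` and `/** Largest length representable in the 16-bit nonce length fields of the DH Nonce Not Supported error */`. The `@param min_nonce_len` / `@param max_nonce_len` lines of pts_dh_nonce_error_create() should also state that the values are written as 16-bit fields and must lie in `0..PTS_MAX_NONCE_LEN`, since the int parameter types do not convey that to callers.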