diff options
| -rw-r--r-- | src/libimcv/plugins/imv_attestation/imv_attestation.c | 165 | ||||
| -rw-r--r-- | src/libpts/pts/pts.h | 54 |
2 files changed, 186 insertions, 33 deletions
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation.c b/src/libimcv/plugins/imv_attestation/imv_attestation.c index af3c33734..d31cca423 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation.c @@ -140,18 +140,20 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, } /** - * Specify supported PTS Diffie Hellman Groups + * Specify supported PTS Diffie-Hellman groups * - * ike2: PTS_DH_GROUP_IKE2 - * ike5: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 - * ike14: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 - * ike19: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 | PTS_DH_GROUP_IKE19 - * ike20: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 | PTS_DH_GROUP_IKE19 | PTS_DH_GROUP_IKE20 + * modp1024: PTS_DH_GROUP_IKE2 + * modp1536: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 + * modp2048: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 + * ecp256: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 | + * PTS_DH_GROUP_IKE19 + * ecp384: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 | + * PTS_DH_GROUP_IKE19 | PTS_DH_GROUP_IKE20 * * we expect the PTS-IMC to select the strongest supported group */ dh_group = lib->settings->get_str(lib->settings, - "libimcv.plugins.imv-attestation.dh_group", "ike19"); + "libimcv.plugins.imv-attestation.dh_group", "ecp256"); if (!pts_update_supported_dh_groups(dh_group, &supported_dh_groups)) { return TNC_RESULT_FATAL; @@ -239,7 +241,156 @@ static TNC_Result send_message(TNC_ConnectionID connection_id) } else { +<<<<<<< HEAD result = TNC_RESULT_FATAL; +======= + case IMV_ATTESTATION_STATE_INIT: + { + pts_proto_caps_flag_t flags; + + /* Send Request Protocol Capabilities attribute */ + flags = pts->get_proto_caps(pts); + attr = tcg_pts_attr_proto_caps_create(flags, TRUE); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + /* Send Measurement Algorithms attribute */ + attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + attestation_state->set_handshake_state(attestation_state, + IMV_ATTESTATION_STATE_TPM_INIT); + break; + } + case IMV_ATTESTATION_STATE_TPM_INIT: + { + if (!dh_nonce_req_sent) + { + /* Send DH nonce parameters request attribute */ + attr = tcg_pts_attr_dh_nonce_params_req_create(0, supported_dh_groups); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + dh_nonce_req_sent = TRUE; + } + else + { + pts_meas_algorithms_t selected_algorithm; + chunk_t initiator_pub_val; + + /* Send DH nonce finish attribute */ + selected_algorithm = pts->get_meas_algorithm(pts); + pts->get_my_public_value(pts, &initiator_pub_val); + + attr = tcg_pts_attr_dh_nonce_finish_create(NONCE_LEN, + selected_algorithm, + chunk_create(initiator_nonce, NONCE_LEN), + initiator_pub_val); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + /* Send Get TPM Version attribute */ + attr = tcg_pts_attr_get_tpm_version_info_create(); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + /* Send Get AIK attribute */ + attr = tcg_pts_attr_get_aik_create(); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + attestation_state->set_handshake_state(attestation_state, + IMV_ATTESTATION_STATE_MEAS); + } + + break; + } + case IMV_ATTESTATION_STATE_MEAS: + { + + enumerator_t *enumerator; + u_int32_t delimiter = SOLIDUS_UTF; + char *platform_info, *pathname; + u_int16_t request_id; + int id, type; + bool is_dir; + + attestation_state->set_handshake_state(attestation_state, + IMV_ATTESTATION_STATE_COMP_EVID); + + /* Get Platform and OS of the PTS-IMC */ + platform_info = pts->get_platform_info(pts); + + if (!pts_db || !platform_info) + { + DBG1(DBG_IMV, "%s%s%s not available", + (pts_db) ? "" : "pts database", + (!pts_db && !platform_info) ? "and" : "", + (platform_info) ? "" : "platform info"); + break; + } + DBG1(DBG_IMV, "platform is '%s'", platform_info); + + /* Send Request File Metadata attribute */ + attr = tcg_pts_attr_req_file_meta_create(FALSE, SOLIDUS_UTF, "/etc/tnc_config"); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + /* Send Request File Measurement attribute */ + enumerator = pts_db->create_file_enumerator(pts_db, platform_info); + if (!enumerator) + { + break; + } + while (enumerator->enumerate(enumerator, &id, &type, &pathname)) + { + is_dir = (type != 0); + request_id = attestation_state->add_request(attestation_state, + id, is_dir); + DBG2(DBG_IMV, "measurement request %d for %s '%s'", + request_id, is_dir ? "directory" : "file", pathname); + attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id, + delimiter, pathname); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + } + enumerator->destroy(enumerator); + break; + } + case IMV_ATTESTATION_STATE_COMP_EVID: + { + pts_attr_req_funct_comp_evid_flag_t flags; + u_int32_t sub_comp_depth; + pts_qualifier_t qualifier; + pts_funct_comp_name_t name; + + attestation_state->set_handshake_state(attestation_state, + IMV_ATTESTATION_STATE_END); + + flags = PTS_REQ_FUNC_COMP_FLAG_PCR; + sub_comp_depth = 0; + qualifier.kernel = FALSE; + qualifier.sub_component = FALSE; + qualifier.type = PTS_FUNC_COMP_TYPE_ALL; + name = PTS_FUNC_COMP_NAME_BIOS; + + /* Send Request Functional Component Evidence attribute */ + attr = tcg_pts_attr_req_funct_comp_evid_create(flags, sub_comp_depth, + PEN_TCG, qualifier, name); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + /* Send Generate Attestation Evidence attribute */ + attr = tcg_pts_attr_gen_attest_evid_create(); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + break; + } + default: + DBG1(DBG_IMV, "Attestation IMV is in unknown state: \"%s\"", + handshake_state); + return TNC_RESULT_FATAL; +>>>>>>> fixed setting of PTS DH group } msg->destroy(msg); diff --git a/src/libpts/pts/pts.h b/src/libpts/pts/pts.h index c7c43ac27..cd9314d83 100644 --- a/src/libpts/pts/pts.h +++ b/src/libpts/pts/pts.h @@ -183,35 +183,36 @@ struct pts_t { bool (*create_dh)(pts_t *this, pts_dh_group_t group); /** - * Gets Own Diffie Hellman Public Value + * Get my Diffie-Hellman public value * - * @param info chunk to keep own public value + * @param value My public DH value */ - void (*get_my_pub_val)(pts_t *this, chunk_t *pub_value); + void (*get_my_public_value)(pts_t *this, chunk_t *value); /** - * Sets the public value of partner. + * Set peer Diffie.Hellman public value * - * @param value public value of partner + * @param value Peer public DH value */ - void (*set_other_pub_val) (pts_t *this, chunk_t value); + void (*set_peer_public_value) (pts_t *this, chunk_t value); /** * Calculates secret assessment value to be used for TPM Quote as an external data * - * @param initiator_nonce Initiator nonce (IMV nonce) - * @param responder_nonce Responder nonce (IMC nonce) - * @param algorithm Hashing algorithm - * @return TRUE, FALSE if not both DH public values and - * nonces are set + * @param initiator_nonce Initiator nonce (IMV nonce) + * @param responder_nonce Responder nonce (IMC nonce) + * @param algorithm Hashing algorithm + * @return TRUE unless both DH public values + * and nonces are set */ bool (*calculate_secret) (pts_t *this, chunk_t initiator_nonce, - chunk_t responder_nonce, pts_meas_algorithms_t algorithm); + chunk_t responder_nonce, + pts_meas_algorithms_t algorithm); /** * Returns secret assessment value to be used for TPM Quote as an external data * - * @return Secret assessment value + * @return Secret assessment value */ chunk_t (*get_secret) (pts_t *this); @@ -265,12 +266,13 @@ struct pts_t { * @param error_code Output variable for PTS error code * @return TRUE if path is valid or file/directory * doesn't exist or path is invalid - * FALSE if local error occured within stat function + * FALSE if local error occured within stat function */ bool (*is_path_valid)(pts_t *this, char *path, pts_error_code_t *error_code); /** * Compute a hash over a file + * * @param hasher Hasher to be used * @param pathname Absolute path of a file * @param hash Buffer to keep hash output @@ -365,9 +367,9 @@ struct pts_t { * Reads given PCR value and returns it * Expects owner secret to be WELL_KNOWN_SECRET * - * @param pcr_num Number of PCR to read - * @param pcr_value Chunk to save pcr read output - * @return NULL in case of TSS error, PCR value otherwise + * @param pcr_num Number of PCR to read + * @param pcr_value Chunk to save pcr read output + * @return NULL in case of TSS error, PCR value otherwise */ bool (*read_pcr)(pts_t *this, u_int32_t pcr_num, chunk_t *pcr_value); @@ -375,10 +377,10 @@ struct pts_t { * Extends given PCR with given value * Expects owner secret to be WELL_KNOWN_SECRET * - * @param pcr_num Number of PCR to extend - * @param input Value to extend - * @param output Chunk to save PCR value after extension - * @return FALSE in case of TSS error, TRUE otherwise + * @param pcr_num Number of PCR to extend + * @param input Value to extend + * @param output Chunk to save PCR value after extension + * @return FALSE in case of TSS error, TRUE otherwise */ bool (*extend_pcr)(pts_t *this, u_int32_t pcr_num, chunk_t input, chunk_t *output); @@ -386,11 +388,11 @@ struct pts_t { * Quote over PCR's * Expects owner and SRK secret to be WELL_KNOWN_SECRET and no password set for AIK * - * @param pcrs List of PCR's to make quotation over - * @param pcr_composite Chunk to save pcr composite structure - * @param quote_signature Chunk to save quote operation output - * without external data (anti-replay protection) - * @return FALSE in case of TSS error, TRUE otherwise + * @param pcrs List of PCR's to make quotation over + * @param pcr_composite Chunk to save pcr composite structure + * @param quote_signature Chunk to save quote operation output + * without external data (anti-replay protection) + * @return FALSE in case of TSS error, TRUE otherwise */ bool (*quote_tpm)(pts_t *this, linked_list_t *pcrs, chunk_t *pcr_composite, chunk_t *quote_signature); |