From: Sansar Choinyambuu
Date: Mon, 31 Oct 2011 10:26:00 +0000 (+0100)
Subject: Implemented matching of Optional PCR Composite field value when Hashing was done...
X-Git-Tag: 4.6.2~274
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cb66320fee1f23d0b3ec3b42aec00a80c7ffdcbd;p=thirdparty%2Fstrongswan.git
Implemented matching of Optional PCR Composite field value when Hashing was done to reduce the size of it Optional Composite Hash Algorithm field is always present, has value of all zeroes if was not used
---
diff --git a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c
index cbb3dc3d5e..8748202029 100644
--- a/src/libimcv/plugins/imc_attestation/imc_attestation_process.c
+++ b/src/libimcv/plugins/imc_attestation/imc_attestation_process.c
@@ -441,6 +441,7 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 {
 enumerator_t *e;
 pts_simple_evid_final_flag_t flags;
+ pts_meas_algorithms_t composite_algorithm = 0;
 chunk_t pcr_composite, quote_signature;
 u_int32_t num_of_evidences, i = 0;
 u_int32_t *pcrs;
@@ -478,9 +479,11 @@ bool imc_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 /* Send Simple Evidence Final attribute */
 flags = PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO;
+ composite_algorithm |= PTS_MEAS_ALGO_SHA1;
- attr = tcg_pts_attr_simple_evid_final_create(FALSE, flags, 0,
- pcr_composite, quote_signature, chunk_empty);
+ attr = tcg_pts_attr_simple_evid_final_create(FALSE, flags,
+ composite_algorithm, pcr_composite,
+ quote_signature, chunk_empty);
 attr_list->insert_last(attr_list, attr);
 DESTROY_IF(e);
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
index aa2b0fe17f..1ba627ec9d 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c
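Review bot: `composite_algorithm |= PTS_MEAS_ALGO_SHA1;` OR-s a single algorithm into a variable the earlier hunk zero-initializes, which reads as bitmask accumulation; `composite_algorithm = PTS_MEAS_ALGO_SHA1;` states the intent directly. The IMC also fixes the algorithm to SHA1 here while the IMV (imv_attestation_process.c hunk) recomputes with whatever value the attribute carries, so a one-line comment such as `/* PCR Composite is sent as its SHA1 hash; the IMV hashes its own copy with the algorithm carried in the attribute */` would record that coupling for the next reader. imc_attestation_process continues outside both hunks.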
@@ -283,17 +283,21 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 {
 tcg_pts_attr_simple_evid_final_t *attr_cast;
 pts_simple_evid_final_flag_t flags;
+ pts_meas_algorithms_t composite_algorithm;
 chunk_t pcr_comp;
 chunk_t tpm_quote_sign;
 chunk_t evid_sign;
 bool evid_signature_included;
-
- /** TODO: Ignoring Composite Hash Algorithm field
- * No flag defined which indicates the precense of it
- */
+
 attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr;
 evid_signature_included = attr_cast->is_evid_sign_included(attr_cast);
 flags = attr_cast->get_flags(attr_cast);
+
+ /** Optional Composite Hash Algorithm field is always present
+ * Field has value of all zeroes if not used.
+ * Implemented adhering the suggestion of Paul Sangster 28.Oct.2011
+ */
+ composite_algorithm = attr_cast->get_comp_hash_algorithm(attr_cast);
 if ((flags == PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO2) ||
 (flags == PTS_SIMPLE_EVID_FINAL_FLAG_TPM_QUOTE_INFO2_CAP_VER))
@@ -310,13 +314,14 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list,
 tpm_quote_sign = attr_cast->get_tpm_quote_sign(attr_cast);
 /* Construct PCR Composite and TPM Quote Info structures*/
- if (!pts->get_quote_info(pts, &pcr_composite, "e_info))
+ if (!pts->get_quote_info(pts, composite_algorithm,
+ &pcr_composite, "e_info))
 {
 DBG1(DBG_IMV, "unable to contruct TPM Quote Info");
 return FALSE;
 }
- /* Check calculated PCR composite structure matches with received */
+ /* Check calculated PCR composite matches with received */
 if (pcr_comp.ptr && !chunk_equals(pcr_comp, pcr_composite))
 {
 DBG1(DBG_IMV, "received PCR Compsosite didn't match"
diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c
index df84e1cfc9..29327e15fc 100644
--- a/src/libpts/pts/pts.c
+++ b/src/libpts/pts/pts.c
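Review bot: `composite_algorithm = attr_cast->get_comp_hash_algorithm(attr_cast);` takes the value straight from the received attribute, and the second hunk passes it into `pts->get_quote_info()` with no check that it names an algorithm this side can hash with; a peer-chosen value that maps to no hasher is then left for get_quote_info to cope with. Validate it here, for example by mapping it with `pts_meas_algo_to_hash()` and, on an unsupported result, logging with `DBG1(DBG_IMV, ...)` and returning FALSE as the other failure path in the second hunk does; a non-zero value should also be checked against whatever measurement algorithms were negotiated, which cannot be seen from the hunk. A one-line comment that zero means "PCR Composite sent unhashed" would also make the contract with get_quote_info's `if (composite_algo)` branch explicit. imv_attestation_process continues outside both hunks.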
@@ -1003,11 +1003,12 @@ METHOD(pts_t, add_pcr_entry, void,
 */
 METHOD(pts_t, get_quote_info, bool,
- private_pts_t *this, chunk_t *out_pcr_composite, chunk_t *out_quote_info)
+ private_pts_t *this, pts_meas_algorithms_t composite_algo,
+ chunk_t *out_pcr_composite, chunk_t *out_quote_info)
 {
 enumerator_t *e;
 pcr_entry_t *pcr_entry;
- chunk_t pcr_composite;
+ chunk_t pcr_composite, hash_pcr_composite;
 u_int32_t pcr_composite_len;
 bio_writer_t *writer;
 u_int8_t mask_bytes[PCR_MASK_LEN] = {0,0,0}, i;
@@ -1068,14 +1069,33 @@ METHOD(pts_t, get_quote_info, bool,
 writer->write_uint8(writer, 'O');
 writer->write_uint8(writer, 'T');
- /* SHA1 hash of PCR Composite Structure */
- hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
- hasher->allocate_hash(hasher, pcr_composite, out_pcr_composite);
- DBG4(DBG_PTS, "Hash of calculated PCR Composite: %B", out_pcr_composite);
+ /* Output the TPM_PCR_COMPOSITE expected from IMC */
+ if (composite_algo)
+ {
+ hash_algorithm_t algo;
+
+ algo = pts_meas_algo_to_hash(composite_algo);
+ hasher = lib->crypto->create_hasher(lib->crypto, algo);
- chunk_clear(&pcr_composite);
+ /* Hash the PCR Composite Structure */
+ hasher->allocate_hash(hasher, pcr_composite, out_pcr_composite);
+ DBG4(DBG_PTS, "Hash of calculated PCR Composite: %B", out_pcr_composite);
+ hasher->destroy(hasher);
+ }
+ else
+ {
+ *out_pcr_composite = chunk_clone(pcr_composite);
+ DBG4(DBG_PTS, "calculated PCR Composite: %B", out_pcr_composite);
+ }
+
+ /* SHA1 hash of PCR Composite to construct TPM_QUOTE_INFO */
+ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
+ hasher->allocate_hash(hasher, pcr_composite, &hash_pcr_composite);
 hasher->destroy(hasher);
- writer->write_data(writer, *out_pcr_composite);
+
+ writer->write_data(writer, hash_pcr_composite);
+ chunk_clear(&pcr_composite);
+ chunk_clear(&hash_pcr_composite);
 if (!this->secret.ptr)
 {
diff --git a/src/libpts/pts/pts.h b/src/libpts/pts/pts.h
index 932bf2f692..84175d7cee 100644
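Review bot: `hasher = lib->crypto->create_hasher(lib->crypto, algo);` in the new `if (composite_algo)` branch is dereferenced on the following lines without a NULL check, and `algo` is derived from `composite_algo`, which on the IMV side is read from the received attribute (imv_attestation_process.c hunk); an algorithm that is unsupported or not registered becomes a NULL dereference instead of the FALSE return the function's contract promises. Add `if (!hasher) { DBG1(DBG_PTS, "unsupported PCR Composite hash algorithm"); return FALSE; }` after the create_hasher call, releasing `writer` and `pcr_composite` before returning in the same way the function's other error paths presumably do (those paths lie outside the hunk). The pre-existing SHA1 create_hasher further down has the same unchecked shape, but its input is a constant. get_quote_info's body continues outside the hunk.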
--- a/src/libpts/pts/pts.h
+++ b/src/libpts/pts/pts.h
@@ -289,8 +289,8 @@ struct pts_t {
 * @param quote_info Output variable to store TPM Quote Info
 * @return FALSE in case of any error, TRUE otherwise
 */
- bool (*get_quote_info)(pts_t *this, chunk_t *pcr_composite,
- chunk_t *quote_info);
+ bool (*get_quote_info)(pts_t *this, pts_meas_algorithms_t composite_algo,
+ chunk_t *pcr_composite, chunk_t *quote_info);
 /**
 * Constructs and returns PCR Quote Digest structure expected from IMC
diff --git a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
index 833b1017e6..c6a5af3e17 100644
--- a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
+++ b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c
@@ -167,11 +167,13 @@ METHOD(pa_tnc_attr_t, build, void,
 writer->write_uint8 (writer, flags);
 writer->write_uint8 (writer, PTS_SIMPLE_EVID_FINAL_RESERVED);
+ /** Optional Composite Hash Algorithm field is always present
+ * Field has value of all zeroes if not used.
+ * Implemented adhering the suggestion of Paul Sangster 28.Oct.2011
+ */
+ writer->write_uint16(writer, this->comp_hash_algorithm);
+
 /* Optional fields */
- if (this->comp_hash_algorithm)
- {
- writer->write_uint16(writer, this->comp_hash_algorithm);
- }
 if (this->pcr_comp.ptr && this->pcr_comp.len > 0)
 {
 writer->write_uint32 (writer, this->pcr_comp.len);
@@ -197,7 +199,7 @@ METHOD(pa_tnc_attr_t, process, status_t,
 bio_reader_t *reader;
 u_int8_t flags;
 u_int8_t reserved;
- /** u_int16_t algorithm;*/
+ u_int16_t algorithm;
 if (this->value.len < PTS_SIMPLE_EVID_FINAL_SIZE)
 {
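Review bot: The `get_quote_info` signature gains `composite_algo`, but the doc comment directly above it, whose visible tail still lists only `@param quote_info` and `@return`, gets no entry for the new parameter. Add `* @param composite_algo Hash algorithm applied to the PCR Composite before it is returned in pcr_composite, 0 to return it unhashed`, which is what the `if (composite_algo)` branch in the pts.c hunk implements, and adjust the existing `@param pcr_composite` line (it lies above the hunk) so it says the output may be either the structure or its hash. The start of the comment block is outside the hunk.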
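Review bot: The four-line comment placed above `writer->write_uint16(writer, this->comp_hash_algorithm);` in `build` is repeated verbatim in the `process` hunk of this file and in imv_attestation_process.c, so the wire-format rule and its provenance live in three places that will drift. State it once in the attribute's header next to the size constant and reduce the copies to a one-liner such as `/* Composite Hash Algorithm field is mandatory on the wire, 0 = not used */`. The now-unconditional write also makes the following `/* Optional fields */` comment refer only to the PCR Composite and quote signature fields, which is worth saying. build's body continues outside the hunk.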
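Review bot: `u_int16_t algorithm;` is declared without an initializer and its only assignment is the unchecked `reader->read_uint16(reader, &algorithm);` added in the later hunk of this file, so on an attribute too short for the field `this->comp_hash_algorithm = algorithm;` stores an indeterminate value. Declare it as `u_int16_t algorithm = 0;` and, in the later hunk, treat a failed read as a malformed attribute and return the same error status the method's length checks use. The length test on the next line relies on `PTS_SIMPLE_EVID_FINAL_SIZE`, which this commit does not touch; if that constant predates the mandatory two-byte field it needs to grow by two, which cannot be confirmed from the hunk. process's body continues outside both hunks.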
@@ -232,18 +234,20 @@ METHOD(pa_tnc_attr_t, process, status_t,
 }
 reader->read_uint8(reader, &reserved);
+
+ /** Optional Composite Hash Algorithm field is always present
+ * Field has value of all zeroes if not used.
+ * Implemented adhering the suggestion of Paul Sangster 28.Oct.2011
+ */
+
+ reader->read_uint16(reader, &algorithm);
+ this->comp_hash_algorithm = algorithm;
 /* Optional Composite Hash Algorithm and TPM PCR Composite field is included */
 if (this->flags != PTS_SIMPLE_EVID_FINAL_FLAG_NO)
 {
 u_int32_t pcr_comp_len, tpm_quote_sign_len;
- /** TODO: Ignoring Hashing algorithm field
- * There is no flag defined which indicates the precense of it
- * reader->read_uint16(reader, &algorithm);
- * this->comp_hash_algorithm = algorithm;
- */
-
 reader->read_uint32(reader, &pcr_comp_len);
 reader->read_data(reader, pcr_comp_len, &this->pcr_comp);
 this->pcr_comp = chunk_clone(this->pcr_comp);
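Review bot: With `reader->read_uint16(reader, &algorithm);` moved ahead of the `if (this->flags != PTS_SIMPLE_EVID_FINAL_FLAG_NO)` block, the context comment `/* Optional Composite Hash Algorithm and TPM PCR Composite field is included */` that still heads that block is now wrong about what it guards, since the block reads only the PCR Composite and quote signature lengths declared on the next line; change it to `/* TPM PCR Composite and TPM Quote Signature fields are included */`. The added blank line between the `*/` and the read it documents also separates the comment from its statement; drop it. process's body continues outside the hunk.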