}
/**
- * Specify supported PTS Diffie Hellman Groups
+ * Specify supported PTS Diffie-Hellman groups
*
- * ike2: PTS_DH_GROUP_IKE2
- * ike5: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5
- * ike14: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14
- * ike19: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 | PTS_DH_GROUP_IKE19
- * ike20: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 | PTS_DH_GROUP_IKE19 | PTS_DH_GROUP_IKE20
+ * modp1024: PTS_DH_GROUP_IKE2
+ * modp1536: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5
+ * modp2048: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14
+ * ecp256: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 |
+ * PTS_DH_GROUP_IKE19
+ * ecp384: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 |
+ * PTS_DH_GROUP_IKE19 | PTS_DH_GROUP_IKE20
*
* we expect the PTS-IMC to select the strongest supported group
*/
dh_group = lib->settings->get_str(lib->settings,
- "libimcv.plugins.imv-attestation.dh_group", "ike19");
+ "libimcv.plugins.imv-attestation.dh_group", "ecp256");
if (!pts_update_supported_dh_groups(dh_group, &supported_dh_groups))
{
return TNC_RESULT_FATAL;
}
else
{
+<<<<<<< HEAD
result = TNC_RESULT_FATAL;
+=======
+ case IMV_ATTESTATION_STATE_INIT:
+ {
+ pts_proto_caps_flag_t flags;
+
+ /* Send Request Protocol Capabilities attribute */
+ flags = pts->get_proto_caps(pts);
+ attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
+ attr->set_noskip_flag(attr, TRUE);
+ msg->add_attribute(msg, attr);
+
+ /* Send Measurement Algorithms attribute */
+ attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
+ attr->set_noskip_flag(attr, TRUE);
+ msg->add_attribute(msg, attr);
+
+ attestation_state->set_handshake_state(attestation_state,
+ IMV_ATTESTATION_STATE_TPM_INIT);
+ break;
+ }
+ case IMV_ATTESTATION_STATE_TPM_INIT:
+ {
+ if (!dh_nonce_req_sent)
+ {
+ /* Send DH nonce parameters request attribute */
+ attr = tcg_pts_attr_dh_nonce_params_req_create(0, supported_dh_groups);
+ attr->set_noskip_flag(attr, TRUE);
+ msg->add_attribute(msg, attr);
+ dh_nonce_req_sent = TRUE;
+ }
+ else
+ {
+ pts_meas_algorithms_t selected_algorithm;
+ chunk_t initiator_pub_val;
+
+ /* Send DH nonce finish attribute */
+ selected_algorithm = pts->get_meas_algorithm(pts);
+ pts->get_my_public_value(pts, &initiator_pub_val);
+
+ attr = tcg_pts_attr_dh_nonce_finish_create(NONCE_LEN,
+ selected_algorithm,
+ chunk_create(initiator_nonce, NONCE_LEN),
+ initiator_pub_val);
+ attr->set_noskip_flag(attr, TRUE);
+ msg->add_attribute(msg, attr);
+
+ /* Send Get TPM Version attribute */
+ attr = tcg_pts_attr_get_tpm_version_info_create();
+ attr->set_noskip_flag(attr, TRUE);
+ msg->add_attribute(msg, attr);
+
+ /* Send Get AIK attribute */
+ attr = tcg_pts_attr_get_aik_create();
+ attr->set_noskip_flag(attr, TRUE);
+ msg->add_attribute(msg, attr);
+
+ attestation_state->set_handshake_state(attestation_state,
+ IMV_ATTESTATION_STATE_MEAS);
+ }
+
+ break;
+ }
+ case IMV_ATTESTATION_STATE_MEAS:
+ {
+
+ enumerator_t *enumerator;
+ u_int32_t delimiter = SOLIDUS_UTF;
+ char *platform_info, *pathname;
+ u_int16_t request_id;
+ int id, type;
+ bool is_dir;
+
+ attestation_state->set_handshake_state(attestation_state,
+ IMV_ATTESTATION_STATE_COMP_EVID);
+
+ /* Get Platform and OS of the PTS-IMC */
+ platform_info = pts->get_platform_info(pts);
+
+ if (!pts_db || !platform_info)
+ {
+ DBG1(DBG_IMV, "%s%s%s not available",
+ (pts_db) ? "" : "pts database",
+ (!pts_db && !platform_info) ? "and" : "",
+ (platform_info) ? "" : "platform info");
+ break;
+ }
+ DBG1(DBG_IMV, "platform is '%s'", platform_info);
+
+ /* Send Request File Metadata attribute */
+ attr = tcg_pts_attr_req_file_meta_create(FALSE, SOLIDUS_UTF, "/etc/tnc_config");
+ attr->set_noskip_flag(attr, TRUE);
+ msg->add_attribute(msg, attr);
+
+ /* Send Request File Measurement attribute */
+ enumerator = pts_db->create_file_enumerator(pts_db, platform_info);
+ if (!enumerator)
+ {
+ break;
+ }
+ while (enumerator->enumerate(enumerator, &id, &type, &pathname))
+ {
+ is_dir = (type != 0);
+ request_id = attestation_state->add_request(attestation_state,
+ id, is_dir);
+ DBG2(DBG_IMV, "measurement request %d for %s '%s'",
+ request_id, is_dir ? "directory" : "file", pathname);
+ attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
+ delimiter, pathname);
+ attr->set_noskip_flag(attr, TRUE);
+ msg->add_attribute(msg, attr);
+ }
+ enumerator->destroy(enumerator);
+ break;
+ }
+ case IMV_ATTESTATION_STATE_COMP_EVID:
+ {
+ pts_attr_req_funct_comp_evid_flag_t flags;
+ u_int32_t sub_comp_depth;
+ pts_qualifier_t qualifier;
+ pts_funct_comp_name_t name;
+
+ attestation_state->set_handshake_state(attestation_state,
+ IMV_ATTESTATION_STATE_END);
+
+ flags = PTS_REQ_FUNC_COMP_FLAG_PCR;
+ sub_comp_depth = 0;
+ qualifier.kernel = FALSE;
+ qualifier.sub_component = FALSE;
+ qualifier.type = PTS_FUNC_COMP_TYPE_ALL;
+ name = PTS_FUNC_COMP_NAME_BIOS;
+
+ /* Send Request Functional Component Evidence attribute */
+ attr = tcg_pts_attr_req_funct_comp_evid_create(flags, sub_comp_depth,
+ PEN_TCG, qualifier, name);
+ attr->set_noskip_flag(attr, TRUE);
+ msg->add_attribute(msg, attr);
+ /* Send Generate Attestation Evidence attribute */
+ attr = tcg_pts_attr_gen_attest_evid_create();
+ attr->set_noskip_flag(attr, TRUE);
+ msg->add_attribute(msg, attr);
+
+ break;
+ }
+ default:
+ DBG1(DBG_IMV, "Attestation IMV is in unknown state: \"%s\"",
+ handshake_state);
+ return TNC_RESULT_FATAL;
+>>>>>>> fixed setting of PTS DH group
}
msg->destroy(msg);
bool (*create_dh)(pts_t *this, pts_dh_group_t group);
/**
- * Gets Own Diffie Hellman Public Value
+ * Get my Diffie-Hellman public value
*
- * @param info chunk to keep own public value
+ * @param value My public DH value
*/
- void (*get_my_pub_val)(pts_t *this, chunk_t *pub_value);
+ void (*get_my_public_value)(pts_t *this, chunk_t *value);
/**
- * Sets the public value of partner.
+ * Set peer Diffie.Hellman public value
*
- * @param value public value of partner
+ * @param value Peer public DH value
*/
- void (*set_other_pub_val) (pts_t *this, chunk_t value);
+ void (*set_peer_public_value) (pts_t *this, chunk_t value);
/**
* Calculates secret assessment value to be used for TPM Quote as an external data
*
- * @param initiator_nonce Initiator nonce (IMV nonce)
- * @param responder_nonce Responder nonce (IMC nonce)
- * @param algorithm Hashing algorithm
- * @return TRUE, FALSE if not both DH public values and
- * nonces are set
+ * @param initiator_nonce Initiator nonce (IMV nonce)
+ * @param responder_nonce Responder nonce (IMC nonce)
+ * @param algorithm Hashing algorithm
+ * @return TRUE unless both DH public values
+ * and nonces are set
*/
bool (*calculate_secret) (pts_t *this, chunk_t initiator_nonce,
- chunk_t responder_nonce, pts_meas_algorithms_t algorithm);
+ chunk_t responder_nonce,
+ pts_meas_algorithms_t algorithm);
/**
* Returns secret assessment value to be used for TPM Quote as an external data
*
- * @return Secret assessment value
+ * @return Secret assessment value
*/
chunk_t (*get_secret) (pts_t *this);
* @param error_code Output variable for PTS error code
* @return TRUE if path is valid or file/directory
* doesn't exist or path is invalid
- * FALSE if local error occured within stat function
+ * FALSE if local error occured within stat function
*/
bool (*is_path_valid)(pts_t *this, char *path, pts_error_code_t *error_code);
/**
* Compute a hash over a file
+ *
* @param hasher Hasher to be used
* @param pathname Absolute path of a file
* @param hash Buffer to keep hash output
* Reads given PCR value and returns it
* Expects owner secret to be WELL_KNOWN_SECRET
*
- * @param pcr_num Number of PCR to read
- * @param pcr_value Chunk to save pcr read output
- * @return NULL in case of TSS error, PCR value otherwise
+ * @param pcr_num Number of PCR to read
+ * @param pcr_value Chunk to save pcr read output
+ * @return NULL in case of TSS error, PCR value otherwise
*/
bool (*read_pcr)(pts_t *this, u_int32_t pcr_num, chunk_t *pcr_value);
* Extends given PCR with given value
* Expects owner secret to be WELL_KNOWN_SECRET
*
- * @param pcr_num Number of PCR to extend
- * @param input Value to extend
- * @param output Chunk to save PCR value after extension
- * @return FALSE in case of TSS error, TRUE otherwise
+ * @param pcr_num Number of PCR to extend
+ * @param input Value to extend
+ * @param output Chunk to save PCR value after extension
+ * @return FALSE in case of TSS error, TRUE otherwise
*/
bool (*extend_pcr)(pts_t *this, u_int32_t pcr_num, chunk_t input, chunk_t *output);
* Quote over PCR's
* Expects owner and SRK secret to be WELL_KNOWN_SECRET and no password set for AIK
*
- * @param pcrs List of PCR's to make quotation over
- * @param pcr_composite Chunk to save pcr composite structure
- * @param quote_signature Chunk to save quote operation output
- * without external data (anti-replay protection)
- * @return FALSE in case of TSS error, TRUE otherwise
+ * @param pcrs List of PCR's to make quotation over
+ * @param pcr_composite Chunk to save pcr composite structure
+ * @param quote_signature Chunk to save quote operation output
+ * without external data (anti-replay protection)
+ * @return FALSE in case of TSS error, TRUE otherwise
*/
bool (*quote_tpm)(pts_t *this, linked_list_t *pcrs,
chunk_t *pcr_composite, chunk_t *quote_signature);
projects / thirdparty / strongswan.git / commitdiff
