From: Andreas Steffen Date: Mon, 28 Nov 2011 21:03:46 +0000 (+0100) Subject: differences incurred by rebasing - thanks Linus X-Git-Tag: 4.6.2~142 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1fe683c1bd7afaaea49e4629ff68285423108d88;p=thirdparty%2Fstrongswan.git differences incurred by rebasing - thanks Linus --- diff --git a/src/libpts/plugins/imc_attestation/imc_attestation.c b/src/libpts/plugins/imc_attestation/imc_attestation.c index 9c60302488..e25b238148 100644 --- a/src/libpts/plugins/imc_attestation/imc_attestation.c +++ b/src/libpts/plugins/imc_attestation/imc_attestation.c @@ -28,6 +28,7 @@ #include #include + #include #include @@ -53,28 +54,6 @@ static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE; */ static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE; -/** - * List of buffered Simple Component Evidences - * To be sent on reception of Generate Attestation Evidence attribute - */ -static linked_list_t *evidences = NULL; - -/** - * Supported PTS Diffie Hellman Groups - */ -static pts_dh_group_t supported_dh_groups = 0; - -/** - * Supported PTS Diffie Hellman Groups - */ -static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE; - -/** - * List of buffered Simple Component Evidences - * To be sent on reception of Generate Attestation Evidence attribute - */ -static linked_list_t *evidences = NULL; - /** * see section 3.7.1 of TCG TNC IF-IMC Specification 1.2 */ @@ -268,6 +247,7 @@ TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id, supported_algorithms, supported_dh_groups)) { result = TNC_RESULT_FATAL; + break; } } } diff --git a/src/libpts/plugins/imv_attestation/attest.c b/src/libpts/plugins/imv_attestation/attest.c index ac91b5aa72..82c1f186f1 100644 --- a/src/libpts/plugins/imv_attestation/attest.c +++ b/src/libpts/plugins/imv_attestation/attest.c 
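Review bot: The added `break;` after `result = TNC_RESULT_FATAL;` leaves only the innermost loop, so whether the fatal result actually reaches the caller now depends on code outside this hunk: any later assignment to `result` in an enclosing loop, and the cleanup that loop relies on (an enumerator destroy, if the loop is enumerator-driven) still has to run on this path. TNC_IMC_ReceiveMessage starts and ends outside the hunk, so neither can be confirmed here. A short comment on the new line would mark the early exit as deliberate rather than a rebase leftover, e.g. `break; /* stop processing attributes after a fatal build error */`.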
@@ -125,11 +125,8 @@ static void do_args(int argc, char *argv[]) { "add", no_argument, NULL, 'a' }, { "delete", no_argument, NULL, 'd' }, { "del", no_argument, NULL, 'd' }, - { "products", no_argument, NULL, 'p' }, - { "hashes", no_argument, NULL, 'H' }, - { "add", no_argument, NULL, 'a' }, - { "delete", no_argument, NULL, 'd' }, - { "del", no_argument, NULL, 'd' }, + { "component", required_argument, NULL, 'C' }, + { "comp", required_argument, NULL, 'C' }, { "directory", required_argument, NULL, 'D' }, { "dir", required_argument, NULL, 'D' }, { "file", required_argument, NULL, 'F' }, @@ -191,21 +188,6 @@ static void do_args(int argc, char *argv[]) exit(EXIT_FAILURE); } continue; - case 'H': - op = OP_HASHES; - continue; - case 'a': - op = OP_ADD; - continue; - case 'd': - op = OP_DEL; - continue; - case 'D': - if (!attest->set_directory(attest, optarg, op == OP_ADD)) - { - exit(EXIT_FAILURE); - } - continue; case 'F': if (!attest->set_file(attest, optarg, op == OP_ADD)) { @@ -299,9 +281,6 @@ static void do_args(int argc, char *argv[]) case OP_DEL: attest->delete(attest); break; - case OP_HASHES: - attest->list_hashes(attest); - break; default: usage(); exit(EXIT_FAILURE); diff --git a/src/libpts/plugins/imv_attestation/imv_attestation.c b/src/libpts/plugins/imv_attestation/imv_attestation.c index 3469979d1f..7d8445c131 100644 --- a/src/libpts/plugins/imv_attestation/imv_attestation.c +++ b/src/libpts/plugins/imv_attestation/imv_attestation.c @@ -57,11 +57,6 @@ static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE; */ static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE; -/** - * Supported PTS Diffie Hellman Groups - */ -static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE; - /** * PTS file measurement database */ 
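Review bot: The two new long options `{ "component", required_argument, NULL, 'C' }` and `{ "comp", required_argument, NULL, 'C' }` have no visible `case 'C':` arm in the getopt switch, and the two following hunks of this file only remove duplicated `'H'`/`'a'`/`'d'`/`'D'` arms, so unless `do_args` already handles `'C'` outside these hunks, `getopt_long()` returns `'C'` with `optarg` set and the switch routes it to whatever default arm it has. Also confirm that the short-option string contains `C:` if `-C <name>` is meant to be accepted alongside `--component`. `do_args` starts and ends outside the hunk.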
@@ -97,10 +92,6 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, { return TNC_RESULT_FATAL; } - if (!pts_probe_dh_groups(&supported_dh_groups)) - { - return TNC_RESULT_FATAL; - } imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE, imv_id, actual_version); if (!imv_attestation) @@ -127,28 +118,6 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id, return TNC_RESULT_FATAL; } - /** - * Specify supported PTS Diffie-Hellman groups - * - * modp1024: PTS_DH_GROUP_IKE2 - * modp1536: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 - * modp2048: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 - * ecp256: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 | - * PTS_DH_GROUP_IKE19 - * ecp384: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 | - * PTS_DH_GROUP_IKE19 | PTS_DH_GROUP_IKE20 - * - * we expect the PTS-IMC to select the strongest supported group - */ - dh_group = lib->settings->get_str(lib->settings, - "libimcv.plugins.imv-attestation.dh_group", "ecp256"); - - if (!pts_meas_algo_update(hash_alg, &supported_algorithms) || - !pts_dh_group_update(dh_group, &supported_dh_groups)) - { - return TNC_RESULT_FATAL; - } - /* create a PTS credential manager */ pts_credmgr = credential_manager_create(); 
@@ -211,175 +180,16 @@ static TNC_Result send_message(TNC_ConnectionID connection_id) attestation_state = (imv_attestation_state_t*)state; msg = pa_tnc_msg_create(); -<<<<<<< HEAD if (imv_attestation_build(msg, attestation_state, supported_algorithms, supported_dh_groups, pts_db)) { msg->build(msg); result = imv_attestation->send_message(imv_attestation, connection_id, msg->get_encoding(msg)); -======= - if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ && - !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T)) - { - DBG1(DBG_IMV, "PTS-IMC has no TPM capability - " - "advancing to PTS measurement phase"); - handshake_state = IMV_ATTESTATION_STATE_MEAS; ->>>>>>> added the IMV_ATTESTATION_STATE_NONCE_REQ state } else { -<<<<<<< HEAD result = TNC_RESULT_FATAL; -======= - case IMV_ATTESTATION_STATE_INIT: - { - pts_proto_caps_flag_t flags; - - /* Send Request Protocol Capabilities attribute */ - flags = pts->get_proto_caps(pts); - attr = tcg_pts_attr_proto_caps_create(flags, TRUE); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - /* Send Measurement Algorithms attribute */ - attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - attestation_state->set_handshake_state(attestation_state, - IMV_ATTESTATION_STATE_NONCE_REQ); - break; - } - case IMV_ATTESTATION_STATE_NONCE_REQ: - { - int min_nonce_len; - - /* Send DH nonce parameters request attribute */ - min_nonce_len = lib->settings->get_int(lib->settings, - "libimcv.plugins.imv-attestation.min_nonce_len", 0); - attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len, - supported_dh_groups); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - attestation_state->set_handshake_state(attestation_state, - IMV_ATTESTATION_STATE_TPM_INIT); - break; - } - case IMV_ATTESTATION_STATE_TPM_INIT: - { - pts_meas_algorithms_t selected_algorithm; - chunk_t initiator_value, initiator_nonce; - - /* Send 
DH nonce finish attribute */ - selected_algorithm = pts->get_meas_algorithm(pts); - pts->get_my_public_value(pts, &initiator_value, &initiator_nonce); - attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm, - initiator_value, initiator_nonce); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - /* Send Get TPM Version attribute */ - attr = tcg_pts_attr_get_tpm_version_info_create(); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - /* Send Get AIK attribute */ - attr = tcg_pts_attr_get_aik_create(); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - attestation_state->set_handshake_state(attestation_state, - IMV_ATTESTATION_STATE_MEAS); - break; - } - case IMV_ATTESTATION_STATE_MEAS: - { - - enumerator_t *enumerator; - u_int32_t delimiter = SOLIDUS_UTF; - char *platform_info, *pathname; - u_int16_t request_id; - int id, type; - bool is_dir; - - attestation_state->set_handshake_state(attestation_state, - IMV_ATTESTATION_STATE_COMP_EVID); - - /* Get Platform and OS of the PTS-IMC */ - platform_info = pts->get_platform_info(pts); - - if (!pts_db || !platform_info) - { - DBG1(DBG_IMV, "%s%s%s not available", - (pts_db) ? "" : "pts database", - (!pts_db && !platform_info) ? "and" : "", - (platform_info) ? "" : "platform info"); - break; - } - DBG1(DBG_IMV, "platform is '%s'", platform_info); - - /* Send Request File Metadata attribute */ - attr = tcg_pts_attr_req_file_meta_create(FALSE, SOLIDUS_UTF, "/etc/tnc_config"); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - /* Send Request File Measurement attribute */ - enumerator = pts_db->create_file_enumerator(pts_db, platform_info); - if (!enumerator) - { - break; - } - while (enumerator->enumerate(enumerator, &id, &type, &pathname)) - { - is_dir = (type != 0); - request_id = attestation_state->add_request(attestation_state, - id, is_dir); - DBG2(DBG_IMV, "measurement request %d for %s '%s'", - request_id, is_dir ? 
"directory" : "file", pathname); - attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id, - delimiter, pathname); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - } - enumerator->destroy(enumerator); - break; - } - case IMV_ATTESTATION_STATE_COMP_EVID: - { - pts_attr_req_funct_comp_evid_flag_t flags; - u_int32_t sub_comp_depth; - pts_qualifier_t qualifier; - pts_funct_comp_name_t name; - - attestation_state->set_handshake_state(attestation_state, - IMV_ATTESTATION_STATE_END); - - flags = PTS_REQ_FUNC_COMP_FLAG_PCR; - sub_comp_depth = 0; - qualifier.kernel = FALSE; - qualifier.sub_component = FALSE; - qualifier.type = PTS_FUNC_COMP_TYPE_ALL; - name = PTS_FUNC_COMP_NAME_BIOS; - - /* Send Request Functional Component Evidence attribute */ - attr = tcg_pts_attr_req_funct_comp_evid_create(flags, sub_comp_depth, - PEN_TCG, qualifier, name); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - /* Send Generate Attestation Evidence attribute */ - attr = tcg_pts_attr_gen_attest_evid_create(); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - break; - } - default: - DBG1(DBG_IMV, "Attestation IMV is in unknown state: \"%s\"", - handshake_state); - return TNC_RESULT_FATAL; ->>>>>>> added the IMV_ATTESTATION_STATE_NONCE_REQ state } msg->destroy(msg); diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c index c30a557194..dbd66be0d6 100644 --- a/src/libpts/pts/pts.c +++ b/src/libpts/pts/pts.c 
@@ -1111,33 +1111,6 @@ METHOD(pts_t, add_pcr, bool, return TRUE; } -METHOD(pts_t, does_pcr_value_match, bool, - private_pts_t *this, chunk_t pcr_after_value) -{ - enumerator_t *e; - pcr_entry_t *entry; - - if (!this->pcrs) - { - this->pcrs = linked_list_create(); - } - - e = this->pcrs->create_enumerator(this->pcrs); - while (e->enumerate(e, &entry)) - { - if (entry->pcr_number == new->pcr_number) - { - DBG4(DBG_PTS, "updating already added PCR%d value", - entry->pcr_number); - this->pcrs->remove_at(this->pcrs, e); - free(entry); - break; - } - } - DESTROY_IF(e); - this->pcrs->insert_last(this->pcrs, new); -} - /** * TPM_QUOTE_INFO structure: * 4 bytes of version @@ -1229,26 +1202,6 @@ METHOD(pts_t, get_quote_info, bool, hasher->allocate_hash(hasher, pcr_comp, &hash_pcr_comp); hasher->destroy(hasher); - writer->write_data(writer, hash_pcr_composite); - chunk_clear(&pcr_composite); - chunk_clear(&hash_pcr_composite); - - /* Hash the PCR Composite Structure */ - hasher->allocate_hash(hasher, pcr_composite, out_pcr_composite); - DBG4(DBG_PTS, "Hash of calculated PCR Composite: %B", out_pcr_composite); - hasher->destroy(hasher); - } - else - { - *out_pcr_composite = chunk_clone(pcr_composite); - DBG3(DBG_PTS, "calculated PCR Composite: %B", out_pcr_composite); - } - - /* SHA1 hash of PCR Composite to construct TPM_QUOTE_INFO */ - hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); - hasher->allocate_hash(hasher, pcr_composite, &hash_pcr_composite); - hasher->destroy(hasher); - /* Construct TPM_QUOTE_INFO/TPM_QUOTE_INFO2 structure */ writer = bio_writer_create(TPM_QUOTE_INFO_LEN); @@ -1330,15 +1283,7 @@ METHOD(pts_t, verify_quote_signature, bool, DESTROY_IF(aik_pub_key); return FALSE; } - */ - if (!aik_pub_key->get_encoding(aik_pub_key, - PUBKEY_SPKI_ASN1_DER, &key_encoding)) - { - DBG1(DBG_PTS, "failed to get encoding of AIK public key"); - goto cleanup; - } - aik_pub_key->destroy(aik_pub_key); return TRUE; } 
diff --git a/src/libpts/pts/pts.h b/src/libpts/pts/pts.h index e1cba9180e..814befffc8 100644 --- a/src/libpts/pts/pts.h +++ b/src/libpts/pts/pts.h @@ -160,37 +160,6 @@ struct pts_t { */ bool (*calculate_secret) (pts_t *this); - /** - * Set PTS Diffie Hellman Object - * - * @param dh D-H object - */ - bool (*create_dh_nonce)(pts_t *this, pts_dh_group_t group, int nonce_len); - - /** - * Get my Diffie-Hellman public value - * - * @param value My public DH value - * @param nonce My DH nonce - */ - void (*get_my_public_value)(pts_t *this, chunk_t *value, chunk_t *nonce); - - /** - * Set peer Diffie.Hellman public value - * - * @param value Peer public DH value - * @param nonce Peer DH nonce - */ - void (*set_peer_public_value) (pts_t *this, chunk_t value, chunk_t nonce); - - /** - * Calculates secret assessment value to be used for TPM Quote as ExternalData - * - * @return TRUE unless both DH public values - * and nonces are set - */ - bool (*calculate_secret) (pts_t *this); - /** * Get Platform and OS Info * @@ -261,8 +230,7 @@ struct pts_t { bool (*is_path_valid)(pts_t *this, char *path, pts_error_code_t *error_code); /** - * Compute a hash over a file - * + * Compute a hash over a file * @param hasher Hasher to be used * @param pathname Absolute path of a file * @param hash Buffer to keep hash output 
@@ -368,68 +336,6 @@ struct pts_t { */ bool (*verify_quote_signature)(pts_t *this, chunk_t data, chunk_t signature); - /** - * Reads given PCR value and returns it - * Expects owner secret to be WELL_KNOWN_SECRET - * - * @param pcr_num Number of PCR to read - * @param pcr_value Chunk to save pcr read output - * @return NULL in case of TSS error, PCR value otherwise - */ - bool (*read_pcr)(pts_t *this, u_int32_t pcr_num, chunk_t *pcr_value); - - /** - * Extends given PCR with given value - * Expects owner secret to be WELL_KNOWN_SECRET - * - * @param pcr_num Number of PCR to extend - * @param input Value to extend - * @param output Chunk to save PCR value after extension - * @return FALSE in case of TSS error, TRUE otherwise - */ - bool (*extend_pcr)(pts_t *this, u_int32_t pcr_num, chunk_t input, - chunk_t *output); - - /** - * Quote over PCR's - * Expects owner and SRK secret to be WELL_KNOWN_SECRET and no password set for AIK - * - * @param pcrs Array of PCR's to make quotation over - * @param num_of_pcrs Number of elements in pcrs array - * @param pcr_composite Chunk to save pcr composite structure - * @param quote_signature Chunk to save quote operation output - * without external data (anti-replay protection) - * @return FALSE in case of TSS error, TRUE otherwise - */ - bool (*quote_tpm)(pts_t *this, u_int32_t *pcrs, u_int32_t num_of_pcrs, - chunk_t *pcr_composite, chunk_t *quote_signature); - - /** - * Add extended PCR with its corresponding value - * - * @return FALSE in case of any error or non-match, TRUE otherwise - */ - void (*add_pcr_entry)(pts_t *this, pcr_entry_t *entry); - - /** - * Constructs and returns TPM Quote Info structure expected from IMC - * - * @param pcr_composite Output variable to store PCR Composite - * @param quote_info Output variable to store TPM Quote Info - * @return FALSE in case of any error, TRUE otherwise - */ - bool (*get_quote_info)(pts_t *this, chunk_t *pcr_composite, - chunk_t *quote_info); - - /** - * Constructs and 
returns PCR Quote Digest structure expected from IMC - * - * @param data Calculated TPM Quote Digest - * @param signature TPM Quote Signature received from IMC - * @return FALSE in case signature is not verified, TRUE otherwise - */ - bool (*verify_quote_signature)(pts_t *this, chunk_t data, chunk_t signature); - /** * Destroys a pts_t object. */ @@ -445,4 +351,3 @@ struct pts_t { pts_t* pts_create(bool is_imc); #endif /** PTS_H_ @}*/ - diff --git a/src/libpts/pts/pts_dh_group.h b/src/libpts/pts/pts_dh_group.h index 1734daaf68..8664a4b84c 100644 --- a/src/libpts/pts/pts_dh_group.h +++ b/src/libpts/pts/pts_dh_group.h @@ -93,17 +93,6 @@ bool pts_dh_group_update(char *dh_group, pts_dh_group_t *dh_groups); pts_dh_group_t pts_dh_group_select(pts_dh_group_t supported_dh_groups, pts_dh_group_t offered_dh_groups); -/** - * Select the strongest supported Diffie-Hellman group - * among a set of offered DH groups - * - * @param dh_group set of supported DH groups - * @param groups set of offered DH groups - * @return selected DH group - */ -pts_dh_group_t pts_dh_group_select(pts_dh_group_t supported_dh_groups, - pts_dh_group_t offered_dh_groups); - /** * Convert pts_dh_group_t to diffie_hellman_group_t * diff --git a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c index 7e3dcd0e5e..999c22b7bd 100644 --- a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c +++ b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c 
@@ -226,15 +226,18 @@ METHOD(pa_tnc_attr_t, process, status_t, /* Optional Composite Hash Algorithm and TPM PCR Composite fields */ if (this->flags != PTS_SIMPLE_EVID_FINAL_NO) { - u_int32_t pcr_comp_len, tpm_quote_sign_len; - - /** TODO: Ignoring Hashing algorithm field - * There is no flag defined which indicates the precense of it - * reader->read_uint16(reader, &algorithm); - * this->comp_hash_algorithm = algorithm; - */ - reader->read_uint32(reader, &pcr_comp_len); - reader->read_data(reader, pcr_comp_len, &this->pcr_comp); + if (!reader->read_uint32(reader, &pcr_comp_len)) + { + DBG1(DBG_TNC, "insufficient data for PTS Simple Evidence Final " + "PCR Composite Lenght"); + goto end; + } + if (!reader->read_data(reader, pcr_comp_len, &this->pcr_comp)) + { + DBG1(DBG_TNC, "insufficient data for PTS Simple Evidence Final " + "PCR Composite"); + goto end; + } this->pcr_comp = chunk_clone(this->pcr_comp); if (!reader->read_uint32(reader, &tpm_quote_sig_len))