From: Sansar Choinyambuu Date: Mon, 24 Oct 2011 09:28:17 +0000 (+0200) Subject: Implemented creating and handling of Optional PCR Composite field in Simple Evidence... X-Git-Tag: 4.6.2~305 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7fa72be3f214a7e32ae706a9e3823e050deb29dc;p=thirdparty%2Fstrongswan.git Implemented creating and handling of Optional PCR Composite field in Simple Evidence Final attribute --- diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c index be3d7e07dd..9c6908d3a2 100644 --- a/src/libimcv/plugins/imv_attestation/imv_attestation_process.c +++ b/src/libimcv/plugins/imv_attestation/imv_attestation_process.c @@ -314,27 +314,28 @@ bool imv_attestation_process(pa_tnc_attr_t *attr, linked_list_t *attr_list, if (pcr_comp.ptr && !chunk_equals(pcr_comp, pcr_composite)) { DBG1(DBG_IMV, "received PCR Compsosite didn't match with constructed"); - free(pcr_composite.ptr); - free(quote_info.ptr); + chunk_clear(&pcr_composite); + chunk_clear("e_info); return FALSE; } - free(pcr_composite.ptr); + DBG2(DBG_IMV, "received PCR Composite matches with constructed"); + chunk_clear(&pcr_composite); /* SHA1(TPM Quote Info) expected from IMC */ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); hasher->allocate_hash(hasher, quote_info, "e_digest); hasher->destroy(hasher); + chunk_clear("e_info); if (tpm_quote_sign.ptr && !pts->verify_quote_signature(pts, quote_digest, tpm_quote_sign)) { - free(quote_digest.ptr); - free(quote_info.ptr); + chunk_clear("e_digest); return FALSE; } + DBG2(DBG_IMV, "signature verification succeeded for TPM Quote Info"); - free(quote_digest.ptr); - free(quote_info.ptr); + chunk_clear("e_digest); } if (evid_signature_included) diff --git a/src/libpts/pts/pts.c b/src/libpts/pts/pts.c index 176bc87dce..9c8d64167e 100644 --- a/src/libpts/pts/pts.c +++ b/src/libpts/pts/pts.c 
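Review bot: Both added DBG2 success messages in the imv_attestation_process.c hunk are reached even when the optional field was absent, because the guards are `pcr_comp.ptr && ...` and `tpm_quote_sign.ptr && ...`; with an empty chunk no comparison or signature check runs, yet the log says "matches with constructed" and "signature verification succeeded". That misleads anyone reading the attestation log, so report success only when the field was present, e.g. `if (tpm_quote_sign.ptr) DBG2(DBG_IMV, "signature verification succeeded for TPM Quote Info");`, and log at DBG1 when a field was omitted so a skipped check is visible. Whether a missing signature should be accepted at all is a policy decision that this hunk does not show. The signature-failure branch also returns FALSE without any log line, unlike the PCR Composite branch above it. The enclosing function begins and ends outside the hunk.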
@@ -832,7 +832,7 @@ METHOD(pts_t, quote_tpm, bool, TSS_VALIDATION valData; u_int32_t i; TSS_RESULT result; - chunk_t quote_sign; + chunk_t pcr_comp, quote_sign; result = Tspi_Context_Create(&hContext); if (result != TSS_SUCCESS) @@ -913,14 +913,18 @@ METHOD(pts_t, quote_tpm, bool, } /* Set output chunks */ - *pcr_composite = chunk_empty; + pcr_comp = chunk_alloc(HASH_SIZE_SHA1); + memcpy(pcr_comp.ptr, valData.rgbData + 8, HASH_SIZE_SHA1); + *pcr_composite = pcr_comp; + *pcr_composite = chunk_clone(*pcr_composite); + DBG3(DBG_PTS, "Hash of PCR Composite: %B",pcr_composite); quote_sign = chunk_alloc(valData.ulValidationDataLength); memcpy(quote_sign.ptr, valData.rgbValidationData, valData.ulValidationDataLength); *quote_signature = quote_sign; *quote_signature = chunk_clone(*quote_signature); - DBG3(DBG_PTS, "Quote sign: %B",quote_signature); + DBG3(DBG_PTS, "TOM Quote Signature: %B",quote_signature); chunk_clear("e_sign); Tspi_Context_FreeMemory(hContext, NULL); @@ -1008,7 +1012,7 @@ METHOD(pts_t, get_quote_info, bool, { enumerator_t *e; pcr_entry_t *pcr_entry; - chunk_t pcr_composite, hash_pcr_composite, quote_info; + chunk_t pcr_composite; u_int32_t pcr_composite_len; bio_writer_t *writer; u_int8_t mask_bytes[PCR_MASK_LEN] = {0,0,0}, i; @@ -1053,8 +1057,6 @@ METHOD(pts_t, get_quote_info, bool, /* PCR Composite structure */ pcr_composite = chunk_clone(writer->get_buf(writer)); - *out_pcr_composite = pcr_composite; - DBG4(DBG_PTS, "Calculated PCR Composite: %B", out_pcr_composite); writer->destroy(writer); writer = bio_writer_create(TPM_QUOTE_INFO_LEN); 
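Review bot: In the quote_tpm hunk (`@@ -913,14 +913,18 @@`) the temporary `pcr_comp` is allocated, filled and then cloned into `*pcr_composite`, but nothing visible releases it, whereas the `quote_sign` temporary is cleared a few lines later, so this looks like a leak on every quote. The copy also reads `HASH_SIZE_SHA1` bytes at `valData.rgbData + 8` without checking `valData.ulDataLength`, and the offset 8 is a bare number. Cloning straight from the TSS buffer avoids the temporary: `*pcr_composite = chunk_clone(chunk_create(valData.rgbData + 8, HASH_SIZE_SHA1));`, placed after a `valData.ulDataLength >= 8 + HASH_SIZE_SHA1` check and with a comment that 8 skips the version and fixed fields preceding the composite digest in TPM_QUOTE_INFO. The new debug string reads "TOM Quote Signature", presumably meant as "TPM". quote_tpm begins and ends outside the hunk.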
@@ -1072,28 +1074,28 @@ METHOD(pts_t, get_quote_info, bool, /* SHA1 hash of PCR Composite Structure */ hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); - hasher->allocate_hash(hasher, pcr_composite, &hash_pcr_composite); - hasher->destroy(hasher); - writer->write_data(writer, hash_pcr_composite); + hasher->allocate_hash(hasher, pcr_composite, out_pcr_composite); + DBG4(DBG_PTS, "Hash of calculated PCR Composite: %B", out_pcr_composite); + chunk_clear(&pcr_composite); + hasher->destroy(hasher); + writer->write_data(writer, *out_pcr_composite); + if (!this->secret.ptr) { DBG1(DBG_PTS, "Secret assessment value unavailable", "unable to construct TPM Quote Info"); - chunk_clear(&pcr_composite); - chunk_clear(&hash_pcr_composite); + chunk_clear(out_pcr_composite); writer->destroy(writer); return FALSE; } /* Secret assessment value 20 bytes (nonce) */ writer->write_data(writer, this->secret); /* TPM Quote Info */ - quote_info = chunk_clone(writer->get_buf(writer)); - *out_quote_info = quote_info; + *out_quote_info = chunk_clone(writer->get_buf(writer)); DBG4(DBG_PTS, "Calculated TPM Quote Info: %B", out_quote_info); - writer->destroy(writer); - chunk_clear(&hash_pcr_composite); + return TRUE; } diff --git a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c index 9528e3a6ac..a54d6423d0 100644 --- a/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c +++ b/src/libpts/tcg/tcg_pts_attr_simple_evid_final.c @@ -236,8 +236,7 @@ METHOD(pa_tnc_attr_t, process, status_t, /* Optional Composite Hash Algorithm and TPM PCR Composite field is included */ if (this->flags != PTS_SIMPLE_EVID_FINAL_FLAG_NO) { - /** u_int32_t pcr_comp_len;*/ - u_int32_t tpm_quote_sign_len; + u_int32_t pcr_comp_len, tpm_quote_sign_len; /** TODO: Ignoring Hashing algorithm field * There is no flag defined which indicates the precense of it 
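Review bot: In the get_quote_info hunk `hasher` is dereferenced by `hasher->allocate_hash(hasher, pcr_composite, out_pcr_composite);` without checking the result of `lib->crypto->create_hasher(lib->crypto, HASH_SHA1)`, which is NULL when no SHA-1 implementation is loaded; the same unchecked call sits in the imv_attestation_process.c hunk. A guard before the first use, such as `if (!hasher) { chunk_clear(&pcr_composite); writer->destroy(writer); return FALSE; }`, would fail closed instead of crashing. Separately, the `!this->secret.ptr` test depends only on object state, so it could run before anything is hashed or allocated, which would make the `chunk_clear(out_pcr_composite)` cleanup on that path unnecessary. get_quote_info starts outside the hunk.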
@@ -245,12 +244,10 @@ METHOD(pa_tnc_attr_t, process, status_t, * this->comp_hash_algorithm = algorithm; */ - /** TODO: Ignoring PCR Composite field - * Which data to send in this field from IMC? - * reader->read_uint32(reader, &pcr_comp_len); - * reader->read_data(reader, pcr_comp_len, &this->pcr_comp); - * this->pcr_comp = chunk_clone(this->pcr_comp); - */ + reader->read_uint32(reader, &pcr_comp_len); + reader->read_data(reader, pcr_comp_len, &this->pcr_comp); + this->pcr_comp = chunk_clone(this->pcr_comp); + this->pcr_comp = chunk_empty; reader->read_uint32(reader, &tpm_quote_sign_len); reader->read_data(reader, tpm_quote_sign_len, &this->tpm_quote_sign);
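Review bot: As the hunk reads, `this->pcr_comp = chunk_empty;` still follows the new `this->pcr_comp = chunk_clone(this->pcr_comp);`, so the freshly cloned PCR Composite is leaked and the attribute always reports an empty field. The verifier's `pcr_comp.ptr && !chunk_equals(pcr_comp, pcr_composite)` comparison would then never run, so the `chunk_empty` assignment should be dropped. The two new reads also ignore their return values: `pcr_comp_len` comes from the peer, and if either read fails the clone operates on whatever `this->pcr_comp` held before. Test both with `if (!reader->read_uint32(reader, &pcr_comp_len) || !reader->read_data(reader, pcr_comp_len, &this->pcr_comp))` and leave through the method's failure path. The existing `tpm_quote_sign` reads below have the same shape, and process() starts and ends outside the hunk.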