From: Andreas Steffen Date: Sun, 9 Oct 2011 17:37:48 +0000 (+0200) Subject: moved building of attributes to imv_attestation_build X-Git-Tag: 4.6.2~326 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d7bc2841ca683551fe4dc2d3aaeb2a3dfa489f00;p=thirdparty%2Fstrongswan.git moved building of attributes to imv_attestation_build
---
diff --git a/src/libimcv/plugins/imv_attestation/Makefile.am b/src/libimcv/plugins/imv_attestation/Makefile.am
index e52a4f325d..c6eb46d651 100644
--- a/src/libimcv/plugins/imv_attestation/Makefile.am
+++ b/src/libimcv/plugins/imv_attestation/Makefile.am
@@ -12,7 +12,8 @@ imv_attestation_la_LIBADD = $(top_builddir)/src/libimcv/libimcv.la \
imv_attestation_la_SOURCES = imv_attestation.c \
imv_attestation_state.h imv_attestation_state.c \
- imv_attestation_process.h imv_attestation_process.c
+ imv_attestation_process.h imv_attestation_process.c \
+ imv_attestation_build.h imv_attestation_build.c
imv_attestation_la_LDFLAGS = -module -avoid-version
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation.c b/src/libimcv/plugins/imv_attestation/imv_attestation.c
index 329f03e2f1..1a1358f4ab 100644
--- a/src/libimcv/plugins/imv_attestation/imv_attestation.c
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation.c
@@ -15,6 +15,7 @@
#include "imv_attestation_state.h"
#include "imv_attestation_process.h"
+#include "imv_attestation_build.h"
#include
#include
@@ -29,16 +30,6 @@
#include
#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-#include
#include
@@ -191,11 +182,8 @@ TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
static TNC_Result send_message(TNC_ConnectionID connection_id) {
pa_tnc_msg_t *msg;
- pa_tnc_attr_t *attr;
- pts_t *pts;
imv_state_t *state;
imv_attestation_state_t *attestation_state;
- imv_attestation_handshake_state_t handshake_state;
TNC_Result result;
if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
@@ -203,174 +191,19 @@ static TNC_Result send_message(TNC_ConnectionID connection_id) return TNC_RESULT_FATAL; } attestation_state = (imv_attestation_state_t*)state; - handshake_state = attestation_state->get_handshake_state(attestation_state); - pts = attestation_state->get_pts(attestation_state); - msg = pa_tnc_msg_create(); - if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ && - !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T)) + if (imv_attestation_build(msg, attestation_state, supported_algorithms, + supported_dh_groups, pts_db)) { - DBG1(DBG_IMV, "PTS-IMC has no TPM capability - " - "advancing to PTS measurement phase"); - handshake_state = IMV_ATTESTATION_STATE_MEAS; + msg->build(msg); + result = imv_attestation->send_message(imv_attestation, connection_id, + msg->get_encoding(msg)); } - - /* Switch on the attribute type IMV has received */ - switch (handshake_state) + else { - case IMV_ATTESTATION_STATE_INIT: - { - pts_proto_caps_flag_t flags; - - /* Send Request Protocol Capabilities attribute */ - flags = pts->get_proto_caps(pts); - attr = tcg_pts_attr_proto_caps_create(flags, TRUE); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - /* Send Measurement Algorithms attribute */ - attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - attestation_state->set_handshake_state(attestation_state, - IMV_ATTESTATION_STATE_NONCE_REQ); - break; - } - case IMV_ATTESTATION_STATE_NONCE_REQ: - { - int min_nonce_len; - - /* Send DH nonce parameters request attribute */ - min_nonce_len = lib->settings->get_int(lib->settings, - "libimcv.plugins.imv-attestation.min_nonce_len", 0); - attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len, - supported_dh_groups); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - attestation_state->set_handshake_state(attestation_state, - IMV_ATTESTATION_STATE_TPM_INIT); - break; - } - case 
IMV_ATTESTATION_STATE_TPM_INIT: - { - pts_meas_algorithms_t selected_algorithm; - chunk_t initiator_value, initiator_nonce; - - /* Send DH nonce finish attribute */ - selected_algorithm = pts->get_meas_algorithm(pts); - pts->get_my_public_value(pts, &initiator_value, &initiator_nonce); - attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm, - initiator_value, initiator_nonce); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - /* Send Get TPM Version attribute */ - attr = tcg_pts_attr_get_tpm_version_info_create(); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - /* Send Get AIK attribute */ - attr = tcg_pts_attr_get_aik_create(); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - attestation_state->set_handshake_state(attestation_state, - IMV_ATTESTATION_STATE_MEAS); - break; - } - case IMV_ATTESTATION_STATE_MEAS: - { - - enumerator_t *enumerator; - u_int32_t delimiter = SOLIDUS_UTF; - char *platform_info, *pathname; - u_int16_t request_id; - int id, type; - bool is_dir; - - attestation_state->set_handshake_state(attestation_state, - IMV_ATTESTATION_STATE_COMP_EVID); - - /* Get Platform and OS of the PTS-IMC */ - platform_info = pts->get_platform_info(pts); - - if (!pts_db || !platform_info) - { - DBG1(DBG_IMV, "%s%s%s not available", - (pts_db) ? "" : "pts database", - (!pts_db && !platform_info) ? "and" : "", - (platform_info) ? 
"" : "platform info"); - break; - } - DBG1(DBG_IMV, "platform is '%s'", platform_info); - - /* Send Request File Metadata attribute */ - attr = tcg_pts_attr_req_file_meta_create(FALSE, SOLIDUS_UTF, "/etc/tnc_config"); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - /* Send Request File Measurement attribute */ - enumerator = pts_db->create_file_enumerator(pts_db, platform_info); - if (!enumerator) - { - break; - } - while (enumerator->enumerate(enumerator, &id, &type, &pathname)) - { - is_dir = (type != 0); - request_id = attestation_state->add_request(attestation_state, - id, is_dir); - DBG2(DBG_IMV, "measurement request %d for %s '%s'", - request_id, is_dir ? "directory" : "file", pathname); - attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id, - delimiter, pathname); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - } - enumerator->destroy(enumerator); - break; - } - case IMV_ATTESTATION_STATE_COMP_EVID: - { - pts_attr_req_funct_comp_evid_flag_t flags; - u_int32_t sub_comp_depth; - pts_qualifier_t qualifier; - pts_funct_comp_name_t name; - - attestation_state->set_handshake_state(attestation_state, - IMV_ATTESTATION_STATE_END); - - flags = PTS_REQ_FUNC_COMP_FLAG_PCR; - sub_comp_depth = 0; - qualifier.kernel = FALSE; - qualifier.sub_component = FALSE; - qualifier.type = PTS_FUNC_COMP_TYPE_ALL; - name = PTS_FUNC_COMP_NAME_BIOS; - - /* Send Request Functional Component Evidence attribute */ - attr = tcg_pts_attr_req_funct_comp_evid_create(flags, sub_comp_depth, - PEN_TCG, qualifier, name); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - /* Send Generate Attestation Evidence attribute */ - attr = tcg_pts_attr_gen_attest_evid_create(); - attr->set_noskip_flag(attr, TRUE); - msg->add_attribute(msg, attr); - - break; - } - default: - DBG1(DBG_IMV, "Attestation IMV is in unknown state: \"%s\"", - handshake_state); - return TNC_RESULT_FATAL; + result = TNC_RESULT_FATAL; } - - 
msg->build(msg);
- result = imv_attestation->send_message(imv_attestation, connection_id, - msg->get_encoding(msg));
msg->destroy(msg);
return result;
@@ -484,7 +317,7 @@ TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
else if (attr->get_vendor_id(attr) == PEN_TCG)
{
if (!imv_attestation_process(attr, attr_list, attestation_state,
- supported_algorithms, supported_dh_groups, pts_db, pts_credmgr))
+ supported_algorithms,supported_dh_groups, pts_db, pts_credmgr))
{
result = TNC_RESULT_FATAL;
break;
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_build.c b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c
new file mode 100644
index 0000000000..fc3d446b6a
--- /dev/null
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_build.c
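Review bot: The new `if (imv_attestation_build(...))` branch sends the message whenever the builder returns TRUE, with no check that an attribute was actually added; judging from the builder's body in the new file, the MEAS state reaches `break` with nothing added when `pts_db` or the platform info is missing or when no file enumerator can be created, so an empty PA-TNC message goes out while the handshake state has already advanced. If that is intended, a comment above the `if` such as `/* imv_attestation_build only fails on an unknown handshake state; an empty message is still sent */` would spare the next reader a trip into the builder, and if it is not, the builder should report those cases so `result = TNC_RESULT_FATAL;` or a skip can be chosen here. The `@@ -484,7 +317,7 @@` hunk below also drops the space in `supported_algorithms,supported_dh_groups` for no functional reason and should be reverted. send_message's declarations sit in the preceding hunk, outside this one.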
@@ -0,0 +1,205 @@ +/* + * Copyright (C) 2011 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imv_attestation_build.h" +#include "imv_attestation_state.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +bool imv_attestation_build(pa_tnc_msg_t *msg, + imv_attestation_state_t *attestation_state, + pts_meas_algorithms_t supported_algorithms, + pts_dh_group_t supported_dh_groups, + pts_database_t *pts_db) +{ + imv_attestation_handshake_state_t handshake_state; + pts_t *pts; + pa_tnc_attr_t *attr; + + handshake_state = attestation_state->get_handshake_state(attestation_state); + pts = attestation_state->get_pts(attestation_state); + + if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ && + !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T)) + { + DBG1(DBG_IMV, "PTS-IMC has no TPM capability - " + "advancing to PTS measurement phase"); + handshake_state = IMV_ATTESTATION_STATE_MEAS; + } + + /* Switch on the attribute type IMV has received */ + switch (handshake_state) + { + case IMV_ATTESTATION_STATE_INIT: + { + pts_proto_caps_flag_t flags; + + /* Send Request Protocol Capabilities attribute */ + flags = pts->get_proto_caps(pts); + attr = tcg_pts_attr_proto_caps_create(flags, TRUE); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + /* Send Measurement Algorithms attribute */ + attr = tcg_pts_attr_meas_algo_create(supported_algorithms, 
FALSE); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + attestation_state->set_handshake_state(attestation_state, + IMV_ATTESTATION_STATE_NONCE_REQ); + break; + } + case IMV_ATTESTATION_STATE_NONCE_REQ: + { + int min_nonce_len; + + /* Send DH nonce parameters request attribute */ + min_nonce_len = lib->settings->get_int(lib->settings, + "libimcv.plugins.imv-attestation.min_nonce_len", 0); + attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len, + supported_dh_groups); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + attestation_state->set_handshake_state(attestation_state, + IMV_ATTESTATION_STATE_TPM_INIT); + break; + } + case IMV_ATTESTATION_STATE_TPM_INIT: + { + pts_meas_algorithms_t selected_algorithm; + chunk_t initiator_value, initiator_nonce; + + /* Send DH nonce finish attribute */ + selected_algorithm = pts->get_meas_algorithm(pts); + pts->get_my_public_value(pts, &initiator_value, &initiator_nonce); + attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm, + initiator_value, initiator_nonce); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + /* Send Get TPM Version attribute */ + attr = tcg_pts_attr_get_tpm_version_info_create(); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + /* Send Get AIK attribute */ + attr = tcg_pts_attr_get_aik_create(); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + attestation_state->set_handshake_state(attestation_state, + IMV_ATTESTATION_STATE_MEAS); + break; + } + case IMV_ATTESTATION_STATE_MEAS: + { + + enumerator_t *enumerator; + u_int32_t delimiter = SOLIDUS_UTF; + char *platform_info, *pathname; + u_int16_t request_id; + int id, type; + bool is_dir; + + attestation_state->set_handshake_state(attestation_state, + IMV_ATTESTATION_STATE_COMP_EVID); + + /* Get Platform and OS of the PTS-IMC */ + platform_info = pts->get_platform_info(pts); + + if (!pts_db || !platform_info) + { + 
DBG1(DBG_IMV, "%s%s%s not available", + (pts_db) ? "" : "pts database", + (!pts_db && !platform_info) ? "and" : "", + (platform_info) ? "" : "platform info"); + break; + } + DBG1(DBG_IMV, "platform is '%s'", platform_info); + + /* Send Request File Metadata attribute */ + attr = tcg_pts_attr_req_file_meta_create(FALSE, SOLIDUS_UTF, "/etc/tnc_config"); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + /* Send Request File Measurement attribute */ + enumerator = pts_db->create_file_enumerator(pts_db, platform_info); + if (!enumerator) + { + break; + } + while (enumerator->enumerate(enumerator, &id, &type, &pathname)) + { + is_dir = (type != 0); + request_id = attestation_state->add_request(attestation_state, + id, is_dir); + DBG2(DBG_IMV, "measurement request %d for %s '%s'", + request_id, is_dir ? "directory" : "file", pathname); + attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id, + delimiter, pathname); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + } + enumerator->destroy(enumerator); + break; + } + case IMV_ATTESTATION_STATE_COMP_EVID: + { + pts_attr_req_funct_comp_evid_flag_t flags; + u_int32_t sub_comp_depth; + pts_qualifier_t qualifier; + pts_funct_comp_name_t name; + + attestation_state->set_handshake_state(attestation_state, + IMV_ATTESTATION_STATE_END); + + flags = PTS_REQ_FUNC_COMP_FLAG_PCR; + sub_comp_depth = 0; + qualifier.kernel = FALSE; + qualifier.sub_component = FALSE; + qualifier.type = PTS_FUNC_COMP_TYPE_ALL; + name = PTS_FUNC_COMP_NAME_BIOS; + + /* Send Request Functional Component Evidence attribute */ + attr = tcg_pts_attr_req_funct_comp_evid_create(flags, sub_comp_depth, + PEN_TCG, qualifier, name); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + /* Send Generate Attestation Evidence attribute */ + attr = tcg_pts_attr_gen_attest_evid_create(); + attr->set_noskip_flag(attr, TRUE); + msg->add_attribute(msg, attr); + + break; + } + default: + DBG1(DBG_IMV, 
"Attestation IMV is in unknown state: \"%s\"", + handshake_state);
+ return FALSE;
+ }
+ return TRUE;
+}
diff --git a/src/libimcv/plugins/imv_attestation/imv_attestation_build.h b/src/libimcv/plugins/imv_attestation/imv_attestation_build.h
new file mode 100644
index 0000000000..e397e8458e
--- /dev/null
+++ b/src/libimcv/plugins/imv_attestation/imv_attestation_build.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) 2011 Sansar Choinyambuu
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup imv_attestation_build_t imv_attestation_build
+ * @{ @ingroup imv_attestation_build
+ */
+
+#ifndef IMV_ATTESTATION_BUILD_H_
+#define IMV_ATTESTATION_BUILD_H_
+
+#include "imv_attestation_state.h"
+
+#include
+#include
+
+#include
+#include
+#include
+
+/**
+ * Process a TCG PTS attribute
+ *
+ * @param msg PA-TNC message to be built
+ * @param attestation_state attestation state of a given connection
+ * @param supported_algorithms supported PTS measurement algorithms
+ * @param supported_dh_groups supported DH groups
+ * @param pts_db PTS configuration database
+ * @return TRUE if successful
+ */
+bool imv_attestation_build(pa_tnc_msg_t *msg,
+ imv_attestation_state_t *attestation_state,
+ pts_meas_algorithms_t supported_algorithms,
+ pts_dh_group_t supported_dh_groups,
+ pts_database_t *pts_db);
+
+#endif /** IMV_ATTESTATION_BUILD_H_ @}*/
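Review bot: The `default` branch at the end of the switch in imv_attestation_build formats `handshake_state`, an `imv_attestation_handshake_state_t` enum value, with `%s`, so an integer is read as a string pointer (undefined behaviour, in practice a crash in the very path meant to report a bad state); this was carried over verbatim from the removed code but is still wrong, and `DBG1(DBG_IMV, "Attestation IMV is in unknown state: %d", handshake_state);` at least prints the value (the project's `%N` with an enum name table would be nicer if one exists for this enum). The comment `/* Switch on the attribute type IMV has received */` above the switch is also inaccurate, since the switch is on the handshake state rather than on a received attribute; `/* Build the attributes to send in the current handshake state */` describes what the code does. In the `IMV_ATTESTATION_STATE_MEAS` case the state is advanced to COMP_EVID before the `pts_db`/`platform_info` check and before `create_file_enumerator`, and the enumerator failure `break`s without any log line, so a platform with no database entry leaves no trace; a `DBG1(DBG_IMV, "no file measurements configured for platform '%s'", platform_info);` before that `break` would make the silent skip visible. The file-metadata request hard-codes `/etc/tnc_config`; a strongswan.conf setting under `libimcv.plugins.imv-attestation`, as already done for `min_nonce_len`, would be consistent with the rest of the function.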
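Review bot: The Doxygen comment on `imv_attestation_build` in the new header says `Process a TCG PTS attribute`, evidently copied from imv_attestation_process, while the function builds outgoing attributes; `Build the TCG PTS attributes to be sent in the current handshake state and advance that state` matches the implementation. The `@return TRUE if successful` line should state the actual contract, which from the .c file is TRUE for every known handshake state — including cases where no attribute was added to msg — and FALSE only for an unknown state. The `@{ @ingroup imv_attestation_build` tag under `@defgroup imv_attestation_build_t imv_attestation_build` names a parent group that is not defined in this header; if the sibling headers nest under an `imv_attestation` group, that is presumably what was intended.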