refactored DH group nonce exchange
parent
4ee4da47f8
commit
c50f881f6a
|
@ -45,6 +45,8 @@ static const char imc_name[] = "Attestation";
|
|||
|
||||
#define IMC_VENDOR_ID PEN_TCG
|
||||
#define IMC_SUBTYPE PA_SUBTYPE_TCG_PTS
|
||||
|
||||
#define DEFAULT_NONCE_LEN 20
|
||||
#define EXTEND_PCR 16
|
||||
|
||||
static imc_agent_t *imc_attestation;
|
||||
|
@ -71,10 +73,9 @@ static linked_list_t *evidences = NULL;
|
|||
static pts_dh_group_t supported_dh_groups = 0;
|
||||
|
||||
/**
|
||||
* High Entropy Random Data
|
||||
* used in calculation of shared secret for the assessment session
|
||||
* Supported PTS Diffie Hellman Groups
|
||||
*/
|
||||
static char *responder_nonce = NULL;
|
||||
static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
|
||||
|
||||
/**
|
||||
* List of buffered Simple Component Evidences
|
||||
|
@ -90,15 +91,13 @@ TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
|
|||
TNC_Version max_version,
|
||||
TNC_Version *actual_version)
|
||||
{
|
||||
rng_t *rng;
|
||||
|
||||
if (imc_attestation)
|
||||
{
|
||||
DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
|
||||
return TNC_RESULT_ALREADY_INITIALIZED;
|
||||
}
|
||||
if (!pts_meas_probe_algorithms(&supported_algorithms) ||
|
||||
!pts_probe_dh_groups(&supported_dh_groups))
|
||||
if (!pts_meas_algo_probe(&supported_algorithms) ||
|
||||
!pts_dh_group_probe(&supported_dh_groups))
|
||||
{
|
||||
return TNC_RESULT_FATAL;
|
||||
}
|
||||
|
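Review bot: The two new macros `DEFAULT_NONCE_LEN 20` and `EXTEND_PCR 16` carry no comment, so the unit of the first and the meaning of the second are left to the reader, and the IMV side of this same commit introduces `NONCE_LEN_LIMIT 16` without anything on the page saying how the IMC's 20 relates to that bound. I would annotate both, e.g. `#define DEFAULT_NONCE_LEN 20 /* responder nonce length in bytes, presumably the value offered in the DH nonce exchange -- TODO confirm */` and `#define EXTEND_PCR 16 /* PCR index this IMC extends -- TODO confirm; if this is PCR 16 it is the resettable debug PCR of the TCG PC Client profile, which is not a trustworthy attestation target */`. TNC_IMC_Initialize in the third hunk continues past the end of the hunk.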
|
|
@ -45,6 +45,8 @@ static const char imv_name[] = "Attestation";
|
|||
#define IMV_VENDOR_ID PEN_TCG
|
||||
#define IMV_SUBTYPE PA_SUBTYPE_TCG_PTS
|
||||
|
||||
#define NONCE_LEN_LIMIT 16
|
||||
|
||||
static imv_agent_t *imv_attestation;
|
||||
|
||||
/**
|
||||
|
@ -60,13 +62,7 @@ static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
|
|||
/**
|
||||
* Supported PTS Diffie Hellman Groups
|
||||
*/
|
||||
static pts_dh_group_t supported_dh_groups = 0;
|
||||
|
||||
/**
|
||||
* High Entropy Random Data
|
||||
* used in calculation of shared secret for the assessment session
|
||||
*/
|
||||
static char *initiator_nonce = NULL;
|
||||
static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
|
||||
|
||||
/**
|
||||
* PTS file measurement database
|
||||
|
@ -97,7 +93,6 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
|
|||
TNC_Version *actual_version)
|
||||
{
|
||||
char *hash_alg, *dh_group, *uri, *cadir;
|
||||
rng_t *rng;
|
||||
|
||||
if (imv_attestation)
|
||||
{
|
||||
|
@ -154,7 +149,9 @@ TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
|
|||
*/
|
||||
dh_group = lib->settings->get_str(lib->settings,
|
||||
"libimcv.plugins.imv-attestation.dh_group", "ecp256");
|
||||
if (!pts_update_supported_dh_groups(dh_group, &supported_dh_groups))
|
||||
|
||||
if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
|
||||
!pts_dh_group_update(dh_group, &supported_dh_groups))
|
||||
{
|
||||
return TNC_RESULT_FATAL;
|
||||
}
|
||||
|
@ -241,156 +238,7 @@ static TNC_Result send_message(TNC_ConnectionID connection_id)
|
|||
}
|
||||
else
|
||||
{
|
||||
<<<<<<< HEAD
|
||||
result = TNC_RESULT_FATAL;
|
||||
=======
|
||||
case IMV_ATTESTATION_STATE_INIT:
|
||||
{
|
||||
pts_proto_caps_flag_t flags;
|
||||
|
||||
/* Send Request Protocol Capabilities attribute */
|
||||
flags = pts->get_proto_caps(pts);
|
||||
attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
|
||||
attr->set_noskip_flag(attr, TRUE);
|
||||
msg->add_attribute(msg, attr);
|
||||
|
||||
/* Send Measurement Algorithms attribute */
|
||||
attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
|
||||
attr->set_noskip_flag(attr, TRUE);
|
||||
msg->add_attribute(msg, attr);
|
||||
|
||||
attestation_state->set_handshake_state(attestation_state,
|
||||
IMV_ATTESTATION_STATE_TPM_INIT);
|
||||
break;
|
||||
}
|
||||
case IMV_ATTESTATION_STATE_TPM_INIT:
|
||||
{
|
||||
if (!dh_nonce_req_sent)
|
||||
{
|
||||
/* Send DH nonce parameters request attribute */
|
||||
attr = tcg_pts_attr_dh_nonce_params_req_create(0, supported_dh_groups);
|
||||
attr->set_noskip_flag(attr, TRUE);
|
||||
msg->add_attribute(msg, attr);
|
||||
dh_nonce_req_sent = TRUE;
|
||||
}
|
||||
else
|
||||
{
|
||||
pts_meas_algorithms_t selected_algorithm;
|
||||
chunk_t initiator_pub_val;
|
||||
|
||||
/* Send DH nonce finish attribute */
|
||||
selected_algorithm = pts->get_meas_algorithm(pts);
|
||||
pts->get_my_public_value(pts, &initiator_pub_val);
|
||||
|
||||
attr = tcg_pts_attr_dh_nonce_finish_create(NONCE_LEN,
|
||||
selected_algorithm,
|
||||
chunk_create(initiator_nonce, NONCE_LEN),
|
||||
initiator_pub_val);
|
||||
attr->set_noskip_flag(attr, TRUE);
|
||||
msg->add_attribute(msg, attr);
|
||||
|
||||
/* Send Get TPM Version attribute */
|
||||
attr = tcg_pts_attr_get_tpm_version_info_create();
|
||||
attr->set_noskip_flag(attr, TRUE);
|
||||
msg->add_attribute(msg, attr);
|
||||
|
||||
/* Send Get AIK attribute */
|
||||
attr = tcg_pts_attr_get_aik_create();
|
||||
attr->set_noskip_flag(attr, TRUE);
|
||||
msg->add_attribute(msg, attr);
|
||||
|
||||
attestation_state->set_handshake_state(attestation_state,
|
||||
IMV_ATTESTATION_STATE_MEAS);
|
||||
}
|
||||
|
||||
break;
|
||||
}
|
||||
case IMV_ATTESTATION_STATE_MEAS:
|
||||
{
|
||||
|
||||
enumerator_t *enumerator;
|
||||
u_int32_t delimiter = SOLIDUS_UTF;
|
||||
char *platform_info, *pathname;
|
||||
u_int16_t request_id;
|
||||
int id, type;
|
||||
bool is_dir;
|
||||
|
||||
attestation_state->set_handshake_state(attestation_state,
|
||||
IMV_ATTESTATION_STATE_COMP_EVID);
|
||||
|
||||
/* Get Platform and OS of the PTS-IMC */
|
||||
platform_info = pts->get_platform_info(pts);
|
||||
|
||||
if (!pts_db || !platform_info)
|
||||
{
|
||||
DBG1(DBG_IMV, "%s%s%s not available",
|
||||
(pts_db) ? "" : "pts database",
|
||||
(!pts_db && !platform_info) ? "and" : "",
|
||||
(platform_info) ? "" : "platform info");
|
||||
break;
|
||||
}
|
||||
DBG1(DBG_IMV, "platform is '%s'", platform_info);
|
||||
|
||||
/* Send Request File Metadata attribute */
|
||||
attr = tcg_pts_attr_req_file_meta_create(FALSE, SOLIDUS_UTF, "/etc/tnc_config");
|
||||
attr->set_noskip_flag(attr, TRUE);
|
||||
msg->add_attribute(msg, attr);
|
||||
|
||||
/* Send Request File Measurement attribute */
|
||||
enumerator = pts_db->create_file_enumerator(pts_db, platform_info);
|
||||
if (!enumerator)
|
||||
{
|
||||
break;
|
||||
}
|
||||
while (enumerator->enumerate(enumerator, &id, &type, &pathname))
|
||||
{
|
||||
is_dir = (type != 0);
|
||||
request_id = attestation_state->add_request(attestation_state,
|
||||
id, is_dir);
|
||||
DBG2(DBG_IMV, "measurement request %d for %s '%s'",
|
||||
request_id, is_dir ? "directory" : "file", pathname);
|
||||
attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
|
||||
delimiter, pathname);
|
||||
attr->set_noskip_flag(attr, TRUE);
|
||||
msg->add_attribute(msg, attr);
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
break;
|
||||
}
|
||||
case IMV_ATTESTATION_STATE_COMP_EVID:
|
||||
{
|
||||
pts_attr_req_funct_comp_evid_flag_t flags;
|
||||
u_int32_t sub_comp_depth;
|
||||
pts_qualifier_t qualifier;
|
||||
pts_funct_comp_name_t name;
|
||||
|
||||
attestation_state->set_handshake_state(attestation_state,
|
||||
IMV_ATTESTATION_STATE_END);
|
||||
|
||||
flags = PTS_REQ_FUNC_COMP_FLAG_PCR;
|
||||
sub_comp_depth = 0;
|
||||
qualifier.kernel = FALSE;
|
||||
qualifier.sub_component = FALSE;
|
||||
qualifier.type = PTS_FUNC_COMP_TYPE_ALL;
|
||||
name = PTS_FUNC_COMP_NAME_BIOS;
|
||||
|
||||
/* Send Request Functional Component Evidence attribute */
|
||||
attr = tcg_pts_attr_req_funct_comp_evid_create(flags, sub_comp_depth,
|
||||
PEN_TCG, qualifier, name);
|
||||
attr->set_noskip_flag(attr, TRUE);
|
||||
msg->add_attribute(msg, attr);
|
||||
/* Send Generate Attestation Evidence attribute */
|
||||
attr = tcg_pts_attr_gen_attest_evid_create();
|
||||
attr->set_noskip_flag(attr, TRUE);
|
||||
msg->add_attribute(msg, attr);
|
||||
|
||||
break;
|
||||
}
|
||||
default:
|
||||
DBG1(DBG_IMV, "Attestation IMV is in unknown state: \"%s\"",
|
||||
handshake_state);
|
||||
return TNC_RESULT_FATAL;
|
||||
>>>>>>> fixed setting of PTS DH group
|
||||
}
|
||||
msg->destroy(msg);
|
||||
|
||||
|
@ -637,7 +485,6 @@ TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
|
|||
}
|
||||
DESTROY_IF(pts_db);
|
||||
DESTROY_IF(pts_credmgr);
|
||||
free(initiator_nonce);
|
||||
|
||||
libpts_deinit();
|
||||
|
||||
|
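Review bot: `NONCE_LEN_LIMIT 16` does not say whether it is the shortest nonce length the IMV will accept or the longest it will request, while the IMC in this commit defines `DEFAULT_NONCE_LEN 20`; if the limit is a maximum the two already disagree, and if it is a minimum the name hides a security bound, because a peer that negotiates a short nonce weakens the freshness guarantee of the TPM Quote ExternalData. I would state the bound in a comment, e.g. `#define NONCE_LEN_LIMIT 16 /* minimum nonce length in bytes accepted from the IMC -- TODO confirm direction */`, or rename it to `MIN_NONCE_LEN` or `MAX_NONCE_LEN` once confirmed. In the TNC_IMV_Initialize hunk the merged condition now rejects either a bad `hash_alg` or a bad `dh_group` with the same bare `TNC_RESULT_FATAL`; unless `pts_meas_algo_update` and `pts_dh_group_update` log the rejected setting themselves, a DBG1 line naming which one failed would help operators. `hash_alg` is read outside that hunk and the function continues past it.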
|
|
@ -180,41 +180,31 @@ struct pts_t {
|
|||
*
|
||||
* @param dh D-H object
|
||||
*/
|
||||
bool (*create_dh)(pts_t *this, pts_dh_group_t group);
|
||||
bool (*create_dh_nonce)(pts_t *this, pts_dh_group_t group, int nonce_len);
|
||||
|
||||
/**
|
||||
* Get my Diffie-Hellman public value
|
||||
*
|
||||
* @param value My public DH value
|
||||
* @param nonce My DH nonce
|
||||
*/
|
||||
void (*get_my_public_value)(pts_t *this, chunk_t *value);
|
||||
void (*get_my_public_value)(pts_t *this, chunk_t *value, chunk_t *nonce);
|
||||
|
||||
/**
|
||||
* Set peer Diffie.Hellman public value
|
||||
*
|
||||
* @param value Peer public DH value
|
||||
* @param nonce Peer DH nonce
|
||||
*/
|
||||
void (*set_peer_public_value) (pts_t *this, chunk_t value);
|
||||
void (*set_peer_public_value) (pts_t *this, chunk_t value, chunk_t nonce);
|
||||
|
||||
/**
|
||||
* Calculates secret assessment value to be used for TPM Quote as an external data
|
||||
* Calculates secret assessment value to be used for TPM Quote as ExternalData
|
||||
*
|
||||
* @param initiator_nonce Initiator nonce (IMV nonce)
|
||||
* @param responder_nonce Responder nonce (IMC nonce)
|
||||
* @param algorithm Hashing algorithm
|
||||
* @return TRUE unless both DH public values
|
||||
* and nonces are set
|
||||
*/
|
||||
bool (*calculate_secret) (pts_t *this, chunk_t initiator_nonce,
|
||||
chunk_t responder_nonce,
|
||||
pts_meas_algorithms_t algorithm);
|
||||
|
||||
/**
|
||||
* Returns secret assessment value to be used for TPM Quote as an external data
|
||||
*
|
||||
* @return Secret assessment value
|
||||
*/
|
||||
chunk_t (*get_secret) (pts_t *this);
|
||||
bool (*calculate_secret) (pts_t *this);
|
||||
|
||||
/**
|
||||
* Get Platform and OS Info
|
||||
|
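Review bot: The doc block above `create_dh_nonce` still reads `@param dh D-H object`, which matches neither the removed `create_dh` nor the new signature `(pts_t *this, pts_dh_group_t group, int nonce_len)`, so neither parameter nor the bool return is documented. I would replace that line with `@param group DH group to use` and `@param nonce_len length of the nonce to generate, in bytes`, and add `@return TRUE if the DH object and nonce were created`; since `nonce_len` is a signed `int` that presumably arrives from the peer's DH nonce parameters, the comment should also say whether zero or negative values are rejected by the implementation. The retained `@return TRUE unless both DH public values and nonces are set` wording on `calculate_secret` reads as inverted and is probably meant as `TRUE if both DH public values and nonces are set`. `struct pts_t` begins and ends outside this hunk.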
|