TPM verify entry proof, RSU signs all TPMs

src/tpm.c

@@ -406,6 +406,12 @@ static void rsu_handle_recv(facilities_t* facilities, TPM_t* tpm_rx, void* secur
     TollingType_t* type_rx = tpm_rx->tpm->tollingType;
 
     uint64_t client_id, nonce, info_id;
+    const uint32_t buf_len = 1024;
+    uint8_t buf[buf_len];
+    uint8_t tpm_uper[buf_len];
+
+    SecurityRequest_t* sreq = NULL;
+    SecurityReply_t* srep = NULL;
 
     switch (type_rx->present) {
         case TollingType_PR_entry:
@@ -417,6 +423,7 @@ static void rsu_handle_recv(facilities_t* facilities, TPM_t* tpm_rx, void* secur
             nonce = type_rx->choice.entry.choice.request.transactionNonce;
             info_id = type_rx->choice.entry.choice.request.infoId;
             break;
+
         case TollingType_PR_exit:
             if (!type_rx->choice.exit ||
                 type_rx->choice.exit->present != TollingExit_PR_request ||
@@ -434,7 +441,71 @@ static void rsu_handle_recv(facilities_t* facilities, TPM_t* tpm_rx, void* secur
                 return;
             }
 
+            TPM_t* ep = (TPM_t*) type_rx->choice.exit->choice.request->entryProof;
+
+            if (!ep->tpmSignature) {
+                syslog_err("[facilities] [tolling] received TPM.exit.request.entryProof does not contain signature");;
+                return;
+            }
+
+            // Encode TollingPaymentMessage 
+            asn_enc_rval_t enc = oer_encode_to_buffer(&asn_DEF_TollingPaymentMessage, NULL, ep->tpm, buf, buf_len);
+            if (enc.encoded == -1) {
+                syslog_err("[facilities] [tolling] error encoding TollingPaymentMessage (%s)", enc.failed_type->name);
+                goto cleanup;
+            }
+
+            // Verify
+            sreq = calloc(1, sizeof(SecurityRequest_t));
+            sreq->present = SecurityRequest_PR_verify;
+            // message
+            sreq->choice.verify.message.size = enc.encoded;
+            sreq->choice.verify.message.buf = malloc(enc.encoded);
+            memcpy(sreq->choice.verify.message.buf, buf, enc.encoded);
+
+            // r
+            sreq->choice.verify.r.size = ep->tpmSignature->r.size;
+            sreq->choice.verify.r.buf = malloc(ep->tpmSignature->r.size);
+            memcpy(sreq->choice.verify.r.buf, ep->tpmSignature->r.buf, ep->tpmSignature->r.size);
+            // s
+            sreq->choice.verify.s.size = ep->tpmSignature->s.size;
+            sreq->choice.verify.s.buf = malloc(ep->tpmSignature->s.size);
+            memcpy(sreq->choice.verify.s.buf, ep->tpmSignature->s.buf, ep->tpmSignature->s.size);
+            // signer
+            sreq->choice.verify.signer.size = ep->tpmSignature->signer.size;
+            sreq->choice.verify.signer.buf = malloc(ep->tpmSignature->signer.size);
+            memcpy(sreq->choice.verify.signer.buf, ep->tpmSignature->signer.buf, ep->tpmSignature->signer.size);
+            // signature type
+            sreq->choice.verify.type = ep->tpmSignature->type;
+
+            buf[0] = 4;
+            enc = oer_encode_to_buffer(&asn_DEF_SecurityRequest, NULL, sreq, buf+1, buf_len-1);
+            syslog_debug("[facilities]->[security] SecurityRequest.verify (%ldB)", enc.encoded+1);
+            zmq_send(security_socket, buf, enc.encoded+1, 0);
+            int32_t rl = zmq_recv(security_socket, buf, buf_len, 0);
+            syslog_debug("[facilities]<-[security] SecurityReply.verify (%dB)", rl);
+
+            if (oer_decode(NULL, &asn_DEF_SecurityReply, (void**) &srep, buf, rl).code) {
+                syslog_err("[facilities] SecurityReply.verify decode failure");
+                goto cleanup;
+            }
+
+            if (srep->returnCode == SecurityReplyReturnCode_rejected) {
+                syslog_err("[facilities] SecurityReply.verify rejected");
+                goto cleanup;
+            }
+
+            if (srep->data->choice.verify.report != SecurityVerifyConfirmCode_success) {
+                syslog_debug("[facilities] entry proof signature verify failed");
+                goto cleanup;
+            }
+
+            ASN_STRUCT_FREE(asn_DEF_SecurityRequest, sreq);
+            ASN_STRUCT_FREE(asn_DEF_SecurityReply, srep);
+            sreq = NULL;
+            srep = NULL;
             break;
+
         case TollingType_PR_single:
             if (type_rx->choice.single.present != TollingSingle_PR_request) {
                 syslog_err("[facilities] [tolling] received TPM.single is not request");
@@ -444,6 +515,7 @@ static void rsu_handle_recv(facilities_t* facilities, TPM_t* tpm_rx, void* secur
             nonce = type_rx->choice.single.choice.request.transactionNonce;
             info_id = type_rx->choice.single.choice.request.infoId;
             break;
+
         default:
             syslog_err("[facilities] [tolling] received TPM has unrecognized type");
             return;
@@ -471,14 +543,9 @@ static void rsu_handle_recv(facilities_t* facilities, TPM_t* tpm_rx, void* secur
             break;
     }
 
-    const size_t buf_len = 2048;
-    uint8_t buf[buf_len];
-    uint8_t tpm_uper[buf_len];
 
     asn_enc_rval_t enc;
     TransportRequest_t* tr = NULL;
-    SecurityRequest_t* sreq = NULL;
-    SecurityReply_t* srep = NULL;
     FacilitiesIndication_t* fi = NULL;
     TPM_t* tpm = NULL;
 
@@ -624,7 +691,6 @@ static void rsu_handle_recv(facilities_t* facilities, TPM_t* tpm_rx, void* secur
         goto cleanup;
     }
 
-    if (tolling->protocol.p == TOLLING_PROTOCOL_SIMPLE) {
         // Sign
         sreq = calloc(1, sizeof(SecurityRequest_t));
         sreq->present = SecurityRequest_PR_sign;
@@ -659,7 +725,6 @@ static void rsu_handle_recv(facilities_t* facilities, TPM_t* tpm_rx, void* secur
         tpm->tpmSignature->signer.buf = malloc(srep->data->choice.sign.signer.size);
         memcpy(tpm->tpmSignature->signer.buf, srep->data->choice.sign.signer.buf,  srep->data->choice.sign.signer.size);
         tpm->tpmSignature->type = srep->data->choice.sign.type;
-    }
 
     // encode TPM 
     enc = uper_encode_to_buffer(&asn_DEF_TPM, NULL, tpm, tpm_uper, buf_len);