refactored DH group nonce exchange
[strongswan.git] / src / libimcv / plugins / imc_attestation / imc_attestation.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #define _GNU_SOURCE
17
18 #include "imc_attestation_state.h"
19 #include "imc_attestation_process.h"
20
21 #include <imc/imc_agent.h>
22 #include <pa_tnc/pa_tnc_msg.h>
23 #include <ietf/ietf_attr.h>
24 #include <ietf/ietf_attr_pa_tnc_error.h>
25 #include <ietf/ietf_attr_product_info.h>
26
27 #include <libpts.h>
28
29 #include <pts/pts_error.h>
30
31 #include <tcg/tcg_pts_attr_proto_caps.h>
32 #include <tcg/tcg_pts_attr_dh_nonce_params_req.h>
33 #include <tcg/tcg_pts_attr_dh_nonce_params_resp.h>
34 #include <tcg/tcg_pts_attr_dh_nonce_finish.h>
35 #include <tcg/tcg_pts_attr_meas_algo.h>
36 #include <tncif_pa_subtypes.h>
37
38 #include <pen/pen.h>
39 #include <debug.h>
40 #include <utils/linked_list.h>
41
42 /* IMC definitions */
43
44 static const char imc_name[] = "Attestation";
45
46 #define IMC_VENDOR_ID PEN_TCG
47 #define IMC_SUBTYPE PA_SUBTYPE_TCG_PTS
48
49 #define DEFAULT_NONCE_LEN 20
50 #define EXTEND_PCR 16
51
52 static imc_agent_t *imc_attestation;
53
54 /**
55 * Supported PTS measurement algorithms
56 */
57 static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
58
59 /**
60 * Supported PTS Diffie Hellman Groups
61 */
62 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
63
64 /**
65 * List of buffered Simple Component Evidences
66 * To be sent on reception of Generate Attestation Evidence attribute
67 */
68 static linked_list_t *evidences = NULL;
69
70 /**
71 * Supported PTS Diffie Hellman Groups
72 */
73 static pts_dh_group_t supported_dh_groups = 0;
74
75 /**
76 * Supported PTS Diffie Hellman Groups
77 */
78 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
79
80 /**
81 * List of buffered Simple Component Evidences
82 * To be sent on reception of Generate Attestation Evidence attribute
83 */
84 static linked_list_t *evidences = NULL;
85
86 /**
87 * see section 3.7.1 of TCG TNC IF-IMC Specification 1.2
88 */
89 TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
90 TNC_Version min_version,
91 TNC_Version max_version,
92 TNC_Version *actual_version)
93 {
94 if (imc_attestation)
95 {
96 DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
97 return TNC_RESULT_ALREADY_INITIALIZED;
98 }
99 if (!pts_meas_algo_probe(&supported_algorithms) ||
100 !pts_dh_group_probe(&supported_dh_groups))
101 {
102 return TNC_RESULT_FATAL;
103 }
104 imc_attestation = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE,
105 imc_id, actual_version);
106 if (!imc_attestation)
107 {
108 return TNC_RESULT_FATAL;
109 }
110
111 libpts_init();
112
113 if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1)
114 {
115 DBG1(DBG_IMC, "no common IF-IMC version");
116 return TNC_RESULT_NO_COMMON_VERSION;
117 }
118 return TNC_RESULT_SUCCESS;
119 }
120
121 /**
122 * see section 3.7.2 of TCG TNC IF-IMC Specification 1.2
123 */
124 TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
125 TNC_ConnectionID connection_id,
126 TNC_ConnectionState new_state)
127 {
128 imc_state_t *state;
129
130 if (!imc_attestation)
131 {
132 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
133 return TNC_RESULT_NOT_INITIALIZED;
134 }
135 switch (new_state)
136 {
137 case TNC_CONNECTION_STATE_CREATE:
138 state = imc_attestation_state_create(connection_id);
139 return imc_attestation->create_state(imc_attestation, state);
140 case TNC_CONNECTION_STATE_DELETE:
141 return imc_attestation->delete_state(imc_attestation, connection_id);
142 case TNC_CONNECTION_STATE_HANDSHAKE:
143 case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
144 case TNC_CONNECTION_STATE_ACCESS_NONE:
145 default:
146 return imc_attestation->change_state(imc_attestation, connection_id,
147 new_state, NULL);
148 }
149 }
150
151
152 /**
153 * see section 3.7.3 of TCG TNC IF-IMC Specification 1.2
154 */
155 TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
156 TNC_ConnectionID connection_id)
157 {
158 imc_state_t *state;
159 imc_attestation_state_t *attestation_state;
160 pts_t *pts;
161 char *platform_info;
162 TNC_Result result = TNC_RESULT_SUCCESS;
163
164 if (!imc_attestation)
165 {
166 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
167 return TNC_RESULT_NOT_INITIALIZED;
168 }
169
170 /* get current IMC state */
171 if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
172 {
173 return TNC_RESULT_FATAL;
174 }
175 attestation_state = (imc_attestation_state_t*)state;
176 pts = attestation_state->get_pts(attestation_state);
177
178 platform_info = pts->get_platform_info(pts);
179 if (platform_info)
180 {
181 pa_tnc_msg_t *pa_tnc_msg;
182 pa_tnc_attr_t *attr;
183
184 pa_tnc_msg = pa_tnc_msg_create();
185 attr = ietf_attr_product_info_create(0, 0, platform_info);
186 pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
187 pa_tnc_msg->build(pa_tnc_msg);
188 result = imc_attestation->send_message(imc_attestation, connection_id,
189 pa_tnc_msg->get_encoding(pa_tnc_msg));
190 pa_tnc_msg->destroy(pa_tnc_msg);
191 }
192
193 evidences = linked_list_create();
194
195 return result;
196 }
197
198 /**
199 * see section 3.7.4 of TCG TNC IF-IMC Specification 1.2
200 */
201 TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
202 TNC_ConnectionID connection_id,
203 TNC_BufferReference msg,
204 TNC_UInt32 msg_len,
205 TNC_MessageType msg_type)
206 {
207 pa_tnc_msg_t *pa_tnc_msg;
208 pa_tnc_attr_t *attr;
209 linked_list_t *attr_list;
210 imc_state_t *state;
211 imc_attestation_state_t *attestation_state;
212 enumerator_t *enumerator;
213 pts_t *pts;
214 TNC_Result result;
215
216 if (!imc_attestation)
217 {
218 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
219 return TNC_RESULT_NOT_INITIALIZED;
220 }
221
222 /* get current IMC state */
223 if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
224 {
225 return TNC_RESULT_FATAL;
226 }
227 attestation_state = (imc_attestation_state_t*)state;
228 pts = attestation_state->get_pts(attestation_state);
229
230 /* parse received PA-TNC message and automatically handle any errors */
231 result = imc_attestation->receive_message(imc_attestation, connection_id,
232 chunk_create(msg, msg_len), msg_type,
233 &pa_tnc_msg);
234
235 /* no parsed PA-TNC attributes available if an error occurred */
236 if (!pa_tnc_msg)
237 {
238 return result;
239 }
240
241 attr_list = linked_list_create();
242 result = TNC_RESULT_SUCCESS;
243
244 /* analyze PA-TNC attributes */
245 enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
246 while (enumerator->enumerate(enumerator, &attr))
247 {
248 if (attr->get_vendor_id(attr) == PEN_IETF &&
249 attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
250 {
251 ietf_attr_pa_tnc_error_t *error_attr;
252 pa_tnc_error_code_t error_code;
253 chunk_t msg_info, attr_info;
254 u_int32_t offset;
255
256 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
257 error_code = error_attr->get_error_code(error_attr);
258 msg_info = error_attr->get_msg_info(error_attr);
259
260 DBG1(DBG_IMC, "received PA-TNC error '%N' concerning message %#B",
261 pa_tnc_error_code_names, error_code, &msg_info);
262 switch (error_code)
263 {
264 case PA_ERROR_INVALID_PARAMETER:
265 offset = error_attr->get_offset(error_attr);
266 DBG1(DBG_IMC, " occurred at offset of %u bytes", offset);
267 break;
268 case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
269 attr_info = error_attr->get_attr_info(error_attr);
270 DBG1(DBG_IMC, " unsupported attribute %#B", &attr_info);
271 break;
272 default:
273 break;
274 }
275 result = TNC_RESULT_FATAL;
276 }
277 else if (attr->get_vendor_id(attr) == PEN_TCG)
278 {
279 if (!imc_attestation_process(attr, attr_list, attestation_state,
280 supported_algorithms, supported_dh_groups, evidences))
281 {
282 result = TNC_RESULT_FATAL;
283 }
284 }
285 }
286 enumerator->destroy(enumerator);
287 pa_tnc_msg->destroy(pa_tnc_msg);
288
289 if (result == TNC_RESULT_SUCCESS && attr_list->get_count(attr_list))
290 {
291 pa_tnc_msg = pa_tnc_msg_create();
292
293 enumerator = attr_list->create_enumerator(attr_list);
294 while (enumerator->enumerate(enumerator, &attr))
295 {
296 pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
297 }
298 enumerator->destroy(enumerator);
299
300 pa_tnc_msg->build(pa_tnc_msg);
301 result = imc_attestation->send_message(imc_attestation, connection_id,
302 pa_tnc_msg->get_encoding(pa_tnc_msg));
303 pa_tnc_msg->destroy(pa_tnc_msg);
304 }
305
306 attr_list->destroy(attr_list);
307 return result;
308
309 err:
310 DESTROY_IF(attr_list);
311 return TNC_RESULT_FATAL;
312 }
313
314 /**
315 * see section 3.7.5 of TCG TNC IF-IMC Specification 1.2
316 */
317 TNC_Result TNC_IMC_BatchEnding(TNC_IMCID imc_id,
318 TNC_ConnectionID connection_id)
319 {
320 if (!imc_attestation)
321 {
322 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
323 return TNC_RESULT_NOT_INITIALIZED;
324 }
325 return TNC_RESULT_SUCCESS;
326 }
327
328 /**
329 * see section 3.7.6 of TCG TNC IF-IMC Specification 1.2
330 */
331 TNC_Result TNC_IMC_Terminate(TNC_IMCID imc_id)
332 {
333 if (!imc_attestation)
334 {
335 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
336 return TNC_RESULT_NOT_INITIALIZED;
337 }
338
339 DESTROY_IF(evidences);
340 libpts_deinit();
341
342 imc_attestation->destroy(imc_attestation);
343 imc_attestation = NULL;
344
345 return TNC_RESULT_SUCCESS;
346 }
347
348 /**
349 * see section 4.2.8.1 of TCG TNC IF-IMC Specification 1.2
350 */
351 TNC_Result TNC_IMC_ProvideBindFunction(TNC_IMCID imc_id,
352 TNC_TNCC_BindFunctionPointer bind_function)
353 {
354 if (!imc_attestation)
355 {
356 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
357 return TNC_RESULT_NOT_INITIALIZED;
358 }
359 return imc_attestation->bind_functions(imc_attestation, bind_function);
360 }