a263622b4a1e95a2fbcabd8fa0af1c8e3bf11295
[strongswan.git] / src / libimcv / plugins / imc_attestation / imc_attestation.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #define _GNU_SOURCE
17
18 #include "imc_attestation_state.h"
19 #include "imc_attestation_process.h"
20
21 #include <imc/imc_agent.h>
22 #include <pa_tnc/pa_tnc_msg.h>
23 #include <ietf/ietf_attr.h>
24 #include <ietf/ietf_attr_pa_tnc_error.h>
25 #include <ietf/ietf_attr_product_info.h>
26
27 #include <libpts.h>
28
29 #include <pts/pts_error.h>
30
31 #include <tcg/tcg_pts_attr_proto_caps.h>
32 #include <tcg/tcg_pts_attr_dh_nonce_params_req.h>
33 #include <tcg/tcg_pts_attr_dh_nonce_params_resp.h>
34 #include <tcg/tcg_pts_attr_dh_nonce_finish.h>
35 #include <tcg/tcg_pts_attr_meas_algo.h>
36 #include <tncif_pa_subtypes.h>
37
38 #include <pen/pen.h>
39 #include <debug.h>
40 #include <utils/linked_list.h>
41
42 /* IMC definitions */
43
44 static const char imc_name[] = "Attestation";
45
46 #define IMC_VENDOR_ID PEN_TCG
47 #define IMC_SUBTYPE PA_SUBTYPE_TCG_PTS
48 #define EXTEND_PCR 16
49
50 static imc_agent_t *imc_attestation;
51
52 /**
53 * Supported PTS measurement algorithms
54 */
55 static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
56
57 /**
58 * Supported PTS Diffie Hellman Groups
59 */
60 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
61
62 /**
63 * List of buffered Simple Component Evidences
64 * To be sent on reception of Generate Attestation Evidence attribute
65 */
66 static linked_list_t *evidences = NULL;
67
68 /**
69 * Supported PTS Diffie Hellman Groups
70 */
71 static pts_dh_group_t supported_dh_groups = 0;
72
73 /**
74 * High Entropy Random Data
75 * used in calculation of shared secret for the assessment session
76 */
77 static char *responder_nonce = NULL;
78
79 /**
80 * List of buffered Simple Component Evidences
81 * To be sent on reception of Generate Attestation Evidence attribute
82 */
83 static linked_list_t *evidences = NULL;
84
85 /**
86 * see section 3.7.1 of TCG TNC IF-IMC Specification 1.2
87 */
88 TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
89 TNC_Version min_version,
90 TNC_Version max_version,
91 TNC_Version *actual_version)
92 {
93 rng_t *rng;
94
95 if (imc_attestation)
96 {
97 DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
98 return TNC_RESULT_ALREADY_INITIALIZED;
99 }
100 if (!pts_meas_probe_algorithms(&supported_algorithms) ||
101 !pts_probe_dh_groups(&supported_dh_groups))
102 {
103 return TNC_RESULT_FATAL;
104 }
105 imc_attestation = imc_agent_create(imc_name, IMC_VENDOR_ID, IMC_SUBTYPE,
106 imc_id, actual_version);
107 if (!imc_attestation)
108 {
109 return TNC_RESULT_FATAL;
110 }
111
112 libpts_init();
113
114 if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1)
115 {
116 DBG1(DBG_IMC, "no common IF-IMC version");
117 return TNC_RESULT_NO_COMMON_VERSION;
118 }
119 return TNC_RESULT_SUCCESS;
120 }
121
122 /**
123 * see section 3.7.2 of TCG TNC IF-IMC Specification 1.2
124 */
125 TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
126 TNC_ConnectionID connection_id,
127 TNC_ConnectionState new_state)
128 {
129 imc_state_t *state;
130
131 if (!imc_attestation)
132 {
133 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
134 return TNC_RESULT_NOT_INITIALIZED;
135 }
136 switch (new_state)
137 {
138 case TNC_CONNECTION_STATE_CREATE:
139 state = imc_attestation_state_create(connection_id);
140 return imc_attestation->create_state(imc_attestation, state);
141 case TNC_CONNECTION_STATE_DELETE:
142 return imc_attestation->delete_state(imc_attestation, connection_id);
143 case TNC_CONNECTION_STATE_HANDSHAKE:
144 case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
145 case TNC_CONNECTION_STATE_ACCESS_NONE:
146 default:
147 return imc_attestation->change_state(imc_attestation, connection_id,
148 new_state, NULL);
149 }
150 }
151
152
153 /**
154 * see section 3.7.3 of TCG TNC IF-IMC Specification 1.2
155 */
156 TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
157 TNC_ConnectionID connection_id)
158 {
159 imc_state_t *state;
160 imc_attestation_state_t *attestation_state;
161 pts_t *pts;
162 char *platform_info;
163 TNC_Result result = TNC_RESULT_SUCCESS;
164
165 if (!imc_attestation)
166 {
167 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
168 return TNC_RESULT_NOT_INITIALIZED;
169 }
170
171 /* get current IMC state */
172 if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
173 {
174 return TNC_RESULT_FATAL;
175 }
176 attestation_state = (imc_attestation_state_t*)state;
177 pts = attestation_state->get_pts(attestation_state);
178
179 platform_info = pts->get_platform_info(pts);
180 if (platform_info)
181 {
182 pa_tnc_msg_t *pa_tnc_msg;
183 pa_tnc_attr_t *attr;
184
185 pa_tnc_msg = pa_tnc_msg_create();
186 attr = ietf_attr_product_info_create(0, 0, platform_info);
187 pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
188 pa_tnc_msg->build(pa_tnc_msg);
189 result = imc_attestation->send_message(imc_attestation, connection_id,
190 pa_tnc_msg->get_encoding(pa_tnc_msg));
191 pa_tnc_msg->destroy(pa_tnc_msg);
192 }
193
194 evidences = linked_list_create();
195
196 return result;
197 }
198
199 /**
200 * see section 3.7.4 of TCG TNC IF-IMC Specification 1.2
201 */
202 TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
203 TNC_ConnectionID connection_id,
204 TNC_BufferReference msg,
205 TNC_UInt32 msg_len,
206 TNC_MessageType msg_type)
207 {
208 pa_tnc_msg_t *pa_tnc_msg;
209 pa_tnc_attr_t *attr;
210 linked_list_t *attr_list;
211 imc_state_t *state;
212 imc_attestation_state_t *attestation_state;
213 enumerator_t *enumerator;
214 pts_t *pts;
215 TNC_Result result;
216
217 if (!imc_attestation)
218 {
219 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
220 return TNC_RESULT_NOT_INITIALIZED;
221 }
222
223 /* get current IMC state */
224 if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
225 {
226 return TNC_RESULT_FATAL;
227 }
228 attestation_state = (imc_attestation_state_t*)state;
229 pts = attestation_state->get_pts(attestation_state);
230
231 /* parse received PA-TNC message and automatically handle any errors */
232 result = imc_attestation->receive_message(imc_attestation, connection_id,
233 chunk_create(msg, msg_len), msg_type,
234 &pa_tnc_msg);
235
236 /* no parsed PA-TNC attributes available if an error occurred */
237 if (!pa_tnc_msg)
238 {
239 return result;
240 }
241
242 attr_list = linked_list_create();
243 result = TNC_RESULT_SUCCESS;
244
245 /* analyze PA-TNC attributes */
246 enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
247 while (enumerator->enumerate(enumerator, &attr))
248 {
249 if (attr->get_vendor_id(attr) == PEN_IETF &&
250 attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
251 {
252 ietf_attr_pa_tnc_error_t *error_attr;
253 pa_tnc_error_code_t error_code;
254 chunk_t msg_info, attr_info;
255 u_int32_t offset;
256
257 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
258 error_code = error_attr->get_error_code(error_attr);
259 msg_info = error_attr->get_msg_info(error_attr);
260
261 DBG1(DBG_IMC, "received PA-TNC error '%N' concerning message %#B",
262 pa_tnc_error_code_names, error_code, &msg_info);
263 switch (error_code)
264 {
265 case PA_ERROR_INVALID_PARAMETER:
266 offset = error_attr->get_offset(error_attr);
267 DBG1(DBG_IMC, " occurred at offset of %u bytes", offset);
268 break;
269 case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
270 attr_info = error_attr->get_attr_info(error_attr);
271 DBG1(DBG_IMC, " unsupported attribute %#B", &attr_info);
272 break;
273 default:
274 break;
275 }
276 result = TNC_RESULT_FATAL;
277 }
278 else if (attr->get_vendor_id(attr) == PEN_TCG)
279 {
280 if (!imc_attestation_process(attr, attr_list, attestation_state,
281 supported_algorithms, supported_dh_groups, evidences))
282 {
283 result = TNC_RESULT_FATAL;
284 }
285 }
286 }
287 enumerator->destroy(enumerator);
288 pa_tnc_msg->destroy(pa_tnc_msg);
289
290 if (result == TNC_RESULT_SUCCESS && attr_list->get_count(attr_list))
291 {
292 pa_tnc_msg = pa_tnc_msg_create();
293
294 enumerator = attr_list->create_enumerator(attr_list);
295 while (enumerator->enumerate(enumerator, &attr))
296 {
297 pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
298 }
299 enumerator->destroy(enumerator);
300
301 pa_tnc_msg->build(pa_tnc_msg);
302 result = imc_attestation->send_message(imc_attestation, connection_id,
303 pa_tnc_msg->get_encoding(pa_tnc_msg));
304 pa_tnc_msg->destroy(pa_tnc_msg);
305 }
306
307 attr_list->destroy(attr_list);
308 return result;
309
310 err:
311 DESTROY_IF(attr_list);
312 return TNC_RESULT_FATAL;
313 }
314
315 /**
316 * see section 3.7.5 of TCG TNC IF-IMC Specification 1.2
317 */
318 TNC_Result TNC_IMC_BatchEnding(TNC_IMCID imc_id,
319 TNC_ConnectionID connection_id)
320 {
321 if (!imc_attestation)
322 {
323 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
324 return TNC_RESULT_NOT_INITIALIZED;
325 }
326 return TNC_RESULT_SUCCESS;
327 }
328
329 /**
330 * see section 3.7.6 of TCG TNC IF-IMC Specification 1.2
331 */
332 TNC_Result TNC_IMC_Terminate(TNC_IMCID imc_id)
333 {
334 if (!imc_attestation)
335 {
336 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
337 return TNC_RESULT_NOT_INITIALIZED;
338 }
339
340 DESTROY_IF(evidences);
341 libpts_deinit();
342
343 imc_attestation->destroy(imc_attestation);
344 imc_attestation = NULL;
345
346 return TNC_RESULT_SUCCESS;
347 }
348
349 /**
350 * see section 4.2.8.1 of TCG TNC IF-IMC Specification 1.2
351 */
352 TNC_Result TNC_IMC_ProvideBindFunction(TNC_IMCID imc_id,
353 TNC_TNCC_BindFunctionPointer bind_function)
354 {
355 if (!imc_attestation)
356 {
357 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
358 return TNC_RESULT_NOT_INITIALIZED;
359 }
360 return imc_attestation->bind_functions(imc_attestation, bind_function);
361 }