moved building of attributes to imv_attestation_build
[strongswan.git] / src / libimcv / plugins / imv_attestation / imv_attestation.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_state.h"
17 #include "imv_attestation_process.h"
18 #include "imv_attestation_build.h"
19
20 #include <imv/imv_agent.h>
21 #include <pa_tnc/pa_tnc_msg.h>
22 #include <ietf/ietf_attr.h>
23 #include <ietf/ietf_attr_pa_tnc_error.h>
24 #include <ietf/ietf_attr_product_info.h>
25
26 #include <libpts.h>
27
28 #include <pts/pts.h>
29 #include <pts/pts_database.h>
30 #include <pts/pts_creds.h>
31
32 #include <tcg/tcg_attr.h>
33
34 #include <tncif_pa_subtypes.h>
35
36 #include <pen/pen.h>
37 #include <debug.h>
38 #include <credentials/credential_manager.h>
39 #include <utils/linked_list.h>
40
41 /* IMV definitions */
42
43 static const char imv_name[] = "Attestation";
44
45 #define IMV_VENDOR_ID PEN_TCG
46 #define IMV_SUBTYPE PA_SUBTYPE_TCG_PTS
47
48 static imv_agent_t *imv_attestation;
49
50 /**
51 * Supported PTS measurement algorithms
52 */
53 static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
54
55 /**
56 * Supported PTS Diffie Hellman Groups
57 */
58 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
59
60 /**
61 * PTS file measurement database
62 */
63 static pts_database_t *pts_db;
64
65 /**
66 * PTS credentials
67 */
68 static pts_creds_t *pts_creds;
69
70 /**
71 * PTS credential manager
72 */
73 static credential_manager_t *pts_credmgr;
74
75 /**
76 * see section 3.7.1 of TCG TNC IF-IMV Specification 1.2
77 */
78 TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
79 TNC_Version min_version,
80 TNC_Version max_version,
81 TNC_Version *actual_version)
82 {
83 char *hash_alg, *dh_group, *uri, *cadir;
84
85 if (imv_attestation)
86 {
87 DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
88 return TNC_RESULT_ALREADY_INITIALIZED;
89 }
90 if (!pts_meas_algo_probe(&supported_algorithms) ||
91 !pts_dh_group_probe(&supported_dh_groups))
92 {
93 return TNC_RESULT_FATAL;
94 }
95 imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
96 imv_id, actual_version);
97 if (!imv_attestation)
98 {
99 return TNC_RESULT_FATAL;
100 }
101
102 libpts_init();
103
104 if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
105 {
106 DBG1(DBG_IMV, "no common IF-IMV version");
107 return TNC_RESULT_NO_COMMON_VERSION;
108 }
109
110 hash_alg = lib->settings->get_str(lib->settings,
111 "libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
112 dh_group = lib->settings->get_str(lib->settings,
113 "libimcv.plugins.imv-attestation.dh_group", "ecp256");
114
115 if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
116 !pts_dh_group_update(dh_group, &supported_dh_groups))
117 {
118 return TNC_RESULT_FATAL;
119 }
120
121 /* create a PTS credential manager */
122 pts_credmgr = credential_manager_create();
123
124 /* create PTS credential set */
125 cadir = lib->settings->get_str(lib->settings,
126 "libimcv.plugins.imv-attestation.cadir", NULL);
127 pts_creds = pts_creds_create(cadir);
128 if (pts_creds)
129 {
130 pts_credmgr->add_set(pts_credmgr, pts_creds->get_set(pts_creds));
131 }
132
133 /* attach file measurement database */
134 uri = lib->settings->get_str(lib->settings,
135 "libimcv.plugins.imv-attestation.database", NULL);
136 pts_db = pts_database_create(uri);
137
138 return TNC_RESULT_SUCCESS;
139 }
140
141 /**
142 * see section 3.7.2 of TCG TNC IF-IMV Specification 1.2
143 */
144 TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
145 TNC_ConnectionID connection_id,
146 TNC_ConnectionState new_state)
147 {
148 imv_state_t *state;
149 imv_attestation_state_t *attestation_state;
150 TNC_Result result;
151
152 if (!imv_attestation)
153 {
154 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
155 return TNC_RESULT_NOT_INITIALIZED;
156 }
157 switch (new_state)
158 {
159 case TNC_CONNECTION_STATE_CREATE:
160 state = imv_attestation_state_create(connection_id);
161 return imv_attestation->create_state(imv_attestation, state);
162 case TNC_CONNECTION_STATE_DELETE:
163 return imv_attestation->delete_state(imv_attestation, connection_id);
164 case TNC_CONNECTION_STATE_HANDSHAKE:
165 result = imv_attestation->change_state(imv_attestation, connection_id,
166 new_state, &state);
167 if (result != TNC_RESULT_SUCCESS)
168 {
169 return result;
170 }
171 attestation_state = (imv_attestation_state_t*)state;
172
173 /* TODO: Get some configurations */
174
175 return TNC_RESULT_SUCCESS;
176 default:
177 return imv_attestation->change_state(imv_attestation, connection_id,
178 new_state, NULL);
179 }
180 }
181
182 static TNC_Result send_message(TNC_ConnectionID connection_id)
183 {
184 pa_tnc_msg_t *msg;
185 imv_state_t *state;
186 imv_attestation_state_t *attestation_state;
187 TNC_Result result;
188
189 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
190 {
191 return TNC_RESULT_FATAL;
192 }
193 attestation_state = (imv_attestation_state_t*)state;
194 msg = pa_tnc_msg_create();
195
196 if (imv_attestation_build(msg, attestation_state, supported_algorithms,
197 supported_dh_groups, pts_db))
198 {
199 msg->build(msg);
200 result = imv_attestation->send_message(imv_attestation, connection_id,
201 msg->get_encoding(msg));
202 }
203 else
204 {
205 result = TNC_RESULT_FATAL;
206 }
207 msg->destroy(msg);
208
209 return result;
210 }
211
212 /**
213 * see section 3.7.3 of TCG TNC IF-IMV Specification 1.2
214 */
215 TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
216 TNC_ConnectionID connection_id,
217 TNC_BufferReference msg,
218 TNC_UInt32 msg_len,
219 TNC_MessageType msg_type)
220 {
221 pa_tnc_msg_t *pa_tnc_msg;
222 pa_tnc_attr_t *attr;
223 linked_list_t *attr_list;
224 imv_state_t *state;
225 imv_attestation_state_t *attestation_state;
226 pts_t *pts;
227 enumerator_t *enumerator;
228 TNC_Result result;
229
230 if (!imv_attestation)
231 {
232 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
233 return TNC_RESULT_NOT_INITIALIZED;
234 }
235
236 /* get current IMV state */
237 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
238 {
239 return TNC_RESULT_FATAL;
240 }
241 attestation_state = (imv_attestation_state_t*)state;
242 pts = attestation_state->get_pts(attestation_state);
243
244 /* parse received PA-TNC message and automatically handle any errors */
245 result = imv_attestation->receive_message(imv_attestation, connection_id,
246 chunk_create(msg, msg_len), msg_type,
247 &pa_tnc_msg);
248
249 /* no parsed PA-TNC attributes available if an error occurred */
250 if (!pa_tnc_msg)
251 {
252 return result;
253 }
254
255 attr_list = linked_list_create();
256 result = TNC_RESULT_SUCCESS;
257
258 /* analyze PA-TNC attributes */
259 enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
260 while (enumerator->enumerate(enumerator, &attr))
261 {
262 if (attr->get_vendor_id(attr) == PEN_IETF)
263 {
264 if (attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
265 {
266 ietf_attr_pa_tnc_error_t *error_attr;
267 pen_t error_vendor_id;
268 pa_tnc_error_code_t error_code;
269 chunk_t msg_info, attr_info;
270 u_int32_t offset;
271
272 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
273 error_vendor_id = error_attr->get_vendor_id(error_attr);
274 error_code = error_attr->get_error_code(error_attr);
275 msg_info = error_attr->get_msg_info(error_attr);
276
277 if (error_vendor_id == PEN_IETF)
278 {
279 DBG1(DBG_IMV, "received PA-TNC error '%N' "
280 "concerning message %#B",
281 pa_tnc_error_code_names, error_code, &msg_info);
282
283 switch (error_code)
284 {
285 case PA_ERROR_INVALID_PARAMETER:
286 offset = error_attr->get_offset(error_attr);
287 DBG1(DBG_IMV, " occurred at offset of %u bytes",
288 offset);
289 break;
290 case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
291 attr_info = error_attr->get_attr_info(error_attr);
292 DBG1(DBG_IMV, " unsupported attribute %#B",
293 &attr_info);
294 break;
295 default:
296 break;
297 }
298 }
299 else if (error_vendor_id == PEN_TCG)
300 {
301 DBG1(DBG_IMV, "received TCG-PTS error '%N'",
302 pts_error_code_names, error_code);
303 DBG1(DBG_IMV, "error information: %B", &msg_info);
304 }
305 result = TNC_RESULT_FATAL;
306 }
307 else if (attr->get_type(attr) == IETF_ATTR_PRODUCT_INFORMATION)
308 {
309 ietf_attr_product_info_t *attr_cast;
310 char *platform_info;
311
312 attr_cast = (ietf_attr_product_info_t*)attr;
313 platform_info = attr_cast->get_info(attr_cast, NULL, NULL);
314 pts->set_platform_info(pts, platform_info);
315 }
316 }
317 else if (attr->get_vendor_id(attr) == PEN_TCG)
318 {
319 if (!imv_attestation_process(attr, attr_list, attestation_state,
320 supported_algorithms,supported_dh_groups, pts_db, pts_credmgr))
321 {
322 result = TNC_RESULT_FATAL;
323 break;
324 }
325 }
326 }
327 enumerator->destroy(enumerator);
328 pa_tnc_msg->destroy(pa_tnc_msg);
329
330 if (result != TNC_RESULT_SUCCESS)
331 {
332 attr_list->destroy(attr_list);
333 state->set_recommendation(state,
334 TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
335 TNC_IMV_EVALUATION_RESULT_ERROR);
336 return imv_attestation->provide_recommendation(imv_attestation,
337 connection_id);
338 }
339
340 if (attr_list->get_count(attr_list))
341 {
342 pa_tnc_msg = pa_tnc_msg_create();
343
344 enumerator = attr_list->create_enumerator(attr_list);
345 while (enumerator->enumerate(enumerator, &attr))
346 {
347 pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
348 }
349 enumerator->destroy(enumerator);
350
351 pa_tnc_msg->build(pa_tnc_msg);
352 result = imv_attestation->send_message(imv_attestation, connection_id,
353 pa_tnc_msg->get_encoding(pa_tnc_msg));
354
355 pa_tnc_msg->destroy(pa_tnc_msg);
356 attr_list->destroy(attr_list);
357
358 return result;
359 }
360 attr_list->destroy(attr_list);
361
362 if (attestation_state->get_handshake_state(attestation_state) ==
363 IMV_ATTESTATION_STATE_END)
364 {
365 if (attestation_state->get_request_count(attestation_state))
366 {
367 DBG1(DBG_IMV, "failure due to %d pending file measurements",
368 attestation_state->get_request_count(attestation_state));
369 attestation_state->set_measurement_error(attestation_state);
370 }
371 if (attestation_state->get_measurement_error(attestation_state))
372 {
373 state->set_recommendation(state,
374 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
375 TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
376 }
377 else
378 {
379 state->set_recommendation(state,
380 TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
381 TNC_IMV_EVALUATION_RESULT_COMPLIANT);
382 }
383 return imv_attestation->provide_recommendation(imv_attestation,
384 connection_id);
385 }
386
387 return send_message(connection_id);
388 }
389
390 /**
391 * see section 3.7.4 of TCG TNC IF-IMV Specification 1.2
392 */
393 TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
394 TNC_ConnectionID connection_id)
395 {
396 if (!imv_attestation)
397 {
398 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
399 return TNC_RESULT_NOT_INITIALIZED;
400 }
401 return imv_attestation->provide_recommendation(imv_attestation, connection_id);
402 }
403
404 /**
405 * see section 3.7.5 of TCG TNC IF-IMV Specification 1.2
406 */
407 TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
408 TNC_ConnectionID connection_id)
409 {
410 imv_state_t *state;
411 imv_attestation_state_t *attestation_state;
412
413 if (!imv_attestation)
414 {
415 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
416 return TNC_RESULT_NOT_INITIALIZED;
417 }
418 /* get current IMV state */
419 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
420 {
421 return TNC_RESULT_FATAL;
422 }
423 attestation_state = (imv_attestation_state_t*)state;
424
425 /* Check if IMV has to initiate the PA-TNC exchange */
426 if (attestation_state->get_handshake_state(attestation_state) ==
427 IMV_ATTESTATION_STATE_INIT)
428 {
429 return send_message(connection_id);
430 }
431 return TNC_RESULT_SUCCESS;
432 }
433
434 /**
435 * see section 3.7.6 of TCG TNC IF-IMV Specification 1.2
436 */
437 TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
438 {
439 if (!imv_attestation)
440 {
441 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
442 return TNC_RESULT_NOT_INITIALIZED;
443 }
444 if (pts_creds)
445 {
446 pts_credmgr->remove_set(pts_credmgr, pts_creds->get_set(pts_creds));
447 pts_creds->destroy(pts_creds);
448 }
449 DESTROY_IF(pts_db);
450 DESTROY_IF(pts_credmgr);
451
452 libpts_deinit();
453
454 imv_attestation->destroy(imv_attestation);
455 imv_attestation = NULL;
456
457 return TNC_RESULT_SUCCESS;
458 }
459
460 /**
461 * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.2
462 */
463 TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
464 TNC_TNCS_BindFunctionPointer bind_function)
465 {
466 if (!imv_attestation)
467 {
468 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
469 return TNC_RESULT_NOT_INITIALIZED;
470 }
471 return imv_attestation->bind_functions(imv_attestation, bind_function);
472 }