moved comments
[strongswan.git] / src / libimcv / plugins / imv_attestation / imv_attestation.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_state.h"
17 #include "imv_attestation_process.h"
18
19 #include <imv/imv_agent.h>
20 #include <pa_tnc/pa_tnc_msg.h>
21 #include <ietf/ietf_attr.h>
22 #include <ietf/ietf_attr_pa_tnc_error.h>
23 #include <ietf/ietf_attr_product_info.h>
24
25 #include <libpts.h>
26
27 #include <pts/pts.h>
28 #include <pts/pts_database.h>
29 #include <pts/pts_creds.h>
30
31 #include <tcg/tcg_attr.h>
32 #include <tcg/tcg_pts_attr_proto_caps.h>
33 #include <tcg/tcg_pts_attr_meas_algo.h>
34 #include <tcg/tcg_pts_attr_dh_nonce_params_req.h>
35 #include <tcg/tcg_pts_attr_dh_nonce_finish.h>
36 #include <tcg/tcg_pts_attr_get_tpm_version_info.h>
37 #include <tcg/tcg_pts_attr_get_aik.h>
38 #include <tcg/tcg_pts_attr_req_funct_comp_evid.h>
39 #include <tcg/tcg_pts_attr_gen_attest_evid.h>
40 #include <tcg/tcg_pts_attr_req_file_meas.h>
41 #include <tcg/tcg_pts_attr_req_file_meta.h>
42
43 #include <tncif_pa_subtypes.h>
44
45 #include <pen/pen.h>
46 #include <debug.h>
47 #include <credentials/credential_manager.h>
48 #include <utils/linked_list.h>
49
50 /* IMV definitions */
51
52 static const char imv_name[] = "Attestation";
53
54 #define IMV_VENDOR_ID PEN_TCG
55 #define IMV_SUBTYPE PA_SUBTYPE_TCG_PTS
56
57 static imv_agent_t *imv_attestation;
58
59 /**
60 * Supported PTS measurement algorithms
61 */
62 static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
63
64 /**
65 * Supported PTS Diffie Hellman Groups
66 */
67 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
68
69 /**
70 * PTS file measurement database
71 */
72 static pts_database_t *pts_db;
73
74 /**
75 * PTS credentials
76 */
77 static pts_creds_t *pts_creds;
78
79 /**
80 * PTS credential manager
81 */
82 static credential_manager_t *pts_credmgr;
83
84 /**
85 * see section 3.7.1 of TCG TNC IF-IMV Specification 1.2
86 */
87 TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
88 TNC_Version min_version,
89 TNC_Version max_version,
90 TNC_Version *actual_version)
91 {
92 char *hash_alg, *dh_group, *uri, *cadir;
93
94 if (imv_attestation)
95 {
96 DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
97 return TNC_RESULT_ALREADY_INITIALIZED;
98 }
99 if (!pts_meas_algo_probe(&supported_algorithms) ||
100 !pts_dh_group_probe(&supported_dh_groups))
101 {
102 return TNC_RESULT_FATAL;
103 }
104 imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
105 imv_id, actual_version);
106 if (!imv_attestation)
107 {
108 return TNC_RESULT_FATAL;
109 }
110
111 libpts_init();
112
113 if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
114 {
115 DBG1(DBG_IMV, "no common IF-IMV version");
116 return TNC_RESULT_NO_COMMON_VERSION;
117 }
118
119 hash_alg = lib->settings->get_str(lib->settings,
120 "libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
121 dh_group = lib->settings->get_str(lib->settings,
122 "libimcv.plugins.imv-attestation.dh_group", "ecp256");
123
124 if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
125 !pts_dh_group_update(dh_group, &supported_dh_groups))
126 {
127 return TNC_RESULT_FATAL;
128 }
129
130 /* create a PTS credential manager */
131 pts_credmgr = credential_manager_create();
132
133 /* create PTS credential set */
134 cadir = lib->settings->get_str(lib->settings,
135 "libimcv.plugins.imv-attestation.cadir", NULL);
136 pts_creds = pts_creds_create(cadir);
137 if (pts_creds)
138 {
139 pts_credmgr->add_set(pts_credmgr, pts_creds->get_set(pts_creds));
140 }
141
142 /* attach file measurement database */
143 uri = lib->settings->get_str(lib->settings,
144 "libimcv.plugins.imv-attestation.database", NULL);
145 pts_db = pts_database_create(uri);
146
147 return TNC_RESULT_SUCCESS;
148 }
149
150 /**
151 * see section 3.7.2 of TCG TNC IF-IMV Specification 1.2
152 */
153 TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
154 TNC_ConnectionID connection_id,
155 TNC_ConnectionState new_state)
156 {
157 imv_state_t *state;
158 imv_attestation_state_t *attestation_state;
159 TNC_Result result;
160
161 if (!imv_attestation)
162 {
163 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
164 return TNC_RESULT_NOT_INITIALIZED;
165 }
166 switch (new_state)
167 {
168 case TNC_CONNECTION_STATE_CREATE:
169 state = imv_attestation_state_create(connection_id);
170 return imv_attestation->create_state(imv_attestation, state);
171 case TNC_CONNECTION_STATE_DELETE:
172 return imv_attestation->delete_state(imv_attestation, connection_id);
173 case TNC_CONNECTION_STATE_HANDSHAKE:
174 result = imv_attestation->change_state(imv_attestation, connection_id,
175 new_state, &state);
176 if (result != TNC_RESULT_SUCCESS)
177 {
178 return result;
179 }
180 attestation_state = (imv_attestation_state_t*)state;
181
182 /* TODO: Get some configurations */
183
184 return TNC_RESULT_SUCCESS;
185 default:
186 return imv_attestation->change_state(imv_attestation, connection_id,
187 new_state, NULL);
188 }
189 }
190
191 static TNC_Result send_message(TNC_ConnectionID connection_id)
192 {
193 pa_tnc_msg_t *msg;
194 pa_tnc_attr_t *attr;
195 pts_t *pts;
196 imv_state_t *state;
197 imv_attestation_state_t *attestation_state;
198 imv_attestation_handshake_state_t handshake_state;
199 TNC_Result result;
200
201 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
202 {
203 return TNC_RESULT_FATAL;
204 }
205 attestation_state = (imv_attestation_state_t*)state;
206 handshake_state = attestation_state->get_handshake_state(attestation_state);
207 pts = attestation_state->get_pts(attestation_state);
208
209 msg = pa_tnc_msg_create();
210
211 if (handshake_state == IMV_ATTESTATION_STATE_NONCE_REQ &&
212 !(pts->get_proto_caps(pts) & PTS_PROTO_CAPS_T))
213 {
214 DBG1(DBG_IMV, "PTS-IMC has no TPM capability - "
215 "advancing to PTS measurement phase");
216 handshake_state = IMV_ATTESTATION_STATE_MEAS;
217 }
218
219 /* Switch on the attribute type IMV has received */
220 switch (handshake_state)
221 {
222 case IMV_ATTESTATION_STATE_INIT:
223 {
224 pts_proto_caps_flag_t flags;
225
226 /* Send Request Protocol Capabilities attribute */
227 flags = pts->get_proto_caps(pts);
228 attr = tcg_pts_attr_proto_caps_create(flags, TRUE);
229 attr->set_noskip_flag(attr, TRUE);
230 msg->add_attribute(msg, attr);
231
232 /* Send Measurement Algorithms attribute */
233 attr = tcg_pts_attr_meas_algo_create(supported_algorithms, FALSE);
234 attr->set_noskip_flag(attr, TRUE);
235 msg->add_attribute(msg, attr);
236
237 attestation_state->set_handshake_state(attestation_state,
238 IMV_ATTESTATION_STATE_NONCE_REQ);
239 break;
240 }
241 case IMV_ATTESTATION_STATE_NONCE_REQ:
242 {
243 int min_nonce_len;
244
245 /* Send DH nonce parameters request attribute */
246 min_nonce_len = lib->settings->get_int(lib->settings,
247 "libimcv.plugins.imv-attestation.min_nonce_len", 0);
248 attr = tcg_pts_attr_dh_nonce_params_req_create(min_nonce_len,
249 supported_dh_groups);
250 attr->set_noskip_flag(attr, TRUE);
251 msg->add_attribute(msg, attr);
252
253 attestation_state->set_handshake_state(attestation_state,
254 IMV_ATTESTATION_STATE_TPM_INIT);
255 break;
256 }
257 case IMV_ATTESTATION_STATE_TPM_INIT:
258 {
259 pts_meas_algorithms_t selected_algorithm;
260 chunk_t initiator_value, initiator_nonce;
261
262 /* Send DH nonce finish attribute */
263 selected_algorithm = pts->get_meas_algorithm(pts);
264 pts->get_my_public_value(pts, &initiator_value, &initiator_nonce);
265 attr = tcg_pts_attr_dh_nonce_finish_create(selected_algorithm,
266 initiator_value, initiator_nonce);
267 attr->set_noskip_flag(attr, TRUE);
268 msg->add_attribute(msg, attr);
269
270 /* Send Get TPM Version attribute */
271 attr = tcg_pts_attr_get_tpm_version_info_create();
272 attr->set_noskip_flag(attr, TRUE);
273 msg->add_attribute(msg, attr);
274
275 /* Send Get AIK attribute */
276 attr = tcg_pts_attr_get_aik_create();
277 attr->set_noskip_flag(attr, TRUE);
278 msg->add_attribute(msg, attr);
279
280 attestation_state->set_handshake_state(attestation_state,
281 IMV_ATTESTATION_STATE_MEAS);
282 break;
283 }
284 case IMV_ATTESTATION_STATE_MEAS:
285 {
286
287 enumerator_t *enumerator;
288 u_int32_t delimiter = SOLIDUS_UTF;
289 char *platform_info, *pathname;
290 u_int16_t request_id;
291 int id, type;
292 bool is_dir;
293
294 attestation_state->set_handshake_state(attestation_state,
295 IMV_ATTESTATION_STATE_COMP_EVID);
296
297 /* Get Platform and OS of the PTS-IMC */
298 platform_info = pts->get_platform_info(pts);
299
300 if (!pts_db || !platform_info)
301 {
302 DBG1(DBG_IMV, "%s%s%s not available",
303 (pts_db) ? "" : "pts database",
304 (!pts_db && !platform_info) ? "and" : "",
305 (platform_info) ? "" : "platform info");
306 break;
307 }
308 DBG1(DBG_IMV, "platform is '%s'", platform_info);
309
310 /* Send Request File Metadata attribute */
311 attr = tcg_pts_attr_req_file_meta_create(FALSE, SOLIDUS_UTF, "/etc/tnc_config");
312 attr->set_noskip_flag(attr, TRUE);
313 msg->add_attribute(msg, attr);
314
315 /* Send Request File Measurement attribute */
316 enumerator = pts_db->create_file_enumerator(pts_db, platform_info);
317 if (!enumerator)
318 {
319 break;
320 }
321 while (enumerator->enumerate(enumerator, &id, &type, &pathname))
322 {
323 is_dir = (type != 0);
324 request_id = attestation_state->add_request(attestation_state,
325 id, is_dir);
326 DBG2(DBG_IMV, "measurement request %d for %s '%s'",
327 request_id, is_dir ? "directory" : "file", pathname);
328 attr = tcg_pts_attr_req_file_meas_create(is_dir, request_id,
329 delimiter, pathname);
330 attr->set_noskip_flag(attr, TRUE);
331 msg->add_attribute(msg, attr);
332 }
333 enumerator->destroy(enumerator);
334 break;
335 }
336 case IMV_ATTESTATION_STATE_COMP_EVID:
337 {
338 pts_attr_req_funct_comp_evid_flag_t flags;
339 u_int32_t sub_comp_depth;
340 pts_qualifier_t qualifier;
341 pts_funct_comp_name_t name;
342
343 attestation_state->set_handshake_state(attestation_state,
344 IMV_ATTESTATION_STATE_END);
345
346 flags = PTS_REQ_FUNC_COMP_FLAG_PCR;
347 sub_comp_depth = 0;
348 qualifier.kernel = FALSE;
349 qualifier.sub_component = FALSE;
350 qualifier.type = PTS_FUNC_COMP_TYPE_ALL;
351 name = PTS_FUNC_COMP_NAME_BIOS;
352
353 /* Send Request Functional Component Evidence attribute */
354 attr = tcg_pts_attr_req_funct_comp_evid_create(flags, sub_comp_depth,
355 PEN_TCG, qualifier, name);
356 attr->set_noskip_flag(attr, TRUE);
357 msg->add_attribute(msg, attr);
358 /* Send Generate Attestation Evidence attribute */
359 attr = tcg_pts_attr_gen_attest_evid_create();
360 attr->set_noskip_flag(attr, TRUE);
361 msg->add_attribute(msg, attr);
362
363 break;
364 }
365 default:
366 DBG1(DBG_IMV, "Attestation IMV is in unknown state: \"%s\"",
367 handshake_state);
368 return TNC_RESULT_FATAL;
369 }
370
371 msg->build(msg);
372 result = imv_attestation->send_message(imv_attestation, connection_id,
373 msg->get_encoding(msg));
374 msg->destroy(msg);
375
376 return result;
377 }
378
379 /**
380 * see section 3.7.3 of TCG TNC IF-IMV Specification 1.2
381 */
382 TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
383 TNC_ConnectionID connection_id,
384 TNC_BufferReference msg,
385 TNC_UInt32 msg_len,
386 TNC_MessageType msg_type)
387 {
388 pa_tnc_msg_t *pa_tnc_msg;
389 pa_tnc_attr_t *attr;
390 linked_list_t *attr_list;
391 imv_state_t *state;
392 imv_attestation_state_t *attestation_state;
393 pts_t *pts;
394 enumerator_t *enumerator;
395 TNC_Result result;
396
397 if (!imv_attestation)
398 {
399 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
400 return TNC_RESULT_NOT_INITIALIZED;
401 }
402
403 /* get current IMV state */
404 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
405 {
406 return TNC_RESULT_FATAL;
407 }
408 attestation_state = (imv_attestation_state_t*)state;
409 pts = attestation_state->get_pts(attestation_state);
410
411 /* parse received PA-TNC message and automatically handle any errors */
412 result = imv_attestation->receive_message(imv_attestation, connection_id,
413 chunk_create(msg, msg_len), msg_type,
414 &pa_tnc_msg);
415
416 /* no parsed PA-TNC attributes available if an error occurred */
417 if (!pa_tnc_msg)
418 {
419 return result;
420 }
421
422 attr_list = linked_list_create();
423 result = TNC_RESULT_SUCCESS;
424
425 /* analyze PA-TNC attributes */
426 enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
427 while (enumerator->enumerate(enumerator, &attr))
428 {
429 if (attr->get_vendor_id(attr) == PEN_IETF)
430 {
431 if (attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
432 {
433 ietf_attr_pa_tnc_error_t *error_attr;
434 pen_t error_vendor_id;
435 pa_tnc_error_code_t error_code;
436 chunk_t msg_info, attr_info;
437 u_int32_t offset;
438
439 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
440 error_vendor_id = error_attr->get_vendor_id(error_attr);
441 error_code = error_attr->get_error_code(error_attr);
442 msg_info = error_attr->get_msg_info(error_attr);
443
444 if (error_vendor_id == PEN_IETF)
445 {
446 DBG1(DBG_IMV, "received PA-TNC error '%N' "
447 "concerning message %#B",
448 pa_tnc_error_code_names, error_code, &msg_info);
449
450 switch (error_code)
451 {
452 case PA_ERROR_INVALID_PARAMETER:
453 offset = error_attr->get_offset(error_attr);
454 DBG1(DBG_IMV, " occurred at offset of %u bytes",
455 offset);
456 break;
457 case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
458 attr_info = error_attr->get_attr_info(error_attr);
459 DBG1(DBG_IMV, " unsupported attribute %#B",
460 &attr_info);
461 break;
462 default:
463 break;
464 }
465 }
466 else if (error_vendor_id == PEN_TCG)
467 {
468 DBG1(DBG_IMV, "received TCG-PTS error '%N'",
469 pts_error_code_names, error_code);
470 DBG1(DBG_IMV, "error information: %B", &msg_info);
471 }
472 result = TNC_RESULT_FATAL;
473 }
474 else if (attr->get_type(attr) == IETF_ATTR_PRODUCT_INFORMATION)
475 {
476 ietf_attr_product_info_t *attr_cast;
477 char *platform_info;
478
479 attr_cast = (ietf_attr_product_info_t*)attr;
480 platform_info = attr_cast->get_info(attr_cast, NULL, NULL);
481 pts->set_platform_info(pts, platform_info);
482 }
483 }
484 else if (attr->get_vendor_id(attr) == PEN_TCG)
485 {
486 if (!imv_attestation_process(attr, attr_list, attestation_state,
487 supported_algorithms, supported_dh_groups, pts_db, pts_credmgr))
488 {
489 result = TNC_RESULT_FATAL;
490 break;
491 }
492 }
493 }
494 enumerator->destroy(enumerator);
495 pa_tnc_msg->destroy(pa_tnc_msg);
496
497 if (result != TNC_RESULT_SUCCESS)
498 {
499 attr_list->destroy(attr_list);
500 state->set_recommendation(state,
501 TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
502 TNC_IMV_EVALUATION_RESULT_ERROR);
503 return imv_attestation->provide_recommendation(imv_attestation,
504 connection_id);
505 }
506
507 if (attr_list->get_count(attr_list))
508 {
509 pa_tnc_msg = pa_tnc_msg_create();
510
511 enumerator = attr_list->create_enumerator(attr_list);
512 while (enumerator->enumerate(enumerator, &attr))
513 {
514 pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
515 }
516 enumerator->destroy(enumerator);
517
518 pa_tnc_msg->build(pa_tnc_msg);
519 result = imv_attestation->send_message(imv_attestation, connection_id,
520 pa_tnc_msg->get_encoding(pa_tnc_msg));
521
522 pa_tnc_msg->destroy(pa_tnc_msg);
523 attr_list->destroy(attr_list);
524
525 return result;
526 }
527 attr_list->destroy(attr_list);
528
529 if (attestation_state->get_handshake_state(attestation_state) ==
530 IMV_ATTESTATION_STATE_END)
531 {
532 if (attestation_state->get_request_count(attestation_state))
533 {
534 DBG1(DBG_IMV, "failure due to %d pending file measurements",
535 attestation_state->get_request_count(attestation_state));
536 attestation_state->set_measurement_error(attestation_state);
537 }
538 if (attestation_state->get_measurement_error(attestation_state))
539 {
540 state->set_recommendation(state,
541 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
542 TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
543 }
544 else
545 {
546 state->set_recommendation(state,
547 TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
548 TNC_IMV_EVALUATION_RESULT_COMPLIANT);
549 }
550 return imv_attestation->provide_recommendation(imv_attestation,
551 connection_id);
552 }
553
554 return send_message(connection_id);
555 }
556
557 /**
558 * see section 3.7.4 of TCG TNC IF-IMV Specification 1.2
559 */
560 TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
561 TNC_ConnectionID connection_id)
562 {
563 if (!imv_attestation)
564 {
565 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
566 return TNC_RESULT_NOT_INITIALIZED;
567 }
568 return imv_attestation->provide_recommendation(imv_attestation, connection_id);
569 }
570
571 /**
572 * see section 3.7.5 of TCG TNC IF-IMV Specification 1.2
573 */
574 TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
575 TNC_ConnectionID connection_id)
576 {
577 imv_state_t *state;
578 imv_attestation_state_t *attestation_state;
579
580 if (!imv_attestation)
581 {
582 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
583 return TNC_RESULT_NOT_INITIALIZED;
584 }
585 /* get current IMV state */
586 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
587 {
588 return TNC_RESULT_FATAL;
589 }
590 attestation_state = (imv_attestation_state_t*)state;
591
592 /* Check if IMV has to initiate the PA-TNC exchange */
593 if (attestation_state->get_handshake_state(attestation_state) ==
594 IMV_ATTESTATION_STATE_INIT)
595 {
596 return send_message(connection_id);
597 }
598 return TNC_RESULT_SUCCESS;
599 }
600
601 /**
602 * see section 3.7.6 of TCG TNC IF-IMV Specification 1.2
603 */
604 TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
605 {
606 if (!imv_attestation)
607 {
608 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
609 return TNC_RESULT_NOT_INITIALIZED;
610 }
611 if (pts_creds)
612 {
613 pts_credmgr->remove_set(pts_credmgr, pts_creds->get_set(pts_creds));
614 pts_creds->destroy(pts_creds);
615 }
616 DESTROY_IF(pts_db);
617 DESTROY_IF(pts_credmgr);
618
619 libpts_deinit();
620
621 imv_attestation->destroy(imv_attestation);
622 imv_attestation = NULL;
623
624 return TNC_RESULT_SUCCESS;
625 }
626
627 /**
628 * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.2
629 */
630 TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
631 TNC_TNCS_BindFunctionPointer bind_function)
632 {
633 if (!imv_attestation)
634 {
635 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
636 return TNC_RESULT_NOT_INITIALIZED;
637 }
638 return imv_attestation->bind_functions(imv_attestation, bind_function);
639 }