refactored DH group nonce exchange
[strongswan.git] / src / libimcv / plugins / imv_attestation / imv_attestation.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_state.h"
17 #include "imv_attestation_process.h"
18 #include "imv_attestation_build.h"
19
20 #include <imv/imv_agent.h>
21 #include <pa_tnc/pa_tnc_msg.h>
22 #include <ietf/ietf_attr.h>
23 #include <ietf/ietf_attr_pa_tnc_error.h>
24 #include <ietf/ietf_attr_product_info.h>
25
26 #include <libpts.h>
27
28 #include <pts/pts.h>
29 #include <pts/pts_database.h>
30 #include <pts/pts_creds.h>
31
32 #include <tcg/tcg_attr.h>
33
34 #include <tncif_pa_subtypes.h>
35
36 #include <pen/pen.h>
37 #include <debug.h>
38 #include <credentials/credential_manager.h>
39 #include <utils/linked_list.h>
40
41 /* IMV definitions */
42
43 static const char imv_name[] = "Attestation";
44
45 #define IMV_VENDOR_ID PEN_TCG
46 #define IMV_SUBTYPE PA_SUBTYPE_TCG_PTS
47
48 #define NONCE_LEN_LIMIT 16
49
50 static imv_agent_t *imv_attestation;
51
52 /**
53 * Supported PTS measurement algorithms
54 */
55 static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
56
57 /**
58 * Supported PTS Diffie Hellman Groups
59 */
60 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
61
62 /**
63 * Supported PTS Diffie Hellman Groups
64 */
65 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
66
67 /**
68 * PTS file measurement database
69 */
70 static pts_database_t *pts_db;
71
72 /**
73 * PTS credentials
74 */
75 static pts_creds_t *pts_creds;
76
77 /**
78 * PTS credential manager
79 */
80 static credential_manager_t *pts_credmgr;
81
82 /**
83 * TRUE if DH Nonce Parameters Request attribute is sent
84 */
85 static bool dh_nonce_req_sent = FALSE;
86
87 /**
88 * see section 3.7.1 of TCG TNC IF-IMV Specification 1.2
89 */
90 TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
91 TNC_Version min_version,
92 TNC_Version max_version,
93 TNC_Version *actual_version)
94 {
95 char *hash_alg, *dh_group, *uri, *cadir;
96
97 if (imv_attestation)
98 {
99 DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
100 return TNC_RESULT_ALREADY_INITIALIZED;
101 }
102 if (!pts_meas_algo_probe(&supported_algorithms) ||
103 !pts_dh_group_probe(&supported_dh_groups))
104 {
105 return TNC_RESULT_FATAL;
106 }
107 if (!pts_probe_dh_groups(&supported_dh_groups))
108 {
109 return TNC_RESULT_FATAL;
110 }
111 imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
112 imv_id, actual_version);
113 if (!imv_attestation)
114 {
115 return TNC_RESULT_FATAL;
116 }
117
118 libpts_init();
119
120 if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
121 {
122 DBG1(DBG_IMV, "no common IF-IMV version");
123 return TNC_RESULT_NO_COMMON_VERSION;
124 }
125
126 hash_alg = lib->settings->get_str(lib->settings,
127 "libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
128 dh_group = lib->settings->get_str(lib->settings,
129 "libimcv.plugins.imv-attestation.dh_group", "ecp256");
130
131 if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
132 !pts_dh_group_update(dh_group, &supported_dh_groups))
133 {
134 return TNC_RESULT_FATAL;
135 }
136
137 /**
138 * Specify supported PTS Diffie-Hellman groups
139 *
140 * modp1024: PTS_DH_GROUP_IKE2
141 * modp1536: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5
142 * modp2048: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14
143 * ecp256: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 |
144 * PTS_DH_GROUP_IKE19
145 * ecp384: PTS_DH_GROUP_IKE2 | PTS_DH_GROUP_IKE5 | PTS_DH_GROUP_IKE14 |
146 * PTS_DH_GROUP_IKE19 | PTS_DH_GROUP_IKE20
147 *
148 * we expect the PTS-IMC to select the strongest supported group
149 */
150 dh_group = lib->settings->get_str(lib->settings,
151 "libimcv.plugins.imv-attestation.dh_group", "ecp256");
152
153 if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
154 !pts_dh_group_update(dh_group, &supported_dh_groups))
155 {
156 return TNC_RESULT_FATAL;
157 }
158
159 /* create a PTS credential manager */
160 pts_credmgr = credential_manager_create();
161
162 /* create PTS credential set */
163 cadir = lib->settings->get_str(lib->settings,
164 "libimcv.plugins.imv-attestation.cadir", NULL);
165 pts_creds = pts_creds_create(cadir);
166 if (pts_creds)
167 {
168 pts_credmgr->add_set(pts_credmgr, pts_creds->get_set(pts_creds));
169 }
170
171 /* attach file measurement database */
172 uri = lib->settings->get_str(lib->settings,
173 "libimcv.plugins.imv-attestation.database", NULL);
174 pts_db = pts_database_create(uri);
175
176 return TNC_RESULT_SUCCESS;
177 }
178
179 /**
180 * see section 3.7.2 of TCG TNC IF-IMV Specification 1.2
181 */
182 TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
183 TNC_ConnectionID connection_id,
184 TNC_ConnectionState new_state)
185 {
186 imv_state_t *state;
187 imv_attestation_state_t *attestation_state;
188 TNC_Result result;
189
190 if (!imv_attestation)
191 {
192 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
193 return TNC_RESULT_NOT_INITIALIZED;
194 }
195 switch (new_state)
196 {
197 case TNC_CONNECTION_STATE_CREATE:
198 state = imv_attestation_state_create(connection_id);
199 return imv_attestation->create_state(imv_attestation, state);
200 case TNC_CONNECTION_STATE_DELETE:
201 return imv_attestation->delete_state(imv_attestation, connection_id);
202 case TNC_CONNECTION_STATE_HANDSHAKE:
203 result = imv_attestation->change_state(imv_attestation,
204 connection_id, new_state, &state);
205 if (result != TNC_RESULT_SUCCESS)
206 {
207 return result;
208 }
209 attestation_state = (imv_attestation_state_t*)state;
210
211 return TNC_RESULT_SUCCESS;
212 default:
213 return imv_attestation->change_state(imv_attestation, connection_id,
214 new_state, NULL);
215 }
216 }
217
218 static TNC_Result send_message(TNC_ConnectionID connection_id)
219 {
220 pa_tnc_msg_t *msg;
221 imv_state_t *state;
222 imv_attestation_state_t *attestation_state;
223 TNC_Result result;
224
225 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
226 {
227 return TNC_RESULT_FATAL;
228 }
229 attestation_state = (imv_attestation_state_t*)state;
230 msg = pa_tnc_msg_create();
231
232 if (imv_attestation_build(msg, attestation_state, supported_algorithms,
233 supported_dh_groups, pts_db))
234 {
235 msg->build(msg);
236 result = imv_attestation->send_message(imv_attestation, connection_id,
237 msg->get_encoding(msg));
238 }
239 else
240 {
241 result = TNC_RESULT_FATAL;
242 }
243 msg->destroy(msg);
244
245 return result;
246 }
247
248 /**
249 * see section 3.7.3 of TCG TNC IF-IMV Specification 1.2
250 */
251 TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
252 TNC_ConnectionID connection_id,
253 TNC_BufferReference msg,
254 TNC_UInt32 msg_len,
255 TNC_MessageType msg_type)
256 {
257 pa_tnc_msg_t *pa_tnc_msg;
258 pa_tnc_attr_t *attr;
259 linked_list_t *attr_list;
260 imv_state_t *state;
261 imv_attestation_state_t *attestation_state;
262 pts_t *pts;
263 enumerator_t *enumerator;
264 TNC_Result result;
265
266 if (!imv_attestation)
267 {
268 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
269 return TNC_RESULT_NOT_INITIALIZED;
270 }
271
272 /* get current IMV state */
273 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
274 {
275 return TNC_RESULT_FATAL;
276 }
277 attestation_state = (imv_attestation_state_t*)state;
278 pts = attestation_state->get_pts(attestation_state);
279
280 /* parse received PA-TNC message and automatically handle any errors */
281 result = imv_attestation->receive_message(imv_attestation, connection_id,
282 chunk_create(msg, msg_len), msg_type,
283 &pa_tnc_msg);
284
285 /* no parsed PA-TNC attributes available if an error occurred */
286 if (!pa_tnc_msg)
287 {
288 return result;
289 }
290
291 attr_list = linked_list_create();
292 result = TNC_RESULT_SUCCESS;
293
294 /* analyze PA-TNC attributes */
295 enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
296 while (enumerator->enumerate(enumerator, &attr))
297 {
298 if (attr->get_vendor_id(attr) == PEN_IETF)
299 {
300 if (attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
301 {
302 ietf_attr_pa_tnc_error_t *error_attr;
303 pen_t error_vendor_id;
304 pa_tnc_error_code_t error_code;
305 chunk_t msg_info, attr_info;
306 u_int32_t offset;
307
308 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
309 error_vendor_id = error_attr->get_vendor_id(error_attr);
310 error_code = error_attr->get_error_code(error_attr);
311 msg_info = error_attr->get_msg_info(error_attr);
312
313 if (error_vendor_id == PEN_IETF)
314 {
315 DBG1(DBG_IMV, "received PA-TNC error '%N' "
316 "concerning message %#B",
317 pa_tnc_error_code_names, error_code, &msg_info);
318
319 switch (error_code)
320 {
321 case PA_ERROR_INVALID_PARAMETER:
322 offset = error_attr->get_offset(error_attr);
323 DBG1(DBG_IMV, " occurred at offset of %u bytes",
324 offset);
325 break;
326 case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
327 attr_info = error_attr->get_attr_info(error_attr);
328 DBG1(DBG_IMV, " unsupported attribute %#B",
329 &attr_info);
330 break;
331 default:
332 break;
333 }
334 }
335 else if (error_vendor_id == PEN_TCG)
336 {
337 DBG1(DBG_IMV, "received TCG-PTS error '%N'",
338 pts_error_code_names, error_code);
339 DBG1(DBG_IMV, "error information: %B", &msg_info);
340 }
341 result = TNC_RESULT_FATAL;
342 }
343 else if (attr->get_type(attr) == IETF_ATTR_PRODUCT_INFORMATION)
344 {
345 ietf_attr_product_info_t *attr_cast;
346 char *platform_info;
347
348 attr_cast = (ietf_attr_product_info_t*)attr;
349 platform_info = attr_cast->get_info(attr_cast, NULL, NULL);
350 pts->set_platform_info(pts, platform_info);
351 }
352 }
353 else if (attr->get_vendor_id(attr) == PEN_TCG)
354 {
355 if (!imv_attestation_process(attr, attr_list, attestation_state,
356 supported_algorithms,supported_dh_groups, pts_db, pts_credmgr))
357 {
358 result = TNC_RESULT_FATAL;
359 break;
360 }
361 }
362 }
363 enumerator->destroy(enumerator);
364 pa_tnc_msg->destroy(pa_tnc_msg);
365
366 if (result != TNC_RESULT_SUCCESS)
367 {
368 attr_list->destroy(attr_list);
369 state->set_recommendation(state,
370 TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
371 TNC_IMV_EVALUATION_RESULT_ERROR);
372 return imv_attestation->provide_recommendation(imv_attestation,
373 connection_id);
374 }
375
376 if (attr_list->get_count(attr_list))
377 {
378 pa_tnc_msg = pa_tnc_msg_create();
379
380 enumerator = attr_list->create_enumerator(attr_list);
381 while (enumerator->enumerate(enumerator, &attr))
382 {
383 pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
384 }
385 enumerator->destroy(enumerator);
386
387 pa_tnc_msg->build(pa_tnc_msg);
388 result = imv_attestation->send_message(imv_attestation, connection_id,
389 pa_tnc_msg->get_encoding(pa_tnc_msg));
390
391 pa_tnc_msg->destroy(pa_tnc_msg);
392 attr_list->destroy(attr_list);
393
394 return result;
395 }
396 attr_list->destroy(attr_list);
397
398 if (attestation_state->get_handshake_state(attestation_state) ==
399 IMV_ATTESTATION_STATE_END)
400 {
401 if (attestation_state->get_request_count(attestation_state))
402 {
403 DBG1(DBG_IMV, "failure due to %d pending file measurements",
404 attestation_state->get_request_count(attestation_state));
405 attestation_state->set_measurement_error(attestation_state);
406 }
407 if (attestation_state->get_measurement_error(attestation_state))
408 {
409 state->set_recommendation(state,
410 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
411 TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
412 }
413 else
414 {
415 state->set_recommendation(state,
416 TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
417 TNC_IMV_EVALUATION_RESULT_COMPLIANT);
418 }
419 return imv_attestation->provide_recommendation(imv_attestation,
420 connection_id);
421 }
422
423 return send_message(connection_id);
424 }
425
426 /**
427 * see section 3.7.4 of TCG TNC IF-IMV Specification 1.2
428 */
429 TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
430 TNC_ConnectionID connection_id)
431 {
432 if (!imv_attestation)
433 {
434 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
435 return TNC_RESULT_NOT_INITIALIZED;
436 }
437 return imv_attestation->provide_recommendation(imv_attestation,
438 connection_id);
439 }
440
441 /**
442 * see section 3.7.5 of TCG TNC IF-IMV Specification 1.2
443 */
444 TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
445 TNC_ConnectionID connection_id)
446 {
447 imv_state_t *state;
448 imv_attestation_state_t *attestation_state;
449
450 if (!imv_attestation)
451 {
452 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
453 return TNC_RESULT_NOT_INITIALIZED;
454 }
455 /* get current IMV state */
456 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
457 {
458 return TNC_RESULT_FATAL;
459 }
460 attestation_state = (imv_attestation_state_t*)state;
461
462 /* Check if IMV has to initiate the PA-TNC exchange */
463 if (attestation_state->get_handshake_state(attestation_state) ==
464 IMV_ATTESTATION_STATE_INIT)
465 {
466 return send_message(connection_id);
467 }
468 return TNC_RESULT_SUCCESS;
469 }
470
471 /**
472 * see section 3.7.6 of TCG TNC IF-IMV Specification 1.2
473 */
474 TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
475 {
476 if (!imv_attestation)
477 {
478 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
479 return TNC_RESULT_NOT_INITIALIZED;
480 }
481 if (pts_creds)
482 {
483 pts_credmgr->remove_set(pts_credmgr, pts_creds->get_set(pts_creds));
484 pts_creds->destroy(pts_creds);
485 }
486 DESTROY_IF(pts_db);
487 DESTROY_IF(pts_credmgr);
488
489 libpts_deinit();
490
491 imv_attestation->destroy(imv_attestation);
492 imv_attestation = NULL;
493
494 return TNC_RESULT_SUCCESS;
495 }
496
497 /**
498 * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.2
499 */
500 TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
501 TNC_TNCS_BindFunctionPointer bind_function)
502 {
503 if (!imv_attestation)
504 {
505 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
506 return TNC_RESULT_NOT_INITIALIZED;
507 }
508 return imv_attestation->bind_functions(imv_attestation, bind_function);
509 }