ikev1: Handle queued TRANSACTION messages only after processing replies
[strongswan.git] / src / libimcv / plugins / imv_attestation / imv_attestation_process.c
1 /*
2 * Copyright (C) 2011-2012 Sansar Choinyambuu
3 * Copyright (C) 2011-2014 Andreas Steffen
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #define _GNU_SOURCE /* for stdndup() */
18 #include <string.h>
19
20 #include "imv_attestation_process.h"
21
22 #include <imcv.h>
23 #include <ietf/ietf_attr_pa_tnc_error.h>
24
25 #include <pts/pts.h>
26
27 #include <tcg/pts/tcg_pts_attr_aik.h>
28 #include <tcg/pts/tcg_pts_attr_dh_nonce_params_resp.h>
29 #include <tcg/pts/tcg_pts_attr_file_meas.h>
30 #include <tcg/pts/tcg_pts_attr_meas_algo.h>
31 #include <tcg/pts/tcg_pts_attr_proto_caps.h>
32 #include <tcg/pts/tcg_pts_attr_simple_comp_evid.h>
33 #include <tcg/pts/tcg_pts_attr_simple_evid_final.h>
34 #include <tcg/pts/tcg_pts_attr_tpm_version_info.h>
35 #include <tcg/pts/tcg_pts_attr_unix_file_meta.h>
36
37 #include <utils/debug.h>
38 #include <crypto/hashers/hasher.h>
39
40 #include <inttypes.h>
41
42 bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
43 imv_state_t *state,
44 pts_meas_algorithms_t supported_algorithms,
45 pts_dh_group_t supported_dh_groups,
46 pts_database_t *pts_db,
47 credential_manager_t *pts_credmgr)
48 {
49 imv_session_t *session;
50 imv_attestation_state_t *attestation_state;
51 pen_type_t attr_type;
52 pts_t *pts;
53
54 session = state->get_session(state);
55 attestation_state = (imv_attestation_state_t*)state;
56 pts = attestation_state->get_pts(attestation_state);
57 attr_type = attr->get_type(attr);
58
59 switch (attr_type.type)
60 {
61 case TCG_PTS_PROTO_CAPS:
62 {
63 tcg_pts_attr_proto_caps_t *attr_cast;
64 pts_proto_caps_flag_t flags;
65
66 attr_cast = (tcg_pts_attr_proto_caps_t*)attr;
67 flags = attr_cast->get_flags(attr_cast);
68 pts->set_proto_caps(pts, flags);
69 break;
70 }
71 case TCG_PTS_MEAS_ALGO_SELECTION:
72 {
73 tcg_pts_attr_meas_algo_t *attr_cast;
74 pts_meas_algorithms_t selected_algorithm;
75
76 attr_cast = (tcg_pts_attr_meas_algo_t*)attr;
77 selected_algorithm = attr_cast->get_algorithms(attr_cast);
78 if (!(selected_algorithm & supported_algorithms))
79 {
80 DBG1(DBG_IMV, "PTS-IMC selected unsupported"
81 " measurement algorithm");
82 return FALSE;
83 }
84 pts->set_meas_algorithm(pts, selected_algorithm);
85 state->set_action_flags(state, IMV_ATTESTATION_ALGO);
86 break;
87 }
88 case TCG_PTS_DH_NONCE_PARAMS_RESP:
89 {
90 tcg_pts_attr_dh_nonce_params_resp_t *attr_cast;
91 int nonce_len, min_nonce_len;
92 pts_dh_group_t dh_group;
93 pts_meas_algorithms_t offered_algorithms, selected_algorithm;
94 chunk_t responder_value, responder_nonce;
95
96 attr_cast = (tcg_pts_attr_dh_nonce_params_resp_t*)attr;
97 responder_nonce = attr_cast->get_responder_nonce(attr_cast);
98
99 /* check compliance of responder nonce length */
100 min_nonce_len = lib->settings->get_int(lib->settings,
101 "%s.plugins.imv-attestation.min_nonce_len", 0, lib->ns);
102 nonce_len = responder_nonce.len;
103 if (nonce_len < PTS_MIN_NONCE_LEN ||
104 (min_nonce_len > 0 && nonce_len < min_nonce_len))
105 {
106 attr = pts_dh_nonce_error_create(
107 max(PTS_MIN_NONCE_LEN, min_nonce_len),
108 PTS_MAX_NONCE_LEN);
109 out_msg->add_attribute(out_msg, attr);
110 break;
111 }
112
113 dh_group = attr_cast->get_dh_group(attr_cast);
114 if (!(dh_group & supported_dh_groups))
115 {
116 DBG1(DBG_IMV, "PTS-IMC selected unsupported DH group");
117 return FALSE;
118 }
119
120 offered_algorithms = attr_cast->get_hash_algo_set(attr_cast);
121 selected_algorithm = pts_meas_algo_select(supported_algorithms,
122 offered_algorithms);
123 if (selected_algorithm == PTS_MEAS_ALGO_NONE)
124 {
125 attr = pts_hash_alg_error_create(supported_algorithms);
126 out_msg->add_attribute(out_msg, attr);
127 break;
128 }
129 pts->set_dh_hash_algorithm(pts, selected_algorithm);
130
131 if (!pts->create_dh_nonce(pts, dh_group, nonce_len))
132 {
133 return FALSE;
134 }
135
136 responder_value = attr_cast->get_responder_value(attr_cast);
137
138 /* Calculate secret assessment value */
139 if (!pts->set_peer_public_value(pts, responder_value,
140 responder_nonce) ||
141 !pts->calculate_secret(pts))
142 {
143 return FALSE;
144 }
145 state->set_action_flags(state, IMV_ATTESTATION_DH_NONCE);
146 break;
147 }
148 case TCG_PTS_TPM_VERSION_INFO:
149 {
150 tcg_pts_attr_tpm_version_info_t *attr_cast;
151 chunk_t tpm_version_info;
152
153 attr_cast = (tcg_pts_attr_tpm_version_info_t*)attr;
154 tpm_version_info = attr_cast->get_tpm_version_info(attr_cast);
155 pts->set_tpm_version_info(pts, tpm_version_info);
156 break;
157 }
158 case TCG_PTS_AIK:
159 {
160 tcg_pts_attr_aik_t *attr_cast;
161 certificate_t *aik, *issuer;
162 public_key_t *public;
163 chunk_t keyid, keyid_hex, device_id;
164 int aik_id;
165 enumerator_t *e;
166 bool trusted = FALSE, trusted_chain = FALSE;
167
168 attr_cast = (tcg_pts_attr_aik_t*)attr;
169 aik = attr_cast->get_aik(attr_cast);
170 if (!aik)
171 {
172 DBG1(DBG_IMV, "AIK unavailable");
173 attestation_state->set_measurement_error(attestation_state,
174 IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
175 break;
176 }
177
178 /* check trust into public key as stored in the database */
179 public = aik->get_public_key(aik);
180 public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid);
181 DBG1(DBG_IMV, "verifying AIK with keyid %#B", &keyid);
182 keyid_hex = chunk_to_hex(keyid, NULL, FALSE);
183 if (session->get_device_id(session, &device_id) &&
184 chunk_equals_const(keyid_hex, device_id))
185 {
186 trusted = session->get_device_trust(session);
187 }
188 else
189 {
190 DBG1(DBG_IMV, "device ID unknown or different from AIK keyid");
191 }
192 DBG1(DBG_IMV, "AIK public key is %strusted", trusted ? "" : "not ");
193 public->destroy(public);
194 chunk_free(&keyid_hex);
195
196 if (aik->get_type(aik) == CERT_X509)
197 {
198
199 e = pts_credmgr->create_trusted_enumerator(pts_credmgr,
200 KEY_ANY, aik->get_issuer(aik), FALSE);
201 while (e->enumerate(e, &issuer, NULL))
202 {
203 if (aik->issued_by(aik, issuer, NULL))
204 {
205 trusted_chain = TRUE;
206 break;
207 }
208 }
209 e->destroy(e);
210 DBG1(DBG_IMV, "AIK certificate is %strusted",
211 trusted_chain ? "" : "not ");
212 if (!trusted || !trusted_chain)
213 {
214 attestation_state->set_measurement_error(attestation_state,
215 IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
216 break;
217 }
218 }
219 session->get_session_id(session, NULL, &aik_id);
220 pts->set_aik(pts, aik, aik_id);
221 state->set_action_flags(state, IMV_ATTESTATION_AIK);
222 break;
223 }
224 case TCG_PTS_FILE_MEAS:
225 {
226 TNC_IMV_Evaluation_Result eval;
227 TNC_IMV_Action_Recommendation rec;
228 tcg_pts_attr_file_meas_t *attr_cast;
229 uint16_t request_id;
230 int arg_int, file_count;
231 pts_meas_algorithms_t algo;
232 pts_file_meas_t *measurements;
233 imv_workitem_t *workitem, *found = NULL;
234 imv_workitem_type_t type;
235 char result_str[BUF_LEN];
236 bool is_dir, correct;
237 enumerator_t *enumerator;
238
239 eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
240 algo = pts->get_meas_algorithm(pts);
241 attr_cast = (tcg_pts_attr_file_meas_t*)attr;
242 measurements = attr_cast->get_measurements(attr_cast);
243 request_id = measurements->get_request_id(measurements);
244 file_count = measurements->get_file_count(measurements);
245
246 DBG1(DBG_IMV, "measurement request %d returned %d file%s:",
247 request_id, file_count, (file_count == 1) ? "":"s");
248
249 if (request_id)
250 {
251 enumerator = session->create_workitem_enumerator(session);
252 while (enumerator->enumerate(enumerator, &workitem))
253 {
254 /* request ID consist of lower 16 bits of workitem ID */
255 if ((workitem->get_id(workitem) & 0xffff) == request_id)
256 {
257 found = workitem;
258 break;
259 }
260 }
261
262 if (!found)
263 {
264 DBG1(DBG_IMV, " no entry found for file measurement "
265 "request %d", request_id);
266 enumerator->destroy(enumerator);
267 break;
268 }
269 type = found->get_type(found);
270 arg_int = found->get_arg_int(found);
271
272 switch (type)
273 {
274 default:
275 case IMV_WORKITEM_FILE_REF_MEAS:
276 case IMV_WORKITEM_FILE_MEAS:
277 is_dir = FALSE;
278 break;
279 case IMV_WORKITEM_DIR_REF_MEAS:
280 case IMV_WORKITEM_DIR_MEAS:
281 is_dir = TRUE;
282 }
283
284 switch (type)
285 {
286 case IMV_WORKITEM_FILE_MEAS:
287 case IMV_WORKITEM_DIR_MEAS:
288 {
289 enumerator_t *e;
290
291 /* check hashes from database against measurements */
292 e = pts_db->create_file_hash_enumerator(pts_db,
293 pts->get_platform_id(pts),
294 algo, is_dir, arg_int);
295 if (!e)
296 {
297 eval = TNC_IMV_EVALUATION_RESULT_ERROR;
298 break;
299 }
300 correct = measurements->verify(measurements, e, is_dir);
301 if (!correct)
302 {
303 attestation_state->set_measurement_error(
304 attestation_state,
305 IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL);
306 eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR;
307 }
308 e->destroy(e);
309
310 snprintf(result_str, BUF_LEN, "%s measurement%s correct",
311 is_dir ? "directory" : "file",
312 correct ? "" : " not");
313 break;
314 }
315 case IMV_WORKITEM_FILE_REF_MEAS:
316 case IMV_WORKITEM_DIR_REF_MEAS:
317 {
318 enumerator_t *e;
319 char *filename;
320 chunk_t measurement;
321
322 e = measurements->create_enumerator(measurements);
323 while (e->enumerate(e, &filename, &measurement))
324 {
325 if (pts_db->add_file_measurement(pts_db,
326 pts->get_platform_id(pts), algo, measurement,
327 filename, is_dir, arg_int) != SUCCESS)
328 {
329 eval = TNC_IMV_EVALUATION_RESULT_ERROR;
330 }
331 }
332 e->destroy(e);
333 snprintf(result_str, BUF_LEN, "%s reference measurement "
334 "successful", is_dir ? "directory" : "file");
335 break;
336 }
337 default:
338 break;
339 }
340
341 session->remove_workitem(session, enumerator);
342 enumerator->destroy(enumerator);
343 rec = found->set_result(found, result_str, eval);
344 state->update_recommendation(state, rec, eval);
345 imcv_db->finalize_workitem(imcv_db, found);
346 found->destroy(found);
347 }
348 else
349 {
350 measurements->check(measurements, pts_db,
351 pts->get_platform_id(pts), algo);
352 }
353 break;
354 }
355 case TCG_PTS_UNIX_FILE_META:
356 {
357 tcg_pts_attr_file_meta_t *attr_cast;
358 int file_count;
359 pts_file_meta_t *metadata;
360 pts_file_metadata_t *entry;
361 time_t created, modified, accessed;
362 bool utc = FALSE;
363 enumerator_t *e;
364
365 attr_cast = (tcg_pts_attr_file_meta_t*)attr;
366 metadata = attr_cast->get_metadata(attr_cast);
367 file_count = metadata->get_file_count(metadata);
368
369 DBG1(DBG_IMV, "metadata request returned %d file%s:",
370 file_count, (file_count == 1) ? "":"s");
371
372 e = metadata->create_enumerator(metadata);
373 while (e->enumerate(e, &entry))
374 {
375 DBG1(DBG_IMV, " '%s' (%"PRIu64" bytes)"
376 " owner %"PRIu64", group %"PRIu64", type %N",
377 entry->filename, entry->filesize, entry->owner,
378 entry->group, pts_file_type_names, entry->type);
379
380 created = entry->created;
381 modified = entry->modified;
382 accessed = entry->accessed;
383
384 DBG1(DBG_IMV, " created %T, modified %T, accessed %T",
385 &created, utc, &modified, utc, &accessed, utc);
386 }
387 e->destroy(e);
388 break;
389 }
390 case TCG_PTS_SIMPLE_COMP_EVID:
391 {
392 tcg_pts_attr_simple_comp_evid_t *attr_cast;
393 pts_comp_func_name_t *name;
394 pts_comp_evidence_t *evidence;
395 pts_component_t *comp;
396 uint32_t depth;
397 status_t status;
398
399 attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
400 evidence = attr_cast->get_comp_evidence(attr_cast);
401 name = evidence->get_comp_func_name(evidence, &depth);
402
403 comp = attestation_state->get_component(attestation_state, name);
404 if (!comp)
405 {
406 DBG1(DBG_IMV, " no entry found for component evidence request");
407 break;
408 }
409 status = comp->verify(comp, name->get_qualifier(name), pts, evidence);
410 if (status == VERIFY_ERROR || status == FAILED)
411 {
412 attestation_state->set_measurement_error(attestation_state,
413 IMV_ATTESTATION_ERROR_COMP_EVID_FAIL);
414 name->log(name, " measurement mismatch for ");
415 }
416 break;
417 }
418 case TCG_PTS_SIMPLE_EVID_FINAL:
419 {
420 tcg_pts_attr_simple_evid_final_t *attr_cast;
421 uint8_t flags;
422 pts_meas_algorithms_t comp_hash_algorithm;
423 chunk_t pcr_comp, tpm_quote_sig, evid_sig;
424 chunk_t pcr_composite, quote_info, result_buf;
425 imv_workitem_t *workitem;
426 imv_reason_string_t *reason_string;
427 enumerator_t *enumerator;
428 bool use_quote2, use_ver_info;
429 bio_writer_t *result;
430
431 attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr;
432 flags = attr_cast->get_quote_info(attr_cast, &comp_hash_algorithm,
433 &pcr_comp, &tpm_quote_sig);
434
435 if (flags != PTS_SIMPLE_EVID_FINAL_NO)
436 {
437 use_quote2 = (flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2 ||
438 flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2_CAP_VER);
439 use_ver_info = (flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2_CAP_VER);
440
441 /* Construct PCR Composite and TPM Quote Info structures */
442 if (!pts->get_quote_info(pts, use_quote2, use_ver_info,
443 comp_hash_algorithm, &pcr_composite, &quote_info))
444 {
445 DBG1(DBG_IMV, "unable to construct TPM Quote Info");
446 return FALSE;
447 }
448
449 if (!chunk_equals_const(pcr_comp, pcr_composite))
450 {
451 DBG1(DBG_IMV, "received PCR Composite does not match "
452 "constructed one");
453 attestation_state->set_measurement_error(attestation_state,
454 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
455 goto quote_error;
456 }
457 DBG2(DBG_IMV, "received PCR Composite matches constructed one");
458
459 if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig))
460 {
461 attestation_state->set_measurement_error(attestation_state,
462 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
463 goto quote_error;
464 }
465 DBG2(DBG_IMV, "TPM Quote Info signature verification successful");
466
467 quote_error:
468 free(pcr_composite.ptr);
469 free(quote_info.ptr);
470
471 /**
472 * Finalize any pending measurement registrations and check
473 * if all expected component measurements were received
474 */
475 result = bio_writer_create(128);
476 attestation_state->finalize_components(attestation_state,
477 result);
478
479 enumerator = session->create_workitem_enumerator(session);
480 while (enumerator->enumerate(enumerator, &workitem))
481 {
482 if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST)
483 {
484 TNC_IMV_Action_Recommendation rec;
485 TNC_IMV_Evaluation_Result eval;
486 uint32_t error;
487
488 error = attestation_state->get_measurement_error(
489 attestation_state);
490 if (error & (IMV_ATTESTATION_ERROR_COMP_EVID_FAIL |
491 IMV_ATTESTATION_ERROR_COMP_EVID_PEND |
492 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL))
493 {
494 reason_string = imv_reason_string_create("en", ", ");
495 attestation_state->add_comp_evid_reasons(
496 attestation_state, reason_string);
497 result->write_data(result, chunk_from_str("; "));
498 result->write_data(result,
499 reason_string->get_encoding(reason_string));
500 reason_string->destroy(reason_string);
501 eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR;
502 }
503 else
504 {
505 eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
506 }
507 session->remove_workitem(session, enumerator);
508
509 result->write_uint8(result, '\0');
510 result_buf = result->get_buf(result);
511 rec = workitem->set_result(workitem, result_buf.ptr,
512 eval);
513 state->update_recommendation(state, rec, eval);
514 imcv_db->finalize_workitem(imcv_db, workitem);
515 workitem->destroy(workitem);
516 attestation_state->set_handshake_state(attestation_state,
517 IMV_ATTESTATION_STATE_END);
518 break;
519 }
520 }
521 enumerator->destroy(enumerator);
522 result->destroy(result);
523 }
524
525 if (attr_cast->get_evid_sig(attr_cast, &evid_sig))
526 {
527 /** TODO: What to do with Evidence Signature */
528 DBG1(DBG_IMV, "this version of the Attestation IMV can not "
529 "handle Evidence Signatures");
530 }
531 break;
532 }
533 case TCG_SEG_MAX_ATTR_SIZE_RESP:
534 case TCG_SEG_ATTR_SEG_ENV:
535 break;
536
537 /* TODO: Not implemented yet */
538 case TCG_PTS_INTEG_MEAS_LOG:
539 /* Attributes using XML */
540 case TCG_PTS_TEMPL_REF_MANI_SET_META:
541 case TCG_PTS_VERIFICATION_RESULT:
542 case TCG_PTS_INTEG_REPORT:
543 /* On Windows only*/
544 case TCG_PTS_WIN_FILE_META:
545 case TCG_PTS_REGISTRY_VALUE:
546 /* Received on IMC side only*/
547 case TCG_PTS_REQ_PROTO_CAPS:
548 case TCG_PTS_DH_NONCE_PARAMS_REQ:
549 case TCG_PTS_DH_NONCE_FINISH:
550 case TCG_PTS_MEAS_ALGO:
551 case TCG_PTS_GET_TPM_VERSION_INFO:
552 case TCG_PTS_REQ_TEMPL_REF_MANI_SET_META:
553 case TCG_PTS_UPDATE_TEMPL_REF_MANI:
554 case TCG_PTS_GET_AIK:
555 case TCG_PTS_REQ_FUNC_COMP_EVID:
556 case TCG_PTS_GEN_ATTEST_EVID:
557 case TCG_PTS_REQ_FILE_META:
558 case TCG_PTS_REQ_FILE_MEAS:
559 case TCG_PTS_REQ_INTEG_MEAS_LOG:
560 default:
561 DBG1(DBG_IMV, "received unsupported attribute '%N/%N'",
562 pen_names, PEN_TCG, tcg_attr_names, attr_type.type);
563 break;
564 }
565 return TRUE;
566 }