projects / strongswan.git / blob
? search:


a2b118d23279229f63f16526ed27bb6b0cbd0e27
[strongswan.git] / src / libpts / plugins / imc_attestation / imc_attestation.c
1 /*
2 * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imc_attestation_state.h"
17 #include "imc_attestation_process.h"
18
19 #include <imc/imc_agent.h>
20 #include <pa_tnc/pa_tnc_msg.h>
21 #include <ietf/ietf_attr.h>
22 #include <ietf/ietf_attr_pa_tnc_error.h>
23 #include <ietf/ietf_attr_product_info.h>
24 #include <ietf/ietf_attr_string_version.h>
25 #include <ietf/ietf_attr_assess_result.h>
26 #include <os_info/os_info.h>
27
28 #include <libpts.h>
29
30 #include <pts/pts_error.h>
31
32 #include <tcg/tcg_pts_attr_proto_caps.h>
33 #include <tcg/tcg_pts_attr_meas_algo.h>
34
35 #include <tncif_pa_subtypes.h>
36
37 #include <pen/pen.h>
38 #include <debug.h>
39 #include <utils/linked_list.h>
40
41 /* IMC definitions */
42
43 static const char imc_name[] = "Attestation";
44
45 static pen_type_t msg_types[] = {
46 { PEN_TCG, PA_SUBTYPE_TCG_PTS }
47 };
48
49 static imc_agent_t *imc_attestation;
50
51 /**
52 * Supported PTS measurement algorithms
53 */
54 static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
55
56 /**
57 * Supported PTS Diffie Hellman Groups
58 */
59 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
60
61 /**
62 * see section 3.8.1 of TCG TNC IF-IMC Specification 1.3
63 */
64 TNC_Result TNC_IMC_Initialize(TNC_IMCID imc_id,
65 TNC_Version min_version,
66 TNC_Version max_version,
67 TNC_Version *actual_version)
68 {
69 if (imc_attestation)
70 {
71 DBG1(DBG_IMC, "IMC \"%s\" has already been initialized", imc_name);
72 return TNC_RESULT_ALREADY_INITIALIZED;
73 }
74 if (!pts_meas_algo_probe(&supported_algorithms) ||
75 !pts_dh_group_probe(&supported_dh_groups))
76 {
77 return TNC_RESULT_FATAL;
78 }
79 imc_attestation = imc_agent_create(imc_name, msg_types, 1, imc_id,
80 actual_version);
81 if (!imc_attestation)
82 {
83 return TNC_RESULT_FATAL;
84 }
85
86 libpts_init();
87
88 if (min_version > TNC_IFIMC_VERSION_1 || max_version < TNC_IFIMC_VERSION_1)
89 {
90 DBG1(DBG_IMC, "no common IF-IMC version");
91 return TNC_RESULT_NO_COMMON_VERSION;
92 }
93 return TNC_RESULT_SUCCESS;
94 }
95
96 /**
97 * see section 3.8.2 of TCG TNC IF-IMC Specification 1.3
98 */
99 TNC_Result TNC_IMC_NotifyConnectionChange(TNC_IMCID imc_id,
100 TNC_ConnectionID connection_id,
101 TNC_ConnectionState new_state)
102 {
103 imc_state_t *state;
104
105 if (!imc_attestation)
106 {
107 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
108 return TNC_RESULT_NOT_INITIALIZED;
109 }
110 switch (new_state)
111 {
112 case TNC_CONNECTION_STATE_CREATE:
113 state = imc_attestation_state_create(connection_id);
114 return imc_attestation->create_state(imc_attestation, state);
115 case TNC_CONNECTION_STATE_HANDSHAKE:
116 if (imc_attestation->change_state(imc_attestation, connection_id,
117 new_state, &state) != TNC_RESULT_SUCCESS)
118 {
119 return TNC_RESULT_FATAL;
120 }
121 state->set_result(state, imc_id,
122 TNC_IMV_EVALUATION_RESULT_DONT_KNOW);
123 return TNC_RESULT_SUCCESS;
124 case TNC_CONNECTION_STATE_DELETE:
125 return imc_attestation->delete_state(imc_attestation, connection_id);
126 case TNC_CONNECTION_STATE_ACCESS_ISOLATED:
127 case TNC_CONNECTION_STATE_ACCESS_NONE:
128 default:
129 return imc_attestation->change_state(imc_attestation, connection_id,
130 new_state, NULL);
131 }
132 }
133
134
135 /**
136 * see section 3.8.3 of TCG TNC IF-IMC Specification 1.3
137 */
138 TNC_Result TNC_IMC_BeginHandshake(TNC_IMCID imc_id,
139 TNC_ConnectionID connection_id)
140 {
141 if (!imc_attestation)
142 {
143 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
144 return TNC_RESULT_NOT_INITIALIZED;
145 }
146
147 return TNC_RESULT_SUCCESS;
148 }
149
150 static TNC_Result receive_message(TNC_IMCID imc_id,
151 TNC_ConnectionID connection_id,
152 TNC_UInt32 msg_flags,
153 chunk_t msg,
154 TNC_VendorID msg_vid,
155 TNC_MessageSubtype msg_subtype,
156 TNC_UInt32 src_imv_id,
157 TNC_UInt32 dst_imc_id)
158 {
159 pa_tnc_msg_t *pa_tnc_msg;
160 pa_tnc_attr_t *attr;
161 pen_type_t type;
162 linked_list_t *attr_list;
163 imc_state_t *state;
164 imc_attestation_state_t *attestation_state;
165 enumerator_t *enumerator;
166 TNC_Result result;
167 TNC_UInt32 target_imc_id;
168
169 if (!imc_attestation)
170 {
171 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
172 return TNC_RESULT_NOT_INITIALIZED;
173 }
174
175 /* get current IMC state */
176 if (!imc_attestation->get_state(imc_attestation, connection_id, &state))
177 {
178 return TNC_RESULT_FATAL;
179 }
180 attestation_state = (imc_attestation_state_t*)state;
181
182 /* parse received PA-TNC message and automatically handle any errors */
183 result = imc_attestation->receive_message(imc_attestation, state, msg,
184 msg_vid, msg_subtype, src_imv_id, dst_imc_id, &pa_tnc_msg);
185
186 /* no parsed PA-TNC attributes available if an error occurred */
187 if (!pa_tnc_msg)
188 {
189 return result;
190 }
191 target_imc_id = (dst_imc_id == TNC_IMCID_ANY) ? imc_id : dst_imc_id;
192
193 /* preprocess any IETF standard error attributes */
194 result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ?
195 TNC_RESULT_FATAL : TNC_RESULT_SUCCESS;
196
197 attr_list = linked_list_create();
198
199 /* analyze PA-TNC attributes */
200 enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
201 while (enumerator->enumerate(enumerator, &attr))
202 {
203 type = attr->get_type(attr);
204
205 if (type.vendor_id == PEN_IETF)
206 {
207 if (type.type == IETF_ATTR_PA_TNC_ERROR)
208 {
209 ietf_attr_pa_tnc_error_t *error_attr;
210 pen_type_t error_code;
211 chunk_t msg_info;
212
213 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
214 error_code = error_attr->get_error_code(error_attr);
215
216 if (error_code.vendor_id == PEN_TCG)
217 {
218 msg_info = error_attr->get_msg_info(error_attr);
219
220 DBG1(DBG_IMC, "received TCG-PTS error '%N'",
221 pts_error_code_names, error_code.type);
222 DBG1(DBG_IMC, "error information: %B", &msg_info);
223
224 result = TNC_RESULT_FATAL;
225 }
226 }
227 else if (type.type == IETF_ATTR_ASSESSMENT_RESULT)
228 {
229 ietf_attr_assess_result_t *ietf_attr;
230
231 ietf_attr = (ietf_attr_assess_result_t*)attr;
232 state->set_result(state, target_imc_id,
233 ietf_attr->get_result(ietf_attr));
234 }
235 }
236 else if (type.vendor_id == PEN_TCG)
237 {
238 if (!imc_attestation_process(attr, attr_list, attestation_state,
239 supported_algorithms, supported_dh_groups))
240 {
241 result = TNC_RESULT_FATAL;
242 break;
243 }
244 }
245 }
246 enumerator->destroy(enumerator);
247 pa_tnc_msg->destroy(pa_tnc_msg);
248
249 if (result == TNC_RESULT_SUCCESS && attr_list->get_count(attr_list))
250 {
251 result = imc_attestation->send_message(imc_attestation, connection_id,
252 FALSE, 0, TNC_IMVID_ANY, PEN_TCG, PA_SUBTYPE_TCG_PTS,
253 attr_list);
254 }
255 attr_list->destroy(attr_list);
256
257 return result;
258 }
259
260 /**
261 * see section 3.8.4 of TCG TNC IF-IMC Specification 1.3
262 */
263 TNC_Result TNC_IMC_ReceiveMessage(TNC_IMCID imc_id,
264 TNC_ConnectionID connection_id,
265 TNC_BufferReference msg,
266 TNC_UInt32 msg_len,
267 TNC_MessageType msg_type)
268 {
269 TNC_VendorID msg_vid;
270 TNC_MessageSubtype msg_subtype;
271
272 msg_vid = msg_type >> 8;
273 msg_subtype = msg_type & TNC_SUBTYPE_ANY;
274
275 return receive_message(imc_id, connection_id, 0, chunk_create(msg, msg_len),
276 msg_vid, msg_subtype, 0, TNC_IMCID_ANY);
277 }
278
279 /**
280 * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
281 */
282 TNC_Result TNC_IMC_ReceiveMessageLong(TNC_IMCID imc_id,
283 TNC_ConnectionID connection_id,
284 TNC_UInt32 msg_flags,
285 TNC_BufferReference msg,
286 TNC_UInt32 msg_len,
287 TNC_VendorID msg_vid,
288 TNC_MessageSubtype msg_subtype,
289 TNC_UInt32 src_imv_id,
290 TNC_UInt32 dst_imc_id)
291 {
292 return receive_message(imc_id, connection_id, msg_flags,
293 chunk_create(msg, msg_len), msg_vid, msg_subtype,
294 src_imv_id, dst_imc_id);
295 }
296
297 /**
298 * see section 3.8.7 of TCG TNC IF-IMC Specification 1.3
299 */
300 TNC_Result TNC_IMC_BatchEnding(TNC_IMCID imc_id,
301 TNC_ConnectionID connection_id)
302 {
303 if (!imc_attestation)
304 {
305 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
306 return TNC_RESULT_NOT_INITIALIZED;
307 }
308 return TNC_RESULT_SUCCESS;
309 }
310
311 /**
312 * see section 3.8.8 of TCG TNC IF-IMC Specification 1.3
313 */
314 TNC_Result TNC_IMC_Terminate(TNC_IMCID imc_id)
315 {
316 if (!imc_attestation)
317 {
318 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
319 return TNC_RESULT_NOT_INITIALIZED;
320 }
321
322 libpts_deinit();
323
324 imc_attestation->destroy(imc_attestation);
325 imc_attestation = NULL;
326
327 return TNC_RESULT_SUCCESS;
328 }
329
330 /**
331 * see section 4.2.8.1 of TCG TNC IF-IMC Specification 1.3
332 */
333 TNC_Result TNC_IMC_ProvideBindFunction(TNC_IMCID imc_id,
334 TNC_TNCC_BindFunctionPointer bind_function)
335 {
336 if (!imc_attestation)
337 {
338 DBG1(DBG_IMC, "IMC \"%s\" has not been initialized", imc_name);
339 return TNC_RESULT_NOT_INITIALIZED;
340 }
341 return imc_attestation->bind_functions(imc_attestation, bind_function);
342 }
strongSwan - IPsec VPN