allow registration of multiple message type
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation.c
1 /*
2 * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_state.h"
17 #include "imv_attestation_process.h"
18 #include "imv_attestation_build.h"
19
20 #include <imv/imv_agent.h>
21 #include <pa_tnc/pa_tnc_msg.h>
22 #include <ietf/ietf_attr.h>
23 #include <ietf/ietf_attr_pa_tnc_error.h>
24 #include <ietf/ietf_attr_product_info.h>
25 #include <ietf/ietf_attr_string_version.h>
26
27 #include <libpts.h>
28
29 #include <pts/pts.h>
30 #include <pts/pts_database.h>
31 #include <pts/pts_creds.h>
32
33 #include <tcg/tcg_attr.h>
34
35 #include <tncif_pa_subtypes.h>
36
37 #include <pen/pen.h>
38 #include <debug.h>
39 #include <credentials/credential_manager.h>
40 #include <utils/linked_list.h>
41
42 /* IMV definitions */
43
44 static const char imv_name[] = "Attestation";
45
46 static pen_type_t msg_types[] = {
47 { PEN_TCG, PA_SUBTYPE_TCG_PTS },
48 { PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
49 };
50
51 static imv_agent_t *imv_attestation;
52
53 /**
54 * Supported PTS measurement algorithms
55 */
56 static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
57
58 /**
59 * Supported PTS Diffie Hellman Groups
60 */
61 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
62
63 /**
64 * PTS file measurement database
65 */
66 static pts_database_t *pts_db;
67
68 /**
69 * PTS credentials
70 */
71 static pts_creds_t *pts_creds;
72
73 /**
74 * PTS credential manager
75 */
76 static credential_manager_t *pts_credmgr;
77
78 /**
79 * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
80 */
81 TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
82 TNC_Version min_version,
83 TNC_Version max_version,
84 TNC_Version *actual_version)
85 {
86 char *hash_alg, *dh_group, *uri, *cadir;
87
88 if (imv_attestation)
89 {
90 DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
91 return TNC_RESULT_ALREADY_INITIALIZED;
92 }
93 if (!pts_meas_algo_probe(&supported_algorithms) ||
94 !pts_dh_group_probe(&supported_dh_groups))
95 {
96 return TNC_RESULT_FATAL;
97 }
98 imv_attestation = imv_agent_create(imv_name, msg_types, 2, imv_id,
99 actual_version);
100 if (!imv_attestation)
101 {
102 return TNC_RESULT_FATAL;
103 }
104
105 libpts_init();
106
107 if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
108 {
109 DBG1(DBG_IMV, "no common IF-IMV version");
110 return TNC_RESULT_NO_COMMON_VERSION;
111 }
112
113 hash_alg = lib->settings->get_str(lib->settings,
114 "libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
115 dh_group = lib->settings->get_str(lib->settings,
116 "libimcv.plugins.imv-attestation.dh_group", "ecp256");
117
118 if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
119 !pts_dh_group_update(dh_group, &supported_dh_groups))
120 {
121 return TNC_RESULT_FATAL;
122 }
123
124 /* create a PTS credential manager */
125 pts_credmgr = credential_manager_create();
126
127 /* create PTS credential set */
128 cadir = lib->settings->get_str(lib->settings,
129 "libimcv.plugins.imv-attestation.cadir", NULL);
130 pts_creds = pts_creds_create(cadir);
131 if (pts_creds)
132 {
133 pts_credmgr->add_set(pts_credmgr, pts_creds->get_set(pts_creds));
134 }
135
136 /* attach file measurement database */
137 uri = lib->settings->get_str(lib->settings,
138 "libimcv.plugins.imv-attestation.database", NULL);
139 pts_db = pts_database_create(uri);
140
141 return TNC_RESULT_SUCCESS;
142 }
143
144 /**
145 * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
146 */
147 TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
148 TNC_ConnectionID connection_id,
149 TNC_ConnectionState new_state)
150 {
151 imv_state_t *state;
152
153 if (!imv_attestation)
154 {
155 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
156 return TNC_RESULT_NOT_INITIALIZED;
157 }
158 switch (new_state)
159 {
160 case TNC_CONNECTION_STATE_CREATE:
161 state = imv_attestation_state_create(connection_id);
162 return imv_attestation->create_state(imv_attestation, state);
163 case TNC_CONNECTION_STATE_DELETE:
164 return imv_attestation->delete_state(imv_attestation, connection_id);
165 case TNC_CONNECTION_STATE_HANDSHAKE:
166 default:
167 return imv_attestation->change_state(imv_attestation, connection_id,
168 new_state, NULL);
169 }
170 }
171
172 static TNC_Result send_message(TNC_ConnectionID connection_id)
173 {
174 linked_list_t *attr_list;
175 imv_state_t *state;
176 imv_attestation_state_t *attestation_state;
177 TNC_Result result;
178
179 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
180 {
181 return TNC_RESULT_FATAL;
182 }
183 attestation_state = (imv_attestation_state_t*)state;
184 attr_list = linked_list_create();
185
186 if (imv_attestation_build(attr_list, attestation_state, supported_algorithms,
187 supported_dh_groups, pts_db))
188 {
189 if (attr_list->get_count(attr_list))
190 {
191 result = imv_attestation->send_message(imv_attestation,
192 connection_id, FALSE, 0, TNC_IMCID_ANY,
193 PEN_TCG, PA_SUBTYPE_TCG_PTS, attr_list);
194 }
195 else
196 {
197 result = TNC_RESULT_SUCCESS;
198 }
199 attr_list->destroy(attr_list);
200 }
201 else
202 {
203 attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy));
204 result = TNC_RESULT_FATAL;
205 }
206
207 return result;
208 }
209
210 static TNC_Result receive_message(TNC_IMVID imv_id,
211 TNC_ConnectionID connection_id,
212 TNC_UInt32 msg_flags,
213 chunk_t msg,
214 TNC_VendorID msg_vid,
215 TNC_MessageSubtype msg_subtype,
216 TNC_UInt32 src_imc_id,
217 TNC_UInt32 dst_imv_id)
218 {
219 pa_tnc_msg_t *pa_tnc_msg;
220 pa_tnc_attr_t *attr;
221 pen_type_t type;
222 linked_list_t *attr_list;
223 imv_state_t *state;
224 imv_attestation_state_t *attestation_state;
225 pts_t *pts;
226 chunk_t os_name = chunk_empty;
227 chunk_t os_version = chunk_empty;
228 enumerator_t *enumerator;
229 TNC_Result result;
230
231 if (!imv_attestation)
232 {
233 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
234 return TNC_RESULT_NOT_INITIALIZED;
235 }
236
237 /* get current IMV state */
238 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
239 {
240 return TNC_RESULT_FATAL;
241 }
242 attestation_state = (imv_attestation_state_t*)state;
243 pts = attestation_state->get_pts(attestation_state);
244
245 /* parse received PA-TNC message and automatically handle any errors */
246 result = imv_attestation->receive_message(imv_attestation, state, msg,
247 msg_vid, msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg);
248
249 /* no parsed PA-TNC attributes available if an error occurred */
250 if (!pa_tnc_msg)
251 {
252 return result;
253 }
254
255 /* preprocess any IETF standard error attributes */
256 result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ?
257 TNC_RESULT_FATAL : TNC_RESULT_SUCCESS;
258
259 attr_list = linked_list_create();
260
261 /* analyze PA-TNC attributes */
262 enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
263 while (enumerator->enumerate(enumerator, &attr))
264 {
265 type = attr->get_type(attr);
266
267 if (type.vendor_id == PEN_IETF)
268 {
269 switch (type.type)
270 {
271 case IETF_ATTR_PA_TNC_ERROR:
272 {
273 ietf_attr_pa_tnc_error_t *error_attr;
274 pen_type_t error_code;
275 chunk_t msg_info;
276
277 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
278 error_code = error_attr->get_error_code(error_attr);
279
280 if (error_code.vendor_id == PEN_TCG)
281 {
282 msg_info = error_attr->get_msg_info(error_attr);
283
284 DBG1(DBG_IMV, "received TCG-PTS error '%N'",
285 pts_error_code_names, error_code.type);
286 DBG1(DBG_IMV, "error information: %B", &msg_info);
287
288 result = TNC_RESULT_FATAL;
289 }
290 break;
291 }
292 case IETF_ATTR_PRODUCT_INFORMATION:
293 {
294 ietf_attr_product_info_t *attr_cast;
295
296 attr_cast = (ietf_attr_product_info_t*)attr;
297 os_name = attr_cast->get_info(attr_cast, NULL, NULL);
298 break;
299 }
300 case IETF_ATTR_STRING_VERSION:
301 {
302 ietf_attr_string_version_t *attr_cast;
303
304 attr_cast = (ietf_attr_string_version_t*)attr;
305 os_version = attr_cast->get_version(attr_cast, NULL, NULL);
306 break;
307 }
308 default:
309 break;
310 }
311 }
312 else if (type.vendor_id == PEN_TCG)
313 {
314 if (!imv_attestation_process(attr, attr_list, attestation_state,
315 supported_algorithms,supported_dh_groups, pts_db, pts_credmgr))
316 {
317 result = TNC_RESULT_FATAL;
318 break;
319 }
320 }
321 }
322 enumerator->destroy(enumerator);
323
324 if (os_name.len && os_version.len)
325 {
326 pts->set_platform_info(pts, os_name, os_version);
327 }
328 pa_tnc_msg->destroy(pa_tnc_msg);
329
330 if (result != TNC_RESULT_SUCCESS)
331 {
332 attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy));
333 state->set_recommendation(state,
334 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
335 TNC_IMV_EVALUATION_RESULT_ERROR);
336 return imv_attestation->provide_recommendation(imv_attestation,
337 connection_id, src_imc_id, PEN_TCG, PA_SUBTYPE_TCG_PTS);
338 }
339
340 if (attr_list->get_count(attr_list))
341 {
342 result = imv_attestation->send_message(imv_attestation, connection_id,
343 FALSE, 0, TNC_IMCID_ANY, PEN_TCG, PA_SUBTYPE_TCG_PTS,
344 attr_list);
345 attr_list->destroy(attr_list);
346 return result;
347 }
348 attr_list->destroy(attr_list);
349
350 /* check the IMV state for the next PA-TNC attributes to send */
351 result = send_message(connection_id);
352 if (result != TNC_RESULT_SUCCESS)
353 {
354 state->set_recommendation(state,
355 TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
356 TNC_IMV_EVALUATION_RESULT_ERROR);
357 return imv_attestation->provide_recommendation(imv_attestation,
358 connection_id, src_imc_id, PEN_TCG, PA_SUBTYPE_TCG_PTS);
359 }
360
361 if (attestation_state->get_handshake_state(attestation_state) ==
362 IMV_ATTESTATION_STATE_END)
363 {
364 if (attestation_state->get_file_meas_request_count(attestation_state))
365 {
366 DBG1(DBG_IMV, "failure due to %d pending file measurements",
367 attestation_state->get_file_meas_request_count(attestation_state));
368 attestation_state->set_measurement_error(attestation_state);
369 }
370 if (attestation_state->get_measurement_error(attestation_state))
371 {
372 state->set_recommendation(state,
373 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
374 TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
375 }
376 else
377 {
378 state->set_recommendation(state,
379 TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
380 TNC_IMV_EVALUATION_RESULT_COMPLIANT);
381 }
382 return imv_attestation->provide_recommendation(imv_attestation,
383 connection_id, src_imc_id, PEN_TCG, PA_SUBTYPE_TCG_PTS);
384 }
385
386 return result;
387 }
388
389 /**
390 * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
391 */
392 TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
393 TNC_ConnectionID connection_id,
394 TNC_BufferReference msg,
395 TNC_UInt32 msg_len,
396 TNC_MessageType msg_type)
397 {
398 TNC_VendorID msg_vid;
399 TNC_MessageSubtype msg_subtype;
400
401 msg_vid = msg_type >> 8;
402 msg_subtype = msg_type & TNC_SUBTYPE_ANY;
403
404 return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len),
405 msg_vid, msg_subtype, 0, TNC_IMVID_ANY);
406 }
407
408 /**
409 * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
410 */
411 TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
412 TNC_ConnectionID connection_id,
413 TNC_UInt32 msg_flags,
414 TNC_BufferReference msg,
415 TNC_UInt32 msg_len,
416 TNC_VendorID msg_vid,
417 TNC_MessageSubtype msg_subtype,
418 TNC_UInt32 src_imc_id,
419 TNC_UInt32 dst_imv_id)
420 {
421 return receive_message(imv_id, connection_id, msg_flags,
422 chunk_create(msg, msg_len), msg_vid, msg_subtype,
423 src_imc_id, dst_imv_id);
424 }
425
426 /**
427 * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
428 */
429 TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
430 TNC_ConnectionID connection_id)
431 {
432 if (!imv_attestation)
433 {
434 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
435 return TNC_RESULT_NOT_INITIALIZED;
436 }
437 return imv_attestation->provide_recommendation(imv_attestation,
438 connection_id, TNC_IMCID_ANY, PEN_TCG, PA_SUBTYPE_TCG_PTS);
439 }
440
441 /**
442 * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
443 */
444 TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
445 TNC_ConnectionID connection_id)
446 {
447 imv_state_t *state;
448 imv_attestation_state_t *attestation_state;
449
450 if (!imv_attestation)
451 {
452 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
453 return TNC_RESULT_NOT_INITIALIZED;
454 }
455 /* get current IMV state */
456 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
457 {
458 return TNC_RESULT_FATAL;
459 }
460 attestation_state = (imv_attestation_state_t*)state;
461
462 /* Check if IMV has to initiate the PA-TNC exchange */
463 if (attestation_state->get_handshake_state(attestation_state) ==
464 IMV_ATTESTATION_STATE_INIT)
465 {
466 return send_message(connection_id);
467 }
468 return TNC_RESULT_SUCCESS;
469 }
470
471 /**
472 * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
473 */
474 TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
475 {
476 if (!imv_attestation)
477 {
478 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
479 return TNC_RESULT_NOT_INITIALIZED;
480 }
481 if (pts_creds)
482 {
483 pts_credmgr->remove_set(pts_credmgr, pts_creds->get_set(pts_creds));
484 pts_creds->destroy(pts_creds);
485 }
486 DESTROY_IF(pts_db);
487 DESTROY_IF(pts_credmgr);
488
489 libpts_deinit();
490
491 imv_attestation->destroy(imv_attestation);
492 imv_attestation = NULL;
493
494 return TNC_RESULT_SUCCESS;
495 }
496
497 /**
498 * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
499 */
500 TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
501 TNC_TNCS_BindFunctionPointer bind_function)
502 {
503 if (!imv_attestation)
504 {
505 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
506 return TNC_RESULT_NOT_INITIALIZED;
507 }
508 return imv_attestation->bind_functions(imv_attestation, bind_function);
509 }