647faf470d9183d1820158adda072abf1cb6ece3
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation.c
1 /*
2 * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_state.h"
17 #include "imv_attestation_process.h"
18 #include "imv_attestation_build.h"
19
20 #include <imv/imv_agent.h>
21 #include <imv/imv_msg.h>
22 #include <pa_tnc/pa_tnc_msg.h>
23 #include <ietf/ietf_attr.h>
24 #include <ietf/ietf_attr_pa_tnc_error.h>
25 #include <ietf/ietf_attr_product_info.h>
26 #include <ietf/ietf_attr_string_version.h>
27
28 #include <libpts.h>
29
30 #include <pts/pts.h>
31 #include <pts/pts_database.h>
32 #include <pts/pts_creds.h>
33
34 #include <tcg/tcg_attr.h>
35
36 #include <tncif_pa_subtypes.h>
37
38 #include <pen/pen.h>
39 #include <utils/debug.h>
40 #include <credentials/credential_manager.h>
41 #include <collections/linked_list.h>
42
43 /* IMV definitions */
44
45 static const char imv_name[] = "Attestation";
46
47 static pen_type_t msg_types[] = {
48 { PEN_TCG, PA_SUBTYPE_TCG_PTS },
49 { PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
50 };
51
52 static imv_agent_t *imv_attestation;
53
54 /**
55 * Supported PTS measurement algorithms
56 */
57 static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
58
59 /**
60 * Supported PTS Diffie Hellman Groups
61 */
62 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
63
64 /**
65 * PTS file measurement database
66 */
67 static pts_database_t *pts_db;
68
69 /**
70 * PTS credentials
71 */
72 static pts_creds_t *pts_creds;
73
74 /**
75 * PTS credential manager
76 */
77 static credential_manager_t *pts_credmgr;
78
79 /**
80 * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
81 */
82 TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
83 TNC_Version min_version,
84 TNC_Version max_version,
85 TNC_Version *actual_version)
86 {
87 char *hash_alg, *dh_group, *uri, *cadir;
88
89 if (imv_attestation)
90 {
91 DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
92 return TNC_RESULT_ALREADY_INITIALIZED;
93 }
94 if (!pts_meas_algo_probe(&supported_algorithms) ||
95 !pts_dh_group_probe(&supported_dh_groups))
96 {
97 return TNC_RESULT_FATAL;
98 }
99 imv_attestation = imv_agent_create(imv_name, msg_types, 2, imv_id,
100 actual_version);
101 if (!imv_attestation)
102 {
103 return TNC_RESULT_FATAL;
104 }
105
106 libpts_init();
107
108 if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
109 {
110 DBG1(DBG_IMV, "no common IF-IMV version");
111 return TNC_RESULT_NO_COMMON_VERSION;
112 }
113
114 hash_alg = lib->settings->get_str(lib->settings,
115 "libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
116 dh_group = lib->settings->get_str(lib->settings,
117 "libimcv.plugins.imv-attestation.dh_group", "ecp256");
118
119 if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
120 !pts_dh_group_update(dh_group, &supported_dh_groups))
121 {
122 return TNC_RESULT_FATAL;
123 }
124
125 /* create a PTS credential manager */
126 pts_credmgr = credential_manager_create();
127
128 /* create PTS credential set */
129 cadir = lib->settings->get_str(lib->settings,
130 "libimcv.plugins.imv-attestation.cadir", NULL);
131 pts_creds = pts_creds_create(cadir);
132 if (pts_creds)
133 {
134 pts_credmgr->add_set(pts_credmgr, pts_creds->get_set(pts_creds));
135 }
136
137 /* attach file measurement database */
138 uri = lib->settings->get_str(lib->settings,
139 "libimcv.plugins.imv-attestation.database", NULL);
140 pts_db = pts_database_create(uri);
141
142 return TNC_RESULT_SUCCESS;
143 }
144
145 /**
146 * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
147 */
148 TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
149 TNC_ConnectionID connection_id,
150 TNC_ConnectionState new_state)
151 {
152 imv_state_t *state;
153
154 if (!imv_attestation)
155 {
156 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
157 return TNC_RESULT_NOT_INITIALIZED;
158 }
159 switch (new_state)
160 {
161 case TNC_CONNECTION_STATE_CREATE:
162 state = imv_attestation_state_create(connection_id);
163 return imv_attestation->create_state(imv_attestation, state);
164 case TNC_CONNECTION_STATE_DELETE:
165 return imv_attestation->delete_state(imv_attestation, connection_id);
166 case TNC_CONNECTION_STATE_HANDSHAKE:
167 default:
168 return imv_attestation->change_state(imv_attestation, connection_id,
169 new_state, NULL);
170 }
171 }
172
173 static TNC_Result send_message(imv_state_t *state, imv_msg_t *out_msg)
174 {
175 imv_attestation_state_t *attestation_state;
176 TNC_Result result;
177
178 attestation_state = (imv_attestation_state_t*)state;
179
180 if (imv_attestation_build(out_msg, attestation_state, supported_algorithms,
181 supported_dh_groups, pts_db))
182 {
183 result = out_msg->send(out_msg, TRUE);
184 }
185 else
186 {
187 out_msg->delete_attributes(out_msg);
188 result = TNC_RESULT_FATAL;
189 }
190
191 return result;
192 }
193
194 static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
195 {
196 imv_attestation_state_t *attestation_state;
197 imv_msg_t *out_msg;
198 enumerator_t *enumerator;
199 pa_tnc_attr_t *attr;
200 pen_type_t type;
201 TNC_Result result;
202 pts_t *pts;
203 chunk_t os_name = chunk_empty;
204 chunk_t os_version = chunk_empty;
205 bool fatal_error = FALSE;
206
207 /* parse received PA-TNC message and handle local and remote errors */
208 result = in_msg->receive(in_msg, &fatal_error);
209 if (result != TNC_RESULT_SUCCESS)
210 {
211 return result;
212 }
213
214 attestation_state = (imv_attestation_state_t*)state;
215 pts = attestation_state->get_pts(attestation_state);
216
217 out_msg = imv_msg_create_as_reply(in_msg);
218 out_msg->set_msg_type(out_msg, msg_types[0]);
219
220 /* analyze PA-TNC attributes */
221 enumerator = in_msg->create_attribute_enumerator(in_msg);
222 while (enumerator->enumerate(enumerator, &attr))
223 {
224 type = attr->get_type(attr);
225
226 if (type.vendor_id == PEN_IETF)
227 {
228 switch (type.type)
229 {
230 case IETF_ATTR_PA_TNC_ERROR:
231 {
232 ietf_attr_pa_tnc_error_t *error_attr;
233 pen_type_t error_code;
234 chunk_t msg_info;
235
236 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
237 error_code = error_attr->get_error_code(error_attr);
238
239 if (error_code.vendor_id == PEN_TCG)
240 {
241 msg_info = error_attr->get_msg_info(error_attr);
242
243 DBG1(DBG_IMV, "received TCG-PTS error '%N'",
244 pts_error_code_names, error_code.type);
245 DBG1(DBG_IMV, "error information: %B", &msg_info);
246
247 result = TNC_RESULT_FATAL;
248 }
249 break;
250 }
251 case IETF_ATTR_PRODUCT_INFORMATION:
252 {
253 ietf_attr_product_info_t *attr_cast;
254
255 attr_cast = (ietf_attr_product_info_t*)attr;
256 os_name = attr_cast->get_info(attr_cast, NULL, NULL);
257 break;
258 }
259 case IETF_ATTR_STRING_VERSION:
260 {
261 ietf_attr_string_version_t *attr_cast;
262
263 attr_cast = (ietf_attr_string_version_t*)attr;
264 os_version = attr_cast->get_version(attr_cast, NULL, NULL);
265 break;
266 }
267 default:
268 break;
269 }
270 }
271 else if (type.vendor_id == PEN_TCG)
272 {
273 if (!imv_attestation_process(attr, out_msg, attestation_state,
274 supported_algorithms,supported_dh_groups, pts_db, pts_credmgr))
275 {
276 result = TNC_RESULT_FATAL;
277 break;
278 }
279 }
280 }
281 enumerator->destroy(enumerator);
282
283 if (os_name.len && os_version.len)
284 {
285 pts->set_platform_info(pts, os_name, os_version);
286 }
287
288 if (result != TNC_RESULT_SUCCESS)
289 {
290 out_msg->delete_attributes(out_msg);
291 state->set_recommendation(state,
292 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
293 TNC_IMV_EVALUATION_RESULT_ERROR);
294 result = out_msg->send_assessment(out_msg);
295 out_msg->destroy(out_msg);
296 if (result != TNC_RESULT_SUCCESS)
297 {
298 return result;
299 }
300 return imv_attestation->provide_recommendation(imv_attestation, state);
301 }
302
303 /* send PA-TNC message with excl flag set */
304 result = out_msg->send(out_msg, TRUE);
305
306 if (result != TNC_RESULT_SUCCESS)
307 {
308 out_msg->destroy(out_msg);
309 return result;
310 }
311
312 /* check the IMV state for the next PA-TNC attributes to send */
313 result = send_message(state, out_msg);
314
315 if (result != TNC_RESULT_SUCCESS)
316 {
317 state->set_recommendation(state,
318 TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
319 TNC_IMV_EVALUATION_RESULT_ERROR);
320 out_msg->delete_attributes(out_msg);
321 result = out_msg->send_assessment(out_msg);
322 if (result != TNC_RESULT_SUCCESS)
323 {
324 return result;
325 }
326 return imv_attestation->provide_recommendation(imv_attestation, state);
327 }
328
329 if (attestation_state->get_handshake_state(attestation_state) ==
330 IMV_ATTESTATION_STATE_END)
331 {
332 if (attestation_state->get_file_meas_request_count(attestation_state))
333 {
334 DBG1(DBG_IMV, "failure due to %d pending file measurements",
335 attestation_state->get_file_meas_request_count(attestation_state));
336 attestation_state->set_measurement_error(attestation_state);
337 }
338 if (attestation_state->get_measurement_error(attestation_state))
339 {
340 state->set_recommendation(state,
341 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
342 TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
343 }
344 else
345 {
346 state->set_recommendation(state,
347 TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
348 TNC_IMV_EVALUATION_RESULT_COMPLIANT);
349 }
350 result = out_msg->send_assessment(out_msg);
351 out_msg->destroy(out_msg);
352 if (result != TNC_RESULT_SUCCESS)
353 {
354 return result;
355 }
356 return imv_attestation->provide_recommendation(imv_attestation, state);
357 }
358 out_msg->destroy(out_msg);
359
360 return result;
361 }
362
363 /**
364 * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
365 */
366 TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
367 TNC_ConnectionID connection_id,
368 TNC_BufferReference msg,
369 TNC_UInt32 msg_len,
370 TNC_MessageType msg_type)
371 {
372 imv_state_t *state;
373 imv_msg_t *in_msg;
374 TNC_Result result;
375
376 if (!imv_attestation)
377 {
378 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
379 return TNC_RESULT_NOT_INITIALIZED;
380 }
381 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
382 {
383 return TNC_RESULT_FATAL;
384 }
385 in_msg = imv_msg_create_from_data(imv_attestation, state, connection_id,
386 msg_type, chunk_create(msg, msg_len));
387 result = receive_message(state, in_msg);
388 in_msg->destroy(in_msg);
389
390 return result;
391 }
392
393 /**
394 * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
395 */
396 TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
397 TNC_ConnectionID connection_id,
398 TNC_UInt32 msg_flags,
399 TNC_BufferReference msg,
400 TNC_UInt32 msg_len,
401 TNC_VendorID msg_vid,
402 TNC_MessageSubtype msg_subtype,
403 TNC_UInt32 src_imc_id,
404 TNC_UInt32 dst_imv_id)
405 {
406 imv_state_t *state;
407 imv_msg_t *in_msg;
408 TNC_Result result;
409
410 if (!imv_attestation)
411 {
412 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
413 return TNC_RESULT_NOT_INITIALIZED;
414 }
415 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
416 {
417 return TNC_RESULT_FATAL;
418 }
419 in_msg = imv_msg_create_from_long_data(imv_attestation, state, connection_id,
420 src_imc_id, dst_imv_id, msg_vid, msg_subtype,
421 chunk_create(msg, msg_len));
422 result =receive_message(state, in_msg);
423 in_msg->destroy(in_msg);
424
425 return result;
426 }
427
428 /**
429 * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
430 */
431 TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
432 TNC_ConnectionID connection_id)
433 {
434 imv_state_t *state;
435
436 if (!imv_attestation)
437 {
438 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
439 return TNC_RESULT_NOT_INITIALIZED;
440 }
441 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
442 {
443 return TNC_RESULT_FATAL;
444 }
445 return imv_attestation->provide_recommendation(imv_attestation, state);
446 }
447
448 /**
449 * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
450 */
451 TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
452 TNC_ConnectionID connection_id)
453 {
454 if (!imv_attestation)
455 {
456 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
457 return TNC_RESULT_NOT_INITIALIZED;
458 }
459 return TNC_RESULT_SUCCESS;
460 }
461
462 /**
463 * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
464 */
465 TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
466 {
467 if (!imv_attestation)
468 {
469 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
470 return TNC_RESULT_NOT_INITIALIZED;
471 }
472 if (pts_creds)
473 {
474 pts_credmgr->remove_set(pts_credmgr, pts_creds->get_set(pts_creds));
475 pts_creds->destroy(pts_creds);
476 }
477 DESTROY_IF(pts_db);
478 DESTROY_IF(pts_credmgr);
479
480 libpts_deinit();
481
482 imv_attestation->destroy(imv_attestation);
483 imv_attestation = NULL;
484
485 return TNC_RESULT_SUCCESS;
486 }
487
488 /**
489 * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
490 */
491 TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
492 TNC_TNCS_BindFunctionPointer bind_function)
493 {
494 if (!imv_attestation)
495 {
496 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
497 return TNC_RESULT_NOT_INITIALIZED;
498 }
499 return imv_attestation->bind_functions(imv_attestation, bind_function);
500 }