check if TNC client has a valid and registered AIK
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_state.h"
17 #include "imv_attestation_process.h"
18 #include "imv_attestation_build.h"
19
20 #include <imv/imv_agent.h>
21 #include <pa_tnc/pa_tnc_msg.h>
22 #include <ietf/ietf_attr.h>
23 #include <ietf/ietf_attr_pa_tnc_error.h>
24 #include <ietf/ietf_attr_product_info.h>
25
26 #include <libpts.h>
27
28 #include <pts/pts.h>
29 #include <pts/pts_database.h>
30 #include <pts/pts_creds.h>
31
32 #include <tcg/tcg_attr.h>
33
34 #include <tncif_pa_subtypes.h>
35
36 #include <pen/pen.h>
37 #include <debug.h>
38 #include <credentials/credential_manager.h>
39 #include <utils/linked_list.h>
40
41 /* IMV definitions */
42
43 static const char imv_name[] = "Attestation";
44
45 #define IMV_VENDOR_ID PEN_TCG
46 #define IMV_SUBTYPE PA_SUBTYPE_TCG_PTS
47
48 static imv_agent_t *imv_attestation;
49
50 /**
51 * Supported PTS measurement algorithms
52 */
53 static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
54
55 /**
56 * Supported PTS Diffie Hellman Groups
57 */
58 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
59
60 /**
61 * PTS file measurement database
62 */
63 static pts_database_t *pts_db;
64
65 /**
66 * PTS credentials
67 */
68 static pts_creds_t *pts_creds;
69
70 /**
71 * PTS credential manager
72 */
73 static credential_manager_t *pts_credmgr;
74
75 /**
76 * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
77 */
78 TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
79 TNC_Version min_version,
80 TNC_Version max_version,
81 TNC_Version *actual_version)
82 {
83 char *hash_alg, *dh_group, *uri, *cadir;
84
85 if (imv_attestation)
86 {
87 DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
88 return TNC_RESULT_ALREADY_INITIALIZED;
89 }
90 if (!pts_meas_algo_probe(&supported_algorithms) ||
91 !pts_dh_group_probe(&supported_dh_groups))
92 {
93 return TNC_RESULT_FATAL;
94 }
95 imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
96 imv_id, actual_version);
97 if (!imv_attestation)
98 {
99 return TNC_RESULT_FATAL;
100 }
101
102 libpts_init();
103
104 if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
105 {
106 DBG1(DBG_IMV, "no common IF-IMV version");
107 return TNC_RESULT_NO_COMMON_VERSION;
108 }
109
110 hash_alg = lib->settings->get_str(lib->settings,
111 "libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
112 dh_group = lib->settings->get_str(lib->settings,
113 "libimcv.plugins.imv-attestation.dh_group", "ecp256");
114
115 if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
116 !pts_dh_group_update(dh_group, &supported_dh_groups))
117 {
118 return TNC_RESULT_FATAL;
119 }
120
121 /* create a PTS credential manager */
122 pts_credmgr = credential_manager_create();
123
124 /* create PTS credential set */
125 cadir = lib->settings->get_str(lib->settings,
126 "libimcv.plugins.imv-attestation.cadir", NULL);
127 pts_creds = pts_creds_create(cadir);
128 if (pts_creds)
129 {
130 pts_credmgr->add_set(pts_credmgr, pts_creds->get_set(pts_creds));
131 }
132
133 /* attach file measurement database */
134 uri = lib->settings->get_str(lib->settings,
135 "libimcv.plugins.imv-attestation.database", NULL);
136 pts_db = pts_database_create(uri);
137
138 return TNC_RESULT_SUCCESS;
139 }
140
141 /**
142 * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
143 */
144 TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
145 TNC_ConnectionID connection_id,
146 TNC_ConnectionState new_state)
147 {
148 imv_state_t *state;
149
150 if (!imv_attestation)
151 {
152 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
153 return TNC_RESULT_NOT_INITIALIZED;
154 }
155 switch (new_state)
156 {
157 case TNC_CONNECTION_STATE_CREATE:
158 state = imv_attestation_state_create(connection_id);
159 return imv_attestation->create_state(imv_attestation, state);
160 case TNC_CONNECTION_STATE_DELETE:
161 return imv_attestation->delete_state(imv_attestation, connection_id);
162 case TNC_CONNECTION_STATE_HANDSHAKE:
163 default:
164 return imv_attestation->change_state(imv_attestation, connection_id,
165 new_state, NULL);
166 }
167 }
168
169 static TNC_Result send_message(TNC_ConnectionID connection_id)
170 {
171 pa_tnc_msg_t *msg;
172 pa_tnc_attr_t *attr;
173 imv_state_t *state;
174 imv_attestation_state_t *attestation_state;
175 TNC_Result result;
176 linked_list_t *attr_list;
177 enumerator_t *enumerator;
178
179 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
180 {
181 return TNC_RESULT_FATAL;
182 }
183 attestation_state = (imv_attestation_state_t*)state;
184 attr_list = linked_list_create();
185
186 if (imv_attestation_build(attr_list, attestation_state, supported_algorithms,
187 supported_dh_groups, pts_db))
188 {
189 if (attr_list->get_count(attr_list))
190 {
191 msg = pa_tnc_msg_create();
192
193 /* move PA-TNC attributes to PA-TNC message */
194 enumerator = attr_list->create_enumerator(attr_list);
195 while (enumerator->enumerate(enumerator, &attr))
196 {
197 msg->add_attribute(msg, attr);
198 }
199 enumerator->destroy(enumerator);
200
201 msg->build(msg);
202 result = imv_attestation->send_message(imv_attestation,
203 connection_id, FALSE, 0, TNC_IMCID_ANY,
204 msg->get_encoding(msg));
205 msg->destroy(msg);
206 }
207 else
208 {
209 result = TNC_RESULT_SUCCESS;
210 }
211 attr_list->destroy(attr_list);
212 }
213 else
214 {
215 attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy));
216 result = TNC_RESULT_FATAL;
217 }
218
219 return result;
220 }
221
222 static TNC_Result receive_message(TNC_IMVID imv_id,
223 TNC_ConnectionID connection_id,
224 TNC_UInt32 msg_flags,
225 chunk_t msg,
226 TNC_VendorID msg_vid,
227 TNC_MessageSubtype msg_subtype,
228 TNC_UInt32 src_imc_id,
229 TNC_UInt32 dst_imv_id)
230 {
231 pa_tnc_msg_t *pa_tnc_msg;
232 pa_tnc_attr_t *attr;
233 linked_list_t *attr_list;
234 imv_state_t *state;
235 imv_attestation_state_t *attestation_state;
236 pts_t *pts;
237 enumerator_t *enumerator;
238 TNC_Result result;
239
240 if (!imv_attestation)
241 {
242 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
243 return TNC_RESULT_NOT_INITIALIZED;
244 }
245
246 /* get current IMV state */
247 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
248 {
249 return TNC_RESULT_FATAL;
250 }
251 attestation_state = (imv_attestation_state_t*)state;
252 pts = attestation_state->get_pts(attestation_state);
253
254 /* parse received PA-TNC message and automatically handle any errors */
255 result = imv_attestation->receive_message(imv_attestation, state, msg,
256 msg_vid, msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg);
257
258 /* no parsed PA-TNC attributes available if an error occurred */
259 if (!pa_tnc_msg)
260 {
261 return result;
262 }
263
264 /* preprocess any IETF standard error attributes */
265 result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ?
266 TNC_RESULT_FATAL : TNC_RESULT_SUCCESS;
267
268 attr_list = linked_list_create();
269
270 /* analyze PA-TNC attributes */
271 enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
272 while (enumerator->enumerate(enumerator, &attr))
273 {
274 if (attr->get_vendor_id(attr) == PEN_IETF)
275 {
276 if (attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
277 {
278 ietf_attr_pa_tnc_error_t *error_attr;
279 pen_t error_vendor_id;
280 pa_tnc_error_code_t error_code;
281 chunk_t msg_info;
282
283 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
284 error_vendor_id = error_attr->get_vendor_id(error_attr);
285
286 if (error_vendor_id == PEN_TCG)
287 {
288 error_code = error_attr->get_error_code(error_attr);
289 msg_info = error_attr->get_msg_info(error_attr);
290
291 DBG1(DBG_IMV, "received TCG-PTS error '%N'",
292 pts_error_code_names, error_code);
293 DBG1(DBG_IMV, "error information: %B", &msg_info);
294
295 result = TNC_RESULT_FATAL;
296 }
297 }
298 else if (attr->get_type(attr) == IETF_ATTR_PRODUCT_INFORMATION)
299 {
300 ietf_attr_product_info_t *attr_cast;
301 char *platform_info;
302
303 attr_cast = (ietf_attr_product_info_t*)attr;
304 platform_info = attr_cast->get_info(attr_cast, NULL, NULL);
305 pts->set_platform_info(pts, platform_info);
306 }
307 }
308 else if (attr->get_vendor_id(attr) == PEN_TCG)
309 {
310 if (!imv_attestation_process(attr, attr_list, attestation_state,
311 supported_algorithms,supported_dh_groups, pts_db, pts_credmgr))
312 {
313 result = TNC_RESULT_FATAL;
314 break;
315 }
316 }
317 }
318 enumerator->destroy(enumerator);
319 pa_tnc_msg->destroy(pa_tnc_msg);
320
321 if (result != TNC_RESULT_SUCCESS)
322 {
323 attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy));
324 state->set_recommendation(state,
325 TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
326 TNC_IMV_EVALUATION_RESULT_ERROR);
327 return imv_attestation->provide_recommendation(imv_attestation,
328 connection_id);
329 }
330
331 if (attr_list->get_count(attr_list))
332 {
333 pa_tnc_msg = pa_tnc_msg_create();
334
335 /* move PA-TNC attributes to PA-TNC message */
336 enumerator = attr_list->create_enumerator(attr_list);
337 while (enumerator->enumerate(enumerator, &attr))
338 {
339 pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
340 }
341 enumerator->destroy(enumerator);
342
343 pa_tnc_msg->build(pa_tnc_msg);
344 result = imv_attestation->send_message(imv_attestation, connection_id,
345 FALSE, 0, TNC_IMCID_ANY,
346 pa_tnc_msg->get_encoding(pa_tnc_msg));
347
348 pa_tnc_msg->destroy(pa_tnc_msg);
349 attr_list->destroy(attr_list);
350
351 return result;
352 }
353 attr_list->destroy(attr_list);
354
355 /* check the IMV state for the next PA-TNC attributes to send */
356 result = send_message(connection_id);
357 if (result != TNC_RESULT_SUCCESS)
358 {
359 state->set_recommendation(state,
360 TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
361 TNC_IMV_EVALUATION_RESULT_ERROR);
362 return imv_attestation->provide_recommendation(imv_attestation,
363 connection_id);
364 }
365
366 if (attestation_state->get_handshake_state(attestation_state) ==
367 IMV_ATTESTATION_STATE_END)
368 {
369 if (attestation_state->get_file_meas_request_count(attestation_state))
370 {
371 DBG1(DBG_IMV, "failure due to %d pending file measurements",
372 attestation_state->get_file_meas_request_count(attestation_state));
373 attestation_state->set_measurement_error(attestation_state);
374 }
375 if (attestation_state->get_component_count(attestation_state))
376 {
377 DBG1(DBG_IMV, "failure due to %d components waiting for evidence",
378 attestation_state->get_component_count(attestation_state));
379 attestation_state->set_measurement_error(attestation_state);
380 }
381 if (attestation_state->get_measurement_error(attestation_state))
382 {
383 state->set_recommendation(state,
384 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
385 TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
386 }
387 else
388 {
389 state->set_recommendation(state,
390 TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
391 TNC_IMV_EVALUATION_RESULT_COMPLIANT);
392 }
393 return imv_attestation->provide_recommendation(imv_attestation,
394 connection_id);
395 }
396
397 return result;
398 }
399
400 /**
401 * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
402 */
403 TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
404 TNC_ConnectionID connection_id,
405 TNC_BufferReference msg,
406 TNC_UInt32 msg_len,
407 TNC_MessageType msg_type)
408 {
409 TNC_VendorID msg_vid;
410 TNC_MessageSubtype msg_subtype;
411
412 msg_vid = msg_type >> 8;
413 msg_subtype = msg_type & TNC_SUBTYPE_ANY;
414
415 return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len),
416 msg_vid, msg_subtype, 0, TNC_IMVID_ANY);
417 }
418
419 /**
420 * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
421 */
422 TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
423 TNC_ConnectionID connection_id,
424 TNC_UInt32 msg_flags,
425 TNC_BufferReference msg,
426 TNC_UInt32 msg_len,
427 TNC_VendorID msg_vid,
428 TNC_MessageSubtype msg_subtype,
429 TNC_UInt32 src_imc_id,
430 TNC_UInt32 dst_imv_id)
431 {
432 return receive_message(imv_id, connection_id, msg_flags,
433 chunk_create(msg, msg_len), msg_vid, msg_subtype,
434 src_imc_id, dst_imv_id);
435 }
436
437 /**
438 * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
439 */
440 TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
441 TNC_ConnectionID connection_id)
442 {
443 if (!imv_attestation)
444 {
445 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
446 return TNC_RESULT_NOT_INITIALIZED;
447 }
448 return imv_attestation->provide_recommendation(imv_attestation,
449 connection_id);
450 }
451
452 /**
453 * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
454 */
455 TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
456 TNC_ConnectionID connection_id)
457 {
458 imv_state_t *state;
459 imv_attestation_state_t *attestation_state;
460
461 if (!imv_attestation)
462 {
463 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
464 return TNC_RESULT_NOT_INITIALIZED;
465 }
466 /* get current IMV state */
467 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
468 {
469 return TNC_RESULT_FATAL;
470 }
471 attestation_state = (imv_attestation_state_t*)state;
472
473 /* Check if IMV has to initiate the PA-TNC exchange */
474 if (attestation_state->get_handshake_state(attestation_state) ==
475 IMV_ATTESTATION_STATE_INIT)
476 {
477 return send_message(connection_id);
478 }
479 return TNC_RESULT_SUCCESS;
480 }
481
482 /**
483 * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
484 */
485 TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
486 {
487 if (!imv_attestation)
488 {
489 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
490 return TNC_RESULT_NOT_INITIALIZED;
491 }
492 if (pts_creds)
493 {
494 pts_credmgr->remove_set(pts_credmgr, pts_creds->get_set(pts_creds));
495 pts_creds->destroy(pts_creds);
496 }
497 DESTROY_IF(pts_db);
498 DESTROY_IF(pts_credmgr);
499
500 libpts_deinit();
501
502 imv_attestation->destroy(imv_attestation);
503 imv_attestation = NULL;
504
505 return TNC_RESULT_SUCCESS;
506 }
507
508 /**
509 * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
510 */
511 TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
512 TNC_TNCS_BindFunctionPointer bind_function)
513 {
514 if (!imv_attestation)
515 {
516 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
517 return TNC_RESULT_NOT_INITIALIZED;
518 }
519 return imv_attestation->bind_functions(imv_attestation, bind_function);
520 }