6cfff7f5f4758a38554335e20eaefbe03ad8a73f
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation.c
1 /*
2 * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_state.h"
17 #include "imv_attestation_process.h"
18 #include "imv_attestation_build.h"
19
20 #include <imv/imv_agent.h>
21 #include <pa_tnc/pa_tnc_msg.h>
22 #include <ietf/ietf_attr.h>
23 #include <ietf/ietf_attr_pa_tnc_error.h>
24 #include <ietf/ietf_attr_product_info.h>
25 #include <ietf/ietf_attr_string_version.h>
26
27 #include <libpts.h>
28
29 #include <pts/pts.h>
30 #include <pts/pts_database.h>
31 #include <pts/pts_creds.h>
32
33 #include <tcg/tcg_attr.h>
34
35 #include <tncif_pa_subtypes.h>
36
37 #include <pen/pen.h>
38 #include <debug.h>
39 #include <credentials/credential_manager.h>
40 #include <utils/linked_list.h>
41
42 /* IMV definitions */
43
44 static const char imv_name[] = "Attestation";
45
46 #define IMV_VENDOR_ID PEN_TCG
47 #define IMV_SUBTYPE PA_SUBTYPE_TCG_PTS
48
49 static imv_agent_t *imv_attestation;
50
51 /**
52 * Supported PTS measurement algorithms
53 */
54 static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
55
56 /**
57 * Supported PTS Diffie Hellman Groups
58 */
59 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
60
61 /**
62 * PTS file measurement database
63 */
64 static pts_database_t *pts_db;
65
66 /**
67 * PTS credentials
68 */
69 static pts_creds_t *pts_creds;
70
71 /**
72 * PTS credential manager
73 */
74 static credential_manager_t *pts_credmgr;
75
76 /**
77 * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
78 */
79 TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
80 TNC_Version min_version,
81 TNC_Version max_version,
82 TNC_Version *actual_version)
83 {
84 char *hash_alg, *dh_group, *uri, *cadir;
85
86 if (imv_attestation)
87 {
88 DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
89 return TNC_RESULT_ALREADY_INITIALIZED;
90 }
91 if (!pts_meas_algo_probe(&supported_algorithms) ||
92 !pts_dh_group_probe(&supported_dh_groups))
93 {
94 return TNC_RESULT_FATAL;
95 }
96 imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
97 imv_id, actual_version);
98 if (!imv_attestation)
99 {
100 return TNC_RESULT_FATAL;
101 }
102
103 libpts_init();
104
105 if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
106 {
107 DBG1(DBG_IMV, "no common IF-IMV version");
108 return TNC_RESULT_NO_COMMON_VERSION;
109 }
110
111 hash_alg = lib->settings->get_str(lib->settings,
112 "libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
113 dh_group = lib->settings->get_str(lib->settings,
114 "libimcv.plugins.imv-attestation.dh_group", "ecp256");
115
116 if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
117 !pts_dh_group_update(dh_group, &supported_dh_groups))
118 {
119 return TNC_RESULT_FATAL;
120 }
121
122 /* create a PTS credential manager */
123 pts_credmgr = credential_manager_create();
124
125 /* create PTS credential set */
126 cadir = lib->settings->get_str(lib->settings,
127 "libimcv.plugins.imv-attestation.cadir", NULL);
128 pts_creds = pts_creds_create(cadir);
129 if (pts_creds)
130 {
131 pts_credmgr->add_set(pts_credmgr, pts_creds->get_set(pts_creds));
132 }
133
134 /* attach file measurement database */
135 uri = lib->settings->get_str(lib->settings,
136 "libimcv.plugins.imv-attestation.database", NULL);
137 pts_db = pts_database_create(uri);
138
139 return TNC_RESULT_SUCCESS;
140 }
141
142 /**
143 * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
144 */
145 TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
146 TNC_ConnectionID connection_id,
147 TNC_ConnectionState new_state)
148 {
149 imv_state_t *state;
150
151 if (!imv_attestation)
152 {
153 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
154 return TNC_RESULT_NOT_INITIALIZED;
155 }
156 switch (new_state)
157 {
158 case TNC_CONNECTION_STATE_CREATE:
159 state = imv_attestation_state_create(connection_id);
160 return imv_attestation->create_state(imv_attestation, state);
161 case TNC_CONNECTION_STATE_DELETE:
162 return imv_attestation->delete_state(imv_attestation, connection_id);
163 case TNC_CONNECTION_STATE_HANDSHAKE:
164 default:
165 return imv_attestation->change_state(imv_attestation, connection_id,
166 new_state, NULL);
167 }
168 }
169
170 static TNC_Result send_message(TNC_ConnectionID connection_id)
171 {
172 linked_list_t *attr_list;
173 imv_state_t *state;
174 imv_attestation_state_t *attestation_state;
175 TNC_Result result;
176
177 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
178 {
179 return TNC_RESULT_FATAL;
180 }
181 attestation_state = (imv_attestation_state_t*)state;
182 attr_list = linked_list_create();
183
184 if (imv_attestation_build(attr_list, attestation_state, supported_algorithms,
185 supported_dh_groups, pts_db))
186 {
187 if (attr_list->get_count(attr_list))
188 {
189 result = imv_attestation->send_message(imv_attestation,
190 connection_id, FALSE, 0, TNC_IMCID_ANY, attr_list);
191 }
192 else
193 {
194 result = TNC_RESULT_SUCCESS;
195 }
196 attr_list->destroy(attr_list);
197 }
198 else
199 {
200 attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy));
201 result = TNC_RESULT_FATAL;
202 }
203
204 return result;
205 }
206
207 static TNC_Result receive_message(TNC_IMVID imv_id,
208 TNC_ConnectionID connection_id,
209 TNC_UInt32 msg_flags,
210 chunk_t msg,
211 TNC_VendorID msg_vid,
212 TNC_MessageSubtype msg_subtype,
213 TNC_UInt32 src_imc_id,
214 TNC_UInt32 dst_imv_id)
215 {
216 pa_tnc_msg_t *pa_tnc_msg;
217 pa_tnc_attr_t *attr;
218 pen_type_t type;
219 linked_list_t *attr_list;
220 imv_state_t *state;
221 imv_attestation_state_t *attestation_state;
222 pts_t *pts;
223 chunk_t os_name = chunk_empty;
224 chunk_t os_version = chunk_empty;
225 enumerator_t *enumerator;
226 TNC_Result result;
227
228 if (!imv_attestation)
229 {
230 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
231 return TNC_RESULT_NOT_INITIALIZED;
232 }
233
234 /* get current IMV state */
235 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
236 {
237 return TNC_RESULT_FATAL;
238 }
239 attestation_state = (imv_attestation_state_t*)state;
240 pts = attestation_state->get_pts(attestation_state);
241
242 /* parse received PA-TNC message and automatically handle any errors */
243 result = imv_attestation->receive_message(imv_attestation, state, msg,
244 msg_vid, msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg);
245
246 /* no parsed PA-TNC attributes available if an error occurred */
247 if (!pa_tnc_msg)
248 {
249 return result;
250 }
251
252 /* preprocess any IETF standard error attributes */
253 result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ?
254 TNC_RESULT_FATAL : TNC_RESULT_SUCCESS;
255
256 attr_list = linked_list_create();
257
258 /* analyze PA-TNC attributes */
259 enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
260 while (enumerator->enumerate(enumerator, &attr))
261 {
262 type = attr->get_type(attr);
263
264 if (type.vendor_id == PEN_IETF)
265 {
266 switch (type.type)
267 {
268 case IETF_ATTR_PA_TNC_ERROR:
269 {
270 ietf_attr_pa_tnc_error_t *error_attr;
271 pen_type_t error_code;
272 chunk_t msg_info;
273
274 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
275 error_code = error_attr->get_error_code(error_attr);
276
277 if (error_code.vendor_id == PEN_TCG)
278 {
279 msg_info = error_attr->get_msg_info(error_attr);
280
281 DBG1(DBG_IMV, "received TCG-PTS error '%N'",
282 pts_error_code_names, error_code.type);
283 DBG1(DBG_IMV, "error information: %B", &msg_info);
284
285 result = TNC_RESULT_FATAL;
286 }
287 break;
288 }
289 case IETF_ATTR_PRODUCT_INFORMATION:
290 {
291 ietf_attr_product_info_t *attr_cast;
292
293 attr_cast = (ietf_attr_product_info_t*)attr;
294 os_name = attr_cast->get_info(attr_cast, NULL, NULL);
295 break;
296 }
297 case IETF_ATTR_STRING_VERSION:
298 {
299 ietf_attr_string_version_t *attr_cast;
300
301 attr_cast = (ietf_attr_string_version_t*)attr;
302 os_version = attr_cast->get_version(attr_cast, NULL, NULL);
303 break;
304 }
305 default:
306 break;
307 }
308 }
309 else if (type.vendor_id == PEN_TCG)
310 {
311 if (!imv_attestation_process(attr, attr_list, attestation_state,
312 supported_algorithms,supported_dh_groups, pts_db, pts_credmgr))
313 {
314 result = TNC_RESULT_FATAL;
315 break;
316 }
317 }
318 }
319 enumerator->destroy(enumerator);
320
321 if (os_name.len && os_version.len)
322 {
323 pts->set_platform_info(pts, os_name, os_version);
324 }
325 pa_tnc_msg->destroy(pa_tnc_msg);
326
327 if (result != TNC_RESULT_SUCCESS)
328 {
329 attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy));
330 state->set_recommendation(state,
331 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
332 TNC_IMV_EVALUATION_RESULT_ERROR);
333 return imv_attestation->provide_recommendation(imv_attestation,
334 connection_id, src_imc_id);
335 }
336
337 if (attr_list->get_count(attr_list))
338 {
339 result = imv_attestation->send_message(imv_attestation, connection_id,
340 FALSE, 0, TNC_IMCID_ANY, attr_list);
341 attr_list->destroy(attr_list);
342 return result;
343 }
344 attr_list->destroy(attr_list);
345
346 /* check the IMV state for the next PA-TNC attributes to send */
347 result = send_message(connection_id);
348 if (result != TNC_RESULT_SUCCESS)
349 {
350 state->set_recommendation(state,
351 TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
352 TNC_IMV_EVALUATION_RESULT_ERROR);
353 return imv_attestation->provide_recommendation(imv_attestation,
354 connection_id, src_imc_id);
355 }
356
357 if (attestation_state->get_handshake_state(attestation_state) ==
358 IMV_ATTESTATION_STATE_END)
359 {
360 if (attestation_state->get_file_meas_request_count(attestation_state))
361 {
362 DBG1(DBG_IMV, "failure due to %d pending file measurements",
363 attestation_state->get_file_meas_request_count(attestation_state));
364 attestation_state->set_measurement_error(attestation_state);
365 }
366 if (attestation_state->get_measurement_error(attestation_state))
367 {
368 state->set_recommendation(state,
369 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
370 TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
371 }
372 else
373 {
374 state->set_recommendation(state,
375 TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
376 TNC_IMV_EVALUATION_RESULT_COMPLIANT);
377 }
378 return imv_attestation->provide_recommendation(imv_attestation,
379 connection_id, src_imc_id);
380 }
381
382 return result;
383 }
384
385 /**
386 * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
387 */
388 TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
389 TNC_ConnectionID connection_id,
390 TNC_BufferReference msg,
391 TNC_UInt32 msg_len,
392 TNC_MessageType msg_type)
393 {
394 TNC_VendorID msg_vid;
395 TNC_MessageSubtype msg_subtype;
396
397 msg_vid = msg_type >> 8;
398 msg_subtype = msg_type & TNC_SUBTYPE_ANY;
399
400 return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len),
401 msg_vid, msg_subtype, 0, TNC_IMVID_ANY);
402 }
403
404 /**
405 * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
406 */
407 TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
408 TNC_ConnectionID connection_id,
409 TNC_UInt32 msg_flags,
410 TNC_BufferReference msg,
411 TNC_UInt32 msg_len,
412 TNC_VendorID msg_vid,
413 TNC_MessageSubtype msg_subtype,
414 TNC_UInt32 src_imc_id,
415 TNC_UInt32 dst_imv_id)
416 {
417 return receive_message(imv_id, connection_id, msg_flags,
418 chunk_create(msg, msg_len), msg_vid, msg_subtype,
419 src_imc_id, dst_imv_id);
420 }
421
422 /**
423 * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
424 */
425 TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
426 TNC_ConnectionID connection_id)
427 {
428 if (!imv_attestation)
429 {
430 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
431 return TNC_RESULT_NOT_INITIALIZED;
432 }
433 return imv_attestation->provide_recommendation(imv_attestation,
434 connection_id, TNC_IMCID_ANY);
435 }
436
437 /**
438 * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
439 */
440 TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
441 TNC_ConnectionID connection_id)
442 {
443 imv_state_t *state;
444 imv_attestation_state_t *attestation_state;
445
446 if (!imv_attestation)
447 {
448 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
449 return TNC_RESULT_NOT_INITIALIZED;
450 }
451 /* get current IMV state */
452 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
453 {
454 return TNC_RESULT_FATAL;
455 }
456 attestation_state = (imv_attestation_state_t*)state;
457
458 /* Check if IMV has to initiate the PA-TNC exchange */
459 if (attestation_state->get_handshake_state(attestation_state) ==
460 IMV_ATTESTATION_STATE_INIT)
461 {
462 return send_message(connection_id);
463 }
464 return TNC_RESULT_SUCCESS;
465 }
466
467 /**
468 * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
469 */
470 TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
471 {
472 if (!imv_attestation)
473 {
474 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
475 return TNC_RESULT_NOT_INITIALIZED;
476 }
477 if (pts_creds)
478 {
479 pts_credmgr->remove_set(pts_credmgr, pts_creds->get_set(pts_creds));
480 pts_creds->destroy(pts_creds);
481 }
482 DESTROY_IF(pts_db);
483 DESTROY_IF(pts_credmgr);
484
485 libpts_deinit();
486
487 imv_attestation->destroy(imv_attestation);
488 imv_attestation = NULL;
489
490 return TNC_RESULT_SUCCESS;
491 }
492
493 /**
494 * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
495 */
496 TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
497 TNC_TNCS_BindFunctionPointer bind_function)
498 {
499 if (!imv_attestation)
500 {
501 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
502 return TNC_RESULT_NOT_INITIALIZED;
503 }
504 return imv_attestation->bind_functions(imv_attestation, bind_function);
505 }