use countof()
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation.c
1 /*
2 * Copyright (C) 2011-2012 Sansar Choinyambuu, Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_state.h"
17 #include "imv_attestation_process.h"
18 #include "imv_attestation_build.h"
19
20 #include <imv/imv_agent.h>
21 #include <imv/imv_msg.h>
22 #include <ietf/ietf_attr.h>
23 #include <ietf/ietf_attr_pa_tnc_error.h>
24 #include <ietf/ietf_attr_product_info.h>
25 #include <ietf/ietf_attr_string_version.h>
26
27 #include <libpts.h>
28
29 #include <pts/pts.h>
30 #include <pts/pts_database.h>
31 #include <pts/pts_creds.h>
32
33 #include <tcg/tcg_attr.h>
34
35 #include <tncif_pa_subtypes.h>
36
37 #include <pen/pen.h>
38 #include <utils/debug.h>
39 #include <credentials/credential_manager.h>
40 #include <collections/linked_list.h>
41
42 /* IMV definitions */
43
44 static const char imv_name[] = "Attestation";
45
46 static pen_type_t msg_types[] = {
47 { PEN_TCG, PA_SUBTYPE_TCG_PTS },
48 { PEN_IETF, PA_SUBTYPE_IETF_OPERATING_SYSTEM }
49 };
50
51 static imv_agent_t *imv_attestation;
52
53 /**
54 * Supported PTS measurement algorithms
55 */
56 static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
57
58 /**
59 * Supported PTS Diffie Hellman Groups
60 */
61 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
62
63 /**
64 * PTS file measurement database
65 */
66 static pts_database_t *pts_db;
67
68 /**
69 * PTS credentials
70 */
71 static pts_creds_t *pts_creds;
72
73 /**
74 * PTS credential manager
75 */
76 static credential_manager_t *pts_credmgr;
77
78 /**
79 * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
80 */
81 TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
82 TNC_Version min_version,
83 TNC_Version max_version,
84 TNC_Version *actual_version)
85 {
86 char *hash_alg, *dh_group, *uri, *cadir;
87
88 if (imv_attestation)
89 {
90 DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
91 return TNC_RESULT_ALREADY_INITIALIZED;
92 }
93 if (!pts_meas_algo_probe(&supported_algorithms) ||
94 !pts_dh_group_probe(&supported_dh_groups))
95 {
96 return TNC_RESULT_FATAL;
97 }
98 imv_attestation = imv_agent_create(imv_name, msg_types, countof(msg_types),
99 imv_id, actual_version);
100 if (!imv_attestation)
101 {
102 return TNC_RESULT_FATAL;
103 }
104
105 libpts_init();
106
107 if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
108 {
109 DBG1(DBG_IMV, "no common IF-IMV version");
110 return TNC_RESULT_NO_COMMON_VERSION;
111 }
112
113 hash_alg = lib->settings->get_str(lib->settings,
114 "libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
115 dh_group = lib->settings->get_str(lib->settings,
116 "libimcv.plugins.imv-attestation.dh_group", "ecp256");
117
118 if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
119 !pts_dh_group_update(dh_group, &supported_dh_groups))
120 {
121 return TNC_RESULT_FATAL;
122 }
123
124 /* create a PTS credential manager */
125 pts_credmgr = credential_manager_create();
126
127 /* create PTS credential set */
128 cadir = lib->settings->get_str(lib->settings,
129 "libimcv.plugins.imv-attestation.cadir", NULL);
130 pts_creds = pts_creds_create(cadir);
131 if (pts_creds)
132 {
133 pts_credmgr->add_set(pts_credmgr, pts_creds->get_set(pts_creds));
134 }
135
136 /* attach file measurement database */
137 uri = lib->settings->get_str(lib->settings,
138 "libimcv.plugins.imv-attestation.database", NULL);
139 pts_db = pts_database_create(uri);
140
141 return TNC_RESULT_SUCCESS;
142 }
143
144 /**
145 * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
146 */
147 TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
148 TNC_ConnectionID connection_id,
149 TNC_ConnectionState new_state)
150 {
151 imv_state_t *state;
152
153 if (!imv_attestation)
154 {
155 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
156 return TNC_RESULT_NOT_INITIALIZED;
157 }
158 switch (new_state)
159 {
160 case TNC_CONNECTION_STATE_CREATE:
161 state = imv_attestation_state_create(connection_id);
162 return imv_attestation->create_state(imv_attestation, state);
163 case TNC_CONNECTION_STATE_DELETE:
164 return imv_attestation->delete_state(imv_attestation, connection_id);
165 case TNC_CONNECTION_STATE_HANDSHAKE:
166 default:
167 return imv_attestation->change_state(imv_attestation, connection_id,
168 new_state, NULL);
169 }
170 }
171
172 static TNC_Result send_message(imv_state_t *state, imv_msg_t *out_msg)
173 {
174 imv_attestation_state_t *attestation_state;
175 TNC_Result result;
176
177 attestation_state = (imv_attestation_state_t*)state;
178
179 if (imv_attestation_build(out_msg, attestation_state, supported_algorithms,
180 supported_dh_groups, pts_db))
181 {
182 result = out_msg->send(out_msg, TRUE);
183 }
184 else
185 {
186 out_msg->delete_attributes(out_msg);
187 result = TNC_RESULT_FATAL;
188 }
189
190 return result;
191 }
192
193 static TNC_Result receive_message(imv_state_t *state, imv_msg_t *in_msg)
194 {
195 imv_attestation_state_t *attestation_state;
196 imv_msg_t *out_msg;
197 enumerator_t *enumerator;
198 pa_tnc_attr_t *attr;
199 pen_type_t type;
200 TNC_Result result;
201 pts_t *pts;
202 chunk_t os_name = chunk_empty;
203 chunk_t os_version = chunk_empty;
204 bool fatal_error = FALSE;
205
206 /* parse received PA-TNC message and handle local and remote errors */
207 result = in_msg->receive(in_msg, &fatal_error);
208 if (result != TNC_RESULT_SUCCESS)
209 {
210 return result;
211 }
212
213 attestation_state = (imv_attestation_state_t*)state;
214 pts = attestation_state->get_pts(attestation_state);
215
216 out_msg = imv_msg_create_as_reply(in_msg);
217 out_msg->set_msg_type(out_msg, msg_types[0]);
218
219 /* analyze PA-TNC attributes */
220 enumerator = in_msg->create_attribute_enumerator(in_msg);
221 while (enumerator->enumerate(enumerator, &attr))
222 {
223 type = attr->get_type(attr);
224
225 if (type.vendor_id == PEN_IETF)
226 {
227 switch (type.type)
228 {
229 case IETF_ATTR_PA_TNC_ERROR:
230 {
231 ietf_attr_pa_tnc_error_t *error_attr;
232 pen_type_t error_code;
233 chunk_t msg_info;
234
235 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
236 error_code = error_attr->get_error_code(error_attr);
237
238 if (error_code.vendor_id == PEN_TCG)
239 {
240 msg_info = error_attr->get_msg_info(error_attr);
241
242 DBG1(DBG_IMV, "received TCG-PTS error '%N'",
243 pts_error_code_names, error_code.type);
244 DBG1(DBG_IMV, "error information: %B", &msg_info);
245
246 result = TNC_RESULT_FATAL;
247 }
248 break;
249 }
250 case IETF_ATTR_PRODUCT_INFORMATION:
251 {
252 ietf_attr_product_info_t *attr_cast;
253
254 attr_cast = (ietf_attr_product_info_t*)attr;
255 os_name = attr_cast->get_info(attr_cast, NULL, NULL);
256 break;
257 }
258 case IETF_ATTR_STRING_VERSION:
259 {
260 ietf_attr_string_version_t *attr_cast;
261
262 attr_cast = (ietf_attr_string_version_t*)attr;
263 os_version = attr_cast->get_version(attr_cast, NULL, NULL);
264 break;
265 }
266 default:
267 break;
268 }
269 }
270 else if (type.vendor_id == PEN_TCG)
271 {
272 if (!imv_attestation_process(attr, out_msg, attestation_state,
273 supported_algorithms,supported_dh_groups, pts_db, pts_credmgr))
274 {
275 result = TNC_RESULT_FATAL;
276 break;
277 }
278 }
279 }
280 enumerator->destroy(enumerator);
281
282 if (os_name.len && os_version.len)
283 {
284 pts->set_platform_info(pts, os_name, os_version);
285 }
286
287 if (result != TNC_RESULT_SUCCESS)
288 {
289 out_msg->delete_attributes(out_msg);
290 state->set_recommendation(state,
291 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
292 TNC_IMV_EVALUATION_RESULT_ERROR);
293 result = out_msg->send_assessment(out_msg);
294 out_msg->destroy(out_msg);
295 if (result != TNC_RESULT_SUCCESS)
296 {
297 return result;
298 }
299 return imv_attestation->provide_recommendation(imv_attestation, state);
300 }
301
302 /* send PA-TNC message with excl flag set */
303 result = out_msg->send(out_msg, TRUE);
304
305 if (result != TNC_RESULT_SUCCESS)
306 {
307 out_msg->destroy(out_msg);
308 return result;
309 }
310
311 /* check the IMV state for the next PA-TNC attributes to send */
312 result = send_message(state, out_msg);
313
314 if (result != TNC_RESULT_SUCCESS)
315 {
316 state->set_recommendation(state,
317 TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
318 TNC_IMV_EVALUATION_RESULT_ERROR);
319 out_msg->delete_attributes(out_msg);
320 result = out_msg->send_assessment(out_msg);
321 if (result != TNC_RESULT_SUCCESS)
322 {
323 return result;
324 }
325 return imv_attestation->provide_recommendation(imv_attestation, state);
326 }
327
328 if (attestation_state->get_handshake_state(attestation_state) ==
329 IMV_ATTESTATION_STATE_END)
330 {
331 if (attestation_state->get_file_meas_request_count(attestation_state))
332 {
333 DBG1(DBG_IMV, "failure due to %d pending file measurements",
334 attestation_state->get_file_meas_request_count(attestation_state));
335 attestation_state->set_measurement_error(attestation_state);
336 }
337 if (attestation_state->get_measurement_error(attestation_state))
338 {
339 state->set_recommendation(state,
340 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
341 TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
342 }
343 else
344 {
345 state->set_recommendation(state,
346 TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
347 TNC_IMV_EVALUATION_RESULT_COMPLIANT);
348 }
349 result = out_msg->send_assessment(out_msg);
350 out_msg->destroy(out_msg);
351 if (result != TNC_RESULT_SUCCESS)
352 {
353 return result;
354 }
355 return imv_attestation->provide_recommendation(imv_attestation, state);
356 }
357 out_msg->destroy(out_msg);
358
359 return result;
360 }
361
362 /**
363 * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
364 */
365 TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
366 TNC_ConnectionID connection_id,
367 TNC_BufferReference msg,
368 TNC_UInt32 msg_len,
369 TNC_MessageType msg_type)
370 {
371 imv_state_t *state;
372 imv_msg_t *in_msg;
373 TNC_Result result;
374
375 if (!imv_attestation)
376 {
377 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
378 return TNC_RESULT_NOT_INITIALIZED;
379 }
380 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
381 {
382 return TNC_RESULT_FATAL;
383 }
384 in_msg = imv_msg_create_from_data(imv_attestation, state, connection_id,
385 msg_type, chunk_create(msg, msg_len));
386 result = receive_message(state, in_msg);
387 in_msg->destroy(in_msg);
388
389 return result;
390 }
391
392 /**
393 * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
394 */
395 TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
396 TNC_ConnectionID connection_id,
397 TNC_UInt32 msg_flags,
398 TNC_BufferReference msg,
399 TNC_UInt32 msg_len,
400 TNC_VendorID msg_vid,
401 TNC_MessageSubtype msg_subtype,
402 TNC_UInt32 src_imc_id,
403 TNC_UInt32 dst_imv_id)
404 {
405 imv_state_t *state;
406 imv_msg_t *in_msg;
407 TNC_Result result;
408
409 if (!imv_attestation)
410 {
411 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
412 return TNC_RESULT_NOT_INITIALIZED;
413 }
414 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
415 {
416 return TNC_RESULT_FATAL;
417 }
418 in_msg = imv_msg_create_from_long_data(imv_attestation, state, connection_id,
419 src_imc_id, dst_imv_id, msg_vid, msg_subtype,
420 chunk_create(msg, msg_len));
421 result =receive_message(state, in_msg);
422 in_msg->destroy(in_msg);
423
424 return result;
425 }
426
427 /**
428 * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
429 */
430 TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
431 TNC_ConnectionID connection_id)
432 {
433 imv_state_t *state;
434
435 if (!imv_attestation)
436 {
437 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
438 return TNC_RESULT_NOT_INITIALIZED;
439 }
440 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
441 {
442 return TNC_RESULT_FATAL;
443 }
444 return imv_attestation->provide_recommendation(imv_attestation, state);
445 }
446
447 /**
448 * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
449 */
450 TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
451 TNC_ConnectionID connection_id)
452 {
453 if (!imv_attestation)
454 {
455 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
456 return TNC_RESULT_NOT_INITIALIZED;
457 }
458 return TNC_RESULT_SUCCESS;
459 }
460
461 /**
462 * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
463 */
464 TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
465 {
466 if (!imv_attestation)
467 {
468 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
469 return TNC_RESULT_NOT_INITIALIZED;
470 }
471 if (pts_creds)
472 {
473 pts_credmgr->remove_set(pts_credmgr, pts_creds->get_set(pts_creds));
474 pts_creds->destroy(pts_creds);
475 }
476 DESTROY_IF(pts_db);
477 DESTROY_IF(pts_credmgr);
478
479 libpts_deinit();
480
481 imv_attestation->destroy(imv_attestation);
482 imv_attestation = NULL;
483
484 return TNC_RESULT_SUCCESS;
485 }
486
487 /**
488 * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
489 */
490 TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
491 TNC_TNCS_BindFunctionPointer bind_function)
492 {
493 if (!imv_attestation)
494 {
495 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
496 return TNC_RESULT_NOT_INITIALIZED;
497 }
498 return imv_attestation->bind_functions(imv_attestation, bind_function);
499 }