projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
added IMC/IMV support for send_message_long() and reserve_additional_id() functions
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_state.h"
17 #include "imv_attestation_process.h"
18 #include "imv_attestation_build.h"
19
20 #include <imv/imv_agent.h>
21 #include <pa_tnc/pa_tnc_msg.h>
22 #include <ietf/ietf_attr.h>
23 #include <ietf/ietf_attr_pa_tnc_error.h>
24 #include <ietf/ietf_attr_product_info.h>
25
26 #include <libpts.h>
27
28 #include <pts/pts.h>
29 #include <pts/pts_database.h>
30 #include <pts/pts_creds.h>
31
32 #include <tcg/tcg_attr.h>
33
34 #include <tncif_pa_subtypes.h>
35
36 #include <pen/pen.h>
37 #include <debug.h>
38 #include <credentials/credential_manager.h>
39 #include <utils/linked_list.h>
40
41 /* IMV definitions */
42
43 static const char imv_name[] = "Attestation";
44
45 #define IMV_VENDOR_ID PEN_TCG
46 #define IMV_SUBTYPE PA_SUBTYPE_TCG_PTS
47
48 static imv_agent_t *imv_attestation;
49
50 /**
51 * Supported PTS measurement algorithms
52 */
53 static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
54
55 /**
56 * Supported PTS Diffie Hellman Groups
57 */
58 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
59
60 /**
61 * PTS file measurement database
62 */
63 static pts_database_t *pts_db;
64
65 /**
66 * PTS credentials
67 */
68 static pts_creds_t *pts_creds;
69
70 /**
71 * PTS credential manager
72 */
73 static credential_manager_t *pts_credmgr;
74
75 /**
76 * see section 3.7.1 of TCG TNC IF-IMV Specification 1.2
77 */
78 TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
79 TNC_Version min_version,
80 TNC_Version max_version,
81 TNC_Version *actual_version)
82 {
83 char *hash_alg, *dh_group, *uri, *cadir;
84
85 if (imv_attestation)
86 {
87 DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
88 return TNC_RESULT_ALREADY_INITIALIZED;
89 }
90 if (!pts_meas_algo_probe(&supported_algorithms) ||
91 !pts_dh_group_probe(&supported_dh_groups))
92 {
93 return TNC_RESULT_FATAL;
94 }
95 imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
96 imv_id, actual_version);
97 if (!imv_attestation)
98 {
99 return TNC_RESULT_FATAL;
100 }
101
102 libpts_init();
103
104 if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
105 {
106 DBG1(DBG_IMV, "no common IF-IMV version");
107 return TNC_RESULT_NO_COMMON_VERSION;
108 }
109
110 hash_alg = lib->settings->get_str(lib->settings,
111 "libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
112 dh_group = lib->settings->get_str(lib->settings,
113 "libimcv.plugins.imv-attestation.dh_group", "ecp256");
114
115 if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
116 !pts_dh_group_update(dh_group, &supported_dh_groups))
117 {
118 return TNC_RESULT_FATAL;
119 }
120
121 /* create a PTS credential manager */
122 pts_credmgr = credential_manager_create();
123
124 /* create PTS credential set */
125 cadir = lib->settings->get_str(lib->settings,
126 "libimcv.plugins.imv-attestation.cadir", NULL);
127 pts_creds = pts_creds_create(cadir);
128 if (pts_creds)
129 {
130 pts_credmgr->add_set(pts_credmgr, pts_creds->get_set(pts_creds));
131 }
132
133 /* attach file measurement database */
134 uri = lib->settings->get_str(lib->settings,
135 "libimcv.plugins.imv-attestation.database", NULL);
136 pts_db = pts_database_create(uri);
137
138 return TNC_RESULT_SUCCESS;
139 }
140
141 /**
142 * see section 3.7.2 of TCG TNC IF-IMV Specification 1.2
143 */
144 TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
145 TNC_ConnectionID connection_id,
146 TNC_ConnectionState new_state)
147 {
148 imv_state_t *state;
149
150 if (!imv_attestation)
151 {
152 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
153 return TNC_RESULT_NOT_INITIALIZED;
154 }
155 switch (new_state)
156 {
157 case TNC_CONNECTION_STATE_CREATE:
158 state = imv_attestation_state_create(connection_id);
159 return imv_attestation->create_state(imv_attestation, state);
160 case TNC_CONNECTION_STATE_DELETE:
161 return imv_attestation->delete_state(imv_attestation, connection_id);
162 case TNC_CONNECTION_STATE_HANDSHAKE:
163 default:
164 return imv_attestation->change_state(imv_attestation, connection_id,
165 new_state, NULL);
166 }
167 }
168
169 static TNC_Result send_message(TNC_ConnectionID connection_id)
170 {
171 pa_tnc_msg_t *msg;
172 imv_state_t *state;
173 imv_attestation_state_t *attestation_state;
174 TNC_Result result;
175
176 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
177 {
178 return TNC_RESULT_FATAL;
179 }
180 attestation_state = (imv_attestation_state_t*)state;
181 msg = pa_tnc_msg_create();
182
183 if (imv_attestation_build(msg, attestation_state, supported_algorithms,
184 supported_dh_groups, pts_db))
185 {
186 msg->build(msg);
187 result = imv_attestation->send_message(imv_attestation, connection_id,
188 FALSE, 0, TNC_IMCID_ANY,
189 msg->get_encoding(msg));
190 }
191 else
192 {
193 result = TNC_RESULT_FATAL;
194 }
195 msg->destroy(msg);
196
197 return result;
198 }
199
200 /**
201 * see section 3.7.3 of TCG TNC IF-IMV Specification 1.2
202 */
203 TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
204 TNC_ConnectionID connection_id,
205 TNC_BufferReference msg,
206 TNC_UInt32 msg_len,
207 TNC_MessageType msg_type)
208 {
209 pa_tnc_msg_t *pa_tnc_msg;
210 pa_tnc_attr_t *attr;
211 linked_list_t *attr_list;
212 imv_state_t *state;
213 imv_attestation_state_t *attestation_state;
214 pts_t *pts;
215 enumerator_t *enumerator;
216 TNC_Result result;
217
218 if (!imv_attestation)
219 {
220 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
221 return TNC_RESULT_NOT_INITIALIZED;
222 }
223
224 /* get current IMV state */
225 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
226 {
227 return TNC_RESULT_FATAL;
228 }
229 attestation_state = (imv_attestation_state_t*)state;
230 pts = attestation_state->get_pts(attestation_state);
231
232 /* parse received PA-TNC message and automatically handle any errors */
233 result = imv_attestation->receive_message(imv_attestation, connection_id,
234 chunk_create(msg, msg_len), msg_type,
235 &pa_tnc_msg);
236
237 /* no parsed PA-TNC attributes available if an error occurred */
238 if (!pa_tnc_msg)
239 {
240 return result;
241 }
242
243 attr_list = linked_list_create();
244 result = TNC_RESULT_SUCCESS;
245
246 /* analyze PA-TNC attributes */
247 enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
248 while (enumerator->enumerate(enumerator, &attr))
249 {
250 if (attr->get_vendor_id(attr) == PEN_IETF)
251 {
252 if (attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
253 {
254 ietf_attr_pa_tnc_error_t *error_attr;
255 pen_t error_vendor_id;
256 pa_tnc_error_code_t error_code;
257 chunk_t msg_info, attr_info;
258 u_int32_t offset;
259
260 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
261 error_vendor_id = error_attr->get_vendor_id(error_attr);
262 error_code = error_attr->get_error_code(error_attr);
263 msg_info = error_attr->get_msg_info(error_attr);
264
265 if (error_vendor_id == PEN_IETF)
266 {
267 DBG1(DBG_IMV, "received PA-TNC error '%N' "
268 "concerning message %#B",
269 pa_tnc_error_code_names, error_code, &msg_info);
270
271 switch (error_code)
272 {
273 case PA_ERROR_INVALID_PARAMETER:
274 offset = error_attr->get_offset(error_attr);
275 DBG1(DBG_IMV, " occurred at offset of %u bytes",
276 offset);
277 break;
278 case PA_ERROR_ATTR_TYPE_NOT_SUPPORTED:
279 attr_info = error_attr->get_attr_info(error_attr);
280 DBG1(DBG_IMV, " unsupported attribute %#B",
281 &attr_info);
282 break;
283 default:
284 break;
285 }
286 }
287 else if (error_vendor_id == PEN_TCG)
288 {
289 DBG1(DBG_IMV, "received TCG-PTS error '%N'",
290 pts_error_code_names, error_code);
291 DBG1(DBG_IMV, "error information: %B", &msg_info);
292 }
293 result = TNC_RESULT_FATAL;
294 }
295 else if (attr->get_type(attr) == IETF_ATTR_PRODUCT_INFORMATION)
296 {
297 ietf_attr_product_info_t *attr_cast;
298 char *platform_info;
299
300 attr_cast = (ietf_attr_product_info_t*)attr;
301 platform_info = attr_cast->get_info(attr_cast, NULL, NULL);
302 pts->set_platform_info(pts, platform_info);
303 }
304 }
305 else if (attr->get_vendor_id(attr) == PEN_TCG)
306 {
307 if (!imv_attestation_process(attr, attr_list, attestation_state,
308 supported_algorithms,supported_dh_groups, pts_db, pts_credmgr))
309 {
310 result = TNC_RESULT_FATAL;
311 break;
312 }
313 }
314 }
315 enumerator->destroy(enumerator);
316 pa_tnc_msg->destroy(pa_tnc_msg);
317
318 if (result != TNC_RESULT_SUCCESS)
319 {
320 attr_list->destroy(attr_list);
321 state->set_recommendation(state,
322 TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
323 TNC_IMV_EVALUATION_RESULT_ERROR);
324 return imv_attestation->provide_recommendation(imv_attestation,
325 connection_id);
326 }
327
328 if (attr_list->get_count(attr_list))
329 {
330 pa_tnc_msg = pa_tnc_msg_create();
331
332 enumerator = attr_list->create_enumerator(attr_list);
333 while (enumerator->enumerate(enumerator, &attr))
334 {
335 pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
336 }
337 enumerator->destroy(enumerator);
338
339 pa_tnc_msg->build(pa_tnc_msg);
340 result = imv_attestation->send_message(imv_attestation, connection_id,
341 FALSE, 0, TNC_IMCID_ANY,
342 pa_tnc_msg->get_encoding(pa_tnc_msg));
343
344 pa_tnc_msg->destroy(pa_tnc_msg);
345 attr_list->destroy(attr_list);
346
347 return result;
348 }
349 attr_list->destroy(attr_list);
350
351 if (attestation_state->get_handshake_state(attestation_state) ==
352 IMV_ATTESTATION_STATE_END)
353 {
354 if (attestation_state->get_file_meas_request_count(attestation_state))
355 {
356 DBG1(DBG_IMV, "failure due to %d pending file measurements",
357 attestation_state->get_file_meas_request_count(attestation_state));
358 attestation_state->set_measurement_error(attestation_state);
359 }
360 if (attestation_state->get_component_count(attestation_state))
361 {
362 DBG1(DBG_IMV, "failure due to %d components waiting for evidence",
363 attestation_state->get_component_count(attestation_state));
364 attestation_state->set_measurement_error(attestation_state);
365 }
366 if (attestation_state->get_measurement_error(attestation_state))
367 {
368 state->set_recommendation(state,
369 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
370 TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
371 }
372 else
373 {
374 state->set_recommendation(state,
375 TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
376 TNC_IMV_EVALUATION_RESULT_COMPLIANT);
377 }
378 return imv_attestation->provide_recommendation(imv_attestation,
379 connection_id);
380 }
381
382 return send_message(connection_id);
383 }
384
385 /**
386 * see section 3.7.4 of TCG TNC IF-IMV Specification 1.2
387 */
388 TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
389 TNC_ConnectionID connection_id)
390 {
391 if (!imv_attestation)
392 {
393 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
394 return TNC_RESULT_NOT_INITIALIZED;
395 }
396 return imv_attestation->provide_recommendation(imv_attestation,
397 connection_id);
398 }
399
400 /**
401 * see section 3.7.5 of TCG TNC IF-IMV Specification 1.2
402 */
403 TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
404 TNC_ConnectionID connection_id)
405 {
406 imv_state_t *state;
407 imv_attestation_state_t *attestation_state;
408
409 if (!imv_attestation)
410 {
411 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
412 return TNC_RESULT_NOT_INITIALIZED;
413 }
414 /* get current IMV state */
415 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
416 {
417 return TNC_RESULT_FATAL;
418 }
419 attestation_state = (imv_attestation_state_t*)state;
420
421 /* Check if IMV has to initiate the PA-TNC exchange */
422 if (attestation_state->get_handshake_state(attestation_state) ==
423 IMV_ATTESTATION_STATE_INIT)
424 {
425 return send_message(connection_id);
426 }
427 return TNC_RESULT_SUCCESS;
428 }
429
430 /**
431 * see section 3.7.6 of TCG TNC IF-IMV Specification 1.2
432 */
433 TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
434 {
435 if (!imv_attestation)
436 {
437 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
438 return TNC_RESULT_NOT_INITIALIZED;
439 }
440 if (pts_creds)
441 {
442 pts_credmgr->remove_set(pts_credmgr, pts_creds->get_set(pts_creds));
443 pts_creds->destroy(pts_creds);
444 }
445 DESTROY_IF(pts_db);
446 DESTROY_IF(pts_credmgr);
447
448 libpts_deinit();
449
450 imv_attestation->destroy(imv_attestation);
451 imv_attestation = NULL;
452
453 return TNC_RESULT_SUCCESS;
454 }
455
456 /**
457 * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.2
458 */
459 TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
460 TNC_TNCS_BindFunctionPointer bind_function)
461 {
462 if (!imv_attestation)
463 {
464 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
465 return TNC_RESULT_NOT_INITIALIZED;
466 }
467 return imv_attestation->bind_functions(imv_attestation, bind_function);
468 }
strongSwan - IPsec VPN