projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
moved send_message() in front of recommendation evaluation
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation.c
1 /*
2 * Copyright (C) 2011 Sansar Choinyambuu
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_state.h"
17 #include "imv_attestation_process.h"
18 #include "imv_attestation_build.h"
19
20 #include <imv/imv_agent.h>
21 #include <pa_tnc/pa_tnc_msg.h>
22 #include <ietf/ietf_attr.h>
23 #include <ietf/ietf_attr_pa_tnc_error.h>
24 #include <ietf/ietf_attr_product_info.h>
25
26 #include <libpts.h>
27
28 #include <pts/pts.h>
29 #include <pts/pts_database.h>
30 #include <pts/pts_creds.h>
31
32 #include <tcg/tcg_attr.h>
33
34 #include <tncif_pa_subtypes.h>
35
36 #include <pen/pen.h>
37 #include <debug.h>
38 #include <credentials/credential_manager.h>
39 #include <utils/linked_list.h>
40
41 /* IMV definitions */
42
43 static const char imv_name[] = "Attestation";
44
45 #define IMV_VENDOR_ID PEN_TCG
46 #define IMV_SUBTYPE PA_SUBTYPE_TCG_PTS
47
48 static imv_agent_t *imv_attestation;
49
50 /**
51 * Supported PTS measurement algorithms
52 */
53 static pts_meas_algorithms_t supported_algorithms = PTS_MEAS_ALGO_NONE;
54
55 /**
56 * Supported PTS Diffie Hellman Groups
57 */
58 static pts_dh_group_t supported_dh_groups = PTS_DH_GROUP_NONE;
59
60 /**
61 * PTS file measurement database
62 */
63 static pts_database_t *pts_db;
64
65 /**
66 * PTS credentials
67 */
68 static pts_creds_t *pts_creds;
69
70 /**
71 * PTS credential manager
72 */
73 static credential_manager_t *pts_credmgr;
74
75 /**
76 * see section 3.8.1 of TCG TNC IF-IMV Specification 1.3
77 */
78 TNC_Result TNC_IMV_Initialize(TNC_IMVID imv_id,
79 TNC_Version min_version,
80 TNC_Version max_version,
81 TNC_Version *actual_version)
82 {
83 char *hash_alg, *dh_group, *uri, *cadir;
84
85 if (imv_attestation)
86 {
87 DBG1(DBG_IMV, "IMV \"%s\" has already been initialized", imv_name);
88 return TNC_RESULT_ALREADY_INITIALIZED;
89 }
90 if (!pts_meas_algo_probe(&supported_algorithms) ||
91 !pts_dh_group_probe(&supported_dh_groups))
92 {
93 return TNC_RESULT_FATAL;
94 }
95 imv_attestation = imv_agent_create(imv_name, IMV_VENDOR_ID, IMV_SUBTYPE,
96 imv_id, actual_version);
97 if (!imv_attestation)
98 {
99 return TNC_RESULT_FATAL;
100 }
101
102 libpts_init();
103
104 if (min_version > TNC_IFIMV_VERSION_1 || max_version < TNC_IFIMV_VERSION_1)
105 {
106 DBG1(DBG_IMV, "no common IF-IMV version");
107 return TNC_RESULT_NO_COMMON_VERSION;
108 }
109
110 hash_alg = lib->settings->get_str(lib->settings,
111 "libimcv.plugins.imv-attestation.hash_algorithm", "sha256");
112 dh_group = lib->settings->get_str(lib->settings,
113 "libimcv.plugins.imv-attestation.dh_group", "ecp256");
114
115 if (!pts_meas_algo_update(hash_alg, &supported_algorithms) ||
116 !pts_dh_group_update(dh_group, &supported_dh_groups))
117 {
118 return TNC_RESULT_FATAL;
119 }
120
121 /* create a PTS credential manager */
122 pts_credmgr = credential_manager_create();
123
124 /* create PTS credential set */
125 cadir = lib->settings->get_str(lib->settings,
126 "libimcv.plugins.imv-attestation.cadir", NULL);
127 pts_creds = pts_creds_create(cadir);
128 if (pts_creds)
129 {
130 pts_credmgr->add_set(pts_credmgr, pts_creds->get_set(pts_creds));
131 }
132
133 /* attach file measurement database */
134 uri = lib->settings->get_str(lib->settings,
135 "libimcv.plugins.imv-attestation.database", NULL);
136 pts_db = pts_database_create(uri);
137
138 return TNC_RESULT_SUCCESS;
139 }
140
141 /**
142 * see section 3.8.2 of TCG TNC IF-IMV Specification 1.3
143 */
144 TNC_Result TNC_IMV_NotifyConnectionChange(TNC_IMVID imv_id,
145 TNC_ConnectionID connection_id,
146 TNC_ConnectionState new_state)
147 {
148 imv_state_t *state;
149
150 if (!imv_attestation)
151 {
152 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
153 return TNC_RESULT_NOT_INITIALIZED;
154 }
155 switch (new_state)
156 {
157 case TNC_CONNECTION_STATE_CREATE:
158 state = imv_attestation_state_create(connection_id);
159 return imv_attestation->create_state(imv_attestation, state);
160 case TNC_CONNECTION_STATE_DELETE:
161 return imv_attestation->delete_state(imv_attestation, connection_id);
162 case TNC_CONNECTION_STATE_HANDSHAKE:
163 default:
164 return imv_attestation->change_state(imv_attestation, connection_id,
165 new_state, NULL);
166 }
167 }
168
169 static TNC_Result send_message(TNC_ConnectionID connection_id)
170 {
171 pa_tnc_msg_t *msg;
172 pa_tnc_attr_t *attr;
173 imv_state_t *state;
174 imv_attestation_state_t *attestation_state;
175 TNC_Result result;
176 linked_list_t *attr_list;
177 enumerator_t *enumerator;
178
179 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
180 {
181 return TNC_RESULT_FATAL;
182 }
183 attestation_state = (imv_attestation_state_t*)state;
184 attr_list = linked_list_create();
185
186 if (imv_attestation_build(attr_list, attestation_state, supported_algorithms,
187 supported_dh_groups, pts_db))
188 {
189 if (attr_list->get_count(attr_list))
190 {
191 msg = pa_tnc_msg_create();
192
193 /* move PA-TNC attributes to PA-TNC message */
194 enumerator = attr_list->create_enumerator(attr_list);
195 while (enumerator->enumerate(enumerator, &attr))
196 {
197 msg->add_attribute(msg, attr);
198 }
199 enumerator->destroy(enumerator);
200
201 msg->build(msg);
202 result = imv_attestation->send_message(imv_attestation,
203 connection_id, FALSE, 0, TNC_IMCID_ANY,
204 msg->get_encoding(msg));
205 msg->destroy(msg);
206 }
207 else
208 {
209 result = TNC_RESULT_SUCCESS;
210 }
211 attr_list->destroy(attr_list);
212 }
213 else
214 {
215 attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy));
216 result = TNC_RESULT_FATAL;
217 }
218
219 return result;
220 }
221
222 static TNC_Result receive_message(TNC_IMVID imv_id,
223 TNC_ConnectionID connection_id,
224 TNC_UInt32 msg_flags,
225 chunk_t msg,
226 TNC_VendorID msg_vid,
227 TNC_MessageSubtype msg_subtype,
228 TNC_UInt32 src_imc_id,
229 TNC_UInt32 dst_imv_id)
230 {
231 pa_tnc_msg_t *pa_tnc_msg;
232 pa_tnc_attr_t *attr;
233 linked_list_t *attr_list;
234 imv_state_t *state;
235 imv_attestation_state_t *attestation_state;
236 pts_t *pts;
237 enumerator_t *enumerator;
238 TNC_Result result;
239
240 if (!imv_attestation)
241 {
242 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
243 return TNC_RESULT_NOT_INITIALIZED;
244 }
245
246 /* get current IMV state */
247 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
248 {
249 return TNC_RESULT_FATAL;
250 }
251 attestation_state = (imv_attestation_state_t*)state;
252 pts = attestation_state->get_pts(attestation_state);
253
254 /* parse received PA-TNC message and automatically handle any errors */
255 result = imv_attestation->receive_message(imv_attestation, state, msg,
256 msg_vid, msg_subtype, src_imc_id, dst_imv_id, &pa_tnc_msg);
257
258 /* no parsed PA-TNC attributes available if an error occurred */
259 if (!pa_tnc_msg)
260 {
261 return result;
262 }
263
264 /* preprocess any IETF standard error attributes */
265 result = pa_tnc_msg->process_ietf_std_errors(pa_tnc_msg) ?
266 TNC_RESULT_FATAL : TNC_RESULT_SUCCESS;
267
268 attr_list = linked_list_create();
269
270 /* analyze PA-TNC attributes */
271 enumerator = pa_tnc_msg->create_attribute_enumerator(pa_tnc_msg);
272 while (enumerator->enumerate(enumerator, &attr))
273 {
274 if (attr->get_vendor_id(attr) == PEN_IETF)
275 {
276 if (attr->get_type(attr) == IETF_ATTR_PA_TNC_ERROR)
277 {
278 ietf_attr_pa_tnc_error_t *error_attr;
279 pen_t error_vendor_id;
280 pa_tnc_error_code_t error_code;
281 chunk_t msg_info;
282
283 error_attr = (ietf_attr_pa_tnc_error_t*)attr;
284 error_vendor_id = error_attr->get_vendor_id(error_attr);
285
286 if (error_vendor_id == PEN_TCG)
287 {
288 error_code = error_attr->get_error_code(error_attr);
289 msg_info = error_attr->get_msg_info(error_attr);
290
291 DBG1(DBG_IMV, "received TCG-PTS error '%N'",
292 pts_error_code_names, error_code);
293 DBG1(DBG_IMV, "error information: %B", &msg_info);
294
295 result = TNC_RESULT_FATAL;
296 }
297 }
298 else if (attr->get_type(attr) == IETF_ATTR_PRODUCT_INFORMATION)
299 {
300 ietf_attr_product_info_t *attr_cast;
301 char *platform_info;
302
303 attr_cast = (ietf_attr_product_info_t*)attr;
304 platform_info = attr_cast->get_info(attr_cast, NULL, NULL);
305 pts->set_platform_info(pts, platform_info);
306 }
307 }
308 else if (attr->get_vendor_id(attr) == PEN_TCG)
309 {
310 if (!imv_attestation_process(attr, attr_list, attestation_state,
311 supported_algorithms,supported_dh_groups, pts_db, pts_credmgr))
312 {
313 result = TNC_RESULT_FATAL;
314 break;
315 }
316 }
317 }
318 enumerator->destroy(enumerator);
319 pa_tnc_msg->destroy(pa_tnc_msg);
320
321 if (result != TNC_RESULT_SUCCESS)
322 {
323 attr_list->destroy_offset(attr_list, offsetof(pa_tnc_attr_t, destroy));
324 state->set_recommendation(state,
325 TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION,
326 TNC_IMV_EVALUATION_RESULT_ERROR);
327 return imv_attestation->provide_recommendation(imv_attestation,
328 connection_id);
329 }
330
331 if (attr_list->get_count(attr_list))
332 {
333 pa_tnc_msg = pa_tnc_msg_create();
334
335 /* move PA-TNC attributes to PA-TNC message */
336 enumerator = attr_list->create_enumerator(attr_list);
337 while (enumerator->enumerate(enumerator, &attr))
338 {
339 pa_tnc_msg->add_attribute(pa_tnc_msg, attr);
340 }
341 enumerator->destroy(enumerator);
342
343 pa_tnc_msg->build(pa_tnc_msg);
344 result = imv_attestation->send_message(imv_attestation, connection_id,
345 FALSE, 0, TNC_IMCID_ANY,
346 pa_tnc_msg->get_encoding(pa_tnc_msg));
347
348 pa_tnc_msg->destroy(pa_tnc_msg);
349 attr_list->destroy(attr_list);
350
351 return result;
352 }
353 attr_list->destroy(attr_list);
354
355 /* check the IMV state for the next PA-TNC attributes to send */
356 result = send_message(connection_id);
357
358 if (attestation_state->get_handshake_state(attestation_state) ==
359 IMV_ATTESTATION_STATE_END)
360 {
361 if (attestation_state->get_file_meas_request_count(attestation_state))
362 {
363 DBG1(DBG_IMV, "failure due to %d pending file measurements",
364 attestation_state->get_file_meas_request_count(attestation_state));
365 attestation_state->set_measurement_error(attestation_state);
366 }
367 if (attestation_state->get_component_count(attestation_state))
368 {
369 DBG1(DBG_IMV, "failure due to %d components waiting for evidence",
370 attestation_state->get_component_count(attestation_state));
371 attestation_state->set_measurement_error(attestation_state);
372 }
373 if (attestation_state->get_measurement_error(attestation_state))
374 {
375 state->set_recommendation(state,
376 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
377 TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR);
378 }
379 else
380 {
381 state->set_recommendation(state,
382 TNC_IMV_ACTION_RECOMMENDATION_ALLOW,
383 TNC_IMV_EVALUATION_RESULT_COMPLIANT);
384 }
385 return imv_attestation->provide_recommendation(imv_attestation,
386 connection_id);
387 }
388
389 return result;
390 }
391
392 /**
393 * see section 3.8.4 of TCG TNC IF-IMV Specification 1.3
394 */
395 TNC_Result TNC_IMV_ReceiveMessage(TNC_IMVID imv_id,
396 TNC_ConnectionID connection_id,
397 TNC_BufferReference msg,
398 TNC_UInt32 msg_len,
399 TNC_MessageType msg_type)
400 {
401 TNC_VendorID msg_vid;
402 TNC_MessageSubtype msg_subtype;
403
404 msg_vid = msg_type >> 8;
405 msg_subtype = msg_type & TNC_SUBTYPE_ANY;
406
407 return receive_message(imv_id, connection_id, 0, chunk_create(msg, msg_len),
408 msg_vid, msg_subtype, 0, TNC_IMVID_ANY);
409 }
410
411 /**
412 * see section 3.8.6 of TCG TNC IF-IMV Specification 1.3
413 */
414 TNC_Result TNC_IMV_ReceiveMessageLong(TNC_IMVID imv_id,
415 TNC_ConnectionID connection_id,
416 TNC_UInt32 msg_flags,
417 TNC_BufferReference msg,
418 TNC_UInt32 msg_len,
419 TNC_VendorID msg_vid,
420 TNC_MessageSubtype msg_subtype,
421 TNC_UInt32 src_imc_id,
422 TNC_UInt32 dst_imv_id)
423 {
424 return receive_message(imv_id, connection_id, msg_flags,
425 chunk_create(msg, msg_len), msg_vid, msg_subtype,
426 src_imc_id, dst_imv_id);
427 }
428
429 /**
430 * see section 3.8.7 of TCG TNC IF-IMV Specification 1.3
431 */
432 TNC_Result TNC_IMV_SolicitRecommendation(TNC_IMVID imv_id,
433 TNC_ConnectionID connection_id)
434 {
435 if (!imv_attestation)
436 {
437 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
438 return TNC_RESULT_NOT_INITIALIZED;
439 }
440 return imv_attestation->provide_recommendation(imv_attestation,
441 connection_id);
442 }
443
444 /**
445 * see section 3.8.8 of TCG TNC IF-IMV Specification 1.3
446 */
447 TNC_Result TNC_IMV_BatchEnding(TNC_IMVID imv_id,
448 TNC_ConnectionID connection_id)
449 {
450 imv_state_t *state;
451 imv_attestation_state_t *attestation_state;
452
453 if (!imv_attestation)
454 {
455 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
456 return TNC_RESULT_NOT_INITIALIZED;
457 }
458 /* get current IMV state */
459 if (!imv_attestation->get_state(imv_attestation, connection_id, &state))
460 {
461 return TNC_RESULT_FATAL;
462 }
463 attestation_state = (imv_attestation_state_t*)state;
464
465 /* Check if IMV has to initiate the PA-TNC exchange */
466 if (attestation_state->get_handshake_state(attestation_state) ==
467 IMV_ATTESTATION_STATE_INIT)
468 {
469 return send_message(connection_id);
470 }
471 return TNC_RESULT_SUCCESS;
472 }
473
474 /**
475 * see section 3.8.9 of TCG TNC IF-IMV Specification 1.3
476 */
477 TNC_Result TNC_IMV_Terminate(TNC_IMVID imv_id)
478 {
479 if (!imv_attestation)
480 {
481 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
482 return TNC_RESULT_NOT_INITIALIZED;
483 }
484 if (pts_creds)
485 {
486 pts_credmgr->remove_set(pts_credmgr, pts_creds->get_set(pts_creds));
487 pts_creds->destroy(pts_creds);
488 }
489 DESTROY_IF(pts_db);
490 DESTROY_IF(pts_credmgr);
491
492 libpts_deinit();
493
494 imv_attestation->destroy(imv_attestation);
495 imv_attestation = NULL;
496
497 return TNC_RESULT_SUCCESS;
498 }
499
500 /**
501 * see section 4.2.8.1 of TCG TNC IF-IMV Specification 1.3
502 */
503 TNC_Result TNC_IMV_ProvideBindFunction(TNC_IMVID imv_id,
504 TNC_TNCS_BindFunctionPointer bind_function)
505 {
506 if (!imv_attestation)
507 {
508 DBG1(DBG_IMV, "IMV \"%s\" has not been initialized", imv_name);
509 return TNC_RESULT_NOT_INITIALIZED;
510 }
511 return imv_attestation->bind_functions(imv_attestation, bind_function);
512 }
strongSwan - IPsec VPN