libpts: Move settings to <ns>.plugins with fallback to libimcv
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation_process.c
1 /*
2 * Copyright (C) 2011-2012 Sansar Choinyambuu
3 * Copyright (C) 2011-2014 Andreas Steffen
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include "imv_attestation_process.h"
18
19 #include <imcv.h>
20 #include <ietf/ietf_attr_pa_tnc_error.h>
21
22 #include <pts/pts.h>
23
24 #include <tcg/pts/tcg_pts_attr_aik.h>
25 #include <tcg/pts/tcg_pts_attr_dh_nonce_params_resp.h>
26 #include <tcg/pts/tcg_pts_attr_file_meas.h>
27 #include <tcg/pts/tcg_pts_attr_meas_algo.h>
28 #include <tcg/pts/tcg_pts_attr_proto_caps.h>
29 #include <tcg/pts/tcg_pts_attr_simple_comp_evid.h>
30 #include <tcg/pts/tcg_pts_attr_simple_evid_final.h>
31 #include <tcg/pts/tcg_pts_attr_tpm_version_info.h>
32 #include <tcg/pts/tcg_pts_attr_unix_file_meta.h>
33
34 #include <utils/debug.h>
35 #include <crypto/hashers/hasher.h>
36
37 #include <inttypes.h>
38
39 bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
40 imv_state_t *state,
41 pts_meas_algorithms_t supported_algorithms,
42 pts_dh_group_t supported_dh_groups,
43 pts_database_t *pts_db,
44 credential_manager_t *pts_credmgr)
45 {
46 imv_attestation_state_t *attestation_state;
47 pen_type_t attr_type;
48 pts_t *pts;
49
50 attestation_state = (imv_attestation_state_t*)state;
51 pts = attestation_state->get_pts(attestation_state);
52 attr_type = attr->get_type(attr);
53
54 switch (attr_type.type)
55 {
56 case TCG_PTS_PROTO_CAPS:
57 {
58 tcg_pts_attr_proto_caps_t *attr_cast;
59 pts_proto_caps_flag_t flags;
60
61 attr_cast = (tcg_pts_attr_proto_caps_t*)attr;
62 flags = attr_cast->get_flags(attr_cast);
63 pts->set_proto_caps(pts, flags);
64 break;
65 }
66 case TCG_PTS_MEAS_ALGO_SELECTION:
67 {
68 tcg_pts_attr_meas_algo_t *attr_cast;
69 pts_meas_algorithms_t selected_algorithm;
70
71 attr_cast = (tcg_pts_attr_meas_algo_t*)attr;
72 selected_algorithm = attr_cast->get_algorithms(attr_cast);
73 if (!(selected_algorithm & supported_algorithms))
74 {
75 DBG1(DBG_IMV, "PTS-IMC selected unsupported"
76 " measurement algorithm");
77 return FALSE;
78 }
79 pts->set_meas_algorithm(pts, selected_algorithm);
80 state->set_action_flags(state, IMV_ATTESTATION_FLAG_ALGO);
81 break;
82 }
83 case TCG_PTS_DH_NONCE_PARAMS_RESP:
84 {
85 tcg_pts_attr_dh_nonce_params_resp_t *attr_cast;
86 int nonce_len, min_nonce_len;
87 pts_dh_group_t dh_group;
88 pts_meas_algorithms_t offered_algorithms, selected_algorithm;
89 chunk_t responder_value, responder_nonce;
90
91 attr_cast = (tcg_pts_attr_dh_nonce_params_resp_t*)attr;
92 responder_nonce = attr_cast->get_responder_nonce(attr_cast);
93
94 /* check compliance of responder nonce length */
95 min_nonce_len = lib->settings->get_int(lib->settings,
96 "%s.plugins.imv-attestation.min_nonce_len", 0, lib->ns);
97 nonce_len = responder_nonce.len;
98 if (nonce_len < PTS_MIN_NONCE_LEN ||
99 (min_nonce_len > 0 && nonce_len < min_nonce_len))
100 {
101 attr = pts_dh_nonce_error_create(
102 max(PTS_MIN_NONCE_LEN, min_nonce_len),
103 PTS_MAX_NONCE_LEN);
104 out_msg->add_attribute(out_msg, attr);
105 break;
106 }
107
108 dh_group = attr_cast->get_dh_group(attr_cast);
109 if (!(dh_group & supported_dh_groups))
110 {
111 DBG1(DBG_IMV, "PTS-IMC selected unsupported DH group");
112 return FALSE;
113 }
114
115 offered_algorithms = attr_cast->get_hash_algo_set(attr_cast);
116 selected_algorithm = pts_meas_algo_select(supported_algorithms,
117 offered_algorithms);
118 if (selected_algorithm == PTS_MEAS_ALGO_NONE)
119 {
120 attr = pts_hash_alg_error_create(supported_algorithms);
121 out_msg->add_attribute(out_msg, attr);
122 break;
123 }
124 pts->set_dh_hash_algorithm(pts, selected_algorithm);
125
126 if (!pts->create_dh_nonce(pts, dh_group, nonce_len))
127 {
128 return FALSE;
129 }
130
131 responder_value = attr_cast->get_responder_value(attr_cast);
132 pts->set_peer_public_value(pts, responder_value,
133 responder_nonce);
134
135 /* Calculate secret assessment value */
136 if (!pts->calculate_secret(pts))
137 {
138 return FALSE;
139 }
140 break;
141 }
142 case TCG_PTS_TPM_VERSION_INFO:
143 {
144 tcg_pts_attr_tpm_version_info_t *attr_cast;
145 chunk_t tpm_version_info;
146
147 attr_cast = (tcg_pts_attr_tpm_version_info_t*)attr;
148 tpm_version_info = attr_cast->get_tpm_version_info(attr_cast);
149 pts->set_tpm_version_info(pts, tpm_version_info);
150 break;
151 }
152 case TCG_PTS_AIK:
153 {
154 tcg_pts_attr_aik_t *attr_cast;
155 certificate_t *aik, *issuer;
156 public_key_t *public;
157 chunk_t keyid;
158 enumerator_t *e;
159 bool trusted = FALSE;
160
161 attr_cast = (tcg_pts_attr_aik_t*)attr;
162 aik = attr_cast->get_aik(attr_cast);
163 if (!aik)
164 {
165 DBG1(DBG_IMV, "AIK unavailable");
166 attestation_state->set_measurement_error(attestation_state,
167 IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
168 break;
169 }
170 if (aik->get_type(aik) == CERT_X509)
171 {
172 public = aik->get_public_key(aik);
173 public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid);
174 DBG1(DBG_IMV, "verifying AIK certificate with keyid %#B", &keyid);
175 public->destroy(public);
176
177 e = pts_credmgr->create_trusted_enumerator(pts_credmgr,
178 KEY_ANY, aik->get_issuer(aik), FALSE);
179 while (e->enumerate(e, &issuer))
180 {
181 if (aik->issued_by(aik, issuer, NULL))
182 {
183 trusted = TRUE;
184 break;
185 }
186 }
187 e->destroy(e);
188 DBG1(DBG_IMV, "AIK certificate is %strusted",
189 trusted ? "" : "not ");
190 if (!trusted)
191 {
192 attestation_state->set_measurement_error(attestation_state,
193 IMV_ATTESTATION_ERROR_NO_TRUSTED_AIK);
194 break;
195 }
196 }
197 pts->set_aik(pts, aik);
198 break;
199 }
200 case TCG_PTS_FILE_MEAS:
201 {
202 TNC_IMV_Evaluation_Result eval;
203 TNC_IMV_Action_Recommendation rec;
204 tcg_pts_attr_file_meas_t *attr_cast;
205 u_int16_t request_id;
206 int arg_int, file_count;
207 pts_meas_algorithms_t algo;
208 pts_file_meas_t *measurements;
209 imv_session_t *session;
210 imv_workitem_t *workitem, *found = NULL;
211 imv_workitem_type_t type;
212 char result_str[BUF_LEN], *platform_info;
213 bool is_dir, correct;
214 enumerator_t *enumerator;
215
216 eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
217 session = state->get_session(state);
218 algo = pts->get_meas_algorithm(pts);
219 platform_info = pts->get_platform_info(pts);
220 attr_cast = (tcg_pts_attr_file_meas_t*)attr;
221 measurements = attr_cast->get_measurements(attr_cast);
222 request_id = measurements->get_request_id(measurements);
223 file_count = measurements->get_file_count(measurements);
224
225 DBG1(DBG_IMV, "measurement request %d returned %d file%s:",
226 request_id, file_count, (file_count == 1) ? "":"s");
227
228 if (request_id)
229 {
230 enumerator = session->create_workitem_enumerator(session);
231 while (enumerator->enumerate(enumerator, &workitem))
232 {
233 /* request ID consist of lower 16 bits of workitem ID */
234 if ((workitem->get_id(workitem) & 0xffff) == request_id)
235 {
236 found = workitem;
237 break;
238 }
239 }
240
241 if (!found)
242 {
243 DBG1(DBG_IMV, " no entry found for file measurement "
244 "request %d", request_id);
245 enumerator->destroy(enumerator);
246 break;
247 }
248 type = found->get_type(found);
249 arg_int = found->get_arg_int(found);
250
251 switch (type)
252 {
253 default:
254 case IMV_WORKITEM_FILE_REF_MEAS:
255 case IMV_WORKITEM_FILE_MEAS:
256 is_dir = FALSE;
257 break;
258 case IMV_WORKITEM_DIR_REF_MEAS:
259 case IMV_WORKITEM_DIR_MEAS:
260 is_dir = TRUE;
261 }
262
263 switch (type)
264 {
265 case IMV_WORKITEM_FILE_MEAS:
266 case IMV_WORKITEM_DIR_MEAS:
267 {
268 enumerator_t *e;
269
270 /* check hashes from database against measurements */
271 e = pts_db->create_file_hash_enumerator(pts_db,
272 platform_info, algo, is_dir, arg_int);
273 if (!e)
274 {
275 eval = TNC_IMV_EVALUATION_RESULT_ERROR;
276 break;
277 }
278 correct = measurements->verify(measurements, e, is_dir);
279 if (!correct)
280 {
281 attestation_state->set_measurement_error(
282 attestation_state,
283 IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL);
284 eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR;
285 }
286 e->destroy(e);
287
288 snprintf(result_str, BUF_LEN, "%s measurement%s correct",
289 is_dir ? "directory" : "file",
290 correct ? "" : " not");
291 break;
292 }
293 case IMV_WORKITEM_FILE_REF_MEAS:
294 case IMV_WORKITEM_DIR_REF_MEAS:
295 {
296 enumerator_t *e;
297 char *filename;
298 chunk_t measurement;
299
300 e = measurements->create_enumerator(measurements);
301 while (e->enumerate(e, &filename, &measurement))
302 {
303 if (pts_db->add_file_measurement(pts_db,
304 platform_info, algo, measurement, filename,
305 is_dir, arg_int) != SUCCESS)
306 {
307 eval = TNC_IMV_EVALUATION_RESULT_ERROR;
308 }
309 }
310 e->destroy(e);
311 snprintf(result_str, BUF_LEN, "%s reference measurement "
312 "successful", is_dir ? "directory" : "file");
313 break;
314 }
315 default:
316 break;
317 }
318
319 session->remove_workitem(session, enumerator);
320 enumerator->destroy(enumerator);
321 rec = found->set_result(found, result_str, eval);
322 state->update_recommendation(state, rec, eval);
323 imcv_db->finalize_workitem(imcv_db, found);
324 found->destroy(found);
325 }
326 else
327 {
328 measurements->check(measurements, pts_db, platform_info, algo);
329 }
330 break;
331 }
332 case TCG_PTS_UNIX_FILE_META:
333 {
334 tcg_pts_attr_file_meta_t *attr_cast;
335 int file_count;
336 pts_file_meta_t *metadata;
337 pts_file_metadata_t *entry;
338 time_t created, modified, accessed;
339 bool utc = FALSE;
340 enumerator_t *e;
341
342 attr_cast = (tcg_pts_attr_file_meta_t*)attr;
343 metadata = attr_cast->get_metadata(attr_cast);
344 file_count = metadata->get_file_count(metadata);
345
346 DBG1(DBG_IMV, "metadata request returned %d file%s:",
347 file_count, (file_count == 1) ? "":"s");
348
349 e = metadata->create_enumerator(metadata);
350 while (e->enumerate(e, &entry))
351 {
352 DBG1(DBG_IMV, " '%s' (%"PRIu64" bytes)"
353 " owner %"PRIu64", group %"PRIu64", type %N",
354 entry->filename, entry->filesize, entry->owner,
355 entry->group, pts_file_type_names, entry->type);
356
357 created = entry->created;
358 modified = entry->modified;
359 accessed = entry->accessed;
360
361 DBG1(DBG_IMV, " created %T, modified %T, accessed %T",
362 &created, utc, &modified, utc, &accessed, utc);
363 }
364 e->destroy(e);
365 break;
366 }
367 case TCG_PTS_SIMPLE_COMP_EVID:
368 {
369 tcg_pts_attr_simple_comp_evid_t *attr_cast;
370 pts_comp_func_name_t *name;
371 pts_comp_evidence_t *evidence;
372 pts_component_t *comp;
373 u_int32_t depth;
374 status_t status;
375
376 attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
377 evidence = attr_cast->get_comp_evidence(attr_cast);
378 name = evidence->get_comp_func_name(evidence, &depth);
379
380 comp = attestation_state->get_component(attestation_state, name);
381 if (!comp)
382 {
383 DBG1(DBG_IMV, " no entry found for component evidence request");
384 break;
385 }
386 status = comp->verify(comp, name->get_qualifier(name), pts, evidence);
387 if (status == VERIFY_ERROR || status == FAILED)
388 {
389 attestation_state->set_measurement_error(attestation_state,
390 IMV_ATTESTATION_ERROR_COMP_EVID_FAIL);
391 name->log(name, " measurement mismatch for ");
392 }
393 break;
394 }
395 case TCG_PTS_SIMPLE_EVID_FINAL:
396 {
397 tcg_pts_attr_simple_evid_final_t *attr_cast;
398 u_int8_t flags;
399 pts_meas_algorithms_t comp_hash_algorithm;
400 chunk_t pcr_comp, tpm_quote_sig, evid_sig;
401 chunk_t pcr_composite, quote_info;
402 imv_session_t *session;
403 imv_workitem_t *workitem;
404 enumerator_t *enumerator;
405 bool use_quote2, use_ver_info;
406
407 attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr;
408 flags = attr_cast->get_quote_info(attr_cast, &comp_hash_algorithm,
409 &pcr_comp, &tpm_quote_sig);
410
411 if (flags != PTS_SIMPLE_EVID_FINAL_NO)
412 {
413 use_quote2 = (flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2 ||
414 flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2_CAP_VER);
415 use_ver_info = (flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2_CAP_VER);
416
417 /* Construct PCR Composite and TPM Quote Info structures */
418 if (!pts->get_quote_info(pts, use_quote2, use_ver_info,
419 comp_hash_algorithm, &pcr_composite, &quote_info))
420 {
421 DBG1(DBG_IMV, "unable to construct TPM Quote Info");
422 return FALSE;
423 }
424
425 if (!chunk_equals(pcr_comp, pcr_composite))
426 {
427 DBG1(DBG_IMV, "received PCR Composite does not match "
428 "constructed one");
429 attestation_state->set_measurement_error(attestation_state,
430 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
431 goto quote_error;
432 }
433 DBG2(DBG_IMV, "received PCR Composite matches constructed one");
434
435 if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig))
436 {
437 attestation_state->set_measurement_error(attestation_state,
438 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
439 goto quote_error;
440 }
441 DBG2(DBG_IMV, "TPM Quote Info signature verification successful");
442
443 quote_error:
444 free(pcr_composite.ptr);
445 free(quote_info.ptr);
446
447 /**
448 * Finalize any pending measurement registrations and check
449 * if all expected component measurements were received
450 */
451 attestation_state->finalize_components(attestation_state);
452
453 session = state->get_session(state);
454 enumerator = session->create_workitem_enumerator(session);
455 while (enumerator->enumerate(enumerator, &workitem))
456 {
457 if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST)
458 {
459 TNC_IMV_Action_Recommendation rec;
460 TNC_IMV_Evaluation_Result eval;
461 char *result_str;
462 u_int32_t error;
463
464 error = attestation_state->get_measurement_error(
465 attestation_state);
466 if (error & (IMV_ATTESTATION_ERROR_COMP_EVID_FAIL |
467 IMV_ATTESTATION_ERROR_COMP_EVID_PEND |
468 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL))
469 {
470 imv_reason_string_t *reason_string;
471 chunk_t result;
472
473 reason_string = imv_reason_string_create("en", ", ");
474 attestation_state->add_comp_evid_reasons(
475 attestation_state, reason_string);
476 result = reason_string->get_encoding(reason_string);
477 result_str = strndup(result.ptr, result.len);
478 reason_string->destroy(reason_string);
479 eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR;
480 }
481 else
482 {
483 result_str = strdup("attestation successful");
484 eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
485 }
486 session->remove_workitem(session, enumerator);
487 rec = workitem->set_result(workitem, result_str, eval);
488 state->update_recommendation(state, rec, eval);
489 imcv_db->finalize_workitem(imcv_db, workitem);
490 workitem->destroy(workitem);
491 free(result_str);
492 attestation_state->set_handshake_state(attestation_state,
493 IMV_ATTESTATION_STATE_END);
494 break;
495 }
496 }
497 enumerator->destroy(enumerator);
498 }
499
500 if (attr_cast->get_evid_sig(attr_cast, &evid_sig))
501 {
502 /** TODO: What to do with Evidence Signature */
503 DBG1(DBG_IMV, "this version of the Attestation IMV can not "
504 "handle Evidence Signatures");
505 }
506 break;
507 }
508
509 /* TODO: Not implemented yet */
510 case TCG_PTS_INTEG_MEAS_LOG:
511 /* Attributes using XML */
512 case TCG_PTS_TEMPL_REF_MANI_SET_META:
513 case TCG_PTS_VERIFICATION_RESULT:
514 case TCG_PTS_INTEG_REPORT:
515 /* On Windows only*/
516 case TCG_PTS_WIN_FILE_META:
517 case TCG_PTS_REGISTRY_VALUE:
518 /* Received on IMC side only*/
519 case TCG_PTS_REQ_PROTO_CAPS:
520 case TCG_PTS_DH_NONCE_PARAMS_REQ:
521 case TCG_PTS_DH_NONCE_FINISH:
522 case TCG_PTS_MEAS_ALGO:
523 case TCG_PTS_GET_TPM_VERSION_INFO:
524 case TCG_PTS_REQ_TEMPL_REF_MANI_SET_META:
525 case TCG_PTS_UPDATE_TEMPL_REF_MANI:
526 case TCG_PTS_GET_AIK:
527 case TCG_PTS_REQ_FUNC_COMP_EVID:
528 case TCG_PTS_GEN_ATTEST_EVID:
529 case TCG_PTS_REQ_FILE_META:
530 case TCG_PTS_REQ_FILE_MEAS:
531 case TCG_PTS_REQ_INTEG_MEAS_LOG:
532 default:
533 DBG1(DBG_IMV, "received unsupported attribute '%N'",
534 tcg_attr_names, attr->get_type(attr));
535 break;
536 }
537 return TRUE;
538 }
539