Attestation IMV processes TPMRA workitem
[strongswan.git] / src / libpts / plugins / imv_attestation / imv_attestation_process.c
1 /*
2 * Copyright (C) 2011-2013 Sansar Choinyambuu, Andreas Steffen
3 * HSR Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #include "imv_attestation_process.h"
17
18 #include <imcv.h>
19 #include <ietf/ietf_attr_pa_tnc_error.h>
20
21 #include <pts/pts.h>
22
23 #include <tcg/pts/tcg_pts_attr_aik.h>
24 #include <tcg/pts/tcg_pts_attr_dh_nonce_params_resp.h>
25 #include <tcg/pts/tcg_pts_attr_file_meas.h>
26 #include <tcg/pts/tcg_pts_attr_meas_algo.h>
27 #include <tcg/pts/tcg_pts_attr_proto_caps.h>
28 #include <tcg/pts/tcg_pts_attr_simple_comp_evid.h>
29 #include <tcg/pts/tcg_pts_attr_simple_evid_final.h>
30 #include <tcg/pts/tcg_pts_attr_tpm_version_info.h>
31 #include <tcg/pts/tcg_pts_attr_unix_file_meta.h>
32
33 #include <utils/debug.h>
34 #include <crypto/hashers/hasher.h>
35
36 #include <inttypes.h>
37
38 bool imv_attestation_process(pa_tnc_attr_t *attr, imv_msg_t *out_msg,
39 imv_state_t *state,
40 pts_meas_algorithms_t supported_algorithms,
41 pts_dh_group_t supported_dh_groups,
42 pts_database_t *pts_db,
43 credential_manager_t *pts_credmgr)
44 {
45 imv_attestation_state_t *attestation_state;
46 pen_type_t attr_type;
47 pts_t *pts;
48
49 attestation_state = (imv_attestation_state_t*)state;
50 pts = attestation_state->get_pts(attestation_state);
51 attr_type = attr->get_type(attr);
52
53 switch (attr_type.type)
54 {
55 case TCG_PTS_PROTO_CAPS:
56 {
57 tcg_pts_attr_proto_caps_t *attr_cast;
58 pts_proto_caps_flag_t flags;
59
60 attr_cast = (tcg_pts_attr_proto_caps_t*)attr;
61 flags = attr_cast->get_flags(attr_cast);
62 pts->set_proto_caps(pts, flags);
63 break;
64 }
65 case TCG_PTS_MEAS_ALGO_SELECTION:
66 {
67 tcg_pts_attr_meas_algo_t *attr_cast;
68 pts_meas_algorithms_t selected_algorithm;
69
70 attr_cast = (tcg_pts_attr_meas_algo_t*)attr;
71 selected_algorithm = attr_cast->get_algorithms(attr_cast);
72 if (!(selected_algorithm & supported_algorithms))
73 {
74 DBG1(DBG_IMV, "PTS-IMC selected unsupported"
75 " measurement algorithm");
76 return FALSE;
77 }
78 pts->set_meas_algorithm(pts, selected_algorithm);
79 state->set_action_flags(state, IMV_ATTESTATION_FLAG_ALGO);
80 break;
81 }
82 case TCG_PTS_DH_NONCE_PARAMS_RESP:
83 {
84 tcg_pts_attr_dh_nonce_params_resp_t *attr_cast;
85 int nonce_len, min_nonce_len;
86 pts_dh_group_t dh_group;
87 pts_meas_algorithms_t offered_algorithms, selected_algorithm;
88 chunk_t responder_value, responder_nonce;
89
90 attr_cast = (tcg_pts_attr_dh_nonce_params_resp_t*)attr;
91 responder_nonce = attr_cast->get_responder_nonce(attr_cast);
92
93 /* check compliance of responder nonce length */
94 min_nonce_len = lib->settings->get_int(lib->settings,
95 "libimcv.plugins.imv-attestation.min_nonce_len", 0);
96 nonce_len = responder_nonce.len;
97 if (nonce_len < PTS_MIN_NONCE_LEN ||
98 (min_nonce_len > 0 && nonce_len < min_nonce_len))
99 {
100 attr = pts_dh_nonce_error_create(
101 max(PTS_MIN_NONCE_LEN, min_nonce_len),
102 PTS_MAX_NONCE_LEN);
103 out_msg->add_attribute(out_msg, attr);
104 break;
105 }
106
107 dh_group = attr_cast->get_dh_group(attr_cast);
108 if (!(dh_group & supported_dh_groups))
109 {
110 DBG1(DBG_IMV, "PTS-IMC selected unsupported DH group");
111 return FALSE;
112 }
113
114 offered_algorithms = attr_cast->get_hash_algo_set(attr_cast);
115 selected_algorithm = pts_meas_algo_select(supported_algorithms,
116 offered_algorithms);
117 if (selected_algorithm == PTS_MEAS_ALGO_NONE)
118 {
119 attr = pts_hash_alg_error_create(supported_algorithms);
120 out_msg->add_attribute(out_msg, attr);
121 break;
122 }
123 pts->set_dh_hash_algorithm(pts, selected_algorithm);
124
125 if (!pts->create_dh_nonce(pts, dh_group, nonce_len))
126 {
127 return FALSE;
128 }
129
130 responder_value = attr_cast->get_responder_value(attr_cast);
131 pts->set_peer_public_value(pts, responder_value,
132 responder_nonce);
133
134 /* Calculate secret assessment value */
135 if (!pts->calculate_secret(pts))
136 {
137 return FALSE;
138 }
139 break;
140 }
141 case TCG_PTS_TPM_VERSION_INFO:
142 {
143 tcg_pts_attr_tpm_version_info_t *attr_cast;
144 chunk_t tpm_version_info;
145
146 attr_cast = (tcg_pts_attr_tpm_version_info_t*)attr;
147 tpm_version_info = attr_cast->get_tpm_version_info(attr_cast);
148 pts->set_tpm_version_info(pts, tpm_version_info);
149 break;
150 }
151 case TCG_PTS_AIK:
152 {
153 tcg_pts_attr_aik_t *attr_cast;
154 certificate_t *aik, *issuer;
155 public_key_t *public;
156 chunk_t keyid;
157 enumerator_t *e;
158 bool trusted = FALSE;
159
160 attr_cast = (tcg_pts_attr_aik_t*)attr;
161 aik = attr_cast->get_aik(attr_cast);
162 if (!aik)
163 {
164 DBG1(DBG_IMV, "AIK unavailable");
165 return FALSE;
166 }
167 if (aik->get_type(aik) == CERT_X509)
168 {
169 public = aik->get_public_key(aik);
170 public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid);
171 DBG1(DBG_IMV, "verifying AIK certificate with keyid %#B", &keyid);
172 public->destroy(public);
173
174 e = pts_credmgr->create_trusted_enumerator(pts_credmgr,
175 KEY_ANY, aik->get_issuer(aik), FALSE);
176 while (e->enumerate(e, &issuer))
177 {
178 if (aik->issued_by(aik, issuer, NULL))
179 {
180 trusted = TRUE;
181 break;
182 }
183 }
184 e->destroy(e);
185 DBG1(DBG_IMV, "AIK certificate is %strusted",
186 trusted ? "" : "not ");
187 if (!trusted)
188 {
189 return FALSE;
190 }
191 }
192 pts->set_aik(pts, aik);
193 break;
194 }
195 case TCG_PTS_FILE_MEAS:
196 {
197 TNC_IMV_Evaluation_Result eval;
198 TNC_IMV_Action_Recommendation rec;
199 tcg_pts_attr_file_meas_t *attr_cast;
200 u_int16_t request_id;
201 int arg_int, file_count;
202 pts_meas_algorithms_t algo;
203 pts_file_meas_t *measurements;
204 imv_session_t *session;
205 imv_workitem_t *workitem, *found = NULL;
206 imv_workitem_type_t type;
207 char result_str[BUF_LEN], *platform_info;
208 bool is_dir, correct;
209 enumerator_t *enumerator;
210
211 eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
212 session = state->get_session(state);
213 algo = pts->get_meas_algorithm(pts);
214 platform_info = pts->get_platform_info(pts);
215 attr_cast = (tcg_pts_attr_file_meas_t*)attr;
216 measurements = attr_cast->get_measurements(attr_cast);
217 request_id = measurements->get_request_id(measurements);
218 file_count = measurements->get_file_count(measurements);
219
220 DBG1(DBG_IMV, "measurement request %d returned %d file%s:",
221 request_id, file_count, (file_count == 1) ? "":"s");
222
223 if (request_id)
224 {
225 enumerator = session->create_workitem_enumerator(session);
226 while (enumerator->enumerate(enumerator, &workitem))
227 {
228 /* request ID consist of lower 16 bits of workitem ID */
229 if ((workitem->get_id(workitem) & 0xffff) == request_id)
230 {
231 found = workitem;
232 break;
233 }
234 }
235
236 if (!found)
237 {
238 DBG1(DBG_IMV, " no entry found for file measurement "
239 "request %d", request_id);
240 enumerator->destroy(enumerator);
241 break;
242 }
243 type = found->get_type(found);
244 arg_int = found->get_arg_int(found);
245
246 switch (type)
247 {
248 default:
249 case IMV_WORKITEM_FILE_REF_MEAS:
250 case IMV_WORKITEM_FILE_MEAS:
251 is_dir = FALSE;
252 break;
253 case IMV_WORKITEM_DIR_REF_MEAS:
254 case IMV_WORKITEM_DIR_MEAS:
255 is_dir = TRUE;
256 }
257
258 switch (type)
259 {
260 case IMV_WORKITEM_FILE_MEAS:
261 case IMV_WORKITEM_DIR_MEAS:
262 {
263 enumerator_t *e;
264
265 /* check hashes from database against measurements */
266 e = pts_db->create_file_hash_enumerator(pts_db,
267 platform_info, algo, is_dir, arg_int);
268 if (!e)
269 {
270 eval = TNC_IMV_EVALUATION_RESULT_ERROR;
271 break;
272 }
273 correct = measurements->verify(measurements, e, is_dir);
274 if (!correct)
275 {
276 attestation_state->set_measurement_error(
277 attestation_state,
278 IMV_ATTESTATION_ERROR_FILE_MEAS_FAIL);
279 eval = TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR;
280 }
281 e->destroy(e);
282
283 snprintf(result_str, BUF_LEN, "%s measurement%s correct",
284 is_dir ? "directory" : "file",
285 correct ? "" : " not");
286 break;
287 }
288 case IMV_WORKITEM_FILE_REF_MEAS:
289 case IMV_WORKITEM_DIR_REF_MEAS:
290 {
291 enumerator_t *e;
292 char *filename;
293 chunk_t measurement;
294
295 e = measurements->create_enumerator(measurements);
296 while (e->enumerate(e, &filename, &measurement))
297 {
298 if (pts_db->add_file_measurement(pts_db,
299 platform_info, algo, measurement, filename,
300 is_dir, arg_int) != SUCCESS)
301 {
302 eval = TNC_IMV_EVALUATION_RESULT_ERROR;
303 }
304 }
305 e->destroy(e);
306 snprintf(result_str, BUF_LEN, "%s reference measurement "
307 "successful", is_dir ? "directory" : "file");
308 break;
309 }
310 default:
311 break;
312 }
313
314 session->remove_workitem(session, enumerator);
315 enumerator->destroy(enumerator);
316 rec = found->set_result(found, result_str, eval);
317 state->update_recommendation(state, rec, eval);
318 imcv_db->finalize_workitem(imcv_db, found);
319 found->destroy(found);
320 }
321 else
322 {
323 measurements->check(measurements, pts_db, platform_info, algo);
324 }
325 break;
326 }
327 case TCG_PTS_UNIX_FILE_META:
328 {
329 tcg_pts_attr_file_meta_t *attr_cast;
330 int file_count;
331 pts_file_meta_t *metadata;
332 pts_file_metadata_t *entry;
333 time_t created, modified, accessed;
334 bool utc = FALSE;
335 enumerator_t *e;
336
337 attr_cast = (tcg_pts_attr_file_meta_t*)attr;
338 metadata = attr_cast->get_metadata(attr_cast);
339 file_count = metadata->get_file_count(metadata);
340
341 DBG1(DBG_IMV, "metadata request returned %d file%s:",
342 file_count, (file_count == 1) ? "":"s");
343
344 e = metadata->create_enumerator(metadata);
345 while (e->enumerate(e, &entry))
346 {
347 DBG1(DBG_IMV, " '%s' (%"PRIu64" bytes)"
348 " owner %"PRIu64", group %"PRIu64", type %N",
349 entry->filename, entry->filesize, entry->owner,
350 entry->group, pts_file_type_names, entry->type);
351
352 created = entry->created;
353 modified = entry->modified;
354 accessed = entry->accessed;
355
356 DBG1(DBG_IMV, " created %T, modified %T, accessed %T",
357 &created, utc, &modified, utc, &accessed, utc);
358 }
359 e->destroy(e);
360 break;
361 }
362 case TCG_PTS_SIMPLE_COMP_EVID:
363 {
364 tcg_pts_attr_simple_comp_evid_t *attr_cast;
365 pts_comp_func_name_t *name;
366 pts_comp_evidence_t *evidence;
367 pts_component_t *comp;
368 u_int32_t depth;
369 status_t status;
370
371 attr_cast = (tcg_pts_attr_simple_comp_evid_t*)attr;
372 evidence = attr_cast->get_comp_evidence(attr_cast);
373 name = evidence->get_comp_func_name(evidence, &depth);
374
375 comp = attestation_state->get_component(attestation_state, name);
376 if (!comp)
377 {
378 DBG1(DBG_IMV, " no entry found for component evidence request");
379 break;
380 }
381 status = comp->verify(comp, name->get_qualifier(name), pts, evidence);
382 if (status == VERIFY_ERROR || status == FAILED)
383 {
384 state->update_recommendation(state,
385 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
386 TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
387 attestation_state->set_measurement_error(attestation_state,
388 IMV_ATTESTATION_ERROR_COMP_EVID_FAIL);
389 name->log(name, " measurement mismatch for ");
390 }
391 break;
392 }
393 case TCG_PTS_SIMPLE_EVID_FINAL:
394 {
395 tcg_pts_attr_simple_evid_final_t *attr_cast;
396 u_int8_t flags;
397 pts_meas_algorithms_t comp_hash_algorithm;
398 chunk_t pcr_comp, tpm_quote_sig, evid_sig;
399 chunk_t pcr_composite, quote_info;
400 imv_session_t *session;
401 imv_workitem_t *workitem;
402 enumerator_t *enumerator;
403 bool use_quote2, use_ver_info;
404
405 attr_cast = (tcg_pts_attr_simple_evid_final_t*)attr;
406 flags = attr_cast->get_quote_info(attr_cast, &comp_hash_algorithm,
407 &pcr_comp, &tpm_quote_sig);
408
409 if (flags != PTS_SIMPLE_EVID_FINAL_NO)
410 {
411 use_quote2 = (flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2 ||
412 flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2_CAP_VER);
413 use_ver_info = (flags == PTS_SIMPLE_EVID_FINAL_QUOTE_INFO2_CAP_VER);
414
415 /* Construct PCR Composite and TPM Quote Info structures */
416 if (!pts->get_quote_info(pts, use_quote2, use_ver_info,
417 comp_hash_algorithm, &pcr_composite, &quote_info))
418 {
419 DBG1(DBG_IMV, "unable to construct TPM Quote Info");
420 return FALSE;
421 }
422
423 if (!chunk_equals(pcr_comp, pcr_composite))
424 {
425 DBG1(DBG_IMV, "received PCR Composite does not match "
426 "constructed one");
427 state->update_recommendation(state,
428 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
429 TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
430 attestation_state->set_measurement_error(attestation_state,
431 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
432 goto quote_error;
433 }
434 DBG2(DBG_IMV, "received PCR Composite matches constructed one");
435
436 if (!pts->verify_quote_signature(pts, quote_info, tpm_quote_sig))
437 {
438 state->update_recommendation(state,
439 TNC_IMV_ACTION_RECOMMENDATION_ISOLATE,
440 TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR);
441 attestation_state->set_measurement_error(attestation_state,
442 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL);
443 goto quote_error;
444 }
445 DBG2(DBG_IMV, "TPM Quote Info signature verification successful");
446
447 quote_error:
448 free(pcr_composite.ptr);
449 free(quote_info.ptr);
450
451 /**
452 * Finalize any pending measurement registrations and check
453 * if all expected component measurements were received
454 */
455 attestation_state->finalize_components(attestation_state);
456
457 session = state->get_session(state);
458 enumerator = session->create_workitem_enumerator(session);
459 while (enumerator->enumerate(enumerator, &workitem))
460 {
461 if (workitem->get_type(workitem) == IMV_WORKITEM_TPM_ATTEST)
462 {
463 TNC_IMV_Action_Recommendation rec;
464 TNC_IMV_Evaluation_Result eval;
465 char *result_str;
466 u_int32_t error;
467
468 error = attestation_state->get_measurement_error(
469 attestation_state);
470 if (error & (IMV_ATTESTATION_ERROR_COMP_EVID_FAIL |
471 IMV_ATTESTATION_ERROR_COMP_EVID_PEND |
472 IMV_ATTESTATION_ERROR_TPM_QUOTE_FAIL))
473 {
474 result_str = "attestation failed";
475 eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
476 }
477 else
478 {
479 result_str = "attestation successful";
480 eval = TNC_IMV_EVALUATION_RESULT_COMPLIANT;
481 }
482 session->remove_workitem(session, enumerator);
483 rec = workitem->set_result(workitem, result_str, eval);
484 state->update_recommendation(state, rec, eval);
485 imcv_db->finalize_workitem(imcv_db, workitem);
486 workitem->destroy(workitem);
487 break;
488 }
489 }
490 enumerator->destroy(enumerator);
491 }
492
493 if (attr_cast->get_evid_sig(attr_cast, &evid_sig))
494 {
495 /** TODO: What to do with Evidence Signature */
496 DBG1(DBG_IMV, "this version of the Attestation IMV can not "
497 "handle Evidence Signatures");
498 }
499 break;
500 }
501
502 /* TODO: Not implemented yet */
503 case TCG_PTS_INTEG_MEAS_LOG:
504 /* Attributes using XML */
505 case TCG_PTS_TEMPL_REF_MANI_SET_META:
506 case TCG_PTS_VERIFICATION_RESULT:
507 case TCG_PTS_INTEG_REPORT:
508 /* On Windows only*/
509 case TCG_PTS_WIN_FILE_META:
510 case TCG_PTS_REGISTRY_VALUE:
511 /* Received on IMC side only*/
512 case TCG_PTS_REQ_PROTO_CAPS:
513 case TCG_PTS_DH_NONCE_PARAMS_REQ:
514 case TCG_PTS_DH_NONCE_FINISH:
515 case TCG_PTS_MEAS_ALGO:
516 case TCG_PTS_GET_TPM_VERSION_INFO:
517 case TCG_PTS_REQ_TEMPL_REF_MANI_SET_META:
518 case TCG_PTS_UPDATE_TEMPL_REF_MANI:
519 case TCG_PTS_GET_AIK:
520 case TCG_PTS_REQ_FUNC_COMP_EVID:
521 case TCG_PTS_GEN_ATTEST_EVID:
522 case TCG_PTS_REQ_FILE_META:
523 case TCG_PTS_REQ_FILE_MEAS:
524 case TCG_PTS_REQ_INTEG_MEAS_LOG:
525 default:
526 DBG1(DBG_IMV, "received unsupported attribute '%N'",
527 tcg_attr_names, attr->get_type(attr));
528 break;
529 }
530 return TRUE;
531 }
532