src/libimcv/imcv.c

   1 /*
   2  * Copyright (C) 2011-2022 Andreas Steffen
   3  *
   4  * Copyright (C) secunet Security Networks AG
   5  *
   6  * This program is free software; you can redistribute it and/or modify it
   7  * under the terms of the GNU General Public License as published by the
   8  * Free Software Foundation; either version 2 of the License, or (at your
   9  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  10  *
  11  * This program is distributed in the hope that it will be useful, but
  12  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  13  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * for more details.
  15  */
  16
  17 #include "imcv.h"
  18 #include "ietf/ietf_attr.h"
  19 #include "ita/ita_attr.h"
  20 #include "pwg/pwg_attr.h"
  21 #include "tcg/tcg_attr.h"
  22 #include "pts/components/pts_component.h"
  23 #include "pts/components/pts_component_manager.h"
  24 #include "pts/components/tcg/tcg_comp_func_name.h"
  25 #include "pts/components/ita/ita_comp_func_name.h"
  26 #include "pts/components/ita/ita_comp_ima.h"
  27 #include "pts/components/ita/ita_comp_tboot.h"
  28 #include "pts/components/ita/ita_comp_tgrub.h"
  29
  30 #include <utils/debug.h>
  31 #include <utils/utils.h>
  32 #include <pen/pen.h>
  33
  34 #ifdef HAVE_SYSLOG
  35 #include <syslog.h>
  36 #endif
  37
  38 #ifndef IPSEC_SCRIPT
  39 #define IPSEC_SCRIPT "ipsec"
  40 #endif
  41
  42 #define IMCV_DEBUG_LEVEL                        1
  43 #define IMCV_DEFAULT_POLICY_SCRIPT      IPSEC_SCRIPT " _imv_policy"
  44
  45
  46 /**
  47  * PA-TNC attribute manager
  48  */
  49 pa_tnc_attr_manager_t *imcv_pa_tnc_attributes;
  50
  51 /**
  52  * Global list of IMV sessions
  53  */
  54 imv_session_manager_t *imcv_sessions;
  55
  56 /**
  57  * Global IMV database
  58  */
  59 imv_database_t *imcv_db;
  60
  61 /**
  62  * PTS Functional Component manager
  63  */
  64 pts_component_manager_t *imcv_pts_components;
  65
  66 /**
  67  * Reference count for libimcv
  68  */
  69 static refcount_t libimcv_ref = 0;
  70
  71 /**
  72  * Reference count for libstrongswan
  73  */
  74 static refcount_t libstrongswan_ref = 0;
  75
  76 /**
  77  * Global configuration of imcv dbg function
  78  */
  79 static int  imcv_debug_level;
  80 static bool imcv_stderr_quiet;
  81
  82 /**
  83  * Described in header.
  84  */
  85 void imcv_list_pa_tnc_attribute_type(char *label, pen_t vendor_id, uint32_t type)
  86 {
  87         enum_name_t *pa_attr_names;
  88
  89         pa_attr_names = imcv_pa_tnc_attributes->get_names(imcv_pa_tnc_attributes,
  90                                                                                                           vendor_id);
  91         if (pa_attr_names)
  92         {
  93                 DBG2(DBG_TNC, "%s PA-TNC attribute type '%N/%N' 0x%06x/0x%08x",
  94                          label, pen_names, vendor_id, pa_attr_names, type, vendor_id, type);
  95         }
  96         else
  97         {
  98                 DBG2(DBG_TNC, "%s PA-TNC attribute type '%N' 0x%06x/0x%08x",
  99                          label, pen_names, vendor_id, vendor_id, type);
 100         }
 101 }
 102
 103 /**
 104  * imvc dbg function
 105  */
 106 static void imcv_dbg(debug_t group, level_t level, char *fmt, ...)
 107 {
 108         va_list args;
 109
 110         if (level <= imcv_debug_level)
 111         {
 112                 if (!imcv_stderr_quiet)
 113                 {
 114                         va_start(args, fmt);
 115                         fprintf(stderr, "[HSR] ");
 116                         vfprintf(stderr, fmt, args);
 117                         fprintf(stderr, "\n");
 118                         va_end(args);
 119                 }
 120
 121 #ifdef HAVE_SYSLOG
 122                 {
 123                         int priority = LOG_INFO;
 124                         char buffer[8192];
 125                         char *current = buffer, *next;
 126
 127                         /* write in memory buffer first */
 128                         va_start(args, fmt);
 129                         vsnprintf(buffer, sizeof(buffer), fmt, args);
 130                         va_end(args);
 131
 132                         /* do a syslog with every line */
 133                         while (current)
 134                         {
 135                                 next = strchr(current, '\n');
 136                                 if (next)
 137                                 {
 138                                         *(next++) = '\0';
 139                                 }
 140                                 syslog(priority, "[HSR] %s\n", current);
 141                                 current = next;
 142                         }
 143                 }
 144 #endif /* HAVE_SYSLOG */
 145         }
 146 }
 147
 148 /**
 149  * Described in header.
 150  */
 151 bool libimcv_init(bool is_imv)
 152 {
 153         /* initialize libstrongswan library only once */
 154         if (lib)
 155         {
 156                 /* did main program initialize libstrongswan? */
 157                 if (!ref_cur(&libstrongswan_ref))
 158                 {
 159                         ref_get(&libstrongswan_ref);
 160                 }
 161         }
 162         else
 163         {
 164                 /* we are the first to initialize libstrongswan */
 165                 if (!library_init(NULL, "libimcv"))
 166                 {
 167                         return FALSE;
 168                 }
 169
 170                 /* set the debug level and stderr output */
 171                 imcv_debug_level =  lib->settings->get_int(lib->settings,
 172                                                                         "libimcv.debug_level", IMCV_DEBUG_LEVEL);
 173                 imcv_stderr_quiet = lib->settings->get_int(lib->settings,
 174                                                                         "libimcv.stderr_quiet", FALSE);
 175
 176                 /* activate the imcv debugging hook */
 177                 dbg = imcv_dbg;
 178 #ifdef HAVE_SYSLOG
 179                 openlog("imcv", 0, LOG_DAEMON);
 180 #endif
 181
 182                 if (!lib->plugins->load(lib->plugins,
 183                                 lib->settings->get_str(lib->settings, "libimcv.load",
 184                                         "random nonce gmp pubkey x509")))
 185                 {
 186                         library_deinit();
 187                         return FALSE;
 188                 }
 189         }
 190         ref_get(&libstrongswan_ref);
 191
 192         lib->settings->add_fallback(lib->settings, "%s.imcv", "libimcv", lib->ns);
 193         lib->settings->add_fallback(lib->settings, "%s.plugins", "libimcv.plugins",
 194                                                                 lib->ns);
 195
 196         if (!ref_cur(&libimcv_ref))
 197         {
 198                 char *uri, *script;
 199
 200                 libtpmtss_init();
 201
 202                 /* initialize the PA-TNC attribute manager */
 203                 imcv_pa_tnc_attributes = pa_tnc_attr_manager_create();
 204                 imcv_pa_tnc_attributes->add_vendor(imcv_pa_tnc_attributes, PEN_IETF,
 205                                                         ietf_attr_create_from_data, ietf_attr_names);
 206                 imcv_pa_tnc_attributes->add_vendor(imcv_pa_tnc_attributes, PEN_ITA,
 207                                                         ita_attr_create_from_data, ita_attr_names);
 208                 imcv_pa_tnc_attributes->add_vendor(imcv_pa_tnc_attributes, PEN_PWG,
 209                                                         pwg_attr_create_from_data, pwg_attr_names);
 210                 imcv_pa_tnc_attributes->add_vendor(imcv_pa_tnc_attributes, PEN_TCG,
 211                                                         tcg_attr_create_from_data, tcg_attr_names);
 212
 213                 imcv_pts_components = pts_component_manager_create();
 214                 imcv_pts_components->add_vendor(imcv_pts_components, PEN_TCG,
 215                                         pts_tcg_comp_func_names, PTS_TCG_QUALIFIER_TYPE_SIZE,
 216                                         pts_tcg_qualifier_flag_names, pts_tcg_qualifier_type_names);
 217                 imcv_pts_components->add_vendor(imcv_pts_components, PEN_ITA,
 218                                         pts_ita_comp_func_names, PTS_ITA_QUALIFIER_TYPE_SIZE,
 219                                         pts_ita_qualifier_flag_names, pts_ita_qualifier_type_names);
 220
 221                 imcv_pts_components->add_component(imcv_pts_components, PEN_ITA,
 222                                                                           PTS_ITA_COMP_FUNC_NAME_TGRUB,
 223                                                                           pts_ita_comp_tgrub_create);
 224                 imcv_pts_components->add_component(imcv_pts_components, PEN_ITA,
 225                                                                           PTS_ITA_COMP_FUNC_NAME_TBOOT,
 226                                                                           pts_ita_comp_tboot_create);
 227                 imcv_pts_components->add_component(imcv_pts_components, PEN_ITA,
 228                                                                           PTS_ITA_COMP_FUNC_NAME_IMA,
 229                                                                           pts_ita_comp_ima_create);
 230                 if (is_imv)
 231                 {
 232                         /* instantiate global IMV session manager */
 233                         imcv_sessions = imv_session_manager_create();
 234
 235                         /* instantiate and attach global IMV database if URI is valid */
 236                         uri = lib->settings->get_str(lib->settings,
 237                                                 "%s.imcv.database", NULL, lib->ns);
 238                         script = lib->settings->get_str(lib->settings,
 239                                                 "%s.imcv.policy_script", IMCV_DEFAULT_POLICY_SCRIPT,
 240                                                 lib->ns);
 241                         if (uri)
 242                         {
 243                                 imcv_db = imv_database_create(uri, script);
 244                         }
 245                 }
 246                 DBG1(DBG_LIB, "libimcv initialized");
 247         }
 248         ref_get(&libimcv_ref);
 249
 250         return TRUE;
 251 }
 252
 253 /**
 254  * Described in header.
 255  */
 256 void libimcv_deinit(void)
 257 {
 258         if (ref_put(&libimcv_ref))
 259         {
 260                 imcv_pts_components->remove_vendor(imcv_pts_components, PEN_TCG);
 261                 imcv_pts_components->remove_vendor(imcv_pts_components, PEN_ITA);
 262                 imcv_pts_components->destroy(imcv_pts_components);
 263
 264                 imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_IETF);
 265                 imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_ITA);
 266                 imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_PWG);
 267                 imcv_pa_tnc_attributes->remove_vendor(imcv_pa_tnc_attributes, PEN_TCG);
 268                 DESTROY_IF(imcv_pa_tnc_attributes);
 269                 imcv_pa_tnc_attributes = NULL;
 270                 DESTROY_IF(imcv_db);
 271                 DESTROY_IF(imcv_sessions);
 272                 DBG1(DBG_LIB, "libimcv terminated");
 273
 274                 libtpmtss_deinit();
 275         }
 276         if (ref_put(&libstrongswan_ref))
 277         {
 278                 library_deinit();
 279         }
 280 }