File:  [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / pt-tls-client / pt-tls-client.c
Revision 1.1: download - view: text, annotated - select for diffs - revision graph
Wed Jun 3 09:46:44 2020 UTC (4 years, 5 months ago) by misho
CVS tags: MAIN, HEAD
Initial revision

/*
 * Copyright (C) 2013-2015 Andreas Steffen
 * HSR Hochschule fuer Technik Rapperswil
 *
 * Copyright (C) 2010-2013 Martin Willi
 * Copyright (C) 2010-2013 revosec AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <getopt.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#ifdef HAVE_SYSLOG
#include <syslog.h>
#endif

#include <pt_tls.h>
#include <pt_tls_client.h>
#include <tnc/tnc.h>
#include <tls.h>

#include <library.h>
#include <utils/debug.h>
#include <credentials/sets/mem_cred.h>
#include <utils/optionsfrom.h>

/**
 * Print usage information
 */
static void usage(FILE *out)
{
	fprintf(out,
		"Usage: pt-tls  --connect <hostname|address> [--port <port>]\n"
		"              [--certid <hex>|--cert <file>]+ [--keyid <hex>|--key <file>]\n"
		"              [--key-type rsa|ecdsa] [--client <client-id>]\n"
		"              [--secret <password>] [--mutual] [--quiet]\n"
		"              [--debug <level>] [--options <filename>]\n");
}

/**
 * Client routine
 */
static int client(char *address, uint16_t port, char *identity)
{
	pt_tls_client_t *assessment;
	tls_t *tnccs;
	identification_t *server_id, *client_id;
	host_t *server_ip, *client_ip;
	status_t status;

	server_ip = host_create_from_dns(address, AF_UNSPEC, port);
	if (!server_ip)
	{
		return 1;
	}

	client_ip = host_create_any(server_ip->get_family(server_ip));
	if (!client_ip)
	{
		server_ip->destroy(server_ip);
		return 1;
	}
	server_id = identification_create_from_string(address);
	client_id = identification_create_from_string(identity);

	tnccs = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, FALSE,
								server_id, client_id, server_ip, client_ip,
								TNC_IFT_TLS_2_0, NULL);
	client_ip->destroy(client_ip);

	if (!tnccs)
	{
		fprintf(stderr, "loading TNCCS failed: %s\n", PLUGINS);
		server_ip->destroy(server_ip);
		server_id->destroy(server_id);
		client_id->destroy(client_id);
		return 1;
	}
	assessment = pt_tls_client_create(server_ip, server_id, client_id);
	status = assessment->run_assessment(assessment, (tnccs_t*)tnccs);
	assessment->destroy(assessment);
	tnccs->destroy(tnccs);

	return (status != SUCCESS);
}


/**
 * In-Memory credential set
 */
static mem_cred_t *creds;

/**
 * Load certificate from file
 */
static bool load_certificate(char *certid, char *filename)
{
	certificate_t *cert;
	chunk_t chunk;

	if (certid)
	{
		chunk = chunk_from_hex(chunk_create(certid, strlen(certid)), NULL);
		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
								  BUILD_PKCS11_KEYID, chunk, BUILD_END);
	}
	else
	{
		cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
								  BUILD_FROM_FILE, filename, BUILD_END);
	}
	if (!cert)
	{
		DBG1(DBG_TLS, "loading certificate from '%s' failed",
					   certid ? certid : filename);
		return FALSE;
	}
	creds->add_cert(creds, TRUE, cert);
	return TRUE;
}

/**
 * Load private key from file
 */
static bool load_key(char *keyid, char *filename, key_type_t type)
{
	private_key_t *key;
	chunk_t chunk;

	if (keyid)
	{
		chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
								 BUILD_PKCS11_KEYID, chunk, BUILD_END);
		chunk_free(&chunk);
	}
	else
	{
		key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
								 BUILD_FROM_FILE, filename, BUILD_END);
	}
	if (!key)
	{
		DBG1(DBG_TLS, "loading key from '%s' failed", keyid ? keyid : filename);
		return FALSE;
	}
	creds->add_key(creds, key);
	return TRUE;
}

/**
 * Logging and debug level
 */
static bool log_to_stderr = TRUE;
#ifdef HAVE_SYSLOG
static bool log_to_syslog = TRUE;
#endif /* HAVE_SYSLOG */
static level_t default_loglevel = 1;

static void dbg_pt_tls(debug_t group, level_t level, char *fmt, ...)
{
	va_list args;

	if (level <= default_loglevel)
	{
		if (log_to_stderr)
		{
			va_start(args, fmt);
			vfprintf(stderr, fmt, args);
			va_end(args);
			fprintf(stderr, "\n");
		}
#ifdef HAVE_SYSLOG
		if (log_to_syslog)
		{
			char buffer[8192];
			char *current = buffer, *next;

			/* write in memory buffer first */
			va_start(args, fmt);
			vsnprintf(buffer, sizeof(buffer), fmt, args);
			va_end(args);

			/* do a syslog with every line */
			while (current)
			{
				next = strchr(current, '\n');
				if (next)
				{
					*(next++) = '\0';
				}
				syslog(LOG_INFO, "%s\n", current);
				current = next;
			}
		}
#endif /* HAVE_SYSLOG */
	}
}

/**
 * Initialize logging to stderr/syslog
 */
static void init_log(const char *program)
{
	dbg = dbg_pt_tls;

	if (log_to_stderr)
	{
		setbuf(stderr, NULL);
	}
#ifdef HAVE_SYSLOG
	if (log_to_syslog)
	{
		openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
	}
#endif /* HAVE_SYSLOG */
}

/**
 * Handles --optionsfrom arguments
 */
options_t *options;

/**
 * Cleanup
 */
static void cleanup()
{
	lib->processor->cancel(lib->processor);
	lib->credmgr->remove_set(lib->credmgr, &creds->set);
	creds->destroy(creds);
	options->destroy(options);
	libtnccs_deinit();
	library_deinit();
}

/**
 * Initialize library
 */
static void init()
{
	plugin_feature_t features[] = {
		PLUGIN_NOOP,
			PLUGIN_PROVIDE(CUSTOM, "pt-tls-client"),
				PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
	};
	library_init(NULL, "pt-tls-client");
	libtnccs_init();

	init_log("pt-tls-client");
	options = options_create();

	lib->plugins->add_static_features(lib->plugins, "pt-tls-client", features,
									  countof(features), TRUE, NULL, NULL);
	if (!lib->plugins->load(lib->plugins,
			lib->settings->get_str(lib->settings, "pt-tls-client.load", PLUGINS)))
	{
		exit(SS_RC_INITIALIZATION_FAILED);
	}
	lib->plugins->status(lib->plugins, LEVEL_CTRL);

	creds = mem_cred_create();
	lib->credmgr->add_set(lib->credmgr, &creds->set);

	atexit(cleanup);
}

int main(int argc, char *argv[])
{
	char *address = NULL, *identity = "%any", *secret = NULL;
	char *keyid = NULL, *key_file = NULL;
	key_type_t key_type = KEY_RSA;
	int port = PT_TLS_PORT;

	init();

	while (TRUE)
	{
		struct option long_opts[] = {
			{"help",		no_argument,			NULL,		'h' },
			{"connect",		required_argument,		NULL,		'c' },
			{"client",		required_argument,		NULL,		'i' },
			{"secret",		required_argument,		NULL,		's' },
			{"port",		required_argument,		NULL,		'p' },
			{"certid",		required_argument,		NULL,		'X' },
			{"cert",		required_argument,		NULL,		'x' },
			{"keyid",		required_argument,		NULL,		'K' },
			{"key",			required_argument,		NULL,		'k' },
			{"key-type",	required_argument,		NULL,		't' },
			{"mutual",		no_argument,			NULL,		'm' },
			{"quiet",		no_argument,			NULL,		'q' },
			{"debug",		required_argument,		NULL,		'd' },
			{"options",		required_argument,		NULL,		'+' },
			{"optionsfrom",	required_argument,		NULL,		'+' },
			{0,0,0,0 }
		};
		switch (getopt_long(argc, argv, "hc:i:s:p:x:K:k:t:mqd:+:", long_opts,
			    NULL))
		{
			case EOF:
				break;
			case 'h':			/* --help */
				usage(stdout);
				return 0;
			case 'X':			/* --certid <hex> */
				if (!load_certificate(optarg, NULL))
				{
					return 1;
				}
				continue;
			case 'x':			/* --cert <file> */
				if (!load_certificate(NULL, optarg))
				{
					return 1;
				}
				continue;
			case 'K':			/* --keyid <hex> */
				keyid = optarg;
				continue;
			case 'k':			/* --key <file> */
				key_file = optarg;
				continue;
			case 't':			/* --key-type <type> */
				if (strcaseeq(optarg, "ecdsa"))
				{
					key_type = KEY_ECDSA;
				}
				else if (strcaseeq(optarg, "rsa"))
				{
					key_type = KEY_RSA;
				}
				else
				{
					key_type = KEY_ANY;
				}
				continue;
			case 'c':			/* --connect <hostname|address> */
				if (address)
				{
					usage(stderr);
					return 1;
				}
				address = optarg;
				continue;
			case 'i':			/* --client <client-id> */
				identity = optarg;
				continue;
			case 's':			/* --secret <password> */
				secret = optarg;
				continue;
			case 'p':			/* --port <port> */
				port = atoi(optarg);
				continue;
			case 'm':			/* --mutual */
				lib->settings->set_bool(lib->settings,
								"%s.plugins.tnccs-20.mutual", TRUE, lib->ns);
				continue;
			case 'q':       	/* --quiet */
				log_to_stderr = FALSE;
				continue;
			case 'd':			/* --debug <level> */
				default_loglevel = atoi(optarg);
				continue;
			case '+':			/* --optionsfrom <filename> */
				if (!options->from(options, optarg, &argc, &argv, optind))
				{
					return 1;
				}
				continue;
			default:
				usage(stderr);
				return 1;
		}
		break;
	}
	if (!address)
	{
		usage(stderr);
		return 1;
	}
	if ((keyid || key_file) && !load_key(keyid, key_file, key_type))
	{
		return 1;
	}
	if (secret)
	{
		creds->add_shared(creds, shared_key_create(SHARED_EAP,
										chunk_clone(chunk_from_str(secret))),
							identification_create_from_string(identity), NULL);
	}
	return client(address, port, identity);
}

FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>