pt-tls-client: Support for TPM keyids
[strongswan.git] / src / pt-tls-client / pt-tls-client.c
1 /*
2 * Copyright (C) 2010-2013 Martin Willi, revosec AG
3 * Copyright (C) 2013-2015 Andreas Steffen
4 * HSR Hochschule für Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <unistd.h>
18 #include <stdio.h>
19 #include <sys/types.h>
20 #include <getopt.h>
21 #include <errno.h>
22 #include <string.h>
23 #include <stdlib.h>
24 #ifdef HAVE_SYSLOG
25 #include <syslog.h>
26 #endif
27
28 #include <pt_tls.h>
29 #include <pt_tls_client.h>
30 #include <tnc/tnc.h>
31 #include <tls.h>
32
33 #include <library.h>
34 #include <utils/debug.h>
35 #include <credentials/sets/mem_cred.h>
36 #include <utils/optionsfrom.h>
37
38 /**
39 * Print usage information
40 */
41 static void usage(FILE *out)
42 {
43 fprintf(out,
44 "Usage: pt-tls --connect <hostname|address> [--port <port>]\n"
45 " [--cert <file>]+ [--keyid <hex>|--key <file>]\n"
46 " [--key-type rsa|ecdsa] [--client <client-id>]\n"
47 " [--secret <password>] [--optionsfrom <filename>]\n"
48 " [--quiet] [--debug <level>]\n");
49 }
50
51 /**
52 * Client routine
53 */
54 static int client(char *address, uint16_t port, char *identity)
55 {
56 pt_tls_client_t *assessment;
57 tls_t *tnccs;
58 identification_t *server_id, *client_id;
59 host_t *server_ip, *client_ip;
60 status_t status;
61
62 server_ip = host_create_from_dns(address, AF_UNSPEC, port);
63 if (!server_ip)
64 {
65 return 1;
66 }
67
68 client_ip = host_create_any(server_ip->get_family(server_ip));
69 if (!client_ip)
70 {
71 server_ip->destroy(server_ip);
72 return 1;
73 }
74 server_id = identification_create_from_string(address);
75 client_id = identification_create_from_string(identity);
76
77 tnccs = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, FALSE,
78 server_id, client_id, server_ip, client_ip,
79 TNC_IFT_TLS_2_0, NULL);
80 client_ip->destroy(client_ip);
81
82 if (!tnccs)
83 {
84 fprintf(stderr, "loading TNCCS failed: %s\n", PLUGINS);
85 server_ip->destroy(server_ip);
86 server_id->destroy(server_id);
87 client_id->destroy(client_id);
88 return 1;
89 }
90 assessment = pt_tls_client_create(server_ip, server_id, client_id);
91 status = assessment->run_assessment(assessment, (tnccs_t*)tnccs);
92 assessment->destroy(assessment);
93 tnccs->destroy(tnccs);
94
95 return (status != SUCCESS);
96 }
97
98
99 /**
100 * In-Memory credential set
101 */
102 static mem_cred_t *creds;
103
104 /**
105 * Load certificate from file
106 */
107 static bool load_certificate(char *filename)
108 {
109 certificate_t *cert;
110
111 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
112 BUILD_FROM_FILE, filename, BUILD_END);
113 if (!cert)
114 {
115 DBG1(DBG_TLS, "loading certificate from '%s' failed", filename);
116 return FALSE;
117 }
118 creds->add_cert(creds, TRUE, cert);
119 return TRUE;
120 }
121
122 /**
123 * Load private key from file
124 */
125 static bool load_key(char *keyid, char *filename, key_type_t type)
126 {
127 private_key_t *key;
128 chunk_t chunk;
129
130 if (keyid)
131 {
132 chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL);
133 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY,
134 BUILD_PKCS11_KEYID, chunk, BUILD_END);
135 chunk_free(&chunk);
136 }
137 else
138 {
139 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type,
140 BUILD_FROM_FILE, filename, BUILD_END);
141 }
142 if (!key)
143 {
144 DBG1(DBG_TLS, "loading key from '%s' failed", keyid ? keyid : filename);
145 return FALSE;
146 }
147 creds->add_key(creds, key);
148 return TRUE;
149 }
150
151 /**
152 * Logging and debug level
153 */
154 static bool log_to_stderr = TRUE;
155 #ifdef HAVE_SYSLOG
156 static bool log_to_syslog = TRUE;
157 #endif /* HAVE_SYSLOG */
158 static level_t default_loglevel = 1;
159
160 static void dbg_pt_tls(debug_t group, level_t level, char *fmt, ...)
161 {
162 va_list args;
163
164 if (level <= default_loglevel)
165 {
166 if (log_to_stderr)
167 {
168 va_start(args, fmt);
169 vfprintf(stderr, fmt, args);
170 va_end(args);
171 fprintf(stderr, "\n");
172 }
173 #ifdef HAVE_SYSLOG
174 if (log_to_syslog)
175 {
176 char buffer[8192];
177 char *current = buffer, *next;
178
179 /* write in memory buffer first */
180 va_start(args, fmt);
181 vsnprintf(buffer, sizeof(buffer), fmt, args);
182 va_end(args);
183
184 /* do a syslog with every line */
185 while (current)
186 {
187 next = strchr(current, '\n');
188 if (next)
189 {
190 *(next++) = '\0';
191 }
192 syslog(LOG_INFO, "%s\n", current);
193 current = next;
194 }
195 }
196 #endif /* HAVE_SYSLOG */
197 }
198 }
199
200 /**
201 * Initialize logging to stderr/syslog
202 */
203 static void init_log(const char *program)
204 {
205 dbg = dbg_pt_tls;
206
207 if (log_to_stderr)
208 {
209 setbuf(stderr, NULL);
210 }
211 #ifdef HAVE_SYSLOG
212 if (log_to_syslog)
213 {
214 openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
215 }
216 #endif /* HAVE_SYSLOG */
217 }
218
219 /**
220 * Handles --optionsfrom arguments
221 */
222 options_t *options;
223
224 /**
225 * Cleanup
226 */
227 static void cleanup()
228 {
229 lib->processor->cancel(lib->processor);
230 lib->credmgr->remove_set(lib->credmgr, &creds->set);
231 creds->destroy(creds);
232 options->destroy(options);
233 libtnccs_deinit();
234 library_deinit();
235 }
236
237 /**
238 * Initialize library
239 */
240 static void init()
241 {
242 plugin_feature_t features[] = {
243 PLUGIN_NOOP,
244 PLUGIN_PROVIDE(CUSTOM, "pt-tls-client"),
245 PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
246 };
247 library_init(NULL, "pt-tls-client");
248 libtnccs_init();
249
250 init_log("pt-tls-client");
251 options = options_create();
252
253 lib->plugins->add_static_features(lib->plugins, "pt-tls-client", features,
254 countof(features), TRUE, NULL, NULL);
255 if (!lib->plugins->load(lib->plugins,
256 lib->settings->get_str(lib->settings, "pt-tls-client.load", PLUGINS)))
257 {
258 exit(SS_RC_INITIALIZATION_FAILED);
259 }
260 lib->plugins->status(lib->plugins, LEVEL_CTRL);
261
262 creds = mem_cred_create();
263 lib->credmgr->add_set(lib->credmgr, &creds->set);
264
265 atexit(cleanup);
266 }
267
268 int main(int argc, char *argv[])
269 {
270 char *address = NULL, *identity = "%any", *secret = NULL;
271 char *keyid = NULL, *key_file = NULL;
272 key_type_t key_type = KEY_RSA;
273 int port = PT_TLS_PORT;
274
275 init();
276
277 while (TRUE)
278 {
279 struct option long_opts[] = {
280 {"help", no_argument, NULL, 'h' },
281 {"connect", required_argument, NULL, 'c' },
282 {"client", required_argument, NULL, 'i' },
283 {"secret", required_argument, NULL, 's' },
284 {"port", required_argument, NULL, 'p' },
285 {"cert", required_argument, NULL, 'x' },
286 {"keyid", required_argument, NULL, 'K' },
287 {"key", required_argument, NULL, 'k' },
288 {"key-type", required_argument, NULL, 't' },
289 {"mutual", no_argument, NULL, 'm' },
290 {"quiet", no_argument, NULL, 'q' },
291 {"debug", required_argument, NULL, 'd' },
292 {"optionsfrom", required_argument, NULL, '+' },
293 {0,0,0,0 }
294 };
295 switch (getopt_long(argc, argv, "", long_opts, NULL))
296 {
297 case EOF:
298 break;
299 case 'h': /* --help */
300 usage(stdout);
301 return 0;
302 case 'x': /* --cert <file> */
303 if (!load_certificate(optarg))
304 {
305 return 1;
306 }
307 continue;
308 case 'K': /* --keyid <hex> */
309 keyid = optarg;
310 continue;
311 case 'k': /* --key <file> */
312 key_file = optarg;
313 continue;
314 case 't': /* --key-type <type> */
315 if (strcaseeq(optarg, "ecdsa"))
316 {
317 key_type = KEY_ECDSA;
318 }
319 else if (strcaseeq(optarg, "rsa"))
320 {
321 key_type = KEY_RSA;
322 }
323 else
324 {
325 key_type = KEY_ANY;
326 }
327 continue;
328 case 'c': /* --connect <hostname|address> */
329 if (address)
330 {
331 usage(stderr);
332 return 1;
333 }
334 address = optarg;
335 continue;
336 case 'i': /* --client <client-id> */
337 identity = optarg;
338 continue;
339 case 's': /* --secret <password> */
340 secret = optarg;
341 continue;
342 case 'p': /* --port <port> */
343 port = atoi(optarg);
344 continue;
345 case 'm': /* --mutual */
346 lib->settings->set_bool(lib->settings,
347 "%s.plugins.tnccs-20.mutual", TRUE, lib->ns);
348 continue;
349 case 'q': /* --quiet */
350 log_to_stderr = FALSE;
351 continue;
352 case 'd': /* --debug <level> */
353 default_loglevel = atoi(optarg);
354 continue;
355 case '+': /* --optionsfrom <filename> */
356 if (!options->from(options, optarg, &argc, &argv, optind))
357 {
358 return 1;
359 }
360 continue;
361 default:
362 usage(stderr);
363 return 1;
364 }
365 break;
366 }
367 if (!address)
368 {
369 usage(stderr);
370 return 1;
371 }
372 if ((keyid || key_file) && !load_key(keyid, key_file, key_type))
373 {
374 return 1;
375 }
376 if (secret)
377 {
378 creds->add_shared(creds, shared_key_create(SHARED_EAP,
379 chunk_clone(chunk_from_str(secret))),
380 identification_create_from_string(identity), NULL);
381 }
382 return client(address, port, identity);
383 }