Optionally announce PB-TNC mutual protocol capability
[strongswan.git] / src / pt-tls-client / pt-tls-client.c
1 /*
2 * Copyright (C) 2010-2013 Martin Willi, revosec AG
3 * Copyright (C) 2013-2015 Andreas Steffen
4 * HSR Hochschule für Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 #include <unistd.h>
18 #include <stdio.h>
19 #include <sys/types.h>
20 #include <getopt.h>
21 #include <errno.h>
22 #include <string.h>
23 #include <stdlib.h>
24 #ifdef HAVE_SYSLOG
25 #include <syslog.h>
26 #endif
27
28 #include <pt_tls.h>
29 #include <pt_tls_client.h>
30 #include <tnc/tnc.h>
31 #include <tls.h>
32
33 #include <library.h>
34 #include <utils/debug.h>
35 #include <credentials/sets/mem_cred.h>
36 #include <utils/optionsfrom.h>
37
38 /**
39 * Print usage information
40 */
41 static void usage(FILE *out)
42 {
43 fprintf(out,
44 "Usage: pt-tls --connect <hostname|address> [--port <port>]\n"
45 " [--cert <file>]+ [--key <file>]\n"
46 " [--client <client-id>] [--secret <password>]\n"
47 " [--optionsfrom <filename>] [--quiet] [--debug <level>]\n");
48 }
49
50 /**
51 * Client routine
52 */
53 static int client(char *address, u_int16_t port, char *identity)
54 {
55 pt_tls_client_t *assessment;
56 tls_t *tnccs;
57 identification_t *server_id, *client_id;
58 host_t *server_ip, *client_ip;
59 status_t status;
60
61 server_ip = host_create_from_dns(address, AF_UNSPEC, port);
62 if (!server_ip)
63 {
64 return 1;
65 }
66
67 client_ip = host_create_any(server_ip->get_family(server_ip));
68 if (!client_ip)
69 {
70 server_ip->destroy(server_ip);
71 return 1;
72 }
73 server_id = identification_create_from_string(address);
74 client_id = identification_create_from_string(identity);
75
76 tnccs = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, FALSE,
77 server_id, client_id, server_ip, client_ip,
78 TNC_IFT_TLS_2_0, NULL);
79 client_ip->destroy(client_ip);
80
81 if (!tnccs)
82 {
83 fprintf(stderr, "loading TNCCS failed: %s\n", PLUGINS);
84 server_ip->destroy(server_ip);
85 server_id->destroy(server_id);
86 client_id->destroy(client_id);
87 return 1;
88 }
89 assessment = pt_tls_client_create(server_ip, server_id, client_id);
90 status = assessment->run_assessment(assessment, (tnccs_t*)tnccs);
91 assessment->destroy(assessment);
92 tnccs->destroy(tnccs);
93
94 return (status != SUCCESS);
95 }
96
97
98 /**
99 * In-Memory credential set
100 */
101 static mem_cred_t *creds;
102
103 /**
104 * Load certificate from file
105 */
106 static bool load_certificate(char *filename)
107 {
108 certificate_t *cert;
109
110 cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
111 BUILD_FROM_FILE, filename, BUILD_END);
112 if (!cert)
113 {
114 DBG1(DBG_TLS, "loading certificate from '%s' failed", filename);
115 return FALSE;
116 }
117 creds->add_cert(creds, TRUE, cert);
118 return TRUE;
119 }
120
121 /**
122 * Load private key from file
123 */
124 static bool load_key(char *filename)
125 {
126 private_key_t *key;
127
128 key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_RSA,
129 BUILD_FROM_FILE, filename, BUILD_END);
130 if (!key)
131 {
132 DBG1(DBG_TLS, "loading key from '%s' failed", filename);
133 return FALSE;
134 }
135 creds->add_key(creds, key);
136 return TRUE;
137 }
138
139 /**
140 * Logging and debug level
141 */
142 static bool log_to_stderr = TRUE;
143 #ifdef HAVE_SYSLOG
144 static bool log_to_syslog = TRUE;
145 #endif /* HAVE_SYSLOG */
146 static level_t default_loglevel = 1;
147
148 static void dbg_pt_tls(debug_t group, level_t level, char *fmt, ...)
149 {
150 va_list args;
151
152 if (level <= default_loglevel)
153 {
154 if (log_to_stderr)
155 {
156 va_start(args, fmt);
157 vfprintf(stderr, fmt, args);
158 va_end(args);
159 fprintf(stderr, "\n");
160 }
161 #ifdef HAVE_SYSLOG
162 if (log_to_syslog)
163 {
164 char buffer[8192];
165 char *current = buffer, *next;
166
167 /* write in memory buffer first */
168 va_start(args, fmt);
169 vsnprintf(buffer, sizeof(buffer), fmt, args);
170 va_end(args);
171
172 /* do a syslog with every line */
173 while (current)
174 {
175 next = strchr(current, '\n');
176 if (next)
177 {
178 *(next++) = '\0';
179 }
180 syslog(LOG_INFO, "%s\n", current);
181 current = next;
182 }
183 }
184 #endif /* HAVE_SYSLOG */
185 }
186 }
187
188 /**
189 * Initialize logging to stderr/syslog
190 */
191 static void init_log(const char *program)
192 {
193 dbg = dbg_pt_tls;
194
195 if (log_to_stderr)
196 {
197 setbuf(stderr, NULL);
198 }
199 #ifdef HAVE_SYSLOG
200 if (log_to_syslog)
201 {
202 openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
203 }
204 #endif /* HAVE_SYSLOG */
205 }
206
207 /**
208 * Handles --optionsfrom arguments
209 */
210 options_t *options;
211
212 /**
213 * Cleanup
214 */
215 static void cleanup()
216 {
217 lib->processor->cancel(lib->processor);
218 lib->credmgr->remove_set(lib->credmgr, &creds->set);
219 creds->destroy(creds);
220 options->destroy(options);
221 libtnccs_deinit();
222 library_deinit();
223 }
224
225 /**
226 * Initialize library
227 */
228 static void init()
229 {
230 plugin_feature_t features[] = {
231 PLUGIN_NOOP,
232 PLUGIN_PROVIDE(CUSTOM, "pt-tls-client"),
233 PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"),
234 };
235 library_init(NULL, "pt-tls-client");
236 libtnccs_init();
237
238 init_log("pt-tls-client");
239 options = options_create();
240
241 lib->plugins->add_static_features(lib->plugins, "pt-tls-client", features,
242 countof(features), TRUE, NULL, NULL);
243 if (!lib->plugins->load(lib->plugins,
244 lib->settings->get_str(lib->settings, "pt-tls-client.load", PLUGINS)))
245 {
246 exit(SS_RC_INITIALIZATION_FAILED);
247 }
248 lib->plugins->status(lib->plugins, LEVEL_CTRL);
249
250 creds = mem_cred_create();
251 lib->credmgr->add_set(lib->credmgr, &creds->set);
252
253 atexit(cleanup);
254 }
255
256 int main(int argc, char *argv[])
257 {
258 char *address = NULL, *identity = "%any", *secret = NULL;
259 int port = PT_TLS_PORT;
260
261 init();
262
263 while (TRUE)
264 {
265 struct option long_opts[] = {
266 {"help", no_argument, NULL, 'h' },
267 {"connect", required_argument, NULL, 'c' },
268 {"client", required_argument, NULL, 'i' },
269 {"secret", required_argument, NULL, 's' },
270 {"port", required_argument, NULL, 'p' },
271 {"cert", required_argument, NULL, 'x' },
272 {"key", required_argument, NULL, 'k' },
273 {"mutual", no_argument, NULL, 'm' },
274 {"quiet", no_argument, NULL, 'q' },
275 {"debug", required_argument, NULL, 'd' },
276 {"optionsfrom", required_argument, NULL, '+' },
277 {0,0,0,0 }
278 };
279 switch (getopt_long(argc, argv, "", long_opts, NULL))
280 {
281 case EOF:
282 break;
283 case 'h': /* --help */
284 usage(stdout);
285 return 0;
286 case 'x': /* --cert <file> */
287 if (!load_certificate(optarg))
288 {
289 return 1;
290 }
291 continue;
292 case 'k': /* --key <file> */
293 if (!load_key(optarg))
294 {
295 return 1;
296 }
297 continue;
298 case 'c': /* --connect <hostname|address> */
299 if (address)
300 {
301 usage(stderr);
302 return 1;
303 }
304 address = optarg;
305 continue;
306 case 'i': /* --client <client-id> */
307 identity = optarg;
308 continue;
309 case 's': /* --secret <password> */
310 secret = optarg;
311 continue;
312 case 'p': /* --port <port> */
313 port = atoi(optarg);
314 continue;
315 case 'm': /* --mutual */
316 lib->settings->set_bool(lib->settings,
317 "%s.plugins.tnccs-20.mutual", TRUE, lib->ns);
318 continue;
319 case 'q': /* --quiet */
320 log_to_stderr = FALSE;
321 continue;
322 case 'd': /* --debug <level> */
323 default_loglevel = atoi(optarg);
324 continue;
325 case '+': /* --optionsfrom <filename> */
326 if (!options->from(options, optarg, &argc, &argv, optind))
327 {
328 return 1;
329 }
330 continue;
331 default:
332 usage(stderr);
333 return 1;
334 }
335 break;
336 }
337 if (!address)
338 {
339 usage(stderr);
340 return 1;
341 }
342 if (secret)
343 {
344 creds->add_shared(creds, shared_key_create(SHARED_EAP,
345 chunk_clone(chunk_from_str(secret))),
346 identification_create_from_string(identity), NULL);
347 }
348
349 return client(address, port, identity);
350 }