ARG_DISBL_SET([updown], [disable updown firewall script plugin.])
# programs/components
ARG_ENABL_SET([aikgen], [enable AIK generator for TPM 1.2.])
-ARG_ENABL_SET([aikpub2], [enable AIK extractor for TPM 2.0.])
ARG_DISBL_SET([charon], [disable the IKEv1/IKEv2 keying daemon charon.])
ARG_ENABL_SET([cmd], [enable the command line IKE client charon-cmd.])
ARG_ENABL_SET([conftest], [enforce Suite B conformance test framework.])
tss_trousers=true
fi
-if test x$aikpub2 = xtrue; then
- tss_tss2=true
-fi
-
if test x$ntru = xtrue -o x$bliss = xtrue; then
mgf1=true
fi
AM_CONDITIONAL(USE_SCEPCLIENT, test x$scepclient = xtrue)
AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue)
AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue)
-AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$aikpub2 = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
+AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pki = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue -o x$fast = xtrue -o x$imcv = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$tls = xtrue -o x$tnc_tnccs = xtrue -o x$aikgen = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue -o x$nm = xtrue -o x$tkm = xtrue -o x$cmd = xtrue -o x$svc = xtrue -o x$systemd = xtrue)
AM_CONDITIONAL(USE_LIBIPSEC, test x$libipsec = xtrue)
AM_CONDITIONAL(USE_LIBNTTFFT, test x$bliss = xtrue -o x$newhope = xtrue)
AM_CONDITIONAL(USE_LIBTNCIF, test x$tnc_tnccs = xtrue -o x$imcv = xtrue)
AM_CONDITIONAL(USE_LIBTNCCS, test x$tnc_tnccs = xtrue)
AM_CONDITIONAL(USE_LIBPTTLS, test x$tnc_tnccs = xtrue)
-AM_CONDITIONAL(USE_LIBTPMTSS, test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm -o x$aikgen = xtrue -o x$aikpub2 = xtrue -o x$imcv = xtrue)
+AM_CONDITIONAL(USE_LIBTPMTSS, test x$tss_trousers = xtrue -o x$tss_tss2 = xtrue -o x$tpm -o x$aikgen = xtrue -o x$imcv = xtrue)
AM_CONDITIONAL(USE_FILE_CONFIG, test x$stroke = xtrue)
AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$stroke = xtrue -o x$scepclient = xtrue -o x$conftest = xtrue)
AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap)
AM_CONDITIONAL(USE_TKM, test x$tkm = xtrue)
AM_CONDITIONAL(USE_CMD, test x$cmd = xtrue)
AM_CONDITIONAL(USE_AIKGEN, test x$aikgen = xtrue)
-AM_CONDITIONAL(USE_AIKPUB2, test x$aikpub2 = xtrue)
AM_CONDITIONAL(USE_SWANCTL, test x$swanctl = xtrue)
AM_CONDITIONAL(USE_SVC, test x$svc = xtrue)
AM_CONDITIONAL(USE_SYSTEMD, test x$systemd = xtrue)
strongswan_options=
AM_COND_IF([USE_AIKGEN], [strongswan_options=${strongswan_options}" aikgen"])
-AM_COND_IF([USE_AIKPUB2], [strongswan_options=${strongswan_options}" aikpub2"])
AM_COND_IF([USE_ATTR_SQL], [strongswan_options=${strongswan_options}" pool"])
AM_COND_IF([USE_CHARON], [strongswan_options=${strongswan_options}" charon charon-logging"])
AM_COND_IF([USE_FILE_CONFIG], [strongswan_options=${strongswan_options}" starter"])
src/_copyright/Makefile
src/scepclient/Makefile
src/aikgen/Makefile
- src/aikpub2/Makefile
src/pki/Makefile
src/pki/man/Makefile
src/pool/Makefile
+++ /dev/null
-/*
- * Copyright (C) 2016 Andreas Steffen
- * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "tpm_tss.h"
-
-#include <library.h>
-#include <utils/debug.h>
-#include <utils/optionsfrom.h>
-
-#include <syslog.h>
-#include <getopt.h>
-#include <errno.h>
-
-/* default directory where AIK keys are stored */
-#define AIK_DIR IPSEC_CONFDIR "/pts/"
-
-/* default name of AIK public key blob */
-#define DEFAULT_FILENAME_AIKPUBKEY AIK_DIR "aikPub.der"
-
-/* logging */
-static bool log_to_stderr = TRUE;
-static bool log_to_syslog = TRUE;
-static level_t default_loglevel = 1;
-
-/* options read by optionsfrom */
-options_t *options;
-
-chunk_t aik_pubkey;
-chunk_t aik_keyid;
-
-/**
- * logging function for aikpub2
- */
-static void aikpub2_dbg(debug_t group, level_t level, char *fmt, ...)
-{
- char buffer[8192];
- char *current = buffer, *next;
- va_list args;
-
- if (level <= default_loglevel)
- {
- if (log_to_stderr)
- {
- va_start(args, fmt);
- vfprintf(stderr, fmt, args);
- va_end(args);
- fprintf(stderr, "\n");
- }
- if (log_to_syslog)
- {
- /* write in memory buffer first */
- va_start(args, fmt);
- vsnprintf(buffer, sizeof(buffer), fmt, args);
- va_end(args);
-
- /* do a syslog with every line */
- while (current)
- {
- next = strchr(current, '\n');
- if (next)
- {
- *(next++) = '\0';
- }
- syslog(LOG_INFO, "%s\n", current);
- current = next;
- }
- }
- }
-}
-
-/**
- * Initialize logging to stderr/syslog
- */
-static void init_log(const char *program)
-{
- dbg = aikpub2_dbg;
-
- if (log_to_stderr)
- {
- setbuf(stderr, NULL);
- }
- if (log_to_syslog)
- {
- openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV);
- }
-}
-
-/**
- * @brief exit aikgen
- *
- * @param status 0 = OK, -1 = general discomfort
- */
-static void exit_aikpub2(err_t message, ...)
-{
- int status = 0;
-
- free(aik_pubkey.ptr);
- free(aik_keyid.ptr);
- options->destroy(options);
-
- /* print any error message to stderr */
- if (message != NULL && *message != '\0')
- {
- va_list args;
- char m[8192];
-
- va_start(args, message);
- vsnprintf(m, sizeof(m), message, args);
- va_end(args);
-
- fprintf(stderr, "aikpub2 error: %s\n", m);
- status = -1;
- }
- library_deinit();
- exit(status);
-}
-
-/**
- * @brief prints the usage of the program to the stderr output
- *
- * If message is set, program is exited with 1 (error)
- * @param message message in case of an error
- */
-static void usage(const char *message)
-{
- fprintf(stderr,
- "Usage: aikpub2 --handle <handle> --out <filename>\n"
- " [--force] [--quiet] [--debug <level>]\n"
- " aikpub2 --help\n"
- "\n"
- "Options:\n"
- " --handle (-H) TSS 2.0 AIK object handle\n"
- " --out (-o) AIK public key in PKCS #1 format\n"
- " --force (-f) force to overwrite existing files\n"
- " --help (-h) show usage and exit\n"
- "\n"
- "Debugging output:\n"
- " --debug (-l) changes the log level (-1..4, default: 1)\n"
- " --quiet (-q) do not write log output to stderr\n"
- );
- exit_aikpub2(message);
-}
-
-
-/**
- * @brief main of aikpub2 which extracts an Attestation Identity Key (AIK)
- *
- * @param argc number of arguments
- * @param argv pointer to the argument values
- */
-int main(int argc, char *argv[])
-{
- /* external values */
- extern char * optarg;
- extern int optind;
-
- char *aik_out_filename = DEFAULT_FILENAME_AIKPUBKEY;
- uint32_t aik_handle = 0;
- bool force = FALSE;
- hasher_t *hasher;
- tpm_tss_t *tpm;
-
- atexit(library_deinit);
- if (!library_init(NULL, "aikpub2"))
- {
- exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
- }
- if (lib->integrity &&
- !lib->integrity->check_file(lib->integrity, "aikpub2", argv[0]))
- {
- fprintf(stderr, "integrity check of aikpub2 failed\n");
- exit(SS_RC_DAEMON_INTEGRITY);
- }
-
- /* initialize global variables */
- options = options_create();
-
- for (;;)
- {
- static const struct option long_opts[] = {
- /* name, has_arg, flag, val */
- { "help", no_argument, NULL, 'h' },
- { "optionsfrom", required_argument, NULL, '+' },
- { "handle", required_argument, NULL, 'H' },
- { "in", required_argument, NULL, 'i' },
- { "out", required_argument, NULL, 'o' },
- { "force", no_argument, NULL, 'f' },
- { "quiet", no_argument, NULL, 'q' },
- { "debug", required_argument, NULL, 'l' },
- { 0,0,0,0 }
- };
-
- /* parse next option */
- int c = getopt_long(argc, argv, "h+:H:i:o:fql:", long_opts, NULL);
-
- switch (c)
- {
- case EOF: /* end of flags */
- break;
-
- case 'h': /* --help */
- usage(NULL);
-
- case '+': /* --optionsfrom <filename> */
- if (!options->from(options, optarg, &argc, &argv, optind))
- {
- exit_aikpub2("optionsfrom failed");
- }
- continue;
-
- case 'H': /* --handle <handle> */
- aik_handle = strtoll(optarg, NULL, 16);
- continue;
-
- case 'o': /* --out <filename> */
- aik_out_filename = optarg;
- continue;
-
- case 'f': /* --force */
- force = TRUE;
- continue;
-
- case 'q': /* --quiet */
- log_to_stderr = FALSE;
- continue;
-
- case 'l': /* --debug <level> */
- default_loglevel = atoi(optarg);
- continue;
-
- default:
- usage("unknown option");
- }
- /* break from loop */
- break;
- }
-
- init_log("aikpub2");
-
- if (!lib->plugins->load(lib->plugins,
- lib->settings->get_str(lib->settings, "aikpub2.load", PLUGINS)))
- {
- exit_aikpub2("plugin loading failed");
- }
- if (!aik_handle)
- {
- usage("--handle option is required");
- }
-
- /* try to find a TPM 2.0 */
- tpm = tpm_tss_probe(TPM_VERSION_2_0);
- if (!tpm)
- {
- exit_aikpub2("no TPM 2.0 found");
- }
-
- /* get AIK public key from TPM */
- aik_pubkey = tpm->get_public(tpm, aik_handle);
- tpm->destroy(tpm);
-
- /* exit if AIK public key retrieval failed */
- if (aik_pubkey.len == 0)
- {
- exit_aikpub2("retrieval of AIK public key failed");
- }
-
- /* store AIK subjectPublicKeyInfo to file */
- if (!chunk_write(aik_pubkey, aik_out_filename, 0022, force))
- {
- exit_aikpub2("could not write AIK public key file '%s': %s",
- aik_out_filename, strerror(errno));
- }
- DBG1(DBG_LIB, "AIK public key written to '%s' (%u bytes)",
- aik_out_filename, aik_pubkey.len);
-
- /* AIK keyid derived from subjectPublicKeyInfo encoding */
- hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
- if (!hasher)
- {
- exit_aikpub2("SHA1 hash algorithm not supported");
- }
- if (!hasher->allocate_hash(hasher, aik_pubkey, &aik_keyid))
- {
- hasher->destroy(hasher);
- exit_aikpub2("computing SHA1 fingerprint failed");
- }
- hasher->destroy(hasher);
-
- DBG1(DBG_LIB, "AIK keyid: %#B", &aik_keyid);
-
- exit_aikpub2(NULL);
- return -1; /* should never be reached */
-}