/* * Copyright (C) 2010-2013 Martin Willi, revosec AG * Copyright (C) 2013-2015 Andreas Steffen * HSR Hochschule für Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. See . * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ #include #include #include #include #include #include #include #ifdef HAVE_SYSLOG #include #endif #include #include #include #include #include #include #include #include /** * Print usage information */ static void usage(FILE *out) { fprintf(out, "Usage: pt-tls --connect [--port ]\n" " [--cert ]+ [--keyid |--key ]\n" " [--key-type rsa|ecdsa] [--client ]\n" " [--secret ] [--mutual] [--quiet]\n" " [--debug ] [--options ]\n"); } /** * Client routine */ static int client(char *address, uint16_t port, char *identity) { pt_tls_client_t *assessment; tls_t *tnccs; identification_t *server_id, *client_id; host_t *server_ip, *client_ip; status_t status; server_ip = host_create_from_dns(address, AF_UNSPEC, port); if (!server_ip) { return 1; } client_ip = host_create_any(server_ip->get_family(server_ip)); if (!client_ip) { server_ip->destroy(server_ip); return 1; } server_id = identification_create_from_string(address); client_id = identification_create_from_string(identity); tnccs = (tls_t*)tnc->tnccs->create_instance(tnc->tnccs, TNCCS_2_0, FALSE, server_id, client_id, server_ip, client_ip, TNC_IFT_TLS_2_0, NULL); client_ip->destroy(client_ip); if (!tnccs) { fprintf(stderr, "loading TNCCS failed: %s\n", PLUGINS); server_ip->destroy(server_ip); server_id->destroy(server_id); client_id->destroy(client_id); return 1; } assessment = pt_tls_client_create(server_ip, server_id, client_id); status = assessment->run_assessment(assessment, (tnccs_t*)tnccs); assessment->destroy(assessment); tnccs->destroy(tnccs); return (status != SUCCESS); } /** * In-Memory credential set */ static mem_cred_t *creds; /** * Load certificate from file */ static bool load_certificate(char *filename) { certificate_t *cert; cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, filename, BUILD_END); if (!cert) { DBG1(DBG_TLS, "loading certificate from '%s' failed", filename); return FALSE; } creds->add_cert(creds, TRUE, cert); return TRUE; } /** * Load private key from file */ static bool load_key(char *keyid, char *filename, key_type_t type) { private_key_t *key; chunk_t chunk; if (keyid) { chunk = chunk_from_hex(chunk_create(keyid, strlen(keyid)), NULL); key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, BUILD_PKCS11_KEYID, chunk, BUILD_END); chunk_free(&chunk); } else { key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type, BUILD_FROM_FILE, filename, BUILD_END); } if (!key) { DBG1(DBG_TLS, "loading key from '%s' failed", keyid ? keyid : filename); return FALSE; } creds->add_key(creds, key); return TRUE; } /** * Logging and debug level */ static bool log_to_stderr = TRUE; #ifdef HAVE_SYSLOG static bool log_to_syslog = TRUE; #endif /* HAVE_SYSLOG */ static level_t default_loglevel = 1; static void dbg_pt_tls(debug_t group, level_t level, char *fmt, ...) { va_list args; if (level <= default_loglevel) { if (log_to_stderr) { va_start(args, fmt); vfprintf(stderr, fmt, args); va_end(args); fprintf(stderr, "\n"); } #ifdef HAVE_SYSLOG if (log_to_syslog) { char buffer[8192]; char *current = buffer, *next; /* write in memory buffer first */ va_start(args, fmt); vsnprintf(buffer, sizeof(buffer), fmt, args); va_end(args); /* do a syslog with every line */ while (current) { next = strchr(current, '\n'); if (next) { *(next++) = '\0'; } syslog(LOG_INFO, "%s\n", current); current = next; } } #endif /* HAVE_SYSLOG */ } } /** * Initialize logging to stderr/syslog */ static void init_log(const char *program) { dbg = dbg_pt_tls; if (log_to_stderr) { setbuf(stderr, NULL); } #ifdef HAVE_SYSLOG if (log_to_syslog) { openlog(program, LOG_CONS | LOG_NDELAY | LOG_PID, LOG_AUTHPRIV); } #endif /* HAVE_SYSLOG */ } /** * Handles --optionsfrom arguments */ options_t *options; /** * Cleanup */ static void cleanup() { lib->processor->cancel(lib->processor); lib->credmgr->remove_set(lib->credmgr, &creds->set); creds->destroy(creds); options->destroy(options); libtnccs_deinit(); library_deinit(); } /** * Initialize library */ static void init() { plugin_feature_t features[] = { PLUGIN_NOOP, PLUGIN_PROVIDE(CUSTOM, "pt-tls-client"), PLUGIN_DEPENDS(CUSTOM, "tnccs-manager"), }; library_init(NULL, "pt-tls-client"); libtnccs_init(); init_log("pt-tls-client"); options = options_create(); lib->plugins->add_static_features(lib->plugins, "pt-tls-client", features, countof(features), TRUE, NULL, NULL); if (!lib->plugins->load(lib->plugins, lib->settings->get_str(lib->settings, "pt-tls-client.load", PLUGINS))) { exit(SS_RC_INITIALIZATION_FAILED); } lib->plugins->status(lib->plugins, LEVEL_CTRL); creds = mem_cred_create(); lib->credmgr->add_set(lib->credmgr, &creds->set); atexit(cleanup); } int main(int argc, char *argv[]) { char *address = NULL, *identity = "%any", *secret = NULL; char *keyid = NULL, *key_file = NULL; key_type_t key_type = KEY_RSA; int port = PT_TLS_PORT; init(); while (TRUE) { struct option long_opts[] = { {"help", no_argument, NULL, 'h' }, {"connect", required_argument, NULL, 'c' }, {"client", required_argument, NULL, 'i' }, {"secret", required_argument, NULL, 's' }, {"port", required_argument, NULL, 'p' }, {"cert", required_argument, NULL, 'x' }, {"keyid", required_argument, NULL, 'K' }, {"key", required_argument, NULL, 'k' }, {"key-type", required_argument, NULL, 't' }, {"mutual", no_argument, NULL, 'm' }, {"quiet", no_argument, NULL, 'q' }, {"debug", required_argument, NULL, 'd' }, {"options", required_argument, NULL, '+' }, {"optionsfrom", required_argument, NULL, '+' }, {0,0,0,0 } }; switch (getopt_long(argc, argv, "hc:i:s:p:x:K:k:t:mqd:+:", long_opts, NULL)) { case EOF: break; case 'h': /* --help */ usage(stdout); return 0; case 'x': /* --cert */ if (!load_certificate(optarg)) { return 1; } continue; case 'K': /* --keyid */ keyid = optarg; continue; case 'k': /* --key */ key_file = optarg; continue; case 't': /* --key-type */ if (strcaseeq(optarg, "ecdsa")) { key_type = KEY_ECDSA; } else if (strcaseeq(optarg, "rsa")) { key_type = KEY_RSA; } else { key_type = KEY_ANY; } continue; case 'c': /* --connect */ if (address) { usage(stderr); return 1; } address = optarg; continue; case 'i': /* --client */ identity = optarg; continue; case 's': /* --secret */ secret = optarg; continue; case 'p': /* --port */ port = atoi(optarg); continue; case 'm': /* --mutual */ lib->settings->set_bool(lib->settings, "%s.plugins.tnccs-20.mutual", TRUE, lib->ns); continue; case 'q': /* --quiet */ log_to_stderr = FALSE; continue; case 'd': /* --debug */ default_loglevel = atoi(optarg); continue; case '+': /* --optionsfrom */ if (!options->from(options, optarg, &argc, &argv, optind)) { return 1; } continue; default: usage(stderr); return 1; } break; } if (!address) { usage(stderr); return 1; } if ((keyid || key_file) && !load_key(keyid, key_file, key_type)) { return 1; } if (secret) { creds->add_shared(creds, shared_key_create(SHARED_EAP, chunk_clone(chunk_from_str(secret))), identification_create_from_string(identity), NULL); } return client(address, port, identity); }