Diffstat (limited to 'contrib/keychain-mcd/main.c')
-rw-r--r--contrib/keychain-mcd/main.c98
1 files changed, 77 insertions, 21 deletions
diff --git a/contrib/keychain-mcd/main.c b/contrib/keychain-mcd/main.c
index 2263b7d..7d8fc83 100644
--- a/contrib/keychain-mcd/main.c
+++ b/contrib/keychain-mcd/main.c
@@ -38,36 +38,44 @@
#include "../../src/openvpn/base64.h"
-SecIdentityRef template_to_identity(const char *template)
+SecIdentityRef
+template_to_identity(const char *template)
{
SecIdentityRef identity;
CertDataRef pCertDataTemplate = createCertDataFromString(template);
if (pCertDataTemplate == NULL)
+ {
errx(1, "Bad certificate template");
+ }
identity = findIdentity(pCertDataTemplate);
if (identity == NULL)
+ {
errx(1, "No such identify");
+ }
fprintf(stderr, "Identity found\n");
destroyCertData(pCertDataTemplate);
return identity;
}
-int connect_to_management_server(const char *ip, const char *port)
+int
+connect_to_management_server(const char *ip, const char *port)
{
int fd;
struct sockaddr_un addr_un;
struct sockaddr *addr;
size_t addr_len;
- if (strcmp(port, "unix") == 0) {
- addr = (struct sockaddr*)&addr_un;
+ if (strcmp(port, "unix") == 0)
+ {
+ addr = (struct sockaddr *)&addr_un;
addr_len = sizeof(addr_un);
addr_un.sun_family = AF_UNIX;
strncpy(addr_un.sun_path, ip, sizeof(addr_un.sun_path));
fd = socket(AF_UNIX, SOCK_STREAM, 0);
}
- else {
+ else
+ {
int rv;
struct addrinfo *result;
struct addrinfo hints;
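Review bot: The AF_UNIX branch copies the path with `strncpy(addr_un.sun_path, ip, sizeof(addr_un.sun_path))`, which silently truncates and leaves sun_path without a NUL terminator when ip is at least sizeof(sun_path) bytes long, and addr_un is never zeroed, so any padding or length byte in the struct (the BSD sun_len field, if present) is passed to connect() uninitialized. Clear the struct and reject over-long paths before the copy: `memset(&addr_un, 0, sizeof(addr_un)); if (strlen(ip) >= sizeof(addr_un.sun_path)) errx(1, "unix socket path too long: %s", ip);`. connect_to_management_server() continues in the following hunks. Separately, the message `"No such identify"` in template_to_identity reads like a typo for "identity".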
@@ -78,9 +86,13 @@ int connect_to_management_server(const char *ip, const char *port)
rv = getaddrinfo(ip, port, &hints, &result);
if (rv < 0)
+ {
errx(1, "getaddrinfo: %s", gai_strerror(rv));
+ }
if (result == NULL)
+ {
errx(1, "getaddrinfo returned 0 addressed");
+ }
/* Use the first found address */
fd = socket(result->ai_family, result->ai_socktype, result->ai_protocol);
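Review bot: `if (rv < 0)` after getaddrinfo() does not catch failures: getaddrinfo() signals an error with any non-zero return, and the EAI_* codes are positive on macOS and most other platforms, so a resolution failure falls through to the weaker `result == NULL` check and the gai_strerror() text is lost. Use `if (rv != 0)` and fix the fallback message, `errx(1, "getaddrinfo returned 0 addresses")`. `result` is also never released with freeaddrinfo(); since addr presumably aliases result->ai_addr, that free would have to come after connect(), outside this hunk.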
@@ -88,20 +100,26 @@ int connect_to_management_server(const char *ip, const char *port)
addr_len = result->ai_addrlen;
}
if (fd < 0)
+ {
err(1, "socket");
+ }
if (connect(fd, addr, addr_len) < 0)
+ {
err(1, "connect");
+ }
return fd;
}
-int is_prefix(const char *s, const char *prefix)
+int
+is_prefix(const char *s, const char *prefix)
{
return strncmp(s, prefix, strlen(prefix)) == 0;
}
-void handle_rsasign(FILE *man_file, SecIdentityRef identity, const char *input)
+void
+handle_rsasign(FILE *man_file, SecIdentityRef identity, const char *input)
{
const char *input_b64 = strchr(input, ':') + 1;
char *input_binary;
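Review bot: `strchr(input, ':') + 1` in handle_rsasign is undefined behaviour if input has no colon, because strchr() returns NULL; the only visible caller, management_loop, only passes lines matching `>RSA_SIGN:` so the colon is present today, but the function carries no guard of its own. Either document the precondition with `/* input must start with ">RSA_SIGN:"; the caller guarantees the colon. */` or check it: `const char *input_b64 = strchr(input, ':'); if (input_b64 == NULL) errx(1, "RSA_SIGN: malformed command"); input_b64++;`. handle_rsasign() continues in the next hunk.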
@@ -114,13 +132,17 @@ void handle_rsasign(FILE *man_file, SecIdentityRef identity, const char *input)
input_binary = malloc(input_len);
input_len = openvpn_base64_decode(input_b64, input_binary, input_len);
if (input_len < 0)
+ {
errx(1, "openvpn_base64_decode: overflow");
+ }
output_len = 1024;
output_binary = malloc(output_len);
signData(identity, (const uint8_t *)input_binary, input_len, (uint8_t *)output_binary, &output_len);
if (output_len == 0)
+ {
errx(1, "handle_rsasign: failed to sign data");
+ }
openvpn_base64_encode(output_binary, output_len, &output_b64);
fprintf(man_file, "rsa-sig\n%s\nEND\n", output_b64);
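Review bot: Both `malloc(input_len)` and `malloc(output_len)` are used without a NULL check, and the return value of openvpn_base64_encode() is ignored, so an allocation failure or an encode error (which presumably leaves output_b64 unset) reaches the fprintf with a NULL or garbage pointer. Check each: `if (input_binary == NULL) err(1, "malloc");`, likewise for output_binary, and `if (openvpn_base64_encode(output_binary, output_len, &output_b64) < 0) errx(1, "openvpn_base64_encode failed");`. The fixed 1024-byte output buffer also caps the signature size; whether signData() reports truncation through output_len is not visible here. Note that this path signs whatever bytes the management peer sends, so the management socket effectively grants use of the private key and should be protected accordingly.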
@@ -131,7 +153,8 @@ void handle_rsasign(FILE *man_file, SecIdentityRef identity, const char *input)
fprintf(stderr, "Handled RSA_SIGN command\n");
}
-void handle_needcertificate(FILE *man_file, SecIdentityRef identity)
+void
+handle_needcertificate(FILE *man_file, SecIdentityRef identity)
{
OSStatus status;
SecCertificateRef certificate = NULL;
@@ -141,14 +164,17 @@ void handle_needcertificate(FILE *man_file, SecIdentityRef identity)
char *result_b64, *tmp_b64;
status = SecIdentityCopyCertificate(identity, &certificate);
- if (status != noErr) {
+ if (status != noErr)
+ {
const char *msg = GetMacOSStatusErrorString(status);
err(1, "SecIdentityCopyCertificate() failed: %s", msg);
}
data = SecCertificateCopyData(certificate);
if (data == NULL)
+ {
err(1, "SecCertificateCopyData() returned NULL");
+ }
cert = CFDataGetBytePtr(data);
cert_len = CFDataGetLength(data);
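Review bot: `err(1, "SecIdentityCopyCertificate() failed: %s", msg)` and `err(1, "SecCertificateCopyData() returned NULL")` use err(), which appends strerror(errno), but no errno-setting call precedes them, so the message ends with an unrelated or "Undefined error: 0" suffix; errx() is the right call here, as the rest of the file already uses for non-errno failures. Change both to `errx(1, ...)`. GetMacOSStatusErrorString() is, as far as I recall, deprecated in recent macOS SDKs, so printing the raw status with `%d` alongside the text would keep the diagnostic useful if it stops resolving. handle_needcertificate() starts in the previous hunk and continues past this one.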
@@ -162,11 +188,13 @@ void handle_needcertificate(FILE *man_file, SecIdentityRef identity)
fprintf(man_file, "-----BEGIN CERTIFICATE-----\n");
tmp_b64 = result_b64;
while (strlen(tmp_b64) > 64) {
- fprintf(man_file, "%.64s\n", tmp_b64);
- tmp_b64 += 64;
+ fprintf(man_file, "%.64s\n", tmp_b64);
+ tmp_b64 += 64;
}
if (*tmp_b64)
- fprintf(man_file, "%s\n", tmp_b64);
+ {
+ fprintf(man_file, "%s\n", tmp_b64);
+ }
fprintf(man_file, "-----END CERTIFICATE-----\n");
fprintf(man_file, "END\n");
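Review bot: `while (strlen(tmp_b64) > 64)` rescans the remainder of the base64 string on every iteration, making the PEM wrapping quadratic in the certificate size; harmless for one certificate but easily avoided by computing the length once: `size_t rem = strlen(result_b64); while (rem > 64) { fprintf(man_file, "%.64s\n", tmp_b64); tmp_b64 += 64; rem -= 64; }` with `if (rem)` guarding the tail line. None of the fprintf() results are checked either, so a closed management socket is only noticed on the next getline(). handle_needcertificate() continues past the end of this hunk.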
@@ -177,62 +205,87 @@ void handle_needcertificate(FILE *man_file, SecIdentityRef identity)
fprintf(stderr, "Handled NEED 'cert' command\n");
}
-void management_loop(SecIdentityRef identity, int man_fd, const char *password)
+void
+management_loop(SecIdentityRef identity, int man_fd, const char *password)
{
char *buffer = NULL;
size_t buffer_len = 0;
FILE *man = fdopen(man_fd, "w+");
if (man == 0)
+ {
err(1, "fdopen");
+ }
if (password)
+ {
fprintf(man, "%s\n", password);
+ }
while (1) {
if (getline(&buffer, &buffer_len, man) < 0)
+ {
err(1, "getline");
+ }
#if 0
fprintf(stderr, "M: %s", buffer);
#endif
if (is_prefix(buffer, ">RSA_SIGN:"))
+ {
handle_rsasign(man, identity, buffer);
- if (is_prefix(buffer, ">NEED-CERTIFICATE")) {
- if (!identity) {
+ }
+ if (is_prefix(buffer, ">NEED-CERTIFICATE"))
+ {
+ if (!identity)
+ {
const char prefix[] = ">NEED-CERTIFICATE:macosx-keychain:";
if (!is_prefix(buffer, prefix))
- errx(1, "No identity template is passed via command line and " \
- "NEED-CERTIFICATE management interface command " \
- "misses 'macosx-keychain' prefix.");
+ {
+ errx(1, "No identity template is passed via command line and " \
+ "NEED-CERTIFICATE management interface command " \
+ "misses 'macosx-keychain' prefix.");
+ }
identity = template_to_identity(buffer+strlen(prefix));
}
handle_needcertificate(man, identity);
}
if (is_prefix(buffer, ">FATAL"))
+ {
fprintf(stderr, "Fatal message from OpenVPN: %s\n", buffer+7);
+ }
if (is_prefix(buffer, ">INFO"))
+ {
fprintf(stderr, "INFO message from OpenVPN: %s\n", buffer+6);
+ }
}
}
-char *read_password(const char *fname)
+char *
+read_password(const char *fname)
{
char *password = NULL;
FILE *pwf = fopen(fname, "r");
size_t n = 0;
if (pwf == NULL)
+ {
errx(1, "fopen(%s) failed", fname);
+ }
if (getline(&password, &n, pwf) < 0)
+ {
err(1, "getline");
+ }
fclose(pwf);
return password;
}
-int main(int argc, char* argv[])
+int
+main(int argc, char *argv[])
{
if (argc < 4)
+ {
err(1, "usage: %s <identity_template> <management_ip> <management_port> [<pw-file>]", argv[0]);
+ }
char *identity_template = argv[1];
char *s_ip = argv[2];
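Review bot: read_password() returns the getline() buffer with its trailing newline intact, and management_loop then sends it with `fprintf(man, "%s\n", password)`, so the management interface receives the password followed by an empty line, and any trailing whitespace in the file becomes part of the password. Strip it in read_password before returning: `password[strcspn(password, "\r\n")] = '\0';`. Separately, the stream is opened `"w+"` and the loop writes (the password, then each handler's response) and calls getline() with no fflush() in between; C11 requires a flush or positioning call between output and input on an update stream, and while BSD-derived stdio tends to handle the switch implicitly, an explicit `fflush(man)` after each write keeps it portable and guarantees the response leaves the buffer before the next read blocks. Also, `err(1, "usage: ...")` appends a meaningless strerror(errno) to the usage text; errx() fits better. main() begins at the end of this hunk and continues in the next.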
@@ -240,14 +293,17 @@ int main(int argc, char* argv[])
char *password = NULL;
int man_fd;
- if (argc > 4) {
+ if (argc > 4)
+ {
char *s_pw_file = argv[4];
password = read_password(s_pw_file);
}
SecIdentityRef identity = NULL;
if (strcmp(identity_template, "auto"))
+ {
identity = template_to_identity(identity_template);
+ }
man_fd = connect_to_management_server(s_ip, s_port);
fprintf(stderr, "Successfully connected to openvpn\n");
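Review bot: With `"auto"` the identity is not fixed by the operator but chosen later from whatever `>NEED-CERTIFICATE:macosx-keychain:` template the management peer sends (management_loop, earlier hunk), and every subsequent `>RSA_SIGN:` request is signed with that key, so whoever listens on the given management address effectively decides which keychain key signs what; the optional pw-file authenticates this tool to OpenVPN, not OpenVPN to this tool. That trust direction deserves a comment at the `strcmp(identity_template, "auto")` branch, e.g. `/* "auto": trust the management peer to name the keychain identity via NEED-CERTIFICATE. */`, and the usage text could advise restricting the TCP form to loopback. main() continues past the end of this hunk.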