75
75
argp_state, struct argp,
76
76
argp_parse(), ARGP_KEY_ARG,
77
77
ARGP_KEY_END, ARGP_ERR_UNKNOWN */
78
#include <signal.h> /* sigemptyset(), sigaddset(),
79
sigaction(), SIGTERM, sigaction */
82
79
#include <sys/klog.h> /* klogctl() */
133
130
} mandos_context;
135
/* global context so signal handler can reach it*/
139
* Make additional room in "buffer" for at least BUFFER_SIZE
140
* additional bytes. "buffer_capacity" is how much is currently
141
* allocated, "buffer_length" is how much is already used.
133
* Make room in "buffer" for at least BUFFER_SIZE additional bytes.
134
* "buffer_capacity" is how much is currently allocated,
135
* "buffer_length" is how much is already used.
143
size_t incbuffer(char **buffer, size_t buffer_length,
137
size_t adjustbuffer(char **buffer, size_t buffer_length,
144
138
size_t buffer_capacity){
145
139
if(buffer_length + BUFFER_SIZE > buffer_capacity){
146
140
*buffer = realloc(*buffer, buffer_capacity + BUFFER_SIZE);
156
150
* Initialize GPGME.
158
static bool init_gpgme(const char *seckey,
152
static bool init_gpgme(mandos_context *mc, const char *seckey,
159
153
const char *pubkey, const char *tempdir){
161
155
gpgme_error_t rc;
185
rc = gpgme_op_import(mc.ctx, pgp_data);
179
rc = gpgme_op_import(mc->ctx, pgp_data);
186
180
if(rc != GPG_ERR_NO_ERROR){
187
181
fprintf(stderr, "bad gpgme_op_import: %s: %s\n",
188
182
gpgme_strsource(rc), gpgme_strerror(rc));
233
227
/* Create new GPGME "context" */
234
rc = gpgme_new(&(mc.ctx));
228
rc = gpgme_new(&(mc->ctx));
235
229
if(rc != GPG_ERR_NO_ERROR){
236
230
fprintf(stderr, "bad gpgme_new: %s: %s\n",
237
231
gpgme_strsource(rc), gpgme_strerror(rc));
249
243
* Decrypt OpenPGP data.
250
244
* Returns -1 on error
252
static ssize_t pgp_packet_decrypt(const char *cryptotext,
246
static ssize_t pgp_packet_decrypt(const mandos_context *mc,
247
const char *cryptotext,
253
248
size_t crypto_size,
254
249
char **plaintext){
255
250
gpgme_data_t dh_crypto, dh_plain;
283
278
/* Decrypt data from the cryptotext data buffer to the plaintext
285
rc = gpgme_op_decrypt(mc.ctx, dh_crypto, dh_plain);
280
rc = gpgme_op_decrypt(mc->ctx, dh_crypto, dh_plain);
286
281
if(rc != GPG_ERR_NO_ERROR){
287
282
fprintf(stderr, "bad gpgme_op_decrypt: %s: %s\n",
288
283
gpgme_strsource(rc), gpgme_strerror(rc));
289
284
plaintext_length = -1;
291
286
gpgme_decrypt_result_t result;
292
result = gpgme_op_decrypt_result(mc.ctx);
287
result = gpgme_op_decrypt_result(mc->ctx);
293
288
if(result == NULL){
294
289
fprintf(stderr, "gpgme_op_decrypt_result failed\n");
332
327
*plaintext = NULL;
334
plaintext_capacity = incbuffer(plaintext,
329
plaintext_capacity = adjustbuffer(plaintext,
335
330
(size_t)plaintext_length,
336
331
plaintext_capacity);
337
332
if(plaintext_capacity == 0){
333
perror("adjustbuffer");
339
334
plaintext_length = -1;
340
335
goto decrypt_end;
387
382
fprintf(stderr, "GnuTLS: %s", string);
390
static int init_gnutls_global(const char *pubkeyfilename,
385
static int init_gnutls_global(mandos_context *mc,
386
const char *pubkeyfilename,
391
387
const char *seckeyfilename){
413
409
/* OpenPGP credentials */
414
gnutls_certificate_allocate_credentials(&mc.cred);
410
gnutls_certificate_allocate_credentials(&mc->cred);
415
411
if(ret != GNUTLS_E_SUCCESS){
416
412
fprintf(stderr, "GnuTLS memory error: %s\n", /* Spurious warning
431
427
ret = gnutls_certificate_set_openpgp_key_file
432
(mc.cred, pubkeyfilename, seckeyfilename,
428
(mc->cred, pubkeyfilename, seckeyfilename,
433
429
GNUTLS_OPENPGP_FMT_BASE64);
434
430
if(ret != GNUTLS_E_SUCCESS){
443
439
/* GnuTLS server initialization */
444
ret = gnutls_dh_params_init(&mc.dh_params);
440
ret = gnutls_dh_params_init(&mc->dh_params);
445
441
if(ret != GNUTLS_E_SUCCESS){
446
442
fprintf(stderr, "Error in GnuTLS DH parameter initialization:"
447
443
" %s\n", safer_gnutls_strerror(ret));
450
ret = gnutls_dh_params_generate2(mc.dh_params, mc.dh_bits);
446
ret = gnutls_dh_params_generate2(mc->dh_params, mc->dh_bits);
451
447
if(ret != GNUTLS_E_SUCCESS){
452
448
fprintf(stderr, "Error in GnuTLS prime generation: %s\n",
453
449
safer_gnutls_strerror(ret));
457
gnutls_certificate_set_dh_params(mc.cred, mc.dh_params);
453
gnutls_certificate_set_dh_params(mc->cred, mc->dh_params);
463
gnutls_certificate_free_credentials(mc.cred);
459
gnutls_certificate_free_credentials(mc->cred);
464
460
gnutls_global_deinit();
465
gnutls_dh_params_deinit(mc.dh_params);
461
gnutls_dh_params_deinit(mc->dh_params);
469
static int init_gnutls_session(gnutls_session_t *session){
465
static int init_gnutls_session(mandos_context *mc,
466
gnutls_session_t *session){
471
468
/* GnuTLS session creation */
472
469
ret = gnutls_init(session, GNUTLS_SERVER);
480
ret = gnutls_priority_set_direct(*session, mc.priority, &err);
477
ret = gnutls_priority_set_direct(*session, mc->priority, &err);
481
478
if(ret != GNUTLS_E_SUCCESS){
482
479
fprintf(stderr, "Syntax error at: %s\n", err);
483
480
fprintf(stderr, "GnuTLS error: %s\n",
490
487
ret = gnutls_credentials_set(*session, GNUTLS_CRD_CERTIFICATE,
492
489
if(ret != GNUTLS_E_SUCCESS){
493
490
fprintf(stderr, "Error setting GnuTLS credentials: %s\n",
494
491
safer_gnutls_strerror(ret));
500
497
gnutls_certificate_server_set_request(*session,
501
498
GNUTLS_CERT_IGNORE);
503
gnutls_dh_set_prime_bits(*session, mc.dh_bits);
500
gnutls_dh_set_prime_bits(*session, mc->dh_bits);
512
509
/* Called when a Mandos server is found */
513
510
static int start_mandos_communication(const char *ip, uint16_t port,
514
511
AvahiIfIndex if_index,
512
mandos_context *mc, int af){
691
buffer_capacity = incbuffer(&buffer, buffer_length,
688
buffer_capacity = adjustbuffer(&buffer, buffer_length,
692
689
buffer_capacity);
693
690
if(buffer_capacity == 0){
691
perror("adjustbuffer");
736
733
gnutls_bye(session, GNUTLS_SHUT_RDWR);
738
735
if(buffer_length > 0){
739
decrypted_buffer_size = pgp_packet_decrypt(buffer,
736
decrypted_buffer_size = pgp_packet_decrypt(mc, buffer,
741
738
&decrypted_buffer);
742
739
if(decrypted_buffer_size >= 0){
788
785
AVAHI_GCC_UNUSED AvahiStringList *txt,
789
786
AVAHI_GCC_UNUSED AvahiLookupResultFlags
791
AVAHI_GCC_UNUSED void* userdata){
789
mandos_context *mc = userdata;
794
792
/* Called whenever a service has been resolved successfully or
799
797
case AVAHI_RESOLVER_FAILURE:
800
798
fprintf(stderr, "(Avahi Resolver) Failed to resolve service '%s'"
801
799
" of type '%s' in domain '%s': %s\n", name, type, domain,
802
avahi_strerror(avahi_server_errno(mc.server)));
800
avahi_strerror(avahi_server_errno(mc->server)));
805
803
case AVAHI_RESOLVER_FOUND:
811
809
PRIdMAX ") on port %" PRIu16 "\n", name, host_name,
812
810
ip, (intmax_t)interface, port);
814
int ret = start_mandos_communication(ip, port, interface,
812
int ret = start_mandos_communication(ip, port, interface, mc,
815
813
avahi_proto_to_af(proto));
817
avahi_simple_poll_quit(mc.simple_poll);
815
avahi_simple_poll_quit(mc->simple_poll);
841
840
case AVAHI_BROWSER_FAILURE:
843
842
fprintf(stderr, "(Avahi browser) %s\n",
844
avahi_strerror(avahi_server_errno(mc.server)));
845
avahi_simple_poll_quit(mc.simple_poll);
843
avahi_strerror(avahi_server_errno(mc->server)));
844
avahi_simple_poll_quit(mc->simple_poll);
848
847
case AVAHI_BROWSER_NEW:
851
850
the callback function is called the Avahi server will free the
852
851
resolver for us. */
854
if(!(avahi_s_service_resolver_new(mc.server, interface,
853
if(!(avahi_s_service_resolver_new(mc->server, interface,
855
854
protocol, name, type, domain,
856
855
AVAHI_PROTO_INET6, 0,
857
resolve_callback, NULL)))
856
resolve_callback, mc)))
858
857
fprintf(stderr, "Avahi: Failed to resolve service '%s': %s\n",
859
name, avahi_strerror(avahi_server_errno(mc.server)));
858
name, avahi_strerror(avahi_server_errno(mc->server)));
862
861
case AVAHI_BROWSER_REMOVE:
874
static void handle_sigterm(__attribute__((unused)) int sig){
875
int old_errno = errno;
876
avahi_simple_poll_quit(mc.simple_poll);
880
873
int main(int argc, char *argv[]){
881
874
AvahiSServiceBrowser *sb = NULL;
896
889
const char *seckey = PATHDIR "/" SECKEY;
897
890
const char *pubkey = PATHDIR "/" PUBKEY;
899
/* Initialize Mandos context */
900
mc = (mandos_context){ .simple_poll = NULL, .server = NULL,
901
.dh_bits = 1024, .priority = "SECURE256"
902
":!CTYPE-X.509:+CTYPE-OPENPGP" };
892
mandos_context mc = { .simple_poll = NULL, .server = NULL,
893
.dh_bits = 1024, .priority = "SECURE256"
894
":!CTYPE-X.509:+CTYPE-OPENPGP" };
903
895
bool gnutls_initialized = false;
904
896
bool gpgme_initialized = false;
905
897
double delay = 2.5;
907
struct sigaction old_sigterm_action;
908
struct sigaction sigterm_action = { .sa_handler = handle_sigterm };
911
900
struct argp_option options[] = {
1105
1094
perror("setuid");
1108
ret = init_gnutls_global(pubkey, seckey);
1097
ret = init_gnutls_global(&mc, pubkey, seckey);
1110
1099
fprintf(stderr, "init_gnutls_global failed\n");
1111
1100
exitcode = EXIT_FAILURE;
1121
1110
tempdir_created = true;
1123
if(not init_gpgme(pubkey, seckey, tempdir)){
1112
if(not init_gpgme(&mc, pubkey, seckey, tempdir)){
1124
1113
fprintf(stderr, "init_gpgme failed\n");
1125
1114
exitcode = EXIT_FAILURE;
1167
ret = start_mandos_communication(address, port, if_index, af);
1156
ret = start_mandos_communication(address, port, if_index, &mc,
1169
1159
exitcode = EXIT_FAILURE;
1217
1207
/* Create the Avahi service browser */
1218
1208
sb = avahi_s_service_browser_new(mc.server, if_index,
1219
1209
AVAHI_PROTO_INET6, "_mandos._tcp",
1220
NULL, 0, browse_callback, NULL);
1210
NULL, 0, browse_callback, &mc);
1221
1211
if(sb == NULL){
1222
1212
fprintf(stderr, "Failed to create service browser: %s\n",
1223
1213
avahi_strerror(avahi_server_errno(mc.server)));
1228
sigemptyset(&sigterm_action.sa_mask);
1229
ret = sigaddset(&sigterm_action.sa_mask, SIGTERM);
1231
perror("sigaddset");
1232
exitcode = EXIT_FAILURE;
1235
ret = sigaction(SIGTERM, &sigterm_action, &old_sigterm_action);
1237
perror("sigaction");
1238
exitcode = EXIT_FAILURE;
1242
1218
/* Run the main loop */