src/journal-remote/microhttpd-util.c

   1 /* SPDX-License-Identifier: LGPL-2.1+ */
   2
   3 #include <stddef.h>
   4 #include <stdio.h>
   5
   6 #if HAVE_GNUTLS
   7 #include <gnutls/gnutls.h>
   8 #include <gnutls/x509.h>
   9 #endif
  10
  11 #include "alloc-util.h"
  12 #include "log.h"
  13 #include "macro.h"
  14 #include "microhttpd-util.h"
  15 #include "string-util.h"
  16 #include "strv.h"
  17 #include "util.h"
  18
  19 void microhttpd_logger(void *arg, const char *fmt, va_list ap) {
  20         char *f;
  21
  22         f = strjoina("microhttpd: ", fmt);
  23
  24         DISABLE_WARNING_FORMAT_NONLITERAL;
  25         log_internalv(LOG_INFO, 0, NULL, 0, NULL, f, ap);
  26         REENABLE_WARNING;
  27 }
  28
  29 static int mhd_respond_internal(struct MHD_Connection *connection,
  30                                 enum MHD_RequestTerminationCode code,
  31                                 const char *buffer,
  32                                 size_t size,
  33                                 enum MHD_ResponseMemoryMode mode) {
  34         assert(connection);
  35
  36         _cleanup_(MHD_destroy_responsep) struct MHD_Response *response
  37                 = MHD_create_response_from_buffer(size, (char*) buffer, mode);
  38         if (!response)
  39                 return MHD_NO;
  40
  41         log_debug("Queueing response %u: %s", code, buffer);
  42         MHD_add_response_header(response, "Content-Type", "text/plain");
  43         return MHD_queue_response(connection, code, response);
  44 }
  45
  46 int mhd_respond(struct MHD_Connection *connection,
  47                 enum MHD_RequestTerminationCode code,
  48                 const char *message) {
  49
  50         const char *fmt;
  51
  52         fmt = strjoina(message, "\n");
  53
  54         return mhd_respond_internal(connection, code,
  55                                     fmt, strlen(message) + 1,
  56                                     MHD_RESPMEM_PERSISTENT);
  57 }
  58
  59 int mhd_respond_oom(struct MHD_Connection *connection) {
  60         return mhd_respond(connection, MHD_HTTP_SERVICE_UNAVAILABLE,  "Out of memory.");
  61 }
  62
  63 int mhd_respondf(struct MHD_Connection *connection,
  64                  int error,
  65                  enum MHD_RequestTerminationCode code,
  66                  const char *format, ...) {
  67
  68         const char *fmt;
  69         char *m;
  70         int r;
  71         va_list ap;
  72
  73         assert(connection);
  74         assert(format);
  75
  76         if (error < 0)
  77                 error = -error;
  78         errno = -error;
  79         fmt = strjoina(format, "\n");
  80         va_start(ap, format);
  81 #pragma GCC diagnostic push
  82 #pragma GCC diagnostic ignored "-Wformat-nonliteral"
  83         r = vasprintf(&m, fmt, ap);
  84 #pragma GCC diagnostic pop
  85         va_end(ap);
  86
  87         if (r < 0)
  88                 return respond_oom(connection);
  89
  90         return mhd_respond_internal(connection, code, m, r, MHD_RESPMEM_MUST_FREE);
  91 }
  92
  93 #if HAVE_GNUTLS
  94
  95 static struct {
  96         const char *const names[4];
  97         int level;
  98         bool enabled;
  99 } gnutls_log_map[] = {
 100         { {"0"},                  LOG_DEBUG },
 101         { {"1", "audit"},         LOG_WARNING, true}, /* gnutls session audit */
 102         { {"2", "assert"},        LOG_DEBUG },        /* gnutls assert log */
 103         { {"3", "hsk", "ext"},    LOG_DEBUG },        /* gnutls handshake log */
 104         { {"4", "rec"},           LOG_DEBUG },        /* gnutls record log */
 105         { {"5", "dtls"},          LOG_DEBUG },        /* gnutls DTLS log */
 106         { {"6", "buf"},           LOG_DEBUG },
 107         { {"7", "write", "read"}, LOG_DEBUG },
 108         { {"8"},                  LOG_DEBUG },
 109         { {"9", "enc", "int"},    LOG_DEBUG },
 110 };
 111
 112 static void log_func_gnutls(int level, const char *message) {
 113         assert_se(message);
 114
 115         if (0 <= level && level < (int) ELEMENTSOF(gnutls_log_map)) {
 116                 if (gnutls_log_map[level].enabled)
 117                         log_internal(gnutls_log_map[level].level, 0, NULL, 0, NULL, "gnutls %d/%s: %s", level, gnutls_log_map[level].names[1], message);
 118         } else {
 119                 log_debug("Received GNUTLS message with unknown level %d.", level);
 120                 log_internal(LOG_DEBUG, 0, NULL, 0, NULL, "gnutls: %s", message);
 121         }
 122 }
 123
 124 static void log_reset_gnutls_level(void) {
 125         int i;
 126
 127         for (i = ELEMENTSOF(gnutls_log_map) - 1; i >= 0; i--)
 128                 if (gnutls_log_map[i].enabled) {
 129                         log_debug("Setting gnutls log level to %d", i);
 130                         gnutls_global_set_log_level(i);
 131                         break;
 132                 }
 133 }
 134
 135 static int log_enable_gnutls_category(const char *cat) {
 136         unsigned i;
 137
 138         if (streq(cat, "all")) {
 139                 for (i = 0; i < ELEMENTSOF(gnutls_log_map); i++)
 140                         gnutls_log_map[i].enabled = true;
 141                 log_reset_gnutls_level();
 142                 return 0;
 143         } else
 144                 for (i = 0; i < ELEMENTSOF(gnutls_log_map); i++)
 145                         if (strv_contains((char**)gnutls_log_map[i].names, cat)) {
 146                                 gnutls_log_map[i].enabled = true;
 147                                 log_reset_gnutls_level();
 148                                 return 0;
 149                         }
 150         return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No such log category: %s", cat);
 151 }
 152
 153 int setup_gnutls_logger(char **categories) {
 154         char **cat;
 155         int r;
 156
 157         gnutls_global_set_log_function(log_func_gnutls);
 158
 159         if (categories) {
 160                 STRV_FOREACH(cat, categories) {
 161                         r = log_enable_gnutls_category(*cat);
 162                         if (r < 0)
 163                                 return r;
 164                 }
 165         } else
 166                 log_reset_gnutls_level();
 167
 168         return 0;
 169 }
 170
 171 static int verify_cert_authorized(gnutls_session_t session) {
 172         unsigned status;
 173         gnutls_certificate_type_t type;
 174         gnutls_datum_t out;
 175         int r;
 176
 177         r = gnutls_certificate_verify_peers2(session, &status);
 178         if (r < 0)
 179                 return log_error_errno(r, "gnutls_certificate_verify_peers2 failed: %m");
 180
 181         type = gnutls_certificate_type_get(session);
 182         r = gnutls_certificate_verification_status_print(status, type, &out, 0);
 183         if (r < 0)
 184                 return log_error_errno(r, "gnutls_certificate_verification_status_print failed: %m");
 185
 186         log_debug("Certificate status: %s", out.data);
 187         gnutls_free(out.data);
 188
 189         return status == 0 ? 0 : -EPERM;
 190 }
 191
 192 static int get_client_cert(gnutls_session_t session, gnutls_x509_crt_t *client_cert) {
 193         const gnutls_datum_t *pcert;
 194         unsigned listsize;
 195         gnutls_x509_crt_t cert;
 196         int r;
 197
 198         assert(session);
 199         assert(client_cert);
 200
 201         pcert = gnutls_certificate_get_peers(session, &listsize);
 202         if (!pcert || !listsize)
 203                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
 204                                        "Failed to retrieve certificate chain");
 205
 206         r = gnutls_x509_crt_init(&cert);
 207         if (r < 0) {
 208                 log_error("Failed to initialize client certificate");
 209                 return r;
 210         }
 211
 212         /* Note that by passing values between 0 and listsize here, you
 213            can get access to the CA's certs */
 214         r = gnutls_x509_crt_import(cert, &pcert[0], GNUTLS_X509_FMT_DER);
 215         if (r < 0) {
 216                 log_error("Failed to import client certificate");
 217                 gnutls_x509_crt_deinit(cert);
 218                 return r;
 219         }
 220
 221         *client_cert = cert;
 222         return 0;
 223 }
 224
 225 static int get_auth_dn(gnutls_x509_crt_t client_cert, char **buf) {
 226         size_t len = 0;
 227         int r;
 228
 229         assert(buf);
 230         assert(*buf == NULL);
 231
 232         r = gnutls_x509_crt_get_dn(client_cert, NULL, &len);
 233         if (r != GNUTLS_E_SHORT_MEMORY_BUFFER) {
 234                 log_error("gnutls_x509_crt_get_dn failed");
 235                 return r;
 236         }
 237
 238         *buf = malloc(len);
 239         if (!*buf)
 240                 return log_oom();
 241
 242         gnutls_x509_crt_get_dn(client_cert, *buf, &len);
 243         return 0;
 244 }
 245
 246 static void gnutls_x509_crt_deinitp(gnutls_x509_crt_t *p) {
 247         gnutls_x509_crt_deinit(*p);
 248 }
 249
 250 int check_permissions(struct MHD_Connection *connection, int *code, char **hostname) {
 251         const union MHD_ConnectionInfo *ci;
 252         gnutls_session_t session;
 253         _cleanup_(gnutls_x509_crt_deinitp) gnutls_x509_crt_t client_cert = NULL;
 254         _cleanup_free_ char *buf = NULL;
 255         int r;
 256
 257         assert(connection);
 258         assert(code);
 259
 260         *code = 0;
 261
 262         ci = MHD_get_connection_info(connection,
 263                                      MHD_CONNECTION_INFO_GNUTLS_SESSION);
 264         if (!ci) {
 265                 log_error("MHD_get_connection_info failed: session is unencrypted");
 266                 *code = mhd_respond(connection, MHD_HTTP_FORBIDDEN,
 267                                     "Encrypted connection is required");
 268                 return -EPERM;
 269         }
 270         session = ci->tls_session;
 271         assert(session);
 272
 273         r = get_client_cert(session, &client_cert);
 274         if (r < 0) {
 275                 *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
 276                                     "Authorization through certificate is required");
 277                 return -EPERM;
 278         }
 279
 280         r = get_auth_dn(client_cert, &buf);
 281         if (r < 0) {
 282                 *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
 283                                     "Failed to determine distinguished name from certificate");
 284                 return -EPERM;
 285         }
 286
 287         log_debug("Connection from %s", buf);
 288
 289         if (hostname)
 290                 *hostname = TAKE_PTR(buf);
 291
 292         r = verify_cert_authorized(session);
 293         if (r < 0) {
 294                 log_warning("Client is not authorized");
 295                 *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
 296                                     "Client certificate not signed by recognized authority");
 297         }
 298         return r;
 299 }
 300
 301 #else
 302 int check_permissions(struct MHD_Connection *connection, int *code, char **hostname) {
 303         return -EPERM;
 304 }
 305
 306 int setup_gnutls_logger(char **categories) {
 307         if (categories)
 308                 log_notice("Ignoring specified gnutls logging categories — gnutls not available.");
 309         return 0;
 310 }
 311 #endif