src/journal-remote/microhttpd-util.c

   1 /* SPDX-License-Identifier: LGPL-2.1+ */
   2
   3 #include <stddef.h>
   4 #include <stdio.h>
   5 #include <string.h>
   6
   7 #if HAVE_GNUTLS
   8 #include <gnutls/gnutls.h>
   9 #include <gnutls/x509.h>
  10 #endif
  11
  12 #include "alloc-util.h"
  13 #include "log.h"
  14 #include "macro.h"
  15 #include "microhttpd-util.h"
  16 #include "string-util.h"
  17 #include "strv.h"
  18 #include "util.h"
  19
  20 void microhttpd_logger(void *arg, const char *fmt, va_list ap) {
  21         char *f;
  22
  23         f = strjoina("microhttpd: ", fmt);
  24
  25         DISABLE_WARNING_FORMAT_NONLITERAL;
  26         log_internalv(LOG_INFO, 0, NULL, 0, NULL, f, ap);
  27         REENABLE_WARNING;
  28 }
  29
  30 static int mhd_respond_internal(struct MHD_Connection *connection,
  31                                 enum MHD_RequestTerminationCode code,
  32                                 const char *buffer,
  33                                 size_t size,
  34                                 enum MHD_ResponseMemoryMode mode) {
  35         struct MHD_Response *response;
  36         int r;
  37
  38         assert(connection);
  39
  40         response = MHD_create_response_from_buffer(size, (char*) buffer, mode);
  41         if (!response)
  42                 return MHD_NO;
  43
  44         log_debug("Queueing response %u: %s", code, buffer);
  45         MHD_add_response_header(response, "Content-Type", "text/plain");
  46         r = MHD_queue_response(connection, code, response);
  47         MHD_destroy_response(response);
  48
  49         return r;
  50 }
  51
  52 int mhd_respond(struct MHD_Connection *connection,
  53                 enum MHD_RequestTerminationCode code,
  54                 const char *message) {
  55
  56         const char *fmt;
  57
  58         fmt = strjoina(message, "\n");
  59
  60         return mhd_respond_internal(connection, code,
  61                                     fmt, strlen(message) + 1,
  62                                     MHD_RESPMEM_PERSISTENT);
  63 }
  64
  65 int mhd_respond_oom(struct MHD_Connection *connection) {
  66         return mhd_respond(connection, MHD_HTTP_SERVICE_UNAVAILABLE,  "Out of memory.");
  67 }
  68
  69 int mhd_respondf(struct MHD_Connection *connection,
  70                  int error,
  71                  enum MHD_RequestTerminationCode code,
  72                  const char *format, ...) {
  73
  74         const char *fmt;
  75         char *m;
  76         int r;
  77         va_list ap;
  78
  79         assert(connection);
  80         assert(format);
  81
  82         if (error < 0)
  83                 error = -error;
  84         errno = -error;
  85         fmt = strjoina(format, "\n");
  86         va_start(ap, format);
  87 #pragma GCC diagnostic push
  88 #pragma GCC diagnostic ignored "-Wformat-nonliteral"
  89         r = vasprintf(&m, fmt, ap);
  90 #pragma GCC diagnostic pop
  91         va_end(ap);
  92
  93         if (r < 0)
  94                 return respond_oom(connection);
  95
  96         return mhd_respond_internal(connection, code, m, r, MHD_RESPMEM_MUST_FREE);
  97 }
  98
  99 #if HAVE_GNUTLS
 100
 101 static struct {
 102         const char *const names[4];
 103         int level;
 104         bool enabled;
 105 } gnutls_log_map[] = {
 106         { {"0"},                  LOG_DEBUG },
 107         { {"1", "audit"},         LOG_WARNING, true}, /* gnutls session audit */
 108         { {"2", "assert"},        LOG_DEBUG },        /* gnutls assert log */
 109         { {"3", "hsk", "ext"},    LOG_DEBUG },        /* gnutls handshake log */
 110         { {"4", "rec"},           LOG_DEBUG },        /* gnutls record log */
 111         { {"5", "dtls"},          LOG_DEBUG },        /* gnutls DTLS log */
 112         { {"6", "buf"},           LOG_DEBUG },
 113         { {"7", "write", "read"}, LOG_DEBUG },
 114         { {"8"},                  LOG_DEBUG },
 115         { {"9", "enc", "int"},    LOG_DEBUG },
 116 };
 117
 118 static void log_func_gnutls(int level, const char *message) {
 119         assert_se(message);
 120
 121         if (0 <= level && level < (int) ELEMENTSOF(gnutls_log_map)) {
 122                 if (gnutls_log_map[level].enabled)
 123                         log_internal(gnutls_log_map[level].level, 0, NULL, 0, NULL, "gnutls %d/%s: %s", level, gnutls_log_map[level].names[1], message);
 124         } else {
 125                 log_debug("Received GNUTLS message with unknown level %d.", level);
 126                 log_internal(LOG_DEBUG, 0, NULL, 0, NULL, "gnutls: %s", message);
 127         }
 128 }
 129
 130 static void log_reset_gnutls_level(void) {
 131         int i;
 132
 133         for (i = ELEMENTSOF(gnutls_log_map) - 1; i >= 0; i--)
 134                 if (gnutls_log_map[i].enabled) {
 135                         log_debug("Setting gnutls log level to %d", i);
 136                         gnutls_global_set_log_level(i);
 137                         break;
 138                 }
 139 }
 140
 141 static int log_enable_gnutls_category(const char *cat) {
 142         unsigned i;
 143
 144         if (streq(cat, "all")) {
 145                 for (i = 0; i < ELEMENTSOF(gnutls_log_map); i++)
 146                         gnutls_log_map[i].enabled = true;
 147                 log_reset_gnutls_level();
 148                 return 0;
 149         } else
 150                 for (i = 0; i < ELEMENTSOF(gnutls_log_map); i++)
 151                         if (strv_contains((char**)gnutls_log_map[i].names, cat)) {
 152                                 gnutls_log_map[i].enabled = true;
 153                                 log_reset_gnutls_level();
 154                                 return 0;
 155                         }
 156         return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No such log category: %s", cat);
 157 }
 158
 159 int setup_gnutls_logger(char **categories) {
 160         char **cat;
 161         int r;
 162
 163         gnutls_global_set_log_function(log_func_gnutls);
 164
 165         if (categories) {
 166                 STRV_FOREACH(cat, categories) {
 167                         r = log_enable_gnutls_category(*cat);
 168                         if (r < 0)
 169                                 return r;
 170                 }
 171         } else
 172                 log_reset_gnutls_level();
 173
 174         return 0;
 175 }
 176
 177 static int verify_cert_authorized(gnutls_session_t session) {
 178         unsigned status;
 179         gnutls_certificate_type_t type;
 180         gnutls_datum_t out;
 181         int r;
 182
 183         r = gnutls_certificate_verify_peers2(session, &status);
 184         if (r < 0)
 185                 return log_error_errno(r, "gnutls_certificate_verify_peers2 failed: %m");
 186
 187         type = gnutls_certificate_type_get(session);
 188         r = gnutls_certificate_verification_status_print(status, type, &out, 0);
 189         if (r < 0)
 190                 return log_error_errno(r, "gnutls_certificate_verification_status_print failed: %m");
 191
 192         log_debug("Certificate status: %s", out.data);
 193         gnutls_free(out.data);
 194
 195         return status == 0 ? 0 : -EPERM;
 196 }
 197
 198 static int get_client_cert(gnutls_session_t session, gnutls_x509_crt_t *client_cert) {
 199         const gnutls_datum_t *pcert;
 200         unsigned listsize;
 201         gnutls_x509_crt_t cert;
 202         int r;
 203
 204         assert(session);
 205         assert(client_cert);
 206
 207         pcert = gnutls_certificate_get_peers(session, &listsize);
 208         if (!pcert || !listsize)
 209                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
 210                                        "Failed to retrieve certificate chain");
 211
 212         r = gnutls_x509_crt_init(&cert);
 213         if (r < 0) {
 214                 log_error("Failed to initialize client certificate");
 215                 return r;
 216         }
 217
 218         /* Note that by passing values between 0 and listsize here, you
 219            can get access to the CA's certs */
 220         r = gnutls_x509_crt_import(cert, &pcert[0], GNUTLS_X509_FMT_DER);
 221         if (r < 0) {
 222                 log_error("Failed to import client certificate");
 223                 gnutls_x509_crt_deinit(cert);
 224                 return r;
 225         }
 226
 227         *client_cert = cert;
 228         return 0;
 229 }
 230
 231 static int get_auth_dn(gnutls_x509_crt_t client_cert, char **buf) {
 232         size_t len = 0;
 233         int r;
 234
 235         assert(buf);
 236         assert(*buf == NULL);
 237
 238         r = gnutls_x509_crt_get_dn(client_cert, NULL, &len);
 239         if (r != GNUTLS_E_SHORT_MEMORY_BUFFER) {
 240                 log_error("gnutls_x509_crt_get_dn failed");
 241                 return r;
 242         }
 243
 244         *buf = malloc(len);
 245         if (!*buf)
 246                 return log_oom();
 247
 248         gnutls_x509_crt_get_dn(client_cert, *buf, &len);
 249         return 0;
 250 }
 251
 252 static inline void gnutls_x509_crt_deinitp(gnutls_x509_crt_t *p) {
 253         gnutls_x509_crt_deinit(*p);
 254 }
 255
 256 int check_permissions(struct MHD_Connection *connection, int *code, char **hostname) {
 257         const union MHD_ConnectionInfo *ci;
 258         gnutls_session_t session;
 259         _cleanup_(gnutls_x509_crt_deinitp) gnutls_x509_crt_t client_cert = NULL;
 260         _cleanup_free_ char *buf = NULL;
 261         int r;
 262
 263         assert(connection);
 264         assert(code);
 265
 266         *code = 0;
 267
 268         ci = MHD_get_connection_info(connection,
 269                                      MHD_CONNECTION_INFO_GNUTLS_SESSION);
 270         if (!ci) {
 271                 log_error("MHD_get_connection_info failed: session is unencrypted");
 272                 *code = mhd_respond(connection, MHD_HTTP_FORBIDDEN,
 273                                     "Encrypted connection is required");
 274                 return -EPERM;
 275         }
 276         session = ci->tls_session;
 277         assert(session);
 278
 279         r = get_client_cert(session, &client_cert);
 280         if (r < 0) {
 281                 *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
 282                                     "Authorization through certificate is required");
 283                 return -EPERM;
 284         }
 285
 286         r = get_auth_dn(client_cert, &buf);
 287         if (r < 0) {
 288                 *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
 289                                     "Failed to determine distinguished name from certificate");
 290                 return -EPERM;
 291         }
 292
 293         log_debug("Connection from %s", buf);
 294
 295         if (hostname)
 296                 *hostname = TAKE_PTR(buf);
 297
 298         r = verify_cert_authorized(session);
 299         if (r < 0) {
 300                 log_warning("Client is not authorized");
 301                 *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
 302                                     "Client certificate not signed by recognized authority");
 303         }
 304         return r;
 305 }
 306
 307 #else
 308 int check_permissions(struct MHD_Connection *connection, int *code, char **hostname) {
 309         return -EPERM;
 310 }
 311
 312 int setup_gnutls_logger(char **categories) {
 313         if (categories)
 314                 log_notice("Ignoring specified gnutls logging categories — gnutls not available.");
 315         return 0;
 316 }
 317 #endif