src/journal-remote/microhttpd-util.c

   1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
   2
   3 #include <stddef.h>
   4 #include <stdio.h>
   5
   6 #if HAVE_GNUTLS
   7 #include <gnutls/gnutls.h>
   8 #include <gnutls/x509.h>
   9 #endif
  10
  11 #include "alloc-util.h"
  12 #include "log.h"
  13 #include "macro.h"
  14 #include "microhttpd-util.h"
  15 #include "string-util.h"
  16 #include "strv.h"
  17
  18 void microhttpd_logger(void *arg, const char *fmt, va_list ap) {
  19         char *f;
  20
  21         f = strjoina("microhttpd: ", fmt);
  22
  23         DISABLE_WARNING_FORMAT_NONLITERAL;
  24         log_internalv(LOG_INFO, 0, NULL, 0, NULL, f, ap);
  25         REENABLE_WARNING;
  26 }
  27
  28 int mhd_respond_internal(
  29                 struct MHD_Connection *connection,
  30                 enum MHD_RequestTerminationCode code,
  31                 const char *buffer,
  32                 size_t size,
  33                 enum MHD_ResponseMemoryMode mode) {
  34
  35         assert(connection);
  36
  37         _cleanup_(MHD_destroy_responsep) struct MHD_Response *response
  38                 = MHD_create_response_from_buffer(size, (char*) buffer, mode);
  39         if (!response)
  40                 return MHD_NO;
  41
  42         log_debug("Queueing response %u: %s", code, buffer);
  43         if (MHD_add_response_header(response, "Content-Type", "text/plain") == MHD_NO)
  44                 return MHD_NO;
  45         return MHD_queue_response(connection, code, response);
  46 }
  47
  48 int mhd_respond_oom(struct MHD_Connection *connection) {
  49         return mhd_respond(connection, MHD_HTTP_SERVICE_UNAVAILABLE, "Out of memory.");
  50 }
  51
  52 int mhd_respondf_internal(
  53                 struct MHD_Connection *connection,
  54                 int error,
  55                 enum MHD_RequestTerminationCode code,
  56                 const char *format, ...) {
  57
  58         char *m;
  59         int r;
  60         va_list ap;
  61
  62         assert(connection);
  63         assert(format);
  64
  65         if (error < 0)
  66                 error = -error;
  67         errno = -error;
  68         va_start(ap, format);
  69         r = vasprintf(&m, format, ap);
  70         va_end(ap);
  71
  72         if (r < 0)
  73                 return respond_oom(connection);
  74
  75         return mhd_respond_internal(connection, code, m, r, MHD_RESPMEM_MUST_FREE);
  76 }
  77
  78 #if HAVE_GNUTLS
  79
  80 static struct {
  81         const char *const names[4];
  82         int level;
  83         bool enabled;
  84 } gnutls_log_map[] = {
  85         { {"0"},                  LOG_DEBUG },
  86         { {"1", "audit"},         LOG_WARNING, true}, /* gnutls session audit */
  87         { {"2", "assert"},        LOG_DEBUG },        /* gnutls assert log */
  88         { {"3", "hsk", "ext"},    LOG_DEBUG },        /* gnutls handshake log */
  89         { {"4", "rec"},           LOG_DEBUG },        /* gnutls record log */
  90         { {"5", "dtls"},          LOG_DEBUG },        /* gnutls DTLS log */
  91         { {"6", "buf"},           LOG_DEBUG },
  92         { {"7", "write", "read"}, LOG_DEBUG },
  93         { {"8"},                  LOG_DEBUG },
  94         { {"9", "enc", "int"},    LOG_DEBUG },
  95 };
  96
  97 static void log_func_gnutls(int level, const char *message) {
  98         assert_se(message);
  99
 100         if (0 <= level && level < (int) ELEMENTSOF(gnutls_log_map)) {
 101                 if (gnutls_log_map[level].enabled)
 102                         log_internal(gnutls_log_map[level].level, 0, NULL, 0, NULL, "gnutls %d/%s: %s", level, gnutls_log_map[level].names[1], message);
 103         } else {
 104                 log_debug("Received GNUTLS message with unknown level %d.", level);
 105                 log_internal(LOG_DEBUG, 0, NULL, 0, NULL, "gnutls: %s", message);
 106         }
 107 }
 108
 109 static void log_reset_gnutls_level(void) {
 110         int i;
 111
 112         for (i = ELEMENTSOF(gnutls_log_map) - 1; i >= 0; i--)
 113                 if (gnutls_log_map[i].enabled) {
 114                         log_debug("Setting gnutls log level to %d", i);
 115                         gnutls_global_set_log_level(i);
 116                         break;
 117                 }
 118 }
 119
 120 static int log_enable_gnutls_category(const char *cat) {
 121         unsigned i;
 122
 123         if (streq(cat, "all")) {
 124                 for (i = 0; i < ELEMENTSOF(gnutls_log_map); i++)
 125                         gnutls_log_map[i].enabled = true;
 126                 log_reset_gnutls_level();
 127                 return 0;
 128         } else
 129                 for (i = 0; i < ELEMENTSOF(gnutls_log_map); i++)
 130                         if (strv_contains((char**)gnutls_log_map[i].names, cat)) {
 131                                 gnutls_log_map[i].enabled = true;
 132                                 log_reset_gnutls_level();
 133                                 return 0;
 134                         }
 135         return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No such log category: %s", cat);
 136 }
 137
 138 int setup_gnutls_logger(char **categories) {
 139         int r;
 140
 141         gnutls_global_set_log_function(log_func_gnutls);
 142
 143         if (categories)
 144                 STRV_FOREACH(cat, categories) {
 145                         r = log_enable_gnutls_category(*cat);
 146                         if (r < 0)
 147                                 return r;
 148                 }
 149         else
 150                 log_reset_gnutls_level();
 151
 152         return 0;
 153 }
 154
 155 static int verify_cert_authorized(gnutls_session_t session) {
 156         unsigned status;
 157         gnutls_certificate_type_t type;
 158         gnutls_datum_t out;
 159         int r;
 160
 161         r = gnutls_certificate_verify_peers2(session, &status);
 162         if (r < 0)
 163                 return log_error_errno(r, "gnutls_certificate_verify_peers2 failed: %m");
 164
 165         type = gnutls_certificate_type_get(session);
 166         r = gnutls_certificate_verification_status_print(status, type, &out, 0);
 167         if (r < 0)
 168                 return log_error_errno(r, "gnutls_certificate_verification_status_print failed: %m");
 169
 170         log_debug("Certificate status: %s", out.data);
 171         gnutls_free(out.data);
 172
 173         return status == 0 ? 0 : -EPERM;
 174 }
 175
 176 static int get_client_cert(gnutls_session_t session, gnutls_x509_crt_t *client_cert) {
 177         const gnutls_datum_t *pcert;
 178         unsigned listsize;
 179         gnutls_x509_crt_t cert;
 180         int r;
 181
 182         assert(session);
 183         assert(client_cert);
 184
 185         pcert = gnutls_certificate_get_peers(session, &listsize);
 186         if (!pcert || !listsize)
 187                 return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
 188                                        "Failed to retrieve certificate chain");
 189
 190         r = gnutls_x509_crt_init(&cert);
 191         if (r < 0) {
 192                 log_error("Failed to initialize client certificate");
 193                 return r;
 194         }
 195
 196         /* Note that by passing values between 0 and listsize here, you
 197            can get access to the CA's certs */
 198         r = gnutls_x509_crt_import(cert, &pcert[0], GNUTLS_X509_FMT_DER);
 199         if (r < 0) {
 200                 log_error("Failed to import client certificate");
 201                 gnutls_x509_crt_deinit(cert);
 202                 return r;
 203         }
 204
 205         *client_cert = cert;
 206         return 0;
 207 }
 208
 209 static int get_auth_dn(gnutls_x509_crt_t client_cert, char **buf) {
 210         size_t len = 0;
 211         int r;
 212
 213         assert(buf);
 214         assert(*buf == NULL);
 215
 216         r = gnutls_x509_crt_get_dn(client_cert, NULL, &len);
 217         if (r != GNUTLS_E_SHORT_MEMORY_BUFFER) {
 218                 log_error("gnutls_x509_crt_get_dn failed");
 219                 return r;
 220         }
 221
 222         *buf = malloc(len);
 223         if (!*buf)
 224                 return log_oom();
 225
 226         gnutls_x509_crt_get_dn(client_cert, *buf, &len);
 227         return 0;
 228 }
 229
 230 static void gnutls_x509_crt_deinitp(gnutls_x509_crt_t *p) {
 231         gnutls_x509_crt_deinit(*p);
 232 }
 233
 234 int check_permissions(struct MHD_Connection *connection, int *code, char **hostname) {
 235         const union MHD_ConnectionInfo *ci;
 236         gnutls_session_t session;
 237         _cleanup_(gnutls_x509_crt_deinitp) gnutls_x509_crt_t client_cert = NULL;
 238         _cleanup_free_ char *buf = NULL;
 239         int r;
 240
 241         assert(connection);
 242         assert(code);
 243
 244         *code = 0;
 245
 246         ci = MHD_get_connection_info(connection,
 247                                      MHD_CONNECTION_INFO_GNUTLS_SESSION);
 248         if (!ci) {
 249                 log_error("MHD_get_connection_info failed: session is unencrypted");
 250                 *code = mhd_respond(connection, MHD_HTTP_FORBIDDEN,
 251                                     "Encrypted connection is required");
 252                 return -EPERM;
 253         }
 254         session = ci->tls_session;
 255         assert(session);
 256
 257         r = get_client_cert(session, &client_cert);
 258         if (r < 0) {
 259                 *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
 260                                     "Authorization through certificate is required");
 261                 return -EPERM;
 262         }
 263
 264         r = get_auth_dn(client_cert, &buf);
 265         if (r < 0) {
 266                 *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
 267                                     "Failed to determine distinguished name from certificate");
 268                 return -EPERM;
 269         }
 270
 271         log_debug("Connection from %s", buf);
 272
 273         if (hostname)
 274                 *hostname = TAKE_PTR(buf);
 275
 276         r = verify_cert_authorized(session);
 277         if (r < 0) {
 278                 log_warning("Client is not authorized");
 279                 *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
 280                                     "Client certificate not signed by recognized authority");
 281         }
 282         return r;
 283 }
 284
 285 #else
 286 _noreturn_ int check_permissions(struct MHD_Connection *connection, int *code, char **hostname) {
 287         assert_not_reached();
 288 }
 289
 290 int setup_gnutls_logger(char **categories) {
 291         if (categories)
 292                 log_notice("Ignoring specified gnutls logging categories — gnutls not available.");
 293         return 0;
 294 }
 295 #endif