[systemd.git] / src / journal-remote / microhttpd-util.c

/* SPDX-License-Identifier: LGPL-2.1-or-later */

#include <stddef.h>
#include <stdio.h>

#if HAVE_GNUTLS
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#endif

#include "alloc-util.h"
#include "log.h"
#include "macro.h"
#include "microhttpd-util.h"
#include "string-util.h"
#include "strv.h"
#include "util.h"

void microhttpd_logger(void *arg, const char *fmt, va_list ap) {
        char *f;

        f = strjoina("microhttpd: ", fmt);

        DISABLE_WARNING_FORMAT_NONLITERAL;
        log_internalv(LOG_INFO, 0, NULL, 0, NULL, f, ap);
        REENABLE_WARNING;
}

static int mhd_respond_internal(struct MHD_Connection *connection,
                                enum MHD_RequestTerminationCode code,
                                const char *buffer,
                                size_t size,
                                enum MHD_ResponseMemoryMode mode) {
        assert(connection);

        _cleanup_(MHD_destroy_responsep) struct MHD_Response *response
                = MHD_create_response_from_buffer(size, (char*) buffer, mode);
        if (!response)
                return MHD_NO;

        log_debug("Queueing response %u: %s", code, buffer);
        if (MHD_add_response_header(response, "Content-Type", "text/plain") == MHD_NO)
                return MHD_NO;
        return MHD_queue_response(connection, code, response);
}

int mhd_respond(struct MHD_Connection *connection,
                enum MHD_RequestTerminationCode code,
                const char *message) {

        const char *fmt;

        fmt = strjoina(message, "\n");

        return mhd_respond_internal(connection, code,
                                    fmt, strlen(message) + 1,
                                    MHD_RESPMEM_PERSISTENT);
}

int mhd_respond_oom(struct MHD_Connection *connection) {
        return mhd_respond(connection, MHD_HTTP_SERVICE_UNAVAILABLE,  "Out of memory.");
}

int mhd_respondf(struct MHD_Connection *connection,
                 int error,
                 enum MHD_RequestTerminationCode code,
                 const char *format, ...) {

        const char *fmt;
        char *m;
        int r;
        va_list ap;

        assert(connection);
        assert(format);

        if (error < 0)
                error = -error;
        errno = -error;
        fmt = strjoina(format, "\n");
        va_start(ap, format);
        DISABLE_WARNING_FORMAT_NONLITERAL;
        r = vasprintf(&m, fmt, ap);
        REENABLE_WARNING;
        va_end(ap);

        if (r < 0)
                return respond_oom(connection);

        return mhd_respond_internal(connection, code, m, r, MHD_RESPMEM_MUST_FREE);
}

#if HAVE_GNUTLS

static struct {
        const char *const names[4];
        int level;
        bool enabled;
} gnutls_log_map[] = {
        { {"0"},                  LOG_DEBUG },
        { {"1", "audit"},         LOG_WARNING, true}, /* gnutls session audit */
        { {"2", "assert"},        LOG_DEBUG },        /* gnutls assert log */
        { {"3", "hsk", "ext"},    LOG_DEBUG },        /* gnutls handshake log */
        { {"4", "rec"},           LOG_DEBUG },        /* gnutls record log */
        { {"5", "dtls"},          LOG_DEBUG },        /* gnutls DTLS log */
        { {"6", "buf"},           LOG_DEBUG },
        { {"7", "write", "read"}, LOG_DEBUG },
        { {"8"},                  LOG_DEBUG },
        { {"9", "enc", "int"},    LOG_DEBUG },
};

static void log_func_gnutls(int level, const char *message) {
        assert_se(message);

        if (0 <= level && level < (int) ELEMENTSOF(gnutls_log_map)) {
                if (gnutls_log_map[level].enabled)
                        log_internal(gnutls_log_map[level].level, 0, NULL, 0, NULL, "gnutls %d/%s: %s", level, gnutls_log_map[level].names[1], message);
        } else {
                log_debug("Received GNUTLS message with unknown level %d.", level);
                log_internal(LOG_DEBUG, 0, NULL, 0, NULL, "gnutls: %s", message);
        }
}

static void log_reset_gnutls_level(void) {
        int i;

        for (i = ELEMENTSOF(gnutls_log_map) - 1; i >= 0; i--)
                if (gnutls_log_map[i].enabled) {
                        log_debug("Setting gnutls log level to %d", i);
                        gnutls_global_set_log_level(i);
                        break;
                }
}

static int log_enable_gnutls_category(const char *cat) {
        unsigned i;

        if (streq(cat, "all")) {
                for (i = 0; i < ELEMENTSOF(gnutls_log_map); i++)
                        gnutls_log_map[i].enabled = true;
                log_reset_gnutls_level();
                return 0;
        } else
                for (i = 0; i < ELEMENTSOF(gnutls_log_map); i++)
                        if (strv_contains((char**)gnutls_log_map[i].names, cat)) {
                                gnutls_log_map[i].enabled = true;
                                log_reset_gnutls_level();
                                return 0;
                        }
        return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No such log category: %s", cat);
}

int setup_gnutls_logger(char **categories) {
        int r;

        gnutls_global_set_log_function(log_func_gnutls);

        if (categories)
                STRV_FOREACH(cat, categories) {
                        r = log_enable_gnutls_category(*cat);
                        if (r < 0)
                                return r;
                }
        else
                log_reset_gnutls_level();

        return 0;
}

static int verify_cert_authorized(gnutls_session_t session) {
        unsigned status;
        gnutls_certificate_type_t type;
        gnutls_datum_t out;
        int r;

        r = gnutls_certificate_verify_peers2(session, &status);
        if (r < 0)
                return log_error_errno(r, "gnutls_certificate_verify_peers2 failed: %m");

        type = gnutls_certificate_type_get(session);
        r = gnutls_certificate_verification_status_print(status, type, &out, 0);
        if (r < 0)
                return log_error_errno(r, "gnutls_certificate_verification_status_print failed: %m");

        log_debug("Certificate status: %s", out.data);
        gnutls_free(out.data);

        return status == 0 ? 0 : -EPERM;
}

static int get_client_cert(gnutls_session_t session, gnutls_x509_crt_t *client_cert) {
        const gnutls_datum_t *pcert;
        unsigned listsize;
        gnutls_x509_crt_t cert;
        int r;

        assert(session);
        assert(client_cert);

        pcert = gnutls_certificate_get_peers(session, &listsize);
        if (!pcert || !listsize)
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
                                       "Failed to retrieve certificate chain");

        r = gnutls_x509_crt_init(&cert);
        if (r < 0) {
                log_error("Failed to initialize client certificate");
                return r;
        }

        /* Note that by passing values between 0 and listsize here, you
           can get access to the CA's certs */
        r = gnutls_x509_crt_import(cert, &pcert[0], GNUTLS_X509_FMT_DER);
        if (r < 0) {
                log_error("Failed to import client certificate");
                gnutls_x509_crt_deinit(cert);
                return r;
        }

        *client_cert = cert;
        return 0;
}

static int get_auth_dn(gnutls_x509_crt_t client_cert, char **buf) {
        size_t len = 0;
        int r;

        assert(buf);
        assert(*buf == NULL);

        r = gnutls_x509_crt_get_dn(client_cert, NULL, &len);
        if (r != GNUTLS_E_SHORT_MEMORY_BUFFER) {
                log_error("gnutls_x509_crt_get_dn failed");
                return r;
        }

        *buf = malloc(len);
        if (!*buf)
                return log_oom();

        gnutls_x509_crt_get_dn(client_cert, *buf, &len);
        return 0;
}

static void gnutls_x509_crt_deinitp(gnutls_x509_crt_t *p) {
        gnutls_x509_crt_deinit(*p);
}

int check_permissions(struct MHD_Connection *connection, int *code, char **hostname) {
        const union MHD_ConnectionInfo *ci;
        gnutls_session_t session;
        _cleanup_(gnutls_x509_crt_deinitp) gnutls_x509_crt_t client_cert = NULL;
        _cleanup_free_ char *buf = NULL;
        int r;

        assert(connection);
        assert(code);

        *code = 0;

        ci = MHD_get_connection_info(connection,
                                     MHD_CONNECTION_INFO_GNUTLS_SESSION);
        if (!ci) {
                log_error("MHD_get_connection_info failed: session is unencrypted");
                *code = mhd_respond(connection, MHD_HTTP_FORBIDDEN,
                                    "Encrypted connection is required");
                return -EPERM;
        }
        session = ci->tls_session;
        assert(session);

        r = get_client_cert(session, &client_cert);
        if (r < 0) {
                *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
                                    "Authorization through certificate is required");
                return -EPERM;
        }

        r = get_auth_dn(client_cert, &buf);
        if (r < 0) {
                *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
                                    "Failed to determine distinguished name from certificate");
                return -EPERM;
        }

        log_debug("Connection from %s", buf);

        if (hostname)
                *hostname = TAKE_PTR(buf);

        r = verify_cert_authorized(session);
        if (r < 0) {
                log_warning("Client is not authorized");
                *code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
                                    "Client certificate not signed by recognized authority");
        }
        return r;
}

#else
_noreturn_ int check_permissions(struct MHD_Connection *connection, int *code, char **hostname) {
        assert_not_reached();
}

int setup_gnutls_logger(char **categories) {
        if (categories)
                log_notice("Ignoring specified gnutls logging categories — gnutls not available.");
        return 0;
}
#endif
Commit	Line	Data
a032b68d	1	/* SPDX-License-Identifier: LGPL-2.1-or-later */
663996b3 MS	2
	3	#include <stddef.h>
	4	#include <stdio.h>
	5
f5e65279	6	#if HAVE_GNUTLS
60f067b4 JS	7	#include <gnutls/gnutls.h>
	8	#include <gnutls/x509.h>
	9	#endif
	10
db2df898 MP	11	#include "alloc-util.h"
	12	#include "log.h"
	13	#include "macro.h"
	14	#include "microhttpd-util.h"
	15	#include "string-util.h"
	16	#include "strv.h"
	17	#include "util.h"
	18
663996b3	19	void microhttpd_logger(void arg, const char fmt, va_list ap) {
60f067b4 JS	20	char *f;
60f067b4 JS	21
e735f4d4	22	f = strjoina("microhttpd: ", fmt);
60f067b4 JS	23
60f067b4 JS	24	DISABLE_WARNING_FORMAT_NONLITERAL;
f47781d8	25	log_internalv(LOG_INFO, 0, NULL, 0, NULL, f, ap);
60f067b4 JS	26	REENABLE_WARNING;
	27	}
	28
60f067b4 JS	29	static int mhd_respond_internal(struct MHD_Connection *connection,
60f067b4 JS	30	enum MHD_RequestTerminationCode code,
8a584da2	31	const char *buffer,
60f067b4 JS	32	size_t size,
60f067b4 JS	33	enum MHD_ResponseMemoryMode mode) {
60f067b4 JS	34	assert(connection);
60f067b4 JS	35
7c20daf6 FS	36	_cleanup_(MHD_destroy_responsep) struct MHD_Response *response
7c20daf6 FS	37	= MHD_create_response_from_buffer(size, (char*) buffer, mode);
60f067b4 JS	38	if (!response)
	39	return MHD_NO;
	40
5a920b42	41	log_debug("Queueing response %u: %s", code, buffer);
3a6ce677 BR	42	if (MHD_add_response_header(response, "Content-Type", "text/plain") == MHD_NO)
3a6ce677 BR	43	return MHD_NO;
7c20daf6	44	return MHD_queue_response(connection, code, response);
60f067b4 JS	45	}
	46
	47	int mhd_respond(struct MHD_Connection *connection,
	48	enum MHD_RequestTerminationCode code,
	49	const char *message) {
	50
8a584da2 MP	51	const char *fmt;
	52
	53	fmt = strjoina(message, "\n");
	54
60f067b4	55	return mhd_respond_internal(connection, code,
8a584da2	56	fmt, strlen(message) + 1,
60f067b4 JS	57	MHD_RESPMEM_PERSISTENT);
	58	}
	59
	60	int mhd_respond_oom(struct MHD_Connection *connection) {
8a584da2	61	return mhd_respond(connection, MHD_HTTP_SERVICE_UNAVAILABLE, "Out of memory.");
60f067b4 JS	62	}
	63
	64	int mhd_respondf(struct MHD_Connection *connection,
8a584da2	65	int error,
60f067b4 JS	66	enum MHD_RequestTerminationCode code,
	67	const char *format, ...) {
	68
8a584da2	69	const char *fmt;
60f067b4 JS	70	char *m;
	71	int r;
	72	va_list ap;
	73
	74	assert(connection);
	75	assert(format);
	76
8a584da2 MP	77	if (error < 0)
	78	error = -error;
	79	errno = -error;
	80	fmt = strjoina(format, "\n");
60f067b4	81	va_start(ap, format);
a10f5d05	82	DISABLE_WARNING_FORMAT_NONLITERAL;
8a584da2	83	r = vasprintf(&m, fmt, ap);
a10f5d05	84	REENABLE_WARNING;
60f067b4 JS	85	va_end(ap);
	86
	87	if (r < 0)
	88	return respond_oom(connection);
	89
	90	return mhd_respond_internal(connection, code, m, r, MHD_RESPMEM_MUST_FREE);
	91	}
	92
f5e65279	93	#if HAVE_GNUTLS
60f067b4	94
5eef597e MP	95	static struct {
	96	const char *const names[4];
	97	int level;
	98	bool enabled;
	99	} gnutls_log_map[] = {
	100	{ {"0"}, LOG_DEBUG },
	101	{ {"1", "audit"}, LOG_WARNING, true}, /* gnutls session audit */
	102	{ {"2", "assert"}, LOG_DEBUG }, /* gnutls assert log */
	103	{ {"3", "hsk", "ext"}, LOG_DEBUG }, /* gnutls handshake log */
	104	{ {"4", "rec"}, LOG_DEBUG }, /* gnutls record log */
	105	{ {"5", "dtls"}, LOG_DEBUG }, /* gnutls DTLS log */
	106	{ {"6", "buf"}, LOG_DEBUG },
	107	{ {"7", "write", "read"}, LOG_DEBUG },
	108	{ {"8"}, LOG_DEBUG },
	109	{ {"9", "enc", "int"}, LOG_DEBUG },
60f067b4 JS	110	};
60f067b4 JS	111
e3bff60a	112	static void log_func_gnutls(int level, const char *message) {
60f067b4 JS	113	assert_se(message);
60f067b4 JS	114
5eef597e MP	115	if (0 <= level && level < (int) ELEMENTSOF(gnutls_log_map)) {
5eef597e MP	116	if (gnutls_log_map[level].enabled)
f47781d8	117	log_internal(gnutls_log_map[level].level, 0, NULL, 0, NULL, "gnutls %d/%s: %s", level, gnutls_log_map[level].names[1], message);
5eef597e MP	118	} else {
5eef597e MP	119	log_debug("Received GNUTLS message with unknown level %d.", level);
f47781d8	120	log_internal(LOG_DEBUG, 0, NULL, 0, NULL, "gnutls: %s", message);
5eef597e MP	121	}
	122	}
	123
e3bff60a MP	124	static void log_reset_gnutls_level(void) {
	125	int i;
	126
	127	for (i = ELEMENTSOF(gnutls_log_map) - 1; i >= 0; i--)
	128	if (gnutls_log_map[i].enabled) {
	129	log_debug("Setting gnutls log level to %d", i);
	130	gnutls_global_set_log_level(i);
	131	break;
	132	}
	133	}
	134
	135	static int log_enable_gnutls_category(const char *cat) {
5eef597e MP	136	unsigned i;
	137
	138	if (streq(cat, "all")) {
	139	for (i = 0; i < ELEMENTSOF(gnutls_log_map); i++)
	140	gnutls_log_map[i].enabled = true;
	141	log_reset_gnutls_level();
	142	return 0;
	143	} else
	144	for (i = 0; i < ELEMENTSOF(gnutls_log_map); i++)
	145	if (strv_contains((char**)gnutls_log_map[i].names, cat)) {
	146	gnutls_log_map[i].enabled = true;
	147	log_reset_gnutls_level();
	148	return 0;
	149	}
6e866b33	150	return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No such log category: %s", cat);
5eef597e MP	151	}
5eef597e MP	152
e3bff60a	153	int setup_gnutls_logger(char **categories) {
e3bff60a	154	int r;
60f067b4	155
e3bff60a MP	156	gnutls_global_set_log_function(log_func_gnutls);
e3bff60a MP	157
f5caa8fa	158	if (categories)
e3bff60a MP	159	STRV_FOREACH(cat, categories) {
	160	r = log_enable_gnutls_category(*cat);
	161	if (r < 0)
	162	return r;
5eef597e	163	}
f5caa8fa	164	else
e3bff60a MP	165	log_reset_gnutls_level();
	166
	167	return 0;
60f067b4 JS	168	}
	169
	170	static int verify_cert_authorized(gnutls_session_t session) {
	171	unsigned status;
	172	gnutls_certificate_type_t type;
	173	gnutls_datum_t out;
	174	int r;
	175
	176	r = gnutls_certificate_verify_peers2(session, &status);
f47781d8 MP	177	if (r < 0)
f47781d8 MP	178	return log_error_errno(r, "gnutls_certificate_verify_peers2 failed: %m");
60f067b4 JS	179
	180	type = gnutls_certificate_type_get(session);
	181	r = gnutls_certificate_verification_status_print(status, type, &out, 0);
f47781d8 MP	182	if (r < 0)
f47781d8 MP	183	return log_error_errno(r, "gnutls_certificate_verification_status_print failed: %m");
60f067b4	184
e3bff60a MP	185	log_debug("Certificate status: %s", out.data);
e3bff60a MP	186	gnutls_free(out.data);
60f067b4 JS	187
	188	return status == 0 ? 0 : -EPERM;
	189	}
	190
	191	static int get_client_cert(gnutls_session_t session, gnutls_x509_crt_t *client_cert) {
	192	const gnutls_datum_t *pcert;
	193	unsigned listsize;
	194	gnutls_x509_crt_t cert;
	195	int r;
	196
	197	assert(session);
	198	assert(client_cert);
	199
	200	pcert = gnutls_certificate_get_peers(session, &listsize);
6e866b33 MB	201	if (!pcert \|\| !listsize)
	202	return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
	203	"Failed to retrieve certificate chain");
60f067b4 JS	204
	205	r = gnutls_x509_crt_init(&cert);
	206	if (r < 0) {
	207	log_error("Failed to initialize client certificate");
	208	return r;
	209	}
	210
	211	/* Note that by passing values between 0 and listsize here, you
	212	can get access to the CA's certs */
	213	r = gnutls_x509_crt_import(cert, &pcert[0], GNUTLS_X509_FMT_DER);
	214	if (r < 0) {
	215	log_error("Failed to import client certificate");
	216	gnutls_x509_crt_deinit(cert);
	217	return r;
	218	}
	219
	220	*client_cert = cert;
	221	return 0;
	222	}
	223
	224	static int get_auth_dn(gnutls_x509_crt_t client_cert, char **buf) {
	225	size_t len = 0;
	226	int r;
	227
	228	assert(buf);
	229	assert(*buf == NULL);
	230
	231	r = gnutls_x509_crt_get_dn(client_cert, NULL, &len);
	232	if (r != GNUTLS_E_SHORT_MEMORY_BUFFER) {
	233	log_error("gnutls_x509_crt_get_dn failed");
	234	return r;
	235	}
	236
	237	*buf = malloc(len);
	238	if (!*buf)
	239	return log_oom();
	240
	241	gnutls_x509_crt_get_dn(client_cert, *buf, &len);
	242	return 0;
	243	}
	244
7c20daf6	245	static void gnutls_x509_crt_deinitp(gnutls_x509_crt_t *p) {
e3bff60a MP	246	gnutls_x509_crt_deinit(*p);
	247	}
	248
5eef597e	249	int check_permissions(struct MHD_Connection connection, int code, char **hostname) {
60f067b4 JS	250	const union MHD_ConnectionInfo *ci;
60f067b4 JS	251	gnutls_session_t session;
e3bff60a	252	_cleanup_(gnutls_x509_crt_deinitp) gnutls_x509_crt_t client_cert = NULL;
e842803a	253	_cleanup_free_ char *buf = NULL;
60f067b4 JS	254	int r;
	255
	256	assert(connection);
	257	assert(code);
	258
	259	*code = 0;
	260
	261	ci = MHD_get_connection_info(connection,
	262	MHD_CONNECTION_INFO_GNUTLS_SESSION);
	263	if (!ci) {
	264	log_error("MHD_get_connection_info failed: session is unencrypted");
	265	*code = mhd_respond(connection, MHD_HTTP_FORBIDDEN,
	266	"Encrypted connection is required");
	267	return -EPERM;
	268	}
	269	session = ci->tls_session;
	270	assert(session);
	271
	272	r = get_client_cert(session, &client_cert);
	273	if (r < 0) {
	274	*code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
	275	"Authorization through certificate is required");
	276	return -EPERM;
	277	}
	278
	279	r = get_auth_dn(client_cert, &buf);
	280	if (r < 0) {
	281	*code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
	282	"Failed to determine distinguished name from certificate");
	283	return -EPERM;
	284	}
	285
e3bff60a	286	log_debug("Connection from %s", buf);
60f067b4	287
b012e921 MB	288	if (hostname)
b012e921 MB	289	*hostname = TAKE_PTR(buf);
5eef597e	290
60f067b4 JS	291	r = verify_cert_authorized(session);
	292	if (r < 0) {
	293	log_warning("Client is not authorized");
	294	*code = mhd_respond(connection, MHD_HTTP_UNAUTHORIZED,
	295	"Client certificate not signed by recognized authority");
	296	}
	297	return r;
	298	}
	299
	300	#else
3e11e177	301	_noreturn_ int check_permissions(struct MHD_Connection connection, int code, char **hostname) {
f5caa8fa	302	assert_not_reached();
663996b3	303	}
e3bff60a MP	304
	305	int setup_gnutls_logger(char **categories) {
	306	if (categories)
	307	log_notice("Ignoring specified gnutls logging categories — gnutls not available.");
	308	return 0;
	309	}
60f067b4	310	#endif