1 /*
2  * Copyright (c) 2020, 2021, 2022 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #ifndef GMID_H
18 #define GMID_H
19 
20 #include "config.h"
21 
22 #include <sys/socket.h>
23 #include <sys/types.h>
24 
25 #include <arpa/inet.h>
26 #include <netinet/in.h>
27 
28 #include <dirent.h>
29 #include <limits.h>
30 #include <netdb.h>
31 #include <signal.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <time.h>
35 #include <tls.h>
36 #include <unistd.h>
37 
38 #include <openssl/x509.h>
39 
40 #if HAVE_EVENT2
41 # include <event2/event.h>
42 # include <event2/event_compat.h>
43 # include <event2/event_struct.h>
44 # include <event2/buffer.h>
45 # include <event2/buffer_compat.h>
46 # include <event2/bufferevent.h>
47 # include <event2/bufferevent_struct.h>
48 # include <event2/bufferevent_compat.h>
49 #else
50 # include <event.h>
51 #endif
52 
53 #define VERSION_STR(n)	n " " VERSION
54 #define GE_STRING	VERSION_STR("ge")
55 #define GG_STRING	VERSION_STR("gg")
56 #define GMID_STRING	VERSION_STR("gmid")
57 
58 #define GMID_VERSION	"gmid/" VERSION
59 
60 #define GEMINI_URL_LEN (1024+3)	/* URL max len + \r\n + \0 */
61 
62 #define SUCCESS		20
63 #define TEMP_REDIRECT	30
64 #define TEMP_FAILURE	40
65 #define CGI_ERROR	42
66 #define PROXY_ERROR	43
67 #define NOT_FOUND	51
68 #define PROXY_REFUSED	53
69 #define BAD_REQUEST	59
70 #define CLIENT_CERT_REQ	60
71 #define CERT_NOT_AUTH	61
72 
73 /* maximum hostname and label length, +1 for the NUL-terminator */
74 #define DOMAIN_NAME_LEN	(253+1)
75 #define LABEL_LEN	(63+1)
76 
77 #define MEDIATYPE_NAMEMAX	128	/* file name extension */
78 #define MEDIATYPE_TYPEMAX	128	/* length of type/subtype */
79 
80 #define FCGI_NAME_MAX		511
81 #define FCGI_VAL_MAX		511
82 
83 #define PROC_MAX_INSTANCES	16
84 
85 #define TLS_CERT_HASH_SIZE	128
86 
87 /* forward declaration */
88 struct privsep;
89 struct privsep_proc;
90 
91 struct iri {
92 	char		*schema;
93 	char		*host;
94 	char		*port;
95 	uint16_t	 port_no;
96 	char		*path;
97 	char		*query;
98 	char		*fragment;
99 };
100 
101 struct parser {
102 	char		*iri;
103 	struct iri	*parsed;
104 	const char	*err;
105 };
106 
107 TAILQ_HEAD(fcgihead, fcgi);
108 struct fcgi {
109 	int		 id;
110 	char		 path[PATH_MAX];
111 	char		 port[32];
112 	TAILQ_ENTRY(fcgi) fcgi;
113 };
114 
115 TAILQ_HEAD(proxyhead, proxy);
116 struct proxy {
117 	char		 match_proto[32];
118 	char		 match_host[HOST_NAME_MAX + 1];
119 	char		 match_port[32];
120 
121 	char		 host[HOST_NAME_MAX + 1];
122 	char		 port[32];
123 	char		 sni[HOST_NAME_MAX];
124 	int		 notls;
125 	uint32_t	 protocols;
126 	int		 noverifyname;
127 	char		*cert_path;
128 	uint8_t		*cert;
129 	size_t		 certlen;
130 	char		*key_path;
131 	uint8_t		*key;
132 	size_t		 keylen;
133 	char		*reqca_path;
134 	X509_STORE	*reqca;
135 
136 	TAILQ_ENTRY(proxy) proxies;
137 };
138 
139 TAILQ_HEAD(lochead, location);
140 struct location {
141 	char		 match[128];
142 	char		 lang[32];
143 	char		 default_mime[MEDIATYPE_TYPEMAX];
144 	char		 index[PATH_MAX];
145 	int		 auto_index; /* 0 auto, -1 off, 1 on */
146 	int		 block_code;
147 	char		 block_fmt[GEMINI_URL_LEN];
148 	int		 strip;
149 	char		*reqca_path;
150 	X509_STORE	*reqca;
151 	int		 disable_log;
152 	int		 fcgi;
153 
154 	char		 dir[PATH_MAX];
155 	int		 dirfd;
156 
157 	TAILQ_ENTRY(location) locations;
158 };
159 
160 TAILQ_HEAD(envhead, envlist);
161 struct envlist {
162 	char		 name[FCGI_NAME_MAX];
163 	char		 value[FCGI_VAL_MAX];
164 	TAILQ_ENTRY(envlist) envs;
165 };
166 
167 TAILQ_HEAD(aliashead, alist);
168 struct alist {
169 	char		alias[HOST_NAME_MAX + 1];
170 	TAILQ_ENTRY(alist) aliases;
171 };
172 
173 TAILQ_HEAD(vhosthead, vhost);
174 struct vhost {
175 	char		 domain[HOST_NAME_MAX + 1];
176 	char		*cert_path;
177 	char		*key_path;
178 	char		*ocsp_path;
179 
180 	uint8_t		*cert;
181 	size_t		 certlen;
182 
183 	uint8_t		*key;
184 	size_t		 keylen;
185 
186 	uint8_t		*ocsp;
187 	size_t		 ocsplen;
188 
189 	TAILQ_ENTRY(vhost) vhosts;
190 
191 	/*
192 	 * the first location rule is always '*' and holds the default
193 	 * settings for the vhost, then follows the "real" location
194 	 * rules as specified in the configuration.
195 	 */
196 	struct lochead	 locations;
197 
198 	struct envhead	 params;
199 	struct aliashead aliases;
200 	struct proxyhead proxies;
201 };
202 
203 struct etm {			/* extension to mime */
204 	char	 mime[MEDIATYPE_TYPEMAX];
205 	char	 ext[MEDIATYPE_NAMEMAX];
206 };
207 
208 struct mime {
209 	struct etm	*t;
210 	size_t		 len;
211 	size_t		 cap;
212 };
213 
214 TAILQ_HEAD(pkihead, pki);
215 struct pki {
216 	char		*hash;
217 	EVP_PKEY	*pkey;
218 	TAILQ_ENTRY(pki) pkis;
219 };
220 
221 struct conf {
222 	struct privsep	*ps;
223 	int		 port;
224 	int		 ipv6;
225 	uint32_t	 protos;
226 	struct mime	 mime;
227 	char		 chroot[PATH_MAX];
228 	char		 user[LOGIN_NAME_MAX];
229 	int		 prefork;
230 	int		 reload;
231 	int		 use_privsep_crypto;
232 
233 	int		 sock4;
234 	struct event	 evsock4;
235 	int		 sock6;
236 	struct event	 evsock6;
237 
238 	struct fcgihead	 fcgi;
239 	struct vhosthead hosts;
240 	struct pkihead	 pkis;
241 };
242 
243 extern const char *config_path;
244 
245 extern int servpipes[PROC_MAX_INSTANCES];
246 extern int privsep_process;
247 
248 typedef void (imsg_handlerfn)(struct imsgbuf*, struct imsg*, size_t);
249 
250 enum {
251 	REQUEST_UNDECIDED,
252 	REQUEST_FILE,
253 	REQUEST_DIR,
254 	REQUEST_FCGI,
255 	REQUEST_PROXY,
256 	REQUEST_DONE,
257 };
258 
259 struct client {
260 	struct conf	*conf;
261 	uint32_t	 id;
262 	struct tls	*ctx;
263 	char		*req;
264 	size_t		 reqlen;
265 	struct iri	 iri;
266 	char		 domain[DOMAIN_NAME_LEN];
267 
268 	struct bufferevent *bev;
269 
270 	int		 type;
271 
272 	struct bufferevent *cgibev;
273 
274 	struct proxy	*proxy;
275 	struct bufferevent *proxybev;
276 	struct tls	*proxyctx;
277 	int		 proxyevset;
278 	struct event	 proxyev;
279 
280 	char		*header;
281 
282 	int		 code;
283 	const char	*meta;
284 	int		 fd, pfd;
285 	struct dirent	**dir;
286 	int		 dirlen, diroff;
287 
288 	/* big enough to store STATUS + SPACE + META + CRLF */
289 	char		 sbuf[1029];
290 	ssize_t		 len, off;
291 
292 	struct sockaddr_storage	 addr;
293 	struct vhost	*host;	/* host they're talking to */
294 	size_t		 loc;	/* location matched */
295 
296 	SPLAY_ENTRY(client) entry;
297 };
298 SPLAY_HEAD(client_tree_id, client);
299 extern struct client_tree_id clients;
300 
301 struct connreq {
302 	char	host[NI_MAXHOST];
303 	char	port[NI_MAXSERV];
304 	int	flag;
305 };
306 
307 enum {
308 	FILE_EXISTS,
309 	FILE_DIRECTORY,
310 	FILE_MISSING,
311 };
312 
313 enum imsg_type {
314 	IMSG_FCGI_REQ,
315 	IMSG_FCGI_FD,
316 	IMSG_CONN_REQ,
317 	IMSG_CONN_FD,
318 	IMSG_LOG,
319 	IMSG_LOG_REQUEST,
320 	IMSG_LOG_TYPE,
321 
322 	IMSG_RECONF_START,	/* 7 */
323 	IMSG_RECONF_MIME,
324 	IMSG_RECONF_PROTOS,
325 	IMSG_RECONF_PORT,
326 	IMSG_RECONF_SOCK4,
327 	IMSG_RECONF_SOCK6,
328 	IMSG_RECONF_FCGI,
329 	IMSG_RECONF_HOST,
330 	IMSG_RECONF_CERT,
331 	IMSG_RECONF_KEY,
332 	IMSG_RECONF_OCSP,
333 	IMSG_RECONF_LOC,
334 	IMSG_RECONF_ENV,
335 	IMSG_RECONF_ALIAS,
336 	IMSG_RECONF_PROXY,
337 	IMSG_RECONF_PROXY_CERT,
338 	IMSG_RECONF_PROXY_KEY,
339 	IMSG_RECONF_END,
340 	IMSG_RECONF_DONE,
341 
342 	IMSG_CRYPTO_RSA_PRIVENC,
343 	IMSG_CRYPTO_RSA_PRIVDEC,
344 	IMSG_CRYPTO_ECDSA_SIGN,
345 
346 	IMSG_CTL_PROCFD,
347 };
348 
349 /* gmid.c */
350 char		*data_dir(void);
351 void		 load_local_cert(struct vhost*, const char*, const char*);
352 
353 /* gmid.c / ge.c */
354 void		 log_request(struct client *, char *, size_t);
355 
356 /* config.c */
357 struct conf	*config_new(void);
358 void		 config_purge(struct conf *);
359 int		 config_send(struct conf *);
360 int		 config_recv(struct conf *, struct imsg *);
361 
362 /* crypto.c */
363 void		 crypto(struct privsep *, struct privsep_proc *);
364 void		 crypto_engine_init(struct conf *);
365 
366 /* parse.y */
367 void		 yyerror(const char*, ...);
368 int		 parse_conf(struct conf *, const char*);
369 int		 cmdline_symset(char *);
370 
371 /* mime.c */
372 void		 init_mime(struct mime*);
373 int		 add_mime(struct mime*, const char*, const char*);
374 int		 load_default_mime(struct mime*);
375 void		 sort_mime(struct mime *);
376 const char	*mime(struct conf *, struct vhost*, const char*);
377 void		 free_mime(struct mime *);
378 
379 /* server.c */
380 extern int	shutting_down;
381 const char	*vhost_lang(struct vhost*, const char*);
382 const char	*vhost_default_mime(struct vhost*, const char*);
383 const char	*vhost_index(struct vhost*, const char*);
384 int		 vhost_auto_index(struct vhost*, const char*);
385 int		 vhost_block_return(struct vhost*, const char*, int*, const char**);
386 int		 vhost_fastcgi(struct vhost*, const char*);
387 int		 vhost_dirfd(struct vhost*, const char*, size_t*);
388 int		 vhost_strip(struct vhost*, const char*);
389 X509_STORE	*vhost_require_ca(struct vhost*, const char*);
390 int		 vhost_disable_log(struct vhost*, const char*);
391 
392 void		 mark_nonblock(int);
393 void		 client_write(struct bufferevent *, void *);
394 void		 start_reply(struct client*, int, const char*);
395 void		 client_close(struct client *);
396 struct client	*client_by_id(int);
397 void		 do_accept(int, short, void *);
398 void		 server_init(struct privsep *, struct privsep_proc *, void *);
399 int		 server_configure_done(struct conf *);
400 void		 server(struct privsep *ps, struct privsep_proc *);
401 
402 int		 client_tree_cmp(struct client *, struct client *);
403 SPLAY_PROTOTYPE(client_tree_id, client, entry, client_tree_cmp);
404 
405 /* dirs.c */
406 int		 scandir_fd(int, struct dirent***, int(*)(const struct dirent*),
407 		    int(*)(const struct dirent**, const struct dirent**));
408 int		 select_non_dot(const struct dirent*);
409 int		 select_non_dotdot(const struct dirent*);
410 
411 /* fcgi.c */
412 void		 fcgi_read(struct bufferevent *, void *);
413 void		 fcgi_write(struct bufferevent *, void *);
414 void		 fcgi_error(struct bufferevent *, short, void *);
415 void		 fcgi_req(struct client *);
416 
417 /* sandbox.c */
418 void		 sandbox_main_process(void);
419 void		 sandbox_server_process(void);
420 void		 sandbox_crypto_process(void);
421 void		 sandbox_logger_process(void);
422 
423 /* utf8.c */
424 int		 valid_multibyte_utf8(struct parser*);
425 char		*utf8_nth(char*, size_t);
426 
427 /* iri.c */
428 int		 parse_iri(char*, struct iri*, const char**);
429 int		 serialize_iri(struct iri*, char*, size_t);
430 int		 encode_path(char *, size_t, const char *);
431 char		*pct_decode_str(char *);
432 
433 /* logger.c */
434 void		 logger(struct privsep *, struct privsep_proc *);
435 
436 /* proxy.c */
437 int		 proxy_init(struct client *);
438 
439 /* puny.c */
440 int		 puny_decode(const char*, char*, size_t, const char**);
441 
442 /* utils.c */
443 void		 block_signals(void);
444 void		 unblock_signals(void);
445 int		 starts_with(const char*, const char*);
446 int		 ends_with(const char*, const char*);
447 ssize_t		 filesize(int);
448 char		*absolutify_path(const char*);
449 char		*xstrdup(const char*);
450 void		*xcalloc(size_t, size_t);
451 void		 gen_certificate(const char*, const char*, const char*);
452 X509_STORE	*load_ca(uint8_t *, size_t);
453 int		 validate_against_ca(X509_STORE*, const uint8_t*, size_t);
454 void		 ssl_error(const char *);
455 char		*ssl_pubkey_hash(const uint8_t *, size_t);
456 EVP_PKEY	*ssl_load_pkey(const uint8_t *, size_t);
457 struct vhost	*new_vhost(void);
458 struct location	*new_location(void);
459 struct proxy	*new_proxy(void);
460 
461 #endif