op public repos

Blob

Date:: Fri Jun 23 21:03:29 2023 UTC
Message:: implement `listen on' Listening by default on all the addresses is so bad I don't know why I haven't changed this before. Anyway. Add a `listen on $hostname port $port' syntax to the config file and deprecate the old "port" and "ipv6" global setting. Still try to honour them when no "listen on" directive is used for backward compatibily, but this will go away in the next next version hopefully. At the moment the `listen on' in server context don't filter the host, i.e. one can still reach a host from a address not specified in the corresponding `liste on', this will be added later.
Actions:: History | Blame | Raw File
1 /*
2  * Copyright (c) 2020, 2021, 2022 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #ifndef GMID_H
18 #define GMID_H
19 
20 #include "config.h"
21 
22 #include <sys/socket.h>
23 #include <sys/types.h>
24 
25 #include <arpa/inet.h>
26 #include <netinet/in.h>
27 
28 #include <dirent.h>
29 #include <limits.h>
30 #include <netdb.h>
31 #include <signal.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <time.h>
35 #include <tls.h>
36 #include <unistd.h>
37 
38 #include <openssl/x509.h>
39 
40 #if HAVE_EVENT2
41 # include <event2/event.h>
42 # include <event2/event_compat.h>
43 # include <event2/event_struct.h>
44 # include <event2/buffer.h>
45 # include <event2/buffer_compat.h>
46 # include <event2/bufferevent.h>
47 # include <event2/bufferevent_struct.h>
48 # include <event2/bufferevent_compat.h>
49 #else
50 # include <event.h>
51 #endif
52 
53 #define VERSION_STR(n)	n " " VERSION
54 #define GE_STRING	VERSION_STR("ge")
55 #define GG_STRING	VERSION_STR("gg")
56 #define GMID_STRING	VERSION_STR("gmid")
57 
58 #define GMID_VERSION	"gmid/" VERSION
59 
60 #define GEMINI_URL_LEN (1024+3)	/* URL max len + \r\n + \0 */
61 
62 #define SUCCESS		20
63 #define TEMP_REDIRECT	30
64 #define TEMP_FAILURE	40
65 #define CGI_ERROR	42
66 #define PROXY_ERROR	43
67 #define NOT_FOUND	51
68 #define PROXY_REFUSED	53
69 #define BAD_REQUEST	59
70 #define CLIENT_CERT_REQ	60
71 #define CERT_NOT_AUTH	61
72 
73 /* maximum hostname and label length, +1 for the NUL-terminator */
74 #define DOMAIN_NAME_LEN	(253+1)
75 #define LABEL_LEN	(63+1)
76 
77 #define MEDIATYPE_NAMEMAX	128	/* file name extension */
78 #define MEDIATYPE_TYPEMAX	128	/* length of type/subtype */
79 
80 #define FCGI_NAME_MAX		511
81 #define FCGI_VAL_MAX		511
82 
83 #define PROC_MAX_INSTANCES	16
84 
85 #define TLS_CERT_HASH_SIZE	128
86 
87 /* forward declaration */
88 struct privsep;
89 struct privsep_proc;
90 
91 struct iri {
92 	char		*schema;
93 	char		*host;
94 	char		*port;
95 	uint16_t	 port_no;
96 	char		*path;
97 	char		*query;
98 	char		*fragment;
99 };
100 
101 struct parser {
102 	char		*iri;
103 	struct iri	*parsed;
104 	const char	*err;
105 };
106 
107 struct conf;
108 TAILQ_HEAD(addrhead, address);
109 struct address {
110 	int			 ai_flags;
111 	int			 ai_family;
112 	int			 ai_socktype;
113 	int			 ai_protocol;
114 	struct sockaddr_storage	 ss;
115 	socklen_t		 slen;
116 	int16_t			 port;
117 
118 	/* used in the server */
119 	struct conf		*conf;
120 	int			 sock;
121 	struct event		 evsock; /* set if sock != -1 */
122 
123 	TAILQ_ENTRY(address)	 addrs;
124 };
125 
126 TAILQ_HEAD(fcgihead, fcgi);
127 struct fcgi {
128 	int		 id;
129 	char		 path[PATH_MAX];
130 	char		 port[32];
131 	TAILQ_ENTRY(fcgi) fcgi;
132 };
133 
134 TAILQ_HEAD(proxyhead, proxy);
135 struct proxy {
136 	char		 match_proto[32];
137 	char		 match_host[HOST_NAME_MAX + 1];
138 	char		 match_port[32];
139 
140 	char		 host[HOST_NAME_MAX + 1];
141 	char		 port[32];
142 	char		 sni[HOST_NAME_MAX];
143 	int		 notls;
144 	uint32_t	 protocols;
145 	int		 noverifyname;
146 	char		*cert_path;
147 	uint8_t		*cert;
148 	size_t		 certlen;
149 	char		*key_path;
150 	uint8_t		*key;
151 	size_t		 keylen;
152 	char		*reqca_path;
153 	X509_STORE	*reqca;
154 
155 	TAILQ_ENTRY(proxy) proxies;
156 };
157 
158 TAILQ_HEAD(lochead, location);
159 struct location {
160 	char		 match[128];
161 	char		 lang[32];
162 	char		 default_mime[MEDIATYPE_TYPEMAX];
163 	char		 index[PATH_MAX];
164 	int		 auto_index; /* 0 auto, -1 off, 1 on */
165 	int		 block_code;
166 	char		 block_fmt[GEMINI_URL_LEN];
167 	int		 strip;
168 	char		*reqca_path;
169 	X509_STORE	*reqca;
170 	int		 disable_log;
171 	int		 fcgi;
172 
173 	char		 dir[PATH_MAX];
174 	int		 dirfd;
175 
176 	TAILQ_ENTRY(location) locations;
177 };
178 
179 TAILQ_HEAD(envhead, envlist);
180 struct envlist {
181 	char		 name[FCGI_NAME_MAX];
182 	char		 value[FCGI_VAL_MAX];
183 	TAILQ_ENTRY(envlist) envs;
184 };
185 
186 TAILQ_HEAD(aliashead, alist);
187 struct alist {
188 	char		alias[HOST_NAME_MAX + 1];
189 	TAILQ_ENTRY(alist) aliases;
190 };
191 
192 TAILQ_HEAD(vhosthead, vhost);
193 struct vhost {
194 	char		 domain[HOST_NAME_MAX + 1];
195 	char		*cert_path;
196 	char		*key_path;
197 	char		*ocsp_path;
198 
199 	uint8_t		*cert;
200 	size_t		 certlen;
201 
202 	uint8_t		*key;
203 	size_t		 keylen;
204 
205 	uint8_t		*ocsp;
206 	size_t		 ocsplen;
207 
208 	TAILQ_ENTRY(vhost) vhosts;
209 
210 	struct addrhead	 addrs;
211 
212 	/*
213 	 * the first location rule is always '*' and holds the default
214 	 * settings for the vhost, then follows the "real" location
215 	 * rules as specified in the configuration.
216 	 */
217 	struct lochead	 locations;
218 
219 	struct envhead	 params;
220 	struct aliashead aliases;
221 	struct proxyhead proxies;
222 };
223 
224 struct etm {			/* extension to mime */
225 	char	 mime[MEDIATYPE_TYPEMAX];
226 	char	 ext[MEDIATYPE_NAMEMAX];
227 };
228 
229 struct mime {
230 	struct etm	*t;
231 	size_t		 len;
232 	size_t		 cap;
233 };
234 
235 TAILQ_HEAD(pkihead, pki);
236 struct pki {
237 	char		*hash;
238 	EVP_PKEY	*pkey;
239 	TAILQ_ENTRY(pki) pkis;
240 };
241 
242 struct conf {
243 	struct privsep	*ps;
244 	uint32_t	 protos;
245 	struct mime	 mime;
246 	char		 chroot[PATH_MAX];
247 	char		 user[LOGIN_NAME_MAX];
248 	int		 prefork;
249 	int		 reload;
250 	int		 use_privsep_crypto;
251 
252 	struct fcgihead	 fcgi;
253 	struct vhosthead hosts;
254 	struct pkihead	 pkis;
255 	struct addrhead	 addrs;
256 };
257 
258 extern const char *config_path;
259 
260 extern int servpipes[PROC_MAX_INSTANCES];
261 extern int privsep_process;
262 
263 typedef void (imsg_handlerfn)(struct imsgbuf*, struct imsg*, size_t);
264 
265 enum {
266 	REQUEST_UNDECIDED,
267 	REQUEST_FILE,
268 	REQUEST_DIR,
269 	REQUEST_FCGI,
270 	REQUEST_PROXY,
271 	REQUEST_DONE,
272 };
273 
274 struct client {
275 	struct conf	*conf;
276 	struct address	*addr;
277 	uint32_t	 id;
278 	struct tls	*ctx;
279 	char		*req;
280 	size_t		 reqlen;
281 	struct iri	 iri;
282 	char		 domain[DOMAIN_NAME_LEN];
283 
284 	struct bufferevent *bev;
285 
286 	int		 type;
287 
288 	struct bufferevent *cgibev;
289 
290 	struct proxy	*proxy;
291 	struct bufferevent *proxybev;
292 	struct tls	*proxyctx;
293 	int		 proxyevset;
294 	struct event	 proxyev;
295 
296 	char		*header;
297 
298 	int		 code;
299 	const char	*meta;
300 	int		 fd, pfd;
301 	struct dirent	**dir;
302 	int		 dirlen, diroff;
303 
304 	/* big enough to store STATUS + SPACE + META + CRLF */
305 	char		 sbuf[1029];
306 	ssize_t		 len, off;
307 
308 	struct sockaddr_storage	 raddr;
309 	socklen_t		 raddrlen;
310 
311 	struct vhost	*host;	/* host they're talking to */
312 	size_t		 loc;	/* location matched */
313 
314 	SPLAY_ENTRY(client) entry;
315 };
316 SPLAY_HEAD(client_tree_id, client);
317 extern struct client_tree_id clients;
318 
319 struct connreq {
320 	char	host[NI_MAXHOST];
321 	char	port[NI_MAXSERV];
322 	int	flag;
323 };
324 
325 enum {
326 	FILE_EXISTS,
327 	FILE_DIRECTORY,
328 	FILE_MISSING,
329 };
330 
331 enum imsg_type {
332 	IMSG_FCGI_REQ,
333 	IMSG_FCGI_FD,
334 	IMSG_CONN_REQ,
335 	IMSG_CONN_FD,
336 	IMSG_LOG,
337 	IMSG_LOG_REQUEST,
338 	IMSG_LOG_TYPE,
339 
340 	IMSG_RECONF_START,	/* 7 */
341 	IMSG_RECONF_MIME,
342 	IMSG_RECONF_PROTOS,
343 	IMSG_RECONF_SOCK,
344 	IMSG_RECONF_FCGI,
345 	IMSG_RECONF_HOST,
346 	IMSG_RECONF_CERT,
347 	IMSG_RECONF_KEY,
348 	IMSG_RECONF_OCSP,
349 	IMSG_RECONF_LOC,
350 	IMSG_RECONF_ENV,
351 	IMSG_RECONF_ALIAS,
352 	IMSG_RECONF_PROXY,
353 	IMSG_RECONF_PROXY_CERT,
354 	IMSG_RECONF_PROXY_KEY,
355 	IMSG_RECONF_END,
356 	IMSG_RECONF_DONE,
357 
358 	IMSG_CRYPTO_RSA_PRIVENC,
359 	IMSG_CRYPTO_RSA_PRIVDEC,
360 	IMSG_CRYPTO_ECDSA_SIGN,
361 
362 	IMSG_CTL_PROCFD,
363 };
364 
365 /* gmid.c */
366 char		*data_dir(void);
367 void		 load_local_cert(struct vhost*, const char*, const char*);
368 
369 /* gmid.c / ge.c */
370 void		 log_request(struct client *, char *, size_t);
371 
372 /* config.c */
373 struct conf	*config_new(void);
374 void		 config_purge(struct conf *);
375 int		 config_send(struct conf *);
376 int		 config_recv(struct conf *, struct imsg *);
377 
378 /* crypto.c */
379 void		 crypto(struct privsep *, struct privsep_proc *);
380 void		 crypto_engine_init(struct conf *);
381 
382 /* parse.y */
383 void		 yyerror(const char*, ...);
384 int		 parse_conf(struct conf *, const char*);
385 int		 cmdline_symset(char *);
386 
387 /* mime.c */
388 void		 init_mime(struct mime*);
389 int		 add_mime(struct mime*, const char*, const char*);
390 int		 load_default_mime(struct mime*);
391 void		 sort_mime(struct mime *);
392 const char	*mime(struct conf *, struct vhost*, const char*);
393 void		 free_mime(struct mime *);
394 
395 /* server.c */
396 extern int	shutting_down;
397 const char	*vhost_lang(struct vhost*, const char*);
398 const char	*vhost_default_mime(struct vhost*, const char*);
399 const char	*vhost_index(struct vhost*, const char*);
400 int		 vhost_auto_index(struct vhost*, const char*);
401 int		 vhost_block_return(struct vhost*, const char*, int*, const char**);
402 int		 vhost_fastcgi(struct vhost*, const char*);
403 int		 vhost_dirfd(struct vhost*, const char*, size_t*);
404 int		 vhost_strip(struct vhost*, const char*);
405 X509_STORE	*vhost_require_ca(struct vhost*, const char*);
406 int		 vhost_disable_log(struct vhost*, const char*);
407 
408 void		 mark_nonblock(int);
409 void		 client_write(struct bufferevent *, void *);
410 void		 start_reply(struct client*, int, const char*);
411 void		 client_close(struct client *);
412 struct client	*client_by_id(int);
413 void		 do_accept(int, short, void *);
414 void		 server_init(struct privsep *, struct privsep_proc *, void *);
415 int		 server_configure_done(struct conf *);
416 void		 server(struct privsep *ps, struct privsep_proc *);
417 
418 int		 client_tree_cmp(struct client *, struct client *);
419 SPLAY_PROTOTYPE(client_tree_id, client, entry, client_tree_cmp);
420 
421 /* dirs.c */
422 int		 scandir_fd(int, struct dirent***, int(*)(const struct dirent*),
423 		    int(*)(const struct dirent**, const struct dirent**));
424 int		 select_non_dot(const struct dirent*);
425 int		 select_non_dotdot(const struct dirent*);
426 
427 /* fcgi.c */
428 void		 fcgi_read(struct bufferevent *, void *);
429 void		 fcgi_write(struct bufferevent *, void *);
430 void		 fcgi_error(struct bufferevent *, short, void *);
431 void		 fcgi_req(struct client *);
432 
433 /* sandbox.c */
434 void		 sandbox_main_process(void);
435 void		 sandbox_server_process(void);
436 void		 sandbox_crypto_process(void);
437 void		 sandbox_logger_process(void);
438 
439 /* utf8.c */
440 int		 valid_multibyte_utf8(struct parser*);
441 char		*utf8_nth(char*, size_t);
442 
443 /* iri.c */
444 int		 parse_iri(char*, struct iri*, const char**);
445 int		 serialize_iri(struct iri*, char*, size_t);
446 int		 encode_path(char *, size_t, const char *);
447 char		*pct_decode_str(char *);
448 
449 /* logger.c */
450 void		 logger(struct privsep *, struct privsep_proc *);
451 
452 /* proxy.c */
453 int		 proxy_init(struct client *);
454 
455 /* puny.c */
456 int		 puny_decode(const char*, char*, size_t, const char**);
457 
458 /* utils.c */
459 void		 block_signals(void);
460 void		 unblock_signals(void);
461 int		 starts_with(const char*, const char*);
462 int		 ends_with(const char*, const char*);
463 ssize_t		 filesize(int);
464 char		*absolutify_path(const char*);
465 char		*xstrdup(const char*);
466 void		*xcalloc(size_t, size_t);
467 void		 gen_certificate(const char*, const char*, const char*);
468 X509_STORE	*load_ca(uint8_t *, size_t);
469 int		 validate_against_ca(X509_STORE*, const uint8_t*, size_t);
470 void		 ssl_error(const char *);
471 char		*ssl_pubkey_hash(const uint8_t *, size_t);
472 EVP_PKEY	*ssl_load_pkey(const uint8_t *, size_t);
473 struct vhost	*new_vhost(void);
474 struct location	*new_location(void);
475 struct proxy	*new_proxy(void);
476 
477 #endif