1 /*
2  * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include "gmid.h"
18 
19 #include <errno.h>
20 #include <string.h>
21 
22 #include <openssl/bn.h>
23 #include <openssl/pem.h>
24 #include <openssl/x509_vfy.h>
25 #include <openssl/x509v3.h>
26 
27 #include "log.h"
28 
29 int
30 starts_with(const char *str, const char *prefix)
31 {
32 	size_t i;
33 
34 	if (prefix == NULL)
35 		return 0;
36 
37 	for (i = 0; prefix[i] != '\0'; ++i)
38 		if (str[i] != prefix[i])
39 			return 0;
40 	return 1;
41 }
42 
43 int
44 ends_with(const char *str, const char *sufx)
45 {
46 	size_t i, j;
47 
48 	i = strlen(str);
49 	j = strlen(sufx);
50 
51 	if (j > i)
52 		return 0;
53 
54 	i -= j;
55 	for (j = 0; str[i] != '\0'; i++, j++)
56 		if (str[i] != sufx[j])
57 			return 0;
58 	return 1;
59 }
60 
61 ssize_t
62 filesize(int fd)
63 {
64 	ssize_t len;
65 
66 	if ((len = lseek(fd, 0, SEEK_END)) == -1)
67 		return -1;
68 	if (lseek(fd, 0, SEEK_SET) == -1)
69 		return -1;
70 	return len;
71 }
72 
73 char *
74 absolutify_path(const char *path)
75 {
76 	char *wd, *r;
77 
78 	if (*path == '/') {
79 		if ((r = strdup(path)) == NULL)
80 			err(1, "strdup");
81 		return r;
82 	}
83 
84 	wd = getcwd(NULL, 0);
85 	if (asprintf(&r, "%s/%s", wd, path) == -1)
86 		err(1, "asprintf");
87 	free(wd);
88 	return r;
89 }
90 
91 char *
92 xstrdup(const char *s)
93 {
94 	char *d;
95 
96 	if ((d = strdup(s)) == NULL)
97 		err(1, "strdup");
98 	return d;
99 }
100 
101 void *
102 xcalloc(size_t nmemb, size_t size)
103 {
104 	void *d;
105 
106 	if ((d = calloc(nmemb, size)) == NULL)
107 		err(1, "calloc");
108 	return d;
109 }
110 
111 void
112 gen_certificate(const char *hostname, const char *certpath, const char *keypath)
113 {
114 	BIGNUM		*e;
115 	EVP_PKEY	*pkey;
116 	RSA		*rsa;
117 	X509		*x509;
118 	X509_NAME	*name;
119 	FILE		*f;
120 	const unsigned char *host = (const unsigned char*)hostname;
121 
122 	log_info("generating new certificate for %s (it could take a while)",
123 	    host);
124 
125 	if ((pkey = EVP_PKEY_new()) == NULL)
126 		fatalx("couldn't create a new private key");
127 
128 	if ((rsa = RSA_new()) == NULL)
129 		fatalx("couldn't generate rsa");
130 
131 	if ((e = BN_new()) == NULL)
132 		fatalx("couldn't allocate a bignum");
133 
134 	BN_set_word(e, RSA_F4);
135 	if (!RSA_generate_key_ex(rsa, 4096, e, NULL))
136 		fatalx("couldn't generate a rsa key");
137 
138 	if (!EVP_PKEY_assign_RSA(pkey, rsa))
139 		fatalx("couldn't assign the key");
140 
141 	if ((x509 = X509_new()) == NULL)
142 		fatalx("couldn't generate the X509 certificate");
143 
144 	ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
145 	X509_gmtime_adj(X509_get_notBefore(x509), 0);
146 	X509_gmtime_adj(X509_get_notAfter(x509), 315360000L); /* 10 years */
147 	X509_set_version(x509, 3);
148 
149 	if (!X509_set_pubkey(x509, pkey))
150 		fatalx("couldn't set the public key");
151 
152 	name = X509_get_subject_name(x509);
153 	if (!X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, host, -1, -1, 0))
154 		fatalx("couldn't add CN to cert");
155 	X509_set_issuer_name(x509, name);
156 
157 	if (!X509_sign(x509, pkey, EVP_sha256()))
158 		fatalx("couldn't sign the certificate");
159 
160 	if ((f = fopen(keypath, "w")) == NULL)
161 		fatal("can't open %s", keypath);
162 	if (!PEM_write_PrivateKey(f, pkey, NULL, NULL, 0, NULL, NULL))
163 		fatalx("couldn't write private key");
164 	fclose(f);
165 
166 	if ((f = fopen(certpath, "w")) == NULL)
167 		fatal("can't open %s", certpath);
168 	if (!PEM_write_X509(f, x509))
169 		fatalx("couldn't write cert");
170 	fclose(f);
171 
172 	BN_free(e);
173 	X509_free(x509);
174 	RSA_free(rsa);
175 
176 	log_info("certificate successfully generated");
177 }
178 
179 X509_STORE *
180 load_ca(const char *path)
181 {
182 	FILE		*f = NULL;
183 	X509		*x = NULL;
184 	X509_STORE	*store;
185 
186 	if ((store = X509_STORE_new()) == NULL)
187 		return NULL;
188 
189 	if ((f = fopen(path, "r")) == NULL)
190 		goto err;
191 
192 	if ((x = PEM_read_X509(f, NULL, NULL, NULL)) == NULL)
193 		goto err;
194 
195 	if (X509_check_ca(x) == 0)
196 		goto err;
197 
198 	if (!X509_STORE_add_cert(store, x))
199 		goto err;
200 
201 	X509_free(x);
202 	fclose(f);
203 	return store;
204 
205 err:
206 	X509_STORE_free(store);
207 	if (x != NULL)
208 		X509_free(x);
209 	if (f != NULL)
210 		fclose(f);
211 	return NULL;
212 }
213 
214 int
215 validate_against_ca(X509_STORE *ca, const uint8_t *chain, size_t len)
216 {
217 	X509		*client;
218 	BIO		*m;
219 	X509_STORE_CTX	*ctx = NULL;
220 	int		 ret = 0;
221 
222 	if ((m = BIO_new_mem_buf(chain, len)) == NULL)
223 		return 0;
224 
225 	if ((client = PEM_read_bio_X509(m, NULL, NULL, NULL)) == NULL)
226 		goto end;
227 
228 	if ((ctx = X509_STORE_CTX_new()) == NULL)
229 		goto end;
230 
231 	if (!X509_STORE_CTX_init(ctx, ca, client, NULL))
232 		goto end;
233 
234 	ret = X509_verify_cert(ctx);
235 
236 end:
237 	BIO_free(m);
238 	if (client != NULL)
239 		X509_free(client);
240 	if (ctx != NULL)
241 		X509_STORE_CTX_free(ctx);
242 	return ret;
243 }
244 
245 struct vhost *
246 new_vhost(void)
247 {
248 	struct vhost *h;
249 
250 	h = xcalloc(1, sizeof(*h));
251 	TAILQ_INIT(&h->locations);
252 	TAILQ_INIT(&h->params);
253 	TAILQ_INIT(&h->aliases);
254 	TAILQ_INIT(&h->proxies);
255 	return h;
256 }
257 
258 struct location *
259 new_location(void)
260 {
261 	struct location *l;
262 
263 	l = xcalloc(1, sizeof(*l));
264 	l->dirfd = -1;
265 	l->fcgi = -1;
266 	return l;
267 }
268 
269 struct proxy *
270 new_proxy(void)
271 {
272 	struct proxy *p;
273 
274 	p = xcalloc(1, sizeof(*p));
275 	p->protocols = TLS_PROTOCOLS_DEFAULT;
276 	return p;
277 }