1 /*
2  * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #include <err.h>
18 #include <errno.h>
19 
20 #include <fcntl.h>
21 #include <libgen.h>
22 #include <limits.h>
23 #include <signal.h>
24 #include <stdarg.h>
25 #include <string.h>
26 
27 #include "gmid.h"
28 
29 int
30 send_string(int fd, const char *str)
31 {
32 	ssize_t len;
33 
34 	if (str == NULL)
35 		len = 0;
36 	else
37 		len = strlen(str);
38 
39 	if (write(fd, &len, sizeof(len)) != sizeof(len))
40 		return 0;
41 
42 	if (len != 0)
43 		if (write(fd, str, len) != len)
44 			return 0;
45 
46 	return 1;
47 }
48 
49 int
50 recv_string(int fd, char **ret)
51 {
52 	ssize_t len;
53 
54 	if (read(fd, &len, sizeof(len)) != sizeof(len))
55 		return 0;
56 
57 	if (len == 0) {
58 		*ret = NULL;
59 		return 1;
60 	}
61 
62 	if ((*ret = calloc(1, len+1)) == NULL)
63 		return 0;
64 
65 	if (read(fd, *ret, len) != len)
66 		return 0;
67 	return 1;
68 }
69 
70 int
71 send_iri(int fd, struct iri *i)
72 {
73 	return send_string(fd, i->schema)
74 		&& send_string(fd, i->host)
75 		&& send_string(fd, i->port)
76 		&& send_string(fd, i->path)
77 		&& send_string(fd, i->query);
78 }
79 
80 int
81 recv_iri(int fd, struct iri *i)
82 {
83 	memset(i, 0, sizeof(*i));
84 
85 	if (!recv_string(fd, &i->schema)
86 	    || !recv_string(fd, &i->host)
87 	    || !recv_string(fd, &i->port)
88 	    || !recv_string(fd, &i->path)
89 	    || !recv_string(fd, &i->query))
90 		return 0;
91 
92 	return 1;
93 }
94 
95 void
96 free_recvd_iri(struct iri *i)
97 {
98 	free(i->schema);
99 	free(i->host);
100 	free(i->port);
101 	free(i->path);
102 	free(i->query);
103 }
104 
105 int
106 send_vhost(int fd, struct vhost *vhost)
107 {
108 	ssize_t n;
109 
110 	if (vhost < hosts || vhost > hosts + HOSTSLEN)
111 		return 0;
112 
113 	n = vhost - hosts;
114 	return write(fd, &n, sizeof(n)) == sizeof(n);
115 }
116 
117 int
118 recv_vhost(int fd, struct vhost **vhost)
119 {
120 	ssize_t n;
121 
122 	if (read(fd, &n, sizeof(n)) != sizeof(n))
123 		return 0;
124 
125 	if (n < 0 || n > HOSTSLEN)
126 		return 0;
127 
128 	*vhost = &hosts[n];
129 	if ((*vhost)->domain == NULL)
130 		return 0;
131 	return 1;
132 }
133 
134 /* send d though fd. see /usr/src/usr.sbin/syslogd/privsep_fdpass.c
135  * for an example */
136 int
137 send_fd(int fd, int d)
138 {
139 	struct msghdr msg;
140 	union {
141 		struct cmsghdr hdr;
142 		unsigned char buf[CMSG_SPACE(sizeof(int))];
143 	} cmsgbuf;
144 	struct cmsghdr *cmsg;
145 	struct iovec vec;
146 	int result = 1;
147 	ssize_t n;
148 
149 	memset(&msg, 0, sizeof(msg));
150 
151 	if (d >= 0) {
152 		msg.msg_control = &cmsgbuf.buf;
153 		msg.msg_controllen = sizeof(cmsgbuf.buf);
154 		cmsg = CMSG_FIRSTHDR(&msg);
155 		cmsg->cmsg_len = CMSG_LEN(sizeof(int));
156 		cmsg->cmsg_level = SOL_SOCKET;
157 		cmsg->cmsg_type = SCM_RIGHTS;
158 		*(int*)CMSG_DATA(cmsg) = d;
159 	} else
160 		result = 0;
161 
162 	vec.iov_base = &result;
163 	vec.iov_len = sizeof(int);
164 	msg.msg_iov = &vec;
165 	msg.msg_iovlen = 1;
166 
167 	if ((n = sendmsg(fd, &msg, 0)) == -1 || n != sizeof(int)) {
168                 log_err(NULL, "sendmsg: got %zu but wanted %zu: (errno) %s",
169 		    n, sizeof(int), strerror(errno));
170 		return 0;
171 	}
172 	return 1;
173 }
174 
175 /* receive a descriptor via fd */
176 int
177 recv_fd(int fd)
178 {
179 	struct msghdr msg;
180 	union {
181 		struct cmsghdr hdr;
182 		char buf[CMSG_SPACE(sizeof(int))];
183 	} cmsgbuf;
184 	struct cmsghdr *cmsg;
185 	struct iovec vec;
186 	ssize_t n;
187 	int result;
188 
189 	memset(&msg, 0, sizeof(msg));
190 	vec.iov_base = &result;
191 	vec.iov_len = sizeof(int);
192 	msg.msg_iov = &vec;
193 	msg.msg_iovlen = 1;
194 	msg.msg_control = &cmsgbuf.buf;
195 	msg.msg_controllen = sizeof(cmsgbuf.buf);
196 
197 	if ((n = recvmsg(fd, &msg, 0)) != sizeof(int)) {
198 		log_err(NULL, "read %zu bytes bu wanted %zu\n", n, sizeof(int));
199 		return -1;
200 	}
201 
202 	if (result) {
203 		cmsg = CMSG_FIRSTHDR(&msg);
204 		if (cmsg == NULL || cmsg->cmsg_type != SCM_RIGHTS)
205 			return -1;
206 		return (*(int *)CMSG_DATA(cmsg));
207 	} else
208 		return -1;
209 }
210 
211 static inline void
212 safe_setenv(const char *name, const char *val)
213 {
214 	if (val == NULL)
215 		val = "";
216 	setenv(name, val, 1);
217 }
218 
219 static char *
220 xasprintf(const char *fmt, ...)
221 {
222 	va_list ap;
223 	char *s;
224 
225 	va_start(ap, fmt);
226 	if (vasprintf(&s, fmt, ap) == -1)
227 		s = NULL;
228 	va_end(ap);
229 
230 	return s;
231 }
232 
233 static void
234 do_exec(const char *ex, const char *spath, char *query)
235 {
236 	char **argv, buf[PATH_MAX], *sname, *t;
237 	size_t i, n;
238 
239 	strlcpy(buf, spath, sizeof(buf));
240 	sname = basename(buf);
241 
242 	if (query == NULL || strchr(query, '=') != NULL) {
243 		if ((argv = calloc(2, sizeof(char*))) == NULL)
244 			err(1, "calloc");
245 		argv[0] = sname;
246 		execvp(ex, argv);
247 		warn("execvp: %s", argv[0]);
248 		return;
249 	}
250 
251 	n = 1;
252 	for (t = query ;; t++, n++) {
253 		if ((t = strchr(t, '+')) == NULL)
254 			break;
255 	}
256 
257 	if ((argv = calloc(n+2, sizeof(char*))) == NULL)
258 		err(1, "calloc");
259 
260 	argv[0] = sname;
261 	for (i = 0; i < n; ++i) {
262 		t = strchr(query, '+');
263 		if (t != NULL)
264 			*t = '\0';
265 		argv[i+1] = pct_decode_str(query);
266 		query = t+1;
267 	}
268 
269 	execvp(ex, argv);
270 	warn("execvp: %s", argv[0]);
271 }
272 
273 /* fd or -1 on error */
274 static int
275 launch_cgi(struct iri *iri, const char *spath, char *relpath,
276     const char *addr, const char *ruser, const char *cissuer,
277     const char *chash, struct vhost *vhost)
278 {
279 	int p[2];		/* read end, write end */
280 
281 	if (pipe(p) == -1)
282 		return -1;
283 
284 	switch (fork()) {
285 	case -1:
286 		return -1;
287 
288 	case 0: {		/* child */
289 		char *ex, *pwd;
290 		char iribuf[GEMINI_URL_LEN];
291 		char path[PATH_MAX];
292 
293 		close(p[0]);
294 		if (dup2(p[1], 1) == -1)
295 			goto childerr;
296 
297 		ex = xasprintf("%s/%s", vhost->dir, spath);
298 
299 		serialize_iri(iri, iribuf, sizeof(iribuf));
300 
301 		safe_setenv("GATEWAY_INTERFACE", "CGI/1.1");
302 		safe_setenv("GEMINI_DOCUMENT_ROOT", vhost->dir);
303 		safe_setenv("GEMINI_SCRIPT_FILENAME",
304 		    xasprintf("%s/%s", vhost->dir, spath));
305 		safe_setenv("GEMINI_URL", iribuf);
306 
307 		strlcpy(path, "/", sizeof(path));
308 		strlcat(path, spath, sizeof(path));
309 		safe_setenv("GEMINI_URL_PATH", path);
310 
311 		if (relpath != NULL) {
312 			strlcpy(path, "/", sizeof(path));
313 			strlcat(path, relpath, sizeof(path));
314 			safe_setenv("PATH_INFO", path);
315 
316 			strlcpy(path, vhost->dir, sizeof(path));
317 			strlcat(path, "/", sizeof(path));
318 			strlcat(path, relpath, sizeof(path));
319 			safe_setenv("PATH_TRANSLATED", path);
320 		}
321 
322 		safe_setenv("QUERY_STRING", iri->query);
323 		safe_setenv("REMOTE_ADDR", addr);
324 		safe_setenv("REMOTE_HOST", addr);
325 		safe_setenv("REQUEST_METHOD", "");
326 
327 		strlcpy(path, "/", sizeof(path));
328 		strlcat(path, spath, sizeof(path));
329 		safe_setenv("SCRIPT_NAME", path);
330 
331 		safe_setenv("SERVER_NAME", iri->host);
332 
333 		snprintf(path, sizeof(path), "%d", conf.port);
334 		safe_setenv("SERVER_PORT", path);
335 
336 		safe_setenv("SERVER_PROTOCOL", "GEMINI");
337 		safe_setenv("SERVER_SOFTWARE", "gmid/1.5");
338 
339 		if (ruser != NULL)
340 			safe_setenv("AUTH_TYPE", "Certificate");
341 		else
342 			safe_setenv("AUTH_TYPE", "");
343 
344 		safe_setenv("REMOTE_USER", ruser);
345 		safe_setenv("TLS_CLIENT_ISSUER", cissuer);
346 		safe_setenv("TLS_CLIENT_HASH", chash);
347 
348 		strlcpy(path, ex, sizeof(path));
349 
350 		pwd = dirname(path);
351 		if (chdir(pwd)) {
352 			warn("chdir");
353 			goto childerr;
354 		}
355 
356 		do_exec(ex, spath, iri->query);
357 		goto childerr;
358 	}
359 
360 	default:
361 		close(p[1]);
362 		mark_nonblock(p[0]);
363 		return p[0];
364 	}
365 
366 childerr:
367 	dprintf(p[1], "%d internal server error\r\n", TEMP_FAILURE);
368 	_exit(1);
369 }
370 
371 int
372 executor_main()
373 {
374 	char *spath, *relpath, *addr, *ruser, *cissuer, *chash;
375         struct vhost *vhost;
376 	struct iri iri;
377 	int d;
378 
379 #ifdef __OpenBSD__
380 	for (vhost = hosts; vhost->domain != NULL; ++vhost) {
381 		/* r so we can chdir into the correct directory */
382 		if (unveil(vhost->dir, "rx") == -1)
383 			err(1, "unveil %s for domain %s",
384 			    vhost->dir, vhost->domain);
385 	}
386 
387 	/* rpath to chdir into the correct directory */
388 	if (pledge("stdio rpath sendfd proc exec", NULL))
389 		err(1, "pledge");
390 #endif
391 
392 	while (!hupped) {
393 		if (!recv_iri(exfd, &iri)
394 		    || !recv_string(exfd, &spath)
395 		    || !recv_string(exfd, &relpath)
396 		    || !recv_string(exfd, &addr)
397 		    || !recv_string(exfd, &ruser)
398 		    || !recv_string(exfd, &cissuer)
399 		    || !recv_string(exfd, &chash)
400 		    || !recv_vhost(exfd, &vhost))
401 			break;
402 
403 		d = launch_cgi(&iri, spath, relpath, addr, ruser, cissuer, chash,
404 		    vhost);
405 		if (!send_fd(exfd, d))
406 			break;
407 		close(d);
408 
409 		free_recvd_iri(&iri);
410 		free(spath);
411 		free(relpath);
412 		free(addr);
413 		free(ruser);
414 		free(cissuer);
415 		free(chash);
416 	}
417 
418 	if (hupped)
419 		_exit(0);
420 
421 	/* kill all process in my group.  This means the listener and
422 	 * every pending CGI script. */
423 	kill(0, SIGINT);
424 	return 1;
425 }