1 /*
2  * Copyright (c) 2020, 2021, 2022, 2023 Omar Polo <op@omarpolo.com>
3  *
4  * Permission to use, copy, modify, and distribute this software for any
5  * purpose with or without fee is hereby granted, provided that the above
6  * copyright notice and this permission notice appear in all copies.
7  *
8  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15  */
16 
17 #ifndef GMID_H
18 #define GMID_H
19 
20 #include "config.h"
21 
22 #include <sys/socket.h>
23 #include <sys/types.h>
24 
25 #include <arpa/inet.h>
26 #include <netinet/in.h>
27 
28 #include <dirent.h>
29 #include <limits.h>
30 #include <netdb.h>
31 #include <signal.h>
32 #include <stdio.h>
33 #include <stdlib.h>
34 #include <time.h>
35 #include <tls.h>
36 #include <unistd.h>
37 
38 #include <openssl/x509.h>
39 
40 #if HAVE_EVENT2
41 # include <event2/event.h>
42 # include <event2/event_compat.h>
43 # include <event2/event_struct.h>
44 # include <event2/buffer.h>
45 # include <event2/buffer_compat.h>
46 # include <event2/bufferevent.h>
47 # include <event2/bufferevent_struct.h>
48 # include <event2/bufferevent_compat.h>
49 #else
50 # include <event.h>
51 #endif
52 
53 #include "iri.h"
54 
55 #define VERSION_STR(n)	n " " VERSION
56 #define GE_STRING	VERSION_STR("ge")
57 #define GG_STRING	VERSION_STR("gg")
58 #define GMID_STRING	VERSION_STR("gmid")
59 
60 #define GMID_VERSION	"gmid/" VERSION
61 
62 #define GEMINI_URL_LEN (1024+3)	/* URL max len + \r\n + \0 */
63 
64 #define SUCCESS		20
65 #define TEMP_REDIRECT	30
66 #define TEMP_FAILURE	40
67 #define CGI_ERROR	42
68 #define PROXY_ERROR	43
69 #define NOT_FOUND	51
70 #define PROXY_REFUSED	53
71 #define BAD_REQUEST	59
72 #define CLIENT_CERT_REQ	60
73 #define CERT_NOT_AUTH	61
74 
75 /* maximum hostname and label length, +1 for the NUL-terminator */
76 #define DOMAIN_NAME_LEN	(253+1)
77 #define LABEL_LEN	(63+1)
78 
79 #define MEDIATYPE_NAMEMAX	128	/* file name extension */
80 #define MEDIATYPE_TYPEMAX	128	/* length of type/subtype */
81 
82 #define FCGI_NAME_MAX		511
83 #define FCGI_VAL_MAX		511
84 
85 #define PROC_MAX_INSTANCES	16
86 
87 #define TLS_CERT_HASH_SIZE	128
88 
89 /* forward declaration */
90 struct privsep;
91 struct privsep_proc;
92 
93 enum log_format {
94 	LOG_FORMAT_CONDENSED,
95 	LOG_FORMAT_COMMON,
96 	LOG_FORMAT_COMBINED,
97 	LOG_FORMAT_LEGACY,
98 };
99 
100 struct parser {
101 	char		*iri;
102 	struct iri	*parsed;
103 	const char	*err;
104 };
105 
106 struct conf;
107 TAILQ_HEAD(addrhead, address);
108 struct address {
109 	int			 ai_flags;
110 	int			 ai_family;
111 	int			 ai_socktype;
112 	int			 ai_protocol;
113 	struct sockaddr_storage	 ss;
114 	socklen_t		 slen;
115 	int16_t			 port;
116 
117 	/* used in the server */
118 	struct conf		*conf;
119 	int			 sock;
120 	struct event		 evsock; /* set if sock != -1 */
121 	struct tls		*ctx;
122 
123 	TAILQ_ENTRY(address)	 addrs;
124 };
125 
126 TAILQ_HEAD(fcgihead, fcgi);
127 struct fcgi {
128 	int		 id;
129 	char		 path[PATH_MAX];
130 	char		 port[32];
131 	TAILQ_ENTRY(fcgi) fcgi;
132 };
133 
134 TAILQ_HEAD(envhead, envlist);
135 struct envlist {
136 	char		 name[FCGI_NAME_MAX];
137 	char		 value[FCGI_VAL_MAX];
138 	TAILQ_ENTRY(envlist) envs;
139 };
140 
141 TAILQ_HEAD(aliashead, alist);
142 struct alist {
143 	char		alias[HOST_NAME_MAX + 1];
144 	TAILQ_ENTRY(alist) aliases;
145 };
146 
147 TAILQ_HEAD(proxyhead, proxy);
148 struct proxy {
149 	char		 match_proto[32];
150 	char		 match_host[HOST_NAME_MAX + 1];
151 	char		 match_port[32];
152 
153 	char		 host[HOST_NAME_MAX + 1];
154 	char		 port[32];
155 	char		 sni[HOST_NAME_MAX];
156 	int		 notls;
157 	uint32_t	 protocols;
158 	int		 noverifyname;
159 	char		*cert_path;
160 	uint8_t		*cert;
161 	size_t		 certlen;
162 	char		*key_path;
163 	uint8_t		*key;
164 	size_t		 keylen;
165 	char		*reqca_path;
166 	X509_STORE	*reqca;
167 
168 	TAILQ_ENTRY(proxy) proxies;
169 };
170 
171 TAILQ_HEAD(lochead, location);
172 struct location {
173 	char		 match[128];
174 	char		 lang[32];
175 	char		 default_mime[MEDIATYPE_TYPEMAX];
176 	char		 index[PATH_MAX];
177 	int		 auto_index; /* 0 auto, -1 off, 1 on */
178 	int		 block_code;
179 	char		 block_fmt[GEMINI_URL_LEN];
180 	int		 strip;
181 	char		*reqca_path;
182 	X509_STORE	*reqca;
183 	int		 disable_log;
184 	int		 fcgi;
185 	int		 nofcgi;
186 	struct envhead	 params;
187 
188 	char		 dir[PATH_MAX];
189 	int		 dirfd;
190 
191 	TAILQ_ENTRY(location) locations;
192 };
193 
194 TAILQ_HEAD(vhosthead, vhost);
195 struct vhost {
196 	char		 domain[HOST_NAME_MAX + 1];
197 	char		*cert_path;
198 	char		*key_path;
199 	char		*ocsp_path;
200 
201 	uint8_t		*cert;
202 	size_t		 certlen;
203 
204 	uint8_t		*key;
205 	size_t		 keylen;
206 
207 	uint8_t		*ocsp;
208 	size_t		 ocsplen;
209 
210 	TAILQ_ENTRY(vhost) vhosts;
211 
212 	struct addrhead	 addrs;
213 
214 	/*
215 	 * the first location rule is always '*' and holds the default
216 	 * settings for the vhost, then follows the "real" location
217 	 * rules as specified in the configuration.
218 	 */
219 	struct lochead	 locations;
220 
221 	struct aliashead aliases;
222 	struct proxyhead proxies;
223 };
224 
225 struct etm {			/* extension to mime */
226 	char	 mime[MEDIATYPE_TYPEMAX];
227 	char	 ext[MEDIATYPE_NAMEMAX];
228 };
229 
230 struct mime {
231 	struct etm	*t;
232 	size_t		 len;
233 	size_t		 cap;
234 };
235 
236 TAILQ_HEAD(pkihead, pki);
237 struct pki {
238 	char		*hash;
239 	EVP_PKEY	*pkey;
240 	TAILQ_ENTRY(pki) pkis;
241 };
242 
243 struct conf {
244 	struct privsep	*ps;
245 	uint32_t	 protos;
246 	struct mime	 mime;
247 	char		 chroot[PATH_MAX];
248 	char		 user[LOGIN_NAME_MAX];
249 	int		 prefork;
250 	int		 reload;
251 	int		 log_syslog;
252 	int		 log_facility;
253 	char		*log_access;
254 	enum log_format	 log_format;
255 	int		 use_privsep_crypto;
256 
257 	struct fcgihead	 fcgi;
258 	struct vhosthead hosts;
259 	struct pkihead	 pkis;
260 	struct addrhead	 addrs;
261 };
262 
263 extern const char *config_path;
264 
265 extern int servpipes[PROC_MAX_INSTANCES];
266 extern int privsep_process;
267 
268 typedef void (imsg_handlerfn)(struct imsgbuf*, struct imsg*, size_t);
269 
270 enum {
271 	REQUEST_UNDECIDED,
272 	REQUEST_FILE,
273 	REQUEST_DIR,
274 	REQUEST_FCGI,
275 	REQUEST_PROXY,
276 	REQUEST_DONE,
277 };
278 
279 struct client {
280 	struct conf	*conf;
281 	struct address	*addr;
282 	uint32_t	 id;
283 	struct tls	*ctx;
284 	char		*req;
285 	size_t		 reqlen;
286 	struct iri	 iri;
287 	char		 domain[DOMAIN_NAME_LEN];
288 	char		 rhost[NI_MAXHOST];
289 	char		 rserv[NI_MAXSERV];
290 
291 	struct bufferevent *bev;
292 
293 	int		 type;
294 
295 	struct bufferevent *cgibev;
296 
297 	struct proxy	*proxy;
298 	struct bufferevent *proxybev;
299 	struct tls	*proxyctx;
300 	int		 proxyevset;
301 	struct event	 proxyev;
302 
303 	char		*header;
304 
305 	int		 code;
306 	const char	*meta;
307 	int		 fd, pfd;
308 	struct dirent	**dir;
309 	int		 dirlen, diroff;
310 
311 	/* big enough to store STATUS + SPACE + META + CRLF */
312 	char		 sbuf[1029];
313 	size_t		 soff;
314 
315 	struct sockaddr_storage	 raddr;
316 	socklen_t		 raddrlen;
317 
318 	struct vhost	*host;	/* host they're talking to */
319 	size_t		 loc;	/* location matched */
320 
321 	SPLAY_ENTRY(client) entry;
322 };
323 SPLAY_HEAD(client_tree_id, client);
324 extern struct client_tree_id clients;
325 
326 struct connreq {
327 	char	host[NI_MAXHOST];
328 	char	port[NI_MAXSERV];
329 	int	flag;
330 };
331 
332 enum imsg_type {
333 	IMSG_LOG_REQUEST,
334 	IMSG_LOG_ACCESS,
335 	IMSG_LOG_SYSLOG,
336 	IMSG_LOG_FACILITY,
337 
338 	IMSG_RECONF_START,
339 	IMSG_RECONF_LOG_FMT,
340 	IMSG_RECONF_MIME,
341 	IMSG_RECONF_PROTOS,
342 	IMSG_RECONF_SOCK,
343 	IMSG_RECONF_FCGI,
344 	IMSG_RECONF_HOST,
345 	IMSG_RECONF_CERT,
346 	IMSG_RECONF_KEY,
347 	IMSG_RECONF_OCSP,
348 	IMSG_RECONF_HOST_ADDR,
349 	IMSG_RECONF_LOC,
350 	IMSG_RECONF_ENV,
351 	IMSG_RECONF_ALIAS,
352 	IMSG_RECONF_PROXY,
353 	IMSG_RECONF_PROXY_CERT,
354 	IMSG_RECONF_PROXY_KEY,
355 	IMSG_RECONF_END,
356 	IMSG_RECONF_DONE,
357 
358 	IMSG_CRYPTO_RSA_PRIVENC,
359 	IMSG_CRYPTO_RSA_PRIVDEC,
360 	IMSG_CRYPTO_ECDSA_SIGN,
361 
362 	IMSG_CTL_PROCFD,
363 };
364 
365 /* gmid.c */
366 char		*data_dir(void);
367 void		 load_local_cert(struct vhost*, const char*, const char*);
368 
369 /* gmid.c / ge.c */
370 void		 log_request(struct client *, int, const char *);
371 
372 /* config.c */
373 struct conf	*config_new(void);
374 void		 config_purge(struct conf *);
375 int		 config_send(struct conf *);
376 int		 config_recv(struct conf *, struct imsg *);
377 int		 config_test(struct conf *);
378 
379 /* crypto.c */
380 void		 crypto(struct privsep *, struct privsep_proc *);
381 void		 crypto_engine_init(struct conf *);
382 
383 /* parse.y */
384 void		 yyerror(const char*, ...);
385 int		 parse_conf(struct conf *, const char*);
386 int		 cmdline_symset(char *);
387 
388 /* mime.c */
389 void		 init_mime(struct mime*);
390 int		 add_mime(struct mime*, const char*, const char*);
391 int		 load_default_mime(struct mime*);
392 void		 sort_mime(struct mime *);
393 const char	*mime(struct conf *, struct vhost*, const char*);
394 void		 free_mime(struct mime *);
395 
396 /* server.c */
397 extern int	shutting_down;
398 const char	*vhost_lang(struct vhost*, const char*);
399 const char	*vhost_default_mime(struct vhost*, const char*);
400 const char	*vhost_index(struct vhost*, const char*);
401 int		 vhost_auto_index(struct vhost*, const char*);
402 int		 vhost_block_return(struct vhost*, const char*, int*, const char**);
403 struct location	*vhost_fastcgi(struct vhost*, const char*);
404 int		 vhost_dirfd(struct vhost*, const char*, size_t*);
405 int		 vhost_strip(struct vhost*, const char*);
406 X509_STORE	*vhost_require_ca(struct vhost*, const char*);
407 int		 vhost_disable_log(struct vhost*, const char*);
408 
409 void		 mark_nonblock(int);
410 void		 client_write(struct bufferevent *, void *);
411 void		 start_reply(struct client*, int, const char*);
412 void		 client_close(struct client *);
413 struct client	*client_by_id(int);
414 void		 server_accept(int, short, void *);
415 void		 server_init(struct privsep *, struct privsep_proc *, void *);
416 int		 server_configure_done(struct conf *);
417 void		 server(struct privsep *ps, struct privsep_proc *);
418 
419 int		 client_tree_cmp(struct client *, struct client *);
420 SPLAY_PROTOTYPE(client_tree_id, client, entry, client_tree_cmp);
421 
422 /* dirs.c */
423 int		 scandir_fd(int, struct dirent***, int(*)(const struct dirent*),
424 		    int(*)(const struct dirent**, const struct dirent**));
425 int		 select_non_dot(const struct dirent*);
426 int		 select_non_dotdot(const struct dirent*);
427 
428 /* fcgi.c */
429 void		 fcgi_read(struct bufferevent *, void *);
430 void		 fcgi_write(struct bufferevent *, void *);
431 void		 fcgi_error(struct bufferevent *, short, void *);
432 void		 fcgi_req(struct client *, struct location *);
433 
434 /* sandbox.c */
435 void		 sandbox_main_process(void);
436 void		 sandbox_server_process(void);
437 void		 sandbox_crypto_process(void);
438 void		 sandbox_logger_process(void);
439 
440 /* utf8.c */
441 int		 valid_multibyte_utf8(struct parser*);
442 char		*utf8_nth(char*, size_t);
443 
444 /* logger.c */
445 void		 logger(struct privsep *, struct privsep_proc *);
446 
447 /* proxy.c */
448 int		 proxy_init(struct client *);
449 
450 /* puny.c */
451 int		 puny_decode(const char*, char*, size_t, const char**);
452 
453 /* utils.c */
454 void		 block_signals(void);
455 void		 unblock_signals(void);
456 const char	*strip_path(const char *, int);
457 int		 starts_with(const char*, const char*);
458 int		 ends_with(const char*, const char*);
459 ssize_t		 filesize(int);
460 char		*absolutify_path(const char*);
461 char		*xstrdup(const char*);
462 void		*xcalloc(size_t, size_t);
463 void		 gen_certificate(const char*, const char*, const char*);
464 X509_STORE	*load_ca(uint8_t *, size_t);
465 int		 validate_against_ca(X509_STORE*, const uint8_t*, size_t);
466 void		 ssl_error(const char *);
467 char		*ssl_pubkey_hash(const uint8_t *, size_t);
468 EVP_PKEY	*ssl_load_pkey(const uint8_t *, size_t);
469 struct vhost	*new_vhost(void);
470 struct location	*new_location(void);
471 struct proxy	*new_proxy(void);
472 
473 #endif