op public repos

Blob

Date:: Fri Jun 23 21:03:29 2023 UTC
Message:: implement `listen on' Listening by default on all the addresses is so bad I don't know why I haven't changed this before. Anyway. Add a `listen on $hostname port $port' syntax to the config file and deprecate the old "port" and "ipv6" global setting. Still try to honour them when no "listen on" directive is used for backward compatibily, but this will go away in the next next version hopefully. At the moment the `listen on' in server context don't filter the host, i.e. one can still reach a host from a address not specified in the corresponding `liste on', this will be added later.
Actions:: History | Blame | Raw File
1 /*
2  * Copyright (c) 2021 Omar Polo <op@omarpolo.com>
3  * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org>
4  * Copyright (c) 2008 Reyk Floeter <reyk@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #include "gmid.h"
20 
21 #include <errno.h>
22 #include <string.h>
23 
24 #include <openssl/bn.h>
25 #include <openssl/err.h>
26 #include <openssl/pem.h>
27 #include <openssl/x509_vfy.h>
28 #include <openssl/x509v3.h>
29 
30 #include "log.h"
31 
32 int
33 starts_with(const char *str, const char *prefix)
34 {
35 	size_t i;
36 
37 	if (prefix == NULL)
38 		return 0;
39 
40 	for (i = 0; prefix[i] != '\0'; ++i)
41 		if (str[i] != prefix[i])
42 			return 0;
43 	return 1;
44 }
45 
46 int
47 ends_with(const char *str, const char *sufx)
48 {
49 	size_t i, j;
50 
51 	i = strlen(str);
52 	j = strlen(sufx);
53 
54 	if (j > i)
55 		return 0;
56 
57 	i -= j;
58 	for (j = 0; str[i] != '\0'; i++, j++)
59 		if (str[i] != sufx[j])
60 			return 0;
61 	return 1;
62 }
63 
64 ssize_t
65 filesize(int fd)
66 {
67 	ssize_t len;
68 
69 	if ((len = lseek(fd, 0, SEEK_END)) == -1)
70 		return -1;
71 	if (lseek(fd, 0, SEEK_SET) == -1)
72 		return -1;
73 	return len;
74 }
75 
76 char *
77 absolutify_path(const char *path)
78 {
79 	char *wd, *r;
80 
81 	if (*path == '/') {
82 		if ((r = strdup(path)) == NULL)
83 			fatal("strdup");
84 		return r;
85 	}
86 
87 	wd = getcwd(NULL, 0);
88 	if (asprintf(&r, "%s/%s", wd, path) == -1)
89 		fatal("asprintf");
90 	free(wd);
91 	return r;
92 }
93 
94 char *
95 xstrdup(const char *s)
96 {
97 	char *d;
98 
99 	if ((d = strdup(s)) == NULL)
100 		fatal("strdup");
101 	return d;
102 }
103 
104 void *
105 xcalloc(size_t nmemb, size_t size)
106 {
107 	void *d;
108 
109 	if ((d = calloc(nmemb, size)) == NULL)
110 		fatal("calloc");
111 	return d;
112 }
113 
114 void
115 gen_certificate(const char *hostname, const char *certpath, const char *keypath)
116 {
117 	BIGNUM		*e;
118 	EVP_PKEY	*pkey;
119 	RSA		*rsa;
120 	X509		*x509;
121 	X509_NAME	*name;
122 	FILE		*f;
123 	const unsigned char *host = (const unsigned char*)hostname;
124 
125 	log_info("generating new certificate for %s (it could take a while)",
126 	    host);
127 
128 	if ((pkey = EVP_PKEY_new()) == NULL)
129 		fatalx("couldn't create a new private key");
130 
131 	if ((rsa = RSA_new()) == NULL)
132 		fatalx("couldn't generate rsa");
133 
134 	if ((e = BN_new()) == NULL)
135 		fatalx("couldn't allocate a bignum");
136 
137 	BN_set_word(e, RSA_F4);
138 	if (!RSA_generate_key_ex(rsa, 4096, e, NULL))
139 		fatalx("couldn't generate a rsa key");
140 
141 	if (!EVP_PKEY_assign_RSA(pkey, rsa))
142 		fatalx("couldn't assign the key");
143 
144 	if ((x509 = X509_new()) == NULL)
145 		fatalx("couldn't generate the X509 certificate");
146 
147 	ASN1_INTEGER_set(X509_get_serialNumber(x509), 0);
148 	X509_gmtime_adj(X509_get_notBefore(x509), 0);
149 	X509_gmtime_adj(X509_get_notAfter(x509), 315360000L); /* 10 years */
150 	X509_set_version(x509, 3);
151 
152 	if (!X509_set_pubkey(x509, pkey))
153 		fatalx("couldn't set the public key");
154 
155 	name = X509_get_subject_name(x509);
156 	if (!X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC, host, -1, -1, 0))
157 		fatalx("couldn't add CN to cert");
158 	X509_set_issuer_name(x509, name);
159 
160 	if (!X509_sign(x509, pkey, EVP_sha256()))
161 		fatalx("couldn't sign the certificate");
162 
163 	if ((f = fopen(keypath, "w")) == NULL)
164 		fatal("can't open %s", keypath);
165 	if (!PEM_write_PrivateKey(f, pkey, NULL, NULL, 0, NULL, NULL))
166 		fatalx("couldn't write private key");
167 	fclose(f);
168 
169 	if ((f = fopen(certpath, "w")) == NULL)
170 		fatal("can't open %s", certpath);
171 	if (!PEM_write_X509(f, x509))
172 		fatalx("couldn't write cert");
173 	fclose(f);
174 
175 	BN_free(e);
176 	X509_free(x509);
177 	RSA_free(rsa);
178 
179 	log_info("certificate successfully generated");
180 }
181 
182 X509_STORE *
183 load_ca(uint8_t *d, size_t len)
184 {
185 	BIO		*in;
186 	X509		*x = NULL;
187 	X509_STORE	*store;
188 
189 	if ((store = X509_STORE_new()) == NULL) {
190 		log_warnx("%s: X509_STORE_new failed", __func__);
191 		return NULL;
192 	}
193 
194 	if ((in = BIO_new_mem_buf(d, len)) == NULL) {
195 		log_warnx("%s: BIO_new_mem_buf failed", __func__);
196 		goto err;
197 	}
198 
199 	if ((x = PEM_read_bio_X509(in, NULL, NULL, NULL)) == NULL) {
200 		log_warnx("%s: PEM_read_bio_X509 failed", __func__);
201 		ssl_error("PEM_read_bio_X509");
202 		goto err;
203 	}
204 
205 	if (X509_check_ca(x) == 0) {
206 		ssl_error("X509_check_ca");
207 		goto err;
208 	}
209 
210 	if (!X509_STORE_add_cert(store, x)) {
211 		ssl_error("X509_STORE_add_cert");
212 		goto err;
213 	}
214 
215 	X509_free(x);
216 	BIO_free(in);
217 	return store;
218 
219 err:
220 	X509_STORE_free(store);
221 	if (x != NULL)
222 		X509_free(x);
223 	if (in != NULL)
224 		BIO_free(in);
225 	return NULL;
226 }
227 
228 int
229 validate_against_ca(X509_STORE *ca, const uint8_t *chain, size_t len)
230 {
231 	X509		*client;
232 	BIO		*m;
233 	X509_STORE_CTX	*ctx = NULL;
234 	int		 ret = 0;
235 
236 	if ((m = BIO_new_mem_buf(chain, len)) == NULL)
237 		return 0;
238 
239 	if ((client = PEM_read_bio_X509(m, NULL, NULL, NULL)) == NULL)
240 		goto end;
241 
242 	if ((ctx = X509_STORE_CTX_new()) == NULL)
243 		goto end;
244 
245 	if (!X509_STORE_CTX_init(ctx, ca, client, NULL))
246 		goto end;
247 
248 	ret = X509_verify_cert(ctx);
249 
250 end:
251 	BIO_free(m);
252 	if (client != NULL)
253 		X509_free(client);
254 	if (ctx != NULL)
255 		X509_STORE_CTX_free(ctx);
256 	return ret;
257 }
258 
259 void
260 ssl_error(const char *where)
261 {
262 	unsigned long	 code;
263 	char		 errbuf[128];
264 
265 	while ((code = ERR_get_error()) != 0) {
266 		ERR_error_string_n(code, errbuf, sizeof(errbuf));
267 		log_debug("debug: SSL library error: %s: %s", where, errbuf);
268 	}
269 }
270 
271 char *
272 ssl_pubkey_hash(const uint8_t *buf, size_t len)
273 {
274 	static const char hex[] = "0123456789abcdef";
275 	BIO		*in;
276 	X509		*x509 = NULL;
277 	char		*hash = NULL;
278 	size_t		 off;
279 	unsigned char	 digest[EVP_MAX_MD_SIZE];
280 	unsigned int	 dlen, i;
281 
282 	if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
283 		log_warnx("%s: BIO_new_mem_buf failed", __func__);
284 		return NULL;
285 	}
286 
287 	if ((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)) == NULL) {
288 		log_warnx("%s: PEM_read_bio_X509 failed", __func__);
289 		ssl_error("PEM_read_bio_X509");
290 		goto fail;
291 	}
292 
293 	if ((hash = malloc(TLS_CERT_HASH_SIZE)) == NULL) {
294 		log_warn("%s: malloc", __func__);
295 		goto fail;
296 	}
297 
298 	if (X509_pubkey_digest(x509, EVP_sha256(), digest, &dlen) != 1) {
299 		log_warnx("%s: X509_pubkey_digest failed", __func__);
300 		ssl_error("X509_pubkey_digest");
301 		free(hash);
302 		hash = NULL;
303 		goto fail;
304 	}
305 
306 	if (TLS_CERT_HASH_SIZE < 2 * dlen + sizeof("SHA256:"))
307 		fatalx("%s: hash buffer too small", __func__);
308 
309 	off = strlcpy(hash, "SHA256:", TLS_CERT_HASH_SIZE);
310 	for (i = 0; i < dlen; ++i) {
311 		hash[off++] = hex[(digest[i] >> 4) & 0xf];
312 		hash[off++] = hex[digest[i] & 0xf];
313 	}
314 	hash[off] = '\0';
315 
316  fail:
317 	BIO_free(in);
318 	if (x509)
319 		X509_free(x509);
320 	return hash;
321 }
322 
323 EVP_PKEY *
324 ssl_load_pkey(const uint8_t *buf, size_t len)
325 {
326 	BIO		*in;
327 	EVP_PKEY	*pkey;
328 
329 	if ((in = BIO_new_mem_buf(buf, len)) == NULL) {
330 		log_warnx("%s: BIO_new_mem_buf failed", __func__);
331 		return NULL;
332 	}
333 
334 	if ((pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, NULL)) == NULL) {
335 		log_warnx("%s: PEM_read_bio_PrivateKey failed", __func__);
336 		ssl_error("PEM_read_bio_PrivateKey");
337 	}
338 
339 	BIO_free(in);
340 	return pkey;
341 }
342 
343 struct vhost *
344 new_vhost(void)
345 {
346 	struct vhost *h;
347 
348 	h = xcalloc(1, sizeof(*h));
349 	TAILQ_INIT(&h->addrs);
350 	TAILQ_INIT(&h->locations);
351 	TAILQ_INIT(&h->params);
352 	TAILQ_INIT(&h->aliases);
353 	TAILQ_INIT(&h->proxies);
354 	return h;
355 }
356 
357 struct location *
358 new_location(void)
359 {
360 	struct location *l;
361 
362 	l = xcalloc(1, sizeof(*l));
363 	l->dirfd = -1;
364 	l->fcgi = -1;
365 	return l;
366 }
367 
368 struct proxy *
369 new_proxy(void)
370 {
371 	struct proxy *p;
372 
373 	p = xcalloc(1, sizeof(*p));
374 	p->protocols = TLS_PROTOCOLS_DEFAULT;
375 	return p;
376 }