1 /*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
4 This file is part of systemd.
6 Copyright 2012 Lennart Poettering
7 Copyright 2012 Zbigniew Jędrzejewski-Szmek
9 systemd is free software; you can redistribute it and/or modify it
10 under the terms of the GNU Lesser General Public License as published by
11 the Free Software Foundation; either version 2.1 of the License, or
12 (at your option) any later version.
14 systemd is distributed in the hope that it will be useful, but
15 WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 Lesser General Public License for more details.
19 You should have received a copy of the GNU Lesser General Public License
20 along with systemd; If not, see <http://www.gnu.org/licenses/>.
27 #include "microhttpd-util.h"
33 #include <gnutls/gnutls.h>
34 #include <gnutls/x509.h>
37 void microhttpd_logger(void *arg, const char *fmt, va_list ap) {
38 _cleanup_free_ char *f = NULL;
40 if (asprintf(&f, "microhttpd: %s", fmt) <= 0) {
45 DISABLE_WARNING_FORMAT_NONLITERAL;
46 log_metav(LOG_INFO, NULL, 0, NULL, f, ap);
51 int respond_oom_internal(struct MHD_Connection *connection) {
52 struct MHD_Response *response;
53 const char m[] = "Out of memory.\n";
58 response = MHD_create_response_from_buffer(sizeof(m)-1, (char*) m, MHD_RESPMEM_PERSISTENT);
62 MHD_add_response_header(response, "Content-Type", "text/plain");
63 ret = MHD_queue_response(connection, MHD_HTTP_SERVICE_UNAVAILABLE, response);
64 MHD_destroy_response(response);
70 int respond_error(struct MHD_Connection *connection,
72 const char *format, ...) {
74 struct MHD_Response *response;
83 r = vasprintf(&m, format, ap);
87 return respond_oom(connection);
89 response = MHD_create_response_from_buffer(strlen(m), m, MHD_RESPMEM_MUST_FREE);
92 return respond_oom(connection);
95 log_debug("queing response %u: %s", code, m);
96 MHD_add_response_header(response, "Content-Type", "text/plain");
97 r = MHD_queue_response(connection, code, response);
98 MHD_destroy_response(response);
105 static int log_level_map[] = {
107 LOG_WARNING, /* gnutls session audit */
108 LOG_DEBUG, /* gnutls debug log */
109 LOG_WARNING, /* gnutls assert log */
110 LOG_INFO, /* gnutls handshake log */
111 LOG_DEBUG, /* gnutls record log */
112 LOG_DEBUG, /* gnutls dtls log */
116 LOG_DEBUG, /* gnutls hard log */
117 LOG_DEBUG, /* gnutls read log */
118 LOG_DEBUG, /* gnutls write log */
119 LOG_DEBUG, /* gnutls io log */
120 LOG_DEBUG, /* gnutls buffers log */
123 void log_func_gnutls(int level, const char *message) {
128 if (0 <= level && level < (int) ELEMENTSOF(log_level_map))
129 ourlevel = log_level_map[level];
133 log_meta(ourlevel, NULL, 0, NULL, "gnutls: %s", message);
136 static int verify_cert_authorized(gnutls_session_t session) {
138 gnutls_certificate_type_t type;
142 r = gnutls_certificate_verify_peers2(session, &status);
144 log_error("gnutls_certificate_verify_peers2 failed: %s", strerror(-r));
148 type = gnutls_certificate_type_get(session);
149 r = gnutls_certificate_verification_status_print(status, type, &out, 0);
151 log_error("gnutls_certificate_verification_status_print failed: %s", strerror(-r));
155 log_info("Certificate status: %s", out.data);
157 return status == 0 ? 0 : -EPERM;
160 static int get_client_cert(gnutls_session_t session, gnutls_x509_crt_t *client_cert) {
161 const gnutls_datum_t *pcert;
163 gnutls_x509_crt_t cert;
169 pcert = gnutls_certificate_get_peers(session, &listsize);
170 if (!pcert || !listsize) {
171 log_error("Failed to retrieve certificate chain");
175 r = gnutls_x509_crt_init(&cert);
177 log_error("Failed to initialize client certificate");
181 /* Note that by passing values between 0 and listsize here, you
182 can get access to the CA's certs */
183 r = gnutls_x509_crt_import(cert, &pcert[0], GNUTLS_X509_FMT_DER);
185 log_error("Failed to import client certificate");
186 gnutls_x509_crt_deinit(cert);
194 static int get_auth_dn(gnutls_x509_crt_t client_cert, char **buf) {
199 assert(*buf == NULL);
201 r = gnutls_x509_crt_get_dn(client_cert, NULL, &len);
202 if (r != GNUTLS_E_SHORT_MEMORY_BUFFER) {
203 log_error("gnutls_x509_crt_get_dn failed");
211 gnutls_x509_crt_get_dn(client_cert, *buf, &len);
215 int check_permissions(struct MHD_Connection *connection, int *code) {
216 const union MHD_ConnectionInfo *ci;
217 gnutls_session_t session;
218 gnutls_x509_crt_t client_cert;
219 char _cleanup_free_ *buf = NULL;
227 ci = MHD_get_connection_info(connection,
228 MHD_CONNECTION_INFO_GNUTLS_SESSION);
230 log_error("MHD_get_connection_info failed");
233 session = ci->tls_session;
236 r = get_client_cert(session, &client_cert);
238 *code = respond_error(connection, MHD_HTTP_UNAUTHORIZED,
239 "Authorization through certificate is required");
243 r = get_auth_dn(client_cert, &buf);
245 *code = respond_error(connection, MHD_HTTP_UNAUTHORIZED,
246 "Failed to determine distinguished name from certificate");
250 log_info("Connection from %s", buf);
252 r = verify_cert_authorized(session);
254 log_error("Client is not authorized");
255 *code = respond_error(connection, MHD_HTTP_UNAUTHORIZED,
256 "Client certificate not signed by recognized authority");
262 int check_permissions(struct MHD_Connection *connection, int *code) {