forked from aniani/gmnisrv
Commit Graph

87 Commits

Author SHA1 Message Date
William Casarin
1925bc3e7a serve: make hostname matching case-insensitive
Reported-by: James Tomasino <james@tomasino.org>
Signed-off-by: William Casarin <jb55@jb55.com>
2021-11-15 21:07:23 +01:00
mbays
5783501752 set session id context
This is necessary now client certificates are supported.
Without it, an attempt to resume a session fails with
"ssl_get_prev_session:session id context uninitialized".
2021-08-27 09:48:07 +02:00
Karmanyaah Malhotra
32854b79c7 Check index before serving autoindex
if a directory is being served.
2021-06-21 08:42:29 -04:00
dece
9f2481dcdf Support REMOTE_USER in CGI 2021-06-17 09:52:50 -04:00
dece
d7bd3c6a0d Support TLS_CLIENT_SERIAL_NUMBER in CGI 2021-06-17 09:52:50 -04:00
dece
0bf3cde2a0 Use strncpy to build TLS_CLIENT_HASH
strncat on an uninitialized array leads to issues.
2021-06-17 09:52:49 -04:00
Eyal Sawady
b9a92193e9 disconnect_client: fix index calculation
This was sometimes causing a gmnisrv_client to be overwritten by the
deinitialized client, which occasionally led to a segfault when we
later tried to use it.
2021-05-16 15:54:16 -04:00
Thomas Karpiniec
53e4ce4abd Create certificates which last 68 years (INT32_MAX seconds)
This avoids integer overflow on 32-bit architectures.
2021-05-16 14:10:57 -04:00
Drew DeVault
0dc0e4432a Revert "Routing: Fix non-ascii paths"
This causes a security issue (path traversal)

This reverts commit ea360fa4c1.
2021-05-04 09:43:23 -04:00
bacardi55
8b65e303b0 Fix integer overflow error in tls.c 2021-03-24 08:02:48 -04:00
Drew DeVault
f23ec10a6d Move certificate expiration into the far future 2021-03-04 11:04:46 -05:00
nytpu
ae7ca3db39 Send client certificate hash for CGI scripts.
Set SSL_VERIFY_PEER to request a client certificate from the server,
when available.  Have to shim the certificate verification function or
else it will fail on self-signed client certs.

In serve_cgi retrieve client certificate, create a fingerprint, and set
proper environment variables.  It's pretty barebones, it doesn't parse
the certificate to give any other useful info like the common name, but
it's acceptable IMO.  For most CGI uses the fingerprint is the only
thing that is needed anyways.
2021-02-11 09:19:16 -05:00
Nolan Prescott
6d9dd838e4 ignore SIGCHLD to prevent CGI zombies
with nothing waiting on the forked processes there is no reason not to
reap the CGI process on exit

intended to address issue from mailing list "gmnisrv uses too many
tasks" <163806E8-A16A-463E-8C62-43E903EF1E35@librem.one>
2021-02-07 08:07:05 -05:00
Matt Keeter
d1ccb60a52 Use v3 X509 certificate
This fixes an issue where rustls failed to validate the X509v1 certificate.

Tested with Amfora, av-98, and titan (https://github.com/mkeeter/titan)

This requires fresh certificates, which could break clients with strict
trust-on-first-use policies; unfortunately, it doesn't appear to be possible
to migrate v1 certificates to v3.
2021-02-05 10:39:21 -05:00
René Wagner
32913c35cd implement handling of ROUTE_EXACT definitions
This patchset implements the handling of exact routes
as described in gmnisrvini(5).
2021-01-29 08:55:43 -05:00
Zach DeCook
ea360fa4c1 Routing: Fix non-ascii paths 2021-01-22 08:15:03 -05:00
Zach DeCook
fbef1d34a1 autoindex: fix off-by-one buffer size 2020-12-27 08:13:09 -05:00
Zach DeCook
eac874b925 autoindex: end directories with trailing slash 2020-12-24 09:05:28 -05:00
Nolan Prescott
61bf4c53aa Fix IP address logging
Cast generic sockaddr to the appropriate sockaddr_ AF and switch
inet_ntop argument accordingly.

Intended to fix issue reported on ~sircmpwn/gmni-discuss: "Logged IPv4
addresses are wrong"
2020-12-19 09:29:39 -05:00
Mark Dain
cb2c84b0ad Switch to using ECDSA (secp384r1) keys 2020-11-21 09:12:16 -05:00
William Casarin
10662cac46 serve: handle return value from chdir
Fixes a compile error on gcc 9.3.0:

src/serve.c: In function 'serve_cgi':
src/serve.c:150:3: error: ignoring return value of 'chdir', declared
with attribute warn_unused_result [-Werror=unused-result]
  150 |   chdir(dirname(cwd));
      |   ^~~~~~~~~~~~~~~~~~~

Signed-off-by: William Casarin <jb55@jb55.com>
2020-11-20 11:17:43 -05:00
Eyal Sawady
cb042d6263 CGI: Don't hang on directory with no index 2020-11-15 11:33:16 -05:00
Eyal Sawady
0646fd020c CGI: Fix paths which end in '/' 2020-11-15 10:55:48 -05:00
Kenny Levinsen
9fd9eef9d7 Fix use of wrong index during pollfd refresh
The right side of the refresh ended up using the index of the deleted
client instead of the index from the loop, which happens to work when
the destroyed client is either last or second-last.
2020-11-10 08:06:37 -05:00
Kenny Levinsen
fdd27bb4c1 Update pollfd pointers when destroying a client
The client pollfd pointer would go stale when the server pollfd array
was moved to compensate for a destroyed client, which in turn led to
poll breakage.

Refresh the pollfd pointers after memmove.
2020-11-08 21:34:34 -05:00
Drew DeVault
74077b6f95 Prevent double free of client resources 2020-11-08 16:37:53 -05:00
Drew DeVault
ea2914efff Set CWD to cgi-bin when executing scripts 2020-11-08 12:16:59 -05:00
Drew DeVault
57f4fcdc41 Fix double free 2020-11-08 12:12:43 -05:00
René Wagner
02a386b568 check if file served as cgi is executable
if not, send a response 50 to the client
fixes ~sircmpwn/gmni#47
2020-11-08 10:59:35 -05:00
dbandstra
c145ac6a65 fix typo in GATEWAY_INTERFACE value 2020-11-08 09:38:52 -05:00
mbays
4b2c3afdb0 Set POLLOUT only when there's something to write 2020-11-08 09:38:17 -05:00
William Casarin
ea40fb5a53 tls: fix crash when opening priv key for writing
The open syscall will return a negative value if the call fails. Switch
the check to look for this instead of 0.

before:

[gmnisrv] generating certificate for localhost
gmnisrv: src/tls.c:68: tls_host_gencert: Assertion `pf' failed.
abort (core dumped)  ./gmnisrv -C config.ini

after:

[gmnisrv] generating certificate for localhost
[gmnisrv] opening private key for writing failed: No such file or directory
[gmnisrv] TLS initialization failed

Signed-off-by: William Casarin <jb55@jb55.com>
2020-11-08 09:38:04 -05:00
Tom Lebreux
7aedbed774 Don't memmove one past clients 2020-11-08 09:37:59 -05:00
Tom Lebreux
d20caf389b Fix not moving all fds 2020-11-08 09:37:55 -05:00
Tom Lebreux
4f12abfbc2 Fix memory leaks 2020-11-08 09:37:55 -05:00
William Casarin
d484ba0ab0 config/routing: fix maybe-uninitialized errors
Trivial fix to silence compilation errors on gcc 9.3.0:

  src/config.c: In function ‘conf_ini_handler’:
  src/config.c:154:23: error: ‘routing’ may be used uninitialized in this
  function [-Werror=maybe-uninitialized]
    154 |  enum gmnisrv_routing routing;
        |                       ^~~~~~~

  src/config.c:197:18: error: ‘spec’ may be used uninitialized in this
  function [-Werror=maybe-uninitialized]
    197 |    route->path = strdup(spec);
        |                  ^~~~~~~~~~~~

Signed-off-by: William Casarin <jb55@jb55.com>
2020-11-02 12:29:19 -05:00
Drew DeVault
dc6e4e80c0 Implement URL rewrites with regex capture groups 2020-11-01 11:19:51 -05:00
Drew DeVault
16e55c6262 Change meaning of root (backwards incompatible!)
This takes the nginx approach to the "root" directive, which is simpler
to implement and more consistent with more complex routing behaviors
like regexp.

The path component of the URL is now simply appended to the root to form
the path to the file which should be served to the client.
2020-11-01 10:32:44 -05:00
Drew DeVault
0ba984b841 regexp.c: ditch unused test code 2020-11-01 09:51:14 -05:00
Drew DeVault
f15bea6583 Implement regex route matching 2020-11-01 09:43:46 -05:00
Drew DeVault
7e8a953794 Initial pass on regex routing support
All this does is parse the regexes out of the config file.

I've vendored libregexp from Bellard's quickjs project, because it's
reasonably small and self-contained, and POSIX regexes don't support
captures. We're eventually going to want captures for URL rewrites, so
this'll do for now.
2020-10-29 22:47:56 -04:00
Drew DeVault
a26573251b Fail gracefully if mime database is not present 2020-10-28 12:49:47 -04:00
Drew DeVault
077b96d3cc config: free more routing information on finish 2020-10-28 12:43:05 -04:00
Drew DeVault
becc4460b6 Implement MIME database support 2020-10-28 12:38:32 -04:00
Drew DeVault
ac6145ed6a server: handle write errors 2020-10-28 12:36:05 -04:00
Drew DeVault
da6f7e9f05 CGI: Fix SCRIPT_NAME variable 2020-10-26 18:16:05 -04:00
Drew DeVault
5d725ff4ee CGI: set PATH_INFO 2020-10-25 23:55:42 -04:00
Drew DeVault
cc1bd152e3 Initial support for CGI scripts 2020-10-25 23:16:50 -04:00
Drew DeVault
8baeb5a51c Initial implementation of a routing table 2020-10-25 21:46:01 -04:00
Drew DeVault
1fe107875b Overhaul network I/O to be async for real
Had to totally cut off OpenSSL from the network fd because obviously
OpenSSL is just going to wreck our shit
2020-10-25 14:50:07 -04:00