Home | History | Annotate | Line # | Download | only in syslogd 
      1 /*	$NetBSD: tls.h,v 1.3 2018/02/08 17:45:29 christos Exp $	*/
      2 
      3 /*-
      4  * Copyright (c) 2008 The NetBSD Foundation, Inc.
      5  * All rights reserved.
      6  *
      7  * This code is derived from software contributed to The NetBSD Foundation
      8  * by Martin Schtte.
      9  *
     10  * Redistribution and use in source and binary forms, with or without
     11  * modification, are permitted provided that the following conditions
     12  * are met:
     13  * 1. Redistributions of source code must retain the above copyright
     14  *    notice, this list of conditions and the following disclaimer.
     15  * 2. Redistributions in binary form must reproduce the above copyright
     16  *    notice, this list of conditions and the following disclaimer in the
     17  *    documentation and/or other materials provided with the distribution.
     18  * 3. All advertising materials mentioning features or use of this software
     19  *    must display the following acknowledgement:
     20  *        This product includes software developed by the NetBSD
     21  *        Foundation, Inc. and its contributors.
     22  * 4. Neither the name of The NetBSD Foundation nor the names of its
     23  *    contributors may be used to endorse or promote products derived
     24  *    from this software without specific prior written permission.
     25  *
     26  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
     27  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
     28  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
     29  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
     30  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
     31  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
     32  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
     33  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
     34  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
     35  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     36  * POSSIBILITY OF SUCH DAMAGE.
     37  */
     38 /*
     39  * tls.h
     40  *
     41  */
     42 #ifndef _TLS_H
     43 #define _TLS_H
     44 #include <openssl/x509v3.h>
     45 #include <openssl/err.h>
     46 #include <openssl/rand.h>
     47 #include <openssl/pem.h>
     48 #include <openssl/dh.h>
     49 
     50 /* initial size for TLS inbuf, minimum prefix + linelength
     51  * guaranteed to be accepted */
     52 #define TLS_MIN_LINELENGTH	   (2048 + 5)
     53 /* usually the inbuf is enlarged as needed and then kept.
     54  * if bigger than TLS_PERSIST_LINELENGTH, then shrink
     55  * to TLS_LARGE_LINELENGTH immediately	*/
     56 #define TLS_LARGE_LINELENGTH	  8192
     57 #define TLS_PERSIST_LINELENGTH	 32768
     58 
     59 /* timeout to call non-blocking TLS operations again */
     60 #define TLS_RETRY_EVENT_USEC 20000
     61 
     62 /* reconnect to lost server after n sec (initial value) */
     63 #define TLS_RECONNECT_SEC 10
     64 /* backoff connection attempts */
     65 #define TLS_RECONNECT_BACKOFF_FACTOR 15/10
     66 #define TLS_RECONNECT_BACKOFF(x)     (x) = (x) * TLS_RECONNECT_BACKOFF_FACTOR
     67 /* abandon connection attempts after n sec
     68  * This has to be <= 5h (with 10sec initial interval),
     69  * otherwise a daily SIGHUP from newsylog will reset
     70  * all timers and the giveup time will never be reached
     71  *
     72  * set here: 2h, reached after ca. 7h of reconnecting
     73  */
     74 #define TLS_RECONNECT_GIVEUP	     60*60*2
     75 
     76 /* default algorithm for certificate fingerprints */
     77 #define DEFAULT_FINGERPRINT_ALG "sha-1"
     78 
     79 /* default X.509 files */
     80 #define DEFAULT_X509_CERTFILE "/etc/openssl/default.crt"
     81 #define DEFAULT_X509_KEYFILE "/etc/openssl/default.key"
     82 
     83 /* options for peer certificate verification */
     84 #define X509VERIFY_ALWAYS	0
     85 #define X509VERIFY_IFPRESENT	1
     86 #define X509VERIFY_NONE		2
     87 
     88 /* attributes for self-generated keys/certificates */
     89 #define TLS_GENCERT_BITS     1024
     90 #define TLS_GENCERT_SERIAL	1
     91 #define TLS_GENCERT_DAYS    5*365
     92 
     93 /* TLS connection states */
     94 #define ST_NONE	      0
     95 #define ST_TLS_EST    1
     96 #define ST_TCP_EST    2
     97 #define ST_CONNECTING 3
     98 #define ST_ACCEPTING  4
     99 #define ST_READING    5
    100 #define ST_WRITING    6
    101 #define ST_EOF	      7
    102 #define ST_CLOSING0   8
    103 #define ST_CLOSING1   9
    104 #define ST_CLOSING2  10
    105 
    106 /* backlog for listen */
    107 #define TLSBACKLOG 4
    108 /* close TLS connection after multiple 'soft' errors */
    109 #define TLS_MAXERRORCOUNT 4
    110 
    111 /*
    112  * holds TLS related settings for one connection to be
    113  * included in the SSL object and available in callbacks
    114  *
    115  * Many fields have a slightly different semantic for
    116  * incoming and outgoing connections:
    117  * - for outgoing connections it contains the values from syslog.conf and
    118  *   the server's cert is checked against these values by check_peer_cert()
    119  * - for incoming connections it is not used for checking, instead
    120  *   dispatch_tls_accept() fills in the connected hostname/port and
    121  *   check_peer_cert() fills in subject and fingerprint from the peer cert
    122  */
    123 struct tls_conn_settings {
    124 	unsigned      send_queue:1, /* currently sending buffer	     */
    125 		      errorcount:4, /* counter [0;TLS_MAXERRORCOUNT] */
    126 		      accepted:1,   /* workaround cf. check_peer_cert*/
    127 		      shutdown:1,   /* fast connection close on exit */
    128 		      x509verify:2, /* kind of validation needed     */
    129 		      incoming:1,   /* set if we are server	     */
    130 		      state:4;	    /* outgoing connection state     */
    131 	struct event *event;	    /* event for read/write activity */
    132 	struct event *retryevent;   /* event for retries	     */
    133 	SSL	     *sslptr;	    /* active SSL object	     */
    134 	char	     *hostname;	    /* hostname or IP we connect to  */
    135 	char	     *port;	    /* service name or port number   */
    136 	char	     *subject;	    /* configured hostname in cert   */
    137 	char	     *fingerprint;  /* fingerprint of peer cert	     */
    138 	char	     *certfile;	    /* filename of peer cert	     */
    139 	unsigned      reconnect;    /* seconds between reconnects    */
    140 };
    141 
    142 /* argument struct only used for tls_send() */
    143 struct tls_send_msg {
    144 	struct filed	 *f;
    145 	struct buf_queue *qentry;
    146 	char		 *line;	     /* formatted message */
    147 	size_t		  linelen;
    148 	size_t	  	  offset;    /* in case of partial writes */
    149 };
    150 
    151 /* return values for TLS_examine_error() */
    152 #define TLS_OK		0	 /* no real problem, just ignore */
    153 #define TLS_RETRY_READ	1	 /* just retry, non-blocking operation not finished yet */
    154 #define TLS_RETRY_WRITE 2	 /* just retry, non-blocking operation not finished yet */
    155 #define TLS_TEMP_ERROR	4	 /* recoverable error condition, but try again */
    156 #define TLS_PERM_ERROR	8	 /* non-recoverable error condition, closed TLS and socket */
    157 
    158 /* global TLS setup and utility */
    159 char *init_global_TLS_CTX(void);
    160 struct socketEvent *socksetup_tls(const int, const char *, const char *);
    161 int check_peer_cert(int, X509_STORE_CTX *);
    162 int accept_cert(const char* , struct tls_conn_settings *, char *, char *);
    163 int deny_cert(struct tls_conn_settings *, char *, char *);
    164 bool read_certfile(X509 **, const char *);
    165 bool write_x509files(EVP_PKEY *, X509 *, const char *, const char *);
    166 bool mk_x509_cert(X509 **, EVP_PKEY **, int, int, int);
    167 bool x509_cert_add_subjectAltName(X509 *, X509V3_CTX *);
    168 int tls_examine_error(const char *, const SSL *, struct tls_conn_settings *, const int);
    169 
    170 bool get_fingerprint(const X509 *, char **, const char *);
    171 bool get_commonname(X509 *, char **);
    172 bool match_hostnames(X509 *, const char *, const char *);
    173 bool match_fingerprint(const X509 *, const char *);
    174 bool match_certfile(const X509 *, const char *);
    175 
    176 /* configuration & parsing */
    177 bool parse_tls_destination(const char *, struct filed *, size_t);
    178 /* event callbacks */
    179 void dispatch_socket_accept(int, short, void *);
    180 void dispatch_tls_accept(int, short, void *);
    181 void dispatch_tls_read(int, short, void *);
    182 void dispatch_tls_send(int, short, void *);
    183 void dispatch_tls_eof(int, short, void *);
    184 void dispatch_SSL_connect(int, short, void *);
    185 void dispatch_SSL_shutdown(int, short, void *);
    186 void dispatch_force_tls_reconnect(int, short, void *);
    187 
    188 bool tls_connect(struct tls_conn_settings *);
    189 void tls_reconnect(int, short, void *);
    190 bool tls_send(struct filed *, char *, size_t, struct buf_queue*);
    191 void tls_split_messages(struct TLS_Incoming_Conn *);
    192 
    193 void free_tls_conn(struct tls_conn_settings *);
    194 void free_tls_sslptr(struct tls_conn_settings *);
    195 void free_tls_send_msg(struct tls_send_msg *);
    196 
    197 #endif /* !_TLS_H */
    198