usr.sbin/syslogd/tls.h

   1 /*      $NetBSD: tls.h,v 1.1 2008/10/31 16:12:19 christos Exp $ */
   2
   3 /*-
   4  * Copyright (c) 2008 The NetBSD Foundation, Inc.
   5  * All rights reserved.
   6  *
   7  * This code is derived from software contributed to The NetBSD Foundation
   8  * by Martin Schütte.
   9  *
  10  * Redistribution and use in source and binary forms, with or without
  11  * modification, are permitted provided that the following conditions
  12  * are met:
  13  * 1. Redistributions of source code must retain the above copyright
  14  *    notice, this list of conditions and the following disclaimer.
  15  * 2. Redistributions in binary form must reproduce the above copyright
  16  *    notice, this list of conditions and the following disclaimer in the
  17  *    documentation and/or other materials provided with the distribution.
  18  * 3. All advertising materials mentioning features or use of this software
  19  *    must display the following acknowledgement:
  20  *        This product includes software developed by the NetBSD
  21  *        Foundation, Inc. and its contributors.
  22  * 4. Neither the name of The NetBSD Foundation nor the names of its
  23  *    contributors may be used to endorse or promote products derived
  24  *    from this software without specific prior written permission.
  25  *
  26  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
  27  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
  28  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  29  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
  30  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
  31  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
  32  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
  33  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
  34  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  35  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  36  * POSSIBILITY OF SUCH DAMAGE.
  37  */
  38 /*
  39  * tls.h
  40  *
  41  */
  42 #ifndef _TLS_H
  43 #define _TLS_H
  44 #include <openssl/x509v3.h>
  45 #include <openssl/err.h>
  46 #include <openssl/rand.h>
  47 #include <openssl/pem.h>
  48
  49 /* initial size for TLS inbuf, minimum prefix + linelength
  50  * guaranteed to be accepted */
  51 #define TLS_MIN_LINELENGTH         (2048 + 5)
  52 /* usually the inbuf is enlarged as needed and then kept.
  53  * if bigger than TLS_PERSIST_LINELENGTH, then shrink
  54  * to TLS_LARGE_LINELENGTH immediately  */
  55 #define TLS_LARGE_LINELENGTH      8192
  56 #define TLS_PERSIST_LINELENGTH   32768
  57
  58 /* timeout to call non-blocking TLS operations again */
  59 #define TLS_RETRY_EVENT_USEC 20000
  60
  61 /* reconnect to lost server after n sec (initial value) */
  62 #define TLS_RECONNECT_SEC 10
  63 /* backoff connection attempts */
  64 #define TLS_RECONNECT_BACKOFF_FACTOR 15/10
  65 #define TLS_RECONNECT_BACKOFF(x)     (x) = (x) * TLS_RECONNECT_BACKOFF_FACTOR
  66 /* abandon connection attempts after n sec
  67  * This has to be <= 5h (with 10sec initial interval),
  68  * otherwise a daily SIGHUP from newsylog will reset
  69  * all timers and the giveup time will never be reached
  70  *
  71  * set here: 2h, reached after ca. 7h of reconnecting
  72  */
  73 #define TLS_RECONNECT_GIVEUP         60*60*2
  74
  75 /* default algorithm for certificate fingerprints */
  76 #define DEFAULT_FINGERPRINT_ALG "sha-1"
  77
  78 /* default X.509 files */
  79 #define DEFAULT_X509_CERTFILE "/etc/openssl/default.crt"
  80 #define DEFAULT_X509_KEYFILE "/etc/openssl/default.key"
  81
  82 /* options for peer certificate verification */
  83 #define X509VERIFY_ALWAYS       0
  84 #define X509VERIFY_IFPRESENT    1
  85 #define X509VERIFY_NONE         2
  86
  87 /* attributes for self-generated keys/certificates */
  88 #define TLS_GENCERT_BITS     1024
  89 #define TLS_GENCERT_SERIAL      1
  90 #define TLS_GENCERT_DAYS    5*365
  91
  92 /* TLS connection states */
  93 #define ST_NONE       0
  94 #define ST_TLS_EST    1
  95 #define ST_TCP_EST    2
  96 #define ST_CONNECTING 3
  97 #define ST_ACCEPTING  4
  98 #define ST_READING    5
  99 #define ST_WRITING    6
 100 #define ST_EOF        7
 101 #define ST_CLOSING0   8
 102 #define ST_CLOSING1   9
 103 #define ST_CLOSING2  10
 104
 105 /* backlog for listen */
 106 #define TLSBACKLOG 4
 107 /* close TLS connection after multiple 'soft' errors */
 108 #define TLS_MAXERRORCOUNT 4
 109
 110 /*
 111  * holds TLS related settings for one connection to be
 112  * included in the SSL object and available in callbacks
 113  *
 114  * Many fields have a slightly different semantic for
 115  * incoming and outgoing connections:
 116  * - for outgoing connections it contains the values from syslog.conf and
 117  *   the server's cert is checked against these values by check_peer_cert()
 118  * - for incoming connections it is not used for checking, instead
 119  *   dispatch_tls_accept() fills in the connected hostname/port and
 120  *   check_peer_cert() fills in subject and fingerprint from the peer cert
 121  */
 122 struct tls_conn_settings {
 123         unsigned      send_queue:1, /* currently sending buffer      */
 124                       errorcount:4, /* counter [0;TLS_MAXERRORCOUNT] */
 125                       accepted:1,   /* workaround cf. check_peer_cert*/
 126                       shutdown:1,   /* fast connection close on exit */
 127                       x509verify:2, /* kind of validation needed     */
 128                       incoming:1,   /* set if we are server          */
 129                       state:4;      /* outgoing connection state     */
 130         struct event *event;        /* event for read/write activity */
 131         struct event *retryevent;   /* event for retries             */
 132         SSL          *sslptr;       /* active SSL object             */
 133         char         *hostname;     /* hostname or IP we connect to  */
 134         char         *port;         /* service name or port number   */
 135         char         *subject;      /* configured hostname in cert   */
 136         char         *fingerprint;  /* fingerprint of peer cert      */
 137         char         *certfile;     /* filename of peer cert         */
 138         unsigned      reconnect;    /* seconds between reconnects    */
 139 };
 140
 141 /* argument struct only used for tls_send() */
 142 struct tls_send_msg {
 143         struct filed     *f;
 144         struct buf_queue *qentry;
 145         char             *line;      /* formatted message */
 146         size_t            linelen;
 147         size_t            offset;    /* in case of partial writes */
 148 };
 149
 150 /* return values for TLS_examine_error() */
 151 #define TLS_OK          0        /* no real problem, just ignore */
 152 #define TLS_RETRY_READ  1        /* just retry, non-blocking operation not finished yet */
 153 #define TLS_RETRY_WRITE 2        /* just retry, non-blocking operation not finished yet */
 154 #define TLS_TEMP_ERROR  4        /* recoverable error condition, but try again */
 155 #define TLS_PERM_ERROR  8        /* non-recoverable error condition, closed TLS and socket */
 156
 157 /* global TLS setup and utility */
 158 char *init_global_TLS_CTX(void);
 159 struct socketEvent *socksetup_tls(const int, const char *, const char *);
 160 int check_peer_cert(int, X509_STORE_CTX *);
 161 int accept_cert(const char* , struct tls_conn_settings *, char *, char *);
 162 int deny_cert(struct tls_conn_settings *, char *, char *);
 163 bool read_certfile(X509 **, const char *);
 164 bool write_x509files(EVP_PKEY *, X509 *, const char *, const char *);
 165 bool mk_x509_cert(X509 **, EVP_PKEY **, int, int, int);
 166 bool x509_cert_add_subjectAltName(X509 *, X509V3_CTX *);
 167 int tls_examine_error(const char *, const SSL *, struct tls_conn_settings *, const int);
 168
 169 bool get_fingerprint(const X509 *, char **, const char *);
 170 bool get_commonname(X509 *, char **);
 171 bool match_hostnames(X509 *, const char *, const char *);
 172 bool match_fingerprint(const X509 *, const char *);
 173 bool match_certfile(const X509 *, const char *);
 174
 175 /* configuration & parsing */
 176 bool parse_tls_destination(const char *, struct filed *, size_t);
 177 /* event callbacks */
 178 void dispatch_socket_accept(int, short, void *);
 179 void dispatch_tls_accept(int, short, void *);
 180 void dispatch_tls_read(int, short, void *);
 181 void dispatch_tls_send(int, short, void *);
 182 void dispatch_tls_eof(int, short, void *);
 183 void dispatch_SSL_connect(int, short, void *);
 184 void dispatch_SSL_shutdown(int, short, void *);
 185 void dispatch_force_tls_reconnect(int, short, void *);
 186
 187 bool tls_connect(struct tls_conn_settings *);
 188 void tls_reconnect(int, short, void *);
 189 bool tls_send(struct filed *, char *, size_t, struct buf_queue*);
 190 void tls_split_messages(struct TLS_Incoming_Conn *);
 191
 192 void free_tls_conn(struct tls_conn_settings *);
 193 void free_tls_sslptr(struct tls_conn_settings *);
 194 void free_tls_send_msg(struct tls_send_msg *);
 195
 196 #endif /* !_TLS_H */