No empty .Rs/.Re
[netbsd-mini2440.git] / usr.sbin / syslogd / tls.h
blob02f122b792426bdda68d0629b23a96fd9dc9df32
1 /* $NetBSD: tls.h,v 1.1 2008/10/31 16:12:19 christos Exp $ */
3 /*-
4 * Copyright (c) 2008 The NetBSD Foundation, Inc.
5 * All rights reserved.
7 * This code is derived from software contributed to The NetBSD Foundation
8 * by Martin Schütte.
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 * 3. All advertising materials mentioning features or use of this software
19 * must display the following acknowledgement:
20 * This product includes software developed by the NetBSD
21 * Foundation, Inc. and its contributors.
22 * 4. Neither the name of The NetBSD Foundation nor the names of its
23 * contributors may be used to endorse or promote products derived
24 * from this software without specific prior written permission.
26 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
27 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
28 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
29 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
30 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
31 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
32 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
33 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
34 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
35 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
36 * POSSIBILITY OF SUCH DAMAGE.
39 * tls.h
42 #ifndef _TLS_H
43 #define _TLS_H
44 #include <openssl/x509v3.h>
45 #include <openssl/err.h>
46 #include <openssl/rand.h>
47 #include <openssl/pem.h>
49 /* initial size for TLS inbuf, minimum prefix + linelength
50 * guaranteed to be accepted */
51 #define TLS_MIN_LINELENGTH (2048 + 5)
52 /* usually the inbuf is enlarged as needed and then kept.
53 * if bigger than TLS_PERSIST_LINELENGTH, then shrink
54 * to TLS_LARGE_LINELENGTH immediately */
55 #define TLS_LARGE_LINELENGTH 8192
56 #define TLS_PERSIST_LINELENGTH 32768
58 /* timeout to call non-blocking TLS operations again */
59 #define TLS_RETRY_EVENT_USEC 20000
61 /* reconnect to lost server after n sec (initial value) */
62 #define TLS_RECONNECT_SEC 10
63 /* backoff connection attempts */
64 #define TLS_RECONNECT_BACKOFF_FACTOR 15/10
65 #define TLS_RECONNECT_BACKOFF(x) (x) = (x) * TLS_RECONNECT_BACKOFF_FACTOR
66 /* abandon connection attempts after n sec
67 * This has to be <= 5h (with 10sec initial interval),
68 * otherwise a daily SIGHUP from newsylog will reset
69 * all timers and the giveup time will never be reached
71 * set here: 2h, reached after ca. 7h of reconnecting
73 #define TLS_RECONNECT_GIVEUP 60*60*2
75 /* default algorithm for certificate fingerprints */
76 #define DEFAULT_FINGERPRINT_ALG "sha-1"
78 /* default X.509 files */
79 #define DEFAULT_X509_CERTFILE "/etc/openssl/default.crt"
80 #define DEFAULT_X509_KEYFILE "/etc/openssl/default.key"
82 /* options for peer certificate verification */
83 #define X509VERIFY_ALWAYS 0
84 #define X509VERIFY_IFPRESENT 1
85 #define X509VERIFY_NONE 2
87 /* attributes for self-generated keys/certificates */
88 #define TLS_GENCERT_BITS 1024
89 #define TLS_GENCERT_SERIAL 1
90 #define TLS_GENCERT_DAYS 5*365
92 /* TLS connection states */
93 #define ST_NONE 0
94 #define ST_TLS_EST 1
95 #define ST_TCP_EST 2
96 #define ST_CONNECTING 3
97 #define ST_ACCEPTING 4
98 #define ST_READING 5
99 #define ST_WRITING 6
100 #define ST_EOF 7
101 #define ST_CLOSING0 8
102 #define ST_CLOSING1 9
103 #define ST_CLOSING2 10
105 /* backlog for listen */
106 #define TLSBACKLOG 4
107 /* close TLS connection after multiple 'soft' errors */
108 #define TLS_MAXERRORCOUNT 4
111 * holds TLS related settings for one connection to be
112 * included in the SSL object and available in callbacks
114 * Many fields have a slightly different semantic for
115 * incoming and outgoing connections:
116 * - for outgoing connections it contains the values from syslog.conf and
117 * the server's cert is checked against these values by check_peer_cert()
118 * - for incoming connections it is not used for checking, instead
119 * dispatch_tls_accept() fills in the connected hostname/port and
120 * check_peer_cert() fills in subject and fingerprint from the peer cert
122 struct tls_conn_settings {
123 unsigned send_queue:1, /* currently sending buffer */
124 errorcount:4, /* counter [0;TLS_MAXERRORCOUNT] */
125 accepted:1, /* workaround cf. check_peer_cert*/
126 shutdown:1, /* fast connection close on exit */
127 x509verify:2, /* kind of validation needed */
128 incoming:1, /* set if we are server */
129 state:4; /* outgoing connection state */
130 struct event *event; /* event for read/write activity */
131 struct event *retryevent; /* event for retries */
132 SSL *sslptr; /* active SSL object */
133 char *hostname; /* hostname or IP we connect to */
134 char *port; /* service name or port number */
135 char *subject; /* configured hostname in cert */
136 char *fingerprint; /* fingerprint of peer cert */
137 char *certfile; /* filename of peer cert */
138 unsigned reconnect; /* seconds between reconnects */
141 /* argument struct only used for tls_send() */
142 struct tls_send_msg {
143 struct filed *f;
144 struct buf_queue *qentry;
145 char *line; /* formatted message */
146 size_t linelen;
147 size_t offset; /* in case of partial writes */
150 /* return values for TLS_examine_error() */
151 #define TLS_OK 0 /* no real problem, just ignore */
152 #define TLS_RETRY_READ 1 /* just retry, non-blocking operation not finished yet */
153 #define TLS_RETRY_WRITE 2 /* just retry, non-blocking operation not finished yet */
154 #define TLS_TEMP_ERROR 4 /* recoverable error condition, but try again */
155 #define TLS_PERM_ERROR 8 /* non-recoverable error condition, closed TLS and socket */
157 /* global TLS setup and utility */
158 char *init_global_TLS_CTX(void);
159 struct socketEvent *socksetup_tls(const int, const char *, const char *);
160 int check_peer_cert(int, X509_STORE_CTX *);
161 int accept_cert(const char* , struct tls_conn_settings *, char *, char *);
162 int deny_cert(struct tls_conn_settings *, char *, char *);
163 bool read_certfile(X509 **, const char *);
164 bool write_x509files(EVP_PKEY *, X509 *, const char *, const char *);
165 bool mk_x509_cert(X509 **, EVP_PKEY **, int, int, int);
166 bool x509_cert_add_subjectAltName(X509 *, X509V3_CTX *);
167 int tls_examine_error(const char *, const SSL *, struct tls_conn_settings *, const int);
169 bool get_fingerprint(const X509 *, char **, const char *);
170 bool get_commonname(X509 *, char **);
171 bool match_hostnames(X509 *, const char *, const char *);
172 bool match_fingerprint(const X509 *, const char *);
173 bool match_certfile(const X509 *, const char *);
175 /* configuration & parsing */
176 bool parse_tls_destination(const char *, struct filed *, size_t);
177 /* event callbacks */
178 void dispatch_socket_accept(int, short, void *);
179 void dispatch_tls_accept(int, short, void *);
180 void dispatch_tls_read(int, short, void *);
181 void dispatch_tls_send(int, short, void *);
182 void dispatch_tls_eof(int, short, void *);
183 void dispatch_SSL_connect(int, short, void *);
184 void dispatch_SSL_shutdown(int, short, void *);
185 void dispatch_force_tls_reconnect(int, short, void *);
187 bool tls_connect(struct tls_conn_settings *);
188 void tls_reconnect(int, short, void *);
189 bool tls_send(struct filed *, char *, size_t, struct buf_queue*);
190 void tls_split_messages(struct TLS_Incoming_Conn *);
192 void free_tls_conn(struct tls_conn_settings *);
193 void free_tls_sslptr(struct tls_conn_settings *);
194 void free_tls_send_msg(struct tls_send_msg *);
196 #endif /* !_TLS_H */