1/* $NetBSD: tls.h,v 1.3 2018/02/08 17:45:29 christos Exp $ */ 2 3/*- 4 * Copyright (c) 2008 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Martin Sch�tte. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. All advertising materials mentioning features or use of this software 19 * must display the following acknowledgement: 20 * This product includes software developed by the NetBSD 21 * Foundation, Inc. and its contributors. 22 * 4. Neither the name of The NetBSD Foundation nor the names of its 23 * contributors may be used to endorse or promote products derived 24 * from this software without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 27 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 28 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 29 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 30 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 31 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 32 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 33 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 34 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 35 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 36 * POSSIBILITY OF SUCH DAMAGE. 37 */ 38/* 39 * tls.h 40 * 41 */ 42#ifndef _TLS_H 43#define _TLS_H 44#include <openssl/x509v3.h> 45#include <openssl/err.h> 46#include <openssl/rand.h> 47#include <openssl/pem.h> 48#include <openssl/dh.h> 49 50/* initial size for TLS inbuf, minimum prefix + linelength 51 * guaranteed to be accepted */ 52#define TLS_MIN_LINELENGTH (2048 + 5) 53/* usually the inbuf is enlarged as needed and then kept. 54 * if bigger than TLS_PERSIST_LINELENGTH, then shrink 55 * to TLS_LARGE_LINELENGTH immediately */ 56#define TLS_LARGE_LINELENGTH 8192 57#define TLS_PERSIST_LINELENGTH 32768 58 59/* timeout to call non-blocking TLS operations again */ 60#define TLS_RETRY_EVENT_USEC 20000 61 62/* reconnect to lost server after n sec (initial value) */ 63#define TLS_RECONNECT_SEC 10 64/* backoff connection attempts */ 65#define TLS_RECONNECT_BACKOFF_FACTOR 15/10 66#define TLS_RECONNECT_BACKOFF(x) (x) = (x) * TLS_RECONNECT_BACKOFF_FACTOR 67/* abandon connection attempts after n sec 68 * This has to be <= 5h (with 10sec initial interval), 69 * otherwise a daily SIGHUP from newsylog will reset 70 * all timers and the giveup time will never be reached 71 * 72 * set here: 2h, reached after ca. 7h of reconnecting 73 */ 74#define TLS_RECONNECT_GIVEUP 60*60*2 75 76/* default algorithm for certificate fingerprints */ 77#define DEFAULT_FINGERPRINT_ALG "sha-1" 78 79/* default X.509 files */ 80#define DEFAULT_X509_CERTFILE "/etc/openssl/default.crt" 81#define DEFAULT_X509_KEYFILE "/etc/openssl/default.key" 82 83/* options for peer certificate verification */ 84#define X509VERIFY_ALWAYS 0 85#define X509VERIFY_IFPRESENT 1 86#define X509VERIFY_NONE 2 87 88/* attributes for self-generated keys/certificates */ 89#define TLS_GENCERT_BITS 1024 90#define TLS_GENCERT_SERIAL 1 91#define TLS_GENCERT_DAYS 5*365 92 93/* TLS connection states */ 94#define ST_NONE 0 95#define ST_TLS_EST 1 96#define ST_TCP_EST 2 97#define ST_CONNECTING 3 98#define ST_ACCEPTING 4 99#define ST_READING 5 100#define ST_WRITING 6 101#define ST_EOF 7 102#define ST_CLOSING0 8 103#define ST_CLOSING1 9 104#define ST_CLOSING2 10 105 106/* backlog for listen */ 107#define TLSBACKLOG 4 108/* close TLS connection after multiple 'soft' errors */ 109#define TLS_MAXERRORCOUNT 4 110 111/* 112 * holds TLS related settings for one connection to be 113 * included in the SSL object and available in callbacks 114 * 115 * Many fields have a slightly different semantic for 116 * incoming and outgoing connections: 117 * - for outgoing connections it contains the values from syslog.conf and 118 * the server's cert is checked against these values by check_peer_cert() 119 * - for incoming connections it is not used for checking, instead 120 * dispatch_tls_accept() fills in the connected hostname/port and 121 * check_peer_cert() fills in subject and fingerprint from the peer cert 122 */ 123struct tls_conn_settings { 124 unsigned send_queue:1, /* currently sending buffer */ 125 errorcount:4, /* counter [0;TLS_MAXERRORCOUNT] */ 126 accepted:1, /* workaround cf. check_peer_cert*/ 127 shutdown:1, /* fast connection close on exit */ 128 x509verify:2, /* kind of validation needed */ 129 incoming:1, /* set if we are server */ 130 state:4; /* outgoing connection state */ 131 struct event *event; /* event for read/write activity */ 132 struct event *retryevent; /* event for retries */ 133 SSL *sslptr; /* active SSL object */ 134 char *hostname; /* hostname or IP we connect to */ 135 char *port; /* service name or port number */ 136 char *subject; /* configured hostname in cert */ 137 char *fingerprint; /* fingerprint of peer cert */ 138 char *certfile; /* filename of peer cert */ 139 unsigned reconnect; /* seconds between reconnects */ 140}; 141 142/* argument struct only used for tls_send() */ 143struct tls_send_msg { 144 struct filed *f; 145 struct buf_queue *qentry; 146 char *line; /* formatted message */ 147 size_t linelen; 148 size_t offset; /* in case of partial writes */ 149}; 150 151/* return values for TLS_examine_error() */ 152#define TLS_OK 0 /* no real problem, just ignore */ 153#define TLS_RETRY_READ 1 /* just retry, non-blocking operation not finished yet */ 154#define TLS_RETRY_WRITE 2 /* just retry, non-blocking operation not finished yet */ 155#define TLS_TEMP_ERROR 4 /* recoverable error condition, but try again */ 156#define TLS_PERM_ERROR 8 /* non-recoverable error condition, closed TLS and socket */ 157 158/* global TLS setup and utility */ 159char *init_global_TLS_CTX(void); 160struct socketEvent *socksetup_tls(const int, const char *, const char *); 161int check_peer_cert(int, X509_STORE_CTX *); 162int accept_cert(const char* , struct tls_conn_settings *, char *, char *); 163int deny_cert(struct tls_conn_settings *, char *, char *); 164bool read_certfile(X509 **, const char *); 165bool write_x509files(EVP_PKEY *, X509 *, const char *, const char *); 166bool mk_x509_cert(X509 **, EVP_PKEY **, int, int, int); 167bool x509_cert_add_subjectAltName(X509 *, X509V3_CTX *); 168int tls_examine_error(const char *, const SSL *, struct tls_conn_settings *, const int); 169 170bool get_fingerprint(const X509 *, char **, const char *); 171bool get_commonname(X509 *, char **); 172bool match_hostnames(X509 *, const char *, const char *); 173bool match_fingerprint(const X509 *, const char *); 174bool match_certfile(const X509 *, const char *); 175 176/* configuration & parsing */ 177bool parse_tls_destination(const char *, struct filed *, size_t); 178/* event callbacks */ 179void dispatch_socket_accept(int, short, void *); 180void dispatch_tls_accept(int, short, void *); 181void dispatch_tls_read(int, short, void *); 182void dispatch_tls_send(int, short, void *); 183void dispatch_tls_eof(int, short, void *); 184void dispatch_SSL_connect(int, short, void *); 185void dispatch_SSL_shutdown(int, short, void *); 186void dispatch_force_tls_reconnect(int, short, void *); 187 188bool tls_connect(struct tls_conn_settings *); 189void tls_reconnect(int, short, void *); 190bool tls_send(struct filed *, char *, size_t, struct buf_queue*); 191void tls_split_messages(struct TLS_Incoming_Conn *); 192 193void free_tls_conn(struct tls_conn_settings *); 194void free_tls_sslptr(struct tls_conn_settings *); 195void free_tls_send_msg(struct tls_send_msg *); 196 197#endif /* !_TLS_H */ 198