1 /* $NetBSD: tls.h,v 1.2 2008/11/07 07:36:38 minskim Exp $ */ 2 3 /*- 4 * Copyright (c) 2008 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Martin Sch�tte. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. All advertising materials mentioning features or use of this software 19 * must display the following acknowledgement: 20 * This product includes software developed by the NetBSD 21 * Foundation, Inc. and its contributors. 22 * 4. Neither the name of The NetBSD Foundation nor the names of its 23 * contributors may be used to endorse or promote products derived 24 * from this software without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 27 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 28 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 29 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 30 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 31 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 32 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 33 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 34 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 35 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 36 * POSSIBILITY OF SUCH DAMAGE. 37 */ 38 /* 39 * tls.h 40 * 41 */ 42 #ifndef _TLS_H 43 #define _TLS_H 44 #include <openssl/x509v3.h> 45 #include <openssl/err.h> 46 #include <openssl/rand.h> 47 #include <openssl/pem.h> 48 49 /* initial size for TLS inbuf, minimum prefix + linelength 50 * guaranteed to be accepted */ 51 #define TLS_MIN_LINELENGTH (2048 + 5) 52 /* usually the inbuf is enlarged as needed and then kept. 53 * if bigger than TLS_PERSIST_LINELENGTH, then shrink 54 * to TLS_LARGE_LINELENGTH immediately */ 55 #define TLS_LARGE_LINELENGTH 8192 56 #define TLS_PERSIST_LINELENGTH 32768 57 58 /* timeout to call non-blocking TLS operations again */ 59 #define TLS_RETRY_EVENT_USEC 20000 60 61 /* reconnect to lost server after n sec (initial value) */ 62 #define TLS_RECONNECT_SEC 10 63 /* backoff connection attempts */ 64 #define TLS_RECONNECT_BACKOFF_FACTOR 15/10 65 #define TLS_RECONNECT_BACKOFF(x) (x) = (x) * TLS_RECONNECT_BACKOFF_FACTOR 66 /* abandon connection attempts after n sec 67 * This has to be <= 5h (with 10sec initial interval), 68 * otherwise a daily SIGHUP from newsylog will reset 69 * all timers and the giveup time will never be reached 70 * 71 * set here: 2h, reached after ca. 7h of reconnecting 72 */ 73 #define TLS_RECONNECT_GIVEUP 60*60*2 74 75 /* default algorithm for certificate fingerprints */ 76 #define DEFAULT_FINGERPRINT_ALG "sha-1" 77 78 /* default X.509 files */ 79 #define DEFAULT_X509_CERTFILE "/etc/openssl/default.crt" 80 #define DEFAULT_X509_KEYFILE "/etc/openssl/default.key" 81 82 /* options for peer certificate verification */ 83 #define X509VERIFY_ALWAYS 0 84 #define X509VERIFY_IFPRESENT 1 85 #define X509VERIFY_NONE 2 86 87 /* attributes for self-generated keys/certificates */ 88 #define TLS_GENCERT_BITS 1024 89 #define TLS_GENCERT_SERIAL 1 90 #define TLS_GENCERT_DAYS 5*365 91 92 /* TLS connection states */ 93 #define ST_NONE 0 94 #define ST_TLS_EST 1 95 #define ST_TCP_EST 2 96 #define ST_CONNECTING 3 97 #define ST_ACCEPTING 4 98 #define ST_READING 5 99 #define ST_WRITING 6 100 #define ST_EOF 7 101 #define ST_CLOSING0 8 102 #define ST_CLOSING1 9 103 #define ST_CLOSING2 10 104 105 /* backlog for listen */ 106 #define TLSBACKLOG 4 107 /* close TLS connection after multiple 'soft' errors */ 108 #define TLS_MAXERRORCOUNT 4 109 110 /* 111 * holds TLS related settings for one connection to be 112 * included in the SSL object and available in callbacks 113 * 114 * Many fields have a slightly different semantic for 115 * incoming and outgoing connections: 116 * - for outgoing connections it contains the values from syslog.conf and 117 * the server's cert is checked against these values by check_peer_cert() 118 * - for incoming connections it is not used for checking, instead 119 * dispatch_tls_accept() fills in the connected hostname/port and 120 * check_peer_cert() fills in subject and fingerprint from the peer cert 121 */ 122 struct tls_conn_settings { 123 unsigned send_queue:1, /* currently sending buffer */ 124 errorcount:4, /* counter [0;TLS_MAXERRORCOUNT] */ 125 accepted:1, /* workaround cf. check_peer_cert*/ 126 shutdown:1, /* fast connection close on exit */ 127 x509verify:2, /* kind of validation needed */ 128 incoming:1, /* set if we are server */ 129 state:4; /* outgoing connection state */ 130 struct event *event; /* event for read/write activity */ 131 struct event *retryevent; /* event for retries */ 132 SSL *sslptr; /* active SSL object */ 133 char *hostname; /* hostname or IP we connect to */ 134 char *port; /* service name or port number */ 135 char *subject; /* configured hostname in cert */ 136 char *fingerprint; /* fingerprint of peer cert */ 137 char *certfile; /* filename of peer cert */ 138 unsigned reconnect; /* seconds between reconnects */ 139 }; 140 141 /* argument struct only used for tls_send() */ 142 struct tls_send_msg { 143 struct filed *f; 144 struct buf_queue *qentry; 145 char *line; /* formatted message */ 146 size_t linelen; 147 size_t offset; /* in case of partial writes */ 148 }; 149 150 /* return values for TLS_examine_error() */ 151 #define TLS_OK 0 /* no real problem, just ignore */ 152 #define TLS_RETRY_READ 1 /* just retry, non-blocking operation not finished yet */ 153 #define TLS_RETRY_WRITE 2 /* just retry, non-blocking operation not finished yet */ 154 #define TLS_TEMP_ERROR 4 /* recoverable error condition, but try again */ 155 #define TLS_PERM_ERROR 8 /* non-recoverable error condition, closed TLS and socket */ 156 157 /* global TLS setup and utility */ 158 char *init_global_TLS_CTX(void); 159 struct socketEvent *socksetup_tls(const int, const char *, const char *); 160 int check_peer_cert(int, X509_STORE_CTX *); 161 int accept_cert(const char* , struct tls_conn_settings *, char *, char *); 162 int deny_cert(struct tls_conn_settings *, char *, char *); 163 bool read_certfile(X509 **, const char *); 164 bool write_x509files(EVP_PKEY *, X509 *, const char *, const char *); 165 bool mk_x509_cert(X509 **, EVP_PKEY **, int, int, int); 166 bool x509_cert_add_subjectAltName(X509 *, X509V3_CTX *); 167 int tls_examine_error(const char *, const SSL *, struct tls_conn_settings *, const int); 168 169 bool get_fingerprint(const X509 *, char **, const char *); 170 bool get_commonname(X509 *, char **); 171 bool match_hostnames(X509 *, const char *, const char *); 172 bool match_fingerprint(const X509 *, const char *); 173 bool match_certfile(const X509 *, const char *); 174 175 /* configuration & parsing */ 176 bool parse_tls_destination(const char *, struct filed *, size_t); 177 /* event callbacks */ 178 void dispatch_socket_accept(int, short, void *); 179 void dispatch_tls_accept(int, short, void *); 180 void dispatch_tls_read(int, short, void *); 181 void dispatch_tls_send(int, short, void *); 182 void dispatch_tls_eof(int, short, void *); 183 void dispatch_SSL_connect(int, short, void *); 184 void dispatch_SSL_shutdown(int, short, void *); 185 void dispatch_force_tls_reconnect(int, short, void *); 186 187 bool tls_connect(struct tls_conn_settings *); 188 void tls_reconnect(int, short, void *); 189 bool tls_send(struct filed *, char *, size_t, struct buf_queue*); 190 void tls_split_messages(struct TLS_Incoming_Conn *); 191 192 void free_tls_conn(struct tls_conn_settings *); 193 void free_tls_sslptr(struct tls_conn_settings *); 194 void free_tls_send_msg(struct tls_send_msg *); 195 196 #endif /* !_TLS_H */ 197