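/* An implementation of the nsd interface for GnuTLS.
 *
 * Copyright 2008-2021 Adiscon GmbH.
 *
 * This file is part of the rsyslog runtime library.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *       http://www.apache.org/licenses/LICENSE-2.0
 *       -or-
 *       see COPYING.ASL20 in the source distribution
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef INCLUDED_NSD_GTLS_H
#define INCLUDED_NSD_GTLS_H

#include "nsd.h"

/* Size of the TLS record reception buffer: one byte more than the largest
 * plaintext record TLS permits (2^14 bytes, see RFC 8449 on record size
 * limits). The expansion is fully parenthesized so that expressions such as
 * `2 * NSD_GTLS_MAX_RCVBUF` or `NSD_GTLS_MAX_RCVBUF - 1` evaluate as intended;
 * the unparenthesized form `16 * 1024 + 1` silently yields a different value
 * in such contexts and can size a buffer too small for the data copied into it.
 */
#define NSD_GTLS_MAX_RCVBUF (16 * 1024 + 1)
/* Maximum number of certificates we load into our own chain (pOurCerts). */
#define NSD_GTLS_MAX_CERT (10)

/** IDs of GnuTLS calls that returned EAGAIN/EINTR-style "try again" and must
 * be re-issued on the next select() readiness indication.
 */
typedef enum {
	gtlsRtry_None = 0,	/**< no call needs to be retried */
	gtlsRtry_handshake = 1,	/**< gnutls_handshake() must be retried */
	gtlsRtry_recv = 2	/**< gnutls_record_recv() must be retried */
} gtlsRtryCall_t;

typedef nsd_if_t nsd_gtls_if_t; /* we just *implement* this interface */

/* the nsd_gtls object */
struct nsd_gtls_s {
	BEGINobjInstance;	/* Data to implement generic object - MUST be the first data element! */
	nsd_t *pTcp;		/**< our aggregated nsd_ptcp data */
	uchar *pszConnectHost;	/**< hostname used for connect - may be used to
				     authenticate peer if no other name given */
	const uchar *pszCAFile;
	const uchar *pszKeyFile;
	const uchar *pszCertFile;
	gnutls_certificate_credentials_t xcred;
	int xcred_is_copy;	/* if set, xcred is shared and must not be freed by this object (presumably; confirm in nsd_gtls.c) */
	int iMode;		/* 0 - plain tcp, 1 - TLS */
	int bAbortConn;		/* if set, abort connection (fatal error had happened) */
	/* How the peer is authenticated. Note that GTLS_AUTH_CERTANON performs
	 * no peer authentication at all (anonymous key exchange); it protects
	 * only against passive eavesdropping, not against an active attacker. */
	enum {
		GTLS_AUTH_CERTNAME = 0,
		GTLS_AUTH_CERTFINGERPRINT = 1,
		GTLS_AUTH_CERTVALID = 2,
		GTLS_AUTH_CERTANON = 3
	} authMode;
	/* Policy for expired peer certificates; anything other than
	 * GTLS_EXPIRED_DENY accepts a certificate past its validity period. */
	enum {
		GTLS_EXPIRED_PERMIT = 0,
		GTLS_EXPIRED_DENY = 1,
		GTLS_EXPIRED_WARN = 2
	} permitExpiredCerts;
	/* Whether to additionally check the certificate's key purpose / extended key usage. */
	enum {
		GTLS_NONE = 0,
		GTLS_PURPOSE = 1
	} dataTypeCheck;
	int bSANpriority;	/* if true, we do stricter checking (if any SAN present we do not check CN) */
	gtlsRtryCall_t rtryCall;/**< what must we retry? */
	int bIsInitiator;	/**< 0 if socket is the server end (listener), 1 if it is the initiator */
	gnutls_session_t sess;
	int bHaveSess;		/* as we don't know exactly which gnutls_session values
				   are invalid, we use this one to flag whether or
				   not we are in a session (same as -1 for a socket
				   meaning no sess) */
	int bReportAuthErr;	/* only the first auth error is to be reported, this var triggers it. Initially, it is
				 * set to 1 and changed to 0 after the first report. It is changed back to 1 after
				 * one successful authentication.
				 */
	permittedPeers_t *pPermPeers;	/* permitted peers */
	uchar *gnutlsPriorityString;	/* gnutls priority string */
	int DrvrVerifyDepth;	/* Verify Depth for certificate chains */
	gnutls_x509_crt_t pOurCerts[NSD_GTLS_MAX_CERT];	/**< our certificate, if in client mode
							     (unused in server mode) */
	unsigned int nOurCerts;	/* number of certificates in our chain; must never exceed NSD_GTLS_MAX_CERT */
	gnutls_x509_privkey_t ourKey;	/**< our private key, if in client mode (unused in server mode) */
	short bOurCertIsInit;	/**< 1 if our certificate is initialized and must be deinit on destruction */
	short bOurKeyIsInit;	/**< 1 if our private key is initialized and must be deinit on destruction */
	char *pszRcvBuf;	/**< reception buffer, sized NSD_GTLS_MAX_RCVBUF */
	int lenRcvBuf;
	/**< -1: empty, 0: connection closed, 1..NSD_GTLS_MAX_RCVBUF-1: data of that size present */
	int ptrRcvBuf;		/**< offset for next recv operation if 0 < lenRcvBuf < NSD_GTLS_MAX_RCVBUF */
};

/* interface is defined in nsd.h, we just implement it! */
#define nsd_gtlsCURR_IF_VERSION nsdCURR_IF_VERSION

/* prototypes */
PROTOTYPEObj(nsd_gtls);
/* some prototypes for things used by our nsdsel_gtls helper class */
uchar *gtlsStrerror(int error);
rsRetVal gtlsChkPeerAuth(nsd_gtls_t *pThis);
rsRetVal gtlsRecordRecv(nsd_gtls_t *pThis);

/* the name of our library binary */
#define LM_NSD_GTLS_FILENAME "lmnsd_gtls"

/* Priority strings for anonymous (unauthenticated) operation. These enable
 * anonymous key exchange, which provides no peer authentication, and request
 * TLS-level compression (+COMP-ALL) where the library still supports it; use
 * them only where GTLS_AUTH_CERTANON is an accepted risk.
 */
#if GNUTLS_VERSION_NUMBER <= 0x00030000
#define GTLS_ANON_PRIO_NOTLSV13 "NORMAL:-VERS-TLS1.3:+ANON-DH:+COMP-ALL"
#define GTLS_ANON_PRIO "NORMAL:+ANON-DH:+COMP-ALL"
#else
#define GTLS_ANON_PRIO_NOTLSV13 "NORMAL:-VERS-TLS1.3:+ANON-DH:+ANON-ECDH:+COMP-ALL"
#define GTLS_ANON_PRIO "NORMAL:+ANON-DH:+ANON-ECDH:+COMP-ALL"
#endif

/* Extended certificate checks (e.g. key purpose) need GnuTLS >= 3.4. */
#if GNUTLS_VERSION_MAJOR > 3 || (GNUTLS_VERSION_MAJOR == 3 && GNUTLS_VERSION_MINOR >= 4)
#define EXTENDED_CERT_CHECK_AVAILABLE
#endif

#endif /* #ifndef INCLUDED_NSD_GTLS_H */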