Adding upstream version 1.9.13p3.upstream/1.9.13p3upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

1 files changed, 251 insertions, 0 deletions

diff --git a/logsrvd/tls_client.c b/logsrvd/tls_client.c
new file mode 100644
index 0000000..dde6a60
--- /dev/null
+++ b/logsrvd/tls_client.c
@@ -0,0 +1,251 @@
+/*
+ * SPDX-License-Identifier: ISC
+ *
+ * Copyright (c) 2019-2022 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * This is an open source non-commercial project. Dear PVS-Studio, please check it.
+ * PVS-Studio Static Code Analyzer for C, C++ and C#: http://www.viva64.com
+ */
+
+#include <config.h>
+
+#include <errno.h>
+#ifdef HAVE_STDBOOL_H
+# include <stdbool.h>
+#else
+# include "compat/stdbool.h"
+#endif /* HAVE_STDBOOL_H */
+#if defined(HAVE_STDINT_H)
+# include <stdint.h>
+#elif defined(HAVE_INTTYPES_H)
+# include <inttypes.h>
+#endif
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+#include "sudo_compat.h"
+#include "sudo_debug.h"
+#include "sudo_event.h"
+#include "sudo_fatal.h"
+#include "sudo_gettext.h"
+#include "sudo_util.h"
+
+#include "logsrv_util.h"
+#include "tls_common.h"
+#include "hostcheck.h"
+
+#if defined(HAVE_OPENSSL)
+
+/*
+ * Check that the server's certificate is valid that it contains the
+ * server name or IP address.
+ * Returns 0 if the cert is invalid, else 1.
+ */
+static int
+verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
+{
+    HostnameValidationResult result;
+    struct peer_info *peer_info;
+    SSL *ssl;
+    X509 *current_cert;
+    X509 *peer_cert;
+    debug_decl(verify_peer_identity, SUDO_DEBUG_UTIL);
+
+    /* if pre-verification of the cert failed, just propagate that result back */
+    if (preverify_ok != 1) {
+        debug_return_int(0);
+    }
+
+    /*
+     * Since this callback is called for each cert in the chain,
+     * check that current cert is the peer's certificate
+     */
+    current_cert = X509_STORE_CTX_get_current_cert(ctx);
+    peer_cert = X509_STORE_CTX_get0_cert(ctx);
+    if (current_cert != peer_cert) {
+        debug_return_int(1);
+    }
+
+    /* Fetch the attached peer_info from the ssl connection object. */
+    ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+    peer_info = SSL_get_ex_data(ssl, 1);
+
+    /*
+     * Validate the cert based on the host name and IP address.
+     * If host name is not known, validate_hostname() can resolve it.
+     */
+    result = validate_hostname(peer_cert,
+	peer_info->name ? peer_info->name : peer_info->ipaddr,
+	peer_info->ipaddr, peer_info->name ? 0 : 1);
+
+    debug_return_int(result == MatchFound);
+}
+
+void
+tls_connect_cb(int sock, int what, void *v)
+{
+    struct tls_client_closure *tls_client = v;
+    struct sudo_event_base *evbase = tls_client->evbase;
+    const struct timespec *timeout = &tls_client->connect_timeout;
+    const char *errstr;
+    int con_stat;
+    debug_decl(tls_connect_cb, SUDO_DEBUG_UTIL);
+
+    if (what == SUDO_EV_TIMEOUT) {
+        sudo_warnx("%s", U_("TLS handshake timeout occurred"));
+        goto bad;
+    }
+
+    con_stat = SSL_connect(tls_client->ssl);
+
+    if (con_stat == 1) {
+	sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+	    "SSL_connect successful");
+        tls_client->tls_connect_state = true;
+    } else {
+        switch (SSL_get_error(tls_client->ssl, con_stat)) {
+            /* TLS handshake is not finished, reschedule event */
+            case SSL_ERROR_WANT_READ:
+		sudo_debug_printf(SUDO_DEBUG_NOTICE|SUDO_DEBUG_LINENO,
+		    "SSL_connect returns SSL_ERROR_WANT_READ");
+		if (what != SUDO_EV_READ) {
+		    if (sudo_ev_set(tls_client->tls_connect_ev,
+			    SSL_get_fd(tls_client->ssl), SUDO_EV_READ,
+			    tls_connect_cb, tls_client) == -1) {
+			sudo_warnx("%s", U_("unable to set event"));
+			goto bad;
+		    }
+		}
+                if (sudo_ev_add(evbase, tls_client->tls_connect_ev, timeout, false) == -1) {
+                    sudo_warnx("%s", U_("unable to add event to queue"));
+		    goto bad;
+                }
+		break;
+            case SSL_ERROR_WANT_WRITE:
+		sudo_debug_printf(SUDO_DEBUG_NOTICE|SUDO_DEBUG_LINENO,
+		    "SSL_connect returns SSL_ERROR_WANT_WRITE");
+		if (what != SUDO_EV_WRITE) {
+		    if (sudo_ev_set(tls_client->tls_connect_ev,
+			    SSL_get_fd(tls_client->ssl), SUDO_EV_WRITE,
+			    tls_connect_cb, tls_client) == -1) {
+			sudo_warnx("%s", U_("unable to set event"));
+			goto bad;
+		    }
+		}
+                if (sudo_ev_add(evbase, tls_client->tls_connect_ev, timeout, false) == -1) {
+                    sudo_warnx("%s", U_("unable to add event to queue"));
+		    goto bad;
+                }
+		break;
+	    case SSL_ERROR_SYSCALL:
+                sudo_warnx(U_("TLS connection failed: %s"), strerror(errno));
+		goto bad;
+            default:
+		errstr = ERR_reason_error_string(ERR_get_error());
+                sudo_warnx(U_("TLS connection failed: %s"),
+		    errstr ? errstr : strerror(errno));
+                goto bad;
+        }
+    }
+
+    if (tls_client->tls_connect_state) {
+	sudo_debug_printf(SUDO_DEBUG_INFO|SUDO_DEBUG_LINENO,
+	    "TLS version: %s, negotiated cipher suite: %s",
+	    SSL_get_version(tls_client->ssl), SSL_get_cipher(tls_client->ssl));
+
+	/* Done with TLS connect, send ClientHello */
+	sudo_ev_free(tls_client->tls_connect_ev);
+	tls_client->tls_connect_ev = NULL;
+	if (!tls_client->start_fn(tls_client))
+	    goto bad;
+    }
+
+    debug_return;
+
+bad:
+    sudo_ev_loopbreak(evbase);
+    debug_return;
+}
+
+bool
+tls_ctx_client_setup(SSL_CTX *ssl_ctx, int sock,
+    struct tls_client_closure *closure)
+{
+    const char *errstr;
+    bool ret = false;
+    debug_decl(tls_ctx_client_setup, SUDO_DEBUG_UTIL);
+
+    if ((closure->ssl = SSL_new(ssl_ctx)) == NULL) {
+	errstr = ERR_reason_error_string(ERR_get_error());
+        sudo_warnx(U_("unable to allocate ssl object: %s"),
+	    errstr ? errstr : strerror(errno));
+        goto done;
+    }
+
+    if (SSL_set_ex_data(closure->ssl, 1, closure->peer_name) <= 0) {
+	errstr = ERR_reason_error_string(ERR_get_error());
+	sudo_warnx(U_("Unable to attach user data to the ssl object: %s"),
+	    errstr ? errstr : strerror(errno));
+	goto done;
+    }
+
+    if (SSL_set_fd(closure->ssl, sock) <= 0) {
+	errstr = ERR_reason_error_string(ERR_get_error());
+        sudo_warnx(U_("Unable to attach socket to the ssl object: %s"),
+	    errstr ? errstr : strerror(errno));
+        goto done;
+    }
+
+    if (sudo_ev_add(closure->evbase, closure->tls_connect_ev, NULL, false) == -1) {
+	sudo_warnx("%s", U_("unable to add event to queue"));
+	goto done;
+    }
+
+    ret = true;
+
+done:
+    debug_return_bool(ret);
+}
+
+bool
+tls_client_setup(int sock, const char *ca_bundle_file, const char *cert_file,
+    const char *key_file, const char *dhparam_file, const char *ciphers_v12,
+    const char *ciphers_v13, bool verify_server, bool check_peer,
+    struct tls_client_closure *closure)
+{
+    SSL_CTX *ssl_ctx;
+    debug_decl(tls_client_setup, SUDO_DEBUG_UTIL);
+
+    ssl_ctx = init_tls_context(ca_bundle_file, cert_file, key_file,
+	dhparam_file, ciphers_v12, ciphers_v13, verify_server);
+    if (ssl_ctx == NULL) {
+        sudo_warnx("%s", U_("unable to initialize TLS context"));
+	debug_return_bool(false);
+    }
+
+    if (check_peer) {
+	/* Verify server cert during the handshake. */
+	SSL_CTX_set_verify(ssl_ctx,
+	    SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+	    verify_peer_identity);
+    }
+
+    debug_return_bool(tls_ctx_client_setup(ssl_ctx, sock, closure));
+}
+#endif /* HAVE_OPENSSL */