summaryrefslogtreecommitdiffstats
path: root/plugins/omdtls/omdtls.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--plugins/omdtls/omdtls.c853
1 files changed, 853 insertions, 0 deletions
diff --git a/plugins/omdtls/omdtls.c b/plugins/omdtls/omdtls.c
new file mode 100644
index 0000000..c5ba167
--- /dev/null
+++ b/plugins/omdtls/omdtls.c
@@ -0,0 +1,853 @@
+/* omdtls.c
+ * The dtls output module, uses OpenSSL as library to implement DTLS.
+ *
+ * \author Andre Lorbach <alorbach@adiscon.com>
+ *
+ * Copyright (C) 2023 Adiscon GmbH.
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include "config.h"
+#include <stdio.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <strings.h>
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <pthread.h>
+#include <sys/uio.h>
+#include <sys/queue.h>
+#include <netdb.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <math.h>
+#ifdef HAVE_SYS_STAT_H
+# include <sys/stat.h>
+#endif
+#include <sys/time.h>
+#include <time.h>
+
+// --- Include openssl headers as well
+#include <openssl/ssl.h>
+#include <openssl/x509v3.h>
+#include <openssl/err.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
+# include <openssl/bioerr.h>
+#endif
+#include <openssl/engine.h>
+// ---
+
+// Include rsyslog headers
+#include "rsyslog.h"
+#include "syslogd-types.h"
+#include "srUtils.h"
+#include "template.h"
+#include "module-template.h"
+#include "glbl.h"
+#include "errmsg.h"
+#include "atomic.h"
+#include "statsobj.h"
+#include "unicode-helper.h"
+#include "datetime.h"
+#include "net_ossl.h"
+
+MODULE_TYPE_OUTPUT
+MODULE_TYPE_NOKEEP
+MODULE_CNFNAME("omdtls")
+
+/* internal structures
+ */
+DEF_OMOD_STATIC_DATA
+DEFobjCurrIf(glbl)
+DEFobjCurrIf(datetime)
+DEFobjCurrIf(statsobj)
+DEFobjCurrIf(net_ossl)
+
+statsobj_t *dtlsStats;
+STATSCOUNTER_DEF(ctrDtlsSubmit, mutCtrDtlsSubmit);
+STATSCOUNTER_DEF(ctrDtlsFail, mutCtrDtlsFail);
+
+#define DTLS_MAX_RCVBUF 8192 /* Maximum DTLS packet is 8192 bytes which fits into Jumbo Frames. If not enabled
+ * message fragmentation (Ethernet MTU of ~ 1500 bytes) can occur.*/
+#define SETUP_DTLS_NONE 0
+#define SETUP_DTLS_AUTOCLOSE 1
+
+enum DTLSState {
+ DTLS_CONNECTED,
+ DTLS_CONNECTING,
+ DTLS_DISCONNECTED
+};
+
+/* Struct for module InstanceData */
+typedef struct _instanceData {
+ uchar *tplName; /* name of assigned template */
+
+ uchar *target;
+ uchar *port;
+
+ uchar *tlscfgcmd; /* OpenSSL Config Command used to override any OpenSSL Settings */
+ int bHaveSess; /* True if DTLS session is established */
+ int CertVerifyDepth; /* Verify Depth for certificate chains */
+
+ /* OpenSSL and Config Cert vars inside net_ossl_t now */
+ net_ossl_t *pNetOssl; /* OSSL shared Config and object vars are here */
+
+ uchar *statsName;
+ statsobj_t *stats; /* listener stats */
+ STATSCOUNTER_DEF(ctrDtlsSubmit, mutCtrDtlsSubmit)
+ STATSCOUNTER_DEF(ctrDtlsFail, mutCtrDtlsFail);
+
+ struct _instanceData *next;
+ struct _instanceData *prev;
+} instanceData;
+
+/* Struct for module workerInstanceData */
+typedef struct wrkrInstanceData {
+ instanceData *pData;
+
+ enum DTLSState ConnectState; /* DTLS Connection State Status */
+ pthread_rwlock_t pnLock;
+
+ // DTLS Helpers
+ struct sockaddr_in dtls_client_addr; /* local bind socket*/
+ struct addrinfo* dtls_rcvr_addrinfo; /* remote receiver address */
+
+ int sockin; /* UDP Socket used to receive DTLS */
+ int sockout; /* UDP Socket used to send DTLS */
+ SSL *sslClient; /* DTSL (SSL) Client */
+} wrkrInstanceData_t;
+
+#define INST_STATSCOUNTER_INC(inst, ctr, mut) \
+ do { \
+ if (inst->stats) { STATSCOUNTER_INC(ctr, mut); } \
+ } while(0);
+
+// QPID Proton Handler functions
+static rsRetVal dtls_create_socket(wrkrInstanceData_t *const __restrict__ pWrkrData, int autoclose);
+static rsRetVal dtls_init(wrkrInstanceData_t *pWrkrData);
+static rsRetVal dtls_connect(wrkrInstanceData_t *pWrkrData);
+static rsRetVal dtls_close(wrkrInstanceData_t *pWrkrData);
+static rsRetVal dtls_send(wrkrInstanceData_t *pWrkrData, const actWrkrIParams_t *__restrict__ const pParam,
+ const int iMsg);
+
+
+/* tables for interfacing with the v6 config system */
+/* action (instance) parameters */
+static struct cnfparamdescr actpdescr[] = {
+ { "target", eCmdHdlrGetWord, 0 },
+ { "port", eCmdHdlrGetWord, 0 },
+ { "tls.authmode", eCmdHdlrString, 0 },
+ { "tls.cacert", eCmdHdlrString, 0 },
+ { "tls.mycert", eCmdHdlrString, 0 },
+ { "tls.myprivkey", eCmdHdlrString, 0 },
+ { "tls.tlscfgcmd", eCmdHdlrString, 0 },
+ { "template", eCmdHdlrGetWord, 0 },
+ { "statsname", eCmdHdlrGetWord, 0 }
+};
+static struct cnfparamblk actpblk =
+ { CNFPARAMBLK_VERSION,
+ sizeof(actpdescr)/sizeof(struct cnfparamdescr),
+ actpdescr
+ };
+
+/* module-global parameters */
+static struct cnfparamdescr modpdescr[] = {
+ { "template", eCmdHdlrGetWord, 0 },
+};
+static struct cnfparamblk modpblk =
+ { CNFPARAMBLK_VERSION,
+ sizeof(modpdescr)/sizeof(struct cnfparamdescr),
+ modpdescr
+ };
+
+struct modConfData_s {
+ rsconf_t *pConf; /* our overall config object */
+ instanceData *root, *tail;
+ uchar *tplName; /* default template */
+};
+
+static modConfData_t *loadModConf = NULL; /* modConf ptr to use for the current load process */
+static modConfData_t *runModConf = NULL; /* modConf ptr to use for the current exec process */
+
+BEGINinitConfVars /* (re)set config variables to default values */
+CODESTARTinitConfVars
+ENDinitConfVars
+
+static rsRetVal
+dtls_create_socket(wrkrInstanceData_t *const __restrict__ pWrkrData, int autoclose)
+{
+ DEFiRet;
+ DBGPRINTF("omdtls[%p]: dtls_create_socket ENTER\n", pWrkrData);
+ pthread_rwlock_wrlock(&pWrkrData->pnLock);
+
+ if (autoclose == SETUP_DTLS_AUTOCLOSE) {
+ // Close Existing Connection
+ dtls_close(pWrkrData);
+ }
+
+ // Init & Open Connection
+ CHKiRet(dtls_init(pWrkrData));
+finalize_it:
+ if (iRet != RS_RET_OK) {
+ /* Parameter Error's cannot be resumed, so we need to disable the action */
+ if (iRet == RS_RET_PARAM_ERROR) {
+ iRet = RS_RET_DISABLE_ACTION;
+ LogError(0, iRet, "omdtls[%p]: action will be disabled due invalid "
+ "configuration parameters\n", pWrkrData);
+ }
+ }
+ pthread_rwlock_unlock(&pWrkrData->pnLock);
+ RETiRet;
+}
+
+BEGINbeginCnfLoad
+CODESTARTbeginCnfLoad
+ loadModConf = pModConf;
+ pModConf->pConf = pConf;
+ pModConf->tplName = NULL;
+ENDbeginCnfLoad
+
+BEGINsetModCnf
+ int i;
+CODESTARTsetModCnf
+ const struct cnfparamvals *const __restrict__ pvals = nvlstGetParams(lst, &modpblk, NULL);
+ if(pvals == NULL) {
+ ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS);
+ }
+
+ if(Debug) {
+ dbgprintf("module (global) param blk for omdtls:\n");
+ cnfparamsPrint(&modpblk, pvals);
+ }
+
+ for(i = 0 ; i < modpblk.nParams ; ++i) {
+ if(!pvals[i].bUsed)
+ continue;
+ if(!strcmp(modpblk.descr[i].name, "template")) {
+ loadModConf->tplName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else {
+ dbgprintf("omdtls: program error, non-handled "
+ "param '%s' in beginCnfLoad\n", modpblk.descr[i].name);
+ }
+ }
+finalize_it:
+ if(pvals != NULL)
+ cnfparamvalsDestruct(pvals, &modpblk);
+ENDsetModCnf
+
+BEGINendCnfLoad
+CODESTARTendCnfLoad
+ loadModConf = NULL; /* done loading */
+ENDendCnfLoad
+
+BEGINcheckCnf
+CODESTARTcheckCnf
+ENDcheckCnf
+
+BEGINactivateCnfPrePrivDrop
+ instanceData *inst;
+CODESTARTactivateCnfPrePrivDrop
+ runModConf = pModConf;
+ DBGPRINTF("omdtls: activateCnfPrePrivDrop\n");
+
+ for(inst = runModConf->root ; inst != NULL ; inst = inst->next) {
+ CHKiRet(net_ossl.osslCtxInit(inst->pNetOssl, DTLS_method()));
+ // Run openssl config commands in Context
+ CHKiRet(net_ossl_apply_tlscgfcmd(inst->pNetOssl, inst->tlscfgcmd));
+ }
+finalize_it:
+ENDactivateCnfPrePrivDrop
+
+BEGINactivateCnf
+CODESTARTactivateCnf
+ENDactivateCnf
+
+BEGINfreeCnf
+CODESTARTfreeCnf
+ free(pModConf->tplName);
+ENDfreeCnf
+
+BEGINcreateInstance
+CODESTARTcreateInstance
+ DBGPRINTF("createInstance[%p]: ENTER\n", pData);
+ pData->tplName = NULL;
+ pData->target = NULL;
+ pData->port = NULL;
+ pData->tlscfgcmd = NULL;
+ pData->statsName = NULL;
+
+ /* node created, let's add to config */
+ if(loadModConf->tail == NULL) {
+ loadModConf->tail = loadModConf->root = pData;
+ } else {
+ loadModConf->tail->next = pData;
+ loadModConf->tail = pData;
+ }
+
+ // Construct pNetOssl helper
+ CHKiRet(net_ossl.Construct(&pData->pNetOssl));
+ pData->pNetOssl->authMode = OSSL_AUTH_CERTANON;
+finalize_it:
+ENDcreateInstance
+
+
+BEGINcreateWrkrInstance
+CODESTARTcreateWrkrInstance
+ DBGPRINTF("createWrkrInstance[%p]: ENTER\n", pWrkrData);
+ pWrkrData->ConnectState = DTLS_DISCONNECTED;
+
+ CHKiRet(pthread_rwlock_init(&pWrkrData->pnLock, NULL));
+finalize_it:
+ DBGPRINTF("createWrkrInstance[%p] returned %d\n", pWrkrData, iRet);
+ENDcreateWrkrInstance
+
+
+BEGINisCompatibleWithFeature
+CODESTARTisCompatibleWithFeature
+ENDisCompatibleWithFeature
+
+
+BEGINfreeInstance
+CODESTARTfreeInstance
+ DBGPRINTF("freeInstance[%p]: ENTER\n", pData);
+
+ if (pData->stats) {
+ statsobj.Destruct(&pData->stats);
+ }
+
+ // DeConstruct pNetOssl helper
+ net_ossl.Destruct(&pData->pNetOssl);
+
+ /* Free other mem */
+ free(pData->target);
+ free(pData->port);
+ free(pData->tlscfgcmd);
+
+ free(pData->tplName);
+ free(pData->statsName);
+ENDfreeInstance
+
+BEGINfreeWrkrInstance
+CODESTARTfreeWrkrInstance
+ DBGPRINTF("freeWrkrInstance[%p]: ENTER\n", pWrkrData);
+ pthread_rwlock_wrlock(&pWrkrData->pnLock);
+
+ // Close DTLS Connection
+ dtls_close(pWrkrData);
+
+ pthread_rwlock_unlock(&pWrkrData->pnLock);
+ pthread_rwlock_destroy(&pWrkrData->pnLock);
+ENDfreeWrkrInstance
+
+
+BEGINdbgPrintInstInfo
+CODESTARTdbgPrintInstInfo
+ENDdbgPrintInstInfo
+
+BEGINtryResume
+CODESTARTtryResume
+ DBGPRINTF("omdtls[%p]: tryResume ENTER\n", pWrkrData);
+ if (pWrkrData->ConnectState == DTLS_DISCONNECTED) {
+ CHKiRet(dtls_create_socket(pWrkrData, SETUP_DTLS_AUTOCLOSE));
+ }
+finalize_it:
+ DBGPRINTF("omdtls[%p]: tryResume returned %d\n", pWrkrData, iRet);
+ENDtryResume
+
+BEGINbeginTransaction
+CODESTARTbeginTransaction
+ /* we have nothing to do to begin a transaction */
+ DBGPRINTF("omdtls[%p]: beginTransaction ENTER\n", pWrkrData);
+ if (pWrkrData->ConnectState == DTLS_DISCONNECTED) {
+ CHKiRet(dtls_create_socket(pWrkrData, SETUP_DTLS_NONE));
+ }
+finalize_it:
+ RETiRet;
+ENDbeginTransaction
+
+/*
+ * New Transaction action interface
+*/
+BEGINcommitTransaction
+ unsigned i;
+ sbool bDone = 0;
+CODESTARTcommitTransaction
+#ifndef NDEBUG
+ DBGPRINTF("omdtls[%p]: commitTransaction [%d msgs] ENTER\n", pWrkrData, nParams);
+#endif
+ do {
+ for(i = 0 ; i < nParams ; ++i) {
+ CHKiRet(dtls_send(pWrkrData, pParams, i));
+ }
+ bDone = 1;
+ } while (bDone == 0);
+finalize_it:
+ if(iRet != RS_RET_OK) {
+ DBGPRINTF("omdtls[%p]: commitTransaction failed with status %d\n", pWrkrData, iRet);
+ pWrkrData->ConnectState = DTLS_DISCONNECTED;
+ iRet = RS_RET_SUSPENDED;
+ }
+ DBGPRINTF("omdtls[%p]: commitTransaction [%d msgs] EXIT\n", pWrkrData, nParams);
+ENDcommitTransaction
+
+BEGINnewActInst
+ struct cnfparamvals *pvals;
+ int i;
+ int iNumTpls;
+ FILE *fp;
+ DBGPRINTF("newActInst: ENTER\n");
+CODESTARTnewActInst
+ if((pvals = nvlstGetParams(lst, &actpblk, NULL)) == NULL) {
+ ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS);
+ }
+
+ // Create new instance and set default params
+ CHKiRet(createInstance(&pData));
+
+ for(i = 0 ; i < actpblk.nParams ; ++i) {
+ if(!pvals[i].bUsed)
+ continue;
+ if(!strcmp(actpblk.descr[i].name, "target")) {
+ pData->target = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else if(!strcmp(actpblk.descr[i].name, "port")) {
+ pData->port = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else if(!strcmp(actpblk.descr[i].name, "template")) {
+ pData->tplName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else if(!strcmp(actpblk.descr[i].name, "statsname")) {
+ pData->statsName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else if(!strcmp(actpblk.descr[i].name, "tls.authmode")) {
+ char* pszAuthMode = es_str2cstr(pvals[i].val.d.estr, NULL);
+ if(!strcasecmp(pszAuthMode, "fingerprint"))
+ pData->pNetOssl->authMode = OSSL_AUTH_CERTFINGERPRINT;
+ else if(!strcasecmp(pszAuthMode, "name"))
+ pData->pNetOssl->authMode = OSSL_AUTH_CERTNAME;
+ else if(!strcasecmp(pszAuthMode, "certvalid"))
+ pData->pNetOssl->authMode = OSSL_AUTH_CERTVALID;
+ else
+ pData->pNetOssl->authMode = OSSL_AUTH_CERTANON;
+ free(pszAuthMode);
+ } else if(!strcmp(actpblk.descr[i].name, "tls.cacert")) {
+ pData->pNetOssl->pszCAFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ fp = fopen((const char*)pData->pNetOssl->pszCAFile, "r");
+ if(fp == NULL) {
+ char errStr[1024];
+ rs_strerror_r(errno, errStr, sizeof(errStr));
+ LogError(0, RS_RET_NO_FILE_ACCESS,
+ "error: certificate file %s couldn't be accessed: %s\n",
+ pData->pNetOssl->pszCAFile, errStr);
+ } else {
+ fclose(fp);
+ }
+ } else if(!strcmp(actpblk.descr[i].name, "tls.mycert")) {
+ pData->pNetOssl->pszCertFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ fp = fopen((const char*)pData->pNetOssl->pszCertFile, "r");
+ if(fp == NULL) {
+ char errStr[1024];
+ rs_strerror_r(errno, errStr, sizeof(errStr));
+ LogError(0, RS_RET_NO_FILE_ACCESS,
+ "error: certificate file %s couldn't be accessed: %s\n",
+ pData->pNetOssl->pszCertFile, errStr);
+ } else {
+ fclose(fp);
+ }
+ } else if(!strcmp(actpblk.descr[i].name, "tls.myprivkey")) {
+ pData->pNetOssl->pszKeyFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ fp = fopen((const char*)pData->pNetOssl->pszKeyFile, "r");
+ if(fp == NULL) {
+ char errStr[1024];
+ rs_strerror_r(errno, errStr, sizeof(errStr));
+ LogError(0, RS_RET_NO_FILE_ACCESS,
+ "error: certificate file %s couldn't be accessed: %s\n",
+ pData->pNetOssl->pszKeyFile, errStr);
+ } else {
+ fclose(fp);
+ }
+ } else if(!strcmp(actpblk.descr[i].name, "tls.tlscfgcmd")) {
+ pData->tlscfgcmd = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
+ } else {
+ LogError(0, RS_RET_INTERNAL_ERROR,
+ "omdtls: program error, non-handled param '%s'\n", actpblk.descr[i].name);
+ }
+ }
+
+ /* check if no port is set. If so, we use DEFAULT of 433 */
+ if(pData->port == NULL) {
+ CHKmalloc(pData->port = (uchar *)strdup("443"));
+ }
+
+ iNumTpls = 1;
+ CODE_STD_STRING_REQUESTnewActInst(iNumTpls);
+
+ CHKiRet(OMSRsetEntry(*ppOMSR, 0, (uchar*)strdup((pData->tplName == NULL) ?
+ "RSYSLOG_FileFormat" : (char*)pData->tplName),
+ OMSR_NO_RQD_TPL_OPTS));
+
+ if (pData->statsName) {
+ CHKiRet(statsobj.Construct(&pData->stats));
+ CHKiRet(statsobj.SetName(pData->stats, (uchar *)pData->statsName));
+ CHKiRet(statsobj.SetOrigin(pData->stats, (uchar *)"omdtls"));
+
+ /* Track following stats */
+ STATSCOUNTER_INIT(pData->ctrDtlsSubmit, pData->mutCtrDtlsSubmit);
+ CHKiRet(statsobj.AddCounter(pData->stats, (uchar *)"submitted",
+ ctrType_IntCtr, CTR_FLAG_RESETTABLE, &pData->ctrDtlsSubmit));
+ STATSCOUNTER_INIT(pData->ctrDtlsFail, pData->mutCtrDtlsFail);
+ CHKiRet(statsobj.AddCounter(pData->stats, (uchar *)"failures",
+ ctrType_IntCtr, CTR_FLAG_RESETTABLE, &pData->ctrDtlsFail));
+ CHKiRet(statsobj.ConstructFinalize(pData->stats));
+ }
+CODE_STD_FINALIZERnewActInst
+ cnfparamvalsDestruct(pvals, &actpblk);
+ENDnewActInst
+
+
+BEGINmodExit
+CODESTARTmodExit
+ DBGPRINTF("modExit: ENTER\n");
+ statsobj.Destruct(&dtlsStats);
+ objRelease(net_ossl, LM_NET_OSSL_FILENAME);
+ objRelease(statsobj, CORE_COMPONENT);
+ objRelease(datetime, CORE_COMPONENT);
+ objRelease(glbl, CORE_COMPONENT);
+ENDmodExit
+
+NO_LEGACY_CONF_parseSelectorAct
+BEGINqueryEtryPt
+CODESTARTqueryEtryPt
+CODEqueryEtryPt_STD_OMODTX_QUERIES
+CODEqueryEtryPt_STD_OMOD8_QUERIES
+CODEqueryEtryPt_STD_CONF2_QUERIES
+CODEqueryEtryPt_STD_CONF2_setModCnf_QUERIES
+CODEqueryEtryPt_STD_CONF2_PREPRIVDROP_QUERIES
+CODEqueryEtryPt_STD_CONF2_OMOD_QUERIES
+ENDqueryEtryPt
+
+
+BEGINmodInit()
+CODESTARTmodInit
+ DBGPRINTF("modInit: ENTER\n");
+INITLegCnfVars
+ *ipIFVersProvided = CURR_MOD_IF_VERSION;
+CODEmodInit_QueryRegCFSLineHdlr
+ /* request objects we use */
+ CHKiRet(objUse(glbl, CORE_COMPONENT));
+ CHKiRet(objUse(net_ossl, LM_NET_OSSL_FILENAME));
+ CHKiRet(objUse(datetime, CORE_COMPONENT));
+ CHKiRet(objUse(statsobj, CORE_COMPONENT));
+
+ CHKiRet(statsobj.Construct(&dtlsStats));
+ CHKiRet(statsobj.SetName(dtlsStats, (uchar *)"omdtls"));
+ CHKiRet(statsobj.SetOrigin(dtlsStats, (uchar*)"omdtls"));
+ STATSCOUNTER_INIT(ctrDtlsSubmit, mutCtrDtlsSubmit);
+ CHKiRet(statsobj.AddCounter(dtlsStats, (uchar *)"submitted",
+ ctrType_IntCtr, CTR_FLAG_RESETTABLE, &ctrDtlsSubmit));
+ STATSCOUNTER_INIT(ctrDtlsFail, mutCtrDtlsFail);
+ CHKiRet(statsobj.AddCounter(dtlsStats, (uchar *)"failures",
+ ctrType_IntCtr, CTR_FLAG_RESETTABLE, &ctrDtlsFail));
+
+ CHKiRet(statsobj.ConstructFinalize(dtlsStats));
+ENDmodInit
+
+/*
+* Setup socket and establish virtual Connect on a SOCKET Level for DTLS
+*/
+static rsRetVal
+dtls_send(wrkrInstanceData_t *pWrkrData, const actWrkrIParams_t *__restrict__ const pParam, const int iMsg)
+{
+ DEFiRet;
+ int iErr, sslerr;
+ instanceData *const pData = (instanceData *const) pWrkrData->pData;
+
+ // Get Msg String
+ const char* pszParamStr = (const char*)actParam(pParam, 1 /*pData->iNumTpls*/, iMsg, 0).param;
+ size_t tzParamStrLen = actParam(pParam, 1 /*pData->iNumTpls*/, iMsg, 0).lenStr;
+ DBGPRINTF("dtls_send[%p]: msg %d msg:'%.*s%s'\n",
+ pWrkrData,
+ iMsg,
+ (int)(tzParamStrLen > 0 ? (tzParamStrLen > 64 ? 64 : tzParamStrLen-1) : 0),
+ pszParamStr,
+ (tzParamStrLen > 64 ? "..." : ""));
+
+ iErr = SSL_write(pWrkrData->sslClient, pszParamStr, tzParamStrLen);
+ if(iErr > 0) {
+ DBGPRINTF("dtls_send[%p]: Successfully send message '%s' with %ld bytes to %s:%s\n",
+ pWrkrData, pszParamStr, tzParamStrLen, pData->target, pData->port);
+
+ // Increment Stats Counter
+ STATSCOUNTER_INC(ctrDtlsSubmit, mutCtrDtlsSubmit);
+ INST_STATSCOUNTER_INC(pData, pData->ctrDtlsSubmit, pData->mutCtrDtlsSubmit);
+ } else {
+ sslerr = SSL_get_error(pWrkrData->sslClient, iErr);
+ if (sslerr == SSL_ERROR_SYSCALL) {
+ dbgprintf("dtls_send[%p]: SSL_write failed with SSL_ERROR_SYSCALL(%s)"
+ " - Aborting Connection.\n", pWrkrData, strerror(errno));
+ net_ossl_lastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_WARNING,
+ "omdtls", "SSL_write");
+ ABORT_FINALIZE(RS_RET_ERR);
+ } else {
+ dbgprintf("dtls_send[%p]: SSL_write failed with ERROR [%d]: %s"
+ " - Aborting Connection.\n", pWrkrData, sslerr, ERR_error_string(sslerr, NULL));
+ net_ossl_lastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_WARNING,
+ "omdtls", "SSL_write");
+ ABORT_FINALIZE(RS_RET_ERR);
+ }
+
+ // Increment Stats Counter
+ STATSCOUNTER_INC(ctrDtlsFail, mutCtrDtlsFail);
+ INST_STATSCOUNTER_INC(pData, pData->ctrDtlsFail, pData->mutCtrDtlsFail);
+ }
+finalize_it:
+ DBGPRINTF("dtls_send[%p]: Exit with %d for %s:%s\n", pWrkrData, iRet, pData->target, pData->port);
+ if(iRet != RS_RET_OK) {
+ dtls_close(pWrkrData);
+ }
+ RETiRet;
+}
+
+/*
+* Setup socket and establish virtual Connect on a SOCKET Level for DTLS
+*/
+static rsRetVal
+dtls_connect(wrkrInstanceData_t *pWrkrData) {
+ DEFiRet;
+ int iErr;
+ instanceData *const pData = (instanceData *const) pWrkrData->pData;
+ BIO *bio_client;
+ const SSL_CIPHER *sslCipher;
+
+ DBGPRINTF("dtls_connect[%p]: setup DTLS for %s:%s\n", pWrkrData, pData->target, pData->port);
+ pWrkrData->ConnectState = DTLS_CONNECTING;
+
+ // Create SSL object
+ pWrkrData->sslClient = SSL_new(pData->pNetOssl->ctx);
+ if(!pWrkrData->sslClient) {
+ dbgprintf("dtls_connect[%p]: SSL_new failed failed\n", pWrkrData);
+ net_ossl_lastOpenSSLErrorMsg(pData->target, 0, pWrkrData->sslClient, LOG_WARNING, "omdtls", "SSL_new");
+ ABORT_FINALIZE(RS_RET_ERR);
+ }
+
+ // Set certifcate check callback
+ if (pData->pNetOssl->authMode != OSSL_AUTH_CERTANON) {
+ dbgprintf("dtls_connect[%p]: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
+ pWrkrData, pData->pNetOssl->authMode, pData->CertVerifyDepth);
+ /* Enable certificate valid checking */
+ net_ossl_set_ssl_verify_callback(pWrkrData->sslClient, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+ if (pData->CertVerifyDepth != 0) {
+ SSL_set_verify_depth(pWrkrData->sslClient, pData->CertVerifyDepth);
+ }
+ } else {
+ dbgprintf("dtls_connect[%p]: disable certificate checking\n", pWrkrData);
+ net_ossl_set_ssl_verify_callback(pWrkrData->sslClient, SSL_VERIFY_NONE);
+ }
+
+ /* Create BIO from socket array! */
+ bio_client = BIO_new_dgram(pWrkrData->sockout, BIO_NOCLOSE);
+ if (!bio_client) {
+ net_ossl_lastOpenSSLErrorMsg(pData->target, 0, pWrkrData->sslClient, LOG_INFO,
+ "dtls_connect", "BIO_new_dgram");
+ ABORT_FINALIZE(RS_RET_ERR);
+ }
+ BIO_ctrl(bio_client, BIO_CTRL_DGRAM_SET_CONNECTED, 0, &pWrkrData->dtls_client_addr);
+ SSL_set_bio(pWrkrData->sslClient, bio_client, bio_client);
+
+ /* Set debug Callback for conn BIO as well! */
+ net_ossl_set_bio_callback(bio_client);
+
+ dbgprintf("dtls_connect[%p]: Starting DTLS session ...\n", pWrkrData);
+ /* Perform handshake */
+ iErr = SSL_connect(pWrkrData->sslClient);
+ if (iErr <= 0) {
+ net_ossl_lastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_INFO,
+ "dtls_connect", "SSL_connect");
+ ABORT_FINALIZE(RS_RET_ERR);
+ }
+
+ // Print Cipher info
+ sslCipher = SSL_get_current_cipher(pWrkrData->sslClient);
+ dbgprintf("dtls_connect[%p]: Cipher Version: %s Name: %s\n", pWrkrData,
+ SSL_CIPHER_get_version(sslCipher), SSL_CIPHER_get_name(sslCipher));
+
+ if(Debug) {
+ // Print Peer Certificate info
+ X509 *cert = SSL_get_peer_certificate(pWrkrData->sslClient);
+ if (cert != NULL) {
+ char *line;
+ line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
+ dbgprintf("dtls_connect[%p]: Subject: %s\n", pWrkrData, line);
+ OPENSSL_free(line);
+
+ line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
+ dbgprintf("dtls_connect[%p]: Issuer: %s\n", pWrkrData, line);
+ OPENSSL_free(line);
+ X509_free(cert);
+ } else {
+ dbgprintf("dtls_connect[%p]: No certificates.\n", pWrkrData);
+ }
+ }
+
+ /* Set reference in SSL obj */
+ SSL_set_ex_data(pWrkrData->sslClient, 0, NULL);
+ SSL_set_ex_data(pWrkrData->sslClient, 1, NULL);
+
+ /* Set and activate timeouts */
+ struct timeval timeout;
+ timeout.tv_sec = 3;
+ timeout.tv_usec = 0;
+ BIO_ctrl(bio_client, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
+
+ pWrkrData->ConnectState = DTLS_CONNECTED;
+finalize_it:
+ DBGPRINTF("dtls_connect[%p]: Exit with %d for %s:%s\n", pWrkrData, iRet, pData->target, pData->port);
+ if(iRet != RS_RET_OK) {
+ pWrkrData->ConnectState = DTLS_DISCONNECTED;
+ }
+ RETiRet;
+}
+
+/*
+* Setup socket and establish virtual Connect on a SOCKET Level for DTLS
+*/
+static rsRetVal
+dtls_init(wrkrInstanceData_t *pWrkrData)
+{
+ DEFiRet;
+ int iErr;
+ instanceData *const pData = (instanceData *const) pWrkrData->pData;
+ struct addrinfo *addrResolved = NULL;
+ struct addrinfo hints;
+ DBGPRINTF("dtls_init[%p]: setup for %s:%s\n", pWrkrData, pData->target, pData->port);
+
+ // Close previous ressources if any left open
+ dtls_close(pWrkrData);
+
+ // Setup receiving Socket for DTLS
+ if((pWrkrData->sockin = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
+ return 1;
+ memset(&pWrkrData->dtls_client_addr, 0, sizeof(pWrkrData->dtls_client_addr));
+ pWrkrData->dtls_client_addr.sin_family = AF_INET;
+ pWrkrData->dtls_client_addr.sin_port = htons(0);
+ pWrkrData->dtls_client_addr.sin_addr.s_addr = INADDR_ANY;
+ if (bind(pWrkrData->sockin,
+ (struct sockaddr*)&pWrkrData->dtls_client_addr,
+ sizeof(pWrkrData->dtls_client_addr)) < 0) {
+ LogError(0, RS_RET_SUSPENDED, "omdtls[%p]: dtls_init Unable to bind DTLS CLient socket with errno %d",
+ pWrkrData, errno);
+ ABORT_FINALIZE(RS_RET_COULD_NOT_BIND);
+ }
+
+ // Resolve target address
+ memset(&hints, 0, sizeof(hints));
+ /* port must be numeric, because config file syntax requires this */
+ hints.ai_family = glbl.GetDefPFFamily(runModConf->pConf);
+ hints.ai_socktype = SOCK_DGRAM;
+ if((iErr = (getaddrinfo((char*)pData->target, (char*)pData->port, &hints, &addrResolved))) != 0) {
+ LogError(0, RS_RET_SUSPENDED,
+ "omdtls[%p]: could not get addrinfo for hostname '%s':'%s': %s",
+ pWrkrData, pData->target, pData->port, gai_strerror(iErr));
+ ABORT_FINALIZE(RS_RET_ADDRESS_UNKNOWN);
+ }
+ pWrkrData->dtls_rcvr_addrinfo = addrResolved;
+ addrResolved = NULL;
+
+ // Init Socket Connection (Which technically does not connect but prepares socket for DTLS)
+ DBGPRINTF("dtls_init[%p]: Init Session to %s:%s\n", pWrkrData, pData->target, pData->port);
+
+ // Connect the UDP socket to the receiver's address
+ pWrkrData->sockout = socket(AF_INET, SOCK_DGRAM, 0);
+ if (connect(pWrkrData->sockout,
+ pWrkrData->dtls_rcvr_addrinfo->ai_addr,
+ pWrkrData->dtls_rcvr_addrinfo->ai_addrlen) < 0) {
+ LogError(0, RS_RET_SUSPENDED,
+ "dtls_init[%p]: Failed to connect to hostname '%s':'%s': %s",
+ pWrkrData, pData->target, pData->port, gai_strerror(iErr));
+ ABORT_FINALIZE(RS_RET_ERR);
+ }
+
+ // Socket Connect successfull, no continue with TLS
+ CHKiRet(dtls_connect(pWrkrData));
+
+ // We reached this position means we are ready to send!
+ pWrkrData->ConnectState = DTLS_CONNECTED;
+finalize_it:
+ DBGPRINTF("dtls_init[%p]: doTryResume %s iRet %d\n", pWrkrData, pData->target, iRet);
+ if(addrResolved != NULL) {
+ freeaddrinfo(addrResolved);
+ }
+ if(iRet != RS_RET_OK) {
+ if(pWrkrData->dtls_rcvr_addrinfo != NULL) {
+ freeaddrinfo(pWrkrData->dtls_rcvr_addrinfo);
+ pWrkrData->dtls_rcvr_addrinfo = NULL;
+ }
+ iRet = RS_RET_SUSPENDED;
+
+ // Force DTLS Disconnect State
+ dtls_close(pWrkrData);
+ // pWrkrData->ConnectState = DTLS_DISCONNECTED;
+ }
+ RETiRet;
+}
+
+static rsRetVal
+dtls_close(wrkrInstanceData_t *pWrkrData)
+{
+ DEFiRet;
+ int iErr;
+ instanceData *const pData = (instanceData *const) pWrkrData->pData;
+ if (pWrkrData->ConnectState == DTLS_CONNECTED) {
+ DBGPRINTF("dtls_close[%p]: close session for %s:%s\n", pWrkrData, pData->target, pData->port);
+ if ( pWrkrData->sslClient != NULL &&
+ pWrkrData->ConnectState == DTLS_CONNECTED) {
+ iErr = SSL_shutdown(pWrkrData->sslClient);
+ if (iErr <= 0){
+ /* Shutdown not finished, call SSL_read to do a bidirectional shutdown, see doc:
+ * https://www.openssl.org/docs/man1.1.1/man3/SSL_shutdown.html
+ * We do a single SSL_read which should be fine for protocol handling.
+ * No data is to be expected from the receiver side.
+ */
+ char rcvBuf[DTLS_MAX_RCVBUF];
+ SSL_read(pWrkrData->sslClient, rcvBuf, DTLS_MAX_RCVBUF);
+ }
+ SSL_free(pWrkrData->sslClient);
+ pWrkrData->sslClient = NULL;
+ }
+ }
+
+ // Close Sockets
+ if ( pWrkrData->sockout != 0) {
+ close(pWrkrData->sockout);
+ pWrkrData->sockout = 0;
+ }
+ if ( pWrkrData->sockin != 0) {
+ close(pWrkrData->sockin);
+ pWrkrData->sockin = 0;
+ }
+
+ // Free Memory
+ if(pWrkrData->dtls_rcvr_addrinfo != NULL) {
+ freeaddrinfo(pWrkrData->dtls_rcvr_addrinfo);
+ pWrkrData->dtls_rcvr_addrinfo = NULL;
+ }
+
+ // Reset Helpers
+ pWrkrData->ConnectState = DTLS_DISCONNECTED;
+FINALIZE;
+finalize_it:
+ RETiRet;
+}