summaryrefslogtreecommitdiffstats
path: root/runtime/lib_ksils12.h
diff options
context:
space:
mode:
Diffstat (limited to 'runtime/lib_ksils12.h')
-rw-r--r--runtime/lib_ksils12.h250
1 files changed, 250 insertions, 0 deletions
diff --git a/runtime/lib_ksils12.h b/runtime/lib_ksils12.h
new file mode 100644
index 0000000..c85ff85
--- /dev/null
+++ b/runtime/lib_ksils12.h
@@ -0,0 +1,250 @@
+/* lib_ksils12.h - rsyslog's KSI-LS12 support library
+ *
+ * Copyright 2013-2017 Adiscon GmbH and Guardtime, Inc.
+ *
+ * This file is part of rsyslog.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * -or-
+ * see COPYING.ASL20 in the source distribution
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef INCLUDED_KSILS12_H
+#define INCLUDED_KSILS12_H
+#include <ksi/ksi.h>
+
+#include "lib_ksi_queue.h"
+
+#define MAX_ROOTS 64
+
+/* Flags and record types for TLV handling */
+#define RSGT_FLAG_NONCRIT 0x20
+#define RSGT_FLAG_FORWARD 0x40
+#define RSGT_TYPE_MASK 0x1f
+#define RSGT_FLAG_TLV16 0x80
+
+/* check return state of operation and abort, if non-OK */
+#define CHKr(code) if((r = code) != 0) goto done
+
+/* check the return value of a ksi api call and log a message in case of error */
+#define CHECK_KSI_API(code, context, msg) if((res = code) != 0) do { \
+ reportKSIAPIErr(context, NULL, msg, res); \
+ goto cleanup; \
+ } while (0)
+
+
+typedef enum LOGSIG_SyncMode_en {
+ /** The block hashes and ksi signatures in one file */
+ LOGSIG_ASYNCHRONOUS = 0x00,
+ /** The block hashes and ksi signatures split into separate files */
+ LOGSIG_SYNCHRONOUS = 0x01
+} LOGSIG_SyncMode;
+
+enum {
+ /* Signer state assigned before the signer thread is initialized. State remains
+ * until thread initialization begins. In case of system failure to create new
+ * thread state remains the same.
+ */
+ SIGNER_IDLE = 0x01,
+
+ /* Signer state assigned while signer thread initialization is in progress.
+ */
+ SIGNER_INIT = 0x02,
+
+ /* Signer state assigned when signer thread is initialized and ready to work.
+ */
+ SIGNER_STARTED = 0x04,
+
+ /* Thread state assigned when signer thread is being closed (signer thread returns).
+ */
+ SIGNER_STOPPED = 0x08
+};
+
+/* Max number of roots inside the forest. This permits blocks of up to
+ * 2^MAX_ROOTS records. We assume that 64 is sufficient for all use
+ * cases ;) [and 64 is not really a waste of memory, so we do not even
+ * try to work with reallocs and such...]
+ */
+
+typedef struct rsksictx_s *rsksictx;
+typedef struct ksifile_s *ksifile;
+typedef struct ksierrctx_s ksierrctx_t;
+
+
+/* context for gt calls. This primarily serves as a container for the
+ * config settings. The actual file-specific data is kept in ksifile.
+ */
+struct rsksictx_s {
+ KSI_CTX *ksi_ctx; /* libksi's context object */
+ KSI_DataHasher *hasher;
+ KSI_HashAlgorithm hashAlg;
+ KSI_HashAlgorithm hmacAlg;
+ uint8_t bKeepRecordHashes;
+ uint8_t bKeepTreeHashes;
+ uint64_t confInterval;
+ time_t tConfRequested;
+ uint64_t blockLevelLimit;
+ uint32_t blockTimeLimit;
+ uint32_t blockSigTimeout;
+ uint32_t effectiveBlockLevelLimit; /* level limit adjusted by gateway settings */
+ uint32_t threadSleepms;
+ uint8_t syncMode;
+ uid_t fileUID; /* IDs for creation */
+ uid_t dirUID;
+ gid_t fileGID;
+ gid_t dirGID;
+ int fCreateMode; /* mode to use when creating files */
+ int fDirCreateMode; /* mode to use when creating files */
+ char* aggregatorUri;
+ char* aggregatorId;
+ char* aggregatorKey;
+ char* aggregatorEndpoints[KSI_CTX_HA_MAX_SUBSERVICES];
+ int aggregatorEndpointCount;
+ char* random_source;
+ pthread_mutex_t module_lock;
+ pthread_t signer_thread;
+ ProtectedQueue *signer_queue;
+#if KSI_SDK_VER_MAJOR == 3 && KSI_SDK_VER_MINOR < 22
+ size_t roundCount; /* Count of signing requests in round. */
+ uint8_t bRoundLock; /* A lock for async. signer. */
+#endif
+ int signer_state;
+ uint8_t disabled; /* permits to disable the plugin --> set to 1 */
+
+ ksifile *ksi; /* List of signature files for keeping track of block timeouts. */
+ size_t ksiCapacity;
+ size_t ksiCount;
+
+ char *debugFileName;
+ int debugLevel;
+ FILE *debugFile;
+ uint64_t max_requests;
+ void (*errFunc)(void *, unsigned char*);
+ void (*logFunc)(void *, unsigned char*);
+ void *usrptr; /* for error function */
+};
+
+/* this describes a file, as far as librsksi is concerned */
+struct ksifile_s {
+ /* the following data items are mirrored from rsksictx to
+ * increase cache hit ratio (they are frequently accesed).
+ */
+ KSI_HashAlgorithm hashAlg;
+ uint8_t bKeepRecordHashes;
+ uint8_t bKeepTreeHashes;
+ uint64_t blockSizeLimit;
+ uint32_t blockTimeLimit;
+ /* end mirrored properties */
+ uint8_t disabled; /* permits to disable this file --> set to 1 */
+ uint8_t *IV; /* initial value for blinding masks */
+ unsigned char lastLeaf[KSI_MAX_IMPRINT_LEN]; /* last leaf hash (maybe of previous block)
+ --> preserve on term */
+ unsigned char *blockfilename;
+ unsigned char *ksifilename;
+ unsigned char *statefilename;
+ uint64_t nRecords; /* current number of records in current block */
+ uint64_t bInBlk; /* are we currently inside a blk --> need to finish on close */
+ time_t blockStarted;
+ int8_t nRoots;
+ /* algo engineering: roots structure is split into two arrays
+ * in order to improve cache hits.
+ */
+ KSI_DataHash *roots[MAX_ROOTS];
+ /* data members for the associated TLV file */
+ FILE *blockFile;
+ FILE *sigFile; /* Note that this may only be closed by signer thread or when signer thread has terminated. */
+ rsksictx ctx;
+};
+
+/* the following defines the ksistate file record. Currently, this record
+ * is fixed, we may change that over time.
+ */
+struct rsksistatefile {
+ char hdr[9]; /* must be "KSISTAT10" */
+ uint8_t hashID;
+ uint8_t lenHash;
+ /* after that, the hash value is contained within the file */
+};
+
+/* error states */
+#define RSGTE_SUCCESS 0 /* Success state */
+#define RSGTE_IO 1 /* any kind of io error */
+#define RSGTE_FMT 2 /* data fromat error */
+#define RSGTE_INVLTYP 3 /* invalid TLV type record (unexcpected at this point) */
+#define RSGTE_OOM 4 /* ran out of memory */
+#define RSGTE_LEN 5 /* error related to length records */
+#define RSGTE_SIG_EXTEND 6/* error extending signature */
+#define RSGTE_INVLD_RECCNT 7/* mismatch between actual records and records
+ given in block-sig record */
+#define RSGTE_INVLHDR 8/* invalid file header */
+#define RSGTE_EOF 9 /* specific EOF */
+#define RSGTE_MISS_REC_HASH 10 /* record hash missing when expected */
+#define RSGTE_MISS_TREE_HASH 11 /* tree hash missing when expected */
+#define RSGTE_INVLD_REC_HASH 12 /* invalid record hash (failed verification) */
+#define RSGTE_INVLD_TREE_HASH 13 /* invalid tree hash (failed verification) */
+#define RSGTE_INVLD_REC_HASHID 14 /* invalid record hash ID (failed verification) */
+#define RSGTE_INVLD_TREE_HASHID 15 /* invalid tree hash ID (failed verification) */
+#define RSGTE_MISS_BLOCKSIG 16 /* block signature record missing when expected */
+#define RSGTE_INVLD_SIGNATURE 17 /* Signature is invalid (KSI_Signature_verifyDataHash)*/
+#define RSGTE_TS_CREATEHASH 18 /* error creating HASH (KSI_DataHash_create) */
+#define RSGTE_TS_DERENCODE 19 /* error DER-Encoding a timestamp */
+#define RSGTE_HASH_CREATE 20 /* error creating a hash */
+#define RSGTE_END_OF_SIG 21 /* unexpected end of signature - more log line exist */
+#define RSGTE_END_OF_LOG 22 /* unexpected end of log file - more signatures exist */
+#define RSGTE_EXTRACT_HASH 23 /* error extracting hashes for record */
+#define RSGTE_CONFIG_ERROR 24 /* Configuration error */
+#define RSGTE_NETWORK_ERROR 25 /* Network error */
+#define RSGTE_MISS_KSISIG 26 /* KSI signature missing */
+#define RSGTE_INTERNAL 27 /* Internal error */
+
+#define getIVLenKSI(bh) (hashOutputLengthOctetsKSI((bh)->hashID))
+#define rsksiSetBlockLevelLimit(ctx, limit) ((ctx)->blockLevelLimit = (ctx)->effectiveBlockLevelLimit = limit)
+#define rsksiSetBlockTimeLimit(ctx, limit) ((ctx)->blockTimeLimit = limit)
+#define rsksiSetBlockSigTimeout(ctx, val) ((ctx)->blockSigTimeout = val)
+#define rsksiSetConfInterval(ctx, val) ((ctx)->confInterval = val)
+#define rsksiSetKeepRecordHashes(ctx, val) ((ctx)->bKeepRecordHashes = val)
+#define rsksiSetKeepTreeHashes(ctx, val) ((ctx)->bKeepTreeHashes = val)
+#define rsksiSetFileFormat(ctx, val) ((ctx)->fileFormat = val)
+#define rsksiSetSyncMode(ctx, val) ((ctx)->syncMode = val)
+#define rsksiSetRandomSource(ctx, val) ((ctx)->random_source = strdup(val))
+#define rsksiSetFileUID(ctx, val) ((ctx)->fileUID = val) /* IDs for creation */
+#define rsksiSetDirUID(ctx, val) ((ctx)->dirUID = val)
+#define rsksiSetFileGID(ctx, val) ((ctx)->fileGID= val)
+#define rsksiSetDirGID(ctx, val) ((ctx)->dirGID = val)
+#define rsksiSetCreateMode(ctx, val) ((ctx)->fCreateMode= val)
+#define rsksiSetDirCreateMode(ctx, val) ((ctx)->fDirCreateMode = val)
+#define rsksiSetDebugLevel(ctx, val) ((ctx)->debugLevel = val)
+
+
+int rsksiSetDebugFile(rsksictx ctx, char *val);
+int rsksiSetAggregator(rsksictx ctx, char *uri, char *loginid, char *key);
+int rsksiSetHashFunction(rsksictx ctx, char *algName);
+int rsksiSetHmacFunction(rsksictx ctx, char *algName);
+int rsksiInitModule(rsksictx ctx);
+rsksictx rsksiCtxNew(void);
+void rsksisetErrFunc(rsksictx ctx, void (*func)(void*, unsigned char *), void *usrptr);
+void rsksisetLogFunc(rsksictx ctx, void (*func)(void*, unsigned char *), void *usrptr);
+void reportKSIAPIErr(rsksictx ctx, ksifile ksi, const char *apiname, int ecode);
+ksifile rsksiCtxOpenFile(rsksictx ctx, unsigned char *logfn);
+int rsksifileDestruct(ksifile ksi);
+void rsksiCtxDel(rsksictx ctx);
+void sigblkInitKSI(ksifile ksi);
+int sigblkAddRecordKSI(ksifile ksi, const unsigned char *rec, const size_t len);
+int sigblkAddLeaf(ksifile ksi, const unsigned char *rec, const size_t len, bool metadata);
+unsigned sigblkCalcLevel(unsigned leaves);
+int sigblkFinishKSI(ksifile ksi);
+int sigblkAddMetadata(ksifile ksi, const char *key, const char *value);
+int sigblkCreateMask(ksifile ksi, KSI_DataHash **m);
+int sigblkCreateHash(ksifile ksi, KSI_DataHash **r, const unsigned char *rec, const size_t len);
+int sigblkHashTwoNodes(ksifile ksi, KSI_DataHash **node, KSI_DataHash *m, KSI_DataHash *r, uint8_t level);
+
+#endif /* #ifndef INCLUDED_KSILS12_H */
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-28 19:26:08 +0000