path: root/plugins/omdtls/omdtls.c

/* omdtls.c
 * The dtls output module, uses OpenSSL as library to implement DTLS.
 *
 * \author  Andre Lorbach <alorbach@adiscon.com>
 *
 * Copyright (C) 2023 Adiscon GmbH.
 *
 * This file is part of rsyslog.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *       http://www.apache.org/licenses/LICENSE-2.0
 *       -or-
 *       see COPYING.ASL20 in the source distribution
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
#include "config.h"
#include <stdio.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <assert.h>
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <sys/uio.h>
#include <sys/queue.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <math.h>
#ifdef HAVE_SYS_STAT_H
#	include <sys/stat.h>
#endif
#include <sys/time.h>
#include <time.h>

// --- Include openssl headers as well
#include <openssl/ssl.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
#	include <openssl/bioerr.h>
#endif
#include <openssl/engine.h>
// ---

// Include rsyslog headers
#include "rsyslog.h"
#include "syslogd-types.h"
#include "srUtils.h"
#include "template.h"
#include "module-template.h"
#include "glbl.h"
#include "errmsg.h"
#include "atomic.h"
#include "statsobj.h"
#include "unicode-helper.h"
#include "datetime.h"
#include "net_ossl.h"

MODULE_TYPE_OUTPUT
MODULE_TYPE_NOKEEP
MODULE_CNFNAME("omdtls")

/* internal structures
 */
DEF_OMOD_STATIC_DATA
DEFobjCurrIf(glbl)
DEFobjCurrIf(datetime)
DEFobjCurrIf(statsobj)
DEFobjCurrIf(net_ossl)

statsobj_t *dtlsStats;
STATSCOUNTER_DEF(ctrDtlsSubmit, mutCtrDtlsSubmit);
STATSCOUNTER_DEF(ctrDtlsFail, mutCtrDtlsFail);

#define DTLS_MAX_RCVBUF 8192	/* Maximum DTLS packet is 8192 bytes which fits into Jumbo Frames. If not enabled
				*  message fragmentation (Ethernet MTU of ~ 1500 bytes) can occur.*/
#define SETUP_DTLS_NONE 0
#define SETUP_DTLS_AUTOCLOSE 1

enum DTLSState {
	DTLS_CONNECTED,
	DTLS_CONNECTING,
	DTLS_DISCONNECTED
};

/* Struct for module InstanceData */
typedef struct _instanceData {
	uchar 	*tplName;	/* name of assigned template */

	uchar *target;
	uchar *port;

	uchar *tlscfgcmd;		/* OpenSSL Config Command used to override any OpenSSL Settings */
	int bHaveSess;			/* True if DTLS session is established */
	int CertVerifyDepth;		/* Verify Depth for certificate chains */

	/* OpenSSL and Config Cert vars inside net_ossl_t now */
	net_ossl_t *pNetOssl;		/* OSSL shared Config and object vars are here */

	uchar *statsName;
	statsobj_t *stats;		/* listener stats */
	STATSCOUNTER_DEF(ctrDtlsSubmit, mutCtrDtlsSubmit)
	STATSCOUNTER_DEF(ctrDtlsFail, mutCtrDtlsFail);

	struct _instanceData *next;
	struct _instanceData *prev;
} instanceData;

/* Struct for module workerInstanceData */
typedef struct wrkrInstanceData {
	instanceData *pData;
	
	enum DTLSState ConnectState;		/* DTLS Connection State Status */
	pthread_rwlock_t pnLock;

	// DTLS Helpers
	struct sockaddr_in dtls_client_addr;	/* local bind socket*/
	struct addrinfo* dtls_rcvr_addrinfo;	/* remote receiver address */

	int sockin;			/* UDP Socket used to receive DTLS */
	int sockout;			/* UDP Socket used to send DTLS */
	SSL *sslClient;			/* DTSL (SSL) Client */
} wrkrInstanceData_t;

#define INST_STATSCOUNTER_INC(inst, ctr, mut) \
	do { \
		if (inst->stats) { STATSCOUNTER_INC(ctr, mut); } \
	} while(0);

// QPID Proton Handler functions
static rsRetVal dtls_create_socket(wrkrInstanceData_t *const __restrict__ pWrkrData, int autoclose);
static rsRetVal dtls_init(wrkrInstanceData_t *pWrkrData);
static rsRetVal dtls_connect(wrkrInstanceData_t *pWrkrData);
static rsRetVal dtls_close(wrkrInstanceData_t *pWrkrData);
static rsRetVal dtls_send(wrkrInstanceData_t *pWrkrData, const actWrkrIParams_t *__restrict__ const pParam,
	const int iMsg);


/* tables for interfacing with the v6 config system */
/* action (instance) parameters */
static struct cnfparamdescr actpdescr[] = {
	{ "target", eCmdHdlrGetWord, 0 },
	{ "port", eCmdHdlrGetWord, 0 },
	{ "tls.authmode", eCmdHdlrString, 0 },
	{ "tls.cacert", eCmdHdlrString, 0 },
	{ "tls.mycert", eCmdHdlrString, 0 },
	{ "tls.myprivkey", eCmdHdlrString, 0 },
	{ "tls.tlscfgcmd", eCmdHdlrString, 0 },
	{ "template", eCmdHdlrGetWord, 0 },
	{ "statsname", eCmdHdlrGetWord, 0 }
};
static struct cnfparamblk actpblk =
	{ CNFPARAMBLK_VERSION,
	  sizeof(actpdescr)/sizeof(struct cnfparamdescr),
	  actpdescr
	};

/* module-global parameters */
static struct cnfparamdescr modpdescr[] = {
	{ "template", eCmdHdlrGetWord, 0 },
};
static struct cnfparamblk modpblk =
	{ CNFPARAMBLK_VERSION,
	  sizeof(modpdescr)/sizeof(struct cnfparamdescr),
	  modpdescr
	};

struct modConfData_s {
	rsconf_t *pConf;	/* our overall config object */
	instanceData *root, *tail;
	uchar 	*tplName;	/* default template */
};

static modConfData_t *loadModConf = NULL;	/* modConf ptr to use for the current load process */
static modConfData_t *runModConf = NULL;	/* modConf ptr to use for the current exec process */

BEGINinitConfVars		/* (re)set config variables to default values */
CODESTARTinitConfVars
ENDinitConfVars

static rsRetVal
dtls_create_socket(wrkrInstanceData_t *const __restrict__ pWrkrData, int autoclose)
{
	DEFiRet;
	DBGPRINTF("omdtls[%p]: dtls_create_socket ENTER\n", pWrkrData);
	pthread_rwlock_wrlock(&pWrkrData->pnLock);

	if (autoclose == SETUP_DTLS_AUTOCLOSE) {
		// Close Existing Connection
		dtls_close(pWrkrData);
	}

	// Init & Open Connection
	CHKiRet(dtls_init(pWrkrData));
finalize_it:
	if (iRet != RS_RET_OK) {
		/* Parameter Error's cannot be resumed, so we need to disable the action */
		if (iRet == RS_RET_PARAM_ERROR) {
			iRet = RS_RET_DISABLE_ACTION;
			LogError(0, iRet, "omdtls[%p]: action will be disabled due invalid "
				"configuration parameters\n", pWrkrData);
		}
	}
	pthread_rwlock_unlock(&pWrkrData->pnLock);
	RETiRet;
}

BEGINbeginCnfLoad
CODESTARTbeginCnfLoad
	loadModConf = pModConf;
	pModConf->pConf = pConf;
	pModConf->tplName = NULL;
ENDbeginCnfLoad

BEGINsetModCnf
	int i;
CODESTARTsetModCnf
	const struct cnfparamvals *const __restrict__ pvals = nvlstGetParams(lst, &modpblk, NULL);
	if(pvals == NULL) {
		ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS);
	}

	if(Debug) {
		dbgprintf("module (global) param blk for omdtls:\n");
		cnfparamsPrint(&modpblk, pvals);
	}

	for(i = 0 ; i < modpblk.nParams ; ++i) {
		if(!pvals[i].bUsed)
			continue;
		if(!strcmp(modpblk.descr[i].name, "template")) {
			loadModConf->tplName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
		} else {
			dbgprintf("omdtls: program error, non-handled "
			  "param '%s' in beginCnfLoad\n", modpblk.descr[i].name);
		}
	}
finalize_it:
	if(pvals != NULL)
		cnfparamvalsDestruct(pvals, &modpblk);
ENDsetModCnf

BEGINendCnfLoad
CODESTARTendCnfLoad
	loadModConf = NULL; /* done loading */
ENDendCnfLoad

BEGINcheckCnf
CODESTARTcheckCnf
ENDcheckCnf

BEGINactivateCnfPrePrivDrop
	instanceData *inst;
CODESTARTactivateCnfPrePrivDrop
	runModConf = pModConf;
	DBGPRINTF("omdtls: activateCnfPrePrivDrop\n");

	for(inst = runModConf->root ; inst != NULL ; inst = inst->next) {
		CHKiRet(net_ossl.osslCtxInit(inst->pNetOssl, DTLS_method()));
		// Run openssl config commands in Context
		CHKiRet(net_ossl_apply_tlscgfcmd(inst->pNetOssl, inst->tlscfgcmd));
	}
finalize_it:
ENDactivateCnfPrePrivDrop

BEGINactivateCnf
CODESTARTactivateCnf
ENDactivateCnf

BEGINfreeCnf
CODESTARTfreeCnf
	free(pModConf->tplName);
ENDfreeCnf

BEGINcreateInstance
CODESTARTcreateInstance
	DBGPRINTF("createInstance[%p]: ENTER\n", pData);
	pData->tplName = NULL;
	pData->target = NULL;
	pData->port = NULL;
	pData->tlscfgcmd = NULL;
	pData->statsName = NULL;

	/* node created, let's add to config */
	if(loadModConf->tail == NULL) {
		loadModConf->tail = loadModConf->root = pData;
	} else {
		loadModConf->tail->next = pData;
		loadModConf->tail = pData;
	}

	// Construct pNetOssl helper
	CHKiRet(net_ossl.Construct(&pData->pNetOssl));
	pData->pNetOssl->authMode = OSSL_AUTH_CERTANON;
finalize_it:
ENDcreateInstance


BEGINcreateWrkrInstance
CODESTARTcreateWrkrInstance
	DBGPRINTF("createWrkrInstance[%p]: ENTER\n", pWrkrData);
	pWrkrData->ConnectState = DTLS_DISCONNECTED;

	CHKiRet(pthread_rwlock_init(&pWrkrData->pnLock, NULL));
finalize_it:
	DBGPRINTF("createWrkrInstance[%p] returned %d\n", pWrkrData, iRet);
ENDcreateWrkrInstance


BEGINisCompatibleWithFeature
CODESTARTisCompatibleWithFeature
ENDisCompatibleWithFeature


BEGINfreeInstance
CODESTARTfreeInstance
	DBGPRINTF("freeInstance[%p]: ENTER\n", pData);

	if (pData->stats) {
		statsobj.Destruct(&pData->stats);
	}

	// DeConstruct pNetOssl helper
	net_ossl.Destruct(&pData->pNetOssl);

	/* Free other mem */
	free(pData->target);
	free(pData->port);
	free(pData->tlscfgcmd);

	free(pData->tplName);
	free(pData->statsName);
ENDfreeInstance

BEGINfreeWrkrInstance
CODESTARTfreeWrkrInstance
	DBGPRINTF("freeWrkrInstance[%p]: ENTER\n", pWrkrData);
	pthread_rwlock_wrlock(&pWrkrData->pnLock);

	// Close DTLS Connection
	dtls_close(pWrkrData);

	pthread_rwlock_unlock(&pWrkrData->pnLock);
	pthread_rwlock_destroy(&pWrkrData->pnLock);
ENDfreeWrkrInstance


BEGINdbgPrintInstInfo
CODESTARTdbgPrintInstInfo
ENDdbgPrintInstInfo

BEGINtryResume
CODESTARTtryResume
	DBGPRINTF("omdtls[%p]: tryResume ENTER\n", pWrkrData);
	if (pWrkrData->ConnectState == DTLS_DISCONNECTED) {
		CHKiRet(dtls_create_socket(pWrkrData, SETUP_DTLS_AUTOCLOSE));
	}
finalize_it:
	DBGPRINTF("omdtls[%p]: tryResume returned %d\n", pWrkrData, iRet);
ENDtryResume

BEGINbeginTransaction
CODESTARTbeginTransaction
	/* we have nothing to do to begin a transaction */
	DBGPRINTF("omdtls[%p]: beginTransaction ENTER\n", pWrkrData);
	if (pWrkrData->ConnectState == DTLS_DISCONNECTED) {
		CHKiRet(dtls_create_socket(pWrkrData, SETUP_DTLS_NONE));
	}
finalize_it:
	RETiRet;
ENDbeginTransaction

/*
 *	New Transaction action interface
*/
BEGINcommitTransaction
	unsigned i;
	sbool bDone = 0;
CODESTARTcommitTransaction
#ifndef NDEBUG
	DBGPRINTF("omdtls[%p]: commitTransaction [%d msgs] ENTER\n", pWrkrData, nParams);
#endif
	do {
		for(i = 0 ; i < nParams ; ++i) {
			CHKiRet(dtls_send(pWrkrData, pParams, i));
		}
		bDone = 1;
	} while (bDone == 0);
finalize_it:
	if(iRet != RS_RET_OK) {
		DBGPRINTF("omdtls[%p]: commitTransaction failed with status %d\n", pWrkrData, iRet);
		pWrkrData->ConnectState = DTLS_DISCONNECTED;
		iRet = RS_RET_SUSPENDED;
	}
	DBGPRINTF("omdtls[%p]: commitTransaction [%d msgs] EXIT\n", pWrkrData, nParams);
ENDcommitTransaction

BEGINnewActInst
	struct cnfparamvals *pvals;
	int i;
	int iNumTpls;
	FILE *fp;
	DBGPRINTF("newActInst: ENTER\n");
CODESTARTnewActInst
	if((pvals = nvlstGetParams(lst, &actpblk, NULL)) == NULL) {
		ABORT_FINALIZE(RS_RET_MISSING_CNFPARAMS);
	}
	
	// Create new instance and set default params
	CHKiRet(createInstance(&pData));

	for(i = 0 ; i < actpblk.nParams ; ++i) {
		if(!pvals[i].bUsed)
			continue;
		if(!strcmp(actpblk.descr[i].name, "target")) {
			pData->target = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
		} else if(!strcmp(actpblk.descr[i].name, "port")) {
			pData->port = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
		} else if(!strcmp(actpblk.descr[i].name, "template")) {
			pData->tplName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
		} else if(!strcmp(actpblk.descr[i].name, "statsname")) {
			pData->statsName = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
		} else if(!strcmp(actpblk.descr[i].name, "tls.authmode")) {
			char* pszAuthMode = es_str2cstr(pvals[i].val.d.estr, NULL);
			if(!strcasecmp(pszAuthMode, "fingerprint"))
				pData->pNetOssl->authMode = OSSL_AUTH_CERTFINGERPRINT;
			else if(!strcasecmp(pszAuthMode, "name"))
				pData->pNetOssl->authMode = OSSL_AUTH_CERTNAME;
			else if(!strcasecmp(pszAuthMode, "certvalid"))
				pData->pNetOssl->authMode = OSSL_AUTH_CERTVALID;
			else
				pData->pNetOssl->authMode = OSSL_AUTH_CERTANON;
			free(pszAuthMode);
		} else if(!strcmp(actpblk.descr[i].name, "tls.cacert")) {
			pData->pNetOssl->pszCAFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
			fp = fopen((const char*)pData->pNetOssl->pszCAFile, "r");
			if(fp == NULL) {
				char errStr[1024];
				rs_strerror_r(errno, errStr, sizeof(errStr));
				LogError(0, RS_RET_NO_FILE_ACCESS,
				"error: certificate file %s couldn't be accessed: %s\n",
				pData->pNetOssl->pszCAFile, errStr);
			} else {
				fclose(fp);
			}
		} else if(!strcmp(actpblk.descr[i].name, "tls.mycert")) {
			pData->pNetOssl->pszCertFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
			fp = fopen((const char*)pData->pNetOssl->pszCertFile, "r");
			if(fp == NULL) {
				char errStr[1024];
				rs_strerror_r(errno, errStr, sizeof(errStr));
				LogError(0, RS_RET_NO_FILE_ACCESS,
				"error: certificate file %s couldn't be accessed: %s\n",
				pData->pNetOssl->pszCertFile, errStr);
			} else {
				fclose(fp);
			}
		} else if(!strcmp(actpblk.descr[i].name, "tls.myprivkey")) {
			pData->pNetOssl->pszKeyFile = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
			fp = fopen((const char*)pData->pNetOssl->pszKeyFile, "r");
			if(fp == NULL) {
				char errStr[1024];
				rs_strerror_r(errno, errStr, sizeof(errStr));
				LogError(0, RS_RET_NO_FILE_ACCESS,
				"error: certificate file %s couldn't be accessed: %s\n",
				pData->pNetOssl->pszKeyFile, errStr);
			} else {
				fclose(fp);
			}
		} else if(!strcmp(actpblk.descr[i].name, "tls.tlscfgcmd")) {
			pData->tlscfgcmd = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
		} else {
			LogError(0, RS_RET_INTERNAL_ERROR,
				"omdtls: program error, non-handled param '%s'\n", actpblk.descr[i].name);
		}
	}

	/* check if no port is set. If so, we use DEFAULT of 433 */
	if(pData->port == NULL) {
		CHKmalloc(pData->port = (uchar *)strdup("443"));
	}

	iNumTpls = 1;
	CODE_STD_STRING_REQUESTnewActInst(iNumTpls);

	CHKiRet(OMSRsetEntry(*ppOMSR, 0, (uchar*)strdup((pData->tplName == NULL) ?
						"RSYSLOG_FileFormat" : (char*)pData->tplName),
						OMSR_NO_RQD_TPL_OPTS));

	if (pData->statsName) {
		CHKiRet(statsobj.Construct(&pData->stats));
		CHKiRet(statsobj.SetName(pData->stats, (uchar *)pData->statsName));
		CHKiRet(statsobj.SetOrigin(pData->stats, (uchar *)"omdtls"));

		/* Track following stats */
		STATSCOUNTER_INIT(pData->ctrDtlsSubmit, pData->mutCtrDtlsSubmit);
		CHKiRet(statsobj.AddCounter(pData->stats, (uchar *)"submitted",
			ctrType_IntCtr, CTR_FLAG_RESETTABLE, &pData->ctrDtlsSubmit));
		STATSCOUNTER_INIT(pData->ctrDtlsFail, pData->mutCtrDtlsFail);
		CHKiRet(statsobj.AddCounter(pData->stats, (uchar *)"failures",
			ctrType_IntCtr, CTR_FLAG_RESETTABLE, &pData->ctrDtlsFail));
		CHKiRet(statsobj.ConstructFinalize(pData->stats));
	}
CODE_STD_FINALIZERnewActInst
	cnfparamvalsDestruct(pvals, &actpblk);
ENDnewActInst


BEGINmodExit
CODESTARTmodExit
	DBGPRINTF("modExit: ENTER\n");
	statsobj.Destruct(&dtlsStats);
	objRelease(net_ossl, LM_NET_OSSL_FILENAME);
	objRelease(statsobj, CORE_COMPONENT);
	objRelease(datetime, CORE_COMPONENT);
	objRelease(glbl, CORE_COMPONENT);
ENDmodExit

NO_LEGACY_CONF_parseSelectorAct
BEGINqueryEtryPt
CODESTARTqueryEtryPt
CODEqueryEtryPt_STD_OMODTX_QUERIES
CODEqueryEtryPt_STD_OMOD8_QUERIES
CODEqueryEtryPt_STD_CONF2_QUERIES
CODEqueryEtryPt_STD_CONF2_setModCnf_QUERIES
CODEqueryEtryPt_STD_CONF2_PREPRIVDROP_QUERIES
CODEqueryEtryPt_STD_CONF2_OMOD_QUERIES
ENDqueryEtryPt


BEGINmodInit()
CODESTARTmodInit
	DBGPRINTF("modInit: ENTER\n");
INITLegCnfVars
	*ipIFVersProvided = CURR_MOD_IF_VERSION;
CODEmodInit_QueryRegCFSLineHdlr
	/* request objects we use */
	CHKiRet(objUse(glbl, CORE_COMPONENT));
	CHKiRet(objUse(net_ossl, LM_NET_OSSL_FILENAME));
	CHKiRet(objUse(datetime, CORE_COMPONENT));
	CHKiRet(objUse(statsobj, CORE_COMPONENT));

	CHKiRet(statsobj.Construct(&dtlsStats));
	CHKiRet(statsobj.SetName(dtlsStats, (uchar *)"omdtls"));
	CHKiRet(statsobj.SetOrigin(dtlsStats, (uchar*)"omdtls"));
	STATSCOUNTER_INIT(ctrDtlsSubmit, mutCtrDtlsSubmit);
	CHKiRet(statsobj.AddCounter(dtlsStats, (uchar *)"submitted",
		ctrType_IntCtr, CTR_FLAG_RESETTABLE, &ctrDtlsSubmit));
	STATSCOUNTER_INIT(ctrDtlsFail, mutCtrDtlsFail);
	CHKiRet(statsobj.AddCounter(dtlsStats, (uchar *)"failures",
		ctrType_IntCtr, CTR_FLAG_RESETTABLE, &ctrDtlsFail));

	CHKiRet(statsobj.ConstructFinalize(dtlsStats));
ENDmodInit

/*
*	Setup socket and establish virtual Connect on a SOCKET Level for DTLS
*/
static rsRetVal
dtls_send(wrkrInstanceData_t *pWrkrData, const actWrkrIParams_t *__restrict__ const pParam, const int iMsg)
{
	DEFiRet;
	int iErr, sslerr;
	instanceData *const pData = (instanceData *const) pWrkrData->pData;

	// Get Msg String
	const char* pszParamStr = (const char*)actParam(pParam, 1 /*pData->iNumTpls*/, iMsg, 0).param;
	size_t tzParamStrLen = actParam(pParam, 1 /*pData->iNumTpls*/, iMsg, 0).lenStr;
	DBGPRINTF("dtls_send[%p]: msg %d msg:'%.*s%s'\n",
		pWrkrData,
		iMsg,
		(int)(tzParamStrLen > 0 ? (tzParamStrLen > 64 ? 64 : tzParamStrLen-1) : 0),
		pszParamStr,
		(tzParamStrLen > 64 ? "..." : ""));

	iErr = SSL_write(pWrkrData->sslClient, pszParamStr, tzParamStrLen);
	if(iErr > 0) {
		DBGPRINTF("dtls_send[%p]: Successfully send message '%s' with %ld bytes to %s:%s\n",
			pWrkrData, pszParamStr, tzParamStrLen, pData->target, pData->port);

		// Increment Stats Counter
		STATSCOUNTER_INC(ctrDtlsSubmit, mutCtrDtlsSubmit);
		INST_STATSCOUNTER_INC(pData, pData->ctrDtlsSubmit, pData->mutCtrDtlsSubmit);
	} else {
		sslerr = SSL_get_error(pWrkrData->sslClient, iErr);
		if (sslerr == SSL_ERROR_SYSCALL) {
			dbgprintf("dtls_send[%p]: SSL_write failed with SSL_ERROR_SYSCALL(%s)"
				" - Aborting Connection.\n", pWrkrData, strerror(errno));
			net_ossl_lastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_WARNING,
				"omdtls", "SSL_write");
			ABORT_FINALIZE(RS_RET_ERR);
		} else {
			dbgprintf("dtls_send[%p]: SSL_write failed with ERROR [%d]: %s"
				" - Aborting Connection.\n", pWrkrData, sslerr, ERR_error_string(sslerr, NULL));
			net_ossl_lastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_WARNING,
				"omdtls", "SSL_write");
			ABORT_FINALIZE(RS_RET_ERR);
		}

		// Increment Stats Counter
		STATSCOUNTER_INC(ctrDtlsFail, mutCtrDtlsFail);
		INST_STATSCOUNTER_INC(pData, pData->ctrDtlsFail, pData->mutCtrDtlsFail);
	}
finalize_it:
	DBGPRINTF("dtls_send[%p]: Exit with %d for %s:%s\n", pWrkrData, iRet, pData->target, pData->port);
	if(iRet != RS_RET_OK) {
		dtls_close(pWrkrData);
	}
	RETiRet;
}

/*
*	Setup socket and establish virtual Connect on a SOCKET Level for DTLS
*/
static rsRetVal
dtls_connect(wrkrInstanceData_t *pWrkrData) {
	DEFiRet;
	int iErr;
	instanceData *const pData = (instanceData *const) pWrkrData->pData;
	BIO *bio_client;
	const SSL_CIPHER *sslCipher;

	DBGPRINTF("dtls_connect[%p]: setup DTLS for %s:%s\n", pWrkrData, pData->target, pData->port);
	pWrkrData->ConnectState = DTLS_CONNECTING;

	// Create SSL object
	pWrkrData->sslClient = SSL_new(pData->pNetOssl->ctx);
	if(!pWrkrData->sslClient) {
		dbgprintf("dtls_connect[%p]: SSL_new failed failed\n", pWrkrData);
		net_ossl_lastOpenSSLErrorMsg(pData->target, 0, pWrkrData->sslClient, LOG_WARNING, "omdtls", "SSL_new");
		ABORT_FINALIZE(RS_RET_ERR);
	}

	// Set certifcate check callback
	if (pData->pNetOssl->authMode != OSSL_AUTH_CERTANON) {
		dbgprintf("dtls_connect[%p]: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
			pWrkrData, pData->pNetOssl->authMode, pData->CertVerifyDepth);
		/* Enable certificate valid checking */
		net_ossl_set_ssl_verify_callback(pWrkrData->sslClient, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
		if (pData->CertVerifyDepth != 0) {
			SSL_set_verify_depth(pWrkrData->sslClient, pData->CertVerifyDepth);
		}
	} else {
		dbgprintf("dtls_connect[%p]: disable certificate checking\n", pWrkrData);
		net_ossl_set_ssl_verify_callback(pWrkrData->sslClient, SSL_VERIFY_NONE);
	}

	/* Create BIO from socket array! */
	bio_client = BIO_new_dgram(pWrkrData->sockout, BIO_NOCLOSE);
	if (!bio_client) {
		net_ossl_lastOpenSSLErrorMsg(pData->target, 0, pWrkrData->sslClient, LOG_INFO,
			"dtls_connect", "BIO_new_dgram");
		ABORT_FINALIZE(RS_RET_ERR);
	}
	BIO_ctrl(bio_client, BIO_CTRL_DGRAM_SET_CONNECTED, 0, &pWrkrData->dtls_client_addr);
	SSL_set_bio(pWrkrData->sslClient, bio_client, bio_client);

	/* Set debug Callback for conn BIO as well! */
	net_ossl_set_bio_callback(bio_client);

	dbgprintf("dtls_connect[%p]: Starting DTLS session ...\n", pWrkrData);
	/* Perform handshake */
	iErr = SSL_connect(pWrkrData->sslClient);
	if (iErr <= 0) {
		net_ossl_lastOpenSSLErrorMsg(pData->target, iErr, pWrkrData->sslClient, LOG_INFO,
			"dtls_connect", "SSL_connect");
		ABORT_FINALIZE(RS_RET_ERR);
	}

	// Print Cipher info
	sslCipher = SSL_get_current_cipher(pWrkrData->sslClient);
	dbgprintf("dtls_connect[%p]: Cipher Version: %s Name: %s\n", pWrkrData,
		SSL_CIPHER_get_version(sslCipher), SSL_CIPHER_get_name(sslCipher));

	if(Debug) {
		// Print Peer Certificate info
		X509 *cert = SSL_get_peer_certificate(pWrkrData->sslClient);
		if (cert != NULL) {
			char *line;
			line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
			dbgprintf("dtls_connect[%p]: Subject: %s\n", pWrkrData, line);
			OPENSSL_free(line);

			line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
			dbgprintf("dtls_connect[%p]: Issuer: %s\n", pWrkrData, line);
			OPENSSL_free(line);
			X509_free(cert);
		} else {
			dbgprintf("dtls_connect[%p]: No certificates.\n", pWrkrData);
		}
	}

	/* Set reference in SSL obj */
	SSL_set_ex_data(pWrkrData->sslClient, 0, NULL);
	SSL_set_ex_data(pWrkrData->sslClient, 1, NULL);

	/* Set and activate timeouts */
	struct timeval timeout;
	timeout.tv_sec = 3;
	timeout.tv_usec = 0;
	BIO_ctrl(bio_client, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);

	pWrkrData->ConnectState = DTLS_CONNECTED;
finalize_it:
	DBGPRINTF("dtls_connect[%p]: Exit with %d for %s:%s\n", pWrkrData, iRet, pData->target, pData->port);
	if(iRet != RS_RET_OK) {
		pWrkrData->ConnectState = DTLS_DISCONNECTED;
	}
	RETiRet;
}

/*
*	Setup socket and establish virtual Connect on a SOCKET Level for DTLS
*/
static rsRetVal
dtls_init(wrkrInstanceData_t *pWrkrData)
{
	DEFiRet;
	int iErr;
	instanceData *const pData = (instanceData *const) pWrkrData->pData;
	struct addrinfo *addrResolved = NULL;
	struct addrinfo hints;
	DBGPRINTF("dtls_init[%p]: setup for %s:%s\n", pWrkrData, pData->target, pData->port);

	// Close previous ressources if any left open
	dtls_close(pWrkrData);

	// Setup receiving Socket for DTLS
	if((pWrkrData->sockin = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		return 1;
	memset(&pWrkrData->dtls_client_addr, 0, sizeof(pWrkrData->dtls_client_addr));
	pWrkrData->dtls_client_addr.sin_family = AF_INET;
	pWrkrData->dtls_client_addr.sin_port = htons(0);
	pWrkrData->dtls_client_addr.sin_addr.s_addr = INADDR_ANY;
	if (bind(pWrkrData->sockin,
		(struct sockaddr*)&pWrkrData->dtls_client_addr,
		sizeof(pWrkrData->dtls_client_addr)) < 0) {
		LogError(0, RS_RET_SUSPENDED, "omdtls[%p]: dtls_init Unable to bind DTLS CLient socket with errno %d",
			pWrkrData, errno);
		ABORT_FINALIZE(RS_RET_COULD_NOT_BIND);
	}

	// Resolve target address
	memset(&hints, 0, sizeof(hints));
	/* port must be numeric, because config file syntax requires this */
	hints.ai_family = glbl.GetDefPFFamily(runModConf->pConf);
	hints.ai_socktype = SOCK_DGRAM;
	if((iErr = (getaddrinfo((char*)pData->target, (char*)pData->port, &hints, &addrResolved))) != 0) {
		LogError(0, RS_RET_SUSPENDED,
			"omdtls[%p]: could not get addrinfo for hostname '%s':'%s': %s",
			pWrkrData, pData->target, pData->port, gai_strerror(iErr));
		ABORT_FINALIZE(RS_RET_ADDRESS_UNKNOWN);
	}
	pWrkrData->dtls_rcvr_addrinfo = addrResolved;
	addrResolved = NULL;

	// Init Socket Connection (Which technically does not connect but prepares socket for DTLS)
	DBGPRINTF("dtls_init[%p]: Init Session to %s:%s\n", pWrkrData, pData->target, pData->port);

	// Connect the UDP socket to the receiver's address
	pWrkrData->sockout = socket(AF_INET, SOCK_DGRAM, 0);
	if (connect(pWrkrData->sockout,
		pWrkrData->dtls_rcvr_addrinfo->ai_addr,
		pWrkrData->dtls_rcvr_addrinfo->ai_addrlen) < 0) {
		LogError(0, RS_RET_SUSPENDED,
			"dtls_init[%p]: Failed to connect to hostname '%s':'%s': %s",
			pWrkrData, pData->target, pData->port, gai_strerror(iErr));
		ABORT_FINALIZE(RS_RET_ERR);
	}
	
	// Socket Connect successfull, no continue with TLS
	CHKiRet(dtls_connect(pWrkrData));

	// We reached this position means we are ready to send!
	pWrkrData->ConnectState = DTLS_CONNECTED;
finalize_it:
	DBGPRINTF("dtls_init[%p]: doTryResume %s iRet %d\n", pWrkrData, pData->target, iRet);
	if(addrResolved != NULL) {
		freeaddrinfo(addrResolved);
	}
	if(iRet != RS_RET_OK) {
		if(pWrkrData->dtls_rcvr_addrinfo != NULL) {
			freeaddrinfo(pWrkrData->dtls_rcvr_addrinfo);
			pWrkrData->dtls_rcvr_addrinfo = NULL;
		}
		iRet = RS_RET_SUSPENDED;

		// Force DTLS Disconnect State
		dtls_close(pWrkrData);
		// pWrkrData->ConnectState = DTLS_DISCONNECTED;
	}
	RETiRet;
}

static rsRetVal
dtls_close(wrkrInstanceData_t *pWrkrData)
{
	DEFiRet;
	int iErr;
	instanceData *const pData = (instanceData *const) pWrkrData->pData;
	if (pWrkrData->ConnectState == DTLS_CONNECTED) {
		DBGPRINTF("dtls_close[%p]: close session for %s:%s\n", pWrkrData, pData->target, pData->port);
		if (	pWrkrData->sslClient != NULL &&
			pWrkrData->ConnectState == DTLS_CONNECTED) {
			iErr = SSL_shutdown(pWrkrData->sslClient);
			if (iErr <= 0){
				/* Shutdown not finished, call SSL_read to do a bidirectional shutdown, see doc:
				*	https://www.openssl.org/docs/man1.1.1/man3/SSL_shutdown.html
				*	We do a single SSL_read which should be fine for protocol handling.
				*	No data is to be expected from the receiver side.
				*/
				char rcvBuf[DTLS_MAX_RCVBUF];
				SSL_read(pWrkrData->sslClient, rcvBuf, DTLS_MAX_RCVBUF);
			}
			SSL_free(pWrkrData->sslClient);
			pWrkrData->sslClient = NULL;
		}
	}

	// Close Sockets
	if (	pWrkrData->sockout != 0) {
		close(pWrkrData->sockout);
		pWrkrData->sockout = 0;
	}
	if (	pWrkrData->sockin != 0) {
		close(pWrkrData->sockin);
		pWrkrData->sockin = 0;
	}

	// Free Memory
	if(pWrkrData->dtls_rcvr_addrinfo != NULL) {
		freeaddrinfo(pWrkrData->dtls_rcvr_addrinfo);
		pWrkrData->dtls_rcvr_addrinfo = NULL;
	}

	// Reset Helpers
	pWrkrData->ConnectState = DTLS_DISCONNECTED;
FINALIZE;
finalize_it:
	RETiRet;
}