Introduces DTLS for UDP

Author: ssahani

meson.build

@@ -128,6 +128,12 @@ conf.set('GPERF_LEN_TYPE', gperf_len_type,
 
 ############################################################
 
+libopenssl = dependency('openssl',
+                        version : '>= 1.1.0',
+                        required : get_option('openssl'))
+conf.set10('HAVE_OPENSSL', libopenssl.found())
+
+############################################################
 config_h = configure_file(
         output : 'config.h',
         configuration : conf)
@@ -165,6 +171,7 @@ systemd_netlogd = executable(
                    link_with : libshared,
                    dependencies : [
                    libcap,
+                   libopenssl,
                    libsystemd],
                    install : true,
                    install_dir : get_option('prefix'))

meson_options.txt

@@ -0,0 +1,5 @@
+option('version-tag', type : 'string',
+       description : 'override the git version string')
+
+option('openssl', type : 'boolean', value : true,
+       description : 'enable openssl support')

src/meson.build

@@ -41,6 +41,8 @@ libshared_sources = files('''
                   share/ioprio.h
                   share/io-util.c
                   share/io-util.h
+                  share/iovec-util.c
+                  share/iovec-util.h
                   share/escape.c
                   share/escape.h
                   share/user-util.c
@@ -103,6 +105,9 @@ systemd_netlogd_sources = files('''
                         netlog/netlog-manager.c
                         netlog/netlog-manager.h
                         netlog/netlog-network.c
+                        netlog/netlog-network.h
+                        netlog/netlog-dtls.c
+                        netlog/netlog-dtls.h
                         '''.split())
 
 netlogd_gperf_c = custom_target(

src/netlog/netlog-dtls.c

@@ -0,0 +1,205 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <sys/epoll.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include "alloc-util.h"
+#include "io-util.h"
+#include "iovec-util.h"
+#include "netlog-dtls.h"
+#include "fd-util.h"
+
+static char *tls_error_string(int ssl_error, char *buf, size_t count) {
+        assert(buf || count == 0);
+        if (ssl_error == SSL_ERROR_SSL)
+                ERR_error_string_n(ERR_get_error(), buf, count);
+        else
+                snprintf(buf, count, "SSL_get_error()=%d", ssl_error);
+        return buf;
+}
+
+#define TLS_ERROR_BUFSIZE 256
+#define TLS_ERROR_STRING(error) \
+        tls_error_string((error), (char[TLS_ERROR_BUFSIZE]){}, TLS_ERROR_BUFSIZE)
+
+static ssize_t dtls_write(DTLSManager *m, const char *buf, size_t count) {
+        int error, r;
+        ssize_t ss;
+
+        assert(m);
+
+        ERR_clear_error();
+        ss = r = SSL_write(m->ssl, buf, count);
+        if (r <= 0) {
+                error = SSL_get_error(m->ssl, r);
+                if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
+                        m->events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
+                        ss = -EAGAIN;
+                } else if (error == SSL_ERROR_ZERO_RETURN) {
+                        m->events = 0;
+                        ss = 0;
+                } else {
+                        log_debug("Failed to invoke SSL_write: %s", TLS_ERROR_STRING(error));
+                        m->events = 0;
+                        ss = -EPIPE;
+                }
+        } else
+                m->events = 0;
+
+        return ss;
+}
+
+ssize_t dtls_stream_writev(DTLSManager *m, const struct iovec *iov, size_t iovcnt) {
+        _cleanup_free_ char *buf = NULL;
+        size_t count;
+
+        assert(m);
+        assert(m->ssl);
+        assert(iov);
+        assert(iovec_total_size(iov, iovcnt) > 0);
+
+        /* single buffer. Suboptimal, but better than multiple SSL_write calls. */
+        count = iovec_total_size(iov, iovcnt);
+        buf = new(char, count);
+        for (size_t i = 0, pos = 0; i < iovcnt; pos += iov[i].iov_len, i++)
+                memcpy(buf + pos, iov[i].iov_base, iov[i].iov_len);
+
+        return dtls_write(m, buf, count);
+}
+
+int dtls_connect(DTLSManager *m, SocketAddress *address) {
+        _cleanup_(BIO_freep) BIO *bio = NULL;
+        _cleanup_(SSL_freep) SSL *ssl = NULL;
+        const SSL_CIPHER *cipher;
+        union sockaddr_union sa;
+        socklen_t salen;
+        SSL_CTX *ctx;
+        struct timeval timeout = {
+                .tv_sec = 3,
+                .tv_usec = 0,
+        };
+        int fd, r;
+
+        assert(m);
+
+        switch (address->sockaddr.sa.sa_family) {
+                case AF_INET:
+                        sa = (union sockaddr_union) {
+                        .in.sin_family = address->sockaddr.sa.sa_family,
+                        .in.sin_port = address->sockaddr.in.sin_port,
+                        .in.sin_addr = address->sockaddr.in.sin_addr,
+                };
+                        salen = sizeof(sa.in);
+                        break;
+                case AF_INET6:
+                        sa = (union sockaddr_union) {
+                        .in6.sin6_family = address->sockaddr.sa.sa_family,
+                        .in6.sin6_port = address->sockaddr.in6.sin6_port,
+                        .in6.sin6_addr = address->sockaddr.in6.sin6_addr,
+                };
+                        salen = sizeof(sa.in6);
+                        break;
+                default:
+                        return -EAFNOSUPPORT;
+        }
+
+        fd = socket(AF_INET, SOCK_DGRAM, 0);
+        if (fd < 0)
+                return log_error_errno(errno, "Failed to allocate socket: %m");;
+
+        r = connect(fd, &address->sockaddr.sa, salen);
+        if (r < 0 && errno != EINPROGRESS)
+                return log_error_errno(errno, "Failed to connect dtls socket: %m");;
+
+        ctx = SSL_CTX_new(DTLS_method());
+        if (!ctx)
+                return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
+                                       "Failed to allocate memory for SSL CTX: %m");
+
+        SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
+        SSL_CTX_set_default_verify_paths(ctx);
+
+        ssl = SSL_new(ctx);
+        if (!ssl)
+                return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
+                                       "Failed to allocate memory for ssl: %s",
+                                       ERR_error_string(ERR_get_error(), NULL));
+
+        /* Create BIO from socket array! */
+        bio = BIO_new_dgram(fd, BIO_NOCLOSE);
+        if (!bio)
+                return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
+                                       "Failed to allocate memory for bio: %m");
+
+        BIO_ctrl(bio, BIO_CTRL_DGRAM_SET_CONNECTED, 0, &address);
+        SSL_set_bio(ssl , bio, bio);
+
+        r = SSL_connect(ssl);
+        if (r <= 0)
+                return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
+                                       "Failed to SSL_connect: %s",
+                                       ERR_error_string(ERR_get_error(), NULL));
+
+        cipher = SSL_get_current_cipher(ssl);
+        log_debug("dtls_connect: Cipher Version: %s Name: %s", SSL_CIPHER_get_version(cipher), SSL_CIPHER_get_name(cipher));
+
+        /* Set reference in SSL obj */
+        SSL_set_ex_data(ssl, 0, NULL);
+        SSL_set_ex_data(ssl, 1, NULL);
+
+        /* Set and activate timeouts */
+        BIO_ctrl(bio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
+
+        m->bio = TAKE_PTR(bio);
+        m->ssl = TAKE_PTR(ssl);
+        m->ctx = ctx;
+        m->fd = fd;
+
+        m->connected = true;
+        return 0;
+}
+
+void dtls_disconnect(DTLSManager *m) {
+        if (!m)
+                return;
+
+        ERR_clear_error();
+
+        if (m->ssl) {
+                SSL_shutdown(m->ssl);
+                SSL_free(m->ssl);
+                m->ssl = NULL;
+        }
+
+        if (m->bio) {
+                BIO_free(m->bio);
+                m->bio = NULL;
+        }
+
+        m->fd = safe_close(m->fd);
+}
+
+void dtls_manager_free(DTLSManager *m) {
+        if (!m)
+                return;
+
+        if (m->ctx)
+                SSL_CTX_free(m->ctx);
+
+        free(m);
+}
+
+int dtls_manager_init(DTLSManager **ret) {
+        _cleanup_(dtls_manager_freep) DTLSManager *m = NULL;
+
+        m = new0(DTLSManager, 1);
+        if (!m)
+                return log_oom();
+
+        *ret = TAKE_PTR(m);
+        return 0;
+}

src/netlog/netlog-dtls.h

@@ -0,0 +1,39 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include <openssl/ssl.h>
+#include <openssl/bio.h>
+#include <stdbool.h>
+
+#include "socket-util.h"
+
+typedef struct DTLSManager DTLSManager;
+
+struct DTLSManager {
+        SSL_SESSION *session;
+        SSL_CTX *ctx;
+        BIO *bio;
+        SSL *ssl;
+
+        uint32_t events;
+        int fd;
+
+        bool shutdown;
+        bool connected;
+
+        BUF_MEM *write_buffer;
+        size_t buffer_offset;
+};
+
+void dtls_manager_free(DTLSManager *m);
+int dtls_manager_init(DTLSManager **m);
+
+int dtls_connect(DTLSManager *m, SocketAddress *addr);
+void dtls_disconnect(DTLSManager *m);
+
+ssize_t dtls_stream_writev(DTLSManager *m, const struct iovec *iov, size_t iovcnt);
+
+DEFINE_TRIVIAL_CLEANUP_FUNC(DTLSManager*, dtls_manager_free);
+
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);

src/netlog/netlog-manager.c

@@ -28,8 +28,9 @@
         for (sd_journal_restart_data(j); ((retval) = sd_journal_enumerate_data((j), &(data), &(l))) > 0; )
 
 static const char *const protocol_table[_SYSLOG_TRANSMISSION_PROTOCOL_MAX] = {
-        [SYSLOG_TRANSMISSION_PROTOCOL_UDP] = "udp",
-        [SYSLOG_TRANSMISSION_PROTOCOL_TCP] = "tcp",
+        [SYSLOG_TRANSMISSION_PROTOCOL_UDP]  = "udp",
+        [SYSLOG_TRANSMISSION_PROTOCOL_TCP]  = "tcp",
+        [SYSLOG_TRANSMISSION_PROTOCOL_DTLS] = "dtls",
 };
 
 DEFINE_STRING_TABLE_LOOKUP(protocol, int);
@@ -387,9 +388,15 @@ int manager_connect(Manager *m) {
 
         manager_disconnect(m);
 
-        r = manager_open_network_socket(m);
-        if (r < 0)
-                return log_error_errno(r, "Failed to create network socket: %m");
+        if (m->protocol == SYSLOG_TRANSMISSION_PROTOCOL_DTLS) {
+                r = dtls_connect(m->dtls, &m->address);
+                if (r < 0)
+                        return r;
+        } else {
+                r = manager_open_network_socket(m);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to create network socket: %m");
+        }
 
         r = manager_journal_monitor_listen(m);
         if (r < 0)
@@ -404,6 +411,7 @@ void manager_disconnect(Manager *m) {
         close_journal_input(m);
 
         manager_close_network_socket(m);
+        dtls_disconnect(m->dtls);
 
         m->event_journal_input = sd_event_source_unref(m->event_journal_input);
 

src/netlog/netlog-manager.h

@@ -6,7 +6,7 @@
 
 #include "sd-network.h"
 #include "socket-util.h"
-#include "netlog-tls.h"
+#include "netlog-dtls.h"
 
 typedef enum SysLogTransmissionProtocol {
         SYSLOG_TRANSMISSION_PROTOCOL_UDP      = 1 << 0,
@@ -61,7 +61,7 @@ struct Manager {
         bool syslog_msgid;
         bool encrypt;
 
-        TLSManager *tls;
+        DTLSManager *dtls;
 };
 
 int manager_new(const char *state_file, const char *cursor, Manager **ret);

src/netlog/netlog-network.c

@@ -168,7 +168,11 @@ static int format_rfc5424(Manager *m,
         if (m->protocol == SYSLOG_TRANSMISSION_PROTOCOL_TCP)
                 IOVEC_SET_STRING(iov[n++], "\n");
 
-        return network_send(m, iov, n);
+
+        if (m->protocol == SYSLOG_TRANSMISSION_PROTOCOL_DTLS)
+                return dtls_stream_writev(m->dtls, iov, n);
+        else
+                return network_send(m, iov, n);
 }
 
 static int format_rfc3339(Manager *m,
@@ -236,7 +240,10 @@ static int format_rfc3339(Manager *m,
         if (m->protocol == SYSLOG_TRANSMISSION_PROTOCOL_TCP)
                 IOVEC_SET_STRING(iov[n++], "\n");
 
-        return network_send(m, iov, n);
+        if (m->protocol == SYSLOG_TRANSMISSION_PROTOCOL_DTLS)
+                return dtls_stream_writev(m->dtls, iov, n);
+        else
+                return network_send(m, iov, n);
 }
 
 int manager_push_to_network(Manager *m,
@@ -305,7 +312,7 @@ int manager_network_connect_socket(Manager *m) {
                         salen = sizeof(sa.in6);
                         break;
                 default:
-                        return EAFNOSUPPORT;
+                        return -EAFNOSUPPORT;
         }
 
         r = connect(m->socket, &m->address.sockaddr.sa, salen);

src/netlog/systemd-netlogd.c

@@ -171,6 +171,12 @@ int main(int argc, char **argv) {
                 goto finish;
         }
 
+        if (m->protocol == SYSLOG_TRANSMISSION_PROTOCOL_DTLS) {
+                r = dtls_manager_init(&m->dtls);
+                if (r < 0)
+                        return r;
+        }
+
         r = setup_cursor_state_file(m, uid, gid);
         if (r < 0)
                 goto cleanup;

src/share/iovec-util.c

@@ -0,0 +1,49 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "iovec-util.h"
+#include "string-util.h"
+
+size_t iovec_total_size(const struct iovec *iovec, size_t n) {
+        size_t sum = 0;
+
+        assert(iovec || n == 0);
+
+        FOREACH_ARRAY(j, iovec, n)
+                sum += j->iov_len;
+
+        return sum;
+}
+
+bool iovec_increment(struct iovec *iovec, size_t n, size_t k) {
+        assert(iovec || n == 0);
+
+        /* Returns true if there is nothing else to send (bytes written cover all of the iovec),
+         * false if there's still work to do. */
+
+        FOREACH_ARRAY(j, iovec, n) {
+                size_t sub;
+
+                if (j->iov_len == 0)
+                        continue;
+                if (k == 0)
+                        return false;
+
+                sub = MIN(j->iov_len, k);
+                j->iov_len -= sub;
+                j->iov_base = (uint8_t*) j->iov_base + sub;
+                k -= sub;
+        }
+
+        assert(k == 0); /* Anything else would mean that we wrote more bytes than available,
+                         * or the kernel reported writing more bytes than sent. */
+        return true;
+}
+
+void iovec_array_free(struct iovec *iovec, size_t n_iovec) {
+        assert(iovec || n_iovec == 0);
+
+        FOREACH_ARRAY(i, iovec, n_iovec)
+                free(i->iov_base);
+
+        free(iovec);
+}

src/share/iovec-util.h

@@ -0,0 +1,65 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include <stdbool.h>
+#include <sys/types.h>
+#include <sys/uio.h>
+
+#include "alloc-util.h"
+#include "macro.h"
+
+/* An iovec pointing to a single NUL byte */
+#define IOVEC_NUL_BYTE (const struct iovec) {                   \
+                .iov_base = (void*) (const uint8_t[1]) { 0 },   \
+                .iov_len = 1,                                   \
+        }
+
+size_t iovec_total_size(const struct iovec *iovec, size_t n);
+
+bool iovec_increment(struct iovec *iovec, size_t n, size_t k);
+
+/* This accepts both const and non-const pointers */
+#define IOVEC_MAKE(base, len)                                           \
+        (struct iovec) {                                                \
+                .iov_base = (void*) (base),                             \
+                .iov_len = (len),                                       \
+        }
+
+static inline struct iovec* iovec_make_string(struct iovec *iovec, const char *s) {
+        assert(iovec);
+        /* We don't use strlen_ptr() here, because we don't want to include string-util.h for now */
+        *iovec = IOVEC_MAKE(s, s ? strlen(s) : 0);
+        return iovec;
+}
+
+#define IOVEC_MAKE_STRING(s) \
+        *iovec_make_string(&(struct iovec) {}, s)
+
+#define CONST_IOVEC_MAKE_STRING(s)              \
+        (const struct iovec) {                  \
+                .iov_base = (char*) s,          \
+                .iov_len = STRLEN(s),           \
+        }
+
+static inline void iovec_done(struct iovec *iovec) {
+        /* A _cleanup_() helper that frees the iov_base in the iovec */
+        assert(iovec);
+
+        iovec->iov_base = mfree(iovec->iov_base);
+        iovec->iov_len = 0;
+}
+
+static inline bool iovec_is_set(const struct iovec *iovec) {
+        /* Checks if the iovec points to a non-empty chunk of memory */
+        return iovec && iovec->iov_len > 0 && iovec->iov_base;
+}
+
+static inline bool iovec_is_valid(const struct iovec *iovec) {
+        /* Checks if the iovec is either NULL, empty or points to a valid bit of memory */
+        return !iovec || (iovec->iov_base || iovec->iov_len == 0);
+}
+
+char* set_iovec_string_field(struct iovec *iovec, size_t *n_iovec, const char *field, const char *value);
+char* set_iovec_string_field_free(struct iovec *iovec, size_t *n_iovec, const char *field, char *value);
+
+void iovec_array_free(struct iovec *iovec, size_t n_iovec);

src/share/macro.h

@@ -58,6 +58,10 @@
         _Pragma("GCC diagnostic push");                                 \
         _Pragma("GCC diagnostic ignored \"-Wincompatible-pointer-types\"")
 
+#define DISABLE_WARNING_ADDRESS                                         \
+        _Pragma("GCC diagnostic push");                                 \
+        _Pragma("GCC diagnostic ignored \"-Waddress\"")
+
 #define REENABLE_WARNING                                                \
         _Pragma("GCC diagnostic pop")
 
@@ -383,13 +387,39 @@ static inline unsigned long ALIGN_POWER2(unsigned long u) {
 #endif
 #endif
 
+#define _FOREACH_ARRAY(i, array, num, m, end)                           \
+        for (typeof(array[0]) *i = (array), *end = ({                   \
+                                typeof(num) m = (num);                  \
+                                (i && m > 0) ? i + m : NULL;            \
+                        }); end && i < end; i++)
+
+#define FOREACH_ARRAY(i, array, num)                                    \
+        _FOREACH_ARRAY(i, array, num, UNIQ_T(m, UNIQ), UNIQ_T(end, UNIQ))
+
+#define FOREACH_ELEMENT(i, array)                                 \
+        FOREACH_ARRAY(i, array, ELEMENTSOF(array))
+
 #define DEFINE_TRIVIAL_CLEANUP_FUNC(type, func)                 \
         static inline void func##p(type *p) {                   \
                 if (*p)                                         \
                         func(*p);                               \
         }                                                       \
         struct __useless_struct_to_allow_trailing_semicolon__
 
+
+/* When func() doesn't return the appropriate type, set variable to empty afterwards.
+ * The func() may be provided by a dynamically loaded shared library, hence add an assertion. */
+#define DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(type, func, empty)     \
+        static inline void func##p(type *p) {                   \
+                if (*p != (empty)) {                            \
+                        DISABLE_WARNING_ADDRESS;                \
+                        assert(func);                           \
+                        REENABLE_WARNING;                       \
+                        func(*p);                               \
+                        *p = (empty);                           \
+                }                                               \
+        }
+
 /* Takes inspiration from Rust's Option::take() method: reads and returns a pointer, but at the same time
  * resets it to NULL. See: https://doc.rust-lang.org/std/option/enum.Option.html#method.take */
 #define TAKE_PTR(ptr)                           \