Introduces DTLS for UDP

ssahani · ssahani · commit af9a44af3c36 · 2024-05-09T19:48:24.000+05:30
diff --git a/meson.build b/meson.build
@@ -128,6 +128,12 @@ conf.set('GPERF_LEN_TYPE', gperf_len_type,
 
 ############################################################
 
+libopenssl = dependency('openssl',
+                        version : '>= 1.1.0',
+                        required : get_option('openssl'))
+conf.set10('HAVE_OPENSSL', libopenssl.found())
+
+############################################################
 config_h = configure_file(
         output : 'config.h',
         configuration : conf)
@@ -165,6 +171,7 @@ systemd_netlogd = executable(
                    link_with : libshared,
                    dependencies : [
                    libcap,
+                   libopenssl,
                    libsystemd],
                    install : true,
                    install_dir : get_option('prefix'))
diff --git a/meson_options.txt b/meson_options.txt
@@ -0,0 +1,5 @@
+option('version-tag', type : 'string',
+       description : 'override the git version string')
+
+option('openssl', type : 'boolean', value : true,
+       description : 'enable openssl support')
diff --git a/src/meson.build b/src/meson.build
@@ -41,6 +41,8 @@ libshared_sources = files('''
                   share/ioprio.h
                   share/io-util.c
                   share/io-util.h
+                  share/iovec-util.c
+                  share/iovec-util.h
                   share/escape.c
                   share/escape.h
                   share/user-util.c
@@ -103,6 +105,9 @@ systemd_netlogd_sources = files('''
                         netlog/netlog-manager.c
                         netlog/netlog-manager.h
                         netlog/netlog-network.c
+                        netlog/netlog-network.h
+                        netlog/netlog-dtls.c
+                        netlog/netlog-dtls.h
                         '''.split())
 
 netlogd_gperf_c = custom_target(
diff --git a/src/netlog/netlog-dtls.c b/src/netlog/netlog-dtls.c
@@ -0,0 +1,205 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <sys/epoll.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include "alloc-util.h"
+#include "io-util.h"
+#include "iovec-util.h"
+#include "netlog-dtls.h"
+#include "fd-util.h"
+
+static char *tls_error_string(int ssl_error, char *buf, size_t count) {
+        assert(buf || count == 0);
+        if (ssl_error == SSL_ERROR_SSL)
+                ERR_error_string_n(ERR_get_error(), buf, count);
+        else
+                snprintf(buf, count, "SSL_get_error()=%d", ssl_error);
+        return buf;
+}
+
+#define TLS_ERROR_BUFSIZE 256
+#define TLS_ERROR_STRING(error) \
+        tls_error_string((error), (char[TLS_ERROR_BUFSIZE]){}, TLS_ERROR_BUFSIZE)
+
+static ssize_t dtls_write(DTLSManager *m, const char *buf, size_t count) {
+        int error, r;
+        ssize_t ss;
+
+        assert(m);
+
+        ERR_clear_error();
+        ss = r = SSL_write(m->ssl, buf, count);
+        if (r <= 0) {
+                error = SSL_get_error(m->ssl, r);
+                if (IN_SET(error, SSL_ERROR_WANT_READ, SSL_ERROR_WANT_WRITE)) {
+                        m->events = error == SSL_ERROR_WANT_READ ? EPOLLIN : EPOLLOUT;
+                        ss = -EAGAIN;
+                } else if (error == SSL_ERROR_ZERO_RETURN) {
+                        m->events = 0;
+                        ss = 0;
+                } else {
+                        log_debug("Failed to invoke SSL_write: %s", TLS_ERROR_STRING(error));
+                        m->events = 0;
+                        ss = -EPIPE;
+                }
+        } else
+                m->events = 0;
+
+        return ss;
+}
+
+ssize_t dtls_stream_writev(DTLSManager *m, const struct iovec *iov, size_t iovcnt) {
+        _cleanup_free_ char *buf = NULL;
+        size_t count;
+
+        assert(m);
+        assert(m->ssl);
+        assert(iov);
+        assert(iovec_total_size(iov, iovcnt) > 0);
+
+        /* single buffer. Suboptimal, but better than multiple SSL_write calls. */
+        count = iovec_total_size(iov, iovcnt);
+        buf = new(char, count);
+        for (size_t i = 0, pos = 0; i < iovcnt; pos += iov[i].iov_len, i++)
+                memcpy(buf + pos, iov[i].iov_base, iov[i].iov_len);
+
+        return dtls_write(m, buf, count);
+}
+
+int dtls_connect(DTLSManager *m, SocketAddress *address) {
+        _cleanup_(BIO_freep) BIO *bio = NULL;
+        _cleanup_(SSL_freep) SSL *ssl = NULL;
+        const SSL_CIPHER *cipher;
+        union sockaddr_union sa;
+        socklen_t salen;
+        SSL_CTX *ctx;
+        struct timeval timeout = {
+                .tv_sec = 3,
+                .tv_usec = 0,
+        };
+        int fd, r;
+
+        assert(m);
+
+        switch (address->sockaddr.sa.sa_family) {
+                case AF_INET:
+                        sa = (union sockaddr_union) {
+                        .in.sin_family = address->sockaddr.sa.sa_family,
+                        .in.sin_port = address->sockaddr.in.sin_port,
+                        .in.sin_addr = address->sockaddr.in.sin_addr,
+                };
+                        salen = sizeof(sa.in);
+                        break;
+                case AF_INET6:
+                        sa = (union sockaddr_union) {
+                        .in6.sin6_family = address->sockaddr.sa.sa_family,
+                        .in6.sin6_port = address->sockaddr.in6.sin6_port,
+                        .in6.sin6_addr = address->sockaddr.in6.sin6_addr,
+                };
+                        salen = sizeof(sa.in6);
+                        break;
+                default:
+                        return -EAFNOSUPPORT;
+        }
+
+        fd = socket(AF_INET, SOCK_DGRAM, 0);
+        if (fd < 0)
+                return log_error_errno(errno, "Failed to allocate socket: %m");;
+
+        r = connect(fd, &address->sockaddr.sa, salen);
+        if (r < 0 && errno != EINPROGRESS)
+                return log_error_errno(errno, "Failed to connect dtls socket: %m");;
+
+        ctx = SSL_CTX_new(DTLS_method());
+        if (!ctx)
+                return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
+                                       "Failed to allocate memory for SSL CTX: %m");
+
+        SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
+        SSL_CTX_set_default_verify_paths(ctx);
+
+        ssl = SSL_new(ctx);
+        if (!ssl)
+                return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
+                                       "Failed to allocate memory for ssl: %s",
+                                       ERR_error_string(ERR_get_error(), NULL));
+
+        /* Create BIO from socket array! */
+        bio = BIO_new_dgram(fd, BIO_NOCLOSE);
+        if (!bio)
+                return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
+                                       "Failed to allocate memory for bio: %m");
+
+        BIO_ctrl(bio, BIO_CTRL_DGRAM_SET_CONNECTED, 0, &address);
+        SSL_set_bio(ssl , bio, bio);
+
+        r = SSL_connect(ssl);
+        if (r <= 0)
+                return log_error_errno(SYNTHETIC_ERRNO(ENOMEM),
+                                       "Failed to SSL_connect: %s",
+                                       ERR_error_string(ERR_get_error(), NULL));
+
+        cipher = SSL_get_current_cipher(ssl);
+        log_debug("dtls_connect: Cipher Version: %s Name: %s", SSL_CIPHER_get_version(cipher), SSL_CIPHER_get_name(cipher));
+
+        /* Set reference in SSL obj */
+        SSL_set_ex_data(ssl, 0, NULL);
+        SSL_set_ex_data(ssl, 1, NULL);
+
+        /* Set and activate timeouts */
+        BIO_ctrl(bio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
+
+        m->bio = TAKE_PTR(bio);
+        m->ssl = TAKE_PTR(ssl);
+        m->ctx = ctx;
+        m->fd = fd;
+
+        m->connected = true;
+        return 0;
+}
+
+void dtls_disconnect(DTLSManager *m) {
+        if (!m)
+                return;
+
+        ERR_clear_error();
+
+        if (m->ssl) {
+                SSL_shutdown(m->ssl);
+                SSL_free(m->ssl);
+                m->ssl = NULL;
+        }
+
+        if (m->bio) {
+                BIO_free(m->bio);
+                m->bio = NULL;
+        }
+
+        m->fd = safe_close(m->fd);
+}
+
+void dtls_manager_free(DTLSManager *m) {
+        if (!m)
+                return;
+
+        if (m->ctx)
+                SSL_CTX_free(m->ctx);
+
+        free(m);
+}
+
+int dtls_manager_init(DTLSManager **ret) {
+        _cleanup_(dtls_manager_freep) DTLSManager *m = NULL;
+
+        m = new0(DTLSManager, 1);
+        if (!m)
+                return log_oom();
+
+        *ret = TAKE_PTR(m);
+        return 0;
+}
diff --git a/src/netlog/netlog-dtls.h b/src/netlog/netlog-dtls.h
@@ -0,0 +1,39 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+#include <openssl/ssl.h>
+#include <openssl/bio.h>
+#include <stdbool.h>
+
+#include "socket-util.h"
+
+typedef struct DTLSManager DTLSManager;
+
+struct DTLSManager {
+        SSL_SESSION *session;
+        SSL_CTX *ctx;
+        BIO *bio;
+        SSL *ssl;
+
+        uint32_t events;
+        int fd;
+
+        bool shutdown;
+        bool connected;
+
+        BUF_MEM *write_buffer;
+        size_t buffer_offset;
+};
+
+void dtls_manager_free(DTLSManager *m);
+int dtls_manager_init(DTLSManager **m);
+
+int dtls_connect(DTLSManager *m, SocketAddress *addr);
+void dtls_disconnect(DTLSManager *m);
+
+ssize_t dtls_stream_writev(DTLSManager *m, const struct iovec *iov, size_t iovcnt);
+
+DEFINE_TRIVIAL_CLEANUP_FUNC(DTLSManager*, dtls_manager_free);
+
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(SSL*, SSL_free, NULL);
+DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(BIO*, BIO_free, NULL);
diff --git a/src/netlog/netlog-manager.c b/src/netlog/netlog-manager.c
@@ -28,8 +28,9 @@
         for (sd_journal_restart_data(j); ((retval) = sd_journal_enumerate_data((j), &(data), &(l))) > 0; )
 
 static const char *const protocol_table[_SYSLOG_TRANSMISSION_PROTOCOL_MAX] = {
-        [SYSLOG_TRANSMISSION_PROTOCOL_UDP] = "udp",
-        [SYSLOG_TRANSMISSION_PROTOCOL_TCP] = "tcp",
+        [SYSLOG_TRANSMISSION_PROTOCOL_UDP]  = "udp",
+        [SYSLOG_TRANSMISSION_PROTOCOL_TCP]  = "tcp",
+        [SYSLOG_TRANSMISSION_PROTOCOL_DTLS] = "dtls",
 };
 
 DEFINE_STRING_TABLE_LOOKUP(protocol, int);
@@ -387,9 +388,15 @@ int manager_connect(Manager *m) {
 
         manager_disconnect(m);
 
-        r = manager_open_network_socket(m);
-        if (r < 0)
-                return log_error_errno(r, "Failed to create network socket: %m");
+        if (m->protocol == SYSLOG_TRANSMISSION_PROTOCOL_DTLS) {
+                r = dtls_connect(m->dtls, &m->address);
+                if (r < 0)
+                        return r;
+        } else {
+                r = manager_open_network_socket(m);
+                if (r < 0)
+                        return log_error_errno(r, "Failed to create network socket: %m");
+        }
 
         r = manager_journal_monitor_listen(m);
         if (r < 0)
@@ -404,6 +411,7 @@ void manager_disconnect(Manager *m) {
         close_journal_input(m);
 
         manager_close_network_socket(m);
+        dtls_disconnect(m->dtls);
 
         m->event_journal_input = sd_event_source_unref(m->event_journal_input);
 
diff --git a/src/netlog/netlog-manager.h b/src/netlog/netlog-manager.h
@@ -6,7 +6,7 @@
 
 #include "sd-network.h"
 #include "socket-util.h"
-#include "netlog-tls.h"
+#include "netlog-dtls.h"
 
 typedef enum SysLogTransmissionProtocol {
         SYSLOG_TRANSMISSION_PROTOCOL_UDP      = 1 << 0,
@@ -61,7 +61,7 @@ struct Manager {
         bool syslog_msgid;
         bool encrypt;
 
-        TLSManager *tls;
+        DTLSManager *dtls;
 };
 
 int manager_new(const char *state_file, const char *cursor, Manager **ret);
diff --git a/src/netlog/netlog-network.c b/src/netlog/netlog-network.c
@@ -168,7 +168,11 @@ static int format_rfc5424(Manager *m,
         if (m->protocol == SYSLOG_TRANSMISSION_PROTOCOL_TCP)
                 IOVEC_SET_STRING(iov[n++], "\n");
 
-        return network_send(m, iov, n);
+
+        if (m->protocol == SYSLOG_TRANSMISSION_PROTOCOL_DTLS)
+                return dtls_stream_writev(m->dtls, iov, n);
+        else
+                return network_send(m, iov, n);
 }
 
 static int format_rfc3339(Manager *m,
@@ -236,7 +240,10 @@ static int format_rfc3339(Manager *m,
         if (m->protocol == SYSLOG_TRANSMISSION_PROTOCOL_TCP)
                 IOVEC_SET_STRING(iov[n++], "\n");
 
-        return network_send(m, iov, n);
+        if (m->protocol == SYSLOG_TRANSMISSION_PROTOCOL_DTLS)
+                return dtls_stream_writev(m->dtls, iov, n);
+        else
+                return network_send(m, iov, n);
 }
 
 int manager_push_to_network(Manager *m,
@@ -305,7 +312,7 @@ int manager_network_connect_socket(Manager *m) {
                         salen = sizeof(sa.in6);
                         break;
                 default:
-                        return EAFNOSUPPORT;
+                        return -EAFNOSUPPORT;
         }
 
         r = connect(m->socket, &m->address.sockaddr.sa, salen);
diff --git a/src/netlog/systemd-netlogd.c b/src/netlog/systemd-netlogd.c
@@ -171,6 +171,12 @@ int main(int argc, char **argv) {
                 goto finish;
         }
 
+        if (m->protocol == SYSLOG_TRANSMISSION_PROTOCOL_DTLS) {
+                r = dtls_manager_init(&m->dtls);
+                if (r < 0)
+                        return r;
+        }
+
         r = setup_cursor_state_file(m, uid, gid);
         if (r < 0)
                 goto cleanup;
diff --git a/src/share/iovec-util.c b/src/share/iovec-util.c
diff --git a/src/share/iovec-util.h b/src/share/iovec-util.h
diff --git a/src/share/macro.h b/src/share/macro.h
