Merge pull request #135 from oracle/tls-session-tags

Author: chucklever

.github/workflows/documentation.yml

@@ -41,7 +41,8 @@ jobs:
             libkeyutils-dev \
             libnl-3-dev \
             libnl-genl-3-dev \
-            libglib2.0-dev
+            libglib2.0-dev \
+            libyaml-dev
 
       - name: Install documentation tools
         run: |
@@ -54,7 +55,7 @@ jobs:
       - name: Configure
         run: |
           ./autogen.sh
-          ./configure --with-systemd
+          ./configure --with-systemd --enable-session-tags
 
       - name: Generate HTML man pages
         run: |

.github/workflows/makefile.yml

@@ -26,12 +26,13 @@ jobs:
             libkeyutils-dev \
             libnl-3-dev \
             libnl-genl-3-dev \
-            libglib2.0-dev
+            libglib2.0-dev \
+            libyaml-dev
 
       - name: Configure
         run: |
           ./autogen.sh
-          ./configure --with-systemd
+          ./configure --with-systemd --enable-session-tags
 
       - name: Build
         run: make
@@ -40,7 +41,7 @@ jobs:
         run: make check
 
       - name: Distcheck
-        run: make distcheck
+        run: make distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-session-tags"
 
   build-musl:
 
@@ -69,13 +70,14 @@ jobs:
             keyutils-dev \
             libnl3-dev \
             glib-dev \
+            yaml-dev \
             linux-headers \
             tar
 
       - name: Configure
         run: |
           ./autogen.sh
-          ./configure --with-systemd
+          ./configure --with-systemd --enable-session-tags
 
       - name: Build
         run: make
@@ -84,4 +86,4 @@ jobs:
         run: make check
 
       - name: Distcheck
-        run: make distcheck
+        run: make distcheck DISTCHECK_CONFIGURE_FLAGS="--enable-session-tags"

.github/workflows/static.yml

@@ -22,7 +22,8 @@ jobs:
             libkeyutils-dev \
             libnl-3-dev \
             libnl-genl-3-dev \
-            libglib2.0-dev
+            libglib2.0-dev \
+            libyaml-dev
 
       - name: Install tools
         run: |
@@ -31,7 +32,7 @@ jobs:
       - name: Configure
         run: |
           ./autogen.sh
-          ./configure --with-systemd
+          ./configure --with-systemd --enable-session-tags
 
       - name: Generate compile commands
         run: |
@@ -64,7 +65,8 @@ jobs:
             libkeyutils-dev \
             libnl-3-dev \
             libnl-genl-3-dev \
-            libglib2.0-dev
+            libglib2.0-dev \
+            libyaml-dev
 
       - name: Install tools
         run: |
@@ -73,7 +75,7 @@ jobs:
       - name: Configure
         run: |
           ./autogen.sh
-          ./configure --with-systemd
+          ./configure --with-systemd --enable-session-tags
 
       - name: Run Lizard Complexity Analysis
         run: |

.gitignore

@@ -6,6 +6,7 @@ configure
 configure~
 cscope.*
 docs/doxygen/
+docs/Doxyfile
 Makefile
 Makefile.in
 .deps/

INSTALL

@@ -10,6 +10,19 @@ Normal instructions for building ktls-utils
  # systemctl enable --now tlshd
 
 
+Configure options
+-----------------
+
+  --with-systemd[=DIR]     Install systemd unit files. If DIR is
+                           specified, unit files are installed there;
+                           otherwise /usr/lib/systemd/system is used.
+
+  --enable-session-tags    Build with TLS session tags support. When
+                           enabled, tlshd can match incoming peer
+                           certificates against policy files in
+                           /etc/tlshd/tags.d/.
+
+
 Additional configuration information is provided in the generic
 instructions below.
 

README

@@ -33,6 +33,7 @@ following libraries to be installed:
 * keyutils
 * GLib-2.0
 * libnl3
+* libyaml
 
 ## Installation
 

README.md

@@ -33,6 +33,7 @@ following libraries to be installed:
 * keyutils
 * GLib-2.0
 * libnl3
+* libyaml
 
 ## Installation
 

configure.ac

@@ -47,6 +47,17 @@ AC_ARG_WITH(systemd,
 	AM_CONDITIONAL(INSTALL_SYSTEMD, [test "$use_systemd" = 1])
 	AC_SUBST(unitdir)
 
+AC_ARG_ENABLE(session-tags,
+	[AS_HELP_STRING([--enable-session-tags],
+			[enable TLS session tags support @<:@Default: no@:>@])],
+	[enable_session_tags=$enableval],
+	[enable_session_tags=no])
+AM_CONDITIONAL(HAVE_SESSION_TAGS, [test "x$enable_session_tags" = xyes])
+if test "x$enable_session_tags" = xyes ; then
+	AC_DEFINE([HAVE_SESSION_TAGS], [1],
+		  [Define to 1 to enable TLS session tags support])
+fi
+
 PKG_PROG_PKG_CONFIG([0.9.0])
 PKG_CHECK_MODULES([LIBGNUTLS], [gnutls >= 3.3.0])
 AC_SUBST([LIBGNUTLS_CFLAGS])
@@ -63,6 +74,11 @@ AC_SUBST([LIBNL3_LIBS])
 PKG_CHECK_MODULES([LIBNL_GENL3], libnl-genl-3.0 >= 3.1)
 AC_SUBST([LIBNL_GENL3_CFLAGS])
 AC_SUBST([LIBNL_GENL3_LIBS])
+if test "x$enable_session_tags" = xyes ; then
+	PKG_CHECK_MODULES([LIBYAML], [yaml-0.1])
+	AC_SUBST([LIBYAML_CFLAGS])
+	AC_SUBST([LIBYAML_LIBS])
+fi
 
 AC_CHECK_PROG(DOXYGEN, doxygen, doxygen, false)
 if test "$DOXYGEN" = false; then
@@ -88,6 +104,12 @@ AC_CHECK_LIB([gnutls], [gnutls_psk_allocate_client_credentials2],
 AC_CHECK_LIB([gnutls], [gnutls_record_get_max_send_size],
              [AC_DEFINE([HAVE_GNUTLS_RECORD_GET_MAX_SEND_SIZE], [1],
 			[Define to 1 if you have the gnutls_record_get_max_send_size function.])])
+AC_CHECK_LIB([glib-2.0], [g_pattern_spec_match],
+             [AC_DEFINE([HAVE_GLIB_G_PATTERN_SPEC_MATCH], [1],
+                        [Define to 1 if you have the g_pattern_spec_match function.])])
+AC_CHECK_LIB([glib-2.0], [g_pattern_spec_match_string],
+             [AC_DEFINE([HAVE_GLIB_G_PATTERN_SPEC_MATCH_STRING], [1],
+                        [Define to 1 if you have the g_pattern_spec_match_string function.])])
 
 AC_MSG_CHECKING(for ML-DSA support in gnutls)
 AC_COMPILE_IFELSE(
@@ -120,6 +142,7 @@ AC_CONFIG_FILES([Makefile \
                  etc/tlshd/Makefile \
                  man/Makefile \
                  man/man5/Makefile \
+                 man/man7/Makefile \
                  man/man8/Makefile \
                  src/Makefile \
                  src/tlshd/Makefile \

etc/tlshd/Makefile.am

@@ -17,13 +17,17 @@
 #
 
 tlshdconfigdir		= $(sysconfdir)/tlshd
-
 dist_tlshdconfig_DATA	= config
 
+if HAVE_SESSION_TAGS
+tlshdtagsdir		= $(tlshdconfigdir)/tags.d
+dist_tlshdtags_DATA	= tags.example
+endif
+
 MAINTAINERCLEANFILES	= Makefile.in
 
 install-exec-hook:
 	mkdir -p $(DESTDIR)$(tlshdconfigdir)
-
-uninstall-hook:
-	rm -rf $(DESTDIR)$(tlshdconfigdir)
+if HAVE_SESSION_TAGS
+	mkdir -p $(DESTDIR)$(tlshdtagsdir)
+endif

etc/tlshd/tags.example

@@ -0,0 +1,43 @@
+---
+filters:
+  monsters-university:
+    type: "x509.tbs.issuer"
+    pattern: "*,O=Monsters University,*"
+  fear-tech:
+    type: "x509.tbs.issuer"
+    pattern: "*,O=Fear Technology Institute,*"
+  school-scaring:
+    type: "x509.tbs.subject"
+    pattern: "*,OU=School of Scaring,*"
+  school-can-design:
+    type: "x509.tbs.subject"
+    pattern: "*,OU=School of Scream Can Design,*"
+  sorority-hss:
+    type: "x509.tbs.subject"
+    pattern: "*,OU=Eta Hiss Hiss,*"
+  fraternity-ror:
+    type: "x509.tbs.subject"
+    pattern: "*,OU=Roar Omega Roar,*"
+  fraternity-ok:
+    type: "x509.tbs.subject"
+    pattern: "*,OU=Oozma Kappa,*"
+  valid-keyusage:
+    type: "x509.extension.keyUsage"
+    purpose:
+      - "digitalSignature"
+      - "nonRepudiation"
+
+tags:
+  ror-mu-chapter:
+    filter:
+      - "monsters-university"
+      - "fraternity-ror"
+      - "valid-keyusage"
+  ror-ft-chapter:
+    filter:
+      - "fear-tech"
+      - "fraternity-ror"
+      - "valid-keyusage"
+  can-design-student-materials:
+    filter:
+      - "school-can-design"