rsyslog/rsyslog-8.2102.0-rhbz2046158-correct-custom-ciphers-behaviour.patch

355 lines
12 KiB
Diff
Raw Normal View History

diff -up rsyslog-8.2102.0/runtime/nsd_ossl.c.orig rsyslog-8.2102.0/runtime/nsd_ossl.c
--- rsyslog-8.2102.0/runtime/nsd_ossl.c.orig 2022-04-15 13:42:05.320615894 +0200
+++ rsyslog-8.2102.0/runtime/nsd_ossl.c 2022-04-15 14:33:43.472482696 +0200
@@ -609,10 +609,10 @@ finalize_it:
}
static rsRetVal
-osslInitSession(nsd_ossl_t *pThis) /* , nsd_ossl_t *pServer) */
+osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pServer) */
{
DEFiRet;
- BIO *client;
+ BIO *conn;
char pristringBuf[4096];
nsd_ptcp_t *pPtcp = (nsd_ptcp_t*) pThis->pTcp;
@@ -633,10 +633,8 @@ osslInitSession(nsd_ossl_t *pThis) /* ,
if (pThis->DrvrVerifyDepth != 0) {
SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth);
}
- }
-
- if (bAnonInit == 1) { /* no mutex needed, read-only after init */
- /* Allow ANON Ciphers */
+ } else if (bAnonInit == 1 && pThis->gnutlsPriorityString == NULL) {
+ /* Allow ANON Ciphers only in ANON Mode and if no custom priority string is defined */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
/* NOTE: do never use: +eNULL, it DISABLES encryption! */
strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
@@ -653,21 +651,28 @@ osslInitSession(nsd_ossl_t *pThis) /* ,
}
}
- /* Create BIO from ptcp socket! */
- client = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
- dbgprintf("osslInitSession: Init client BIO[%p] done\n", (void *)client);
- /* Set debug Callback for client BIO as well! */
- BIO_set_callback(client, BIO_debug_callback);
+ /* Create BIO from ptcp socket! */
+ conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
+ dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn);
-/* TODO: still needed? Set to NON blocking ! */
-BIO_set_nbio( client, 1 );
+ /* Set debug Callback for conn BIO as well! */
+ BIO_set_callback(conn, BIO_debug_callback);
- SSL_set_bio(pThis->ssl, client, client);
- SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */
+ /* TODO: still needed? Set to NON blocking ! */
+ BIO_set_nbio( conn, 1 );
+ SSL_set_bio(pThis->ssl, conn, conn);
+ if (osslType == osslServer) {
+ /* Server Socket */
+ SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */
+ pThis->sslState = osslServer; /*set Server state */
+ } else {
+ /* Client Socket */
+ SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/
+ pThis->sslState = osslClient; /*set Client state */
+ }
pThis->bHaveSess = 1;
- pThis->sslState = osslServer; /*set Server state */
/* we are done */
FINALIZE;
@@ -1136,8 +1141,8 @@ SetAuthMode(nsd_t *const pNsd, uchar *co
ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
}
- /* Init Anon OpenSSL stuff */
- CHKiRet(osslAnonInit());
+ /* Init Anon OpenSSL stuff */
+ CHKiRet(osslAnonInit());
dbgprintf("SetAuthMode: Set Mode %s/%d\n", mode, pThis->authMode);
@@ -1394,8 +1399,9 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd)
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) {
- LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
- "No shared curve between syslog client and server.");
+ // This is not a failure
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
+ "Information, no shared curve between syslog client and server");
}
#endif
sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl);
@@ -1518,7 +1524,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
pNew->permitExpiredCerts = pThis->permitExpiredCerts;
pNew->pPermPeers = pThis->pPermPeers;
pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
- CHKiRet(osslInitSession(pNew));
+ CHKiRet(osslInitSession(pNew, osslServer));
/* Store nsd_ossl_t* reference in SSL obj */
SSL_set_ex_data(pNew->ssl, 0, pThis);
@@ -1729,9 +1735,6 @@ Connect(nsd_t *pNsd, int family, uchar *
DEFiRet;
DBGPRINTF("openssl: entering Connect family=%d, device=%s\n", family, device);
nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
- nsd_ptcp_t* pPtcp = (nsd_ptcp_t*) pThis->pTcp;
- BIO *conn;
- char pristringBuf[4096];
ISOBJ_TYPE_assert(pThis, nsd_ossl);
assert(port != NULL);
@@ -1745,61 +1748,13 @@ Connect(nsd_t *pNsd, int family, uchar *
FINALIZE;
}
- /* Create BIO from ptcp socket! */
- conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
- dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn);
-
LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
"TLS Connection initiated with remote syslog server.");
/*if we reach this point we are in tls mode */
DBGPRINTF("Connect: TLS Mode\n");
- if(!(pThis->ssl = SSL_new(ctx))) {
- pThis->ssl = NULL;
- osslLastSSLErrorMsg(0, pThis->ssl, LOG_ERR, "Connect");
- ABORT_FINALIZE(RS_RET_NO_ERRCODE);
- }
- // Set SSL_MODE_AUTO_RETRY to SSL obj
- SSL_set_mode(pThis->ssl, SSL_MODE_AUTO_RETRY);
-
- if (pThis->authMode != OSSL_AUTH_CERTANON) {
- dbgprintf("Connect: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
- pThis->authMode, pThis->DrvrVerifyDepth);
- /* Enable certificate valid checking */
- SSL_set_verify(pThis->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
- if (pThis->DrvrVerifyDepth != 0) {
- SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth);
- }
- }
-
- if (bAnonInit == 1) { /* no mutex needed, read-only after init */
- /* Allow ANON Ciphers */
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- /* NOTE: do never use: +eNULL, it DISABLES encryption! */
- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
- sizeof(pristringBuf));
- #else
- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL",
- sizeof(pristringBuf));
- #endif
-
- dbgprintf("Connect: setting anon ciphers: %s\n", pristringBuf);
- if ( SSL_set_cipher_list(pThis->ssl, pristringBuf) == 0 ){
- dbgprintf("Connect: Error setting ciphers '%s'\n", pristringBuf);
- ABORT_FINALIZE(RS_RET_SYS_ERR);
- }
- }
-
- /* Set debug Callback for client BIO as well! */
- BIO_set_callback(conn, BIO_debug_callback);
-
-/* TODO: still needed? Set to NON blocking ! */
-BIO_set_nbio( conn, 1 );
-
- SSL_set_bio(pThis->ssl, conn, conn);
- SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/
- pThis->sslState = osslClient; /*set Client state */
- pThis->bHaveSess = 1;
+ /* Do SSL Session init */
+ CHKiRet(osslInitSession(pThis, osslClient));
/* Store nsd_ossl_t* reference in SSL obj */
SSL_set_ex_data(pThis->ssl, 0, pThis);
@@ -1828,90 +1783,106 @@ SetGnutlsPriorityString(nsd_t *const pNs
nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
ISOBJ_TYPE_assert(pThis, nsd_ossl);
- pThis->gnutlsPriorityString = gnutlsPriorityString;
+ dbgprintf("gnutlsPriorityString: set to '%s'\n",
+ (gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"));
/* Skip function if function is NULL gnutlsPriorityString */
- if (gnutlsPriorityString == NULL) {
- RETiRet;
- } else {
- dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
- char *pCurrentPos;
- char *pNextPos;
- char *pszCmd;
- char *pszValue;
- int iConfErr;
-
- /* Set working pointer */
- pCurrentPos = (char*) pThis->gnutlsPriorityString;
- if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) {
- // Create CTX Config Helper
- SSL_CONF_CTX *cctx;
- cctx = SSL_CONF_CTX_new();
- if (pThis->sslState == osslServer) {
- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
- } else {
- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
- }
- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
- SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
-
- do
- {
- pNextPos = index(pCurrentPos, '=');
- if (pNextPos != NULL) {
- while ( *pCurrentPos != '\0' &&
- (*pCurrentPos == ' ' || *pCurrentPos == '\t') )
- pCurrentPos++;
- pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos);
- pCurrentPos = pNextPos+1;
- pNextPos = index(pCurrentPos, '\n');
- pszValue = (pNextPos == NULL ?
- strdup(pCurrentPos) :
- strndup(pCurrentPos, pNextPos - pCurrentPos));
- pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1);
-
- /* Add SSL Conf Command */
- iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
- if (iConfErr > 0) {
- dbgprintf("gnutlsPriorityString: Successfully added Command "
- "'%s':'%s'\n",
- pszCmd, pszValue);
- }
- else {
- LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' "
- "in gnutlsPriorityString with error '%d'",
- pszCmd, pszValue, iConfErr);
- }
+ sbool ApplySettings = 0;
+ if ((gnutlsPriorityString != NULL && pThis->gnutlsPriorityString == NULL) ||
+ (gnutlsPriorityString != NULL &&
+ strcmp( (const char*)pThis->gnutlsPriorityString, (const char*)gnutlsPriorityString) != 0)
+ ) {
+ ApplySettings = 1;
+ }
+
+ pThis->gnutlsPriorityString = gnutlsPriorityString;
+ dbgprintf("gnutlsPriorityString: set to '%s' Apply %s\n",
+ (gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"),
+ (ApplySettings == 1? "TRUE" : "FALSE"));
- free(pszCmd);
- free(pszValue);
+ if (ApplySettings) {
+
+ if (gnutlsPriorityString == NULL || ctx == NULL) {
+ RETiRet;
+ } else {
+ dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
+ char *pCurrentPos;
+ char *pNextPos;
+ char *pszCmd;
+ char *pszValue;
+ int iConfErr;
+
+ /* Set working pointer */
+ pCurrentPos = (char*) pThis->gnutlsPriorityString;
+ if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) {
+ // Create CTX Config Helper
+ SSL_CONF_CTX *cctx;
+ cctx = SSL_CONF_CTX_new();
+ if (pThis->sslState == osslServer) {
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
} else {
- /* Abort further parsing */
- pCurrentPos = NULL;
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
}
- }
- while (pCurrentPos != NULL);
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
+ SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
+
+ do
+ {
+ pNextPos = index(pCurrentPos, '=');
+ if (pNextPos != NULL) {
+ while ( *pCurrentPos != '\0' &&
+ (*pCurrentPos == ' ' || *pCurrentPos == '\t') )
+ pCurrentPos++;
+ pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos);
+ pCurrentPos = pNextPos+1;
+ pNextPos = index(pCurrentPos, '\n');
+ pszValue = (pNextPos == NULL ?
+ strdup(pCurrentPos) :
+ strndup(pCurrentPos, pNextPos - pCurrentPos));
+ pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1);
+
+ /* Add SSL Conf Command */
+ iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
+ if (iConfErr > 0) {
+ dbgprintf("gnutlsPriorityString: Successfully added Command "
+ "'%s':'%s'\n",
+ pszCmd, pszValue);
+ }
+ else {
+ LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' "
+ "in gnutlsPriorityString with error '%d'",
+ pszCmd, pszValue, iConfErr);
+ }
+
+ free(pszCmd);
+ free(pszValue);
+ } else {
+ /* Abort further parsing */
+ pCurrentPos = NULL;
+ }
+ }
+ while (pCurrentPos != NULL);
- /* Finalize SSL Conf */
- iConfErr = SSL_CONF_CTX_finish(cctx);
- if (!iConfErr) {
- LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s"
- "Open ssl error info may follow in next messages",
- pThis->gnutlsPriorityString);
- osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
+ /* Finalize SSL Conf */
+ iConfErr = SSL_CONF_CTX_finish(cctx);
+ if (!iConfErr) {
+ LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s"
+ "Open ssl error info may follow in next messages",
+ pThis->gnutlsPriorityString);
+ osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
+ }
+ SSL_CONF_CTX_free(cctx);
}
- SSL_CONF_CTX_free(cctx);
}
+ }
#else
- dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
- LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API"
- "(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: "
- "https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring",
- gnutlsPriorityString);
+ LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API"
+ "(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: "
+ "https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring",
+ gnutlsPriorityString);
#endif
- }
RETiRet;
}