diff -up rsyslog-8.2102.0/runtime/nsd_ossl.c.orig rsyslog-8.2102.0/runtime/nsd_ossl.c --- rsyslog-8.2102.0/runtime/nsd_ossl.c.orig 2022-04-15 13:42:05.320615894 +0200 +++ rsyslog-8.2102.0/runtime/nsd_ossl.c 2022-04-15 14:33:43.472482696 +0200 @@ -609,10 +609,10 @@ finalize_it: } static rsRetVal -osslInitSession(nsd_ossl_t *pThis) /* , nsd_ossl_t *pServer) */ +osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pServer) */ { DEFiRet; - BIO *client; + BIO *conn; char pristringBuf[4096]; nsd_ptcp_t *pPtcp = (nsd_ptcp_t*) pThis->pTcp; @@ -633,10 +633,8 @@ osslInitSession(nsd_ossl_t *pThis) /* , if (pThis->DrvrVerifyDepth != 0) { SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth); } - } - - if (bAnonInit == 1) { /* no mutex needed, read-only after init */ - /* Allow ANON Ciphers */ + } else if (bAnonInit == 1 && pThis->gnutlsPriorityString == NULL) { + /* Allow ANON Ciphers only in ANON Mode and if no custom priority string is defined */ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) /* NOTE: do never use: +eNULL, it DISABLES encryption! */ strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0", @@ -653,21 +651,28 @@ osslInitSession(nsd_ossl_t *pThis) /* , } } - /* Create BIO from ptcp socket! */ - client = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/); - dbgprintf("osslInitSession: Init client BIO[%p] done\n", (void *)client); - /* Set debug Callback for client BIO as well! */ - BIO_set_callback(client, BIO_debug_callback); + /* Create BIO from ptcp socket! */ + conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/); + dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn); -/* TODO: still needed? Set to NON blocking ! */ -BIO_set_nbio( client, 1 ); + /* Set debug Callback for conn BIO as well! */ + BIO_set_callback(conn, BIO_debug_callback); - SSL_set_bio(pThis->ssl, client, client); - SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */ + /* TODO: still needed? Set to NON blocking ! */ + BIO_set_nbio( conn, 1 ); + SSL_set_bio(pThis->ssl, conn, conn); + if (osslType == osslServer) { + /* Server Socket */ + SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */ + pThis->sslState = osslServer; /*set Server state */ + } else { + /* Client Socket */ + SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/ + pThis->sslState = osslClient; /*set Client state */ + } pThis->bHaveSess = 1; - pThis->sslState = osslServer; /*set Server state */ /* we are done */ FINALIZE; @@ -1136,8 +1141,8 @@ SetAuthMode(nsd_t *const pNsd, uchar *co ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED); } - /* Init Anon OpenSSL stuff */ - CHKiRet(osslAnonInit()); + /* Init Anon OpenSSL stuff */ + CHKiRet(osslAnonInit()); dbgprintf("SetAuthMode: Set Mode %s/%d\n", mode, pThis->authMode); @@ -1394,8 +1399,9 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd) #if OPENSSL_VERSION_NUMBER >= 0x10002000L if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) { - LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:" - "No shared curve between syslog client and server."); + // This is not a failure + LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: " + "Information, no shared curve between syslog client and server"); } #endif sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl); @@ -1518,7 +1524,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew pNew->permitExpiredCerts = pThis->permitExpiredCerts; pNew->pPermPeers = pThis->pPermPeers; pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth; - CHKiRet(osslInitSession(pNew)); + CHKiRet(osslInitSession(pNew, osslServer)); /* Store nsd_ossl_t* reference in SSL obj */ SSL_set_ex_data(pNew->ssl, 0, pThis); @@ -1729,9 +1735,6 @@ Connect(nsd_t *pNsd, int family, uchar * DEFiRet; DBGPRINTF("openssl: entering Connect family=%d, device=%s\n", family, device); nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd; - nsd_ptcp_t* pPtcp = (nsd_ptcp_t*) pThis->pTcp; - BIO *conn; - char pristringBuf[4096]; ISOBJ_TYPE_assert(pThis, nsd_ossl); assert(port != NULL); @@ -1745,61 +1748,13 @@ Connect(nsd_t *pNsd, int family, uchar * FINALIZE; } - /* Create BIO from ptcp socket! */ - conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/); - dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn); - LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: " "TLS Connection initiated with remote syslog server."); /*if we reach this point we are in tls mode */ DBGPRINTF("Connect: TLS Mode\n"); - if(!(pThis->ssl = SSL_new(ctx))) { - pThis->ssl = NULL; - osslLastSSLErrorMsg(0, pThis->ssl, LOG_ERR, "Connect"); - ABORT_FINALIZE(RS_RET_NO_ERRCODE); - } - // Set SSL_MODE_AUTO_RETRY to SSL obj - SSL_set_mode(pThis->ssl, SSL_MODE_AUTO_RETRY); - - if (pThis->authMode != OSSL_AUTH_CERTANON) { - dbgprintf("Connect: enable certificate checking (Mode=%d, VerifyDepth=%d)\n", - pThis->authMode, pThis->DrvrVerifyDepth); - /* Enable certificate valid checking */ - SSL_set_verify(pThis->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); - if (pThis->DrvrVerifyDepth != 0) { - SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth); - } - } - - if (bAnonInit == 1) { /* no mutex needed, read-only after init */ - /* Allow ANON Ciphers */ - #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) - /* NOTE: do never use: +eNULL, it DISABLES encryption! */ - strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0", - sizeof(pristringBuf)); - #else - strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL", - sizeof(pristringBuf)); - #endif - - dbgprintf("Connect: setting anon ciphers: %s\n", pristringBuf); - if ( SSL_set_cipher_list(pThis->ssl, pristringBuf) == 0 ){ - dbgprintf("Connect: Error setting ciphers '%s'\n", pristringBuf); - ABORT_FINALIZE(RS_RET_SYS_ERR); - } - } - - /* Set debug Callback for client BIO as well! */ - BIO_set_callback(conn, BIO_debug_callback); - -/* TODO: still needed? Set to NON blocking ! */ -BIO_set_nbio( conn, 1 ); - - SSL_set_bio(pThis->ssl, conn, conn); - SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/ - pThis->sslState = osslClient; /*set Client state */ - pThis->bHaveSess = 1; + /* Do SSL Session init */ + CHKiRet(osslInitSession(pThis, osslClient)); /* Store nsd_ossl_t* reference in SSL obj */ SSL_set_ex_data(pThis->ssl, 0, pThis); @@ -1828,90 +1783,106 @@ SetGnutlsPriorityString(nsd_t *const pNs nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd; ISOBJ_TYPE_assert(pThis, nsd_ossl); - pThis->gnutlsPriorityString = gnutlsPriorityString; + dbgprintf("gnutlsPriorityString: set to '%s'\n", + (gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL")); /* Skip function if function is NULL gnutlsPriorityString */ - if (gnutlsPriorityString == NULL) { - RETiRet; - } else { - dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString); #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) - char *pCurrentPos; - char *pNextPos; - char *pszCmd; - char *pszValue; - int iConfErr; - - /* Set working pointer */ - pCurrentPos = (char*) pThis->gnutlsPriorityString; - if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) { - // Create CTX Config Helper - SSL_CONF_CTX *cctx; - cctx = SSL_CONF_CTX_new(); - if (pThis->sslState == osslServer) { - SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); - } else { - SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); - } - SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE); - SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS); - SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); - - do - { - pNextPos = index(pCurrentPos, '='); - if (pNextPos != NULL) { - while ( *pCurrentPos != '\0' && - (*pCurrentPos == ' ' || *pCurrentPos == '\t') ) - pCurrentPos++; - pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos); - pCurrentPos = pNextPos+1; - pNextPos = index(pCurrentPos, '\n'); - pszValue = (pNextPos == NULL ? - strdup(pCurrentPos) : - strndup(pCurrentPos, pNextPos - pCurrentPos)); - pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1); - - /* Add SSL Conf Command */ - iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue); - if (iConfErr > 0) { - dbgprintf("gnutlsPriorityString: Successfully added Command " - "'%s':'%s'\n", - pszCmd, pszValue); - } - else { - LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' " - "in gnutlsPriorityString with error '%d'", - pszCmd, pszValue, iConfErr); - } + sbool ApplySettings = 0; + if ((gnutlsPriorityString != NULL && pThis->gnutlsPriorityString == NULL) || + (gnutlsPriorityString != NULL && + strcmp( (const char*)pThis->gnutlsPriorityString, (const char*)gnutlsPriorityString) != 0) + ) { + ApplySettings = 1; + } + + pThis->gnutlsPriorityString = gnutlsPriorityString; + dbgprintf("gnutlsPriorityString: set to '%s' Apply %s\n", + (gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"), + (ApplySettings == 1? "TRUE" : "FALSE")); - free(pszCmd); - free(pszValue); + if (ApplySettings) { + + if (gnutlsPriorityString == NULL || ctx == NULL) { + RETiRet; + } else { + dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString); + char *pCurrentPos; + char *pNextPos; + char *pszCmd; + char *pszValue; + int iConfErr; + + /* Set working pointer */ + pCurrentPos = (char*) pThis->gnutlsPriorityString; + if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) { + // Create CTX Config Helper + SSL_CONF_CTX *cctx; + cctx = SSL_CONF_CTX_new(); + if (pThis->sslState == osslServer) { + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); } else { - /* Abort further parsing */ - pCurrentPos = NULL; + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); } - } - while (pCurrentPos != NULL); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS); + SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); + + do + { + pNextPos = index(pCurrentPos, '='); + if (pNextPos != NULL) { + while ( *pCurrentPos != '\0' && + (*pCurrentPos == ' ' || *pCurrentPos == '\t') ) + pCurrentPos++; + pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos); + pCurrentPos = pNextPos+1; + pNextPos = index(pCurrentPos, '\n'); + pszValue = (pNextPos == NULL ? + strdup(pCurrentPos) : + strndup(pCurrentPos, pNextPos - pCurrentPos)); + pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1); + + /* Add SSL Conf Command */ + iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue); + if (iConfErr > 0) { + dbgprintf("gnutlsPriorityString: Successfully added Command " + "'%s':'%s'\n", + pszCmd, pszValue); + } + else { + LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' " + "in gnutlsPriorityString with error '%d'", + pszCmd, pszValue, iConfErr); + } + + free(pszCmd); + free(pszValue); + } else { + /* Abort further parsing */ + pCurrentPos = NULL; + } + } + while (pCurrentPos != NULL); - /* Finalize SSL Conf */ - iConfErr = SSL_CONF_CTX_finish(cctx); - if (!iConfErr) { - LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s" - "Open ssl error info may follow in next messages", - pThis->gnutlsPriorityString); - osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString"); + /* Finalize SSL Conf */ + iConfErr = SSL_CONF_CTX_finish(cctx); + if (!iConfErr) { + LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s" + "Open ssl error info may follow in next messages", + pThis->gnutlsPriorityString); + osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString"); + } + SSL_CONF_CTX_free(cctx); } - SSL_CONF_CTX_free(cctx); } + } #else - dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString); - LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API" - "(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: " - "https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring", - gnutlsPriorityString); + LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API" + "(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: " + "https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring", + gnutlsPriorityString); #endif - } RETiRet; }