355 lines
12 KiB
Diff
355 lines
12 KiB
Diff
diff -up rsyslog-8.2102.0/runtime/nsd_ossl.c.orig rsyslog-8.2102.0/runtime/nsd_ossl.c
|
|
--- rsyslog-8.2102.0/runtime/nsd_ossl.c.orig 2022-04-15 13:42:05.320615894 +0200
|
|
+++ rsyslog-8.2102.0/runtime/nsd_ossl.c 2022-04-15 14:33:43.472482696 +0200
|
|
@@ -609,10 +609,10 @@ finalize_it:
|
|
}
|
|
|
|
static rsRetVal
|
|
-osslInitSession(nsd_ossl_t *pThis) /* , nsd_ossl_t *pServer) */
|
|
+osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pServer) */
|
|
{
|
|
DEFiRet;
|
|
- BIO *client;
|
|
+ BIO *conn;
|
|
char pristringBuf[4096];
|
|
nsd_ptcp_t *pPtcp = (nsd_ptcp_t*) pThis->pTcp;
|
|
|
|
@@ -633,10 +633,8 @@ osslInitSession(nsd_ossl_t *pThis) /* ,
|
|
if (pThis->DrvrVerifyDepth != 0) {
|
|
SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth);
|
|
}
|
|
- }
|
|
-
|
|
- if (bAnonInit == 1) { /* no mutex needed, read-only after init */
|
|
- /* Allow ANON Ciphers */
|
|
+ } else if (bAnonInit == 1 && pThis->gnutlsPriorityString == NULL) {
|
|
+ /* Allow ANON Ciphers only in ANON Mode and if no custom priority string is defined */
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
/* NOTE: do never use: +eNULL, it DISABLES encryption! */
|
|
strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
|
|
@@ -653,21 +651,28 @@ osslInitSession(nsd_ossl_t *pThis) /* ,
|
|
}
|
|
}
|
|
|
|
- /* Create BIO from ptcp socket! */
|
|
- client = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
|
|
- dbgprintf("osslInitSession: Init client BIO[%p] done\n", (void *)client);
|
|
|
|
- /* Set debug Callback for client BIO as well! */
|
|
- BIO_set_callback(client, BIO_debug_callback);
|
|
+ /* Create BIO from ptcp socket! */
|
|
+ conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
|
|
+ dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn);
|
|
|
|
-/* TODO: still needed? Set to NON blocking ! */
|
|
-BIO_set_nbio( client, 1 );
|
|
+ /* Set debug Callback for conn BIO as well! */
|
|
+ BIO_set_callback(conn, BIO_debug_callback);
|
|
|
|
- SSL_set_bio(pThis->ssl, client, client);
|
|
- SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */
|
|
+ /* TODO: still needed? Set to NON blocking ! */
|
|
+ BIO_set_nbio( conn, 1 );
|
|
+ SSL_set_bio(pThis->ssl, conn, conn);
|
|
|
|
+ if (osslType == osslServer) {
|
|
+ /* Server Socket */
|
|
+ SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */
|
|
+ pThis->sslState = osslServer; /*set Server state */
|
|
+ } else {
|
|
+ /* Client Socket */
|
|
+ SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/
|
|
+ pThis->sslState = osslClient; /*set Client state */
|
|
+ }
|
|
pThis->bHaveSess = 1;
|
|
- pThis->sslState = osslServer; /*set Server state */
|
|
|
|
/* we are done */
|
|
FINALIZE;
|
|
@@ -1136,8 +1141,8 @@ SetAuthMode(nsd_t *const pNsd, uchar *co
|
|
ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
|
|
}
|
|
|
|
- /* Init Anon OpenSSL stuff */
|
|
- CHKiRet(osslAnonInit());
|
|
+ /* Init Anon OpenSSL stuff */
|
|
+ CHKiRet(osslAnonInit());
|
|
|
|
dbgprintf("SetAuthMode: Set Mode %s/%d\n", mode, pThis->authMode);
|
|
|
|
@@ -1394,8 +1399,9 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd)
|
|
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
|
|
if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) {
|
|
- LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
|
|
- "No shared curve between syslog client and server.");
|
|
+ // This is not a failure
|
|
+ LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
|
|
+ "Information, no shared curve between syslog client and server");
|
|
}
|
|
#endif
|
|
sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl);
|
|
@@ -1518,7 +1524,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
|
|
pNew->permitExpiredCerts = pThis->permitExpiredCerts;
|
|
pNew->pPermPeers = pThis->pPermPeers;
|
|
pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
|
|
- CHKiRet(osslInitSession(pNew));
|
|
+ CHKiRet(osslInitSession(pNew, osslServer));
|
|
|
|
/* Store nsd_ossl_t* reference in SSL obj */
|
|
SSL_set_ex_data(pNew->ssl, 0, pThis);
|
|
@@ -1729,9 +1735,6 @@ Connect(nsd_t *pNsd, int family, uchar *
|
|
DEFiRet;
|
|
DBGPRINTF("openssl: entering Connect family=%d, device=%s\n", family, device);
|
|
nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
|
|
- nsd_ptcp_t* pPtcp = (nsd_ptcp_t*) pThis->pTcp;
|
|
- BIO *conn;
|
|
- char pristringBuf[4096];
|
|
|
|
ISOBJ_TYPE_assert(pThis, nsd_ossl);
|
|
assert(port != NULL);
|
|
@@ -1745,61 +1748,13 @@ Connect(nsd_t *pNsd, int family, uchar *
|
|
FINALIZE;
|
|
}
|
|
|
|
- /* Create BIO from ptcp socket! */
|
|
- conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
|
|
- dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn);
|
|
-
|
|
LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
|
|
"TLS Connection initiated with remote syslog server.");
|
|
/*if we reach this point we are in tls mode */
|
|
DBGPRINTF("Connect: TLS Mode\n");
|
|
- if(!(pThis->ssl = SSL_new(ctx))) {
|
|
- pThis->ssl = NULL;
|
|
- osslLastSSLErrorMsg(0, pThis->ssl, LOG_ERR, "Connect");
|
|
- ABORT_FINALIZE(RS_RET_NO_ERRCODE);
|
|
- }
|
|
|
|
- // Set SSL_MODE_AUTO_RETRY to SSL obj
|
|
- SSL_set_mode(pThis->ssl, SSL_MODE_AUTO_RETRY);
|
|
-
|
|
- if (pThis->authMode != OSSL_AUTH_CERTANON) {
|
|
- dbgprintf("Connect: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
|
|
- pThis->authMode, pThis->DrvrVerifyDepth);
|
|
- /* Enable certificate valid checking */
|
|
- SSL_set_verify(pThis->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
|
|
- if (pThis->DrvrVerifyDepth != 0) {
|
|
- SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth);
|
|
- }
|
|
- }
|
|
-
|
|
- if (bAnonInit == 1) { /* no mutex needed, read-only after init */
|
|
- /* Allow ANON Ciphers */
|
|
- #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
- /* NOTE: do never use: +eNULL, it DISABLES encryption! */
|
|
- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
|
|
- sizeof(pristringBuf));
|
|
- #else
|
|
- strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL",
|
|
- sizeof(pristringBuf));
|
|
- #endif
|
|
-
|
|
- dbgprintf("Connect: setting anon ciphers: %s\n", pristringBuf);
|
|
- if ( SSL_set_cipher_list(pThis->ssl, pristringBuf) == 0 ){
|
|
- dbgprintf("Connect: Error setting ciphers '%s'\n", pristringBuf);
|
|
- ABORT_FINALIZE(RS_RET_SYS_ERR);
|
|
- }
|
|
- }
|
|
-
|
|
- /* Set debug Callback for client BIO as well! */
|
|
- BIO_set_callback(conn, BIO_debug_callback);
|
|
-
|
|
-/* TODO: still needed? Set to NON blocking ! */
|
|
-BIO_set_nbio( conn, 1 );
|
|
-
|
|
- SSL_set_bio(pThis->ssl, conn, conn);
|
|
- SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/
|
|
- pThis->sslState = osslClient; /*set Client state */
|
|
- pThis->bHaveSess = 1;
|
|
+ /* Do SSL Session init */
|
|
+ CHKiRet(osslInitSession(pThis, osslClient));
|
|
|
|
/* Store nsd_ossl_t* reference in SSL obj */
|
|
SSL_set_ex_data(pThis->ssl, 0, pThis);
|
|
@@ -1828,90 +1783,106 @@ SetGnutlsPriorityString(nsd_t *const pNs
|
|
nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
|
|
ISOBJ_TYPE_assert(pThis, nsd_ossl);
|
|
|
|
- pThis->gnutlsPriorityString = gnutlsPriorityString;
|
|
+ dbgprintf("gnutlsPriorityString: set to '%s'\n",
|
|
+ (gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"));
|
|
|
|
/* Skip function if function is NULL gnutlsPriorityString */
|
|
- if (gnutlsPriorityString == NULL) {
|
|
- RETiRet;
|
|
- } else {
|
|
- dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
- char *pCurrentPos;
|
|
- char *pNextPos;
|
|
- char *pszCmd;
|
|
- char *pszValue;
|
|
- int iConfErr;
|
|
-
|
|
- /* Set working pointer */
|
|
- pCurrentPos = (char*) pThis->gnutlsPriorityString;
|
|
- if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) {
|
|
- // Create CTX Config Helper
|
|
- SSL_CONF_CTX *cctx;
|
|
- cctx = SSL_CONF_CTX_new();
|
|
- if (pThis->sslState == osslServer) {
|
|
- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
|
|
- } else {
|
|
- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
|
|
- }
|
|
- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
|
|
- SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
|
|
- SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
|
|
-
|
|
- do
|
|
- {
|
|
- pNextPos = index(pCurrentPos, '=');
|
|
- if (pNextPos != NULL) {
|
|
- while ( *pCurrentPos != '\0' &&
|
|
- (*pCurrentPos == ' ' || *pCurrentPos == '\t') )
|
|
- pCurrentPos++;
|
|
- pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos);
|
|
- pCurrentPos = pNextPos+1;
|
|
- pNextPos = index(pCurrentPos, '\n');
|
|
- pszValue = (pNextPos == NULL ?
|
|
- strdup(pCurrentPos) :
|
|
- strndup(pCurrentPos, pNextPos - pCurrentPos));
|
|
- pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1);
|
|
-
|
|
- /* Add SSL Conf Command */
|
|
- iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
|
|
- if (iConfErr > 0) {
|
|
- dbgprintf("gnutlsPriorityString: Successfully added Command "
|
|
- "'%s':'%s'\n",
|
|
- pszCmd, pszValue);
|
|
- }
|
|
- else {
|
|
- LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' "
|
|
- "in gnutlsPriorityString with error '%d'",
|
|
- pszCmd, pszValue, iConfErr);
|
|
- }
|
|
+ sbool ApplySettings = 0;
|
|
+ if ((gnutlsPriorityString != NULL && pThis->gnutlsPriorityString == NULL) ||
|
|
+ (gnutlsPriorityString != NULL &&
|
|
+ strcmp( (const char*)pThis->gnutlsPriorityString, (const char*)gnutlsPriorityString) != 0)
|
|
+ ) {
|
|
+ ApplySettings = 1;
|
|
+ }
|
|
+
|
|
+ pThis->gnutlsPriorityString = gnutlsPriorityString;
|
|
+ dbgprintf("gnutlsPriorityString: set to '%s' Apply %s\n",
|
|
+ (gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"),
|
|
+ (ApplySettings == 1? "TRUE" : "FALSE"));
|
|
|
|
- free(pszCmd);
|
|
- free(pszValue);
|
|
+ if (ApplySettings) {
|
|
+
|
|
+ if (gnutlsPriorityString == NULL || ctx == NULL) {
|
|
+ RETiRet;
|
|
+ } else {
|
|
+ dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
|
|
+ char *pCurrentPos;
|
|
+ char *pNextPos;
|
|
+ char *pszCmd;
|
|
+ char *pszValue;
|
|
+ int iConfErr;
|
|
+
|
|
+ /* Set working pointer */
|
|
+ pCurrentPos = (char*) pThis->gnutlsPriorityString;
|
|
+ if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) {
|
|
+ // Create CTX Config Helper
|
|
+ SSL_CONF_CTX *cctx;
|
|
+ cctx = SSL_CONF_CTX_new();
|
|
+ if (pThis->sslState == osslServer) {
|
|
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
|
|
} else {
|
|
- /* Abort further parsing */
|
|
- pCurrentPos = NULL;
|
|
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
|
|
}
|
|
- }
|
|
- while (pCurrentPos != NULL);
|
|
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
|
|
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
|
|
+ SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
|
|
+
|
|
+ do
|
|
+ {
|
|
+ pNextPos = index(pCurrentPos, '=');
|
|
+ if (pNextPos != NULL) {
|
|
+ while ( *pCurrentPos != '\0' &&
|
|
+ (*pCurrentPos == ' ' || *pCurrentPos == '\t') )
|
|
+ pCurrentPos++;
|
|
+ pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos);
|
|
+ pCurrentPos = pNextPos+1;
|
|
+ pNextPos = index(pCurrentPos, '\n');
|
|
+ pszValue = (pNextPos == NULL ?
|
|
+ strdup(pCurrentPos) :
|
|
+ strndup(pCurrentPos, pNextPos - pCurrentPos));
|
|
+ pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1);
|
|
+
|
|
+ /* Add SSL Conf Command */
|
|
+ iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
|
|
+ if (iConfErr > 0) {
|
|
+ dbgprintf("gnutlsPriorityString: Successfully added Command "
|
|
+ "'%s':'%s'\n",
|
|
+ pszCmd, pszValue);
|
|
+ }
|
|
+ else {
|
|
+ LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' "
|
|
+ "in gnutlsPriorityString with error '%d'",
|
|
+ pszCmd, pszValue, iConfErr);
|
|
+ }
|
|
+
|
|
+ free(pszCmd);
|
|
+ free(pszValue);
|
|
+ } else {
|
|
+ /* Abort further parsing */
|
|
+ pCurrentPos = NULL;
|
|
+ }
|
|
+ }
|
|
+ while (pCurrentPos != NULL);
|
|
|
|
- /* Finalize SSL Conf */
|
|
- iConfErr = SSL_CONF_CTX_finish(cctx);
|
|
- if (!iConfErr) {
|
|
- LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s"
|
|
- "Open ssl error info may follow in next messages",
|
|
- pThis->gnutlsPriorityString);
|
|
- osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
|
|
+ /* Finalize SSL Conf */
|
|
+ iConfErr = SSL_CONF_CTX_finish(cctx);
|
|
+ if (!iConfErr) {
|
|
+ LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s"
|
|
+ "Open ssl error info may follow in next messages",
|
|
+ pThis->gnutlsPriorityString);
|
|
+ osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
|
|
+ }
|
|
+ SSL_CONF_CTX_free(cctx);
|
|
}
|
|
- SSL_CONF_CTX_free(cctx);
|
|
}
|
|
+ }
|
|
#else
|
|
- dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
|
|
- LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API"
|
|
- "(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: "
|
|
- "https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring",
|
|
- gnutlsPriorityString);
|
|
+ LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API"
|
|
+ "(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: "
|
|
+ "https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring",
|
|
+ gnutlsPriorityString);
|
|
#endif
|
|
- }
|
|
|
|
RETiRet;
|
|
}
|