Diffstat (limited to 'runtime')
-rw-r--r--runtime/libgcry.c27
-rw-r--r--runtime/libgcry.h4
-rw-r--r--runtime/lmcry_gcry.c31
-rw-r--r--runtime/stream.c5
4 files changed, 47 insertions, 20 deletions
diff --git a/runtime/libgcry.c b/runtime/libgcry.c
index 8184c160..5f1dbf58 100644
--- a/runtime/libgcry.c
+++ b/runtime/libgcry.c
@@ -27,6 +27,7 @@
#include "rsyslog.h"
#include "libgcry.h"
+#define GCRY_CIPHER GCRY_CIPHER_3DES // TODO: make configurable
static inline gcryfile
gcryfileConstruct(gcryctx ctx)
@@ -98,20 +99,34 @@ removePadding(char *buf, size_t *plen)
done: return;
}
+/* returns 0 on succes, positive if key length does not match and key
+ * of return value size is required.
+ */
+int
+rsgcrySetKey(gcryctx ctx, unsigned char *key, uint16_t keyLen)
+{
+ uint16_t reqKeyLen = gcry_cipher_get_algo_keylen(GCRY_CIPHER);
+ int r;
+
+ if(keyLen != reqKeyLen)
+ r = reqKeyLen;
+ ctx->keyLen = keyLen;
+ ctx->key = malloc(keyLen);
+ memcpy(ctx->key, key, keyLen);
+ r = 0;
+done: return r;
+}
+
rsRetVal
rsgcryInitCrypt(gcryctx ctx, gcryfile *pgf, int gcry_mode, char *iniVector)
{
- #define GCRY_CIPHER GCRY_CIPHER_3DES // TODO: make configurable
- size_t keyLength;
- char *aesSymKey = "123456789012345678901234"; // TODO: TEST ONLY
- gcry_error_t gcryError;
+ gcry_error_t gcryError;
gcryfile gf = NULL;
DEFiRet;
CHKmalloc(gf = gcryfileConstruct(ctx));
gf->blkLength = gcry_cipher_get_algo_blklen(GCRY_CIPHER);
- keyLength = gcry_cipher_get_algo_keylen(GCRY_CIPHER);
gcryError = gcry_cipher_open(
&gf->chd, // gcry_cipher_hd_t *
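Review bot: rsgcrySetKey detects the length mismatch at the `if(keyLen != reqKeyLen)` check but never jumps to `done`, so `r = reqKeyLen` is immediately overwritten by `r = 0` and a key of the wrong length is copied into the context as if it had been accepted; the `done:` label is also unreachable as written. The `malloc` result is used without a check, and the header comment has a typo (`succes`). The rewritten body below adds the missing early exit and an allocation check, keeping the documented contract (0 on success, required length on mismatch) and reporting allocation failure as a negative value, which the caller's `r > 0` test leaves distinct. `ctx->key` is assigned without freeing any previous key; whether a context can be keyed twice is not visible here. rsgcryInitCrypt continues beyond the end of this hunk.
```c
int
rsgcrySetKey(gcryctx ctx, unsigned char *key, uint16_t keyLen)
{
	uint16_t reqKeyLen = gcry_cipher_get_algo_keylen(GCRY_CIPHER);
	int r;

	if(keyLen != reqKeyLen) {
		r = reqKeyLen;	/* caller learns the required length */
		goto done;
	}
	if((ctx->key = malloc(keyLen)) == NULL) {
		r = -1;		/* allocation failure, distinct from a length mismatch */
		goto done;
	}
	ctx->keyLen = keyLen;
	memcpy(ctx->key, key, keyLen);
	r = 0;
done:	return r;
}
```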
@@ -125,7 +140,7 @@ rsgcryInitCrypt(gcryctx ctx, gcryfile *pgf, int gcry_mode, char *iniVector)
ABORT_FINALIZE(RS_RET_ERR);
}
- gcryError = gcry_cipher_setkey(gf->chd, aesSymKey, keyLength);
+ gcryError = gcry_cipher_setkey(gf->chd, gf->ctx->key, gf->ctx->keyLen);
if (gcryError) {
dbgprintf("gcry_cipher_setkey failed: %s/%s\n",
gcry_strsource(gcryError),
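Review bot: gcry_cipher_setkey is now fed `gf->ctx->key`/`gf->ctx->keyLen` with no check that a key was ever configured; if `cry.key` is absent the fields are presumably still NULL/0 (depends on gcryCtxNew, not shown) and the only diagnostic is the dbgprintf following the failed call. An explicit guard before the call, in the style already used for the open failure, would make the misconfiguration visible: `if(gf->ctx->key == NULL) { dbgprintf("rsgcryInitCrypt: no cipher key configured\n"); ABORT_FINALIZE(RS_RET_ERR); }`. rsgcryInitCrypt continues beyond the end of this hunk.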
diff --git a/runtime/libgcry.h b/runtime/libgcry.h
index 0405162f..608abd6c 100644
--- a/runtime/libgcry.h
+++ b/runtime/libgcry.h
@@ -24,7 +24,8 @@
struct gcryctx_s {
- void *usrptr; /* for error function */
+ uchar *key;
+ size_t keyLen;
};
typedef struct gcryctx_s *gcryctx;
typedef struct gcryfile_s *gcryfile;
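Review bot: The new fields declare the key as `uchar *key; size_t keyLen;` while the `rsgcrySetKey` prototype added in the next hunk takes `unsigned char *key, uint16_t keyLen`, and its caller passes a `strlen()` result; the types should agree, and `size_t` matches what gcry_cipher_get_algo_keylen returns and gcry_cipher_setkey accepts. The struct also takes ownership of secret material without saying so; suggest documenting it on the field: `uchar *key; /* copy of the cipher key, owned by the ctx; zeroize and free in rsgcryCtxDel */`. Whether rsgcryCtxDel already releases and clears it is outside this diff.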
@@ -38,6 +39,7 @@ struct gcryfile_s {
int rsgcryInit(void);
void rsgcryExit(void);
+int rsgcrySetKey(gcryctx ctx, unsigned char *key, uint16_t keyLen);
gcryctx gcryCtxNew(void);
void rsgcryCtxDel(gcryctx ctx);
int gcryfileDestruct(gcryfile gf);
diff --git a/runtime/lmcry_gcry.c b/runtime/lmcry_gcry.c
index 6800055d..ce0fef2f 100644
--- a/runtime/lmcry_gcry.c
+++ b/runtime/lmcry_gcry.c
@@ -44,6 +44,7 @@ DEFobjCurrIf(glbl)
/* tables for interfacing with the v6 config system */
static struct cnfparamdescr cnfpdescr[] = {
+ { "cry.key", eCmdHdlrGetWord, 0 },
{ "cry.mode", eCmdHdlrGetWord, 0 }, /* CBC, ECB, etc */
{ "cry.algo", eCmdHdlrGetWord, 0 }
};
@@ -83,12 +84,13 @@ ENDobjDestruct(lmcry_gcry)
* after construction, but before the OnFileOpen() entry point.
* Defaults are expected to have been set during construction.
*/
-rsRetVal
+static rsRetVal
SetCnfParam(void *pT, struct nvlst *lst)
{
lmcry_gcry_t *pThis = (lmcry_gcry_t*) pT;
- int i;
+ int i, r;
uchar *cstr;
+ uchar *key = NULL;
struct cnfparamvals *pvals;
pvals = nvlstGetParams(lst, &pblk, NULL);
if(Debug) {
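Review bot: `uchar *cstr;` is now referenced only inside the `#if 0` region that follows in later hunks, so it produces an unused-variable warning; either drop the declaration or move it inside the `#if 0` block alongside its uses. SetCnfParam continues beyond the end of this hunk.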
@@ -99,14 +101,9 @@ SetCnfParam(void *pT, struct nvlst *lst)
for(i = 0 ; i < pblk.nParams ; ++i) {
if(!pvals[i].bUsed)
continue;
+ if(!strcmp(pblk.descr[i].name, "cry.key")) {
+ key = (uchar*) es_str2cstr(pvals[i].val.d.estr, NULL);
#if 0
- if(!strcmp(pblk.descr[i].name, "sig.hashfunction")) {
- cstr = (uchar*) es_str2cstr(pvals[i].val.d.estr, NULL);
- if(gcrySetHashFunction(pThis->ctx, (char*)cstr) != 0) {
- errmsg.LogError(0, RS_RET_ERR, "Hash function "
- "'%s' unknown - using default", cstr);
- }
- free(cstr);
} else if(!strcmp(pblk.descr[i].name, "sig.timestampservice")) {
cstr = (uchar*)es_str2cstr(pvals[i].val.d.estr, NULL);
gcrySetTimestamper(pThis->ctx, (char*) cstr);
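Review bot: `cry.key` is the only parameter with a live handler in this loop; `cry.mode` and `cry.algo` from the descriptor table have none, and the "non-handled param" DBGPRINTF in the next hunk sits inside the `#if 0` region, so a configured `cry.mode` or `cry.algo` is silently ignored unless handled elsewhere. Until they are implemented, a live `else { DBGPRINTF("lmcry_gcry: program error, non-handled param '%s'\n", pblk.descr[i].name); }` outside the `#if 0` would keep the diagnostic. SetCnfParam continues beyond the end of this hunk.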
@@ -120,10 +117,24 @@ SetCnfParam(void *pT, struct nvlst *lst)
} else {
DBGPRINTF("lmcry_gcry: program error, non-handled "
"param '%s'\n", pblk.descr[i].name);
- }
#endif
+ }
}
+ if(key != NULL) {
+ errmsg.LogError(0, RS_RET_ERR, "Note: specifying an actual key directly from the "
+ "config file is highly insecure - DO NOT USE FOR PRODUCTION");
+ r = rsgcrySetKey(pThis->ctx, key, strlen((char*)key));
+ if(r > 0) {
+ errmsg.LogError(0, RS_RET_ERR, "Key length %d expected, but "
+ "key of length %d given", r, strlen((char*)key));
+ }
+ }
+
cnfparamvalsDestruct(pvals, &pblk);
+ if(key != NULL) {
+ memset(key, 0, strlen((char*)key));
+ free(key);
+ }
return RS_RET_OK;
}
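Review bot: The error message in the `r > 0` branch prints the `strlen()` result with `%d`; `strlen` returns `size_t`, so the specifier must be `%zu` (or the value cast), e.g. `"key of length %zu given", r, strlen((char*)key));`. The same length is silently narrowed to `uint16_t` at the `rsgcrySetKey` call. After a length mismatch the function still returns `RS_RET_OK`, so the misconfiguration only surfaces later when the cipher is keyed; returning an error here would fail at config time, if the caller tolerates that. The `memset(key, 0, ...)` before `free(key)` has the right intent, but a plain memset of memory about to be freed may be optimized away; use the project's secure-clear helper if one exists.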
diff --git a/runtime/stream.c b/runtime/stream.c
index 941fc39d..b31520b0 100644
--- a/runtime/stream.c
+++ b/runtime/stream.c
@@ -256,9 +256,8 @@ doPhysOpen(strm_t *pThis)
dbgprintf("DDDD: cryprov %p\n", pThis->cryprov);
if(pThis->cryprov != NULL) {
- iRet = pThis->cryprov->OnFileOpen(pThis->cryprovData,
- pThis->pszCurrFName, &pThis->cryprovFileData);
-dbgprintf("DDDD: iREt cryprov->onFileOpen: %d\n", iRet);
+ CHKiRet(pThis->cryprov->OnFileOpen(pThis->cryprovData,
+ pThis->pszCurrFName, &pThis->cryprovFileData));
}
finalize_it:
RETiRet;
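Review bot: The `dbgprintf("DDDD: cryprov %p\n", ...)` line that opens this hunk is the same scratch debug output as the `DDDD: iREt` line the commit removes and should go with it. doPhysOpen begins before this hunk.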