From ffa17a25d2c2098d4977d377cbf20d0136fea820 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Thu, 15 May 2008 16:58:25 +0200 Subject: client provides x.509 and server prints fingerprint --- runtime/nsd_gtls.c | 37 +++++++++++++++++++++++++++++++------ runtime/nsdsel_gtls.c | 3 +++ 2 files changed, 34 insertions(+), 6 deletions(-) diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c index 03ceba7b..3edaf68f 100644 --- a/runtime/nsd_gtls.c +++ b/runtime/nsd_gtls.c @@ -120,6 +120,31 @@ uchar *gtlsStrerror(int error) } +/* add our own certificate to the certificate set, so that the peer + * can identify us. Please note that we try to use mutual authentication, + * so we always add a cert, even if we are in the client role (later, + * this may be controlled by a config setting). + * rgerhards, 2008-05-15 + */ +static rsRetVal +gtlsAddOurCert(void) +{ + int gnuRet; + uchar *keyFile; + uchar *certFile; + DEFiRet; + + certFile = glbl.GetDfltNetstrmDrvrCertFile(); + keyFile = glbl.GetDfltNetstrmDrvrKeyFile(); + dbgprintf("GTLS certificate file: '%s'\n", certFile); + dbgprintf("GTLS key file: '%s'\n", keyFile); + CHKgnutls(gnutls_certificate_set_x509_key_file(xcred, (char*)certFile, (char*)keyFile, GNUTLS_X509_FMT_PEM)); + +finalize_it: + RETiRet; +} + + /* globally initialize GnuTLS */ static rsRetVal gtlsGlblInit(void) @@ -210,11 +235,7 @@ gtlsGlblInitLstn(void) * considered legacy. -- rgerhards, 2008-05-05 */ /*CHKgnutls(gnutls_certificate_set_x509_crl_file(xcred, CRLFILE, GNUTLS_X509_FMT_PEM));*/ - certFile = glbl.GetDfltNetstrmDrvrCertFile(); - keyFile = glbl.GetDfltNetstrmDrvrKeyFile(); - dbgprintf("GTLS certificate file: '%s'\n", certFile); - dbgprintf("GTLS key file: '%s'\n", keyFile); - CHKgnutls(gnutls_certificate_set_x509_key_file(xcred, (char*)certFile, (char*)keyFile, GNUTLS_X509_FMT_PEM)); + //CHKiRet(gtlsAddOurCert()); CHKiRet(generate_dh_params()); gnutls_certificate_set_dh_params(xcred, dh_params); /* this is void */ bGlblSrvrInitDone = 1; /* we are all set now */ @@ -228,7 +249,8 @@ finalize_it: /* check the fingerprint of the remote peer's certificate. * rgerhards, 2008-05-08 */ -static rsRetVal +//static rsRetVal +rsRetVal gtlsChkFingerprint(nsd_gtls_t *pThis) { cstr_t *pstrFingerprint = NULL; @@ -270,6 +292,7 @@ gtlsChkFingerprint(nsd_gtls_t *pThis) finalize_it: +dbgprintf("exit fingerprint check, iRet %d\n", iRet); if(pstrFingerprint != NULL) rsCStrDestruct(&pstrFingerprint); if(bMustDeinitCert) @@ -333,6 +356,8 @@ gtlsSetTransportPtr(nsd_gtls_t *pThis, int sock) /* Standard-Constructor */ BEGINobjConstruct(nsd_gtls) /* be sure to specify the object type also in END macro! */ iRet = nsd_ptcp.Construct(&pThis->pTcp); +CHKiRet(gtlsAddOurCert()); +finalize_it: ENDobjConstruct(nsd_gtls) diff --git a/runtime/nsdsel_gtls.c b/runtime/nsdsel_gtls.c index 1ee4b46c..f8889a48 100644 --- a/runtime/nsdsel_gtls.c +++ b/runtime/nsdsel_gtls.c @@ -128,9 +128,12 @@ doRetry(nsd_gtls_t *pNsd) switch(pNsd->rtryCall) { case gtlsRtry_handshake: gnuRet = gnutls_handshake(pNsd->sess); + dbgprintf("handshake ret %d\n", gnuRet); if(gnuRet == 0) { /* we got a handshake, now check authorization */ // TODO: do it! + dbgprintf("handshake done\n"); + gtlsChkFingerprint(pNsd); } break; default: -- cgit v1.2.3 From 6ea98ec5fff21c362e28a0121b78b8e6bb3b2528 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Fri, 16 May 2008 18:26:25 +0200 Subject: added first rough ability to authenticate the server against its certificate This is very experimental and needs some more work. It probably even segfaults - but the base code is there and running. The rest is refinement. While working on this, I did these two bugfixes: - bugfix: small mem leak in omfwd on exit (strmdriver name was not freed) - bugfix: $ActionSendStreamDriver had no effect --- ChangeLog | 6 +++++ runtime/netstrm.c | 32 ++++++++++++++++++++++++ runtime/netstrm.h | 4 ++- runtime/nsd.h | 4 ++- runtime/nsd_gtls.c | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++--- runtime/nsd_gtls.h | 6 +++++ runtime/rsyslog.h | 3 +++ tools/omfwd.c | 69 +++++++++++++++++++++++++++++++++++++-------------- 8 files changed, 174 insertions(+), 23 deletions(-) diff --git a/ChangeLog b/ChangeLog index ffe66f8f..cc599b52 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,11 @@ --------------------------------------------------------------------------- Version 3.19.3 (rgerhards), 2008-05-?? +- added ability to authenticate the server against its certificate + fingerprint +- bugfix: small mem leak in omfwd on exit (strmdriver name was not freed) +- bugfix: $ActionSendStreamDriver had no effect +- added ability for client to provide its fingerprint +- added ability for server to obtain client cert's fingerprint --------------------------------------------------------------------------- Version 3.19.2 (rgerhards), 2008-05-16 - bugfix: TCP input modules did incorrectly set fromhost property diff --git a/runtime/netstrm.c b/runtime/netstrm.c index a1384a28..899cb3bf 100644 --- a/runtime/netstrm.c +++ b/runtime/netstrm.c @@ -172,6 +172,10 @@ Rcv(netstrm_t *pThis, uchar *pBuf, ssize_t *pLenBuf) RETiRet; } +/* here follows a number of methods that shuffle authentication settings down + * to the drivers. Drivers not supporting these settings may return an error + * state. + * -------------------------------------------------------------------------- */ /* set the driver mode * rgerhards, 2008-04-28 @@ -186,6 +190,32 @@ SetDrvrMode(netstrm_t *pThis, int iMode) } +/* set the driver authentication mode -- rgerhards, 2008-05-16 + */ +static rsRetVal +SetDrvrAuthMode(netstrm_t *pThis, uchar *mode) +{ + DEFiRet; + ISOBJ_TYPE_assert(pThis, netstrm); + iRet = pThis->Drvr.SetAuthMode(pThis->pDrvrData, mode); + RETiRet; +} + + +/* add an accepted fingerprint -- rgerhards, 2008-05-16 + */ +static rsRetVal +AddDrvrPermittedFingerprint(netstrm_t *pThis, uchar *fingerprint) +{ + DEFiRet; + ISOBJ_TYPE_assert(pThis, netstrm); + iRet = pThis->Drvr.AddPermFingerprint(pThis->pDrvrData, fingerprint); + RETiRet; +} + +/* End of methods to shuffle autentication settings to the driver. + * -------------------------------------------------------------------------- */ + /* send a buffer. On entry, pLenBuf contains the number of octets to * write. On exit, it contains the number of octets actually written. * If this number is lower than on entry, only a partial buffer has @@ -280,6 +310,8 @@ CODESTARTobjQueryInterface(netstrm) pIf->GetRemoteHName = GetRemoteHName; pIf->GetRemoteIP = GetRemoteIP; pIf->SetDrvrMode = SetDrvrMode; + pIf->SetDrvrAuthMode = SetDrvrAuthMode; + pIf->AddDrvrPermittedFingerprint = AddDrvrPermittedFingerprint; pIf->GetSock = GetSock; finalize_it: ENDobjQueryInterface(netstrm) diff --git a/runtime/netstrm.h b/runtime/netstrm.h index a15c1d9b..ffdb392e 100644 --- a/runtime/netstrm.h +++ b/runtime/netstrm.h @@ -50,6 +50,8 @@ BEGINinterface(netstrm) /* name must also be changed in ENDinterface macro! */ rsRetVal (*GetRemoteHName)(netstrm_t *pThis, uchar **pszName); rsRetVal (*GetRemoteIP)(netstrm_t *pThis, uchar **pszIP); rsRetVal (*SetDrvrMode)(netstrm_t *pThis, int iMode); + rsRetVal (*SetDrvrAuthMode)(netstrm_t *pThis, uchar*); + rsRetVal (*AddDrvrPermittedFingerprint)(netstrm_t *pThis, uchar*); /* the GetSock() below is a hack to make imgssapi work. In the long term, * we should migrate imgssapi to a stream driver, which will relieve us of * this problem. Please note that nobody else should use GetSock(). Using it @@ -59,7 +61,7 @@ BEGINinterface(netstrm) /* name must also be changed in ENDinterface macro! */ */ rsRetVal (*GetSock)(netstrm_t *pThis, int *pSock); ENDinterface(netstrm) -#define netstrmCURR_IF_VERSION 1 /* increment whenever you change the interface structure! */ +#define netstrmCURR_IF_VERSION 2 /* increment whenever you change the interface structure! */ /* prototypes */ PROTOTYPEObj(netstrm); diff --git a/runtime/nsd.h b/runtime/nsd.h index cc06c877..1dc9efe9 100644 --- a/runtime/nsd.h +++ b/runtime/nsd.h @@ -51,6 +51,8 @@ BEGINinterface(nsd) /* name must also be changed in ENDinterface macro! */ rsRetVal (*GetRemoteHName)(nsd_t *pThis, uchar **pszName); rsRetVal (*GetRemoteIP)(nsd_t *pThis, uchar **pszIP); rsRetVal (*SetMode)(nsd_t *pThis, int mode); /* sets a driver specific mode - see driver doc for details */ + rsRetVal (*SetAuthMode)(nsd_t *pThis, uchar*); /* sets a driver specific mode - see driver doc for details */ + rsRetVal (*AddPermFingerprint)(nsd_t *pThis, uchar*); /* sets a driver specific mode - see driver doc for details */ rsRetVal (*GetSock)(nsd_t *pThis, int *pSock); rsRetVal (*SetSock)(nsd_t *pThis, int sock); /* GetSock() and SetSock() return an error if the driver does not use plain @@ -58,7 +60,7 @@ BEGINinterface(nsd) /* name must also be changed in ENDinterface macro! */ * those drivers that utilize the nsd_ptcp to do some of their work. */ ENDinterface(nsd) -#define nsdCURR_IF_VERSION 1 /* increment whenever you change the interface structure! */ +#define nsdCURR_IF_VERSION 2 /* increment whenever you change the interface structure! */ /* interface for the select call */ BEGINinterface(nsdsel) /* name must also be changed in ENDinterface macro! */ diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c index 60685de7..131a3679 100644 --- a/runtime/nsd_gtls.c +++ b/runtime/nsd_gtls.c @@ -225,9 +225,6 @@ finalize_it: static rsRetVal gtlsGlblInitLstn(void) { - int gnuRet; - uchar *keyFile; - uchar *certFile; DEFiRet; if(bGlblSrvrInitDone == 0) { @@ -290,6 +287,14 @@ gtlsChkFingerprint(nsd_gtls_t *pThis) CHKiRet(GenFingerprintStr(fingerprint, size, &pstrFingerprint)); dbgprintf("peer's certificate SHA1 fingerprint: %s\n", rsCStrGetSzStr(pstrFingerprint)); + if(pThis->authMode != GTLS_AUTH_CERTFINGERPRINT) + FINALIZE; + + if(pThis->authIDs == NULL || rsCStrSzStrCmp(pstrFingerprint, pThis->authIDs, strlen((char*) pThis->authIDs))) { + // TODO: logerror + dbgprintf("invalid server fingerprint, not authorized\n"); + ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT); + } finalize_it: dbgprintf("exit fingerprint check, iRet %d\n", iRet); @@ -397,6 +402,66 @@ finalize_it: } +/* Set the authentication mode. For us, the following is supported: + * anon - no certificate checks whatsoever (discouraged, but supported) + * x509/fingerprint - certificate fingerprint + * x509/name - cerfificate name check + * mode == NULL is valid and defaults to x509/name + * rgerhards, 2008-05-16 + */ +static rsRetVal +SetAuthMode(nsd_t *pNsd, uchar *mode) +{ + DEFiRet; + nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; + + ISOBJ_TYPE_assert((pThis), nsd_gtls); +RUNLOG_VAR("%s", mode); + if(mode == NULL || !strcasecmp((char*)mode, "x509/name")) { + pThis->authMode = GTLS_AUTH_CERTNAME; + } else if(!strcasecmp((char*) mode, "x509/fingerprint")) { + pThis->authMode = GTLS_AUTH_CERTFINGERPRINT; + } else if(!strcasecmp((char*) mode, "anon")) { + pThis->authMode = GTLS_AUTH_CERTANON; + } else { + // TODO: logerror()? + ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED); + } + +/* TODO: clear stored IDs! */ + +finalize_it: +dbgprintf("gtls auth mode %d set\n", pThis->authMode); + RETiRet; +} + + +/* Add a permitted fingerprint. Only useful to call if we are using + * fingerprint authentication. Results in error if we are not in this mode. + * rgerhards, 2008-05-16 + */ +static rsRetVal +AddPermFingerprint(nsd_t *pNsd, uchar *pszFingerprint) +{ + DEFiRet; + nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; + + ISOBJ_TYPE_assert((pThis), nsd_gtls); + if(pThis->authMode != GTLS_AUTH_CERTFINGERPRINT) + ABORT_FINALIZE(RS_RET_VALUE_NOT_IN_THIS_MODE); + + // TODO: proper handling - but we need to redo this when we do the + // linked list. So for now, this is good enough (but MUST BE CHANGED!). + // + + pThis->authIDs = pszFingerprint; +dbgprintf("gtls fingerprint '%s' set\n", pThis->authIDs); + +finalize_it: + RETiRet; +} + + /* Provide access to the underlying OS socket. This is primarily * useful for other drivers (like nsd_gtls) who utilize ourselfs * for some of their functionality. -- rgerhards, 2008-04-18 @@ -689,6 +754,8 @@ CODESTARTobjQueryInterface(nsd_gtls) pIf->Connect = Connect; pIf->SetSock = SetSock; pIf->SetMode = SetMode; + pIf->SetAuthMode = SetAuthMode; + pIf->AddPermFingerprint = AddPermFingerprint; pIf->GetRemoteHName = GetRemoteHName; pIf->GetRemoteIP = GetRemoteIP; finalize_it: diff --git a/runtime/nsd_gtls.h b/runtime/nsd_gtls.h index bbb0eb9e..885a8b30 100644 --- a/runtime/nsd_gtls.h +++ b/runtime/nsd_gtls.h @@ -38,11 +38,17 @@ struct nsd_gtls_s { BEGINobjInstance; /* Data to implement generic object - MUST be the first data element! */ nsd_t *pTcp; /**< our aggregated nsd_ptcp data */ int iMode; /* 0 - plain tcp, 1 - TLS */ + enum { + GTLS_AUTH_CERTNAME = 0, + GTLS_AUTH_CERTFINGERPRINT = 1, + GTLS_AUTH_CERTANON = 2 + } authMode; gtlsRtryCall_t rtryCall;/**< what must we retry? */ int bIsInitiator; /**< 0 if socket is the server end (listener), 1 if it is the initiator */ gnutls_session sess; int bHaveSess; /* as we don't know exactly which gnutls_session values are invalid, we use this one to flag whether or not we are in a session (same as -1 for a socket meaning no sess) */ + uchar *authIDs; /* TODO: make linked list, currently just a single fingerprint, must also support names */ }; /* interface is defined in nsd.h, we just implement it! */ diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h index 367a239f..088a14db 100644 --- a/runtime/rsyslog.h +++ b/runtime/rsyslog.h @@ -224,6 +224,9 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth RS_RET_TLS_HANDSHAKE_ERR = -2083, /**< TLS handshake failed */ RS_RET_TLS_CERT_ERR = -2084, /**< generic TLS certificate error */ RS_RET_TLS_NO_CERT = -2085, /**< no TLS certificate available where one was expected */ + RS_RET_VALUE_NOT_SUPPORTED = -2086, /**< a provided value is not supported */ + RS_RET_VALUE_NOT_IN_THIS_MODE = -2087, /**< a provided value is invalid for the curret mode */ + RS_RET_INVALID_FINGERPRINT = -2088, /**< a fingerprint is not valid for this use case */ /* RainerScript error messages (range 1000.. 1999) */ RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */ diff --git a/tools/omfwd.c b/tools/omfwd.c index 59245536..e0b6db01 100644 --- a/tools/omfwd.c +++ b/tools/omfwd.c @@ -78,6 +78,8 @@ typedef struct _instanceData { netstrms_t *pNS; /* netstream subsystem */ netstrm_t *pNetstrm; /* our output netstream */ uchar *pszStrmDrvr; + uchar *pszStrmDrvrAuthMode; + uchar *pszStrmDrvrFingerprint; int iStrmDrvrMode; char *f_hname; int *pSockArray; /* sockets to use for UDP */ @@ -96,6 +98,8 @@ typedef struct _instanceData { static uchar *pszTplName = NULL; /* name of the default template to use */ static uchar *pszStrmDrvr = NULL; /* name of the stream driver to use */ static int iStrmDrvrMode = 0; /* mode for stream driver, driver-dependent (0 mostly means plain tcp) */ +static uchar *pszStrmDrvrAuthMode = NULL; /* name of the default template to use */ +static uchar *pszStrmDrvrFingerprint = NULL; /* name of the default template to use */ /* get the syslog forward port from selector_t. The passed in @@ -146,7 +150,12 @@ CODESTARTfreeInstance if(pData->f_hname != NULL) free(pData->f_hname); - + if(pData->pszStrmDrvr != NULL) + free(pData->pszStrmDrvr); + if(pData->pszStrmDrvrAuthMode != NULL) + free(pData->pszStrmDrvrAuthMode); + if(pData->pszStrmDrvrFingerprint != NULL) + free(pData->pszStrmDrvrFingerprint); ENDfreeInstance @@ -268,6 +277,9 @@ static rsRetVal TCPSendInit(void *pvData) CHKiRet(netstrms.CreateStrm(pData->pNS, &pData->pNetstrm)); CHKiRet(netstrm.ConstructFinalize(pData->pNetstrm)); CHKiRet(netstrm.SetDrvrMode(pData->pNetstrm, pData->iStrmDrvrMode)); + CHKiRet(netstrm.SetDrvrAuthMode(pData->pNetstrm, pData->pszStrmDrvrAuthMode)); + CHKiRet(netstrm.AddDrvrPermittedFingerprint(pData->pNetstrm, + pData->pszStrmDrvrFingerprint)); CHKiRet(netstrm.Connect(pData->pNetstrm, glbl.GetDefPFFamily(), (uchar*)pData->port, (uchar*)pData->f_hname)); } @@ -567,14 +579,45 @@ CODE_STD_STRING_REQUESTparseSelectorAct(1) CHKiRet(tcpclt.SetSendPrepRetry(pData->pTCPClt, TCPSendPrepRetry)); CHKiRet(tcpclt.SetFraming(pData->pTCPClt, tcp_framing)); pData->iStrmDrvrMode = iStrmDrvrMode; - if(pData->pszStrmDrvr != NULL) + if(pszStrmDrvr != NULL) CHKmalloc(pData->pszStrmDrvr = (uchar*)strdup((char*)pszStrmDrvr)); + if(pszStrmDrvrAuthMode != NULL) + CHKmalloc(pData->pszStrmDrvrAuthMode = + (uchar*)strdup((char*)pszStrmDrvrAuthMode)); + if(pszStrmDrvrFingerprint != NULL) + CHKmalloc(pData->pszStrmDrvrFingerprint = + (uchar*)strdup((char*)pszStrmDrvrFingerprint)); } CODE_STD_FINALIZERparseSelectorAct ENDparseSelectorAct +/* a common function to free our configuration variables - used both on exit + * and on $ResetConfig processing. -- rgerhards, 2008-05-16 + */ +static void +freeConfigVars(void) +{ + if(pszTplName != NULL) { + free(pszTplName); + pszTplName = NULL; + } + if(pszStrmDrvr != NULL) { + free(pszStrmDrvr); + pszStrmDrvr = NULL; + } + if(pszStrmDrvrAuthMode != NULL) { + free(pszStrmDrvrAuthMode); + pszStrmDrvrAuthMode = NULL; + } + if(pszStrmDrvrFingerprint != NULL) { + free(pszStrmDrvrFingerprint); + pszStrmDrvrFingerprint = NULL; + } +} + + BEGINmodExit CODESTARTmodExit /* release what we no longer need */ @@ -585,14 +628,7 @@ CODESTARTmodExit objRelease(netstrms, LM_NETSTRMS_FILENAME); objRelease(tcpclt, LM_TCPCLT_FILENAME); - if(pszTplName != NULL) { - free(pszTplName); - pszTplName = NULL; - } - if(pszStrmDrvr != NULL) { - free(pszStrmDrvr); - pszStrmDrvr = NULL; - } + freeConfigVars(); ENDmodExit @@ -607,14 +643,9 @@ ENDqueryEtryPt */ static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __attribute__((unused)) *pVal) { - if(pszTplName != NULL) { - free(pszTplName); - pszTplName = NULL; - } - if(pszStrmDrvr != NULL) { - free(pszStrmDrvr); - pszStrmDrvr = NULL; - } + freeConfigVars(); + + /* we now must reset all non-string values */ iStrmDrvrMode = 0; return RS_RET_OK; @@ -632,6 +663,8 @@ CODEmodInit_QueryRegCFSLineHdlr CHKiRet(regCfSysLineHdlr((uchar *)"actionforwarddefaulttemplate", 0, eCmdHdlrGetWord, NULL, &pszTplName, NULL)); CHKiRet(regCfSysLineHdlr((uchar *)"actionsendstreamdriver", 0, eCmdHdlrGetWord, NULL, &pszStrmDrvr, NULL)); CHKiRet(regCfSysLineHdlr((uchar *)"actionsendstreamdrivermode", 0, eCmdHdlrInt, NULL, &iStrmDrvrMode, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"actionsendstreamdriverauthmode", 0, eCmdHdlrGetWord, NULL, &pszStrmDrvrAuthMode, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"actionsendstreamdrivercertfingerprint", 0, eCmdHdlrGetWord, NULL, &pszStrmDrvrFingerprint, NULL)); CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler, resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID)); ENDmodInit -- cgit v1.2.3 From edf41396efc9bcbbc333651771df49d3ec68cb4d Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Sat, 17 May 2008 11:19:12 +0200 Subject: regained netstream driver genericity; improved drivers - made action logic pass optional auth params only if they are actually configured - added new authMode and Fingerprint methods to ptcp netstream driver (keeping them once again generic) - added diagnostics messages when invalid auth modes were configured --- runtime/nsd_gtls.c | 9 ++++++--- runtime/nsd_ptcp.c | 41 +++++++++++++++++++++++++++++++++++++++++ tools/omfwd.c | 12 +++++++++--- 3 files changed, 56 insertions(+), 6 deletions(-) diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c index 131a3679..df458ea3 100644 --- a/runtime/nsd_gtls.c +++ b/runtime/nsd_gtls.c @@ -416,7 +416,6 @@ SetAuthMode(nsd_t *pNsd, uchar *mode) nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; ISOBJ_TYPE_assert((pThis), nsd_gtls); -RUNLOG_VAR("%s", mode); if(mode == NULL || !strcasecmp((char*)mode, "x509/name")) { pThis->authMode = GTLS_AUTH_CERTNAME; } else if(!strcasecmp((char*) mode, "x509/fingerprint")) { @@ -424,7 +423,8 @@ RUNLOG_VAR("%s", mode); } else if(!strcasecmp((char*) mode, "anon")) { pThis->authMode = GTLS_AUTH_CERTANON; } else { - // TODO: logerror()? + errmsg.LogError(NO_ERRCODE, "authentication mode '%s' not supported by " + "gtls netstream driver", mode); ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED); } @@ -447,8 +447,11 @@ AddPermFingerprint(nsd_t *pNsd, uchar *pszFingerprint) nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; ISOBJ_TYPE_assert((pThis), nsd_gtls); - if(pThis->authMode != GTLS_AUTH_CERTFINGERPRINT) + if(pThis->authMode != GTLS_AUTH_CERTFINGERPRINT) { + errmsg.LogError(NO_ERRCODE, "fingerprint authentication not supported by " + "gtls netstream driver in the configured authentication mode - ignored"); ABORT_FINALIZE(RS_RET_VALUE_NOT_IN_THIS_MODE); + } // TODO: proper handling - but we need to redo this when we do the // linked list. So for now, this is good enough (but MUST BE CHANGED!). diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c index c5480a05..ae835aed 100644 --- a/runtime/nsd_ptcp.c +++ b/runtime/nsd_ptcp.c @@ -126,6 +126,45 @@ finalize_it: } +/* Set the authentication mode. For us, the following is supported: + * anon - no certificate checks whatsoever (discouraged, but supported) + * mode == NULL is valid and defaults to anon + * Actually, we do not even record the mode right now, because we can + * always work in anon mode, only. So there is no point in recording + * something if that's the only choice. What the function does is + * return an error if something is requested that we can not support. + * rgerhards, 2008-05-17 + */ +static rsRetVal +SetAuthMode(nsd_t __attribute__((unused)) *pNsd, uchar *mode) +{ + DEFiRet; + if(mode != NULL && strcasecmp((char*)mode, "anon")) { + errmsg.LogError(NO_ERRCODE, "authentication mode '%s' not supported by " + "ptcp netstream driver", mode); + ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED); + } + +finalize_it: + RETiRet; +} + + +/* Add a permitted fingerprint. This is a dummy, always returning an + * error because we do not support fingerprint authentication. + * rgerhards, 2008-05-17 + */ +static rsRetVal +AddPermFingerprint(nsd_t __attribute__((unused)) *pNsd, uchar __attribute__((unused)) *pszFingerprint) +{ + errmsg.LogError(NO_ERRCODE, "fingerprint authentication not supported by " + "ptcp netstream driver - ignored"); + return RS_RET_VALUE_NOT_IN_THIS_MODE; +} + + + + /* Provide access to the underlying OS socket. This is primarily * useful for other drivers (like nsd_gtls) who utilize ourselfs * for some of their functionality. @@ -625,6 +664,8 @@ CODESTARTobjQueryInterface(nsd_ptcp) pIf->GetSock = GetSock; pIf->SetSock = SetSock; pIf->SetMode = SetMode; + pIf->SetAuthMode = SetAuthMode; + pIf->AddPermFingerprint = AddPermFingerprint; pIf->Rcv = Rcv; pIf->Send = Send; pIf->LstnInit = LstnInit; diff --git a/tools/omfwd.c b/tools/omfwd.c index e0b6db01..43f601e3 100644 --- a/tools/omfwd.c +++ b/tools/omfwd.c @@ -277,9 +277,15 @@ static rsRetVal TCPSendInit(void *pvData) CHKiRet(netstrms.CreateStrm(pData->pNS, &pData->pNetstrm)); CHKiRet(netstrm.ConstructFinalize(pData->pNetstrm)); CHKiRet(netstrm.SetDrvrMode(pData->pNetstrm, pData->iStrmDrvrMode)); - CHKiRet(netstrm.SetDrvrAuthMode(pData->pNetstrm, pData->pszStrmDrvrAuthMode)); - CHKiRet(netstrm.AddDrvrPermittedFingerprint(pData->pNetstrm, - pData->pszStrmDrvrFingerprint)); + /* now set optional params, but only if they were actually configured */ + if(pData->pszStrmDrvrAuthMode != NULL) { + CHKiRet(netstrm.SetDrvrAuthMode(pData->pNetstrm, pData->pszStrmDrvrAuthMode)); + } + if(pData->pszStrmDrvrFingerprint != NULL) { + CHKiRet(netstrm.AddDrvrPermittedFingerprint(pData->pNetstrm, + pData->pszStrmDrvrFingerprint)); + } + /* params set, now connect */ CHKiRet(netstrm.Connect(pData->pNetstrm, glbl.GetDefPFFamily(), (uchar*)pData->port, (uchar*)pData->f_hname)); } -- cgit v1.2.3 From 48684ceac5d57f2c3bc9e8afce98d2026ab51958 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Mon, 19 May 2008 09:43:37 +0200 Subject: improved error messages and corrected fingerprint format --- runtime/nsd_gtls.c | 29 +++++++++++++++++++++-------- runtime/nsd_gtls.h | 3 +++ runtime/nsd_ptcp.c | 11 +++++++---- runtime/rsyslog.h | 2 +- 4 files changed, 32 insertions(+), 13 deletions(-) diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c index df458ea3..4e7fa3b6 100644 --- a/runtime/nsd_gtls.c +++ b/runtime/nsd_gtls.c @@ -85,12 +85,18 @@ GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr) cstr_t *pStr = NULL; uchar buf[4]; size_t i; + int bAddColon = 0; /* do we need to add a colon to the fingerprint string? */ DEFiRet; CHKiRet(rsCStrConstruct(&pStr)); for(i = 0 ; i < sizeFingerprint ; ++i) { - snprintf((char*)buf, sizeof(buf), "%2.2X:", pFingerprint[i]); - CHKiRet(rsCStrAppendStrWithLen(pStr, buf, 3)); + if(bAddColon) { + CHKiRet(rsCStrAppendChar(pStr, ':')); + } else { + bAddColon = 1; /* all but the first need a colon added */ + } + snprintf((char*)buf, sizeof(buf), "%2.2X", pFingerprint[i]); + CHKiRet(rsCStrAppendStrWithLen(pStr, buf, 2)); } CHKiRet(rsCStrFinish(pStr)); @@ -291,8 +297,12 @@ gtlsChkFingerprint(nsd_gtls_t *pThis) FINALIZE; if(pThis->authIDs == NULL || rsCStrSzStrCmp(pstrFingerprint, pThis->authIDs, strlen((char*) pThis->authIDs))) { - // TODO: logerror - dbgprintf("invalid server fingerprint, not authorized\n"); + dbgprintf("invalid server fingerprint, not permitted to talk to us\n"); + if(pThis->bReportAuthErr == 1) { + errmsg.LogError(NO_ERRCODE, "error: server fingerprint '%s' unknown - we are " + "not permitted to talk to this server", rsCStrGetSzStr(pstrFingerprint)); + pThis->bReportAuthErr = 0; + } ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT); } @@ -361,6 +371,7 @@ gtlsSetTransportPtr(nsd_gtls_t *pThis, int sock) /* Standard-Constructor */ BEGINobjConstruct(nsd_gtls) /* be sure to specify the object type also in END macro! */ iRet = nsd_ptcp.Construct(&pThis->pTcp); + pThis->bReportAuthErr = 1; CHKiRet(gtlsAddOurCert()); finalize_it: ENDobjConstruct(nsd_gtls) @@ -392,8 +403,11 @@ SetMode(nsd_t *pNsd, int mode) dbgprintf("SetMode tries to set mode %d\n", mode); ISOBJ_TYPE_assert((pThis), nsd_gtls); - if(mode != 0 && mode != 1) - ABORT_FINALIZE(RS_RET_INVAID_DRVR_MODE); + if(mode != 0 && mode != 1) { + errmsg.LogError(NO_ERRCODE, "error: driver mode %d not supported by " + "gtls netstream driver", mode); + ABORT_FINALIZE(RS_RET_INVALID_DRVR_MODE); + } pThis->iMode = mode; @@ -423,7 +437,7 @@ SetAuthMode(nsd_t *pNsd, uchar *mode) } else if(!strcasecmp((char*) mode, "anon")) { pThis->authMode = GTLS_AUTH_CERTANON; } else { - errmsg.LogError(NO_ERRCODE, "authentication mode '%s' not supported by " + errmsg.LogError(NO_ERRCODE, "error: authentication mode '%s' not supported by " "gtls netstream driver", mode); ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED); } @@ -455,7 +469,6 @@ AddPermFingerprint(nsd_t *pNsd, uchar *pszFingerprint) // TODO: proper handling - but we need to redo this when we do the // linked list. So for now, this is good enough (but MUST BE CHANGED!). - // pThis->authIDs = pszFingerprint; dbgprintf("gtls fingerprint '%s' set\n", pThis->authIDs); diff --git a/runtime/nsd_gtls.h b/runtime/nsd_gtls.h index 885a8b30..0576a993 100644 --- a/runtime/nsd_gtls.h +++ b/runtime/nsd_gtls.h @@ -48,6 +48,9 @@ struct nsd_gtls_s { gnutls_session sess; int bHaveSess; /* as we don't know exactly which gnutls_session values are invalid, we use this one to flag whether or not we are in a session (same as -1 for a socket meaning no sess) */ + int bReportAuthErr; /* only the first auth error is to be reported, this var triggers it. Initially, it is + * set to 1 and changed to 0 after the first report. It is changed back to 1 after + * one successful authentication. */ uchar *authIDs; /* TODO: make linked list, currently just a single fingerprint, must also support names */ }; diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c index ae835aed..6702e118 100644 --- a/runtime/nsd_ptcp.c +++ b/runtime/nsd_ptcp.c @@ -119,8 +119,11 @@ static rsRetVal SetMode(nsd_t __attribute__((unused)) *pNsd, int mode) { DEFiRet; - if(mode != 0) - ABORT_FINALIZE(RS_RET_INVAID_DRVR_MODE); + if(mode != 0) { + errmsg.LogError(NO_ERRCODE, "error: driver mode %d not supported by " + "ptcp netstream driver", mode); + ABORT_FINALIZE(RS_RET_INVALID_DRVR_MODE); + } finalize_it: RETiRet; } @@ -140,7 +143,7 @@ SetAuthMode(nsd_t __attribute__((unused)) *pNsd, uchar *mode) { DEFiRet; if(mode != NULL && strcasecmp((char*)mode, "anon")) { - errmsg.LogError(NO_ERRCODE, "authentication mode '%s' not supported by " + errmsg.LogError(NO_ERRCODE, "error: authentication mode '%s' not supported by " "ptcp netstream driver", mode); ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED); } @@ -158,7 +161,7 @@ static rsRetVal AddPermFingerprint(nsd_t __attribute__((unused)) *pNsd, uchar __attribute__((unused)) *pszFingerprint) { errmsg.LogError(NO_ERRCODE, "fingerprint authentication not supported by " - "ptcp netstream driver - ignored"); + "ptcp netstream driver"); return RS_RET_VALUE_NOT_IN_THIS_MODE; } diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h index 088a14db..fe26bb44 100644 --- a/runtime/rsyslog.h +++ b/runtime/rsyslog.h @@ -219,7 +219,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth RS_RET_GNUTLS_ERR = -2078, /**< (unexpected) error in GnuTLS call */ RS_RET_MAX_SESS_REACHED = -2079, /**< max nbr of sessions reached, can not create more */ RS_RET_MAX_LSTN_REACHED = -2080, /**< max nbr of listeners reached, can not create more */ - RS_RET_INVAID_DRVR_MODE = -2081, /**< tried to set mode not supported by driver */ + RS_RET_INVALID_DRVR_MODE = -2081, /**< tried to set mode not supported by driver */ RS_RET_DRVRNAME_TOO_LONG = -2082, /**< driver name too long - should never happen */ RS_RET_TLS_HANDSHAKE_ERR = -2083, /**< TLS handshake failed */ RS_RET_TLS_CERT_ERR = -2084, /**< generic TLS certificate error */ -- cgit v1.2.3 From 85b587f93d7f1294fae78317c0841a30aaa03583 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Mon, 19 May 2008 18:52:44 +0200 Subject: first implementation of TLS server client authentication check The TLS server now checks the client fingerprint. This works, but is highly experimental. Needs to be refined for practice. Also: - implemented permittedPeers helper construct to store names - changed omfwd implementation to use new permittedPeers --- plugins/imtcp/imtcp.c | 48 ++++++++++++++++++++++++++++++++++++++ runtime/net.c | 64 +++++++++++++++++++++++++++++++++++++++++++++++++++ runtime/net.h | 19 ++++++++++++++- runtime/netstrm.c | 12 ++++++---- runtime/netstrm.h | 2 +- runtime/netstrms.c | 51 +++++++++++++++++++++++++++++++++++++++- runtime/netstrms.h | 9 +++++++- runtime/nsd.h | 2 +- runtime/nsd_gtls.c | 55 ++++++++++++++++++++++++++++--------------- runtime/nsd_gtls.h | 3 ++- runtime/nsd_ptcp.c | 20 +++++++++++----- runtime/nsdsel_gtls.c | 9 ++++---- runtime/rsyslog.h | 2 ++ tcpsrv.c | 53 +++++++++++++++++++++++++++++++++++++++--- tcpsrv.h | 6 ++++- tools/omfwd.c | 50 ++++++++++++++++++++++++++++------------ 16 files changed, 347 insertions(+), 58 deletions(-) diff --git a/plugins/imtcp/imtcp.c b/plugins/imtcp/imtcp.c index 971d3aec..d8363151 100644 --- a/plugins/imtcp/imtcp.c +++ b/plugins/imtcp/imtcp.c @@ -23,6 +23,20 @@ * A copy of the GPL can be found in the file "COPYING" in this distribution. */ +/* This note shall explain the calling sequence while we do not have + * have full RainerScript support for (TLS) sender authentication: + * + * imtcp --> tcpsrv --> netstrms (this sequence stored pPermPeers in netstrms class) + * then a callback (doOpenLstnSocks) into imtcp happens, which in turn calls + * into tcpsrv.create_tcp_socket(), + * which calls into netstrm.LstnInit(), which receives a pointer to netstrms obj + * which calls into the driver function LstnInit (again, netstrms obj passed) + * which finally calls back into netstrms obj's get functions to obtain the auth + * parameters and then applies them to the driver object instance + * + * rgerhards, 2008-05-19 + */ + #include "config.h" #include #include @@ -46,6 +60,7 @@ #include "netstrm.h" #include "errmsg.h" #include "tcpsrv.h" +#include "net.h" /* for permittedPeers, may be removed when this is removed */ MODULE_TYPE_INPUT @@ -59,10 +74,13 @@ DEFobjCurrIf(errmsg) /* Module static data */ static tcpsrv_t *pOurTcpsrv = NULL; /* our TCP server(listener) TODO: change for multiple instances */ +static permittedPeers_t *pPermPeersRoot = NULL; + /* config settings */ static int iTCPSessMax = 200; /* max number of sessions */ static int iStrmDrvrMode = 0; /* mode for stream driver, driver-dependent (0 mostly means plain tcp) */ +static uchar *pszStrmDrvrAuthMode = NULL; /* authentication mode to use */ /* callbacks */ @@ -122,9 +140,22 @@ onErrClose(tcps_sess_t *pSess) /* ------------------------------ end callbacks ------------------------------ */ +/* set permitted peer -- rgerhards, 2008-05-19 + */ +static rsRetVal +setPermittedPeer(void __attribute__((unused)) *pVal, uchar *pszID) +{ + DEFiRet; + CHKiRet(net.AddPermittedPeer(&pPermPeersRoot, pszID)); +finalize_it: + RETiRet; +} + + static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVal) { DEFiRet; + if(pOurTcpsrv == NULL) { CHKiRet(tcpsrv.Construct(&pOurTcpsrv)); CHKiRet(tcpsrv.SetCBIsPermittedHost(pOurTcpsrv, isPermittedHost)); @@ -133,6 +164,15 @@ static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVa CHKiRet(tcpsrv.SetCBOnRegularClose(pOurTcpsrv, onRegularClose)); CHKiRet(tcpsrv.SetCBOnErrClose(pOurTcpsrv, onErrClose)); CHKiRet(tcpsrv.SetDrvrMode(pOurTcpsrv, iStrmDrvrMode)); + /* now set optional params, but only if they were actually configured */ + if(pszStrmDrvrAuthMode != NULL) { +RUNLOG_VAR("%s", pszStrmDrvrAuthMode); + CHKiRet(tcpsrv.SetDrvrAuthMode(pOurTcpsrv, pszStrmDrvrAuthMode)); + } + if(pPermPeersRoot != NULL) { + CHKiRet(tcpsrv.SetDrvrPermPeers(pOurTcpsrv, pPermPeersRoot)); + } + /* most params set, now start listener */ tcpsrv.configureTCPListen(pOurTcpsrv, (char *) pNewVal); CHKiRet(tcpsrv.ConstructFinalize(pOurTcpsrv)); } @@ -183,6 +223,10 @@ CODESTARTmodExit if(pOurTcpsrv != NULL) iRet = tcpsrv.Destruct(&pOurTcpsrv); + if(pPermPeersRoot != NULL) { + net.DestructPermittedPeers(&pPermPeersRoot); + } + /* release objects we used */ objRelease(net, LM_NET_FILENAME); objRelease(netstrm, LM_NETSTRMS_FILENAME); @@ -227,6 +271,10 @@ CODEmodInit_QueryRegCFSLineHdlr NULL, &iTCPSessMax, STD_LOADABLE_MODULE_ID)); CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpserverstreamdrivermode", 0, eCmdHdlrInt, NULL, &iStrmDrvrMode, STD_LOADABLE_MODULE_ID)); + CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpserverstreamdriverauthmode", 0, + eCmdHdlrGetWord, NULL, &pszStrmDrvrAuthMode, STD_LOADABLE_MODULE_ID)); + CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpserverstreamdriverpermittedpeer", 0, + eCmdHdlrGetWord, setPermittedPeer, NULL, STD_LOADABLE_MODULE_ID)); CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler, resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID)); ENDmodInit diff --git a/runtime/net.c b/runtime/net.c index 7663b1b3..cbff1003 100644 --- a/runtime/net.c +++ b/runtime/net.c @@ -88,6 +88,68 @@ static struct AllowedSenders *pLastAllowedSenders_GSS = NULL; int ACLAddHostnameOnFail = 0; /* add hostname to acl when DNS resolving has failed */ int ACLDontResolve = 0; /* add hostname to acl instead of resolving it to IP(s) */ + +/* ------------------------------ begin permitted peers code ------------------------------ */ + + +/* add a permitted peer. PermittedPeers is an interim solution until we can provide + * access control via enhanced RainerScript methods. + * Note: the provided string is handed over to this function, caller must + * no longer access it. -- rgerhards, 2008-05-19 + */ +static rsRetVal +AddPermittedPeer(permittedPeers_t **ppRootPeer, uchar* pszID) +{ + permittedPeers_t *pNew = NULL; + DEFiRet; + + assert(ppRootPeer != NULL); + assert(pszID != NULL); + + CHKmalloc(pNew = malloc(sizeof(permittedPeers_t))); + CHKmalloc(pNew->pszID = (uchar*)strdup((char*)pszID)); + pNew->pNext = NULL; + + if(*ppRootPeer != NULL) { + pNew->pNext = *ppRootPeer; + } + *ppRootPeer = pNew; + +finalize_it: + if(iRet != RS_RET_OK) { + if(pNew != NULL) + free(pNew); + } + RETiRet; +} + + +/* Destruct a permitted peers list -- rgerhards, 2008-05-19 */ +static rsRetVal +DestructPermittedPeers(permittedPeers_t **ppRootPeer) +{ + permittedPeers_t *pCurr; + permittedPeers_t *pDel; + DEFiRet; + + assert(ppRootPeer != NULL); + + for(pCurr = *ppRootPeer ; pCurr != NULL ; /*EMPTY*/) { + pDel = pCurr; + pCurr = pCurr->pNext; + free(pDel->pszID); + free(pDel); + } + + *ppRootPeer = NULL; + + RETiRet; +} + + +/* ------------------------------ end permitted peers code ------------------------------ */ + + /* Code for handling allowed/disallowed senders */ static inline void MaskIP6 (struct in6_addr *addr, uint8_t bits) { @@ -1095,6 +1157,8 @@ CODESTARTobjQueryInterface(net) pIf->isAllowedSender = isAllowedSender; pIf->should_use_so_bsdcompat = should_use_so_bsdcompat; pIf->getLocalHostname = getLocalHostname; + pIf->AddPermittedPeer = AddPermittedPeer; + pIf->DestructPermittedPeers = DestructPermittedPeers; finalize_it: ENDobjQueryInterface(net) diff --git a/runtime/net.h b/runtime/net.h index 9e471bf9..673f45a9 100644 --- a/runtime/net.h +++ b/runtime/net.h @@ -91,6 +91,20 @@ struct AllowedSenders { }; +/* for fingerprints and hostnames, we need to have a temporary linked list of + * permitted values. Unforutnately, we must also duplicate this in the netstream + * drivers. However, this is the best interim solution (with the least effort). + * A clean implementation requires that we have more capable variables and the + * full-fledged scripting engine available. So we have opted to do the interim + * solution so that our users can begin to enjoy authenticated TLS. The next step + * (hopefully) is to enhance RainerScript. -- rgerhards, 2008-05-19 + */ +struct permittedPeers_s { + uchar *pszID; + permittedPeers_t *pNext; +}; + + /* interfaces */ BEGINinterface(net) /* name must also be changed in ENDinterface macro! */ rsRetVal (*cvthname)(struct sockaddr_storage *f, uchar *pszHost, uchar *pszHostFQDN, uchar *pszIP); @@ -104,7 +118,10 @@ BEGINinterface(net) /* name must also be changed in ENDinterface macro! */ int (*isAllowedSender)(struct AllowedSenders *pAllowRoot, struct sockaddr *pFrom, const char *pszFromHost); rsRetVal (*getLocalHostname)(uchar**); int (*should_use_so_bsdcompat)(void); - /* data memebers - these should go away over time... TODO */ + /* permitted peer handling should be replaced by something better (see comments above) */ + rsRetVal (*AddPermittedPeer)(permittedPeers_t **ppRootPeer, uchar *pszID); + rsRetVal (*DestructPermittedPeers)(permittedPeers_t **ppRootPeer); + /* data members - these should go away over time... TODO */ int *pACLAddHostnameOnFail; /* add hostname to acl when DNS resolving has failed */ int *pACLDontResolve; /* add hostname to acl instead of resolving it to IP(s) */ struct AllowedSenders *pAllowedSenders_UDP; diff --git a/runtime/netstrm.c b/runtime/netstrm.c index 899cb3bf..786ba7f8 100644 --- a/runtime/netstrm.c +++ b/runtime/netstrm.c @@ -43,6 +43,7 @@ #include #include "rsyslog.h" +#include "net.h" #include "module-template.h" #include "obj.h" #include "errmsg.h" @@ -202,20 +203,21 @@ SetDrvrAuthMode(netstrm_t *pThis, uchar *mode) } -/* add an accepted fingerprint -- rgerhards, 2008-05-16 - */ +/* set the driver's permitted peers -- rgerhards, 2008-05-19 */ static rsRetVal -AddDrvrPermittedFingerprint(netstrm_t *pThis, uchar *fingerprint) +SetDrvrPermPeers(netstrm_t *pThis, permittedPeers_t *pPermPeers) { DEFiRet; ISOBJ_TYPE_assert(pThis, netstrm); - iRet = pThis->Drvr.AddPermFingerprint(pThis->pDrvrData, fingerprint); + iRet = pThis->Drvr.SetPermPeers(pThis->pDrvrData, pPermPeers); RETiRet; } + /* End of methods to shuffle autentication settings to the driver. * -------------------------------------------------------------------------- */ + /* send a buffer. On entry, pLenBuf contains the number of octets to * write. On exit, it contains the number of octets actually written. * If this number is lower than on entry, only a partial buffer has @@ -311,7 +313,7 @@ CODESTARTobjQueryInterface(netstrm) pIf->GetRemoteIP = GetRemoteIP; pIf->SetDrvrMode = SetDrvrMode; pIf->SetDrvrAuthMode = SetDrvrAuthMode; - pIf->AddDrvrPermittedFingerprint = AddDrvrPermittedFingerprint; + pIf->SetDrvrPermPeers = SetDrvrPermPeers; pIf->GetSock = GetSock; finalize_it: ENDobjQueryInterface(netstrm) diff --git a/runtime/netstrm.h b/runtime/netstrm.h index ffdb392e..ae135beb 100644 --- a/runtime/netstrm.h +++ b/runtime/netstrm.h @@ -51,7 +51,7 @@ BEGINinterface(netstrm) /* name must also be changed in ENDinterface macro! */ rsRetVal (*GetRemoteIP)(netstrm_t *pThis, uchar **pszIP); rsRetVal (*SetDrvrMode)(netstrm_t *pThis, int iMode); rsRetVal (*SetDrvrAuthMode)(netstrm_t *pThis, uchar*); - rsRetVal (*AddDrvrPermittedFingerprint)(netstrm_t *pThis, uchar*); + rsRetVal (*SetDrvrPermPeers)(netstrm_t *pThis, permittedPeers_t*); /* the GetSock() below is a hack to make imgssapi work. In the long term, * we should migrate imgssapi to a stream driver, which will relieve us of * this problem. Please note that nobody else should use GetSock(). Using it diff --git a/runtime/netstrms.c b/runtime/netstrms.c index 03a46329..3e5b7819 100644 --- a/runtime/netstrms.c +++ b/runtime/netstrms.c @@ -146,8 +146,53 @@ finalize_it: } -/* set the driver mode -- rgerhards, 2008-04-30 +/* set the driver's permitted peers -- rgerhards, 2008-05-19 */ +static rsRetVal +SetDrvrPermPeers(netstrms_t *pThis, permittedPeers_t *pPermPeers) +{ + DEFiRet; + ISOBJ_TYPE_assert(pThis, netstrms); + pThis->pPermPeers = pPermPeers; + RETiRet; +} +/* return the driver's permitted peers + * We use non-standard calling conventions because it makes an awful lot + * of sense here. + * rgerhards, 2008-05-19 + */ +static uchar* +GetDrvrPermPeers(netstrms_t *pThis) +{ + ISOBJ_TYPE_assert(pThis, netstrms); + return pThis->pPermPeers; +} + + +/* set the driver auth mode -- rgerhards, 2008-05-19 */ +static rsRetVal +SetDrvrAuthMode(netstrms_t *pThis, uchar *mode) +{ + DEFiRet; + ISOBJ_TYPE_assert(pThis, netstrms); +RUNLOG_VAR("%s", mode); + CHKmalloc(pThis->pszDrvrAuthMode = (uchar*)strdup((char*)mode)); +finalize_it: + RETiRet; +} +/* return the driver auth mode + * We use non-standard calling conventions because it makes an awful lot + * of sense here. + * rgerhards, 2008-05-19 */ +static uchar* +GetDrvrAuthMode(netstrms_t *pThis) +{ + ISOBJ_TYPE_assert(pThis, netstrms); + return pThis->pszDrvrAuthMode; +} + + +/* set the driver mode -- rgerhards, 2008-04-30 */ static rsRetVal SetDrvrMode(netstrms_t *pThis, int iMode) { @@ -221,6 +266,10 @@ CODESTARTobjQueryInterface(netstrms) pIf->SetDrvrName = SetDrvrName; pIf->SetDrvrMode = SetDrvrMode; pIf->GetDrvrMode = GetDrvrMode; + pIf->SetDrvrAuthMode = SetDrvrAuthMode; + pIf->GetDrvrAuthMode = GetDrvrAuthMode; + pIf->SetDrvrPermPeers = SetDrvrPermPeers; + pIf->GetDrvrPermPeers = GetDrvrPermPeers; finalize_it: ENDobjQueryInterface(netstrms) diff --git a/runtime/netstrms.h b/runtime/netstrms.h index 1d1cc892..3f686af6 100644 --- a/runtime/netstrms.h +++ b/runtime/netstrms.h @@ -32,6 +32,9 @@ struct netstrms_s { uchar *pBaseDrvrName; /**< nsd base driver name to use, or NULL if system default */ uchar *pDrvrName; /**< full base driver name (set when driver is loaded) */ int iDrvrMode; /**< current default driver mode */ + uchar *pszDrvrAuthMode; /**< current driver authentication mode */ + permittedPeers_t *pPermPeers;/**< current driver's permitted peers */ + nsd_if_t Drvr; /**< our stream driver */ }; @@ -44,7 +47,11 @@ BEGINinterface(netstrms) /* name must also be changed in ENDinterface macro! */ rsRetVal (*CreateStrm)(netstrms_t *pThis, netstrm_t **ppStrm); rsRetVal (*SetDrvrName)(netstrms_t *pThis, uchar *pszName); rsRetVal (*SetDrvrMode)(netstrms_t *pThis, int iMode); - int (*GetDrvrMode)(netstrms_t *pThis); + rsRetVal (*SetDrvrAuthMode)(netstrms_t *pThis, uchar*); + rsRetVal (*SetDrvrPermPeers)(netstrms_t *pThis, permittedPeers_t*); + int (*GetDrvrMode)(netstrms_t *pThis); + uchar* (*GetDrvrAuthMode)(netstrms_t *pThis); + permittedPeers_t* (*GetDrvrPermPeers)(netstrms_t *pThis); ENDinterface(netstrms) #define netstrmsCURR_IF_VERSION 1 /* increment whenever you change the interface structure! */ diff --git a/runtime/nsd.h b/runtime/nsd.h index 1dc9efe9..53693b59 100644 --- a/runtime/nsd.h +++ b/runtime/nsd.h @@ -52,7 +52,7 @@ BEGINinterface(nsd) /* name must also be changed in ENDinterface macro! */ rsRetVal (*GetRemoteIP)(nsd_t *pThis, uchar **pszIP); rsRetVal (*SetMode)(nsd_t *pThis, int mode); /* sets a driver specific mode - see driver doc for details */ rsRetVal (*SetAuthMode)(nsd_t *pThis, uchar*); /* sets a driver specific mode - see driver doc for details */ - rsRetVal (*AddPermFingerprint)(nsd_t *pThis, uchar*); /* sets a driver specific mode - see driver doc for details */ + rsRetVal (*SetPermPeers)(nsd_t *pThis, permittedPeers_t*); /* sets driver permitted peers for auth needs */ rsRetVal (*GetSock)(nsd_t *pThis, int *pSock); rsRetVal (*SetSock)(nsd_t *pThis, int sock); /* GetSock() and SetSock() return an error if the driver does not use plain diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c index 4e7fa3b6..ff162754 100644 --- a/runtime/nsd_gtls.c +++ b/runtime/nsd_gtls.c @@ -39,6 +39,7 @@ #include "obj.h" #include "stringbuf.h" #include "errmsg.h" +#include "net.h" #include "nsd_ptcp.h" #include "nsdsel_gtls.h" #include "nsd_gtls.h" @@ -252,7 +253,6 @@ finalize_it: /* check the fingerprint of the remote peer's certificate. * rgerhards, 2008-05-08 */ -//static rsRetVal rsRetVal gtlsChkFingerprint(nsd_gtls_t *pThis) { @@ -264,6 +264,8 @@ gtlsChkFingerprint(nsd_gtls_t *pThis) gnutls_x509_crt cert; int bMustDeinitCert = 0; int gnuRet; + int bFoundPositiveMatch; + permittedPeers_t *pPeer; DEFiRet; ISOBJ_TYPE_assert(pThis, nsd_gtls); @@ -296,11 +298,23 @@ gtlsChkFingerprint(nsd_gtls_t *pThis) if(pThis->authMode != GTLS_AUTH_CERTFINGERPRINT) FINALIZE; - if(pThis->authIDs == NULL || rsCStrSzStrCmp(pstrFingerprint, pThis->authIDs, strlen((char*) pThis->authIDs))) { - dbgprintf("invalid server fingerprint, not permitted to talk to us\n"); + /* now search through the permitted peers to see if we can find a permitted one */ + bFoundPositiveMatch = 0; + pPeer = pThis->pPermPeers; + while(pPeer != NULL && !bFoundPositiveMatch) { + if(!rsCStrSzStrCmp(pstrFingerprint, pPeer->pszID, strlen((char*) pPeer->pszID))) { + bFoundPositiveMatch = 1; + } else { + pPeer = pPeer->pNext; + } + } + + if(!bFoundPositiveMatch) { + dbgprintf("invalid peer fingerprint, not permitted to talk to it\n"); if(pThis->bReportAuthErr == 1) { - errmsg.LogError(NO_ERRCODE, "error: server fingerprint '%s' unknown - we are " - "not permitted to talk to this server", rsCStrGetSzStr(pstrFingerprint)); + errno = 0; + errmsg.LogError(NO_ERRCODE, "error: peer fingerprint '%s' unknown - we are " + "not permitted to talk to it", rsCStrGetSzStr(pstrFingerprint)); pThis->bReportAuthErr = 0; } ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT); @@ -401,7 +415,6 @@ SetMode(nsd_t *pNsd, int mode) DEFiRet; nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; -dbgprintf("SetMode tries to set mode %d\n", mode); ISOBJ_TYPE_assert((pThis), nsd_gtls); if(mode != 0 && mode != 1) { errmsg.LogError(NO_ERRCODE, "error: driver mode %d not supported by " @@ -450,28 +463,26 @@ dbgprintf("gtls auth mode %d set\n", pThis->authMode); } -/* Add a permitted fingerprint. Only useful to call if we are using - * fingerprint authentication. Results in error if we are not in this mode. - * rgerhards, 2008-05-16 +/* Set permitted peers. It is depending on the auth mode if this are + * fingerprints or names. -- rgerhards, 2008-05-19 */ static rsRetVal -AddPermFingerprint(nsd_t *pNsd, uchar *pszFingerprint) +SetPermPeers(nsd_t *pNsd, permittedPeers_t *pPermPeers) { DEFiRet; nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; ISOBJ_TYPE_assert((pThis), nsd_gtls); - if(pThis->authMode != GTLS_AUTH_CERTFINGERPRINT) { - errmsg.LogError(NO_ERRCODE, "fingerprint authentication not supported by " + if(pPermPeers == NULL) + FINALIZE; + + if(pThis->authMode != GTLS_AUTH_CERTFINGERPRINT && pThis->authMode != GTLS_AUTH_CERTNAME) { + errmsg.LogError(NO_ERRCODE, "authentication not supported by " "gtls netstream driver in the configured authentication mode - ignored"); ABORT_FINALIZE(RS_RET_VALUE_NOT_IN_THIS_MODE); } - // TODO: proper handling - but we need to redo this when we do the - // linked list. So for now, this is good enough (but MUST BE CHANGED!). - - pThis->authIDs = pszFingerprint; -dbgprintf("gtls fingerprint '%s' set\n", pThis->authIDs); + pThis->pPermPeers = pPermPeers; finalize_it: RETiRet; @@ -590,6 +601,8 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew) /* if we reach this point, we are in TLS mode */ CHKiRet(gtlsInitSession(pNew)); gtlsSetTransportPtr(pNew, ((nsd_ptcp_t*) (pNew->pTcp))->sock); + pNew->authMode = pThis->authMode; + pNew->pPermPeers = pThis->pPermPeers; /* we now do the handshake. This is a bit complicated, because we are * on non-blocking sockets. Usually, the handshake will not complete @@ -633,6 +646,9 @@ Rcv(nsd_t *pNsd, uchar *pBuf, ssize_t *pLenBuf) nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; ISOBJ_TYPE_assert(pThis, nsd_gtls); + if(pThis->bAbortConn) + ABORT_FINALIZE(RS_RET_CONNECTION_ABORTREQ); + if(pThis->iMode == 0) { CHKiRet(nsd_ptcp.Rcv(pThis->pTcp, pBuf, pLenBuf)); FINALIZE; @@ -667,6 +683,9 @@ Send(nsd_t *pNsd, uchar *pBuf, ssize_t *pLenBuf) DEFiRet; ISOBJ_TYPE_assert(pThis, nsd_gtls); + if(pThis->bAbortConn) + ABORT_FINALIZE(RS_RET_CONNECTION_ABORTREQ); + if(pThis->iMode == 0) { CHKiRet(nsd_ptcp.Send(pThis->pTcp, pBuf, pLenBuf)); FINALIZE; @@ -771,7 +790,7 @@ CODESTARTobjQueryInterface(nsd_gtls) pIf->SetSock = SetSock; pIf->SetMode = SetMode; pIf->SetAuthMode = SetAuthMode; - pIf->AddPermFingerprint = AddPermFingerprint; + pIf->SetPermPeers =SetPermPeers; pIf->GetRemoteHName = GetRemoteHName; pIf->GetRemoteIP = GetRemoteIP; finalize_it: diff --git a/runtime/nsd_gtls.h b/runtime/nsd_gtls.h index 0576a993..1f3eb6b1 100644 --- a/runtime/nsd_gtls.h +++ b/runtime/nsd_gtls.h @@ -38,6 +38,7 @@ struct nsd_gtls_s { BEGINobjInstance; /* Data to implement generic object - MUST be the first data element! */ nsd_t *pTcp; /**< our aggregated nsd_ptcp data */ int iMode; /* 0 - plain tcp, 1 - TLS */ + int bAbortConn; /* if set, abort conncection (fatal error had happened) */ enum { GTLS_AUTH_CERTNAME = 0, GTLS_AUTH_CERTFINGERPRINT = 1, @@ -51,7 +52,7 @@ struct nsd_gtls_s { int bReportAuthErr; /* only the first auth error is to be reported, this var triggers it. Initially, it is * set to 1 and changed to 0 after the first report. It is changed back to 1 after * one successful authentication. */ - uchar *authIDs; /* TODO: make linked list, currently just a single fingerprint, must also support names */ + permittedPeers_t *pPermPeers; /* permitted senders */ }; /* interface is defined in nsd.h, we just implement it! */ diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c index 6702e118..14c564a3 100644 --- a/runtime/nsd_ptcp.c +++ b/runtime/nsd_ptcp.c @@ -153,16 +153,22 @@ finalize_it: } -/* Add a permitted fingerprint. This is a dummy, always returning an +/* Set the permitted peers. This is a dummy, always returning an * error because we do not support fingerprint authentication. * rgerhards, 2008-05-17 */ static rsRetVal -AddPermFingerprint(nsd_t __attribute__((unused)) *pNsd, uchar __attribute__((unused)) *pszFingerprint) +SetPermPeers(nsd_t __attribute__((unused)) *pNsd, permittedPeers_t __attribute__((unused)) *pPermPeers) { - errmsg.LogError(NO_ERRCODE, "fingerprint authentication not supported by " - "ptcp netstream driver"); - return RS_RET_VALUE_NOT_IN_THIS_MODE; + DEFiRet; + + if(pPermPeers != NULL) { + errmsg.LogError(NO_ERRCODE, "authentication not supported by ptcp netstream driver"); + ABORT_FINALIZE(RS_RET_VALUE_NOT_IN_THIS_MODE); + } + +finalize_it: + RETiRet; } @@ -477,6 +483,8 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*), CHKiRet(pNS->Drvr.Construct(&pNewNsd)); CHKiRet(pNS->Drvr.SetSock(pNewNsd, sock)); CHKiRet(pNS->Drvr.SetMode(pNewNsd, netstrms.GetDrvrMode(pNS))); + CHKiRet(pNS->Drvr.SetAuthMode(pNewNsd, netstrms.GetDrvrAuthMode(pNS))); + CHKiRet(pNS->Drvr.SetPermPeers(pNewNsd, netstrms.GetDrvrPermPeers(pNS))); CHKiRet(netstrms.CreateStrm(pNS, &pNewStrm)); pNewStrm->pDrvrData = (nsd_t*) pNewNsd; CHKiRet(fAddLstn(pUsr, pNewStrm)); @@ -668,7 +676,7 @@ CODESTARTobjQueryInterface(nsd_ptcp) pIf->SetSock = SetSock; pIf->SetMode = SetMode; pIf->SetAuthMode = SetAuthMode; - pIf->AddPermFingerprint = AddPermFingerprint; + pIf->SetPermPeers = SetPermPeers; pIf->Rcv = Rcv; pIf->Send = Send; pIf->LstnInit = LstnInit; diff --git a/runtime/nsdsel_gtls.c b/runtime/nsdsel_gtls.c index e54693dc..082a044b 100644 --- a/runtime/nsdsel_gtls.c +++ b/runtime/nsdsel_gtls.c @@ -128,12 +128,10 @@ doRetry(nsd_gtls_t *pNsd) switch(pNsd->rtryCall) { case gtlsRtry_handshake: gnuRet = gnutls_handshake(pNsd->sess); - dbgprintf("handshake ret %d\n", gnuRet); if(gnuRet == 0) { + pNsd->rtryCall = gtlsRtry_None; /* we are done */ /* we got a handshake, now check authorization */ - // TODO: do it! - dbgprintf("handshake done\n"); - gtlsChkFingerprint(pNsd); + CHKiRet(gtlsChkFingerprint(pNsd)); } break; default: @@ -157,6 +155,9 @@ doRetry(nsd_gtls_t *pNsd) */ finalize_it: + if(iRet != RS_RET_OK) + pNsd->bAbortConn = 1; /* request abort */ +RUNLOG_VAR("%d", pNsd->bAbortConn); RETiRet; } diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h index fe26bb44..c06b01c3 100644 --- a/runtime/rsyslog.h +++ b/runtime/rsyslog.h @@ -81,6 +81,7 @@ typedef struct interface_s interface_t; typedef struct objInfo_s objInfo_t; typedef enum rsRetVal_ rsRetVal; /**< friendly type for global return value */ typedef rsRetVal (*errLogFunc_t)(uchar*); /* this is a trick to store a function ptr to a function returning a function ptr... */ +typedef struct permittedPeers_s permittedPeers_t; /* this should go away in the long term -- rgerhards, 2008-05-19 */ typedef struct tcpsrv_s tcpsrv_t; /* some universal 64 bit define... */ @@ -227,6 +228,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth RS_RET_VALUE_NOT_SUPPORTED = -2086, /**< a provided value is not supported */ RS_RET_VALUE_NOT_IN_THIS_MODE = -2087, /**< a provided value is invalid for the curret mode */ RS_RET_INVALID_FINGERPRINT = -2088, /**< a fingerprint is not valid for this use case */ + RS_RET_CONNECTION_ABORTREQ = -2089, /**< connection was abort requested due to previous error */ /* RainerScript error messages (range 1000.. 1999) */ RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */ diff --git a/tcpsrv.c b/tcpsrv.c index 6db2fee7..9b3553f1 100644 --- a/tcpsrv.c +++ b/tcpsrv.c @@ -457,6 +457,7 @@ Run(tcpsrv_t *pThis) pThis->pOnRegularClose(pThis->pSessions[iTCPSess]); tcps_sess.Destruct(&pThis->pSessions[iTCPSess]); } else if(state == -1) { + errno = 0; errmsg.LogError(NO_ERRCODE, "netstream session %p will be closed, error ignored\n", pThis->pSessions[iTCPSess]->pStrm); pThis->pOnErrClose(pThis->pSessions[iTCPSess]); @@ -478,12 +479,18 @@ Run(tcpsrv_t *pThis) iTCPSess = TCPSessGetNxtSess(pThis, iTCPSess); } CHKiRet(nssel.Destruct(&pSel)); +finalize_it: /* this is a very special case - this time only we do not exit the function, + * because that would not help us either. So we simply retry it. Let's see + * if that actually is a better idea. Exiting the loop wasn't we always + * crashed, which made sense (the rest of the engine was not prepared for + * that) -- rgerhards, 2008-05-19 + */ + /*EMPTY*/; } /* note that this point is usually not reached */ pthread_cleanup_pop(0); /* remove cleanup handler */ -finalize_it: // TODO: think: is it really good to exit the loop? RETiRet; } @@ -504,6 +511,10 @@ tcpsrvConstructFinalize(tcpsrv_t *pThis) /* prepare network stream subsystem */ CHKiRet(netstrms.Construct(&pThis->pNS)); CHKiRet(netstrms.SetDrvrMode(pThis->pNS, pThis->iDrvrMode)); + if(pThis->pszDrvrAuthMode != NULL) + CHKiRet(netstrms.SetDrvrAuthMode(pThis->pNS, pThis->pszDrvrAuthMode)); + if(pThis->pPermPeers != NULL) + CHKiRet(netstrms.SetDrvrPermPeers(pThis->pNS, pThis->pPermPeers)); // TODO: set driver! CHKiRet(netstrms.ConstructFinalize(pThis->pNS)); @@ -530,6 +541,8 @@ CODESTARTobjDestruct(tcpsrv) if(pThis->pNS != NULL) netstrms.Destruct(&pThis->pNS); + if(pThis->pszDrvrAuthMode != NULL) + free(pThis->pszDrvrAuthMode); if(pThis->ppLstn != NULL) free(pThis->ppLstn); ENDobjDestruct(tcpsrv) @@ -628,8 +641,14 @@ SetUsrP(tcpsrv_t *pThis, void *pUsr) pThis->pUsr = pUsr; RETiRet; } -/* set the driver mode -- rgerhards, 2008-04-30 - */ + + +/* here follows a number of methods that shuffle authentication settings down + * to the drivers. Drivers not supporting these settings may return an error + * state. + * -------------------------------------------------------------------------- */ + +/* set the driver mode -- rgerhards, 2008-04-30 */ static rsRetVal SetDrvrMode(tcpsrv_t *pThis, int iMode) { @@ -640,6 +659,32 @@ SetDrvrMode(tcpsrv_t *pThis, int iMode) } +/* set the driver authentication mode -- rgerhards, 2008-05-19 */ +static rsRetVal +SetDrvrAuthMode(tcpsrv_t *pThis, uchar *mode) +{ + DEFiRet; + ISOBJ_TYPE_assert(pThis, tcpsrv); + CHKmalloc(pThis->pszDrvrAuthMode = (uchar*)strdup((char*)mode)); +finalize_it: + RETiRet; +} + + +/* set the driver's permitted peers -- rgerhards, 2008-05-19 */ +static rsRetVal +SetDrvrPermPeers(tcpsrv_t *pThis, permittedPeers_t *pPermPeers) +{ + DEFiRet; + ISOBJ_TYPE_assert(pThis, tcpsrv); + pThis->pPermPeers = pPermPeers; + RETiRet; +} + + +/* End of methods to shuffle autentication settings to the driver.; + + * -------------------------------------------------------------------------- */ /* queryInterface function @@ -668,6 +713,8 @@ CODESTARTobjQueryInterface(tcpsrv) pIf->SetUsrP = SetUsrP; pIf->SetDrvrMode = SetDrvrMode; + pIf->SetDrvrAuthMode = SetDrvrAuthMode; + pIf->SetDrvrPermPeers = SetDrvrPermPeers; pIf->SetCBIsPermittedHost = SetCBIsPermittedHost; pIf->SetCBOpenLstnSocks = SetCBOpenLstnSocks; pIf->SetCBRcvData = SetCBRcvData; diff --git a/tcpsrv.h b/tcpsrv.h index 07826125..0feb62f3 100644 --- a/tcpsrv.h +++ b/tcpsrv.h @@ -30,6 +30,8 @@ struct tcpsrv_s { BEGINobjInstance; /**< Data to implement generic object - MUST be the first data element! */ netstrms_t *pNS; /**< pointer to network stream subsystem */ int iDrvrMode; /**< mode of the stream driver to use */ + uchar *pszDrvrAuthMode; /**< auth mode of the stream driver to use */ + permittedPeers_t *pPermPeers;/**< driver's permitted peers */ int iLstnMax; /**< max nbr of listeners currently supported */ netstrm_t **ppLstn; /**< our netstream listners */ int iSessMax; /**< max number of sessions supported */ @@ -71,12 +73,14 @@ BEGINinterface(tcpsrv) /* name must also be changed in ENDinterface macro! */ rsRetVal (*SetCBOnRegularClose)(tcpsrv_t*, rsRetVal (*) (tcps_sess_t*)); rsRetVal (*SetCBOnErrClose)(tcpsrv_t*, rsRetVal (*) (tcps_sess_t*)); rsRetVal (*SetDrvrMode)(tcpsrv_t *pThis, int iMode); + rsRetVal (*SetDrvrAuthMode)(tcpsrv_t *pThis, uchar *pszMode); + rsRetVal (*SetDrvrPermPeers)(tcpsrv_t *pThis, permittedPeers_t*); /* session specifics */ rsRetVal (*SetCBOnSessAccept)(tcpsrv_t*, rsRetVal (*) (tcpsrv_t*, tcps_sess_t*)); rsRetVal (*SetCBOnSessDestruct)(tcpsrv_t*, rsRetVal (*) (void*)); rsRetVal (*SetCBOnSessConstructFinalize)(tcpsrv_t*, rsRetVal (*) (void*)); ENDinterface(tcpsrv) -#define tcpsrvCURR_IF_VERSION 2 /* increment whenever you change the interface structure! */ +#define tcpsrvCURR_IF_VERSION 3 /* increment whenever you change the interface structure! */ /* prototypes */ diff --git a/tools/omfwd.c b/tools/omfwd.c index 43f601e3..a902fe3b 100644 --- a/tools/omfwd.c +++ b/tools/omfwd.c @@ -79,7 +79,8 @@ typedef struct _instanceData { netstrm_t *pNetstrm; /* our output netstream */ uchar *pszStrmDrvr; uchar *pszStrmDrvrAuthMode; - uchar *pszStrmDrvrFingerprint; + permittedPeers_t *pPermPeersRootFingerprint; + permittedPeers_t *pPermPeersRootNames; int iStrmDrvrMode; char *f_hname; int *pSockArray; /* sockets to use for UDP */ @@ -98,9 +99,10 @@ typedef struct _instanceData { static uchar *pszTplName = NULL; /* name of the default template to use */ static uchar *pszStrmDrvr = NULL; /* name of the stream driver to use */ static int iStrmDrvrMode = 0; /* mode for stream driver, driver-dependent (0 mostly means plain tcp) */ -static uchar *pszStrmDrvrAuthMode = NULL; /* name of the default template to use */ -static uchar *pszStrmDrvrFingerprint = NULL; /* name of the default template to use */ +static uchar *pszStrmDrvrAuthMode = NULL; /* authentication mode to use */ +static permittedPeers_t *pPermPeersRootFingerprint = NULL; +static permittedPeers_t *pPermPeersRootNames = NULL; /* get the syslog forward port from selector_t. The passed in * struct must be one that is setup for forwarding. @@ -154,8 +156,10 @@ CODESTARTfreeInstance free(pData->pszStrmDrvr); if(pData->pszStrmDrvrAuthMode != NULL) free(pData->pszStrmDrvrAuthMode); - if(pData->pszStrmDrvrFingerprint != NULL) - free(pData->pszStrmDrvrFingerprint); + if(pData->pPermPeersRootFingerprint != NULL) + net.DestructPermittedPeers(&pData->pPermPeersRootFingerprint); + if(pData->pPermPeersRootNames != NULL) + net.DestructPermittedPeers(&pData->pPermPeersRootNames); ENDfreeInstance @@ -212,6 +216,19 @@ static rsRetVal UDPSend(instanceData *pData, char *msg, size_t len) } +/* set the cert fingerprint -- rgerhards, 2008-05-19 + */ +static rsRetVal +setFingerprint(void __attribute__((unused)) *pVal, uchar *pszID) +{ + DEFiRet; + CHKiRet(net.AddPermittedPeer(&pPermPeersRootFingerprint, pszID)); +finalize_it: + RETiRet; +} + + + /* CODE FOR SENDING TCP MESSAGES */ @@ -281,9 +298,8 @@ static rsRetVal TCPSendInit(void *pvData) if(pData->pszStrmDrvrAuthMode != NULL) { CHKiRet(netstrm.SetDrvrAuthMode(pData->pNetstrm, pData->pszStrmDrvrAuthMode)); } - if(pData->pszStrmDrvrFingerprint != NULL) { - CHKiRet(netstrm.AddDrvrPermittedFingerprint(pData->pNetstrm, - pData->pszStrmDrvrFingerprint)); + if(pData->pPermPeersRootFingerprint != NULL) { + CHKiRet(netstrm.SetDrvrPermPeers(pData->pNetstrm, pData->pPermPeersRootFingerprint)); } /* params set, now connect */ CHKiRet(netstrm.Connect(pData->pNetstrm, glbl.GetDefPFFamily(), @@ -590,9 +606,14 @@ CODE_STD_STRING_REQUESTparseSelectorAct(1) if(pszStrmDrvrAuthMode != NULL) CHKmalloc(pData->pszStrmDrvrAuthMode = (uchar*)strdup((char*)pszStrmDrvrAuthMode)); - if(pszStrmDrvrFingerprint != NULL) - CHKmalloc(pData->pszStrmDrvrFingerprint = - (uchar*)strdup((char*)pszStrmDrvrFingerprint)); + if(pPermPeersRootFingerprint != NULL) { + pData->pPermPeersRootFingerprint = pPermPeersRootFingerprint; + pPermPeersRootFingerprint = NULL; + } + if(pPermPeersRootNames != NULL) { + pData->pPermPeersRootNames = pPermPeersRootNames; + pPermPeersRootNames = NULL; + } } CODE_STD_FINALIZERparseSelectorAct @@ -617,9 +638,8 @@ freeConfigVars(void) free(pszStrmDrvrAuthMode); pszStrmDrvrAuthMode = NULL; } - if(pszStrmDrvrFingerprint != NULL) { - free(pszStrmDrvrFingerprint); - pszStrmDrvrFingerprint = NULL; + if(pPermPeersRootFingerprint != NULL) { + free(pPermPeersRootFingerprint); } } @@ -670,7 +690,7 @@ CODEmodInit_QueryRegCFSLineHdlr CHKiRet(regCfSysLineHdlr((uchar *)"actionsendstreamdriver", 0, eCmdHdlrGetWord, NULL, &pszStrmDrvr, NULL)); CHKiRet(regCfSysLineHdlr((uchar *)"actionsendstreamdrivermode", 0, eCmdHdlrInt, NULL, &iStrmDrvrMode, NULL)); CHKiRet(regCfSysLineHdlr((uchar *)"actionsendstreamdriverauthmode", 0, eCmdHdlrGetWord, NULL, &pszStrmDrvrAuthMode, NULL)); - CHKiRet(regCfSysLineHdlr((uchar *)"actionsendstreamdrivercertfingerprint", 0, eCmdHdlrGetWord, NULL, &pszStrmDrvrFingerprint, NULL)); + CHKiRet(regCfSysLineHdlr((uchar *)"actionsendstreamdrivercertfingerprint", 0, eCmdHdlrGetWord, setFingerprint, NULL, NULL)); CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler, resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID)); ENDmodInit -- cgit v1.2.3 From 2b90fa41fd1ff69a241af01dbabac579f3be213e Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Tue, 20 May 2008 15:13:17 +0200 Subject: changed default GnuTLS key material to more reasonable values We now also provide everything to sign with a common CA. NOTE: none of this is for production use! --- contrib/gnutls/ca-key.pem | 15 +++++++++++++++ contrib/gnutls/ca.pem | 25 +++++++++++++------------ contrib/gnutls/cert.pem | 45 ++++++++++++++------------------------------- contrib/gnutls/key.pem | 26 +++++++++++++------------- runtime/nsdsel_gtls.c | 1 - 5 files changed, 55 insertions(+), 57 deletions(-) create mode 100644 contrib/gnutls/ca-key.pem diff --git a/contrib/gnutls/ca-key.pem b/contrib/gnutls/ca-key.pem new file mode 100644 index 00000000..181a8ad9 --- /dev/null +++ b/contrib/gnutls/ca-key.pem @@ -0,0 +1,15 @@ +-----BEGIN RSA PRIVATE KEY----- +MIICXQIBAAKBgQDDaz5X5YIruPH0wukMPik7xIKqrpCcr8Gm28oz5h4GtX253eWr +piBuk2a/f/CKDjeuqmiWqTs90PFNb+Z1c+Yzvagqv80VzZwDI4RcrwlNaKrBz/9X +iowCcoV8s7GvV2vtZEPSThNzz4FYkxCMvbOYZeJIYQVhZggUcuadfhmDIwIDAQAB +AoGAIG5AUD2jmYDzD+UhiultVgtkifyNaEtsuQsZu/zbt85P2VQ0z4SINlbvrXvc +iJ9tEzzEPa3udHGj/MTDe3OAB4TK5tImX1pe2gw+zaOB/DaH5i4QhXeltU7epCHF +oUv9EVNzL8Bl00MFiWcLY0LisQVfHeW5rcN9U7EbvTlWbRkCQQDR2/Qn1ceavwDU +qYt2TbEicJVC8aQMYYyc6Xvi4mZaNa8gGCpWpurgQop0Ln0QE8vA0601UVs6N3tm +g8FJ8rXpAkEA7mKCtp2MXCbHMdkZCyQt6drUYCyU9N/HtmBEtFGpqt1PdMyUI07m +rlVFDwUH9JFmg18RP1X2ufj7+ZbJzaMtKwJBAJgbw1Z0P19Mfj+mPC2dlnyN+cIx +/2Px+Mdq/J6w1tsf+jVbDqUMC0ZNNKmNYJycnJzBUNRKicMin9DoQttkjrECQQCC +s/aRY+6adBSRi0QE7NBTwUzicm81mCDrKPtilsfdTDyNgMHUXiVy/oO/yXVkLfi0 +HQLa5CpEK3UUkw2Qt2BDAkA0XXvQzW0+tEHiktLNljIluhiyOAx2bBywY/9Qmn6C +hv4sOSCzTR39jNmuNZ0X6ZZvt4VsWTHhpche/ud1+3p6 +-----END RSA PRIVATE KEY----- diff --git a/contrib/gnutls/ca.pem b/contrib/gnutls/ca.pem index 747250ca..6324c7d5 100644 --- a/contrib/gnutls/ca.pem +++ b/contrib/gnutls/ca.pem @@ -1,14 +1,15 @@ -----BEGIN CERTIFICATE----- -MIICPDCCAaegAwIBAgIBADALBgkqhkiG9w0BAQUwRTELMAkGA1UEBhMCR1IxDDAK -BgNVBAoTA0ZTRjEPMA0GA1UECxMGR05VVExTMRcwFQYDVQQDEw5HTlVUTFMgVEVT -VCBDQTAeFw0wNDA2MjgyMjQ0MDBaFw0wNzAzMjQyMjQ0MDBaMEUxCzAJBgNVBAYT -AkdSMQwwCgYDVQQKEwNGU0YxDzANBgNVBAsTBkdOVVRMUzEXMBUGA1UEAxMOR05V -VExTIFRFU1QgQ0EwgZwwCwYJKoZIhvcNAQEBA4GMADCBiAKBgMK0cY9Tap5F7DXX -tu7HpHlZtu+zqfofyLJSIBpUdbiwFIGzB486stbog0mpiy32mGIG5hNlpcRMJMVm -MmZ1RueqQWR+vdDroBoV199zAZQVww1NmmHi/Wtxa6x9SsXdya+SnoC8KI/V3EKx -gYG0hYAuYWNA9JnntTU0xCwWOBaPAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8w -DwYDVR0PAQH/BAUDAwcGADAdBgNVHQ4EFgQUeesbb6Nm5nnh0eK129onBkUpCkgw -CwYJKoZIhvcNAQEFA4GBAGCCzUSCVZOXffm/KFxbyT2Lrltyzqlr0Oknp55eNAIk -fy+m/viSOmoTCaK9Gmtk3eMAxIeZ8U7TDKrbrxx/NSsggbypqa3EMMwr2JH9kzAZ -eluQ0vEVqfvRq5jzjuORYYhl7VgqpU0/ctvI3b+9tCZAOCcUX0HPvNweAzYjnkDi +MIICYjCCAc2gAwIBAgIBATALBgkqhkiG9w0BAQUwWDELMAkGA1UEBhMCREUxHTAb +BgNVBAoTFHJzeXNsb2cgdGVzdCByb290IENBMQswCQYDVQQLEwJDQTEdMBsGA1UE +AxMUcnN5c2xvZy10ZXN0LXJvb3QtY2EwHhcNMDgwNTIwMTI1ODEyWhcNMTgwNTE4 +MTI1ODI0WjBYMQswCQYDVQQGEwJERTEdMBsGA1UEChMUcnN5c2xvZyB0ZXN0IHJv +b3QgQ0ExCzAJBgNVBAsTAkNBMR0wGwYDVQQDExRyc3lzbG9nLXRlc3Qtcm9vdC1j +YTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGAw2s+V+WCK7jx9MLpDD4pO8SCqq6Q +nK/BptvKM+YeBrV9ud3lq6YgbpNmv3/wig43rqpolqk7PdDxTW/mdXPmM72oKr/N +Fc2cAyOEXK8JTWiqwc//V4qMAnKFfLOxr1dr7WRD0k4Tc8+BWJMQjL2zmGXiSGEF +YWYIFHLmnX4ZgyMCAwEAAaNDMEEwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8E +BQMDBwYAMB0GA1UdDgQWBBQzYQQgUm0YLNdarJnc2c1LxYVClDALBgkqhkiG9w0B +AQUDgYEAuGWtH7Jkpa0n/izqQ5ddDQP/LT6taivCwlpEYEU9aumpQPWWxtYywKaP +RfM1JTMLAiYd8MS7TJ8TYRvvR32Y02Y+OhXn11xERkWvBT2M9yzqX6hDfRueN7RT +fPWsfm/NBTVojzjaECcTFenZid7PC5JiFbcU6PSUMZ49/JPhxAo= -----END CERTIFICATE----- diff --git a/contrib/gnutls/cert.pem b/contrib/gnutls/cert.pem index 88910725..6b5b13cd 100644 --- a/contrib/gnutls/cert.pem +++ b/contrib/gnutls/cert.pem @@ -1,33 +1,16 @@ -----BEGIN CERTIFICATE----- -MIICmDCCAgOgAwIBAgIBAjALBgkqhkiG9w0BAQUwUjELMAkGA1UEBhMCR1IxDDAK -BgNVBAoTA0ZTRjEPMA0GA1UECxMGR05VVExTMSQwIgYDVQQDExtHTlVUTFMgSU5U -RVJNRURJQVRFIFRFU1QgQ0EwHhcNMDQwNjI4MjI0NzAwWhcNMDcwMzIyMjI0NzAw -WjBJMQswCQYDVQQGEwJHUjEMMAoGA1UEChMDRlNGMQ8wDQYDVQQLEwZHTlVUTFMx -GzAZBgNVBAMTEkdOVVRMUyBURVNUIFNFUlZFUjCBnDALBgkqhkiG9w0BAQEDgYwA -MIGIAoGA1chUqA9ib8S5GKd29B9d1rwgUncFhJPu0+RK8kOyOsV3qBdtdWeBSiGW -So1RHkcmV9BlbUtmuHioAUkZPSo8gtoEy3JpSemW221BsjwITjGeZxZsb+4C/U2X -HUIlO+jqBK5VYbpNXkP/2ofMkWWAZyKnI+PMIfFvv/cASsI0k48CAwEAAaOBjTCB -ijAMBgNVHRMBAf8EAjAAMBQGA1UdEQQNMAuCCWxvY2FsaG9zdDATBgNVHSUEDDAK -BggrBgEFBQcDATAPBgNVHQ8BAf8EBQMDB6AAMB0GA1UdDgQWBBTIZD/hlqUB89OE -AwonwqGflkHtijAfBgNVHSMEGDAWgBQ2tS+xHdrw3r4o20MwGkLdzh5UlDALBgkq -hkiG9w0BAQUDgYEAWPpWlUlvzDZRbpneYw8d6Q8On/ZPmSYBCm38vTKPEoNA6lW1 -WIc3Vbw5zOeSfDLifIWV2W/MqyjDo9MeWvSKpcUfRfibpXBgbA4RAGW0j2K1JQmE -gP3k1vMicYzn5EglhZjoa9I+36a90vJraqzHQ7DrKtW0FDfW2GREzSh9RV8= +MIIChjCCAfGgAwIBAgIBADALBgkqhkiG9w0BAQUwWDELMAkGA1UEBhMCREUxHTAb +BgNVBAoTFHJzeXNsb2cgdGVzdCByb290IENBMQswCQYDVQQLEwJDQTEdMBsGA1UE +AxMUcnN5c2xvZy10ZXN0LXJvb3QtY2EwHhcNMDgwNTIwMTMwNDE5WhcNMTgwNTE4 +MTMwNDI2WjA6MQswCQYDVQQGEwJERTEQMA4GA1UEChMHcnN5c2xvZzEZMBcGA1UE +CxMQdGVzdCBjZXJ0aWZpY2F0ZTCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGAxmHe +fztJgaGxFYEceiUg0hdMlRVWBqoZelJ8BeXTDnXcu/5F2HtM+l+QDyDaGjKlx+NI +K4rkj7d6Wd3AKPgOYS0VSDZe3a1xf9rRYzOthWTv7tYi4/LTqPXqN5lKE71dgrB/ +/gOmvV/1YD776FIxVGCSAT0hHwkFC3slmpJSwD8CAwEAAaOBhDCBgTAMBgNVHRMB +Af8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcDATASBgNVHREECzAJ +ggdyc3lzbG9nMB0GA1UdDgQWBBQYu6eC9UALvC+5K5VOnFRi5OC98TAfBgNVHSME +GDAWgBQzYQQgUm0YLNdarJnc2c1LxYVClDALBgkqhkiG9w0BAQUDgYEAXaymqsG9 +PNBhhWIRFvXCDMaDM71vUtgSFoNUbxIV607ua2HQosPPM4EHIda6N6hdBK1bMQoG +yqBwhvw0JVaVaO70Kbs2m2Ypk3YcpJtRqyp8q8+2y/w1Mk1QazFZC29aYgX2iNVf +X4/x38YEL7Gu5vqPrTn++agnV4ZXECKuvLQ= -----END CERTIFICATE----- - ------BEGIN CERTIFICATE----- -MIICajCCAdWgAwIBAgIBATALBgkqhkiG9w0BAQUwRTELMAkGA1UEBhMCR1IxDDAK -BgNVBAoTA0ZTRjEPMA0GA1UECxMGR05VVExTMRcwFQYDVQQDEw5HTlVUTFMgVEVT -VCBDQTAeFw0wNDA2MjgyMjQ2MDBaFw0wNzAzMjMyMjQ2MDBaMFIxCzAJBgNVBAYT -AkdSMQwwCgYDVQQKEwNGU0YxDzANBgNVBAsTBkdOVVRMUzEkMCIGA1UEAxMbR05V -VExTIElOVEVSTUVESUFURSBURVNUIENBMIGcMAsGCSqGSIb3DQEBAQOBjAAwgYgC -gYC0JKSLzHuiWK66XYOJk6AxDBo94hdCFnfIor7xnZkqTgiUQZhk9HDVmmz1+tLd -yJk6r9PK+WMDDBkSOvT+SmQNd9mL2JzI+bJWwoB77aJ7vUI3/9+ugtffiapnX6wx -vLyAxeJRyN0Q3oBHc6N2dJo9z1NHoFe8xipXXHOdxU1DAwIDAQABo2QwYjAPBgNV -HRMBAf8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBAAwHQYDVR0OBBYEFDa1L7Ed2vDe -vijbQzAaQt3OHlSUMB8GA1UdIwQYMBaAFHnrG2+jZuZ54dHitdvaJwZFKQpIMAsG -CSqGSIb3DQEBBQOBgQCi/SI37DrGCeZhtGhU2AyZFaqskRoFt4zAb9UYaGZaYEh5 -0VUZsA/Ol8jiiQTtiCokZswhSsn+2McZmcspKigsY2aEBrry+TGFWMnYu5j5kcwP -1nVuHxLRwLt2rIsjgkeSNdHr8XHKi9/Roz/Gj86OnBAHwPt8WHfHK+63cMX1WA== ------END CERTIFICATE----- - diff --git a/contrib/gnutls/key.pem b/contrib/gnutls/key.pem index 1e80b2e5..3ff507f0 100644 --- a/contrib/gnutls/key.pem +++ b/contrib/gnutls/key.pem @@ -1,15 +1,15 @@ -----BEGIN RSA PRIVATE KEY----- -MIICWwIBAAKBgQDVyFSoD2JvxLkYp3b0H13WvCBSdwWEk+7T5EryQ7I6xXeoF211 -Z4FKIZZKjVEeRyZX0GVtS2a4eKgBSRk9KjyC2gTLcmlJ6ZbbbUGyPAhOMZ5nFmxv -7gL9TZcdQiU76OoErlVhuk1eQ//ah8yRZYBnIqcj48wh8W+/9wBKwjSTjwIDAQAB -AoGAAn2Ueua++1Vb4K0mxh5NbhCAAeXwEwTULfTFaMAgJe4iADvRoyIDEBWHFjRC -QyuKB1DetaDAwBprvqQW3q8MyGYD7P9h85Wfu/hpIYKTw9hNeph420aE8WXw2ygl -TkJz3bzkMrXe/WjdhS1kTt8avCNQR/p0jM/UHvNze4oLc1ECQQDfammiczQFtj+F -uf3CNcYwp5XNumF+pubdGb+UHUiHyCuVQxvm+LXgq8wXV/uXFLrp7FQFLCDQf0ji -KDB2YQvRAkEA9PY/2AaGsU7j8ePwQbxCkwuj3hY6O6aNLIGxKxwZrzbob26c+tQk -/++e0IXusIscBvcRV1Kg8Ff6fnw7/AdhXwJAG8qVbOuRmGk0BkwuFmPoeW3vNQgR -X96O7po0qPBqVdRAU2rvzYtkCFxYqq0ilI0ekZtAfKxbeykaQaRkkKPaoQJAcifP -yWJ/tu8z4DM7Ka+pFqTMwIllM1U3vFtv3LXezDE7AGDCyHKdB7MXcPXqj6nmCLMi -swwiLLahAOBnUqk6xwJAJQ4pGcFFlCiIiVsq0wYSYmZUcRpSIInEQ0f8/xN6J22Z -siP5vnJM3F7R6ciYTt2gzNci/W9cdZI2HxskkO5lbQ== +MIICWwIBAAKBgQDGYd5/O0mBobEVgRx6JSDSF0yVFVYGqhl6UnwF5dMOddy7/kXY +e0z6X5APINoaMqXH40griuSPt3pZ3cAo+A5hLRVINl7drXF/2tFjM62FZO/u1iLj +8tOo9eo3mUoTvV2CsH/+A6a9X/VgPvvoUjFUYJIBPSEfCQULeyWaklLAPwIDAQAB +AoGARIwKqmHc+0rYenq7UUVE+vMMBjNyHyllVkvsCMmpzMRS+i5ZCf1I0vZ0O5X5 +ZrX7bH8PL+R1J2eZgjXKMR3NMZBuyKHewItD9t2rIC0eD/ITlwq3VybbaMsw666e +INxSmax+dS5CEcLevHHP3c+Q7S7QAFiWV43TdFUGXWJktIkCQQDPQ5WAZ+/Tvv0Q +vtRjXMeTVaw/bSuKNUeDzFkmGyePnFeCReNFtJLE9PFSQWcPuYcbZgU59JTfA5ac +Un+cHm31AkEA9Qek+q7PcJ+kON9E6SNodCZn6gLyHjnWrq4tf8pZO3NvoX2QiuD4 +rwF7KWjr6q1JzADpLtwXnuYEhyiLFjJA4wJAcElMCEnG2y+ASH8p7z7HfKGQdLg/ +O1wMB3JA5e0WLK5lllUogI4IaZ3N02NNY25+rLBDqpc/w+ZcxQnIypqNtQJATs9p +ofON5wSB1oUBbhckZo9fxuWxqEUkJsUA/2Q+9R843XE8h166vdc1HOmRT8bywHne +hmLl+gazmCFTMw1wzwJAHng+3zGUl4D8Ov3MPFD6hwYYK6/pEdtz/NUsCSazF7eK +XuuP+DXPHNhXOuF1A3tP74pfc/fC1uCUH2G5z3Fy0Q== -----END RSA PRIVATE KEY----- diff --git a/runtime/nsdsel_gtls.c b/runtime/nsdsel_gtls.c index 082a044b..96456564 100644 --- a/runtime/nsdsel_gtls.c +++ b/runtime/nsdsel_gtls.c @@ -157,7 +157,6 @@ doRetry(nsd_gtls_t *pNsd) finalize_it: if(iRet != RS_RET_OK) pNsd->bAbortConn = 1; /* request abort */ -RUNLOG_VAR("%d", pNsd->bAbortConn); RETiRet; } -- cgit v1.2.3 From cb8188da16d0ff66ef6bc2f9b0b52554651f06b2 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Wed, 21 May 2008 11:04:01 +0200 Subject: re-enabled anon mode (failed if client did not provide cert) --- runtime/nsd_gtls.c | 9 ++++++--- tcpsrv.c | 2 +- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c index ff162754..fd7a502a 100644 --- a/runtime/nsd_gtls.c +++ b/runtime/nsd_gtls.c @@ -270,6 +270,12 @@ gtlsChkFingerprint(nsd_gtls_t *pThis) ISOBJ_TYPE_assert(pThis, nsd_gtls); + /* first check if we need to do fingerprint authentication - if not, we + * are already set ;) -- rgerhards, 2008-05-21 + */ + if(pThis->authMode != GTLS_AUTH_CERTFINGERPRINT) + FINALIZE; + /* This function only works for X.509 certificates. */ if(gnutls_certificate_type_get(pThis->sess) != GNUTLS_CRT_X509) return RS_RET_TLS_CERT_ERR; @@ -295,9 +301,6 @@ gtlsChkFingerprint(nsd_gtls_t *pThis) CHKiRet(GenFingerprintStr(fingerprint, size, &pstrFingerprint)); dbgprintf("peer's certificate SHA1 fingerprint: %s\n", rsCStrGetSzStr(pstrFingerprint)); - if(pThis->authMode != GTLS_AUTH_CERTFINGERPRINT) - FINALIZE; - /* now search through the permitted peers to see if we can find a permitted one */ bFoundPositiveMatch = 0; pPeer = pThis->pPermPeers; diff --git a/tcpsrv.c b/tcpsrv.c index 9b3553f1..dca6eb0c 100644 --- a/tcpsrv.c +++ b/tcpsrv.c @@ -458,7 +458,7 @@ Run(tcpsrv_t *pThis) tcps_sess.Destruct(&pThis->pSessions[iTCPSess]); } else if(state == -1) { errno = 0; - errmsg.LogError(NO_ERRCODE, "netstream session %p will be closed, error ignored\n", + errmsg.LogError(NO_ERRCODE, "netstream session %p will be closed due to error\n", pThis->pSessions[iTCPSess]->pStrm); pThis->pOnErrClose(pThis->pSessions[iTCPSess]); tcps_sess.Destruct(&pThis->pSessions[iTCPSess]); -- cgit v1.2.3 From 350f28efd97ff8f84fa0c86b5655e1cef8d4596e Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Wed, 21 May 2008 11:41:15 +0200 Subject: added new transport auth methods to doc set --- doc/imtcp.html | 11 +++++++---- doc/netstream.html | 21 +++++++++++++++++++++ doc/ns_gtls.html | 36 ++++++++++++++++++++++++++++++++++++ doc/ns_ptcp.html | 16 ++++++++++++++++ doc/rsyslog_conf.html | 11 ++++++----- 5 files changed, 86 insertions(+), 9 deletions(-) create mode 100644 doc/netstream.html create mode 100644 doc/ns_gtls.html create mode 100644 doc/ns_ptcp.html diff --git a/doc/imtcp.html b/doc/imtcp.html index b2c6d21d..86c50dba 100644 --- a/doc/imtcp.html +++ b/doc/imtcp.html @@ -1,8 +1,6 @@ -TCP Syslog Input Module - - +TCP Syslog Input Module

TCP Syslog Input Module

Module Name:    imtcp

@@ -23,7 +21,12 @@ $InputTCPServerRun multiple times. This is not currently supported.
  • $InputTCPServerRun <port>
    Starts a TCP server on selected port
  • $InputTCPMaxSessions <number>
    -Sets the maximum number of sessions supported
    • +Sets the maximum number of sessions supported
  • $InputTCPServerStreamDriverMode <number>
    +Sets the driver mode for the currently selected network stream driver. <number> is driver specifc.
  • $InputTCPServerStreamDriverAuthMode <mode-string>
    +Sets the authentication mode for the currently selected network stream driver. <mode-string> is driver specifc.
  • $InputTCPServerStreamDriverPermittedPeer <id-string>
    +Sets permitted peer IDs. Only these peers are able to connect to the +listener. <id-string> semantics depend on the currently selected +AuthMode and  network stream driver. PermittedPeers may not be set in anonymous modes.
    • Caveats/Known Bugs:
      diff --git a/doc/netstream.html b/doc/netstream.html new file mode 100644 index 00000000..e7d54c12 --- /dev/null +++ b/doc/netstream.html @@ -0,0 +1,21 @@ + +Network Stream Drivers + + + +

      Network Stream Drivers

      Network stream drivers are a layer +between various parts of rsyslogd (e.g. the imtcp module) and the +transport layer. They provide sequenced delivery, authentication and +confidentiality to the upper layers. Drivers implement different +capabilities.

      Users need to know about netstream drivers because +they need to configure the proper driver, and proper driver properties, +to achieve desired results (e.g. a TLS-protected syslog transmission).

      The following drivers exist:

      • ptcp - the plain tcp network transport (no security)
      • gtls - a secure TLS transport implemented via the GnuTLS library
      [rsyslog.conf overview] +[manual index] [rsyslog site] +

      This documentation is part of the +rsyslog +project.
      +Copyright © 2008 by Rainer +Gerhards and +Adiscon. +Released under the GNU GPL version 3 or higher.

      + \ No newline at end of file diff --git a/doc/ns_gtls.html b/doc/ns_gtls.html new file mode 100644 index 00000000..ff5ed7c3 --- /dev/null +++ b/doc/ns_gtls.html @@ -0,0 +1,36 @@ + +gtls Network Stream Driver + + + +

      gtls Network Stream Driver

      +

      This network stream +driver implements a TLS protected transport via the GnuTLS +library.

      +

      Supported Driver Modes

      +
        +
      • 0 - unencrypted trasmission (just like ptcp driver)
        • +
      • 1 - TLS-protected operation
        • +
      Note: mode 0 does not provide any benefit over the ptcp driver. +This mode exists for technical reasons, but should not be used. It may +be removed in the future.
      +Supported Authentication Modes
      +
        +
      • anon - anonymous authentication as +described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
        • +
      • x509/fingerprint - certificate fingerprint authentication as +described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
      • x509/name - certificate validation and subject name authentication as +described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft [NOT YET IMPLEMENTED]
        • +
      Note: "anon" does not permit to authenticate the remote peer. As +such, this mode is vulnerable to man in the middle attacks as well as +unauthorized access. It is recommended NOT to use this mode.
      +[rsyslog.conf overview] +[manual index] [rsyslog site] +

      This documentation is part of the +rsyslog +project.
      +Copyright © 2008 by Rainer +Gerhards and +Adiscon. +Released under the GNU GPL version 3 or higher.

      + \ No newline at end of file diff --git a/doc/ns_ptcp.html b/doc/ns_ptcp.html new file mode 100644 index 00000000..c028d6c0 --- /dev/null +++ b/doc/ns_ptcp.html @@ -0,0 +1,16 @@ + +ptcp Network Stream Driver + + + +

      ptcp Network Stream Driver

      +

      This network stream driver implement a plain tcp transport without security properties.

      Supported Driver Modes

      • 0 - unencrypted trasmission
      Supported Authentication Modes
      • "anon" - no authentication
      [rsyslog.conf overview] +[manual index] [rsyslog site] +

      This documentation is part of the +rsyslog +project.
      +Copyright © 2008 by Rainer +Gerhards and +Adiscon. +Released under the GNU GPL version 3 or higher.

      + \ No newline at end of file diff --git a/doc/rsyslog_conf.html b/doc/rsyslog_conf.html index a78a70c1..8cd79cd1 100644 --- a/doc/rsyslog_conf.html +++ b/doc/rsyslog_conf.html @@ -121,16 +121,17 @@ default 60000 (1 minute)]
    • $ActionResumeInterval
    • $ActionResumeRetryCount <number> [default 0, -1 means eternal]
    • $ActionSendStreamDriver <driver basename> just like $DefaultNetstreamDriver, but for the specific action -
    • $ActionSendStreamDriverMode <mode>, default 0, mode to use with the stream driver -(driver-specific)
      • +
    • $ActionSendStreamDriverMode <mode>, default 0, mode to use with the stream driver +(driver-specific)
    • $ActionSendStreamDriverAuthMode <mode>,  authentication mode to use with the stream driver +(driver-specific)
    • $ActionSendStreamDriverCertFingerprint <sha1-fingerprint>,  accepted fingerprint +(driver-specific) - directive may go away!
    • $AllowedSender
    • $ControlCharacterEscapePrefix
    • $DebugPrintCFSyslineHandlerList
    • $DebugPrintModuleList
    • $DebugPrintTemplateList
      • -
    • $DefaultNetstreamDriver <drivername>, default lmnsd_ptcp, use lmnsd_gtls for TLS protection
      • -
    • $DefaultNetstreamDriverCAFile </path/to/cafile.pem>
      • +
    • $DefaultNetstreamDriver <drivername>, the default network stream driver to use. Defaults to ptcp.$DefaultNetstreamDriverCAFile </path/to/cafile.pem>
    • $DefaultNetstreamDriverCertFile </path/to/certfile.pem>
    • $DefaultNetstreamDriverKeyFile </path/to/keyfile.pem>
    • $DirCreateMode
      • @@ -1200,4 +1201,4 @@ additional and database support). For obvious reasons, the syntax for defining such features is available in rsyslogd, only.
       

      - + \ No newline at end of file -- cgit v1.2.3 From 8cb6ec4cee79d41c30d7df38b58ab1f198ac8581 Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Wed, 21 May 2008 11:45:40 +0200 Subject: added some forgotten doc --- doc/imtcp.html | 2 +- doc/ns_gtls.html | 37 ++++++++++++++++++++++++++----------- 2 files changed, 27 insertions(+), 12 deletions(-) diff --git a/doc/imtcp.html b/doc/imtcp.html index 86c50dba..12f8020d 100644 --- a/doc/imtcp.html +++ b/doc/imtcp.html @@ -20,7 +20,7 @@ $InputTCPServerRun multiple times. This is not currently supported.
      • $InputTCPServerRun <port>
        Starts a TCP server on selected port
        • -
      • $InputTCPMaxSessions <number>
        +
        • $InputTCPMaxSessions <number>
        Sets the maximum number of sessions supported
      • $InputTCPServerStreamDriverMode <number>
        Sets the driver mode for the currently selected network stream driver. <number> is driver specifc.
      • $InputTCPServerStreamDriverAuthMode <mode-string>
        Sets the authentication mode for the currently selected network stream driver. <mode-string> is driver specifc.
      • $InputTCPServerStreamDriverPermittedPeer <id-string>
        diff --git a/doc/ns_gtls.html b/doc/ns_gtls.html index ff5ed7c3..46e2e238 100644 --- a/doc/ns_gtls.html +++ b/doc/ns_gtls.html @@ -11,21 +11,36 @@ library.

        • 0 - unencrypted trasmission (just like ptcp driver)
        • 1 - TLS-protected operation
          • -
        Note: mode 0 does not provide any benefit over the ptcp driver. -This mode exists for technical reasons, but should not be used. It may -be removed in the future.
        -Supported Authentication Modes
        +
      +Note: mode 0 does not provide any benefit over the ptcp driver. This +mode exists for technical reasons, but should not be used. It may be +removed in the future.
      +Supported Authentication +Modes
        -
      • anon - anonymous authentication as +
      • anon +- anonymous authentication as described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
        • -
      • x509/fingerprint - certificate fingerprint authentication as -described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
      • x509/name - certificate validation and subject name authentication as -described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft [NOT YET IMPLEMENTED]
        • -
      Note: "anon" does not permit to authenticate the remote peer. As -such, this mode is vulnerable to man in the middle attacks as well as +
    • x509/fingerprint +- certificate fingerprint authentication as +described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft
      • +
    • x509/name +- certificate validation and subject name authentication as +described in IETF's draft-ietf-syslog-transport-tls-12 Internet draft +[NOT YET IMPLEMENTED]
      • +
    +Note: "anon" does not permit to authenticate the remote peer. As such, +this mode is vulnerable to man in the middle attacks as well as unauthorized access. It is recommended NOT to use this mode.
    -[rsyslog.conf overview] +
    +Known Problems
    +

    Even in x509/fingerprint mode, both the client and sever +certificate currently must be signed by the same root CA. This is an +artifact of the underlying GnuTLS library and the way we use it. It is +expected that we can resolve this issue in the future.

    +

    [rsyslog.conf overview] [manual index] [rsyslog site] +

    This documentation is part of the rsyslog project.
    -- cgit v1.2.3