author | Rainer Gerhards <rgerhards@adiscon.com> | 2011-02-01 22:58:30 +0100 |
committer | Rainer Gerhards <rgerhards@adiscon.com> | 2011-02-01 22:58:30 +0100 |
commit | bea499dcb2747d1f5b42eae4978cfe86a37dc957 (patch) | |
tree | f10f76b45621bf081572aa76641b308c564aebce | |
parent | fd256a09ffa109120304d293cf6faf808c5a1a21 (diff) | |
(somewhat) improved TLS subsystem
- improved TLS error reporting
- improved TLS startup (Diffie-Hellman bits do not need to be generated,
as we do not support full anon key exchange -- we always need certs)
-rw-r--r-- | ChangeLog | 3 | ||||
-rw-r--r-- | runtime/nsd_gtls.c | 26 | ||||
-rw-r--r-- | tcpsrv.c | 12 |
3 files changed, 15 insertions, 26 deletions
@@ -1,3 +1,6 @@
+- improved TLS error reporting
+- improved TLS startup (Diffie-Hellman bits do not need to be generated,
+ as we do not support full anon key exchange -- we always need certs)
 ---------------------------------------------------------------------------
 Version 6.1.3 [DEVEL] (rgerhards), 2010-12-??
 - added $IMUDPSchedulingPolicy and $IMUDPSchedulingPriority config settings
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index 0ee70e56..d6874183 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -50,7 +50,6 @@
 #include "nsd_gtls.h"
 /* things to move to some better place/functionality - TODO */
-#define DH_BITS 1024
 #define CRLFILE "crl.pem"
@@ -81,7 +80,6 @@ static pthread_mutex_t mutGtlsStrerror; /**< a mutex protecting the potentially
 /* ------------------------------ GnuTLS specifics ------------------------------ */
 static gnutls_certificate_credentials xcred;
-static gnutls_dh_params dh_params;
 #ifdef DEBUG
 #if 0 /* uncomment, if needed some time again -- DEV Debug only */
@@ -609,7 +607,6 @@ gtlsInitSession(nsd_gtls_t *pThis)
 /* request client certificate if any. */
 gnutls_certificate_server_set_request( session, GNUTLS_CERT_REQUEST);
- gnutls_dh_set_prime_bits(session, DH_BITS);
 pThis->sess = session;
@@ -618,23 +615,6 @@ finalize_it:
 }
-static rsRetVal
-generate_dh_params(void)
-{
- int gnuRet;
- DEFiRet;
- /* Generate Diffie Hellman parameters - for use with DHE
- * kx algorithms. These should be discarded and regenerated
- * once a day, once a week or once a month. Depending on the
- * security requirements.
- */
- CHKgnutls(gnutls_dh_params_init( &dh_params));
- CHKgnutls(gnutls_dh_params_generate2( dh_params, DH_BITS));
-finalize_it:
- RETiRet;
-}
-
-
 /* set up all global things that are needed for server operations
 * rgerhards, 2008-04-30 */
@@ -648,8 +628,6 @@ gtlsGlblInitLstn(void)
 * considered legacy. -- rgerhards, 2008-05-05 */
 /*CHKgnutls(gnutls_certificate_set_x509_crl_file(xcred, CRLFILE, GNUTLS_X509_FMT_PEM));*/
- CHKiRet(generate_dh_params());
- gnutls_certificate_set_dh_params(xcred, dh_params); /* this is void */
 bGlblSrvrInitDone = 1; /* we are all set now */
 /* now we need to add our certificate */
@@ -1418,6 +1396,10 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
 /* we got a handshake, now check authorization */
 CHKiRet(gtlsChkPeerAuth(pNew));
 } else {
+ uchar *pGnuErr = gtlsStrerror(gnuRet);
+ errmsg.LogError(0, RS_RET_TLS_HANDSHAKE_ERR,
+ "gnutls returned error on handshake: %s\n", pGnuErr);
+ free(pGnuErr);
 ABORT_FINALIZE(RS_RET_TLS_HANDSHAKE_ERR);
 }
@@ -577,10 +577,14 @@ processWorksetItem(tcpsrv_t *pThis, nspoll_t *pPoll, int idx, void *pUsr)
 if(pUsr == pThis->ppLstn) {
 //printf("work item %p: connect\n", pUsr);
 DBGPRINTF("New connect on NSD %p.\n", pThis->ppLstn[idx]);
- SessAccept(pThis, pThis->ppLstnPort[idx], &pNewSess, pThis->ppLstn[idx]);
- if(pPoll != NULL)
- CHKiRet(nspoll.Ctl(pPoll, pNewSess->pStrm, 0, pNewSess, NSDPOLL_IN, NSDPOLL_ADD));
- DBGPRINTF("New session created with NSD %p.\n", pNewSess);
+ iRet = SessAccept(pThis, pThis->ppLstnPort[idx], &pNewSess, pThis->ppLstn[idx]);
+ if(iRet == RS_RET_OK) {
+ if(pPoll != NULL)
+ CHKiRet(nspoll.Ctl(pPoll, pNewSess->pStrm, 0, pNewSess, NSDPOLL_IN, NSDPOLL_ADD));
+ DBGPRINTF("New session created with NSD %p.\n", pNewSess);
+ } else {
+ DBGPRINTF("tcpsrv: error %d during accept\n", iRet);
+ }
 } else {
 //printf("work item %p: receive\n", pUsr);
 pNewSess = (tcps_sess_t*) pUsr;
|
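Review bot: In the AcceptConnReq hunk, `pGnuErr` is handed to the `%s` of the new errmsg.LogError call with no NULL check; the string is heap-allocated (it is free()d two lines later), so gtlsStrerror presumably can fail to allocate and return NULL, and a NULL reaching the formatter is undefined behaviour — if that contract holds, guard it as `"gnutls returned error on handshake: %s\n", pGnuErr == NULL ? (uchar*)"(no detail)" : pGnuErr);`. This branch is reached before gtlsChkPeerAuth, so every failed handshake from an unauthenticated remote peer now yields one error-level line; worth confirming that verbosity is intended and, if the peer address is available in this function, adding it to the message so the line is actionable for triage. AcceptConnReq's body begins and ends outside the hunk.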
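Review bot: In the new else branch of the processWorksetItem hunk, `iRet` still carries the error from SessAccept after the DBGPRINTF, so whether a failed accept aborts the rest of the function or is reported to the caller is decided by code outside the hunk (the function begins and ends outside it); the branch should state its intent explicitly — either `iRet = RS_RET_OK; /* one failed accept must not stop serving other connections */` after the debug message if a single peer's failure is meant to be tolerated, or `ABORT_FINALIZE(iRet);` if it is not. The distinction matters because the failures SessAccept presumably surfaces include TLS handshake errors (see the nsd_gtls.c hunk above), which any remote peer can trigger before authentication, so an error that propagates far enough to disturb the poll loop would let one bad connection affect all others. A short comment on the new `if(iRet == RS_RET_OK) {`, such as `/* pNewSess is only valid when SessAccept succeeded */`, would also document why the old unconditional use of pNewSess was wrong.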