summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRainer Gerhards <rgerhards@adiscon.com>2008-05-19 09:43:37 +0200
committerRainer Gerhards <rgerhards@adiscon.com>2008-05-19 09:43:37 +0200
commit48684ceac5d57f2c3bc9e8afce98d2026ab51958 (patch)
tree76265ca131f1c8a682c703b5acd34d117c253560
parentedf41396efc9bcbbc333651771df49d3ec68cb4d (diff)
downloadrsyslog-48684ceac5d57f2c3bc9e8afce98d2026ab51958.tar.gz
rsyslog-48684ceac5d57f2c3bc9e8afce98d2026ab51958.tar.xz
rsyslog-48684ceac5d57f2c3bc9e8afce98d2026ab51958.zip
improved error messages and corrected fingerprint format
-rw-r--r--runtime/nsd_gtls.c29
-rw-r--r--runtime/nsd_gtls.h3
-rw-r--r--runtime/nsd_ptcp.c11
-rw-r--r--runtime/rsyslog.h2
4 files changed, 32 insertions, 13 deletions
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index df458ea3..4e7fa3b6 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -85,12 +85,18 @@ GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr)
cstr_t *pStr = NULL;
uchar buf[4];
size_t i;
+ int bAddColon = 0; /* do we need to add a colon to the fingerprint string? */
DEFiRet;
CHKiRet(rsCStrConstruct(&pStr));
for(i = 0 ; i < sizeFingerprint ; ++i) {
- snprintf((char*)buf, sizeof(buf), "%2.2X:", pFingerprint[i]);
- CHKiRet(rsCStrAppendStrWithLen(pStr, buf, 3));
+ if(bAddColon) {
+ CHKiRet(rsCStrAppendChar(pStr, ':'));
+ } else {
+ bAddColon = 1; /* all but the first need a colon added */
+ }
+ snprintf((char*)buf, sizeof(buf), "%2.2X", pFingerprint[i]);
+ CHKiRet(rsCStrAppendStrWithLen(pStr, buf, 2));
}
CHKiRet(rsCStrFinish(pStr));
@@ -291,8 +297,12 @@ gtlsChkFingerprint(nsd_gtls_t *pThis)
FINALIZE;
if(pThis->authIDs == NULL || rsCStrSzStrCmp(pstrFingerprint, pThis->authIDs, strlen((char*) pThis->authIDs))) {
- // TODO: logerror
- dbgprintf("invalid server fingerprint, not authorized\n");
+ dbgprintf("invalid server fingerprint, not permitted to talk to us\n");
+ if(pThis->bReportAuthErr == 1) {
+ errmsg.LogError(NO_ERRCODE, "error: server fingerprint '%s' unknown - we are "
+ "not permitted to talk to this server", rsCStrGetSzStr(pstrFingerprint));
+ pThis->bReportAuthErr = 0;
+ }
ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
}
@@ -361,6 +371,7 @@ gtlsSetTransportPtr(nsd_gtls_t *pThis, int sock)
/* Standard-Constructor */
BEGINobjConstruct(nsd_gtls) /* be sure to specify the object type also in END macro! */
iRet = nsd_ptcp.Construct(&pThis->pTcp);
+ pThis->bReportAuthErr = 1;
CHKiRet(gtlsAddOurCert());
finalize_it:
ENDobjConstruct(nsd_gtls)
@@ -392,8 +403,11 @@ SetMode(nsd_t *pNsd, int mode)
dbgprintf("SetMode tries to set mode %d\n", mode);
ISOBJ_TYPE_assert((pThis), nsd_gtls);
- if(mode != 0 && mode != 1)
- ABORT_FINALIZE(RS_RET_INVAID_DRVR_MODE);
+ if(mode != 0 && mode != 1) {
+ errmsg.LogError(NO_ERRCODE, "error: driver mode %d not supported by "
+ "gtls netstream driver", mode);
+ ABORT_FINALIZE(RS_RET_INVALID_DRVR_MODE);
+ }
pThis->iMode = mode;
@@ -423,7 +437,7 @@ SetAuthMode(nsd_t *pNsd, uchar *mode)
} else if(!strcasecmp((char*) mode, "anon")) {
pThis->authMode = GTLS_AUTH_CERTANON;
} else {
- errmsg.LogError(NO_ERRCODE, "authentication mode '%s' not supported by "
+ errmsg.LogError(NO_ERRCODE, "error: authentication mode '%s' not supported by "
"gtls netstream driver", mode);
ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
}
@@ -455,7 +469,6 @@ AddPermFingerprint(nsd_t *pNsd, uchar *pszFingerprint)
// TODO: proper handling - but we need to redo this when we do the
// linked list. So for now, this is good enough (but MUST BE CHANGED!).
- //
pThis->authIDs = pszFingerprint;
dbgprintf("gtls fingerprint '%s' set\n", pThis->authIDs);
diff --git a/runtime/nsd_gtls.h b/runtime/nsd_gtls.h
index 885a8b30..0576a993 100644
--- a/runtime/nsd_gtls.h
+++ b/runtime/nsd_gtls.h
@@ -48,6 +48,9 @@ struct nsd_gtls_s {
gnutls_session sess;
int bHaveSess; /* as we don't know exactly which gnutls_session values are invalid, we use this one
to flag whether or not we are in a session (same as -1 for a socket meaning no sess) */
+ int bReportAuthErr; /* only the first auth error is to be reported, this var triggers it. Initially, it is
+ * set to 1 and changed to 0 after the first report. It is changed back to 1 after
+ * one successful authentication. */
uchar *authIDs; /* TODO: make linked list, currently just a single fingerprint, must also support names */
};
diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c
index ae835aed..6702e118 100644
--- a/runtime/nsd_ptcp.c
+++ b/runtime/nsd_ptcp.c
@@ -119,8 +119,11 @@ static rsRetVal
SetMode(nsd_t __attribute__((unused)) *pNsd, int mode)
{
DEFiRet;
- if(mode != 0)
- ABORT_FINALIZE(RS_RET_INVAID_DRVR_MODE);
+ if(mode != 0) {
+ errmsg.LogError(NO_ERRCODE, "error: driver mode %d not supported by "
+ "ptcp netstream driver", mode);
+ ABORT_FINALIZE(RS_RET_INVALID_DRVR_MODE);
+ }
finalize_it:
RETiRet;
}
@@ -140,7 +143,7 @@ SetAuthMode(nsd_t __attribute__((unused)) *pNsd, uchar *mode)
{
DEFiRet;
if(mode != NULL && strcasecmp((char*)mode, "anon")) {
- errmsg.LogError(NO_ERRCODE, "authentication mode '%s' not supported by "
+ errmsg.LogError(NO_ERRCODE, "error: authentication mode '%s' not supported by "
"ptcp netstream driver", mode);
ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
}
@@ -158,7 +161,7 @@ static rsRetVal
AddPermFingerprint(nsd_t __attribute__((unused)) *pNsd, uchar __attribute__((unused)) *pszFingerprint)
{
errmsg.LogError(NO_ERRCODE, "fingerprint authentication not supported by "
- "ptcp netstream driver - ignored");
+ "ptcp netstream driver");
return RS_RET_VALUE_NOT_IN_THIS_MODE;
}
diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
index 088a14db..fe26bb44 100644
--- a/runtime/rsyslog.h
+++ b/runtime/rsyslog.h
@@ -219,7 +219,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth
RS_RET_GNUTLS_ERR = -2078, /**< (unexpected) error in GnuTLS call */
RS_RET_MAX_SESS_REACHED = -2079, /**< max nbr of sessions reached, can not create more */
RS_RET_MAX_LSTN_REACHED = -2080, /**< max nbr of listeners reached, can not create more */
- RS_RET_INVAID_DRVR_MODE = -2081, /**< tried to set mode not supported by driver */
+ RS_RET_INVALID_DRVR_MODE = -2081, /**< tried to set mode not supported by driver */
RS_RET_DRVRNAME_TOO_LONG = -2082, /**< driver name too long - should never happen */
RS_RET_TLS_HANDSHAKE_ERR = -2083, /**< TLS handshake failed */
RS_RET_TLS_CERT_ERR = -2084, /**< generic TLS certificate error */