diff options
author | Rainer Gerhards <rgerhards@adiscon.com> | 2008-04-30 14:51:45 +0200 |
---|---|---|
committer | Rainer Gerhards <rgerhards@adiscon.com> | 2008-04-30 14:51:45 +0200 |
commit | b0d63ea8f26f525bbfd177aaa6a1294b0d94f1f9 (patch) | |
tree | 8ff1fa91347b213919636eb458ec8c5989e7ac3e /runtime/nsd_gtls.c | |
parent | 055d4ffc2afc77e03a3d31720d4a0998f8c3d92c (diff) | |
download | rsyslog-b0d63ea8f26f525bbfd177aaa6a1294b0d94f1f9.tar.gz rsyslog-b0d63ea8f26f525bbfd177aaa6a1294b0d94f1f9.tar.xz rsyslog-b0d63ea8f26f525bbfd177aaa6a1294b0d94f1f9.zip |
made plain tcp syslog via TLS work on the server
... but so far only in blocking mode
Diffstat (limited to 'runtime/nsd_gtls.c')
-rw-r--r-- | runtime/nsd_gtls.c | 127 |
1 files changed, 122 insertions, 5 deletions
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c index a06d7cca..51d32b6c 100644 --- a/runtime/nsd_gtls.c +++ b/runtime/nsd_gtls.c @@ -35,6 +35,13 @@ #include "nsd_ptcp.h" #include "nsd_gtls.h" +/* things to move to some better place/functionality - TODO */ +#define DH_BITS 1024 +#define CAFILE "ca.pem" // TODO: allow to specify +#define KEYFILE "key.pem" +#define CERTFILE "cert.pem" +#define CRLFILE "crl.pem" + MODULE_TYPE_LIB /* static data */ @@ -43,19 +50,36 @@ DEFobjCurrIf(errmsg) DEFobjCurrIf(glbl) DEFobjCurrIf(nsd_ptcp) +static int bGlblSrvrInitDone = 0; /**< 0 - server global init not yet done, 1 - already done */ /* a macro to check GnuTLS calls against unexpected errors */ #define CHKgnutls(x) \ if((gnuRet = (x)) != 0) { \ - dbgprintf("unexpected GnuTLS error %d in %s:%d\n", gnuRet, __FILE__, __LINE__); \ - gnutls_perror(gnuRet); /* TODO: can we do better? */ \ + uchar *pErr = gtlsStrerror(gnuRet); \ + dbgprintf("unexpected GnuTLS error %d in %s:%d: %s\n", gnuRet, __FILE__, __LINE__, pErr); \ + free(pErr); \ ABORT_FINALIZE(RS_RET_GNUTLS_ERR); \ } -#define CAFILE "ca.pem" // TODO: allow to specify /* ------------------------------ GnuTLS specifics ------------------------------ */ static gnutls_certificate_credentials xcred; +static gnutls_dh_params dh_params; + +/* a thread-safe variant of gnutls_strerror - TODO: implement it! + * The caller must free the returned string. + * rgerhards, 2008-04-30 + */ +uchar *gtlsStrerror(int error) +{ + uchar *pErr; + + // TODO: guard by mutex! + pErr = (uchar*) strdup(gnutls_strerror(error)); + + return pErr; +} + /* globally initialize GnuTLS */ static rsRetVal @@ -76,6 +100,71 @@ finalize_it: RETiRet; } +static rsRetVal +gtlsInitSession(nsd_gtls_t *pThis) +{ + DEFiRet; + int gnuRet; + gnutls_session session; + + gnutls_init(&session, GNUTLS_SERVER); + pThis->bHaveSess = 1; + pThis->bIsInitiator = 0; + + /* avoid calling all the priority functions, since the defaults are adequate. */ + CHKgnutls(gnutls_set_default_priority(session)); + CHKgnutls(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred)); + + /* request client certificate if any. */ + gnutls_certificate_server_set_request( session, GNUTLS_CERT_REQUEST); + gnutls_dh_set_prime_bits(session, DH_BITS); + + pThis->sess = session; + +finalize_it: + RETiRet; +} + + + +static rsRetVal +generate_dh_params(void) +{ + int gnuRet; + DEFiRet; + /* Generate Diffie Hellman parameters - for use with DHE + * kx algorithms. These should be discarded and regenerated + * once a day, once a week or once a month. Depending on the + * security requirements. + */ + CHKgnutls(gnutls_dh_params_init( &dh_params)); + CHKgnutls(gnutls_dh_params_generate2( dh_params, DH_BITS)); +finalize_it: + RETiRet; +} + + +/* set up all global things that are needed for server operations + * rgerhards, 2008-04-30 + */ +static rsRetVal +gtlsGlblInitLstn(void) +{ + int gnuRet; + DEFiRet; + + if(bGlblSrvrInitDone == 0) { + //CHKgnutls(gnutls_certificate_set_x509_crl_file(xcred, CRLFILE, GNUTLS_X509_FMT_PEM)); + CHKgnutls(gnutls_certificate_set_x509_key_file(xcred, CERTFILE, KEYFILE, GNUTLS_X509_FMT_PEM)); + CHKiRet(generate_dh_params()); + gnutls_certificate_set_dh_params(xcred, dh_params); /* this is void */ + bGlblSrvrInitDone = 1; /* we are all set now */ + } + +finalize_it: + RETiRet; +} + /* globally de-initialize GnuTLS */ static rsRetVal @@ -100,9 +189,11 @@ gtlsEndSess(nsd_gtls_t *pThis) DEFiRet; if(pThis->bHaveSess) { - gnuRet = gnutls_bye(pThis->sess, GNUTLS_SHUT_RDWR); - while(gnuRet == GNUTLS_E_INTERRUPTED || gnuRet == GNUTLS_E_AGAIN) { + if(pThis->bIsInitiator) { gnuRet = gnutls_bye(pThis->sess, GNUTLS_SHUT_RDWR); + while(gnuRet == GNUTLS_E_INTERRUPTED || gnuRet == GNUTLS_E_AGAIN) { + gnuRet = gnutls_bye(pThis->sess, GNUTLS_SHUT_RDWR); + } } gnutls_deinit(pThis->sess); } @@ -116,6 +207,7 @@ gtlsEndSess(nsd_gtls_t *pThis) /* Standard-Constructor */ BEGINobjConstruct(nsd_gtls) /* be sure to specify the object type also in END macro! */ iRet = nsd_ptcp.Construct(&pThis->pTcp); + pThis->iMode = 1; // TODO: remove! ENDobjConstruct(nsd_gtls) @@ -204,7 +296,9 @@ LstnInit(netstrms_t *pNS, void *pUsr, rsRetVal(*fAddLstn)(void*,netstrm_t*), uchar *pLstnPort, uchar *pLstnIP, int iSessMax) { DEFiRet; + CHKiRet(gtlsGlblInitLstn()); iRet = nsd_ptcp.LstnInit(pNS, pUsr, fAddLstn, pLstnPort, pLstnIP, iSessMax); +finalize_it: RETiRet; } @@ -247,6 +341,7 @@ static rsRetVal AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew) { DEFiRet; + int gnuRet; nsd_gtls_t *pNew = NULL; nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; @@ -256,6 +351,23 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew) CHKiRet(nsd_ptcp.Destruct(&pNew->pTcp)); CHKiRet(nsd_ptcp.AcceptConnReq(pThis->pTcp, &pNew->pTcp)); + if(pThis->iMode == 0) { + /* we are in non-TLS mode, so we are done */ + *ppNew = (nsd_t*) pNew; + FINALIZE; + } + + /* if we reach this point, we are in TLS mode */ + CHKiRet(gtlsInitSession(pNew)); + gnutls_transport_set_ptr(pNew->sess, (gnutls_transport_ptr)((nsd_ptcp_t*) (pNew->pTcp))->sock); + + /* we now do the handshake. This is a bit complicated, because we are + * on non-blocking sockets. Usually, the handshake will not complete + * immediately, so that we need to retry it some time later. + */ + CHKgnutls(gnutls_handshake(pNew->sess)); + pThis->iMode = 1; /* this session is now in TLS mode! */ + *ppNew = (nsd_t*) pNew; finalize_it: @@ -280,6 +392,8 @@ static rsRetVal Rcv(nsd_t *pNsd, uchar *pBuf, ssize_t *pLenBuf) { DEFiRet; + int gnuRet; + ssize_t lenRcvd; nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd; ISOBJ_TYPE_assert(pThis, nsd_gtls); @@ -289,6 +403,8 @@ Rcv(nsd_t *pNsd, uchar *pBuf, ssize_t *pLenBuf) } /* in TLS mode now */ + lenRcvd = gnutls_record_recv(pThis->sess, pBuf, *pLenBuf); + *pLenBuf = lenRcvd; finalize_it: RETiRet; @@ -358,6 +474,7 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host) /* we reach this point if in TLS mode */ CHKgnutls(gnutls_init(&pThis->sess, GNUTLS_CLIENT)); pThis->bHaveSess = 1; + pThis->bIsInitiator = 1; /* Use default priorities */ CHKgnutls(gnutls_set_default_priority(pThis->sess)); |