authorRainer Gerhards <rgerhards@adiscon.com>2008-07-02 11:56:54 +0200
committerRainer Gerhards <rgerhards@adiscon.com>2008-07-02 11:56:54 +0200
commitaeef9bbe727d80c5882cc0a883b8dfd5df461f10 (patch)
tree292836490a6c886b7c0054a55bc41e5b0f937404 /runtime
parentba35cbbfe3002e200e4561d93c234805d9a8d760 (diff)
downloadrsyslog-aeef9bbe727d80c5882cc0a883b8dfd5df461f10.tar.gz
rsyslog-aeef9bbe727d80c5882cc0a883b8dfd5df461f10.tar.xz
rsyslog-aeef9bbe727d80c5882cc0a883b8dfd5df461f10.zip
bugfix: machine certificate was required for client even in TLS anon mode
Reference: http://bugzilla.adiscon.com/show_bug.cgi?id=85
The fix also slightly improves performance by not storing certificates in client sessions when there is no need to do so.
Diffstat (limited to 'runtime')
-rw-r--r--runtime/errmsg.c1
-rw-r--r--runtime/glbl.c15
-rw-r--r--runtime/nsd_gtls.c26
-rw-r--r--runtime/rsyslog.h1
4 files changed, 25 insertions, 18 deletions
diff --git a/runtime/errmsg.c b/runtime/errmsg.c
index dc09fc03..3c3ee02c 100644
--- a/runtime/errmsg.c
+++ b/runtime/errmsg.c
@@ -98,7 +98,6 @@ LogError(int iErrno, int iErrCode, char *fmt, ... )
msg[sizeof(msg)/sizeof(char) - 1] = '\0'; /* just to be on the safe side... */
errno = 0;
-dbgprintf("LogError logging error '%s', code %d\n", msg, iErrCode);
glblErrLogger(iErrCode, (uchar*)msg);
ENDfunc
diff --git a/runtime/glbl.c b/runtime/glbl.c
index deb32471..11a664f8 100644
--- a/runtime/glbl.c
+++ b/runtime/glbl.c
@@ -42,15 +42,6 @@
#ifndef DFLT_NETSTRM_DRVR
# define DFLT_NETSTRM_DRVR ((uchar*)"ptcp")
#endif
-#ifndef DFLT_NETSTRM_DRVR_CAF
-# define DFLT_NETSTRM_DRVR_CAF ((uchar*)"ca.pem")
-#endif
-#ifndef DFLT_NETSTRM_DRVR_KEYFILE
-# define DFLT_NETSTRM_DRVR_KEYFILE ((uchar*)"key.pem")
-#endif
-#ifndef DFLT_NETSTRM_DRVR_CERTFILE
-# define DFLT_NETSTRM_DRVR_CERTFILE ((uchar*)"cert.pem")
-#endif
/* static data */
DEFobjStaticHelpers
@@ -141,7 +132,7 @@ GetDfltNetstrmDrvr(void)
static uchar*
GetDfltNetstrmDrvrCAF(void)
{
- return(pszDfltNetstrmDrvrCAF == NULL ? DFLT_NETSTRM_DRVR_CAF : pszDfltNetstrmDrvrCAF);
+ return(pszDfltNetstrmDrvrCAF);
}
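Review bot: GetDfltNetstrmDrvrCAF now returns NULL when pszDfltNetstrmDrvrCAF was never set, but unlike the cert and key getters (whose NULL result is checked in gtlsLoadOurCertKey in this same commit) no consumer of the CA path is touched here; the CA-file loader in nsd_gtls.c is outside this diff, so whether it tolerates a NULL path cannot be confirmed from what is visible. Since a missing CA file is the difference between verified and unverified peers in the certificate-based auth modes, the contract change deserves to be stated at the getter so the next reader does not assume a built-in default still exists. I would add above the function: `/* returns NULL when no CA file is configured (no built-in default); callers must handle this */`, and the same wording on the key and cert getters below.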
@@ -149,7 +140,7 @@ GetDfltNetstrmDrvrCAF(void)
static uchar*
GetDfltNetstrmDrvrKeyFile(void)
{
- return(pszDfltNetstrmDrvrKeyFile == NULL ? DFLT_NETSTRM_DRVR_KEYFILE : pszDfltNetstrmDrvrKeyFile);
+ return(pszDfltNetstrmDrvrKeyFile);
}
@@ -157,7 +148,7 @@ GetDfltNetstrmDrvrKeyFile(void)
static uchar*
GetDfltNetstrmDrvrCertFile(void)
{
- return(pszDfltNetstrmDrvrCertFile == NULL ? DFLT_NETSTRM_DRVR_CERTFILE : pszDfltNetstrmDrvrCertFile);
+ return(pszDfltNetstrmDrvrCertFile);
}
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index e670da13..3f2817f7 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -169,6 +169,17 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis)
certFile = glbl.GetDfltNetstrmDrvrCertFile();
keyFile = glbl.GetDfltNetstrmDrvrKeyFile();
+ if(certFile == NULL || keyFile == NULL) {
+ /* in this case, we can not set our certificate. If we are
+ * a client and the server is running in "anon" auth mode, this
+ * may be well acceptable. In other cases, we will see some
+ * more error messages down the road. -- rgerhards, 2008-07-02
+ */
+ dbgprintf("our certificate is not set, file name values are cert: '%s', key: '%s'\n",
+ certFile, keyFile);
+ ABORT_FINALIZE(RS_RET_CERTLESS);
+ }
+
/* try load certificate */
CHKiRet(readFile(certFile, &data));
CHKgnutls(gnutls_x509_crt_init(&pThis->ourCert));
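Review bot: The new dbgprintf passes whichever of certFile or keyFile is NULL (the condition guarantees at least one is) to a `%s` conversion, which is undefined behaviour in C; glibc happens to print "(null)" but other libcs can crash on it. Guard the arguments: `certFile == NULL ? "(not set)" : (char*)certFile,` and `keyFile == NULL ? "(not set)" : (char*)keyFile);`. Separately, the `||` treats a half-configured credential (certificate given but key missing, or vice versa) exactly like a deliberately certless client, so a misconfiguration silently downgrades to running without a machine certificate instead of being reported; I would return RS_RET_CERTLESS only for `certFile == NULL && keyFile == NULL` and log the exactly-one-set case through errmsg.LogError as a configuration error before aborting with a real error code. gtlsLoadOurCertKey's body continues outside this hunk.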
@@ -531,7 +542,7 @@ finalize_it:
pGnuErr = gtlsStrerror(gnuRet);
errno = 0;
errmsg.LogError(0, iRet, "error adding our certificate. GnuTLS error %d, message: '%s', "
- "key: '%s', cert: '%s'\n", gnuRet, pGnuErr, keyFile, certFile);
+ "key: '%s', cert: '%s'", gnuRet, pGnuErr, keyFile, certFile);
free(pGnuErr);
}
RETiRet;
@@ -636,6 +647,9 @@ gtlsGlblInitLstn(void)
CHKiRet(generate_dh_params());
gnutls_certificate_set_dh_params(xcred, dh_params); /* this is void */
bGlblSrvrInitDone = 1; /* we are all set now */
+
+ /* now we need to add our certificate */
+ CHKiRet(gtlsAddOurCert());
}
finalize_it:
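Review bot: `bGlblSrvrInitDone = 1` is set before the newly added `CHKiRet(gtlsAddOurCert())`, so when adding the listener certificate fails the function leaves through finalize_it with the init-done flag already raised. If that flag guards re-entry into gtlsGlblInitLstn (the guard itself is outside this hunk), a later call will skip the whole initialisation and the listener ends up running on xcred without its certificate installed, which is the state this commit is trying to make a deliberate client-side choice rather than an accident on the server side. Move the flag after the credential step: `CHKiRet(gtlsAddOurCert());` then `bGlblSrvrInitDone = 1; /* only now are we all set */`. The enclosing function starts before the hunk.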
@@ -1129,8 +1143,6 @@ gtlsSetTransportPtr(nsd_gtls_t *pThis, int sock)
BEGINobjConstruct(nsd_gtls) /* be sure to specify the object type also in END macro! */
iRet = nsd_ptcp.Construct(&pThis->pTcp);
pThis->bReportAuthErr = 1;
- CHKiRet(gtlsAddOurCert());
-finalize_it:
ENDobjConstruct(nsd_gtls)
@@ -1558,8 +1570,12 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host)
*/
/* store a pointer to ourselfs (needed by callback) */
gnutls_session_set_ptr(pThis->sess, (void*)pThis);
- CHKiRet(gtlsLoadOurCertKey(pThis)); /* first load .pem files */
- gnutls_certificate_client_set_retrieve_function(xcred, gtlsClientCertCallback);
+ iRet = gtlsLoadOurCertKey(pThis); /* first load .pem files */
+ if(iRet == RS_RET_OK) {
+ gnutls_certificate_client_set_retrieve_function(xcred, gtlsClientCertCallback);
+ } else if(iRet != RS_RET_CERTLESS) {
+ FINALIZE; /* we have an error case! */
+ }
/* Use default priorities */
CHKgnutls(gnutls_set_default_priority(pThis->sess));
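Review bot: In the RS_RET_CERTLESS branch iRet keeps that negative "state" value and execution simply continues; CHKgnutls presumably assigns iRet only on failure, so unless a later statement in Connect (outside this hunk) overwrites it, the function can reach finalize_it with a non-OK code for a perfectly healthy certless handshake and the caller or cleanup path may treat the connection as failed. I would make the state explicit and reset it: `} else if(iRet != RS_RET_CERTLESS) { FINALIZE; } else { iRet = RS_RET_OK; /* certless is a legitimate state for anon mode */ }`. Also, xcred appears to be a shared credential object (it is also used in gtlsGlblInitLstn above), so a retrieve callback installed by an earlier session that did load a certificate remains in effect for a later certless session; whether gtlsClientCertCallback copes with pThis->ourCert never having been initialised cannot be seen here and is worth a check or a comment.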
diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
index 7771bea5..95b2c756 100644
--- a/runtime/rsyslog.h
+++ b/runtime/rsyslog.h
@@ -247,6 +247,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth
RS_RET_CLOSED = -2099, /**< connection was closed */
RS_RET_RETRY = -2100, /**< call should be retried (e.g. EGAIN on recv) */
RS_RET_GSS_ERR = -2101, /**< generic error occured in GSSAPI subsystem */
+ RS_RET_CERTLESS = -2102, /**< state: we run without machine cert (this may be OK) */
/* RainerScript error messages (range 1000.. 1999) */
RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */