author | Rainer Gerhards <rgerhards@adiscon.com> | 2008-07-02 11:56:54 +0200 |
---|---|---|
committer | Rainer Gerhards <rgerhards@adiscon.com> | 2008-07-02 11:56:54 +0200 |
commit | aeef9bbe727d80c5882cc0a883b8dfd5df461f10 (patch) | |
tree | 292836490a6c886b7c0054a55bc41e5b0f937404 /runtime | |
parent | ba35cbbfe3002e200e4561d93c234805d9a8d760 (diff) | |
bugfix: machine certificate was required for client even in TLS anon mode
Reference: http://bugzilla.adiscon.com/show_bug.cgi?id=85
The fix also slightly improves performance by not storing certificates in
client sessions when there is no need to do so.
Diffstat (limited to 'runtime')
-rw-r--r-- | runtime/errmsg.c | 1 | ||||
-rw-r--r-- | runtime/glbl.c | 15 | ||||
-rw-r--r-- | runtime/nsd_gtls.c | 26 | ||||
-rw-r--r-- | runtime/rsyslog.h | 1 |
4 files changed, 25 insertions, 18 deletions
diff --git a/runtime/errmsg.c b/runtime/errmsg.c
index dc09fc03..3c3ee02c 100644
--- a/runtime/errmsg.c
+++ b/runtime/errmsg.c
@@ -98,7 +98,6 @@ LogError(int iErrno, int iErrCode, char *fmt, ... )
 msg[sizeof(msg)/sizeof(char) - 1] = '\0'; /* just to be on the safe side... */
 errno = 0;
-dbgprintf("LogError logging error '%s', code %d\n", msg, iErrCode);
 glblErrLogger(iErrCode, (uchar*)msg);
 ENDfunc
diff --git a/runtime/glbl.c b/runtime/glbl.c
index deb32471..11a664f8 100644
--- a/runtime/glbl.c
+++ b/runtime/glbl.c
@@ -42,15 +42,6 @@
 #ifndef DFLT_NETSTRM_DRVR
 # define DFLT_NETSTRM_DRVR ((uchar*)"ptcp")
 #endif
-#ifndef DFLT_NETSTRM_DRVR_CAF
-# define DFLT_NETSTRM_DRVR_CAF ((uchar*)"ca.pem")
-#endif
-#ifndef DFLT_NETSTRM_DRVR_KEYFILE
-# define DFLT_NETSTRM_DRVR_KEYFILE ((uchar*)"key.pem")
-#endif
-#ifndef DFLT_NETSTRM_DRVR_CERTFILE
-# define DFLT_NETSTRM_DRVR_CERTFILE ((uchar*)"cert.pem")
-#endif
 /* static data */
 DEFobjStaticHelpers
@@ -141,7 +132,7 @@ GetDfltNetstrmDrvr(void)
 static uchar*
 GetDfltNetstrmDrvrCAF(void)
 {
- return(pszDfltNetstrmDrvrCAF == NULL ? DFLT_NETSTRM_DRVR_CAF : pszDfltNetstrmDrvrCAF);
+ return(pszDfltNetstrmDrvrCAF);
 }
@@ -149,7 +140,7 @@ GetDfltNetstrmDrvrCAF(void)
 static uchar*
 GetDfltNetstrmDrvrKeyFile(void)
 {
- return(pszDfltNetstrmDrvrKeyFile == NULL ? DFLT_NETSTRM_DRVR_KEYFILE : pszDfltNetstrmDrvrKeyFile);
+ return(pszDfltNetstrmDrvrKeyFile);
 }
@@ -157,7 +148,7 @@ GetDfltNetstrmDrvrKeyFile(void)
 static uchar*
 GetDfltNetstrmDrvrCertFile(void)
 {
- return(pszDfltNetstrmDrvrCertFile == NULL ? DFLT_NETSTRM_DRVR_CERTFILE : pszDfltNetstrmDrvrCertFile);
+ return(pszDfltNetstrmDrvrCertFile);
 }
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index e670da13..3f2817f7 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
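Review bot: With the `DFLT_NETSTRM_DRVR_*` fallbacks removed, `GetDfltNetstrmDrvrCAF`, `GetDfltNetstrmDrvrKeyFile` and `GetDfltNetstrmDrvrCertFile` now return NULL whenever nothing was configured, yet only the cert and key values get a NULL check in this commit (in `gtlsLoadOurCertKey`); the CA-file value has no visible guard. Any caller that hands the CA path straight to a file-loading call (not visible here) would now dereference NULL or fail with a misleading error, so either check the CAF getter's result at its call sites or state the new contract on each getter, e.g. `/* returns NULL when no file was configured; callers must handle that */`. Dropping the implicit relative-path defaults ("ca.pem", "cert.pem", "key.pem" resolved against the daemon's working directory) is itself sound, since credential lookup no longer depends on the cwd the process happens to run in.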
@@ -169,6 +169,17 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis)
 certFile = glbl.GetDfltNetstrmDrvrCertFile();
 keyFile = glbl.GetDfltNetstrmDrvrKeyFile();
+ if(certFile == NULL || keyFile == NULL) {
+ /* in this case, we can not set our certificate. If we are
+ * a client and the server is running in "anon" auth mode, this
+ * may be well acceptable. In other cases, we will see some
+ * more error messages down the road. -- rgerhards, 2008-07-02
+ */
+ dbgprintf("our certificate is not set, file name values are cert: '%s', key: '%s'\n", certFile, keyFile);
+ ABORT_FINALIZE(RS_RET_CERTLESS);
+ }
+
 /* try load certificate */
 CHKiRet(readFile(certFile, &data));
 CHKgnutls(gnutls_x509_crt_init(&pThis->ourCert));
@@ -531,7 +542,7 @@ finalize_it:
 pGnuErr = gtlsStrerror(gnuRet);
 errno = 0;
 errmsg.LogError(0, iRet, "error adding our certificate. GnuTLS error %d, message: '%s', "
- "key: '%s', cert: '%s'\n", gnuRet, pGnuErr, keyFile, certFile);
+ "key: '%s', cert: '%s'", gnuRet, pGnuErr, keyFile, certFile);
 free(pGnuErr);
 }
 RETiRet;
@@ -636,6 +647,9 @@ gtlsGlblInitLstn(void)
 CHKiRet(generate_dh_params());
 gnutls_certificate_set_dh_params(xcred, dh_params); /* this is void */
 bGlblSrvrInitDone = 1; /* we are all set now */
+
+ /* now we need to add our certificate */
+ CHKiRet(gtlsAddOurCert());
 }
 finalize_it:
@@ -1129,8 +1143,6 @@ gtlsSetTransportPtr(nsd_gtls_t *pThis, int sock)
 BEGINobjConstruct(nsd_gtls) /* be sure to specify the object type also in END macro! */
 iRet = nsd_ptcp.Construct(&pThis->pTcp);
 pThis->bReportAuthErr = 1;
- CHKiRet(gtlsAddOurCert());
-finalize_it:
 ENDobjConstruct(nsd_gtls)
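Review bot: The new guard in `gtlsLoadOurCertKey` passes `certFile` and `keyFile` to `%s` at a point where at least one of them is known to be NULL; that is undefined behaviour in C, and only glibc's "(null)" rendering keeps the dbgprintf from crashing. Guard the arguments, e.g. `certFile == NULL ? "(null)" : (char*)certFile`, or log which of the two is missing instead of both. The condition also treats a half-configured machine identity (exactly one of cert/key set) the same as "no certificate at all": on the client path that now silently degrades to a certless session rather than surfacing a misconfiguration, so consider `if(certFile == NULL && keyFile == NULL)` for the `RS_RET_CERTLESS` case and a real error return when only one of them is set. gtlsLoadOurCertKey continues outside the hunk.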
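Review bot: In the `gtlsGlblInitLstn` hunk, `bGlblSrvrInitDone = 1` is executed before the newly added `CHKiRet(gtlsAddOurCert())`, so a failed server-certificate load leaves the "init done" flag set; if that flag is what short-circuits later calls (its check is outside the hunk), a retry would skip loading the certificate entirely and the listener would run without it. Swapping the two statements, `CHKiRet(gtlsAddOurCert());` followed by `bGlblSrvrInitDone = 1; /* we are all set now */`, keeps the flag meaning "fully initialised". The enclosing function starts before the hunk.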
@@ -1558,8 +1570,12 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host)
 */
 /* store a pointer to ourselfs (needed by callback) */
 gnutls_session_set_ptr(pThis->sess, (void*)pThis);
- CHKiRet(gtlsLoadOurCertKey(pThis)); /* first load .pem files */
- gnutls_certificate_client_set_retrieve_function(xcred, gtlsClientCertCallback);
+ iRet = gtlsLoadOurCertKey(pThis); /* first load .pem files */
+ if(iRet == RS_RET_OK) {
+ gnutls_certificate_client_set_retrieve_function(xcred, gtlsClientCertCallback);
+ } else if(iRet != RS_RET_CERTLESS) {
+ FINALIZE; /* we have an error case! */
+ }
 /* Use default priorities */
 CHKgnutls(gnutls_set_default_priority(pThis->sess));
diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
index 7771bea5..95b2c756 100644
--- a/runtime/rsyslog.h
+++ b/runtime/rsyslog.h
@@ -247,6 +247,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth
 RS_RET_CLOSED = -2099, /**< connection was closed */
 RS_RET_RETRY = -2100, /**< call should be retried (e.g. EGAIN on recv) */
 RS_RET_GSS_ERR = -2101, /**< generic error occured in GSSAPI subsystem */
+ RS_RET_CERTLESS = -2102, /**< state: we run without machine cert (this may be OK) */
 /* RainerScript error messages (range 1000.. 1999) */
 RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */
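Review bot: After the new branch in `Connect`, `iRet` still holds `RS_RET_CERTLESS` on the certless path: the `else if` deliberately falls through, and if `CHKgnutls` behaves like `CHKiRet` and only assigns `iRet` on failure, then unless a later `CHKiRet` in Connect (outside the hunk) overwrites it, a successful anonymous connection returns `RS_RET_CERTLESS` to the caller, which will treat a negative return as an error. Resetting it explicitly makes the intent independent of what follows, e.g. `} else if(iRet == RS_RET_CERTLESS) { iRet = RS_RET_OK; /* acceptable against an anon-mode server */ } else { FINALIZE; }`. Connect continues outside the hunk.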