bugfix: machine certificate was required for client even in TLS anon mode

Reference: http://bugzilla.adiscon.com/show_bug.cgi?id=85
The fix also slightly improves performance by not storing certificates in
client sessions when there is no need to do so.

4 files changed, 25 insertions, 18 deletions

diff --git a/runtime/errmsg.c b/runtime/errmsg.c
index dc09fc03..3c3ee02c 100644
--- a/runtime/errmsg.c
+++ b/runtime/errmsg.c
@@ -98,7 +98,6 @@ LogError(int iErrno, int iErrCode, char *fmt, ... )
 	msg[sizeof(msg)/sizeof(char) - 1] = '\0'; /* just to be on the safe side... */
 	errno = 0;
 	
-dbgprintf("LogError logging error '%s', code %d\n", msg, iErrCode);
 	glblErrLogger(iErrCode, (uchar*)msg);
 
 	ENDfunc
diff --git a/runtime/glbl.c b/runtime/glbl.c
index deb32471..11a664f8 100644
--- a/runtime/glbl.c
+++ b/runtime/glbl.c
@@ -42,15 +42,6 @@
 #ifndef DFLT_NETSTRM_DRVR
 #	define DFLT_NETSTRM_DRVR ((uchar*)"ptcp")
 #endif
-#ifndef DFLT_NETSTRM_DRVR_CAF
-#	define DFLT_NETSTRM_DRVR_CAF ((uchar*)"ca.pem")
-#endif
-#ifndef DFLT_NETSTRM_DRVR_KEYFILE
-#	define DFLT_NETSTRM_DRVR_KEYFILE ((uchar*)"key.pem")
-#endif
-#ifndef DFLT_NETSTRM_DRVR_CERTFILE
-#	define DFLT_NETSTRM_DRVR_CERTFILE ((uchar*)"cert.pem")
-#endif
 
 /* static data */
 DEFobjStaticHelpers
@@ -141,7 +132,7 @@ GetDfltNetstrmDrvr(void)
 static uchar*
 GetDfltNetstrmDrvrCAF(void)
 {
-	return(pszDfltNetstrmDrvrCAF == NULL ? DFLT_NETSTRM_DRVR_CAF : pszDfltNetstrmDrvrCAF);
+	return(pszDfltNetstrmDrvrCAF);
 }
 
 
@@ -149,7 +140,7 @@ GetDfltNetstrmDrvrCAF(void)
 static uchar*
 GetDfltNetstrmDrvrKeyFile(void)
 {
-	return(pszDfltNetstrmDrvrKeyFile == NULL ? DFLT_NETSTRM_DRVR_KEYFILE : pszDfltNetstrmDrvrKeyFile);
+	return(pszDfltNetstrmDrvrKeyFile);
 }
 
 
@@ -157,7 +148,7 @@ GetDfltNetstrmDrvrKeyFile(void)
 static uchar*
 GetDfltNetstrmDrvrCertFile(void)
 {
-	return(pszDfltNetstrmDrvrCertFile == NULL ? DFLT_NETSTRM_DRVR_CERTFILE : pszDfltNetstrmDrvrCertFile);
+	return(pszDfltNetstrmDrvrCertFile);
 }
 
 
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index e670da13..3f2817f7 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -169,6 +169,17 @@ gtlsLoadOurCertKey(nsd_gtls_t *pThis)
 	certFile = glbl.GetDfltNetstrmDrvrCertFile();
 	keyFile = glbl.GetDfltNetstrmDrvrKeyFile();
 
+	if(certFile == NULL || keyFile == NULL) {
+		/* in this case, we can not set our certificate. If we are 
+		 * a client and the server is running in "anon" auth mode, this
+		 * may be well acceptable. In other cases, we will see some
+		 * more error messages down the road. -- rgerhards, 2008-07-02
+		 */
+		dbgprintf("our certificate is not set, file name values are cert: '%s', key: '%s'\n",
+			  certFile, keyFile);
+		ABORT_FINALIZE(RS_RET_CERTLESS);
+	}
+
 	/* try load certificate */
 	CHKiRet(readFile(certFile, &data));
 	CHKgnutls(gnutls_x509_crt_init(&pThis->ourCert));
@@ -531,7 +542,7 @@ finalize_it:
 		pGnuErr = gtlsStrerror(gnuRet);
 		errno = 0;
 		errmsg.LogError(0, iRet, "error adding our certificate. GnuTLS error %d, message: '%s', "
-				"key: '%s', cert: '%s'\n", gnuRet, pGnuErr, keyFile, certFile);
+				"key: '%s', cert: '%s'", gnuRet, pGnuErr, keyFile, certFile);
 		free(pGnuErr);
 	}
 	RETiRet;
@@ -636,6 +647,9 @@ gtlsGlblInitLstn(void)
 		CHKiRet(generate_dh_params());
 		gnutls_certificate_set_dh_params(xcred, dh_params); /* this is void */
 		bGlblSrvrInitDone = 1; /* we are all set now */
+
+		/* now we need to add our certificate */
+		CHKiRet(gtlsAddOurCert());
 	}
 
 finalize_it:
@@ -1129,8 +1143,6 @@ gtlsSetTransportPtr(nsd_gtls_t *pThis, int sock)
 BEGINobjConstruct(nsd_gtls) /* be sure to specify the object type also in END macro! */
 	iRet = nsd_ptcp.Construct(&pThis->pTcp);
 	pThis->bReportAuthErr = 1;
-	CHKiRet(gtlsAddOurCert());
-finalize_it:
 ENDobjConstruct(nsd_gtls)
 
 
@@ -1558,8 +1570,12 @@ Connect(nsd_t *pNsd, int family, uchar *port, uchar *host)
 	 */
 	/* store a pointer to ourselfs (needed by callback) */
 	gnutls_session_set_ptr(pThis->sess, (void*)pThis);
-	CHKiRet(gtlsLoadOurCertKey(pThis)); /* first load .pem files */
-	gnutls_certificate_client_set_retrieve_function(xcred, gtlsClientCertCallback);
+	iRet = gtlsLoadOurCertKey(pThis); /* first load .pem files */
+	if(iRet == RS_RET_OK) {
+		gnutls_certificate_client_set_retrieve_function(xcred, gtlsClientCertCallback);
+	} else if(iRet != RS_RET_CERTLESS) {
+		FINALIZE; /* we have an error case! */
+	}
 
 	/* Use default priorities */
 	CHKgnutls(gnutls_set_default_priority(pThis->sess));
diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
index 7771bea5..95b2c756 100644
--- a/runtime/rsyslog.h
+++ b/runtime/rsyslog.h
@@ -247,6 +247,7 @@ enum rsRetVal_				/** return value. All methods return this if not specified oth
 	RS_RET_CLOSED = -2099, /**< connection was closed */
 	RS_RET_RETRY = -2100, /**< call should be retried (e.g. EGAIN on recv) */
 	RS_RET_GSS_ERR = -2101, /**< generic error occured in GSSAPI subsystem */
+	RS_RET_CERTLESS = -2102, /**< state: we run without machine cert (this may be OK) */
 
 	/* RainerScript error messages (range 1000.. 1999) */
 	RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */