summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--ChangeLog5
-rw-r--r--Makefile.am2
-rw-r--r--configure.ac1
-rw-r--r--doc/imgssapi.html2
-rw-r--r--plugins/imgssapi/.cvsignore6
-rw-r--r--plugins/imgssapi/Makefile.am6
-rw-r--r--plugins/imgssapi/imgssapi.c343
-rw-r--r--plugins/imtcp/Makefile.am8
-rw-r--r--plugins/imtcp/imtcp.c309
9 files changed, 380 insertions, 302 deletions
diff --git a/ChangeLog b/ChangeLog
index 0592f8c4..f8170719 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,10 @@
---------------------------------------------------------------------------
-Version 3.12.0 (rgerhards), 2008-02-??
+Version 3.11.6 (rgerhards), 2008-02-??
- bugfix: gssapi libraries were still linked to rsyslog core, what should
no longer be necessary. Applied fix by Michael Biebl to solve this.
+- enabled imgssapi to be loaded side-by-side with imtcp
+- added InputGSSServerPermitPlainTCP config directive
+- split imgssapi source code somewhat from imtcp
- applied patch from varmojfekoj to fix an issue with compatibility
mode and default module directories (many thanks!):
I've also noticed a bug in the compatibility code; the problem is that
diff --git a/Makefile.am b/Makefile.am
index cbf9abaf..6dee36e8 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -119,7 +119,7 @@ SUBDIRS += plugins/imklog
endif
if ENABLE_GSSAPI
-SUBDIRS += plugins/omgssapi
+SUBDIRS += plugins/omgssapi plugins/imgssapi
endif
if ENABLE_MYSQL
diff --git a/configure.ac b/configure.ac
index 3521df89..2a108fe9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -486,6 +486,7 @@ AC_CONFIG_FILES([Makefile \
doc/Makefile \
plugins/imudp/Makefile \
plugins/imtcp/Makefile \
+ plugins/imgssapi/Makefile \
plugins/imuxsock/Makefile \
plugins/immark/Makefile \
plugins/imklog/Makefile \
diff --git a/doc/imgssapi.html b/doc/imgssapi.html
index a44af8ed..09d89701 100644
--- a/doc/imgssapi.html
+++ b/doc/imgssapi.html
@@ -5,7 +5,7 @@
</head>
<body>
<h1>GSSAPI Syslog Input Module</h1>
-<p><b>Module Name:&nbsp;&nbsp;&nbsp; imtcp</b></p>
+<p><b>Module Name:&nbsp;&nbsp;&nbsp; imgssapi</b></p>
<p><b>Author: </b>varmojfekoj</p>
<p><b>Description</b>:</p>
<p>Provides the ability to receive syslog messages from the
diff --git a/plugins/imgssapi/.cvsignore b/plugins/imgssapi/.cvsignore
new file mode 100644
index 00000000..9730646f
--- /dev/null
+++ b/plugins/imgssapi/.cvsignore
@@ -0,0 +1,6 @@
+.deps
+.libs
+Makefile
+Makefile.in
+*.la
+*.lo
diff --git a/plugins/imgssapi/Makefile.am b/plugins/imgssapi/Makefile.am
new file mode 100644
index 00000000..6c2d6625
--- /dev/null
+++ b/plugins/imgssapi/Makefile.am
@@ -0,0 +1,6 @@
+pkglib_LTLIBRARIES = imgssapi.la
+
+imgssapi_la_SOURCES = imgssapi.c
+imgssapi_la_CPPFLAGS = -I$(top_srcdir) $(pthreads_cflags) $(mudflap_cflags)
+imgssapi_la_LDFLAGS = $(mudflap_libs) -module -avoid-version
+imgssapi_la_LIBADD = $(gss_libs) $(top_builddir)/libgssapi-misc.la
diff --git a/plugins/imgssapi/imgssapi.c b/plugins/imgssapi/imgssapi.c
new file mode 100644
index 00000000..62bcb2dd
--- /dev/null
+++ b/plugins/imgssapi/imgssapi.c
@@ -0,0 +1,343 @@
+/* imgssapi.c
+ * This is the implementation of the GSSAPI input module.
+ *
+ * IMPORTANT: Currently this module does not really exist. It shares code
+ * from imtcp, which has everything (controlled via preprocessor
+ * defines). This file has been created in order to facilitate moving
+ * gssapi into its real own module.
+ *
+ * NOTE: read comments in module-template.h to understand how this file
+ * works!
+ *
+ * Copyright 2007 Rainer Gerhards and Adiscon GmbH.
+ *
+ * This file is part of rsyslog.
+ *
+ * Rsyslog is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * Rsyslog is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with Rsyslog. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * A copy of the GPL can be found in the file "COPYING" in this distribution.
+ */
+
+#include "config.h"
+#include <gssapi/gssapi.h>
+#include "rsyslog.h"
+#include "syslogd.h"
+#include "cfsysline.h"
+#include "module-template.h"
+#include "net.h"
+#include "srUtils.h"
+#include "gss-misc.h"
+
+/* some forward definitions - they may go away when we no longer include imtcp.c */
+static rsRetVal addGSSListener(void __attribute__((unused)) *pVal, uchar *pNewVal);
+int TCPSessGSSAccept(int fd);
+int TCPSessGSSInit(void);
+void TCPSessGSSClose(int iSess);
+void TCPSessGSSDeinit(void);
+int TCPSessGSSRecv(int iSess, void *buf, size_t buf_len);
+
+/* static data */
+static gss_cred_id_t gss_server_creds = GSS_C_NO_CREDENTIAL;
+
+/* config variables */
+static char *gss_listen_service_name = NULL;
+static int bPermitPlainTcp = 0; /* plain tcp syslog allowed on GSSAPI port? */
+
+/* ################################################################################ *
+ * # THE FOLLOWING LINE IS VITALLY IMPORTANT # *
+ * #------------------------------------------------------------------------------# *
+ * # It includes imtcp.c, which has many common code with this module. Over time, # *
+ * # we will move this into separate clases, but for the time being it permits # *
+ * # use to use a somewhat clean build process and keep the files focussed. # *
+ * ################################################################################ */
+
+#include "../imtcp/imtcp.c"
+
+/* ################################################################################ *
+ * # END IMPORTANT PART # *
+ * ################################################################################ */
+
+static rsRetVal addGSSListener(void __attribute__((unused)) *pVal, uchar *pNewVal)
+{
+ if (!bEnableTCP)
+ configureTCPListen((char *) pNewVal);
+ bEnableTCP |= ALLOWEDMETHOD_GSS;
+
+ return RS_RET_OK;
+}
+
+
+/* returns 0 if all went OK, -1 if it failed */
+int TCPSessGSSInit(void)
+{
+ gss_buffer_desc name_buf;
+ gss_name_t server_name;
+ OM_uint32 maj_stat, min_stat;
+
+ if (gss_server_creds != GSS_C_NO_CREDENTIAL)
+ return 0;
+
+ name_buf.value = (gss_listen_service_name == NULL) ? "host" : gss_listen_service_name;
+ name_buf.length = strlen(name_buf.value) + 1;
+ maj_stat = gss_import_name(&min_stat, &name_buf, GSS_C_NT_HOSTBASED_SERVICE, &server_name);
+ if (maj_stat != GSS_S_COMPLETE) {
+ display_status("importing name", maj_stat, min_stat);
+ return -1;
+ }
+
+ maj_stat = gss_acquire_cred(&min_stat, server_name, 0,
+ GSS_C_NULL_OID_SET, GSS_C_ACCEPT,
+ &gss_server_creds, NULL, NULL);
+ if (maj_stat != GSS_S_COMPLETE) {
+ display_status("acquiring credentials", maj_stat, min_stat);
+ return -1;
+ }
+
+ gss_release_name(&min_stat, &server_name);
+ dbgprintf("GSS-API initialized\n");
+ return 0;
+}
+
+
+/* returns 0 if all went OK, -1 if it failed */
+int TCPSessGSSAccept(int fd)
+{
+ gss_buffer_desc send_tok, recv_tok;
+ gss_name_t client;
+ OM_uint32 maj_stat, min_stat, acc_sec_min_stat;
+ int iSess;
+ gss_ctx_id_t *context;
+ OM_uint32 *sess_flags;
+ int fdSess;
+ char allowedMethods;
+
+ if ((iSess = TCPSessAccept(fd)) == -1)
+ return -1;
+
+ allowedMethods = pTCPSessions[iSess].allowedMethods;
+ if (allowedMethods & ALLOWEDMETHOD_GSS) {
+ /* Buffer to store raw message in case that
+ * gss authentication fails halfway through.
+ */
+ char buf[MAXLINE];
+ int ret = 0;
+
+ dbgprintf("GSS-API Trying to accept TCP session %d\n", iSess);
+
+ fdSess = pTCPSessions[iSess].sock;
+ if (allowedMethods & ALLOWEDMETHOD_TCP) {
+ int len;
+ fd_set fds;
+ struct timeval tv;
+
+ do {
+ FD_ZERO(&fds);
+ FD_SET(fdSess, &fds);
+ tv.tv_sec = 1;
+ tv.tv_usec = 0;
+ ret = select(fdSess + 1, &fds, NULL, NULL, &tv);
+ } while (ret < 0 && errno == EINTR);
+ if (ret < 0) {
+ logerrorInt("TCP session %d will be closed, error ignored\n", iSess);
+ TCPSessClose(iSess);
+ return -1;
+ } else if (ret == 0) {
+ dbgprintf("GSS-API Reverting to plain TCP\n");
+ pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP;
+ return 0;
+ }
+
+ do {
+ ret = recv(fdSess, buf, sizeof (buf), MSG_PEEK);
+ } while (ret < 0 && errno == EINTR);
+ if (ret <= 0) {
+ if (ret == 0)
+ dbgprintf("GSS-API Connection closed by peer\n");
+ else
+ logerrorInt("TCP session %d will be closed, error ignored\n", iSess);
+ TCPSessClose(iSess);
+ return -1;
+ }
+
+ if (ret < 4) {
+ dbgprintf("GSS-API Reverting to plain TCP\n");
+ pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP;
+ return 0;
+ } else if (ret == 4) {
+ /* The client might has been interupted after sending
+ * the data length (4B), give him another chance.
+ */
+ sleep(1);
+ do {
+ ret = recv(fdSess, buf, sizeof (buf), MSG_PEEK);
+ } while (ret < 0 && errno == EINTR);
+ if (ret <= 0) {
+ if (ret == 0)
+ dbgprintf("GSS-API Connection closed by peer\n");
+ else
+ logerrorInt("TCP session %d will be closed, error ignored\n", iSess);
+ TCPSessClose(iSess);
+ return -1;
+ }
+ }
+
+ len = ntohl((buf[0] << 24)
+ | (buf[1] << 16)
+ | (buf[2] << 8)
+ | buf[3]);
+ if ((ret - 4) < len || len == 0) {
+ dbgprintf("GSS-API Reverting to plain TCP\n");
+ pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP;
+ return 0;
+ }
+ }
+
+ context = &pTCPSessions[iSess].gss_context;
+ *context = GSS_C_NO_CONTEXT;
+ sess_flags = &pTCPSessions[iSess].gss_flags;
+ do {
+ if (recv_token(fdSess, &recv_tok) <= 0) {
+ logerrorInt("TCP session %d will be closed, error ignored\n", iSess);
+ TCPSessClose(iSess);
+ return -1;
+ }
+ maj_stat = gss_accept_sec_context(&acc_sec_min_stat, context, gss_server_creds,
+ &recv_tok, GSS_C_NO_CHANNEL_BINDINGS, &client,
+ NULL, &send_tok, sess_flags, NULL, NULL);
+ if (recv_tok.value) {
+ free(recv_tok.value);
+ recv_tok.value = NULL;
+ }
+ if (maj_stat != GSS_S_COMPLETE
+ && maj_stat != GSS_S_CONTINUE_NEEDED) {
+ gss_release_buffer(&min_stat, &send_tok);
+ if (*context != GSS_C_NO_CONTEXT)
+ gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER);
+ if ((allowedMethods & ALLOWEDMETHOD_TCP) &&
+ (GSS_ROUTINE_ERROR(maj_stat) == GSS_S_DEFECTIVE_TOKEN)) {
+ dbgprintf("GSS-API Reverting to plain TCP\n");
+ dbgprintf("tcp session socket with new data: #%d\n", fdSess);
+ if(TCPSessDataRcvd(iSess, buf, ret) == 0) {
+ logerrorInt("Tearing down TCP Session %d - see "
+ "previous messages for reason(s)\n",
+ iSess);
+ TCPSessClose(iSess);
+ return -1;
+ }
+ pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP;
+ return 0;
+ }
+ display_status("accepting context", maj_stat,
+ acc_sec_min_stat);
+ TCPSessClose(iSess);
+ return -1;
+ }
+ if (send_tok.length != 0) {
+ if (send_token(fdSess, &send_tok) < 0) {
+ gss_release_buffer(&min_stat, &send_tok);
+ logerrorInt("TCP session %d will be closed, error ignored\n", iSess);
+ if (*context != GSS_C_NO_CONTEXT)
+ gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER);
+ TCPSessClose(iSess);
+ return -1;
+ }
+ gss_release_buffer(&min_stat, &send_tok);
+ }
+ } while (maj_stat == GSS_S_CONTINUE_NEEDED);
+
+ maj_stat = gss_display_name(&min_stat, client, &recv_tok, NULL);
+ if (maj_stat != GSS_S_COMPLETE)
+ display_status("displaying name", maj_stat, min_stat);
+ else
+ dbgprintf("GSS-API Accepted connection from: %s\n", (char*) recv_tok.value);
+ gss_release_name(&min_stat, &client);
+ gss_release_buffer(&min_stat, &recv_tok);
+
+ dbgprintf("GSS-API Provided context flags:\n");
+ display_ctx_flags(*sess_flags);
+ pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_GSS;
+ }
+
+ return 0;
+}
+
+
+/* returns: ? */
+int TCPSessGSSRecv(int iSess, void *buf, size_t buf_len)
+{
+ gss_buffer_desc xmit_buf, msg_buf;
+ gss_ctx_id_t *context;
+ OM_uint32 maj_stat, min_stat;
+ int fdSess;
+ int conf_state;
+ int state, len;
+
+ fdSess = pTCPSessions[iSess].sock;
+ if ((state = recv_token(fdSess, &xmit_buf)) <= 0)
+ return state;
+
+ context = &pTCPSessions[iSess].gss_context;
+ maj_stat = gss_unwrap(&min_stat, *context, &xmit_buf, &msg_buf,
+ &conf_state, (gss_qop_t *) NULL);
+ if (maj_stat != GSS_S_COMPLETE) {
+ display_status("unsealing message", maj_stat, min_stat);
+ if (xmit_buf.value) {
+ free(xmit_buf.value);
+ xmit_buf.value = 0;
+ }
+ return (-1);
+ }
+ if (xmit_buf.value) {
+ free(xmit_buf.value);
+ xmit_buf.value = 0;
+ }
+
+ len = msg_buf.length < buf_len ? msg_buf.length : buf_len;
+ memcpy(buf, msg_buf.value, len);
+ gss_release_buffer(&min_stat, &msg_buf);
+
+ return len;
+}
+
+
+void TCPSessGSSClose(int iSess) {
+ OM_uint32 maj_stat, min_stat;
+ gss_ctx_id_t *context;
+
+ if(iSess < 0 || iSess > iTCPSessMax) {
+ errno = 0;
+ logerror("internal error, trying to close an invalid TCP session!");
+ return;
+ }
+
+ context = &pTCPSessions[iSess].gss_context;
+ maj_stat = gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER);
+ if (maj_stat != GSS_S_COMPLETE)
+ display_status("deleting context", maj_stat, min_stat);
+ *context = GSS_C_NO_CONTEXT;
+ pTCPSessions[iSess].gss_flags = 0;
+ pTCPSessions[iSess].allowedMethods = 0;
+
+ TCPSessClose(iSess);
+}
+
+
+void TCPSessGSSDeinit(void) {
+ OM_uint32 maj_stat, min_stat;
+
+ maj_stat = gss_release_cred(&min_stat, &gss_server_creds);
+ if (maj_stat != GSS_S_COMPLETE)
+ display_status("releasing credentials", maj_stat, min_stat);
+}
+
diff --git a/plugins/imtcp/Makefile.am b/plugins/imtcp/Makefile.am
index 36cff50a..6298135a 100644
--- a/plugins/imtcp/Makefile.am
+++ b/plugins/imtcp/Makefile.am
@@ -1,13 +1,5 @@
pkglib_LTLIBRARIES = imtcp.la
-if ENABLE_GSSAPI
-pkglib_LTLIBRARIES += imgssapi.la
-endif
imtcp_la_SOURCES = imtcp.c
imtcp_la_CPPFLAGS = -DFORCE_NO_GSS=1 -I$(top_srcdir) $(pthreads_cflags) $(mudflap_cflags)
imtcp_la_LDFLAGS = $(mudflap_libs) -module -avoid-version
-
-imgssapi_la_SOURCES = imtcp.c
-imgssapi_la_CPPFLAGS = -I$(top_srcdir) $(pthreads_cflags) $(mudflap_cflags)
-imgssapi_la_LDFLAGS = $(mudflap_libs) -module -avoid-version
-imgssapi_la_LIBADD = $(gss_libs) $(top_builddir)/libgssapi-misc.la
diff --git a/plugins/imtcp/imtcp.c b/plugins/imtcp/imtcp.c
index 84bb61a2..a1fabea7 100644
--- a/plugins/imtcp/imtcp.c
+++ b/plugins/imtcp/imtcp.c
@@ -47,17 +47,11 @@
#if HAVE_FCNTL_H
#include <fcntl.h>
#endif
-#ifdef USE_GSSAPI
-#include <gssapi/gssapi.h>
-#endif
#include "rsyslog.h"
#include "syslogd.h"
#include "cfsysline.h"
#include "module-template.h"
#include "net.h"
-#ifdef USE_GSSAPI
-#include "gss-misc.h"
-#endif
#include "srUtils.h"
MODULE_TYPE_INPUT
@@ -102,10 +96,6 @@ static int bEnableTCP = 0; /* read-only after startup */
static int *sockTCPLstn = NULL; /* read-only after startup, modified by restart */
static struct TCPSession *pTCPSessions;
/* The thread-safeness of the sesion table is doubtful */
-#ifdef USE_GSSAPI
-static gss_cred_id_t gss_server_creds = GSS_C_NO_CREDENTIAL;
-static char *gss_listen_service_name = NULL;
-#endif
/* config settings */
@@ -763,6 +753,7 @@ int TCPSessDataRcvd(int iTCPSess, char *pData, int iLen)
}
+#ifndef USE_GSSAPI
static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVal)
{
if (!bEnableTCP)
@@ -771,283 +762,7 @@ static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVa
return RS_RET_OK;
}
-
-
-#ifdef USE_GSSAPI
-static rsRetVal addGSSListener(void __attribute__((unused)) *pVal, uchar *pNewVal)
-{
- if (!bEnableTCP)
- configureTCPListen((char *) pNewVal);
- bEnableTCP |= ALLOWEDMETHOD_GSS;
-
- return RS_RET_OK;
-}
-
-
-/* returns 0 if all went OK, -1 if it failed */
-int TCPSessGSSInit(void)
-{
- gss_buffer_desc name_buf;
- gss_name_t server_name;
- OM_uint32 maj_stat, min_stat;
-
- if (gss_server_creds != GSS_C_NO_CREDENTIAL)
- return 0;
-
- name_buf.value = (gss_listen_service_name == NULL) ? "host" : gss_listen_service_name;
- name_buf.length = strlen(name_buf.value) + 1;
- maj_stat = gss_import_name(&min_stat, &name_buf, GSS_C_NT_HOSTBASED_SERVICE, &server_name);
- if (maj_stat != GSS_S_COMPLETE) {
- display_status("importing name", maj_stat, min_stat);
- return -1;
- }
-
- maj_stat = gss_acquire_cred(&min_stat, server_name, 0,
- GSS_C_NULL_OID_SET, GSS_C_ACCEPT,
- &gss_server_creds, NULL, NULL);
- if (maj_stat != GSS_S_COMPLETE) {
- display_status("acquiring credentials", maj_stat, min_stat);
- return -1;
- }
-
- gss_release_name(&min_stat, &server_name);
- dbgprintf("GSS-API initialized\n");
- return 0;
-}
-
-
-/* returns 0 if all went OK, -1 if it failed */
-int TCPSessGSSAccept(int fd)
-{
- gss_buffer_desc send_tok, recv_tok;
- gss_name_t client;
- OM_uint32 maj_stat, min_stat, acc_sec_min_stat;
- int iSess;
- gss_ctx_id_t *context;
- OM_uint32 *sess_flags;
- int fdSess;
- char allowedMethods;
-
- if ((iSess = TCPSessAccept(fd)) == -1)
- return -1;
-
- allowedMethods = pTCPSessions[iSess].allowedMethods;
- if (allowedMethods & ALLOWEDMETHOD_GSS) {
- /* Buffer to store raw message in case that
- * gss authentication fails halfway through.
- */
- char buf[MAXLINE];
- int ret = 0;
-
- dbgprintf("GSS-API Trying to accept TCP session %d\n", iSess);
-
- fdSess = pTCPSessions[iSess].sock;
- if (allowedMethods & ALLOWEDMETHOD_TCP) {
- int len;
- fd_set fds;
- struct timeval tv;
-
- do {
- FD_ZERO(&fds);
- FD_SET(fdSess, &fds);
- tv.tv_sec = 1;
- tv.tv_usec = 0;
- ret = select(fdSess + 1, &fds, NULL, NULL, &tv);
- } while (ret < 0 && errno == EINTR);
- if (ret < 0) {
- logerrorInt("TCP session %d will be closed, error ignored\n", iSess);
- TCPSessClose(iSess);
- return -1;
- } else if (ret == 0) {
- dbgprintf("GSS-API Reverting to plain TCP\n");
- pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP;
- return 0;
- }
-
- do {
- ret = recv(fdSess, buf, sizeof (buf), MSG_PEEK);
- } while (ret < 0 && errno == EINTR);
- if (ret <= 0) {
- if (ret == 0)
- dbgprintf("GSS-API Connection closed by peer\n");
- else
- logerrorInt("TCP session %d will be closed, error ignored\n", iSess);
- TCPSessClose(iSess);
- return -1;
- }
-
- if (ret < 4) {
- dbgprintf("GSS-API Reverting to plain TCP\n");
- pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP;
- return 0;
- } else if (ret == 4) {
- /* The client might has been interupted after sending
- * the data length (4B), give him another chance.
- */
- sleep(1);
- do {
- ret = recv(fdSess, buf, sizeof (buf), MSG_PEEK);
- } while (ret < 0 && errno == EINTR);
- if (ret <= 0) {
- if (ret == 0)
- dbgprintf("GSS-API Connection closed by peer\n");
- else
- logerrorInt("TCP session %d will be closed, error ignored\n", iSess);
- TCPSessClose(iSess);
- return -1;
- }
- }
-
- len = ntohl((buf[0] << 24)
- | (buf[1] << 16)
- | (buf[2] << 8)
- | buf[3]);
- if ((ret - 4) < len || len == 0) {
- dbgprintf("GSS-API Reverting to plain TCP\n");
- pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP;
- return 0;
- }
- }
-
- context = &pTCPSessions[iSess].gss_context;
- *context = GSS_C_NO_CONTEXT;
- sess_flags = &pTCPSessions[iSess].gss_flags;
- do {
- if (recv_token(fdSess, &recv_tok) <= 0) {
- logerrorInt("TCP session %d will be closed, error ignored\n", iSess);
- TCPSessClose(iSess);
- return -1;
- }
- maj_stat = gss_accept_sec_context(&acc_sec_min_stat, context, gss_server_creds,
- &recv_tok, GSS_C_NO_CHANNEL_BINDINGS, &client,
- NULL, &send_tok, sess_flags, NULL, NULL);
- if (recv_tok.value) {
- free(recv_tok.value);
- recv_tok.value = NULL;
- }
- if (maj_stat != GSS_S_COMPLETE
- && maj_stat != GSS_S_CONTINUE_NEEDED) {
- gss_release_buffer(&min_stat, &send_tok);
- if (*context != GSS_C_NO_CONTEXT)
- gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER);
- if ((allowedMethods & ALLOWEDMETHOD_TCP) &&
- (GSS_ROUTINE_ERROR(maj_stat) == GSS_S_DEFECTIVE_TOKEN)) {
- dbgprintf("GSS-API Reverting to plain TCP\n");
- dbgprintf("tcp session socket with new data: #%d\n", fdSess);
- if(TCPSessDataRcvd(iSess, buf, ret) == 0) {
- logerrorInt("Tearing down TCP Session %d - see "
- "previous messages for reason(s)\n",
- iSess);
- TCPSessClose(iSess);
- return -1;
- }
- pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP;
- return 0;
- }
- display_status("accepting context", maj_stat,
- acc_sec_min_stat);
- TCPSessClose(iSess);
- return -1;
- }
- if (send_tok.length != 0) {
- if (send_token(fdSess, &send_tok) < 0) {
- gss_release_buffer(&min_stat, &send_tok);
- logerrorInt("TCP session %d will be closed, error ignored\n", iSess);
- if (*context != GSS_C_NO_CONTEXT)
- gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER);
- TCPSessClose(iSess);
- return -1;
- }
- gss_release_buffer(&min_stat, &send_tok);
- }
- } while (maj_stat == GSS_S_CONTINUE_NEEDED);
-
- maj_stat = gss_display_name(&min_stat, client, &recv_tok, NULL);
- if (maj_stat != GSS_S_COMPLETE)
- display_status("displaying name", maj_stat, min_stat);
- else
- dbgprintf("GSS-API Accepted connection from: %s\n", (char*) recv_tok.value);
- gss_release_name(&min_stat, &client);
- gss_release_buffer(&min_stat, &recv_tok);
-
- dbgprintf("GSS-API Provided context flags:\n");
- display_ctx_flags(*sess_flags);
- pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_GSS;
- }
-
- return 0;
-}
-
-
-/* returns: ? */
-int TCPSessGSSRecv(int iSess, void *buf, size_t buf_len)
-{
- gss_buffer_desc xmit_buf, msg_buf;
- gss_ctx_id_t *context;
- OM_uint32 maj_stat, min_stat;
- int fdSess;
- int conf_state;
- int state, len;
-
- fdSess = pTCPSessions[iSess].sock;
- if ((state = recv_token(fdSess, &xmit_buf)) <= 0)
- return state;
-
- context = &pTCPSessions[iSess].gss_context;
- maj_stat = gss_unwrap(&min_stat, *context, &xmit_buf, &msg_buf,
- &conf_state, (gss_qop_t *) NULL);
- if (maj_stat != GSS_S_COMPLETE) {
- display_status("unsealing message", maj_stat, min_stat);
- if (xmit_buf.value) {
- free(xmit_buf.value);
- xmit_buf.value = 0;
- }
- return (-1);
- }
- if (xmit_buf.value) {
- free(xmit_buf.value);
- xmit_buf.value = 0;
- }
-
- len = msg_buf.length < buf_len ? msg_buf.length : buf_len;
- memcpy(buf, msg_buf.value, len);
- gss_release_buffer(&min_stat, &msg_buf);
-
- return len;
-}
-
-
-void TCPSessGSSClose(int iSess) {
- OM_uint32 maj_stat, min_stat;
- gss_ctx_id_t *context;
-
- if(iSess < 0 || iSess > iTCPSessMax) {
- errno = 0;
- logerror("internal error, trying to close an invalid TCP session!");
- return;
- }
-
- context = &pTCPSessions[iSess].gss_context;
- maj_stat = gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER);
- if (maj_stat != GSS_S_COMPLETE)
- display_status("deleting context", maj_stat, min_stat);
- *context = GSS_C_NO_CONTEXT;
- pTCPSessions[iSess].gss_flags = 0;
- pTCPSessions[iSess].allowedMethods = 0;
-
- TCPSessClose(iSess);
-}
-
-
-void TCPSessGSSDeinit(void) {
- OM_uint32 maj_stat, min_stat;
-
- maj_stat = gss_release_cred(&min_stat, &gss_server_creds);
- if (maj_stat != GSS_S_COMPLETE)
- display_status("releasing credentials", maj_stat, min_stat);
-}
-#endif /* #ifdef USE_GSSAPI */
-
+#endif
/* This function is called to gather input.
*/
@@ -1194,7 +909,15 @@ ENDrunInput
/* initialize and return if will run or not */
BEGINwillRun
CODESTARTwillRun
+#ifdef USE_GSSAPI
+ /* first check if we must support plain TCP, too. If so, set mode
+ * accordingly. -- rgerhards, 2008-02-26
+ */
+ if(bPermitPlainTcp)
+ bEnableTCP |= ALLOWEDMETHOD_TCP;
+
/* first apply some config settings */
+#endif
dbgprintf("imtcp: bEnableTCP %d\n", bEnableTCP);
PrintAllowedSenders(2); /* TCP */
#ifdef USE_GSSAPI
@@ -1270,6 +993,7 @@ static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __a
free(gss_listen_service_name);
gss_listen_service_name = NULL;
}
+ bPermitPlainTcp = 0;
#endif
return RS_RET_OK;
}
@@ -1280,15 +1004,18 @@ CODESTARTmodInit
*ipIFVersProvided = 1; /* so far, we only support the initial definition */
CODEmodInit_QueryRegCFSLineHdlr
/* register config file handlers */
- CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpserverrun", 0, eCmdHdlrGetWord,
- addTCPListener, NULL, STD_LOADABLE_MODULE_ID));
- CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpmaxsessions", 0, eCmdHdlrInt,
- NULL, &iTCPSessMax, STD_LOADABLE_MODULE_ID));
#if defined(USE_GSSAPI)
+ CHKiRet(omsdRegCFSLineHdlr((uchar *)"permitplaintcp", 0, eCmdHdlrBinary,
+ NULL, bPermitPlainTcp, STD_LOADABLE_MODULE_ID));
CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputgssserverrun", 0, eCmdHdlrGetWord,
addGSSListener, NULL, STD_LOADABLE_MODULE_ID));
CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputgssserverservicename", 0, eCmdHdlrGetWord,
NULL, &gss_listen_service_name, STD_LOADABLE_MODULE_ID));
+#else
+ CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpserverrun", 0, eCmdHdlrGetWord,
+ addTCPListener, NULL, STD_LOADABLE_MODULE_ID));
+ CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpmaxsessions", 0, eCmdHdlrInt,
+ NULL, &iTCPSessMax, STD_LOADABLE_MODULE_ID));
#endif
CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler,
resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID));