diff options
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | configure.ac | 1 | ||||
-rw-r--r-- | doc/imgssapi.html | 2 | ||||
-rw-r--r-- | plugins/imgssapi/.cvsignore | 6 | ||||
-rw-r--r-- | plugins/imgssapi/Makefile.am | 6 | ||||
-rw-r--r-- | plugins/imgssapi/imgssapi.c | 343 | ||||
-rw-r--r-- | plugins/imtcp/Makefile.am | 8 | ||||
-rw-r--r-- | plugins/imtcp/imtcp.c | 309 |
9 files changed, 380 insertions, 302 deletions
@@ -1,7 +1,10 @@ --------------------------------------------------------------------------- -Version 3.12.0 (rgerhards), 2008-02-?? +Version 3.11.6 (rgerhards), 2008-02-?? - bugfix: gssapi libraries were still linked to rsyslog core, what should no longer be necessary. Applied fix by Michael Biebl to solve this. +- enabled imgssapi to be loaded side-by-side with imtcp +- added InputGSSServerPermitPlainTCP config directive +- split imgssapi source code somewhat from imtcp - applied patch from varmojfekoj to fix an issue with compatibility mode and default module directories (many thanks!): I've also noticed a bug in the compatibility code; the problem is that diff --git a/Makefile.am b/Makefile.am index cbf9abaf..6dee36e8 100644 --- a/Makefile.am +++ b/Makefile.am @@ -119,7 +119,7 @@ SUBDIRS += plugins/imklog endif if ENABLE_GSSAPI -SUBDIRS += plugins/omgssapi +SUBDIRS += plugins/omgssapi plugins/imgssapi endif if ENABLE_MYSQL diff --git a/configure.ac b/configure.ac index 3521df89..2a108fe9 100644 --- a/configure.ac +++ b/configure.ac @@ -486,6 +486,7 @@ AC_CONFIG_FILES([Makefile \ doc/Makefile \ plugins/imudp/Makefile \ plugins/imtcp/Makefile \ + plugins/imgssapi/Makefile \ plugins/imuxsock/Makefile \ plugins/immark/Makefile \ plugins/imklog/Makefile \ diff --git a/doc/imgssapi.html b/doc/imgssapi.html index a44af8ed..09d89701 100644 --- a/doc/imgssapi.html +++ b/doc/imgssapi.html @@ -5,7 +5,7 @@ </head> <body> <h1>GSSAPI Syslog Input Module</h1> -<p><b>Module Name: imtcp</b></p> +<p><b>Module Name: imgssapi</b></p> <p><b>Author: </b>varmojfekoj</p> <p><b>Description</b>:</p> <p>Provides the ability to receive syslog messages from the diff --git a/plugins/imgssapi/.cvsignore b/plugins/imgssapi/.cvsignore new file mode 100644 index 00000000..9730646f --- /dev/null +++ b/plugins/imgssapi/.cvsignore @@ -0,0 +1,6 @@ +.deps +.libs +Makefile +Makefile.in +*.la +*.lo diff --git a/plugins/imgssapi/Makefile.am b/plugins/imgssapi/Makefile.am new file mode 100644 index 00000000..6c2d6625 --- /dev/null +++ b/plugins/imgssapi/Makefile.am @@ -0,0 +1,6 @@ +pkglib_LTLIBRARIES = imgssapi.la + +imgssapi_la_SOURCES = imgssapi.c +imgssapi_la_CPPFLAGS = -I$(top_srcdir) $(pthreads_cflags) $(mudflap_cflags) +imgssapi_la_LDFLAGS = $(mudflap_libs) -module -avoid-version +imgssapi_la_LIBADD = $(gss_libs) $(top_builddir)/libgssapi-misc.la diff --git a/plugins/imgssapi/imgssapi.c b/plugins/imgssapi/imgssapi.c new file mode 100644 index 00000000..62bcb2dd --- /dev/null +++ b/plugins/imgssapi/imgssapi.c @@ -0,0 +1,343 @@ +/* imgssapi.c + * This is the implementation of the GSSAPI input module. + * + * IMPORTANT: Currently this module does not really exist. It shares code + * from imtcp, which has everything (controlled via preprocessor + * defines). This file has been created in order to facilitate moving + * gssapi into its real own module. + * + * NOTE: read comments in module-template.h to understand how this file + * works! + * + * Copyright 2007 Rainer Gerhards and Adiscon GmbH. + * + * This file is part of rsyslog. + * + * Rsyslog is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * Rsyslog is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with Rsyslog. If not, see <http://www.gnu.org/licenses/>. + * + * A copy of the GPL can be found in the file "COPYING" in this distribution. + */ + +#include "config.h" +#include <gssapi/gssapi.h> +#include "rsyslog.h" +#include "syslogd.h" +#include "cfsysline.h" +#include "module-template.h" +#include "net.h" +#include "srUtils.h" +#include "gss-misc.h" + +/* some forward definitions - they may go away when we no longer include imtcp.c */ +static rsRetVal addGSSListener(void __attribute__((unused)) *pVal, uchar *pNewVal); +int TCPSessGSSAccept(int fd); +int TCPSessGSSInit(void); +void TCPSessGSSClose(int iSess); +void TCPSessGSSDeinit(void); +int TCPSessGSSRecv(int iSess, void *buf, size_t buf_len); + +/* static data */ +static gss_cred_id_t gss_server_creds = GSS_C_NO_CREDENTIAL; + +/* config variables */ +static char *gss_listen_service_name = NULL; +static int bPermitPlainTcp = 0; /* plain tcp syslog allowed on GSSAPI port? */ + +/* ################################################################################ * + * # THE FOLLOWING LINE IS VITALLY IMPORTANT # * + * #------------------------------------------------------------------------------# * + * # It includes imtcp.c, which has many common code with this module. Over time, # * + * # we will move this into separate clases, but for the time being it permits # * + * # use to use a somewhat clean build process and keep the files focussed. # * + * ################################################################################ */ + +#include "../imtcp/imtcp.c" + +/* ################################################################################ * + * # END IMPORTANT PART # * + * ################################################################################ */ + +static rsRetVal addGSSListener(void __attribute__((unused)) *pVal, uchar *pNewVal) +{ + if (!bEnableTCP) + configureTCPListen((char *) pNewVal); + bEnableTCP |= ALLOWEDMETHOD_GSS; + + return RS_RET_OK; +} + + +/* returns 0 if all went OK, -1 if it failed */ +int TCPSessGSSInit(void) +{ + gss_buffer_desc name_buf; + gss_name_t server_name; + OM_uint32 maj_stat, min_stat; + + if (gss_server_creds != GSS_C_NO_CREDENTIAL) + return 0; + + name_buf.value = (gss_listen_service_name == NULL) ? "host" : gss_listen_service_name; + name_buf.length = strlen(name_buf.value) + 1; + maj_stat = gss_import_name(&min_stat, &name_buf, GSS_C_NT_HOSTBASED_SERVICE, &server_name); + if (maj_stat != GSS_S_COMPLETE) { + display_status("importing name", maj_stat, min_stat); + return -1; + } + + maj_stat = gss_acquire_cred(&min_stat, server_name, 0, + GSS_C_NULL_OID_SET, GSS_C_ACCEPT, + &gss_server_creds, NULL, NULL); + if (maj_stat != GSS_S_COMPLETE) { + display_status("acquiring credentials", maj_stat, min_stat); + return -1; + } + + gss_release_name(&min_stat, &server_name); + dbgprintf("GSS-API initialized\n"); + return 0; +} + + +/* returns 0 if all went OK, -1 if it failed */ +int TCPSessGSSAccept(int fd) +{ + gss_buffer_desc send_tok, recv_tok; + gss_name_t client; + OM_uint32 maj_stat, min_stat, acc_sec_min_stat; + int iSess; + gss_ctx_id_t *context; + OM_uint32 *sess_flags; + int fdSess; + char allowedMethods; + + if ((iSess = TCPSessAccept(fd)) == -1) + return -1; + + allowedMethods = pTCPSessions[iSess].allowedMethods; + if (allowedMethods & ALLOWEDMETHOD_GSS) { + /* Buffer to store raw message in case that + * gss authentication fails halfway through. + */ + char buf[MAXLINE]; + int ret = 0; + + dbgprintf("GSS-API Trying to accept TCP session %d\n", iSess); + + fdSess = pTCPSessions[iSess].sock; + if (allowedMethods & ALLOWEDMETHOD_TCP) { + int len; + fd_set fds; + struct timeval tv; + + do { + FD_ZERO(&fds); + FD_SET(fdSess, &fds); + tv.tv_sec = 1; + tv.tv_usec = 0; + ret = select(fdSess + 1, &fds, NULL, NULL, &tv); + } while (ret < 0 && errno == EINTR); + if (ret < 0) { + logerrorInt("TCP session %d will be closed, error ignored\n", iSess); + TCPSessClose(iSess); + return -1; + } else if (ret == 0) { + dbgprintf("GSS-API Reverting to plain TCP\n"); + pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP; + return 0; + } + + do { + ret = recv(fdSess, buf, sizeof (buf), MSG_PEEK); + } while (ret < 0 && errno == EINTR); + if (ret <= 0) { + if (ret == 0) + dbgprintf("GSS-API Connection closed by peer\n"); + else + logerrorInt("TCP session %d will be closed, error ignored\n", iSess); + TCPSessClose(iSess); + return -1; + } + + if (ret < 4) { + dbgprintf("GSS-API Reverting to plain TCP\n"); + pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP; + return 0; + } else if (ret == 4) { + /* The client might has been interupted after sending + * the data length (4B), give him another chance. + */ + sleep(1); + do { + ret = recv(fdSess, buf, sizeof (buf), MSG_PEEK); + } while (ret < 0 && errno == EINTR); + if (ret <= 0) { + if (ret == 0) + dbgprintf("GSS-API Connection closed by peer\n"); + else + logerrorInt("TCP session %d will be closed, error ignored\n", iSess); + TCPSessClose(iSess); + return -1; + } + } + + len = ntohl((buf[0] << 24) + | (buf[1] << 16) + | (buf[2] << 8) + | buf[3]); + if ((ret - 4) < len || len == 0) { + dbgprintf("GSS-API Reverting to plain TCP\n"); + pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP; + return 0; + } + } + + context = &pTCPSessions[iSess].gss_context; + *context = GSS_C_NO_CONTEXT; + sess_flags = &pTCPSessions[iSess].gss_flags; + do { + if (recv_token(fdSess, &recv_tok) <= 0) { + logerrorInt("TCP session %d will be closed, error ignored\n", iSess); + TCPSessClose(iSess); + return -1; + } + maj_stat = gss_accept_sec_context(&acc_sec_min_stat, context, gss_server_creds, + &recv_tok, GSS_C_NO_CHANNEL_BINDINGS, &client, + NULL, &send_tok, sess_flags, NULL, NULL); + if (recv_tok.value) { + free(recv_tok.value); + recv_tok.value = NULL; + } + if (maj_stat != GSS_S_COMPLETE + && maj_stat != GSS_S_CONTINUE_NEEDED) { + gss_release_buffer(&min_stat, &send_tok); + if (*context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER); + if ((allowedMethods & ALLOWEDMETHOD_TCP) && + (GSS_ROUTINE_ERROR(maj_stat) == GSS_S_DEFECTIVE_TOKEN)) { + dbgprintf("GSS-API Reverting to plain TCP\n"); + dbgprintf("tcp session socket with new data: #%d\n", fdSess); + if(TCPSessDataRcvd(iSess, buf, ret) == 0) { + logerrorInt("Tearing down TCP Session %d - see " + "previous messages for reason(s)\n", + iSess); + TCPSessClose(iSess); + return -1; + } + pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP; + return 0; + } + display_status("accepting context", maj_stat, + acc_sec_min_stat); + TCPSessClose(iSess); + return -1; + } + if (send_tok.length != 0) { + if (send_token(fdSess, &send_tok) < 0) { + gss_release_buffer(&min_stat, &send_tok); + logerrorInt("TCP session %d will be closed, error ignored\n", iSess); + if (*context != GSS_C_NO_CONTEXT) + gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER); + TCPSessClose(iSess); + return -1; + } + gss_release_buffer(&min_stat, &send_tok); + } + } while (maj_stat == GSS_S_CONTINUE_NEEDED); + + maj_stat = gss_display_name(&min_stat, client, &recv_tok, NULL); + if (maj_stat != GSS_S_COMPLETE) + display_status("displaying name", maj_stat, min_stat); + else + dbgprintf("GSS-API Accepted connection from: %s\n", (char*) recv_tok.value); + gss_release_name(&min_stat, &client); + gss_release_buffer(&min_stat, &recv_tok); + + dbgprintf("GSS-API Provided context flags:\n"); + display_ctx_flags(*sess_flags); + pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_GSS; + } + + return 0; +} + + +/* returns: ? */ +int TCPSessGSSRecv(int iSess, void *buf, size_t buf_len) +{ + gss_buffer_desc xmit_buf, msg_buf; + gss_ctx_id_t *context; + OM_uint32 maj_stat, min_stat; + int fdSess; + int conf_state; + int state, len; + + fdSess = pTCPSessions[iSess].sock; + if ((state = recv_token(fdSess, &xmit_buf)) <= 0) + return state; + + context = &pTCPSessions[iSess].gss_context; + maj_stat = gss_unwrap(&min_stat, *context, &xmit_buf, &msg_buf, + &conf_state, (gss_qop_t *) NULL); + if (maj_stat != GSS_S_COMPLETE) { + display_status("unsealing message", maj_stat, min_stat); + if (xmit_buf.value) { + free(xmit_buf.value); + xmit_buf.value = 0; + } + return (-1); + } + if (xmit_buf.value) { + free(xmit_buf.value); + xmit_buf.value = 0; + } + + len = msg_buf.length < buf_len ? msg_buf.length : buf_len; + memcpy(buf, msg_buf.value, len); + gss_release_buffer(&min_stat, &msg_buf); + + return len; +} + + +void TCPSessGSSClose(int iSess) { + OM_uint32 maj_stat, min_stat; + gss_ctx_id_t *context; + + if(iSess < 0 || iSess > iTCPSessMax) { + errno = 0; + logerror("internal error, trying to close an invalid TCP session!"); + return; + } + + context = &pTCPSessions[iSess].gss_context; + maj_stat = gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER); + if (maj_stat != GSS_S_COMPLETE) + display_status("deleting context", maj_stat, min_stat); + *context = GSS_C_NO_CONTEXT; + pTCPSessions[iSess].gss_flags = 0; + pTCPSessions[iSess].allowedMethods = 0; + + TCPSessClose(iSess); +} + + +void TCPSessGSSDeinit(void) { + OM_uint32 maj_stat, min_stat; + + maj_stat = gss_release_cred(&min_stat, &gss_server_creds); + if (maj_stat != GSS_S_COMPLETE) + display_status("releasing credentials", maj_stat, min_stat); +} + diff --git a/plugins/imtcp/Makefile.am b/plugins/imtcp/Makefile.am index 36cff50a..6298135a 100644 --- a/plugins/imtcp/Makefile.am +++ b/plugins/imtcp/Makefile.am @@ -1,13 +1,5 @@ pkglib_LTLIBRARIES = imtcp.la -if ENABLE_GSSAPI -pkglib_LTLIBRARIES += imgssapi.la -endif imtcp_la_SOURCES = imtcp.c imtcp_la_CPPFLAGS = -DFORCE_NO_GSS=1 -I$(top_srcdir) $(pthreads_cflags) $(mudflap_cflags) imtcp_la_LDFLAGS = $(mudflap_libs) -module -avoid-version - -imgssapi_la_SOURCES = imtcp.c -imgssapi_la_CPPFLAGS = -I$(top_srcdir) $(pthreads_cflags) $(mudflap_cflags) -imgssapi_la_LDFLAGS = $(mudflap_libs) -module -avoid-version -imgssapi_la_LIBADD = $(gss_libs) $(top_builddir)/libgssapi-misc.la diff --git a/plugins/imtcp/imtcp.c b/plugins/imtcp/imtcp.c index 84bb61a2..a1fabea7 100644 --- a/plugins/imtcp/imtcp.c +++ b/plugins/imtcp/imtcp.c @@ -47,17 +47,11 @@ #if HAVE_FCNTL_H #include <fcntl.h> #endif -#ifdef USE_GSSAPI -#include <gssapi/gssapi.h> -#endif #include "rsyslog.h" #include "syslogd.h" #include "cfsysline.h" #include "module-template.h" #include "net.h" -#ifdef USE_GSSAPI -#include "gss-misc.h" -#endif #include "srUtils.h" MODULE_TYPE_INPUT @@ -102,10 +96,6 @@ static int bEnableTCP = 0; /* read-only after startup */ static int *sockTCPLstn = NULL; /* read-only after startup, modified by restart */ static struct TCPSession *pTCPSessions; /* The thread-safeness of the sesion table is doubtful */ -#ifdef USE_GSSAPI -static gss_cred_id_t gss_server_creds = GSS_C_NO_CREDENTIAL; -static char *gss_listen_service_name = NULL; -#endif /* config settings */ @@ -763,6 +753,7 @@ int TCPSessDataRcvd(int iTCPSess, char *pData, int iLen) } +#ifndef USE_GSSAPI static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVal) { if (!bEnableTCP) @@ -771,283 +762,7 @@ static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVa return RS_RET_OK; } - - -#ifdef USE_GSSAPI -static rsRetVal addGSSListener(void __attribute__((unused)) *pVal, uchar *pNewVal) -{ - if (!bEnableTCP) - configureTCPListen((char *) pNewVal); - bEnableTCP |= ALLOWEDMETHOD_GSS; - - return RS_RET_OK; -} - - -/* returns 0 if all went OK, -1 if it failed */ -int TCPSessGSSInit(void) -{ - gss_buffer_desc name_buf; - gss_name_t server_name; - OM_uint32 maj_stat, min_stat; - - if (gss_server_creds != GSS_C_NO_CREDENTIAL) - return 0; - - name_buf.value = (gss_listen_service_name == NULL) ? "host" : gss_listen_service_name; - name_buf.length = strlen(name_buf.value) + 1; - maj_stat = gss_import_name(&min_stat, &name_buf, GSS_C_NT_HOSTBASED_SERVICE, &server_name); - if (maj_stat != GSS_S_COMPLETE) { - display_status("importing name", maj_stat, min_stat); - return -1; - } - - maj_stat = gss_acquire_cred(&min_stat, server_name, 0, - GSS_C_NULL_OID_SET, GSS_C_ACCEPT, - &gss_server_creds, NULL, NULL); - if (maj_stat != GSS_S_COMPLETE) { - display_status("acquiring credentials", maj_stat, min_stat); - return -1; - } - - gss_release_name(&min_stat, &server_name); - dbgprintf("GSS-API initialized\n"); - return 0; -} - - -/* returns 0 if all went OK, -1 if it failed */ -int TCPSessGSSAccept(int fd) -{ - gss_buffer_desc send_tok, recv_tok; - gss_name_t client; - OM_uint32 maj_stat, min_stat, acc_sec_min_stat; - int iSess; - gss_ctx_id_t *context; - OM_uint32 *sess_flags; - int fdSess; - char allowedMethods; - - if ((iSess = TCPSessAccept(fd)) == -1) - return -1; - - allowedMethods = pTCPSessions[iSess].allowedMethods; - if (allowedMethods & ALLOWEDMETHOD_GSS) { - /* Buffer to store raw message in case that - * gss authentication fails halfway through. - */ - char buf[MAXLINE]; - int ret = 0; - - dbgprintf("GSS-API Trying to accept TCP session %d\n", iSess); - - fdSess = pTCPSessions[iSess].sock; - if (allowedMethods & ALLOWEDMETHOD_TCP) { - int len; - fd_set fds; - struct timeval tv; - - do { - FD_ZERO(&fds); - FD_SET(fdSess, &fds); - tv.tv_sec = 1; - tv.tv_usec = 0; - ret = select(fdSess + 1, &fds, NULL, NULL, &tv); - } while (ret < 0 && errno == EINTR); - if (ret < 0) { - logerrorInt("TCP session %d will be closed, error ignored\n", iSess); - TCPSessClose(iSess); - return -1; - } else if (ret == 0) { - dbgprintf("GSS-API Reverting to plain TCP\n"); - pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP; - return 0; - } - - do { - ret = recv(fdSess, buf, sizeof (buf), MSG_PEEK); - } while (ret < 0 && errno == EINTR); - if (ret <= 0) { - if (ret == 0) - dbgprintf("GSS-API Connection closed by peer\n"); - else - logerrorInt("TCP session %d will be closed, error ignored\n", iSess); - TCPSessClose(iSess); - return -1; - } - - if (ret < 4) { - dbgprintf("GSS-API Reverting to plain TCP\n"); - pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP; - return 0; - } else if (ret == 4) { - /* The client might has been interupted after sending - * the data length (4B), give him another chance. - */ - sleep(1); - do { - ret = recv(fdSess, buf, sizeof (buf), MSG_PEEK); - } while (ret < 0 && errno == EINTR); - if (ret <= 0) { - if (ret == 0) - dbgprintf("GSS-API Connection closed by peer\n"); - else - logerrorInt("TCP session %d will be closed, error ignored\n", iSess); - TCPSessClose(iSess); - return -1; - } - } - - len = ntohl((buf[0] << 24) - | (buf[1] << 16) - | (buf[2] << 8) - | buf[3]); - if ((ret - 4) < len || len == 0) { - dbgprintf("GSS-API Reverting to plain TCP\n"); - pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP; - return 0; - } - } - - context = &pTCPSessions[iSess].gss_context; - *context = GSS_C_NO_CONTEXT; - sess_flags = &pTCPSessions[iSess].gss_flags; - do { - if (recv_token(fdSess, &recv_tok) <= 0) { - logerrorInt("TCP session %d will be closed, error ignored\n", iSess); - TCPSessClose(iSess); - return -1; - } - maj_stat = gss_accept_sec_context(&acc_sec_min_stat, context, gss_server_creds, - &recv_tok, GSS_C_NO_CHANNEL_BINDINGS, &client, - NULL, &send_tok, sess_flags, NULL, NULL); - if (recv_tok.value) { - free(recv_tok.value); - recv_tok.value = NULL; - } - if (maj_stat != GSS_S_COMPLETE - && maj_stat != GSS_S_CONTINUE_NEEDED) { - gss_release_buffer(&min_stat, &send_tok); - if (*context != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER); - if ((allowedMethods & ALLOWEDMETHOD_TCP) && - (GSS_ROUTINE_ERROR(maj_stat) == GSS_S_DEFECTIVE_TOKEN)) { - dbgprintf("GSS-API Reverting to plain TCP\n"); - dbgprintf("tcp session socket with new data: #%d\n", fdSess); - if(TCPSessDataRcvd(iSess, buf, ret) == 0) { - logerrorInt("Tearing down TCP Session %d - see " - "previous messages for reason(s)\n", - iSess); - TCPSessClose(iSess); - return -1; - } - pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP; - return 0; - } - display_status("accepting context", maj_stat, - acc_sec_min_stat); - TCPSessClose(iSess); - return -1; - } - if (send_tok.length != 0) { - if (send_token(fdSess, &send_tok) < 0) { - gss_release_buffer(&min_stat, &send_tok); - logerrorInt("TCP session %d will be closed, error ignored\n", iSess); - if (*context != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER); - TCPSessClose(iSess); - return -1; - } - gss_release_buffer(&min_stat, &send_tok); - } - } while (maj_stat == GSS_S_CONTINUE_NEEDED); - - maj_stat = gss_display_name(&min_stat, client, &recv_tok, NULL); - if (maj_stat != GSS_S_COMPLETE) - display_status("displaying name", maj_stat, min_stat); - else - dbgprintf("GSS-API Accepted connection from: %s\n", (char*) recv_tok.value); - gss_release_name(&min_stat, &client); - gss_release_buffer(&min_stat, &recv_tok); - - dbgprintf("GSS-API Provided context flags:\n"); - display_ctx_flags(*sess_flags); - pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_GSS; - } - - return 0; -} - - -/* returns: ? */ -int TCPSessGSSRecv(int iSess, void *buf, size_t buf_len) -{ - gss_buffer_desc xmit_buf, msg_buf; - gss_ctx_id_t *context; - OM_uint32 maj_stat, min_stat; - int fdSess; - int conf_state; - int state, len; - - fdSess = pTCPSessions[iSess].sock; - if ((state = recv_token(fdSess, &xmit_buf)) <= 0) - return state; - - context = &pTCPSessions[iSess].gss_context; - maj_stat = gss_unwrap(&min_stat, *context, &xmit_buf, &msg_buf, - &conf_state, (gss_qop_t *) NULL); - if (maj_stat != GSS_S_COMPLETE) { - display_status("unsealing message", maj_stat, min_stat); - if (xmit_buf.value) { - free(xmit_buf.value); - xmit_buf.value = 0; - } - return (-1); - } - if (xmit_buf.value) { - free(xmit_buf.value); - xmit_buf.value = 0; - } - - len = msg_buf.length < buf_len ? msg_buf.length : buf_len; - memcpy(buf, msg_buf.value, len); - gss_release_buffer(&min_stat, &msg_buf); - - return len; -} - - -void TCPSessGSSClose(int iSess) { - OM_uint32 maj_stat, min_stat; - gss_ctx_id_t *context; - - if(iSess < 0 || iSess > iTCPSessMax) { - errno = 0; - logerror("internal error, trying to close an invalid TCP session!"); - return; - } - - context = &pTCPSessions[iSess].gss_context; - maj_stat = gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER); - if (maj_stat != GSS_S_COMPLETE) - display_status("deleting context", maj_stat, min_stat); - *context = GSS_C_NO_CONTEXT; - pTCPSessions[iSess].gss_flags = 0; - pTCPSessions[iSess].allowedMethods = 0; - - TCPSessClose(iSess); -} - - -void TCPSessGSSDeinit(void) { - OM_uint32 maj_stat, min_stat; - - maj_stat = gss_release_cred(&min_stat, &gss_server_creds); - if (maj_stat != GSS_S_COMPLETE) - display_status("releasing credentials", maj_stat, min_stat); -} -#endif /* #ifdef USE_GSSAPI */ - +#endif /* This function is called to gather input. */ @@ -1194,7 +909,15 @@ ENDrunInput /* initialize and return if will run or not */ BEGINwillRun CODESTARTwillRun +#ifdef USE_GSSAPI + /* first check if we must support plain TCP, too. If so, set mode + * accordingly. -- rgerhards, 2008-02-26 + */ + if(bPermitPlainTcp) + bEnableTCP |= ALLOWEDMETHOD_TCP; + /* first apply some config settings */ +#endif dbgprintf("imtcp: bEnableTCP %d\n", bEnableTCP); PrintAllowedSenders(2); /* TCP */ #ifdef USE_GSSAPI @@ -1270,6 +993,7 @@ static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __a free(gss_listen_service_name); gss_listen_service_name = NULL; } + bPermitPlainTcp = 0; #endif return RS_RET_OK; } @@ -1280,15 +1004,18 @@ CODESTARTmodInit *ipIFVersProvided = 1; /* so far, we only support the initial definition */ CODEmodInit_QueryRegCFSLineHdlr /* register config file handlers */ - CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpserverrun", 0, eCmdHdlrGetWord, - addTCPListener, NULL, STD_LOADABLE_MODULE_ID)); - CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpmaxsessions", 0, eCmdHdlrInt, - NULL, &iTCPSessMax, STD_LOADABLE_MODULE_ID)); #if defined(USE_GSSAPI) + CHKiRet(omsdRegCFSLineHdlr((uchar *)"permitplaintcp", 0, eCmdHdlrBinary, + NULL, bPermitPlainTcp, STD_LOADABLE_MODULE_ID)); CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputgssserverrun", 0, eCmdHdlrGetWord, addGSSListener, NULL, STD_LOADABLE_MODULE_ID)); CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputgssserverservicename", 0, eCmdHdlrGetWord, NULL, &gss_listen_service_name, STD_LOADABLE_MODULE_ID)); +#else + CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpserverrun", 0, eCmdHdlrGetWord, + addTCPListener, NULL, STD_LOADABLE_MODULE_ID)); + CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpmaxsessions", 0, eCmdHdlrInt, + NULL, &iTCPSessMax, STD_LOADABLE_MODULE_ID)); #endif CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler, resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID)); |