diff options
-rw-r--r-- | runtime/nsd_gtls.c | 234 | ||||
-rw-r--r-- | runtime/nsdsel_gtls.c | 4 | ||||
-rw-r--r-- | runtime/rsyslog.h | 1 |
3 files changed, 50 insertions, 189 deletions
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c index 799992fe..03ceba7b 100644 --- a/runtime/nsd_gtls.c +++ b/runtime/nsd_gtls.c @@ -37,6 +37,7 @@ #include "module-template.h" #include "cfsysline.h" #include "obj.h" +#include "stringbuf.h" #include "errmsg.h" #include "nsd_ptcp.h" #include "nsdsel_gtls.h" @@ -69,192 +70,41 @@ static int bGlblSrvrInitDone = 0; /**< 0 - server global init not yet done, 1 - /* ------------------------------ GnuTLS specifics ------------------------------ */ -////////////////// experimental /////////////////// -uchar *gtlsStrerror(int error); -static const char* bin2hex(void* bin, size_t bin_size) -{ - static char printable[170]; - uchar *_bin = bin; - char* print; - size_t i; - - if (bin_size > 50) bin_size = 50; - - print = printable; - for(i = 0; i < bin_size; i++) { - sprintf(print, "%2.2X:", _bin[i]); - print += 3; - } - - return printable; -} +static gnutls_certificate_credentials xcred; +static gnutls_dh_params dh_params; -#if 0 -/* This function will print information about this session's peer - * certificate. +/* Convert a fingerprint to printable data. The conversion is carried out + * according IETF I-D syslog-transport-tls-12. The fingerprint string is + * returned in a new cstr object. It is the caller's responsibility to + * destruct that object. + * rgerhards, 2008-05-08 */ static rsRetVal -print_x509_certificate_info(gnutls_session session) +GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr) { - char fingerprint[20]; - char serial[40]; - char dn[128]; - size_t size; - unsigned int algo, bits; - time_t expiration_time, activation_time; - const gnutls_datum *cert_list; - int cert_list_size = 0; - gnutls_x509_crt cert; - int gnuRet; + cstr_t *pStr = NULL; + uchar buf[4]; + size_t i; DEFiRet; - /* This function only works for X.509 certificates. - */ - if(gnutls_certificate_type_get(session) != GNUTLS_CRT_X509) - return RS_RET_TLS_CERT_ERR; - - cert_list = gnutls_certificate_get_peers(session, &cert_list_size); - - dbgprintf("Peer provided %d certificates.\n", cert_list_size); - - if(cert_list_size > 0) { - /* we only print information about the first certificate */ - gnutls_x509_crt_init( &cert); - - CHKgnutls(gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER)); - - dbgprintf("Certificate info:\n"); - - expiration_time = gnutls_x509_crt_get_expiration_time(cert); - activation_time = gnutls_x509_crt_get_activation_time(cert); - - dbgprintf("\tCertificate is valid since: %s", ctime(&activation_time)); - dbgprintf("\tCertificate expires: %s", ctime(&expiration_time)); - - /* Print the serial number of the certificate */ - size = sizeof(serial); - CHKgnutls(gnutls_x509_crt_get_serial(cert, serial, &size)); - dbgprintf("\tCertificate serial number: %s\n", bin2hex( serial, size)); - - /* print the SHA1 fingerprint */ - size = sizeof(fingerprint); - CHKgnutls(gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, fingerprint, &size)); - dbgprintf("\tCertificate SHA1 fingerprint: %s\n", bin2hex(fingerprint, size)); - - /* Extract some of the public key algorithm's parameters - */ - algo = gnutls_x509_crt_get_pk_algorithm(cert, &bits); - - dbgprintf("Certificate public key: %s", gnutls_pk_algorithm_get_name(algo)); - - /* Print the version of the X.509 - * certificate. - */ - dbgprintf("\tCertificate version: #%d\n", gnutls_x509_crt_get_version(cert)); - - size = sizeof(dn); - gnutls_x509_crt_get_dn( cert, dn, &size); - dbgprintf("\tDN: %s\n", dn); - - size = sizeof(dn); - gnutls_x509_crt_get_issuer_dn( cert, dn, &size); - dbgprintf("\tIssuer's DN: %s\n", dn); - - gnutls_x509_crt_deinit( cert); + CHKiRet(rsCStrConstruct(&pStr)); + for(i = 0 ; i < sizeFingerprint ; ++i) { + snprintf((char*)buf, sizeof(buf), "%2.2X:", pFingerprint[i]); + CHKiRet(rsCStrAppendStrWithLen(pStr, buf, 3)); } + CHKiRet(rsCStrFinish(pStr)); + + *ppStr = pStr; finalize_it: + if(iRet != RS_RET_OK) { + if(pStr != NULL) + rsCStrDestruct(&pStr); + } RETiRet; } - -/* This function will print some details of the - * given session. - */ -int print_info(gnutls_session session) -{ - const char *tmp; - gnutls_credentials_type cred; - gnutls_kx_algorithm kx; - - /* print the key exchange's algorithm name - */ - kx = gnutls_kx_get(session); - tmp = gnutls_kx_get_name(kx); - dbgprintf("- Key Exchange: %s\n", tmp); - - /* Check the authentication type used and switch - * to the appropriate. - */ - cred = gnutls_auth_get_type(session); - switch (cred) { - case GNUTLS_CRD_ANON: /* anonymous authentication */ - dbgprintf("- Anonymous DH using prime of %d bits\n", - gnutls_dh_get_prime_bits(session)); - break; - case GNUTLS_CRD_CERTIFICATE: /* certificate authentication */ - /* Check if we have been using ephemeral Diffie Hellman. - */ - if (kx == GNUTLS_KX_DHE_RSA || kx == GNUTLS_KX_DHE_DSS) { - dbgprintf("\n- Ephemeral DH using prime of %d bits\n", - gnutls_dh_get_prime_bits(session)); - } - - /* if the certificate list is available, then - * print some information about it. - */ - print_x509_certificate_info(session); - break; - case GNUTLS_CRD_SRP: /* certificate authentication */ - dbgprintf("GNUTLS_CRD_SRP/IA"); - break; - case GNUTLS_CRD_PSK: /* certificate authentication */ - dbgprintf("GNUTLS_CRD_PSK"); - break; - case GNUTLS_CRD_IA: /* certificate authentication */ - dbgprintf("GNUTLS_CRD_IA"); - break; - } /* switch */ - - /* print the protocol's name (ie TLS 1.0) */ - tmp = gnutls_protocol_get_name(gnutls_protocol_get_version(session)); - dbgprintf("- Protocol: %s\n", tmp); - - /* print the certificate type of the peer. - * ie X.509 - */ - tmp = gnutls_certificate_type_get_name( - gnutls_certificate_type_get(session)); - - dbgprintf("- Certificate Type: %s\n", tmp); - - /* print the compression algorithm (if any) - */ - tmp = gnutls_compression_get_name( gnutls_compression_get(session)); - dbgprintf("- Compression: %s\n", tmp); - - /* print the name of the cipher used. - * ie 3DES. - */ - tmp = gnutls_cipher_get_name(gnutls_cipher_get(session)); - dbgprintf("- Cipher: %s\n", tmp); - - /* Print the MAC algorithms name. - * ie SHA1 - */ - tmp = gnutls_mac_get_name(gnutls_mac_get(session)); - dbgprintf("- MAC: %s\n", tmp); - - return 0; -} -#endif - -////////////////////////////////////////////////////////////////////// -static gnutls_certificate_credentials xcred; -static gnutls_dh_params dh_params; - - /* a thread-safe variant of gnutls_strerror - TODO: implement it! * The caller must free the returned string. * rgerhards, 2008-04-30 @@ -381,11 +231,13 @@ finalize_it: static rsRetVal gtlsChkFingerprint(nsd_gtls_t *pThis) { - char fingerprint[20]; + cstr_t *pstrFingerprint = NULL; + uchar fingerprint[20]; size_t size; const gnutls_datum *cert_list; - int cert_list_size = 0; + unsigned int list_size = 0; gnutls_x509_crt cert; + int bMustDeinitCert = 0; int gnuRet; DEFiRet; @@ -395,26 +247,34 @@ gtlsChkFingerprint(nsd_gtls_t *pThis) if(gnutls_certificate_type_get(pThis->sess) != GNUTLS_CRT_X509) return RS_RET_TLS_CERT_ERR; - cert_list = gnutls_certificate_get_peers(pThis->sess, &cert_list_size); + cert_list = gnutls_certificate_get_peers(pThis->sess, &list_size); + + if(list_size < 1) + ABORT_FINALIZE(RS_RET_TLS_NO_CERT); - /* we always use only the first certificate. As of GnuTLS documentation, the - * first certificate always contains the remote peers own certificate. All other + /* If we reach this point, we have at least one valid certificate. + * We always use only the first certificate. As of GnuTLS documentation, the + * first certificate always contains the remote peer's own certificate. All other * certificates are issuer's certificates (up the chain). However, we do not match * against some issuer fingerprint but only ourselfs. -- rgerhards, 2008-05-08 */ - if(cert_list_size > 0) { - CHKgnutls(gnutls_x509_crt_init(&cert)); - CHKgnutls(gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER)); + CHKgnutls(gnutls_x509_crt_init(&cert)); + bMustDeinitCert = 1; /* indicate cert is initialized and must be freed on exit */ + CHKgnutls(gnutls_x509_crt_import(cert, &cert_list[0], GNUTLS_X509_FMT_DER)); - /* obtain the SHA1 fingerprint */ - size = sizeof(fingerprint); - CHKgnutls(gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, fingerprint, &size)); - dbgprintf("\tCertificate SHA1 fingerprint: %s\n", bin2hex(fingerprint, size)); + /* obtain the SHA1 fingerprint */ + size = sizeof(fingerprint); + CHKgnutls(gnutls_x509_crt_get_fingerprint(cert, GNUTLS_DIG_SHA1, fingerprint, &size)); + CHKiRet(GenFingerprintStr(fingerprint, size, &pstrFingerprint)); + dbgprintf("peer's certificate SHA1 fingerprint: %s\n", rsCStrGetSzStr(pstrFingerprint)); - gnutls_x509_crt_deinit(cert); - } finalize_it: + if(pstrFingerprint != NULL) + rsCStrDestruct(&pstrFingerprint); + if(bMustDeinitCert) + gnutls_x509_crt_deinit(cert); + RETiRet; } diff --git a/runtime/nsdsel_gtls.c b/runtime/nsdsel_gtls.c index bdd73419..1ee4b46c 100644 --- a/runtime/nsdsel_gtls.c +++ b/runtime/nsdsel_gtls.c @@ -129,8 +129,8 @@ doRetry(nsd_gtls_t *pNsd) case gtlsRtry_handshake: gnuRet = gnutls_handshake(pNsd->sess); if(gnuRet == 0) { - /* we got a handshake, now print session info */ - print_info(pNsd->sess); + /* we got a handshake, now check authorization */ + // TODO: do it! } break; default: diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h index 0be5d49a..367a239f 100644 --- a/runtime/rsyslog.h +++ b/runtime/rsyslog.h @@ -223,6 +223,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth RS_RET_DRVRNAME_TOO_LONG = -2082, /**< driver name too long - should never happen */ RS_RET_TLS_HANDSHAKE_ERR = -2083, /**< TLS handshake failed */ RS_RET_TLS_CERT_ERR = -2084, /**< generic TLS certificate error */ + RS_RET_TLS_NO_CERT = -2085, /**< no TLS certificate available where one was expected */ /* RainerScript error messages (range 1000.. 1999) */ RS_RET_SYSVAR_NOT_FOUND = 1001, /**< system variable could not be found (maybe misspelled) */ |