From 48684ceac5d57f2c3bc9e8afce98d2026ab51958 Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Mon, 19 May 2008 09:43:37 +0200
Subject: improved error messages and corrected fingerprint format

---
 runtime/nsd_gtls.c | 29 +++++++++++++++++++++--------
 runtime/nsd_gtls.h | 3 +++
 runtime/nsd_ptcp.c | 11 +++++++----
 runtime/rsyslog.h | 2 +-
 4 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index df458ea3..4e7fa3b6 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -85,12 +85,18 @@ GenFingerprintStr(uchar *pFingerprint, size_t sizeFingerprint, cstr_t **ppStr)
 cstr_t *pStr = NULL;
 uchar buf[4];
 size_t i;
+ int bAddColon = 0; /* do we need to add a colon to the fingerprint string? */
 DEFiRet;
 CHKiRet(rsCStrConstruct(&pStr));
 for(i = 0 ; i < sizeFingerprint ; ++i) {
- snprintf((char*)buf, sizeof(buf), "%2.2X:", pFingerprint[i]);
- CHKiRet(rsCStrAppendStrWithLen(pStr, buf, 3));
+ if(bAddColon) {
+ CHKiRet(rsCStrAppendChar(pStr, ':'));
+ } else {
+ bAddColon = 1; /* all but the first need a colon added */
+ }
+ snprintf((char*)buf, sizeof(buf), "%2.2X", pFingerprint[i]);
+ CHKiRet(rsCStrAppendStrWithLen(pStr, buf, 2));
 }
 CHKiRet(rsCStrFinish(pStr));
@@ -291,8 +297,12 @@ gtlsChkFingerprint(nsd_gtls_t *pThis)
 FINALIZE;
 if(pThis->authIDs == NULL || rsCStrSzStrCmp(pstrFingerprint, pThis->authIDs, strlen((char*) pThis->authIDs))) {
- // TODO: logerror
- dbgprintf("invalid server fingerprint, not authorized\n");
+ dbgprintf("invalid server fingerprint, not permitted to talk to us\n");
+ if(pThis->bReportAuthErr == 1) {
+ errmsg.LogError(NO_ERRCODE, "error: server fingerprint '%s' unknown - we are " "not permitted to talk to this server", rsCStrGetSzStr(pstrFingerprint));
+ pThis->bReportAuthErr = 0;
+ }
 ABORT_FINALIZE(RS_RET_INVALID_FINGERPRINT);
 }
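Review bot: The bAddColon flag added to GenFingerprintStr duplicates information the loop index already carries; `if(i > 0) CHKiRet(rsCStrAppendChar(pStr, ':'));` expresses "a colon before every byte but the first" without the extra state and the else branch. The output format also deserves a line in the function's header comment, because operators must type exactly this form into their configuration for the comparison in gtlsChkFingerprint to succeed: `/* produces upper-case hex octets separated by ':' (e.g. "AB:CD:...", constructed example), no trailing colon */`. GenFingerprintStr continues past the end of the hunk.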
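Review bot: Nothing in this patch ever sets bReportAuthErr back to 1, although the comment added in runtime/nsd_gtls.h says it is reset after one successful authentication; unless that reset exists outside the diff, every rejected peer after the first is visible only through dbgprintf for the lifetime of the object, which hides repeated connection attempts with unknown certificates from the operator. The connection is still refused (ABORT_FINALIZE runs unconditionally), so this is a logging and detection gap rather than an authorization bypass. Consider resetting the flag on the path where the fingerprint matches, or emitting the message on every failure and leaving suppression of repeats to the logging layer. Minor style point: `if(pThis->bReportAuthErr)` reads better than the comparison with 1. gtlsChkFingerprint starts and ends outside the hunk.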
@@ -361,6 +371,7 @@ gtlsSetTransportPtr(nsd_gtls_t *pThis, int sock)
 /* Standard-Constructor */
 BEGINobjConstruct(nsd_gtls) /* be sure to specify the object type also in END macro! */
 iRet = nsd_ptcp.Construct(&pThis->pTcp);
+ pThis->bReportAuthErr = 1;
 CHKiRet(gtlsAddOurCert());
 finalize_it:
 ENDobjConstruct(nsd_gtls)
@@ -392,8 +403,11 @@ SetMode(nsd_t *pNsd, int mode)
 dbgprintf("SetMode tries to set mode %d\n", mode);
 ISOBJ_TYPE_assert((pThis), nsd_gtls);
- if(mode != 0 && mode != 1)
- ABORT_FINALIZE(RS_RET_INVAID_DRVR_MODE);
+ if(mode != 0 && mode != 1) {
+ errmsg.LogError(NO_ERRCODE, "error: driver mode %d not supported by " "gtls netstream driver", mode);
+ ABORT_FINALIZE(RS_RET_INVALID_DRVR_MODE);
+ }
 pThis->iMode = mode;
@@ -423,7 +437,7 @@ SetAuthMode(nsd_t *pNsd, uchar *mode)
 } else if(!strcasecmp((char*) mode, "anon")) {
 pThis->authMode = GTLS_AUTH_CERTANON;
 } else {
- errmsg.LogError(NO_ERRCODE, "authentication mode '%s' not supported by "
+ errmsg.LogError(NO_ERRCODE, "error: authentication mode '%s' not supported by "
 "gtls netstream driver", mode);
 ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
 }
@@ -455,7 +469,6 @@ AddPermFingerprint(nsd_t *pNsd, uchar *pszFingerprint)
 // TODO: proper handling - but we need to redo this when we do the
 // linked list. So for now, this is good enough (but MUST BE CHANGED!).
- // pThis->authIDs = pszFingerprint;
 dbgprintf("gtls fingerprint '%s' set\n", pThis->authIDs);
diff --git a/runtime/nsd_gtls.h b/runtime/nsd_gtls.h
index 885a8b30..0576a993 100644
--- a/runtime/nsd_gtls.h
+++ b/runtime/nsd_gtls.h
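Review bot: The new `pThis->bReportAuthErr = 1;` is placed directly after `iRet = nsd_ptcp.Construct(&pThis->pTcp);`, whose result is stored but never tested, so when the following CHKiRet(gtlsAddOurCert()) succeeds it overwrites iRet and a failed ptcp construction goes unnoticed (assuming CHKiRet assigns iRet, as its use elsewhere in this patch suggests). Changing that line to `CHKiRet(nsd_ptcp.Construct(&pThis->pTcp));` makes the constructor stop at the first error like the rest of its body. The constructor is contained entirely within the hunk.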
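Review bot: The accepted values in `if(mode != 0 && mode != 1) {` are bare magic numbers, and the new error message tells the operator only that the value was rejected, not which values exist. A comment above the check naming what 0 and 1 select for the gtls driver (not stated anywhere in the hunk) would help, and the message could list the accepted values. The same applies to the SetMode hunk in runtime/nsd_ptcp.c, which accepts only 0. SetMode starts and ends outside the hunk.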
@@ -48,6 +48,9 @@ struct nsd_gtls_s {
 gnutls_session sess;
 int bHaveSess; /* as we don't know exactly which gnutls_session values are invalid, we use this one to flag whether or not we are in a session (same as -1 for a socket meaning no sess) */
+ int bReportAuthErr; /* only the first auth error is to be reported, this var triggers it. Initially, it is
+ * set to 1 and changed to 0 after the first report. It is changed back to 1 after
+ * one successful authentication. */
 uchar *authIDs; /* TODO: make linked list, currently just a single fingerprint, must also support names */
 };
diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c
index ae835aed..6702e118 100644
--- a/runtime/nsd_ptcp.c
+++ b/runtime/nsd_ptcp.c
@@ -119,8 +119,11 @@ static rsRetVal
 SetMode(nsd_t __attribute__((unused)) *pNsd, int mode)
 {
 DEFiRet;
- if(mode != 0)
- ABORT_FINALIZE(RS_RET_INVAID_DRVR_MODE);
+ if(mode != 0) {
+ errmsg.LogError(NO_ERRCODE, "error: driver mode %d not supported by " "ptcp netstream driver", mode);
+ ABORT_FINALIZE(RS_RET_INVALID_DRVR_MODE);
+ }
 finalize_it:
 RETiRet;
 }
@@ -140,7 +143,7 @@ SetAuthMode(nsd_t __attribute__((unused)) *pNsd, uchar *mode)
 {
 DEFiRet;
 if(mode != NULL && strcasecmp((char*)mode, "anon")) {
- errmsg.LogError(NO_ERRCODE, "authentication mode '%s' not supported by "
+ errmsg.LogError(NO_ERRCODE, "error: authentication mode '%s' not supported by "
 "ptcp netstream driver", mode);
 ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
 }
@@ -158,7 +161,7 @@ static rsRetVal
 AddPermFingerprint(nsd_t __attribute__((unused)) *pNsd, uchar __attribute__((unused)) *pszFingerprint)
 {
 errmsg.LogError(NO_ERRCODE, "fingerprint authentication not supported by "
- "ptcp netstream driver - ignored");
+ "ptcp netstream driver");
 return RS_RET_VALUE_NOT_IN_THIS_MODE;
 }
diff --git a/runtime/rsyslog.h b/runtime/rsyslog.h
index 088a14db..fe26bb44 100644
--- a/runtime/rsyslog.h
+++ b/runtime/rsyslog.h
@@ -219,7 +219,7 @@ enum rsRetVal_ /** return value. All methods return this if not specified oth
 RS_RET_GNUTLS_ERR = -2078, /**< (unexpected) error in GnuTLS call */
 RS_RET_MAX_SESS_REACHED = -2079, /**< max nbr of sessions reached, can not create more */
 RS_RET_MAX_LSTN_REACHED = -2080, /**< max nbr of listeners reached, can not create more */
- RS_RET_INVAID_DRVR_MODE = -2081, /**< tried to set mode not supported by driver */
+ RS_RET_INVALID_DRVR_MODE = -2081, /**< tried to set mode not supported by driver */
 RS_RET_DRVRNAME_TOO_LONG = -2082, /**< driver name too long - should never happen */
 RS_RET_TLS_HANDSHAKE_ERR = -2083, /**< TLS handshake failed */
 RS_RET_TLS_CERT_ERR = -2084, /**< generic TLS certificate error */
-- cgit