From b98ca5114ed1d1975e06614472d4019d8c1767ab Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Tue, 26 Feb 2008 11:02:27 +0000 Subject: split off imgssapi from imtcp, but still with a lot of dependency --- plugins/imtcp/Makefile.am | 8 -- plugins/imtcp/imtcp.c | 309 +++------------------------------------------- 2 files changed, 18 insertions(+), 299 deletions(-) (limited to 'plugins/imtcp') diff --git a/plugins/imtcp/Makefile.am b/plugins/imtcp/Makefile.am index 36cff50a..6298135a 100644 --- a/plugins/imtcp/Makefile.am +++ b/plugins/imtcp/Makefile.am @@ -1,13 +1,5 @@ pkglib_LTLIBRARIES = imtcp.la -if ENABLE_GSSAPI -pkglib_LTLIBRARIES += imgssapi.la -endif imtcp_la_SOURCES = imtcp.c imtcp_la_CPPFLAGS = -DFORCE_NO_GSS=1 -I$(top_srcdir) $(pthreads_cflags) $(mudflap_cflags) imtcp_la_LDFLAGS = $(mudflap_libs) -module -avoid-version - -imgssapi_la_SOURCES = imtcp.c -imgssapi_la_CPPFLAGS = -I$(top_srcdir) $(pthreads_cflags) $(mudflap_cflags) -imgssapi_la_LDFLAGS = $(mudflap_libs) -module -avoid-version -imgssapi_la_LIBADD = $(gss_libs) $(top_builddir)/libgssapi-misc.la diff --git a/plugins/imtcp/imtcp.c b/plugins/imtcp/imtcp.c index 84bb61a2..a1fabea7 100644 --- a/plugins/imtcp/imtcp.c +++ b/plugins/imtcp/imtcp.c @@ -47,17 +47,11 @@ #if HAVE_FCNTL_H #include #endif -#ifdef USE_GSSAPI -#include -#endif #include "rsyslog.h" #include "syslogd.h" #include "cfsysline.h" #include "module-template.h" #include "net.h" -#ifdef USE_GSSAPI -#include "gss-misc.h" -#endif #include "srUtils.h" MODULE_TYPE_INPUT @@ -102,10 +96,6 @@ static int bEnableTCP = 0; /* read-only after startup */ static int *sockTCPLstn = NULL; /* read-only after startup, modified by restart */ static struct TCPSession *pTCPSessions; /* The thread-safeness of the sesion table is doubtful */ -#ifdef USE_GSSAPI -static gss_cred_id_t gss_server_creds = GSS_C_NO_CREDENTIAL; -static char *gss_listen_service_name = NULL; -#endif /* config settings */ @@ -763,6 +753,7 @@ int TCPSessDataRcvd(int iTCPSess, char *pData, int iLen) } +#ifndef USE_GSSAPI static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVal) { if (!bEnableTCP) @@ -771,283 +762,7 @@ static rsRetVal addTCPListener(void __attribute__((unused)) *pVal, uchar *pNewVa return RS_RET_OK; } - - -#ifdef USE_GSSAPI -static rsRetVal addGSSListener(void __attribute__((unused)) *pVal, uchar *pNewVal) -{ - if (!bEnableTCP) - configureTCPListen((char *) pNewVal); - bEnableTCP |= ALLOWEDMETHOD_GSS; - - return RS_RET_OK; -} - - -/* returns 0 if all went OK, -1 if it failed */ -int TCPSessGSSInit(void) -{ - gss_buffer_desc name_buf; - gss_name_t server_name; - OM_uint32 maj_stat, min_stat; - - if (gss_server_creds != GSS_C_NO_CREDENTIAL) - return 0; - - name_buf.value = (gss_listen_service_name == NULL) ? "host" : gss_listen_service_name; - name_buf.length = strlen(name_buf.value) + 1; - maj_stat = gss_import_name(&min_stat, &name_buf, GSS_C_NT_HOSTBASED_SERVICE, &server_name); - if (maj_stat != GSS_S_COMPLETE) { - display_status("importing name", maj_stat, min_stat); - return -1; - } - - maj_stat = gss_acquire_cred(&min_stat, server_name, 0, - GSS_C_NULL_OID_SET, GSS_C_ACCEPT, - &gss_server_creds, NULL, NULL); - if (maj_stat != GSS_S_COMPLETE) { - display_status("acquiring credentials", maj_stat, min_stat); - return -1; - } - - gss_release_name(&min_stat, &server_name); - dbgprintf("GSS-API initialized\n"); - return 0; -} - - -/* returns 0 if all went OK, -1 if it failed */ -int TCPSessGSSAccept(int fd) -{ - gss_buffer_desc send_tok, recv_tok; - gss_name_t client; - OM_uint32 maj_stat, min_stat, acc_sec_min_stat; - int iSess; - gss_ctx_id_t *context; - OM_uint32 *sess_flags; - int fdSess; - char allowedMethods; - - if ((iSess = TCPSessAccept(fd)) == -1) - return -1; - - allowedMethods = pTCPSessions[iSess].allowedMethods; - if (allowedMethods & ALLOWEDMETHOD_GSS) { - /* Buffer to store raw message in case that - * gss authentication fails halfway through. - */ - char buf[MAXLINE]; - int ret = 0; - - dbgprintf("GSS-API Trying to accept TCP session %d\n", iSess); - - fdSess = pTCPSessions[iSess].sock; - if (allowedMethods & ALLOWEDMETHOD_TCP) { - int len; - fd_set fds; - struct timeval tv; - - do { - FD_ZERO(&fds); - FD_SET(fdSess, &fds); - tv.tv_sec = 1; - tv.tv_usec = 0; - ret = select(fdSess + 1, &fds, NULL, NULL, &tv); - } while (ret < 0 && errno == EINTR); - if (ret < 0) { - logerrorInt("TCP session %d will be closed, error ignored\n", iSess); - TCPSessClose(iSess); - return -1; - } else if (ret == 0) { - dbgprintf("GSS-API Reverting to plain TCP\n"); - pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP; - return 0; - } - - do { - ret = recv(fdSess, buf, sizeof (buf), MSG_PEEK); - } while (ret < 0 && errno == EINTR); - if (ret <= 0) { - if (ret == 0) - dbgprintf("GSS-API Connection closed by peer\n"); - else - logerrorInt("TCP session %d will be closed, error ignored\n", iSess); - TCPSessClose(iSess); - return -1; - } - - if (ret < 4) { - dbgprintf("GSS-API Reverting to plain TCP\n"); - pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP; - return 0; - } else if (ret == 4) { - /* The client might has been interupted after sending - * the data length (4B), give him another chance. - */ - sleep(1); - do { - ret = recv(fdSess, buf, sizeof (buf), MSG_PEEK); - } while (ret < 0 && errno == EINTR); - if (ret <= 0) { - if (ret == 0) - dbgprintf("GSS-API Connection closed by peer\n"); - else - logerrorInt("TCP session %d will be closed, error ignored\n", iSess); - TCPSessClose(iSess); - return -1; - } - } - - len = ntohl((buf[0] << 24) - | (buf[1] << 16) - | (buf[2] << 8) - | buf[3]); - if ((ret - 4) < len || len == 0) { - dbgprintf("GSS-API Reverting to plain TCP\n"); - pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP; - return 0; - } - } - - context = &pTCPSessions[iSess].gss_context; - *context = GSS_C_NO_CONTEXT; - sess_flags = &pTCPSessions[iSess].gss_flags; - do { - if (recv_token(fdSess, &recv_tok) <= 0) { - logerrorInt("TCP session %d will be closed, error ignored\n", iSess); - TCPSessClose(iSess); - return -1; - } - maj_stat = gss_accept_sec_context(&acc_sec_min_stat, context, gss_server_creds, - &recv_tok, GSS_C_NO_CHANNEL_BINDINGS, &client, - NULL, &send_tok, sess_flags, NULL, NULL); - if (recv_tok.value) { - free(recv_tok.value); - recv_tok.value = NULL; - } - if (maj_stat != GSS_S_COMPLETE - && maj_stat != GSS_S_CONTINUE_NEEDED) { - gss_release_buffer(&min_stat, &send_tok); - if (*context != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER); - if ((allowedMethods & ALLOWEDMETHOD_TCP) && - (GSS_ROUTINE_ERROR(maj_stat) == GSS_S_DEFECTIVE_TOKEN)) { - dbgprintf("GSS-API Reverting to plain TCP\n"); - dbgprintf("tcp session socket with new data: #%d\n", fdSess); - if(TCPSessDataRcvd(iSess, buf, ret) == 0) { - logerrorInt("Tearing down TCP Session %d - see " - "previous messages for reason(s)\n", - iSess); - TCPSessClose(iSess); - return -1; - } - pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_TCP; - return 0; - } - display_status("accepting context", maj_stat, - acc_sec_min_stat); - TCPSessClose(iSess); - return -1; - } - if (send_tok.length != 0) { - if (send_token(fdSess, &send_tok) < 0) { - gss_release_buffer(&min_stat, &send_tok); - logerrorInt("TCP session %d will be closed, error ignored\n", iSess); - if (*context != GSS_C_NO_CONTEXT) - gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER); - TCPSessClose(iSess); - return -1; - } - gss_release_buffer(&min_stat, &send_tok); - } - } while (maj_stat == GSS_S_CONTINUE_NEEDED); - - maj_stat = gss_display_name(&min_stat, client, &recv_tok, NULL); - if (maj_stat != GSS_S_COMPLETE) - display_status("displaying name", maj_stat, min_stat); - else - dbgprintf("GSS-API Accepted connection from: %s\n", (char*) recv_tok.value); - gss_release_name(&min_stat, &client); - gss_release_buffer(&min_stat, &recv_tok); - - dbgprintf("GSS-API Provided context flags:\n"); - display_ctx_flags(*sess_flags); - pTCPSessions[iSess].allowedMethods = ALLOWEDMETHOD_GSS; - } - - return 0; -} - - -/* returns: ? */ -int TCPSessGSSRecv(int iSess, void *buf, size_t buf_len) -{ - gss_buffer_desc xmit_buf, msg_buf; - gss_ctx_id_t *context; - OM_uint32 maj_stat, min_stat; - int fdSess; - int conf_state; - int state, len; - - fdSess = pTCPSessions[iSess].sock; - if ((state = recv_token(fdSess, &xmit_buf)) <= 0) - return state; - - context = &pTCPSessions[iSess].gss_context; - maj_stat = gss_unwrap(&min_stat, *context, &xmit_buf, &msg_buf, - &conf_state, (gss_qop_t *) NULL); - if (maj_stat != GSS_S_COMPLETE) { - display_status("unsealing message", maj_stat, min_stat); - if (xmit_buf.value) { - free(xmit_buf.value); - xmit_buf.value = 0; - } - return (-1); - } - if (xmit_buf.value) { - free(xmit_buf.value); - xmit_buf.value = 0; - } - - len = msg_buf.length < buf_len ? msg_buf.length : buf_len; - memcpy(buf, msg_buf.value, len); - gss_release_buffer(&min_stat, &msg_buf); - - return len; -} - - -void TCPSessGSSClose(int iSess) { - OM_uint32 maj_stat, min_stat; - gss_ctx_id_t *context; - - if(iSess < 0 || iSess > iTCPSessMax) { - errno = 0; - logerror("internal error, trying to close an invalid TCP session!"); - return; - } - - context = &pTCPSessions[iSess].gss_context; - maj_stat = gss_delete_sec_context(&min_stat, context, GSS_C_NO_BUFFER); - if (maj_stat != GSS_S_COMPLETE) - display_status("deleting context", maj_stat, min_stat); - *context = GSS_C_NO_CONTEXT; - pTCPSessions[iSess].gss_flags = 0; - pTCPSessions[iSess].allowedMethods = 0; - - TCPSessClose(iSess); -} - - -void TCPSessGSSDeinit(void) { - OM_uint32 maj_stat, min_stat; - - maj_stat = gss_release_cred(&min_stat, &gss_server_creds); - if (maj_stat != GSS_S_COMPLETE) - display_status("releasing credentials", maj_stat, min_stat); -} -#endif /* #ifdef USE_GSSAPI */ - +#endif /* This function is called to gather input. */ @@ -1194,7 +909,15 @@ ENDrunInput /* initialize and return if will run or not */ BEGINwillRun CODESTARTwillRun +#ifdef USE_GSSAPI + /* first check if we must support plain TCP, too. If so, set mode + * accordingly. -- rgerhards, 2008-02-26 + */ + if(bPermitPlainTcp) + bEnableTCP |= ALLOWEDMETHOD_TCP; + /* first apply some config settings */ +#endif dbgprintf("imtcp: bEnableTCP %d\n", bEnableTCP); PrintAllowedSenders(2); /* TCP */ #ifdef USE_GSSAPI @@ -1270,6 +993,7 @@ static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __a free(gss_listen_service_name); gss_listen_service_name = NULL; } + bPermitPlainTcp = 0; #endif return RS_RET_OK; } @@ -1280,15 +1004,18 @@ CODESTARTmodInit *ipIFVersProvided = 1; /* so far, we only support the initial definition */ CODEmodInit_QueryRegCFSLineHdlr /* register config file handlers */ - CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpserverrun", 0, eCmdHdlrGetWord, - addTCPListener, NULL, STD_LOADABLE_MODULE_ID)); - CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpmaxsessions", 0, eCmdHdlrInt, - NULL, &iTCPSessMax, STD_LOADABLE_MODULE_ID)); #if defined(USE_GSSAPI) + CHKiRet(omsdRegCFSLineHdlr((uchar *)"permitplaintcp", 0, eCmdHdlrBinary, + NULL, bPermitPlainTcp, STD_LOADABLE_MODULE_ID)); CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputgssserverrun", 0, eCmdHdlrGetWord, addGSSListener, NULL, STD_LOADABLE_MODULE_ID)); CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputgssserverservicename", 0, eCmdHdlrGetWord, NULL, &gss_listen_service_name, STD_LOADABLE_MODULE_ID)); +#else + CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpserverrun", 0, eCmdHdlrGetWord, + addTCPListener, NULL, STD_LOADABLE_MODULE_ID)); + CHKiRet(omsdRegCFSLineHdlr((uchar *)"inputtcpmaxsessions", 0, eCmdHdlrInt, + NULL, &iTCPSessMax, STD_LOADABLE_MODULE_ID)); #endif CHKiRet(omsdRegCFSLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler, resetConfigVariables, NULL, STD_LOADABLE_MODULE_ID)); -- cgit