From 74ab20fa5cb95a90b46a4b423dc85b507f17ad8d Mon Sep 17 00:00:00 2001
From: Rainer Gerhards
Date: Mon, 5 May 2008 12:59:06 +0200
Subject: made default certificate file locations configurable

- added $DefaultNetstreamDriverCAFile config directive
- added $DefaultNetstreamDriverCertFile config directive
- added $DefaultNetstreamDriverKeyFile config directive
---
 runtime/glbl.c     | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 runtime/glbl.h     |  3 +++
 runtime/nsd_gtls.c | 28 ++++++++++++++++++------
 3 files changed, 87 insertions(+), 7 deletions(-)
(limited to 'runtime')

diff --git a/runtime/glbl.c b/runtime/glbl.c
index 58605bb0..20840318 100644
--- a/runtime/glbl.c
+++ b/runtime/glbl.c
@@ -42,6 +42,15 @@
 #ifndef DFLT_NETSTRM_DRVR
 # define DFLT_NETSTRM_DRVR ((uchar*)"ptcp")
 #endif
+#ifndef DFLT_NETSTRM_DRVR_CAF
+# define DFLT_NETSTRM_DRVR_CAF ((uchar*)"ca.pem")
+#endif
+#ifndef DFLT_NETSTRM_DRVR_KEYFILE
+# define DFLT_NETSTRM_DRVR_KEYFILE ((uchar*)"key.pem")
+#endif
+#ifndef DFLT_NETSTRM_DRVR_CERTFILE
+# define DFLT_NETSTRM_DRVR_CERTFILE ((uchar*)"cert.pem")
+#endif
 
 /* static data */
 DEFobjStaticHelpers
@@ -60,6 +69,9 @@ static uchar *LocalDomain; /* our local domain name - read-only after startup *
 static char **StripDomains = NULL;/* these domains may be stripped before writing logs - r/o after s.u., never touched by init */
 static char **LocalHosts = NULL;/* these hosts are logged with their hostname - read-only after startup, never touched by init */
 static uchar *pszDfltNetstrmDrvr = NULL; /* module name of default netstream driver */
+static uchar *pszDfltNetstrmDrvrCAF = NULL; /* default CA file for the netstrm driver */
+static uchar *pszDfltNetstrmDrvrKeyFile = NULL; /* default key file for the netstrm driver (server) */
+static uchar *pszDfltNetstrmDrvrCertFile = NULL; /* default cert file for the netstrm driver (server) */
 
 /* define a macro for the simple properties' set and get functions
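Review bot: The three new DFLT_NETSTRM_DRVR_* defaults are bare file names, so unless an operator sets the new directives, GnuTLS will look for ca.pem, key.pem and cert.pem relative to the daemon's working directory at init time rather than in a fixed location, and nothing at the definition says so. A comment above the first new `#ifndef` would make that explicit, e.g. `/* defaults are relative paths (resolved against the process working directory); override via $DefaultNetstreamDriverCAFile, $DefaultNetstreamDriverKeyFile, $DefaultNetstreamDriverCertFile */`. A fixed absolute default would be more predictable for a trust anchor, but that is a packaging decision beyond this commit.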
@@ -91,6 +103,9 @@ SIMP_PROP(LocalHosts, LocalHosts, char**)
 SIMP_PROP_SET(LocalHostName, LocalHostName, uchar*)
 SIMP_PROP_SET(DfltNetstrmDrvr, pszDfltNetstrmDrvr, uchar*) // TODO: use custom function which frees existing value
+SIMP_PROP_SET(DfltNetstrmDrvrCAF, pszDfltNetstrmDrvrCAF, uchar*) // TODO: use custom function which frees existing value
+SIMP_PROP_SET(DfltNetstrmDrvrKeyFile, pszDfltNetstrmDrvrKeyFile, uchar*) // TODO: use custom function which frees existing value
+SIMP_PROP_SET(DfltNetstrmDrvrCertFile, pszDfltNetstrmDrvrCertFile, uchar*) // TODO: use custom function which frees existing value
 
 #undef SIMP_PROP
 #undef SIMP_PROP_SET
@@ -122,6 +137,30 @@ GetDfltNetstrmDrvr(void)
 }
 
 
+/* return the current default netstream driver CA File */
+static uchar*
+GetDfltNetstrmDrvrCAF(void)
+{
+	return(pszDfltNetstrmDrvrCAF == NULL ? DFLT_NETSTRM_DRVR_CAF : pszDfltNetstrmDrvrCAF);
+}
+
+
+/* return the current default netstream driver key File */
+static uchar*
+GetDfltNetstrmDrvrKeyFile(void)
+{
+	return(pszDfltNetstrmDrvrKeyFile == NULL ? DFLT_NETSTRM_DRVR_KEYFILE : pszDfltNetstrmDrvrKeyFile);
+}
+
+
+/* return the current default netstream driver certificate File */
+static uchar*
+GetDfltNetstrmDrvrCertFile(void)
+{
+	return(pszDfltNetstrmDrvrCertFile == NULL ? DFLT_NETSTRM_DRVR_CERTFILE : pszDfltNetstrmDrvrCertFile);
+}
+
+
 /* queryInterface function
  * rgerhards, 2008-02-21
  */
@@ -149,6 +188,9 @@ CODESTARTobjQueryInterface(glbl)
 	SIMP_PROP(StripDomains)
 	SIMP_PROP(LocalHosts)
 	SIMP_PROP(DfltNetstrmDrvr)
+	SIMP_PROP(DfltNetstrmDrvrCAF)
+	SIMP_PROP(DfltNetstrmDrvrKeyFile)
+	SIMP_PROP(DfltNetstrmDrvrCertFile)
 #undef SIMP_PROP
 finalize_it:
 ENDobjQueryInterface(glbl)
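Review bot: The three SIMP_PROP_SET setters added here inherit the leak the copied TODO describes: presumably the generated setter just stores the new pointer, so a second set of pszDfltNetstrmDrvrCAF, pszDfltNetstrmDrvrKeyFile or pszDfltNetstrmDrvrCertFile loses the previous heap string, while resetConfigVariables and the class exit free only the last value stored. With four such string properties now, a small helper that does `free(*ppDst); *ppDst = pNew;` and is used by all four setters would let the TODO be retired in one place instead of being copied three more times. The SIMP_PROP_SET macro itself is defined outside this hunk, so that it is a plain assignment is inferred from the TODO comment.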
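Review bot: The new getters return either the heap string stored by the config handler or the `DFLT_NETSTRM_DRVR_*` string literal cast to `uchar*`, so the caller must never free or modify the result, but none of the three header comments says so. nsd_gtls.c's new code only casts the pointer to `char*` and passes it to GnuTLS, which is fine, yet the ownership rule belongs on the getter. Suggest extending each comment along the lines of `/* return the current default netstream driver CA file; the pointer is owned by glbl (it may be a string literal) and must not be freed or modified by the caller */`, and likewise for the key-file and cert-file getters.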
@@ -163,6 +205,18 @@ static rsRetVal resetConfigVariables(uchar __attribute__((unused)) *pp, void __a
 		free(pszDfltNetstrmDrvr);
 		pszDfltNetstrmDrvr = NULL;
 	}
+	if(pszDfltNetstrmDrvrCAF != NULL) {
+		free(pszDfltNetstrmDrvrCAF);
+		pszDfltNetstrmDrvrCAF = NULL;
+	}
+	if(pszDfltNetstrmDrvrKeyFile != NULL) {
+		free(pszDfltNetstrmDrvrKeyFile);
+		pszDfltNetstrmDrvrKeyFile = NULL;
+	}
+	if(pszDfltNetstrmDrvrCertFile != NULL) {
+		free(pszDfltNetstrmDrvrCertFile);
+		pszDfltNetstrmDrvrCertFile = NULL;
+	}
 	if(pszWorkDir != NULL) {
 		free(pszWorkDir);
 		pszWorkDir = NULL;
@@ -184,6 +238,9 @@ BEGINAbstractObjClassInit(glbl, 1, OBJ_IS_CORE_MODULE) /* class, version */
 	CHKiRet(regCfSysLineHdlr((uchar *)"workdirectory", 0, eCmdHdlrGetWord, NULL, &pszWorkDir, NULL));
 	CHKiRet(regCfSysLineHdlr((uchar *)"dropmsgswithmaliciousdnsptrrecords", 0, eCmdHdlrBinary, NULL, &bDropMalPTRMsgs, NULL));
 	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdriver", 0, eCmdHdlrGetWord, NULL, &pszDfltNetstrmDrvr, NULL));
+	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercafile", 0, eCmdHdlrGetWord, NULL, &pszDfltNetstrmDrvrCAF, NULL));
+	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdriverkeyfile", 0, eCmdHdlrGetWord, NULL, &pszDfltNetstrmDrvrKeyFile, NULL));
+	CHKiRet(regCfSysLineHdlr((uchar *)"defaultnetstreamdrivercertfile", 0, eCmdHdlrGetWord, NULL, &pszDfltNetstrmDrvrCertFile, NULL));
 	CHKiRet(regCfSysLineHdlr((uchar *)"resetconfigvariables", 1, eCmdHdlrCustomHandler, resetConfigVariables, NULL, NULL));
 
 ENDObjClassInit(glbl)
@@ -194,6 +251,12 @@ ENDObjClassInit(glbl)
 BEGINObjClassExit(glbl, OBJ_IS_CORE_MODULE) /* class, version */
 	if(pszDfltNetstrmDrvr != NULL)
 		free(pszDfltNetstrmDrvr);
+	if(pszDfltNetstrmDrvrCAF != NULL)
+		free(pszDfltNetstrmDrvrCAF);
+	if(pszDfltNetstrmDrvrKeyFile != NULL)
+		free(pszDfltNetstrmDrvrKeyFile);
+	if(pszDfltNetstrmDrvrCertFile != NULL)
+		free(pszDfltNetstrmDrvrCertFile);
 	if(pszWorkDir != NULL)
 		free(pszWorkDir);
 	if(LocalHostName != NULL)
diff --git a/runtime/glbl.h b/runtime/glbl.h
index b6864f3d..adfae27e 100644
--- a/runtime/glbl.h
+++ b/runtime/glbl.h
@@ -49,6 +49,9 @@ BEGINinterface(glbl) /* name must also be changed in ENDinterface macro! */
 	SIMP_PROP(StripDomains, char**)
 	SIMP_PROP(LocalHosts, char**)
 	SIMP_PROP(DfltNetstrmDrvr, uchar*)
+	SIMP_PROP(DfltNetstrmDrvrCAF, uchar*)
+	SIMP_PROP(DfltNetstrmDrvrKeyFile, uchar*)
+	SIMP_PROP(DfltNetstrmDrvrCertFile, uchar*)
 #undef SIMP_PROP
 ENDinterface(glbl)
 #define glblCURR_IF_VERSION 1 /* increment whenever you change the interface structure! */
diff --git a/runtime/nsd_gtls.c b/runtime/nsd_gtls.c
index 630c751b..64f5929b 100644
--- a/runtime/nsd_gtls.c
+++ b/runtime/nsd_gtls.c
@@ -30,6 +30,7 @@
 #include "rsyslog.h"
 #include "syslogd-types.h"
 #include "module-template.h"
+#include "cfsysline.h"
 #include "obj.h"
 #include "errmsg.h"
 #include "nsd_ptcp.h"
@@ -38,11 +39,9 @@
 
 /* things to move to some better place/functionality - TODO */
 #define DH_BITS 1024
-#define CAFILE "ca.pem" // TODO: allow to specify
-#define KEYFILE "key.pem"
-#define CERTFILE "cert.pem"
 #define CRLFILE "crl.pem"
+
 
 MODULE_TYPE_LIB
 
 /* static data */
@@ -87,6 +86,7 @@ static rsRetVal
 gtlsGlblInit(void)
 {
 	int gnuRet;
+	uchar *cafile;
 	DEFiRet;
 
 	CHKgnutls(gnutls_global_init());
@@ -95,7 +95,16 @@ gtlsGlblInit(void)
 	CHKgnutls(gnutls_certificate_allocate_credentials(&xcred));
 
 	/* sets the trusted cas file */
-	gnutls_certificate_set_x509_trust_file(xcred, CAFILE, GNUTLS_X509_FMT_PEM);
+	cafile = glbl.GetDfltNetstrmDrvrCAF();
+	dbgprintf("GTLS CA file: '%s'\n", cafile);
+	gnuRet = gnutls_certificate_set_x509_trust_file(xcred, (char*)cafile, GNUTLS_X509_FMT_PEM);
+	if(gnuRet < 0) {
+		/* TODO; a more generic error-tracking function (this one based on CHKgnutls()) */
+		uchar *pErr = gtlsStrerror(gnuRet);
+		dbgprintf("unexpected GnuTLS error %d in %s:%d: %s\n", gnuRet, __FILE__, __LINE__, pErr);
+		free(pErr);
+		ABORT_FINALIZE(RS_RET_GNUTLS_ERR);
+	}
 
 finalize_it:
 	RETiRet;
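Review bot: The glbl interface gains three SIMP_PROP members, but the context line directly below the change, `#define glblCURR_IF_VERSION 1 /* increment whenever you change the interface structure! */`, is left at 1. Even though the new members are appended after DfltNetstrmDrvr, the structure's size changes and the macro's own comment calls for a bump on any interface change, so a loadable module built against the previous layout could be accepted by a version check that still matches; the line should become `#define glblCURR_IF_VERSION 2`. Whether the version is actually enforced at module load is not visible in this patch.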
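Review bot: The new error check after the trust-file call treats only a negative return as failure, but gnutls_certificate_set_x509_trust_file() returns the number of certificates it loaded, so a CA file that exists yet yields no usable certificate returns 0 and initialization continues with an empty set of trust anchors; since that set is what any later peer verification relies on, `if(gnuRet <= 0) {` with the 0 case reported as "no CA certificate loaded" is the safer condition. Both this failure and the key/cert-file failure in the gtlsGlblInitLstn hunk (@@ -159) are reported through dbgprintf only, so now that the file names come from the operator's configuration a wrong path is invisible outside a debug build; the file already includes errmsg.h, and an operator-visible error naming the offending file would be appropriate in both places. The opening of gtlsGlblInit is in the preceding hunk (@@ -87), which declares `cafile`.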
@@ -152,6 +161,8 @@ static rsRetVal
 gtlsGlblInitLstn(void)
 {
 	int gnuRet;
+	uchar *keyFile;
+	uchar *certFile;
 	DEFiRet;
 
 	if(bGlblSrvrInitDone == 0) {
@@ -159,7 +170,11 @@ gtlsGlblInitLstn(void)
 		 * considered legacy. -- rgerhards, 2008-05-05
 		 */
 		/*CHKgnutls(gnutls_certificate_set_x509_crl_file(xcred, CRLFILE, GNUTLS_X509_FMT_PEM));*/
-		CHKgnutls(gnutls_certificate_set_x509_key_file(xcred, CERTFILE, KEYFILE, GNUTLS_X509_FMT_PEM));
+		certFile = glbl.GetDfltNetstrmDrvrCertFile();
+		keyFile = glbl.GetDfltNetstrmDrvrKeyFile();
+		dbgprintf("GTLS certificate file: '%s'\n", certFile);
+		dbgprintf("GTLS key file: '%s'\n", keyFile);
+		CHKgnutls(gnutls_certificate_set_x509_key_file(xcred, (char*)certFile, (char*)keyFile, GNUTLS_X509_FMT_PEM));
 		CHKiRet(generate_dh_params());
 		gnutls_certificate_set_dh_params(xcred, dh_params); /* this is void */
 		bGlblSrvrInitDone = 1; /* we are all set now */
@@ -350,12 +365,10 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew)
 	nsd_gtls_t *pThis = (nsd_gtls_t*) pNsd;
 	ISOBJ_TYPE_assert((pThis), nsd_gtls);
 
-	// TODO: method to construct without pTcp
 	CHKiRet(nsd_gtlsConstruct(&pNew));
 	CHKiRet(nsd_ptcp.Destruct(&pNew->pTcp));
 	CHKiRet(nsd_ptcp.AcceptConnReq(pThis->pTcp, &pNew->pTcp));
 
-RUNLOG_VAR("%d", pThis->iMode);
 	if(pThis->iMode == 0) {
 		/* we are in non-TLS mode, so we are done */
 		*ppNew = (nsd_t*) pNew;
@@ -593,6 +606,7 @@ CODESTARTmodInit
 	/* Initialize all classes that are in our module - this includes ourselfs */
 	CHKiRet(nsd_gtlsClassInit(pModInfo)); /* must be done after tcps_sess, as we use it */
 	CHKiRet(nsdsel_gtlsClassInit(pModInfo)); /* must be done after tcps_sess, as we use it */
+
 ENDmodInit
 
 /* vi:set ai: */
-- 
cgit