Blob Blame History Raw
diff -up rsyslog-8.2102.0/runtime/nsd_ossl.c.orig rsyslog-8.2102.0/runtime/nsd_ossl.c
--- rsyslog-8.2102.0/runtime/nsd_ossl.c.orig	2022-04-15 13:42:05.320615894 +0200
+++ rsyslog-8.2102.0/runtime/nsd_ossl.c	2022-04-15 14:33:43.472482696 +0200
@@ -609,10 +609,10 @@ finalize_it:
 }
 
 static rsRetVal
-osslInitSession(nsd_ossl_t *pThis) /* , nsd_ossl_t *pServer) */
+osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pServer) */
 {
 	DEFiRet;
-	BIO *client;
+	BIO *conn;
 	char pristringBuf[4096];
 	nsd_ptcp_t *pPtcp = (nsd_ptcp_t*) pThis->pTcp;
 
@@ -633,10 +633,8 @@ osslInitSession(nsd_ossl_t *pThis) /* ,
 		if (pThis->DrvrVerifyDepth != 0) {
 			SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth);
 		}
-	}
-
-	if (bAnonInit == 1) { /* no mutex needed, read-only after init */
-		/* Allow ANON Ciphers */
+	} else 	if (bAnonInit == 1 && pThis->gnutlsPriorityString == NULL) {
+		/* Allow ANON Ciphers only in ANON Mode and if no custom priority string is defined */
 		#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 		 /* NOTE: do never use: +eNULL, it DISABLES encryption! */
 		strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
@@ -653,21 +651,28 @@ osslInitSession(nsd_ossl_t *pThis) /* ,
 		}
 	}
 
-	/* Create BIO from ptcp socket! */
-	client = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
-	dbgprintf("osslInitSession: Init client BIO[%p] done\n", (void *)client);
 
-	/* Set debug Callback for client BIO as well! */
-	BIO_set_callback(client, BIO_debug_callback);
+	/* Create BIO from ptcp socket! */
+	conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
+	dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn);
 
-/* TODO: still needed? Set to NON blocking ! */
-BIO_set_nbio( client, 1 );
+	/* Set debug Callback for conn BIO as well! */
+	BIO_set_callback(conn, BIO_debug_callback);
 
-	SSL_set_bio(pThis->ssl, client, client);
-	SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */
+	/* TODO: still needed? Set to NON blocking ! */
+	BIO_set_nbio( conn, 1 );
+	SSL_set_bio(pThis->ssl, conn, conn);
 
+	if (osslType == osslServer) {
+		/* Server Socket */
+		SSL_set_accept_state(pThis->ssl); /* sets ssl to work in server mode. */
+		pThis->sslState = osslServer; /*set Server state */
+	} else {
+		/* Client Socket */
+		SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/
+		pThis->sslState = osslClient; /*set Client state */
+	}
 	pThis->bHaveSess = 1;
-	pThis->sslState = osslServer; /*set Server state */
 
 	/* we are done */
 	FINALIZE;
@@ -1136,8 +1141,8 @@ SetAuthMode(nsd_t *const pNsd, uchar *co
 		ABORT_FINALIZE(RS_RET_VALUE_NOT_SUPPORTED);
 	}
 
-		/* Init Anon OpenSSL stuff */
-		CHKiRet(osslAnonInit());
+	/* Init Anon OpenSSL stuff */
+	CHKiRet(osslAnonInit());
 
 	dbgprintf("SetAuthMode: Set Mode %s/%d\n", mode, pThis->authMode);
 
@@ -1394,8 +1399,9 @@ osslPostHandshakeCheck(nsd_ossl_t *pNsd)
 
 	#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 	if(SSL_get_shared_curve(pNsd->ssl, -1) == 0) {
-		LogError(0, RS_RET_NO_ERRCODE, "nsd_ossl:"
-		"No shared curve between syslog client and server.");
+		// This is not a failure
+		LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
+		"Information, no shared curve between syslog client and server");
 	}
 	#endif
 	sslCipher = (const SSL_CIPHER*) SSL_get_current_cipher(pNsd->ssl);
@@ -1518,7 +1524,7 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew
 	pNew->permitExpiredCerts = pThis->permitExpiredCerts;
 	pNew->pPermPeers = pThis->pPermPeers;
 	pNew->DrvrVerifyDepth = pThis->DrvrVerifyDepth;
-	CHKiRet(osslInitSession(pNew));
+	CHKiRet(osslInitSession(pNew, osslServer));
 
 	/* Store nsd_ossl_t* reference in SSL obj */
 	SSL_set_ex_data(pNew->ssl, 0, pThis);
@@ -1729,9 +1735,6 @@ Connect(nsd_t *pNsd, int family, uchar *
 	DEFiRet;
 	DBGPRINTF("openssl: entering Connect family=%d, device=%s\n", family, device);
 	nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
-	nsd_ptcp_t* pPtcp = (nsd_ptcp_t*) pThis->pTcp;
-	BIO *conn;
-	char pristringBuf[4096];
 
 	ISOBJ_TYPE_assert(pThis, nsd_ossl);
 	assert(port != NULL);
@@ -1745,61 +1748,13 @@ Connect(nsd_t *pNsd, int family, uchar *
 		FINALIZE;
 	}
 
-	/* Create BIO from ptcp socket! */
-	conn = BIO_new_socket(pPtcp->sock, BIO_CLOSE /*BIO_NOCLOSE*/);
-	dbgprintf("Connect: Init conn BIO[%p] done\n", (void *)conn);
-
 	LogMsg(0, RS_RET_NO_ERRCODE, LOG_INFO, "nsd_ossl: "
 		"TLS Connection initiated with remote syslog server.");
 	/*if we reach this point we are in tls mode */
 	DBGPRINTF("Connect: TLS Mode\n");
-	if(!(pThis->ssl = SSL_new(ctx))) {
-		pThis->ssl = NULL;
-		osslLastSSLErrorMsg(0, pThis->ssl, LOG_ERR, "Connect");
-		ABORT_FINALIZE(RS_RET_NO_ERRCODE);
-	}
 
-	// Set SSL_MODE_AUTO_RETRY to SSL obj
-	SSL_set_mode(pThis->ssl, SSL_MODE_AUTO_RETRY);
-
-	if (pThis->authMode != OSSL_AUTH_CERTANON) {
-		dbgprintf("Connect: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
-			pThis->authMode, pThis->DrvrVerifyDepth);
-		/* Enable certificate valid checking */
-		SSL_set_verify(pThis->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
-		if (pThis->DrvrVerifyDepth != 0) {
-			SSL_set_verify_depth(pThis->ssl, pThis->DrvrVerifyDepth);
-		}
-	}
-
-	if (bAnonInit == 1) { /* no mutex needed, read-only after init */
-		/* Allow ANON Ciphers */
-		#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-		 /* NOTE: do never use: +eNULL, it DISABLES encryption! */
-		strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL@SECLEVEL=0",
-			sizeof(pristringBuf));
-		#else
-		strncpy(pristringBuf, "ALL:+COMPLEMENTOFDEFAULT:+ADH:+ECDH:+aNULL",
-			sizeof(pristringBuf));
-		#endif
-
-		dbgprintf("Connect: setting anon ciphers: %s\n", pristringBuf);
-		if ( SSL_set_cipher_list(pThis->ssl, pristringBuf) == 0 ){
-			dbgprintf("Connect: Error setting ciphers '%s'\n", pristringBuf);
-			ABORT_FINALIZE(RS_RET_SYS_ERR);
-		}
-	}
-
-	/* Set debug Callback for client BIO as well! */
-	BIO_set_callback(conn, BIO_debug_callback);
-
-/* TODO: still needed? Set to NON blocking ! */
-BIO_set_nbio( conn, 1 );
-
-	SSL_set_bio(pThis->ssl, conn, conn);
-	SSL_set_connect_state(pThis->ssl); /*sets ssl to work in client mode.*/
-	pThis->sslState = osslClient; /*set Client state */
-	pThis->bHaveSess = 1;
+	/* Do SSL Session init */
+	CHKiRet(osslInitSession(pThis, osslClient));
 
 	/* Store nsd_ossl_t* reference in SSL obj */
 	SSL_set_ex_data(pThis->ssl, 0, pThis);
@@ -1828,90 +1783,106 @@ SetGnutlsPriorityString(nsd_t *const pNs
 	nsd_ossl_t* pThis = (nsd_ossl_t*) pNsd;
 	ISOBJ_TYPE_assert(pThis, nsd_ossl);
 
-	pThis->gnutlsPriorityString = gnutlsPriorityString;
+	dbgprintf("gnutlsPriorityString: set to '%s'\n",
+		(gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"));
 
 	/* Skip function if function is NULL gnutlsPriorityString */
-	if (gnutlsPriorityString == NULL) {
-		RETiRet;
-	} else {
-		dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
 #if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
-		char *pCurrentPos;
-		char *pNextPos;
-		char *pszCmd;
-		char *pszValue;
-		int iConfErr;
-
-		/* Set working pointer */
-		pCurrentPos = (char*) pThis->gnutlsPriorityString;
-		if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) {
-			// Create CTX Config Helper
-			SSL_CONF_CTX *cctx;
-			cctx = SSL_CONF_CTX_new();
-			if (pThis->sslState == osslServer) {
-				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
-			} else {
-				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
-			}
-			SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
-			SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
-			SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
-
-			do
-			{
-				pNextPos = index(pCurrentPos, '=');
-				if (pNextPos != NULL) {
-					while (	*pCurrentPos != '\0' &&
-						(*pCurrentPos == ' ' || *pCurrentPos == '\t') )
-						pCurrentPos++;
-					pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos);
-					pCurrentPos = pNextPos+1;
-					pNextPos = index(pCurrentPos, '\n');
-					pszValue = (pNextPos == NULL ?
-							strdup(pCurrentPos) :
-							strndup(pCurrentPos, pNextPos - pCurrentPos));
-					pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1);
-
-					/* Add SSL Conf Command */
-					iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
-					if (iConfErr > 0) {
-						dbgprintf("gnutlsPriorityString: Successfully added Command "
-							"'%s':'%s'\n",
-							pszCmd, pszValue);
-					}
-					else {
-						LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' "
-							"in gnutlsPriorityString with error '%d'",
-							pszCmd, pszValue, iConfErr);
-					}
+	sbool ApplySettings = 0;
+	if ((gnutlsPriorityString != NULL && pThis->gnutlsPriorityString == NULL) ||
+		(gnutlsPriorityString != NULL &&
+		strcmp( (const char*)pThis->gnutlsPriorityString, (const char*)gnutlsPriorityString) != 0)
+		) {
+		ApplySettings = 1;
+	}
+
+	pThis->gnutlsPriorityString = gnutlsPriorityString;
+	dbgprintf("gnutlsPriorityString: set to '%s' Apply %s\n",
+		(gnutlsPriorityString != NULL ? (char*)gnutlsPriorityString : "NULL"),
+		(ApplySettings == 1? "TRUE" : "FALSE"));
 
-					free(pszCmd);
-					free(pszValue);
+	if (ApplySettings) {
+
+		if (gnutlsPriorityString == NULL || ctx == NULL) {
+			RETiRet;
+		} else {
+			dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
+			char *pCurrentPos;
+			char *pNextPos;
+			char *pszCmd;
+			char *pszValue;
+			int iConfErr;
+
+			/* Set working pointer */
+			pCurrentPos = (char*) pThis->gnutlsPriorityString;
+			if (pCurrentPos != NULL && strlen(pCurrentPos) > 0) {
+				// Create CTX Config Helper
+				SSL_CONF_CTX *cctx;
+				cctx = SSL_CONF_CTX_new();
+				if (pThis->sslState == osslServer) {
+					SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
 				} else {
-					/* Abort further parsing */
-					pCurrentPos = NULL;
+					SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
 				}
-			}
-			while (pCurrentPos != NULL);
+				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
+				SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
+				SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
+
+				do
+				{
+					pNextPos = index(pCurrentPos, '=');
+					if (pNextPos != NULL) {
+						while (	*pCurrentPos != '\0' &&
+							(*pCurrentPos == ' ' || *pCurrentPos == '\t') )
+							pCurrentPos++;
+						pszCmd = strndup(pCurrentPos, pNextPos-pCurrentPos);
+						pCurrentPos = pNextPos+1;
+						pNextPos = index(pCurrentPos, '\n');
+						pszValue = (pNextPos == NULL ?
+								strdup(pCurrentPos) :
+								strndup(pCurrentPos, pNextPos - pCurrentPos));
+						pCurrentPos = (pNextPos == NULL ? NULL : pNextPos+1);
+
+						/* Add SSL Conf Command */
+						iConfErr = SSL_CONF_cmd(cctx, pszCmd, pszValue);
+						if (iConfErr > 0) {
+							dbgprintf("gnutlsPriorityString: Successfully added Command "
+								"'%s':'%s'\n",
+								pszCmd, pszValue);
+						}
+						else {
+							LogError(0, RS_RET_SYS_ERR, "Failed to added Command: %s:'%s' "
+								"in gnutlsPriorityString with error '%d'",
+								pszCmd, pszValue, iConfErr);
+						}
+
+						free(pszCmd);
+						free(pszValue);
+					} else {
+						/* Abort further parsing */
+						pCurrentPos = NULL;
+					}
+				}
+				while (pCurrentPos != NULL);
 
-			/* Finalize SSL Conf */
-			iConfErr = SSL_CONF_CTX_finish(cctx);
-			if (!iConfErr) {
-				LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s"
-						"Open ssl error info may follow in next messages",
-						pThis->gnutlsPriorityString);
-				osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
+				/* Finalize SSL Conf */
+				iConfErr = SSL_CONF_CTX_finish(cctx);
+				if (!iConfErr) {
+					LogError(0, RS_RET_SYS_ERR, "Error: setting openssl command parameters: %s"
+							"Open ssl error info may follow in next messages",
+							pThis->gnutlsPriorityString);
+					osslLastSSLErrorMsg(0, NULL, LOG_ERR, "SetGnutlsPriorityString");
+				}
+				SSL_CONF_CTX_free(cctx);
 			}
-			SSL_CONF_CTX_free(cctx);
 		}
+	}
 #else
-		dbgprintf("gnutlsPriorityString: set to '%s'\n", gnutlsPriorityString);
-		LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API"
-			"(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: "
-			"https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring",
-			gnutlsPriorityString);
+	LogError(0, RS_RET_SYS_ERR, "Warning: TLS library does not support SSL_CONF_cmd API"
+		"(maybe it is too old?). Cannot use gnutlsPriorityString ('%s'). For more see: "
+		"https://www.rsyslog.com/doc/master/configuration/modules/imtcp.html#gnutlsprioritystring",
+		gnutlsPriorityString);
 #endif
-	}
 
 	RETiRet;
 }